Add allowlist

tchapgouv · Aug 27, 2024 · c3124d0 · c3124d0
1 parent 90ff50e
commit c3124d0
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -12,6 +12,8 @@ $ LIVEKIT_URL="ws://somewhere" LIVEKIT_KEY=devkey LIVEKIT_SECRET=secret go run *
 
 The listening port is configurable via the `LK_JWT_PORT` environment variable and defaults to 8080.
 
+Usage can be limited to a set of specific homeservers by setting `HS_ALLOWLIST` environment variable to a comma-separated list of server names.
+
 ## Disable TLS verification
 
 For testing and debugging (e.g., in the absence of trusted certificates while testing in a lab) you can disable TLS verification for outgoing matrix client connection by setting the environment variable `LIVEKIT_INSECURE_SKIP_VERIFY_TLS` to `YES_I_KNOW_WHAT_I_AM_DOING`.
diff --git a/main.go b/main.go
@@ -23,6 +23,7 @@ import (
 	"log"
 	"net/http"
 	"os"
+	"strings"
 
 	"time"
 
@@ -35,7 +36,8 @@ import (
 
 type Handler struct {
 	key, secret, lk_url string
-	skipVerifyTLS bool
+	skipVerifyTLS       bool
+	homeserverAllowList []string
 }
 
 type OpenIDTokenType struct {
@@ -56,12 +58,20 @@ type SFUResponse struct {
 }
 
 func exchangeOIDCToken(
-	ctx context.Context, token OpenIDTokenType, skipVerifyTLS bool,
-) (*fclient.UserInfo, error) {
+	ctx context.Context, token OpenIDTokenType, skipVerifyTLS bool, homeserverAllowList []string) (*fclient.UserInfo, error) {
 	if token.AccessToken == "" || token.MatrixServerName == "" {
 		return nil, errors.New("missing parameters in OIDC token")
 	}
 
+	if len(homeserverAllowList) > 0 {
+		for _, allowed_hs := range homeserverAllowList {
+			if allowed_hs == token.MatrixServerName {
+				break
+			}
+		}
+		return nil, fmt.Errorf("homeserver %s not allowed", token.MatrixServerName)
+	}
+
 	if skipVerifyTLS {
 		log.Printf("!!! WARNING !!! Skipping TLS verification for matrix client connection to %s", token.MatrixServerName)
 	}
@@ -130,7 +140,7 @@ func (h *Handler) handle(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 
-		userInfo, err := exchangeOIDCToken(r.Context(), body.OpenIDToken, h.skipVerifyTLS)
+		userInfo, err := exchangeOIDCToken(r.Context(), body.OpenIDToken, h.skipVerifyTLS, h.homeserverAllowList)
 		if err != nil {
 			w.WriteHeader(http.StatusInternalServerError)
 			err = json.NewEncoder(w).Encode(gomatrix.RespError{
@@ -184,6 +194,11 @@ func main() {
 	secret := os.Getenv("LIVEKIT_SECRET")
 	lk_url := os.Getenv("LIVEKIT_URL")
 
+	homeserverAllowList := []string{}
+	if os.Getenv("HS_ALLOWLIST") != "" {
+		homeserverAllowList = strings.Split(os.Getenv("HS_ALLOWLIST"), ",")
+	}
+
 	// Check if the key, secret or url are empty.
 	if key == "" || secret == "" || lk_url == "" {
 		log.Fatal("LIVEKIT_KEY, LIVEKIT_SECRET and LIVEKIT_URL environment variables must be set")
@@ -194,13 +209,14 @@ func main() {
 		lk_jwt_port = "8080"
 	}
 
-	log.Printf("LIVEKIT_KEY: %s, LIVEKIT_SECRET: %s, LIVEKIT_URL: %s, LK_JWT_PORT: %s", key, secret, lk_url, lk_jwt_port)
+	log.Printf("LIVEKIT_KEY: %s, LIVEKIT_SECRET: __redacted__, LIVEKIT_URL: %s, LK_JWT_PORT: %s, HS_ALLOWLIST: %s", key, lk_url, lk_jwt_port, homeserverAllowList)
 
 	handler := &Handler{
-		key:    key,
-		secret: secret,
-		lk_url: lk_url,
-		skipVerifyTLS: skipVerifyTLS,
+		key:                 key,
+		secret:              secret,
+		lk_url:              lk_url,
+		skipVerifyTLS:       skipVerifyTLS,
+		homeserverAllowList: homeserverAllowList,
 	}
 
 	http.HandleFunc("/sfu/get", handler.handle)