From f4cb2e0bdd5a63eabec5e753424fb5e3435a7626 Mon Sep 17 00:00:00 2001
From: charludo
Date: Thu, 12 Sep 2024 17:37:34 +0200
Subject: [PATCH] Allow TURN secret to be read from file

---
 docs/configuration.md | 3 ++-
 docs/turn.md | 6 +++++-
 src/config/mod.rs | 10 +++++++---
 src/service/globals/mod.rs | 19 ++++++++++++++++---
 4 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/docs/configuration.md b/docs/configuration.md
index d903a21e..44b58909 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -54,6 +54,7 @@ The `global` section contains the following fields:
 | `turn_password` | `string` | The TURN password | `""` |
 | `turn_uris` | `array` | The TURN URIs | `[]` |
 | `turn_secret` | `string` | The TURN secret | `""` |
+| `turn_secret_file` | `string` | Path to a file containing the TURN secret | `""` |
 | `turn_ttl` | `integer` | The TURN TTL in seconds | `86400` |
 | `emergency_password` | `string` | Set a password to login as the `conduit` user in case of emergency | N/A |
 | `well_known` | `table` | Used for [delegation](delegation.md) | See [delegation](delegation.md) |
@@ -92,7 +93,7 @@ An array of tables that contain the following fields:
 Both `include` and `exclude` allow for glob pattern matching.
 ##### Example
-In this example, all requests to domains ending in `.onion` and `matrix.secretly-an-onion-domain.xyz`
+In this example, all requests to domains ending in `.onion` and `matrix.secretly-an-onion-domain.xyz`
 will be proxied via `socks://localhost:9050`, except for domains ending in `.myspecial.onion`. You can add as many `by_domain` tables as you need.
 ```toml
 [[global.proxy.by_domain]]
diff --git a/docs/turn.md b/docs/turn.md
index 94d32db1..4b6181aa 100644
--- a/docs/turn.md
+++ b/docs/turn.md
@@ -7,13 +7,17 @@ ## Edit/Add a few settings to your existing conduit.toml
 ```
-# Refer to your Coturn settings.
+# Refer to your Coturn settings.
 # `your.turn.url` has to match the REALM setting of your Coturn as well as `transport`.
 turn_uris = ["turn:your.turn.url?transport=udp", "turn:your.turn.url?transport=tcp"]
 # static-auth-secret of your turnserver
 turn_secret = "ADD SECRET HERE"
+# alternatively: read turn credentials from a file.
+# turn_secret overrides turn_secret_file if both are set.
+turn_secret_file = "/path/to/the/secret"
+
 # If you have your TURN server configured to use a username and password
 # you can provide these information too. In this case comment out `turn_secret above`!
 #turn_username = ""
diff --git a/src/config/mod.rs b/src/config/mod.rs
index 378ab929..34320102 100644
--- a/src/config/mod.rs
+++ b/src/config/mod.rs
@@ -80,6 +80,8 @@ pub struct Config {
 pub turn_uris: Vec,
 #[serde(default)]
 pub turn_secret: String,
+ #[serde(default)]
+ pub turn_secret_file: String,
 #[serde(default = "default_turn_ttl")]
 pub turn_ttl: u64,
@@ -215,10 +217,12 @@ impl fmt::Display for Config {
 }
 }),
 ("TURN secret", {
- if self.turn_secret.is_empty() {
- "not set"
- } else {
+ if !self.turn_secret.is_empty() {
 "set"
+ } else if !self.turn_secret_file.is_empty() {
+ &format!("set in {}", self.turn_secret_file)
+ } else {
+ "not set"
 }
 }),
 ("Turn TTL", &self.turn_ttl.to_string()),
diff --git a/src/service/globals/mod.rs b/src/service/globals/mod.rs
index 3325e518..3529d94b 100644
--- a/src/service/globals/mod.rs
+++ b/src/service/globals/mod.rs
@@ -33,7 +33,7 @@ use std::{
 };
 use tokio::sync::{broadcast, watch::Receiver, Mutex, RwLock, Semaphore};
 use tower_service::Service as TowerService;
-use tracing::{error, info};
+use tracing::{error, info, warn};
 use base64::{engine::general_purpose, Engine as _};
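Review bot: The new `turn_secret_file` field in the `pub struct Config` hunk carries no doc comment, so the precedence rule (a non-empty `turn_secret` wins, per the `turn_secret()` change in this same patch) lives only in docs/turn.md and not next to the field a maintainer will edit; add `/// Path to a file whose contents are used as the TURN secret; ignored when turn_secret is non-empty.` above the `#[serde(default)]`. It would also be worth stating there that the file is read at call time rather than at config load, since nothing in `Config` validates the path. The struct's remaining fields are outside the hunk.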
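Review bot: In the `impl fmt::Display for Config` hunk, `&format!("set in {}", self.turn_secret_file)` reports the secret as set based only on the path being non-empty, without checking that the file exists or is readable, so the config summary can say "set in /path" while every later `turn_secret()` call logs a read failure and falls back to an empty string. If readability is validated once at config load, this branch can stay as is; otherwise consider wording it `"configured from file"` so the summary does not overstate what was verified. The `&format!(...)` borrow of a temporary in an `if` branch follows the `&self.turn_ttl.to_string()` pattern already visible on the last context line, so it is consistent with the file, though it only compiles because the enclosing `let` (outside the hunk) extends the temporary's lifetime.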
@@ -372,8 +372,21 @@ impl Service {
 &self.config.turn_username
 }
- pub fn turn_secret(&self) -> &String {
- &self.config.turn_secret
+ pub fn turn_secret(&self) -> String {
+ if !self.config.turn_secret.is_empty() || self.config.turn_secret_file.is_empty() {
+ return self.config.turn_secret.clone();
+ }
+
+ match fs::read_to_string(&self.config.turn_secret_file) {
+ Ok(turn_secret) => turn_secret,
+ Err(e) => {
+ warn!(
+ "Could not read from \"{}\": {e}",
+ &self.config.turn_secret_file
+ );
+ String::default()
+ }
+ }
 }
 pub fn emergency_password(&self) -> &Option {
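Review bot: `Ok(turn_secret) => turn_secret` returns the file contents verbatim, so a secret file ending in a newline (the normal result of an editor or a shell redirect) yields a key with a trailing `\n` that will not match the static-auth-secret configured on the TURN server, and the mismatch is invisible in logs; change it to `Ok(turn_secret) => turn_secret.trim_end().to_owned(),`. On a read error the `Err(e)` arm only warns and returns `String::default()`, so callers (not visible here, presumably deriving TURN credentials) keep producing output from an empty key on every request instead of the misconfiguration surfacing once; since the path is static config, checking readability at startup, or returning `Option<String>` from this method, would be the safer contract. The file is re-read on every call, which allows rotation without a restart but also means a filesystem read per invocation — worth a one-line comment stating that this is intended. I cannot tell from the hunk whether `fs` is already in the `use std::{…}` list, as the import hunk above only adds `warn`.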