TURN refresh hardening + ChannelBind/CreatePermission timer fix

[Copilot]

TL;DR

This PR fixes a long-standing class of TURN allocation bugs in libnice that caused relay candidates to silently stop refreshing — eventually killing media flow on long calls — and a related shutdown crash. The root causes were:

1. Refresh timers attached to the wrong GMainContext — they ran but could not be cancelled, leaking sources and crashing on socket close with Source ID … not found.
2. Stale-NONCE retries on TURN Refresh were mishandled — the rotated NONCE was not propagated to the TURN socket's credential cache, the cached 200 OK ALLOCATE response was stale, retries were unbounded, and on exhaustion the periodic Refresh GSource was torn down entirely, so a single bad cycle silently killed the allocation forever.
3. No way to exercise the Refresh path in CI — the RFC-derived schedule is minutes long, so the bug never surfaced in unit tests.

The PR is split into logically-grouped commits, ships three new regression tests, and adds descriptive GST_INFO/GST_WARNING logs around every suspicious branch so future failures are diagnosable from a single log.

---

Why managers should care

• Symptom: Long WebRTC calls would lose their relay path (Pexip-hosted TURN), causing one-way audio/video or full call drop. Reproducible only in production / long-running soak tests.
• Blast radius: Any deployment that relies on TURN allocation Refresh — i.e. anything > ~10 minutes long behind symmetric NAT.
• Fix shape: Surgical, RFC-aligned changes to agent/conncheck.c and socket/turn.c. No public API changes, no behaviour change on the happy path.
• Confidence: Three new unit tests cover the previously-untested code paths; full validation (Code Review + CodeQL) is clean.

---

Why developers should care — root causes & fixes

1. GMainContext mix-up on TURN socket timers (socket/turn.c)

• TURN binding/permission/channel-bind refresh timers were created against agent->main_context, but the cleanup path tried to remove them from priv->ctx (the socket's own context). g_source_remove_by_user_data() therefore returned NULL → GLib-CRITICAL **: Source ID … not found and on shutdown a crash.
• Fix: all socket-owned timers are now attached to priv->ctx consistently. Lowered channel-bind refresh to 240 s (was 540) to stay safely below the 600 s server lifetime.
• Diagnostic log added when priv_source_remove_with_context finds no source — flushes out any remaining mismatches in CI.
• Commits: b5bb7f2, dcc6af9, 1b829d7, a099a24.

2. Stale-NONCE handling on allocation Refresh (agent/conncheck.c, socket/turn.c)

The server rotates NONCE periodically (RFC 5389 §10.2). Our handling was broken in four ways; each commit fixes one:

• Cache realm/nonce on the TURN socket so subsequent Refresh requests use the rotated credentials, not the original ALLOCATE ones. (84b2e48)
• Propagate the rotated NONCE back into the TURN socket's credential cache when conncheck.c receives a 438. Without this, the next Refresh attempt repeats the stale value and the server replies 438 again — forever. (995c318)
• Cache the 200 OK ALLOCATE response so the very first Refresh uses the freshest credentials available, not whatever was in cdisco->stun_resp_msg at allocation time. (e242069)
• Cap consecutive stale-NONCE retries at 5 (was unbounded). After exhaustion, re-arm the periodic Refresh timer instead of removing the candidate — the original behaviour killed the allocation on a single bad nonce-rotation cycle. (14f589d → 5313ce6 for the cap, 3c82a14 for tear-down, then 07f0549 superseding it with the safer re-arm.)

3. Refresh-interval scheduling & test ergonomics (agent/conncheck.c)

• Added NICE_TURN_EXPIRE_TIMEOUT test-only env knob, sibling to the existing NICE_TURN_BINDING_TIMEOUT / NICE_TURN_PERMISSION_TIMEOUT knobs in socket/turn.c. Lets unit tests drive the Refresh path in seconds instead of minutes. NOT public API. (6415153)
• Made it re-readable on every refresh-interval computation rather than cached via g_once_init_enter — the cache caused the knob to be silently ignored if any earlier code path in the same process evaluated the helper before g_setenv() ran. (efc1453)
• Added a GST_WARNING when allocation succeeds but discovery_add_relay_candidate() returns NULL — that's the silent branch where priv_add_new_turn_refresh() is skipped and no Refresh is ever scheduled. (efc1453)

4. Idempotent allocation release (agent/conncheck.c)

• TURN release (Refresh with LIFETIME=0) was being sent on every refresh tick after teardown. Now sent exactly once. (228dd34)

5. Misc correctness drive-bys

• Round-2 fixes from earlier review: suppress fatal allocation-failure signal when sibling refreshes are still alive; per-candidate identity in logs. (53c7298, f46d0ac, f01167b)
• socket/tcp-bsd.c: parenthesisation fix.
• agent/agent.c: format-string argument fix.
• agent/conncheck.c: ms overflow fix in scheduling math. (b12e38b)

---

Diagnostics added throughout

Every fix above is paired with a GST_INFO or GST_WARNING at the decision point (allocation succeeds, refresh tick fires, stale-nonce counter increments, source removal finds nothing, relay candidate is dropped, etc.). The goal is that the next time a similar issue appears in the field, the log alone is enough to identify which of the A/B/C variants is occurring without needing a packet capture.

---

Tests added (tests/)

• test-mainctx-cross-thread.c — regression test for the GMainContext mix-up bug. Runs the agent on a non-default main context and asserts that socket close completes without Source ID not found warnings.
• test-turn-refresh-interval.c — invariant tests for priv_turn_lifetime_to_refresh_interval(): never returns 0, always strictly less than the granted lifetime, monotonic in lifetime, honours the env override.
• test-turn-timeout-env.c — exercises NICE_TURN_BINDING_TIMEOUT, NICE_TURN_PERMISSION_TIMEOUT, and NICE_TURN_EXPIRE_TIMEOUT knobs end-to-end, including the new "re-readable" semantics.
• All three wired into tests/meson.build. (Autotools wiring intentionally not added — the tree's autotools build requires Python 2 which is end-of-life; meson is the supported build path.)

---

Files changed

File	Why
agent/conncheck.c (+450/-90)	Core of the Refresh / stale-nonce / scheduling fixes
agent/discovery.{c,h}	Surface cached realm/nonce + 200 OK to the refresh path
agent/agent.c, agent/agent-priv.h, agent/conncheck.h	Minor signature / format-arg fixes
socket/turn.{c,h} (+250/-25)	GMainContext fix, credential cache hooks, env knobs
socket/tcp-bsd.c	Parenthesisation fix
tests/test-mainctx-cross-thread.c (new)	GMainContext regression test
tests/test-turn-refresh-interval.c (new)	Refresh-interval invariants
tests/test-turn-timeout-env.c (new)	Env knob end-to-end test
tests/meson.build, meson.build	Wire up new tests

---

Checklist

• Root-cause GMainContext mix-up on TURN socket timers; fix and add diagnostic log
• Cache realm/nonce on the TURN socket; add test-only timeout knobs
• Cache 200 OK ALLOCATE response so first Refresh uses fresh NONCE
• Propagate Refresh-rotated NONCE back to TURN socket credential cache
• Cap consecutive stale-nonce retries at 5
• Re-arm periodic Refresh on stale-nonce exhaustion (instead of tearing down)
• Send TURN LIFETIME=0 release exactly once
• Honour NICE_TURN_EXPIRE_TIMEOUT for ALLOCATE refresh scheduling
• Make NICE_TURN_EXPIRE_TIMEOUT re-readable per refresh-interval computation
• Warn when allocation succeeds but no relay candidate is created
• Suppress fatal allocation-failure signal when siblings are alive
• Add regression tests: mainctx cross-thread, refresh-interval invariants, timeout env knobs
• Wire new tests into tests/meson.build
• Drive-by fixes: ms overflow in scheduling, tcp-bsd parens, agent.c format args
• Address review feedback (rounds 1 & 2)
• Validation: Code Review ✅ no comments, CodeQL ✅ no alerts

[Copilot]

Pull request overview

Copilot reviewed 14 out of 14 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[bitflows]

LGTM, with one remark.