2004-01-29 01:02:12 +00:00
|
|
|
/* Icecast
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed under the GNU General Public License, version 2.
|
|
|
|
|
* A copy of this license is included with this source.
|
|
|
|
|
*
|
|
|
|
|
* Copyright 2000-2004, Jack Moffitt <jack@xiph.org,
|
|
|
|
|
* Michael Smith <msmith@xiph.org>,
|
|
|
|
|
* oddsock <oddsock@xiph.org>,
|
|
|
|
|
* Karl Heyes <karl@xiph.org>
|
|
|
|
|
* and others (see AUTHORS for details).
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
* Copyright 2011, Dave 'justdave' Miller <justdave@mozilla.com>,
|
|
|
|
|
* Copyright 2011-2014, Philipp "ph3-der-loewe" Schafft <lion@lion.leolix.org>,
|
2004-01-29 01:02:12 +00:00
|
|
|
*/
|
|
|
|
|
|
2003-03-27 17:10:14 +00:00
|
|
|
/* -*- c-basic-offset: 4; indent-tabs-mode: nil; -*- */
|
2003-07-21 01:58:54 +00:00
|
|
|
#ifdef HAVE_CONFIG_H
|
|
|
|
|
#include <config.h>
|
|
|
|
|
#endif
|
|
|
|
|
|
2001-09-10 02:21:46 +00:00
|
|
|
#include <stdio.h>
|
|
|
|
|
#include <stdlib.h>
|
2007-11-15 15:12:21 +00:00
|
|
|
#include <errno.h>
|
2001-09-10 02:21:46 +00:00
|
|
|
#include <string.h>
|
2003-03-09 11:27:06 +00:00
|
|
|
#ifdef HAVE_POLL
|
|
|
|
|
#include <sys/poll.h>
|
|
|
|
|
#endif
|
2007-10-23 22:25:31 +00:00
|
|
|
#include <sys/types.h>
|
|
|
|
|
#include <sys/stat.h>
|
2001-10-20 06:43:04 +00:00
|
|
|
|
|
|
|
|
#ifndef _WIN32
|
2001-09-10 02:21:46 +00:00
|
|
|
#include <sys/socket.h>
|
|
|
|
|
#include <netinet/in.h>
|
2001-10-20 06:43:04 +00:00
|
|
|
#else
|
2002-02-07 01:04:09 +00:00
|
|
|
#include <winsock2.h>
|
2001-10-20 06:43:04 +00:00
|
|
|
#define snprintf _snprintf
|
|
|
|
|
#define strcasecmp stricmp
|
2002-02-07 01:04:09 +00:00
|
|
|
#define strncasecmp strnicmp
|
2001-10-20 06:43:04 +00:00
|
|
|
#endif
|
2001-09-10 02:21:46 +00:00
|
|
|
|
2005-12-17 12:41:34 +00:00
|
|
|
#include "compat.h"
|
2001-09-10 02:21:46 +00:00
|
|
|
|
2003-07-16 19:41:59 +00:00
|
|
|
#include "thread/thread.h"
|
|
|
|
|
#include "avl/avl.h"
|
|
|
|
|
#include "net/sock.h"
|
|
|
|
|
#include "httpp/httpp.h"
|
2001-09-10 02:21:46 +00:00
|
|
|
|
2003-07-21 01:58:54 +00:00
|
|
|
#include "cfgfile.h"
|
2001-09-10 02:21:46 +00:00
|
|
|
#include "global.h"
|
|
|
|
|
#include "util.h"
|
|
|
|
|
#include "connection.h"
|
|
|
|
|
#include "refbuf.h"
|
|
|
|
|
#include "client.h"
|
|
|
|
|
#include "stats.h"
|
|
|
|
|
#include "logging.h"
|
2002-08-09 06:52:07 +00:00
|
|
|
#include "xslt.h"
|
2002-08-18 05:06:58 +00:00
|
|
|
#include "fserve.h"
|
2003-07-24 23:45:29 +00:00
|
|
|
#include "sighandler.h"
|
2003-02-02 14:33:47 +00:00
|
|
|
|
|
|
|
|
#include "yp.h"
|
2001-09-10 02:21:46 +00:00
|
|
|
#include "source.h"
|
2002-12-30 07:55:56 +00:00
|
|
|
#include "format.h"
|
2002-12-31 06:28:39 +00:00
|
|
|
#include "format_mp3.h"
|
2003-03-05 13:03:35 +00:00
|
|
|
#include "event.h"
|
2003-03-06 14:17:33 +00:00
|
|
|
#include "admin.h"
|
2004-01-15 01:01:09 +00:00
|
|
|
#include "auth.h"
|
2001-09-10 02:21:46 +00:00
|
|
|
|
|
|
|
|
#define CATMODULE "connection"
|
|
|
|
|
|
2004-11-11 15:47:33 +00:00
|
|
|
/* Two different major types of source authentication.
|
|
|
|
|
Shoutcast style is used only by the Shoutcast DSP
|
|
|
|
|
and is a crazy version of HTTP. It looks like :
|
|
|
|
|
Source Client -> Connects to port + 1
|
|
|
|
|
Source Client -> sends encoder password (plaintext)\r\n
|
|
|
|
|
Icecast -> reads encoder password, if ok, sends OK2\r\n, else disconnects
|
|
|
|
|
Source Client -> reads OK2\r\n, then sends http-type request headers
|
|
|
|
|
that contain the stream details (icy-name, etc..)
|
|
|
|
|
Icecast -> reads headers, stores them
|
|
|
|
|
Source Client -> starts sending MP3 data
|
|
|
|
|
Source Client -> periodically updates metadata via admin.cgi call
|
|
|
|
|
|
|
|
|
|
Icecast auth style uses HTTP and Basic Authorization.
|
|
|
|
|
*/
|
|
|
|
|
|
2005-08-11 23:29:58 +00:00
|
|
|
typedef struct client_queue_tag {
|
|
|
|
|
client_t *client;
|
|
|
|
|
int offset;
|
|
|
|
|
int stream_offset;
|
|
|
|
|
int shoutcast;
|
2007-10-25 02:25:49 +00:00
|
|
|
char *shoutcast_mount;
|
2005-08-11 23:29:58 +00:00
|
|
|
struct client_queue_tag *next;
|
|
|
|
|
} client_queue_t;
|
2001-09-10 02:21:46 +00:00
|
|
|
|
|
|
|
|
typedef struct _thread_queue_tag {
|
2003-03-15 02:10:19 +00:00
|
|
|
thread_type *thread_id;
|
|
|
|
|
struct _thread_queue_tag *next;
|
2001-09-10 02:21:46 +00:00
|
|
|
} thread_queue_t;
|
|
|
|
|
|
2007-10-23 22:25:31 +00:00
|
|
|
typedef struct
|
|
|
|
|
{
|
|
|
|
|
char *filename;
|
|
|
|
|
time_t file_recheck;
|
|
|
|
|
time_t file_mtime;
|
|
|
|
|
avl_tree *contents;
|
|
|
|
|
} cache_file_contents;
|
|
|
|
|
|
2012-07-17 14:03:37 +00:00
|
|
|
static spin_t _connection_lock; // protects _current_id, _con_queue, _con_queue_tail
|
2004-10-26 16:31:16 +00:00
|
|
|
static volatile unsigned long _current_id = 0;
|
2001-09-10 02:21:46 +00:00
|
|
|
static int _initialized = 0;
|
|
|
|
|
|
2005-08-11 23:29:58 +00:00
|
|
|
static volatile client_queue_t *_req_queue = NULL, **_req_queue_tail = &_req_queue;
|
|
|
|
|
static volatile client_queue_t *_con_queue = NULL, **_con_queue_tail = &_con_queue;
|
2007-08-29 03:51:22 +00:00
|
|
|
static int ssl_ok;
|
|
|
|
|
#ifdef HAVE_OPENSSL
|
|
|
|
|
static SSL_CTX *ssl_ctx;
|
|
|
|
|
#endif
|
|
|
|
|
|
2007-10-23 22:25:31 +00:00
|
|
|
/* filtering client connection based on IP */
|
2012-10-10 22:48:15 +00:00
|
|
|
static cache_file_contents banned_ip, allowed_ip;
|
2007-10-23 22:25:31 +00:00
|
|
|
|
2002-08-05 14:48:04 +00:00
|
|
|
rwlock_t _source_shutdown_rwlock;
|
2001-09-10 02:21:46 +00:00
|
|
|
|
2008-07-22 02:24:30 +00:00
|
|
|
static void _handle_connection(void);
|
2001-09-10 02:21:46 +00:00
|
|
|
|
2007-10-23 22:25:31 +00:00
|
|
|
static int compare_ip (void *arg, void *a, void *b)
|
|
|
|
|
{
|
|
|
|
|
const char *ip = (const char *)a;
|
|
|
|
|
const char *pattern = (const char *)b;
|
|
|
|
|
|
|
|
|
|
return strcmp (pattern, ip);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static int free_filtered_ip (void*x)
|
|
|
|
|
{
|
|
|
|
|
free (x);
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2001-09-10 02:21:46 +00:00
|
|
|
void connection_initialize(void)
|
|
|
|
|
{
|
2003-03-15 02:10:19 +00:00
|
|
|
if (_initialized) return;
|
|
|
|
|
|
2009-01-09 03:18:03 +00:00
|
|
|
thread_spin_create (&_connection_lock);
|
2004-01-29 16:46:54 +00:00
|
|
|
thread_mutex_create(&move_clients_mutex);
|
2003-03-15 02:10:19 +00:00
|
|
|
thread_rwlock_create(&_source_shutdown_rwlock);
|
2002-08-05 14:48:04 +00:00
|
|
|
thread_cond_create(&global.shutdown_cond);
|
2006-03-15 02:30:26 +00:00
|
|
|
_req_queue = NULL;
|
|
|
|
|
_req_queue_tail = &_req_queue;
|
|
|
|
|
_con_queue = NULL;
|
|
|
|
|
_con_queue_tail = &_con_queue;
|
2001-09-10 02:21:46 +00:00
|
|
|
|
2007-10-23 22:25:31 +00:00
|
|
|
banned_ip.contents = NULL;
|
|
|
|
|
banned_ip.file_mtime = 0;
|
|
|
|
|
|
|
|
|
|
allowed_ip.contents = NULL;
|
|
|
|
|
allowed_ip.file_mtime = 0;
|
|
|
|
|
|
2003-03-15 02:10:19 +00:00
|
|
|
_initialized = 1;
|
2001-09-10 02:21:46 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void connection_shutdown(void)
|
|
|
|
|
{
|
2003-03-15 02:10:19 +00:00
|
|
|
if (!_initialized) return;
|
|
|
|
|
|
2007-08-29 03:51:22 +00:00
|
|
|
#ifdef HAVE_OPENSSL
|
|
|
|
|
SSL_CTX_free (ssl_ctx);
|
|
|
|
|
#endif
|
2007-10-23 22:25:31 +00:00
|
|
|
if (banned_ip.contents) avl_tree_free (banned_ip.contents, free_filtered_ip);
|
|
|
|
|
if (allowed_ip.contents) avl_tree_free (allowed_ip.contents, free_filtered_ip);
|
|
|
|
|
|
2002-08-05 14:48:04 +00:00
|
|
|
thread_cond_destroy(&global.shutdown_cond);
|
2003-03-15 02:10:19 +00:00
|
|
|
thread_rwlock_destroy(&_source_shutdown_rwlock);
|
2009-01-09 03:18:03 +00:00
|
|
|
thread_spin_destroy (&_connection_lock);
|
2004-01-29 16:46:54 +00:00
|
|
|
thread_mutex_destroy(&move_clients_mutex);
|
2001-09-10 02:21:46 +00:00
|
|
|
|
2003-03-15 02:10:19 +00:00
|
|
|
_initialized = 0;
|
2001-09-10 02:21:46 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static unsigned long _next_connection_id(void)
|
|
|
|
|
{
|
2003-03-15 02:10:19 +00:00
|
|
|
unsigned long id;
|
2001-09-10 02:21:46 +00:00
|
|
|
|
2014-11-30 20:32:30 +00:00
|
|
|
thread_spin_lock(&_connection_lock);
|
2003-03-15 02:10:19 +00:00
|
|
|
id = _current_id++;
|
2014-11-30 20:32:30 +00:00
|
|
|
thread_spin_unlock(&_connection_lock);
|
2001-09-10 02:21:46 +00:00
|
|
|
|
2003-03-15 02:10:19 +00:00
|
|
|
return id;
|
2001-09-10 02:21:46 +00:00
|
|
|
}
|
|
|
|
|
|
2007-08-29 03:51:22 +00:00
|
|
|
|
|
|
|
|
#ifdef HAVE_OPENSSL
|
2007-10-22 02:29:49 +00:00
|
|
|
static void get_ssl_certificate (ice_config_t *config)
|
2007-08-29 03:51:22 +00:00
|
|
|
{
|
|
|
|
|
SSL_METHOD *method;
|
2011-11-25 22:12:11 +00:00
|
|
|
long ssl_opts;
|
2007-08-29 03:51:22 +00:00
|
|
|
ssl_ok = 0;
|
|
|
|
|
|
2014-11-30 20:32:30 +00:00
|
|
|
SSL_load_error_strings(); /* readable error messages */
|
|
|
|
|
SSL_library_init(); /* initialize library */
|
2007-08-29 03:51:22 +00:00
|
|
|
|
|
|
|
|
method = SSLv23_server_method();
|
|
|
|
|
ssl_ctx = SSL_CTX_new (method);
|
2011-11-25 22:12:11 +00:00
|
|
|
ssl_opts = SSL_CTX_get_options (ssl_ctx);
|
2014-11-03 19:34:10 +00:00
|
|
|
#ifdef SSL_OP_NO_COMPRESSION
|
|
|
|
|
SSL_CTX_set_options (ssl_ctx, ssl_opts|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_COMPRESSION);
|
|
|
|
|
#else
|
|
|
|
|
SSL_CTX_set_options (ssl_ctx, ssl_opts|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
|
|
|
|
|
#endif
|
2007-08-29 03:51:22 +00:00
|
|
|
|
|
|
|
|
do
|
|
|
|
|
{
|
|
|
|
|
if (config->cert_file == NULL)
|
|
|
|
|
break;
|
2011-11-25 22:12:11 +00:00
|
|
|
if (SSL_CTX_use_certificate_chain_file (ssl_ctx, config->cert_file) <= 0)
|
2007-08-29 03:51:22 +00:00
|
|
|
{
|
2014-10-31 08:46:58 +00:00
|
|
|
ICECAST_LOG_WARN("Invalid cert file %s", config->cert_file);
|
2007-08-29 03:51:22 +00:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
if (SSL_CTX_use_PrivateKey_file (ssl_ctx, config->cert_file, SSL_FILETYPE_PEM) <= 0)
|
|
|
|
|
{
|
2014-10-31 08:46:58 +00:00
|
|
|
ICECAST_LOG_WARN("Invalid private key file %s", config->cert_file);
|
2007-08-29 03:51:22 +00:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
if (!SSL_CTX_check_private_key (ssl_ctx))
|
|
|
|
|
{
|
2014-10-31 08:46:58 +00:00
|
|
|
ICECAST_LOG_ERROR("Invalid %s - Private key does not match cert public key", config->cert_file);
|
2007-08-29 03:51:22 +00:00
|
|
|
break;
|
|
|
|
|
}
|
2011-11-25 22:12:11 +00:00
|
|
|
if (SSL_CTX_set_cipher_list(ssl_ctx, config->cipher_list) <= 0)
|
|
|
|
|
{
|
2014-10-31 08:46:58 +00:00
|
|
|
ICECAST_LOG_WARN("Invalid cipher list: %s", config->cipher_list);
|
2011-11-25 22:12:11 +00:00
|
|
|
}
|
2007-08-29 03:51:22 +00:00
|
|
|
ssl_ok = 1;
|
2014-10-31 08:46:58 +00:00
|
|
|
ICECAST_LOG_INFO("SSL certificate found at %s", config->cert_file);
|
|
|
|
|
ICECAST_LOG_INFO("SSL using ciphers %s", config->cipher_list);
|
2007-10-22 02:29:49 +00:00
|
|
|
return;
|
2007-08-29 03:51:22 +00:00
|
|
|
} while (0);
|
2014-10-31 08:46:58 +00:00
|
|
|
ICECAST_LOG_INFO("No SSL capability on any configured ports");
|
2007-08-29 03:51:22 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* handlers for reading and writing a connection_t when there is ssl
|
|
|
|
|
* configured on the listening port
|
|
|
|
|
*/
|
|
|
|
|
static int connection_read_ssl (connection_t *con, void *buf, size_t len)
|
|
|
|
|
{
|
|
|
|
|
int bytes = SSL_read (con->ssl, buf, len);
|
|
|
|
|
|
|
|
|
|
if (bytes < 0)
|
|
|
|
|
{
|
|
|
|
|
switch (SSL_get_error (con->ssl, bytes))
|
|
|
|
|
{
|
|
|
|
|
case SSL_ERROR_WANT_READ:
|
|
|
|
|
case SSL_ERROR_WANT_WRITE:
|
2014-11-30 20:32:30 +00:00
|
|
|
return -1;
|
2007-08-29 03:51:22 +00:00
|
|
|
}
|
|
|
|
|
con->error = 1;
|
|
|
|
|
}
|
|
|
|
|
return bytes;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int connection_send_ssl (connection_t *con, const void *buf, size_t len)
|
|
|
|
|
{
|
|
|
|
|
int bytes = SSL_write (con->ssl, buf, len);
|
|
|
|
|
|
|
|
|
|
if (bytes < 0)
|
|
|
|
|
{
|
|
|
|
|
switch (SSL_get_error (con->ssl, bytes))
|
|
|
|
|
{
|
|
|
|
|
case SSL_ERROR_WANT_READ:
|
|
|
|
|
case SSL_ERROR_WANT_WRITE:
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
con->error = 1;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
con->sent_bytes += bytes;
|
|
|
|
|
return bytes;
|
|
|
|
|
}
|
|
|
|
|
#else
|
|
|
|
|
|
|
|
|
|
/* SSL not compiled in, so at least log it */
|
2014-11-30 20:32:30 +00:00
|
|
|
static void get_ssl_certificate(ice_config_t *config)
|
2007-08-29 03:51:22 +00:00
|
|
|
{
|
|
|
|
|
ssl_ok = 0;
|
2014-10-31 08:46:58 +00:00
|
|
|
ICECAST_LOG_INFO("No SSL capability");
|
2007-08-29 03:51:22 +00:00
|
|
|
}
|
|
|
|
|
#endif /* HAVE_OPENSSL */
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* handlers (default) for reading and writing a connection_t, no encrpytion
|
|
|
|
|
* used just straight access to the socket
|
|
|
|
|
*/
|
|
|
|
|
static int connection_read (connection_t *con, void *buf, size_t len)
|
|
|
|
|
{
|
|
|
|
|
int bytes = sock_read_bytes (con->sock, buf, len);
|
|
|
|
|
if (bytes == 0)
|
|
|
|
|
con->error = 1;
|
|
|
|
|
if (bytes == -1 && !sock_recoverable (sock_error()))
|
|
|
|
|
con->error = 1;
|
|
|
|
|
return bytes;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int connection_send (connection_t *con, const void *buf, size_t len)
|
|
|
|
|
{
|
|
|
|
|
int bytes = sock_write_bytes (con->sock, buf, len);
|
|
|
|
|
if (bytes < 0)
|
|
|
|
|
{
|
|
|
|
|
if (!sock_recoverable (sock_error()))
|
|
|
|
|
con->error = 1;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
con->sent_bytes += bytes;
|
|
|
|
|
return bytes;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2007-10-23 22:25:31 +00:00
|
|
|
/* function to handle the re-populating of the avl tree containing IP addresses
|
|
|
|
|
* for deciding whether a connection of an incoming request is to be dropped.
|
|
|
|
|
*/
|
2014-11-30 20:32:30 +00:00
|
|
|
static void recheck_ip_file(cache_file_contents *cache)
|
2007-10-23 22:25:31 +00:00
|
|
|
{
|
|
|
|
|
time_t now = time(NULL);
|
|
|
|
|
if (now >= cache->file_recheck)
|
|
|
|
|
{
|
|
|
|
|
struct stat file_stat;
|
|
|
|
|
FILE *file = NULL;
|
|
|
|
|
int count = 0;
|
|
|
|
|
avl_tree *new_ips;
|
|
|
|
|
char line [MAX_LINE_LEN];
|
|
|
|
|
|
|
|
|
|
cache->file_recheck = now + 10;
|
|
|
|
|
if (cache->filename == NULL)
|
|
|
|
|
{
|
|
|
|
|
if (cache->contents)
|
|
|
|
|
{
|
|
|
|
|
avl_tree_free (cache->contents, free_filtered_ip);
|
|
|
|
|
cache->contents = NULL;
|
|
|
|
|
}
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
if (stat (cache->filename, &file_stat) < 0)
|
|
|
|
|
{
|
2014-10-31 08:46:58 +00:00
|
|
|
ICECAST_LOG_WARN("failed to check status of \"%s\": %s", cache->filename, strerror(errno));
|
2007-10-23 22:25:31 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
if (file_stat.st_mtime == cache->file_mtime)
|
|
|
|
|
return; /* common case, no update to file */
|
|
|
|
|
|
|
|
|
|
cache->file_mtime = file_stat.st_mtime;
|
|
|
|
|
|
|
|
|
|
file = fopen (cache->filename, "r");
|
|
|
|
|
if (file == NULL)
|
|
|
|
|
{
|
2014-10-31 08:46:58 +00:00
|
|
|
ICECAST_LOG_WARN("Failed to open file \"%s\": %s", cache->filename, strerror (errno));
|
2007-10-23 22:25:31 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
new_ips = avl_tree_new (compare_ip, NULL);
|
|
|
|
|
|
|
|
|
|
while (get_line (file, line, MAX_LINE_LEN))
|
|
|
|
|
{
|
|
|
|
|
char *str;
|
|
|
|
|
if(!line[0] || line[0] == '#')
|
|
|
|
|
continue;
|
|
|
|
|
count++;
|
|
|
|
|
str = strdup (line);
|
|
|
|
|
if (str)
|
|
|
|
|
avl_insert (new_ips, str);
|
|
|
|
|
}
|
|
|
|
|
fclose (file);
|
2014-10-31 08:46:58 +00:00
|
|
|
ICECAST_LOG_INFO("%d entries read from file \"%s\"", count, cache->filename);
|
2007-10-23 22:25:31 +00:00
|
|
|
|
|
|
|
|
if (cache->contents) avl_tree_free (cache->contents, free_filtered_ip);
|
|
|
|
|
cache->contents = new_ips;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* return 0 if the passed ip address is not to be handled by icecast, non-zero otherwise */
|
2014-11-30 20:32:30 +00:00
|
|
|
static int accept_ip_address(char *ip)
|
2007-10-23 22:25:31 +00:00
|
|
|
{
|
|
|
|
|
void *result;
|
|
|
|
|
|
2014-11-30 20:32:30 +00:00
|
|
|
recheck_ip_file(&banned_ip);
|
|
|
|
|
recheck_ip_file(&allowed_ip);
|
2007-10-23 22:25:31 +00:00
|
|
|
|
|
|
|
|
if (banned_ip.contents)
|
|
|
|
|
{
|
|
|
|
|
if (avl_get_by_key (banned_ip.contents, ip, &result) == 0)
|
|
|
|
|
{
|
2014-10-31 08:46:58 +00:00
|
|
|
ICECAST_LOG_DEBUG("%s is banned", ip);
|
2007-10-23 22:25:31 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (allowed_ip.contents)
|
|
|
|
|
{
|
|
|
|
|
if (avl_get_by_key (allowed_ip.contents, ip, &result) == 0)
|
|
|
|
|
{
|
2014-10-31 08:46:58 +00:00
|
|
|
ICECAST_LOG_DEBUG("%s is allowed", ip);
|
2007-10-23 22:25:31 +00:00
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
2014-10-31 08:46:58 +00:00
|
|
|
ICECAST_LOG_DEBUG("%s is not allowed", ip);
|
2007-10-23 22:25:31 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2005-08-11 23:29:58 +00:00
|
|
|
connection_t *connection_create (sock_t sock, sock_t serversock, char *ip)
|
|
|
|
|
{
|
2003-03-15 02:10:19 +00:00
|
|
|
connection_t *con;
|
2005-08-11 23:29:58 +00:00
|
|
|
con = (connection_t *)calloc(1, sizeof(connection_t));
|
|
|
|
|
if (con)
|
|
|
|
|
{
|
|
|
|
|
con->sock = sock;
|
|
|
|
|
con->serversock = serversock;
|
|
|
|
|
con->con_time = time(NULL);
|
|
|
|
|
con->id = _next_connection_id();
|
|
|
|
|
con->ip = ip;
|
2007-08-29 03:51:22 +00:00
|
|
|
con->read = connection_read;
|
|
|
|
|
con->send = connection_send;
|
2005-08-11 23:29:58 +00:00
|
|
|
}
|
2003-03-05 13:03:35 +00:00
|
|
|
|
2003-03-15 02:10:19 +00:00
|
|
|
return con;
|
2002-08-05 14:48:04 +00:00
|
|
|
}
|
|
|
|
|
|
2007-08-29 03:51:22 +00:00
|
|
|
/* prepare connection for interacting over a SSL connection
|
|
|
|
|
*/
|
2014-11-30 20:32:30 +00:00
|
|
|
void connection_uses_ssl(connection_t *con)
|
2007-08-29 03:51:22 +00:00
|
|
|
{
|
|
|
|
|
#ifdef HAVE_OPENSSL
|
|
|
|
|
con->read = connection_read_ssl;
|
|
|
|
|
con->send = connection_send_ssl;
|
|
|
|
|
con->ssl = SSL_new (ssl_ctx);
|
|
|
|
|
SSL_set_accept_state (con->ssl);
|
|
|
|
|
SSL_set_fd (con->ssl, con->sock);
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
2007-10-24 22:42:49 +00:00
|
|
|
static sock_t wait_for_serversock(int timeout)
|
2003-03-09 11:27:06 +00:00
|
|
|
{
|
|
|
|
|
#ifdef HAVE_POLL
|
2007-10-22 02:29:49 +00:00
|
|
|
struct pollfd ufds [global.server_sockets];
|
2003-03-09 11:27:06 +00:00
|
|
|
int i, ret;
|
|
|
|
|
|
|
|
|
|
for(i=0; i < global.server_sockets; i++) {
|
|
|
|
|
ufds[i].fd = global.serversock[i];
|
|
|
|
|
ufds[i].events = POLLIN;
|
|
|
|
|
ufds[i].revents = 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ret = poll(ufds, global.server_sockets, timeout);
|
|
|
|
|
if(ret < 0) {
|
2007-10-24 22:42:49 +00:00
|
|
|
return SOCK_ERROR;
|
2003-03-09 11:27:06 +00:00
|
|
|
}
|
|
|
|
|
else if(ret == 0) {
|
2007-10-24 22:42:49 +00:00
|
|
|
return SOCK_ERROR;
|
2003-03-09 11:27:06 +00:00
|
|
|
}
|
|
|
|
|
else {
|
2003-06-20 18:50:24 +00:00
|
|
|
int dst;
|
2003-03-09 11:27:06 +00:00
|
|
|
for(i=0; i < global.server_sockets; i++) {
|
2003-06-20 18:50:24 +00:00
|
|
|
if(ufds[i].revents & POLLIN)
|
2003-03-09 11:27:06 +00:00
|
|
|
return ufds[i].fd;
|
2003-06-20 18:50:24 +00:00
|
|
|
if(ufds[i].revents & (POLLHUP|POLLERR|POLLNVAL))
|
|
|
|
|
{
|
|
|
|
|
if (ufds[i].revents & (POLLHUP|POLLERR))
|
|
|
|
|
{
|
2007-10-24 22:42:49 +00:00
|
|
|
sock_close (global.serversock[i]);
|
2014-10-31 08:46:58 +00:00
|
|
|
ICECAST_LOG_WARN("Had to close a listening socket");
|
2003-06-20 18:50:24 +00:00
|
|
|
}
|
2007-10-24 22:42:49 +00:00
|
|
|
global.serversock[i] = SOCK_ERROR;
|
2003-06-20 18:50:24 +00:00
|
|
|
}
|
2003-03-09 11:27:06 +00:00
|
|
|
}
|
2003-06-20 18:50:24 +00:00
|
|
|
/* remove any closed sockets */
|
|
|
|
|
for(i=0, dst=0; i < global.server_sockets; i++)
|
|
|
|
|
{
|
2007-10-24 22:42:49 +00:00
|
|
|
if (global.serversock[i] == SOCK_ERROR)
|
2014-11-30 20:32:30 +00:00
|
|
|
continue;
|
2003-06-20 18:50:24 +00:00
|
|
|
if (i!=dst)
|
2014-11-30 20:32:30 +00:00
|
|
|
global.serversock[dst] = global.serversock[i];
|
2003-06-20 18:50:24 +00:00
|
|
|
dst++;
|
|
|
|
|
}
|
|
|
|
|
global.server_sockets = dst;
|
2007-10-24 22:42:49 +00:00
|
|
|
return SOCK_ERROR;
|
2003-03-09 11:27:06 +00:00
|
|
|
}
|
|
|
|
|
#else
|
|
|
|
|
fd_set rfds;
|
|
|
|
|
struct timeval tv, *p=NULL;
|
|
|
|
|
int i, ret;
|
2007-10-24 22:42:49 +00:00
|
|
|
sock_t max = SOCK_ERROR;
|
2003-03-09 11:27:06 +00:00
|
|
|
|
|
|
|
|
FD_ZERO(&rfds);
|
|
|
|
|
|
|
|
|
|
for(i=0; i < global.server_sockets; i++) {
|
|
|
|
|
FD_SET(global.serversock[i], &rfds);
|
2007-10-24 22:42:49 +00:00
|
|
|
if (max == SOCK_ERROR || global.serversock[i] > max)
|
2003-03-09 11:27:06 +00:00
|
|
|
max = global.serversock[i];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if(timeout >= 0) {
|
|
|
|
|
tv.tv_sec = timeout/1000;
|
2003-03-12 05:40:45 +00:00
|
|
|
tv.tv_usec = (timeout % 1000) * 1000;
|
2003-03-09 11:27:06 +00:00
|
|
|
p = &tv;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ret = select(max+1, &rfds, NULL, NULL, p);
|
|
|
|
|
if(ret < 0) {
|
2007-10-24 22:42:49 +00:00
|
|
|
return SOCK_ERROR;
|
2003-03-09 11:27:06 +00:00
|
|
|
}
|
|
|
|
|
else if(ret == 0) {
|
2007-10-24 22:42:49 +00:00
|
|
|
return SOCK_ERROR;
|
2003-03-09 11:27:06 +00:00
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
for(i=0; i < global.server_sockets; i++) {
|
|
|
|
|
if(FD_ISSET(global.serversock[i], &rfds))
|
|
|
|
|
return global.serversock[i];
|
|
|
|
|
}
|
2007-10-24 22:42:49 +00:00
|
|
|
return SOCK_ERROR; /* Should be impossible, stop compiler warnings */
|
2003-03-09 11:27:06 +00:00
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
2008-07-22 02:24:30 +00:00
|
|
|
static connection_t *_accept_connection(int duration)
|
2001-09-10 02:21:46 +00:00
|
|
|
{
|
2008-07-22 02:24:30 +00:00
|
|
|
sock_t sock, serversock;
|
2003-03-15 02:10:19 +00:00
|
|
|
char *ip;
|
2001-09-10 02:21:46 +00:00
|
|
|
|
2008-07-22 02:24:30 +00:00
|
|
|
serversock = wait_for_serversock (duration);
|
2007-10-24 22:42:49 +00:00
|
|
|
if (serversock == SOCK_ERROR)
|
2003-03-09 11:27:06 +00:00
|
|
|
return NULL;
|
2001-09-10 02:21:46 +00:00
|
|
|
|
2003-03-15 02:10:19 +00:00
|
|
|
/* malloc enough room for a full IP address (including ipv6) */
|
|
|
|
|
ip = (char *)malloc(MAX_ADDR_LEN);
|
2001-09-10 02:21:46 +00:00
|
|
|
|
2003-03-15 02:10:19 +00:00
|
|
|
sock = sock_accept(serversock, ip, MAX_ADDR_LEN);
|
2007-10-24 22:42:49 +00:00
|
|
|
if (sock != SOCK_ERROR)
|
2005-08-11 23:29:58 +00:00
|
|
|
{
|
2007-10-23 22:25:31 +00:00
|
|
|
connection_t *con = NULL;
|
2007-08-09 03:36:03 +00:00
|
|
|
/* Make any IPv4 mapped IPv6 address look like a normal IPv4 address */
|
|
|
|
|
if (strncmp (ip, "::ffff:", 7) == 0)
|
|
|
|
|
memmove (ip, ip+7, strlen (ip+7)+1);
|
2001-09-10 02:21:46 +00:00
|
|
|
|
2007-10-23 22:25:31 +00:00
|
|
|
if (accept_ip_address (ip))
|
|
|
|
|
con = connection_create (sock, serversock, ip);
|
2007-08-09 03:36:03 +00:00
|
|
|
if (con)
|
|
|
|
|
return con;
|
|
|
|
|
sock_close (sock);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
if (!sock_recoverable(sock_error()))
|
|
|
|
|
{
|
2014-10-31 08:46:58 +00:00
|
|
|
ICECAST_LOG_WARN("accept() failed with error %d: %s", sock_error(), strerror(sock_error()));
|
2007-08-09 03:36:03 +00:00
|
|
|
thread_sleep (500000);
|
|
|
|
|
}
|
2003-03-15 02:10:19 +00:00
|
|
|
}
|
|
|
|
|
free(ip);
|
|
|
|
|
return NULL;
|
2001-09-10 02:21:46 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2005-08-11 23:29:58 +00:00
|
|
|
/* add client to connection queue. At this point some header information
|
|
|
|
|
* has been collected, so we now pass it onto the connection thread for
|
|
|
|
|
* further processing
|
|
|
|
|
*/
|
2014-11-30 20:32:30 +00:00
|
|
|
static void _add_connection(client_queue_t *node)
|
2001-09-10 02:21:46 +00:00
|
|
|
{
|
2014-11-30 20:32:30 +00:00
|
|
|
thread_spin_lock(&_connection_lock);
|
2005-08-11 23:29:58 +00:00
|
|
|
*_con_queue_tail = node;
|
2014-11-30 20:32:30 +00:00
|
|
|
_con_queue_tail = (volatile client_queue_t **) &node->next;
|
|
|
|
|
thread_spin_unlock(&_connection_lock);
|
2001-09-10 02:21:46 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2005-08-11 23:29:58 +00:00
|
|
|
/* this returns queued clients for the connection thread. headers are
|
|
|
|
|
* already provided, but need to be parsed.
|
|
|
|
|
*/
|
|
|
|
|
static client_queue_t *_get_connection(void)
|
|
|
|
|
{
|
|
|
|
|
client_queue_t *node = NULL;
|
2001-09-10 02:21:46 +00:00
|
|
|
|
2012-07-17 14:03:37 +00:00
|
|
|
thread_spin_lock (&_connection_lock);
|
|
|
|
|
|
2005-08-11 23:29:58 +00:00
|
|
|
if (_con_queue)
|
|
|
|
|
{
|
|
|
|
|
node = (client_queue_t *)_con_queue;
|
|
|
|
|
_con_queue = node->next;
|
|
|
|
|
if (_con_queue == NULL)
|
|
|
|
|
_con_queue_tail = &_con_queue;
|
2007-08-09 02:51:53 +00:00
|
|
|
node->next = NULL;
|
2003-03-15 02:10:19 +00:00
|
|
|
}
|
2012-07-17 14:03:37 +00:00
|
|
|
|
|
|
|
|
thread_spin_unlock (&_connection_lock);
|
2005-08-11 23:29:58 +00:00
|
|
|
return node;
|
|
|
|
|
}
|
2001-09-10 02:21:46 +00:00
|
|
|
|
|
|
|
|
|
2005-08-11 23:29:58 +00:00
|
|
|
/* run along queue checking for any data that has come in or a timeout */
|
2005-12-17 12:23:09 +00:00
|
|
|
static void process_request_queue (void)
|
2005-08-11 23:29:58 +00:00
|
|
|
{
|
|
|
|
|
client_queue_t **node_ref = (client_queue_t **)&_req_queue;
|
|
|
|
|
ice_config_t *config = config_get_config ();
|
|
|
|
|
int timeout = config->header_timeout;
|
|
|
|
|
config_release_config();
|
2001-09-10 02:21:46 +00:00
|
|
|
|
2005-08-11 23:29:58 +00:00
|
|
|
while (*node_ref)
|
|
|
|
|
{
|
|
|
|
|
client_queue_t *node = *node_ref;
|
|
|
|
|
client_t *client = node->client;
|
|
|
|
|
int len = PER_CLIENT_REFBUF_SIZE - 1 - node->offset;
|
|
|
|
|
char *buf = client->refbuf->data + node->offset;
|
2001-09-10 02:21:46 +00:00
|
|
|
|
2005-08-11 23:29:58 +00:00
|
|
|
if (len > 0)
|
|
|
|
|
{
|
|
|
|
|
if (client->con->con_time + timeout <= time(NULL))
|
|
|
|
|
len = 0;
|
|
|
|
|
else
|
|
|
|
|
len = client_read_bytes (client, buf, len);
|
|
|
|
|
}
|
2001-09-10 02:21:46 +00:00
|
|
|
|
2005-08-11 23:29:58 +00:00
|
|
|
if (len > 0)
|
|
|
|
|
{
|
|
|
|
|
int pass_it = 1;
|
|
|
|
|
char *ptr;
|
|
|
|
|
|
2005-10-01 14:08:36 +00:00
|
|
|
/* handle \n, \r\n and nsvcap which for some strange reason has
|
|
|
|
|
* EOL as \r\r\n */
|
2005-08-11 23:29:58 +00:00
|
|
|
node->offset += len;
|
|
|
|
|
client->refbuf->data [node->offset] = '\000';
|
|
|
|
|
do
|
|
|
|
|
{
|
|
|
|
|
if (node->shoutcast == 1)
|
|
|
|
|
{
|
|
|
|
|
/* password line */
|
2005-10-01 14:08:36 +00:00
|
|
|
if (strstr (client->refbuf->data, "\r\r\n") != NULL)
|
|
|
|
|
break;
|
2005-08-11 23:29:58 +00:00
|
|
|
if (strstr (client->refbuf->data, "\r\n") != NULL)
|
|
|
|
|
break;
|
|
|
|
|
if (strstr (client->refbuf->data, "\n") != NULL)
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
/* stream_offset refers to the start of any data sent after the
|
|
|
|
|
* http style headers, we don't want to lose those */
|
2005-10-01 14:08:36 +00:00
|
|
|
ptr = strstr (client->refbuf->data, "\r\r\n\r\r\n");
|
|
|
|
|
if (ptr)
|
|
|
|
|
{
|
|
|
|
|
node->stream_offset = (ptr+6) - client->refbuf->data;
|
|
|
|
|
break;
|
|
|
|
|
}
|
2005-08-11 23:29:58 +00:00
|
|
|
ptr = strstr (client->refbuf->data, "\r\n\r\n");
|
|
|
|
|
if (ptr)
|
|
|
|
|
{
|
|
|
|
|
node->stream_offset = (ptr+4) - client->refbuf->data;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
ptr = strstr (client->refbuf->data, "\n\n");
|
|
|
|
|
if (ptr)
|
|
|
|
|
{
|
|
|
|
|
node->stream_offset = (ptr+2) - client->refbuf->data;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
pass_it = 0;
|
|
|
|
|
} while (0);
|
2001-09-10 02:21:46 +00:00
|
|
|
|
2005-08-11 23:29:58 +00:00
|
|
|
if (pass_it)
|
|
|
|
|
{
|
|
|
|
|
if ((client_queue_t **)_req_queue_tail == &(node->next))
|
|
|
|
|
_req_queue_tail = (volatile client_queue_t **)node_ref;
|
|
|
|
|
*node_ref = node->next;
|
|
|
|
|
node->next = NULL;
|
|
|
|
|
_add_connection (node);
|
2006-03-15 02:30:26 +00:00
|
|
|
continue;
|
2005-08-11 23:29:58 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
if (len == 0 || client->con->error)
|
|
|
|
|
{
|
|
|
|
|
if ((client_queue_t **)_req_queue_tail == &node->next)
|
|
|
|
|
_req_queue_tail = (volatile client_queue_t **)node_ref;
|
|
|
|
|
*node_ref = node->next;
|
|
|
|
|
client_destroy (client);
|
|
|
|
|
free (node);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
node_ref = &node->next;
|
2003-03-15 02:10:19 +00:00
|
|
|
}
|
2008-07-22 02:24:30 +00:00
|
|
|
_handle_connection();
|
2001-09-10 02:21:46 +00:00
|
|
|
}
|
|
|
|
|
|
2003-03-15 02:10:19 +00:00
|
|
|
|
2005-08-11 23:29:58 +00:00
|
|
|
/* add node to the queue of requests. This is where the clients are when
|
|
|
|
|
* initial http details are read.
|
|
|
|
|
*/
|
|
|
|
|
static void _add_request_queue (client_queue_t *node)
|
|
|
|
|
{
|
|
|
|
|
*_req_queue_tail = node;
|
|
|
|
|
_req_queue_tail = (volatile client_queue_t **)&node->next;
|
2001-09-10 02:21:46 +00:00
|
|
|
}
|
|
|
|
|
|
2005-08-11 23:29:58 +00:00
|
|
|
|
2008-07-22 02:24:30 +00:00
|
|
|
void connection_accept_loop (void)
|
2001-09-10 02:21:46 +00:00
|
|
|
{
|
2003-03-15 02:10:19 +00:00
|
|
|
connection_t *con;
|
2007-10-22 02:29:49 +00:00
|
|
|
ice_config_t *config;
|
2008-07-22 02:24:30 +00:00
|
|
|
int duration = 300;
|
2007-10-22 02:29:49 +00:00
|
|
|
|
|
|
|
|
config = config_get_config ();
|
|
|
|
|
get_ssl_certificate (config);
|
|
|
|
|
config_release_config ();
|
2001-09-10 02:21:46 +00:00
|
|
|
|
2014-10-31 09:00:45 +00:00
|
|
|
while (global.running == ICECAST_RUNNING)
|
2003-07-24 23:45:29 +00:00
|
|
|
{
|
2008-07-22 02:24:30 +00:00
|
|
|
con = _accept_connection (duration);
|
2005-08-11 23:29:58 +00:00
|
|
|
|
|
|
|
|
if (con)
|
2003-07-24 23:45:29 +00:00
|
|
|
{
|
2005-08-11 23:29:58 +00:00
|
|
|
client_queue_t *node;
|
|
|
|
|
ice_config_t *config;
|
|
|
|
|
client_t *client = NULL;
|
2007-10-16 01:53:06 +00:00
|
|
|
listener_t *listener;
|
2003-07-24 23:45:29 +00:00
|
|
|
|
2005-08-11 23:29:58 +00:00
|
|
|
global_lock();
|
|
|
|
|
if (client_create (&client, con, NULL) < 0)
|
|
|
|
|
{
|
|
|
|
|
global_unlock();
|
2014-11-21 18:05:17 +00:00
|
|
|
client_send_error(client, 403, 1, "Icecast connection limit reached");
|
2007-10-22 02:29:49 +00:00
|
|
|
/* don't be too eager as this is an imposed hard limit */
|
|
|
|
|
thread_sleep (400000);
|
2005-08-11 23:29:58 +00:00
|
|
|
continue;
|
|
|
|
|
}
|
2003-07-24 23:45:29 +00:00
|
|
|
|
2005-08-11 23:29:58 +00:00
|
|
|
/* setup client for reading incoming http */
|
|
|
|
|
client->refbuf->data [PER_CLIENT_REFBUF_SIZE-1] = '\000';
|
|
|
|
|
|
2009-01-08 02:47:44 +00:00
|
|
|
if (sock_set_blocking (client->con->sock, 0) || sock_set_nodelay (client->con->sock))
|
|
|
|
|
{
|
2009-01-11 16:46:08 +00:00
|
|
|
global_unlock();
|
2014-10-31 08:46:58 +00:00
|
|
|
ICECAST_LOG_WARN("failed to set tcp options on client connection, dropping");
|
2009-01-08 02:47:44 +00:00
|
|
|
client_destroy (client);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
2005-08-11 23:29:58 +00:00
|
|
|
node = calloc (1, sizeof (client_queue_t));
|
|
|
|
|
if (node == NULL)
|
|
|
|
|
{
|
2009-01-11 16:46:08 +00:00
|
|
|
global_unlock();
|
2005-08-11 23:29:58 +00:00
|
|
|
client_destroy (client);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
node->client = client;
|
|
|
|
|
|
|
|
|
|
config = config_get_config();
|
2007-10-16 01:53:06 +00:00
|
|
|
listener = config_get_listen_sock (config, client->con);
|
|
|
|
|
|
|
|
|
|
if (listener)
|
2005-08-11 23:29:58 +00:00
|
|
|
{
|
2007-10-16 01:53:06 +00:00
|
|
|
if (listener->shoutcast_compat)
|
|
|
|
|
node->shoutcast = 1;
|
|
|
|
|
if (listener->ssl && ssl_ok)
|
|
|
|
|
connection_uses_ssl (client->con);
|
2007-10-25 02:25:49 +00:00
|
|
|
if (listener->shoutcast_mount)
|
|
|
|
|
node->shoutcast_mount = strdup (listener->shoutcast_mount);
|
2005-08-11 23:29:58 +00:00
|
|
|
}
|
2009-01-11 16:46:08 +00:00
|
|
|
global_unlock();
|
2007-08-29 03:51:22 +00:00
|
|
|
config_release_config();
|
2005-08-11 23:29:58 +00:00
|
|
|
|
|
|
|
|
_add_request_queue (node);
|
|
|
|
|
stats_event_inc (NULL, "connections");
|
2008-07-22 02:24:30 +00:00
|
|
|
duration = 5;
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
if (_req_queue == NULL)
|
|
|
|
|
duration = 300; /* use longer timeouts when nothing waiting */
|
2003-03-15 02:10:19 +00:00
|
|
|
}
|
2005-08-11 23:29:58 +00:00
|
|
|
process_request_queue ();
|
2003-03-15 02:10:19 +00:00
|
|
|
}
|
2001-09-10 02:21:46 +00:00
|
|
|
|
2002-08-05 14:48:04 +00:00
|
|
|
/* Give all the other threads notification to shut down */
|
|
|
|
|
thread_cond_broadcast(&global.shutdown_cond);
|
|
|
|
|
|
2003-03-15 02:10:19 +00:00
|
|
|
/* wait for all the sources to shutdown */
|
|
|
|
|
thread_rwlock_wlock(&_source_shutdown_rwlock);
|
|
|
|
|
thread_rwlock_unlock(&_source_shutdown_rwlock);
|
2001-09-10 02:21:46 +00:00
|
|
|
}
|
|
|
|
|
|
2004-02-19 16:32:26 +00:00
|
|
|
|
|
|
|
|
/* Called when activating a source. Verifies that the source count is not
|
|
|
|
|
* exceeded and applies any initial parameters.
|
2003-02-17 11:56:12 +00:00
|
|
|
*/
|
2005-08-25 00:07:17 +00:00
|
|
|
int connection_complete_source (source_t *source, int response)
|
2004-02-19 16:32:26 +00:00
|
|
|
{
|
2009-01-11 16:46:08 +00:00
|
|
|
ice_config_t *config;
|
2004-02-19 16:32:26 +00:00
|
|
|
|
|
|
|
|
global_lock ();
|
2014-10-31 08:46:58 +00:00
|
|
|
ICECAST_LOG_DEBUG("sources count is %d", global.sources);
|
2004-02-19 16:32:26 +00:00
|
|
|
|
2009-01-11 16:46:08 +00:00
|
|
|
config = config_get_config();
|
2004-02-19 16:32:26 +00:00
|
|
|
if (global.sources < config->source_limit)
|
|
|
|
|
{
|
2007-08-16 22:49:13 +00:00
|
|
|
const char *contenttype;
|
2014-01-12 12:29:27 +00:00
|
|
|
const char *expectcontinue;
|
2005-05-30 14:50:57 +00:00
|
|
|
mount_proxy *mountinfo;
|
2004-02-19 16:32:26 +00:00
|
|
|
format_type_t format_type;
|
|
|
|
|
|
|
|
|
|
/* setup format handler */
|
|
|
|
|
contenttype = httpp_getvar (source->parser, "content-type");
|
|
|
|
|
if (contenttype != NULL)
|
|
|
|
|
{
|
|
|
|
|
format_type = format_get_type (contenttype);
|
|
|
|
|
|
|
|
|
|
if (format_type == FORMAT_ERROR)
|
|
|
|
|
{
|
|
|
|
|
config_release_config();
|
2009-01-11 16:46:08 +00:00
|
|
|
global_unlock();
|
2014-11-08 16:23:26 +00:00
|
|
|
if (response) {
|
2014-11-21 18:05:17 +00:00
|
|
|
client_send_error(source->client, 403, 1, "Content-type not supported");
|
2005-08-25 00:07:17 +00:00
|
|
|
source->client = NULL;
|
|
|
|
|
}
|
2014-10-31 08:46:58 +00:00
|
|
|
ICECAST_LOG_WARN("Content-type \"%s\" not supported, dropping source", contenttype);
|
2004-02-19 16:32:26 +00:00
|
|
|
return -1;
|
|
|
|
|
}
|
2014-11-08 16:23:26 +00:00
|
|
|
} else if (source->parser->req_type == httpp_req_put) {
|
|
|
|
|
config_release_config();
|
|
|
|
|
global_unlock();
|
|
|
|
|
if (response) {
|
2014-11-21 18:05:17 +00:00
|
|
|
client_send_error(source->client, 403, 1, "No Content-type given");
|
2014-11-08 16:23:26 +00:00
|
|
|
source->client = NULL;
|
|
|
|
|
}
|
|
|
|
|
ICECAST_LOG_ERROR("Content-type not given in PUT request, dropping source");
|
|
|
|
|
return -1;
|
|
|
|
|
} else {
|
|
|
|
|
ICECAST_LOG_ERROR("No content-type header, falling back to backwards compatibility mode "
|
|
|
|
|
"for icecast 1.x relays. Assuming content is mp3. This behaviour is deprecated "
|
|
|
|
|
"and the source client will NOT work with future Icecast versions!");
|
2004-11-18 23:49:59 +00:00
|
|
|
format_type = FORMAT_TYPE_GENERIC;
|
2004-02-19 16:32:26 +00:00
|
|
|
}
|
|
|
|
|
|
2004-08-20 15:13:59 +00:00
|
|
|
if (format_get_plugin (format_type, source) < 0)
|
2004-02-19 16:32:26 +00:00
|
|
|
{
|
|
|
|
|
global_unlock();
|
|
|
|
|
config_release_config();
|
2005-08-25 00:07:17 +00:00
|
|
|
if (response)
|
|
|
|
|
{
|
2014-11-21 18:05:17 +00:00
|
|
|
client_send_error(source->client, 403, 1, "internal format allocation problem");
|
2005-08-25 00:07:17 +00:00
|
|
|
source->client = NULL;
|
|
|
|
|
}
|
2014-10-31 08:46:58 +00:00
|
|
|
ICECAST_LOG_WARN("plugin format failed for \"%s\"", source->mount);
|
2004-02-19 16:32:26 +00:00
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
2014-01-12 12:29:27 +00:00
|
|
|
/* For PUT support we check for 100-continue and send back a 100 to stay in spec */
|
|
|
|
|
expectcontinue = httpp_getvar (source->parser, "expect");
|
|
|
|
|
if (expectcontinue != NULL)
|
|
|
|
|
{
|
|
|
|
|
#ifdef HAVE_STRCASESTR
|
|
|
|
|
if (strcasestr (expectcontinue, "100-continue") != NULL)
|
|
|
|
|
#else
|
2014-10-31 08:46:58 +00:00
|
|
|
ICECAST_LOG_WARN("OS doesn't support case insenestive substring checks...");
|
2014-01-12 12:29:27 +00:00
|
|
|
if (strstr (expectcontinue, "100-continue") != NULL)
|
|
|
|
|
#endif
|
|
|
|
|
{
|
|
|
|
|
client_send_100 (source->client);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2005-08-11 23:29:58 +00:00
|
|
|
global.sources++;
|
|
|
|
|
stats_event_args (NULL, "sources", "%d", global.sources);
|
|
|
|
|
global_unlock();
|
2004-02-19 16:32:26 +00:00
|
|
|
|
2005-05-30 14:50:57 +00:00
|
|
|
source->running = 1;
|
2013-04-02 18:46:44 +00:00
|
|
|
mountinfo = config_find_mount (config, source->mount, MOUNT_TYPE_NORMAL);
|
2007-08-11 17:44:45 +00:00
|
|
|
source_update_settings (config, source, mountinfo);
|
2004-02-19 16:32:26 +00:00
|
|
|
config_release_config();
|
2007-08-11 17:44:45 +00:00
|
|
|
slave_rebuild_mounts();
|
2004-02-19 16:32:26 +00:00
|
|
|
|
|
|
|
|
source->shutdown_rwlock = &_source_shutdown_rwlock;
|
2014-10-31 08:46:58 +00:00
|
|
|
ICECAST_LOG_DEBUG("source is ready to start");
|
2004-02-19 16:32:26 +00:00
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2014-10-31 08:46:58 +00:00
|
|
|
ICECAST_LOG_WARN("Request to add source when maximum source limit "
|
2004-02-19 16:32:26 +00:00
|
|
|
"reached %d", global.sources);
|
|
|
|
|
|
|
|
|
|
global_unlock();
|
|
|
|
|
config_release_config();
|
|
|
|
|
|
2005-08-25 00:07:17 +00:00
|
|
|
if (response)
|
|
|
|
|
{
|
2014-11-21 18:05:17 +00:00
|
|
|
client_send_error(source->client, 403, 1, "too many sources connected");
|
2005-08-25 00:07:17 +00:00
|
|
|
source->client = NULL;
|
|
|
|
|
}
|
2004-02-19 16:32:26 +00:00
|
|
|
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
static inline void source_startup (client_t *client, const char *uri)
|
2009-01-14 01:18:22 +00:00
|
|
|
{
|
|
|
|
|
source_t *source;
|
2004-02-19 21:16:59 +00:00
|
|
|
source = source_reserve (uri);
|
2009-01-14 01:18:22 +00:00
|
|
|
|
2004-02-19 21:16:59 +00:00
|
|
|
if (source)
|
|
|
|
|
{
|
|
|
|
|
source->client = client;
|
2005-05-06 15:57:15 +00:00
|
|
|
source->parser = client->parser;
|
|
|
|
|
source->con = client->con;
|
2005-08-25 00:07:17 +00:00
|
|
|
if (connection_complete_source (source, 1) < 0)
|
2004-02-19 21:16:59 +00:00
|
|
|
{
|
2005-09-08 13:32:17 +00:00
|
|
|
source_clear_source (source);
|
2004-02-19 21:16:59 +00:00
|
|
|
source_free_source (source);
|
2009-01-14 01:18:22 +00:00
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
client->respcode = 200;
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
if (client->protocol == ICECAST_PROTOCOL_SHOUTCAST) {
|
|
|
|
|
client->respcode = 200;
|
|
|
|
|
/* send this non-blocking but if there is only a partial write
|
|
|
|
|
* then leave to header timeout */
|
|
|
|
|
sock_write (client->con->sock, "OK2\r\nicy-caps:11\r\n\r\n");
|
2009-01-14 01:18:22 +00:00
|
|
|
source->shoutcast_compat = 1;
|
|
|
|
|
source_client_callback (client, source);
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
} else {
|
2005-08-18 20:37:35 +00:00
|
|
|
refbuf_t *ok = refbuf_new (PER_CLIENT_REFBUF_SIZE);
|
2005-08-12 15:27:32 +00:00
|
|
|
client->respcode = 200;
|
2005-08-18 20:37:35 +00:00
|
|
|
snprintf (ok->data, PER_CLIENT_REFBUF_SIZE,
|
2005-08-12 15:27:32 +00:00
|
|
|
"HTTP/1.0 200 OK\r\n\r\n");
|
2005-08-18 20:37:35 +00:00
|
|
|
ok->len = strlen (ok->data);
|
|
|
|
|
/* we may have unprocessed data read in, so don't overwrite it */
|
|
|
|
|
ok->associated = client->refbuf;
|
|
|
|
|
client->refbuf = ok;
|
2005-08-12 15:27:32 +00:00
|
|
|
fserve_add_client_callback (client, source_client_callback, source);
|
|
|
|
|
}
|
2004-02-19 21:16:59 +00:00
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
2014-11-21 18:05:17 +00:00
|
|
|
client_send_error(client, 403, 1, "Mountpoint in use");
|
2014-10-31 08:46:58 +00:00
|
|
|
ICECAST_LOG_WARN("Mountpoint %s in use", uri);
|
2003-03-15 02:10:19 +00:00
|
|
|
}
|
2002-08-12 14:48:31 +00:00
|
|
|
}
|
|
|
|
|
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
/* only called for native icecast source clients */
|
|
|
|
|
static void _handle_source_request (client_t *client, const char *uri)
|
2001-09-10 02:21:46 +00:00
|
|
|
{
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
ICECAST_LOG_INFO("Source logging in at mountpoint \"%s\" from %s",
|
|
|
|
|
uri, client->con->ip);
|
2005-05-06 15:57:15 +00:00
|
|
|
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
if (uri[0] != '/')
|
2005-05-06 15:57:15 +00:00
|
|
|
{
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
ICECAST_LOG_WARN("source mountpoint not starting with /");
|
|
|
|
|
client_send_error(client, 400, 1, "source mountpoint not starting with /");
|
2002-08-12 14:48:31 +00:00
|
|
|
return;
|
2003-03-15 02:10:19 +00:00
|
|
|
}
|
2005-05-06 15:57:15 +00:00
|
|
|
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
source_startup(client, uri);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static void _handle_stats_request (client_t *client, char *uri)
|
|
|
|
|
{
|
|
|
|
|
stats_event_inc(NULL, "stats_connections");
|
|
|
|
|
|
2005-05-31 02:40:23 +00:00
|
|
|
client->respcode = 200;
|
2005-08-12 15:27:32 +00:00
|
|
|
snprintf (client->refbuf->data, PER_CLIENT_REFBUF_SIZE,
|
|
|
|
|
"HTTP/1.0 200 OK\r\n\r\n");
|
|
|
|
|
client->refbuf->len = strlen (client->refbuf->data);
|
|
|
|
|
fserve_add_client_callback (client, stats_callback, NULL);
|
2002-08-12 14:48:31 +00:00
|
|
|
}
|
|
|
|
|
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
/* if 0 is returned then the client should not be touched, however if -1
|
|
|
|
|
* is returned then the caller is responsible for handling the client
|
|
|
|
|
*/
|
|
|
|
|
static int __add_listener_to_source (source_t *source, client_t *client)
|
2002-08-12 14:48:31 +00:00
|
|
|
{
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
size_t loop = 10;
|
2003-03-05 13:03:35 +00:00
|
|
|
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
do
|
|
|
|
|
{
|
|
|
|
|
ICECAST_LOG_DEBUG("max on %s is %ld (cur %lu)", source->mount,
|
|
|
|
|
source->max_listeners, source->listeners);
|
|
|
|
|
if (source->max_listeners == -1)
|
|
|
|
|
break;
|
|
|
|
|
if (source->listeners < (unsigned long)source->max_listeners)
|
|
|
|
|
break;
|
2007-10-16 01:53:06 +00:00
|
|
|
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
if (loop && source->fallback_when_full && source->fallback_mount)
|
|
|
|
|
{
|
|
|
|
|
source_t *next = source_find_mount (source->fallback_mount);
|
|
|
|
|
if (!next) {
|
|
|
|
|
ICECAST_LOG_ERROR("Fallback '%s' for full source '%s' not found",
|
|
|
|
|
source->mount, source->fallback_mount);
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ICECAST_LOG_INFO("stream full trying %s", next->mount);
|
|
|
|
|
source = next;
|
|
|
|
|
loop--;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
/* now we fail the client */
|
|
|
|
|
return -1;
|
|
|
|
|
} while (1);
|
|
|
|
|
|
|
|
|
|
client->write_to_client = format_generic_write_to_client;
|
|
|
|
|
client->check_buffer = format_check_http_buffer;
|
|
|
|
|
client->refbuf->len = PER_CLIENT_REFBUF_SIZE;
|
|
|
|
|
memset (client->refbuf->data, 0, PER_CLIENT_REFBUF_SIZE);
|
|
|
|
|
|
|
|
|
|
/* lets add the client to the active list */
|
|
|
|
|
avl_tree_wlock (source->pending_tree);
|
|
|
|
|
avl_insert (source->pending_tree, client);
|
|
|
|
|
avl_tree_unlock (source->pending_tree);
|
|
|
|
|
|
|
|
|
|
if (source->running == 0 && source->on_demand)
|
2007-10-16 01:53:06 +00:00
|
|
|
{
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
/* enable on-demand relay to start, wake up the slave thread */
|
|
|
|
|
ICECAST_LOG_DEBUG("kicking off on-demand relay");
|
|
|
|
|
source->on_demand_req = 1;
|
2003-04-23 12:44:29 +00:00
|
|
|
}
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
ICECAST_LOG_DEBUG("Added client to %s", source->mount);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2002-08-12 14:48:31 +00:00
|
|
|
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
/* count the number of clients on a mount with same username and same role as the given one */
|
|
|
|
|
static inline ssize_t __count_user_role_on_mount (source_t *source, client_t *client) {
|
|
|
|
|
ssize_t ret = 0;
|
|
|
|
|
avl_node *node;
|
|
|
|
|
|
|
|
|
|
avl_tree_rlock(source->client_tree);
|
|
|
|
|
node = avl_get_first(source->client_tree);
|
|
|
|
|
while (node) {
|
|
|
|
|
client_t *existing_client = (client_t *)node->key;
|
|
|
|
|
if (existing_client->username && client->username &&
|
|
|
|
|
strcmp(existing_client->username, client->username) == 0 &&
|
|
|
|
|
existing_client->role && client->role &&
|
|
|
|
|
strcmp(existing_client->role, client->role) == 0)
|
|
|
|
|
ret++;
|
|
|
|
|
node = avl_get_next(node);
|
2014-11-20 18:32:14 +00:00
|
|
|
}
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
avl_tree_unlock(source->client_tree);
|
|
|
|
|
|
|
|
|
|
avl_tree_rlock(source->pending_tree);
|
|
|
|
|
node = avl_get_first(source->pending_tree);
|
|
|
|
|
while (node)
|
|
|
|
|
{
|
|
|
|
|
client_t *existing_client = (client_t *)node->key;
|
|
|
|
|
if (existing_client->username && client->username &&
|
|
|
|
|
strcmp(existing_client->username, client->username) == 0 &&
|
|
|
|
|
existing_client->role && client->role &&
|
|
|
|
|
strcmp(existing_client->role, client->role) == 0)
|
|
|
|
|
ret++;
|
|
|
|
|
node = avl_get_next(node);
|
2003-04-23 12:44:29 +00:00
|
|
|
}
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
avl_tree_unlock(source->pending_tree);
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void _handle_get_request (client_t *client, char *uri) {
|
|
|
|
|
source_t *source = NULL;
|
|
|
|
|
|
|
|
|
|
ICECAST_LOG_DEBUG("Got client %p with URI %H", client, uri);
|
|
|
|
|
|
|
|
|
|
/* there are several types of HTTP GET clients
|
|
|
|
|
* media clients, which are looking for a source (eg, URI = /stream.ogg),
|
|
|
|
|
* stats clients, which are looking for /admin/stats.xml and
|
|
|
|
|
* fserve clients, which are looking for static files.
|
|
|
|
|
*/
|
2004-10-26 19:29:12 +00:00
|
|
|
|
|
|
|
|
stats_event_inc(NULL, "client_connections");
|
2003-04-23 12:44:29 +00:00
|
|
|
|
2003-03-06 14:17:33 +00:00
|
|
|
/* Dispatch all admin requests */
|
2004-11-11 15:47:33 +00:00
|
|
|
if ((strcmp(uri, "/admin.cgi") == 0) ||
|
|
|
|
|
(strncmp(uri, "/admin/", 7) == 0)) {
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
ICECAST_LOG_DEBUG("Client %p requesting admin interface.", client);
|
2003-03-06 14:17:33 +00:00
|
|
|
admin_handle_request(client, uri);
|
2002-12-31 07:49:34 +00:00
|
|
|
return;
|
|
|
|
|
}
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
|
|
|
|
|
/* this is a web/ request. let's check if we are allowed to do that. */
|
|
|
|
|
if (acl_test_web(client->acl) != ACL_POLICY_ALLOW) {
|
|
|
|
|
/* doesn't seem so, sad client :( */
|
|
|
|
|
if (client->protocol == ICECAST_PROTOCOL_SHOUTCAST) {
|
|
|
|
|
client_destroy(client);
|
|
|
|
|
} else {
|
|
|
|
|
client_send_error(client, 401, 1, "You need to authenticate\r\n");
|
|
|
|
|
}
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (util_check_valid_extension(uri) == XSLT_CONTENT) {
|
|
|
|
|
/* If the file exists, then transform it, otherwise, write a 404 */
|
|
|
|
|
ICECAST_LOG_DEBUG("Stats request, sending XSL transformed stats");
|
|
|
|
|
stats_transform_xslt(client, uri);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
avl_tree_rlock(global.source_tree);
|
|
|
|
|
/* let's see if this is a source or just a random fserve file */
|
|
|
|
|
source = source_find_mount(uri);
|
|
|
|
|
if (source) {
|
|
|
|
|
/* true mount */
|
|
|
|
|
int in_error = 0;
|
|
|
|
|
ssize_t max_connections_per_user = acl_get_max_connections_per_user(client->acl);
|
|
|
|
|
/* check for duplicate_logins */
|
|
|
|
|
if (max_connections_per_user > 0) { /* -1 = not set (-> default=unlimited), 0 = unlimited */
|
|
|
|
|
if (max_connections_per_user <= __count_user_role_on_mount(source, client)) {
|
|
|
|
|
client_send_error(client, 403, 1, "Reached limit of concurrent connections on those credentials");
|
|
|
|
|
in_error = 1;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Set max listening duration in case not already set. */
|
|
|
|
|
if (!in_error && client->con->discon_time == 0) {
|
|
|
|
|
time_t connection_duration = acl_get_max_connection_duration(client->acl);
|
|
|
|
|
if (connection_duration == -1) {
|
|
|
|
|
ice_config_t *config = config_get_config();
|
|
|
|
|
mount_proxy *mount = config_find_mount(config, source->mount, MOUNT_TYPE_NORMAL);
|
|
|
|
|
if (mount && mount->max_listener_duration)
|
|
|
|
|
connection_duration = mount->max_listener_duration;
|
|
|
|
|
config_release_config();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (connection_duration > 0) /* -1 = not set (-> default=unlimited), 0 = unlimited */
|
|
|
|
|
client->con->discon_time = connection_duration + time(NULL);
|
|
|
|
|
}
|
|
|
|
|
if (!in_error && __add_listener_to_source(source, client) == -1) {
|
|
|
|
|
client_send_error(client, 403, 1, "Rejecting client for whatever reason");
|
|
|
|
|
}
|
|
|
|
|
avl_tree_unlock(global.source_tree);
|
|
|
|
|
} else {
|
|
|
|
|
/* file */
|
|
|
|
|
avl_tree_unlock(global.source_tree);
|
|
|
|
|
fserve_client_create(client, uri);
|
|
|
|
|
}
|
2002-08-12 14:48:31 +00:00
|
|
|
}
|
|
|
|
|
|
2005-08-11 23:29:58 +00:00
|
|
|
static void _handle_shoutcast_compatible (client_queue_t *node)
|
|
|
|
|
{
|
2004-11-11 15:47:33 +00:00
|
|
|
char *http_compliant;
|
|
|
|
|
int http_compliant_len = 0;
|
|
|
|
|
http_parser_t *parser;
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
const char *shoutcast_mount;
|
2005-08-11 23:29:58 +00:00
|
|
|
client_t *client = node->client;
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
ice_config_t *config;
|
2007-10-25 02:25:49 +00:00
|
|
|
|
2005-08-11 23:29:58 +00:00
|
|
|
if (node->shoutcast == 1)
|
|
|
|
|
{
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
char *ptr, *headers;
|
2005-08-11 23:29:58 +00:00
|
|
|
|
|
|
|
|
/* Get rid of trailing \r\n or \n after password */
|
2005-10-01 14:08:36 +00:00
|
|
|
ptr = strstr (client->refbuf->data, "\r\r\n");
|
2005-09-26 16:34:51 +00:00
|
|
|
if (ptr)
|
2005-10-01 14:08:36 +00:00
|
|
|
headers = ptr+3;
|
2005-09-26 16:34:51 +00:00
|
|
|
else
|
|
|
|
|
{
|
2005-10-01 14:08:36 +00:00
|
|
|
ptr = strstr (client->refbuf->data, "\r\n");
|
2005-09-26 16:34:51 +00:00
|
|
|
if (ptr)
|
2005-10-01 14:08:36 +00:00
|
|
|
headers = ptr+2;
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
ptr = strstr (client->refbuf->data, "\n");
|
|
|
|
|
if (ptr)
|
|
|
|
|
headers = ptr+1;
|
|
|
|
|
}
|
2005-09-26 16:34:51 +00:00
|
|
|
}
|
2005-08-11 23:29:58 +00:00
|
|
|
|
|
|
|
|
if (ptr == NULL)
|
|
|
|
|
{
|
|
|
|
|
client_destroy (client);
|
2007-10-25 02:25:49 +00:00
|
|
|
free (node->shoutcast_mount);
|
2005-08-11 23:29:58 +00:00
|
|
|
free (node);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
*ptr = '\0';
|
|
|
|
|
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
client->password = strdup(client->refbuf->data);
|
|
|
|
|
node->offset -= (headers - client->refbuf->data);
|
|
|
|
|
memmove (client->refbuf->data, headers, node->offset+1);
|
|
|
|
|
node->shoutcast = 2;
|
|
|
|
|
/* we've checked the password, now send it back for reading headers */
|
|
|
|
|
_add_request_queue (node);
|
2004-11-11 15:47:33 +00:00
|
|
|
return;
|
|
|
|
|
}
|
2007-10-25 02:25:49 +00:00
|
|
|
/* actually make a copy as we are dropping the config lock */
|
2004-11-11 15:47:33 +00:00
|
|
|
/* Here we create a valid HTTP request based of the information
|
|
|
|
|
that was passed in via the non-HTTP style protocol above. This
|
|
|
|
|
means we can use some of our existing code to handle this case */
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
config = config_get_config();
|
|
|
|
|
if (node->shoutcast_mount) {
|
|
|
|
|
shoutcast_mount = node->shoutcast_mount;
|
|
|
|
|
} else {
|
|
|
|
|
shoutcast_mount = config->shoutcast_mount;
|
|
|
|
|
}
|
|
|
|
|
http_compliant_len = 20 + strlen(shoutcast_mount) + node->offset;
|
2004-11-11 15:47:33 +00:00
|
|
|
http_compliant = (char *)calloc(1, http_compliant_len);
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
snprintf(http_compliant, http_compliant_len,
|
2005-08-11 23:29:58 +00:00
|
|
|
"SOURCE %s HTTP/1.0\r\n%s", shoutcast_mount, client->refbuf->data);
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
config_release_config();
|
|
|
|
|
|
2004-11-11 15:47:33 +00:00
|
|
|
parser = httpp_create_parser();
|
|
|
|
|
httpp_initialize(parser, NULL);
|
2005-05-06 15:57:15 +00:00
|
|
|
if (httpp_parse (parser, http_compliant, strlen(http_compliant)))
|
|
|
|
|
{
|
2005-08-11 23:29:58 +00:00
|
|
|
/* we may have more than just headers, so prepare for it */
|
|
|
|
|
if (node->stream_offset == node->offset)
|
|
|
|
|
client->refbuf->len = 0;
|
|
|
|
|
else
|
2005-05-06 15:57:15 +00:00
|
|
|
{
|
2005-08-11 23:29:58 +00:00
|
|
|
char *ptr = client->refbuf->data;
|
|
|
|
|
client->refbuf->len = node->offset - node->stream_offset;
|
|
|
|
|
memmove (ptr, ptr + node->stream_offset, client->refbuf->len);
|
2005-05-06 15:57:15 +00:00
|
|
|
}
|
2005-08-11 23:29:58 +00:00
|
|
|
client->parser = parser;
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
client->protocol = ICECAST_PROTOCOL_SHOUTCAST;
|
|
|
|
|
node->shoutcast = 0;
|
|
|
|
|
return;
|
2004-11-11 15:47:33 +00:00
|
|
|
}
|
2006-03-07 19:35:18 +00:00
|
|
|
else {
|
|
|
|
|
httpp_destroy (parser);
|
2005-08-11 23:29:58 +00:00
|
|
|
client_destroy (client);
|
2006-03-07 19:35:18 +00:00
|
|
|
}
|
2005-05-06 15:57:15 +00:00
|
|
|
free (http_compliant);
|
2007-10-25 02:25:49 +00:00
|
|
|
free (node->shoutcast_mount);
|
2005-08-11 23:29:58 +00:00
|
|
|
free (node);
|
|
|
|
|
return;
|
2004-11-11 15:47:33 +00:00
|
|
|
}
|
|
|
|
|
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
/* Handle <alias> lookups here.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
static int _handle_aliases(client_t *client, char **uri) {
|
|
|
|
|
const char *http_host = httpp_getvar(client->parser, "host");
|
|
|
|
|
char *serverhost = NULL;
|
|
|
|
|
int serverport = 0;
|
2014-11-29 08:16:42 +00:00
|
|
|
char *vhost = NULL;
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
char *vhost_colon;
|
|
|
|
|
char *new_uri = NULL;
|
|
|
|
|
ice_config_t *config;
|
|
|
|
|
listener_t *listen_sock;
|
|
|
|
|
aliases *alias;
|
|
|
|
|
|
|
|
|
|
if (http_host) {
|
|
|
|
|
vhost = strdup(http_host);
|
|
|
|
|
if (vhost) {
|
|
|
|
|
vhost_colon = strstr(vhost, ":");
|
|
|
|
|
if (vhost_colon)
|
|
|
|
|
*vhost_colon = 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
config = config_get_config();
|
|
|
|
|
listen_sock = config_get_listen_sock (config, client->con);
|
|
|
|
|
if (listen_sock)
|
|
|
|
|
{
|
|
|
|
|
serverhost = listen_sock->bind_address;
|
|
|
|
|
serverport = listen_sock->port;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
alias = config->aliases;
|
|
|
|
|
|
|
|
|
|
while (alias) {
|
|
|
|
|
if(strcmp(*uri, alias->source) == 0 &&
|
|
|
|
|
(alias->port == -1 || alias->port == serverport) &&
|
|
|
|
|
(alias->bind_address == NULL || (serverhost != NULL && strcmp(alias->bind_address, serverhost) == 0)) &&
|
|
|
|
|
(alias->vhost == NULL || (vhost != NULL && strcmp(alias->vhost, vhost) == 0)) ) {
|
|
|
|
|
new_uri = strdup(alias->destination);
|
|
|
|
|
ICECAST_LOG_DEBUG("alias has made %s into %s", *uri, new_uri);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
alias = alias->next;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
config_release_config();
|
|
|
|
|
|
|
|
|
|
if (new_uri) {
|
|
|
|
|
free(*uri);
|
|
|
|
|
*uri = new_uri;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (vhost)
|
|
|
|
|
free(vhost);
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Handle any client that passed the authing process.
|
|
|
|
|
*/
|
|
|
|
|
static void _handle_authed_client(client_t *client, void *uri, auth_result result) {
|
|
|
|
|
auth_stack_release(client->authstack);
|
|
|
|
|
client->authstack = NULL;
|
|
|
|
|
|
|
|
|
|
if (result != AUTH_OK) {
|
|
|
|
|
client_send_error(client, 401, 1, "You need to authenticate\r\n");
|
|
|
|
|
free(uri);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (acl_test_method(client->acl, client->parser->req_type) != ACL_POLICY_ALLOW) {
|
|
|
|
|
ICECAST_LOG_ERROR("Client (role=%s, username=%s) not allowed to use this request method on %H", client->role, client->username, uri);
|
|
|
|
|
client_send_error(client, 401, 1, "You need to authenticate\r\n");
|
|
|
|
|
free(uri);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
switch (client->parser->req_type) {
|
|
|
|
|
case httpp_req_source:
|
|
|
|
|
case httpp_req_put:
|
|
|
|
|
_handle_source_request(client, uri);
|
|
|
|
|
break;
|
|
|
|
|
case httpp_req_stats:
|
|
|
|
|
_handle_stats_request(client, uri);
|
|
|
|
|
break;
|
|
|
|
|
case httpp_req_get:
|
|
|
|
|
_handle_get_request(client, uri);
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
ICECAST_LOG_ERROR("Wrong request type from client");
|
|
|
|
|
client_send_error(client, 400, 0, "unknown request");
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
free(uri);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Handle clients that still need to authenticate.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
static void _handle_authentication_global(client_t *client, void *uri, auth_result result) {
|
|
|
|
|
ice_config_t *config;
|
|
|
|
|
|
|
|
|
|
auth_stack_release(client->authstack);
|
|
|
|
|
client->authstack = NULL;
|
|
|
|
|
|
|
|
|
|
if (result != AUTH_NOMATCH) {
|
|
|
|
|
_handle_authed_client(client, uri, result);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
config = config_get_config();
|
|
|
|
|
auth_stack_add_client(config->authstack, client, _handle_authed_client, uri);
|
|
|
|
|
config_release_config();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline mount_proxy * __find_non_admin_mount(ice_config_t *config, const char *name, mount_type type) {
|
|
|
|
|
if (strcmp(name, "/admin.cgi") == 0 || strncmp(name, "/admin/", 7) == 0)
|
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
|
|
return config_find_mount(config, name, type);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void _handle_authentication_mount_generic(client_t *client, void *uri, mount_type type, void (*callback)(client_t*, void*, auth_result)) {
|
|
|
|
|
ice_config_t *config;
|
|
|
|
|
mount_proxy *mountproxy;
|
|
|
|
|
auth_stack_t *stack = NULL;
|
|
|
|
|
|
|
|
|
|
config = config_get_config();
|
|
|
|
|
mountproxy = __find_non_admin_mount(config, uri, type);
|
|
|
|
|
if (!mountproxy) {
|
|
|
|
|
int command_type = admin_get_command_type(client->admin_command);
|
|
|
|
|
if (command_type == ADMINTYPE_MOUNT || command_type == ADMINTYPE_HYBRID) {
|
|
|
|
|
const char *mount = httpp_get_query_param(client->parser, "mount");
|
|
|
|
|
if (mount)
|
|
|
|
|
mountproxy = __find_non_admin_mount(config, mount, type);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (mountproxy && mountproxy->mounttype == type)
|
|
|
|
|
stack = mountproxy->authstack;
|
|
|
|
|
auth_stack_addref(stack);
|
|
|
|
|
config_release_config();
|
|
|
|
|
|
|
|
|
|
if (stack) {
|
|
|
|
|
auth_stack_add_client(stack, client, callback, uri);
|
|
|
|
|
auth_stack_release(stack);
|
|
|
|
|
} else {
|
|
|
|
|
callback(client, uri, AUTH_NOMATCH);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void _handle_authentication_mount_default(client_t *client, void *uri, auth_result result) {
|
|
|
|
|
auth_stack_release(client->authstack);
|
|
|
|
|
client->authstack = NULL;
|
|
|
|
|
|
|
|
|
|
if (result != AUTH_NOMATCH) {
|
|
|
|
|
_handle_authed_client(client, uri, result);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_handle_authentication_mount_generic(client, uri, MOUNT_TYPE_DEFAULT, _handle_authentication_global);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void _handle_authentication_mount_normal(client_t *client, char *uri) {
|
|
|
|
|
_handle_authentication_mount_generic(client, uri, MOUNT_TYPE_NORMAL, _handle_authentication_mount_default);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void _handle_authentication(client_t *client, char *uri) {
|
|
|
|
|
_handle_authentication_mount_normal(client, uri);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void __prepare_shoutcast_admin_cgi_request(client_t *client) {
|
|
|
|
|
ice_config_t *config;
|
|
|
|
|
const char *sc_mount;
|
|
|
|
|
const char *pass = httpp_get_query_param(client->parser, "pass");
|
|
|
|
|
listener_t *listener;
|
|
|
|
|
|
|
|
|
|
if (pass == NULL) {
|
|
|
|
|
ICECAST_LOG_ERROR("missing pass parameter");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (client->password) {
|
|
|
|
|
ICECAST_LOG_INFO("Client already has password set");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
global_lock();
|
|
|
|
|
config = config_get_config();
|
|
|
|
|
sc_mount = config->shoutcast_mount;
|
|
|
|
|
listener = config_get_listen_sock(config, client->con);
|
|
|
|
|
|
|
|
|
|
if (listener && listener->shoutcast_mount)
|
|
|
|
|
sc_mount = listener->shoutcast_mount;
|
|
|
|
|
|
|
|
|
|
httpp_set_query_param(client->parser, "mount", sc_mount);
|
|
|
|
|
httpp_setvar(client->parser, HTTPP_VAR_PROTOCOL, "ICY");
|
|
|
|
|
client->password = strdup(pass);
|
|
|
|
|
config_release_config();
|
|
|
|
|
global_unlock();
|
|
|
|
|
}
|
2005-08-11 23:29:58 +00:00
|
|
|
|
|
|
|
|
/* Connection thread. Here we take clients off the connection queue and check
|
|
|
|
|
* the contents provided. We set up the parser then hand off to the specific
|
|
|
|
|
* request handler.
|
|
|
|
|
*/
|
2008-07-22 02:24:30 +00:00
|
|
|
static void _handle_connection(void)
|
2002-08-12 14:48:31 +00:00
|
|
|
{
|
2003-03-15 02:10:19 +00:00
|
|
|
http_parser_t *parser;
|
2007-08-16 22:49:13 +00:00
|
|
|
const char *rawuri;
|
2008-07-22 02:24:30 +00:00
|
|
|
client_queue_t *node;
|
2001-09-10 02:21:46 +00:00
|
|
|
|
2008-07-22 02:24:30 +00:00
|
|
|
while (1)
|
|
|
|
|
{
|
|
|
|
|
node = _get_connection();
|
2005-08-11 23:29:58 +00:00
|
|
|
if (node)
|
|
|
|
|
{
|
|
|
|
|
client_t *client = node->client;
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
int already_parsed = 0;
|
2001-09-10 02:21:46 +00:00
|
|
|
|
2004-11-11 15:47:33 +00:00
|
|
|
/* Check for special shoutcast compatability processing */
|
2008-07-22 02:24:30 +00:00
|
|
|
if (node->shoutcast)
|
2005-08-11 23:29:58 +00:00
|
|
|
{
|
|
|
|
|
_handle_shoutcast_compatible (node);
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
if (node->shoutcast)
|
|
|
|
|
continue;
|
2003-03-15 02:10:19 +00:00
|
|
|
}
|
2001-09-10 02:21:46 +00:00
|
|
|
|
2005-08-11 23:29:58 +00:00
|
|
|
/* process normal HTTP headers */
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
if (client->parser) {
|
|
|
|
|
already_parsed = 1;
|
|
|
|
|
parser = client->parser;
|
|
|
|
|
} else {
|
|
|
|
|
parser = httpp_create_parser();
|
|
|
|
|
httpp_initialize(parser, NULL);
|
|
|
|
|
client->parser = parser;
|
|
|
|
|
}
|
|
|
|
|
if (already_parsed || httpp_parse (parser, client->refbuf->data, node->offset))
|
2005-08-11 23:29:58 +00:00
|
|
|
{
|
2007-08-16 22:49:13 +00:00
|
|
|
char *uri;
|
|
|
|
|
|
2005-08-11 23:29:58 +00:00
|
|
|
/* we may have more than just headers, so prepare for it */
|
|
|
|
|
if (node->stream_offset == node->offset)
|
|
|
|
|
client->refbuf->len = 0;
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
char *ptr = client->refbuf->data;
|
|
|
|
|
client->refbuf->len = node->offset - node->stream_offset;
|
|
|
|
|
memmove (ptr, ptr + node->stream_offset, client->refbuf->len);
|
|
|
|
|
}
|
2007-10-25 02:25:49 +00:00
|
|
|
|
|
|
|
|
rawuri = httpp_getvar(parser, HTTPP_VAR_URI);
|
|
|
|
|
|
|
|
|
|
/* assign a port-based shoutcast mountpoint if required */
|
|
|
|
|
if (node->shoutcast_mount && strcmp (rawuri, "/admin.cgi") == 0)
|
|
|
|
|
httpp_set_query_param (client->parser, "mount", node->shoutcast_mount);
|
|
|
|
|
|
|
|
|
|
free (node->shoutcast_mount);
|
2005-08-11 23:29:58 +00:00
|
|
|
free (node);
|
2008-07-22 02:24:30 +00:00
|
|
|
|
2003-03-15 02:10:19 +00:00
|
|
|
if (strcmp("ICE", httpp_getvar(parser, HTTPP_VAR_PROTOCOL)) &&
|
2002-08-12 14:48:31 +00:00
|
|
|
strcmp("HTTP", httpp_getvar(parser, HTTPP_VAR_PROTOCOL))) {
|
2014-10-31 08:46:58 +00:00
|
|
|
ICECAST_LOG_ERROR("Bad HTTP protocol detected");
|
2005-08-11 23:29:58 +00:00
|
|
|
client_destroy (client);
|
2003-03-15 02:10:19 +00:00
|
|
|
continue;
|
|
|
|
|
}
|
2001-09-10 02:21:46 +00:00
|
|
|
|
2002-08-11 14:23:39 +00:00
|
|
|
uri = util_normalise_uri(rawuri);
|
|
|
|
|
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
if (!uri) {
|
2005-08-11 23:29:58 +00:00
|
|
|
client_destroy (client);
|
2002-08-11 14:23:39 +00:00
|
|
|
continue;
|
|
|
|
|
}
|
2002-08-10 08:01:56 +00:00
|
|
|
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
if (_handle_aliases(client, &uri) != 0) {
|
|
|
|
|
client_destroy (client);
|
|
|
|
|
continue;
|
2002-08-12 14:48:31 +00:00
|
|
|
}
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
|
|
|
|
|
if (strcmp(uri, "/admin.cgi") == 0) {
|
|
|
|
|
client->admin_command = admin_get_command(uri + 1);
|
|
|
|
|
__prepare_shoutcast_admin_cgi_request(client);
|
|
|
|
|
if (!client->password) {
|
|
|
|
|
client_send_error(client, 400, 0, "missing pass parameter");
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
} else if (strncmp("/admin/", uri, 7) == 0) {
|
|
|
|
|
client->admin_command = admin_get_command(uri + 7);
|
2002-08-12 14:48:31 +00:00
|
|
|
}
|
|
|
|
|
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
|
|
|
_handle_authentication(client, uri);
|
2003-03-15 02:10:19 +00:00
|
|
|
}
|
2005-08-11 23:29:58 +00:00
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
free (node);
|
2014-10-31 08:46:58 +00:00
|
|
|
ICECAST_LOG_ERROR("HTTP request parsing failed");
|
2005-08-11 23:29:58 +00:00
|
|
|
client_destroy (client);
|
2003-03-15 02:10:19 +00:00
|
|
|
}
|
2005-08-11 23:29:58 +00:00
|
|
|
continue;
|
2003-03-15 02:10:19 +00:00
|
|
|
}
|
2008-07-22 02:24:30 +00:00
|
|
|
break;
|
2003-03-15 02:10:19 +00:00
|
|
|
}
|
2001-09-10 02:21:46 +00:00
|
|
|
}
|
|
|
|
|
|
2007-10-16 01:53:06 +00:00
|
|
|
|
|
|
|
|
/* called when listening thread is not checking for incoming connections */
|
|
|
|
|
int connection_setup_sockets (ice_config_t *config)
|
|
|
|
|
{
|
|
|
|
|
int count = 0;
|
|
|
|
|
listener_t *listener, **prev;
|
|
|
|
|
|
2007-10-23 22:25:31 +00:00
|
|
|
free (banned_ip.filename);
|
|
|
|
|
banned_ip.filename = NULL;
|
|
|
|
|
free (allowed_ip.filename);
|
|
|
|
|
allowed_ip.filename = NULL;
|
|
|
|
|
|
2007-10-16 01:53:06 +00:00
|
|
|
global_lock();
|
|
|
|
|
if (global.serversock)
|
|
|
|
|
{
|
|
|
|
|
for (; count < global.server_sockets; count++)
|
|
|
|
|
sock_close (global.serversock [count]);
|
|
|
|
|
free (global.serversock);
|
|
|
|
|
global.serversock = NULL;
|
|
|
|
|
}
|
|
|
|
|
if (config == NULL)
|
|
|
|
|
{
|
|
|
|
|
global_unlock();
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2007-10-23 22:25:31 +00:00
|
|
|
/* setup the banned/allowed IP filenames from the xml */
|
|
|
|
|
if (config->banfile)
|
2014-11-30 20:32:30 +00:00
|
|
|
banned_ip.filename = strdup(config->banfile);
|
2007-10-23 22:25:31 +00:00
|
|
|
|
|
|
|
|
if (config->allowfile)
|
2014-11-30 20:32:30 +00:00
|
|
|
allowed_ip.filename = strdup(config->allowfile);
|
2007-10-23 22:25:31 +00:00
|
|
|
|
2007-10-16 01:53:06 +00:00
|
|
|
count = 0;
|
2014-11-30 20:32:30 +00:00
|
|
|
global.serversock = calloc(config->listen_sock_count, sizeof(sock_t));
|
2007-10-16 01:53:06 +00:00
|
|
|
|
2014-11-30 20:32:30 +00:00
|
|
|
listener = config->listen_sock;
|
2007-10-16 01:53:06 +00:00
|
|
|
prev = &config->listen_sock;
|
|
|
|
|
while (listener)
|
|
|
|
|
{
|
|
|
|
|
int successful = 0;
|
|
|
|
|
|
|
|
|
|
do
|
|
|
|
|
{
|
|
|
|
|
sock_t sock = sock_get_server_socket (listener->port, listener->bind_address);
|
|
|
|
|
if (sock == SOCK_ERROR)
|
|
|
|
|
break;
|
2014-10-31 09:00:45 +00:00
|
|
|
if (sock_listen (sock, ICECAST_LISTEN_QUEUE) == SOCK_ERROR)
|
2007-10-16 01:53:06 +00:00
|
|
|
{
|
|
|
|
|
sock_close (sock);
|
|
|
|
|
break;
|
|
|
|
|
}
|
2009-03-14 16:05:12 +00:00
|
|
|
/* some win32 setups do not do TCP win scaling well, so allow an override */
|
|
|
|
|
if (listener->so_sndbuf)
|
|
|
|
|
sock_set_send_buffer (sock, listener->so_sndbuf);
|
2009-01-08 02:47:44 +00:00
|
|
|
sock_set_blocking (sock, 0);
|
2007-10-16 01:53:06 +00:00
|
|
|
successful = 1;
|
|
|
|
|
global.serversock [count] = sock;
|
|
|
|
|
count++;
|
|
|
|
|
} while(0);
|
|
|
|
|
if (successful == 0)
|
|
|
|
|
{
|
|
|
|
|
if (listener->bind_address)
|
2014-10-31 08:46:58 +00:00
|
|
|
ICECAST_LOG_ERROR("Could not create listener socket on port %d bind %s",
|
2007-10-16 01:53:06 +00:00
|
|
|
listener->port, listener->bind_address);
|
|
|
|
|
else
|
2014-10-31 08:46:58 +00:00
|
|
|
ICECAST_LOG_ERROR("Could not create listener socket on port %d", listener->port);
|
2007-10-16 01:53:06 +00:00
|
|
|
/* remove failed connection */
|
|
|
|
|
*prev = config_clear_listener (listener);
|
|
|
|
|
listener = *prev;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
if (listener->bind_address)
|
2014-10-31 08:46:58 +00:00
|
|
|
ICECAST_LOG_INFO("listener socket on port %d address %s", listener->port, listener->bind_address);
|
2007-10-16 01:53:06 +00:00
|
|
|
else
|
2014-10-31 08:46:58 +00:00
|
|
|
ICECAST_LOG_INFO("listener socket on port %d", listener->port);
|
2007-10-16 01:53:06 +00:00
|
|
|
prev = &listener->next;
|
|
|
|
|
listener = listener->next;
|
|
|
|
|
}
|
|
|
|
|
global.server_sockets = count;
|
|
|
|
|
global_unlock();
|
|
|
|
|
|
|
|
|
|
if (count == 0)
|
2014-10-31 08:46:58 +00:00
|
|
|
ICECAST_LOG_ERROR("No listening sockets established");
|
2007-10-16 01:53:06 +00:00
|
|
|
|
|
|
|
|
return count;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2001-09-10 02:21:46 +00:00
|
|
|
void connection_close(connection_t *con)
|
|
|
|
|
{
|
2003-03-15 02:10:19 +00:00
|
|
|
sock_close(con->sock);
|
|
|
|
|
if (con->ip) free(con->ip);
|
|
|
|
|
if (con->host) free(con->host);
|
2007-08-29 03:51:22 +00:00
|
|
|
#ifdef HAVE_OPENSSL
|
|
|
|
|
if (con->ssl) { SSL_shutdown (con->ssl); SSL_free (con->ssl); }
|
|
|
|
|
#endif
|
2003-03-15 02:10:19 +00:00
|
|
|
free(con);
|
2001-09-10 02:21:46 +00:00
|
|
|
}
|
