/* Icecast
 *
 * This program is distributed under the GNU General Public License, version 2.
 * A copy of this license is included with this source.
 *
 * Copyright 2000-2004, Jack Moffitt <jack@xiph.org>,
 *                      Michael Smith <msmith@xiph.org>,
 *                      oddsock <oddsock@xiph.org>,
 *                      Karl Heyes <karl@xiph.org>
 *                      and others (see AUTHORS for details).
 * Copyright 2011,      Dave 'justdave' Miller <justdave@mozilla.com>,
 * Copyright 2011-2018, Philipp "ph3-der-loewe" Schafft <lion@lion.leolix.org>,
 */

Commit message attached to this file's history (svn revision 19358):

Wow. Mega patch!

This patch *replaces* the authentication system completely.

What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
  Those tags define a 'role' and its ACL rules.
  A role is an instance of an authentication module (see below).
  <role> takes the following options. All but type are optional.
  - authentication related:
    - type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
      symbolic constants in auth.h)
    - name: Name for the role. For later matching. (values: any string; default: (none))
    - method: This rule is only active on the given list of HTTP methods.
      (list of enum values: methods as recognized by httpp/ (e.g. get,post); default: *)
  - ACL related:
    - allow-method: Allowed HTTP methods.
      (list of enum values: methods as recognized by httpp/ (e.g. get,post); default: get)
    - deny-method: Rejected HTTP methods.
      (list of enum values: methods as recognized by httpp/ (e.g. get,post); default: *)
    - allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
    - deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
    - allow-web: Allowed web pages. (values: empty or *; default: *)
    - deny-web: Rejected web pages. (values: empty or *; default: (empty))
    - connections-per-user: maximum number of simultaneous connections per role and username.
      This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
    - connection-duration: maximum time of a connection. This is only active on active sources.
      (values: unlimited or number of seconds; default: unlimited)
  <role> takes <option> child tags. <option> tags contain a name and a value option.
  Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
  Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
  and rejects all other requests.
- New authentication module: anonymous
  This module matches all requests. No options taken.
- New authentication module: static
  This module matches with a static username and password.
  It takes two <option>s. One with name="username" and one with name="password" to set username and password.
  This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
  This module matches with a static password.
  It takes one <option> with name="password" to set password.
  This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
  <authentication> for 100% backward compatibility.
- <alias> is now processed very early. This enables them to be used for all kinds of requests.

To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
  This should be replaced by a unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
  This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
  This needs to be reviewed and discussed on how to handle this case the best way.
- Default config files need to be updated to reflect the changes.
  As this is quite some political act it should be done in discussion with the whole team
  and with permission of the release manager.
- Docs need to be updated to reflect the changes.

How does it work:
Code has been changed so that authentication is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on the kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.

Hints for testers:
- Test with default config.
- Test with different authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoutcast style meta data updates.
- Test playlist generation.

Thank you for reading this long commit message. Have fun reading the full patch!

svn path=/icecast/trunk/icecast/; revision=19358
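
As an added example (not Icecast's own code) of the <role> stack the commit message above describes: roles are consulted in the documented order, AUTH_NOMATCH hands the request to the next role, and the internal fallback decides when no role matched. Only type, method and allow-method are modelled; how the static module treats missing or wrong credentials, allow-method taking precedence, and the role name and credentials used are assumptions of this model.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Icecast code: a model of the <role> stack described in
 * the commit message above. Only type, method and allow-method are modelled;
 * how the static module treats missing or wrong credentials, and allow-method
 * taking precedence, are assumptions of this model. */
typedef enum { AUTH_OK, AUTH_FAILED, AUTH_NOMATCH } auth_result_t;

/* HTTP methods as bits so the method and allow-method lists are masks. */
enum { M_GET = 1, M_POST = 2, M_HEAD = 4, M_PUT = 8, M_SOURCE = 16, M_ANY = 31 };

typedef struct {
    const char *name;         /* <role name="...">                            */
    const char *type;         /* "anonymous" or "static"                      */
    const char *username;     /* static module: <option name="username">      */
    const char *password;     /* static module: <option name="password">      */
    unsigned    method;       /* role is only active for these methods        */
    unsigned    allow_method; /* ACL: methods an authenticated client may use */
} role_t;

typedef struct { const role_t *roles; int count; } role_stack_t;

typedef struct {
    unsigned    method;
    const char *user;         /* NULL when the request carried no credentials */
    const char *pass;
} request_t;

/* Name of the role that made the last demo decision (for inspection). */
static const char *demo_last_role = "";

/* One role's verdict. AUTH_NOMATCH hands the request on to the next role. */
static auth_result_t role_authenticate(const role_t *r, const request_t *q)
{
    if (!(r->method & q->method))
        return AUTH_NOMATCH;                 /* role not active for this method */
    if (strcmp(r->type, "anonymous") == 0)
        return AUTH_OK;                      /* anonymous matches every request */
    if (strcmp(r->type, "static") == 0) {
        if (!q->user || !q->pass)
            return AUTH_NOMATCH;             /* assumption: no credentials, try the next role */
        if (strcmp(q->user, r->username) == 0 && strcmp(q->pass, r->password) == 0)
            return AUTH_OK;
        return AUTH_FAILED;                  /* assumption: wrong credentials end the search */
    }
    return AUTH_NOMATCH;                     /* other module types are not modelled here */
}

/* Documented order: mount specific, default mount, global, then the internal
 * fallback that allows GET/POST/HEAD and rejects everything else. Returns 1
 * when the request may proceed and 0 when it is rejected. */
static int authenticate_request(const role_stack_t stacks[3], const request_t *q, const char **decided_by)
{
    static const role_t fallback = { "internal-fallback", "anonymous", NULL, NULL, M_ANY, M_GET | M_POST | M_HEAD };
    int s, i;

    for (s = 0; s < 3; s++) {
        for (i = 0; i < stacks[s].count; i++) {
            const role_t *r = &stacks[s].roles[i];
            auth_result_t res = role_authenticate(r, q);
            if (res == AUTH_NOMATCH)
                continue;
            *decided_by = r->name;
            /* authenticated: the role's ACL now decides whether the method is allowed */
            return (res == AUTH_OK && (r->allow_method & q->method)) ? 1 : 0;
        }
    }
    *decided_by = fallback.name;
    return (fallback.allow_method & q->method) ? 1 : 0;
}

/* Constructed configuration: one static source role on the mount, nothing on
 * the default mount or globally. Credentials are placeholder values. */
static int demo_decide(unsigned method, const char *user, const char *pass)
{
    static const role_t mount_roles[] = {
        { "source", "static", "source", "hackme", M_SOURCE | M_PUT, M_SOURCE | M_PUT },
    };
    role_stack_t stacks[3] = { { mount_roles, 1 }, { NULL, 0 }, { NULL, 0 } };
    request_t q = { method, user, pass };

    return authenticate_request(stacks, &q, &demo_last_role);
}

int main(void)
{
    int ok = demo_decide(M_SOURCE, "source", "hackme");
    printf("SOURCE with valid credentials: %s (%s)\n", ok ? "allowed" : "rejected", demo_last_role);
    ok = demo_decide(M_SOURCE, "source", "wrong");
    printf("SOURCE with wrong password:    %s (%s)\n", ok ? "allowed" : "rejected", demo_last_role);
    ok = demo_decide(M_GET, NULL, NULL);
    printf("anonymous GET:                 %s (%s)\n", ok ? "allowed" : "rejected", demo_last_role);
    ok = demo_decide(M_PUT, NULL, NULL);
    printf("anonymous PUT:                 %s (%s)\n", ok ? "allowed" : "rejected", demo_last_role);
    return 0;
}
```

A request that a static role rejects does not fall through to the fallback, so a wrong password on the mount role is a hard failure, while a request with no credentials at all is only decided by the fallback's GET/POST/HEAD allowance.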

/* -*- c-basic-offset: 4; indent-tabs-mode: nil; -*- */
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif

#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#ifdef HAVE_POLL
#include <sys/poll.h>
#endif
#include <sys/types.h>

#ifndef _WIN32
#include <sys/socket.h>
#include <netinet/in.h>
#else
#include <winsock2.h>
#endif

#include "common/thread/thread.h"
#include "common/avl/avl.h"
#include "common/net/sock.h"
#include "common/httpp/httpp.h"

#include "compat.h"
#include "connection.h"
#include "cfgfile.h"
#include "global.h"
#include "util.h"
#include "refobject.h"
#include "refbuf.h"
#include "client.h"
#include "errors.h"
#include "stats.h"
#include "logging.h"
#include "fserve.h"
#include "slave.h"

#include "source.h"
#include "admin.h"
#include "auth.h"
#include "matchfile.h"
#include "tls.h"
#include "acl.h"

#define CATMODULE "connection"

/* Two different major types of source authentication.
   Shoutcast style is used only by the Shoutcast DSP
   and is a crazy version of HTTP. It looks like :
     Source Client -> Connects to port + 1
     Source Client -> sends encoder password (plaintext)\r\n
     Icecast -> reads encoder password, if ok, sends OK2\r\n, else disconnects
     Source Client -> reads OK2\r\n, then sends http-type request headers
                      that contain the stream details (icy-name, etc..)
     Icecast -> reads headers, stores them
     Source Client -> starts sending MP3 data
     Source Client -> periodically updates metadata via admin.cgi call

   Icecast auth style uses HTTP and Basic Authorization.
*/

typedef struct client_queue_tag {
    client_t *client;
    int offset;
    int stream_offset;
    int shoutcast;
    char *shoutcast_mount;
    struct client_queue_tag *next;
} client_queue_t;

typedef struct _thread_queue_tag {
    thread_type *thread_id;
    struct _thread_queue_tag *next;
} thread_queue_t;

static spin_t _connection_lock; // protects _current_id, _con_queue, _con_queue_tail
static volatile unsigned long _current_id = 0;
static int _initialized = 0;

static volatile client_queue_t *_req_queue = NULL, **_req_queue_tail = &_req_queue;
static volatile client_queue_t *_con_queue = NULL, **_con_queue_tail = &_con_queue;
static int tls_ok;
static tls_ctx_t *tls_ctx;

/* filtering client connection based on IP */
static matchfile_t *banned_ip, *allowed_ip;

rwlock_t _source_shutdown_rwlock;

static void _handle_connection(void);
static void get_tls_certificate(ice_config_t *config);

void connection_initialize(void)
{
    if (_initialized)
        return;

    thread_spin_create (&_connection_lock);
    thread_mutex_create(&move_clients_mutex);
    thread_rwlock_create(&_source_shutdown_rwlock);
    thread_cond_create(&global.shutdown_cond);
    _req_queue = NULL;
    _req_queue_tail = &_req_queue;
    _con_queue = NULL;
    _con_queue_tail = &_con_queue;

    _initialized = 1;
}

void connection_shutdown(void)
{
    if (!_initialized)
        return;

    tls_ctx_unref(tls_ctx);
    matchfile_release(banned_ip);
    matchfile_release(allowed_ip);

    thread_cond_destroy(&global.shutdown_cond);
    thread_rwlock_destroy(&_source_shutdown_rwlock);
    thread_spin_destroy (&_connection_lock);
    thread_mutex_destroy(&move_clients_mutex);

    _initialized = 0;
}

void connection_reread_config(ice_config_t *config)
{
    get_tls_certificate(config);
}

static unsigned long _next_connection_id(void)
{
    unsigned long id;

    thread_spin_lock(&_connection_lock);
    id = _current_id++;
    thread_spin_unlock(&_connection_lock);

    return id;
}


#ifdef ICECAST_CAP_TLS
static void get_tls_certificate(ice_config_t *config)
{
    const char *keyfile;

    config->tls_ok = tls_ok = 0;

    keyfile = config->tls_context.key_file;
    if (!keyfile)
        keyfile = config->tls_context.cert_file;

    tls_ctx_unref(tls_ctx);
    tls_ctx = tls_ctx_new(config->tls_context.cert_file, keyfile, config->tls_context.cipher_list);
    if (!tls_ctx) {
        ICECAST_LOG_INFO("No TLS capability on any configured ports");
        return;
    }

    config->tls_ok = tls_ok = 1;
}


/* handlers for reading and writing a connection_t when there is TLS
 * configured on the listening port
 */
static int connection_read_tls(connection_t *con, void *buf, size_t len)
{
    ssize_t bytes = tls_read(con->tls, buf, len);

    if (bytes < 0) {
        if (tls_want_io(con->tls) > 0)
            return -1;
        con->error = 1;
    }
    return bytes;
}

static int connection_send_tls(connection_t *con, const void *buf, size_t len)
{
    ssize_t bytes = tls_write(con->tls, buf, len);

    if (bytes < 0) {
        if (tls_want_io(con->tls) > 0)
            return -1;
        con->error = 1;
    } else {
        con->sent_bytes += bytes;
    }
    return bytes;
}
#else

/* TLS not compiled in, so at least log it */
static void get_tls_certificate(ice_config_t *config)
{
    tls_ok = 0;
    ICECAST_LOG_INFO("No TLS capability. "
                     "Rebuild Icecast with OpenSSL support to enable this.");
}
#endif /* ICECAST_CAP_TLS */


/* handlers (default) for reading and writing a connection_t, no encryption
 * used just straight access to the socket
 */
static int connection_read(connection_t *con, void *buf, size_t len)
{
    int bytes = sock_read_bytes(con->sock, buf, len);
    if (bytes == 0)
        con->error = 1;
    if (bytes == -1 && !sock_recoverable(sock_error()))
        con->error = 1;
    return bytes;
}

static int connection_send(connection_t *con, const void *buf, size_t len)
{
    int bytes = sock_write_bytes(con->sock, buf, len);
    if (bytes < 0) {
        if (!sock_recoverable(sock_error()))
            con->error = 1;
    } else {
        con->sent_bytes += bytes;
    }
    return bytes;
}

connection_t *connection_create (sock_t sock, sock_t serversock, char *ip)
{
    connection_t *con;
    con = (connection_t *)calloc(1, sizeof(connection_t));
    if (con) {
        con->sock = sock;
        con->serversock = serversock;
        con->con_time = time(NULL);
        con->id = _next_connection_id();
        con->ip = ip;
        con->tlsmode = ICECAST_TLSMODE_AUTO;
        con->read = connection_read;
        con->send = connection_send;
    }

    return con;
}

/* prepare connection for interacting over a TLS connection
 */
void connection_uses_tls(connection_t *con)
{
#ifdef ICECAST_CAP_TLS
    if (con->tls)
        return;

    con->tlsmode = ICECAST_TLSMODE_RFC2818;
    con->read = connection_read_tls;
    con->send = connection_send_tls;
    con->tls = tls_new(tls_ctx);
    tls_set_incoming(con->tls);
    tls_set_socket(con->tls, con->sock);
#endif
}

ssize_t connection_read_bytes(connection_t *con, void *buf, size_t len)
{
    return con->read(con, buf, len);
}

static sock_t wait_for_serversock(int timeout)
{
#ifdef HAVE_POLL
    struct pollfd ufds [global.server_sockets];
    int i, ret;

    for(i=0; i < global.server_sockets; i++) {
        ufds[i].fd = global.serversock[i];
        ufds[i].events = POLLIN;
        ufds[i].revents = 0;
    }

    ret = poll(ufds, global.server_sockets, timeout);
    if(ret < 0) {
        return SOCK_ERROR;
    } else if(ret == 0) {
        return SOCK_ERROR;
    } else {
        int dst;
        for(i=0; i < global.server_sockets; i++) {
            if(ufds[i].revents & POLLIN)
                return ufds[i].fd;
            if(ufds[i].revents & (POLLHUP|POLLERR|POLLNVAL)) {
                if (ufds[i].revents & (POLLHUP|POLLERR)) {
                    sock_close (global.serversock[i]);
                    ICECAST_LOG_WARN("Had to close a listening socket");
                }
                global.serversock[i] = SOCK_ERROR;
            }
        }
        /* remove any closed sockets */
        for(i=0, dst=0; i < global.server_sockets; i++) {
            if (global.serversock[i] == SOCK_ERROR)
                continue;
            if (i!=dst)
                global.serversock[dst] = global.serversock[i];
            dst++;
        }
        global.server_sockets = dst;
        return SOCK_ERROR;
    }
#else
    fd_set rfds;
    struct timeval tv, *p=NULL;
    int i, ret;
    sock_t max = SOCK_ERROR;

    FD_ZERO(&rfds);

    for(i=0; i < global.server_sockets; i++) {
        FD_SET(global.serversock[i], &rfds);
        if (max == SOCK_ERROR || global.serversock[i] > max)
            max = global.serversock[i];
    }

    if(timeout >= 0) {
        tv.tv_sec = timeout/1000;
        tv.tv_usec = (timeout % 1000) * 1000;
        p = &tv;
    }

    ret = select(max+1, &rfds, NULL, NULL, p);
    if(ret < 0) {
        return SOCK_ERROR;
    } else if(ret == 0) {
        return SOCK_ERROR;
    } else {
        for(i=0; i < global.server_sockets; i++) {
            if(FD_ISSET(global.serversock[i], &rfds))
                return global.serversock[i];
        }
        return SOCK_ERROR; /* Should be impossible, stop compiler warnings */
    }
#endif
}

static connection_t *_accept_connection(int duration)
{
    sock_t sock, serversock;
    char *ip;

    serversock = wait_for_serversock (duration);
    if (serversock == SOCK_ERROR)
        return NULL;

    /* malloc enough room for a full IP address (including ipv6) */
    ip = (char *)malloc(MAX_ADDR_LEN);

    sock = sock_accept(serversock, ip, MAX_ADDR_LEN);
    if (sock != SOCK_ERROR) {
        connection_t *con = NULL;
        /* Make any IPv4 mapped IPv6 address look like a normal IPv4 address */
        if (strncmp(ip, "::ffff:", 7) == 0)
            memmove(ip, ip+7, strlen (ip+7)+1);

        if (matchfile_match_allow_deny(allowed_ip, banned_ip, ip))
            con = connection_create (sock, serversock, ip);
        if (con)
            return con;
        sock_close(sock);
    } else {
        if (!sock_recoverable(sock_error())) {
            ICECAST_LOG_WARN("accept() failed with error %d: %s", sock_error(), strerror(sock_error()));
            thread_sleep(500000);
        }
    }
    free(ip);
    return NULL;
}


/* add client to connection queue. At this point some header information
 * has been collected, so we now pass it onto the connection thread for
 * further processing
 */
static void _add_connection(client_queue_t *node)
{
    thread_spin_lock(&_connection_lock);
    *_con_queue_tail = node;
    _con_queue_tail = (volatile client_queue_t **) &node->next;
    thread_spin_unlock(&_connection_lock);
}


/* this returns queued clients for the connection thread. headers are
 * already provided, but need to be parsed.
 */
static client_queue_t *_get_connection(void)
{
    client_queue_t *node = NULL;

    thread_spin_lock(&_connection_lock);

    if (_con_queue){
        node = (client_queue_t *)_con_queue;
        _con_queue = node->next;
        if (_con_queue == NULL)
            _con_queue_tail = &_con_queue;
        node->next = NULL;
    }

    thread_spin_unlock(&_connection_lock);
    return node;
}


/* run along queue checking for any data that has come in or a timeout */
static void process_request_queue (void)
{
    client_queue_t **node_ref = (client_queue_t **)&_req_queue;
    ice_config_t *config;
    int timeout;
    char peak;

    config = config_get_config();
    timeout = config->header_timeout;
    config_release_config();

    while (*node_ref) {
        client_queue_t *node = *node_ref;
        client_t *client = node->client;
        int len = PER_CLIENT_REFBUF_SIZE - 1 - node->offset;
        char *buf = client->refbuf->data + node->offset;

        if (client->con->tlsmode == ICECAST_TLSMODE_AUTO || client->con->tlsmode == ICECAST_TLSMODE_AUTO_NO_PLAIN) {
            if (recv(client->con->sock, &peak, 1, MSG_PEEK) == 1) {
                if (peak == 0x16) { /* TLS Record Protocol Content type 0x16 == Handshake */
                    connection_uses_tls(client->con);
                }
            }
        }

        if (len > 0) {
            if (client->con->con_time + timeout <= time(NULL)) {
                len = 0;
            } else {
                len = client_read_bytes(client, buf, len);
            }
        }

        if (len > 0) {
            int pass_it = 1;
            char *ptr;

            /* handle \n, \r\n and nsvcap which for some strange reason has
             * EOL as \r\r\n */
            node->offset += len;
            client->refbuf->data[node->offset] = '\000';
            do {
                if (node->shoutcast == 1) {
                    /* password line */
                    if (strstr (client->refbuf->data, "\r\r\n") != NULL)
                        break;
                    if (strstr (client->refbuf->data, "\r\n") != NULL)
                        break;
                    if (strstr (client->refbuf->data, "\n") != NULL)
                        break;
                }
                /* stream_offset refers to the start of any data sent after the
                 * http style headers, we don't want to lose those */
                ptr = strstr(client->refbuf->data, "\r\r\n\r\r\n");
                if (ptr) {
                    node->stream_offset = (ptr+6) - client->refbuf->data;
                    break;
                }
                ptr = strstr(client->refbuf->data, "\r\n\r\n");
                if (ptr) {
                    node->stream_offset = (ptr+4) - client->refbuf->data;
                    break;
                }
                ptr = strstr(client->refbuf->data, "\n\n");
                if (ptr) {
                    node->stream_offset = (ptr+2) - client->refbuf->data;
                    break;
                }
                pass_it = 0;
            } while (0);

            if (pass_it) {
                if ((client_queue_t **)_req_queue_tail == &(node->next))
                    _req_queue_tail = (volatile client_queue_t **)node_ref;
                *node_ref = node->next;
                node->next = NULL;
                _add_connection(node);
                continue;
            }
        } else {
            if (len == 0 || client->con->error) {
                if ((client_queue_t **)_req_queue_tail == &node->next)
                    _req_queue_tail = (volatile client_queue_t **)node_ref;
                *node_ref = node->next;
                client_destroy(client);
                free(node);
                continue;
            }
        }
        node_ref = &node->next;
    }
    _handle_connection();
}
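
The header-end scan in process_request_queue() above and the Shoutcast-style source login sketched in the comment at the top of this file, as an added example that is not Icecast code: a server-side model that accepts the plaintext password line, answers OK2, then finds the end of the icy-* headers and the offset where stream data begins (the same three terminators, including nsvcap's \r\r\n). The buffer size, password, header samples and chunking are constructed values.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Icecast code: models the completeness scan in
 * process_request_queue() above and the Shoutcast-style source login from the
 * comment at the top of this file. BUF_SIZE, passwords and headers are constructed. */
#define BUF_SIZE 256
typedef enum { REQ_INCOMPLETE, REQ_PASSWORD_LINE, REQ_HEADERS_DONE } req_state_t;

/* Same checks, same order, as the do { } while (0) block above; buf must be
 * NUL-terminated. On REQ_HEADERS_DONE *stream_offset is the index just past the
 * blank line: stream data a source already sent starts there and must be kept. */
static req_state_t request_complete(const char *buf, int shoutcast, size_t *stream_offset)
{
    const char *ptr;

    *stream_offset = 0;
    if (shoutcast == 1) {       /* password line: any of the three line endings ends it */
        if (strstr(buf, "\r\r\n") || strstr(buf, "\r\n") || strstr(buf, "\n"))
            return REQ_PASSWORD_LINE;
        return REQ_INCOMPLETE;
    }
    if ((ptr = strstr(buf, "\r\r\n\r\r\n")) != NULL)     /* nsvcap: \r\r\n line endings */
        *stream_offset = (size_t)(ptr + 6 - buf);
    else if ((ptr = strstr(buf, "\r\n\r\n")) != NULL)
        *stream_offset = (size_t)(ptr + 4 - buf);
    else if ((ptr = strstr(buf, "\n\n")) != NULL)
        *stream_offset = (size_t)(ptr + 2 - buf);
    else
        return REQ_INCOMPLETE;
    return REQ_HEADERS_DONE;
}

typedef struct {
    char   buf[BUF_SIZE];
    size_t used;
    int    shoutcast;       /* 0: plain HTTP source, 1: expecting password line, 2: expecting headers */
    char   reply[8];        /* what the server writes back ("OK2\r\n"), if anything */
    size_t stream_offset;   /* index of the first stream byte once headers are done */
} sc_source_t;

/* shoutcast_compat mirrors the listener setting consulted in create_client_node(). */
static void sc_init(sc_source_t *s, int shoutcast_compat)
{
    memset(s, 0, sizeof(*s));
    s->shoutcast = shoutcast_compat ? 1 : 0;
}

/* Feed bytes as they arrive. Returns 1 when the headers are complete, 0 while
 * more input is needed, -1 when the client must be dropped (wrong password, or
 * more header bytes than the buffer holds: the analogue of the refbuf limit). */
static int sc_feed(sc_source_t *s, const char *data, size_t len, const char *expected_password)
{
    size_t off, n, skip;

    if (s->used + len >= BUF_SIZE)
        return -1;
    memcpy(s->buf + s->used, data, len);
    s->used += len;
    s->buf[s->used] = '\0';             /* strstr() needs the terminator, as in the original */

    if (s->shoutcast == 1) {            /* Shoutcast DSP: plaintext password first, then OK2 */
        if (request_complete(s->buf, 1, &off) != REQ_PASSWORD_LINE)
            return 0;
        n = strcspn(s->buf, "\r\n");    /* the password is everything before the line ending */
        if (n != strlen(expected_password) || memcmp(s->buf, expected_password, n) != 0)
            return -1;                  /* wrong password: disconnect, no reply */
        strcpy(s->reply, "OK2\r\n");
        skip = n + strspn(s->buf + n, "\r\n");      /* drop the line, whichever ending it used */
        memmove(s->buf, s->buf + skip, s->used - skip + 1);
        s->used -= skip;
        s->shoutcast = 2;               /* from here on the buffer holds the icy-* headers */
    }
    if (request_complete(s->buf, s->shoutcast, &off) == REQ_HEADERS_DONE) {
        s->stream_offset = off;
        return 1;
    }
    return 0;
}

/* Runs a one- or two-chunk exchange (chunk2 may be NULL): returns the stream
 * offset once the headers complete, 0 if they never do, -1 if rejected. */
static long demo_login(int shoutcast_compat, const char *chunk1, const char *chunk2, const char *password)
{
    sc_source_t s;
    int r;

    sc_init(&s, shoutcast_compat);
    r = sc_feed(&s, chunk1, strlen(chunk1), password);
    if (r == 0 && chunk2)
        r = sc_feed(&s, chunk2, strlen(chunk2), password);
    return r < 0 ? -1 : (r == 1 ? (long)s.stream_offset : 0);
}

int main(void)
{
    printf("shoutcast: stream data at offset %ld\n", demo_login(1, "hackme\r\n", "icy-name: Test\r\n\r\nMP3", "hackme"));
    printf("shoutcast: wrong password -> %ld\n", demo_login(1, "nope\r\n", NULL, "hackme"));
    return 0;
}
```

Bytes after the blank line ("MP3" in the sample) are already stream data, which is why the original records stream_offset instead of truncating the buffer at the headers.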


/* add node to the queue of requests. This is where the clients are when
 * initial http details are read.
 */
static void _add_request_queue(client_queue_t *node)
{
    *_req_queue_tail = node;
    _req_queue_tail = (volatile client_queue_t **)&node->next;
}

static client_queue_t *create_client_node(client_t *client)
{
    client_queue_t *node = calloc (1, sizeof (client_queue_t));
    ice_config_t *config;
    listener_t *listener;

    if (!node)
        return NULL;

    node->client = client;

    config = config_get_config();
    listener = config_get_listen_sock(config, client->con);

    if (listener) {
        if (listener->shoutcast_compat)
            node->shoutcast = 1;
        client->con->tlsmode = listener->tls;
        if (listener->tls == ICECAST_TLSMODE_RFC2818 && tls_ok)
            connection_uses_tls(client->con);
        if (listener->shoutcast_mount)
            node->shoutcast_mount = strdup(listener->shoutcast_mount);
    }

    config_release_config();

    return node;
}

void connection_queue(connection_t *con)
{
    client_queue_t *node;
    client_t *client = NULL;

    global_lock();
    if (client_create(&client, con, NULL) < 0) {
        global_unlock();
        client_send_error_by_id(client, ICECAST_ERROR_GEN_CLIENT_LIMIT);
        /* don't be too eager as this is an imposed hard limit */
        thread_sleep(400000);
        return;
    }

    /* setup client for reading incoming http */
    client->refbuf->data[PER_CLIENT_REFBUF_SIZE-1] = '\000';

    if (sock_set_blocking(client->con->sock, 0) || sock_set_nodelay(client->con->sock)) {
        global_unlock();
        ICECAST_LOG_WARN("Failed to set tcp options on client connection, dropping");
        client_destroy(client);
        return;
    }
    node = create_client_node(client);
    global_unlock();

    if (node == NULL) {
        client_destroy(client);
        return;
    }

    _add_request_queue(node);
    stats_event_inc(NULL, "connections");
}

void connection_accept_loop(void)
{
    connection_t *con;
    ice_config_t *config;
    int duration = 300;

    config = config_get_config();
    get_tls_certificate(config);
    config_release_config();

    while (global.running == ICECAST_RUNNING) {
        con = _accept_connection (duration);

        if (con) {
            connection_queue(con);
            duration = 5;
        } else {
            if (_req_queue == NULL)
                duration = 300; /* use longer timeouts when nothing waiting */
        }
        process_request_queue();
    }

    /* Give all the other threads notification to shut down */
    thread_cond_broadcast(&global.shutdown_cond);

    /* wait for all the sources to shutdown */
    thread_rwlock_wlock(&_source_shutdown_rwlock);
    thread_rwlock_unlock(&_source_shutdown_rwlock);
}


/* Called when activating a source. Verifies that the source count is not
|
|
|
|
* exceeded and applies any initial parameters.
|
2003-02-17 06:56:12 -05:00
|
|
|
*/
|
2015-01-25 13:57:27 -05:00
|
|
|
int connection_complete_source(source_t *source, int response)
|
2004-02-19 11:32:26 -05:00
|
|
|
{
|
2009-01-11 11:46:08 -05:00
|
|
|
ice_config_t *config;
|
2004-02-19 11:32:26 -05:00
|
|
|
|
2015-01-25 13:57:27 -05:00
|
|
|
global_lock();
|
2014-10-31 04:46:58 -04:00
|
|
|
ICECAST_LOG_DEBUG("sources count is %d", global.sources);
|
2004-02-19 11:32:26 -05:00
|
|
|
|
2009-01-11 11:46:08 -05:00
|
|
|
config = config_get_config();
|
2015-01-25 13:57:27 -05:00
|
|
|
if (global.sources < config->source_limit) {
|
2007-08-16 18:49:13 -04:00
|
|
|
const char *contenttype;
|
2005-05-30 10:50:57 -04:00
|
|
|
mount_proxy *mountinfo;
|
2004-02-19 11:32:26 -05:00
|
|
|
format_type_t format_type;
|
|
|
|
|
|
|
|
/* setup format handler */
|
|
|
|
contenttype = httpp_getvar (source->parser, "content-type");
|
2015-01-25 13:57:27 -05:00
|
|
|
if (contenttype != NULL) {
|
|
|
|
format_type = format_get_type(contenttype);
|
2004-02-19 11:32:26 -05:00
|
|
|
|
2015-01-25 13:57:27 -05:00
|
|
|
if (format_type == FORMAT_ERROR) {
|
2004-02-19 11:32:26 -05:00
|
|
|
config_release_config();
|
2009-01-11 11:46:08 -05:00
|
|
|
global_unlock();
|
2014-11-08 11:23:26 -05:00
|
|
|
if (response) {
|
2018-04-28 09:49:36 -04:00
|
|
|
client_send_error_by_id(source->client, ICECAST_ERROR_CON_CONTENT_TYPE_NOSYS);
|
2005-08-24 20:07:17 -04:00
|
|
|
source->client = NULL;
|
|
|
|
}
|
2014-10-31 04:46:58 -04:00
|
|
|
ICECAST_LOG_WARN("Content-type \"%s\" not supported, dropping source", contenttype);
|
2004-02-19 11:32:26 -05:00
|
|
|
return -1;
|
|
|
|
}
|
2014-11-08 11:23:26 -05:00
|
|
|
} else if (source->parser->req_type == httpp_req_put) {
|
|
|
|
config_release_config();
|
|
|
|
global_unlock();
|
|
|
|
if (response) {
|
2018-04-28 09:49:36 -04:00
|
|
|
client_send_error_by_id(source->client, ICECAST_ERROR_CON_NO_CONTENT_TYPE_GIVEN);
|
2014-11-08 11:23:26 -05:00
|
|
|
source->client = NULL;
|
|
|
|
}
|
|
|
|
ICECAST_LOG_ERROR("Content-type not given in PUT request, dropping source");
|
|
|
|
return -1;
|
|
|
|
} else {
|
|
|
|
ICECAST_LOG_ERROR("No content-type header, falling back to backwards compatibility mode "
|
|
|
|
"for icecast 1.x relays. Assuming content is mp3. This behaviour is deprecated "
|
|
|
|
"and the source client will NOT work with future Icecast versions!");
|
2004-11-18 18:49:59 -05:00
|
|
|
format_type = FORMAT_TYPE_GENERIC;
|
2004-02-19 11:32:26 -05:00
|
|
|
}
|
|
|
|
|
2015-01-25 13:57:27 -05:00
|
|
|
if (format_get_plugin (format_type, source) < 0) {
|
2004-02-19 11:32:26 -05:00
|
|
|
global_unlock();
|
|
|
|
config_release_config();
|
2015-01-25 13:57:27 -05:00
|
|
|
if (response) {
|
2018-04-28 09:49:36 -04:00
|
|
|
client_send_error_by_id(source->client, ICECAST_ERROR_CON_INTERNAL_FORMAT_ALLOC_ERROR);
|
2005-08-24 20:07:17 -04:00
|
|
|
source->client = NULL;
|
|
|
|
}
|
2014-10-31 04:46:58 -04:00
|
|
|
ICECAST_LOG_WARN("plugin format failed for \"%s\"", source->mount);
|
2004-02-19 11:32:26 -05:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2005-08-11 19:29:58 -04:00
|
|
|
global.sources++;
|
2015-01-25 13:57:27 -05:00
|
|
|
stats_event_args(NULL, "sources", "%d", global.sources);
|
2005-08-11 19:29:58 -04:00
|
|
|
global_unlock();
|
2004-02-19 11:32:26 -05:00
|
|
|
|
2005-05-30 10:50:57 -04:00
|
|
|
source->running = 1;
|
2015-01-25 13:57:27 -05:00
|
|
|
mountinfo = config_find_mount(config, source->mount, MOUNT_TYPE_NORMAL);
|
|
|
|
source_update_settings(config, source, mountinfo);
|
2004-02-19 11:32:26 -05:00
|
|
|
config_release_config();
|
2007-08-11 13:44:45 -04:00
|
|
|
slave_rebuild_mounts();
|
2004-02-19 11:32:26 -05:00
|
|
|
|
|
|
|
source->shutdown_rwlock = &_source_shutdown_rwlock;
|
2014-10-31 04:46:58 -04:00
|
|
|
ICECAST_LOG_DEBUG("source is ready to start");
|
2004-02-19 11:32:26 -05:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
2014-10-31 04:46:58 -04:00
|
|
|
ICECAST_LOG_WARN("Request to add source when maximum source limit "
|
2015-01-25 13:57:27 -05:00
|
|
|
"reached %d", global.sources);
|
2004-02-19 11:32:26 -05:00
|
|
|
|
|
|
|
global_unlock();
|
|
|
|
config_release_config();
|
|
|
|
|
2015-01-25 13:57:27 -05:00
|
|
|
if (response) {
|
2018-04-28 09:49:36 -04:00
|
|
|
client_send_error_by_id(source->client, ICECAST_ERROR_CON_SOURCE_CLIENT_LIMIT);
|
2005-08-24 20:07:17 -04:00
|
|
|
source->client = NULL;
|
|
|
|
}
|
2004-02-19 11:32:26 -05:00
|
|
|
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2015-01-25 13:57:27 -05:00
|
|
|
static inline void source_startup(client_t *client, const char *uri)
|
2009-01-13 20:18:22 -05:00
|
|
|
{
|
|
|
|
source_t *source;
|
2015-01-25 13:57:27 -05:00
|
|
|
source = source_reserve(uri);
|
2009-01-13 20:18:22 -05:00
|
|
|
|
2015-01-25 13:57:27 -05:00
|
|
|
if (source) {
|
2004-02-19 16:16:59 -05:00
|
|
|
source->client = client;
|
2005-05-06 11:57:15 -04:00
|
|
|
source->parser = client->parser;
|
|
|
|
source->con = client->con;
|
2015-01-25 13:57:27 -05:00
|
|
|
if (connection_complete_source(source, 1) < 0) {
|
|
|
|
source_clear_source(source);
|
|
|
|
source_free_source(source);
|
2009-01-13 20:18:22 -05:00
|
|
|
return;
|
|
|
|
}
|
|
|
|
client->respcode = 200;
|
        if (client->protocol == ICECAST_PROTOCOL_SHOUTCAST) {
            client->respcode = 200;
            /* send this non-blocking but if there is only a partial write
             * then leave to header timeout */
            client_send_bytes(client, "OK2\r\nicy-caps:11\r\n\r\n", 20); /* TODO: Replace Magic Number! */
            source->shoutcast_compat = 1;
            source_client_callback(client, source);
        } else {
            refbuf_t *ok = refbuf_new(PER_CLIENT_REFBUF_SIZE);
            const char *expectcontinue;
            const char *transfer_encoding;
            int status_to_send = 200;
            ssize_t ret;

            transfer_encoding = httpp_getvar(source->parser, "transfer-encoding");
            if (transfer_encoding && strcasecmp(transfer_encoding, HTTPP_ENCODING_IDENTITY) != 0) {
                client->encoding = httpp_encoding_new(transfer_encoding);
                if (!client->encoding) {
                    client_send_error_by_id(client, ICECAST_ERROR_CON_UNIMPLEMENTED);
                    return;
                }
            }

            /* For PUT support we check for 100-continue and send back a 100 to stay in spec */
            expectcontinue = httpp_getvar (source->parser, "expect");

            if (expectcontinue != NULL) {
#ifdef HAVE_STRCASESTR
                if (strcasestr (expectcontinue, "100-continue") != NULL)
#else
                ICECAST_LOG_WARN("OS doesn't support case insensitive substring checks...");
                if (strstr (expectcontinue, "100-continue") != NULL)
#endif
                {
                    status_to_send = 100;
                }
            }

            client->respcode = 200;
            ret = util_http_build_header(ok->data, PER_CLIENT_REFBUF_SIZE, 0, 0, status_to_send, NULL, NULL, NULL, NULL, NULL, client);
            snprintf(ok->data + ret, PER_CLIENT_REFBUF_SIZE - ret, "Content-Length: 0\r\n\r\n");
            ok->len = strlen(ok->data);
            /* we may have unprocessed data read in, so don't overwrite it */
            ok->associated = client->refbuf;
            client->refbuf = ok;
            fserve_add_client_callback(client, source_client_callback, source);
        }
    } else {
        client_send_error_by_id(client, ICECAST_ERROR_CON_MOUNT_IN_USE);
        ICECAST_LOG_WARN("Mountpoint %s in use", uri);
    }
}
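The Expect header check in source_startup() above relies on strcasestr() and, where that is unavailable, falls back to a case-sensitive strstr(). As an added example that is not Icecast's own code, here is a portable variant using only the C standard library: it matches 100-continue as a comma-separated token rather than a bare substring and maps the result to the 100-or-200 status the function chooses. The names expects_100_continue and status_for_expect are chosen here, not taken from the project.

```c
/* Added example (not Icecast code): token-wise, case-insensitive check for
 * the Expect: 100-continue header, portable to systems without strcasestr(). */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Compare alen bytes of a with the NUL-terminated b, ignoring ASCII case.
 * Returns 1 only if both have exactly the same length and content. */
static int ascii_ieq(const char *a, size_t alen, const char *b)
{
    size_t i;

    for (i = 0; i < alen; i++) {
        if (b[i] == '\0')
            return 0;
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    }
    return b[alen] == '\0';
}

/* Returns 1 if the Expect header value lists the 100-continue expectation
 * (comma-separated list, surrounding whitespace and case ignored), else 0.
 * A NULL header means the client stated no expectation. */
int expects_100_continue(const char *expect)
{
    const char *p = expect;

    if (p == NULL)
        return 0;

    while (*p != '\0') {
        const char *start, *end;

        /* skip leading whitespace and empty list elements */
        while (*p == ' ' || *p == '\t' || *p == ',')
            p++;
        if (*p == '\0')
            break;

        start = p;
        while (*p != '\0' && *p != ',')
            p++;
        end = p;

        /* trim trailing whitespace from the token */
        while (end > start && (end[-1] == ' ' || end[-1] == '\t'))
            end--;

        if (ascii_ieq(start, (size_t)(end - start), "100-continue"))
            return 1;
    }
    return 0;
}

/* Interim status to send before reading the PUT body: 100 when the client
 * asked for 100-continue, otherwise the usual 200. */
int status_for_expect(const char *expect)
{
    return expects_100_continue(expect) ? 100 : 200;
}

int main(void)
{
    /* constructed sample header values */
    const char *samples[] = { "100-continue", "100-Continue",
                              " foo , 100-CONTINUE ", "101-continue" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("Expect: %-22s -> %d\n", samples[i], status_for_expect(samples[i]));
    printf("Expect: (absent)%-14s -> %d\n", "", status_for_expect(NULL));
    return 0;
}
```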

/* only called for native icecast source clients */
static void _handle_source_request(client_t *client, const char *uri)
{
    ICECAST_LOG_INFO("Source logging in at mountpoint \"%s\" from %s as role %s",
        uri, client->con->ip, client->role);

    if (uri[0] != '/') {
        ICECAST_LOG_WARN("source mountpoint not starting with /");
        client_send_error_by_id(client, ICECAST_ERROR_CON_MOUNTPOINT_NOT_STARTING_WITH_SLASH);
        return;
    }

    source_startup(client, uri);
}

static void _handle_stats_request(client_t *client, char *uri)
{
    stats_event_inc(NULL, "stats_connections");

    client->respcode = 200;
    snprintf (client->refbuf->data, PER_CLIENT_REFBUF_SIZE,
            "HTTP/1.0 200 OK\r\n\r\n");
    client->refbuf->len = strlen(client->refbuf->data);
    fserve_add_client_callback(client, stats_callback, NULL);
}

/* if 0 is returned then the client should not be touched, however if -1
 * is returned then the caller is responsible for handling the client
 */
static int __add_listener_to_source(source_t *source, client_t *client)
{
    size_t loop = 10;

    do {
        ICECAST_LOG_DEBUG("max on %s is %ld (cur %lu)", source->mount,
                source->max_listeners, source->listeners);
        if (source->max_listeners == -1)
            break;
        if (source->listeners < (unsigned long)source->max_listeners)
            break;

        if (loop && source->fallback_when_full && source->fallback_mount) {
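The `do { ... }` loop in `__add_listener_to_source` above caps its fallback walk with `size_t loop = 10`. As an added illustration, which is not Icecast's own code, the following standalone model reproduces that admission decision on a constructed source table and shows why the bound matters: a full source whose fallback chain forms a cycle is given up after ten hops instead of spinning forever. The `model_source_t` type, `find_source`, `admit_listener`, `demo_sources` and `check_case` are names introduced for this example only.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed model of one streaming source (example type, not Icecast's source_t). */
typedef struct {
    const char *mount;
    long max_listeners;          /* -1 means unlimited, as in the real check */
    unsigned long listeners;     /* current listener count */
    int fallback_when_full;
    const char *fallback_mount;  /* NULL when no fallback is configured */
} model_source_t;

#define MAX_FALLBACK_HOPS 10     /* mirrors 'size_t loop = 10' in the real code */

/* Look a source up by mount name in the constructed table. */
static const model_source_t *find_source(const model_source_t *tbl, size_t n, const char *mount)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(tbl[i].mount, mount) == 0)
            return &tbl[i];
    return NULL;
}

/* Decide which mount a new listener is attached to. Returns the accepting mount, or
 * NULL when the requested source and every reachable fallback are full (or the hop
 * budget is exhausted). *hops receives the number of fallback redirects taken. */
const char *admit_listener(const model_source_t *tbl, size_t n, const char *mount, int *hops)
{
    const model_source_t *src = find_source(tbl, n, mount);
    int loop = MAX_FALLBACK_HOPS;
    *hops = 0;
    while (src) {
        if (src->max_listeners == -1)                        /* unlimited */
            return src->mount;
        if (src->listeners < (unsigned long)src->max_listeners)
            return src->mount;                                /* room left */
        /* Full: follow the fallback only while the hop budget lasts. Without the
         * budget a cyclic configuration (A -> B -> A) would never terminate. */
        if (loop && src->fallback_when_full && src->fallback_mount) {
            loop--;
            (*hops)++;
            src = find_source(tbl, n, src->fallback_mount);
            continue;
        }
        return NULL;
    }
    return NULL;                                              /* unknown mount */
}

/* Constructed sample configuration. */
static const model_source_t demo_sources[] = {
    { "/live",    2,  2, 1, "/backup" },   /* full, falls back to /backup */
    { "/backup",  5,  1, 1, "/live"   },   /* 1 of 5 slots used */
    { "/loopA",   1,  1, 1, "/loopB"  },   /* full, part of a fallback cycle */
    { "/loopB",   1,  1, 1, "/loopA"  },
    { "/open",   -1,  0, 0, NULL      },   /* unlimited */
    { "/closed",  0,  0, 0, NULL      },   /* no slots, no fallback */
};
#define DEMO_N (sizeof demo_sources / sizeof demo_sources[0])

/* Returns 1 when admitting a listener to 'mount' yields the expected mount
 * (NULL for rejection) after exactly 'expected_hops' redirects. */
int check_case(const char *mount, const char *expected, int expected_hops)
{
    int hops = 0;
    const char *got = admit_listener(demo_sources, DEMO_N, mount, &hops);
    if (hops != expected_hops)
        return 0;
    if (got == NULL || expected == NULL)
        return got == expected;
    return strcmp(got, expected) == 0;
}

int main(void)
{
    const char *mounts[] = { "/live", "/loopA", "/open", "/closed", "/missing" };
    for (size_t i = 0; i < sizeof mounts / sizeof mounts[0]; i++) {
        int hops = 0;
        const char *got = admit_listener(demo_sources, DEMO_N, mounts[i], &hops);
        printf("%-9s -> %s after %d hop(s)\n", mounts[i], got ? got : "(rejected)", hops);
    }
    return 0;
}
```

The cycle case is the one to watch in a real deployment: `/loopA` and `/loopB` are both full and point at each other, so the only thing that ends the walk is the hop budget. In the model the listener is rejected after ten redirects; a configuration check that flags fallback cycles at load time would catch the same mistake earlier.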
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 18:46:08 -05:00
|
|
|
source_t *next = source_find_mount (source->fallback_mount);
|
|
|
|
if (!next) {
|
|
|
|
ICECAST_LOG_ERROR("Fallback '%s' for full source '%s' not found",
|
2015-01-25 13:57:27 -05:00
|
|
|
source->mount, source->fallback_mount);
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 18:46:08 -05:00
|
|
|
return -1;
|
|
|
|
}
|
2015-03-01 11:51:09 -05:00
|
|
|
ICECAST_LOG_INFO("stream full, trying %s", next->mount);
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 18:46:08 -05:00
|
|
|
source = next;
|
|
|
|
loop--;
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
/* now we fail the client */
|
|
|
|
return -1;
|
|
|
|
} while (1);
|
|
|
|
|
|
|
|
client->write_to_client = format_generic_write_to_client;
|
|
|
|
client->check_buffer = format_check_http_buffer;
|
|
|
|
client->refbuf->len = PER_CLIENT_REFBUF_SIZE;
|
2015-01-25 13:57:27 -05:00
|
|
|
memset(client->refbuf->data, 0, PER_CLIENT_REFBUF_SIZE);
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 18:46:08 -05:00
|
|
|
|
|
|
|
/* lets add the client to the active list */
|
2015-01-25 13:57:27 -05:00
|
|
|
avl_tree_wlock(source->pending_tree);
|
|
|
|
avl_insert(source->pending_tree, client);
|
|
|
|
avl_tree_unlock(source->pending_tree);
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 18:46:08 -05:00
|
|
|
|
2015-01-25 13:57:27 -05:00
|
|
|
if (source->running == 0 && source->on_demand) {
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 18:46:08 -05:00
|
|
|
/* enable on-demand relay to start, wake up the slave thread */
|
|
|
|
ICECAST_LOG_DEBUG("kicking off on-demand relay");
|
|
|
|
source->on_demand_req = 1;
|
2003-04-23 08:44:29 -04:00
|
|
|
}
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now processed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by a unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files need to be updated to reflect the changes.
As this is quite some political act it should be done in discussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentication is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with different authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoutcast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
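A constructed configuration fragment, added here to illustrate the <role> stack the commit message describes; it is not part of this patch or of Icecast's shipped configuration. The mount name and credentials are placeholders, the admin command name `metadata` in allow-admin is assumed from Icecast rather than taken from the message, and the <mount>/<mount-name> nesting is the usual Icecast config layout. The attribute and option names themselves are the ones listed above.

```xml
<!-- Constructed example (not from Icecast or this patch): one mount with a two-role stack.
     Placeholders: /example.ogg, CHANGE_ME_user, CHANGE_ME_password.
     Assumption: "metadata" is an admin command name known to Icecast; it is not listed in the message. -->
<mount>
    <mount-name>/example.ogg</mount-name>
    <authentication>
        <!-- Tried first. Matches only requests presenting these exact credentials;
             any other request gets AUTH_NOMATCH and drops to the next role. -->
        <role type="static" name="mount-admin"
              allow-method="get,post"
              allow-admin="buildm3u,metadata"
              connections-per-user="2"
              connection-duration="3600">
            <option name="username" value="CHANGE_ME_user"/>
            <option name="password" value="CHANGE_ME_password"/>
        </role>
        <!-- Last resort for this mount. Matches everything, so it must come after the
             credentialed role; its ACL is the narrow one: GET only, and the default
             admin ACL (allow-admin defaults to buildm3u, deny-admin to *). -->
        <role type="anonymous" name="listeners" allow-method="get"/>
    </authentication>
</mount>
```

Roles are tried top to bottom: a request carrying the static credentials matches the first role and receives its ACL; anything else falls through on AUTH_NOMATCH to the anonymous role, whose ACL permits only GET and the default buildm3u admin command. Order matters: an anonymous role placed first would match every request and the credentialed role would never be evaluated. The connections-per-user cap on the named role bounds how many simultaneous connections one credential can hold under that role, which the message notes is enforced only on active sources.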
    ICECAST_LOG_DEBUG("Added client to %s", source->mount);
    return 0;
}

/* count the number of clients on a mount with same username and same role as the given one */
static inline ssize_t __count_user_role_on_mount (source_t *source, client_t *client) {
    ssize_t ret = 0;
    avl_node *node;

    avl_tree_rlock(source->client_tree);
    node = avl_get_first(source->client_tree);
    while (node) {
        client_t *existing_client = (client_t *)node->key;
        if (existing_client->username && client->username &&
            strcmp(existing_client->username, client->username) == 0 &&
            existing_client->role && client->role &&
            strcmp(existing_client->role, client->role) == 0) {
            ret++;
        }
        node = avl_get_next(node);
    }
    avl_tree_unlock(source->client_tree);

    avl_tree_rlock(source->pending_tree);
    node = avl_get_first(source->pending_tree);
    while (node) {
        client_t *existing_client = (client_t *)node->key;
        if (existing_client->username && client->username &&
            strcmp(existing_client->username, client->username) == 0 &&
            existing_client->role && client->role &&
            strcmp(existing_client->role, client->role) == 0) {
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of seconds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a static password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now processed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by a unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case the best way.
- Default config files need to be updated to reflect the changes.
As this is quite some political act it should be done in discussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentication is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on the kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with different authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoutcast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 18:46:08 -05:00
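The role stack the commit message describes (roles tried in the order mount specific, default mount specific, global, internal fallback; AUTH_NOMATCH falls through to the next role; the matched role's ACL then decides the method), together with the connections-per-user convention used in the connection.c code on this page, as an added example. This is not Icecast's code: every type and function name in it (role_t, role_auth, role_stack_check, over_connection_limit, demo_*) is a hypothetical stand-in for the real auth.h/acl.h interfaces, the three module behaviours are modelled from the commit message only, and the choice that a wrong password for a matched username returns AUTH_FAILED and stops the walk is this model's own design decision, not something the page states.

```c
/* Added example, not Icecast code: a small model of the <role> stack the commit
 * message describes. All type and function names are hypothetical stand-ins. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum { AUTH_OK, AUTH_FAILED, AUTH_NOMATCH } auth_result_t;
typedef enum { ROLE_ANONYMOUS, ROLE_STATIC, ROLE_LEGACY_PASSWORD } role_type_t;
/* HTTP methods as bit flags, standing in for the httpp/ method enum. */
enum { M_GET = 1, M_POST = 2, M_HEAD = 4, M_SOURCE = 8 };

typedef struct {
    role_type_t type;
    const char *name;
    unsigned method;        /* "method": the role is only consulted for these */
    unsigned allow_method;  /* "allow-method": ACL applied after a match */
    const char *username;   /* <option name="username"> (static only) */
    const char *password;   /* <option name="password"> (static, legacy-password) */
} role_t;

typedef struct {
    unsigned method;
    const char *username;   /* NULL when the client sent no credentials */
    const char *password;
} request_t;
typedef struct { const role_t *roles; size_t count; } role_list_t;

/* One module invocation. AUTH_NOMATCH means "this role does not apply, try the
 * next one". AUTH_FAILED stops the walk: a wrong password for a matched username
 * must not fall through to a more permissive role further down the stack. */
static auth_result_t role_auth(const role_t *r, const request_t *q) {
    if (!(r->method & q->method)) return AUTH_NOMATCH;
    switch (r->type) {
    case ROLE_ANONYMOUS:
        return AUTH_OK;
    case ROLE_STATIC:
        if (!q->username || !q->password || strcmp(r->username, q->username) != 0)
            return AUTH_NOMATCH;
        return strcmp(r->password, q->password) == 0 ? AUTH_OK : AUTH_FAILED;
    case ROLE_LEGACY_PASSWORD:
        if (!q->password) return AUTH_NOMATCH;
        return strcmp(r->password, q->password) == 0 ? AUTH_OK : AUTH_FAILED;
    }
    return AUTH_NOMATCH;
}

/* Internal fallback as the commit message states it: web/ access via GET, POST
 * and HEAD, all other requests rejected. */
static const role_t internal_fallback = { ROLE_ANONYMOUS, "internal-fallback",
    M_GET | M_POST | M_HEAD, M_GET | M_POST | M_HEAD, NULL, NULL };

/* Walk the stack in the documented order: mount specific (levels[0]), default
 * mount (levels[1]), global (levels[2]), then the internal fallback. Returns 1
 * only if a role authenticated the request AND its ACL allows the method. */
int role_stack_check(const role_list_t levels[3], const request_t *q, const char **matched_name) {
    const role_t *matched = NULL;
    auth_result_t res = AUTH_NOMATCH;
    for (int lvl = 0; lvl < 3 && res == AUTH_NOMATCH; lvl++)
        for (size_t i = 0; i < levels[lvl].count; i++) {
            res = role_auth(&levels[lvl].roles[i], q);
            if (res != AUTH_NOMATCH) { matched = &levels[lvl].roles[i]; break; }
        }
    if (res == AUTH_NOMATCH) {
        matched = &internal_fallback;
        res = role_auth(matched, q);
        if (res == AUTH_NOMATCH) res = AUTH_FAILED;   /* "rejects all other requests" */
    }
    *matched_name = matched->name;
    return res == AUTH_OK && (matched->allow_method & q->method) != 0;
}

/* connections-per-user as the connection.c code on this page treats it:
 * -1 = not set (default, unlimited), 0 = unlimited, n > 0 = hard limit. */
int over_connection_limit(long max_per_user, size_t current) {
    return max_per_user > 0 && current >= (size_t)max_per_user;
}

/* Constructed configuration: a static source role on the mount, an anonymous
 * listener role globally, nothing at the default-mount level. */
static const role_t mount_roles[]  = { { ROLE_STATIC, "source", M_SOURCE, M_SOURCE, "source", "hackme" } };
static const role_t global_roles[] = { { ROLE_ANONYMOUS, "listener", M_GET, M_GET, NULL, NULL } };
static const role_list_t demo_levels[3] = { { mount_roles, 1 }, { NULL, 0 }, { global_roles, 1 } };
static const request_t demo_requests[] = {   /* constructed requests, one per case */
    { M_GET,    NULL,     NULL     },   /* 0: no credentials -> global anonymous role */
    { M_SOURCE, "source", "hackme" },   /* 1: valid source login -> mount role */
    { M_SOURCE, "source", "wrong"  },   /* 2: wrong password -> AUTH_FAILED, no fallthrough */
    { M_SOURCE, NULL,     NULL     },   /* 3: no credentials -> fallback rejects SOURCE */
    { M_POST,   NULL,     NULL     },   /* 4: nothing configured -> fallback allows web/ POST */
};

/* Decision (1 = allowed) and deciding role for constructed request i. */
int demo_result(size_t i) { const char *n; return role_stack_check(demo_levels, &demo_requests[i], &n); }
const char *demo_role(size_t i) { const char *n; role_stack_check(demo_levels, &demo_requests[i], &n); return n; }

int main(void) {
    for (size_t i = 0; i < sizeof demo_requests / sizeof demo_requests[0]; i++)
        printf("request %zu: %s (role '%s')\n", i, demo_result(i) ? "allowed" : "denied", demo_role(i));
    return 0;
}
```

The point worth noticing is case 2 versus case 3: a wrong password for a configured username is a hard failure and never reaches the internal fallback, while a request with no credentials at all does reach it and is then rejected because SOURCE is not a web/ method. A stack in which every module returned AUTH_NOMATCH on any mismatch would instead let a failed login be retried against every more permissive role below it.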
                ret++;
            }
            node = avl_get_next(node);
        }
    avl_tree_unlock(source->pending_tree);
    return ret;
}

static void _handle_get_request(client_t *client, char *uri) {
    source_t *source = NULL;

    ICECAST_LOG_DEBUG("Got client %p with URI %H", client, uri);

    /* there are several types of HTTP GET clients
     * media clients, which are looking for a source (eg, URI = /stream.ogg),
     * stats clients, which are looking for /admin/stats.xml and
     * fserve clients, which are looking for static files.
     */
    stats_event_inc(NULL, "client_connections");

    /* this is a web/ request. let's check if we are allowed to do that. */
    if (acl_test_web(client->acl) != ACL_POLICY_ALLOW) {
        /* doesn't seem so, sad client :( */
        if (client->protocol == ICECAST_PROTOCOL_SHOUTCAST) {
            client_destroy(client);
        } else {
            client_send_error_by_id(client, ICECAST_ERROR_GEN_CLIENT_NEEDS_TO_AUTHENTICATE);
        }
        return;
    }

    if (client->parser->req_type == httpp_req_options) {
        client_send_204(client);
        return;
    }

Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with different authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoutcast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 18:46:08 -05:00
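The <role> stack semantics described in this commit message (roles tried in order mount specific, default mount, global, internal fallback; only AUTH_NOMATCH falls through; the fallback only covers web access via GET/POST/HEAD), modelled as an added example in C. This is illustration code, not Icecast's own auth.c/acl.c: the structs, the bitmask method encoding, the sample roles and the rule that a matched static role with a wrong password answers AUTH_FAILED are assumptions made here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Results a role can return; only AUTH_NOMATCH lets the next role be tried. */
typedef enum { AUTH_OK, AUTH_FAILED, AUTH_NOMATCH } auth_result_t;

/* HTTP methods as a bitmask so "method"/"allow-method" lists are cheap to test (assumed encoding). */
enum { M_GET = 1, M_POST = 2, M_HEAD = 4, M_SOURCE = 8, M_ALL = 0xff };

typedef struct {
    const char *name;      /* role name */
    const char *username;  /* NULL models type="anonymous" (matches every request) */
    const char *password;  /* password of a type="static" role; unused when anonymous */
    unsigned    method;    /* "method": the role is only active for these methods */
    unsigned    allow;     /* "allow-method": ACL applied once the role has matched */
} role_t;

typedef struct {
    const char *username;  /* NULL when the request carried no credentials */
    const char *password;
    unsigned    method;    /* exactly one M_* bit */
} request_t;

/* One role. Assumption: a static role that sees its own username with the wrong
 * password answers AUTH_FAILED (stops the stack); a foreign username is AUTH_NOMATCH. */
static auth_result_t role_try(const role_t *r, const request_t *q)
{
    if (!(r->method & q->method))
        return AUTH_NOMATCH;               /* role not active for this HTTP method */
    if (r->username == NULL)
        return AUTH_OK;                    /* anonymous: matches everything */
    if (q->username == NULL || strcmp(q->username, r->username) != 0)
        return AUTH_NOMATCH;               /* credentials belong to some other role */
    return strcmp(q->password, r->password) == 0 ? AUTH_OK : AUTH_FAILED;
}

/* Internal fallback as stated in the commit message: web access via GET/POST/HEAD, rest rejected. */
static const role_t internal_fallback = { "internal", NULL, NULL,
                                          M_GET | M_POST | M_HEAD, M_GET | M_POST | M_HEAD };

/* Walk the stack in the documented order: mount specific, default mount, global, fallback.
 * levels[i] is an array of counts[i] roles, or NULL when that section is absent.
 * On AUTH_OK *matched names the winning role so its ACL can be applied afterwards. */
static auth_result_t auth_stack(const role_t *levels[3], const size_t counts[3],
                                const request_t *q, const role_t **matched)
{
    for (int lvl = 0; lvl < 3; lvl++) {
        for (size_t i = 0; levels[lvl] && i < counts[lvl]; i++) {
            auth_result_t res = role_try(&levels[lvl][i], q);
            if (res == AUTH_NOMATCH)
                continue;                  /* only NOMATCH falls through to the next role */
            *matched = (res == AUTH_OK) ? &levels[lvl][i] : NULL;
            return res;
        }
    }
    auth_result_t res = role_try(&internal_fallback, q);
    *matched = (res == AUTH_OK) ? &internal_fallback : NULL;
    return res == AUTH_NOMATCH ? AUTH_FAILED : res;   /* fallback rejects whatever it does not cover */
}

/* Final decision: authentication must succeed AND the matched role's ACL must allow the method. */
static int request_allowed(const role_t *levels[3], const size_t counts[3], const request_t *q)
{
    const role_t *matched = NULL;
    if (auth_stack(levels, counts, q, &matched) != AUTH_OK)
        return 0;
    return (matched->allow & q->method) != 0;
}

/* Constructed sample configuration for the demonstration (not taken from any real icecast.xml). */
static const role_t mount_roles[]  = { { "src", "source", "s3cret", M_ALL, M_SOURCE } };
static const role_t global_roles[] = { { "listen", NULL, NULL, M_GET | M_HEAD, M_GET },
                                       { "admin", "admin", "adm1n", M_ALL, M_ALL } };

/* Run one request through the stack; use_mount_level = 0 models a mount without its own roles. */
static int scenario(const char *user, const char *pass, unsigned method, int use_mount_level)
{
    const role_t *levels[3] = { use_mount_level ? mount_roles : NULL, NULL, global_roles };
    const size_t  counts[3] = { 1, 0, 2 };
    request_t q = { user, pass, method };
    return request_allowed(levels, counts, &q);
}

int main(void)
{
    printf("source, right password:   %d\n", scenario("source", "s3cret", M_SOURCE, 1));
    /* wrong password: AUTH_FAILED stops the stack, later roles are never consulted */
    printf("source, wrong password:   %d\n", scenario("source", "wrong", M_SOURCE, 1));
    printf("anonymous listener GET:   %d\n", scenario(NULL, NULL, M_GET, 1));
    /* no role covers an anonymous SOURCE request, and the fallback rejects it */
    printf("anonymous SOURCE, no role: %d\n", scenario(NULL, NULL, M_SOURCE, 0));
    return 0;
}
```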
    if (util_check_valid_extension(uri) == XSLT_CONTENT) {
        /* If the file exists, then transform it, otherwise, write a 404 */
        ICECAST_LOG_DEBUG("Stats request, sending XSL transformed stats");
        stats_transform_xslt(client, uri);
        return;
    }

    avl_tree_rlock(global.source_tree);
    /* let's see if this is a source or just a random fserve file */
    source = source_find_mount(uri);
    if (source) {
        /* true mount */
        int in_error = 0;
        ssize_t max_connections_per_user = acl_get_max_connections_per_user(client->acl);
        /* check for duplicate_logins */
        if (max_connections_per_user > 0) { /* -1 = not set (-> default=unlimited), 0 = unlimited */
            if (max_connections_per_user <= __count_user_role_on_mount(source, client)) {
                client_send_error_by_id(client, ICECAST_ERROR_CON_PER_CRED_CLIENT_LIMIT);
                in_error = 1;
            }
        }

        /* Set max listening duration in case not already set. */
        if (!in_error && client->con->discon_time == 0) {
            time_t connection_duration = acl_get_max_connection_duration(client->acl);
            if (connection_duration == -1) {
                /* ACL did not set one: fall back to the mount's max-listener-duration */
                ice_config_t *config = config_get_config();
                mount_proxy *mount = config_find_mount(config, source->mount, MOUNT_TYPE_NORMAL);
                if (mount && mount->max_listener_duration)
                    connection_duration = mount->max_listener_duration;
                config_release_config();
            }

            if (connection_duration > 0) /* -1 = not set (-> default=unlimited), 0 = unlimited */
                client->con->discon_time = connection_duration + time(NULL);
        }
        if (!in_error && __add_listener_to_source(source, client) == -1) {
            client_send_error_by_id(client, ICECAST_ERROR_CON_rejecting_client_for_whatever_reason);
        }
        avl_tree_unlock(global.source_tree);
    } else {
        /* file */
        avl_tree_unlock(global.source_tree);
        fserve_client_create(client, uri);
    }
}

static void _handle_shoutcast_compatible(client_queue_t *node)
{
    char *http_compliant;
    int http_compliant_len = 0;
    http_parser_t *parser;
    const char *shoutcast_mount;
    client_t *client = node->client;
    ice_config_t *config;

    if (node->shoutcast == 1)
    {
        char *ptr, *headers;

        /* Get rid of trailing \r\n or \n after password */
        ptr = strstr(client->refbuf->data, "\r\r\n");
        if (ptr) {
            headers = ptr+3;
        } else {
            ptr = strstr(client->refbuf->data, "\r\n");
            if (ptr) {
                headers = ptr+2;
            } else {
                ptr = strstr(client->refbuf->data, "\n");
                if (ptr)
                    headers = ptr+1;
            }
        }

        if (ptr == NULL){
            /* no line terminator after the password: malformed request, drop the client */
            client_destroy(client);
            free(node->shoutcast_mount);
            free(node);
            return;
        }
        *ptr = '\0';
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 18:46:08 -05:00
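As an added illustration (not part of the commit above or of the Icecast source tree), here is what a mount-level role stack of the kind the commit message describes looks like in icecast.xml. The <role> attributes and the <option> names are the ones listed in the commit message; the method token `source` and the admin command `metadata` are assumptions about what httpp/ and the admin interface recognize, and the credentials are placeholders.

```xml
<!-- Added example: one mount with two stacked roles. Roles are tried top to bottom;
     a role that returns AUTH_NOMATCH hands the client to the next one, then to the
     default-mount roles, then the global roles, then the internal fallback. -->
<mount>
    <mount-name>/live.ogg</mount-name>
    <authentication>
        <!-- Consulted only for the listed methods (assumed token "source"); it
             carries the encoder's fixed credentials and may push metadata. -->
        <role type="static" name="encoder"
              method="source,put"
              allow-method="source,put"
              allow-admin="metadata">
            <option name="username" value="live-encoder"/>
            <option name="password" value="change-me"/>
        </role>
        <!-- Listeners: matches every remaining request, but the ACL only allows
             GET and caps the session length (limits apply while a source is live). -->
        <role type="anonymous" name="listener"
              method="get"
              allow-method="get"
              connection-duration="3600"/>
    </authentication>
</mount>
```

Because deny-method defaults to `*`, anything not named in allow-method is rejected even for a role that matched, so a listener that hits the anonymous role with a PUT is refused rather than falling through to a more permissive global role.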
        client->password = strdup(client->refbuf->data);
        config = config_get_config();
        client->username = strdup(config->shoutcast_user);
        config_release_config();
        node->offset -= (headers - client->refbuf->data);
        memmove(client->refbuf->data, headers, node->offset+1);
        node->shoutcast = 2;
        /* we've checked the password, now send it back for reading headers */
        _add_request_queue(node);
        return;
    }
    /* actually make a copy as we are dropping the config lock */
    /* Here we create a valid HTTP request based on the information
       that was passed in via the non-HTTP style protocol above. This
       means we can use some of our existing code to handle this case */
    config = config_get_config();
    if (node->shoutcast_mount) {
        shoutcast_mount = node->shoutcast_mount;
    } else {
        shoutcast_mount = config->shoutcast_mount;
    }
    http_compliant_len = 20 + strlen(shoutcast_mount) + node->offset;
    http_compliant = (char *)calloc(1, http_compliant_len);
    snprintf(http_compliant, http_compliant_len,
            "SOURCE %s HTTP/1.0\r\n%s", shoutcast_mount, client->refbuf->data);
    config_release_config();

    parser = httpp_create_parser();
    httpp_initialize(parser, NULL);
    if (httpp_parse(parser, http_compliant, strlen(http_compliant))) {
        /* we may have more than just headers, so prepare for it */
        if (node->stream_offset == node->offset) {
            client->refbuf->len = 0;
        } else {
            char *ptr = client->refbuf->data;
            client->refbuf->len = node->offset - node->stream_offset;
            memmove(ptr, ptr + node->stream_offset, client->refbuf->len);
        }
        client->parser = parser;
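The code above turns a SHOUTcast-style login (a bare password line followed by ICY headers) into a request the ordinary HTTP parser can handle, while keeping any stream bytes that arrived behind the headers. The following stand-alone C program is an added example written for this page, not Icecast's own code: it re-implements that translation on a constructed header block so the two details worth checking can be seen in isolation, namely that the 20-byte overhead reserved for the synthesized request line is sufficient, and that the bytes after the header terminator survive the hand-off. The mount name and the lenient "\n\n" terminator are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Overhead Icecast reserves for the synthesized line "SOURCE <mount> HTTP/1.0\r\n":
 * "SOURCE " is 7 bytes, " HTTP/1.0\r\n" is 11, plus the terminating NUL makes 19,
 * so 20 is enough and leaves one byte of slack. */
#define REQ_LINE_OVERHEAD 20

/* Length of the ICY header block in buf, including the blank line that ends it
 * ("\r\n\r\n", or "\n\n" as an assumed concession to lenient clients); 0 if the
 * block is incomplete. Bytes past that offset are stream data, not headers. */
size_t icy_header_block_len(const char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (i + 4 <= n && memcmp(buf + i, "\r\n\r\n", 4) == 0)
            return i + 4;
        if (i + 2 <= n && memcmp(buf + i, "\n\n", 2) == 0)
            return i + 2;
    }
    return 0;
}

/* Build "SOURCE <mount> HTTP/1.0\r\n" followed by the first header_len bytes of
 * the client's ICY headers. The mount comes from server configuration, never from
 * the client, so the client cannot choose or inject the request line. Caller frees. */
char *build_source_request(const char *mount, const char *icy_headers, size_t header_len)
{
    size_t len = REQ_LINE_OVERHEAD + strlen(mount) + header_len;
    char *req = calloc(1, len);
    if (req == NULL)
        return NULL;
    /* snprintf bounds the write to len bytes; with the overhead above it never truncates. */
    snprintf(req, len, "SOURCE %s HTTP/1.0\r\n%.*s", mount, (int)header_len, icy_headers);
    return req;
}

/* Slide the bytes that followed the header block to the front of buf (what the
 * memmove in Icecast does) and return how many stream bytes were kept. */
size_t keep_stream_tail(char *buf, size_t n, size_t header_len)
{
    size_t tail = n - header_len;
    memmove(buf, buf + header_len, tail);
    return tail;
}

/* Run the translation on a constructed SHOUTcast-style header block that already
 * has three bytes of audio behind it. Returns the synthesized request length, or -1. */
int demo_translate(void)
{
    /* Constructed sample: ICY headers as a SHOUTcast source sends them after its
     * password line, followed by three bytes that belong to the stream. */
    char buf[] = "icy-name: Constructed test stream\r\nicy-br: 128\r\n\r\n\x01\x02\x03";
    size_t n = sizeof(buf) - 1;
    size_t header_len = icy_header_block_len(buf, n);
    if (header_len == 0)
        return -1;

    /* Mount chosen server-side, as config->shoutcast_mount would be (assumed value). */
    char *req = build_source_request("/stream", buf, header_len);
    if (req == NULL)
        return -1;
    int req_len = (int)strlen(req);
    printf("%s", req);
    free(req);

    /* The three stream bytes must survive the header hand-off intact. */
    size_t tail = keep_stream_tail(buf, n, header_len);
    if (tail != 3 || buf[0] != 1 || buf[1] != 2 || buf[2] != 3)
        return -1;
    return req_len;
}

int main(void)
{
    int len = demo_translate();
    printf("\nsynthesized request length: %d\n", len);
    return len > 0 ? 0 : 1;
}
```

The request length for the sample is 25 bytes of synthesized request line plus the 50-byte header block, well inside the calloc'd buffer, and the audio bytes end up at the front of the buffer exactly as the `memmove(ptr, ptr + node->stream_offset, ...)` above arranges.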
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a static password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now processed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by a unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files need to be updated to reflect the changes.
As this is quite some political act it should be done in discussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentication is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with different authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoutcast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 18:46:08 -05:00
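The role stack the commit message describes (roles tried in order, AUTH_NOMATCH falling through to the next one, the internal fallback allowing only GET to web/ and rejecting everything else, and each matched role's allow-method/allow-admin ACL) can be modelled in a few dozen lines. The block below is an added illustration, not Icecast's code: the struct and enum names, AUTH_OK/AUTH_FAILED, the sample roles and their placeholder credentials are all assumptions (AUTH_NOMATCH is the message's own term). Two further assumptions are spelled out in comments: a static role whose credentials do not match returns AUTH_NOMATCH, and a role that matched but whose ACL denies the request ends evaluation. The check a reviewer of such a configuration wants is the second stack: an anonymous role, which by the message's definition matches every request, placed in front of an admin role makes that admin role unreachable.

```c
#include <stdio.h>
#include <string.h>

/* Added model of the <role> stack from the commit message; not Icecast code.
 * Type names, AUTH_OK/AUTH_FAILED and the sample roles are assumptions. */
typedef enum { AUTH_OK, AUTH_FAILED, AUTH_NOMATCH } auth_result_t;
typedef enum { ROLE_ANONYMOUS, ROLE_STATIC } role_type_t;

typedef struct {
    const char *name;
    role_type_t type;
    const char *method;       /* "*" or the one HTTP method this role is active on */
    const char *username;     /* static roles only */
    const char *password;     /* static roles only */
    const char *allow_method; /* "*" or comma list; message default is "get" */
    const char *allow_admin;  /* "*" or comma list; message default is "buildm3u" */
} role_t;

typedef struct {
    const char *method;       /* lower-case, as httpp/ would report it */
    const char *admin_cmd;    /* NULL unless this is an admin request */
    const char *username;     /* NULL when no credentials were sent */
    const char *password;
} request_t;

/* True if a comma-separated list such as "get,post" (or "*") contains item. */
static int list_has(const char *list, const char *item)
{
    size_t n = strlen(item);
    if (strcmp(list, "*") == 0)
        return 1;
    for (const char *p = list; *p; ) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == n && strncmp(p, item, n) == 0)
            return 1;
        if (!end)
            break;
        p = end + 1;
    }
    return 0;
}

static int str_eq(const char *a, const char *b)
{
    return a && b && strcmp(a, b) == 0;
}

/* One role. AUTH_NOMATCH hands the request to the next role; anything else is
 * final, so a matched role whose ACL denies ends with AUTH_FAILED (assumption). */
static auth_result_t role_check(const role_t *r, const request_t *q)
{
    if (strcmp(r->method, "*") != 0 && strcmp(r->method, q->method) != 0)
        return AUTH_NOMATCH;   /* role only active on another method */
    if (r->type == ROLE_STATIC &&
        !(str_eq(r->username, q->username) && str_eq(r->password, q->password)))
        return AUTH_NOMATCH;   /* assumption: wrong or missing creds fall through */
    /* Matched (anonymous always matches): apply the role's ACL. */
    if (!list_has(r->allow_method, q->method))
        return AUTH_FAILED;
    if (q->admin_cmd && !list_has(r->allow_admin, q->admin_cmd))
        return AUTH_FAILED;
    return AUTH_OK;
}

/* Walk the roles in their documented order (mount, default mount, global), then
 * the internal fallback: web access via GET only, everything else rejected.
 * *decided_by gets the index of the deciding role, -1 for the fallback. */
static auth_result_t auth_stack(const role_t *roles, int nroles,
                                const request_t *q, int *decided_by)
{
    for (int i = 0; i < nroles; i++) {
        auth_result_t res = role_check(&roles[i], q);
        if (res != AUTH_NOMATCH) {
            *decided_by = i;
            return res;
        }
    }
    *decided_by = -1;
    return (q->admin_cmd == NULL && strcmp(q->method, "get") == 0) ? AUTH_OK : AUTH_FAILED;
}

static auth_result_t check(const role_t *roles, int nroles, const char *method,
                           const char *admin_cmd, const char *user,
                           const char *pass, int *decided_by)
{
    request_t q = { method, admin_cmd, user, pass };
    return auth_stack(roles, nroles, &q, decided_by);
}

/* Constructed sample stacks; credentials are placeholders. */
static const role_t safe_stack[] = {
    { "source", ROLE_STATIC, "*", "source", "hackme", "source,put", "buildm3u" },
    { "admin",  ROLE_STATIC, "*", "admin",  "s3cret", "*",          "*"        },
};
/* Same admin role, but an anonymous listener role sits in front of it. */
static const role_t shadowed_stack[] = {
    { "listener", ROLE_ANONYMOUS, "*", NULL,    NULL,     "get", "buildm3u" },
    { "admin",    ROLE_STATIC,    "*", "admin", "s3cret", "*",   "*"        },
};
#define NROLES(a) ((int)(sizeof(a) / sizeof((a)[0])))

int main(void)
{
    int by;
    auth_result_t r = check(shadowed_stack, NROLES(shadowed_stack),
                            "get", "killsource", "admin", "s3cret", &by);
    /* The anonymous role never returns AUTH_NOMATCH, so the admin role behind
     * it is unreachable: valid admin credentials are denied by role 0. */
    printf("killsource with admin creds: %s (decided by role %d)\n",
           r == AUTH_OK ? "allowed" : "denied", by);
    return 0;
}
```

With safe_stack, an admin request with the admin credentials passes the source role (AUTH_NOMATCH) and is granted by the admin role; with wrong credentials it reaches the fallback and is rejected because it is not a web GET. With shadowed_stack the same valid admin request is denied by the anonymous role's default allow-admin of buildm3u, which is why role order, not just role contents, has to be reviewed.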
        client->protocol = ICECAST_PROTOCOL_SHOUTCAST;
        node->shoutcast = 0;
        return;
    } else {
        httpp_destroy(parser);
        client_destroy(client);
    }
    free(http_compliant);
    free(node->shoutcast_mount);
    free(node);
    return;
}

/* Handle <resource> lookups here.
 */

static int _handle_resources(client_t *client, char **uri)
{
    const char *http_host = httpp_getvar(client->parser, "host");
    char *serverhost = NULL;
    int serverport = 0;
    char *vhost = NULL;
    char *vhost_colon;
    char *new_uri = NULL;
    ice_config_t *config;
    listener_t *listen_sock;
    resource_t *resource;

    /* Copy the Host header and cut off any ":port" suffix, so only the host
     * name part is compared against the configured resources below. */
    if (http_host) {
        vhost = strdup(http_host);
        if (vhost) {
            vhost_colon = strstr(vhost, ":");
            if (vhost_colon)
                *vhost_colon = 0;
        }
    }

    config = config_get_config();
    listen_sock = config_get_listen_sock (config, client->con);
    if (listen_sock) {
        serverhost = listen_sock->bind_address;
        serverport = listen_sock->port;
    }

    resource = config->resources;
```c
    /* We now go thru all resources and see if any matches. */
    for (; resource; resource = resource->next) {
        /* We check for several aspects, if they DO NOT match, we continue with our search. */

        /* Check for the URI to match. */
        if (resource->flags & ALIAS_FLAG_PREFIXMATCH) {
            size_t len = strlen(resource->source);
            if (strncmp(*uri, resource->source, len) != 0)
                continue;
            ICECAST_LOG_DEBUG("Match: *uri='%s', resource->source='%s', len=%zu", *uri, resource->source, len);
        } else {
            if (strcmp(*uri, resource->source) != 0)
                continue;
        }

        /* Check for the server's port to match. */
        if (resource->port != -1 && resource->port != serverport)
            continue;

        /* Check for the server's bind address to match. */
        if (resource->bind_address != NULL && serverhost != NULL && strcmp(resource->bind_address, serverhost) != 0)
            continue;

        /* Check for the vhost to match. */
        if (resource->vhost != NULL && vhost != NULL && strcmp(resource->vhost, vhost) != 0)
            continue;

        /* Ok, we found a matching entry. */

        if (resource->destination) {
            if (resource->flags & ALIAS_FLAG_PREFIXMATCH) {
                size_t len = strlen(resource->source);
                asprintf(&new_uri, "%s%s", resource->destination, (*uri) + len);
            } else {
                new_uri = strdup(resource->destination);
            }
        }
        if (resource->omode != OMODE_DEFAULT)
            client->mode = resource->omode;

        if (resource->module) {
            module_t *module = module_container_get_module(global.modulecontainer, resource->module);

            if (module != NULL) {
                refobject_unref(client->handler_module);
                client->handler_module = module;
            } else {
                ICECAST_LOG_ERROR("Module used in alias not found: %s", resource->module);
            }
        }

        if (resource->handler) {
            char *func = strdup(resource->handler);
            if (func) {
                free(client->handler_function);
                client->handler_function = func;
            } else {
                ICECAST_LOG_ERROR("Can not allocate memory.");
            }
        }

        ICECAST_LOG_DEBUG("resource has made %s into %s", *uri, new_uri);
        break;
    }

    config_release_config();

    if (new_uri) {
        free(*uri);
        *uri = new_uri;
    }

    if (vhost)
        free(vhost);

    return 0;
}
```
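The alias matching loop above, re-implemented as a stand-alone function over a constructed alias table so its rules can be exercised; this is an added example, not Icecast's code, and `alias_entry`, `resolve_alias` and `alias_rewrites_to` are hypothetical names. It also shows two consequences of the checks as written: a prefix alias compares raw bytes with no path-segment boundary, and an entry restricted to a vhost still matches a request that carries no Host header.

```c
/* Added example, not Icecast's code: a stand-alone version of the alias
 * matching loop, with a constructed alias table. alias_entry, resolve_alias
 * and alias_rewrites_to are hypothetical names. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ALIAS_FLAG_PREFIXMATCH 0x1   /* same meaning as on the page */

typedef struct alias_entry {
    const char *source;        /* request URI, or URI prefix when PREFIXMATCH */
    const char *destination;   /* rewritten URI; NULL = match without rewrite */
    int port;                  /* listening port to require, -1 = any */
    const char *bind_address;  /* listening address to require, NULL = any */
    const char *vhost;         /* Host: header value to require, NULL = any */
    unsigned flags;
    const struct alias_entry *next;
} alias_entry;

/* Walk the list in configured order; the first entry whose URI, port, bind
 * address and vhost all match wins. Returns 1 on a match, with *out set to a
 * malloc'd rewritten URI (or NULL if the entry has no destination), else 0. */
int resolve_alias(const alias_entry *res, const char *uri, int serverport,
                  const char *serverhost, const char *vhost, char **out)
{
    *out = NULL;
    for (; res; res = res->next) {
        size_t len = strlen(res->source);

        /* URI: the prefix compare looks at the first len bytes only, with no
         * path-segment boundary, so "/old" also matches "/oldies". */
        if (res->flags & ALIAS_FLAG_PREFIXMATCH) {
            if (strncmp(uri, res->source, len) != 0)
                continue;
        } else if (strcmp(uri, res->source) != 0) {
            continue;
        }
        /* Port, bind address and vhost only narrow the match when the entry
         * sets them AND the request side is known: a NULL vhost (no Host:
         * header) passes a vhost-restricted entry. */
        if (res->port != -1 && res->port != serverport)
            continue;
        if (res->bind_address && serverhost && strcmp(res->bind_address, serverhost) != 0)
            continue;
        if (res->vhost && vhost && strcmp(res->vhost, vhost) != 0)
            continue;

        if (res->destination) {
            /* Prefix aliases keep the remainder of the request path. */
            const char *tail = (res->flags & ALIAS_FLAG_PREFIXMATCH) ? uri + len : "";
            size_t n = strlen(res->destination) + strlen(tail) + 1;
            *out = malloc(n);
            if (*out)
                snprintf(*out, n, "%s%s", res->destination, tail);
        }
        return 1;
    }
    return 0;
}

/* Constructed alias table, in lookup order A -> B -> C -> D. */
static const alias_entry ALIAS_D = { "/p", "/q", -1, NULL, NULL, ALIAS_FLAG_PREFIXMATCH, NULL };
static const alias_entry ALIAS_C = { "/admin-alias", "/admin/stats", -1, NULL, "radio.example", 0, &ALIAS_D };
static const alias_entry ALIAS_B = { "/stream", "/live.ogg", 8000, NULL, NULL, 0, &ALIAS_C };
static const alias_entry ALIAS_A = { "/old/", "/new/", -1, NULL, NULL, ALIAS_FLAG_PREFIXMATCH, &ALIAS_B };

/* Check helper: 1 if the request is rewritten to exactly `expected`, or if
 * expected is NULL and no entry matched; 0 otherwise. */
int alias_rewrites_to(const char *uri, int port, const char *host,
                      const char *vhost, const char *expected)
{
    char *out = NULL;
    int matched = resolve_alias(&ALIAS_A, uri, port, host, vhost, &out);
    int ok = expected ? (matched && out && strcmp(out, expected) == 0)
                      : (!matched && !out);
    free(out);
    return ok;
}

int main(void)
{
    const char *reqs[] = { "/old/song.ogg", "/stream", "/admin-alias", "/pxyz", "/other" };
    size_t i;
    for (i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        char *out = NULL;
        int m = resolve_alias(&ALIAS_A, reqs[i], 8000, NULL, "radio.example", &out);
        printf("%-14s -> %s\n", reqs[i], m ? (out ? out : "(match, no rewrite)") : "(no alias)");
        free(out);
    }
    return 0;
}
```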
```c
static void _handle_admin_request(client_t *client, char *adminuri)
{
    ICECAST_LOG_DEBUG("Client %p requesting admin interface.", client);

    stats_event_inc(NULL, "client_connections");

    admin_handle_request(client, adminuri);
}
```
```c
/* Handle any client that passed the authing process.
 */
static void _handle_authed_client(client_t *client, void *uri, auth_result result)
{
    auth_stack_release(client->authstack);
    client->authstack = NULL;

    if (result != AUTH_OK) {
        client_send_error_by_id(client, ICECAST_ERROR_GEN_CLIENT_NEEDS_TO_AUTHENTICATE);
        free(uri);
        return;
    }

    if (acl_test_method(client->acl, client->parser->req_type) != ACL_POLICY_ALLOW) {
        ICECAST_LOG_ERROR("Client (role=%s, username=%s) not allowed to use this request method on %H", client->role, client->username, uri);
        client_send_error_by_id(client, ICECAST_ERROR_GEN_CLIENT_NEEDS_TO_AUTHENTICATE);
        free(uri);
        return;
    }

    /* Dispatch legacy admin.cgi requests */
    if (strcmp(uri, "/admin.cgi") == 0) {
        _handle_admin_request(client, uri + 1);
        free(uri);
        return;
    } /* Dispatch all admin requests */
    else if (strncmp(uri, "/admin/", 7) == 0) {
        _handle_admin_request(client, uri + 7);
        free(uri);
        return;
    }

    if (client->handler_module && client->handler_function) {
        const module_client_handler_t *handler = module_get_client_handler(client->handler_module, client->handler_function);
        if (handler) {
            handler->cb(client->handler_module, client, uri);
            free(uri);
            return;
        } else {
            ICECAST_LOG_ERROR("No such handler function in module: %s", client->handler_function);
        }
    }
```
    switch (client->parser->req_type) {
        case httpp_req_source:
        case httpp_req_put:
            _handle_source_request(client, uri);
            break;
        case httpp_req_stats:
            _handle_stats_request(client, uri);
            break;
        case httpp_req_get:
        case httpp_req_options:
            _handle_get_request(client, uri);
            break;
        default:
            ICECAST_LOG_ERROR("Wrong request type from client");
            client_send_error_by_id(client, ICECAST_ERROR_CON_UNKNOWN_REQUEST);
            break;
    }

    free(uri);
}

/* Handle clients that still need to authenticate.
 */
static void _handle_authentication_global(client_t *client, void *uri, auth_result result)
{
    ice_config_t *config;

    auth_stack_release(client->authstack);
    client->authstack = NULL;

    if (result != AUTH_NOMATCH &&
        !(result == AUTH_OK && client->admin_command != -1 && acl_test_admin(client->acl, client->admin_command) == ACL_POLICY_DENY)) {
        _handle_authed_client(client, uri, result);
        return;
    }

    ICECAST_LOG_DEBUG("Trying global authenticators for client %p.", client);
    config = config_get_config();
    auth_stack_add_client(config->authstack, client, _handle_authed_client, uri);
    config_release_config();
}
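The stacked <role> lookup the commit message describes, together with the fall-through in _handle_authentication_global above (an AUTH_OK that the ACL denies for the requested admin command is treated like AUTH_NOMATCH and the next stack is consulted), as an added model in C that is not Icecast code: req_t, role_t, authorize(), the result choices of the static module and the sample roles and credentials are all constructed here.

```c
/* Added model, not Icecast source: the stacked <role> evaluation from the
 * commit message. Enum names mirror auth.h; all structs and functions are
 * hypothetical. */
#include <stddef.h>
#include <string.h>

typedef enum { AUTH_OK, AUTH_FAILED, AUTH_NOMATCH } auth_result;

/* What a role module sees of the request (constructed, not client_t). */
typedef struct {
    const char *user, *pass;   /* NULL when no credentials were sent */
    const char *method;        /* "GET", "SOURCE", ... */
    const char *admin_command; /* NULL unless this is an admin request */
} req_t;

/* One <role>: its authenticator, <option>s and ACL attributes. */
typedef struct role {
    const char *name;
    auth_result (*authenticate)(const struct role *, const req_t *);
    const char *opt_user, *opt_pass; /* <option name="username"/"password"> */
    const char *allow_method;        /* allow-method: list or "*" */
    const char *allow_admin;         /* allow-admin: list or "*" */
} role_t;

/* Exact-token membership in a space separated list; "*" matches anything. */
static int in_list(const char *list, const char *item)
{
    size_t n = strlen(item);
    if (strcmp(list, "*") == 0)
        return 1;
    for (const char *p = list; *p;) {
        const char *end = strchr(p, ' ');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == n && strncmp(p, item, n) == 0)
            return 1;
        p = end ? end + 1 : p + len;
    }
    return 0;
}

/* type="anonymous": matches every request. */
static auth_result auth_anonymous(const role_t *r, const req_t *q)
{
    (void)r; (void)q; return AUTH_OK;
}

/* type="static": a missing or unknown user is AUTH_NOMATCH so the next role
 * gets a chance; the right user with a wrong password is AUTH_FAILED. */
static auth_result auth_static(const role_t *r, const req_t *q)
{
    if (!q->user || !q->pass || strcmp(q->user, r->opt_user) != 0)
        return AUTH_NOMATCH;
    return strcmp(q->pass, r->opt_pass) == 0 ? AUTH_OK : AUTH_FAILED;
}

/* Walk one stack: the first role that does not say AUTH_NOMATCH decides. */
static auth_result run_stack(const role_t *roles, size_t n, const req_t *q,
                             const role_t **matched)
{
    for (size_t i = 0; i < n; i++) {
        auth_result res = roles[i].authenticate(&roles[i], q);
        if (res != AUTH_NOMATCH) {
            *matched = &roles[i];
            return res;
        }
    }
    return AUTH_NOMATCH;
}

/* Stacks in the order the message gives (mount specific, default mount,
 * global), then the internal fallback. As in _handle_authentication_global,
 * an AUTH_OK whose ACL denies the requested admin command counts as no match
 * and the next stack is consulted. Returns 1 to proceed, 0 to reject. */
int authorize(const role_t *const stacks[], const size_t counts[],
              size_t nstacks, const req_t *q, const char **role_name)
{
    *role_name = "internal-fallback";
    for (size_t s = 0; s < nstacks; s++) {
        const role_t *r = NULL;
        auth_result res = run_stack(stacks[s], counts[s], q, &r);
        if (res == AUTH_NOMATCH)
            continue;
        if (res == AUTH_OK && q->admin_command &&
            !in_list(r->allow_admin, q->admin_command))
            continue;
        *role_name = r->name;
        /* A definite AUTH_FAILED ends here; later stacks are not a retry. */
        return res == AUTH_OK && in_list(r->allow_method, q->method);
    }
    /* Internal fallback: web access via GET, POST, HEAD and no admin commands. */
    return q->admin_command == NULL && in_list("GET POST HEAD", q->method);
}

/* Constructed configuration: a mount with one static source role, plus a
 * global static admin role and a global anonymous listener role. */
const role_t mount_roles[] = {
    { "source", auth_static, "source", "src-pw", "SOURCE PUT", "" },
};
const role_t global_roles[] = {
    { "admin", auth_static, "admin", "adm-pw", "GET POST", "*" },
    { "listener", auth_anonymous, NULL, NULL, "GET HEAD", "buildm3u" },
};
const role_t *const cfg_stacks[] = { mount_roles, global_roles };
const size_t cfg_counts[] = { 1, 2 };
```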

static inline mount_proxy * __find_non_admin_mount(ice_config_t *config, const char *name, mount_type type)
{
    if (strcmp(name, "/admin.cgi") == 0 || strncmp(name, "/admin/", 7) == 0)
        return NULL;

    return config_find_mount(config, name, type);
}

/* Look up the auth stack of the mount the request targets (or, for admin
 * commands that operate on a mount, the mount named in the ?mount= query
 * parameter) and queue the client on it. Without a stack of the requested
 * mount type the callback is invoked with AUTH_NOMATCH so the next level
 * of the chain runs. */
static void _handle_authentication_mount_generic(client_t *client, void *uri, mount_type type, void (*callback)(client_t*, void*, auth_result))
{
    ice_config_t *config;
    mount_proxy *mountproxy;
    auth_stack_t *stack = NULL;

    config = config_get_config();
    mountproxy = __find_non_admin_mount(config, uri, type);
    if (!mountproxy) {
        /* Admin commands acting on a mount name it in the query string. */
        int command_type = admin_get_command_type(client->admin_command);
        if (command_type == ADMINTYPE_MOUNT || command_type == ADMINTYPE_HYBRID) {
            const char *mount = httpp_get_query_param(client->parser, "mount");
            if (mount)
                mountproxy = __find_non_admin_mount(config, mount, type);
        }
    }
    if (mountproxy && mountproxy->mounttype == type)
        stack = mountproxy->authstack;
    /* Hold a reference so the stack outlives config_release_config(). */
    auth_stack_addref(stack);
    config_release_config();

    if (stack) {
        auth_stack_add_client(stack, client, callback, uri);
        auth_stack_release(stack);
    } else {
        callback(client, uri, AUTH_NOMATCH);
    }
}

/* Callback run after the <mount type="normal"> stack has answered. */
static void _handle_authentication_mount_default(client_t *client, void *uri, auth_result result)
{
    /* The client is done with the stack the previous level handed it. */
    auth_stack_release(client->authstack);
    client->authstack = NULL;

    /* The previous level decided the request unless it returned AUTH_NOMATCH,
     * or returned AUTH_OK for an admin command that the matched role's ACL
     * denies; in both cases fall through to the next level of the chain. */
    if (result != AUTH_NOMATCH &&
        !(result == AUTH_OK && client->admin_command != -1 && acl_test_admin(client->acl, client->admin_command) == ACL_POLICY_DENY)) {
        _handle_authed_client(client, uri, result);
        return;
    }

    ICECAST_LOG_DEBUG("Trying <mount type=\"default\"> specific authenticators for client %p.", client);
    _handle_authentication_mount_generic(client, uri, MOUNT_TYPE_DEFAULT, _handle_authentication_global);
}

/* First level of the chain: the <mount type="normal"> specific stack. */
static void _handle_authentication_mount_normal(client_t *client, char *uri)
{
    ICECAST_LOG_DEBUG("Trying <mount type=\"normal\"> specific authenticators for client %p.", client);
    _handle_authentication_mount_generic(client, uri, MOUNT_TYPE_NORMAL, _handle_authentication_mount_default);
}

2015-01-25 13:57:27 -05:00
|
|
|
static void _handle_authentication(client_t *client, char *uri)
|
|
|
|
{
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 18:46:08 -05:00
|
|
|
_handle_authentication_mount_normal(client, uri);
|
|
|
|
}
|
|
|
|
|
2015-01-25 13:57:27 -05:00
|
|
|
static void __prepare_shoutcast_admin_cgi_request(client_t *client)
|
|
|
|
{
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 18:46:08 -05:00
|
|
|
ice_config_t *config;
|
|
|
|
const char *sc_mount;
|
|
|
|
const char *pass = httpp_get_query_param(client->parser, "pass");
|
|
|
|
listener_t *listener;
|
|
|
|
|
|
|
|
if (pass == NULL) {
|
|
|
|
ICECAST_LOG_ERROR("missing pass parameter");
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (client->password) {
|
|
|
|
ICECAST_LOG_INFO("Client already has password set");
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
global_lock();
|
|
|
|
config = config_get_config();
|
|
|
|
sc_mount = config->shoutcast_mount;
|
|
|
|
listener = config_get_listen_sock(config, client->con);
|
|
|
|
|
|
|
|
if (listener && listener->shoutcast_mount)
|
|
|
|
sc_mount = listener->shoutcast_mount;
|
|
|
|
|
|
|
|
httpp_set_query_param(client->parser, "mount", sc_mount);
|
|
|
|
httpp_setvar(client->parser, HTTPP_VAR_PROTOCOL, "ICY");
|
|
|
|
client->password = strdup(pass);
|
|
|
|
config_release_config();
|
|
|
|
global_unlock();
|
|
|
|
}
|
2005-08-11 19:29:58 -04:00
|
|
|
|
|
|
|
/* Connection thread. Here we take clients off the connection queue and check
|
|
|
|
* the contents provided. We set up the parser then hand off to the specific
|
|
|
|
* request handler.
|
|
|
|
*/
|
2008-07-21 22:24:30 -04:00
|
|
|
static void _handle_connection(void)
|
2002-08-12 10:48:31 -04:00
|
|
|
{
|
2003-03-14 21:10:19 -05:00
|
|
|
http_parser_t *parser;
|
2007-08-16 18:49:13 -04:00
|
|
|
const char *rawuri;
|
2008-07-21 22:24:30 -04:00
|
|
|
client_queue_t *node;
|
2001-09-09 22:21:46 -04:00
|
|
|
|
2015-01-25 13:57:27 -05:00
|
|
|
while (1) {
|
2008-07-21 22:24:30 -04:00
|
|
|
node = _get_connection();
|
2015-01-25 13:57:27 -05:00
|
|
|
if (node) {
|
2005-08-11 19:29:58 -04:00
|
|
|
client_t *client = node->client;
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 18:46:08 -05:00
|
|
|
int already_parsed = 0;
|
2001-09-09 22:21:46 -04:00
|
|
|
|
2004-11-11 10:47:33 -05:00
|
|
|
/* Check for special shoutcast compatability processing */
|
2015-01-25 13:57:27 -05:00
|
|
|
if (node->shoutcast) {
|
2005-08-11 19:29:58 -04:00
|
|
|
_handle_shoutcast_compatible (node);
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 18:46:08 -05:00
|
|
|
if (node->shoutcast)
|
|
|
|
continue;
|
2003-03-14 21:10:19 -05:00
|
|
|
}
|
2001-09-09 22:21:46 -04:00
|
|
|
|
2005-08-11 19:29:58 -04:00
|
|
|
/* process normal HTTP headers */
|
Wow. Mega patch!
This patch *replaces* the authentication system completly.
What is new:
- <authentication> in mount section is now a container object.
- <authentication> in root and mount section may hold any number of <role>-Tags.
- <role> tags:
Those tags define a 'role' and it's ACL rules.
A role is a instance of an authentication module (see below).
<role> takes the following options. All but type are optional.
- authentication related:
- type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
symbolic constants in auth.h)
- name: Name for the role. For later matching. (values: any string; default: (none))
- method: This rule is only active on the given list of HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- ACL related:
- allow-method: Allowed HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
- deny-method: Rejected HTTP methods.
(list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
- allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
- deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
- allow-web: Allowed web pages. (values: empty or *; default: *)
- deny-web: Rejected web pages. (values: empty or *; default: (empty))
- connections-per-user: maximum number of simultaneous connections per role and username.
This is only active on active sources. (values: unlimited or number of connections; default: unlimited)
- connection-duration: maximum time of a connection. This is only active on active sources.
(values: unlimited or number of secounds; default: unlimited)
<role> takes <option> child tags. <option> tags contain a name and a value option.
Meaning of <option> tags is up to the authentication module.
- <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
- <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
and rejects all other requests.
- New authentication module: anonymous
This module matches all requests. No options taken.
- New authentication module: static
This module matches with a static username and password.
It takes two <option>s. One with name="username" and one with name="password" to set username and password.
This replaces old style <*-username> and <*-password> tags.
- New authentication module: legacy-password
This module matches with a statich password.
It takes one <option> with name="password" to set password.
This replaces old ICE and ICY (shoutcast compat mode) authentication.
- Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
- Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
<authentication> for 100% backward compatibility.
- <alias> is now proccessed very early. This enables them to be used for all kinds of requests.
To Do List & What does not yet work:
- type="url" auth: mount_add and mount_remove.
This should be replaced by an unique feature I would call '<event>'.
- Admin commands manageauth and manageauth.xsl are disabled as they need more review:
This code needs to be ported to support multiple <role>s per <mount>.
- url authentication module can not yet return AUTH_NOMATCH.
This needs to be reviewed and discussed on how to handle this case best way.
- Default config files needs to be updated to reflect the changes.
As this is quite some political act it should be done in dicussion with the whole team
and permission of the release manager.
- Docs need to be updated to reflect the changes.
How does it work:
Code has been changed so that authentification is done early for all clients.
This allows accessing the ACL data (client->acl) from nearly everywhere in the code.
After accept() and initial client setup the request is parsed. In the next step
all <alias>es are resolved. After this the client is passed for authentication.
After authentication it is passed to the corresponding subsystem depending on kind of request.
All authentication instances have a thread running for doing the authentication.
This thread works on a queue of clients.
Hints for testers:
- Test with default config.
- Test with diffrent authentication modules in <mount>.
- Test shoutcast compatibility mode.
- Test with new style <authentication> and any amount of <role> (zero to quite some).
- Test <alias> lookup on all kinds of objects.
- Test source level credential login into the admin interface.
- Test shoucast style meta data updates.
- Test playlist generation.
Thank you for reading this long commit message. Have fun reading the full patch!
svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 18:46:08 -05:00
|
|
|
if (client->parser) {
|
|
|
|
already_parsed = 1;
|
|
|
|
parser = client->parser;
|
|
|
|
} else {
|
|
|
|
parser = httpp_create_parser();
|
|
|
|
httpp_initialize(parser, NULL);
|
|
|
|
client->parser = parser;
|
|
|
|
}
|
2015-01-25 13:57:27 -05:00
|
|
|
if (already_parsed || httpp_parse (parser, client->refbuf->data, node->offset)) {
|
2007-08-16 18:49:13 -04:00
|
|
|
char *uri;
|
2015-02-01 19:38:14 -05:00
|
|
|
const char *upgrade, *connection;
|
2007-08-16 18:49:13 -04:00
|
|
|
|
2005-08-11 19:29:58 -04:00
|
|
|
/* we may have more than just headers, so prepare for it */
|
2015-01-25 13:57:27 -05:00
|
|
|
if (node->stream_offset == node->offset) {
|
2005-08-11 19:29:58 -04:00
|
|
|
client->refbuf->len = 0;
|
2015-01-25 13:57:27 -05:00
|
|
|
} else {
|
2005-08-11 19:29:58 -04:00
|
|
|
char *ptr = client->refbuf->data;
|
|
|
|
client->refbuf->len = node->offset - node->stream_offset;
|
|
|
|
memmove (ptr, ptr + node->stream_offset, client->refbuf->len);
|
|
|
|
}
|
2007-10-24 22:25:49 -04:00
|
|
|
|
|
|
|
rawuri = httpp_getvar(parser, HTTPP_VAR_URI);
|
|
|
|
|
|
|
|
/* assign a port-based shoutcast mountpoint if required */
|
|
|
|
if (node->shoutcast_mount && strcmp (rawuri, "/admin.cgi") == 0)
|
|
|
|
httpp_set_query_param (client->parser, "mount", node->shoutcast_mount);
|
|
|
|
|
|
|
|
free (node->shoutcast_mount);
|
2005-08-11 19:29:58 -04:00
|
|
|
free (node);
|
2008-07-21 22:24:30 -04:00
|
|
|
|
2003-03-14 21:10:19 -05:00
|
|
|
if (strcmp("ICE", httpp_getvar(parser, HTTPP_VAR_PROTOCOL)) &&
|
2002-08-12 10:48:31 -04:00
|
|
|
strcmp("HTTP", httpp_getvar(parser, HTTPP_VAR_PROTOCOL))) {
|
2014-10-31 04:46:58 -04:00
|
|
|
ICECAST_LOG_ERROR("Bad HTTP protocol detected");
|
2005-08-11 19:29:58 -04:00
|
|
|
client_destroy (client);
|
2003-03-14 21:10:19 -05:00
|
|
|
continue;
|
|
|
|
}
|
2001-09-09 22:21:46 -04:00
|
|
|
|
2015-02-01 19:34:45 -05:00
|
|
|
upgrade = httpp_getvar(parser, "upgrade");
|
2015-02-01 19:38:14 -05:00
|
|
|
connection = httpp_getvar(parser, "connection");
|
2016-11-06 11:02:11 -05:00
|
|
|
if (upgrade && connection && strcasecmp(connection, "upgrade") == 0) {
|
|
|
|
if (client->con->tlsmode == ICECAST_TLSMODE_DISABLED || strstr(upgrade, "TLS/1.0") == NULL) {
|
2018-04-28 09:49:36 -04:00
|
|
|
client_send_error_by_id(client, ICECAST_ERROR_CON_UPGRADE_ERROR);
|
2016-11-06 11:02:11 -05:00
|
|
|
continue;
|
|
|
|
} else {
|
|
|
|
client_send_101(client, ICECAST_REUSE_UPGRADETLS);
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
} else if (client->con->tlsmode != ICECAST_TLSMODE_DISABLED && client->con->tlsmode != ICECAST_TLSMODE_AUTO && !client->con->tls) {
|
|
|
|
client_send_426(client, ICECAST_REUSE_UPGRADETLS);
|
2015-02-01 19:34:45 -05:00
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2018-06-15 14:53:43 -04:00
|
|
|
if (strcmp(rawuri, "*") == 0) {
|
|
|
|
client_send_204(client);
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2002-08-11 10:23:39 -04:00
|
|
|
uri = util_normalise_uri(rawuri);
|
|
|
|
|
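The TLS-upgrade branch of `_handle_connection` above, isolated as an added example (not Icecast's own code) so its four outcomes can be exercised on constructed header values. The `*_x` enums and `decide_upgrade_x` are hypothetical stand-ins for Icecast's `client->con->tlsmode` constants and the `client_send_101` / `client_send_426` / error responses; the Connection header match is the same exact, case-insensitive comparison the listing uses.

```c
/* Added example, not Icecast code: the TLS-upgrade decision from
 * _handle_connection() as a pure function with constructed inputs.
 * All *_x names are hypothetical stand-ins for Icecast's tlsmode
 * constants and client_send_101 / client_send_426 / error responses. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* The three states of client->con->tlsmode the listing distinguishes. */
enum tlsmode_x { TLSMODE_DISABLED_X, TLSMODE_AUTO_X, TLSMODE_REQUIRED_X };

/* Outcome of the upgrade check for one request. */
enum upgrade_decision_x {
    DECISION_PROCEED_X,        /* no upgrade asked for; continue with the request */
    DECISION_UPGRADE_ERROR_X,  /* upgrade asked for but TLS disabled or not TLS/1.0 */
    DECISION_SEND_101_X,       /* switch protocols to TLS (client_send_101) */
    DECISION_SEND_426_X        /* TLS required on a plain connection (client_send_426) */
};

/* Same control flow as the listing: "Connection: upgrade" is matched by an
 * exact, case-insensitive comparison of the whole header value, and the
 * requested protocol is found with strstr() for "TLS/1.0".  Either header
 * may be NULL, as httpp_getvar() returns NULL for an absent header. */
enum upgrade_decision_x decide_upgrade_x(const char *upgrade,
                                         const char *connection,
                                         enum tlsmode_x tlsmode,
                                         int already_tls)
{
    if (upgrade && connection && strcasecmp(connection, "upgrade") == 0) {
        if (tlsmode == TLSMODE_DISABLED_X || strstr(upgrade, "TLS/1.0") == NULL)
            return DECISION_UPGRADE_ERROR_X;
        return DECISION_SEND_101_X;
    }
    if (tlsmode != TLSMODE_DISABLED_X && tlsmode != TLSMODE_AUTO_X && !already_tls)
        return DECISION_SEND_426_X;
    return DECISION_PROCEED_X;
}

/* Human-readable label for an outcome. */
const char *decision_name_x(enum upgrade_decision_x d)
{
    switch (d) {
    case DECISION_PROCEED_X:       return "proceed";
    case DECISION_UPGRADE_ERROR_X: return "upgrade error";
    case DECISION_SEND_101_X:      return "101 Switching Protocols";
    case DECISION_SEND_426_X:      return "426 Upgrade Required";
    }
    return "?";
}

int main(void)
{
    /* Constructed header values and listener modes, not captured traffic. */
    struct {
        const char *upgrade, *connection;
        enum tlsmode_x mode;
        int tls;
    } cases[] = {
        { "TLS/1.0, HTTP/1.1", "Upgrade",             TLSMODE_AUTO_X,     0 },
        { "TLS/1.0, HTTP/1.1", "Upgrade",             TLSMODE_DISABLED_X, 0 },
        { "h2c",               "Upgrade",             TLSMODE_AUTO_X,     0 },
        { NULL,                NULL,                  TLSMODE_REQUIRED_X, 0 },
        { NULL,                NULL,                  TLSMODE_REQUIRED_X, 1 },
        { "TLS/1.0",           "keep-alive, Upgrade", TLSMODE_AUTO_X,     0 },
    };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        enum upgrade_decision_x d = decide_upgrade_x(cases[i].upgrade,
                                                     cases[i].connection,
                                                     cases[i].mode,
                                                     cases[i].tls);
        printf("Upgrade=%-20s Connection=%-20s mode=%d tls=%d -> %s\n",
               cases[i].upgrade ? cases[i].upgrade : "(none)",
               cases[i].connection ? cases[i].connection : "(none)",
               cases[i].mode, cases[i].tls, decision_name_x(d));
    }
    return 0;
}
```

Because the listing compares the whole Connection value, a list such as `keep-alive, Upgrade` does not enter the upgrade branch; in the example that request falls through to the plain-connection policy instead.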
                if (!uri) {
                    client_destroy (client);
                    continue;
                }

                client->mode = config_str_to_omode(httpp_get_query_param(client->parser, "omode"));

                if (_handle_resources(client, &uri) != 0) {
                    client_destroy (client);
                    continue;
                }

                if (strcmp(uri, "/admin.cgi") == 0) {
                    client->admin_command = admin_get_command(uri + 1);
                    __prepare_shoutcast_admin_cgi_request(client);
                    if (!client->password) {
                        client_send_error_by_id(client, ICECAST_ERROR_CON_MISSING_PASS_PARAMETER);
                        continue;
                    }
                } else if (strncmp("/admin/", uri, 7) == 0) {
                    client->admin_command = admin_get_command(uri + 7);
                }

                _handle_authentication(client, uri);
            } else {
                free (node);
                ICECAST_LOG_ERROR("HTTP request parsing failed");
                client_destroy (client);
            }
            continue;
        }
        break;
    }
}


/* called when listening thread is not checking for incoming connections */
int connection_setup_sockets (ice_config_t *config)
{
    int count = 0;
    listener_t *listener, **prev;

    global_lock();
    if (global.serversock) {
        for (; count < global.server_sockets; count++)
            sock_close (global.serversock [count]);
        free (global.serversock);
        global.serversock = NULL;
    }
    if (config == NULL) {
        global_unlock();
        return 0;
    }

    /* setup the banned/allowed IP filenames from the xml */
    if (config->banfile) {
        matchfile_release(banned_ip);
        banned_ip = matchfile_new(config->banfile);
        if (!banned_ip)
            ICECAST_LOG_ERROR("Can not create ban object, bad!");
    }

    if (config->allowfile) {
        matchfile_release(allowed_ip);
        allowed_ip = matchfile_new(config->allowfile);
    }

    count = 0;
    global.serversock = calloc(config->listen_sock_count, sizeof(sock_t));

    listener = config->listen_sock;
    prev = &config->listen_sock;
    while (listener) {
        int successful = 0;

        /* single-pass loop: any break below skips straight to the failure handling */
        do {
            sock_t sock = sock_get_server_socket (listener->port, listener->bind_address);
            if (sock == SOCK_ERROR)
                break;
            if (sock_listen (sock, ICECAST_LISTEN_QUEUE) == SOCK_ERROR) {
                sock_close (sock);
                break;
            }
            /* some win32 setups do not do TCP win scaling well, so allow an override */
            if (listener->so_sndbuf)
                sock_set_send_buffer (sock, listener->so_sndbuf);
            sock_set_blocking (sock, 0);
            successful = 1;
            global.serversock [count] = sock;
            count++;
        } while(0);
        if (successful == 0) {
            if (listener->bind_address) {
                ICECAST_LOG_ERROR("Could not create listener socket on port %d bind %s",
                        listener->port, listener->bind_address);
            } else {
                ICECAST_LOG_ERROR("Could not create listener socket on port %d", listener->port);
            }
            /* remove failed connection: unlink this listener and keep going with the next one */
            *prev = config_clear_listener (listener);
            listener = *prev;
            continue;
        }
        if (listener->bind_address) {
            ICECAST_LOG_INFO("listener socket on port %d address %s", listener->port, listener->bind_address);
        } else {
            ICECAST_LOG_INFO("listener socket on port %d", listener->port);
        }
        prev = &listener->next;
        listener = listener->next;
    }
    global.server_sockets = count;
    global_unlock();

    if (count == 0)
        ICECAST_LOG_ERROR("No listening sockets established");

    return count;
}


void connection_close(connection_t *con)
{
    if (!con)
        return;

    tls_unref(con->tls);
    if (con->sock != -1) /* TODO: do not use magic */
        sock_close(con->sock);
    if (con->ip)
        free(con->ip);
    free(con);
}