1
0
mirror of https://gitlab.xiph.org/xiph/icecast-server.git synced 2024-11-03 04:17:17 -05:00
Commit Graph

42 Commits

Author SHA1 Message Date
Philipp Schafft
001ac59127 Feature: Added auth backend "enforce_auth".
Closes: #2348
2019-01-16 14:11:03 +00:00
Philipp Schafft
5f4b002485 Feature: Support filtering on CORS "Origin". 2018-11-12 21:51:23 +00:00
Philipp Schafft
2c72d9a37c Feature: Support per-<role> HTTP headers 2018-11-12 21:51:23 +00:00
Philipp Schafft
7b608e27be Feature: Added function to convert strings into auth results 2018-09-19 13:32:58 +00:00
Philipp Schafft
b3497e6ec8 Feature: Added way for the auth backend to store per-request data 2018-09-19 13:32:58 +00:00
Philipp Schafft
cb32973572 Feature: Added permission system for auth backends altering clients 2018-09-19 13:32:58 +00:00
Philipp Schafft
0392b4a32f Feature: Added lookup function for auth_alter_t 2018-09-19 13:32:58 +00:00
Philipp Schafft
4d7a60d588 Feature: Added basic support for auth backends to manipulate the client 2018-09-19 13:32:58 +00:00
Philipp Schafft
6c491b3814 Cleanup: Code reformating 2018-09-14 19:25:40 +00:00
Philipp Schafft
1f8d19cb40 Cleanup: Use (auth_stack_t) not (struct auth_stack_tag) 2018-09-13 11:09:16 +00:00
Philipp Schafft
8bd43eb3d4 Feature: Added new <role> properties: match-method, and nomatch-method. This is more inline with the other properties 2018-09-13 10:37:33 +00:00
Philipp Schafft
d317b6fbdc Feature: Added new <role> properties: match-web, nomatch-web, match-admin, and nomatch-admin 2018-09-13 10:14:31 +00:00
Philipp Schafft
5c3e7760c5 Cleanup: Corrected headers used in headers 2018-06-17 12:28:38 +00:00
Philipp Schafft
34b10657da Cleanup: Make use of "icecasttypes.h" 2018-06-17 10:33:10 +00:00
Philipp Schafft
6ffc893b6a Update: Move most common types into "icecasttypes.h" 2018-06-17 10:12:15 +00:00
Philipp Schafft
442960ac4a Feature: Added admin format ADMIN_FORMAT_AUTO 2018-06-09 10:43:57 +00:00
Philipp Schafft
651ece018c Update: Corrected Copyright statements 2018-05-28 14:19:55 +00:00
Marvin Scholz
0dfc7c5b6a Cleanup codestyle
This commit cleanups codestyle a bit, yet there is still some work to be done
2015-01-25 19:57:27 +01:00
Philipp Schafft
f39b7d8880 Cleanup: Removed trivial header files for auth backends
All Auth backends had just one prototype in auth_*.h. Those
got merged into auth.h to avoid to have many small files around.
2015-01-06 11:29:07 +00:00
Philipp Schafft
55d429a6c8 Fix: Corrected display of "login" on status page
This corrects the creation of <authenticator> in the status output
and this way fixes the display of login link on status page.
Closes #1939
2014-12-20 09:39:26 +00:00
Philipp Schafft
3d6ea2efdb Merged support for thread-less <role>s 2014-12-19 17:30:37 +00:00
Philipp Schafft
25f6c53929 Feature: immediate mode for <role>s
This allows a <role> represented by a auth_t to run in "immediate"
mode. In this mode no thread is created for this <role>. This is a
major speedup.

Closes #2124
2014-12-19 17:27:54 +00:00
Philipp Schafft
0eb466b76d Feature: Allow mangement of <role>s via admin/ interface.
This allows to manage <role>s via admin interface if the role supports.
Also format of admin/manageauth has been changed:
- <source> was renamed to <role>.
- mount parameter was removed.
- <role> got new parameters: type, name,
  can-adduser, can-deleteuser, can-listuser.
- can-* parameters are bools ("true" or "false"). They should be used
  to show or hide elements on the admin interface.

Ticket #2123 is nearly complet with this, just admin/manageauth.xsl
needs up be updated. Please close the bug in the commit that updates
admin/manageauth.xsl.
See #2123
2014-12-19 16:14:35 +00:00
Philipp Schafft
1c550b0c8e Feature: Added support for management-url="" in <role>
This adds setting a URL for manegement of roles to the framework.
If no URl is given in the config file this defaults to internal
(/admin/manageauth.xsl) interface if supported by the backend.
See #2123
2014-12-19 11:16:13 +00:00
Philipp Schafft
40bb04b644 Feature: Added a unique ID to each auth_t.
This added a unique ID to each auth_t instance so it can be refered
to e.g. by the web interface for mangement functionallity. Mostly
stolen from connection.[ch].
See #2123
2014-12-19 10:50:52 +00:00
Marvin Scholz
1bf41cfdb6 Epic Git migration commit
Added .gitignore and submodules
Changed paths to match new location of things
2014-12-02 22:50:57 +01:00
Philipp Schafft
a642cac542 Wow. Mega patch!
This patch *replaces* the authentication system completly.

What is new:
 - <authentication> in mount section is now a container object.
 - <authentication> in root and mount section may hold any number of <role>-Tags.
 - <role> tags:
   Those tags define a 'role' and it's ACL rules.
   A role is a instance of an authentication module (see below).
   <role> takes the following options. All but type are optional.
   - authentication related:
     - type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
             symbolic constants in auth.h)
     - name: Name for the role. For later matching. (values: any string; default: (none))
     - method: This rule is only active on the given list of HTTP methods.
               (list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
   - ACL related:
     - allow-method: Allowed HTTP methods.
       (list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
     - deny-method: Rejected HTTP methods.
       (list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
     - allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
     - deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
     - allow-web: Allowed web pages. (values: empty or *; default: *)
     - deny-web: Rejected web pages. (values: empty or *; default: (empty))
     - connections-per-user: maximum number of simultaneous connections per role and username.
       This is only active on active sources.  (values: unlimited or number of connections; default: unlimited)
     - connection-duration: maximum time of a connection. This is only active on active sources.
       (values: unlimited or number of secounds; default: unlimited)
   <role> takes <option> child tags. <option> tags contain a name and a value option.
   Meaning of <option> tags is up to the authentication module.
 - <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
 - <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
   Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
   and rejects all other requests.
 - New authentication module: anonymous
   This module matches all requests. No options taken.
 - New authentication module: static
   This module matches with a static username and password.
   It takes two <option>s. One with name="username" and one with name="password" to set username and password.
   This replaces old style <*-username> and <*-password> tags.
 - New authentication module: legacy-password
   This module matches with a statich password.
   It takes one <option> with name="password" to set password.
   This replaces old ICE and ICY (shoutcast compat mode) authentication.
 - Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
 - Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
   <authentication> for 100% backward compatibility.
 - <alias> is now proccessed very early. This enables them to be used for all kinds of requests.

To Do List & What does not yet work:
 - type="url" auth: mount_add and mount_remove.
   This should be replaced by an unique feature I would call '<event>'.
 - Admin commands manageauth and manageauth.xsl are disabled as they need more review:
   This code needs to be ported to support multiple <role>s per <mount>.
 - url authentication module can not yet return AUTH_NOMATCH.
   This needs to be reviewed and discussed on how to handle this case best way.
 - Default config files needs to be updated to reflect the changes.
   As this is quite some political act it should be done in dicussion with the whole team
   and permission of the release manager.
 - Docs need to be updated to reflect the changes.

How does it work:
 Code has been changed so that authentification is done early for all clients.
 This allows accessing the ACL data (client->acl) from nearly everywhere in the code.

 After accept() and initial client setup the request is parsed. In the next step
 all <alias>es are resolved. After this the client is passed for authentication.
 After authentication it is passed to the corresponding subsystem depending on kind of request.

 All authentication instances have a thread running for doing the authentication.
 This thread works on a queue of clients.

Hints for testers:
 - Test with default config.
 - Test with diffrent authentication modules in <mount>.
 - Test shoutcast compatibility mode.
 - Test with new style <authentication> and any amount of <role> (zero to quite some).
 - Test <alias> lookup on all kinds of objects.
 - Test source level credential login into the admin interface.
 - Test shoucast style meta data updates.
 - Test playlist generation.

Thank you for reading this long commit message. Have fun reading the full patch!

svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
Philipp Schafft
bdc392beb1 some smaller stuff needed to get new authing stuff done
svn path=/icecast/trunk/icecast/; revision=19346
2014-11-22 03:49:36 +00:00
Karl Heyes
e6dfee632c Allow source client authentication via auth handler. Here the URL handler can
issue requests (using ithe stream_auth option) to allow external engines to
determine whether a client can stream or not. Admin requests using source auth
are able to use this mechanism however source clients using the icy protocol
cannot yet.


svn path=/icecast/trunk/icecast/; revision=15621
2009-01-14 01:18:22 +00:00
Karl Heyes
66b68170cc auth sync up. Fix longstanding race bug and make stream start/stop triggers work again.
svn path=/icecast/trunk/icecast/; revision=14114
2007-11-08 19:52:51 +00:00
Karl Heyes
176b9f7eca Auth update. Have each auth_t has its own queue of requests and thread to process
them. Each listener connection for each request is checked as connected before
performing the request (so that time isn't wasted on slow authentication). Various
name/comment cleanups as well.

svn path=/icecast/trunk/icecast/; revision=13583
2007-08-21 22:30:30 +00:00
Karl Heyes
0dc2655838 slave handler update. add timestamps to relays, allows slave thread to
process them better. This simplifies various checks and sits better with
relay startup and relay cleanup in certain error cases.

svn path=/icecast/trunk/icecast/; revision=11008
2006-03-15 03:02:08 +00:00
Michael Smith
37a6bb18d6 Patch from gtgbr@gmx.net to fix (void) function prototypes, with some minor
changes.


svn path=/icecast/trunk/icecast/; revision=10615
2005-12-17 12:23:09 +00:00
Karl Heyes
32691f498a immediately release auth_t if authentication fails, that way we don't
trigger release_client like listener_remove event in the url auth.
Add lock in auth_t so that refcount changes are not a race possibility.

svn path=/icecast/trunk/icecast/; revision=9926
2005-09-01 16:11:07 +00:00
Karl Heyes
a528108e10 merge in client timelimit, only auth_url sets this currently. Add missing
prototypes for compile warning

svn path=/icecast/trunk/icecast/; revision=9736
2005-08-12 02:40:25 +00:00
Karl Heyes
15b3a5f853 Initial auth merge. Add an auth thread (multiple threads can be done later)
which can be used to handle authentication mechanisms without taking locks
for long periods.  Non-authenticated mountpoints bypass the auth thread.

The lookup/checking of the source_t is done after the authentication succeeds
so the fallback mechanism does not affect which authenticator is used. This
can be extended to allow us to authenticate in webroot as well. XML re-read
changes will take effect immediately for new listeners but existing listeners
will use the original auth_t (refcounted) when they exit.

htpasswd access has been seperated out from auth.c, and implements an AVL
tree for a faster username lookup.  The htpasswd file timestamp is checked
just in case there are changes made externally

svn path=/icecast/trunk/icecast/; revision=9713
2005-08-07 23:01:04 +00:00
Karl Heyes
33cf86f527 merge extra checks. minor cleanup work
svn path=/icecast/trunk/icecast/; revision=9711
2005-08-07 14:50:59 +00:00
Karl Heyes
c7432d6602 minor cleanups
svn path=/icecast/trunk/icecast/; revision=8236
2004-11-20 02:16:59 +00:00
oddsock
56cd1de3c5 added ability to disallow concurrent connections from the same username if using htpasswd listener authentication.
svn path=/icecast/trunk/icecast/; revision=6711
2004-05-17 04:33:46 +00:00
oddsock
d642846c80 added web based interface to htpasswd client authentication
svn path=/icecast/trunk/icecast/; revision=6610
2004-04-30 14:36:07 +00:00
Michael Smith
0aad6d849c Add Copyright notice to each source file, as requested by debian.
svn path=/trunk/httpp/; revision=5792
2004-01-29 01:02:12 +00:00
Michael Smith
57dd5f71a5 Client authentication added.
Melanie's multilevel fallbacks added (after major changes).

svn path=/trunk/icecast/; revision=5760
2004-01-15 01:01:09 +00:00