1
0
mirror of https://gitlab.xiph.org/xiph/icecast-server.git synced 2024-11-03 04:17:17 -05:00
Commit Graph

25 Commits

Author SHA1 Message Date
Philipp Schafft
93194594f7 better coding style, patch by ePirat. refs #2059
svn path=/icecast/trunk/icecast/; revision=19376
2014-11-30 20:32:30 +00:00
Philipp Schafft
a642cac542 Wow. Mega patch!
This patch *replaces* the authentication system completly.

What is new:
 - <authentication> in mount section is now a container object.
 - <authentication> in root and mount section may hold any number of <role>-Tags.
 - <role> tags:
   Those tags define a 'role' and it's ACL rules.
   A role is a instance of an authentication module (see below).
   <role> takes the following options. All but type are optional.
   - authentication related:
     - type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
             symbolic constants in auth.h)
     - name: Name for the role. For later matching. (values: any string; default: (none))
     - method: This rule is only active on the given list of HTTP methods.
               (list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
   - ACL related:
     - allow-method: Allowed HTTP methods.
       (list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
     - deny-method: Rejected HTTP methods.
       (list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
     - allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
     - deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
     - allow-web: Allowed web pages. (values: empty or *; default: *)
     - deny-web: Rejected web pages. (values: empty or *; default: (empty))
     - connections-per-user: maximum number of simultaneous connections per role and username.
       This is only active on active sources.  (values: unlimited or number of connections; default: unlimited)
     - connection-duration: maximum time of a connection. This is only active on active sources.
       (values: unlimited or number of secounds; default: unlimited)
   <role> takes <option> child tags. <option> tags contain a name and a value option.
   Meaning of <option> tags is up to the authentication module.
 - <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
 - <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
   Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
   and rejects all other requests.
 - New authentication module: anonymous
   This module matches all requests. No options taken.
 - New authentication module: static
   This module matches with a static username and password.
   It takes two <option>s. One with name="username" and one with name="password" to set username and password.
   This replaces old style <*-username> and <*-password> tags.
 - New authentication module: legacy-password
   This module matches with a statich password.
   It takes one <option> with name="password" to set password.
   This replaces old ICE and ICY (shoutcast compat mode) authentication.
 - Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
 - Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
   <authentication> for 100% backward compatibility.
 - <alias> is now proccessed very early. This enables them to be used for all kinds of requests.

To Do List & What does not yet work:
 - type="url" auth: mount_add and mount_remove.
   This should be replaced by an unique feature I would call '<event>'.
 - Admin commands manageauth and manageauth.xsl are disabled as they need more review:
   This code needs to be ported to support multiple <role>s per <mount>.
 - url authentication module can not yet return AUTH_NOMATCH.
   This needs to be reviewed and discussed on how to handle this case best way.
 - Default config files needs to be updated to reflect the changes.
   As this is quite some political act it should be done in dicussion with the whole team
   and permission of the release manager.
 - Docs need to be updated to reflect the changes.

How does it work:
 Code has been changed so that authentification is done early for all clients.
 This allows accessing the ACL data (client->acl) from nearly everywhere in the code.

 After accept() and initial client setup the request is parsed. In the next step
 all <alias>es are resolved. After this the client is passed for authentication.
 After authentication it is passed to the corresponding subsystem depending on kind of request.

 All authentication instances have a thread running for doing the authentication.
 This thread works on a queue of clients.

Hints for testers:
 - Test with default config.
 - Test with diffrent authentication modules in <mount>.
 - Test shoutcast compatibility mode.
 - Test with new style <authentication> and any amount of <role> (zero to quite some).
 - Test <alias> lookup on all kinds of objects.
 - Test source level credential login into the admin interface.
 - Test shoucast style meta data updates.
 - Test playlist generation.

Thank you for reading this long commit message. Have fun reading the full patch!

svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
Karl Heyes
e6dfee632c Allow source client authentication via auth handler. Here the URL handler can
issue requests (using ithe stream_auth option) to allow external engines to
determine whether a client can stream or not. Admin requests using source auth
are able to use this mechanism however source clients using the icy protocol
cannot yet.


svn path=/icecast/trunk/icecast/; revision=15621
2009-01-14 01:18:22 +00:00
Karl Heyes
af1c8da6b6 more sock_t cleanups, win32 should have less warnings now
svn path=/icecast/trunk/icecast/; revision=14043
2007-10-24 22:42:49 +00:00
Karl Heyes
ba438dd7b5 Don't impose a limit on the number of listening sockets allowed in the xml
svn path=/icecast/trunk/icecast/; revision=13995
2007-10-16 01:53:06 +00:00
Karl Heyes
7e5604b993 merge work. allow sockets to be marked as ssl capable. This is mainly for /admin
requests but can be used for sources and listeners

svn path=/icecast/trunk/icecast/; revision=13650
2007-08-29 03:51:22 +00:00
Karl Heyes
d07723c997 fixes for client handling, these are all related to the handling of max clients.
I've taken out the client_create out of the connection_complete_source and put
it in slave, that way we can control the cleanup of the memory/socket better, the
change also meant fallback to file tests were slghtly different.

svn path=/icecast/trunk/icecast/; revision=9847
2005-08-25 00:07:17 +00:00
Karl Heyes
a528108e10 merge in client timelimit, only auth_url sets this currently. Add missing
prototypes for compile warning

svn path=/icecast/trunk/icecast/; revision=9736
2005-08-12 02:40:25 +00:00
Karl Heyes
d7f1285ba2 drop the thread pool of connection threads, they were using a blocking socket
on incoming connections. Now we get the accept thread to create a client_t
and mark it as a shoutcast client if need be.  Then use a single connection
thread to poll the non-blocking sockets for the headers. When complete they
get handled as usual.

svn path=/icecast/trunk/icecast/; revision=9733
2005-08-11 23:29:58 +00:00
Karl Heyes
e2d6bdb86a add function to do mount list search (could be extended later), call it from
various places including the shoutcast source client auth which previously
only used the global source password.

svn path=/icecast/trunk/icecast/; revision=9240
2005-05-08 11:54:46 +00:00
Karl Heyes
466a5cb60c Make source client connections reserve the source mountpoint and get rid
of the unused source setup code.

svn path=/trunk/icecast/; revision=5846
2004-02-19 21:16:59 +00:00
Karl Heyes
a83553ad8f functions to allow for reserving a source_t with a mountpoint
svn path=/trunk/icecast/; revision=5844
2004-02-19 16:32:26 +00:00
Michael Smith
0aad6d849c Add Copyright notice to each source file, as requested by debian.
svn path=/trunk/httpp/; revision=5792
2004-01-29 01:02:12 +00:00
Michael Smith
57dd5f71a5 Client authentication added.
Melanie's multilevel fallbacks added (after major changes).

svn path=/trunk/icecast/; revision=5760
2004-01-15 01:01:09 +00:00
Karl Heyes
508d25641d avoid header namespace clashes
svn path=/trunk/icecast/; revision=5146
2003-07-16 19:41:59 +00:00
Michael Smith
8527ed7b43 Implementation of aliases contributed by Paul Donohue <icecast@TopQuark.net>
svn path=/trunk/icecast/; revision=4629
2003-04-23 12:44:29 +00:00
Michael Smith
3b2df1d0d9 Brendan was getting pissed off about inconsistent indentation styles.
Convert all tabs to 4 spaces. All code must now use 4 space indents.

svn path=/trunk/avl/; revision=4492
2003-03-15 02:10:19 +00:00
Michael Smith
a79f0b6cae Split admin stuff out into a seperate file, add various utility functions there.
rename util_url_escape to util_url_unescape, and write a util_escape function
that actually DOES escape things. Fix all the callers of the function to call
the correct one of these two.

svn path=/trunk/icecast/; revision=4414
2003-03-06 14:17:33 +00:00
Michael Smith
d13ebde7a3 Allow rereading config files.
Lots of new locking happening so that it's safe to have the config file
disappear under the rest of the program

Does NOT affect currently-running sources at the moment

svn path=/trunk/icecast/; revision=4406
2003-03-05 13:03:35 +00:00
Michael Smith
913ec3481a HTTP Basic source login support. The old "ice-password" method is still
available, but is deprecated and turned off by default.

svn path=/trunk/icecast/; revision=3837
2002-08-16 14:26:48 +00:00
Michael Smith
f1dc57ae2b Cleaned up version of Ciaran Anscomb's relaying patch.
svn path=/trunk/httpp/; revision=3760
2002-08-05 14:48:04 +00:00
Jack Moffitt
42688a8366 Add check for stdint.h, since Solaris doesn't have it. This is needed
on Linux for uint64_t, but Solaris defines this in sys/types.h.  Use check
where appropriate, and also add typedefs for Win32.

svn path=/trunk/icecast/; revision=2206
2001-10-20 21:28:09 +00:00
Jack Moffitt
632c1e57fb It's too bad we don't have a commit script that smacks me upside the head
when I do stupid things like this.

svn path=/trunk/icecast/; revision=2196
2001-10-20 06:51:29 +00:00
Jack Moffitt
8f6c02365d Win32 fixes. Look how portable this was ;) Just header stuff and some defines.
Whee!

svn path=/trunk/icecast/; revision=2195
2001-10-20 06:43:04 +00:00
Jack Moffitt
61316a25d7 Initial revision
svn path=/trunk/icecast/; revision=1996
2001-09-10 02:21:46 +00:00