1
0
mirror of https://gitlab.xiph.org/xiph/icecast-server.git synced 2024-11-03 04:17:17 -05:00
Commit Graph

76 Commits

Author SHA1 Message Date
Philipp Schafft
cb32973572 Feature: Added permission system for auth backends altering clients 2018-09-19 13:32:58 +00:00
Philipp Schafft
0392b4a32f Feature: Added lookup function for auth_alter_t 2018-09-19 13:32:58 +00:00
Philipp Schafft
4d7a60d588 Feature: Added basic support for auth backends to manipulate the client 2018-09-19 13:32:58 +00:00
Philipp Schafft
8bd43eb3d4 Feature: Added new <role> properties: match-method, and nomatch-method. This is more inline with the other properties 2018-09-13 10:37:33 +00:00
Philipp Schafft
d317b6fbdc Feature: Added new <role> properties: match-web, nomatch-web, match-admin, and nomatch-admin 2018-09-13 10:14:31 +00:00
Philipp Schafft
fd1f34c1e2 Cleanup: HAVE_AUTH_URL -> HAVE_CURL 2018-06-16 15:34:56 +02:00
Philipp Schafft
a612d0c4a1 Fix: Fixed log level for auth internal debug message
Thanks to ePirat.
2018-05-26 06:17:56 +00:00
Philipp Schafft
b42378abc4 Feature: Generate errors based on IDs.
This generates error pages based on IDs. This allows to reuse errors
and add more advanced information to them.

This patch also makes Icecast send in plain text OR HTML based
on the clients Accept:-string.
2018-05-07 16:28:46 +00:00
Philipp Schafft
84124c313a Update: Added spaces to output of auth_result2str().
This adds spaces into the strings such as "nomatch" (-> "no match")
as returned by auth_result2str(). This is to improve readability of
resulting logfiles by most uses.
2017-01-22 08:38:01 +00:00
Philipp Schafft
e75b1a1612 Fix: Corrected number of arguments for ICECAST_LOG_INFO()
This fixes the number of arguments for ICECAST_LOG_INFO().
Why doesn't GCC warn about this?
2017-01-22 08:38:01 +00:00
Philipp Schafft
f5dd306f71 Update: improved auth related logging 2017-01-22 08:38:01 +00:00
Philipp Schafft
24bc25ec38 Cleanup: fixed some compiler warnings 2015-11-28 11:30:34 +00:00
Thomas B. Ruecker
671c2366cf Fixed log messages and comments
* Reworded many log messages for better understanding.
 * Adjusted some version targets as we won't have a 2.4.2 release.
 * Added some FIXME comments
2015-03-01 16:55:27 +00:00
Marvin Scholz
0dfc7c5b6a Cleanup codestyle
This commit cleanups codestyle a bit, yet there is still some work to be done
2015-01-25 19:57:27 +01:00
Philipp Schafft
11d5dffd49 Cleanup: Removed tailing spaces 2015-01-10 18:53:44 +00:00
Philipp Schafft
f39b7d8880 Cleanup: Removed trivial header files for auth backends
All Auth backends had just one prototype in auth_*.h. Those
got merged into auth.h to avoid to have many small files around.
2015-01-06 11:29:07 +00:00
Philipp Schafft
0f311a318d Fix: Do not segfault if <role type="..."> is unknown 2014-12-28 21:11:52 +00:00
Philipp Schafft
857264acdc Fix: memory leak and race condition fix 2014-12-20 16:12:27 +00:00
Philipp Schafft
55d429a6c8 Fix: Corrected display of "login" on status page
This corrects the creation of <authenticator> in the status output
and this way fixes the display of login link on status page.
Closes #1939
2014-12-20 09:39:26 +00:00
Philipp Schafft
3d6ea2efdb Merged support for thread-less <role>s 2014-12-19 17:30:37 +00:00
Philipp Schafft
25f6c53929 Feature: immediate mode for <role>s
This allows a <role> represented by a auth_t to run in "immediate"
mode. In this mode no thread is created for this <role>. This is a
major speedup.

Closes #2124
2014-12-19 17:27:54 +00:00
Philipp Schafft
0eb466b76d Feature: Allow mangement of <role>s via admin/ interface.
This allows to manage <role>s via admin interface if the role supports.
Also format of admin/manageauth has been changed:
- <source> was renamed to <role>.
- mount parameter was removed.
- <role> got new parameters: type, name,
  can-adduser, can-deleteuser, can-listuser.
- can-* parameters are bools ("true" or "false"). They should be used
  to show or hide elements on the admin interface.

Ticket #2123 is nearly complet with this, just admin/manageauth.xsl
needs up be updated. Please close the bug in the commit that updates
admin/manageauth.xsl.
See #2123
2014-12-19 16:14:35 +00:00
Philipp Schafft
1c550b0c8e Feature: Added support for management-url="" in <role>
This adds setting a URL for manegement of roles to the framework.
If no URl is given in the config file this defaults to internal
(/admin/manageauth.xsl) interface if supported by the backend.
See #2123
2014-12-19 11:16:13 +00:00
Philipp Schafft
40bb04b644 Feature: Added a unique ID to each auth_t.
This added a unique ID to each auth_t instance so it can be refered
to e.g. by the web interface for mangement functionallity. Mostly
stolen from connection.[ch].
See #2123
2014-12-19 10:50:52 +00:00
Philipp Schafft
c73e214f8f Regression Fix: Correction of old-style <authentication>.
Old-style <authentication> within <mount> didn't work for type="url"
as well as some other parameters due to confusion between "node"
and "child" variable.

Thanks for trilliot for pointing out! Should work now.
closes #2039
2014-12-14 09:27:49 +00:00
Philipp Schafft
bdcf008b7c Added <event>: Unified handling of events.
<event> has been added and can be used within <kartoffelsalat>
both in <icecast> and <mount>.
<event> takes backend depending <option> child tags.
Currently supported backends:
 - log: send message to error log.
 - exec: executes a program or script.
 - url: delivers the event via HTTP.

within <mount> <on-connect> and <on-disconnect> has been replaced by
<event>. Config parser can on-the-fly convert old tags.
Also <authentication type="url"> within <mount> has been fixed
for those cases with <option name="mount_add" .../> and
<option name="mount_remove" .../> which are now on-the-fly converted
by the parser to corresponding <event> tags.

Please also see TAGs added as per #2098. Some include hints for
documentation updates needed after this change. Those updates
should take place before 2.4.2.
2014-12-08 00:39:57 +00:00
Marvin Scholz
1bf41cfdb6 Epic Git migration commit
Added .gitignore and submodules
Changed paths to match new location of things
2014-12-02 22:50:57 +01:00
Philipp Schafft
93194594f7 better coding style, patch by ePirat. refs #2059
svn path=/icecast/trunk/icecast/; revision=19376
2014-11-30 20:32:30 +00:00
Philipp Schafft
ea71438af3 s/listener/client/; thanks to micheil.
svn path=/icecast/trunk/icecast/; revision=19375
2014-11-30 18:20:09 +00:00
Philipp Schafft
35723bed54 sock_active() is broken and can not be used
svn path=/icecast/trunk/icecast/; revision=19372
2014-11-30 18:17:10 +00:00
Philipp Schafft
a642cac542 Wow. Mega patch!
This patch *replaces* the authentication system completly.

What is new:
 - <authentication> in mount section is now a container object.
 - <authentication> in root and mount section may hold any number of <role>-Tags.
 - <role> tags:
   Those tags define a 'role' and it's ACL rules.
   A role is a instance of an authentication module (see below).
   <role> takes the following options. All but type are optional.
   - authentication related:
     - type: Type of the authentication module (values: anonymous, static, legacy-password, url or htpasswd;
             symbolic constants in auth.h)
     - name: Name for the role. For later matching. (values: any string; default: (none))
     - method: This rule is only active on the given list of HTTP methods.
               (list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
   - ACL related:
     - allow-method: Allowed HTTP methods.
       (list of enum values: methods as recognized by httpp/ (e.g: get,post); default: get)
     - deny-method: Rejected HTTP methods.
       (list of enum values: methods as recognized by httpp/ (e.g: get,post); default: *)
     - allow-admin: Allowed admin commands. (list of enum values: admin command; default: buildm3u)
     - deny-admin: Rejected admin commands. (list of enum values: admin command; default: *)
     - allow-web: Allowed web pages. (values: empty or *; default: *)
     - deny-web: Rejected web pages. (values: empty or *; default: (empty))
     - connections-per-user: maximum number of simultaneous connections per role and username.
       This is only active on active sources.  (values: unlimited or number of connections; default: unlimited)
     - connection-duration: maximum time of a connection. This is only active on active sources.
       (values: unlimited or number of secounds; default: unlimited)
   <role> takes <option> child tags. <option> tags contain a name and a value option.
   Meaning of <option> tags is up to the authentication module.
 - <role>s are considered to build a stack. If a role returns with AUTH_NOMATCH the next one will be tried.
 - <role>s are tested in this order: mount specific, default mount specific, global, internal fallback.
   Internal fallback is set to allow web/ access via GET, POST and HEAD (only GET supported by this time)
   and rejects all other requests.
 - New authentication module: anonymous
   This module matches all requests. No options taken.
 - New authentication module: static
   This module matches with a static username and password.
   It takes two <option>s. One with name="username" and one with name="password" to set username and password.
   This replaces old style <*-username> and <*-password> tags.
 - New authentication module: legacy-password
   This module matches with a statich password.
   It takes one <option> with name="password" to set password.
   This replaces old ICE and ICY (shoutcast compat mode) authentication.
 - Parsing <authentication> in <mount> with a type set in a special way to allow 100% backward compatibility.
 - Parsing of <source-password>, <admin-password>, <admin-user>, <relay-password> and <relay-user> in global
   <authentication> for 100% backward compatibility.
 - <alias> is now proccessed very early. This enables them to be used for all kinds of requests.

To Do List & What does not yet work:
 - type="url" auth: mount_add and mount_remove.
   This should be replaced by an unique feature I would call '<event>'.
 - Admin commands manageauth and manageauth.xsl are disabled as they need more review:
   This code needs to be ported to support multiple <role>s per <mount>.
 - url authentication module can not yet return AUTH_NOMATCH.
   This needs to be reviewed and discussed on how to handle this case best way.
 - Default config files needs to be updated to reflect the changes.
   As this is quite some political act it should be done in dicussion with the whole team
   and permission of the release manager.
 - Docs need to be updated to reflect the changes.

How does it work:
 Code has been changed so that authentification is done early for all clients.
 This allows accessing the ACL data (client->acl) from nearly everywhere in the code.

 After accept() and initial client setup the request is parsed. In the next step
 all <alias>es are resolved. After this the client is passed for authentication.
 After authentication it is passed to the corresponding subsystem depending on kind of request.

 All authentication instances have a thread running for doing the authentication.
 This thread works on a queue of clients.

Hints for testers:
 - Test with default config.
 - Test with diffrent authentication modules in <mount>.
 - Test shoutcast compatibility mode.
 - Test with new style <authentication> and any amount of <role> (zero to quite some).
 - Test <alias> lookup on all kinds of objects.
 - Test source level credential login into the admin interface.
 - Test shoucast style meta data updates.
 - Test playlist generation.

Thank you for reading this long commit message. Have fun reading the full patch!

svn path=/icecast/trunk/icecast/; revision=19358
2014-11-28 23:46:08 +00:00
Philipp Schafft
bdc392beb1 some smaller stuff needed to get new authing stuff done
svn path=/icecast/trunk/icecast/; revision=19346
2014-11-22 03:49:36 +00:00
Philipp Schafft
0df154f3bf remove client_send_[0-9]{3}() in favor of client_send_error(). Please test
svn path=/icecast/trunk/icecast/; revision=19344
2014-11-21 18:05:17 +00:00
Philipp Schafft
2b7cb1c641 LOG_{ERROR|WARN|INFO|DEBUG}() -> ICECAST_LOG_{ERROR|WARN|INFO|DEBUG}(); this is to avoid collision with LOG_INFO that is defined as part of syslog.
svn path=/icecast/trunk/icecast/; revision=19257
2014-10-31 08:46:58 +00:00
Philipp Schafft
cf419cc1df make <auth> in <mount type="default"> work if no <mount-name> is given.
svn path=/icecast/trunk/icecast/; revision=19251
2014-10-26 14:03:57 +00:00
Philipp Schafft
7ae4664780 Replace the old logging macros with variadic argument macros. (patch by ePirat) (close #2058)
svn path=/icecast/trunk/icecast/; revision=19229
2014-10-09 10:39:13 +00:00
Philipp Schafft
d54c61bf13 Added support for a default mount. See #1914.
The default mount is a block in the config file that contains settings for
all mount points that do not have a block in configfile themself.
This is implemented by a <mount type="default">-block.
In this case the <mount>-block MUST NOT contain a <mount-name>-subblock.

svn path=/icecast/trunk/icecast/; revision=18902
2013-04-02 18:46:44 +00:00
Karl Heyes
e6dfee632c Allow source client authentication via auth handler. Here the URL handler can
issue requests (using ithe stream_auth option) to allow external engines to
determine whether a client can stream or not. Admin requests using source auth
are able to use this mechanism however source clients using the icy protocol
cannot yet.


svn path=/icecast/trunk/icecast/; revision=15621
2009-01-14 01:18:22 +00:00
Karl Heyes
d503f0bf5c guard for 2 NULL pointer cases raised by coverity. Neither should occur in practice
svn path=/icecast/trunk/icecast/; revision=15358
2008-10-01 01:07:29 +00:00
Karl Heyes
a520a18e53 allow listener_remove only cases. clients were not attached to the auth at
connection time so the remove trigger could not be processed.

svn path=/icecast/trunk/icecast/; revision=15265
2008-09-08 00:40:25 +00:00
Karl Heyes
2822e350bb htpasswd auth should apply even if no filename is specified, just reject all
new listeners with the reason logged. auth_t refcount was getting out of sync
which is a potential small memory leak.

svn path=/icecast/trunk/icecast/; revision=14788
2008-04-23 02:48:53 +00:00
Karl Heyes
73401b80d5 prevent NULL dereference
svn path=/icecast/trunk/icecast/; revision=14307
2007-12-15 17:21:22 +00:00
Karl Heyes
66b68170cc auth sync up. Fix longstanding race bug and make stream start/stop triggers work again.
svn path=/icecast/trunk/icecast/; revision=14114
2007-11-08 19:52:51 +00:00
Karl Heyes
549127b9f5 a missing break from a previous auth update was preventing url auth from being
used

svn path=/icecast/trunk/icecast/; revision=14017
2007-10-20 01:55:18 +00:00
Karl Heyes
e065acb7f1 no functional/structural change but cleans up the annoying signed/unsigned pointer warnings
here with xmlChar, based on work originally done by gtgbr@gmx.net.
closes #783, #784, #785, #787

svn path=/icecast/trunk/icecast/; revision=13933
2007-10-04 16:48:38 +00:00
Karl Heyes
b8ab793867 make sure mount authentication has a type specified
svn path=/icecast/trunk/icecast/; revision=13877
2007-09-22 01:21:17 +00:00
Karl Heyes
9e078e714f allow xsl requests to go through the authentication code
svn path=/icecast/trunk/icecast/; revision=13628
2007-08-25 16:04:33 +00:00
Karl Heyes
fe0e17dbaa fix bug #1141
svn path=/icecast/trunk/icecast/; revision=13595
2007-08-23 16:58:18 +00:00
Karl Heyes
176b9f7eca Auth update. Have each auth_t has its own queue of requests and thread to process
them. Each listener connection for each request is checked as connected before
performing the request (so that time isn't wasted on slow authentication). Various
name/comment cleanups as well.

svn path=/icecast/trunk/icecast/; revision=13583
2007-08-21 22:30:30 +00:00
Karl Heyes
5f8cfd70f7 const updates, no functional changes
svn path=/icecast/trunk/icecast/; revision=13559
2007-08-16 22:49:13 +00:00