/* Icecast
 *
 * This program is distributed under the GNU General Public License, version 2.
 * A copy of this license is included with this source.
 *
 * Copyright 2000-2004, Jack Moffitt <jack@xiph.org>,
 *                      Michael Smith <msmith@xiph.org>,
 *                      oddsock <oddsock@xiph.org>,
 *                      Karl Heyes <karl@xiph.org>
 *                      and others (see AUTHORS for details).
 */

/** 
 * Client authentication functions
 */

#ifdef HAVE_CONFIG_H
#include <config.h>
#endif

#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>

#include "auth.h"
#include "auth_htpasswd.h"
#include "auth_url.h"
#include "source.h"
#include "client.h"
#include "cfgfile.h"
#include "stats.h"
#include "httpp/httpp.h"
#include "fserve.h"

#include "logging.h"
#define CATMODULE "auth"


/* Head of the singly-linked list of auth_client work items waiting for the
 * auth thread.  queue_auth_client pushes at the head, auth_run_thread pops
 * from the head; both do so under auth_lock.  auth_run_thread and add_client
 * also peek at this list / counter without the lock, relying on the volatile
 * qualifier for those reads (note: volatile is not a synchronisation
 * primitive, the values seen unlocked are only approximate). */
static volatile auth_client *clients_to_auth;
/* number of items currently on clients_to_auth */
static volatile unsigned int auth_pending_count;
/* set by auth_initialise, cleared by auth_shutdown to ask the thread to exit */
static volatile int auth_running;
/* protects clients_to_auth and auth_pending_count */
static mutex_t auth_lock;
/* handle of the thread running auth_run_thread; created in auth_initialise */
static thread_type *auth_thread;


/* Pull the credentials out of the client's Authorization header (only the
 * "Basic" scheme is understood) into client->username / client->password,
 * then attach the mount's authenticator to the client, taking a reference
 * on it.  mountinfo->auth must be non-NULL.
 */
static void auth_client_setup (mount_proxy *mountinfo, client_t *client)
{
    /* Expected form: "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" */
    char *header = httpp_getvar (client->parser, "authorization");

    if (header)
    {
        if (strncmp (header, "Basic ", 6) != 0)
        {
            INFO1 ("unhandled authorization header: %s", header);
        }
        else
        {
            char *decoded = util_base64_decode (header + 6);

            if (decoded == NULL)
            {
                WARN1 ("Base64 decode of Authorization header \"%s\" failed",
                        header + 6);
            }
            else
            {
                char *sep = strchr (decoded, ':');

                /* no colon means no usable "user:pass" pair; nothing is set */
                if (sep)
                {
                    *sep = 0;
                    client->username = strdup (decoded);
                    client->password = strdup (sep + 1);
                }
                free (decoded);
            }
        }
    }

    /* the client now shares the mount's authenticator; the reference is
     * dropped again through auth_release */
    thread_mutex_lock (&mountinfo->auth->lock);
    client->auth = mountinfo->auth;
    client->auth->refcount++;
    thread_mutex_unlock (&mountinfo->auth->lock);
}


/* Push a work item onto the head of the list the auth thread services.
 * Ownership of auth_user passes to the auth thread, which frees it once
 * the item has been processed.
 */
static void queue_auth_client (auth_client *auth_user)
{
    thread_mutex_lock (&auth_lock);
    /* LIFO: the most recently queued item is picked up first */
    auth_user->next = (auth_client *)clients_to_auth;
    clients_to_auth = auth_user;
    ++auth_pending_count;
    thread_mutex_unlock (&auth_lock);
}


/* Drop one reference on the authenticator.  It is shared between the mount
 * configuration and every client attached to it, so the object is only torn
 * down when the last reference goes away.  NULL is accepted and ignored.
 */
void auth_release (auth_t *authenticator)
{
    if (authenticator == NULL)
        return;

    thread_mutex_lock (&authenticator->lock);
    authenticator->refcount--;
    if (authenticator->refcount != 0)
    {
        /* still in use elsewhere */
        thread_mutex_unlock (&authenticator->lock);
        return;
    }

    /* last reference: backend-specific teardown first, then generic fields */
    if (authenticator->free)
        authenticator->free (authenticator);
    xmlFree (authenticator->type);

    thread_mutex_unlock (&authenticator->lock);
    thread_mutex_destroy (&authenticator->lock);
    free (authenticator);
}


/* Free an auth_client work item.  If it still owns a client, the client is
 * disposed of as well: destroyed when a response code has already been
 * recorded (respcode set), otherwise answered with a 401.  NULL is accepted.
 */
void auth_client_free (auth_client *auth_user)
{
    client_t *client;

    if (auth_user == NULL)
        return;

    client = auth_user->client;
    if (client)
    {
        if (client->respcode)
            client_destroy (client);
        else
            client_send_401 (client);
        auth_user->client = NULL;
    }
    free (auth_user->mount);
    free (auth_user);
}


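/* Auth-thread callback for a newly connected listener: run the mount's
 * authenticate hook (if any) and, when it accepts, hand the client over to
 * the source or fserve via auth_postprocess_client.  If the hook rejects,
 * the client's reference on the authenticator is dropped and the client is
 * left on auth_user, so auth_client_free (run by the auth thread afterwards)
 * answers it with a 401.
 */
static void auth_new_listener (auth_client *auth_user)
{
    client_t *client = auth_user->client;
    /* Captured up front: auth_postprocess_client gives the client away
     * (it clears auth_user->client and calls client_send_401 on failure),
     * so the client must not be dereferenced after that call. */
    unsigned long con_id = client->con->id;

    if (client->auth->authenticate)
    {
        if (client->auth->authenticate (auth_user) != AUTH_OK)
        {
            auth_release (client->auth);
            client->auth = NULL;
            return;
        }
    }

    if (auth_postprocess_client (auth_user) < 0)
        INFO1 ("client %lu failed", con_id);
}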


/* Auth-thread callback for a departing listener: give the authenticator's
 * release_client hook a chance to run (if it has one), then drop the
 * client's reference on the authenticator.
 */
static void auth_remove_listener (auth_client *auth_user)
{
    client_t *client = auth_user->client;

    if (client->auth->release_client != NULL)
        client->auth->release_client (auth_user);

    auth_release (client->auth);
    client->auth = NULL;
}


/* Body of the authentication thread: pop work items off clients_to_auth,
 * run each item's process callback and free the item.  The thread only
 * exits once the list is empty and auth_running has been cleared, so
 * queued work is always drained before shutdown completes.
 */
static void *auth_run_thread (void *arg)
{
    INFO0 ("Authentication thread started");
    for (;;)
    {
        auth_client *item;

        /* unlocked peek; the actual pop below happens under auth_lock */
        if (clients_to_auth == NULL)
        {
            /* is there a request to shutdown */
            if (auth_running == 0)
                break;
            thread_sleep (150000);
            continue;
        }

        thread_mutex_lock (&auth_lock);
        item = (auth_client *)clients_to_auth;
        clients_to_auth = item->next;
        auth_pending_count--;
        thread_mutex_unlock (&auth_lock);
        item->next = NULL;

        if (item->process)
            item->process (item);
        else
            ERROR0 ("client auth process not set");

        /* the item (and any client it still holds) is finished with */
        auth_client_free (item);
    }
    INFO0 ("Authenication thread shutting down");
    return NULL;
}


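/* Return non-zero if some client on tree (an AVL tree whose keys are
 * client_t pointers) already carries username.  Takes the tree's read lock
 * for the duration of the scan.
 */
static int username_on_tree (avl_tree *tree, const char *username)
{
    avl_node *node;
    int found = 0;

    avl_tree_rlock (tree);
    for (node = avl_get_first (tree); node; node = avl_get_next (node))
    {
        client_t *existing = (client_t *)node->key;

        if (existing->username && strcmp (existing->username, username) == 0)
        {
            found = 1;
            break;
        }
    }
    avl_tree_unlock (tree);
    return found;
}


/* Check whether this client is currently on this mount, the client may be
 * on either the active or pending lists.
 * return 1 if ok to add or 0 to prevent
 */
static int check_duplicate_logins (source_t *source, client_t *client)
{
    auth_t *auth = client->auth;

    /* allow multiple authenticated relays */
    if (client->username == NULL)
        return 1;

    /* only enforced when the authenticator forbids duplicate users */
    if (auth == NULL || auth->allow_duplicate_users)
        return 1;

    if (username_on_tree (source->client_tree, client->username))
        return 0;
    if (username_on_tree (source->pending_tree, client->username))
        return 0;
    return 1;
}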


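/* Attach client to source, following fallback_mount chains (at most
 * MAX_FALLBACK_HOPS hops) while the source is full.  The client is put on
 * the source's pending tree (presumably promoted to the active client tree
 * by the source itself) and the listener_connections stat is bumped.
 * Returns 0 if the client was taken, in which case the caller must not touch
 * it again, or -1 if it was not, in which case the caller still owns it.
 */
static int add_client_to_source (source_t *source, client_t *client)
{
    enum { MAX_FALLBACK_HOPS = 10 };
    int hops_left = MAX_FALLBACK_HOPS;

    /* find a source with room, walking fallbacks while the current one is full */
    for (;;)
    {
        source_t *next;

        DEBUG3 ("max on %s is %ld (cur %lu)", source->mount,
                source->max_listeners, source->listeners);
        if (source->max_listeners == -1)
            break;
        if (source->listeners < (unsigned long)source->max_listeners)
            break;

        /* full: give up unless a fallback is configured and hops remain */
        if (hops_left == 0 || !source->fallback_when_full || !source->fallback_mount)
        {
            /* now we fail the client */
            return -1;
        }

        next = source_find_mount (source->fallback_mount);
        if (next == NULL)
        {
            /* arguments were previously passed the other way round, which
             * printed the full source as the missing fallback */
            ERROR2("Fallback '%s' for full source '%s' not found",
                    source->fallback_mount, source->mount);
            return -1;
        }
        INFO1 ("stream full trying %s", next->mount);
        source = next;
        hops_left--;
    }

    client->write_to_client = format_generic_write_to_client;
    client->check_buffer = format_check_http_buffer;
    client->refbuf->len = PER_CLIENT_REFBUF_SIZE;
    memset (client->refbuf->data, 0, PER_CLIENT_REFBUF_SIZE);

    /* queue the client on the pending tree */
    avl_tree_wlock (source->pending_tree);
    avl_insert (source->pending_tree, client);
    avl_tree_unlock (source->pending_tree);
    stats_event_inc (NULL, "listener_connections");

    if (source->running == 0 && source->on_demand)
    {
        /* enable on-demand relay to start, wake up the slave thread */
        DEBUG0("kicking off on-demand relay");
        source->on_demand_req = 1;
    }

    DEBUG1 ("Added client to %s", source->mount);
    return 0;
}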


/* Hand a listener that needs no further authentication to its destination:
 * the source for mount when one exists, otherwise the fserve thread.  May be
 * called from the connection thread or the auth thread.
 * Returns -1 when a duplicate login is refused, the add_client_to_source
 * result (0 taken, -1 rejected) when a source exists, and 0 when the client
 * was passed to fserve.
 */
static int add_authenticated_client (const char *mount, mount_proxy *mountinfo, client_t *client)
{
    int ret = 0;
    source_t *source;

    avl_tree_rlock (global.source_tree);
    source = source_find_mount (mount);
    if (source == NULL)
    {
        /* no live source for this mount: let fserve deal with the client */
        avl_tree_unlock (global.source_tree);
        fserve_client_create (client, mount);
        return ret;
    }

    if (client->auth && check_duplicate_logins (source, client) == 0)
    {
        avl_tree_unlock (global.source_tree);
        return -1;
    }

    /* set a per-mount disconnect time if auth hasn't set one already */
    if (mountinfo && mountinfo->max_listener_duration && client->con->discon_time == 0)
        client->con->discon_time = time(NULL) + mountinfo->max_listener_duration;

    ret = add_client_to_source (source, client);
    avl_tree_unlock (global.source_tree);
    if (ret == 0)
        DEBUG0 ("client authenticated, passed to source");
    return ret;
}


/* Second half of listener authentication, run once the authenticate hook
 * has accepted the client: mark it authenticated and pass it to the source
 * or fserve.  If that fails the client is answered with a 401.  Either way
 * auth_user no longer owns the client afterwards.
 * Returns the add_authenticated_client result (0 on success, negative on
 * failure).
 */
int auth_postprocess_client (auth_client *auth_user)
{
    client_t *client = auth_user->client;
    ice_config_t *config = config_get_config();
    mount_proxy *mountinfo = config_find_mount (config, auth_user->mount);
    int ret;

    client->authenticated = 1;
    ret = add_authenticated_client (auth_user->mount, mountinfo, client);
    config_release_config();

    /* client_send_401 presumably disposes of the client (auth_client_free
     * uses it as the alternative to client_destroy), so the work item must
     * forget the client in both outcomes */
    if (ret < 0)
        client_send_401 (client);
    auth_user->client = NULL;

    return ret;
}


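/* Add a listener. Check for any mount information that states any
 * authentication to be used.
 *
 * Outcomes: a mount marked no_mount gets a 403; a mount with an
 * authenticator has the client's credentials parsed and a work item queued
 * for the auth thread (a 403 if too many are already waiting, a 401 if the
 * item cannot be set up); any other mount goes straight to the source or
 * fserve, with a 403 if the source refuses it.
 */
void add_client (const char *mount, client_t *client)
{
    /* cap on listeners queued for authentication; beyond it new ones get a 403 */
    enum { MAX_PENDING_AUTH = 30 };
    mount_proxy *mountinfo;
    ice_config_t *config = config_get_config();

    mountinfo = config_find_mount (config, mount);
    if (mountinfo && mountinfo->no_mount)
    {
        config_release_config ();
        client_send_403 (client, "mountpoint unavailable");
        return;
    }
    if (mountinfo && mountinfo->auth)
    {
        auth_client *auth_user;

        /* unlocked read of the counter; an approximate value is fine here */
        if (auth_pending_count > MAX_PENDING_AUTH)
        {
            config_release_config ();
            WARN0 ("too many clients awaiting authentication");
            client_send_403 (client, "busy, please try again later");
            return;
        }
        auth_client_setup (mountinfo, client);
        config_release_config ();

        /* defensive: auth_client_setup always attaches mountinfo->auth */
        if (client->auth == NULL)
        {
            client_send_401 (client);
            return;
        }
        auth_user = calloc (1, sizeof (auth_client));
        if (auth_user)
            auth_user->mount = strdup (mount);
        if (auth_user == NULL || auth_user->mount == NULL)
        {
            /* out of memory: refuse the listener rather than queue a
             * half-initialised item whose NULL mount would later be handed
             * to config_find_mount */
            free (auth_user);
            client_send_401 (client);
            return;
        }
        auth_user->process = auth_new_listener;
        auth_user->client = client;

        INFO0 ("adding client for authentication");
        queue_auth_client (auth_user);
    }
    else
    {
        int ret = add_authenticated_client (mount, mountinfo, client);
        config_release_config ();
        if (ret < 0)
            client_send_403 (client, "max listeners reached");
    }
}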


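/* Called when a client goes away.  If it is attached to an authenticator,
 * queue an auth_remove_listener work item so the authenticator's exit hook
 * (typically for external auth servers) runs on the auth thread.
 * Returns 1 if the client was queued and is now owned by the auth thread,
 * 0 if the caller should carry on handling the client itself.
 */
int release_client (client_t *client)
{
    auth_client *auth_user;
    const char *uri;

    if (client->auth == NULL)
        return 0;

    auth_user = calloc (1, sizeof (auth_client));
    if (auth_user == NULL)
        return 0;

    /* strdup(NULL) is undefined; leave mount unset if no URI was recorded */
    uri = httpp_getvar (client->parser, HTTPP_VAR_URI);
    auth_user->mount = uri ? strdup (uri) : NULL;
    auth_user->process = auth_remove_listener;
    auth_user->client = client;

    queue_auth_client (auth_user);
    return 1;
}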


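/* Bind the backend named by auth->type ("url" when built with HAVE_AUTH_URL,
 * or "htpasswd") to auth, then apply the generic options.  On an unknown or
 * missing type an error is logged and auth is left without a backend, with
 * its refcount still 0.
 */
static void get_authenticator (auth_t *auth, config_options_t *options)
{
    int bound = 0;

    /* a config node without a "type" attribute leaves auth->type NULL;
     * strcmp on it would be undefined, so report it instead */
    if (auth->type == NULL)
    {
        ERROR0 ("Authenticator type not specified");
        return;
    }
    DEBUG1 ("type is %s", auth->type);

#ifdef HAVE_AUTH_URL
    if (strcmp (auth->type, "url") == 0)
    {
        auth_get_url_auth (auth, options);
        bound = 1;
    }
#endif
    if (!bound && strcmp (auth->type, "htpasswd") == 0)
    {
        auth_get_htpasswd_auth (auth, options);
        bound = 1;
    }
    if (!bound)
    {
        ERROR1("Unrecognised authenticator type: \"%s\"", auth->type);
        return;
    }

    /* the mount configuration holds the first reference */
    auth->refcount = 1;
    for (; options; options = options->next)
    {
        if (strcmp(options->name, "allow_duplicate_users") == 0)
            auth->allow_duplicate_users = atoi (options->value);
    }
}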


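/* Build an auth_t from an XML configuration node: gather its "option"
 * children (name/value attribute pairs) into a temporary list, bind the
 * backend named by the node's "type" attribute (get_authenticator) and
 * create the lock.  The option list is freed before returning, so the
 * backend must copy anything it wants to keep.
 * Returns the new auth_t, or NULL on allocation failure.
 */
auth_t *auth_get_authenticator (xmlNodePtr node)
{
    auth_t *auth = calloc (1, sizeof (auth_t));
    config_options_t *options = NULL, **next_option = &options;
    xmlNodePtr option;

    if (auth == NULL)
        return NULL;

    for (option = node->xmlChildrenNode; option; option = option->next)
    {
        config_options_t *opt;

        if (strcmp (option->name, "option") != 0)
        {
            /* "text" nodes (whitespace between elements) are expected */
            if (strcmp (option->name, "text") != 0)
                WARN1 ("unknown auth setting (%s)", option->name);
            continue;
        }

        opt = calloc (1, sizeof (config_options_t));
        if (opt == NULL)
        {
            /* a partially applied option set is worse than no authenticator */
            ERROR0 ("out of memory reading auth options");
            free (auth);
            auth = NULL;
            break;
        }
        opt->name = xmlGetProp (option, "name");
        if (opt->name == NULL)
        {
            free (opt);
            continue;
        }
        opt->value = xmlGetProp (option, "value");
        if (opt->value == NULL)
        {
            xmlFree (opt->name);
            free (opt);
            continue;
        }
        *next_option = opt;
        next_option = &opt->next;
    }

    if (auth)
    {
        auth->type = xmlGetProp (node, "type");
        get_authenticator (auth, options);
        thread_mutex_create (&auth->lock);
    }

    /* the option list is only needed while the backend is being set up */
    while (options)
    {
        config_options_t *opt = options;
        options = opt->next;
        xmlFree (opt->name);
        xmlFree (opt->value);
        free (opt);
    }
    return auth;
}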


/* Called when the stream starts, so the authentication engine can do any
 * cleanup/initialisation.  The mount's stream_start hook, if any, is run on
 * the auth thread via a queued work item.
 */
void auth_stream_start (mount_proxy *mountinfo, const char *mount)
{
    auth_client *auth_user;

    if (mountinfo == NULL || mountinfo->auth == NULL)
        return;
    if (mountinfo->auth->stream_start == NULL)
        return;

    /* the auth thread frees the item once the hook has run; on allocation
     * failure the notification is silently skipped */
    auth_user = calloc (1, sizeof (auth_client));
    if (auth_user == NULL)
        return;
    auth_user->mount = strdup (mount);
    auth_user->process = mountinfo->auth->stream_start;
    queue_auth_client (auth_user);
}


/* Called when the stream ends so that the authentication engine can do
 * any authentication cleanup.  The mount's stream_end hook, if any, is run
 * on the auth thread via a queued work item.
 */
void auth_stream_end (mount_proxy *mountinfo, const char *mount)
{
    auth_client *auth_user;

    if (mountinfo == NULL || mountinfo->auth == NULL)
        return;
    if (mountinfo->auth->stream_end == NULL)
        return;

    /* the auth thread frees the item once the hook has run; on allocation
     * failure the notification is silently skipped */
    auth_user = calloc (1, sizeof (auth_client));
    if (auth_user == NULL)
        return;
    auth_user->mount = strdup (mount);
    auth_user->process = mountinfo->auth->stream_end;
    queue_auth_client (auth_user);
}


/* these are called at server start and termination */

/* Reset the pending queue, create its lock and start the auth thread. */
void auth_initialise (void)
{
    auth_running = 1;
    auth_pending_count = 0;
    clients_to_auth = NULL;
    thread_mutex_create (&auth_lock);
    auth_thread = thread_create ("auth thread", auth_run_thread, NULL, THREAD_ATTACHED);
}

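/* Ask the auth thread to stop and wait for it; the thread drains any queued
 * work before exiting.  The handle is cleared after the join so a repeated
 * call does not join a thread that is already gone.
 */
void auth_shutdown (void)
{
    if (auth_thread == NULL)
        return;

    auth_running = 0;
    thread_join (auth_thread);
    auth_thread = NULL;
    INFO0 ("Auth thread has terminated");
}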