/* Icecast
 *
 * This program is distributed under the GNU General Public License, version 2.
 * A copy of this license is included with this source.
 *
 * Copyright 2000-2004, Jack Moffitt <jack@xiph.org, 
 *                      Michael Smith <msmith@xiph.org>,
 *                      oddsock <oddsock@xiph.org>,
 *                      Karl Heyes <karl@xiph.org>
 *                      and others (see AUTHORS for details).
 */

/** 
 * Client authentication functions
 */

#ifdef HAVE_CONFIG_H
#include <config.h>
#endif

#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>

#include "auth.h"
#include "auth_htpasswd.h"
#include "auth_url.h"
#include "source.h"
#include "client.h"
#include "cfgfile.h"
#include "stats.h"
#include "httpp/httpp.h"
#include "fserve.h"

#include "logging.h"
#define CATMODULE "auth"


/* Intrusive singly linked list of work items waiting for the auth thread.
 * queue_auth_client() pushes at the head and auth_run_thread() pops at the
 * head, so the queue is LIFO. Guarded by auth_lock. */
static volatile auth_client *clients_to_auth;
/* Number of items on clients_to_auth. Updated under auth_lock, but read
 * without it in add_client() as a load-shedding hint only. */
static volatile unsigned int auth_pending_count;
/* Cleared by auth_shutdown(); auth_run_thread() exits once it sees 0 and
 * the queue is empty. NOTE(review): volatile is not a synchronisation
 * primitive; ordering here relies on auth_lock and thread_join(). */
static volatile int auth_running;
/* Protects clients_to_auth and auth_pending_count. */
static mutex_t auth_lock;
/* Handle of the thread started by auth_initialise(); NULL until then. */
static thread_type *auth_thread;


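/* Pull the listener's credentials out of the HTTP Authorization header and
 * attach the mount's authenticator to the client.
 *
 * Only the "Basic" scheme is understood: the base64 payload is decoded and
 * split at the first ':' into client->username / client->password. A missing
 * header, another scheme or a malformed payload leaves both fields untouched.
 *
 * The header value is untrusted input and may carry a credential, so it is
 * never echoed into the log: a failed decode is reported without the payload
 * and an unknown scheme is logged by its scheme token only.
 *
 * mountinfo->auth must be non-NULL (add_client() checks this); one reference
 * is taken on it and stored in client->auth.
 */
static void auth_client_setup (mount_proxy *mountinfo, client_t *client)
{
    /* This will look something like "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" */
    char *header = httpp_getvar (client->parser, "authorization");

    if (header)
    {
        if (strncmp (header, "Basic ", 6) == 0)
        {
            char *userpass = util_base64_decode (header + 6);

            if (userpass == NULL)
                WARN0 ("Base64 decode of Authorization header failed");
            else
            {
                char *sep = strchr (userpass, ':');

                /* Basic credentials are user-id ":" password; without the
                 * separator there is nothing usable in the payload */
                if (sep)
                {
                    *sep = '\0';
                    client->username = strdup (userpass);
                    client->password = strdup (sep + 1);
                    /* NOTE(review): a failed strdup leaves the field NULL;
                     * check_duplicate_logins() then skips the duplicate
                     * check for this client, but the authenticator still
                     * runs against it. */
                }
                free (userpass);
            }
        }
        else
        {
            /* log the scheme token only; the remainder of the value may be
             * a credential for some other mechanism */
            char scheme[32];
            int scheme_len = (int)strcspn (header, " ");

            snprintf (scheme, sizeof scheme, "%.*s", scheme_len, header);
            INFO1 ("unhandled authorization header scheme: %s", scheme);
        }
    }

    thread_mutex_lock (&mountinfo->auth->lock);
    client->auth = mountinfo->auth;
    client->auth->refcount++;
    thread_mutex_unlock (&mountinfo->auth->lock);
}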

/* Push a work item onto the head of the auth thread's queue. May be called
 * from any thread; the list and its counter are only touched under
 * auth_lock. The newest item is the next one auth_run_thread() picks up. */
static void queue_auth_client (auth_client *auth_user)
{
    thread_mutex_lock (&auth_lock);
    auth_user->next = (auth_client *)clients_to_auth;
    clients_to_auth = auth_user;
    ++auth_pending_count;
    thread_mutex_unlock (&auth_lock);
}
/* Drop one reference on an authenticator. An auth_t is shared by the mount
 * configuration and every client it has been attached to, so the backend's
 * free hook, the type string, the lock and the struct itself are released
 * only when the last reference goes. A NULL argument is ignored.
 */
void auth_release (auth_t *authenticator)
{
    if (authenticator == NULL)
        return;

    thread_mutex_lock (&authenticator->lock);
    if (--authenticator->refcount)
    {
        /* still in use elsewhere */
        thread_mutex_unlock (&authenticator->lock);
        return;
    }

    /* last reference: let the backend tear down its private state first */
    if (authenticator->free)
        authenticator->free (authenticator);
    xmlFree (authenticator->type);

    thread_mutex_unlock (&authenticator->lock);
    thread_mutex_destroy (&authenticator->lock);
    free (authenticator);
}


/* Dispose of a finished work item. A client still attached to the item was
 * never handed on (auth_postprocess_client() clears the field when it is),
 * so it is dealt with here: a client that already has a response code is
 * destroyed, one without gets a 401. The mount string and the item are
 * freed; NULL is accepted.
 */
void auth_client_free (auth_client *auth_user)
{
    client_t *client;

    if (auth_user == NULL)
        return;

    client = auth_user->client;
    auth_user->client = NULL;
    if (client)
    {
        if (client->respcode)
            client_destroy (client);
        else
            client_send_401 (client);
    }

    free (auth_user->mount);
    free (auth_user);
}


/* Auth-thread entry point for a new listener: run the backend's
 * authenticate hook, if it has one, and on success hand the client over to
 * its source via auth_postprocess_client(). On failure the client's
 * authenticator reference is dropped and the client is left on the work
 * item for auth_client_free() to reject.
 */
static void auth_new_listener (auth_client *auth_user)
{
    client_t *client = auth_user->client;
    auth_t *auth = client->auth;

    if (auth->authenticate && auth->authenticate (auth_user) != AUTH_OK)
    {
        auth_release (auth);
        client->auth = NULL;
        return;
    }

    if (auth_postprocess_client (auth_user) < 0)
        INFO1 ("client %lu failed", client->con->id);
}


/* Auth-thread entry point for a departing listener: give the backend a
 * chance to see the disconnect through its release_client hook, then drop
 * the client's reference on the authenticator.
 */
static void auth_remove_listener (auth_client *auth_user)
{
    client_t *client = auth_user->client;

    if (client->auth->release_client)
        client->auth->release_client (auth_user);

    auth_release (client->auth);
    client->auth = NULL;
}


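/* The auth thread main loop: pop work items one at a time, run each item's
 * process hook and dispose of it. While the queue is empty it sleeps
 * briefly between polls and exits once auth_shutdown() has cleared
 * auth_running; items queued before shutdown are still drained first.
 *
 * The queue head is now read under auth_lock as well as popped under it;
 * the unlocked test of clients_to_auth it replaces raced with
 * queue_auth_client() on other threads.
 *
 * arg is unused. Always returns NULL.
 */
static void *auth_run_thread (void *arg)
{
    (void)arg;

    INFO0 ("Authentication thread started");
    while (1)
    {
        auth_client *auth_user;

        thread_mutex_lock (&auth_lock);
        auth_user = (auth_client *)clients_to_auth;
        if (auth_user)
        {
            clients_to_auth = auth_user->next;
            auth_pending_count--;
        }
        thread_mutex_unlock (&auth_lock);

        if (auth_user)
        {
            auth_user->next = NULL;
            if (auth_user->process)
                auth_user->process (auth_user);
            else
                ERROR0 ("client auth process not set");
            auth_client_free (auth_user);
            continue;
        }

        /* is there a request to shutdown */
        if (auth_running == 0)
            break;
        thread_sleep (150000);
    }
    INFO0 ("Authentication thread shutting down");
    return NULL;
}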


/* Decide whether a listener may join this source when its authenticator
 * forbids duplicate user names: the active client tree and the pending tree
 * are both scanned for a client with the same username. Clients with no
 * username (relays) and authenticators that allow duplicates are always
 * accepted.
 * Returns 1 if the client may be added, 0 if it must be refused.
 */
static int check_duplicate_logins (source_t *source, client_t *client)
{
    auth_t *auth = client->auth;
    avl_node *node;
    int clash = 0;

    /* allow multiple authenticated relays */
    if (client->username == NULL)
        return 1;
    if (auth == NULL || auth->allow_duplicate_users)
        return 1;

    avl_tree_rlock (source->client_tree);
    for (node = avl_get_first (source->client_tree); node; node = avl_get_next (node))
    {
        client_t *existing = (client_t *)node->key;

        if (existing->username && strcmp (existing->username, client->username) == 0)
        {
            clash = 1;
            break;
        }
    }
    avl_tree_unlock (source->client_tree);
    if (clash)
        return 0;

    avl_tree_rlock (source->pending_tree);
    for (node = avl_get_first (source->pending_tree); node; node = avl_get_next (node))
    {
        client_t *existing = (client_t *)node->key;

        if (existing->username && strcmp (existing->username, client->username) == 0)
        {
            clash = 1;
            break;
        }
    }
    avl_tree_unlock (source->pending_tree);

    return clash ? 0 : 1;
}


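/* Place an authenticated listener on a source, following the source's
 * fallback_mount chain when the stream is full and fallback_when_full is
 * set. At most MAX_FALLBACK_HOPS fallbacks are tried, which bounds a cycle
 * in the configuration.
 *
 * Returns 0 when the client has been queued on the source's pending tree;
 * the client then belongs to the source and must not be touched by the
 * caller. Returns -1 when every candidate is full or a fallback mount does
 * not exist; the caller is then responsible for the client.
 *
 * The caller (add_authenticated_client) holds global.source_tree read-locked
 * around this call.
 */
static int add_client_to_source (source_t *source, client_t *client)
{
    enum { MAX_FALLBACK_HOPS = 10 };
    int hops = MAX_FALLBACK_HOPS;

    while (1)
    {
        source_t *next;

        DEBUG3 ("max on %s is %ld (cur %lu)", source->mount,
                source->max_listeners, source->listeners);
        if (source->max_listeners == -1)
            break;
        if (source->listeners < (unsigned long)source->max_listeners)
            break;

        if (hops == 0 || !source->fallback_when_full || !source->fallback_mount)
        {
            /* now we fail the client */
            return -1;
        }

        next = source_find_mount (source->fallback_mount);
        if (next == NULL)
        {
            /* a fallback_mount naming a mount that does not exist was
             * previously dereferenced unchecked */
            WARN1 ("fallback mount %s not found", source->fallback_mount);
            return -1;
        }
        INFO1 ("stream full trying %s", next->mount);
        source = next;
        hops--;
    }

    client->write_to_client = format_generic_write_to_client;
    client->check_buffer = format_check_http_buffer;
    client->refbuf->len = PER_CLIENT_REFBUF_SIZE;
    memset (client->refbuf->data, 0, PER_CLIENT_REFBUF_SIZE);

    /* queue the client on the pending tree, not the active client tree */
    avl_tree_wlock (source->pending_tree);
    avl_insert (source->pending_tree, client);
    avl_tree_unlock (source->pending_tree);
    stats_event_inc (NULL, "listener_connections");

    if (source->running == 0 && source->on_demand)
    {
        /* enable on-demand relay to start, wake up the slave thread */
        DEBUG0("kicking off on-demand relay");
        source->on_demand_req = 1;
        slave_rescan ();
    }

    DEBUG1 ("Added client to %s", source->mount);
    return 0;
}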


/* Route an authenticated listener to whichever thread serves the mount: the
 * live source if one exists, otherwise fserve_client_create(). On the source
 * path the duplicate-login policy is applied and, when the mount configures
 * max_listener_duration, a disconnect time is set unless auth already did.
 * This can be run from the connection or auth thread context.
 * Returns 0 on success (the fserve path always reports 0) or -1 when the
 * client was refused and still belongs to the caller.
 */
static int add_authenticated_client (const char *mount, mount_proxy *mountinfo, client_t *client)
{
    source_t *source;
    int ret;

    avl_tree_rlock (global.source_tree);
    source = source_find_mount (mount);
    if (source == NULL)
    {
        avl_tree_unlock (global.source_tree);
        fserve_client_create (client, mount);
        return 0;
    }

    if (client->auth && check_duplicate_logins (source, client) == 0)
    {
        avl_tree_unlock (global.source_tree);
        return -1;
    }

    /* set a per-mount disconnect time if auth hasn't set one already */
    if (mountinfo && mountinfo->max_listener_duration && client->con->discon_time == 0)
        client->con->discon_time = time(NULL) + mountinfo->max_listener_duration;

    ret = add_client_to_source (source, client);
    avl_tree_unlock (global.source_tree);
    if (ret == 0)
        DEBUG0 ("client authenticated, passed to source");

    return ret;
}


/* Second half of listener admission, run once the backend (if any) has
 * accepted the client: mark it authenticated, route it under the current
 * configuration and detach it from the work item. A refused client is sent
 * a 401 here.
 * Returns the add_authenticated_client() result: 0 admitted, -1 refused.
 */
int auth_postprocess_client (auth_client *auth_user)
{
    client_t *client = auth_user->client;
    ice_config_t *config = config_get_config ();
    mount_proxy *mountinfo = config_find_mount (config, auth_user->mount);
    int ret;

    client->authenticated = 1;
    ret = add_authenticated_client (auth_user->mount, mountinfo, client);
    config_release_config ();

    if (ret < 0)
        client_send_401 (client);
    /* either way the client is no longer ours; clearing the field keeps
     * auth_client_free() from touching it again */
    auth_user->client = NULL;

    return ret;
}


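/* Admit a listener on a mount. A mount configured no_mount is refused with
 * 403; a mount with an authenticator has the client's credentials parsed
 * and a work item queued for the auth thread; anything else goes straight
 * to add_authenticated_client().
 *
 * To bound the resources held by not-yet-authenticated connections, new
 * requests are refused with 403 while more than MAX_PENDING_AUTH items are
 * queued. Whenever the work item cannot be created the client is answered
 * here and is no longer the caller's concern.
 */
void add_client (const char *mount, client_t *client)
{
    /* load-shedding threshold; auth_pending_count is read without
     * auth_lock, so this is a hint rather than a hard limit */
    enum { MAX_PENDING_AUTH = 30 };
    ice_config_t *config = config_get_config ();
    mount_proxy *mountinfo = config_find_mount (config, mount);

    if (mountinfo && mountinfo->no_mount)
    {
        config_release_config ();
        client_send_403 (client, "mountpoint unavailable");
        return;
    }

    if (mountinfo && mountinfo->auth)
    {
        auth_client *auth_user;

        if (auth_pending_count > MAX_PENDING_AUTH)
        {
            config_release_config ();
            WARN0 ("too many clients awaiting authentication");
            client_send_403 (client, "busy, please try again later");
            return;
        }
        auth_client_setup (mountinfo, client);
        config_release_config ();

        if (client->auth == NULL)
        {
            client_send_401 (client);
            return;
        }

        auth_user = calloc (1, sizeof (auth_client));
        if (auth_user == NULL)
        {
            client_send_401 (client);
            return;
        }
        auth_user->mount = strdup (mount);
        if (auth_user->mount == NULL)
        {
            /* auth_postprocess_client() looks the mount up by this name,
             * so an item without it cannot be processed; refuse the client
             * the same way as on calloc failure */
            free (auth_user);
            client_send_401 (client);
            return;
        }
        auth_user->process = auth_new_listener;
        auth_user->client = client;

        INFO0 ("adding client for authentication");
        queue_auth_client (auth_user);
    }
    else
    {
        int ret = add_authenticated_client (mount, mountinfo, client);

        config_release_config ();
        if (ret < 0)
            client_send_403 (client, "max listeners reached");
    }
}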


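/* Called when a listener goes away. If the client was admitted through an
 * authenticator, a work item is queued so the auth thread can run the
 * backend's release_client hook and drop the authenticator reference.
 * Returns 1 when the client has been handed to the auth thread (it is then
 * owned by the work item and destroyed by auth_client_free()), 0 when the
 * caller should release the client itself.
 */
int release_client (client_t *client)
{
    auth_client *auth_user;
    const char *uri;

    if (client->auth == NULL)
        return 0;

    auth_user = calloc (1, sizeof (auth_client));
    if (auth_user == NULL)
        return 0;

    /* the request URI doubles as the mount name; httpp_getvar() can return
     * NULL and strdup(NULL) is undefined, so leave mount unset in that case */
    uri = httpp_getvar (client->parser, HTTPP_VAR_URI);
    auth_user->mount = uri ? strdup (uri) : NULL;
    auth_user->process = auth_remove_listener;
    auth_user->client = client;

    queue_auth_client (auth_user);
    return 1;
}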


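/* Bind the backend named by auth->type ("url" when built with HAVE_AUTH_URL,
 * or "htpasswd") onto the auth_t and apply the generic options. A missing or
 * unrecognised type is logged and the auth_t is left as calloc'd: no hooks
 * and refcount 0.
 *
 * auth->type is whatever xmlGetProp() returned for the element's type
 * attribute and is NULL when the attribute is absent; that NULL used to
 * reach strcmp().
 */
static void get_authenticator (auth_t *auth, config_options_t *options)
{
    int recognised = 0;

    if (auth->type == NULL)
    {
        ERROR0 ("authenticator has no type");
        return;
    }
    DEBUG1 ("type is %s", auth->type);

#ifdef HAVE_AUTH_URL
    if (strcmp (auth->type, "url") == 0)
    {
        auth_get_url_auth (auth, options);
        recognised = 1;
    }
#endif
    if (!recognised && strcmp (auth->type, "htpasswd") == 0)
    {
        auth_get_htpasswd_auth (auth, options);
        recognised = 1;
    }
    if (!recognised)
    {
        ERROR1("Unrecognised authenticator type: \"%s\"", auth->type);
        return;
    }

    auth->refcount = 1;
    for (; options; options = options->next)
    {
        if (strcmp (options->name, "allow_duplicate_users") == 0)
            auth->allow_duplicate_users = atoi (options->value);
    }
}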


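/* Build an auth_t from an <authentication type="..."> config element. Each
 * child <option name="..." value="..."/> is collected into a temporary
 * config_options_t list (children missing either attribute are skipped), the
 * backend named by the type attribute is bound via get_authenticator(), and
 * the option list is freed again.
 *
 * Returns the new auth_t with its lock created, or NULL if it could not be
 * allocated. The refcount is 1 only when the type was recognised; an unknown
 * type still yields an auth_t, but one without hooks (see get_authenticator).
 */
auth_t *auth_get_authenticator (xmlNodePtr node)
{
    auth_t *auth = calloc (1, sizeof (auth_t));
    config_options_t *options = NULL, **next_option = &options;
    xmlNodePtr child;

    if (auth == NULL)
        return NULL;

    for (child = node->xmlChildrenNode; child; child = child->next)
    {
        config_options_t *opt;

        if (strcmp (child->name, "option") != 0)
        {
            /* "text" children are the inter-element text libxml reports,
             * not settings, so only other element names are worth a warning */
            if (strcmp (child->name, "text") != 0)
                WARN1 ("unknown auth setting (%s)", child->name);
            continue;
        }

        opt = calloc (1, sizeof (config_options_t));
        if (opt == NULL)
        {
            /* the unchecked calloc used to be dereferenced; stop collecting
             * and carry on with the options gathered so far */
            ERROR0 ("unable to allocate auth option");
            break;
        }
        opt->name = xmlGetProp (child, "name");
        if (opt->name == NULL)
        {
            free (opt);
            continue;
        }
        opt->value = xmlGetProp (child, "value");
        if (opt->value == NULL)
        {
            xmlFree (opt->name);
            free (opt);
            continue;
        }
        *next_option = opt;
        next_option = &opt->next;
    }

    auth->type = xmlGetProp (node, "type");
    get_authenticator (auth, options);
    thread_mutex_create (&auth->lock);

    while (options)
    {
        config_options_t *opt = options;

        options = opt->next;
        xmlFree (opt->name);
        xmlFree (opt->value);
        free (opt);
    }
    return auth;
}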


/* Notify the mount's authenticator that its stream has started, by queuing
 * the backend's stream_start hook as a work item on the auth thread. Nothing
 * is queued when the mount has no authenticator or the backend has no hook.
 * The item carries only the mount name; no client is attached.
 */
void auth_stream_start (mount_proxy *mountinfo, const char *mount)
{
    auth_client *auth_user;

    if (mountinfo == NULL || mountinfo->auth == NULL || !mountinfo->auth->stream_start)
        return;

    auth_user = calloc (1, sizeof (auth_client));
    if (auth_user == NULL)
        return;

    auth_user->mount = strdup (mount);
    auth_user->process = mountinfo->auth->stream_start;
    queue_auth_client (auth_user);
}


/* Notify the mount's authenticator that its stream has ended, by queuing
 * the backend's stream_end hook as a work item on the auth thread. Nothing
 * is queued when the mount has no authenticator or the backend has no hook.
 * The item carries only the mount name; no client is attached.
 */
void auth_stream_end (mount_proxy *mountinfo, const char *mount)
{
    auth_client *auth_user;

    if (mountinfo == NULL || mountinfo->auth == NULL || !mountinfo->auth->stream_end)
        return;

    auth_user = calloc (1, sizeof (auth_client));
    if (auth_user == NULL)
        return;

    auth_user->mount = strdup (mount);
    auth_user->process = mountinfo->auth->stream_end;
    queue_auth_client (auth_user);
}


/* these are called at server start and termination */
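/* Server start: reset the work queue, create its lock and start the auth
 * thread. Call before anything that may queue work (add_client(),
 * release_client(), auth_stream_start/end), since the queue lock is created
 * here. A thread creation failure is logged; auth_shutdown() then has
 * nothing to join.
 */
void auth_initialise (void)
{
    clients_to_auth = NULL;
    auth_pending_count = 0;
    auth_running = 1;
    thread_mutex_create (&auth_lock);
    auth_thread = thread_create ("auth thread", auth_run_thread, NULL, THREAD_ATTACHED);
    if (auth_thread == NULL)
        ERROR0 ("failed to create auth thread");
}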

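/* Server termination: ask the auth thread to stop and wait for it. The
 * thread drains any queued items before it exits. Clearing auth_thread
 * after the join makes a second call, or a call without a prior successful
 * auth_initialise(), a no-op instead of a second thread_join().
 * NOTE(review): auth_lock is not destroyed here; whether anything can still
 * queue work after shutdown is not established by this file.
 */
void auth_shutdown (void)
{
    if (auth_thread == NULL)
        return;

    auth_running = 0;
    thread_join (auth_thread);
    auth_thread = NULL;
    INFO0 ("Auth thread has terminated");
}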