auth_url.c 17.3 KB
Newer Older
Karl Heyes's avatar
Karl Heyes committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
/* Icecast
 *
 * This program is distributed under the GNU General Public License, version 2.
 * A copy of this license is included with this source.
 *
 * Copyright 2000-2004, Jack Moffitt <jack@xiph.org>, 
 *                      Michael Smith <msmith@xiph.org>,
 *                      oddsock <oddsock@xiph.org>,
 *                      Karl Heyes <karl@xiph.org>
 *                      and others (see AUTHORS for details).
 */

/* 
 * Client authentication via URL functions
 *
 * authenticate user via a URL, this is done via libcurl so https can also
 * be handled. The request will have POST information about the request in
 * the form of
 *
20
 * action=listener_add&client=1&server=host&port=8000&mount=/live&user=fred&pass=mypass&ip=127.0.0.1&agent=""
Karl Heyes's avatar
Karl Heyes committed
21 22 23 24 25 26
 *
 * For a user to be accecpted the following HTTP header needs
 * to be returned (the actual string can be specified in the xml file)
 *
 * icecast-auth-user: 1
 *
27 28 29 30 31 32
 * A listening client may also be configured as only to stay connected for a
 * certain length of time. eg The auth server may only allow a 15 minute
 * playback by sending back.
 *
 * icecast-auth-timelimit: 900
 *
Karl Heyes's avatar
Karl Heyes committed
33 34 35
 * On client disconnection another request can be sent to a URL with the POST
 * information of
 *
36
 * action=listener_remove&server=host&port=8000&client=1&mount=/live&user=fred&pass=mypass&duration=3600
Karl Heyes's avatar
Karl Heyes committed
37 38 39 40 41 42 43 44 45 46
 *
 * client refers to the icecast client identification number. mount refers
 * to the mountpoint (beginning with / and may contain query parameters eg ?&
 * encoded) and duration is the amount of time in seconds. user and pass
 * setting can be blank
 *
 * On stream start and end, another url can be issued to help clear any user
 * info stored at the auth server. Useful for abnormal outage/termination
 * cases.
 *
47 48
 * action=mount_add&mount=/live&server=myserver.com&port=8000
 * action=mount_remove&mount=/live&server=myserver.com&port=8000
Karl Heyes's avatar
Karl Heyes committed
49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86
 */

#ifdef HAVE_CONFIG_H
#include <config.h>
#endif

#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>
#ifndef _WIN32
#include <sys/wait.h>
#include <strings.h>
#else
#define snprintf _snprintf
#define strncasecmp strnicmp
#endif

#include <curl/curl.h>

#include "auth.h"
#include "source.h"
#include "client.h"
#include "cfgfile.h"
#include "httpp/httpp.h"

#include "logging.h"
#define CATMODULE "auth_url"

typedef struct {
    char *addurl;
    char *removeurl;
    char *stream_start;
    char *stream_end;
    char *username;
    char *password;
    char *auth_header;
    int  auth_header_len;
87 88
    char *timelimit_header;
    int  timelimit_header_len;
89
    char *userpwd;
Karl Heyes's avatar
Karl Heyes committed
90 91 92 93 94 95
    CURL *handle;
    char errormsg [CURL_ERROR_SIZE];
} auth_url;


static void auth_url_clear(auth_t *self)
96 97
{
    auth_url *url;
Ed "oddsock" Zaleski's avatar
Ed "oddsock" Zaleski committed
98

99
    INFO0 ("Doing auth URL cleanup");
Ed "oddsock" Zaleski's avatar
Ed "oddsock" Zaleski committed
100
    url = self->state;
101
    self->state = NULL;
Karl Heyes's avatar
Karl Heyes committed
102 103 104 105 106 107 108 109
    curl_easy_cleanup (url->handle);
    free (url->username);
    free (url->password);
    free (url->removeurl);
    free (url->addurl);
    free (url->stream_start);
    free (url->stream_end);
    free (url->auth_header);
110
    free (url->timelimit_header);
111
    free (url->userpwd);
Karl Heyes's avatar
Karl Heyes committed
112 113 114 115
    free (url);
}


116
#ifdef CURLOPT_PASSWDFUNCTION
117 118 119 120 121 122
/* make sure that prompting at the console does not occur */
static int my_getpass(void *client, char *prompt, char *buffer, int buflen)
{
    buffer[0] = '\0';
    return 0;
}
123
#endif
124 125


Karl Heyes's avatar
Karl Heyes committed
126 127 128 129 130 131 132 133 134 135 136 137
static int handle_returned_header (void *ptr, size_t size, size_t nmemb, void *stream)
{
    auth_client *auth_user = stream;
    unsigned bytes = size * nmemb;
    client_t *client = auth_user->client;

    if (client)
    {
        auth_t *auth = client->auth;
        auth_url *url = auth->state;
        if (strncasecmp (ptr, url->auth_header, url->auth_header_len) == 0)
            client->authenticated = 1;
138 139 140 141 142 143
        if (strncasecmp (ptr, url->timelimit_header, url->timelimit_header_len) == 0)
        {
            unsigned int limit = 0;
            sscanf ((char *)ptr+url->timelimit_header_len, "%u\r\n", &limit);
            client->con->discon_time = time(NULL) + limit;
        }
Karl Heyes's avatar
Karl Heyes committed
144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165
        if (strncasecmp (ptr, "icecast-auth-message: ", 22) == 0)
        {
            char *eol;
            snprintf (url->errormsg, sizeof (url->errormsg), "%s", (char*)ptr+22);
            eol = strchr (url->errormsg, '\r');
            if (eol == NULL)
                eol = strchr (url->errormsg, '\n');
            if (eol)
                *eol = '\0';
        }
    }

    return (int)bytes;
}

/* capture returned data, but don't do anything with it */
static int handle_returned_data (void *ptr, size_t size, size_t nmemb, void *stream)
{
    return (int)(size*nmemb);
}


166
static auth_result url_remove_listener (auth_client *auth_user)
Karl Heyes's avatar
Karl Heyes committed
167 168 169 170 171 172
{
    client_t *client = auth_user->client;
    auth_t *auth = client->auth;
    auth_url *url = auth->state;
    time_t duration = time(NULL) - client->con->con_time;
    char *username, *password, *mount, *server;
173
    const char *mountreq;
Karl Heyes's avatar
Karl Heyes committed
174 175
    ice_config_t *config;
    int port;
176
    char *userpwd = NULL, post [4096];
Karl Heyes's avatar
Karl Heyes committed
177

178 179
    if (url->removeurl == NULL)
        return AUTH_OK;
Karl Heyes's avatar
Karl Heyes committed
180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195
    config = config_get_config ();
    server = util_url_escape (config->hostname);
    port = config->port;
    config_release_config ();

    if (client->username)
        username = util_url_escape (client->username);
    else
        username = strdup ("");

    if (client->password)
        password = util_url_escape (client->password);
    else
        password = strdup ("");

    /* get the full uri (with query params if available) */
196 197 198 199
    mountreq = httpp_getvar (client->parser, HTTPP_VAR_RAWURI);
    if (mountreq == NULL)
        mountreq = httpp_getvar (client->parser, HTTPP_VAR_URI);
    mount = util_url_escape (mountreq);
Karl Heyes's avatar
Karl Heyes committed
200 201

    snprintf (post, sizeof (post),
202
            "action=listener_remove&server=%s&port=%d&client=%lu&mount=%s"
Karl Heyes's avatar
Karl Heyes committed
203 204 205 206 207 208 209 210
            "&user=%s&pass=%s&duration=%lu",
            server, port, client->con->id, mount, username,
            password, (long unsigned)duration);
    free (server);
    free (mount);
    free (username);
    free (password);

211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233
    if (strchr (url->removeurl, '@') == NULL)
    {
        if (url->userpwd)
            curl_easy_setopt (url->handle, CURLOPT_USERPWD, url->userpwd);
        else
        {
            /* auth'd requests may not have a user/pass, but may use query args */
            if (client->username && client->password)
            {
                int len = strlen (client->username) + strlen (client->password) + 2;
                userpwd = malloc (len);
                snprintf (userpwd, len, "%s:%s", client->username, client->password);
                curl_easy_setopt (url->handle, CURLOPT_USERPWD, userpwd);
            }
            else
                curl_easy_setopt (url->handle, CURLOPT_USERPWD, "");
        }
    }
    else
    {
        /* url has user/pass but libcurl may need to clear any existing settings */
        curl_easy_setopt (url->handle, CURLOPT_USERPWD, "");
    }
Karl Heyes's avatar
Karl Heyes committed
234 235 236 237 238 239 240
    curl_easy_setopt (url->handle, CURLOPT_URL, url->removeurl);
    curl_easy_setopt (url->handle, CURLOPT_POSTFIELDS, post);
    curl_easy_setopt (url->handle, CURLOPT_WRITEHEADER, auth_user);

    if (curl_easy_perform (url->handle))
        WARN2 ("auth to server %s failed with %s", url->removeurl, url->errormsg);

241 242
    free (userpwd);

Karl Heyes's avatar
Karl Heyes committed
243 244 245 246
    return AUTH_OK;
}


247
static auth_result url_add_listener (auth_client *auth_user)
Karl Heyes's avatar
Karl Heyes committed
248 249 250 251 252
{
    client_t *client = auth_user->client;
    auth_t *auth = client->auth;
    auth_url *url = auth->state;
    int res = 0, port;
253 254 255
    const char *agent;
    char *user_agent, *username, *password;
    const char *mountreq;
Karl Heyes's avatar
Karl Heyes committed
256 257
    char *mount, *ipaddr, *server;
    ice_config_t *config;
258
    char *userpwd = NULL, post [4096];
Karl Heyes's avatar
Karl Heyes committed
259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280

    if (url->addurl == NULL)
        return AUTH_OK;

    config = config_get_config ();
    server = util_url_escape (config->hostname);
    port = config->port;
    config_release_config ();
    agent = httpp_getvar (client->parser, "user-agent");
    if (agent == NULL)
        agent = "-";
    user_agent = util_url_escape (agent);
    if (client->username)
        username  = util_url_escape (client->username);
    else
        username = strdup ("");
    if (client->password)
        password  = util_url_escape (client->password);
    else
        password = strdup ("");

    /* get the full uri (with query params if available) */
281 282 283 284
    mountreq = httpp_getvar (client->parser, HTTPP_VAR_RAWURI);
    if (mountreq == NULL)
        mountreq = httpp_getvar (client->parser, HTTPP_VAR_URI);
    mount = util_url_escape (mountreq);
Karl Heyes's avatar
Karl Heyes committed
285 286 287
    ipaddr = util_url_escape (client->con->ip);

    snprintf (post, sizeof (post),
288
            "action=listener_add&server=%s&port=%d&client=%lu&mount=%s"
Karl Heyes's avatar
Karl Heyes committed
289 290 291 292 293 294 295 296 297 298
            "&user=%s&pass=%s&ip=%s&agent=%s",
            server, port, client->con->id, mount, username,
            password, ipaddr, user_agent);
    free (server);
    free (mount);
    free (user_agent);
    free (username);
    free (password);
    free (ipaddr);

299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321
    if (strchr (url->addurl, '@') == NULL)
    {
        if (url->userpwd)
            curl_easy_setopt (url->handle, CURLOPT_USERPWD, url->userpwd);
        else
        {
            /* auth'd requests may not have a user/pass, but may use query args */
            if (client->username && client->password)
            {
                int len = strlen (client->username) + strlen (client->password) + 2;
                userpwd = malloc (len);
                snprintf (userpwd, len, "%s:%s", client->username, client->password);
                curl_easy_setopt (url->handle, CURLOPT_USERPWD, userpwd);
            }
            else
                curl_easy_setopt (url->handle, CURLOPT_USERPWD, "");
        }
    }
    else
    {
        /* url has user/pass but libcurl may need to clear any existing settings */
        curl_easy_setopt (url->handle, CURLOPT_USERPWD, "");
    }
Karl Heyes's avatar
Karl Heyes committed
322 323 324 325 326 327 328
    curl_easy_setopt (url->handle, CURLOPT_URL, url->addurl);
    curl_easy_setopt (url->handle, CURLOPT_POSTFIELDS, post);
    curl_easy_setopt (url->handle, CURLOPT_WRITEHEADER, auth_user);
    url->errormsg[0] = '\0';

    res = curl_easy_perform (url->handle);

329 330
    free (userpwd);

Karl Heyes's avatar
Karl Heyes committed
331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372
    if (res)
    {
        WARN2 ("auth to server %s failed with %s", url->addurl, url->errormsg);
        return AUTH_FAILED;
    }
    /* we received a response, lets see what it is */
    if (client->authenticated)
        return AUTH_OK;
    INFO2 ("client auth (%s) failed with \"%s\"", url->addurl, url->errormsg);
    return AUTH_FAILED;
}


/* called by auth thread when a source starts, there is no client_t in
 * this case
 */
static void url_stream_start (auth_client *auth_user)
{
    char *mount, *server;
    ice_config_t *config = config_get_config ();
    mount_proxy *mountinfo = config_find_mount (config, auth_user->mount);
    auth_t *auth = mountinfo->auth;
    auth_url *url = auth->state;
    char *stream_start_url;
    int port;
    char post [4096];

    if (url->stream_start == NULL)
    {
        config_release_config ();
        return;
    }
    server = util_url_escape (config->hostname);
    port = config->port;
    stream_start_url = strdup (url->stream_start);
    /* we don't want this auth disappearing from under us while
     * the connection is in progress */
    mountinfo->auth->refcount++;
    config_release_config ();
    mount = util_url_escape (auth_user->mount);

    snprintf (post, sizeof (post),
373
            "action=mount_add&mount=%s&server=%s&port=%d", mount, server, port);
Karl Heyes's avatar
Karl Heyes committed
374 375 376
    free (server);
    free (mount);

377 378 379 380 381 382 383 384 385
    if (strchr (url->stream_start, '@') == NULL)
    {
        if (url->userpwd)
            curl_easy_setopt (url->handle, CURLOPT_USERPWD, url->userpwd);
        else
            curl_easy_setopt (url->handle, CURLOPT_USERPWD, "");
    }
    else
        curl_easy_setopt (url->handle, CURLOPT_USERPWD, "");
Karl Heyes's avatar
Karl Heyes committed
386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424
    curl_easy_setopt (url->handle, CURLOPT_URL, stream_start_url);
    curl_easy_setopt (url->handle, CURLOPT_POSTFIELDS, post);
    curl_easy_setopt (url->handle, CURLOPT_WRITEHEADER, auth_user);

    if (curl_easy_perform (url->handle))
        WARN2 ("auth to server %s failed with %s", stream_start_url, url->errormsg);

    auth_release (auth);
    free (stream_start_url);
    return;
}


static void url_stream_end (auth_client *auth_user)
{
    char *mount, *server;
    ice_config_t *config = config_get_config ();
    mount_proxy *mountinfo = config_find_mount (config, auth_user->mount);
    auth_t *auth = mountinfo->auth;
    auth_url *url = auth->state;
    char *stream_end_url;
    int port;
    char post [4096];

    if (url->stream_end == NULL)
    {
        config_release_config ();
        return;
    }
    server = util_url_escape (config->hostname);
    port = config->port;
    stream_end_url = strdup (url->stream_end);
    /* we don't want this auth disappearing from under us while
     * the connection is in progress */
    mountinfo->auth->refcount++;
    config_release_config ();
    mount = util_url_escape (auth_user->mount);

    snprintf (post, sizeof (post),
425
            "action=mount_remove&mount=%s&server=%s&port=%d", mount, server, port);
Karl Heyes's avatar
Karl Heyes committed
426 427 428
    free (server);
    free (mount);

429 430 431 432 433 434 435 436 437 438
    if (strchr (url->stream_end, '@') == NULL)
    {
        if (url->userpwd)
            curl_easy_setopt (url->handle, CURLOPT_USERPWD, url->userpwd);
        else
            curl_easy_setopt (url->handle, CURLOPT_USERPWD, "");
    }
    else
        curl_easy_setopt (url->handle, CURLOPT_USERPWD, "");
    curl_easy_setopt (url->handle, CURLOPT_URL, url->stream_end);
Karl Heyes's avatar
Karl Heyes committed
439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475
    curl_easy_setopt (url->handle, CURLOPT_POSTFIELDS, post);
    curl_easy_setopt (url->handle, CURLOPT_WRITEHEADER, auth_user);

    if (curl_easy_perform (url->handle))
        WARN2 ("auth to server %s failed with %s", stream_end_url, url->errormsg);

    auth_release (auth);
    free (stream_end_url);
    return;
}


static auth_result auth_url_adduser(auth_t *auth, const char *username, const char *password)
{
    return AUTH_FAILED;
}

static auth_result auth_url_deleteuser (auth_t *auth, const char *username)
{
    return AUTH_FAILED;
}

static auth_result auth_url_listuser (auth_t *auth, xmlNodePtr srcnode)
{
    return AUTH_FAILED;
}

int auth_get_url_auth (auth_t *authenticator, config_options_t *options)
{
    auth_url *url_info;

    authenticator->free = auth_url_clear;
    authenticator->adduser = auth_url_adduser;
    authenticator->deleteuser = auth_url_deleteuser;
    authenticator->listuser = auth_url_listuser;

    url_info = calloc(1, sizeof(auth_url));
476
    authenticator->state = url_info;
477 478

    /* default headers */
Karl Heyes's avatar
Karl Heyes committed
479
    url_info->auth_header = strdup ("icecast-auth-user: 1\r\n");
480
    url_info->timelimit_header = strdup ("icecast-auth-timelimit:");
Karl Heyes's avatar
Karl Heyes committed
481 482 483

    while(options) {
        if(!strcmp(options->name, "username"))
484 485
        {
            free (url_info->username);
Karl Heyes's avatar
Karl Heyes committed
486
            url_info->username = strdup (options->value);
487
        }
Karl Heyes's avatar
Karl Heyes committed
488
        if(!strcmp(options->name, "password"))
489 490
        {
            free (url_info->password);
Karl Heyes's avatar
Karl Heyes committed
491
            url_info->password = strdup (options->value);
492
        }
493
        if(!strcmp(options->name, "listener_add"))
494 495 496
        {
            authenticator->authenticate = url_add_listener;
            free (url_info->addurl);
Karl Heyes's avatar
Karl Heyes committed
497
            url_info->addurl = strdup (options->value);
498
        }
499
        if(!strcmp(options->name, "listener_remove"))
500 501 502
        {
            authenticator->release_listener = url_remove_listener;
            free (url_info->removeurl);
Karl Heyes's avatar
Karl Heyes committed
503
            url_info->removeurl = strdup (options->value);
504
        }
505
        if(!strcmp(options->name, "mount_add"))
506 507 508
        {
            authenticator->stream_start = url_stream_start;
            free (url_info->stream_start);
Karl Heyes's avatar
Karl Heyes committed
509
            url_info->stream_start = strdup (options->value);
510
        }
511
        if(!strcmp(options->name, "mount_remove"))
512 513 514
        {
            authenticator->stream_end = url_stream_end;
            free (url_info->stream_end);
Karl Heyes's avatar
Karl Heyes committed
515
            url_info->stream_end = strdup (options->value);
516
        }
Karl Heyes's avatar
Karl Heyes committed
517 518 519 520 521
        if(!strcmp(options->name, "auth_header"))
        {
            free (url_info->auth_header);
            url_info->auth_header = strdup (options->value);
        }
522
        if (strcmp(options->name, "timelimit_header") == 0)
523 524 525 526
        {
            free (url_info->timelimit_header);
            url_info->timelimit_header = strdup (options->value);
        }
Karl Heyes's avatar
Karl Heyes committed
527 528 529 530 531
        options = options->next;
    }
    url_info->handle = curl_easy_init ();
    if (url_info->handle == NULL)
    {
532
        auth_url_clear (authenticator);
Karl Heyes's avatar
Karl Heyes committed
533 534 535 536
        return -1;
    }
    if (url_info->auth_header)
        url_info->auth_header_len = strlen (url_info->auth_header);
537 538
    if (url_info->timelimit_header)
        url_info->timelimit_header_len = strlen (url_info->timelimit_header);
Karl Heyes's avatar
Karl Heyes committed
539 540 541 542 543 544 545

    curl_easy_setopt (url_info->handle, CURLOPT_USERAGENT, ICECAST_VERSION_STRING);
    curl_easy_setopt (url_info->handle, CURLOPT_HEADERFUNCTION, handle_returned_header);
    curl_easy_setopt (url_info->handle, CURLOPT_WRITEFUNCTION, handle_returned_data);
    curl_easy_setopt (url_info->handle, CURLOPT_WRITEDATA, url_info->handle);
    curl_easy_setopt (url_info->handle, CURLOPT_NOSIGNAL, 1L);
    curl_easy_setopt (url_info->handle, CURLOPT_TIMEOUT, 15L);
546
#ifdef CURLOPT_PASSWDFUNCTION
547
    curl_easy_setopt (url_info->handle, CURLOPT_PASSWDFUNCTION, my_getpass);
548
#endif
Karl Heyes's avatar
Karl Heyes committed
549 550
    curl_easy_setopt (url_info->handle, CURLOPT_ERRORBUFFER, &url_info->errormsg[0]);

551 552 553 554 555 556 557
    if (url_info->username && url_info->password)
    {
        int len = strlen (url_info->username) + strlen (url_info->password) + 2;
        url_info->userpwd = malloc (len);
        snprintf (url_info->userpwd, len, "%s:%s", url_info->username, url_info->password);
    }

Karl Heyes's avatar
Karl Heyes committed
558 559 560 561
    INFO0("URL based authentication setup");
    return 0;
}