/* Icecast
 *
 * This program is distributed under the GNU General Public License, version 2.
 * A copy of this license is included with this source.
 *
 * Copyright 2000-2004, Jack Moffitt <jack@xiph.org, 
 *                      Michael Smith <msmith@xiph.org>,
 *                      oddsock <oddsock@xiph.org>,
 *                      Karl Heyes <karl@xiph.org>
 *                      and others (see AUTHORS for details).
 */

/** 
 * Client authentication functions
 */

#ifdef HAVE_CONFIG_H
#include <config.h>
#endif

#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <stdio.h>

#include "auth.h"
#include "auth_htpasswd.h"
#include "auth_url.h"
#include "source.h"
#include "client.h"
#include "cfgfile.h"
#include "stats.h"
#include "httpp/httpp.h"
#include "fserve.h"

#include "logging.h"
#define CATMODULE "auth"


/* Head of the singly linked work queue for the auth thread; items are
 * chained through auth_client->next.  Pushed by queue_auth_client and
 * popped by auth_run_thread, both under auth_lock (the thread does peek at
 * the head pointer without the lock before taking it). */
static volatile auth_client *clients_to_auth;
/* Number of items currently on clients_to_auth, maintained under auth_lock.
 * add_client turns new listeners away once this exceeds 30. */
static volatile unsigned int auth_pending_count;
/* Set by auth_initialise, cleared by auth_shutdown; auth_run_thread exits
 * when it finds this 0 and its queue empty. */
static volatile int auth_running;
/* Serialises access to clients_to_auth / auth_pending_count. */
static mutex_t auth_lock;
/* Handle of the thread running auth_run_thread, joined in auth_shutdown. */
static thread_type *auth_thread;


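/* Pull any HTTP Basic credentials off the request and attach the mount's
 * authenticator to the client.
 *
 * On a well formed "Basic <base64(user:pass)>" header client->username and
 * client->password are set to heap copies of the two halves; on anything
 * else (no header, undecodable value, no ':' separator, another scheme)
 * they are left untouched.  In every case the client takes a reference on
 * mountinfo->auth, which the caller guarantees is non-NULL.
 *
 * The Authorization value is credential material, so it is never written
 * to the log - not the raw base64 on a failed decode and not the value of
 * an unsupported scheme, which may itself carry a token.
 */
static void auth_client_setup (mount_proxy *mountinfo, client_t *client)
{
    /* This will look something like "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" */
    char *header = httpp_getvar(client->parser, "authorization");

    if (header)
    {
        if (strncmp(header, "Basic ", 6) == 0)
        {
            char *userpass = util_base64_decode (header+6);

            if (userpass == NULL)
                WARN0 ("Base64 decode of Authorization header failed");
            else
            {
                char *sep = strchr(userpass, ':');

                if (sep)
                {
                    *sep = 0;
                    client->username = strdup (userpass);
                    client->password = strdup (sep+1);
                }
                /* the decoded buffer holds the cleartext password; release
                 * it as soon as the copies have been taken */
                free (userpass);
            }
        }
        else
        {
            /* other schemes are not supported here; only the fact is
             * logged, never the value */
            INFO0 ("unhandled authorization header scheme");
        }
    }

    thread_mutex_lock (&mountinfo->auth->lock);
    client->auth = mountinfo->auth;
    client->auth->refcount++;
    thread_mutex_unlock (&mountinfo->auth->lock);
}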

/* Push a work item onto the head of the auth thread's queue.  The queue is
 * LIFO - the most recently queued item is the next one the thread pops.
 * auth_lock serialises this against the pop in auth_run_thread and keeps
 * auth_pending_count in step with the list.
 */
static void queue_auth_client (auth_client *auth_user)
{
    thread_mutex_lock (&auth_lock);
    {
        auth_client *old_head = (auth_client *)clients_to_auth;

        auth_user->next = old_head;
        clients_to_auth = auth_user;
        ++auth_pending_count;
    }
    thread_mutex_unlock (&auth_lock);
}


/* Drop one reference on an authenticator.
 *
 * The object is shared by the mount configuration and by every client
 * attached to that mount, so it is reference counted and only torn down
 * when the final reference goes: the backend's free hook runs first (still
 * under the lock), then the xml type string, the lock and the struct itself
 * are released.  A NULL argument is a no-op.
 */
void auth_release (auth_t *authenticator)
{
    int still_referenced;

    if (authenticator == NULL)
        return;

    thread_mutex_lock (&authenticator->lock);
    still_referenced = (--authenticator->refcount != 0);
    if (still_referenced)
    {
        thread_mutex_unlock (&authenticator->lock);
        return;
    }

    /* we held the last reference: tear the authenticator down */
    if (authenticator->free)
        authenticator->free (authenticator);
    xmlFree (authenticator->type);
    thread_mutex_unlock (&authenticator->lock);
    thread_mutex_destroy (&authenticator->lock);
    free (authenticator);
}


/* Destroy a finished work item.
 *
 * A client still attached to the item was never handed on to a source or
 * to fserve: if a response code has already been recorded for it the client
 * is destroyed outright, otherwise it is answered with a 401.  The mount
 * string and the item itself are then freed.  NULL is accepted.
 */
void auth_client_free (auth_client *auth_user)
{
    client_t *client;

    if (auth_user == NULL)
        return;

    client = auth_user->client;
    auth_user->client = NULL;
    if (client)
    {
        if (client->respcode == 0)
            client_send_401 (client);
        else
            client_destroy (client);
    }

    free (auth_user->mount);
    free (auth_user);
}


/* Auth thread handler for a newly connected listener.
 *
 * Runs the backend's authenticate hook when it has one and, unless that
 * hook rejects the client, hands the client over to its mount through
 * auth_postprocess_client.  On rejection the client's reference on the
 * authenticator is dropped and the client is left on the work item, so
 * auth_client_free sends it the 401.
 *
 * NOTE(review): a backend with no authenticate hook admits every listener
 * here; nothing in this file guarantees the hook is always set.
 */
static void auth_new_listener (auth_client *auth_user)
{
    client_t *client = auth_user->client;
    int rejected = 0;

    if (client->auth->authenticate)
        rejected = (client->auth->authenticate (auth_user) != AUTH_OK);

    if (rejected)
    {
        auth_release (client->auth);
        client->auth = NULL;
        return;
    }

    if (auth_postprocess_client (auth_user) < 0)
        INFO1 ("client %lu failed", client->con->id);
}


/* Auth thread handler for a listener that has gone away.
 *
 * Gives the backend its release_client hook (when it has one) and then
 * drops the client's reference on the authenticator.  The client itself is
 * not destroyed here; auth_client_free deals with it afterwards.
 */
static void auth_remove_listener (auth_client *auth_user)
{
    client_t *client = auth_user->client;
    auth_t *auth = client->auth;

    if (auth->release_client)
        auth->release_client (auth_user);

    auth_release (client->auth);
    client->auth = NULL;
}


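/* The auth thread main loop.
 *
 * Pops work items off clients_to_auth one at a time, runs each item's
 * process hook and then frees the item (which rejects or destroys any client
 * still attached to it).  The head pointer is peeked without auth_lock:
 * only this thread pops and producers only push, so a non-NULL head stays
 * non-NULL until the locked dequeue below.  With an empty queue the loop
 * polls every 150ms and exits once auth_shutdown has cleared auth_running;
 * anything still queued at that point is drained first.
 *
 * @param arg  unused
 * @return     always NULL
 */
static void *auth_run_thread (void *arg)
{
    INFO0 ("Authentication thread started");
    while (1)
    {
        auth_client *auth_user;

        if (clients_to_auth == NULL)
        {
            /* is there a request to shutdown */
            if (auth_running == 0)
                break;
            thread_sleep (150000);
            continue;
        }

        thread_mutex_lock (&auth_lock);
        auth_user = (auth_client *)clients_to_auth;
        clients_to_auth = auth_user->next;
        auth_pending_count--;
        thread_mutex_unlock (&auth_lock);
        auth_user->next = NULL;

        if (auth_user->process)
            auth_user->process (auth_user);
        else
            ERROR0 ("client auth process not set");

        auth_client_free (auth_user);
    }
    /* spelling fixed: the message previously read "Authenication" */
    INFO0 ("Authentication thread shutting down");
    return NULL;
}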


/* Decide whether a client may join a source given its username.
 *
 * Returns 1 when the client may be added and 0 when another listener with
 * the same username is already on the source's active or pending tree and
 * the authenticator has allow_duplicate_users switched off.  Clients with
 * no username (relays) and clients whose authenticator permits duplicates
 * are always allowed.  Both trees are read-locked while they are scanned.
 */
static int check_duplicate_logins (source_t *source, client_t *client)
{
    auth_t *auth = client->auth;
    const char *name = client->username;
    avl_node *node;
    int clash = 0;

    /* allow multiple authenticated relays */
    if (name == NULL)
        return 1;
    if (auth == NULL || auth->allow_duplicate_users)
        return 1;

    /* listeners already being served */
    avl_tree_rlock (source->client_tree);
    for (node = avl_get_first (source->client_tree); node; node = avl_get_next (node))
    {
        client_t *other = (client_t *)node->key;

        if (other->username && strcmp (other->username, name) == 0)
        {
            clash = 1;
            break;
        }
    }
    avl_tree_unlock (source->client_tree);
    if (clash)
        return 0;

    /* listeners waiting to be picked up by the source */
    avl_tree_rlock (source->pending_tree);
    for (node = avl_get_first (source->pending_tree); node; node = avl_get_next (node))
    {
        client_t *other = (client_t *)node->key;

        if (other->username && strcmp (other->username, name) == 0)
        {
            clash = 1;
            break;
        }
    }
    avl_tree_unlock (source->pending_tree);

    return clash ? 0 : 1;
}


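/* Attach a client to a source, following fallback mounts while the source
 * is full.
 *
 * Returns 0 once the client sits on a source's pending tree - it then
 * belongs to that source and the caller must not touch it - or -1 when no
 * room could be found (or a configured fallback does not exist), in which
 * case the caller still owns the client and must answer it.
 *
 * Fallback hopping is capped at 10 steps so a fallback cycle in the
 * configuration cannot spin forever.  The only caller,
 * add_authenticated_client, holds the read lock on global.source_tree
 * across this call, which covers the source_find_mount lookups.
 */
static int add_client_to_source (source_t *source, client_t *client)
{
    int hops_left = 10;

    for (;;)
    {
        DEBUG3 ("max on %s is %ld (cur %lu)", source->mount,
                source->max_listeners, source->listeners);
        if (source->max_listeners == -1)
            break;
        if (source->listeners < (unsigned long)source->max_listeners)
            break;

        /* full: only a configured fallback with hops to spare can save us */
        if (hops_left == 0 || !source->fallback_when_full || source->fallback_mount == NULL)
            return -1;

        {
            source_t *next = source_find_mount (source->fallback_mount);

            if (next == NULL)
            {
                /* arguments now match the format: the fallback name comes
                 * first, the full source second (they were swapped) */
                ERROR2("Fallback '%s' for full source '%s' not found",
                        source->fallback_mount, source->mount);
                return -1;
            }
            INFO1 ("stream full trying %s", next->mount);
            source = next;
            hops_left--;
        }
    }

    client->write_to_client = format_generic_write_to_client;
    client->check_buffer = format_check_http_buffer;
    client->refbuf->len = PER_CLIENT_REFBUF_SIZE;
    memset (client->refbuf->data, 0, PER_CLIENT_REFBUF_SIZE);

    /* park the client on the source's pending tree */
    avl_tree_wlock (source->pending_tree);
    avl_insert (source->pending_tree, client);
    avl_tree_unlock (source->pending_tree);
    stats_event_inc (NULL, "listener_connections");

    if (source->running == 0 && source->on_demand)
    {
        /* enable on-demand relay to start, wake up the slave thread */
        DEBUG0("kicking off on-demand relay");
        source->on_demand_req = 1;
        slave_rescan ();
    }

    DEBUG1 ("Added client to %s", source->mount);
    return 0;
}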


/* Route a client that has passed (or needs no) authentication to its
 * destination: the live source for the mount, or the file server when no
 * source exists.  May run on either the connection or the auth thread.
 *
 * Returns -1 when the client was refused - a duplicate login, or no room on
 * the source or its fallbacks - and the caller must answer it; 0 when it
 * was accepted.  The fserve path always reports 0.  A per-mount
 * max_listener_duration is applied here unless the authenticator has
 * already set a disconnect time.
 */
static int add_authenticated_client (const char *mount, mount_proxy *mountinfo, client_t *client)
{
    source_t *source;
    int result;

    avl_tree_rlock (global.source_tree);
    source = source_find_mount (mount);

    if (source == NULL)
    {
        avl_tree_unlock (global.source_tree);
        fserve_client_create (client, mount);
        return 0;
    }

    if (client->auth && check_duplicate_logins (source, client) == 0)
    {
        avl_tree_unlock (global.source_tree);
        return -1;
    }

    /* set a per-mount disconnect time if auth hasn't set one already */
    if (mountinfo && mountinfo->max_listener_duration && client->con->discon_time == 0)
        client->con->discon_time = time(NULL) + mountinfo->max_listener_duration;

    result = add_client_to_source (source, client);
    avl_tree_unlock (global.source_tree);
    if (result == 0)
        DEBUG0 ("client authenticated, passed to source");

    return result;
}


/* Final step for a listener whose authentication succeeded.
 *
 * Marks the client authenticated (the flag is set before routing and is
 * not cleared on refusal), looks up the mount's configuration and routes
 * the client via add_authenticated_client.  A refusal (-1) is answered with
 * a 401.  The work item's client pointer is cleared either way, so
 * auth_client_free will not touch the client again.  Returns the routing
 * result.
 */
int auth_postprocess_client (auth_client *auth_user)
{
    client_t *client = auth_user->client;
    ice_config_t *config = config_get_config();
    mount_proxy *mountinfo = config_find_mount (config, auth_user->mount);
    int result;

    client->authenticated = 1;
    result = add_authenticated_client (auth_user->mount, mountinfo, client);
    config_release_config();

    auth_user->client = NULL;
    if (result < 0)
        client_send_401 (client);

    return result;
}


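/* Upper bound on work items waiting for the auth thread.  Beyond this, new
 * listeners on authenticated mounts are refused with a 403 rather than
 * queued, so a connection burst cannot grow the queue without limit. */
#define MAX_PENDING_AUTH 30

/* Entry point for a new listener on `mount`.
 *
 * Consults the mount's configuration: a no_mount entry is answered 403; a
 * mount with an authenticator has the client's Basic credentials extracted
 * and is queued for the auth thread, which sends the reply; any other mount
 * is routed straight away through add_authenticated_client, with a 403 on
 * refusal.  Takes and releases the config lock itself.
 */
void add_client (const char *mount, client_t *client)
{
    mount_proxy *mountinfo;
    ice_config_t *config = config_get_config();

    mountinfo = config_find_mount (config, mount);
    if (mountinfo && mountinfo->no_mount)
    {
        config_release_config ();
        client_send_403 (client, "mountpoint unavailable");
        return;
    }

    if (mountinfo == NULL || mountinfo->auth == NULL)
    {
        /* no authentication configured: pass straight through */
        int ret = add_authenticated_client (mount, mountinfo, client);
        config_release_config ();
        if (ret < 0)
            client_send_403 (client, "max listeners reached");
        return;
    }

    if (auth_pending_count > MAX_PENDING_AUTH)
    {
        config_release_config ();
        WARN0 ("too many clients awaiting authentication");
        client_send_403 (client, "busy, please try again later");
        return;
    }

    auth_client_setup (mountinfo, client);
    config_release_config ();

    if (client->auth == NULL)
    {
        client_send_401 (client);
        return;
    }

    {
        auth_client *auth_user = calloc (1, sizeof (*auth_user));

        if (auth_user)
            auth_user->mount = strdup (mount);
        if (auth_user == NULL || auth_user->mount == NULL)
        {
            /* out of memory: refuse now rather than queue an item whose
             * NULL mount the auth thread would hand to config_find_mount */
            free (auth_user);
            client_send_401 (client);
            return;
        }
        auth_user->process = auth_new_listener;
        auth_user->client = client;

        INFO0 ("adding client for authentication");
        queue_auth_client (auth_user);
    }
}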


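/* Called when a listener goes away.
 *
 * If the client holds an authenticator reference, a removal work item is
 * queued for the auth thread (so external auth backends get their
 * release_client hook) and 1 is returned: the auth thread now owns the
 * client and auth_client_free destroys or answers it after the hook runs.
 * Returns 0 when there is nothing to do - no authenticator, or no memory
 * for the work item - and the caller keeps responsibility for the client.
 *
 * The mount is re-derived from the request URI here rather than carried
 * over from add_client.  NOTE(review): whether the two always agree cannot
 * be confirmed from this file.
 */
int release_client (client_t *client)
{
    auth_client *auth_user;
    const char *uri;

    if (client->auth == NULL)
        return 0;

    auth_user = calloc (1, sizeof (*auth_user));
    if (auth_user == NULL)
        return 0;

    /* strdup(NULL) is undefined behaviour; a request with no parsed URI
     * now yields a NULL mount, which auth_client_free frees safely */
    uri = httpp_getvar (client->parser, HTTPP_VAR_URI);
    if (uri)
        auth_user->mount = strdup (uri);
    auth_user->process = auth_remove_listener;
    auth_user->client = client;

    queue_auth_client (auth_user);
    return 1;
}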


/* Bind the backend selected by auth->type ("url" when built with
 * HAVE_AUTH_URL, or "htpasswd") and apply the generic options.  On success
 * the refcount becomes 1 and allow_duplicate_users is read from the option
 * list (it stays 0 - one login per username - when not given).
 *
 * An unknown type only logs an error and leaves the auth_t with refcount 0
 * and no callbacks.  NOTE(review): auth_new_listener skips the check when
 * the authenticate hook is NULL, so a mount that ends up with such an
 * object would admit every listener - a misspelt type fails open.
 */
static void get_authenticator (auth_t *auth, config_options_t *options)
{
    int bound = 0;

    DEBUG1 ("type is %s", auth->type);

#ifdef HAVE_AUTH_URL
    if (strcmp (auth->type, "url") == 0)
    {
        auth_get_url_auth (auth, options);
        bound = 1;
    }
#endif
    if (!bound && strcmp (auth->type, "htpasswd") == 0)
    {
        auth_get_htpasswd_auth (auth, options);
        bound = 1;
    }
    if (!bound)
    {
        ERROR1("Unrecognised authenticator type: \"%s\"", auth->type);
        return;
    }

    auth->refcount = 1;
    for ( ; options; options = options->next)
    {
        if (strcmp(options->name, "allow_duplicate_users") == 0)
            auth->allow_duplicate_users = atoi (options->value);
    }
}


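/* Build an auth_t from an <authentication type="..."> element.
 *
 * Every <option name="..." value="..."/> child becomes a config_options_t
 * handed to the backend (children missing either attribute are skipped,
 * other non-text elements are warned about).  The option list lives only
 * for the duration of this call.
 *
 * Returns NULL on allocation failure or when the element carries no "type"
 * attribute - previously a missing type reached strcmp(NULL, ...) inside
 * get_authenticator.  NOTE(review): the caller's handling of NULL is not
 * visible here; it must treat it as a configuration error, not as "no
 * authentication required".  An unrecognised type is still returned as an
 * auth_t with no callbacks (see get_authenticator).
 */
auth_t *auth_get_authenticator (xmlNodePtr node)
{
    auth_t *auth = calloc (1, sizeof (*auth));
    config_options_t *options = NULL, **next_option = &options;
    xmlNodePtr child;
    int failed = 0;

    if (auth == NULL)
        return NULL;

    for (child = node->xmlChildrenNode; child; child = child->next)
    {
        config_options_t *opt;

        if (strcmp (child->name, "option") != 0)
        {
            if (strcmp (child->name, "text") != 0)
                WARN1 ("unknown auth setting (%s)", child->name);
            continue;
        }

        opt = calloc (1, sizeof (*opt));
        if (opt == NULL)
        {
            /* do not hand the backend a partial option set */
            failed = 1;
            break;
        }
        opt->name = xmlGetProp (child, "name");
        if (opt->name == NULL)
        {
            free (opt);
            continue;
        }
        opt->value = xmlGetProp (child, "value");
        if (opt->value == NULL)
        {
            xmlFree (opt->name);
            free (opt);
            continue;
        }
        *next_option = opt;
        next_option = &opt->next;
    }

    if (!failed)
    {
        auth->type = xmlGetProp (node, "type");
        if (auth->type == NULL)
        {
            ERROR0 ("authenticator has no type attribute");
            failed = 1;
        }
    }

    if (failed)
    {
        free (auth);
        auth = NULL;
    }
    else
    {
        get_authenticator (auth, options);
        thread_mutex_create (&auth->lock);
    }

    while (options)
    {
        config_options_t *opt = options;
        options = opt->next;
        xmlFree (opt->name);
        xmlFree (opt->value);
        free (opt);
    }
    return auth;
}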


/* Tell the authenticator that a stream on `mount` has started.
 *
 * When the backend has a stream_start hook, a work item carrying only the
 * mount name (no client) is queued so the hook runs on the auth thread.
 * Silently does nothing when there is no mount info, no authenticator, no
 * hook, or no memory for the item.
 */
void auth_stream_start (mount_proxy *mountinfo, const char *mount)
{
    auth_client *auth_user;

    if (mountinfo == NULL || mountinfo->auth == NULL)
        return;
    if (mountinfo->auth->stream_start == NULL)
        return;

    auth_user = calloc (1, sizeof (*auth_user));
    if (auth_user == NULL)
        return;

    auth_user->mount = strdup (mount);
    auth_user->process = mountinfo->auth->stream_start;
    queue_auth_client (auth_user);
}


/* Tell the authenticator that the stream on `mount` has ended.
 *
 * Mirror of auth_stream_start: when the backend has a stream_end hook, a
 * client-less work item carrying the mount name is queued for the auth
 * thread.  Does nothing when there is no mount info, no authenticator, no
 * hook, or no memory for the item.
 */
void auth_stream_end (mount_proxy *mountinfo, const char *mount)
{
    auth_client *auth_user;

    if (mountinfo == NULL || mountinfo->auth == NULL)
        return;
    if (mountinfo->auth->stream_end == NULL)
        return;

    auth_user = calloc (1, sizeof (*auth_user));
    if (auth_user == NULL)
        return;

    auth_user->mount = strdup (mount);
    auth_user->process = mountinfo->auth->stream_end;
    queue_auth_client (auth_user);
}


/* these are called at server start and termination */

/* Reset the queue state and spawn the auth thread.  The thread is created
 * with THREAD_ATTACHED and is joined later by auth_shutdown. */
void auth_initialise (void)
{
    auth_running = 1;
    auth_pending_count = 0;
    clients_to_auth = NULL;
    thread_mutex_create (&auth_lock);
    auth_thread = thread_create ("auth thread", auth_run_thread, NULL, THREAD_ATTACHED);
}

598
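/* Ask the auth thread to stop and wait for it.
 *
 * The thread drains anything still queued before exiting (see
 * auth_run_thread).  The handle is cleared after the join so a repeated
 * call does not join an already-joined thread.  auth_lock is not destroyed
 * here; nothing in this file shows that queue_auth_client can no longer be
 * reached after shutdown.
 */
void auth_shutdown (void)
{
    if (auth_thread == NULL)
        return;

    auth_running = 0;
    thread_join (auth_thread);
    auth_thread = NULL;
    INFO0 ("Auth thread has terminated");
}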