Commit 17c0f8c6 authored by Philipp Schafft's avatar Philipp Schafft 🦁

Feature: Support filtering on CORS "Origin".

parent 997df47d
Pipeline #481 failed with stage
in 15 seconds
......@@ -182,6 +182,8 @@ static void queue_auth_client (auth_client *auth_user)
* refcounted and only actual freed after the last use
*/
void auth_release (auth_t *authenticator) {
size_t i;
if (authenticator == NULL)
return;
......@@ -216,6 +218,12 @@ void auth_release (auth_t *authenticator) {
free(authenticator->mount);
acl_release(authenticator->acl);
config_clear_http_header(authenticator->http_headers);
for (i = 0; i < authenticator->filter_origin_len; i++) {
free(authenticator->filter_origin[i].origin);
}
free(authenticator->filter_origin);
free(authenticator);
}
......@@ -436,6 +444,8 @@ static void *auth_run_thread (void *arg)
static void auth_add_client(auth_t *auth, client_t *client, void (*on_no_match)(client_t *client, void (*on_result)(client_t *client, void *userdata, auth_result result), void *userdata), void (*on_result)(client_t *client, void *userdata, auth_result result), void *userdata) {
auth_client *auth_user;
auth_matchtype_t matchtype;
const char *origin;
size_t i;
ICECAST_LOG_DEBUG("Trying to add client %p to auth %p's (role %s) queue.", client, auth, auth->role);
......@@ -455,6 +465,31 @@ static void auth_add_client(auth_t *auth, client_t *client, void (*on_no_match)(
return;
}
/* Filter for CORS "Origin".
*
* CORS actually knows about non-CORS requests and assigned the "null"
* location to them.
*/
origin = httpp_getvar(client->parser, "origin");
if (!origin)
origin = "null";
matchtype = auth->filter_origin_policy;
for (i = 0; i < auth->filter_origin_len; i++) {
if (strcmp(auth->filter_origin[i].origin, origin) == 0) {
matchtype = auth->filter_origin[i].type;
break;
}
}
if (matchtype == AUTH_MATCHTYPE_NOMATCH) {
if (on_no_match) {
on_no_match(client, on_result, userdata);
} else if (on_result) {
on_result(client, userdata, AUTH_NOMATCH);
}
return;
}
if (client->admin_command == ADMIN_COMMAND_ERROR) {
/* this is a web/ client */
matchtype = auth->filter_web_policy;
......@@ -612,6 +647,49 @@ static inline void auth_get_authenticator__filter_admin(auth_t *auth, xmlNodePtr
}
}
static inline void auth_get_authenticator__filter_origin(auth_t *auth, xmlNodePtr node, const char *name, auth_matchtype_t matchtype)
{
char * tmp = (char*)xmlGetProp(node, XMLSTR(name));
if (tmp) {
char *cur = tmp;
char *next;
while (cur) {
next = strstr(cur, ",");
if (next) {
*next = 0;
next++;
for (; *next == ' '; next++);
}
if (strcmp(cur, "*") == 0) {
auth->filter_origin_policy = matchtype;
} else {
void *n = realloc(auth->filter_origin, (auth->filter_origin_len + 1)*sizeof(*auth->filter_origin));
if (!n) {
ICECAST_LOG_ERROR("Can not allocate memory. BAD.");
break;
}
auth->filter_origin = n;
auth->filter_origin[auth->filter_origin_len].type = matchtype;
auth->filter_origin[auth->filter_origin_len].origin = strdup(cur);
if (auth->filter_origin[auth->filter_origin_len].origin) {
auth->filter_origin_len++;
} else {
ICECAST_LOG_ERROR("Can not allocate memory. BAD.");
break;
}
}
cur = next;
}
free(tmp);
}
}
static inline void auth_get_authenticator__init_method(auth_t *auth, int *method_inited, auth_matchtype_t init_with)
{
size_t i;
......@@ -815,6 +893,10 @@ auth_t *auth_get_authenticator(xmlNodePtr node)
auth_get_authenticator__filter_admin(auth, node, &filter_admin_index, "match-admin", AUTH_MATCHTYPE_MATCH);
auth_get_authenticator__filter_admin(auth, node, &filter_admin_index, "nomatch-admin", AUTH_MATCHTYPE_NOMATCH);
auth->filter_origin_policy = AUTH_MATCHTYPE_MATCH;
auth_get_authenticator__filter_origin(auth, node, "match-origin", AUTH_MATCHTYPE_MATCH);
auth_get_authenticator__filter_origin(auth, node, "nomatch-origin", AUTH_MATCHTYPE_NOMATCH);
auth_get_authenticator__permission_alter(auth, node, "may-alter", AUTH_MATCHTYPE_MATCH);
auth_get_authenticator__permission_alter(auth, node, "may-not-alter", AUTH_MATCHTYPE_NOMATCH);
......
......@@ -116,6 +116,13 @@ struct auth_tag
admin_command_id_t command;
} filter_admin[MAX_ADMIN_COMMANDS];
struct {
auth_matchtype_t type;
char *origin;
} *filter_origin;
size_t filter_origin_len;
auth_matchtype_t filter_origin_policy;
/* permissions */
auth_matchtype_t permission_alter[AUTH_ALTER_SEND_ERROR+1];
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment