srs/trunk/src/app/srs_app_security.cpp

/**
 * The MIT License (MIT)
 *
 * Copyright (c) 2013-2018 Winlin
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy of
 * this software and associated documentation files (the "Software"), to deal in
 * the Software without restriction, including without limitation the rights to
 * use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
 * the Software, and to permit persons to whom the Software is furnished to do so,
 * subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in all
 * copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
 * FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
 * COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
 * IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 */

#include <srs_app_security.hpp>

#include <srs_kernel_error.hpp>
#include <srs_app_config.hpp>

using namespace std;

SrsSecurity::SrsSecurity()
{
}

SrsSecurity::~SrsSecurity()
{
}

srs_error_t SrsSecurity::check(SrsRtmpConnType type, string ip, SrsRequest* req)
{
    srs_error_t err = srs_success;
    
    // allow all if security disabled.
    if (!_srs_config->get_security_enabled(req->vhost)) {
        return err;
    }
    
    // default to deny all when security enabled.
    err = srs_error_new(ERROR_SYSTEM_SECURITY, "allowed");
    
    // rules to apply
    SrsConfDirective* rules = _srs_config->get_security_rules(req->vhost);
    if (!rules) {
        return err;
    }
    
    // allow if matches allow strategy.
    if (allow_check(rules, type, ip) == ERROR_SYSTEM_SECURITY_ALLOW) {
        srs_error_reset(err);
    }
    
    // deny if matches deny strategy.
    if (deny_check(rules, type, ip) == ERROR_SYSTEM_SECURITY_DENY) {
        srs_error_reset(err);
        return srs_error_new(ERROR_SYSTEM_SECURITY_DENY, "denied");
    }
    
    return err;
}

int SrsSecurity::allow_check(SrsConfDirective* rules, SrsRtmpConnType type, std::string ip)
{
    int ret = ERROR_SUCCESS;
    
    for (int i = 0; i < (int)rules->directives.size(); i++) {
        SrsConfDirective* rule = rules->at(i);
        
        if (rule->name != "allow") {
            continue;
        }
        
        switch (type) {
            case SrsRtmpConnPlay:
                if (rule->arg0() != "play") {
                    break;
                }
                if (rule->arg1() == "all" || rule->arg1() == ip) {
                    ret = ERROR_SYSTEM_SECURITY_ALLOW;
                    break;
                }
                break;
            case SrsRtmpConnFMLEPublish:
            case SrsRtmpConnFlashPublish:
            case SrsRtmpConnHaivisionPublish:
                if (rule->arg0() != "publish") {
                    break;
                }
                if (rule->arg1() == "all" || rule->arg1() == ip) {
                    ret = ERROR_SYSTEM_SECURITY_ALLOW;
                    break;
                }
                break;
            case SrsRtmpConnUnknown:
            default:
                break;
        }
        
        // when matched, donot search more.
        if (ret == ERROR_SYSTEM_SECURITY_ALLOW) {
            break;
        }
    }
    
    return ret;
}

int SrsSecurity::deny_check(SrsConfDirective* rules, SrsRtmpConnType type, std::string ip)
{
    int ret = ERROR_SUCCESS;
    
    for (int i = 0; i < (int)rules->directives.size(); i++) {
        SrsConfDirective* rule = rules->at(i);
        
        if (rule->name != "deny") {
            continue;
        }
        
        switch (type) {
            case SrsRtmpConnPlay:
                if (rule->arg0() != "play") {
                    break;
                }
                if (rule->arg1() == "all" || rule->arg1() == ip) {
                    ret = ERROR_SYSTEM_SECURITY_DENY;
                    break;
                }
                break;
            case SrsRtmpConnFMLEPublish:
            case SrsRtmpConnFlashPublish:
            case SrsRtmpConnHaivisionPublish:
                if (rule->arg0() != "publish") {
                    break;
                }
                if (rule->arg1() == "all" || rule->arg1() == ip) {
                    ret = ERROR_SYSTEM_SECURITY_DENY;
                    break;
                }
                break;
            case SrsRtmpConnUnknown:
            default:
                break;
        }
        
        // when matched, donot search more.
        if (ret == ERROR_SYSTEM_SECURITY_DENY) {
            break;
        }
    }
    
    return ret;
}
For #299, refine code. 2017-03-25 09:21:39 +00:00			`/**`
			`* The MIT License (MIT)`
			`*`
Change date from 2017 to 2018 2018-01-07 02:58:53 +00:00			`* Copyright (c) 2013-2018 Winlin`
For #299, refine code. 2017-03-25 09:21:39 +00:00			`*`
			`* Permission is hereby granted, free of charge, to any person obtaining a copy of`
			`* this software and associated documentation files (the "Software"), to deal in`
			`* the Software without restriction, including without limitation the rights to`
			`* use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of`
			`* the Software, and to permit persons to whom the Software is furnished to do so,`
			`* subject to the following conditions:`
			`*`
			`* The above copyright notice and this permission notice shall be included in all`
			`* copies or substantial portions of the Software.`
			`*`
			`* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR`
			`* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS`
			`* FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR`
			`* COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER`
			`* IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN`
			`* CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.`
			`*/`
fix #211, support security allow/deny publish/play all/ip. 2.0.86 2015-01-02 08:02:13 +00:00
			`#include <srs_app_security.hpp>`

			`#include <srs_kernel_error.hpp>`
			`#include <srs_app_config.hpp>`

			`using namespace std;`

			`SrsSecurity::SrsSecurity()`
			`{`
			`}`

			`SrsSecurity::~SrsSecurity()`
			`{`
			`}`

For #913, APP support complex error. 2018-01-01 13:20:57 +00:00			`srs_error_t SrsSecurity::check(SrsRtmpConnType type, string ip, SrsRequest* req)`
fix #211, support security allow/deny publish/play all/ip. 2.0.86 2015-01-02 08:02:13 +00:00			`{`
For #913, APP support complex error. 2018-01-01 13:20:57 +00:00			`srs_error_t err = srs_success;`
fix #211, support security allow/deny publish/play all/ip. 2.0.86 2015-01-02 08:02:13 +00:00
			`// allow all if security disabled.`
			`if (!_srs_config->get_security_enabled(req->vhost)) {`
For #913, APP support complex error. 2018-01-01 13:20:57 +00:00			`return err;`
fix #211, support security allow/deny publish/play all/ip. 2.0.86 2015-01-02 08:02:13 +00:00			`}`

			`// default to deny all when security enabled.`
For #913, APP support complex error. 2018-01-01 13:20:57 +00:00			`err = srs_error_new(ERROR_SYSTEM_SECURITY, "allowed");`
fix #211, support security allow/deny publish/play all/ip. 2.0.86 2015-01-02 08:02:13 +00:00
			`// rules to apply`
			`SrsConfDirective* rules = _srs_config->get_security_rules(req->vhost);`
			`if (!rules) {`
For #913, APP support complex error. 2018-01-01 13:20:57 +00:00			`return err;`
fix #211, support security allow/deny publish/play all/ip. 2.0.86 2015-01-02 08:02:13 +00:00			`}`

			`// allow if matches allow strategy.`
refine code of security deny check 2015-01-02 08:06:18 +00:00			`if (allow_check(rules, type, ip) == ERROR_SYSTEM_SECURITY_ALLOW) {`
For #913, APP support complex error. 2018-01-01 13:20:57 +00:00			`srs_error_reset(err);`
fix #211, support security allow/deny publish/play all/ip. 2.0.86 2015-01-02 08:02:13 +00:00			`}`

			`// deny if matches deny strategy.`
refine code of security deny check 2015-01-02 08:06:18 +00:00			`if (deny_check(rules, type, ip) == ERROR_SYSTEM_SECURITY_DENY) {`
For #913, APP support complex error. 2018-01-01 13:20:57 +00:00			`srs_error_reset(err);`
			`return srs_error_new(ERROR_SYSTEM_SECURITY_DENY, "denied");`
fix #211, support security allow/deny publish/play all/ip. 2.0.86 2015-01-02 08:02:13 +00:00			`}`

For #913, APP support complex error. 2018-01-01 13:20:57 +00:00			`return err;`
fix #211, support security allow/deny publish/play all/ip. 2.0.86 2015-01-02 08:02:13 +00:00			`}`

refine code of security deny check 2015-01-02 08:06:18 +00:00			`int SrsSecurity::allow_check(SrsConfDirective* rules, SrsRtmpConnType type, std::string ip)`
fix #211, support security allow/deny publish/play all/ip. 2.0.86 2015-01-02 08:02:13 +00:00			`{`
			`int ret = ERROR_SUCCESS;`

			`for (int i = 0; i < (int)rules->directives.size(); i++) {`
			`SrsConfDirective* rule = rules->at(i);`

			`if (rule->name != "allow") {`
			`continue;`
			`}`
For #299, refine code. 2017-03-25 09:21:39 +00:00
fix #211, support security allow/deny publish/play all/ip. 2.0.86 2015-01-02 08:02:13 +00:00			`switch (type) {`
			`case SrsRtmpConnPlay:`
			`if (rule->arg0() != "play") {`
			`break;`
			`}`
			`if (rule->arg1() == "all" \|\| rule->arg1() == ip) {`
			`ret = ERROR_SYSTEM_SECURITY_ALLOW;`
			`break;`
			`}`
			`break;`
			`case SrsRtmpConnFMLEPublish:`
			`case SrsRtmpConnFlashPublish:`
Fix #844, support Haivision encoder. 2.0.238 2017-04-15 12:44:02 +00:00			`case SrsRtmpConnHaivisionPublish:`
fix #211, support security allow/deny publish/play all/ip. 2.0.86 2015-01-02 08:02:13 +00:00			`if (rule->arg0() != "publish") {`
			`break;`
			`}`
			`if (rule->arg1() == "all" \|\| rule->arg1() == ip) {`
			`ret = ERROR_SYSTEM_SECURITY_ALLOW;`
			`break;`
			`}`
			`break;`
fix #179: dvr support custom filepath by variables. 2.0.87 2015-01-03 04:54:54 +00:00			`case SrsRtmpConnUnknown:`
			`default:`
			`break;`
fix #211, support security allow/deny publish/play all/ip. 2.0.86 2015-01-02 08:02:13 +00:00			`}`

			`// when matched, donot search more.`
			`if (ret == ERROR_SYSTEM_SECURITY_ALLOW) {`
			`break;`
			`}`
			`}`

			`return ret;`
			`}`

refine code of security deny check 2015-01-02 08:06:18 +00:00			`int SrsSecurity::deny_check(SrsConfDirective* rules, SrsRtmpConnType type, std::string ip)`
fix #211, support security allow/deny publish/play all/ip. 2.0.86 2015-01-02 08:02:13 +00:00			`{`
			`int ret = ERROR_SUCCESS;`

			`for (int i = 0; i < (int)rules->directives.size(); i++) {`
			`SrsConfDirective* rule = rules->at(i);`

			`if (rule->name != "deny") {`
			`continue;`
			`}`
For #299, refine code. 2017-03-25 09:21:39 +00:00
fix #211, support security allow/deny publish/play all/ip. 2.0.86 2015-01-02 08:02:13 +00:00			`switch (type) {`
			`case SrsRtmpConnPlay:`
			`if (rule->arg0() != "play") {`
			`break;`
			`}`
			`if (rule->arg1() == "all" \|\| rule->arg1() == ip) {`
			`ret = ERROR_SYSTEM_SECURITY_DENY;`
			`break;`
			`}`
			`break;`
			`case SrsRtmpConnFMLEPublish:`
			`case SrsRtmpConnFlashPublish:`
Fix #844, support Haivision encoder. 2.0.238 2017-04-15 12:44:02 +00:00			`case SrsRtmpConnHaivisionPublish:`
fix #211, support security allow/deny publish/play all/ip. 2.0.86 2015-01-02 08:02:13 +00:00			`if (rule->arg0() != "publish") {`
			`break;`
			`}`
			`if (rule->arg1() == "all" \|\| rule->arg1() == ip) {`
			`ret = ERROR_SYSTEM_SECURITY_DENY;`
			`break;`
			`}`
			`break;`
fix #179: dvr support custom filepath by variables. 2.0.87 2015-01-03 04:54:54 +00:00			`case SrsRtmpConnUnknown:`
			`default:`
			`break;`
fix #211, support security allow/deny publish/play all/ip. 2.0.86 2015-01-02 08:02:13 +00:00			`}`

			`// when matched, donot search more.`
			`if (ret == ERROR_SYSTEM_SECURITY_DENY) {`
			`break;`
			`}`
			`}`

			`return ret;`
			`}`