external/srs
1
0
Fork 0
mirror of https://github.com/ossrs/srs.git synced 2025-03-09 15:49:59 +00:00
Code Issues Releases Wiki Activity

Security: Enable CIDR for allow/deny play/publish (#2914)

Browse source 
* protocol/utility: add srs_ipv4_to_num

* protocol/utility: add srs_ipv4_within_mask

* protocol/utility: add srs_get_cidr_mask and CIDR_VALUES static struct

* protocol/utility: add srs_get_cidr_ipv4

* app/security: support cidr ip ranges in allow/deny rules

* conf: update security example with cidr ranges

* Security: Enable CIDR for allow/deny play/publish

* Security: Enable CIDR for allow/deny play/publish

* Security: Enable CIDR for allow/deny play/publish

* fix compile error on centos6

Co-authored-by: Matheus Macabu <macabu.matheus@gmail.com>
This commit is contained in:
Haibo Chen 2022-03-11 12:24:35 +08:00 committed by GitHub
parent 451b01011c
commit 67ccd589c1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 219 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

6
trunk/conf/full.conf
View file

@ -967,16 +967,20 @@ vhost security.srs.com {
# default: off
enabled on;
# the security list, each item format as:
# allow|deny publish|play all|<ip>
# allow|deny publish|play all|<ip or cidr>
# for example:
# allow publish all;
# deny publish all;
# allow publish 127.0.0.1;
# deny publish 127.0.0.1;
# allow publish 10.0.0.0/8;
# deny publish 10.0.0.0/8;
# allow play all;
# deny play all;
# allow play 127.0.0.1;
# deny play 127.0.0.1;
# allow play 10.0.0.0/8;
# deny play 10.0.0.0/8;
# SRS apply the following simple strategies one by one:
# 1. allow all if security disabled.
# 2. default to deny all when security enabled.

18
trunk/src/app/srs_app_security.cpp
View file

@ -70,6 +70,9 @@ srs_error_t SrsSecurity::allow_check(SrsConfDirective* rules, SrsRtmpConnType ty
}
allow_rules++;
string cidr_ipv4 = srs_get_cidr_ipv4(rule->arg1());
string cidr_mask = srs_get_cidr_mask(rule->arg1());
switch (type) {
case SrsRtmpConnPlay:
case SrsRtcConnPlay:
@ -79,6 +82,9 @@ srs_error_t SrsSecurity::allow_check(SrsConfDirective* rules, SrsRtmpConnType ty
if (rule->arg1() == "all" || rule->arg1() == ip) {
return srs_success; // OK
}
if (srs_is_ipv4(cidr_ipv4) && cidr_mask != "" && srs_ipv4_within_mask(ip, cidr_ipv4, cidr_mask)) {
return srs_success; // OK
}
break;
case SrsRtmpConnFMLEPublish:
case SrsRtmpConnFlashPublish:
@ -90,6 +96,9 @@ srs_error_t SrsSecurity::allow_check(SrsConfDirective* rules, SrsRtmpConnType ty
if (rule->arg1() == "all" || rule->arg1() == ip) {
return srs_success; // OK
}
if (srs_is_ipv4(cidr_ipv4) && cidr_mask != "" && srs_ipv4_within_mask(ip, cidr_ipv4, cidr_mask)) {
return srs_success; // OK
}
break;
case SrsRtmpConnUnknown:
default:
@ -111,6 +120,9 @@ srs_error_t SrsSecurity::deny_check(SrsConfDirective* rules, SrsRtmpConnType typ
if (rule->name != "deny") {
continue;
}
string cidr_ipv4 = srs_get_cidr_ipv4(rule->arg1());
string cidr_mask = srs_get_cidr_mask(rule->arg1());
switch (type) {
case SrsRtmpConnPlay:
@ -121,6 +133,9 @@ srs_error_t SrsSecurity::deny_check(SrsConfDirective* rules, SrsRtmpConnType typ
if (rule->arg1() == "all" || rule->arg1() == ip) {
return srs_error_new(ERROR_SYSTEM_SECURITY_DENY, "deny by rule<%s>", rule->arg1().c_str());
}
if (srs_is_ipv4(cidr_ipv4) && cidr_mask != "" && srs_ipv4_within_mask(ip, cidr_ipv4, cidr_mask)) {
return srs_error_new(ERROR_SYSTEM_SECURITY_DENY, "deny by rule<%s>", rule->arg1().c_str());
}
break;
case SrsRtmpConnFMLEPublish:
case SrsRtmpConnFlashPublish:
@ -132,6 +147,9 @@ srs_error_t SrsSecurity::deny_check(SrsConfDirective* rules, SrsRtmpConnType typ
if (rule->arg1() == "all" || rule->arg1() == ip) {
return srs_error_new(ERROR_SYSTEM_SECURITY_DENY, "deny by rule<%s>", rule->arg1().c_str());
}
if (srs_is_ipv4(cidr_ipv4) && cidr_mask != "" && srs_ipv4_within_mask(ip, cidr_ipv4, cidr_mask)) {
return srs_error_new(ERROR_SYSTEM_SECURITY_DENY, "deny by rule<%s>", rule->arg1().c_str());
}
break;
case SrsRtmpConnUnknown:
default:

1
trunk/src/app/srs_app_security.hpp
View file

@ -12,6 +12,7 @@
#include <string>
#include <srs_rtmp_stack.hpp>
#include <srs_protocol_utility.hpp>
class SrsConfDirective;

136
trunk/src/protocol/srs_protocol_utility.cpp
View file

@ -10,6 +10,7 @@
#include <unistd.h>
#endif
#include <arpa/inet.h>
#include <stdlib.h>
#include <sstream>
using namespace std;
@ -397,3 +398,138 @@ bool srs_is_ipv4(string domain)
return true;
}
uint32_t srs_ipv4_to_num(string ip) {
uint32_t addr = 0;
if (inet_pton(AF_INET, ip.c_str(), &addr) <= 0) {
return 0;
}
return ntohl(addr);
}
bool srs_ipv4_within_mask(string ip, string network, string mask) {
uint32_t ip_addr = srs_ipv4_to_num(ip);
uint32_t mask_addr = srs_ipv4_to_num(mask);
uint32_t network_addr = srs_ipv4_to_num(network);
return (ip_addr & mask_addr) == (network_addr & mask_addr);
}
static struct CIDR_VALUE {
size_t length;
std::string mask;
} CIDR_VALUES[32] = {
{ 1, "128.0.0.0" },
{ 2, "192.0.0.0" },
{ 3, "224.0.0.0" },
{ 4, "240.0.0.0" },
{ 5, "248.0.0.0" },
{ 6, "252.0.0.0" },
{ 7, "254.0.0.0" },
{ 8, "255.0.0.0" },
{ 9, "255.128.0.0" },
{ 10, "255.192.0.0" },
{ 11, "255.224.0.0" },
{ 12, "255.240.0.0" },
{ 13, "255.248.0.0" },
{ 14, "255.252.0.0" },
{ 15, "255.254.0.0" },
{ 16, "255.255.0.0" },
{ 17, "255.255.128.0" },
{ 18, "255.255.192.0" },
{ 19, "255.255.224.0" },
{ 20, "255.255.240.0" },
{ 21, "255.255.248.0" },
{ 22, "255.255.252.0" },
{ 23, "255.255.254.0" },
{ 24, "255.255.255.0" },
{ 25, "255.255.255.128" },
{ 26, "255.255.255.192" },
{ 27, "255.255.255.224" },
{ 28, "255.255.255.240" },
{ 29, "255.255.255.248" },
{ 30, "255.255.255.252" },
{ 31, "255.255.255.254" },
{ 32, "255.255.255.255" },
};
string srs_get_cidr_mask(string network_address) {
string delimiter = "/";
size_t delimiter_position = network_address.find(delimiter);
if (delimiter_position == string::npos) {
// Even if it does not have "/N", it can be a valid IP, by default "/32".
if (srs_is_ipv4(network_address)) {
return CIDR_VALUES[32-1].mask;
}
return "";
}
// Change here to include IPv6 support.
string is_ipv4_address = network_address.substr(0, delimiter_position);
if (!srs_is_ipv4(is_ipv4_address)) {
return "";
}
size_t cidr_length_position = delimiter_position + delimiter.length();
if (cidr_length_position >= network_address.length()) {
return "";
}
string cidr_length = network_address.substr(cidr_length_position, network_address.length());
if (cidr_length.length() <= 0) {
return "";
}
size_t cidr_length_num = 31;
try {
cidr_length_num = atoi(cidr_length.c_str());
if (cidr_length_num <= 0) {
return "";
}
} catch (...) {
return "";
}
return CIDR_VALUES[cidr_length_num-1].mask;
}
string srs_get_cidr_ipv4(string network_address) {
string delimiter = "/";
size_t delimiter_position = network_address.find(delimiter);
if (delimiter_position == string::npos) {
// Even if it does not have "/N", it can be a valid IP, by default "/32".
if (srs_is_ipv4(network_address)) {
return network_address;
}
return "";
}
// Change here to include IPv6 support.
string ipv4_address = network_address.substr(0, delimiter_position);
if (!srs_is_ipv4(ipv4_address)) {
return "";
}
size_t cidr_length_position = delimiter_position + delimiter.length();
if (cidr_length_position >= network_address.length()) {
return "";
}
string cidr_length = network_address.substr(cidr_length_position, network_address.length());
if (cidr_length.length() <= 0) {
return "";
}
try {
size_t cidr_length_num = atoi(cidr_length.c_str());
if (cidr_length_num <= 0) {
return "";
}
} catch (...) {
return "";
}
return ipv4_address;
}

12
trunk/src/protocol/srs_protocol_utility.hpp
View file

@ -112,5 +112,17 @@ std::string srs_join_vector_string(std::vector<T>& vs, std::string separator)
// Whether domain is an IPv4 address.
extern bool srs_is_ipv4(std::string domain);
// Convert an IPv4 from string to uint32_t.
extern uint32_t srs_ipv4_to_num(std::string ip);
// Whether the IPv4 is in an IP mask.
extern bool srs_ipv4_within_mask(std::string ip, std::string network, std::string mask);
// Get the CIDR (Classless Inter-Domain Routing) mask for a network address.
extern std::string srs_get_cidr_mask(std::string network_address);
// Get the CIDR (Classless Inter-Domain Routing) IPv4 for a network address.
extern std::string srs_get_cidr_ipv4(std::string network_address);
#endif

47
trunk/src/utest/srs_utest_rtmp.cpp
View file

@ -3197,6 +3197,53 @@ VOID TEST(ProtocolRTMPTest, OthersAll)
EXPECT_FALSE(srs_is_ipv4("2.3.4.ossrs"));
}
if (true) {
EXPECT_EQ((uint32_t)0, srs_ipv4_to_num("not.a.valid.ip"));
}
if (true) {
EXPECT_EQ((uint32_t)2130706433, srs_ipv4_to_num("127.0.0.1"));
EXPECT_NE((uint32_t)16777343, srs_ipv4_to_num("127.0.0.1")); // Big-Endian
}
if (true) {
EXPECT_TRUE(srs_ipv4_within_mask("192.168.1.1", "192.168.1.0", "255.255.255.0"));
EXPECT_TRUE(srs_ipv4_within_mask("220.1.1.22", "220.1.1.22", "255.255.255.255"));
EXPECT_TRUE(srs_ipv4_within_mask("0.0.0.1", "0.0.0.0", "0.0.0.0"));
EXPECT_TRUE(srs_ipv4_within_mask("10.2.13.243", "10.0.0.0", "255.0.0.0"));
}
if (true) {
EXPECT_FALSE(srs_ipv4_within_mask("192.168.1.1", "192.168.1.2", "255.255.255.255"));
EXPECT_FALSE(srs_ipv4_within_mask("192.168.1.3", "192.168.1.2", "255.255.255.255"));
EXPECT_FALSE(srs_ipv4_within_mask("220.1.1.22", "192.168.1.0", "255.255.255.0"));
EXPECT_FALSE(srs_ipv4_within_mask("220.1.1.22", "220.1.1.23", "255.255.255.255"));
EXPECT_FALSE(srs_ipv4_within_mask("220.1.1.22", "220.1.1.21", "255.255.255.255"));
EXPECT_FALSE(srs_ipv4_within_mask("192.168.1.2", "10.0.0.1", "255.255.255.255"));
}
if (true) {
EXPECT_STREQ("255.255.255.255", srs_get_cidr_mask("127.0.0.1").c_str());
EXPECT_STREQ("255.240.0.0", srs_get_cidr_mask("127.0.0.1/12").c_str());
}
if (true) {
EXPECT_STREQ("", srs_get_cidr_mask("my.custom.domain").c_str());
EXPECT_STREQ("", srs_get_cidr_mask("my.custom.domain/12").c_str());
EXPECT_STREQ("", srs_get_cidr_mask("127.0.0.1/invalid/netmask").c_str());
}
if (true) {
EXPECT_STREQ("127.0.0.1", srs_get_cidr_ipv4("127.0.0.1").c_str());
EXPECT_STREQ("127.0.0.1", srs_get_cidr_ipv4("127.0.0.1/12").c_str());
}
if (true) {
EXPECT_STREQ("", srs_get_cidr_ipv4("my.custom.domain").c_str());
EXPECT_STREQ("", srs_get_cidr_ipv4("my.custom.domain/12").c_str());
EXPECT_STREQ("", srs_get_cidr_ipv4("127.0.0.1/invalid/netmask").c_str());
}
if (true) {
SrsMessageArray h(10);
h.msgs[0] = new SrsSharedPtrMessage();