For #1186, refactor security check. 3.0.114

2025-03-09 15:49:59 +00:00 · 2020-02-04 19:07:54 +08:00 · 2020-02-04 19:07:54 +08:00 · c51c378869
commit c51c378869
parent c01806d5c4
7 changed files with 178 additions and 53 deletions
--- a/trunk/src/app/srs_app_security.cpp
+++ b/trunk/src/app/srs_app_security.cpp
@ -39,54 +39,61 @@ SrsSecurity::~SrsSecurity()
 srs_error_t SrsSecurity::check(SrsRtmpConnType type, string ip, SrsRequest* req)
 {
    srs_error_t err = srs_success;
-    
+
    // allow all if security disabled.
    if (!_srs_config->get_security_enabled(req->vhost)) {
-        return err;
+        return err; // OK
    }
-    
-    // default to deny all when security enabled.
-    err = srs_error_new(ERROR_SYSTEM_SECURITY, "allowed");
-    
+
    // rules to apply
    SrsConfDirective* rules = _srs_config->get_security_rules(req->vhost);
+    return do_check(rules, type, ip, req);
+}
+
+srs_error_t SrsSecurity::do_check(SrsConfDirective* rules, SrsRtmpConnType type, string ip, SrsRequest* req)
+{
+    srs_error_t err = srs_success;
+
    if (!rules) {
-        return err;
+        return srs_error_new(ERROR_SYSTEM_SECURITY, "default deny for %s", ip.c_str());
+    }
+
+    // deny if matches deny strategy.
+    if ((err = deny_check(rules, type, ip)) != srs_success) {
+        return srs_error_wrap(err, "for %s", ip.c_str());
    }
    
    // allow if matches allow strategy.
-    if (allow_check(rules, type, ip) == ERROR_SYSTEM_SECURITY_ALLOW) {
-        srs_error_reset(err);
+    if ((err = allow_check(rules, type, ip)) != srs_success) {
+        return srs_error_wrap(err, "for %s", ip.c_str());
    }
-    
-    // deny if matches deny strategy.
-    if (deny_check(rules, type, ip) == ERROR_SYSTEM_SECURITY_DENY) {
-        srs_error_reset(err);
-        return srs_error_new(ERROR_SYSTEM_SECURITY_DENY, "denied");
-    }
-    
+
    return err;
 }

-int SrsSecurity::allow_check(SrsConfDirective* rules, SrsRtmpConnType type, std::string ip)
+srs_error_t SrsSecurity::allow_check(SrsConfDirective* rules, SrsRtmpConnType type, std::string ip)
 {
-    int ret = ERROR_SUCCESS;
-    
+    int allow_rules = 0;
+    int deny_rules = 0;
+
    for (int i = 0; i < (int)rules->directives.size(); i++) {
        SrsConfDirective* rule = rules->at(i);
-        
+
        if (rule->name != "allow") {
+            if (rule->name == "deny") {
+                deny_rules++;
+            }
            continue;
        }
-        
+        allow_rules++;
+
        switch (type) {
            case SrsRtmpConnPlay:
                if (rule->arg0() != "play") {
                    break;
                }
                if (rule->arg1() == "all" || rule->arg1() == ip) {
-                    ret = ERROR_SYSTEM_SECURITY_ALLOW;
-                    break;
+                    return srs_success; // OK
                }
                break;
            case SrsRtmpConnFMLEPublish:
@ -96,28 +103,23 @@ int SrsSecurity::allow_check(SrsConfDirective* rules, SrsRtmpConnType type, std:
                    break;
                }
                if (rule->arg1() == "all" || rule->arg1() == ip) {
-                    ret = ERROR_SYSTEM_SECURITY_ALLOW;
-                    break;
+                    return srs_success; // OK
                }
                break;
            case SrsRtmpConnUnknown:
            default:
                break;
        }
-        
-        // when matched, donot search more.
-        if (ret == ERROR_SYSTEM_SECURITY_ALLOW) {
-            break;
-        }
    }
-    
-    return ret;
+
+    if (allow_rules > 0 || (deny_rules + allow_rules) == 0) {
+        return srs_error_new(ERROR_SYSTEM_SECURITY_ALLOW, "not allowed by any of %d rules", allow_rules);
+    }
+    return srs_success; // OK
 }

-int SrsSecurity::deny_check(SrsConfDirective* rules, SrsRtmpConnType type, std::string ip)
+srs_error_t SrsSecurity::deny_check(SrsConfDirective* rules, SrsRtmpConnType type, std::string ip)
 {
-    int ret = ERROR_SUCCESS;
-    
    for (int i = 0; i < (int)rules->directives.size(); i++) {
        SrsConfDirective* rule = rules->at(i);
        
@ -131,8 +133,7 @@ int SrsSecurity::deny_check(SrsConfDirective* rules, SrsRtmpConnType type, std::
                    break;
                }
                if (rule->arg1() == "all" || rule->arg1() == ip) {
-                    ret = ERROR_SYSTEM_SECURITY_DENY;
-                    break;
+                    return srs_error_new(ERROR_SYSTEM_SECURITY_DENY, "deny by rule<%s>", rule->arg1().c_str());
                }
                break;
            case SrsRtmpConnFMLEPublish:
@ -142,21 +143,15 @@ int SrsSecurity::deny_check(SrsConfDirective* rules, SrsRtmpConnType type, std::
                    break;
                }
                if (rule->arg1() == "all" || rule->arg1() == ip) {
-                    ret = ERROR_SYSTEM_SECURITY_DENY;
-                    break;
+                    return srs_error_new(ERROR_SYSTEM_SECURITY_DENY, "deny by rule<%s>", rule->arg1().c_str());
                }
                break;
            case SrsRtmpConnUnknown:
            default:
                break;
        }
-        
-        // when matched, donot search more.
-        if (ret == ERROR_SYSTEM_SECURITY_DENY) {
-            break;
-        }
    }
    
-    return ret;
+    return srs_success; // OK
 }