Skip to content

Commit

Permalink
prevent mixing together legacy and current auth mechanism (#3258) (#3460
Browse files Browse the repository at this point in the history
)
  • Loading branch information
aler9 authored Jun 12, 2024
1 parent 39ae126 commit 9554fc4
Show file tree
Hide file tree
Showing 4 changed files with 124 additions and 67 deletions.
6 changes: 2 additions & 4 deletions internal/api/api_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -247,16 +247,14 @@ func TestConfigPathDefaultsPatch(t *testing.T) {

httpRequest(t, hc, http.MethodPatch, "http://localhost:9997/v3/config/pathdefaults/patch",
map[string]interface{}{
"readUser": "myuser",
"readPass": "mypass",
"recordFormat": "fmp4",
}, nil)

time.Sleep(500 * time.Millisecond)

var out map[string]interface{}
httpRequest(t, hc, http.MethodGet, "http://localhost:9997/v3/config/pathdefaults/get", nil, &out)
require.Equal(t, "myuser", out["readUser"])
require.Equal(t, "mypass", out["readPass"])
require.Equal(t, "fmp4", out["recordFormat"])
}

func TestConfigPathsList(t *testing.T) {
Expand Down
113 changes: 56 additions & 57 deletions internal/conf/conf.go
Original file line number Diff line number Diff line change
Expand Up @@ -94,31 +94,66 @@ func mustParseCIDR(v string) net.IPNet {
return *ne
}

func credentialIsNotEmpty(c *Credential) bool {
return c != nil && *c != ""
}

func ipNetworkIsNotEmpty(i *IPNetworks) bool {
return i != nil && len(*i) != 0
}
func anyPathHasDeprecatedCredentials(pathDefaults Path, paths map[string]*OptionalPath) bool {
if pathDefaults.PublishUser != nil ||
pathDefaults.PublishPass != nil ||
pathDefaults.PublishIPs != nil ||
pathDefaults.ReadUser != nil ||
pathDefaults.ReadPass != nil ||
pathDefaults.ReadIPs != nil {
return true
}

func anyPathHasDeprecatedCredentials(paths map[string]*OptionalPath) bool {
for _, pa := range paths {
if pa != nil {
rva := reflect.ValueOf(pa.Values).Elem()
if credentialIsNotEmpty(rva.FieldByName("PublishUser").Interface().(*Credential)) ||
credentialIsNotEmpty(rva.FieldByName("PublishPass").Interface().(*Credential)) ||
ipNetworkIsNotEmpty(rva.FieldByName("PublishIPs").Interface().(*IPNetworks)) ||
credentialIsNotEmpty(rva.FieldByName("ReadUser").Interface().(*Credential)) ||
credentialIsNotEmpty(rva.FieldByName("ReadPass").Interface().(*Credential)) ||
ipNetworkIsNotEmpty(rva.FieldByName("ReadIPs").Interface().(*IPNetworks)) {
if rva.FieldByName("PublishUser").Interface().(*Credential) != nil ||
rva.FieldByName("PublishPass").Interface().(*Credential) != nil ||
rva.FieldByName("PublishIPs").Interface().(*IPNetworks) != nil ||
rva.FieldByName("ReadUser").Interface().(*Credential) != nil ||
rva.FieldByName("ReadPass").Interface().(*Credential) != nil ||
rva.FieldByName("ReadIPs").Interface().(*IPNetworks) != nil {
return true
}
}
}
return false
}

var defaultAuthInternalUsers = AuthInternalUsers{
{
User: "any",
Pass: "",
Permissions: []AuthInternalUserPermission{
{
Action: AuthActionPublish,
},
{
Action: AuthActionRead,
},
{
Action: AuthActionPlayback,
},
},
},
{
User: "any",
Pass: "",
IPs: IPNetworks{mustParseCIDR("127.0.0.1/32"), mustParseCIDR("::1/128")},
Permissions: []AuthInternalUserPermission{
{
Action: AuthActionAPI,
},
{
Action: AuthActionMetrics,
},
{
Action: AuthActionPprof,
},
},
},
}

// Conf is a configuration.
// WARNING: Avoid using slices directly due to https://github.com/golang/go/issues/21092
type Conf struct {
Expand Down Expand Up @@ -276,39 +311,7 @@ func (conf *Conf) setDefaults() {
conf.UDPMaxPayloadSize = 1472

// Authentication
conf.AuthInternalUsers = []AuthInternalUser{
{
User: "any",
Pass: "",
Permissions: []AuthInternalUserPermission{
{
Action: AuthActionPublish,
},
{
Action: AuthActionRead,
},
{
Action: AuthActionPlayback,
},
},
},
{
User: "any",
Pass: "",
IPs: IPNetworks{mustParseCIDR("127.0.0.1/32"), mustParseCIDR("::1/128")},
Permissions: []AuthInternalUserPermission{
{
Action: AuthActionAPI,
},
{
Action: AuthActionMetrics,
},
{
Action: AuthActionPprof,
},
},
},
}
conf.AuthInternalUsers = defaultAuthInternalUsers
conf.AuthHTTPExclude = []AuthInternalUserPermission{
{
Action: AuthActionAPI,
Expand Down Expand Up @@ -501,7 +504,6 @@ func (conf *Conf) Validate() error {
}

// Authentication

if conf.ExternalAuthenticationURL != nil {
conf.AuthMethod = AuthMethodHTTP
conf.AuthHTTPAddress = *conf.ExternalAuthenticationURL
Expand All @@ -517,17 +519,15 @@ func (conf *Conf) Validate() error {
return fmt.Errorf("'authJWTJWKS' must be a HTTP URL")
}
deprecatedCredentialsMode := false
if credentialIsNotEmpty(conf.PathDefaults.PublishUser) ||
credentialIsNotEmpty(conf.PathDefaults.PublishPass) ||
ipNetworkIsNotEmpty(conf.PathDefaults.PublishIPs) ||
credentialIsNotEmpty(conf.PathDefaults.ReadUser) ||
credentialIsNotEmpty(conf.PathDefaults.ReadPass) ||
ipNetworkIsNotEmpty(conf.PathDefaults.ReadIPs) ||
anyPathHasDeprecatedCredentials(conf.OptionalPaths) {
if anyPathHasDeprecatedCredentials(conf.PathDefaults, conf.OptionalPaths) {
if conf.AuthInternalUsers != nil && !reflect.DeepEqual(conf.AuthInternalUsers, defaultAuthInternalUsers) {
return fmt.Errorf("authInternalUsers and legacy credentials " +
"(publishUser, publishPass, publishIPs, readUser, readPass, readIPs) cannot be used together")
}

conf.AuthInternalUsers = []AuthInternalUser{
{
User: "any",
Pass: "",
Permissions: []AuthInternalUserPermission{
{
Action: AuthActionPlayback,
Expand All @@ -536,7 +536,6 @@ func (conf *Conf) Validate() error {
},
{
User: "any",
Pass: "",
IPs: IPNetworks{mustParseCIDR("127.0.0.1/32"), mustParseCIDR("::1/128")},
Permissions: []AuthInternalUserPermission{
{
Expand Down
60 changes: 60 additions & 0 deletions internal/conf/conf_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -192,6 +192,66 @@ func TestConfEncryption(t *testing.T) {
require.Equal(t, true, ok)
}

func TestConfDeprecatedAuth(t *testing.T) {
tmpf, err := createTempFile([]byte(
"paths:\n" +
" cam:\n" +
" readUser: myuser\n" +
" readPass: mypass\n"))
require.NoError(t, err)
defer os.Remove(tmpf)

conf, _, err := Load(tmpf, nil)
require.NoError(t, err)

require.Equal(t, AuthInternalUsers{
{
User: "any",
Permissions: []AuthInternalUserPermission{
{
Action: AuthActionPlayback,
},
},
},
{
User: "any",
IPs: IPNetworks{mustParseCIDR("127.0.0.1/32"), mustParseCIDR("::1/128")},
Permissions: []AuthInternalUserPermission{
{
Action: AuthActionAPI,
},
{
Action: AuthActionMetrics,
},
{
Action: AuthActionPprof,
},
},
},
{
User: "any",
IPs: IPNetworks{mustParseCIDR("0.0.0.0/0")},
Permissions: []AuthInternalUserPermission{
{
Action: AuthActionPublish,
Path: "cam",
},
},
},
{
User: "myuser",
Pass: "mypass",
IPs: IPNetworks{mustParseCIDR("0.0.0.0/0")},
Permissions: []AuthInternalUserPermission{
{
Action: AuthActionRead,
Path: "cam",
},
},
},
}, conf.AuthInternalUsers)
}

func TestConfErrors(t *testing.T) {
for _, ca := range []struct {
name string
Expand Down
12 changes: 6 additions & 6 deletions internal/conf/path.go
Original file line number Diff line number Diff line change
Expand Up @@ -399,17 +399,17 @@ func (pconf *Path) validate(
if deprecatedCredentialsMode {
func() {
var user Credential = "any"
if credentialIsNotEmpty(pconf.PublishUser) {
if pconf.PublishUser != nil && *pconf.PublishUser != "" {
user = *pconf.PublishUser
}

var pass Credential
if credentialIsNotEmpty(pconf.PublishPass) {
if pconf.PublishPass != nil && *pconf.PublishPass != "" {
pass = *pconf.PublishPass
}

ips := IPNetworks{mustParseCIDR("0.0.0.0/0")}
if ipNetworkIsNotEmpty(pconf.PublishIPs) {
if pconf.PublishIPs != nil && len(*pconf.PublishIPs) != 0 {
ips = *pconf.PublishIPs
}

Expand All @@ -431,17 +431,17 @@ func (pconf *Path) validate(

func() {
var user Credential = "any"
if credentialIsNotEmpty(pconf.ReadUser) {
if pconf.ReadUser != nil && *pconf.ReadUser != "" {
user = *pconf.ReadUser
}

var pass Credential
if credentialIsNotEmpty(pconf.ReadPass) {
if pconf.ReadPass != nil && *pconf.ReadPass != "" {
pass = *pconf.ReadPass
}

ips := IPNetworks{mustParseCIDR("0.0.0.0/0")}
if ipNetworkIsNotEmpty(pconf.ReadIPs) {
if pconf.ReadIPs != nil && len(*pconf.ReadIPs) != 0 {
ips = *pconf.ReadIPs
}

Expand Down

0 comments on commit 9554fc4

Please sign in to comment.