add security for hls/flv/rtc/srt

ossrs · Dec 7, 2023 · 9b3d142 · 9b3d142
1 parent 1b34fc4
commit 9b3d142
Show file tree

Hide file tree

Showing 9 changed files with 57 additions and 7 deletions.
diff --git a/trunk/src/app/srs_app_http_static.cpp b/trunk/src/app/srs_app_http_static.cpp
@@ -64,6 +64,7 @@ void SrsHlsVirtualConn::expire()
 SrsHlsStream::SrsHlsStream()
 {
     _srs_hybrid->timer5s()->subscribe(this);
+    security_ = new SrsSecurity();
 }
 
 SrsHlsStream::~SrsHlsStream()
@@ -76,6 +77,7 @@ SrsHlsStream::~SrsHlsStream()
         srs_freep(info);
     }
     map_ctx_info_.clear();
+    srs_freep(security_);
 }
 
 srs_error_t SrsHlsStream::serve_m3u8_ctx(ISrsHttpResponseWriter* w, ISrsHttpMessage* r, ISrsFileReaderFactory* factory, string fullpath, SrsRequest* req, bool* served)
@@ -167,6 +169,10 @@ srs_error_t SrsHlsStream::serve_new_session(ISrsHttpResponseWriter* w, ISrsHttpM
         return srs_error_wrap(err, "stat on client");
     }
 
+    if ((err = security_->check(SrsHlsPlay, req->ip, req)) != srs_success) {
+        return srs_error_wrap(err, "HLS: security check");
+    }
+
     // We must do hook after stat, because depends on it.
     if ((err = http_hooks_on_play(req)) != srs_success) {
         return srs_error_wrap(err, "HLS: http_hooks_on_play");

diff --git a/trunk/src/app/srs_app_http_static.hpp b/trunk/src/app/srs_app_http_static.hpp
@@ -8,7 +8,7 @@
 #define SRS_APP_HTTP_STATIC_HPP
 
 #include <srs_core.hpp>
-
+#include <srs_app_security.hpp>
 #include <srs_app_http_conn.hpp>
 
 class ISrsFileReaderFactory;
@@ -52,6 +52,8 @@ class SrsHlsStream : public ISrsFastTimer
 // interface ISrsFastTimer
 private:
     srs_error_t on_timer(srs_utime_t interval);
+private:
+    SrsSecurity* security_;
 };
 
 // The Vod streaming, like FLV, MP4 or HLS streaming.

diff --git a/trunk/src/app/srs_app_http_stream.cpp b/trunk/src/app/srs_app_http_stream.cpp
@@ -558,11 +558,13 @@ SrsLiveStream::SrsLiveStream(SrsLiveSource* s, SrsRequest* r, SrsBufferCache* c)
     source = s;
     cache = c;
     req = r->copy()->as_http();
+    security_ = new SrsSecurity();
 }
 
 SrsLiveStream::~SrsLiveStream()
 {
     srs_freep(req);
+    srs_freep(security_);
 }
 
 srs_error_t SrsLiveStream::update_auth(SrsLiveSource* s, SrsRequest* r)
@@ -600,6 +602,10 @@ srs_error_t SrsLiveStream::serve_http(ISrsHttpResponseWriter* w, ISrsHttpMessage
         return srs_error_wrap(err, "stat on client");
     }
 
+    if ((err = security_->check(SrsFlvPlay, req->ip, req)) != srs_success) {
+        return srs_error_wrap(err, "flv: security check");
+    }
+
     // We must do hook after stat, because depends on it.
     if ((err = http_hooks_on_play(r)) != srs_success) {
         return srs_error_wrap(err, "http hook");

diff --git a/trunk/src/app/srs_app_http_stream.hpp b/trunk/src/app/srs_app_http_stream.hpp
@@ -8,7 +8,7 @@
 #define SRS_APP_HTTP_STREAM_HPP
 
 #include <srs_core.hpp>
-
+#include <srs_app_security.hpp>
 #include <srs_app_http_conn.hpp>
 
 class SrsAacTransmuxer;
@@ -180,6 +180,7 @@ class SrsLiveStream : public ISrsHttpHandler
     SrsRequest* req;
     SrsLiveSource* source;
     SrsBufferCache* cache;
+    SrsSecurity* security_;
 public:
     SrsLiveStream(SrsLiveSource* s, SrsRequest* r, SrsBufferCache* c);
     virtual ~SrsLiveStream();

diff --git a/trunk/src/app/srs_app_rtc_api.cpp b/trunk/src/app/srs_app_rtc_api.cpp
@@ -31,10 +31,12 @@ using namespace std;
 SrsGoApiRtcPlay::SrsGoApiRtcPlay(SrsRtcServer* server)
 {
     server_ = server;
+    security_ = new SrsSecurity();
 }
 
 SrsGoApiRtcPlay::~SrsGoApiRtcPlay()
 {
+    srs_freep(security_);
 }
 
 
@@ -228,6 +230,10 @@ srs_error_t SrsGoApiRtcPlay::serve_http(ISrsHttpResponseWriter* w, ISrsHttpMessa
         }
     }
 
+    if ((err = security_->check(SrsRtcConnPlay, ruc->req_->ip, ruc->req_)) != srs_success) {
+        return srs_error_wrap(err, "RTC: security check");
+    }
+
     if ((err = http_hooks_on_play(ruc->req_)) != srs_success) {
         return srs_error_wrap(err, "RTC: http_hooks_on_play");
     }
@@ -324,10 +330,12 @@ srs_error_t SrsGoApiRtcPlay::http_hooks_on_play(SrsRequest* req)
 SrsGoApiRtcPublish::SrsGoApiRtcPublish(SrsRtcServer* server)
 {
     server_ = server;
+    security_ = new SrsSecurity();
 }
 
 SrsGoApiRtcPublish::~SrsGoApiRtcPublish()
 {
+    srs_freep(security_);
 }
 
 // Request:
@@ -503,6 +511,10 @@ srs_error_t SrsGoApiRtcPublish::serve_http(ISrsHttpResponseWriter* w, ISrsHttpMe
         return srs_error_wrap(err, "create session");
     }
 
+    if ((err = security_->check(SrsRtcConnPublish, ruc->req_->ip, ruc->req_)) != srs_success) {
+        return srs_error_wrap(err, "RTC: security check");
+    }
+
     // We must do hook after stat, because depends on it.
     if ((err = http_hooks_on_publish(ruc->req_)) != srs_success) {
         return srs_error_wrap(err, "RTC: http_hooks_on_publish");

diff --git a/trunk/src/app/srs_app_rtc_api.hpp b/trunk/src/app/srs_app_rtc_api.hpp
@@ -8,7 +8,7 @@
 #define SRS_APP_RTC_API_HPP
 
 #include <srs_core.hpp>
-
+#include <srs_app_security.hpp>
 #include <srs_protocol_http_stack.hpp>
 
 class SrsRtcServer;
@@ -20,6 +20,7 @@ class SrsGoApiRtcPlay : public ISrsHttpHandler
 {
 private:
     SrsRtcServer* server_;
+    SrsSecurity* security_;
 public:
     SrsGoApiRtcPlay(SrsRtcServer* server);
     virtual ~SrsGoApiRtcPlay();
@@ -39,6 +40,7 @@ class SrsGoApiRtcPublish : public ISrsHttpHandler
 {
 private:
     SrsRtcServer* server_;
+    SrsSecurity* security_;
 public:
     SrsGoApiRtcPublish(SrsRtcServer* server);
     virtual ~SrsGoApiRtcPublish();

diff --git a/trunk/src/app/srs_app_security.cpp b/trunk/src/app/srs_app_security.cpp
@@ -75,7 +75,10 @@ srs_error_t SrsSecurity::allow_check(SrsConfDirective* rules, SrsRtmpConnType ty
 
         switch (type) {
             case SrsRtmpConnPlay:
-            case SrsRtcConnPlay:
+            case SrsHlsPlay:
+            case SrsFlvPlay:
+            case SrsRtcConnPlay: 
+            case SrsSrtConnPlay:
                 if (rule->arg0() != "play") {
                     break;
                 }
@@ -90,6 +93,7 @@ srs_error_t SrsSecurity::allow_check(SrsConfDirective* rules, SrsRtmpConnType ty
             case SrsRtmpConnFlashPublish:
             case SrsRtmpConnHaivisionPublish:
             case SrsRtcConnPublish:
+            case SrsSrtConnPublish:
                 if (rule->arg0() != "publish") {
                     break;
                 }
@@ -126,7 +130,10 @@ srs_error_t SrsSecurity::deny_check(SrsConfDirective* rules, SrsRtmpConnType typ
 
         switch (type) {
             case SrsRtmpConnPlay:
-            case SrsRtcConnPlay:               
+            case SrsHlsPlay:
+            case SrsFlvPlay:
+            case SrsRtcConnPlay: 
+            case SrsSrtConnPlay:
                 if (rule->arg0() != "play") {
                     break;
                 }
@@ -141,6 +148,7 @@ srs_error_t SrsSecurity::deny_check(SrsConfDirective* rules, SrsRtmpConnType typ
             case SrsRtmpConnFlashPublish:
             case SrsRtmpConnHaivisionPublish:
             case SrsRtcConnPublish:
+            case SrsSrtConnPublish:
                 if (rule->arg0() != "publish") {
                     break;
                 }

diff --git a/trunk/src/app/srs_app_srt_conn.cpp b/trunk/src/app/srs_app_srt_conn.cpp
@@ -174,6 +174,8 @@ SrsMpegtsSrtConn::SrsMpegtsSrtConn(SrsSrtServer* srt_server, srs_srt_t srt_fd, s
     srt_source_ = NULL;
     req_ = new SrsRequest();
     req_->ip = ip;
+
+    security_ = new SrsSecurity();
 }
 
 SrsMpegtsSrtConn::~SrsMpegtsSrtConn()
@@ -184,6 +186,7 @@ SrsMpegtsSrtConn::~SrsMpegtsSrtConn()
     srs_freep(delta_);
     srs_freep(srt_conn_);
     srs_freep(req_);
+    srs_freep(security_);
 }
 
 std::string SrsMpegtsSrtConn::desc()
@@ -311,6 +314,10 @@ srs_error_t SrsMpegtsSrtConn::publishing()
         return srs_error_wrap(err, "srt: stat client");
     }
 
+    if ((err = security_->check(SrsSrtConnPublish, ip_, req_)) != srs_success) {
+        return srs_error_wrap(err, "srt: security check");
+    }
+
     // We must do hook after stat, because depends on it.
     if ((err = http_hooks_on_publish()) != srs_success) {
         return srs_error_wrap(err, "srt: callback on publish");
@@ -333,12 +340,16 @@ srs_error_t SrsMpegtsSrtConn::playing()
     // We must do stat the client before hooks, because hooks depends on it.
     SrsStatistic* stat = SrsStatistic::instance();
     if ((err = stat->on_client(_srs_context->get_id().c_str(), req_, this, SrsSrtConnPlay)) != srs_success) {
-        return srs_error_wrap(err, "rtmp: stat client");
+        return srs_error_wrap(err, "srt: stat client");
+    }
+
+    if ((err = security_->check(SrsSrtConnPlay, ip_, req_)) != srs_success) {
+        return srs_error_wrap(err, "srt: security check");
     }
 
     // We must do hook after stat, because depends on it.
     if ((err = http_hooks_on_play()) != srs_success) {
-        return srs_error_wrap(err, "rtmp: callback on play");
+        return srs_error_wrap(err, "srt: callback on play");
     }
 
     err = do_playing();

diff --git a/trunk/src/app/srs_app_srt_conn.hpp b/trunk/src/app/srs_app_srt_conn.hpp
@@ -16,6 +16,7 @@
 #include <srs_app_st.hpp>
 #include <srs_app_conn.hpp>
 #include <srs_app_srt_utility.hpp>
+#include <srs_app_security.hpp>
 
 class SrsBuffer;
 class SrsLiveSource;
@@ -123,6 +124,7 @@ class SrsMpegtsSrtConn : public ISrsConnection, public ISrsStartable, public ISr
 
     SrsRequest* req_;
     SrsSrtSource* srt_source_;
+    SrsSecurity* security_;
 };
 
 #endif