Send additional fields to the external authentication URL (#1408)

* send 'protocol' to the external authentication URL * send session ID to the external authentication URL
3 years ago · b02d3b83c7
10 changed files with 53 additions and 20 deletions
--- a/README.md
+++ b/README.md
@ -264,7 +264,10 @@ Each time a user needs to be authenticated, the specified URL will be requested
				@@ -264,7 +264,10 @@ Each time a user needs to be authenticated, the specified URL will be requested
  "user": "user",
  "password": "password",
  "path": "path",
-  "action": "read|publish"
+  "protocol": "rtsp|rtmp|hls|webrtc",
+  "id": "id",
+  "action": "read|publish",
+  "query": "query"
 }
 ```

--- a/internal/core/externalauth.go
+++ b/internal/core/externalauth.go
@ -5,6 +5,17 @@ import (
				@@ -5,6 +5,17 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+
+	"github.com/google/uuid"
+)
+
+type externalAuthProto string
+
+const (
+	externalAuthProtoRTSP   externalAuthProto = "rtsp"
+	externalAuthProtoRTMP   externalAuthProto = "rtmp"
+	externalAuthProtoHLS    externalAuthProto = "hls"
+	externalAuthProtoWebRTC externalAuthProto = "webrtc"
 )

 func externalAuth(
@ -13,23 +24,28 @@ func externalAuth(
				@@ -13,23 +24,28 @@ func externalAuth(
 	user string,
 	password string,
 	path string,
-	isPublishing bool,
+	protocol externalAuthProto,
+	id *uuid.UUID,
+	publish bool,
 	query string,
 ) error {
 	enc, _ := json.Marshal(struct {
-		IP       string `json:"ip"`
-		User     string `json:"user"`
-		Password string `json:"password"`
-		Path     string `json:"path"`
-		Action   string `json:"action"`
-		Query    string `json:"query"`
+		IP       string     `json:"ip"`
+		User     string     `json:"user"`
+		Password string     `json:"password"`
+		Path     string     `json:"path"`
+		Protocol string     `json:"protocol"`
+		ID       *uuid.UUID `json:"id"`
+		Action   string     `json:"action"`
+		Query    string     `json:"query"`
 	}{
 		IP:       ip,
 		User:     user,
 		Password: password,
 		Path:     path,
+		Protocol: string(protocol),
 		Action: func() string {
-			if isPublishing {
+			if publish {
 				return "publish"
 			}
 			return "read"
--- a/internal/core/hls_muxer.go
+++ b/internal/core/hls_muxer.go
@ -570,6 +570,8 @@ func (m *hlsMuxer) authenticate(ctx *gin.Context) error {
				@@ -570,6 +570,8 @@ func (m *hlsMuxer) authenticate(ctx *gin.Context) error {
 			user,
 			pass,
 			m.pathName,
+			externalAuthProtoHLS,
+			nil,
 			false,
 			ctx.Request.URL.RawQuery)
 		if err != nil {
--- a/internal/core/hls_server_test.go
+++ b/internal/core/hls_server_test.go
@ -12,19 +12,21 @@ import (
				@@ -12,19 +12,21 @@ import (
 )

 type testHTTPAuthenticator struct {
-	action string
+	protocol string
+	action   string

 	s *http.Server
 }

-func newTestHTTPAuthenticator(action string) (*testHTTPAuthenticator, error) {
+func newTestHTTPAuthenticator(protocol string, action string) (*testHTTPAuthenticator, error) {
 	ln, err := net.Listen("tcp", "127.0.0.1:9120")
 	if err != nil {
 		return nil, err
 	}

 	ts := &testHTTPAuthenticator{
-		action: action,
+		protocol: protocol,
+		action:   action,
 	}

 	router := gin.New()
@ -46,6 +48,7 @@ func (ts *testHTTPAuthenticator) onAuth(ctx *gin.Context) {
				@@ -46,6 +48,7 @@ func (ts *testHTTPAuthenticator) onAuth(ctx *gin.Context) {
 		User     string `json:"user"`
 		Password string `json:"password"`
 		Path     string `json:"path"`
+		Protocol string `json:"protocol"`
 		Action   string `json:"action"`
 		Query    string `json:"query"`
 	}
@ -66,6 +69,7 @@ func (ts *testHTTPAuthenticator) onAuth(ctx *gin.Context) {
				@@ -66,6 +69,7 @@ func (ts *testHTTPAuthenticator) onAuth(ctx *gin.Context) {
 		in.User != user ||
 		in.Password != "testpass" ||
 		in.Path != "teststream" ||
+		in.Protocol != ts.protocol ||
 		in.Action != ts.action ||
 		(in.Query != "user=testreader&pass=testpass&param=value" &&
 			in.Query != "user=testpublisher&pass=testpass&param=value" &&
--- a/internal/core/rtmp_conn.go
+++ b/internal/core/rtmp_conn.go
@ -640,6 +640,8 @@ func (c *rtmpConn) authenticate(
				@@ -640,6 +640,8 @@ func (c *rtmpConn) authenticate(
 			query.Get("user"),
 			query.Get("pass"),
 			pathName,
+			externalAuthProtoRTMP,
+			&c.uuid,
 			isPublishing,
 			rawQuery)
 		if err != nil {
--- a/internal/core/rtmp_server_test.go
+++ b/internal/core/rtmp_server_test.go
@ -176,7 +176,7 @@ func TestRTMPServerAuth(t *testing.T) {
				@@ -176,7 +176,7 @@ func TestRTMPServerAuth(t *testing.T) {
 			var a *testHTTPAuthenticator
 			if ca == "external" {
 				var err error
-				a, err = newTestHTTPAuthenticator("publish")
+				a, err = newTestHTTPAuthenticator("rtmp", "publish")
 				require.NoError(t, err)
 			}

@ -211,7 +211,7 @@ func TestRTMPServerAuth(t *testing.T) {
				@@ -211,7 +211,7 @@ func TestRTMPServerAuth(t *testing.T) {

 			if ca == "external" {
 				a.close()
-				a, err = newTestHTTPAuthenticator("read")
+				a, err = newTestHTTPAuthenticator("rtmp", "read")
 				require.NoError(t, err)
 				defer a.close()
 			}
@ -296,7 +296,7 @@ func TestRTMPServerAuthFail(t *testing.T) {
				@@ -296,7 +296,7 @@ func TestRTMPServerAuthFail(t *testing.T) {
 		require.Equal(t, true, ok)
 		defer p.Close()

-		a, err := newTestHTTPAuthenticator("publish")
+		a, err := newTestHTTPAuthenticator("rtmp", "publish")
 		require.NoError(t, err)
 		defer a.close()

--- a/internal/core/rtsp_conn.go
+++ b/internal/core/rtsp_conn.go
@ -139,6 +139,8 @@ func (c *rtspConn) authenticate(
				@@ -139,6 +139,8 @@ func (c *rtspConn) authenticate(
 			username,
 			password,
 			path,
+			externalAuthProtoRTSP,
+			&c.uuid,
 			isPublishing,
 			query)
 		if err != nil {
--- a/internal/core/rtsp_server_test.go
+++ b/internal/core/rtsp_server_test.go
@ -42,7 +42,7 @@ func TestRTSPServerAuth(t *testing.T) {
				@@ -42,7 +42,7 @@ func TestRTSPServerAuth(t *testing.T) {
 			var a *testHTTPAuthenticator
 			if ca == "external" {
 				var err error
-				a, err = newTestHTTPAuthenticator("publish")
+				a, err = newTestHTTPAuthenticator("rtsp", "publish")
 				require.NoError(t, err)
 			}

@ -59,7 +59,7 @@ func TestRTSPServerAuth(t *testing.T) {
				@@ -59,7 +59,7 @@ func TestRTSPServerAuth(t *testing.T) {
 			if ca == "external" {
 				a.close()
 				var err error
-				a, err = newTestHTTPAuthenticator("read")
+				a, err = newTestHTTPAuthenticator("rtsp", "read")
 				require.NoError(t, err)
 				defer a.close()
 			}
@ -226,7 +226,7 @@ func TestRTSPServerAuthFail(t *testing.T) {
				@@ -226,7 +226,7 @@ func TestRTSPServerAuthFail(t *testing.T) {
 		require.Equal(t, true, ok)
 		defer p.Close()

-		a, err := newTestHTTPAuthenticator("publish")
+		a, err := newTestHTTPAuthenticator("rtsp", "publish")
 		require.NoError(t, err)
 		defer a.close()

--- a/internal/core/webrtc_server.go
+++ b/internal/core/webrtc_server.go
@ -436,6 +436,8 @@ func (s *webRTCServer) authenticate(pa *path, ctx *gin.Context) error {
				@@ -436,6 +436,8 @@ func (s *webRTCServer) authenticate(pa *path, ctx *gin.Context) error {
 			user,
 			pass,
 			pa.name,
+			externalAuthProtoWebRTC,
+			nil,
 			false,
 			ctx.Request.URL.RawQuery)
 		if err != nil {
--- a/rtsp-simple-server.yml
+++ b/rtsp-simple-server.yml
@ -25,8 +25,10 @@ readBufferCount: 512
				@@ -25,8 +25,10 @@ readBufferCount: 512
 #   "user": "user",
 #   "password": "password",
 #   "path": "path",
-#   "action": "read|publish"
-#   "query": "url's raw query"
+#   "protocol": "rtsp|rtmp|hls|webrtc",
+#   "id": "id",
+#   "action": "read|publish",
+#   "query": "query"
 # }
 # If the response code is 20x, authentication is accepted, otherwise
 # it is discarded.