implement "auth-ip-acl=" in the native and esound protocols

git-svn-id: file:///home/lennart/svn/public/pulseaudio/trunk@1125 fefdeb5f-60dc-0310-8127-8f9354f1896f

src/Makefile.am

@@ -513,7 +513,7 @@ pulsecoreinclude_HEADERS = \
 
 lib_LTLIBRARIES += libpulsecore.la
 
-# Some public stuff is used even in the core.
+# Some public stuff is used even in the core
 libpulsecore_la_SOURCES = \
 		pulse/channelmap.c pulse/channelmap.h \
 		pulse/error.c pulse/error.h \
@@ -733,7 +733,7 @@ libprotocol_http_la_LIBADD = $(AM_LIBADD) libsocket-server.la libioline.la libpu
 
 libprotocol_native_la_SOURCES = pulsecore/protocol-native.c pulsecore/protocol-native.h pulsecore/native-common.h
 libprotocol_native_la_LDFLAGS = -avoid-version
-libprotocol_native_la_LIBADD = $(AM_LIBADD) libsocket-server.la libpstream.la libpstream-util.la libpdispatch.la libtagstruct.la libauthkey.la libauthkey-prop.la libstrlist.la libpulsecore.la libiochannel.la
+libprotocol_native_la_LIBADD = $(AM_LIBADD) libsocket-server.la libpstream.la libpstream-util.la libpdispatch.la libtagstruct.la libauthkey.la libauthkey-prop.la libstrlist.la libpulsecore.la libiochannel.la libipacl.la
 
 libtagstruct_la_SOURCES = pulsecore/tagstruct.c pulsecore/tagstruct.h
 libtagstruct_la_LDFLAGS = -avoid-version
@@ -741,7 +741,7 @@ libtagstruct_la_LIBADD = $(AM_LIBADD) libpulsecore.la $(WINSOCK_LIBS)
 
 libprotocol_esound_la_SOURCES = pulsecore/protocol-esound.c pulsecore/protocol-esound.h pulsecore/esound.h
 libprotocol_esound_la_LDFLAGS = -avoid-version
-libprotocol_esound_la_LIBADD = $(AM_LIBADD) libsocket-server.la libiochannel.la libauthkey.la libpulsecore.la
+libprotocol_esound_la_LIBADD = $(AM_LIBADD) libsocket-server.la libiochannel.la libauthkey.la libpulsecore.la libipacl.la
 
 libauthkey_la_SOURCES = pulsecore/authkey.c pulsecore/authkey.h
 libauthkey_la_LDFLAGS = -avoid-version

src/modules/module-protocol-stub.c

@@ -129,8 +129,11 @@
   #endif
 
   #if defined(HAVE_CREDS) && !defined(USE_TCP_SOCKETS)
-    #define MODULE_ARGUMENTS MODULE_ARGUMENTS_COMMON "auth-group", "auth-group-enable="
+    #define MODULE_ARGUMENTS MODULE_ARGUMENTS_COMMON "auth-group", "auth-group-enable", 
     #define AUTH_USAGE "auth-group=<system group to allow access> auth-group-enable=<enable auth by UNIX group?> "
+  #elif defined(USE_TCP_SOCKETS)
+    #define MODULE_ARGUMENTS MODULE_ARGUMENTS_COMMON "auth-ip-acl", 
+    #define AUTH_USAGE "auth-ip-acl=<IP address ACL to allow access> "
   #else
     #define MODULE_ARGUMENTS MODULE_ARGUMENTS_COMMON
     #define AUTH_USAGE
@@ -149,17 +152,27 @@
   #define TCPWRAP_SERVICE "esound"
   #define IPV4_PORT ESD_DEFAULT_PORT
   #define UNIX_SOCKET ESD_UNIX_SOCKET_NAME
-  #define MODULE_ARGUMENTS "sink", "source", "auth-anonymous", "cookie",
+  #define MODULE_ARGUMENTS_COMMON "sink", "source", "auth-anonymous", "cookie",
   #ifdef USE_TCP_SOCKETS
     #include "module-esound-protocol-tcp-symdef.h"
   #else
     #include "module-esound-protocol-unix-symdef.h"
   #endif
+
+  #if defined(USE_TCP_SOCKETS)
+    #define MODULE_ARGUMENTS MODULE_ARGUMENTS_COMMON "auth-ip-acl", 
+    #define AUTH_USAGE "auth-ip-acl=<IP address ACL to allow access> "
+  #else
+    #define MODULE_ARGUMENTS MODULE_ARGUMENTS_COMMON
+    #define AUTH_USAGE
+  #endif
+
   PA_MODULE_DESCRIPTION("ESOUND protocol "SOCKET_DESCRIPTION)
   PA_MODULE_USAGE("sink=<sink to connect to> "
                   "source=<source to connect to> "
                   "auth-anonymous=<don't verify cookies?> "
                   "cookie=<path to cookie file> "
+                  AUTH_USAGE
                   SOCKET_USAGE)
 #else
   #error "Broken build system" 

src/pulsecore/iochannel.c

@@ -408,3 +408,9 @@ pa_mainloop_api* pa_iochannel_get_mainloop_api(pa_iochannel *io) {
     
     return io->mainloop;
 }
+
+int pa_iochannel_get_recv_fd(pa_iochannel *io) {
+    assert(io);
+
+    return io->ifd;
+}

src/pulsecore/iochannel.h

@@ -79,4 +79,6 @@ int pa_iochannel_socket_set_sndbuf(pa_iochannel*io, size_t l);
 
 pa_mainloop_api* pa_iochannel_get_mainloop_api(pa_iochannel *io);
 
+int pa_iochannel_get_recv_fd(pa_iochannel *io);
+
 #endif

src/pulsecore/protocol-esound.c

@@ -49,6 +49,7 @@
 #include <pulsecore/log.h>
 #include <pulsecore/core-util.h>
 #include <pulsecore/core-error.h>
+#include <pulsecore/ipacl.h>
 
 #include "endianmacros.h"
 
@@ -116,6 +117,7 @@ struct pa_protocol_esound {
     char *sink_name, *source_name;
     unsigned n_player;
     uint8_t esd_key[ESD_KEY_LEN];
+    pa_ip_acl *auth_ip_acl;
 };
 
 typedef struct proto_handler {
@@ -1162,7 +1164,7 @@ static void on_connection(pa_socket_server*s, pa_iochannel *io, void *userdata)
     c->client->kill = client_kill_cb;
     c->client->userdata = c;
     
-    c->authorized = p->public;
+    c->authorized = !!p->public;
     c->swap_byte_order = 0;
     c->dead = 0;
 
@@ -1191,6 +1193,11 @@ static void on_connection(pa_socket_server*s, pa_iochannel *io, void *userdata)
 
     c->original_name = NULL;
 
+    if (!c->authorized && p->auth_ip_acl && pa_ip_acl_check(p->auth_ip_acl, pa_iochannel_get_recv_fd(io)) > 0) {
+        pa_log_info(__FILE__": Client authenticated by IP ACL.");
+        c->authorized = 1;
+    }
+
     if (!c->authorized) {
         struct timeval tv;
         pa_gettimeofday(&tv);
@@ -1211,19 +1218,31 @@ static void on_connection(pa_socket_server*s, pa_iochannel *io, void *userdata)
 pa_protocol_esound* pa_protocol_esound_new(pa_core*core, pa_socket_server *server, pa_module *m, pa_modargs *ma) {
     pa_protocol_esound *p;
     int public = 0;
-    assert(core && server && ma);
+    const char *acl;
+    
+    assert(core);
+    assert(server);
+    assert(m);
+    assert(ma);
 
     p = pa_xnew(pa_protocol_esound, 1);
 
     if (pa_modargs_get_value_boolean(ma, "auth-anonymous", &public) < 0) {
         pa_log(__FILE__": auth-anonymous= expects a boolean argument.");
-        return NULL;
+        goto fail;
     }
 
-    if (pa_authkey_load_auto(pa_modargs_get_value(ma, "cookie", DEFAULT_COOKIE_FILE), p->esd_key, sizeof(p->esd_key)) < 0) {
-        pa_xfree(p);
-        return NULL;
+    if (pa_authkey_load_auto(pa_modargs_get_value(ma, "cookie", DEFAULT_COOKIE_FILE), p->esd_key, sizeof(p->esd_key)) < 0)
+        goto fail;
+
+    if ((acl = pa_modargs_get_value(ma, "auth-ip-acl", NULL))) {
+
+        if (!(p->auth_ip_acl = pa_ip_acl_new(acl))) {
+            pa_log(__FILE__": Failed to parse IP ACL '%s'", acl);
+            goto fail;
         }
+    } else
+        p->auth_ip_acl = NULL;
     
     p->module = m;
     p->public = public;
@@ -1238,6 +1257,10 @@ pa_protocol_esound* pa_protocol_esound_new(pa_core*core, pa_socket_server *serve
     p->n_player = 0;
 
     return p;
+
+fail:
+    pa_xfree(p);
+    return NULL;
 }
 
 void pa_protocol_esound_free(pa_protocol_esound *p) {
@@ -1249,5 +1272,9 @@ void pa_protocol_esound_free(pa_protocol_esound *p) {
 
     pa_idxset_free(p->connections, NULL, NULL);
     pa_socket_server_unref(p->server);
+
+    if (p->auth_ip_acl)
+        pa_ip_acl_free(p->auth_ip_acl);
+
     pa_xfree(p);
 }

src/pulsecore/protocol-native.c

@@ -57,6 +57,7 @@
 #include <pulsecore/llist.h>
 #include <pulsecore/creds.h>
 #include <pulsecore/core-util.h>
+#include <pulsecore/ipacl.h>
 
 #include "protocol-native.h"
 
@@ -139,6 +140,7 @@ struct pa_protocol_native {
 #ifdef HAVE_CREDS
     char *auth_group;
 #endif
+    pa_ip_acl *auth_ip_acl;
 };
 
 static int sink_input_peek_cb(pa_sink_input *i, pa_memchunk *chunk);
@@ -942,7 +944,7 @@ static void command_auth(PA_GCC_UNUSED pa_pdispatch *pd, PA_GCC_UNUSED uint32_t
         }
 #endif
 
-        if (memcmp(c->protocol->auth_cookie, cookie, PA_NATIVE_COOKIE_LENGTH) == 0)
+        if (!success && memcmp(c->protocol->auth_cookie, cookie, PA_NATIVE_COOKIE_LENGTH) == 0)
             success = 1;
 
         if (!success) {
@@ -2241,6 +2243,11 @@ static void on_connection(PA_GCC_UNUSED pa_socket_server*s, pa_iochannel *io, vo
 
     c->authorized = !!p->public;
 
+    if (!c->authorized && p->auth_ip_acl && pa_ip_acl_check(p->auth_ip_acl, pa_iochannel_get_recv_fd(io)) > 0) {
+        pa_log_info(__FILE__": Client authenticated by IP ACL.");
+        c->authorized = 1;
+    }
+    
     if (!c->authorized) {
         struct timeval tv;
         pa_gettimeofday(&tv);
@@ -2319,7 +2326,10 @@ static int load_key(pa_protocol_native*p, const char*fn) {
 static pa_protocol_native* protocol_new_internal(pa_core *c, pa_module *m, pa_modargs *ma) {
     pa_protocol_native *p;
     int public = 0;
-    assert(c && ma);
+    const char *acl;
+    
+    assert(c);
+    assert(ma);
 
     if (pa_modargs_get_value_boolean(ma, "auth-anonymous", &public) < 0) {
         pa_log(__FILE__": auth-anonymous= expects a boolean argument.");
@@ -2331,6 +2341,7 @@ static pa_protocol_native* protocol_new_internal(pa_core *c, pa_module *m, pa_mo
     p->module = m;
     p->public = public;
     p->server = NULL;
+    p->auth_ip_acl = NULL;
     
 #ifdef HAVE_CREDS
     {
@@ -2346,15 +2357,29 @@ static pa_protocol_native* protocol_new_internal(pa_core *c, pa_module *m, pa_mo
     }
 #endif
 
-    if (load_key(p, pa_modargs_get_value(ma, "cookie", NULL)) < 0) {
-        pa_xfree(p);
-        return NULL;
+
+    if ((acl = pa_modargs_get_value(ma, "auth-ip-acl", NULL))) {
+
+        if (!(p->auth_ip_acl = pa_ip_acl_new(acl))) {
+            pa_log(__FILE__": Failed to parse IP ACL '%s'", acl);
+            goto fail;
         }
+    }
+
+    if (load_key(p, pa_modargs_get_value(ma, "cookie", NULL)) < 0)
+        goto fail;
 
     p->connections = pa_idxset_new(NULL, NULL);
     assert(p->connections);
 
     return p;
+
+fail:
+    pa_xfree(p->auth_group);
+    if (p->auth_ip_acl)
+        pa_ip_acl_free(p->auth_ip_acl);
+    pa_xfree(p);
+    return NULL;
 }
 
 pa_protocol_native* pa_protocol_native_new(pa_core *core, pa_socket_server *server, pa_module *m, pa_modargs *ma) {
@@ -2405,6 +2430,9 @@ void pa_protocol_native_free(pa_protocol_native *p) {
     if (p->auth_cookie_in_property)
         pa_authkey_prop_unref(p->core, PA_NATIVE_COOKIE_PROPERTY_NAME);
 
+    if (p->auth_ip_acl)
+        pa_ip_acl_free(p->auth_ip_acl);
+    
 #ifdef HAVE_CREDS
     pa_xfree(p->auth_group);
 #endif