Add access key gating to incoming streams

For the moment this is a singleton. One access key will let you stream to any app or stream key. It's denoted in the form of appending a GET parameter to the URL like `?access_key=foobarbaz` This at least means someone who knows the stream URL (frex to view it) won't also be able to stream.
2025-02-16 17:06:35 -08:00 · 2025-02-16 17:06:35 -08:00 · 4c2c82cfc3
commit 4c2c82cfc3
parent c934bedd44
3 changed files with 24 additions and 3 deletions
--- a/admission.py
+++ b/admission.py
@ -45,7 +45,7 @@ def webhook_offline() -> None:
    requests.post(config.WEBHOOK_URL, timeout=10, json=data, headers=config.WEBHOOK_HEADERS)


-def check_authorized(host, app, stream, source) -> bool:
+def check_authorized(host, app, stream, source, access_key) -> bool:
    # Are we globally disabled?
    if config.DISABLED:
        return False
@ -57,7 +57,10 @@ def check_authorized(host, app, stream, source) -> bool:
    if f"default:{app}:{stream}" in config.DISABLED_KEYS:
        return False
    # Finally check the provided vhost app/stream
-    return f"{host}:{app}:{stream}" not in config.DISABLED_KEYS
+    if f"{host}:{app}:{stream}" in config.DISABLED_KEYS:
+        return False
+    # Check for an access key requirement
+    return not (config.ACCESS_KEY and access_key != config.ACCESS_KEY)


@cherrypy.tools.register("on_end_request")
@ -124,6 +127,16 @@ class Admission:
        _, _, host, app, path = input_json["request"]["url"].split("/")[:5]
        stream = path.split("?")[0]

+        # Tokenize out URL GET parameters
+        params = {}
+        if "?" in path:
+            for pair in path.split("?")[1].split("&"):
+                if "=" in pair:
+                    k, v = pair.split("=", 1)
+                    params[k] = v
+                else:
+                    params[pair] = None
+
        # Populate variables for our on_end_request tool into request object
        cherrypy.request.update_stream = ("default", app, stream)

@ -136,7 +149,7 @@ class Admission:
        ip = input_json["client"]["real_ip"]

        # Check if stream is authorized
-        if not check_authorized(host, app, stream, ip):
+        if not check_authorized(host, app, stream, ip, params.get("access_key")):
            cherrypy.log(f"Unauthorized stream key: {app}/{stream}")
            return {"allowed": False}

--- a/config.py
+++ b/config.py
@ -7,6 +7,8 @@ from pathlib import Path
 API_USER = os.getenv("OVENMONITOR_API_USER", "")
 API_PASS = os.getenv("OVENMONITOR_API_PASSWORD", "")

+ACCESS_KEY = os.getenv("OVENMONITOR_ACCESS_KEY", "")
+
 WEBHOOK_URL = os.getenv("OVENMONITOR_WEBHOOK_URL", "")
 WEBHOOK_ONLINE = os.getenv("OVENMONITOR_WEBHOOK_ONLINE", "")
 WEBHOOK_OFFLINE = os.getenv("OVENMONITOR_WEBHOOK_OFFLINE", "")
--- a/example/ome_access_control.conf
+++ b/example/ome_access_control.conf
@ -0,0 +1,6 @@
+[Service]
+# This is an access key you wish to require in all inbound streams. This must
+# be provided as a GET parameter "access_key". For example:
+# rtmp://example.org/app/stream?access_key=loginkeyhere
+Environment="OVENMONITOR_ACCESS_KEY=loginkeyhere"
+