From 40106a5533b9b76fbc415ad939cb5b16c4bab42f Mon Sep 17 00:00:00 2001 From: Dimitri Marechal Date: Fri, 7 Jun 2024 16:22:08 +0200 Subject: [PATCH] Added authJWTExclude to allow exclusion of actions while using the JWT authentication method --- internal/auth/manager.go | 5 +++++ internal/conf/conf.go | 12 ++++++++++++ internal/core/core.go | 2 ++ mediamtx.yml | 8 ++++++-- 4 files changed, 25 insertions(+), 2 deletions(-) diff --git a/internal/auth/manager.go b/internal/auth/manager.go index 7a29bb638bda..55b50b061f00 100644 --- a/internal/auth/manager.go +++ b/internal/auth/manager.go @@ -109,6 +109,7 @@ type Manager struct { HTTPAddress string HTTPExclude []conf.AuthInternalUserPermission JWTJWKS string + JWTExclude []conf.AuthInternalUserPermission ReadTimeout time.Duration RTSPAuthMethods []auth.ValidateMethod @@ -255,6 +256,10 @@ func (m *Manager) authenticateHTTP(req *Request) error { } func (m *Manager) authenticateJWT(req *Request) error { + if matchesPermission(m.JWTExclude, req) { + return nil + } + keyfunc, err := m.pullJWTJWKS() if err != nil { return err diff --git a/internal/conf/conf.go b/internal/conf/conf.go index e70da0dcb93e..4ca85582a6ff 100644 --- a/internal/conf/conf.go +++ b/internal/conf/conf.go @@ -142,6 +142,7 @@ type Conf struct { ExternalAuthenticationURL *string `json:"externalAuthenticationURL,omitempty"` // deprecated AuthHTTPExclude AuthInternalUserPermissions `json:"authHTTPExclude"` AuthJWTJWKS string `json:"authJWTJWKS"` + AuthJWTExclude AuthInternalUserPermissions `json:"authJWTExclude"` // Control API API bool `json:"api"` @@ -320,6 +321,17 @@ func (conf *Conf) setDefaults() { Action: AuthActionPprof, }, } + conf.AuthJWTExclude = []AuthInternalUserPermission{ + { + Action: AuthActionAPI, + }, + { + Action: AuthActionMetrics, + }, + { + Action: AuthActionPprof, + }, + } // Control API conf.APIAddress = ":9997" diff --git a/internal/core/core.go b/internal/core/core.go index 2eeadcdb5105..ae8afc19b1a0 100644 --- a/internal/core/core.go +++ b/internal/core/core.go @@ -287,6 +287,7 @@ func (p *Core) createResources(initial bool) error { HTTPAddress: p.conf.AuthHTTPAddress, HTTPExclude: p.conf.AuthHTTPExclude, JWTJWKS: p.conf.AuthJWTJWKS, + JWTExclude: p.conf.AuthJWTExclude, ReadTimeout: time.Duration(p.conf.ReadTimeout), RTSPAuthMethods: p.conf.RTSPAuthMethods, } @@ -674,6 +675,7 @@ func (p *Core) closeResources(newConf *conf.Conf, calledByAPI bool) { newConf.AuthHTTPAddress != p.conf.AuthHTTPAddress || !reflect.DeepEqual(newConf.AuthHTTPExclude, p.conf.AuthHTTPExclude) || newConf.AuthJWTJWKS != p.conf.AuthJWTJWKS || + !reflect.DeepEqual(newConf.AuthJWTExclude, p.conf.AuthJWTExclude) || newConf.ReadTimeout != p.conf.ReadTimeout || !reflect.DeepEqual(newConf.RTSPAuthMethods, p.conf.RTSPAuthMethods) if !closeAuthManager && !reflect.DeepEqual(newConf.AuthInternalUsers, p.conf.AuthInternalUsers) { diff --git a/mediamtx.yml b/mediamtx.yml index 294683813361..aa8448ba0ee3 100644 --- a/mediamtx.yml +++ b/mediamtx.yml @@ -44,7 +44,7 @@ runOnDisconnect: # * internal: users are stored in the configuration file # * http: an external HTTP URL is contacted to perform authentication # * jwt: an external identity server provides authentication through JWTs -authMethod: internal +authMethod: jwt # Internal authentication. # list of users. @@ -120,7 +120,11 @@ authHTTPExclude: # Users are then expected to pass the JWT as a query parameter, i.e. ?jwt=... # This is the JWKS URL that will be used to pull (once) the public key that allows # to validate JWTs. -authJWTJWKS: +authJWTJWKS: https://localhost:7211/.well-known/openid-configuration/jwks +# Actions to exclude from JWT-based authentication. +# Format is the same as the one of user permissions. +authJWTExclude: +- action: publish ############################################### # Global settings -> Control API