feat(mediaauth): policy-based playback authorization#22
Merged
Conversation
Replace the single global media-auth config with first-class Policy entities. Each Policy carries its own token secret and its own static allow/deny chain (IP / country / user-agent / referer-domain). A stream binds to at most one Policy via PlaybackPolicy; a stream with no policy is public, and a reference to an unknown policy fails closed. - domain.Policy + PolicyCode + Validate; rename Stream/Template PlaybackAuth -> PlaybackPolicy (a code reference), inherited via ResolveStream - store.PolicyRepository (json + yaml) + fixtures + round-trip tests - mediaauth.Authorizer resolves a stream's policy and runs the chain using that policy's own secret; the compiled set is hot-swapped via SetPolicies (atomic) - /policies CRUD handler inside the admin-auth group; delete is refused (409) while any stream or template still references the policy; every change hot-reloads the authorizer - remove the global media-auth config block and its config-reload hook BREAKING CHANGE: the global media-auth config and the playback_auth field are removed. Recreate playback rules as Policy entities and bind streams via playback_policy.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Reworks media-plane (playback) authorization from a single global config into first-class, reusable Policy objects.
/policies) that carries a complete, self-contained rule set:require_token+ its owntoken_secret, plus staticallow/denylists for IP (exact or CIDR), country (ISO-3166-1 alpha-2), user-agent (substring), and referer domain.playback_policy(templates carry the same field and inherit it). A stream with no policy is public (allow-all); a reference to an unknown policy fails closed (deny).API
/policies(admin-auth group):GET /policies— listGET /policies/{code}— getPOST /policies/{code}— create/replace (validated; URL code is authoritative)DELETE /policies/{code}— refused with409 POLICY_IN_USEwhile any stream or template still references itTokens are client-signed, server-verify-only (HMAC-SHA256 over
<stream_code>|<exp>, keyed by the policy's secret). The MAC binds to the stream code, so a token minted for one stream never authorizes another.Behaviour
Breaking change / migration
The global media-auth config block and the
playback_authfield are removed. Recreate playback rules as Policy entities and bind streams viaplayback_policy. Streams that previously setplayback_authbecome public until re-bound to a policy.Tests
Policy.Validate, json/yamlPolicyRepository, mediaauth chain rewritten for the per-policy model (deny/allow per dimension, token sign/verify/expiry/tamper/cross-stream, unknown-policy fail-closed, hot-reload).go build,go vet,golangci-lint(0 issues), andgo test -race -shuffle=on ./...all green.