mediamtx/internal/pprof/pprof.go

// Package pprof contains a pprof exporter.
package pprof

import (
	"net"
	"net/http"
	"time"

	// start pprof
	_ "net/http/pprof"

	"github.com/bluenviron/mediamtx/internal/auth"
	"github.com/bluenviron/mediamtx/internal/conf"
	"github.com/bluenviron/mediamtx/internal/logger"
	"github.com/bluenviron/mediamtx/internal/protocols/httpp"
	"github.com/bluenviron/mediamtx/internal/restrictnetwork"
	"github.com/gin-gonic/gin"
)

type pprofAuthManager interface {
	Authenticate(req *auth.Request) error
}

type pprofParent interface {
	logger.Writer
}

// PPROF is a pprof exporter.
type PPROF struct {
	Address        string
	Encryption     bool
	ServerKey      string
	ServerCert     string
	AllowOrigin    string
	TrustedProxies conf.IPNetworks
	ReadTimeout    conf.StringDuration
	AuthManager    pprofAuthManager
	Parent         pprofParent

	httpServer *httpp.WrappedServer
}

// Initialize initializes PPROF.
func (pp *PPROF) Initialize() error {
	router := gin.New()
	router.SetTrustedProxies(pp.TrustedProxies.ToTrustedProxies()) //nolint:errcheck
	router.NoRoute(pp.onRequest)

	network, address := restrictnetwork.Restrict("tcp", pp.Address)

	pp.httpServer = &httpp.WrappedServer{
		Network:     network,
		Address:     address,
		ReadTimeout: time.Duration(pp.ReadTimeout),
		Encryption:  pp.Encryption,
		ServerCert:  pp.ServerCert,
		ServerKey:   pp.ServerKey,
		Handler:     router,
		Parent:      pp,
	}
	err := pp.httpServer.Initialize()
	if err != nil {
		return err
	}

	pp.Log(logger.Info, "listener opened on "+address)

	return nil
}

// Close closes PPROF.
func (pp *PPROF) Close() {
	pp.Log(logger.Info, "listener is closing")
	pp.httpServer.Close()
}

// Log implements logger.Writer.
func (pp *PPROF) Log(level logger.Level, format string, args ...interface{}) {
	pp.Parent.Log(level, "[pprof] "+format, args...)
}

func (pp *PPROF) onRequest(ctx *gin.Context) {
	ctx.Writer.Header().Set("Access-Control-Allow-Origin", pp.AllowOrigin)
	ctx.Writer.Header().Set("Access-Control-Allow-Credentials", "true")

	// preflight requests
	if ctx.Request.Method == http.MethodOptions &&
		ctx.Request.Header.Get("Access-Control-Request-Method") != "" {
		ctx.Writer.Header().Set("Access-Control-Allow-Methods", "OPTIONS, GET")
		ctx.Writer.Header().Set("Access-Control-Allow-Headers", "Authorization")
		ctx.Writer.WriteHeader(http.StatusNoContent)
		return
	}

	err := pp.AuthManager.Authenticate(&auth.Request{
		IP:          net.ParseIP(ctx.ClientIP()),
		Action:      conf.AuthActionMetrics,
		HTTPRequest: ctx.Request,
	})
	if err != nil {
		if err.(*auth.Error).AskCredentials { //nolint:errorlint
			ctx.Writer.Header().Set("WWW-Authenticate", `Basic realm="mediamtx"`)
			ctx.Writer.WriteHeader(http.StatusUnauthorized)
			return
		}

		// wait some seconds to mitigate brute force attacks
		<-time.After(auth.PauseAfterError)

		ctx.Writer.WriteHeader(http.StatusUnauthorized)
		return
	}

	http.DefaultServeMux.ServeHTTP(ctx.Writer, ctx.Request)
}
move api, metrics and pprof into dedicated packages (#2843) 2023-12-26 12:41:15 +00:00			`// Package pprof contains a pprof exporter.`
			`package pprof`
do not panic if pprof initialization fails 2020-08-30 12:10:05 +00:00
			`import (`
New authentication system (#1341) (#1992) (#2205) (#3081) This is a new authentication system that covers all the features exposed by the server, including playback, API, metrics and PPROF, improves internal authentication by adding permissions, improves HTTP-based authentication by adding the ability to exclude certain actions from being authenticated, adds an additional method (JWT-based authentication). 2024-03-04 13:20:34 +00:00			`"net"`
do not panic if pprof initialization fails 2020-08-30 12:10:05 +00:00			`"net/http"`
fix crash in case of specially-crafted HTTP requests (#2166) (#2169) 2023-08-07 15:16:33 +00:00			`"time"`
add docs 2020-11-05 11:30:25 +00:00
			`// start pprof`
do not panic if pprof initialization fails 2020-08-30 12:10:05 +00:00			`_ "net/http/pprof"`
implement log levels; print requests and responses when log level is "debug" (#116) 2020-12-08 11:21:06 +00:00
New authentication system (#1341) (#1992) (#2205) (#3081) This is a new authentication system that covers all the features exposed by the server, including playback, API, metrics and PPROF, improves internal authentication by adding permissions, improves HTTP-based authentication by adding the ability to exclude certain actions from being authenticated, adds an additional method (JWT-based authentication). 2024-03-04 13:20:34 +00:00			`"github.com/bluenviron/mediamtx/internal/auth"`
change repository owner (#1801) 2023-05-16 14:14:20 +00:00			`"github.com/bluenviron/mediamtx/internal/conf"`
			`"github.com/bluenviron/mediamtx/internal/logger"`
rename httpserv into httpp (#3014) 2024-02-13 12:04:56 +00:00			`"github.com/bluenviron/mediamtx/internal/protocols/httpp"`
move static sources into dedicated package (#2616) 2023-10-31 13:19:04 +00:00			`"github.com/bluenviron/mediamtx/internal/restrictnetwork"`
support HTTPS, Allow-Origin and trusted proxies in API, playback server, metrics server and pprof server (#2658) (#2491) (#3235) (#3280) 2024-04-21 15:10:35 +00:00			`"github.com/gin-gonic/gin"`
do not panic if pprof initialization fails 2020-08-30 12:10:05 +00:00			`)`

fix support for JWT authentication in API, metrics, playback, pprof (#3253) Co-authored-by: Rafael Scheidt <rafaelscheidt@Rafaels-MacBook-Air.local> Co-authored-by: aler9 <46489434+aler9@users.noreply.github.com> 2024-04-18 21:55:48 +00:00			`type pprofAuthManager interface {`
			`Authenticate(req *auth.Request) error`
			`}`

move most components into internal/core in this way coverage can be computed correctly. 2021-07-24 13:55:42 +00:00			`type pprofParent interface {`
print warning in case no key frames are being received (#1763) 2023-05-04 18:16:41 +00:00			`logger.Writer`
new structure 2020-10-19 20:17:48 +00:00			`}`

move api, metrics and pprof into dedicated packages (#2843) 2023-12-26 12:41:15 +00:00			`// PPROF is a pprof exporter.`
			`type PPROF struct {`
support HTTPS, Allow-Origin and trusted proxies in API, playback server, metrics server and pprof server (#2658) (#2491) (#3235) (#3280) 2024-04-21 15:10:35 +00:00			`Address string`
			`Encryption bool`
			`ServerKey string`
			`ServerCert string`
			`AllowOrigin string`
			`TrustedProxies conf.IPNetworks`
			`ReadTimeout conf.StringDuration`
			`AuthManager pprofAuthManager`
			`Parent pprofParent`
align listener opened / closed messages 2021-11-15 19:13:54 +00:00
rename httpserv into httpp (#3014) 2024-02-13 12:04:56 +00:00			`httpServer *httpp.WrappedServer`
do not panic if pprof initialization fails 2020-08-30 12:10:05 +00:00			`}`

move api, metrics and pprof into dedicated packages (#2843) 2023-12-26 12:41:15 +00:00			`// Initialize initializes PPROF.`
			`func (pp *PPROF) Initialize() error {`
support HTTPS, Allow-Origin and trusted proxies in API, playback server, metrics server and pprof server (#2658) (#2491) (#3235) (#3280) 2024-04-21 15:10:35 +00:00			`router := gin.New()`
			`router.SetTrustedProxies(pp.TrustedProxies.ToTrustedProxies()) //nolint:errcheck`
			`router.NoRoute(pp.onRequest)`

move api, metrics and pprof into dedicated packages (#2843) 2023-12-26 12:41:15 +00:00			`network, address := restrictnetwork.Restrict("tcp", pp.Address)`
move HTTP utilities in a dedicated package (#2123) needed by #2068 2023-07-30 21:03:00 +00:00
support HTTPS, Allow-Origin and trusted proxies in API, playback server, metrics server and pprof server (#2658) (#2491) (#3235) (#3280) 2024-04-21 15:10:35 +00:00			`pp.httpServer = &httpp.WrappedServer{`
			`Network: network,`
			`Address: address,`
			`ReadTimeout: time.Duration(pp.ReadTimeout),`
			`Encryption: pp.Encryption,`
			`ServerCert: pp.ServerCert,`
			`ServerKey: pp.ServerKey,`
			`Handler: router,`
			`Parent: pp,`
			`}`
			`err := pp.httpServer.Initialize()`
add base class to all HTTP servers (#1809) 2023-05-16 18:12:45 +00:00			`if err != nil {`
move api, metrics and pprof into dedicated packages (#2843) 2023-12-26 12:41:15 +00:00			`return err`
do not panic if pprof initialization fails 2020-08-30 12:10:05 +00:00			`}`

print warning in case no key frames are being received (#1763) 2023-05-04 18:16:41 +00:00			`pp.Log(logger.Info, "listener opened on "+address)`
new structure 2020-10-19 20:17:48 +00:00
move api, metrics and pprof into dedicated packages (#2843) 2023-12-26 12:41:15 +00:00			`return nil`
do not panic if pprof initialization fails 2020-08-30 12:10:05 +00:00			`}`

move api, metrics and pprof into dedicated packages (#2843) 2023-12-26 12:41:15 +00:00			`// Close closes PPROF.`
			`func (pp *PPROF) Close() {`
print warning in case no key frames are being received (#1763) 2023-05-04 18:16:41 +00:00			`pp.Log(logger.Info, "listener is closing")`
move HTTP utilities in a dedicated package (#2123) needed by #2068 2023-07-30 21:03:00 +00:00			`pp.httpServer.Close()`
align listener opened / closed messages 2021-11-15 19:13:54 +00:00			`}`

move servers into internal/servers (#2792) 2023-12-08 18:17:17 +00:00			`// Log implements logger.Writer.`
move api, metrics and pprof into dedicated packages (#2843) 2023-12-26 12:41:15 +00:00			`func (pp *PPROF) Log(level logger.Level, format string, args ...interface{}) {`
			`pp.Parent.Log(level, "[pprof] "+format, args...)`
new structure 2020-10-19 20:17:48 +00:00			`}`
New authentication system (#1341) (#1992) (#2205) (#3081) This is a new authentication system that covers all the features exposed by the server, including playback, API, metrics and PPROF, improves internal authentication by adding permissions, improves HTTP-based authentication by adding the ability to exclude certain actions from being authenticated, adds an additional method (JWT-based authentication). 2024-03-04 13:20:34 +00:00
support HTTPS, Allow-Origin and trusted proxies in API, playback server, metrics server and pprof server (#2658) (#2491) (#3235) (#3280) 2024-04-21 15:10:35 +00:00			`func (pp PPROF) onRequest(ctx gin.Context) {`
			`ctx.Writer.Header().Set("Access-Control-Allow-Origin", pp.AllowOrigin)`
			`ctx.Writer.Header().Set("Access-Control-Allow-Credentials", "true")`
New authentication system (#1341) (#1992) (#2205) (#3081) This is a new authentication system that covers all the features exposed by the server, including playback, API, metrics and PPROF, improves internal authentication by adding permissions, improves HTTP-based authentication by adding the ability to exclude certain actions from being authenticated, adds an additional method (JWT-based authentication). 2024-03-04 13:20:34 +00:00
fix support for HTTP preflight requests (#1792) (#3535) 2024-07-06 19:45:15 +00:00			`// preflight requests`
			`if ctx.Request.Method == http.MethodOptions &&`
			`ctx.Request.Header.Get("Access-Control-Request-Method") != "" {`
			`ctx.Writer.Header().Set("Access-Control-Allow-Methods", "OPTIONS, GET")`
			`ctx.Writer.Header().Set("Access-Control-Allow-Headers", "Authorization")`
			`ctx.Writer.WriteHeader(http.StatusNoContent)`
			`return`
			`}`

New authentication system (#1341) (#1992) (#2205) (#3081) This is a new authentication system that covers all the features exposed by the server, including playback, API, metrics and PPROF, improves internal authentication by adding permissions, improves HTTP-based authentication by adding the ability to exclude certain actions from being authenticated, adds an additional method (JWT-based authentication). 2024-03-04 13:20:34 +00:00			`err := pp.AuthManager.Authenticate(&auth.Request{`
support using JWT in Authorization header with API, Metrics, PProf (#3630) (#3795) 2024-10-05 19:15:21 +00:00			`IP: net.ParseIP(ctx.ClientIP()),`
			`Action: conf.AuthActionMetrics,`
			`HTTPRequest: ctx.Request,`
New authentication system (#1341) (#1992) (#2205) (#3081) This is a new authentication system that covers all the features exposed by the server, including playback, API, metrics and PPROF, improves internal authentication by adding permissions, improves HTTP-based authentication by adding the ability to exclude certain actions from being authenticated, adds an additional method (JWT-based authentication). 2024-03-04 13:20:34 +00:00			`})`
			`if err != nil {`
support using JWT in Authorization header with API, Metrics, PProf (#3630) (#3795) 2024-10-05 19:15:21 +00:00			`if err.(*auth.Error).AskCredentials { //nolint:errorlint`
support HTTPS, Allow-Origin and trusted proxies in API, playback server, metrics server and pprof server (#2658) (#2491) (#3235) (#3280) 2024-04-21 15:10:35 +00:00			ctx.Writer.Header().Set("WWW-Authenticate", `Basic realm="mediamtx"`)
			`ctx.Writer.WriteHeader(http.StatusUnauthorized)`
New authentication system (#1341) (#1992) (#2205) (#3081) This is a new authentication system that covers all the features exposed by the server, including playback, API, metrics and PPROF, improves internal authentication by adding permissions, improves HTTP-based authentication by adding the ability to exclude certain actions from being authenticated, adds an additional method (JWT-based authentication). 2024-03-04 13:20:34 +00:00			`return`
			`}`

			`// wait some seconds to mitigate brute force attacks`
			`<-time.After(auth.PauseAfterError)`

support HTTPS, Allow-Origin and trusted proxies in API, playback server, metrics server and pprof server (#2658) (#2491) (#3235) (#3280) 2024-04-21 15:10:35 +00:00			`ctx.Writer.WriteHeader(http.StatusUnauthorized)`
New authentication system (#1341) (#1992) (#2205) (#3081) This is a new authentication system that covers all the features exposed by the server, including playback, API, metrics and PPROF, improves internal authentication by adding permissions, improves HTTP-based authentication by adding the ability to exclude certain actions from being authenticated, adds an additional method (JWT-based authentication). 2024-03-04 13:20:34 +00:00			`return`
			`}`

support HTTPS, Allow-Origin and trusted proxies in API, playback server, metrics server and pprof server (#2658) (#2491) (#3235) (#3280) 2024-04-21 15:10:35 +00:00			`http.DefaultServeMux.ServeHTTP(ctx.Writer, ctx.Request)`
New authentication system (#1341) (#1992) (#2205) (#3081) This is a new authentication system that covers all the features exposed by the server, including playback, API, metrics and PPROF, improves internal authentication by adding permissions, improves HTTP-based authentication by adding the ability to exclude certain actions from being authenticated, adds an additional method (JWT-based authentication). 2024-03-04 13:20:34 +00:00			`}`