enforce camera-level access on go2rtc live stream websocket endpoints

frigate/api/auth.py

@@ -12,6 +12,7 @@ import time
 from datetime import datetime
 from pathlib import Path
 from typing import List, Optional
+from urllib.parse import parse_qs, urlparse
 
 from fastapi import APIRouter, Depends, HTTPException, Request, Response
 from fastapi.responses import JSONResponse, RedirectResponse
@@ -26,7 +27,11 @@ from frigate.api.defs.request.app_body import (
     AppPutRoleBody,
 )
 from frigate.api.defs.tags import Tags
-from frigate.api.media_auth import check_camera_access, deny_response_for_media_uri
+from frigate.api.media_auth import (
+    check_camera_access,
+    deny_response_for_media_uri,
+    is_role_restricted,
+)
 from frigate.config import AuthConfig, NetworkingConfig, ProxyConfig
 from frigate.const import CONFIG_DIR, JWT_SECRET_ENV_VAR, PASSWORD_HASH_ALGORITHM
 from frigate.models import User
@@ -658,6 +663,10 @@ def auth(request: Request):
         if deny_status is not None:
             return Response("", status_code=deny_status)
 
+        deny_status = deny_response_for_go2rtc_stream(original_url, role, request)
+        if deny_status is not None:
+            return Response("", status_code=deny_status)
+
         return success_response
 
     # now apply authentication
@@ -757,6 +766,10 @@ def auth(request: Request):
         if deny_status is not None:
             return Response("", status_code=deny_status)
 
+        deny_status = deny_response_for_go2rtc_stream(original_url, role, request)
+        if deny_status is not None:
+            return Response("", status_code=deny_status)
+
         return success_response
     except Exception as e:
         logger.error(f"Error parsing jwt: {e}")
@@ -1112,6 +1125,66 @@ def _get_stream_owner_cameras(request: Request, stream_name: str) -> set[str]:
     return owner_cameras
 
 
+# nginx proxies these paths straight to go2rtc with authentication-only checks
+# (see auth_request.conf). Each names the desired stream via the `src` query
+# param, so the camera-level check must happen here in the `/auth` subrequest —
+# `require_go2rtc_stream_access` only guards the REST `/go2rtc/streams/{name}`
+# endpoint, not these proxied live-stream paths.
+GO2RTC_STREAM_PROXY_PATHS = frozenset(
+    {
+        "/live/mse/api/ws",
+        "/live/webrtc/api/ws",
+        "/api/go2rtc/webrtc",
+    }
+)
+
+
+def deny_response_for_go2rtc_stream(
+    original_url: Optional[str], role: Optional[str], request: Request
+) -> Optional[int]:
+    """Block role-restricted users from go2rtc live streams they cannot access.
+
+    Returns 403 when any `src` stream named in `original_url` resolves to a
+    camera outside the role's allow-list (or when no `src` is provided on a
+    stream-proxy path), otherwise None. Mirrors the resolution logic in
+    `require_go2rtc_stream_access` so substream names map to their owning
+    camera correctly.
+    """
+    if not original_url:
+        return None
+
+    parsed = urlparse(original_url)
+    if parsed.path not in GO2RTC_STREAM_PROXY_PATHS:
+        return None
+
+    frigate_config = request.app.frigate_config
+
+    # admin and full-access roles (no allow-list) bypass the camera check
+    if not role or not is_role_restricted(role, frigate_config):
+        return None
+
+    sources = parse_qs(parsed.query).get("src", [])
+    if not sources:
+        # a stream-proxy request naming no stream has nothing legitimate to
+        # show a restricted user
+        return 403
+
+    allowed_cameras = set(
+        User.get_allowed_cameras(
+            role,
+            frigate_config.auth.roles,
+            set(frigate_config.cameras.keys()),
+        )
+    )
+
+    # deny if any requested source resolves outside the allow-list
+    for src in sources:
+        if not (_get_stream_owner_cameras(request, src) & allowed_cameras):
+            return 403
+
+    return None
+
+
 async def require_go2rtc_stream_access(
     stream_name: Optional[str] = None,
     request: Request = None,

frigate/test/test_go2rtc_stream_auth.py

@@ -0,0 +1,175 @@
+"""Unit tests for `deny_response_for_go2rtc_stream`.
+
+Covers the camera-level authorization enforced in the `/auth` subrequest for
+the nginx-proxied go2rtc live-stream paths (MSE/WebRTC WebSockets and the
+WebRTC signaling endpoint). These paths name the stream via the `src` query
+param, which the static-media auth in `media_auth` does not inspect.
+"""
+
+import types
+import unittest
+
+from frigate.api.auth import deny_response_for_go2rtc_stream
+from frigate.config import FrigateConfig
+
+_CONFIG = {
+    "mqtt": {"host": "mqtt"},
+    "auth": {
+        "roles": {
+            "limited_user": ["front_door"],
+            "dual_user": ["front_door", "back_door"],
+        }
+    },
+    "cameras": {
+        "front_door": {
+            "ffmpeg": {
+                "inputs": [{"path": "rtsp://10.0.0.1:554/video", "roles": ["detect"]}]
+            },
+            "detect": {"height": 1080, "width": 1920, "fps": 5},
+            # go2rtc stream name differs from the camera name (substream)
+            "live": {"streams": {"Main Stream": "front_door_sub"}},
+        },
+        "back_door": {
+            "ffmpeg": {
+                "inputs": [{"path": "rtsp://10.0.0.2:554/video", "roles": ["detect"]}]
+            },
+            "detect": {"height": 1080, "width": 1920, "fps": 5},
+        },
+        "garage": {
+            "ffmpeg": {
+                "inputs": [{"path": "rtsp://10.0.0.3:554/video", "roles": ["detect"]}]
+            },
+            "detect": {"height": 1080, "width": 1920, "fps": 5},
+        },
+    },
+}
+
+
+def _request(config: FrigateConfig) -> types.SimpleNamespace:
+    return types.SimpleNamespace(app=types.SimpleNamespace(frigate_config=config))
+
+
+class TestDenyResponseForGo2rtcStream(unittest.TestCase):
+    def setUp(self) -> None:
+        self.config = FrigateConfig(**_CONFIG)
+        self.request = _request(self.config)
+
+    def _deny(self, url: str, role: str):
+        return deny_response_for_go2rtc_stream(url, role, self.request)
+
+    # --- non-stream paths pass through ---
+
+    def test_non_stream_path_passes_through(self):
+        self.assertIsNone(
+            self._deny("http://host/clips/back_door-1.jpg", "limited_user")
+        )
+
+    def test_empty_url_passes_through(self):
+        self.assertIsNone(self._deny("", "limited_user"))
+
+    def test_jsmpeg_path_not_handled_here(self):
+        # jsmpeg is authorized per-frame in the output pipeline, not here
+        self.assertIsNone(
+            self._deny("http://host/live/jsmpeg/back_door", "limited_user")
+        )
+
+    # --- restricted role: allowed vs forbidden cameras ---
+
+    def test_mse_allowed_camera(self):
+        self.assertIsNone(
+            self._deny("http://host/live/mse/api/ws?src=front_door", "limited_user")
+        )
+
+    def test_mse_forbidden_camera_denied(self):
+        self.assertEqual(
+            self._deny("http://host/live/mse/api/ws?src=back_door", "limited_user"),
+            403,
+        )
+
+    def test_webrtc_ws_forbidden_camera_denied(self):
+        self.assertEqual(
+            self._deny("http://host/live/webrtc/api/ws?src=back_door", "limited_user"),
+            403,
+        )
+
+    def test_webrtc_signaling_forbidden_camera_denied(self):
+        self.assertEqual(
+            self._deny("http://host/api/go2rtc/webrtc?src=back_door", "limited_user"),
+            403,
+        )
+
+    def test_unknown_camera_denied(self):
+        self.assertEqual(
+            self._deny("http://host/live/mse/api/ws?src=nonexistent", "limited_user"),
+            403,
+        )
+
+    def test_missing_src_denied(self):
+        self.assertEqual(self._deny("http://host/live/mse/api/ws", "limited_user"), 403)
+
+    # --- multi-camera role: each assigned camera allowed, others denied ---
+
+    def test_multi_camera_role_allows_first_assigned(self):
+        self.assertIsNone(
+            self._deny("http://host/live/mse/api/ws?src=front_door", "dual_user")
+        )
+
+    def test_multi_camera_role_allows_second_assigned(self):
+        self.assertIsNone(
+            self._deny("http://host/live/mse/api/ws?src=back_door", "dual_user")
+        )
+
+    def test_multi_camera_role_denies_unassigned(self):
+        # garage is configured but not in dual_user's allow-list
+        self.assertEqual(
+            self._deny("http://host/live/mse/api/ws?src=garage", "dual_user"),
+            403,
+        )
+
+    # --- substream names resolve to their owning camera ---
+
+    def test_allowed_substream_resolves_to_owning_camera(self):
+        # front_door_sub is owned by front_door, which limited_user may access
+        self.assertIsNone(
+            self._deny("http://host/live/mse/api/ws?src=front_door_sub", "limited_user")
+        )
+
+    # --- multiple src values: deny if any is forbidden ---
+
+    def test_multiple_src_one_forbidden_denied(self):
+        self.assertEqual(
+            self._deny(
+                "http://host/live/mse/api/ws?src=front_door&src=back_door",
+                "limited_user",
+            ),
+            403,
+        )
+
+    def test_multiple_src_all_allowed(self):
+        self.assertIsNone(
+            self._deny(
+                "http://host/live/mse/api/ws?src=front_door&src=front_door_sub",
+                "limited_user",
+            )
+        )
+
+    # --- privileged roles bypass the check ---
+
+    def test_admin_bypasses(self):
+        self.assertIsNone(
+            self._deny("http://host/live/mse/api/ws?src=back_door", "admin")
+        )
+
+    def test_builtin_viewer_role_bypasses(self):
+        # the built-in viewer role is not in the config allow-list map, so it
+        # is treated as full access
+        self.assertIsNone(
+            self._deny("http://host/live/mse/api/ws?src=back_door", "viewer")
+        )
+
+    def test_missing_role_bypasses(self):
+        self.assertIsNone(self._deny("http://host/live/mse/api/ws?src=back_door", None))
+
+
+if __name__ == "__main__":
+    unittest.main()