Add: Automatically create permission for connected peers is not exist.

2025-12-29 03:08:57 +01:00 · 2025-12-29 03:08:57 +01:00 · 295bac11e3
commit 295bac11e3
parent a434a6ad8a
2 changed files with 66 additions and 18 deletions
--- a/src/server.rs
+++ b/src/server.rs
@ -401,15 +401,39 @@ pub async fn udp_reader_loop_with_limits(
                        };

                        if !allocation.is_peer_allowed(&peer_addr) {
-                            let resp = build_error_response_with_integrity_mode(
-                                &msg.header,
-                                403,
-                                "Peer Not Permitted",
-                                &key,
-                                mi_mode,
-                            );
-                            let _ = udp.send_to(&resp, &peer).await;
-                            continue;
+                            match allocs.add_permission(peer, peer_addr) {
+                                Ok(()) => {
+                                    tracing::info!(
+                                        "added implicit permission for {} -> {} (via CHANNEL-BIND)",
+                                        peer,
+                                        peer_addr
+                                    );
+                                    crate::metrics::inc_permission_added();
+                                }
+                                Err(e) => {
+                                    tracing::error!(
+                                        "failed to add implicit permission {} -> {}: {:?}",
+                                        peer,
+                                        peer_addr,
+                                        e
+                                    );
+                                    let (code, reason) = match e.downcast_ref::<AllocationError>() {
+                                        Some(AllocationError::PermissionQuotaExceeded) => {
+                                            (508, "Insufficient Capacity")
+                                        }
+                                        _ => (403, "Peer Not Permitted"),
+                                    };
+                                    let resp = build_error_response_with_integrity_mode(
+                                        &msg.header,
+                                        code,
+                                        reason,
+                                        &key,
+                                        mi_mode,
+                                    );
+                                    let _ = udp.send_to(&resp, &peer).await;
+                                    continue;
+                                }
+                            }
                        }

                        if let Err(e) = allocs.add_channel_binding(peer, channel, peer_addr) {
--- a/src/turn_stream.rs
+++ b/src/turn_stream.rs
@ -545,15 +545,39 @@ where
                                    };

                                    if !allocation.is_peer_allowed(&peer_addr) {
-                                        let resp = build_error_response_with_integrity_mode(
-                                            &msg.header,
-                                            403,
-                                            "Peer Not Permitted",
-                                            key,
-                                            mi_mode,
-                                        );
-                                        let _ = tx.send(resp).await;
-                                        continue;
+                                        match allocs.add_permission(peer, peer_addr) {
+                                            Ok(()) => {
+                                                tracing::info!(
+                                                    "added implicit permission for {} -> {} (via CHANNEL-BIND)",
+                                                    peer,
+                                                    peer_addr
+                                                );
+                                                crate::metrics::inc_permission_added();
+                                            }
+                                            Err(e) => {
+                                                tracing::error!(
+                                                    "failed to add implicit permission {} -> {}: {:?}",
+                                                    peer,
+                                                    peer_addr,
+                                                    e
+                                                );
+                                                let (code, reason) = match e.downcast_ref::<AllocationError>() {
+                                                    Some(AllocationError::PermissionQuotaExceeded) => {
+                                                        (508, "Insufficient Capacity")
+                                                    }
+                                                    _ => (403, "Peer Not Permitted"),
+                                                };
+                                                let resp = build_error_response_with_integrity_mode(
+                                                    &msg.header,
+                                                    code,
+                                                    reason,
+                                                    key,
+                                                    mi_mode,
+                                                );
+                                                let _ = tx.send(resp).await;
+                                                continue;
+                                            }
+                                        }
                                    }

                                    if let Err(e) =