Add: Automatically create permission for connected peers is not exist.

2025-12-29 03:08:57 +01:00 · 2025-12-29 03:08:57 +01:00 · 295bac11e3
commit 295bac11e3
parent a434a6ad8a
2 changed files with 66 additions and 18 deletions
--- a/src/server.rs
+++ b/src/server.rs
@ -401,16 +401,40 @@ pub async fn udp_reader_loop_with_limits(
                        };

                        if !allocation.is_peer_allowed(&peer_addr) {
+                            match allocs.add_permission(peer, peer_addr) {
+                                Ok(()) => {
+                                    tracing::info!(
+                                        "added implicit permission for {} -> {} (via CHANNEL-BIND)",
+                                        peer,
+                                        peer_addr
+                                    );
+                                    crate::metrics::inc_permission_added();
+                                }
+                                Err(e) => {
+                                    tracing::error!(
+                                        "failed to add implicit permission {} -> {}: {:?}",
+                                        peer,
+                                        peer_addr,
+                                        e
+                                    );
+                                    let (code, reason) = match e.downcast_ref::<AllocationError>() {
+                                        Some(AllocationError::PermissionQuotaExceeded) => {
+                                            (508, "Insufficient Capacity")
+                                        }
+                                        _ => (403, "Peer Not Permitted"),
+                                    };
                                    let resp = build_error_response_with_integrity_mode(
                                        &msg.header,
-                                403,
-                                "Peer Not Permitted",
+                                        code,
+                                        reason,
                                        &key,
                                        mi_mode,
                                    );
                                    let _ = udp.send_to(&resp, &peer).await;
                                    continue;
                                }
+                            }
+                        }

                        if let Err(e) = allocs.add_channel_binding(peer, channel, peer_addr) {
                            tracing::error!(
--- a/src/turn_stream.rs
+++ b/src/turn_stream.rs
@ -545,16 +545,40 @@ where
                                    };

                                    if !allocation.is_peer_allowed(&peer_addr) {
+                                        match allocs.add_permission(peer, peer_addr) {
+                                            Ok(()) => {
+                                                tracing::info!(
+                                                    "added implicit permission for {} -> {} (via CHANNEL-BIND)",
+                                                    peer,
+                                                    peer_addr
+                                                );
+                                                crate::metrics::inc_permission_added();
+                                            }
+                                            Err(e) => {
+                                                tracing::error!(
+                                                    "failed to add implicit permission {} -> {}: {:?}",
+                                                    peer,
+                                                    peer_addr,
+                                                    e
+                                                );
+                                                let (code, reason) = match e.downcast_ref::<AllocationError>() {
+                                                    Some(AllocationError::PermissionQuotaExceeded) => {
+                                                        (508, "Insufficient Capacity")
+                                                    }
+                                                    _ => (403, "Peer Not Permitted"),
+                                                };
                                                let resp = build_error_response_with_integrity_mode(
                                                    &msg.header,
-                                            403,
-                                            "Peer Not Permitted",
+                                                    code,
+                                                    reason,
                                                    key,
                                                    mi_mode,
                                                );
                                                let _ = tx.send(resp).await;
                                                continue;
                                            }
+                                        }
+                                    }

                                    if let Err(e) =
                                        allocs.add_channel_binding(peer, channel, peer_addr)