dash-mpd 0.20.2

Parse, serialize, download an MPD manifest for MPEG-DASH or WebM-DASH media streaming
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385

//! Support for decrypting media content
//
// We provide implementations for decrypting using the following helper applications:
//
//   - the historical mp4decrypt application from the Bento4 suite
//   - shaka-packager
//   - shaka-packager running in a Podman/Docker container
//   - MP4Box from the GPAC suite
//   - MP4Box from the official GPAC Podman/Docker container
//
// The options for running a helper application in a container rely on being able to run the
// container in rootless mode, to ensure that the decypted media files are owned by the user running
// our library. This is the default configuration for Podman, so we default to using that. It is
// possible to configure Docker to run in rootless mode; if you prefer to use Docker you can set the
// DOCKER environment variable to "docker".


use std::env;
use std::path::Path;
use std::process::Command;
use std::ffi::OsStr;
use tokio::fs;
use tracing::{info, warn, error};
use crate::DashMpdError;
use crate::fetch::{DashDownloader, partial_process_output, tmp_file_path};


pub async fn decrypt_mp4decrypt(
    downloader: &DashDownloader,
    inpath: &Path,
    outpath: &Path,
    media_type: &str) -> Result<(), DashMpdError>
{
    let mut args = Vec::new();
    for (k, v) in &downloader.decryption_keys {
        args.push("--key".to_string());
        args.push(format!("{k}:{v}"));
    }
    args.push(inpath.to_string_lossy().to_string());
    args.push(outpath.to_string_lossy().to_string());
    if downloader.verbosity > 1 {
        info!("  Running mp4decrypt {}", args.join(" "));
    }
    let out = Command::new(downloader.mp4decrypt_location.clone())
        .args(args)
        .output()
        .map_err(|e| DashMpdError::Io(e, String::from("spawning mp4decrypt")))?;
    let mut no_output = false;
    if let Ok(metadata) = fs::metadata(outpath).await {
        if downloader.verbosity > 0 {
            info!("  Decrypted {media_type} stream of size {} kB.", metadata.len() / 1024);
        }
        if metadata.len() == 0 {
            no_output = true;
        }
    } else {
        no_output = true;
    }
    if !out.status.success() || no_output {
        error!("  mp4decrypt subprocess failed");
        let msg = partial_process_output(&out.stdout);
        if !msg.is_empty() {
            warn!("  mp4decrypt stdout: {msg}");
        }
        let msg = partial_process_output(&out.stderr);
        if !msg.is_empty() {
            warn!("  mp4decrypt stderr: {msg}");
        }
    }
    if no_output {
        error!("  Failed to decrypt {media_type} stream with mp4decrypt");
        warn!("  Undecrypted {media_type} stream left in {}", inpath.display());
        return Err(DashMpdError::Decrypting(format!("{media_type} stream")));
    }
    Ok(())
}


pub async fn decrypt_shaka(
    downloader: &DashDownloader,
    inpath: &Path,
    outpath: &Path,
    media_type: &str) -> Result<(), DashMpdError>
{
    let mut args = Vec::new();
    let mut keys = Vec::new();
    if downloader.verbosity < 1 {
        args.push("--quiet".to_string());
    }
    args.push(format!("in={},stream={media_type},output={}", inpath.display(), outpath.display()));
    let mut drm_label = 0;
    #[allow(clippy::explicit_counter_loop)]
    for (k, v) in &downloader.decryption_keys {
        keys.push(format!("label=lbl{drm_label}:key_id={k}:key={v}"));
        drm_label += 1;
    }
    args.push("--enable_raw_key_decryption".to_string());
    args.push("--keys".to_string());
    args.push(keys.join(","));
    if downloader.verbosity > 1 {
        info!("  Running shaka-packager {}", args.join(" "));
    }
    let out = Command::new(downloader.shaka_packager_location.clone())
        .args(args)
        .output()
        .map_err(|e| DashMpdError::Io(e, String::from("spawning shaka-packager")))?;
    let mut no_output = true;
    if let Ok(metadata) = fs::metadata(outpath).await {
        if downloader.verbosity > 0 {
            info!("  Decrypted {media_type} stream of size {} kB.", metadata.len() / 1024);
        }
        no_output = false;
    }
    if !out.status.success() || no_output {
        warn!("  shaka-packager subprocess failed");
        let msg = partial_process_output(&out.stdout);
        if !msg.is_empty() {
            warn!("  shaka-packager stdout: {msg}");
        }
        let msg = partial_process_output(&out.stderr);
        if !msg.is_empty() {
            warn!("  shaka-packager stderr: {msg}");
        }
    }
    if no_output {
        error!("  Failed to decrypt {media_type} stream with shaka-packager");
        warn!("  Undecrypted {media_type} left in {}", inpath.display());
        return Err(DashMpdError::Decrypting(format!("{media_type} stream")));
    }
    Ok(())
}


// Run shaka-packager via its official Docker container, as per
// https://github.com/shaka-project/shaka-packager/blob/main/docs/source/docker_instructions.md
//
// Given the complexity of Podman/Docker arguments, this would be a good candidate for a plugin
// mechanism or use of a scripting language.
pub async fn decrypt_shaka_container(
    downloader: &DashDownloader,
    inpath: &Path,
    outpath: &Path,
    media_type: &str) -> Result<(), DashMpdError>
{
    // We need to pass inpath and outpath into the container, in a manner which works both on Linux
    // and on Windows. We assume the container is a Linux container. We can't map outpath directly
    // in Docker/Podman using the -v argument, because outpath does not exist yet. We know that both
    // inpath and outpath are created in the same system temporary directory (they are created using
    // tmp_file_path, which uses the tempfile crate). The solution chosen here is to map the
    // temporary directory of the host (the parent directory of the inpath) to /tmp in the Linux
    // container, and in the container to refer to files in /tmp with the same filenames as on the
    // host.
    let inpath_dir = inpath.parent()
        .ok_or_else(|| DashMpdError::Decrypting(String::from("inpath parent")))?;
    let inpath_nondir = inpath.file_name()
        .ok_or_else(|| DashMpdError::Decrypting(String::from("inpath file name")))?;
    let outpath_nondir = outpath.file_name()
        .ok_or_else(|| DashMpdError::Decrypting(String::from("outpath file name")))?;
    let mut args = Vec::new();
    let mut keys = Vec::new();
    args.push(String::from("run"));
    args.push(String::from("--rm"));
    args.push(String::from("--network=none"));
    args.push(String::from("--userns=keep-id"));
    args.push(String::from("-v"));
    args.push(format!("{}:/tmp", inpath_dir.display()));
    args.push(String::from("docker.io/google/shaka-packager:latest"));
    args.push(String::from("packager"));
    // Without the --quiet option, shaka-packager prints debugging output to stderr
    args.push("--quiet".to_string());
    args.push(format!("in=/tmp/{},stream={media_type},output=/tmp/{}",
                      inpath_nondir.display(), outpath_nondir.display()));
    let mut drm_label = 0;
    #[allow(clippy::explicit_counter_loop)]
    for (k, v) in &downloader.decryption_keys {
        keys.push(format!("label=lbl{drm_label}:key_id={k}:key={v}"));
        drm_label += 1;
    }
    args.push("--enable_raw_key_decryption".to_string());
    args.push("--keys".to_string());
    args.push(keys.join(","));
    if downloader.verbosity > 1 {
        info!("  Running shaka-packager container {}", args.join(" "));
    }
    // TODO: make container runner a DashDownloader option.
    // TODO: perhaps use the bollard crate to use Docker API.
    let container_runtime = env::var("DOCKER").unwrap_or(String::from("podman"));
    let pull = Command::new(&container_runtime)
        .args(["pull", "docker.io/google/shaka-packager:latest"])
        .output()
        .map_err(|e| DashMpdError::Decrypting(format!("pulling shaka-packager container: {e:?}")))?;
    if !pull.status.success() {
        error!("  Unable to pull shaka-packager decryption container with {container_runtime}");
        let msg = partial_process_output(&pull.stdout);
        if !msg.is_empty() {
            info!("  {container_runtime} stdout: {msg}");
        }
        let msg = partial_process_output(&pull.stderr);
        if !msg.is_empty() {
            info!("  {container_runtime} stderr: {msg}");
        }
        return Err(DashMpdError::Decrypting(String::from("pulling container docker.io/google/shaka-packager:latest")));
    }
    let runner = Command::new(&container_runtime)
        .args(args)
        .output()
        .map_err(|e| DashMpdError::Decrypting(format!("running shaka-packager container: {e:?}")))?;
    let mut no_output = false;
    if let Ok(metadata) = fs::metadata(outpath).await {
        if downloader.verbosity > 0 {
            info!("  Decrypted {media_type} stream of size {} kB.", metadata.len() / 1024);
        }
        no_output = false;
    }
    if !runner.status.success() || no_output {
        warn!("  shaka-packager container failed");
        let msg = partial_process_output(&runner.stdout);
        if !msg.is_empty() {
            warn!("  shaka-packager stdout: {msg}");
        }
        let msg = partial_process_output(&runner.stderr);
        if !msg.is_empty() {
            warn!("  shaka-packager stderr: {msg}");
        }
    }
    if no_output {
        error!("  Failed to decrypt {media_type} stream with shaka-packager container");
        error!("  Undecrypted {media_type} left in {}", inpath.display());
        return Err(DashMpdError::Decrypting(format!("{media_type} stream")));
    }
    Ok(())
}


// Decrypt with MP4Box as per https://wiki.gpac.io/xmlformats/Common-Encryption/
//    MP4Box -decrypt drm_file.xml encrypted.mp4 -out decrypted.mp4
pub async fn decrypt_mp4box(
    downloader: &DashDownloader,
    inpath: &Path,
    outpath: &Path,
    media_type: &str) -> Result<(), DashMpdError>
{
    use std::fmt::Write;

    let mut args = Vec::new();
    let drmfile = tmp_file_path("mp4boxcrypt", OsStr::new("xml"))?;
    let mut drmfile_contents = String::from("<GPACDRM>\n  <CrypTrack>\n");
    for (k, v) in &downloader.decryption_keys {
        let _ = writeln!(drmfile_contents, "  <key KID=\"0x{k}\" value=\"0x{v}\"/>");
    }
    drmfile_contents += "  </CrypTrack>\n</GPACDRM>\n";
    fs::write(&drmfile, drmfile_contents).await
        .map_err(|e| DashMpdError::Io(e, String::from("writing to MP4Box decrypt file")))?;
    args.push("-decrypt".to_string());
    args.push(drmfile.display().to_string());
    args.push(String::from(inpath.to_string_lossy()));
    args.push("-out".to_string());
    args.push(String::from(outpath.to_string_lossy()));
    if downloader.verbosity > 1 {
        info!("  Running decryption application MP4Box {}", args.join(" "));
    }
    let out = Command::new(downloader.mp4box_location.clone())
        .args(args)
        .output()
        .map_err(|e| DashMpdError::Decrypting(format!("spawning MP4Box: {e:?}")))?;
    if env::var("DASHMPD_PERSIST_FILES").is_err() {
	if let Err(e) = fs::remove_file(drmfile).await {
            warn!("  Error deleting temporary mp4boxcrypt file: {e}");
        }
    }
    let mut no_output = false;
    if let Ok(metadata) = fs::metadata(outpath).await {
        if downloader.verbosity > 0 {
            info!("  Decrypted {media_type} stream of size {} kB.", metadata.len() / 1024);
        }
        if metadata.len() == 0 {
            no_output = true;
        }
    } else {
        no_output = true;
    }
    if !out.status.success() || no_output {
        warn!("  MP4Box decryption subprocess failed");
        let msg = partial_process_output(&out.stdout);
        if !msg.is_empty() {
            warn!("  MP4Box stdout: {msg}");
        }
        let msg = partial_process_output(&out.stderr);
        if !msg.is_empty() {
            warn!("  MP4Box stderr: {msg}");
        }
    }
    if no_output {
        error!("  Failed to decrypt {media_type} with MP4Box");
        warn!("  Undecrypted {media_type} stream left in {}", inpath.display());
        return Err(DashMpdError::Decrypting(format!("{media_type} stream")));
    }
    Ok(())
}


// Decrypt using MP4Box from the GPAC suite, using their official Docker/Podman container.
pub async fn decrypt_mp4box_container(
    downloader: &DashDownloader,
    inpath: &Path,
    outpath: &Path,
    media_type: &str) -> Result<(), DashMpdError>
{
    use std::fmt::Write;
    
    let inpath_dir = inpath.parent()
        .ok_or_else(|| DashMpdError::Decrypting(String::from("inpath parent")))?;
    let inpath_nondir = inpath.file_name()
        .ok_or_else(|| DashMpdError::Decrypting(String::from("inpath file name")))?;
    let outpath_nondir = outpath.file_name()
        .ok_or_else(|| DashMpdError::Decrypting(String::from("outpath file name")))?;
    let mut args = Vec::new();
    let drmpath = tmp_file_path("mp4boxcrypt", OsStr::new("xml"))?;
    let drmpath_nondir = drmpath.file_name()
        .ok_or_else(|| DashMpdError::Decrypting(String::from("drmpath file name")))?;
    let mut drm_contents = String::from("<GPACDRM>\n  <CrypTrack>\n");
    for (k, v) in &downloader.decryption_keys {
        let _ = writeln!(drm_contents, "  <key KID=\"0x{k}\" value=\"0x{v}\"/>");
    }
    drm_contents += "  </CrypTrack>\n</GPACDRM>\n";
    fs::write(&drmpath, drm_contents).await
        .map_err(|e| DashMpdError::Io(e, String::from("writing to MP4Box decrypt file")))?;
    args.push(String::from("run"));
    args.push(String::from("--rm"));
    args.push(String::from("--network=none"));
    args.push(String::from("--userns=keep-id"));
    args.push(String::from("-v"));
    args.push(format!("{}:/tmp", inpath_dir.display()));
    args.push(String::from("docker.io/gpac/ubuntu:latest"));
    args.push(String::from("MP4Box"));
    args.push("-decrypt".to_string());
    args.push(format!("/tmp/{}", drmpath_nondir.display()));
    args.push(format!("/tmp/{}", inpath_nondir.display()));
    args.push("-out".to_string());
    args.push(format!("/tmp/{}", outpath_nondir.display()));
    if downloader.verbosity > 1 {
        info!("  Running decryption container GPAC/MP4Box {}", args.join(" "));
    }
    let container_runtime = env::var("DOCKER").unwrap_or(String::from("podman"));
    let pull = Command::new(&container_runtime)
        .args(["pull", "docker.io/gpac/ubuntu:latest"])
        .output()
        .map_err(|e| DashMpdError::Decrypting(format!("pulling MP4Box container: {e:?}")))?;
    if !pull.status.success() {
        warn!("  Unable to pull MP4Box decryption container");
        return Err(DashMpdError::Decrypting(String::from("pulling container docker.io/gpac/ubuntu:latest")));
    }
    let runner = Command::new(&container_runtime)
        .args(args)
        .output()
        .map_err(|e| DashMpdError::Decrypting(format!("spawning MP4Box container: {e:?}")))?;
    let mut no_output = false;
    if let Ok(metadata) = fs::metadata(&outpath).await {
        if downloader.verbosity > 0 {
            info!("  Decrypted {media_type} stream of size {} kB.", metadata.len() / 1024);
        }
        if metadata.len() == 0 {
            no_output = true;
        }
    } else {
        no_output = true;
    }
    if !runner.status.success() || no_output {
        warn!("  MP4Box decryption container failed");
        let msg = partial_process_output(&runner.stdout);
        if !msg.is_empty() {
            warn!("  MP4Box stdout: {msg}");
        }
        let msg = partial_process_output(&runner.stderr);
        if !msg.is_empty() {
            warn!("  MP4Box stderr: {msg}");
        }
    }
    if no_output {
        error!("  Failed to decrypt {media_type} with MP4Box container");
        error!("  Undecrypted {media_type} stream left in {}", inpath.display());
        return Err(DashMpdError::Decrypting(format!("{media_type} stream")));
    }
    Ok(())
}