support basic authentication

2025-10-07 08:01:14 +08:00 · 2020-06-14 18:34:36 +02:00
parent c06d302979
commit 2eddb95cab
7 changed files with 346 additions and 198 deletions
--- a/auth.go
+++ b/auth.go
@@ -0,0 +1,265 @@
+package gortsplib
+
+import (
+	"crypto/md5"
+	"crypto/rand"
+	"encoding/base64"
+	"encoding/hex"
+	"fmt"
+	"net/url"
+	"strings"
+)
+
+func md5Hex(in string) string {
+	h := md5.New()
+	h.Write([]byte(in))
+	return hex.EncodeToString(h.Sum(nil))
+}
+
+// AuthMethod is an authentication method.
+type AuthMethod int
+
+const (
+	Basic AuthMethod = iota
+	Digest
+)
+
+// AuthServer is an object that helps a server to validate the credentials of
+// a client.
+type AuthServer struct {
+	user    string
+	pass    string
+	methods []AuthMethod
+	realm   string
+	nonce   string
+}
+
+// NewAuthServer allocates an AuthServer.
+// If methods is nil, Basic and Digest authentications are used.
+func NewAuthServer(user string, pass string, methods []AuthMethod) *AuthServer {
+	if methods == nil {
+		methods = []AuthMethod{Basic, Digest}
+	}
+
+	nonceByts := make([]byte, 16)
+	rand.Read(nonceByts)
+	nonce := hex.EncodeToString(nonceByts)
+
+	return &AuthServer{
+		user:    user,
+		pass:    pass,
+		methods: methods,
+		realm:   "IPCAM",
+		nonce:   nonce,
+	}
+}
+
+// GenerateHeader generates the WWW-Authenticate header needed by a client to log in.
+func (as *AuthServer) GenerateHeader() []string {
+	var ret []string
+	for _, m := range as.methods {
+		switch m {
+		case Basic:
+			ret = append(ret, (&HeaderAuth{
+				Prefix: "Basic",
+				Values: map[string]string{
+					"realm": as.realm,
+				},
+			}).Write())
+
+		case Digest:
+			ret = append(ret, (&HeaderAuth{
+				Prefix: "Digest",
+				Values: map[string]string{
+					"realm": as.realm,
+					"nonce": as.nonce,
+				},
+			}).Write())
+		}
+	}
+	return ret
+}
+
+// ValidateHeader validates the Authorization header sent by a client after receiving the
+// WWW-Authenticate header provided by GenerateHeader().
+func (as *AuthServer) ValidateHeader(header []string, method Method, ur *url.URL) error {
+	if len(header) != 1 {
+		return fmt.Errorf("authorization header not provided or provided multiple times")
+	}
+
+	head := header[0]
+
+	if strings.HasPrefix(head, "Basic ") {
+		inResponse := head[len("Basic "):]
+
+		response := base64.StdEncoding.EncodeToString([]byte(as.user + ":" + as.pass))
+
+		if inResponse != response {
+			return fmt.Errorf("wrong response")
+		}
+
+	} else if strings.HasPrefix(head, "Digest ") {
+		auth, err := ReadHeaderAuth(head)
+		if err != nil {
+			return err
+		}
+
+		inRealm, ok := auth.Values["realm"]
+		if !ok {
+			return fmt.Errorf("realm not provided")
+		}
+
+		inNonce, ok := auth.Values["nonce"]
+		if !ok {
+			return fmt.Errorf("nonce not provided")
+		}
+
+		inUsername, ok := auth.Values["username"]
+		if !ok {
+			return fmt.Errorf("username not provided")
+		}
+
+		inUri, ok := auth.Values["uri"]
+		if !ok {
+			return fmt.Errorf("uri not provided")
+		}
+
+		inResponse, ok := auth.Values["response"]
+		if !ok {
+			return fmt.Errorf("response not provided")
+		}
+
+		if inNonce != as.nonce {
+			return fmt.Errorf("wrong nonce")
+		}
+
+		if inRealm != as.realm {
+			return fmt.Errorf("wrong realm")
+		}
+
+		if inUsername != as.user {
+			return fmt.Errorf("wrong username")
+		}
+
+		if inUri != ur.String() {
+			return fmt.Errorf("wrong url")
+		}
+
+		response := md5Hex(md5Hex(as.user+":"+as.realm+":"+as.pass) +
+			":" + as.nonce + ":" + md5Hex(string(method)+":"+ur.String()))
+
+		if inResponse != response {
+			return fmt.Errorf("wrong response")
+		}
+
+	} else {
+		return fmt.Errorf("unsupported authorization header")
+	}
+
+	return nil
+}
+
+// AuthClient is an object that helps a client to send its credentials to a
+// server.
+type AuthClient struct {
+	user   string
+	pass   string
+	method AuthMethod
+	realm  string
+	nonce  string
+}
+
+// NewAuthClient allocates an AuthClient.
+// header is the WWW-Authenticate header provided by the server.
+func NewAuthClient(header []string, user string, pass string) (*AuthClient, error) {
+	// prefer digest
+	headerAuthDigest := func() string {
+		for _, v := range header {
+			if strings.HasPrefix(v, "Digest ") {
+				return v
+			}
+		}
+		return ""
+	}()
+	if headerAuthDigest != "" {
+		auth, err := ReadHeaderAuth(headerAuthDigest)
+		if err != nil {
+			return nil, err
+		}
+
+		realm, ok := auth.Values["realm"]
+		if !ok {
+			return nil, fmt.Errorf("realm not provided")
+		}
+
+		nonce, ok := auth.Values["nonce"]
+		if !ok {
+			return nil, fmt.Errorf("nonce not provided")
+		}
+
+		return &AuthClient{
+			user:   user,
+			pass:   pass,
+			method: Digest,
+			realm:  realm,
+			nonce:  nonce,
+		}, nil
+	}
+
+	headerAuthBasic := func() string {
+		for _, v := range header {
+			if strings.HasPrefix(v, "Basic ") {
+				return v
+			}
+		}
+		return ""
+	}()
+	if headerAuthBasic != "" {
+		auth, err := ReadHeaderAuth(headerAuthBasic)
+		if err != nil {
+			return nil, err
+		}
+
+		realm, ok := auth.Values["realm"]
+		if !ok {
+			return nil, fmt.Errorf("realm not provided")
+		}
+
+		return &AuthClient{
+			user:   user,
+			pass:   pass,
+			method: Basic,
+			realm:  realm,
+		}, nil
+	}
+
+	return nil, fmt.Errorf("there are no authentication methods available")
+}
+
+// GenerateHeader generates an Authorization Header that allows to authenticate a request with
+// the given method and url.
+func (ac *AuthClient) GenerateHeader(method Method, ur *url.URL) []string {
+	switch ac.method {
+	case Basic:
+		response := base64.StdEncoding.EncodeToString([]byte(ac.user + ":" + ac.pass))
+
+		return []string{"Basic " + response}
+
+	case Digest:
+		response := md5Hex(md5Hex(ac.user+":"+ac.realm+":"+ac.pass) + ":" +
+			ac.nonce + ":" + md5Hex(string(method)+":"+ur.String()))
+
+		return []string{(&HeaderAuth{
+			Prefix: "Digest",
+			Values: map[string]string{
+				"username": ac.user,
+				"realm":    ac.realm,
+				"nonce":    ac.nonce,
+				"uri":      ur.String(),
+				"response": response,
+			},
+		}).Write()}
+	}
+
+	return nil
+}