package auth import ( "crypto/rand" "encoding/base64" "encoding/hex" "fmt" "strings" "github.com/aler9/gortsplib/pkg/base" "github.com/aler9/gortsplib/pkg/headers" ) // Validator allows to validate some credentials generated by a Sender. type Validator struct { user string userHashed bool pass string passHashed bool methods []headers.AuthMethod realm string nonce string } // NewValidator allocates a Validator. // If methods is nil, the Basic and Digest methods are used. func NewValidator(user string, pass string, methods []headers.AuthMethod) *Validator { if methods == nil { methods = []headers.AuthMethod{headers.AuthBasic, headers.AuthDigest} } userHashed := false if strings.HasPrefix(user, "plain:") { user = strings.TrimPrefix(user, "plain:") } else if strings.HasPrefix(user, "sha256:") { user = strings.TrimPrefix(user, "sha256:") userHashed = true } passHashed := false if strings.HasPrefix(pass, "plain:") { pass = strings.TrimPrefix(pass, "plain:") } else if strings.HasPrefix(pass, "sha256:") { pass = strings.TrimPrefix(pass, "sha256:") passHashed = true } // if credentials are hashed, only basic auth is supported if userHashed || passHashed { methods = []headers.AuthMethod{headers.AuthBasic} } nonceByts := make([]byte, 16) rand.Read(nonceByts) nonce := hex.EncodeToString(nonceByts) return &Validator{ user: user, userHashed: userHashed, pass: pass, passHashed: passHashed, methods: methods, realm: "IPCAM", nonce: nonce, } } // GenerateHeader generates the WWW-Authenticate header needed by a client to // authenticate. func (va *Validator) GenerateHeader() base.HeaderValue { var ret base.HeaderValue for _, m := range va.methods { switch m { case headers.AuthBasic: ret = append(ret, (&headers.Auth{ Method: headers.AuthBasic, Realm: &va.realm, }).Write()...) case headers.AuthDigest: ret = append(ret, headers.Auth{ Method: headers.AuthDigest, Realm: &va.realm, Nonce: &va.nonce, }.Write()...) } } return ret } // ValidateHeader validates the Authorization header sent by a client after receiving the // WWW-Authenticate header. func (va *Validator) ValidateHeader(v base.HeaderValue, method base.Method, ur *base.URL) error { if len(v) == 0 { return fmt.Errorf("authorization header not provided") } if len(v) > 1 { return fmt.Errorf("authorization header provided multiple times") } v0 := v[0] if strings.HasPrefix(v0, "Basic ") { inResponse := v0[len("Basic "):] tmp, err := base64.StdEncoding.DecodeString(inResponse) if err != nil { return fmt.Errorf("wrong response") } tmp2 := strings.Split(string(tmp), ":") if len(tmp2) != 2 { return fmt.Errorf("wrong response") } user, pass := tmp2[0], tmp2[1] if !va.userHashed { if user != va.user { return fmt.Errorf("wrong response") } } else { if sha256Base64(user) != va.user { return fmt.Errorf("wrong response") } } if !va.passHashed { if pass != va.pass { return fmt.Errorf("wrong response") } } else { if sha256Base64(pass) != va.pass { return fmt.Errorf("wrong response") } } } else if strings.HasPrefix(v0, "Digest ") { auth, err := headers.ReadAuth(base.HeaderValue{v0}) if err != nil { return err } if auth.Realm == nil { return fmt.Errorf("realm not provided") } if auth.Nonce == nil { return fmt.Errorf("nonce not provided") } if auth.Username == nil { return fmt.Errorf("username not provided") } if auth.URI == nil { return fmt.Errorf("uri not provided") } if auth.Response == nil { return fmt.Errorf("response not provided") } if *auth.Nonce != va.nonce { return fmt.Errorf("wrong nonce") } if *auth.Realm != va.realm { return fmt.Errorf("wrong realm") } if *auth.Username != va.user { return fmt.Errorf("wrong username") } uri := ur.String() if *auth.URI != uri { // VLC strips the control attribute; do another try without the control attribute ur = ur.Clone() ur.RemoveControlAttribute() uri = ur.String() if *auth.URI != uri { return fmt.Errorf("wrong url") } } response := md5Hex(md5Hex(va.user+":"+va.realm+":"+va.pass) + ":" + va.nonce + ":" + md5Hex(string(method)+":"+uri)) if *auth.Response != response { return fmt.Errorf("wrong response") } } else { return fmt.Errorf("unsupported authorization header") } return nil }