mirror of
https://github.com/aler9/gortsplib
synced 2025-10-06 07:37:07 +08:00
159 lines
3.2 KiB
Go
159 lines
3.2 KiB
Go
package gortsplib
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"encoding/base64"
|
|
"encoding/hex"
|
|
"fmt"
|
|
"net/url"
|
|
"strings"
|
|
|
|
"github.com/aler9/gortsplib/base"
|
|
)
|
|
|
|
// AuthServer is an object that helps a server to validate the credentials of
|
|
// a client.
|
|
type AuthServer struct {
|
|
user string
|
|
pass string
|
|
methods []AuthMethod
|
|
realm string
|
|
nonce string
|
|
}
|
|
|
|
// NewAuthServer allocates an AuthServer.
|
|
// If methods is nil, the Basic and Digest methods are used.
|
|
func NewAuthServer(user string, pass string, methods []AuthMethod) *AuthServer {
|
|
if methods == nil {
|
|
methods = []AuthMethod{Basic, Digest}
|
|
}
|
|
|
|
nonceByts := make([]byte, 16)
|
|
rand.Read(nonceByts)
|
|
nonce := hex.EncodeToString(nonceByts)
|
|
|
|
return &AuthServer{
|
|
user: user,
|
|
pass: pass,
|
|
methods: methods,
|
|
realm: "IPCAM",
|
|
nonce: nonce,
|
|
}
|
|
}
|
|
|
|
// GenerateHeader generates the WWW-Authenticate header needed by a client to log in.
|
|
func (as *AuthServer) GenerateHeader() base.HeaderValue {
|
|
var ret base.HeaderValue
|
|
for _, m := range as.methods {
|
|
switch m {
|
|
case Basic:
|
|
ret = append(ret, (&HeaderAuth{
|
|
Method: Basic,
|
|
Realm: &as.realm,
|
|
}).Write()...)
|
|
|
|
case Digest:
|
|
ret = append(ret, (&HeaderAuth{
|
|
Method: Digest,
|
|
Realm: &as.realm,
|
|
Nonce: &as.nonce,
|
|
}).Write()...)
|
|
}
|
|
}
|
|
return ret
|
|
}
|
|
|
|
// ValidateHeader validates the Authorization header sent by a client after receiving the
|
|
// WWW-Authenticate header.
|
|
func (as *AuthServer) ValidateHeader(v base.HeaderValue, method base.Method, ur *url.URL) error {
|
|
if len(v) == 0 {
|
|
return fmt.Errorf("authorization header not provided")
|
|
}
|
|
if len(v) > 1 {
|
|
return fmt.Errorf("authorization header provided multiple times")
|
|
}
|
|
|
|
v0 := v[0]
|
|
|
|
if strings.HasPrefix(v0, "Basic ") {
|
|
inResponse := v0[len("Basic "):]
|
|
|
|
response := base64.StdEncoding.EncodeToString([]byte(as.user + ":" + as.pass))
|
|
|
|
if inResponse != response {
|
|
return fmt.Errorf("wrong response")
|
|
}
|
|
|
|
} else if strings.HasPrefix(v0, "Digest ") {
|
|
auth, err := ReadHeaderAuth(base.HeaderValue{v0})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if auth.Realm == nil {
|
|
return fmt.Errorf("realm not provided")
|
|
}
|
|
|
|
if auth.Nonce == nil {
|
|
return fmt.Errorf("nonce not provided")
|
|
}
|
|
|
|
if auth.Username == nil {
|
|
return fmt.Errorf("username not provided")
|
|
}
|
|
|
|
if auth.URI == nil {
|
|
return fmt.Errorf("uri not provided")
|
|
}
|
|
|
|
if auth.Response == nil {
|
|
return fmt.Errorf("response not provided")
|
|
}
|
|
|
|
if *auth.Nonce != as.nonce {
|
|
return fmt.Errorf("wrong nonce")
|
|
}
|
|
|
|
if *auth.Realm != as.realm {
|
|
return fmt.Errorf("wrong realm")
|
|
}
|
|
|
|
if *auth.Username != as.user {
|
|
return fmt.Errorf("wrong username")
|
|
}
|
|
|
|
uri := ur.String()
|
|
|
|
if *auth.URI != uri {
|
|
// VLC strips the subpath
|
|
newUrl := *ur
|
|
newUrl.Path = func() string {
|
|
ret := newUrl.Path
|
|
|
|
if n := strings.Index(ret[1:], "/"); n >= 0 {
|
|
ret = ret[:n+2]
|
|
}
|
|
|
|
return ret
|
|
}()
|
|
uri = newUrl.String()
|
|
|
|
if *auth.URI != uri {
|
|
return fmt.Errorf("wrong url")
|
|
}
|
|
}
|
|
|
|
response := md5Hex(md5Hex(as.user+":"+as.realm+":"+as.pass) +
|
|
":" + as.nonce + ":" + md5Hex(string(method)+":"+uri))
|
|
|
|
if *auth.Response != response {
|
|
return fmt.Errorf("wrong response")
|
|
}
|
|
|
|
} else {
|
|
return fmt.Errorf("unsupported authorization header")
|
|
}
|
|
|
|
return nil
|
|
}
|