mirror of
https://github.com/aler9/gortsplib
synced 2025-10-05 15:16:51 +08:00
200 lines
4.4 KiB
Go
200 lines
4.4 KiB
Go
package auth
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"encoding/base64"
|
|
"encoding/hex"
|
|
"fmt"
|
|
"strings"
|
|
|
|
"github.com/aler9/gortsplib/pkg/base"
|
|
"github.com/aler9/gortsplib/pkg/headers"
|
|
)
|
|
|
|
// Validator allows to validate some credentials generated by a Sender.
|
|
type Validator struct {
|
|
user string
|
|
userHashed bool
|
|
pass string
|
|
passHashed bool
|
|
methods []headers.AuthMethod
|
|
realm string
|
|
nonce string
|
|
}
|
|
|
|
// NewValidator allocates a Validator.
|
|
// If methods is nil, the Basic and Digest methods are used.
|
|
func NewValidator(user string, pass string, methods []headers.AuthMethod) *Validator {
|
|
if methods == nil {
|
|
methods = []headers.AuthMethod{headers.AuthBasic, headers.AuthDigest}
|
|
}
|
|
|
|
userHashed := false
|
|
if strings.HasPrefix(user, "plain:") {
|
|
user = strings.TrimPrefix(user, "plain:")
|
|
} else if strings.HasPrefix(user, "sha256:") {
|
|
user = strings.TrimPrefix(user, "sha256:")
|
|
userHashed = true
|
|
}
|
|
|
|
passHashed := false
|
|
if strings.HasPrefix(pass, "plain:") {
|
|
pass = strings.TrimPrefix(pass, "plain:")
|
|
} else if strings.HasPrefix(pass, "sha256:") {
|
|
pass = strings.TrimPrefix(pass, "sha256:")
|
|
passHashed = true
|
|
}
|
|
|
|
// if credentials are hashed, only basic auth is supported
|
|
if userHashed || passHashed {
|
|
methods = []headers.AuthMethod{headers.AuthBasic}
|
|
}
|
|
|
|
nonceByts := make([]byte, 16)
|
|
rand.Read(nonceByts)
|
|
nonce := hex.EncodeToString(nonceByts)
|
|
|
|
return &Validator{
|
|
user: user,
|
|
userHashed: userHashed,
|
|
pass: pass,
|
|
passHashed: passHashed,
|
|
methods: methods,
|
|
realm: "IPCAM",
|
|
nonce: nonce,
|
|
}
|
|
}
|
|
|
|
// GenerateHeader generates the WWW-Authenticate header needed by a client to
|
|
// authenticate.
|
|
func (va *Validator) GenerateHeader() base.HeaderValue {
|
|
var ret base.HeaderValue
|
|
for _, m := range va.methods {
|
|
switch m {
|
|
case headers.AuthBasic:
|
|
ret = append(ret, (&headers.Auth{
|
|
Method: headers.AuthBasic,
|
|
Realm: &va.realm,
|
|
}).Write()...)
|
|
|
|
case headers.AuthDigest:
|
|
ret = append(ret, headers.Auth{
|
|
Method: headers.AuthDigest,
|
|
Realm: &va.realm,
|
|
Nonce: &va.nonce,
|
|
}.Write()...)
|
|
}
|
|
}
|
|
return ret
|
|
}
|
|
|
|
// ValidateHeader validates the Authorization header sent by a client after receiving the
|
|
// WWW-Authenticate header.
|
|
func (va *Validator) ValidateHeader(v base.HeaderValue, method base.Method, ur *base.URL) error {
|
|
if len(v) == 0 {
|
|
return fmt.Errorf("authorization header not provided")
|
|
}
|
|
if len(v) > 1 {
|
|
return fmt.Errorf("authorization header provided multiple times")
|
|
}
|
|
|
|
v0 := v[0]
|
|
|
|
if strings.HasPrefix(v0, "Basic ") {
|
|
inResponse := v0[len("Basic "):]
|
|
|
|
tmp, err := base64.StdEncoding.DecodeString(inResponse)
|
|
if err != nil {
|
|
return fmt.Errorf("wrong response")
|
|
}
|
|
tmp2 := strings.Split(string(tmp), ":")
|
|
if len(tmp2) != 2 {
|
|
return fmt.Errorf("wrong response")
|
|
}
|
|
user, pass := tmp2[0], tmp2[1]
|
|
|
|
if !va.userHashed {
|
|
if user != va.user {
|
|
return fmt.Errorf("wrong response")
|
|
}
|
|
} else {
|
|
if sha256Base64(user) != va.user {
|
|
return fmt.Errorf("wrong response")
|
|
}
|
|
}
|
|
|
|
if !va.passHashed {
|
|
if pass != va.pass {
|
|
return fmt.Errorf("wrong response")
|
|
}
|
|
} else {
|
|
if sha256Base64(pass) != va.pass {
|
|
return fmt.Errorf("wrong response")
|
|
}
|
|
}
|
|
|
|
} else if strings.HasPrefix(v0, "Digest ") {
|
|
auth, err := headers.ReadAuth(base.HeaderValue{v0})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if auth.Realm == nil {
|
|
return fmt.Errorf("realm not provided")
|
|
}
|
|
|
|
if auth.Nonce == nil {
|
|
return fmt.Errorf("nonce not provided")
|
|
}
|
|
|
|
if auth.Username == nil {
|
|
return fmt.Errorf("username not provided")
|
|
}
|
|
|
|
if auth.URI == nil {
|
|
return fmt.Errorf("uri not provided")
|
|
}
|
|
|
|
if auth.Response == nil {
|
|
return fmt.Errorf("response not provided")
|
|
}
|
|
|
|
if *auth.Nonce != va.nonce {
|
|
return fmt.Errorf("wrong nonce")
|
|
}
|
|
|
|
if *auth.Realm != va.realm {
|
|
return fmt.Errorf("wrong realm")
|
|
}
|
|
|
|
if *auth.Username != va.user {
|
|
return fmt.Errorf("wrong username")
|
|
}
|
|
|
|
uri := ur.String()
|
|
|
|
if *auth.URI != uri {
|
|
// VLC strips the control attribute; do another try without the control attribute
|
|
ur = ur.Clone()
|
|
ur.RemoveControlAttribute()
|
|
uri = ur.String()
|
|
|
|
if *auth.URI != uri {
|
|
return fmt.Errorf("wrong url")
|
|
}
|
|
}
|
|
|
|
response := md5Hex(md5Hex(va.user+":"+va.realm+":"+va.pass) +
|
|
":" + va.nonce + ":" + md5Hex(string(method)+":"+uri))
|
|
|
|
if *auth.Response != response {
|
|
return fmt.Errorf("wrong response")
|
|
}
|
|
|
|
} else {
|
|
return fmt.Errorf("unsupported authorization header")
|
|
}
|
|
|
|
return nil
|
|
}
|