package/gortsplib
1
0
Fork 0
mirror of https://github.com/aler9/gortsplib synced 2025-10-07 08:01:14 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
a110f2b6a289fb765a06bc9bcd87d52b39ac3df3
gortsplib/auth.go
aler9 a110f2b6a2 expose InterleavedFrame read/write functions
2020-07-19 18:16:24 +02:00

287 lines
5.9 KiB
Go
Raw Blame History

package gortsplib
import (
"crypto/md5"
"crypto/rand"
"encoding/base64"
"encoding/hex"
"fmt"
"net/url"
"strings"
)
func md5Hex(in string) string {
h := md5.New()
h.Write([]byte(in))
return hex.EncodeToString(h.Sum(nil))
}
// AuthMethod is an authentication method.
type AuthMethod int
const (
// Basic authentication method
Basic AuthMethod = iota
// Digest authentication method
Digest
)
// AuthServer is an object that helps a server to validate the credentials of
// a client.
type AuthServer struct {
user string
pass string
methods []AuthMethod
realm string
nonce string
}
// NewAuthServer allocates an AuthServer.
// If methods is nil, Basic and Digest authentications are used.
func NewAuthServer(user string, pass string, methods []AuthMethod) *AuthServer {
if methods == nil {
methods = []AuthMethod{Basic, Digest}
}
nonceByts := make([]byte, 16)
rand.Read(nonceByts)
nonce := hex.EncodeToString(nonceByts)
return &AuthServer{
user: user,
pass: pass,
methods: methods,
realm: "IPCAM",
nonce: nonce,
}
}
// GenerateHeader generates the WWW-Authenticate header needed by a client to log in.
func (as *AuthServer) GenerateHeader() HeaderValue {
var ret HeaderValue
for _, m := range as.methods {
switch m {
case Basic:
ret = append(ret, (&HeaderAuth{
Prefix: "Basic",
Values: map[string]string{
"realm": as.realm,
},
}).Write()...)
case Digest:
ret = append(ret, (&HeaderAuth{
Prefix: "Digest",
Values: map[string]string{
"realm": as.realm,
"nonce": as.nonce,
},
}).Write()...)
}
}
return ret
}
// ValidateHeader validates the Authorization header sent by a client after receiving the
// WWW-Authenticate header.
func (as *AuthServer) ValidateHeader(v HeaderValue, method Method, ur *url.URL) error {
if len(v) == 0 {
return fmt.Errorf("authorization header not provided")
}
if len(v) > 1 {
return fmt.Errorf("authorization header provided multiple times")
}
v0 := v[0]
if strings.HasPrefix(v0, "Basic ") {
inResponse := v0[len("Basic "):]
response := base64.StdEncoding.EncodeToString([]byte(as.user + ":" + as.pass))
if inResponse != response {
return fmt.Errorf("wrong response")
}
} else if strings.HasPrefix(v0, "Digest ") {
auth, err := ReadHeaderAuth(HeaderValue{v0})
if err != nil {
return err
}
inRealm, ok := auth.Values["realm"]
if !ok {
return fmt.Errorf("realm not provided")
}
inNonce, ok := auth.Values["nonce"]
if !ok {
return fmt.Errorf("nonce not provided")
}
inUsername, ok := auth.Values["username"]
if !ok {
return fmt.Errorf("username not provided")
}
inUri, ok := auth.Values["uri"]
if !ok {
return fmt.Errorf("uri not provided")
}
inResponse, ok := auth.Values["response"]
if !ok {
return fmt.Errorf("response not provided")
}
if inNonce != as.nonce {
return fmt.Errorf("wrong nonce")
}
if inRealm != as.realm {
return fmt.Errorf("wrong realm")
}
if inUsername != as.user {
return fmt.Errorf("wrong username")
}
uri := ur.String()
if inUri != uri {
// VLC strips the subpath
newUrl := *ur
newUrl.Path = func() string {
ret := newUrl.Path
if n := strings.Index(ret[1:], "/"); n >= 0 {
ret = ret[:n+2]
}
return ret
}()
uri = newUrl.String()
if inUri != uri {
return fmt.Errorf("wrong url")
}
}
response := md5Hex(md5Hex(as.user+":"+as.realm+":"+as.pass) +
":" + as.nonce + ":" + md5Hex(string(method)+":"+uri))
if inResponse != response {
return fmt.Errorf("wrong response")
}
} else {
return fmt.Errorf("unsupported authorization header")
}
return nil
}
// authClient is an object that helps a client to send its credentials to a
// server.
type authClient struct {
user string
pass string
method AuthMethod
realm string
nonce string
}
// newAuthClient allocates an authClient.
// header is the WWW-Authenticate header provided by the server.
func newAuthClient(v HeaderValue, user string, pass string) (*authClient, error) {
// prefer digest
if headerAuthDigest := func() string {
for _, vi := range v {
if strings.HasPrefix(vi, "Digest ") {
return vi
}
}
return ""
}(); headerAuthDigest != "" {
auth, err := ReadHeaderAuth(HeaderValue{headerAuthDigest})
if err != nil {
return nil, err
}
realm, ok := auth.Values["realm"]
if !ok {
return nil, fmt.Errorf("realm not provided")
}
nonce, ok := auth.Values["nonce"]
if !ok {
return nil, fmt.Errorf("nonce not provided")
}
return &authClient{
user: user,
pass: pass,
method: Digest,
realm: realm,
nonce: nonce,
}, nil
}
if headerAuthBasic := func() string {
for _, vi := range v {
if strings.HasPrefix(vi, "Basic ") {
return vi
}
}
return ""
}(); headerAuthBasic != "" {
auth, err := ReadHeaderAuth(HeaderValue{headerAuthBasic})
if err != nil {
return nil, err
}
realm, ok := auth.Values["realm"]
if !ok {
return nil, fmt.Errorf("realm not provided")
}
return &authClient{
user: user,
pass: pass,
method: Basic,
realm: realm,
}, nil
}
return nil, fmt.Errorf("there are no authentication methods available")
}
// GenerateHeader generates an Authorization Header that allows to authenticate a request with
// the given method and url.
func (ac *authClient) GenerateHeader(method Method, ur *url.URL) HeaderValue {
switch ac.method {
case Basic:
response := base64.StdEncoding.EncodeToString([]byte(ac.user + ":" + ac.pass))
return HeaderValue{"Basic " + response}
case Digest:
response := md5Hex(md5Hex(ac.user+":"+ac.realm+":"+ac.pass) + ":" +
ac.nonce + ":" + md5Hex(string(method)+":"+ur.String()))
return (&HeaderAuth{
Prefix: "Digest",
Values: map[string]string{
"username": ac.user,
"realm": ac.realm,
"nonce": ac.nonce,
"uri": ur.String(),
"response": response,
},
}).Write()
}
return nil
}
Reference in New Issue View Git Blame Copy Permalink