mirror of
https://github.com/aler9/gortsplib
synced 2025-10-04 23:02:45 +08:00
151 lines
3.2 KiB
Go
151 lines
3.2 KiB
Go
package auth
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"encoding/base64"
|
|
"encoding/hex"
|
|
"fmt"
|
|
"strings"
|
|
|
|
"github.com/aler9/gortsplib/pkg/base"
|
|
"github.com/aler9/gortsplib/pkg/headers"
|
|
)
|
|
|
|
// Server allows a server to authenticate a client.
|
|
type Server struct {
|
|
user string
|
|
pass string
|
|
methods []headers.AuthMethod
|
|
realm string
|
|
nonce string
|
|
}
|
|
|
|
// NewServer allocates a Server.
|
|
// If methods is nil, the Basic and Digest methods are used.
|
|
func NewServer(user string, pass string, methods []headers.AuthMethod) *Server {
|
|
if methods == nil {
|
|
methods = []headers.AuthMethod{headers.AuthBasic, headers.AuthDigest}
|
|
}
|
|
|
|
nonceByts := make([]byte, 16)
|
|
rand.Read(nonceByts)
|
|
nonce := hex.EncodeToString(nonceByts)
|
|
|
|
return &Server{
|
|
user: user,
|
|
pass: pass,
|
|
methods: methods,
|
|
realm: "IPCAM",
|
|
nonce: nonce,
|
|
}
|
|
}
|
|
|
|
// GenerateHeader generates the WWW-Authenticate header needed by a client to
|
|
// authenticate.
|
|
func (as *Server) GenerateHeader() base.HeaderValue {
|
|
var ret base.HeaderValue
|
|
for _, m := range as.methods {
|
|
switch m {
|
|
case headers.AuthBasic:
|
|
ret = append(ret, (&headers.Auth{
|
|
Method: headers.AuthBasic,
|
|
Realm: &as.realm,
|
|
}).Write()...)
|
|
|
|
case headers.AuthDigest:
|
|
ret = append(ret, (&headers.Auth{
|
|
Method: headers.AuthDigest,
|
|
Realm: &as.realm,
|
|
Nonce: &as.nonce,
|
|
}).Write()...)
|
|
}
|
|
}
|
|
return ret
|
|
}
|
|
|
|
// ValidateHeader validates the Authorization header sent by a client after receiving the
|
|
// WWW-Authenticate header.
|
|
func (as *Server) ValidateHeader(v base.HeaderValue, method base.Method, ur *base.URL) error {
|
|
if len(v) == 0 {
|
|
return fmt.Errorf("authorization header not provided")
|
|
}
|
|
if len(v) > 1 {
|
|
return fmt.Errorf("authorization header provided multiple times")
|
|
}
|
|
|
|
v0 := v[0]
|
|
|
|
if strings.HasPrefix(v0, "Basic ") {
|
|
inResponse := v0[len("Basic "):]
|
|
|
|
response := base64.StdEncoding.EncodeToString([]byte(as.user + ":" + as.pass))
|
|
|
|
if inResponse != response {
|
|
return fmt.Errorf("wrong response")
|
|
}
|
|
|
|
} else if strings.HasPrefix(v0, "Digest ") {
|
|
auth, err := headers.ReadAuth(base.HeaderValue{v0})
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
if auth.Realm == nil {
|
|
return fmt.Errorf("realm not provided")
|
|
}
|
|
|
|
if auth.Nonce == nil {
|
|
return fmt.Errorf("nonce not provided")
|
|
}
|
|
|
|
if auth.Username == nil {
|
|
return fmt.Errorf("username not provided")
|
|
}
|
|
|
|
if auth.URI == nil {
|
|
return fmt.Errorf("uri not provided")
|
|
}
|
|
|
|
if auth.Response == nil {
|
|
return fmt.Errorf("response not provided")
|
|
}
|
|
|
|
if *auth.Nonce != as.nonce {
|
|
return fmt.Errorf("wrong nonce")
|
|
}
|
|
|
|
if *auth.Realm != as.realm {
|
|
return fmt.Errorf("wrong realm")
|
|
}
|
|
|
|
if *auth.Username != as.user {
|
|
return fmt.Errorf("wrong username")
|
|
}
|
|
|
|
uri := ur.String()
|
|
|
|
if *auth.URI != uri {
|
|
// VLC strips the control attribute; do another try without the control attribute
|
|
ur = ur.Clone()
|
|
ur.RemoveControlAttribute()
|
|
uri = ur.String()
|
|
|
|
if *auth.URI != uri {
|
|
return fmt.Errorf("wrong url")
|
|
}
|
|
}
|
|
|
|
response := md5Hex(md5Hex(as.user+":"+as.realm+":"+as.pass) +
|
|
":" + as.nonce + ":" + md5Hex(string(method)+":"+uri))
|
|
|
|
if *auth.Response != response {
|
|
return fmt.Errorf("wrong response")
|
|
}
|
|
|
|
} else {
|
|
return fmt.Errorf("unsupported authorization header")
|
|
}
|
|
|
|
return nil
|
|
}
|