-
Notifications
You must be signed in to change notification settings - Fork 173
/
validate.go
120 lines (98 loc) · 2.7 KB
/
validate.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
package auth
import (
"crypto/md5"
"crypto/sha256"
"encoding/hex"
"fmt"
"regexp"
"github.com/bluenviron/gortsplib/v4/pkg/base"
"github.com/bluenviron/gortsplib/v4/pkg/headers"
)
var reControlAttribute = regexp.MustCompile("^(.+/)trackID=[0-9]+$")
func md5Hex(in string) string {
h := md5.New()
h.Write([]byte(in))
return hex.EncodeToString(h.Sum(nil))
}
func sha256Hex(in string) string {
h := sha256.New()
h.Write([]byte(in))
return hex.EncodeToString(h.Sum(nil))
}
func contains(list []headers.AuthMethod, item headers.AuthMethod) bool {
for _, i := range list {
if i == item {
return true
}
}
return false
}
func urlMatches(expected string, received string, isSetup bool) bool {
if received == expected {
return true
}
// in SETUP requests, VLC uses the base URL of the stream
// instead of the URL of the track.
// Strip the control attribute to obtain the URL of the stream.
if isSetup {
if m := reControlAttribute.FindStringSubmatch(expected); m != nil && received == m[1] {
return true
}
}
return false
}
// Validate validates a request sent by a client.
func Validate(
req *base.Request,
user string,
pass string,
methods []headers.AuthMethod,
realm string,
nonce string,
) error {
if methods == nil {
methods = []headers.AuthMethod{headers.AuthDigestSHA256, headers.AuthDigestMD5, headers.AuthBasic}
}
var auth headers.Authorization
err := auth.Unmarshal(req.Header["Authorization"])
if err != nil {
return err
}
switch {
case (auth.Method == headers.AuthDigestSHA256 && contains(methods, headers.AuthDigestSHA256)) ||
(auth.Method == headers.AuthDigestMD5 && contains(methods, headers.AuthDigestMD5)):
if auth.Nonce != nonce {
return fmt.Errorf("wrong nonce")
}
if auth.Realm != realm {
return fmt.Errorf("wrong realm")
}
if auth.Username != user {
return fmt.Errorf("authentication failed")
}
if !urlMatches(req.URL.String(), auth.URI, req.Method == base.Setup) {
return fmt.Errorf("wrong URL")
}
var response string
if auth.Method == headers.AuthDigestSHA256 {
response = sha256Hex(sha256Hex(user+":"+realm+":"+pass) +
":" + nonce + ":" + sha256Hex(string(req.Method)+":"+auth.URI))
} else {
response = md5Hex(md5Hex(user+":"+realm+":"+pass) +
":" + nonce + ":" + md5Hex(string(req.Method)+":"+auth.URI))
}
if auth.Response != response {
return fmt.Errorf("authentication failed")
}
case auth.Method == headers.AuthBasic && contains(methods, headers.AuthBasic):
if auth.BasicUser != user {
return fmt.Errorf("authentication failed")
}
if auth.BasicPass != pass {
return fmt.Errorf("authentication failed")
}
default:
return fmt.Errorf("no supported authentication methods found")
}
return nil
}