mediamtx/internal/conf/credential.go

package conf

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"regexp"
	"strings"

	"github.com/matthewhartstonge/argon2"
)

var (
	rePlainCredential = regexp.MustCompile(`^[a-zA-Z0-9!\$\(\)\*\+\.;<=>\[\]\^_\-\{\}@#&]+$`)
	reBase64          = regexp.MustCompile(`^sha256:[a-zA-Z0-9\+/=]+$`)
)

const plainCredentialSupportedChars = "A-Z,0-9,!,$,(,),*,+,.,;,<,=,>,[,],^,_,-,\",\",@,#,&"

func sha256Base64(in string) string {
	h := sha256.New()
	h.Write([]byte(in))
	return base64.StdEncoding.EncodeToString(h.Sum(nil))
}

// Credential is a parameter that is used as username or password.
type Credential string

// MarshalJSON implements json.Marshaler.
func (d Credential) MarshalJSON() ([]byte, error) {
	return json.Marshal(string(d))
}

// UnmarshalJSON implements json.Unmarshaler.
func (d *Credential) UnmarshalJSON(b []byte) error {
	var in string
	if err := json.Unmarshal(b, &in); err != nil {
		return err
	}

	*d = Credential(in)

	return d.validate()
}

// UnmarshalEnv implements env.Unmarshaler.
func (d *Credential) UnmarshalEnv(_ string, v string) error {
	return d.UnmarshalJSON([]byte(`"` + v + `"`))
}

// IsSha256 returns true if the credential is a sha256 hash.
func (d Credential) IsSha256() bool {
	return strings.HasPrefix(string(d), "sha256:")
}

// IsArgon2 returns true if the credential is an argon2 hash.
func (d Credential) IsArgon2() bool {
	return strings.HasPrefix(string(d), "argon2:")
}

// IsHashed returns true if the credential is a sha256 or argon2 hash.
func (d Credential) IsHashed() bool {
	return d.IsSha256() || d.IsArgon2()
}

// Check returns true if the given value matches the credential.
func (d Credential) Check(guess string) bool {
	if d.IsSha256() {
		return string(d)[len("sha256:"):] == sha256Base64(guess)
	}

	if d.IsArgon2() {
		// TODO: remove matthewhartstonge/argon2 when this PR gets merged into mainline Go:
		// https://go-review.googlesource.com/c/crypto/+/502515
		ok, err := argon2.VerifyEncoded([]byte(guess), []byte(string(d)[len("argon2:"):]))
		return ok && err == nil
	}

	if d != "" {
		return string(d) == guess
	}

	return true
}

func (d Credential) validate() error {
	if d != "" {
		switch {
		case d.IsSha256():
			if !reBase64.MatchString(string(d)) {
				return fmt.Errorf("credential contains unsupported characters, sha256 hash must be base64 encoded")
			}
		case d.IsArgon2():
			// TODO: remove matthewhartstonge/argon2 when this PR gets merged into mainline Go:
			// https://go-review.googlesource.com/c/crypto/+/502515
			_, err := argon2.Decode([]byte(string(d)[len("argon2:"):]))
			if err != nil {
				return fmt.Errorf("invalid argon2 hash: %w", err)
			}
		default:
			if !rePlainCredential.MatchString(string(d)) {
				return fmt.Errorf("credential contains unsupported characters. Supported are: %s", plainCredentialSupportedChars)
			}
		}
	}
	return nil
}
move decoding of more configuration into JSON decoding 2021-09-27 13:45:51 +00:00			`package conf`

			`import (`
Add Argon2 credential hash support (#2888) * Add argon2 credential hash support * update README, tests and documentation --------- Co-authored-by: aler9 <46489434+aler9@users.noreply.github.com> 2024-01-13 11:49:08 +00:00			`"crypto/sha256"`
			`"encoding/base64"`
move decoding of more configuration into JSON decoding 2021-09-27 13:45:51 +00:00			`"encoding/json"`
			`"fmt"`
			`"regexp"`
			`"strings"`
Add Argon2 credential hash support (#2888) * Add argon2 credential hash support * update README, tests and documentation --------- Co-authored-by: aler9 <46489434+aler9@users.noreply.github.com> 2024-01-13 11:49:08 +00:00
			`"github.com/matthewhartstonge/argon2"`
move decoding of more configuration into JSON decoding 2021-09-27 13:45:51 +00:00			`)`

Add Argon2 credential hash support (#2888) * Add argon2 credential hash support * update README, tests and documentation --------- Co-authored-by: aler9 <46489434+aler9@users.noreply.github.com> 2024-01-13 11:49:08 +00:00			`var (`
			rePlainCredential = regexp.MustCompile(`^[a-zA-Z0-9!\$\(\)\*\+\.;<=>\[\]\^_\-\{\}@#&]+$`)
			reBase64 = regexp.MustCompile(`^sha256:[a-zA-Z0-9\+/=]+$`)
			`)`
move decoding of more configuration into JSON decoding 2021-09-27 13:45:51 +00:00
Add Argon2 credential hash support (#2888) * Add argon2 credential hash support * update README, tests and documentation --------- Co-authored-by: aler9 <46489434+aler9@users.noreply.github.com> 2024-01-13 11:49:08 +00:00			`const plainCredentialSupportedChars = "A-Z,0-9,!,$,(,),*,+,.,;,<,=,>,[,],^,_,-,\",\",@,#,&"`
move decoding of more configuration into JSON decoding 2021-09-27 13:45:51 +00:00
move RTSP tests into internal/servers/rtsp (#3049) 2024-02-20 18:35:35 +00:00			`func sha256Base64(in string) string {`
			`h := sha256.New()`
			`h.Write([]byte(in))`
			`return base64.StdEncoding.EncodeToString(h.Sum(nil))`
Add Argon2 credential hash support (#2888) * Add argon2 credential hash support * update README, tests and documentation --------- Co-authored-by: aler9 <46489434+aler9@users.noreply.github.com> 2024-01-13 11:49:08 +00:00			`}`
move decoding of more configuration into JSON decoding 2021-09-27 13:45:51 +00:00
move RTSP tests into internal/servers/rtsp (#3049) 2024-02-20 18:35:35 +00:00			`// Credential is a parameter that is used as username or password.`
			`type Credential string`

hls server: show real client IPs when behind a proxy (#955) 2022-06-21 11:41:15 +00:00			`// MarshalJSON implements json.Marshaler.`
move decoding of more configuration into JSON decoding 2021-09-27 13:45:51 +00:00			`func (d Credential) MarshalJSON() ([]byte, error) {`
move RTSP tests into internal/servers/rtsp (#3049) 2024-02-20 18:35:35 +00:00			`return json.Marshal(string(d))`
move decoding of more configuration into JSON decoding 2021-09-27 13:45:51 +00:00			`}`

hls server: show real client IPs when behind a proxy (#955) 2022-06-21 11:41:15 +00:00			`// UnmarshalJSON implements json.Unmarshaler.`
move decoding of more configuration into JSON decoding 2021-09-27 13:45:51 +00:00			`func (d *Credential) UnmarshalJSON(b []byte) error {`
			`var in string`
			`if err := json.Unmarshal(b, &in); err != nil {`
			`return err`
			`}`

move RTSP tests into internal/servers/rtsp (#3049) 2024-02-20 18:35:35 +00:00			`*d = Credential(in)`
move decoding of more configuration into JSON decoding 2021-09-27 13:45:51 +00:00
add playback server (#2452) (#2906) * add playback server * add playback switch * update readme 2024-01-23 19:52:05 +00:00			`return d.validate()`
move decoding of more configuration into JSON decoding 2021-09-27 13:45:51 +00:00			`}`
conf: use dedicated interface to unmarshal from environment 2021-10-11 09:46:40 +00:00
allow changing default path settings; bump API in order to allow so (#2455) 2023-10-07 21:32:15 +00:00			`// UnmarshalEnv implements env.Unmarshaler.`
			`func (d *Credential) UnmarshalEnv(_ string, v string) error {`
			return d.UnmarshalJSON([]byte(`"` + v + `"`))
conf: use dedicated interface to unmarshal from environment 2021-10-11 09:46:40 +00:00			`}`
Add Argon2 credential hash support (#2888) * Add argon2 credential hash support * update README, tests and documentation --------- Co-authored-by: aler9 <46489434+aler9@users.noreply.github.com> 2024-01-13 11:49:08 +00:00
			`// IsSha256 returns true if the credential is a sha256 hash.`
move RTSP tests into internal/servers/rtsp (#3049) 2024-02-20 18:35:35 +00:00			`func (d Credential) IsSha256() bool {`
			`return strings.HasPrefix(string(d), "sha256:")`
Add Argon2 credential hash support (#2888) * Add argon2 credential hash support * update README, tests and documentation --------- Co-authored-by: aler9 <46489434+aler9@users.noreply.github.com> 2024-01-13 11:49:08 +00:00			`}`

			`// IsArgon2 returns true if the credential is an argon2 hash.`
move RTSP tests into internal/servers/rtsp (#3049) 2024-02-20 18:35:35 +00:00			`func (d Credential) IsArgon2() bool {`
			`return strings.HasPrefix(string(d), "argon2:")`
Add Argon2 credential hash support (#2888) * Add argon2 credential hash support * update README, tests and documentation --------- Co-authored-by: aler9 <46489434+aler9@users.noreply.github.com> 2024-01-13 11:49:08 +00:00			`}`

			`// IsHashed returns true if the credential is a sha256 or argon2 hash.`
move RTSP tests into internal/servers/rtsp (#3049) 2024-02-20 18:35:35 +00:00			`func (d Credential) IsHashed() bool {`
Add Argon2 credential hash support (#2888) * Add argon2 credential hash support * update README, tests and documentation --------- Co-authored-by: aler9 <46489434+aler9@users.noreply.github.com> 2024-01-13 11:49:08 +00:00			`return d.IsSha256() \|\| d.IsArgon2()`
			`}`

			`// Check returns true if the given value matches the credential.`
move RTSP tests into internal/servers/rtsp (#3049) 2024-02-20 18:35:35 +00:00			`func (d Credential) Check(guess string) bool {`
Add Argon2 credential hash support (#2888) * Add argon2 credential hash support * update README, tests and documentation --------- Co-authored-by: aler9 <46489434+aler9@users.noreply.github.com> 2024-01-13 11:49:08 +00:00			`if d.IsSha256() {`
move RTSP tests into internal/servers/rtsp (#3049) 2024-02-20 18:35:35 +00:00			`return string(d)[len("sha256:"):] == sha256Base64(guess)`
Add Argon2 credential hash support (#2888) * Add argon2 credential hash support * update README, tests and documentation --------- Co-authored-by: aler9 <46489434+aler9@users.noreply.github.com> 2024-01-13 11:49:08 +00:00			`}`
move RTSP tests into internal/servers/rtsp (#3049) 2024-02-20 18:35:35 +00:00
Add Argon2 credential hash support (#2888) * Add argon2 credential hash support * update README, tests and documentation --------- Co-authored-by: aler9 <46489434+aler9@users.noreply.github.com> 2024-01-13 11:49:08 +00:00			`if d.IsArgon2() {`
			`// TODO: remove matthewhartstonge/argon2 when this PR gets merged into mainline Go:`
			`// https://go-review.googlesource.com/c/crypto/+/502515`
move RTSP tests into internal/servers/rtsp (#3049) 2024-02-20 18:35:35 +00:00			`ok, err := argon2.VerifyEncoded([]byte(guess), []byte(string(d)[len("argon2:"):]))`
Add Argon2 credential hash support (#2888) * Add argon2 credential hash support * update README, tests and documentation --------- Co-authored-by: aler9 <46489434+aler9@users.noreply.github.com> 2024-01-13 11:49:08 +00:00			`return ok && err == nil`
			`}`
move RTSP tests into internal/servers/rtsp (#3049) 2024-02-20 18:35:35 +00:00
			`if d != "" {`
			`return string(d) == guess`
Add Argon2 credential hash support (#2888) * Add argon2 credential hash support * update README, tests and documentation --------- Co-authored-by: aler9 <46489434+aler9@users.noreply.github.com> 2024-01-13 11:49:08 +00:00			`}`

move RTSP tests into internal/servers/rtsp (#3049) 2024-02-20 18:35:35 +00:00			`return true`
Add Argon2 credential hash support (#2888) * Add argon2 credential hash support * update README, tests and documentation --------- Co-authored-by: aler9 <46489434+aler9@users.noreply.github.com> 2024-01-13 11:49:08 +00:00			`}`

move RTSP tests into internal/servers/rtsp (#3049) 2024-02-20 18:35:35 +00:00			`func (d Credential) validate() error {`
			`if d != "" {`
add playback server (#2452) (#2906) * add playback server * add playback switch * update readme 2024-01-23 19:52:05 +00:00			`switch {`
			`case d.IsSha256():`
move RTSP tests into internal/servers/rtsp (#3049) 2024-02-20 18:35:35 +00:00			`if !reBase64.MatchString(string(d)) {`
add playback server (#2452) (#2906) * add playback server * add playback switch * update readme 2024-01-23 19:52:05 +00:00			`return fmt.Errorf("credential contains unsupported characters, sha256 hash must be base64 encoded")`
			`}`
			`case d.IsArgon2():`
			`// TODO: remove matthewhartstonge/argon2 when this PR gets merged into mainline Go:`
			`// https://go-review.googlesource.com/c/crypto/+/502515`
move RTSP tests into internal/servers/rtsp (#3049) 2024-02-20 18:35:35 +00:00			`_, err := argon2.Decode([]byte(string(d)[len("argon2:"):]))`
add playback server (#2452) (#2906) * add playback server * add playback switch * update readme 2024-01-23 19:52:05 +00:00			`if err != nil {`
			`return fmt.Errorf("invalid argon2 hash: %w", err)`
			`}`
			`default:`
move RTSP tests into internal/servers/rtsp (#3049) 2024-02-20 18:35:35 +00:00			`if !rePlainCredential.MatchString(string(d)) {`
add playback server (#2452) (#2906) * add playback server * add playback switch * update readme 2024-01-23 19:52:05 +00:00			`return fmt.Errorf("credential contains unsupported characters. Supported are: %s", plainCredentialSupportedChars)`
			`}`
Add Argon2 credential hash support (#2888) * Add argon2 credential hash support * update README, tests and documentation --------- Co-authored-by: aler9 <46489434+aler9@users.noreply.github.com> 2024-01-13 11:49:08 +00:00			`}`
			`}`
			`return nil`
			`}`