2024-03-04 13:20:34 +00:00
|
|
|
package auth
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
2024-04-18 20:58:37 +00:00
|
|
|
"crypto/rand"
|
|
|
|
"crypto/rsa"
|
2024-03-04 13:20:34 +00:00
|
|
|
"encoding/json"
|
|
|
|
"net"
|
|
|
|
"net/http"
|
|
|
|
"testing"
|
2024-04-18 20:58:37 +00:00
|
|
|
"time"
|
2024-03-04 13:20:34 +00:00
|
|
|
|
2024-04-18 20:58:37 +00:00
|
|
|
"github.com/MicahParks/jwkset"
|
2024-03-04 13:20:34 +00:00
|
|
|
"github.com/bluenviron/gortsplib/v4/pkg/auth"
|
|
|
|
"github.com/bluenviron/gortsplib/v4/pkg/base"
|
|
|
|
"github.com/bluenviron/mediamtx/internal/conf"
|
2024-04-18 20:58:37 +00:00
|
|
|
"github.com/golang-jwt/jwt/v5"
|
2024-03-04 13:20:34 +00:00
|
|
|
"github.com/stretchr/testify/require"
|
|
|
|
)
|
|
|
|
|
|
|
|
func mustParseCIDR(v string) net.IPNet {
|
|
|
|
_, ne, err := net.ParseCIDR(v)
|
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
if ipv4 := ne.IP.To4(); ipv4 != nil {
|
|
|
|
return net.IPNet{IP: ipv4, Mask: ne.Mask[len(ne.Mask)-4 : len(ne.Mask)]}
|
|
|
|
}
|
|
|
|
return *ne
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestAuthInternal(t *testing.T) {
|
|
|
|
for _, outcome := range []string{
|
|
|
|
"ok",
|
|
|
|
"wrong user",
|
|
|
|
"wrong pass",
|
|
|
|
"wrong ip",
|
|
|
|
"wrong action",
|
|
|
|
"wrong path",
|
|
|
|
} {
|
|
|
|
for _, encryption := range []string{
|
|
|
|
"plain",
|
|
|
|
"sha256",
|
|
|
|
"argon2",
|
|
|
|
} {
|
|
|
|
t.Run(outcome+" "+encryption, func(t *testing.T) {
|
|
|
|
m := Manager{
|
|
|
|
Method: conf.AuthMethodInternal,
|
|
|
|
InternalUsers: []conf.AuthInternalUser{
|
|
|
|
{
|
|
|
|
IPs: conf.IPNetworks{mustParseCIDR("127.1.1.1/32")},
|
2024-04-18 20:58:37 +00:00
|
|
|
Permissions: []conf.AuthInternalUserPermission{{
|
|
|
|
Action: conf.AuthActionPublish,
|
|
|
|
Path: "mypath",
|
|
|
|
}},
|
2024-03-04 13:20:34 +00:00
|
|
|
},
|
|
|
|
},
|
|
|
|
HTTPAddress: "",
|
|
|
|
RTSPAuthMethods: nil,
|
|
|
|
}
|
|
|
|
|
|
|
|
switch encryption {
|
|
|
|
case "plain":
|
|
|
|
m.InternalUsers[0].User = conf.Credential("testuser")
|
|
|
|
m.InternalUsers[0].Pass = conf.Credential("testpass")
|
|
|
|
|
|
|
|
case "sha256":
|
|
|
|
m.InternalUsers[0].User = conf.Credential("sha256:rl3rgi4NcZkpAEcacZnQ2VuOfJ0FxAqCRaKB/SwdZoQ=")
|
|
|
|
m.InternalUsers[0].Pass = conf.Credential("sha256:E9JJ8stBJ7QM+nV4ZoUCeHk/gU3tPFh/5YieiJp6n2w=")
|
|
|
|
|
|
|
|
case "argon2":
|
|
|
|
m.InternalUsers[0].User = conf.Credential(
|
|
|
|
"argon2:$argon2id$v=19$m=4096,t=3,p=1$MTIzNDU2Nzg$Ux/LWeTgJQPyfMMJo1myR64+o8rALHoPmlE1i/TR+58")
|
|
|
|
m.InternalUsers[0].Pass = conf.Credential(
|
|
|
|
"argon2:$argon2i$v=19$m=4096,t=3,p=1$MTIzNDU2Nzg$/mrZ42TiTv1mcPnpMUera5oi0SFYbbyueAbdx5sUvWo")
|
|
|
|
}
|
|
|
|
|
|
|
|
switch outcome {
|
|
|
|
case "ok":
|
|
|
|
err := m.Authenticate(&Request{
|
|
|
|
User: "testuser",
|
|
|
|
Pass: "testpass",
|
|
|
|
IP: net.ParseIP("127.1.1.1"),
|
|
|
|
Action: conf.AuthActionPublish,
|
|
|
|
Path: "mypath",
|
|
|
|
})
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
case "wrong user":
|
|
|
|
err := m.Authenticate(&Request{
|
|
|
|
User: "wrong",
|
|
|
|
Pass: "testpass",
|
|
|
|
IP: net.ParseIP("127.1.1.1"),
|
|
|
|
Action: conf.AuthActionPublish,
|
|
|
|
Path: "mypath",
|
|
|
|
})
|
|
|
|
require.Error(t, err)
|
|
|
|
|
|
|
|
case "wrong pass":
|
|
|
|
err := m.Authenticate(&Request{
|
|
|
|
User: "testuser",
|
|
|
|
Pass: "wrong",
|
|
|
|
IP: net.ParseIP("127.1.1.1"),
|
|
|
|
Action: conf.AuthActionPublish,
|
|
|
|
Path: "mypath",
|
|
|
|
})
|
|
|
|
require.Error(t, err)
|
|
|
|
|
|
|
|
case "wrong ip":
|
|
|
|
err := m.Authenticate(&Request{
|
|
|
|
User: "testuser",
|
|
|
|
Pass: "testpass",
|
|
|
|
IP: net.ParseIP("127.1.1.2"),
|
|
|
|
Action: conf.AuthActionPublish,
|
|
|
|
Path: "mypath",
|
|
|
|
})
|
|
|
|
require.Error(t, err)
|
|
|
|
|
|
|
|
case "wrong action":
|
|
|
|
err := m.Authenticate(&Request{
|
|
|
|
User: "testuser",
|
|
|
|
Pass: "testpass",
|
|
|
|
IP: net.ParseIP("127.1.1.1"),
|
|
|
|
Action: conf.AuthActionRead,
|
|
|
|
Path: "mypath",
|
|
|
|
})
|
|
|
|
require.Error(t, err)
|
|
|
|
|
|
|
|
case "wrong path":
|
|
|
|
err := m.Authenticate(&Request{
|
|
|
|
User: "testuser",
|
|
|
|
Pass: "testpass",
|
|
|
|
IP: net.ParseIP("127.1.1.1"),
|
|
|
|
Action: conf.AuthActionPublish,
|
|
|
|
Path: "wrong",
|
|
|
|
})
|
|
|
|
require.Error(t, err)
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestAuthInternalRTSPDigest(t *testing.T) {
|
|
|
|
m := Manager{
|
|
|
|
Method: conf.AuthMethodInternal,
|
|
|
|
InternalUsers: []conf.AuthInternalUser{
|
|
|
|
{
|
|
|
|
User: "myuser",
|
|
|
|
Pass: "mypass",
|
|
|
|
IPs: conf.IPNetworks{mustParseCIDR("127.1.1.1/32")},
|
2024-04-18 20:58:37 +00:00
|
|
|
Permissions: []conf.AuthInternalUserPermission{{
|
|
|
|
Action: conf.AuthActionPublish,
|
|
|
|
Path: "mypath",
|
|
|
|
}},
|
2024-03-04 13:20:34 +00:00
|
|
|
},
|
|
|
|
},
|
|
|
|
HTTPAddress: "",
|
2024-05-15 08:28:12 +00:00
|
|
|
RTSPAuthMethods: []auth.ValidateMethod{auth.ValidateMethodDigestMD5},
|
2024-03-04 13:20:34 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
u, err := base.ParseURL("rtsp://127.0.0.1:8554/mypath")
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
s, err := auth.NewSender(
|
2024-05-15 08:28:12 +00:00
|
|
|
auth.GenerateWWWAuthenticate([]auth.ValidateMethod{auth.ValidateMethodDigestMD5}, "IPCAM", "mynonce"),
|
2024-03-04 13:20:34 +00:00
|
|
|
"myuser",
|
|
|
|
"mypass",
|
|
|
|
)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
req := &base.Request{
|
|
|
|
Method: "ANNOUNCE",
|
|
|
|
URL: u,
|
|
|
|
}
|
|
|
|
|
|
|
|
s.AddAuthorization(req)
|
|
|
|
|
|
|
|
err = m.Authenticate(&Request{
|
|
|
|
IP: net.ParseIP("127.1.1.1"),
|
|
|
|
Action: conf.AuthActionPublish,
|
|
|
|
Path: "mypath",
|
|
|
|
RTSPRequest: req,
|
|
|
|
RTSPNonce: "mynonce",
|
|
|
|
})
|
|
|
|
require.NoError(t, err)
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestAuthHTTP(t *testing.T) {
|
|
|
|
for _, outcome := range []string{"ok", "fail"} {
|
|
|
|
t.Run(outcome, func(t *testing.T) {
|
2024-04-18 20:58:37 +00:00
|
|
|
firstReceived := false
|
|
|
|
|
|
|
|
httpServ := &http.Server{
|
|
|
|
Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
require.Equal(t, http.MethodPost, r.Method)
|
|
|
|
require.Equal(t, "/auth", r.URL.Path)
|
|
|
|
|
|
|
|
var in struct {
|
|
|
|
IP string `json:"ip"`
|
|
|
|
User string `json:"user"`
|
|
|
|
Password string `json:"password"`
|
|
|
|
Path string `json:"path"`
|
|
|
|
Protocol string `json:"protocol"`
|
|
|
|
ID string `json:"id"`
|
|
|
|
Action string `json:"action"`
|
|
|
|
Query string `json:"query"`
|
|
|
|
}
|
|
|
|
err := json.NewDecoder(r.Body).Decode(&in)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
if in.IP != "127.0.0.1" ||
|
|
|
|
in.User != "testpublisher" ||
|
|
|
|
in.Password != "testpass" ||
|
|
|
|
in.Path != "teststream" ||
|
|
|
|
in.Protocol != "rtsp" ||
|
|
|
|
(firstReceived && in.ID == "") ||
|
|
|
|
in.Action != "publish" ||
|
|
|
|
(in.Query != "user=testreader&pass=testpass¶m=value" &&
|
|
|
|
in.Query != "user=testpublisher&pass=testpass¶m=value" &&
|
|
|
|
in.Query != "param=value") {
|
|
|
|
w.WriteHeader(http.StatusBadRequest)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
firstReceived = true
|
|
|
|
}),
|
|
|
|
}
|
|
|
|
|
|
|
|
ln, err := net.Listen("tcp", "127.0.0.1:9120")
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
go httpServ.Serve(ln)
|
|
|
|
defer httpServ.Shutdown(context.Background())
|
|
|
|
|
2024-03-04 13:20:34 +00:00
|
|
|
m := Manager{
|
|
|
|
Method: conf.AuthMethodHTTP,
|
|
|
|
HTTPAddress: "http://127.0.0.1:9120/auth",
|
|
|
|
RTSPAuthMethods: nil,
|
|
|
|
}
|
|
|
|
|
|
|
|
if outcome == "ok" {
|
|
|
|
err := m.Authenticate(&Request{
|
|
|
|
User: "testpublisher",
|
|
|
|
Pass: "testpass",
|
|
|
|
IP: net.ParseIP("127.0.0.1"),
|
|
|
|
Action: conf.AuthActionPublish,
|
|
|
|
Path: "teststream",
|
|
|
|
Protocol: ProtocolRTSP,
|
|
|
|
Query: "param=value",
|
|
|
|
})
|
|
|
|
require.NoError(t, err)
|
|
|
|
} else {
|
|
|
|
err := m.Authenticate(&Request{
|
|
|
|
User: "invalid",
|
|
|
|
Pass: "testpass",
|
|
|
|
IP: net.ParseIP("127.0.0.1"),
|
|
|
|
Action: conf.AuthActionPublish,
|
|
|
|
Path: "teststream",
|
|
|
|
Protocol: ProtocolRTSP,
|
|
|
|
Query: "param=value",
|
|
|
|
})
|
|
|
|
require.Error(t, err)
|
|
|
|
}
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func TestAuthHTTPExclude(t *testing.T) {
|
|
|
|
m := Manager{
|
|
|
|
Method: conf.AuthMethodHTTP,
|
|
|
|
HTTPAddress: "http://not-to-be-used:9120/auth",
|
|
|
|
HTTPExclude: []conf.AuthInternalUserPermission{{
|
|
|
|
Action: conf.AuthActionPublish,
|
|
|
|
}},
|
|
|
|
RTSPAuthMethods: nil,
|
|
|
|
}
|
|
|
|
|
|
|
|
err := m.Authenticate(&Request{
|
|
|
|
User: "",
|
|
|
|
Pass: "",
|
|
|
|
IP: net.ParseIP("127.0.0.1"),
|
|
|
|
Action: conf.AuthActionPublish,
|
|
|
|
Path: "teststream",
|
|
|
|
Protocol: ProtocolRTSP,
|
|
|
|
Query: "param=value",
|
|
|
|
})
|
|
|
|
require.NoError(t, err)
|
|
|
|
}
|
2024-04-18 20:58:37 +00:00
|
|
|
|
|
|
|
func TestAuthJWT(t *testing.T) {
|
|
|
|
// taken from
|
|
|
|
// https://github.com/MicahParks/jwkset/blob/master/examples/http_server/main.go
|
|
|
|
|
|
|
|
key, err := rsa.GenerateKey(rand.Reader, 1024)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
jwk, err := jwkset.NewJWKFromKey(key, jwkset.JWKOptions{
|
|
|
|
Metadata: jwkset.JWKMetadataOptions{
|
|
|
|
KID: "test-key-id",
|
|
|
|
},
|
|
|
|
})
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
jwkSet := jwkset.NewMemoryStorage()
|
|
|
|
err = jwkSet.KeyWrite(context.Background(), jwk)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
httpServ := &http.Server{
|
|
|
|
Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
2024-04-28 16:20:08 +00:00
|
|
|
response, err2 := jwkSet.JSONPublic(r.Context())
|
|
|
|
if err2 != nil {
|
2024-04-18 20:58:37 +00:00
|
|
|
w.WriteHeader(http.StatusInternalServerError)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
w.Header().Set("Content-Type", "application/json")
|
|
|
|
_, _ = w.Write(response)
|
|
|
|
}),
|
|
|
|
}
|
|
|
|
|
|
|
|
ln, err := net.Listen("tcp", "localhost:4567")
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
go httpServ.Serve(ln)
|
|
|
|
defer httpServ.Shutdown(context.Background())
|
|
|
|
|
|
|
|
type customClaims struct {
|
|
|
|
jwt.RegisteredClaims
|
2024-08-26 10:43:28 +00:00
|
|
|
MediaMTXPermissions []conf.AuthInternalUserPermission `json:"my_permission_key"`
|
2024-04-18 20:58:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
claims := customClaims{
|
|
|
|
RegisteredClaims: jwt.RegisteredClaims{
|
|
|
|
ExpiresAt: jwt.NewNumericDate(time.Now().Add(24 * time.Hour)),
|
|
|
|
IssuedAt: jwt.NewNumericDate(time.Now()),
|
|
|
|
NotBefore: jwt.NewNumericDate(time.Now()),
|
|
|
|
Issuer: "test",
|
|
|
|
Subject: "somebody",
|
|
|
|
ID: "1",
|
|
|
|
},
|
|
|
|
MediaMTXPermissions: []conf.AuthInternalUserPermission{{
|
|
|
|
Action: conf.AuthActionPublish,
|
|
|
|
Path: "mypath",
|
|
|
|
}},
|
|
|
|
}
|
|
|
|
|
|
|
|
token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
|
|
|
|
token.Header[jwkset.HeaderKID] = "test-key-id"
|
|
|
|
ss, err := token.SignedString(key)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
m := Manager{
|
2024-08-26 10:43:28 +00:00
|
|
|
Method: conf.AuthMethodJWT,
|
|
|
|
JWTJWKS: "http://localhost:4567/jwks",
|
|
|
|
JWTClaimKey: "my_permission_key",
|
2024-04-18 20:58:37 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
err = m.Authenticate(&Request{
|
|
|
|
User: "",
|
|
|
|
Pass: "",
|
|
|
|
IP: net.ParseIP("127.0.0.1"),
|
|
|
|
Action: conf.AuthActionPublish,
|
|
|
|
Path: "mypath",
|
|
|
|
Protocol: ProtocolRTSP,
|
|
|
|
Query: "param=value&jwt=" + ss,
|
|
|
|
})
|
|
|
|
require.NoError(t, err)
|
|
|
|
}
|