rtsp: rewrite authentication around ServerConn.VerifyCredentials (#4267)

Author: aler9

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/alecthomas/kong v1.8.1
 	github.com/asticode/go-astits v1.13.0
 	github.com/bluenviron/gohlslib/v2 v2.1.4-0.20250210133907-d3dddacbb9fc
-	github.com/bluenviron/gortsplib/v4 v4.12.4-0.20250214103455-885a9975ef10
+	github.com/bluenviron/gortsplib/v4 v4.12.4-0.20250218163904-55556f1ecfa2
 	github.com/bluenviron/mediacommon/v2 v2.0.0
 	github.com/datarhei/gosrt v0.8.0
 	github.com/fsnotify/fsnotify v1.8.0

go.sum

@@ -33,8 +33,8 @@ github.com/benburkert/openpgp v0.0.0-20160410205803-c2471f86866c h1:8XZeJrs4+ZYh
 github.com/benburkert/openpgp v0.0.0-20160410205803-c2471f86866c/go.mod h1:x1vxHcL/9AVzuk5HOloOEPrtJY0MaalYr78afXZ+pWI=
 github.com/bluenviron/gohlslib/v2 v2.1.4-0.20250210133907-d3dddacbb9fc h1:t1i9foTQ+RfFT5Ke9HV845zWtz2vtWQCWV8ZXvpzM4g=
 github.com/bluenviron/gohlslib/v2 v2.1.4-0.20250210133907-d3dddacbb9fc/go.mod h1:soTVqoidOT+L08hUSDreM7DebNyjjViUiEvpWlr7EIs=
-github.com/bluenviron/gortsplib/v4 v4.12.4-0.20250214103455-885a9975ef10 h1:nQI+hp8j2uSSHTumlqG4JcgwdpK+jy8Hj19Z96HRmPo=
-github.com/bluenviron/gortsplib/v4 v4.12.4-0.20250214103455-885a9975ef10/go.mod h1:87/zjOqku9cRSk7q6tZ4R8N7evB29E11GnwLVUk7sAQ=
+github.com/bluenviron/gortsplib/v4 v4.12.4-0.20250218163904-55556f1ecfa2 h1:GgPHJTUYTwKBVu/bf0SVSCdXxRz9AMcLnV7tDmiVYko=
+github.com/bluenviron/gortsplib/v4 v4.12.4-0.20250218163904-55556f1ecfa2/go.mod h1:87/zjOqku9cRSk7q6tZ4R8N7evB29E11GnwLVUk7sAQ=
 github.com/bluenviron/mediacommon/v2 v2.0.0 h1:JinZ9v2x6QeAOzA0cDA6aFe8vQuCrU8OyWEhG2iNzwY=
 github.com/bluenviron/mediacommon/v2 v2.0.0/go.mod h1:iHEz1SFIet6zBwAQoh1a92vTQ3dV3LpVFbom6/SLz3k=
 github.com/bytedance/sonic v1.12.6 h1:/isNmCUF2x3Sh8RAp/4mh4ZGkcFAX/hLrzrK3AvpRzk=

internal/api/api.go

@@ -294,7 +294,7 @@ func (a *API) middlewareAuth(ctx *gin.Context) {
 
 	err := a.AuthManager.Authenticate(req)
 	if err != nil {
-		if err.(*auth.Error).AskCredentials { //nolint:errorlint
+		if err.(auth.Error).AskCredentials { //nolint:errorlint
 			ctx.Header("WWW-Authenticate", `Basic realm="mediamtx"`)
 			ctx.AbortWithStatus(http.StatusUnauthorized)
 			return

internal/auth/manager.go

@@ -14,8 +14,6 @@ import (
 	"time"
 
 	"github.com/MicahParks/keyfunc/v3"
-	"github.com/bluenviron/gortsplib/v4/pkg/auth"
-	"github.com/bluenviron/gortsplib/v4/pkg/headers"
 	"github.com/bluenviron/mediamtx/internal/conf"
 	"github.com/bluenviron/mediamtx/internal/conf/jsonwrapper"
 	"github.com/golang-jwt/jwt/v5"
@@ -26,19 +24,19 @@ const (
 	// PauseAfterError is the pause to apply after an authentication failure.
 	PauseAfterError = 2 * time.Second
 
-	rtspAuthRealm    = "IPCAM"
 	jwtRefreshPeriod = 60 * 60 * time.Second
 )
 
 // Error is a authentication error.
 type Error struct {
+	Wrapped        error
 	Message        string
 	AskCredentials bool
 }
 
 // Error implements the error interface.
-func (e *Error) Error() string {
-	return "authentication failed: " + e.Message
+func (e Error) Error() string {
+	return "authentication failed: " + e.Wrapped.Error()
 }
 
 func matchesPermission(perms []conf.AuthInternalUserPermission, req *Request) bool {
@@ -102,14 +100,13 @@ func (c *customClaims) UnmarshalJSON(b []byte) error {
 
 // Manager is the authentication manager.
 type Manager struct {
-	Method          conf.AuthMethod
-	InternalUsers   []conf.AuthInternalUser
-	HTTPAddress     string
-	HTTPExclude     []conf.AuthInternalUserPermission
-	JWTJWKS         string
-	JWTClaimKey     string
-	ReadTimeout     time.Duration
-	RTSPAuthMethods []auth.VerifyMethod
+	Method        conf.AuthMethod
+	InternalUsers []conf.AuthInternalUser
+	HTTPAddress   string
+	HTTPExclude   []conf.AuthInternalUserPermission
+	JWTJWKS       string
+	JWTClaimKey   string
+	ReadTimeout   time.Duration
 
 	mutex          sync.RWMutex
 	jwtHTTPClient  *http.Client
@@ -140,8 +137,8 @@ func (m *Manager) Authenticate(req *Request) error {
 	}
 
 	if err != nil {
-		return &Error{
-			Message:        err.Error(),
+		return Error{
+			Wrapped:        err,
 			AskCredentials: (req.User == "" && req.Pass == ""),
 		}
 	}
@@ -150,20 +147,11 @@ func (m *Manager) Authenticate(req *Request) error {
 }
 
 func (m *Manager) authenticateInternal(req *Request) error {
-	var rtspAuthHeader *headers.Authorization
-	if req.RTSPRequest != nil {
-		var tmp headers.Authorization
-		err := tmp.Unmarshal(req.RTSPRequest.Header["Authorization"])
-		if err == nil {
-			rtspAuthHeader = &tmp
-		}
-	}
-
 	m.mutex.RLock()
 	defer m.mutex.RUnlock()
 
 	for _, u := range m.InternalUsers {
-		if err := m.authenticateWithUser(req, rtspAuthHeader, &u); err == nil {
+		if ok := m.authenticateWithUser(req, &u); ok {
 			return nil
 		}
 	}
@@ -173,39 +161,29 @@ func (m *Manager) authenticateInternal(req *Request) error {
 
 func (m *Manager) authenticateWithUser(
 	req *Request,
-	rtspAuthHeader *headers.Authorization,
 	u *conf.AuthInternalUser,
-) error {
-	if u.User != "any" && !u.User.Check(req.User) {
-		return fmt.Errorf("wrong user")
-	}
-
+) bool {
 	if len(u.IPs) != 0 && !u.IPs.Contains(req.IP) {
-		return fmt.Errorf("IP not allowed")
+		return false
 	}
 
 	if !matchesPermission(u.Permissions, req) {
-		return fmt.Errorf("user doesn't have permission to perform action")
+		return false
 	}
 
 	if u.User != "any" {
-		if req.RTSPRequest != nil && rtspAuthHeader != nil && rtspAuthHeader.Method == headers.AuthMethodDigest {
-			err := auth.Verify(
-				req.RTSPRequest,
-				string(u.User),
-				string(u.Pass),
-				m.RTSPAuthMethods,
-				rtspAuthRealm,
-				req.RTSPNonce)
-			if err != nil {
-				return err
+		if req.CustomVerifyFunc != nil {
+			if ok := req.CustomVerifyFunc(string(u.User), string(u.Pass)); !ok {
+				return false
+			}
+		} else {
+			if !u.User.Check(req.User) || !u.Pass.Check(req.Pass) {
+				return false
 			}
-		} else if !u.Pass.Check(req.Pass) {
-			return fmt.Errorf("invalid credentials")
 		}
 	}
 
-	return nil
+	return true
 }
 
 func (m *Manager) authenticateHTTP(req *Request) error {

internal/auth/manager_test.go

@@ -12,7 +12,6 @@ import (
 	"time"
 
 	"github.com/MicahParks/jwkset"
-	"github.com/bluenviron/gortsplib/v4/pkg/auth"
 	"github.com/bluenviron/gortsplib/v4/pkg/base"
 	"github.com/bluenviron/mediamtx/internal/conf"
 	"github.com/golang-jwt/jwt/v5"
@@ -56,8 +55,6 @@ func TestAuthInternal(t *testing.T) {
 							}},
 						},
 					},
-					HTTPAddress:     "",
-					RTSPAuthMethods: nil,
 				}
 
 				switch encryption {
@@ -142,7 +139,7 @@ func TestAuthInternal(t *testing.T) {
 	}
 }
 
-func TestAuthInternalRTSPDigest(t *testing.T) {
+func TestAuthInternalCustomVerifyFunc(t *testing.T) {
 	for _, ca := range []string{"ok", "invalid"} {
 		t.Run(ca, func(t *testing.T) {
 			m := Manager{
@@ -158,8 +155,6 @@ func TestAuthInternalRTSPDigest(t *testing.T) {
 						}},
 					},
 				},
-				HTTPAddress:     "",
-				RTSPAuthMethods: []auth.VerifyMethod{auth.VerifyMethodDigestMD5},
 			}
 
 			u, err := base.ParseURL("rtsp://127.0.0.1:8554/mypath")
@@ -170,25 +165,15 @@ func TestAuthInternalRTSPDigest(t *testing.T) {
 				URL:    u,
 			}
 
-			if ca == "ok" {
-				var s *auth.Sender
-				s, err = auth.NewSender(
-					auth.GenerateWWWAuthenticate([]auth.VerifyMethod{auth.VerifyMethodDigestMD5}, "IPCAM", "mynonce"),
-					"myuser",
-					"mypass",
-				)
-				require.NoError(t, err)
-				s.AddAuthorization(req)
-			} else {
-				req.Header = base.Header{"Authorization": base.HeaderValue{"garbage"}}
-			}
-
 			req1 := &Request{
-				IP:          net.ParseIP("127.1.1.1"),
-				Action:      conf.AuthActionPublish,
-				Path:        "mypath",
-				RTSPRequest: req,
-				RTSPNonce:   "mynonce",
+				IP:     net.ParseIP("127.1.1.1"),
+				Action: conf.AuthActionPublish,
+				Path:   "mypath",
+				CustomVerifyFunc: func(expectedUser, expectedPass string) bool {
+					require.Equal(t, "myuser", expectedUser)
+					require.Equal(t, "mypass", expectedPass)
+					return (ca == "ok")
+				},
 			}
 			req1.FillFromRTSPRequest(req)
 			err = m.Authenticate(req1)
@@ -216,8 +201,6 @@ func TestAuthInternalCredentialsInBearer(t *testing.T) {
 				}},
 			},
 		},
-		HTTPAddress:     "",
-		RTSPAuthMethods: []auth.VerifyMethod{auth.VerifyMethodDigestMD5},
 	}
 
 	req := &Request{
@@ -282,9 +265,8 @@ func TestAuthHTTP(t *testing.T) {
 			defer httpServ.Shutdown(context.Background())
 
 			m := Manager{
-				Method:          conf.AuthMethodHTTP,
-				HTTPAddress:     "http://127.0.0.1:9120/auth",
-				RTSPAuthMethods: nil,
+				Method:      conf.AuthMethodHTTP,
+				HTTPAddress: "http://127.0.0.1:9120/auth",
 			}
 
 			if outcome == "ok" {
@@ -321,7 +303,6 @@ func TestAuthHTTPExclude(t *testing.T) {
 		HTTPExclude: []conf.AuthInternalUserPermission{{
 			Action: conf.AuthActionPublish,
 		}},
-		RTSPAuthMethods: nil,
 	}
 
 	err := m.Authenticate(&Request{

internal/auth/request.go

@@ -37,32 +37,27 @@ const (
 
 // Request is an authentication request.
 type Request struct {
-	User   string
-	Pass   string
-	IP     net.IP
-	Action conf.AuthAction
+	User             string
+	Pass             string
+	IP               net.IP
+	Action           conf.AuthAction
+	CustomVerifyFunc func(expectedUser string, expectedPass string) bool
 
 	// only for ActionPublish, ActionRead, ActionPlayback
 	Path     string
 	Protocol Protocol
 	ID       *uuid.UUID
 	Query    string
-
-	// RTSP only
-	RTSPRequest *base.Request
-	RTSPNonce   string
 }
 
 // FillFromRTSPRequest fills User and Pass from a RTSP request.
 func (r *Request) FillFromRTSPRequest(rt *base.Request) {
 	var rtspAuthHeader headers.Authorization
 	err := rtspAuthHeader.Unmarshal(rt.Header["Authorization"])
 	if err == nil {
+		r.User = rtspAuthHeader.Username
 		if rtspAuthHeader.Method == headers.AuthMethodBasic {
-			r.User = rtspAuthHeader.BasicUser
 			r.Pass = rtspAuthHeader.BasicPass
-		} else {
-			r.User = rtspAuthHeader.Username
 		}
 	}
 }

internal/conf/auth_internal_users.go

@@ -1,6 +1,8 @@
 package conf
 
 import (
+	"fmt"
+
 	"github.com/bluenviron/mediamtx/internal/conf/jsonwrapper"
 )
 
@@ -18,6 +20,25 @@ type AuthInternalUser struct {
 	Permissions []AuthInternalUserPermission `json:"permissions"`
 }
 
+// UnmarshalJSON implements json.Unmarshaler.
+func (d *AuthInternalUser) UnmarshalJSON(b []byte) error {
+	type alias AuthInternalUser
+	if err := jsonwrapper.Unmarshal(b, (*alias)(d)); err != nil {
+		return err
+	}
+
+	// https://github.com/bluenviron/gortsplib/blob/55556f1ecfa2bd51b29fe14eddd70512a0361cbd/server_conn.go#L155-L156
+	if d.User == "" {
+		return fmt.Errorf("empty usernames are not supported")
+	}
+
+	if d.User == "any" && d.Pass != "" {
+		return fmt.Errorf("using a password with 'any' user is not supported")
+	}
+
+	return nil
+}
+
 // AuthInternalUsers is a list of AuthInternalUser
 type AuthInternalUsers []AuthInternalUser
 

internal/conf/conf_test.go

@@ -407,6 +407,24 @@ func TestConfErrors(t *testing.T) {
 				"    sourceRedirect: invalid://invalid",
 			`'sourceRedirect' is useless when source is not 'redirect'`,
 		},
+		{
+			"invalid user",
+			"authInternalUsers:\n" +
+				"- user:\n" +
+				"  pass: test\n" +
+				"  permissions:\n" +
+				"  - action: publish\n",
+			"empty usernames are not supported",
+		},
+		{
+			"invalid pass",
+			"authInternalUsers:\n" +
+				"- user: any\n" +
+				"  pass: test\n" +
+				"  permissions:\n" +
+				"  - action: publish\n",
+			`using a password with 'any' user is not supported`,
+		},
 	} {
 		t.Run(ca.name, func(t *testing.T) {
 			tmpf, err := createTempFile([]byte(ca.conf))

internal/core/core.go

@@ -264,14 +264,13 @@ func (p *Core) createResources(initial bool) error {
 
 	if p.authManager == nil {
 		p.authManager = &auth.Manager{
-			Method:          p.conf.AuthMethod,
-			InternalUsers:   p.conf.AuthInternalUsers,
-			HTTPAddress:     p.conf.AuthHTTPAddress,
-			HTTPExclude:     p.conf.AuthHTTPExclude,
-			JWTJWKS:         p.conf.AuthJWTJWKS,
-			JWTClaimKey:     p.conf.AuthJWTClaimKey,
-			ReadTimeout:     time.Duration(p.conf.ReadTimeout),
-			RTSPAuthMethods: p.conf.RTSPAuthMethods,
+			Method:        p.conf.AuthMethod,
+			InternalUsers: p.conf.AuthInternalUsers,
+			HTTPAddress:   p.conf.AuthHTTPAddress,
+			HTTPExclude:   p.conf.AuthHTTPExclude,
+			JWTJWKS:       p.conf.AuthJWTJWKS,
+			JWTClaimKey:   p.conf.AuthJWTClaimKey,
+			ReadTimeout:   time.Duration(p.conf.ReadTimeout),
 		}
 	}
 
@@ -653,8 +652,7 @@ func (p *Core) closeResources(newConf *conf.Conf, calledByAPI bool) {
 		!reflect.DeepEqual(newConf.AuthHTTPExclude, p.conf.AuthHTTPExclude) ||
 		newConf.AuthJWTJWKS != p.conf.AuthJWTJWKS ||
 		newConf.AuthJWTClaimKey != p.conf.AuthJWTClaimKey ||
-		newConf.ReadTimeout != p.conf.ReadTimeout ||
-		!reflect.DeepEqual(newConf.RTSPAuthMethods, p.conf.RTSPAuthMethods)
+		newConf.ReadTimeout != p.conf.ReadTimeout
 	if !closeAuthManager && !reflect.DeepEqual(newConf.AuthInternalUsers, p.conf.AuthInternalUsers) {
 		p.authManager.ReloadInternalUsers(newConf.AuthInternalUsers)
 	}