From 0e4ee6fcf8f1bcb47a121c022d11176c7bb4c104 Mon Sep 17 00:00:00 2001
From: genofire
Date: Sun, 12 Mar 2023 15:53:33 +0100
Subject: [PATCH] feat: add policy with signing for Access Control
---
 go.mod | 1 +
 go.sum | 3 +++
 helper/policy.go | 63 +++++++++++++++++++++++++++++++++++++++++++
 helper/policy_test.go | 57 +++++++++++++++++++++++++++++++++++++++
 4 files changed, 124 insertions(+)
 create mode 100644 helper/policy.go
 create mode 100644 helper/policy_test.go
diff --git a/go.mod b/go.mod
index 867d01d..0ef242f 100644
--- a/go.mod
+++ b/go.mod
@@ -11,6 +11,7 @@ require (
 github.com/prometheus/client_golang v1.14.0
 github.com/prometheus/common v0.40.0 // indirect
 github.com/prometheus/procfs v0.9.0 // indirect
+ github.com/stretchr/testify v1.8.2 // indirect
 go.uber.org/atomic v1.10.0 // indirect
 go.uber.org/multierr v1.9.0 // indirect
 go.uber.org/zap v1.24.0
diff --git a/go.sum b/go.sum
index ac46ad4..a4756bc 100644
--- a/go.sum
+++ b/go.sum
@@ -468,6 +468,7 @@ github.com/streadway/handy v0.0.0-20190108123426-d5acb3125c2a/go.mod h1:qNTQ5P5J
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
@@ -476,6 +477,8 @@ github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5Cc
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
+github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
 github.com/urfave/cli v1.22.1/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
diff --git a/helper/policy.go b/helper/policy.go
new file mode 100644
index 0000000..5bf18bd
--- /dev/null
+++ b/helper/policy.go
@@ -0,0 +1,63 @@
+package helper
+
+import (
+ "crypto/hmac"
+ "crypto/sha1"
+ "encoding/base64"
+ "encoding/json"
+ "net/url"
+)
+
+type Policy struct {
+ URLExpire int `json:"url_expire"`
+ URLActivate int `json:"url_activate,omitempty"`
+ StreamExpire int `json:"stream_expire,omitempty"`
+ AllowIP string `json:"allow_ip,omitempty"`
+}
+
+func (p Policy) Encode() (string, error) {
+ str, err := json.Marshal(p)
+ if err != nil {
+ return "", err
+ }
+ return base64.RawStdEncoding.EncodeToString(str), nil
+}
+
+func SignEncodedPolicy(u *url.URL, secretKey string) string {
+ hasher := hmac.New(sha1.New, []byte(secretKey))
+ hasher.Write([]byte(u.String()))
+ return base64.RawURLEncoding.EncodeToString(hasher.Sum(nil))
+
+}
+
+func (p Policy) SignWithQuery(u *url.URL, secretKey, encodeQuery string) (string, error) {
+ encode, err := p.Encode()
+ if err != nil {
+ return "", nil
+ }
+ query := u.Query()
+ query.Add(encodeQuery, encode)
+ u.RawQuery = query.Encode()
+ return SignEncodedPolicy(u, secretKey), nil
+}
+func (p Policy) Sign(u *url.URL, secretKey string) (string, error) {
+ return p.SignWithQuery(u, secretKey, "policy")
+}
+
+func (p Policy) SignURLWithQuery(u *url.URL, secretKey, encodeQuery, signatureQuery string) error {
+ encode, err := p.Encode()
+ if err != nil {
+ return err
+ }
+ query := u.Query()
+ query.Add(encodeQuery, encode)
+ u.RawQuery = query.Encode()
+
+ signature := SignEncodedPolicy(u, secretKey)
+ query.Add(signatureQuery, signature)
+ u.RawQuery = query.Encode()
+ return nil
+}
+func (p Policy) SignURL(u *url.URL, secretKey string) error {
+ return p.SignURLWithQuery(u, secretKey, "policy", "signature")
+}
diff --git a/helper/policy_test.go b/helper/policy_test.go
new file mode 100644
index 0000000..83f89c4
--- /dev/null
+++ b/helper/policy_test.go
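Review bot: In helper/policy.go, `SignWithQuery` swallows the encoding failure: its `if err != nil` branch returns `"", nil`, so a caller would get an empty signature and no error, while `SignURLWithQuery` propagates the same error; the line should read `return "", err`. `Encode` also uses `base64.RawStdEncoding` where the signature uses `base64.RawURLEncoding`. The SignedPolicy page linked in policy_test.go appears to expect URL-safe Base64 for the policy too, and the single test vector contains neither `+` nor `/`, so the mismatch would go unnoticed; worth confirming against the spec. A doc comment on `Sign` and `SignWithQuery` should state that they modify the caller's `u.RawQuery` (the policy parameter is added and the query re-encoded in sorted key order), and a comment on `SignEncodedPolicy` should note that HMAC-SHA1 is presumably fixed by the OvenMediaEngine protocol rather than chosen here.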
@@ -0,0 +1,57 @@
+// https://airensoft.gitbook.io/ovenmediaengine/access-control/signedpolicy
+package helper
+
+import (
+ "net/url"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+const (
+ examplePolicyEncode = "eyJ1cmxfZXhwaXJlIjoxMzk5NzIxNTgxfQ"
+ exampleSecretKey = "1kU^b6"
+ exampleURL = "ws://192.168.0.100:3333/app/stream"
+ exampleSignature = "dvVdBpoxAeCPl94Kt5RoiqLI0YE"
+ exampleURLWithSignatureAndPolicy = "ws://192.168.0.100/app/stream?policy=eyJ1cmxfZXhwaXJlIjoxMzk5NzIxNTgxfQ&signature=dvVdBpoxAeCPl94Kt5RoiqLI0YE"
+)
+
+var (
+ examplePolicy = Policy{
+ URLExpire: 1399721581,
+ }
+)
+
+func TestPolicyEncode(t *testing.T) {
+ assert := assert.New(t)
+
+ encode, err := examplePolicy.Encode()
+ assert.NoError(err)
+ assert.Equal(examplePolicyEncode, encode)
+}
+
+func TestPolicySign(t *testing.T) {
+ assert := assert.New(t)
+
+ u, err := url.Parse(exampleURL)
+ assert.NoError(err)
+
+ sign, err := examplePolicy.Sign(u, exampleSecretKey)
+ assert.NoError(err)
+ assert.Equal(exampleSignature, sign)
+}
+
+func TestPolicySignURL(t *testing.T) {
+ assert := assert.New(t)
+
+ u, err := url.Parse(exampleURL)
+ assert.NoError(err)
+
+ err = examplePolicy.SignURL(u, exampleSecretKey)
+ assert.NoError(err)
+
+ // drop port -> is not part of example
+ u.Host = u.Hostname()
+
+ assert.Equal(exampleURLWithSignatureAndPolicy, u.String())
+}
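Review bot: None of the three tests in helper/policy_test.go signs a URL that already carries query parameters, although that is the one path where `SignURLWithQuery` reorders what the caller passed in, because `url.Values.Encode()` sorts keys before the HMAC is computed. A round-trip case pins that behaviour without needing a new test vector: sign such a URL, remove the `signature` parameter, and check that `SignEncodedPolicy` over the remainder reproduces it. The existing tests also keep running after a failed `url.Parse`, since `assert.NoError` does not stop the test; that only affects how a failure is reported.

```go
func TestPolicySignURLWithExistingQuery(t *testing.T) {
	assert := assert.New(t)

	// constructed sample: any pre-existing query parameter will do
	u, err := url.Parse(exampleURL + "?transport=tcp")
	assert.NoError(err)
	assert.NoError(examplePolicy.SignURL(u, exampleSecretKey))

	// the signature must verify over the URL with only the signature removed
	query := u.Query()
	signature := query.Get("signature")
	query.Del("signature")
	u.RawQuery = query.Encode()

	assert.Equal(SignEncodedPolicy(u, exampleSecretKey), signature)
}
```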