1#[cfg(test)]
2mod auth_test;
3
4use std::net::SocketAddr;
5use std::time::{Duration, SystemTime, UNIX_EPOCH};
6
7use base64::prelude::BASE64_STANDARD;
8use base64::Engine;
9use md5::{Digest, Md5};
10use ring::hmac;
11
12use crate::error::*;
13
/// Resolves the credential key for an authentication attempt.
///
/// `auth_handle` receives the `username` and `realm` presented by the client
/// and the client's `src_addr`, and returns the key bytes the caller
/// presumably uses for the message-integrity check (see [`generate_auth_key`]
/// for the derivation used by [`LongTermAuthHandler`]), or an error when the
/// credentials are not accepted.
pub trait AuthHandler {
    fn auth_handle(&self, username: &str, realm: &str, src_addr: SocketAddr) -> Result<Vec<u8>>;
}
17
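/// Generates a time-limited username/password pair for the long-term
/// credential mechanism.
///
/// The username is the credential's expiry time as seconds since the Unix
/// epoch (`now + duration`), and the password is an HMAC of that username
/// keyed with `shared_secret` (see [`long_term_credentials`]). Anyone who
/// holds `shared_secret` can mint such a pair, so the secret should be shared
/// only between the credential issuer and the verifying server.
///
/// # Errors
///
/// Returns an error if the system clock is before the Unix epoch, or if
/// `now + duration` does not fit in a [`Duration`].
pub fn generate_long_term_credentials(
    shared_secret: &str,
    duration: Duration,
) -> Result<(String, String)> {
    let now = SystemTime::now().duration_since(UNIX_EPOCH)?;
    // checked_add: a caller-supplied `duration` close to Duration::MAX must
    // surface as an error rather than a panic inside the credential issuer.
    let expiry = now.checked_add(duration).ok_or_else(|| {
        Error::Other("Credential duration overflows the expiry timestamp".to_string())
    })?;
    let username = expiry.as_secs().to_string();
    let password = long_term_credentials(&username, shared_secret);
    Ok((username, password))
}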
28
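/// Derives the password for `username` as `base64(HMAC-SHA1(shared_secret, username))`.
///
/// Both the issuing and the verifying side must use this exact derivation:
/// the password is a deterministic function of the username and the shared
/// secret, which is what lets the verifier recompute it without any per-user
/// state. HMAC-SHA1 is kept for wire compatibility with existing deployments
/// of this scheme (hence ring's `FOR_LEGACY_USE_ONLY` constant); it is still a
/// keyed MAC, not a bare SHA-1 hash, and the secret never appears in the output.
fn long_term_credentials(username: &str, shared_secret: &str) -> String {
    let key = hmac::Key::new(
        hmac::HMAC_SHA1_FOR_LEGACY_USE_ONLY,
        shared_secret.as_bytes(),
    );
    let tag = hmac::sign(&key, username.as_bytes());
    // Encode the tag bytes directly; copying them into a Vec first was a
    // needless allocation.
    BASE64_STANDARD.encode(tag.as_ref())
}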
37
/// Computes the STUN long-term credential key: MD5 of `"username:realm:password"`.
///
/// This is the key derivation of the STUN/TURN long-term credential mechanism
/// (RFC 5389 §15.4, carried forward by RFC 8489); MD5 is required here for
/// protocol compatibility and is not used as a general-purpose hash. No
/// SASLprep / OpaqueString processing is applied to `password` in this
/// function, so callers are expected to pass an already-prepared password —
/// confirm against the call sites.
pub fn generate_auth_key(username: &str, realm: &str, password: &str) -> Vec<u8> {
    let credential = format!("{username}:{realm}:{password}");
    Md5::digest(credential.as_bytes()).to_vec()
}
46
/// [`AuthHandler`] for time-limited credentials derived from a shared secret.
///
/// Holds only the secret; no per-user state is kept, because each password
/// is recomputed from the username (see [`long_term_credentials`]).
pub struct LongTermAuthHandler {
    // HMAC key shared with the credential issuer. Sensitive: it is not part
    // of this module's trace logging and should not be exposed elsewhere.
    shared_secret: String,
}
50
impl AuthHandler for LongTermAuthHandler {
    /// Validates a time-windowed `username` and returns its credential key.
    ///
    /// The username must parse as a `u64` Unix timestamp (seconds) that has
    /// not yet passed. The returned key is [`generate_auth_key`] over the
    /// password derived from `username` and the shared secret; the caller is
    /// presumably responsible for the actual integrity check against it.
    ///
    /// # Errors
    ///
    /// Fails if `username` is not a `u64`, the system clock is before the
    /// Unix epoch, or the embedded timestamp is already in the past.
    fn auth_handle(&self, username: &str, realm: &str, src_addr: SocketAddr) -> Result<Vec<u8>> {
        log::trace!("Authentication username={username} realm={realm} src_addr={src_addr}");

        // Parse before touching the clock so a malformed username is
        // rejected cheaply, with no key derivation performed.
        let expires_at = Duration::from_secs(username.parse::<u64>()?);
        let now = SystemTime::now().duration_since(UNIX_EPOCH)?;
        if expires_at < now {
            let msg = format!("Expired time-windowed username {username}");
            return Err(Error::Other(msg));
        }

        let password = long_term_credentials(username, &self.shared_secret);
        let key = generate_auth_key(username, realm, &password);
        Ok(key)
    }
}
66
impl LongTermAuthHandler {
    /// Creates a handler that derives credentials from `shared_secret`.
    ///
    /// `shared_secret` must be the same secret the credential issuer uses
    /// (for example via [`generate_long_term_credentials`]); otherwise the
    /// keys this handler derives will not match the client's.
    pub fn new(shared_secret: String) -> Self {
        Self { shared_secret }
    }
}