Add RFC 2617 qop support and fix SETUP URL handling (#58)

* Add RFC 2617 qop support and fix SETUP URL handling

* less Map.put/get

---------

Co-authored-by: George Alexander Day <georgealexanderday@proton.me>

Author: georgeday-firefly

lib/membrane_rtsp/request.ex

@@ -172,12 +172,17 @@ defmodule Membrane.RTSP.Request do
   defp apply_path(%URI{} = base_url, %__MODULE__{path: nil}), do: base_url
 
   defp apply_path(%URI{} = base_url, %__MODULE__{path: path}) do
-    URI.parse(path)
-    |> Map.get(:path)
-    |> Path.relative_to(base_url.path)
-    |> then(&Path.join(base_url.path, &1))
-    |> then(&Map.put(base_url, :path, &1))
-    |> URI.to_string()
+    %URI{} = parsed = URI.parse(path)
+
+    if parsed.host do
+      %URI{parsed | userinfo: nil} |> URI.to_string()
+    else
+      parsed.path
+      |> Path.relative_to(base_url.path)
+      |> then(&Path.join(base_url.path, &1))
+      |> then(&%URI{base_url | path: &1, query: nil})
+      |> URI.to_string()
+    end
   end
 
   defp render_headers([]), do: ""

lib/membrane_rtsp/rtsp.ex

@@ -21,7 +21,9 @@ defmodule Membrane.RTSP do
     @moduledoc false
     @type digest_opts() :: %{
             realm: String.t() | nil,
-            nonce: String.t() | nil
+            nonce: String.t() | nil,
+            qop: String.t() | nil,
+            nc: non_neg_integer()
           }
 
     @type auth() :: nil | :basic | {:digest, digest_opts()}
@@ -269,10 +271,17 @@ defmodule Membrane.RTSP do
          {:ok, state} <- handle_session_id(parsed_response, state),
          {:ok, %State{} = state} <- detect_authentication_type(parsed_response, state) do
       state = %State{state | cseq: state.cseq + 1}
+      state = increment_nc(state)
       {:ok, parsed_response, state}
     end
   end
 
+  defp increment_nc(%State{auth: {:digest, %{nc: nc} = opts}} = state) do
+    %State{state | auth: {:digest, %{opts | nc: nc + 1}}}
+  end
+
+  defp increment_nc(state), do: state
+
   @spec handle_execute_call(Request.t(), boolean(), State.t()) ::
           {:reply, Response.result(), State.t()}
   defp handle_execute_call(request, retry, state) do
@@ -311,6 +320,11 @@ defmodule Membrane.RTSP do
     encoded_uri = Request.process_uri(request, uri)
     ha1 = md5([username, options.realm, password])
     ha2 = md5([request.method, encoded_uri])
+
+    encode_digest_auth(username, encoded_uri, ha1, ha2, options)
+  end
+
+  defp encode_digest_auth(username, encoded_uri, ha1, ha2, %{qop: nil} = options) do
     response = md5([ha1, options.nonce, ha2])
 
     Enum.join(
@@ -326,6 +340,29 @@ defmodule Membrane.RTSP do
     )
   end
 
+  defp encode_digest_auth(username, encoded_uri, ha1, ha2, %{qop: qop} = options) do
+    nc = options[:nc] || 1
+    nc_hex = :io_lib.format("~8.16.0b", [nc]) |> IO.iodata_to_binary()
+    cnonce = :crypto.strong_rand_bytes(8) |> Base.encode16(case: :lower)
+    response = md5([ha1, options.nonce, nc_hex, cnonce, qop, ha2])
+
+    "Digest " <>
+      Enum.join(
+        [
+          ~s(username="#{username}"),
+          ~s(realm="#{options.realm}"),
+          ~s(nonce="#{options.nonce}"),
+          ~s(uri="#{encoded_uri}"),
+          ~s(response="#{response}"),
+          ~s(algorithm=MD5),
+          ~s(qop=#{qop}),
+          ~s(nc=#{nc_hex}),
+          ~s(cnonce="#{cnonce}")
+        ],
+        ","
+      )
+  end
+
   @spec md5([String.t()]) :: String.t()
   defp md5(value) do
     value
@@ -359,7 +396,14 @@ defmodule Membrane.RTSP do
     with {:ok, "Digest " <> digest} <- Response.get_header(response, "WWW-Authenticate") do
       [_match, nonce] = Regex.run(~r/nonce=\"(?<nonce>.*)\"/U, digest)
       [_match, realm] = Regex.run(~r/realm=\"(?<realm>.*)\"/U, digest)
-      auth_options = {:digest, %{nonce: nonce, realm: realm}}
+
+      qop =
+        case Regex.run(~r/qop=\"?([^",]+)\"?/, digest) do
+          [_match, qop_value] -> qop_value
+          nil -> nil
+        end
+
+      auth_options = {:digest, %{nonce: nonce, realm: realm, qop: qop, nc: 1}}
       {:ok, %{state | auth: auth_options}}
     else
       # non digest auth?

test/membrane_rtsp/request_test.exs

@@ -43,6 +43,62 @@ defmodule Membrane.RTSP.RequestTest do
                Factory.SampleOptionsRequest.request()
                |> Request.stringify(Factory.SampleOptionsRequest.url())
     end
+
+    test "strips query string from base URI when path is relative" do
+      # VIVOTEK cameras include query params in stream URI that should not appear in SETUP
+      uri = "rtsp://192.168.1.196:554/media2/stream.sdp?profile=Profile200"
+
+      expected_result = """
+      SETUP rtsp://192.168.1.196:554/media2/stream.sdp/trackID=2 RTSP/1.0
+      CSeq: 4
+      Transport: RTP/AVP;unicast;client_port=57614-57615
+      """
+
+      %Request{
+        method: "SETUP",
+        headers: [{"CSeq", "4"}, {"Transport", "RTP/AVP;unicast;client_port=57614-57615"}],
+        path: "trackID=2"
+      }
+      |> assert_rendered_request(expected_result, uri)
+    end
+
+    test "uses absolute URL directly when path is absolute (RFC 2326)" do
+      # Bosch cameras return absolute control URLs in SDP
+      base_uri = "rtsp://192.168.1.44:554/rtsp_tunnel"
+
+      absolute_control =
+        "rtsp://192.168.1.44:554/rtsp_tunnel?p=0&line=1&inst=1&vcd=2&stream=video"
+
+      expected_result = """
+      SETUP rtsp://192.168.1.44:554/rtsp_tunnel?p=0&line=1&inst=1&vcd=2&stream=video RTSP/1.0
+      CSeq: 4
+      Transport: RTP/AVP;unicast;client_port=57614-57615
+      """
+
+      %Request{
+        method: "SETUP",
+        headers: [{"CSeq", "4"}, {"Transport", "RTP/AVP;unicast;client_port=57614-57615"}],
+        path: absolute_control
+      }
+      |> assert_rendered_request(expected_result, base_uri)
+    end
+
+    test "strips userinfo from absolute control URL" do
+      # Absolute URLs should not leak credentials
+      base_uri = "rtsp://user:pass@192.168.1.44:554/rtsp_tunnel"
+      absolute_control = "rtsp://user:pass@192.168.1.44:554/rtsp_tunnel?p=0&stream=video"
+
+      request = %Request{
+        method: "SETUP",
+        headers: [],
+        path: absolute_control
+      }
+
+      result = Request.stringify(request, URI.parse(base_uri))
+
+      refute String.contains?(result, "user:pass")
+      assert String.contains?(result, "rtsp://192.168.1.44:554/rtsp_tunnel?p=0&stream=video")
+    end
   end
 
   defp assert_rendered_request(request, expected_result, uri_string) do

test/membrane_rtsp/session/session_logic_test.exs

@@ -139,10 +139,35 @@ defmodule Membrane.RTSP.SessionLogicTest do
 
     assert {:reply, {:ok, _response}, state} = RTSP.handle_call({:execute, request}, nil, state)
 
-    assert state.auth == {:digest, %{nonce: "nonce", realm: "realm"}}
+    assert state.auth == {:digest, %{nonce: "nonce", realm: "realm", qop: nil, nc: 2}}
   end
 
-  test "digest auth", %{state: %State{} = state, request: request} do
+  test "add digest information with qop in the state (RFC 2617)", %{
+    state: state,
+    request: request
+  } do
+    mock(:gen_tcp, [send: 2], fn _socket, _request ->
+      {:ok,
+       "RTSP/1.0 200 OK\r\nWWW-Authenticate: Digest realm=\"VIVOTEK\", nonce=\"abc123\", qop=\"auth\"\r\n\r\n"}
+    end)
+
+    assert {:reply, {:ok, _response}, state} = RTSP.handle_call({:execute, request}, nil, state)
+
+    assert state.auth == {:digest, %{nonce: "abc123", realm: "VIVOTEK", qop: "auth", nc: 2}}
+  end
+
+  test "add digest information with unquoted qop", %{state: state, request: request} do
+    mock(:gen_tcp, [send: 2], fn _socket, _request ->
+      {:ok,
+       "RTSP/1.0 200 OK\r\nWWW-Authenticate: Digest realm=\"test\", nonce=\"xyz\", qop=auth\r\n\r\n"}
+    end)
+
+    assert {:reply, {:ok, _response}, state} = RTSP.handle_call({:execute, request}, nil, state)
+
+    assert state.auth == {:digest, %{nonce: "xyz", realm: "test", qop: "auth", nc: 2}}
+  end
+
+  test "digest auth without qop (RFC 2069)", %{state: %State{} = state, request: request} do
     credentials = "login:password"
 
     mock(:gen_tcp, [send: 2], fn _socket, serialized_request ->
@@ -155,13 +180,42 @@ defmodule Membrane.RTSP.SessionLogicTest do
     end)
 
     parsed_uri = URI.parse("rtsp://#{credentials}@localhost:5554/vod/mp4:name.mov")
-    digest_auth_options = {:digest, %{nonce: "nonce", realm: "realm"}}
+    digest_auth_options = {:digest, %{nonce: "nonce", realm: "realm", qop: nil, nc: 1}}
 
     state = %State{state | uri: parsed_uri, auth: digest_auth_options}
 
     assert {:reply, {:ok, _response}, _state} = RTSP.handle_call({:execute, request}, nil, state)
   end
 
+  test "digest auth with qop (RFC 2617)", %{state: %State{} = state, request: request} do
+    credentials = "login:password"
+
+    mock(:gen_tcp, [send: 2], fn _socket, serialized_request ->
+      # QOP auth includes: algorithm, qop, nc (8-digit hex), cnonce
+      assert String.contains?(serialized_request, "Authorization: Digest ")
+      assert String.contains?(serialized_request, "username=\"login\"")
+      assert String.contains?(serialized_request, "realm=\"realm\"")
+      assert String.contains?(serialized_request, "nonce=\"nonce\"")
+      assert String.contains?(serialized_request, "algorithm=MD5")
+      assert String.contains?(serialized_request, "qop=auth")
+      assert String.contains?(serialized_request, "nc=00000001")
+      assert String.contains?(serialized_request, "cnonce=")
+
+      mock_response(serialized_request)
+    end)
+
+    parsed_uri = URI.parse("rtsp://#{credentials}@localhost:5554/vod/mp4:name.mov")
+    digest_auth_options = {:digest, %{nonce: "nonce", realm: "realm", qop: "auth", nc: 1}}
+
+    state = %State{state | uri: parsed_uri, auth: digest_auth_options}
+
+    assert {:reply, {:ok, _response}, new_state} =
+             RTSP.handle_call({:execute, request}, nil, state)
+
+    # nc should increment after successful request
+    assert {:digest, %{nc: 2}} = new_state.auth
+  end
+
   defp mock_response(request) do
     [_line, rest] = String.split(request, "\r\n", parts: 2)
     {:ok, @response_header <> rest}