Rooba
/
mitmproxy
mirror of https://github.com/mitmproxy/mitmproxy.git
1
1
Fork 0
Code Issues Packages Projects Releases Wiki Activity

adding some simple authetication code to limit proxy access

This commit is contained in:
israel 2012-12-30 01:41:58 -08:00
parent 935505bc4f
commit 440a9f6bda
4 changed files with 99 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
libmproxy/authentication.py
View File

@ -27,18 +27,14 @@ class BasicProxyAuth(NullProxyAuth):
def authenticate(self, auth_value): def authenticate(self, auth_value):
if (not auth_value) or (not auth_value[0]): if (not auth_value) or (not auth_value[0]):
print "ROULI: no auth specified"
return False; return False;
try: try:
scheme, username, password = self.parse_authorization_header(auth_value[0]) scheme, username, password = self.parse_authorization_header(auth_value[0])
except: except:
print "ROULI: Malformed Proxy-Authorization header"
return False return False
if scheme.lower()!='basic': if scheme.lower()!='basic':
print "ROULI: Unexpected Authorization scheme"
return False return False
if not self.password_manager.test(username, password): if not self.password_manager.test(username, password):
print "ROULI: authorization failed!"
return False return False
self.username = username self.username = username
return True return True
@ -47,12 +43,9 @@ class BasicProxyAuth(NullProxyAuth):
return {'Proxy-Authenticate':'Basic realm="%s"'%self.realm} return {'Proxy-Authenticate':'Basic realm="%s"'%self.realm}
def parse_authorization_header(self, auth_value): def parse_authorization_header(self, auth_value):
print "ROULI: ", auth_value
words = auth_value.split() words = auth_value.split()
print "ROULI basic auth: ", words
scheme = words[0] scheme = words[0]
user = binascii.a2b_base64(words[1]) user = binascii.a2b_base64(words[1])
print "ROULI basic auth user: ", user
username, password = user.split(':') username, password = user.split(':')
return scheme, username, password return scheme, username, password
@ -85,12 +78,10 @@ class HtpasswdPasswordManager(PasswordManager):
def test(self, username, password_token): def test(self, username, password_token):
if username not in self.usernames: if username not in self.usernames:
print "ROULI: username not in db"
return False return False
full_token = self.usernames[username] full_token = self.usernames[username]
dummy, magic, salt, hashed_password = full_token.split('$') dummy, magic, salt, hashed_password = full_token.split('$')
expected = md5crypt.md5crypt(password_token, salt, '$'+magic+'$') expected = md5crypt.md5crypt(password_token, salt, '$'+magic+'$')
print "ROULI: password", binascii.hexlify(expected), binascii.hexlify(full_token), expected==full_token
return expected==full_token return expected==full_token
class SingleUserPasswordManager(PasswordManager): class SingleUserPasswordManager(PasswordManager):

48
libmproxy/cmdline.py
View File

@ -15,7 +15,7 @@
import proxy import proxy
import re, filt import re, filt
import argparse
class ParseException(Exception): pass class ParseException(Exception): pass
class OptionException(Exception): pass class OptionException(Exception): pass
@ -334,4 +334,50 @@ def common_options(parser):
help="Header set pattern." help="Header set pattern."
) )
group = parser.add_argument_group(
"Proxy Authentication",
"""
Specification of which users are allowed to access the proxy and the method used for authenticating them.
If authscheme is specified, one must specify a list of authorized users and their passwords.
In case that authscheme is not specified, or set to None, any list of authorized users will be ignored.
""".strip()
)
group.add_argument(
"--authscheme", type=str,
action="store", dest="authscheme", default=None, choices=["none", "basic"],
help="""
Specify the scheme used by the proxy to identify users.
If not none, requires the specification of a list of authorized users.
This option is ignored if the proxy is in transparent or reverse mode.
""".strip()
)
user_specification_group = group.add_mutually_exclusive_group()
user_specification_group.add_argument(
"--nonanonymous",
action="store_true", dest="auth_nonanonymous",
help="Allow access to any user as long as a username is specified. Ignores the provided password."
)
user_specification_group.add_argument(
"--singleuser",
action="store", dest="auth_singleuser", type=str,
help="Allows access to a single user as specified by the option value. Specify a username and password in the form username:password."
)
user_specification_group.add_argument(
"--htpasswd",
action="store", dest="auth_htpasswd", type=argparse.FileType('r'),
help="Allow access to users specified in an Apache htpasswd file."
)
proxy.certificate_option_group(parser) proxy.certificate_option_group(parser)

1
libmproxy/contrib/README
View File

@ -11,4 +11,5 @@ jsbeautifier, git checkout 25/03/12, MIT license
html2text, git checkout 18/08/12, GPLv3 html2text, git checkout 18/08/12, GPLv3
md5crypt, PSF license, http://code.activestate.com/recipes/325204/

79
libmproxy/proxy.py
View File

@ -18,16 +18,18 @@ import SocketServer
from OpenSSL import SSL from OpenSSL import SSL
from netlib import odict, tcp, http, wsgi, certutils, http_status from netlib import odict, tcp, http, wsgi, certutils, http_status
import utils, flow, version, platform, controller import utils, flow, version, platform, controller
import authentication
class ProxyError(Exception): class ProxyError(Exception):
def __init__(self, code, msg): def __init__(self, code, msg, headers=None):
self.code, self.msg = code, msg self.code, self.msg, self.headers = code, msg, headers
def __str__(self): def __str__(self):
return "ProxyError(%s, %s)"%(self.code, self.msg) return "ProxyError(%s, %s)"%(self.code, self.msg)
class Log(controller.Msg): class Log(controller.Msg):
def __init__(self, msg): def __init__(self, msg):
controller.Msg.__init__(self) controller.Msg.__init__(self)
@ -36,7 +38,7 @@ class Log(controller.Msg):
class ProxyConfig: class ProxyConfig:
def __init__(self, certfile = None, cacert = None, clientcerts = None, cert_wait_time=0, no_upstream_cert=False, body_size_limit = None, reverse_proxy=None, transparent_proxy=None, certdir = None): def __init__(self, certfile = None, cacert = None, clientcerts = None, cert_wait_time=0, no_upstream_cert=False, body_size_limit = None, reverse_proxy=None, transparent_proxy=None, certdir = None, authenticator=None):
assert not (reverse_proxy and transparent_proxy) assert not (reverse_proxy and transparent_proxy)
self.certfile = certfile self.certfile = certfile
self.cacert = cacert self.cacert = cacert
@ -47,7 +49,7 @@ class ProxyConfig:
self.body_size_limit = body_size_limit self.body_size_limit = body_size_limit
self.reverse_proxy = reverse_proxy self.reverse_proxy = reverse_proxy
self.transparent_proxy = transparent_proxy self.transparent_proxy = transparent_proxy
self.authenticator = authenticator
class RequestReplayThread(threading.Thread): class RequestReplayThread(threading.Thread):
def __init__(self, config, flow, masterq): def __init__(self, config, flow, masterq):
@ -217,7 +219,7 @@ class ProxyHandler(tcp.BaseHandler):
self.log(cc, cc.error) self.log(cc, cc.error)
if isinstance(e, ProxyError): if isinstance(e, ProxyError):
self.send_error(e.code, e.msg) self.send_error(e.code, e.msg, e.headers)
else: else:
return True return True
@ -283,9 +285,7 @@ class ProxyHandler(tcp.BaseHandler):
if not r: if not r:
raise ProxyError(400, "Bad HTTP request line: %s"%repr(line)) raise ProxyError(400, "Bad HTTP request line: %s"%repr(line))
method, path, httpversion = r method, path, httpversion = r
headers = http.read_headers(self.rfile) headers = self.read_headers(authenticate=False)
if headers is None:
raise ProxyError(400, "Invalid headers")
content = http.read_http_body_request( content = http.read_http_body_request(
self.rfile, self.wfile, headers, httpversion, self.config.body_size_limit self.rfile, self.wfile, headers, httpversion, self.config.body_size_limit
) )
@ -299,9 +299,7 @@ class ProxyHandler(tcp.BaseHandler):
if not r: if not r:
raise ProxyError(400, "Bad HTTP request line: %s"%repr(line)) raise ProxyError(400, "Bad HTTP request line: %s"%repr(line))
method, path, httpversion = r method, path, httpversion = r
headers = http.read_headers(self.rfile) headers = self.read_headers(authenticate=False)
if headers is None:
raise ProxyError(400, "Invalid headers")
content = http.read_http_body_request( content = http.read_http_body_request(
self.rfile, self.wfile, headers, httpversion, self.config.body_size_limit self.rfile, self.wfile, headers, httpversion, self.config.body_size_limit
) )
@ -315,12 +313,9 @@ class ProxyHandler(tcp.BaseHandler):
if not r: if not r:
raise ProxyError(400, "Bad HTTP request line: %s"%repr(line)) raise ProxyError(400, "Bad HTTP request line: %s"%repr(line))
host, port, httpversion = r host, port, httpversion = r
# FIXME: Discard additional headers sent to the proxy. Should I expose
# these to users? headers = self.read_headers(authenticate=True)
while 1:
d = self.rfile.readline()
if d == '\r\n' or d == '\n':
break
self.wfile.write( self.wfile.write(
'HTTP/1.1 200 Connection established\r\n' + 'HTTP/1.1 200 Connection established\r\n' +
('Proxy-agent: %s\r\n'%self.server_version) + ('Proxy-agent: %s\r\n'%self.server_version) +
@ -340,9 +335,8 @@ class ProxyHandler(tcp.BaseHandler):
if not r: if not r:
raise ProxyError(400, "Bad HTTP request line: %s"%repr(line)) raise ProxyError(400, "Bad HTTP request line: %s"%repr(line))
method, path, httpversion = r method, path, httpversion = r
headers = http.read_headers(self.rfile) headers = self.read_headers(authenticate=False)
if headers is None:
raise ProxyError(400, "Invalid headers")
content = http.read_http_body_request( content = http.read_http_body_request(
self.rfile, self.wfile, headers, httpversion, self.config.body_size_limit self.rfile, self.wfile, headers, httpversion, self.config.body_size_limit
) )
@ -352,14 +346,20 @@ class ProxyHandler(tcp.BaseHandler):
if not r: if not r:
raise ProxyError(400, "Bad HTTP request line: %s"%repr(line)) raise ProxyError(400, "Bad HTTP request line: %s"%repr(line))
method, scheme, host, port, path, httpversion = http.parse_init_proxy(line) method, scheme, host, port, path, httpversion = http.parse_init_proxy(line)
headers = http.read_headers(self.rfile) headers = self.read_headers(authenticate=True)
if headers is None:
raise ProxyError(400, "Invalid headers")
content = http.read_http_body_request( content = http.read_http_body_request(
self.rfile, self.wfile, headers, httpversion, self.config.body_size_limit self.rfile, self.wfile, headers, httpversion, self.config.body_size_limit
) )
return flow.Request(client_conn, httpversion, host, port, scheme, method, path, headers, content) return flow.Request(client_conn, httpversion, host, port, scheme, method, path, headers, content)
def read_headers(self, authenticate=False):
headers = http.read_headers(self.rfile)
if headers is None:
raise ProxyError(400, "Invalid headers")
if authenticate and self.config.authenticator and not self.config.authenticator.authenticate(headers.get('Proxy-Authorization', [])):
raise ProxyError(407, "Proxy Authentication Required", self.config.authenticator.auth_challenge_headers())
return headers
def send_response(self, response): def send_response(self, response):
d = response._assemble() d = response._assemble()
if not d: if not d:
@ -367,16 +367,19 @@ class ProxyHandler(tcp.BaseHandler):
self.wfile.write(d) self.wfile.write(d)
self.wfile.flush() self.wfile.flush()
def send_error(self, code, body): def send_error(self, code, body, headers):
try: try:
response = http_status.RESPONSES.get(code, "Unknown") response = http_status.RESPONSES.get(code, "Unknown")
html_content = '<html><head>\n<title>%d %s</title>\n</head>\n<body>\n%s\n</body>\n</html>'%(code, response, body)
self.wfile.write("HTTP/1.1 %s %s\r\n" % (code, response)) self.wfile.write("HTTP/1.1 %s %s\r\n" % (code, response))
self.wfile.write("Server: %s\r\n"%self.server_version) self.wfile.write("Server: %s\r\n"%self.server_version)
self.wfile.write("Connection: close\r\n")
self.wfile.write("Content-type: text/html\r\n") self.wfile.write("Content-type: text/html\r\n")
self.wfile.write("Content-Length: %d\r\n"%len(html_content))
for key, value in headers.items():
self.wfile.write("%s: %s\r\n"%(key, value))
self.wfile.write("Connection: close\r\n")
self.wfile.write("\r\n") self.wfile.write("\r\n")
self.wfile.write('<html><head>\n<title>%d %s</title>\n</head>\n' self.wfile.write(html_content)
'<body>\n%s\n</body>\n</html>' % (code, response, body))
self.wfile.flush() self.wfile.flush()
except: except:
pass pass
@ -531,6 +534,25 @@ def process_proxy_options(parser, options):
if not os.path.exists(options.certdir) or not os.path.isdir(options.certdir): if not os.path.exists(options.certdir) or not os.path.isdir(options.certdir):
parser.error("Dummy cert directory does not exist or is not a directory: %s"%options.certdir) parser.error("Dummy cert directory does not exist or is not a directory: %s"%options.certdir)
if options.authscheme and (options.authscheme!='none'):
if not (options.auth_nonanonymous or options.auth_singleuser or options.auth_htpasswd):
parser.error("Proxy authentication scheme is specified, but no allowed user list is given.")
if options.auth_singleuser and len(options.auth_singleuser.split(':'))!=2:
parser.error("Authorized user is not given in correct format username:password")
if options.auth_nonanonymous:
password_manager = authentication.PermissivePasswordManager()
elif options.auth_singleuser:
username, password = options.auth_singleuser.split(':')
password_manager = authentication.SingleUserPasswordManager(username, password)
elif options.auth_htpasswd:
password_manager = authentication.HtpasswdPasswordManager(options.auth_htpasswd)
# in the meanwhile, basic auth is the only true authentication scheme we support
# so just use it
authenticator = authentication.BasicProxyAuth(password_manager)
else:
authenticator = authentication.NullProxyAuth(None)
return ProxyConfig( return ProxyConfig(
certfile = options.cert, certfile = options.cert,
cacert = cacert, cacert = cacert,
@ -540,5 +562,6 @@ def process_proxy_options(parser, options):
no_upstream_cert = options.no_upstream_cert, no_upstream_cert = options.no_upstream_cert,
reverse_proxy = rp, reverse_proxy = rp,
transparent_proxy = trans, transparent_proxy = trans,
certdir = options.certdir certdir = options.certdir,
authenticator = authenticator
) )