adding some simple authetication code to limit proxy access

2012-12-30 01:41:58 -08:00 · 2012-12-30 01:41:58 -08:00 · 440a9f6bda
parent 935505bc4f
commit 440a9f6bda
4 changed files with 99 additions and 38 deletions
--- a/libmproxy/authentication.py
+++ b/libmproxy/authentication.py
@ -27,18 +27,14 @@ class BasicProxyAuth(NullProxyAuth):

    def authenticate(self, auth_value):
        if (not auth_value) or (not auth_value[0]):
-            print "ROULI: no auth specified"
            return False;
        try:
            scheme, username, password = self.parse_authorization_header(auth_value[0])
        except:
-            print "ROULI: Malformed Proxy-Authorization header"
            return False
        if scheme.lower()!='basic':
-            print "ROULI: Unexpected Authorization scheme"
            return False
        if not self.password_manager.test(username, password):
-            print "ROULI: authorization failed!"
            return False
        self.username = username
        return True
@ -47,12 +43,9 @@ class BasicProxyAuth(NullProxyAuth):
        return {'Proxy-Authenticate':'Basic realm="%s"'%self.realm}

    def parse_authorization_header(self, auth_value):
-        print "ROULI: ", auth_value
        words = auth_value.split()
-        print "ROULI basic auth: ", words
        scheme = words[0]
        user = binascii.a2b_base64(words[1])
-        print "ROULI basic auth user: ", user
        username, password = user.split(':')
        return scheme, username, password

@ -85,12 +78,10 @@ class HtpasswdPasswordManager(PasswordManager):

    def test(self, username, password_token):
        if username not in self.usernames:
-            print "ROULI: username not in db"
            return False
        full_token = self.usernames[username]
        dummy, magic, salt, hashed_password = full_token.split('$')
        expected = md5crypt.md5crypt(password_token, salt, '$'+magic+'$')
-        print "ROULI: password", binascii.hexlify(expected), binascii.hexlify(full_token), expected==full_token
        return expected==full_token

 class SingleUserPasswordManager(PasswordManager):
--- a/libmproxy/cmdline.py
+++ b/libmproxy/cmdline.py
@ -15,7 +15,7 @@

 import proxy
 import re, filt
-
+import argparse

 class ParseException(Exception): pass
 class OptionException(Exception): pass
@ -334,4 +334,50 @@ def common_options(parser):
        help="Header set pattern."
    )

+
+    group = parser.add_argument_group(
+        "Proxy Authentication",
+        """
+            Specification of which users are allowed to access the proxy and the method used for authenticating them.
+            If authscheme is specified, one must specify a list of authorized users and their passwords.
+            In case that authscheme is not specified, or set to None, any list of authorized users will be ignored.
+        """.strip()
+    )
+
+    group.add_argument(
+        "--authscheme", type=str,
+        action="store", dest="authscheme", default=None, choices=["none", "basic"],
+        help="""
+            Specify the scheme used by the proxy to identify users.
+            If not none, requires the specification of a list of authorized users.
+            This option is ignored if the proxy is in transparent or reverse mode.
+            """.strip()
+
+    )
+
+    user_specification_group = group.add_mutually_exclusive_group()
+
+
+    user_specification_group.add_argument(
+        "--nonanonymous",
+        action="store_true", dest="auth_nonanonymous",
+        help="Allow access to any user as long as a username is specified. Ignores the provided password."
+    )
+
+    user_specification_group.add_argument(
+        "--singleuser",
+        action="store", dest="auth_singleuser", type=str,
+        help="Allows access to a single user as specified by the option value. Specify a username and password in the form username:password."
+    )
+
+    user_specification_group.add_argument(
+        "--htpasswd",
+        action="store", dest="auth_htpasswd", type=argparse.FileType('r'),
+        help="Allow access to users specified in an Apache htpasswd file."
+    )
+
+
+
+
+
    proxy.certificate_option_group(parser)
--- a/libmproxy/contrib/README
+++ b/libmproxy/contrib/README
@ -11,4 +11,5 @@ jsbeautifier, git checkout 25/03/12, MIT license

 html2text, git checkout 18/08/12, GPLv3

+md5crypt, PSF license, http://code.activestate.com/recipes/325204/

--- a/libmproxy/proxy.py
+++ b/libmproxy/proxy.py
@ -18,16 +18,18 @@ import SocketServer
 from OpenSSL import SSL
 from netlib import odict, tcp, http, wsgi, certutils, http_status
 import utils, flow, version, platform, controller
+import authentication


 class ProxyError(Exception):
-    def __init__(self, code, msg):
-        self.code, self.msg = code, msg
+    def __init__(self, code, msg, headers=None):
+        self.code, self.msg, self.headers = code, msg, headers

    def __str__(self):
        return "ProxyError(%s, %s)"%(self.code, self.msg)


+
 class Log(controller.Msg):
    def __init__(self, msg):
        controller.Msg.__init__(self)
@ -36,7 +38,7 @@ class Log(controller.Msg):


 class ProxyConfig:
-    def __init__(self, certfile = None, cacert = None, clientcerts = None, cert_wait_time=0, no_upstream_cert=False, body_size_limit = None, reverse_proxy=None, transparent_proxy=None, certdir = None):
+    def __init__(self, certfile = None, cacert = None, clientcerts = None, cert_wait_time=0, no_upstream_cert=False, body_size_limit = None, reverse_proxy=None, transparent_proxy=None, certdir = None, authenticator=None):
        assert not (reverse_proxy and transparent_proxy)
        self.certfile = certfile
        self.cacert = cacert
@ -47,7 +49,7 @@ class ProxyConfig:
        self.body_size_limit = body_size_limit
        self.reverse_proxy = reverse_proxy
        self.transparent_proxy = transparent_proxy
-
+        self.authenticator = authenticator

 class RequestReplayThread(threading.Thread):
    def __init__(self, config, flow, masterq):
@ -217,7 +219,7 @@ class ProxyHandler(tcp.BaseHandler):
                self.log(cc, cc.error)

            if isinstance(e, ProxyError):
-                self.send_error(e.code, e.msg)
+                self.send_error(e.code, e.msg, e.headers)
        else:
            return True

@ -283,9 +285,7 @@ class ProxyHandler(tcp.BaseHandler):
            if not r:
                raise ProxyError(400, "Bad HTTP request line: %s"%repr(line))
            method, path, httpversion = r
-            headers = http.read_headers(self.rfile)
-            if headers is None:
-                raise ProxyError(400, "Invalid headers")
+            headers = self.read_headers(authenticate=False)
            content = http.read_http_body_request(
                        self.rfile, self.wfile, headers, httpversion, self.config.body_size_limit
                    )
@ -299,9 +299,7 @@ class ProxyHandler(tcp.BaseHandler):
            if not r:
                raise ProxyError(400, "Bad HTTP request line: %s"%repr(line))
            method, path, httpversion = r
-            headers = http.read_headers(self.rfile)
-            if headers is None:
-                raise ProxyError(400, "Invalid headers")
+            headers = self.read_headers(authenticate=False)
            content = http.read_http_body_request(
                        self.rfile, self.wfile, headers, httpversion, self.config.body_size_limit
                    )
@ -315,12 +313,9 @@ class ProxyHandler(tcp.BaseHandler):
                if not r:
                    raise ProxyError(400, "Bad HTTP request line: %s"%repr(line))
                host, port, httpversion = r
-                # FIXME: Discard additional headers sent to the proxy. Should I expose
-                # these to users?
-                while 1:
-                    d = self.rfile.readline()
-                    if d == '\r\n' or d == '\n':
-                        break
+
+                headers = self.read_headers(authenticate=True)
+
                self.wfile.write(
                            'HTTP/1.1 200 Connection established\r\n' +
                            ('Proxy-agent: %s\r\n'%self.server_version) +
@ -340,9 +335,8 @@ class ProxyHandler(tcp.BaseHandler):
                if not r:
                    raise ProxyError(400, "Bad HTTP request line: %s"%repr(line))
                method, path, httpversion = r
-                headers = http.read_headers(self.rfile)
-                if headers is None:
-                    raise ProxyError(400, "Invalid headers")
+                headers = self.read_headers(authenticate=False)
+
                content = http.read_http_body_request(
                    self.rfile, self.wfile, headers, httpversion, self.config.body_size_limit
                )
@ -352,14 +346,20 @@ class ProxyHandler(tcp.BaseHandler):
                if not r:
                    raise ProxyError(400, "Bad HTTP request line: %s"%repr(line))
                method, scheme, host, port, path, httpversion = http.parse_init_proxy(line)
-                headers = http.read_headers(self.rfile)
-                if headers is None:
-                    raise ProxyError(400, "Invalid headers")
+                headers = self.read_headers(authenticate=True)
                content = http.read_http_body_request(
                    self.rfile, self.wfile, headers, httpversion, self.config.body_size_limit
                )
                return flow.Request(client_conn, httpversion, host, port, scheme, method, path, headers, content)

+    def read_headers(self, authenticate=False):
+        headers = http.read_headers(self.rfile)
+        if headers is None:
+            raise ProxyError(400, "Invalid headers")
+        if authenticate and self.config.authenticator and not self.config.authenticator.authenticate(headers.get('Proxy-Authorization', [])):
+            raise ProxyError(407, "Proxy Authentication Required", self.config.authenticator.auth_challenge_headers())
+        return headers
+
    def send_response(self, response):
        d = response._assemble()
        if not d:
@ -367,16 +367,19 @@ class ProxyHandler(tcp.BaseHandler):
        self.wfile.write(d)
        self.wfile.flush()

-    def send_error(self, code, body):
+    def send_error(self, code, body, headers):
        try:
            response = http_status.RESPONSES.get(code, "Unknown")
+            html_content = '<html><head>\n<title>%d %s</title>\n</head>\n<body>\n%s\n</body>\n</html>'%(code, response, body)
            self.wfile.write("HTTP/1.1 %s %s\r\n" % (code, response))
            self.wfile.write("Server: %s\r\n"%self.server_version)
-            self.wfile.write("Connection: close\r\n")
            self.wfile.write("Content-type: text/html\r\n")
+            self.wfile.write("Content-Length: %d\r\n"%len(html_content))
+            for key, value in headers.items():
+                self.wfile.write("%s: %s\r\n"%(key, value))
+            self.wfile.write("Connection: close\r\n")
            self.wfile.write("\r\n")
-            self.wfile.write('<html><head>\n<title>%d %s</title>\n</head>\n'
-                    '<body>\n%s\n</body>\n</html>' % (code, response, body))
+            self.wfile.write(html_content)
            self.wfile.flush()
        except:
            pass
@ -531,6 +534,25 @@ def process_proxy_options(parser, options):
        if not os.path.exists(options.certdir) or not os.path.isdir(options.certdir):
            parser.error("Dummy cert directory does not exist or is not a directory: %s"%options.certdir)

+    if options.authscheme and (options.authscheme!='none'):
+        if not (options.auth_nonanonymous or options.auth_singleuser or options.auth_htpasswd):
+            parser.error("Proxy authentication scheme is specified, but no allowed user list is given.")
+        if options.auth_singleuser and len(options.auth_singleuser.split(':'))!=2:
+            parser.error("Authorized user is not given in correct format username:password")
+        if options.auth_nonanonymous:
+            password_manager = authentication.PermissivePasswordManager()
+        elif options.auth_singleuser:
+            username, password = options.auth_singleuser.split(':')
+            password_manager = authentication.SingleUserPasswordManager(username, password)
+        elif options.auth_htpasswd:
+            password_manager = authentication.HtpasswdPasswordManager(options.auth_htpasswd)
+        # in the meanwhile, basic auth is the only true authentication scheme we support
+        # so just use it
+        authenticator = authentication.BasicProxyAuth(password_manager)
+    else:
+        authenticator = authentication.NullProxyAuth(None)
+
+
    return ProxyConfig(
        certfile = options.cert,
        cacert = cacert,
@ -540,5 +562,6 @@ def process_proxy_options(parser, options):
        no_upstream_cert = options.no_upstream_cert,
        reverse_proxy = rp,
        transparent_proxy = trans,
-        certdir = options.certdir
+        certdir = options.certdir,
+        authenticator = authenticator
    )