Rooba
/
mitmproxy
mirror of https://github.com/mitmproxy/mitmproxy.git
1
1
Fork 0
Code Issues Packages Projects Releases Wiki Activity

adding some simple authetication code to limit proxy access

This commit is contained in:
israel 2012-12-30 01:24:30 -08:00
parent 3c8dcf8808
commit 935505bc4f
2 changed files with 198 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

104
libmproxy/authentication.py Normal file
View File

@ -0,0 +1,104 @@
import binascii
import contrib.md5crypt as md5crypt
class NullProxyAuth():
""" No proxy auth at all (returns empty challange headers) """
def __init__(self, password_manager=None):
self.password_manager = password_manager
self.username = ""
def authenticate(self, auth_value):
""" Tests that the specified user is allowed to use the proxy (stub) """
return True
def auth_challenge_headers(self):
""" Returns a dictionary containing the headers require to challenge the user """
return {}
def get_username(self):
return self.username
class BasicProxyAuth(NullProxyAuth):
def __init__(self, password_manager, realm="mitmproxy"):
NullProxyAuth.__init__(self, password_manager)
self.realm = "mitmproxy"
def authenticate(self, auth_value):
if (not auth_value) or (not auth_value[0]):
print "ROULI: no auth specified"
return False;
try:
scheme, username, password = self.parse_authorization_header(auth_value[0])
except:
print "ROULI: Malformed Proxy-Authorization header"
return False
if scheme.lower()!='basic':
print "ROULI: Unexpected Authorization scheme"
return False
if not self.password_manager.test(username, password):
print "ROULI: authorization failed!"
return False
self.username = username
return True
def auth_challenge_headers(self):
return {'Proxy-Authenticate':'Basic realm="%s"'%self.realm}
def parse_authorization_header(self, auth_value):
print "ROULI: ", auth_value
words = auth_value.split()
print "ROULI basic auth: ", words
scheme = words[0]
user = binascii.a2b_base64(words[1])
print "ROULI basic auth user: ", user
username, password = user.split(':')
return scheme, username, password
class PasswordManager():
def __init__(self):
pass
def test(self, username, password_token):
return False
class PermissivePasswordManager(PasswordManager):
def __init__(self):
PasswordManager.__init__(self)
def test(self, username, password_token):
if username:
return True
return False
class HtpasswdPasswordManager(PasswordManager):
""" Read usernames and passwords from a file created by Apache htpasswd"""
def __init__(self, filehandle):
PasswordManager.__init__(self)
entries = (line.strip().split(':') for line in filehandle)
valid_entries = (entry for entry in entries if len(entry)==2)
self.usernames = {username:token for username,token in valid_entries}
def test(self, username, password_token):
if username not in self.usernames:
print "ROULI: username not in db"
return False
full_token = self.usernames[username]
dummy, magic, salt, hashed_password = full_token.split('$')
expected = md5crypt.md5crypt(password_token, salt, '$'+magic+'$')
print "ROULI: password", binascii.hexlify(expected), binascii.hexlify(full_token), expected==full_token
return expected==full_token
class SingleUserPasswordManager(PasswordManager):
def __init__(self, username, password):
PasswordManager.__init__(self)
self.username = username
self.password = password
def test(self, username, password_token):
return self.username==username and self.password==password_token

94
libmproxy/contrib/md5crypt.py Normal file
View File

@ -0,0 +1,94 @@
# Based on FreeBSD src/lib/libcrypt/crypt.c 1.2
# http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/lib/libcrypt/crypt.c?rev=1.2&content-type=text/plain
# Original license:
# * "THE BEER-WARE LICENSE" (Revision 42):
# * <phk@login.dknet.dk> wrote this file. As long as you retain this notice you
# * can do whatever you want with this stuff. If we meet some day, and you think
# * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp
# This port adds no further stipulations. I forfeit any copyright interest.
import md5
def md5crypt(password, salt, magic='$1$'):
# /* The password first, since that is what is most unknown */ /* Then our magic string */ /* Then the raw salt */
m = md5.new()
m.update(password + magic + salt)
# /* Then just as many characters of the MD5(pw,salt,pw) */
mixin = md5.md5(password + salt + password).digest()
for i in range(0, len(password)):
m.update(mixin[i % 16])
# /* Then something really weird... */
# Also really broken, as far as I can tell. -m
i = len(password)
while i:
if i & 1:
m.update('\x00')
else:
m.update(password[0])
i >>= 1
final = m.digest()
# /* and now, just to make sure things don't run too fast */
for i in range(1000):
m2 = md5.md5()
if i & 1:
m2.update(password)
else:
m2.update(final)
if i % 3:
m2.update(salt)
if i % 7:
m2.update(password)
if i & 1:
m2.update(final)
else:
m2.update(password)
final = m2.digest()
# This is the bit that uses to64() in the original code.
itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
rearranged = ''
for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
v = ord(final[a]) << 16 | ord(final[b]) << 8 | ord(final[c])
for i in range(4):
rearranged += itoa64[v & 0x3f]; v >>= 6
v = ord(final[11])
for i in range(2):
rearranged += itoa64[v & 0x3f]; v >>= 6
return magic + salt + '$' + rearranged
if __name__ == '__main__':
def test(clear_password, the_hash):
magic, salt = the_hash[1:].split('$')[:2]
magic = '$' + magic + '$'
return md5crypt(clear_password, salt, magic) == the_hash
test_cases = (
(' ', '$1$yiiZbNIH$YiCsHZjcTkYd31wkgW8JF.'),
('pass', '$1$YeNsbWdH$wvOF8JdqsoiLix754LTW90'),
('____fifteen____', '$1$s9lUWACI$Kk1jtIVVdmT01p0z3b/hw1'),
('____sixteen_____', '$1$dL3xbVZI$kkgqhCanLdxODGq14g/tW1'),
('____seventeen____', '$1$NaH5na7J$j7y8Iss0hcRbu3kzoJs5V.'),
('__________thirty-three___________', '$1$HO7Q6vzJ$yGwp2wbL5D7eOVzOmxpsy.'),
('apache', '$apr1$J.w5a/..$IW9y6DR0oO/ADuhlMF5/X1')
)
for clearpw, hashpw in test_cases:
if test(clearpw, hashpw):
print '%s: pass' % clearpw
else:
print '%s: FAIL' % clearpw