adding some simple authetication code to limit proxy access

2 files changed, 198 insertions, 0 deletions

diff --git a/libmproxy/authentication.py b/libmproxy/authentication.py
new file mode 100644
index 00000000..bb8a5074
--- /dev/null
+++ b/libmproxy/authentication.py
@@ -0,0 +1,104 @@
+import binascii
+import contrib.md5crypt as md5crypt
+
+class NullProxyAuth():
+    """ No proxy auth at all (returns empty challange headers) """
+    def __init__(self, password_manager=None):
+        self.password_manager = password_manager
+        self.username = ""
+
+    def authenticate(self, auth_value):
+        """ Tests that the specified user is allowed to use the proxy (stub) """
+        return True
+
+    def auth_challenge_headers(self):
+        """ Returns a dictionary containing the headers require to challenge the user """
+        return {}
+
+    def get_username(self):
+        return self.username
+
+
+class BasicProxyAuth(NullProxyAuth):
+
+    def __init__(self, password_manager, realm="mitmproxy"):
+        NullProxyAuth.__init__(self, password_manager)
+        self.realm = "mitmproxy"
+
+    def authenticate(self, auth_value):
+        if (not auth_value) or (not auth_value[0]):
+            print "ROULI: no auth specified"
+            return False;
+        try:
+            scheme, username, password = self.parse_authorization_header(auth_value[0])
+        except:
+            print "ROULI: Malformed Proxy-Authorization header"
+            return False
+        if scheme.lower()!='basic':
+            print "ROULI: Unexpected Authorization scheme"
+            return False
+        if not self.password_manager.test(username, password):
+            print "ROULI: authorization failed!"
+            return False
+        self.username = username
+        return True
+
+    def auth_challenge_headers(self):
+        return {'Proxy-Authenticate':'Basic realm="%s"'%self.realm}
+
+    def parse_authorization_header(self, auth_value):
+        print "ROULI: ", auth_value
+        words = auth_value.split()
+        print "ROULI basic auth: ", words
+        scheme = words[0]
+        user = binascii.a2b_base64(words[1])
+        print "ROULI basic auth user: ", user
+        username, password = user.split(':')
+        return scheme, username, password
+
+class PasswordManager():
+    def __init__(self):
+        pass
+
+    def test(self, username, password_token):
+        return False
+
+class PermissivePasswordManager(PasswordManager):
+
+    def __init__(self):
+        PasswordManager.__init__(self)
+
+    def test(self, username, password_token):
+        if username:
+            return True
+        return False
+
+class HtpasswdPasswordManager(PasswordManager):
+    """ Read usernames and passwords from a file created by Apache htpasswd"""
+
+    def __init__(self, filehandle):
+        PasswordManager.__init__(self)
+        entries = (line.strip().split(':') for line in filehandle)
+        valid_entries = (entry for entry in entries if len(entry)==2)
+        self.usernames = {username:token for username,token in valid_entries}
+
+
+    def test(self, username, password_token):
+        if username not in self.usernames:
+            print "ROULI: username not in db"
+            return False
+        full_token = self.usernames[username]
+        dummy, magic, salt, hashed_password = full_token.split('$')
+        expected = md5crypt.md5crypt(password_token, salt, '$'+magic+'$')
+        print "ROULI: password", binascii.hexlify(expected), binascii.hexlify(full_token), expected==full_token
+        return expected==full_token
+
+class SingleUserPasswordManager(PasswordManager):
+
+    def __init__(self, username, password):
+        PasswordManager.__init__(self)
+        self.username = username
+        self.password = password
+
+    def test(self, username, password_token):
+        return self.username==username and self.password==password_token
diff --git a/libmproxy/contrib/md5crypt.py b/libmproxy/contrib/md5crypt.py
new file mode 100644
index 00000000..d64ea8ac
--- /dev/null
+++ b/libmproxy/contrib/md5crypt.py
@@ -0,0 +1,94 @@
+# Based on FreeBSD src/lib/libcrypt/crypt.c 1.2
+# http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/lib/libcrypt/crypt.c?rev=1.2&content-type=text/plain
+
+# Original license:
+# * "THE BEER-WARE LICENSE" (Revision 42):
+# * <phk@login.dknet.dk> wrote this file.  As long as you retain this notice you
+# * can do whatever you want with this stuff. If we meet some day, and you think
+# * this stuff is worth it, you can buy me a beer in return.   Poul-Henning Kamp
+
+# This port adds no further stipulations.  I forfeit any copyright interest.
+
+import md5
+
+def md5crypt(password, salt, magic='$1$'):
+    # /* The password first, since that is what is most unknown */ /* Then our magic string */ /* Then the raw salt */
+    m = md5.new()
+    m.update(password + magic + salt)
+
+    # /* Then just as many characters of the MD5(pw,salt,pw) */
+    mixin = md5.md5(password + salt + password).digest()
+    for i in range(0, len(password)):
+        m.update(mixin[i % 16])
+
+    # /* Then something really weird... */
+    # Also really broken, as far as I can tell.  -m
+    i = len(password)
+    while i:
+        if i & 1:
+            m.update('\x00')
+        else:
+            m.update(password[0])
+        i >>= 1
+
+    final = m.digest()
+
+    # /* and now, just to make sure things don't run too fast */
+    for i in range(1000):
+        m2 = md5.md5()
+        if i & 1:
+            m2.update(password)
+        else:
+            m2.update(final)
+
+        if i % 3:
+            m2.update(salt)
+
+        if i % 7:
+            m2.update(password)
+
+        if i & 1:
+            m2.update(final)
+        else:
+            m2.update(password)
+
+        final = m2.digest()
+
+    # This is the bit that uses to64() in the original code.
+
+    itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
+
+    rearranged = ''
+    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
+        v = ord(final[a]) << 16 | ord(final[b]) << 8 | ord(final[c])
+        for i in range(4):
+            rearranged += itoa64[v & 0x3f]; v >>= 6
+
+    v = ord(final[11])
+    for i in range(2):
+        rearranged += itoa64[v & 0x3f]; v >>= 6
+
+    return magic + salt + '$' + rearranged
+
+if __name__ == '__main__':
+
+    def test(clear_password, the_hash):
+        magic, salt = the_hash[1:].split('$')[:2]
+        magic = '$' + magic + '$'
+        return md5crypt(clear_password, salt, magic) == the_hash
+
+    test_cases = (
+        (' ', '$1$yiiZbNIH$YiCsHZjcTkYd31wkgW8JF.'),
+        ('pass', '$1$YeNsbWdH$wvOF8JdqsoiLix754LTW90'),
+        ('____fifteen____', '$1$s9lUWACI$Kk1jtIVVdmT01p0z3b/hw1'),
+        ('____sixteen_____', '$1$dL3xbVZI$kkgqhCanLdxODGq14g/tW1'),
+        ('____seventeen____', '$1$NaH5na7J$j7y8Iss0hcRbu3kzoJs5V.'),
+        ('__________thirty-three___________', '$1$HO7Q6vzJ$yGwp2wbL5D7eOVzOmxpsy.'),
+        ('apache', '$apr1$J.w5a/..$IW9y6DR0oO/ADuhlMF5/X1')
+    )
+
+    for clearpw, hashpw in test_cases:
+        if test(clearpw, hashpw):
+            print '%s: pass' % clearpw
+        else:
+            print '%s: FAIL' % clearpw