| author | Aldo Cortesi <aldo@nullcube.com> | 2012-12-31 10:56:44 +1300 | 
|---|---|---|
| committer | Aldo Cortesi <aldo@nullcube.com> | 2012-12-31 10:56:44 +1300 | 
| commit | 5347cb9c269acdbc2fc36f92e3545fcbb9de45a1 (patch) | |
| tree | 0bc590a4539f78ecce202e8891644a20507b41d9 /libmproxy | |
| parent | 3b84111493dee7c21c4dd6ba390fd70cb13a8674 (diff) | |
More work on proxy auth
- Strip auth header if auth succeeds, so it's not passed upstream
- Actually use realm specification to BasicProxyAuth, and make it mandatory
- Cleanups and unit tests
Diffstat (limited to 'libmproxy')
| -rw-r--r-- | libmproxy/authentication.py | 21 | ||||
| -rw-r--r-- | libmproxy/proxy.py | 17 | 
2 files changed, 26 insertions, 12 deletions
|
diff --git a/libmproxy/authentication.py b/libmproxy/authentication.py
index 675f5dc5..1f1f40ae 100644
--- a/libmproxy/authentication.py
+++ b/libmproxy/authentication.py
@@ -9,9 +9,15 @@ class NullProxyAuth():
         self.password_manager = password_manager
         self.username = ""
+    def clean(self, headers):
+        """
+            Clean up authentication headers, so they're not passed upstream.
+        """ 
+        pass
+
     def authenticate(self, headers):
         """
-            Tests that the specified user is allowed to use the proxy (stub)
+            Tests that the user is allowed to use the proxy
         """
         return True
@@ -23,12 +29,17 @@ class NullProxyAuth():
 class BasicProxyAuth(NullProxyAuth):
-    def __init__(self, password_manager, realm="mitmproxy"):
+    CHALLENGE_HEADER = 'Proxy-Authenticate'
+    AUTH_HEADER = 'Proxy-Authorization'
+    def __init__(self, password_manager, realm):
         NullProxyAuth.__init__(self, password_manager)
-        self.realm = "mitmproxy"
+        self.realm = realm 
+
+    def clean(self, headers):
+        del headers[self.AUTH_HEADER]
     def authenticate(self, headers):
-        auth_value = headers.get('Proxy-Authorization', [])
+        auth_value = headers.get(self.AUTH_HEADER, [])
         if not auth_value:
             return False
         try:
@@ -43,7 +54,7 @@ class BasicProxyAuth(NullProxyAuth):
         return True
     def auth_challenge_headers(self):
-        return {'Proxy-Authenticate':'Basic realm="%s"'%self.realm}
+        return {self.CHALLENGE_HEADER:'Basic realm="%s"'%self.realm}
     def unparse_auth_value(self, scheme, username, password):
         v = binascii.b2a_base64(username + ":" + password)
diff --git a/libmproxy/proxy.py b/libmproxy/proxy.py
index 2c62a880..0cba4cbc 100644
--- a/libmproxy/proxy.py
+++ b/libmproxy/proxy.py
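Review bot: `BasicProxyAuth.clean` in the second authentication.py hunk (`del headers[self.AUTH_HEADER]`) has no docstring and silently relies on `authenticate` having just succeeded on the same headers object. Whether the `del` tolerates a missing `Proxy-Authorization` entry depends on the headers container, which is not visible on this page; if it raises, any later caller that cleans without authenticating first turns an ordinary request into an unhandled error. I would state the contract on the method, e.g. `"""Remove Proxy-Authorization so proxy credentials are never forwarded upstream; call only after authenticate() has succeeded."""`. A blank line between the new class constants and `def __init__` would also help readability.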
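Review bot: In `auth_challenge_headers` (third authentication.py hunk) the realm is interpolated into `'Basic realm="%s"'` without any escaping, and with this commit the value is caller-supplied instead of fixed. A realm containing `"` or CR/LF would produce a malformed or split `Proxy-Authenticate` header; the only caller visible on this page passes the literal "mitmproxy", so this is hardening rather than a live bug. Rejecting such values once in `__init__` (second hunk) is the simplest place, e.g. `if '"' in realm or '\r' in realm or '\n' in realm: raise ValueError("invalid realm")`.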
@@ -356,12 +356,15 @@ class ProxyHandler(tcp.BaseHandler):
         headers = http.read_headers(self.rfile)
         if headers is None:
             raise ProxyError(400, "Invalid headers")
-        if authenticate and self.config.authenticator and not self.config.authenticator.authenticate(headers):
-            raise ProxyError(
-                        407,
-                        "Proxy Authentication Required",
-                        self.config.authenticator.auth_challenge_headers()
-                   )
+        if authenticate and self.config.authenticator:
+            if self.config.authenticator.authenticate(headers):
+                self.config.authenticator.clean(headers)
+            else:
+                raise ProxyError(
+                            407,
+                            "Proxy Authentication Required",
+                            self.config.authenticator.auth_challenge_headers()
+                       )
         return headers
     def send_response(self, response):
@@ -552,7 +555,7 @@ def process_proxy_options(parser, options):
             password_manager = authentication.HtpasswdPasswordManager(options.auth_htpasswd)
         # in the meanwhile, basic auth is the only true authentication scheme we support
         # so just use it
-        authenticator = authentication.BasicProxyAuth(password_manager)
+        authenticator = authentication.BasicProxyAuth(password_manager, "mitmproxy")
     else:
         authenticator = authentication.NullProxyAuth(None)
|
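Review bot: The `Proxy-Authorization` header is stripped only on the branch where `authenticate` is true and a real authenticator accepted the request; on every other path through the first proxy.py hunk the headers are returned untouched. With `NullProxyAuth`, whose `clean` is a no-op, or on a call made with `authenticate` false, a client-supplied credential header would presumably still be forwarded upstream. The callers and the start of this method are outside the hunk, so that needs confirming. If forwarding is not intended there, the no-auth path should drop the header as well, and a unit test should cover it. At minimum the call deserves a comment such as `# proxy credentials are for this hop only; strip them before the request is forwarded`.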
