From 935505bc4f3c98214ad89884feb7f752d6c87490 Mon Sep 17 00:00:00 2001 From: israel Date: Sun, 30 Dec 2012 01:24:30 -0800 Subject: adding some simple authetication code to limit proxy access --- libmproxy/authentication.py | 104 ++++++++++++++++++++++++++++++++++++++++++ libmproxy/contrib/md5crypt.py | 94 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 198 insertions(+) create mode 100644 libmproxy/authentication.py create mode 100644 libmproxy/contrib/md5crypt.py diff --git a/libmproxy/authentication.py b/libmproxy/authentication.py new file mode 100644 index 00000000..bb8a5074 --- /dev/null +++ b/libmproxy/authentication.py @@ -0,0 +1,104 @@ +import binascii +import contrib.md5crypt as md5crypt + +class NullProxyAuth(): + """ No proxy auth at all (returns empty challange headers) """ + def __init__(self, password_manager=None): + self.password_manager = password_manager + self.username = "" + + def authenticate(self, auth_value): + """ Tests that the specified user is allowed to use the proxy (stub) """ + return True + + def auth_challenge_headers(self): + """ Returns a dictionary containing the headers require to challenge the user """ + return {} + + def get_username(self): + return self.username + + +class BasicProxyAuth(NullProxyAuth): + + def __init__(self, password_manager, realm="mitmproxy"): + NullProxyAuth.__init__(self, password_manager) + self.realm = "mitmproxy" + + def authenticate(self, auth_value): + if (not auth_value) or (not auth_value[0]): + print "ROULI: no auth specified" + return False; + try: + scheme, username, password = self.parse_authorization_header(auth_value[0]) + except: + print "ROULI: Malformed Proxy-Authorization header" + return False + if scheme.lower()!='basic': + print "ROULI: Unexpected Authorization scheme" + return False + if not self.password_manager.test(username, password): + print "ROULI: authorization failed!" + return False + self.username = username + return True + + def auth_challenge_headers(self): + return {'Proxy-Authenticate':'Basic realm="%s"'%self.realm} + + def parse_authorization_header(self, auth_value): + print "ROULI: ", auth_value + words = auth_value.split() + print "ROULI basic auth: ", words + scheme = words[0] + user = binascii.a2b_base64(words[1]) + print "ROULI basic auth user: ", user + username, password = user.split(':') + return scheme, username, password + +class PasswordManager(): + def __init__(self): + pass + + def test(self, username, password_token): + return False + +class PermissivePasswordManager(PasswordManager): + + def __init__(self): + PasswordManager.__init__(self) + + def test(self, username, password_token): + if username: + return True + return False + +class HtpasswdPasswordManager(PasswordManager): + """ Read usernames and passwords from a file created by Apache htpasswd""" + + def __init__(self, filehandle): + PasswordManager.__init__(self) + entries = (line.strip().split(':') for line in filehandle) + valid_entries = (entry for entry in entries if len(entry)==2) + self.usernames = {username:token for username,token in valid_entries} + + + def test(self, username, password_token): + if username not in self.usernames: + print "ROULI: username not in db" + return False + full_token = self.usernames[username] + dummy, magic, salt, hashed_password = full_token.split('$') + expected = md5crypt.md5crypt(password_token, salt, '$'+magic+'$') + print "ROULI: password", binascii.hexlify(expected), binascii.hexlify(full_token), expected==full_token + return expected==full_token + +class SingleUserPasswordManager(PasswordManager): + + def __init__(self, username, password): + PasswordManager.__init__(self) + self.username = username + self.password = password + + def test(self, username, password_token): + return self.username==username and self.password==password_token diff --git a/libmproxy/contrib/md5crypt.py b/libmproxy/contrib/md5crypt.py new file mode 100644 index 00000000..d64ea8ac --- /dev/null +++ b/libmproxy/contrib/md5crypt.py @@ -0,0 +1,94 @@ +# Based on FreeBSD src/lib/libcrypt/crypt.c 1.2 +# http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/lib/libcrypt/crypt.c?rev=1.2&content-type=text/plain + +# Original license: +# * "THE BEER-WARE LICENSE" (Revision 42): +# * wrote this file. As long as you retain this notice you +# * can do whatever you want with this stuff. If we meet some day, and you think +# * this stuff is worth it, you can buy me a beer in return. Poul-Henning Kamp + +# This port adds no further stipulations. I forfeit any copyright interest. + +import md5 + +def md5crypt(password, salt, magic='$1$'): + # /* The password first, since that is what is most unknown */ /* Then our magic string */ /* Then the raw salt */ + m = md5.new() + m.update(password + magic + salt) + + # /* Then just as many characters of the MD5(pw,salt,pw) */ + mixin = md5.md5(password + salt + password).digest() + for i in range(0, len(password)): + m.update(mixin[i % 16]) + + # /* Then something really weird... */ + # Also really broken, as far as I can tell. -m + i = len(password) + while i: + if i & 1: + m.update('\x00') + else: + m.update(password[0]) + i >>= 1 + + final = m.digest() + + # /* and now, just to make sure things don't run too fast */ + for i in range(1000): + m2 = md5.md5() + if i & 1: + m2.update(password) + else: + m2.update(final) + + if i % 3: + m2.update(salt) + + if i % 7: + m2.update(password) + + if i & 1: + m2.update(final) + else: + m2.update(password) + + final = m2.digest() + + # This is the bit that uses to64() in the original code. + + itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz' + + rearranged = '' + for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)): + v = ord(final[a]) << 16 | ord(final[b]) << 8 | ord(final[c]) + for i in range(4): + rearranged += itoa64[v & 0x3f]; v >>= 6 + + v = ord(final[11]) + for i in range(2): + rearranged += itoa64[v & 0x3f]; v >>= 6 + + return magic + salt + '$' + rearranged + +if __name__ == '__main__': + + def test(clear_password, the_hash): + magic, salt = the_hash[1:].split('$')[:2] + magic = '$' + magic + '$' + return md5crypt(clear_password, salt, magic) == the_hash + + test_cases = ( + (' ', '$1$yiiZbNIH$YiCsHZjcTkYd31wkgW8JF.'), + ('pass', '$1$YeNsbWdH$wvOF8JdqsoiLix754LTW90'), + ('____fifteen____', '$1$s9lUWACI$Kk1jtIVVdmT01p0z3b/hw1'), + ('____sixteen_____', '$1$dL3xbVZI$kkgqhCanLdxODGq14g/tW1'), + ('____seventeen____', '$1$NaH5na7J$j7y8Iss0hcRbu3kzoJs5V.'), + ('__________thirty-three___________', '$1$HO7Q6vzJ$yGwp2wbL5D7eOVzOmxpsy.'), + ('apache', '$apr1$J.w5a/..$IW9y6DR0oO/ADuhlMF5/X1') + ) + + for clearpw, hashpw in test_cases: + if test(clearpw, hashpw): + print '%s: pass' % clearpw + else: + print '%s: FAIL' % clearpw -- cgit v1.2.3 From 440a9f6bda8d645945e8c056a5e869c712dd2d69 Mon Sep 17 00:00:00 2001 From: israel Date: Sun, 30 Dec 2012 01:41:58 -0800 Subject: adding some simple authetication code to limit proxy access --- libmproxy/authentication.py | 9 ------ libmproxy/cmdline.py | 48 ++++++++++++++++++++++++++- libmproxy/contrib/README | 1 + libmproxy/proxy.py | 79 +++++++++++++++++++++++++++++---------------- 4 files changed, 99 insertions(+), 38 deletions(-) diff --git a/libmproxy/authentication.py b/libmproxy/authentication.py index bb8a5074..e5383f5a 100644 --- a/libmproxy/authentication.py +++ b/libmproxy/authentication.py @@ -27,18 +27,14 @@ class BasicProxyAuth(NullProxyAuth): def authenticate(self, auth_value): if (not auth_value) or (not auth_value[0]): - print "ROULI: no auth specified" return False; try: scheme, username, password = self.parse_authorization_header(auth_value[0]) except: - print "ROULI: Malformed Proxy-Authorization header" return False if scheme.lower()!='basic': - print "ROULI: Unexpected Authorization scheme" return False if not self.password_manager.test(username, password): - print "ROULI: authorization failed!" return False self.username = username return True @@ -47,12 +43,9 @@ class BasicProxyAuth(NullProxyAuth): return {'Proxy-Authenticate':'Basic realm="%s"'%self.realm} def parse_authorization_header(self, auth_value): - print "ROULI: ", auth_value words = auth_value.split() - print "ROULI basic auth: ", words scheme = words[0] user = binascii.a2b_base64(words[1]) - print "ROULI basic auth user: ", user username, password = user.split(':') return scheme, username, password @@ -85,12 +78,10 @@ class HtpasswdPasswordManager(PasswordManager): def test(self, username, password_token): if username not in self.usernames: - print "ROULI: username not in db" return False full_token = self.usernames[username] dummy, magic, salt, hashed_password = full_token.split('$') expected = md5crypt.md5crypt(password_token, salt, '$'+magic+'$') - print "ROULI: password", binascii.hexlify(expected), binascii.hexlify(full_token), expected==full_token return expected==full_token class SingleUserPasswordManager(PasswordManager): diff --git a/libmproxy/cmdline.py b/libmproxy/cmdline.py index 279c3cb4..db1ebf0d 100644 --- a/libmproxy/cmdline.py +++ b/libmproxy/cmdline.py @@ -15,7 +15,7 @@ import proxy import re, filt - +import argparse class ParseException(Exception): pass class OptionException(Exception): pass @@ -334,4 +334,50 @@ def common_options(parser): help="Header set pattern." ) + + group = parser.add_argument_group( + "Proxy Authentication", + """ + Specification of which users are allowed to access the proxy and the method used for authenticating them. + If authscheme is specified, one must specify a list of authorized users and their passwords. + In case that authscheme is not specified, or set to None, any list of authorized users will be ignored. + """.strip() + ) + + group.add_argument( + "--authscheme", type=str, + action="store", dest="authscheme", default=None, choices=["none", "basic"], + help=""" + Specify the scheme used by the proxy to identify users. + If not none, requires the specification of a list of authorized users. + This option is ignored if the proxy is in transparent or reverse mode. + """.strip() + + ) + + user_specification_group = group.add_mutually_exclusive_group() + + + user_specification_group.add_argument( + "--nonanonymous", + action="store_true", dest="auth_nonanonymous", + help="Allow access to any user as long as a username is specified. Ignores the provided password." + ) + + user_specification_group.add_argument( + "--singleuser", + action="store", dest="auth_singleuser", type=str, + help="Allows access to a single user as specified by the option value. Specify a username and password in the form username:password." + ) + + user_specification_group.add_argument( + "--htpasswd", + action="store", dest="auth_htpasswd", type=argparse.FileType('r'), + help="Allow access to users specified in an Apache htpasswd file." + ) + + + + + proxy.certificate_option_group(parser) diff --git a/libmproxy/contrib/README b/libmproxy/contrib/README index 61ae29e2..2506ad6d 100644 --- a/libmproxy/contrib/README +++ b/libmproxy/contrib/README @@ -11,4 +11,5 @@ jsbeautifier, git checkout 25/03/12, MIT license html2text, git checkout 18/08/12, GPLv3 +md5crypt, PSF license, http://code.activestate.com/recipes/325204/ diff --git a/libmproxy/proxy.py b/libmproxy/proxy.py index 961ee465..b1ce310c 100644 --- a/libmproxy/proxy.py +++ b/libmproxy/proxy.py @@ -18,16 +18,18 @@ import SocketServer from OpenSSL import SSL from netlib import odict, tcp, http, wsgi, certutils, http_status import utils, flow, version, platform, controller +import authentication class ProxyError(Exception): - def __init__(self, code, msg): - self.code, self.msg = code, msg + def __init__(self, code, msg, headers=None): + self.code, self.msg, self.headers = code, msg, headers def __str__(self): return "ProxyError(%s, %s)"%(self.code, self.msg) + class Log(controller.Msg): def __init__(self, msg): controller.Msg.__init__(self) @@ -36,7 +38,7 @@ class Log(controller.Msg): class ProxyConfig: - def __init__(self, certfile = None, cacert = None, clientcerts = None, cert_wait_time=0, no_upstream_cert=False, body_size_limit = None, reverse_proxy=None, transparent_proxy=None, certdir = None): + def __init__(self, certfile = None, cacert = None, clientcerts = None, cert_wait_time=0, no_upstream_cert=False, body_size_limit = None, reverse_proxy=None, transparent_proxy=None, certdir = None, authenticator=None): assert not (reverse_proxy and transparent_proxy) self.certfile = certfile self.cacert = cacert @@ -47,7 +49,7 @@ class ProxyConfig: self.body_size_limit = body_size_limit self.reverse_proxy = reverse_proxy self.transparent_proxy = transparent_proxy - + self.authenticator = authenticator class RequestReplayThread(threading.Thread): def __init__(self, config, flow, masterq): @@ -217,7 +219,7 @@ class ProxyHandler(tcp.BaseHandler): self.log(cc, cc.error) if isinstance(e, ProxyError): - self.send_error(e.code, e.msg) + self.send_error(e.code, e.msg, e.headers) else: return True @@ -283,9 +285,7 @@ class ProxyHandler(tcp.BaseHandler): if not r: raise ProxyError(400, "Bad HTTP request line: %s"%repr(line)) method, path, httpversion = r - headers = http.read_headers(self.rfile) - if headers is None: - raise ProxyError(400, "Invalid headers") + headers = self.read_headers(authenticate=False) content = http.read_http_body_request( self.rfile, self.wfile, headers, httpversion, self.config.body_size_limit ) @@ -299,9 +299,7 @@ class ProxyHandler(tcp.BaseHandler): if not r: raise ProxyError(400, "Bad HTTP request line: %s"%repr(line)) method, path, httpversion = r - headers = http.read_headers(self.rfile) - if headers is None: - raise ProxyError(400, "Invalid headers") + headers = self.read_headers(authenticate=False) content = http.read_http_body_request( self.rfile, self.wfile, headers, httpversion, self.config.body_size_limit ) @@ -315,12 +313,9 @@ class ProxyHandler(tcp.BaseHandler): if not r: raise ProxyError(400, "Bad HTTP request line: %s"%repr(line)) host, port, httpversion = r - # FIXME: Discard additional headers sent to the proxy. Should I expose - # these to users? - while 1: - d = self.rfile.readline() - if d == '\r\n' or d == '\n': - break + + headers = self.read_headers(authenticate=True) + self.wfile.write( 'HTTP/1.1 200 Connection established\r\n' + ('Proxy-agent: %s\r\n'%self.server_version) + @@ -340,9 +335,8 @@ class ProxyHandler(tcp.BaseHandler): if not r: raise ProxyError(400, "Bad HTTP request line: %s"%repr(line)) method, path, httpversion = r - headers = http.read_headers(self.rfile) - if headers is None: - raise ProxyError(400, "Invalid headers") + headers = self.read_headers(authenticate=False) + content = http.read_http_body_request( self.rfile, self.wfile, headers, httpversion, self.config.body_size_limit ) @@ -352,14 +346,20 @@ class ProxyHandler(tcp.BaseHandler): if not r: raise ProxyError(400, "Bad HTTP request line: %s"%repr(line)) method, scheme, host, port, path, httpversion = http.parse_init_proxy(line) - headers = http.read_headers(self.rfile) - if headers is None: - raise ProxyError(400, "Invalid headers") + headers = self.read_headers(authenticate=True) content = http.read_http_body_request( self.rfile, self.wfile, headers, httpversion, self.config.body_size_limit ) return flow.Request(client_conn, httpversion, host, port, scheme, method, path, headers, content) + def read_headers(self, authenticate=False): + headers = http.read_headers(self.rfile) + if headers is None: + raise ProxyError(400, "Invalid headers") + if authenticate and self.config.authenticator and not self.config.authenticator.authenticate(headers.get('Proxy-Authorization', [])): + raise ProxyError(407, "Proxy Authentication Required", self.config.authenticator.auth_challenge_headers()) + return headers + def send_response(self, response): d = response._assemble() if not d: @@ -367,16 +367,19 @@ class ProxyHandler(tcp.BaseHandler): self.wfile.write(d) self.wfile.flush() - def send_error(self, code, body): + def send_error(self, code, body, headers): try: response = http_status.RESPONSES.get(code, "Unknown") + html_content = '\n%d %s\n\n\n%s\n\n'%(code, response, body) self.wfile.write("HTTP/1.1 %s %s\r\n" % (code, response)) self.wfile.write("Server: %s\r\n"%self.server_version) - self.wfile.write("Connection: close\r\n") self.wfile.write("Content-type: text/html\r\n") + self.wfile.write("Content-Length: %d\r\n"%len(html_content)) + for key, value in headers.items(): + self.wfile.write("%s: %s\r\n"%(key, value)) + self.wfile.write("Connection: close\r\n") self.wfile.write("\r\n") - self.wfile.write('\n%d %s\n\n' - '\n%s\n\n' % (code, response, body)) + self.wfile.write(html_content) self.wfile.flush() except: pass @@ -531,6 +534,25 @@ def process_proxy_options(parser, options): if not os.path.exists(options.certdir) or not os.path.isdir(options.certdir): parser.error("Dummy cert directory does not exist or is not a directory: %s"%options.certdir) + if options.authscheme and (options.authscheme!='none'): + if not (options.auth_nonanonymous or options.auth_singleuser or options.auth_htpasswd): + parser.error("Proxy authentication scheme is specified, but no allowed user list is given.") + if options.auth_singleuser and len(options.auth_singleuser.split(':'))!=2: + parser.error("Authorized user is not given in correct format username:password") + if options.auth_nonanonymous: + password_manager = authentication.PermissivePasswordManager() + elif options.auth_singleuser: + username, password = options.auth_singleuser.split(':') + password_manager = authentication.SingleUserPasswordManager(username, password) + elif options.auth_htpasswd: + password_manager = authentication.HtpasswdPasswordManager(options.auth_htpasswd) + # in the meanwhile, basic auth is the only true authentication scheme we support + # so just use it + authenticator = authentication.BasicProxyAuth(password_manager) + else: + authenticator = authentication.NullProxyAuth(None) + + return ProxyConfig( certfile = options.cert, cacert = cacert, @@ -540,5 +562,6 @@ def process_proxy_options(parser, options): no_upstream_cert = options.no_upstream_cert, reverse_proxy = rp, transparent_proxy = trans, - certdir = options.certdir + certdir = options.certdir, + authenticator = authenticator ) -- cgit v1.2.3