From 53065234466918daf36ebe6d3b10d264979fc8ae Mon Sep 17 00:00:00 2001
From: Guillem Anguera
Date: Thu, 11 Feb 2016 00:14:38 +0100
Subject: Added Basic Auth support for MITMWeb interface
---
 libmproxy/web/app.py | 37 ++++++++++++++++++++++++++++++++++---
 1 file changed, 34 insertions(+), 3 deletions(-)
(limited to 'libmproxy/web/app.py')
diff --git a/libmproxy/web/app.py b/libmproxy/web/app.py
index 958b8669..55711837 100644
--- a/libmproxy/web/app.py
+++ b/libmproxy/web/app.py
@@ -4,6 +4,7 @@ import tornado.web
 import tornado.websocket
 import logging
 import json
+import base64
 from netlib.http import CONTENT_MISSING
 from .. import version, filt
@@ -40,7 +41,31 @@ class APIError(tornado.web.HTTPError):
 pass
-class RequestHandler(tornado.web.RequestHandler):
+class BasicAuth(object):
+ def set_auth_headers(self):
+ self.set_status(401)
+ self.set_header('WWW-Authenticate', 'Basic realm=MITMWeb')
+ self._transforms = []
+ self.finish()
+
+ def initialize(self, **kwargs):
+ self.wauthenticator = kwargs.get("wauthenticator")
+
+ def prepare(self):
+ if self.wauthenticator:
+ auth_header = self.request.headers.get('Authorization')
+ if auth_header is None or not auth_header.startswith('Basic '):
+ self.set_auth_headers()
+ else:
+ self.auth_decoded = base64.decodestring(auth_header[6:])
+ self.username, self.password = self.auth_decoded.split(':', 2)
+ if not self.wauthenticator.test(self.username, self.password):
+ self.set_auth_headers()
+ raise APIError(401, "Invalid username or password.")
+
+
+
+class RequestHandler(BasicAuth, tornado.web.RequestHandler):
 def set_default_headers(self):
 super(RequestHandler, self).set_default_headers()
@@ -100,7 +125,7 @@ class FiltHelp(RequestHandler):
 ))
-class WebSocketEventBroadcaster(tornado.websocket.WebSocketHandler):
+class WebSocketEventBroadcaster(BasicAuth, tornado.websocket.WebSocketHandler):
 # raise an error if inherited class doesn't specify its own instance.
 connections = None
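Review bot: In `BasicAuth.prepare`, `self.auth_decoded.split(':', 2)` permits up to three fields, so a password containing a colon, or a decoded value with no colon at all, breaks the two-name unpacking, and undecodable base64 makes `base64.decodestring` raise too; all three would presumably surface as an unhandled exception (a 500) rather than a 401 challenge. Basic credentials are split once, at the first colon, and any decode or unpack error is best treated as a failed login, as in the excerpt below (written for Python 2, which this file appears to target). Holding the credentials in locals instead of `self.username`/`self.password` also avoids keeping the plaintext password on the handler object. The realm parameter is normally sent as a quoted string, `'Basic realm="MITMWeb"'`.

```python
    def prepare(self):
        # … unchanged: wauthenticator check and the missing / non-Basic header branch …
            else:
                try:
                    decoded = base64.b64decode(auth_header[6:])
                    username, password = decoded.split(':', 1)
                except (TypeError, ValueError):
                    # Malformed credentials are a failed login, not a server error.
                    self.set_auth_headers()
                    raise APIError(401, "Invalid username or password.")
                if not self.wauthenticator.test(username, password):
                    # … unchanged: set_auth_headers() and raise APIError(401, …) …
```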
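Review bot: Authentication for `WebSocketEventBroadcaster` (and `RequestHandler`) now depends on `BasicAuth.prepare` and `BasicAuth.initialize` being inherited untouched, and nothing documents that; a subclass that defines its own `prepare` or `initialize` without calling `super()` would skip the check with no error, and the subclasses are outside this hunk. A class comment on `BasicAuth` would make the contract explicit, for example `# Handlers overriding prepare()/initialize() must call super(), otherwise the Basic Auth check is skipped.` It is also worth a test that the WebSocket handshake is answered with 401 before the upgrade when an authenticator is configured. The class body continues outside the hunk.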
@@ -284,8 +309,11 @@ class Settings(RequestHandler):
 class Application(tornado.web.Application):
- def __init__(self, master, debug):
+ def __init__(self, master, debug, wauthenticator):
 self.master = master
+ self.additional_args = dict(
+ wauthenticator=wauthenticator,
+ )
 handlers = [
 (r"/", IndexHandler),
 (r"/filter-help", FiltHelp),
@@ -302,6 +330,9 @@ class Application(tornado.web.Application):
 (r"/settings", Settings),
 (r"/clear", ClearAll),
 ]
+ for i, handler in enumerate(handlers):
+ handlers[i] += (self.additional_args,)
+
 settings = dict(
 template_path=os.path.join(os.path.dirname(__file__), "templates"),
 static_path=os.path.join(os.path.dirname(__file__), "static"),
-- cgit v1.2.3
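Review bot: `Application.__init__` takes the new `wauthenticator` argument without any docstring, and the fact that a falsy value switches authentication off entirely (`BasicAuth.prepare` only checks credentials when `self.wauthenticator` is truthy) is easy to miss at the call site. A docstring line such as `"""wauthenticator: object with test(username, password); None disables authentication."""` would record that. The parameter is also a new required positional, so callers outside this file (the patch view is limited to app.py) need updating in the same change. `__init__` starts inside the hunk but continues past it.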
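Review bot: The loop that appends `self.additional_args` to each tuple only covers the routes listed in `handlers`; the static file handler that Tornado registers itself for the `static_path` setting just below does not inherit `BasicAuth`, so files under the static directory would presumably still be served without credentials. If that is intended because only JS/CSS assets live there, a comment such as `# static assets are deliberately served without auth` would record the decision. The loop itself reads more simply as `handlers = [h + (self.additional_args,) for h in handlers]`, since `handler` is unused in the current body. The settings dict continues outside the hunk.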