diff options
| -rw-r--r-- | libmproxy/authentication.py | 95 | ||||
| -rw-r--r-- | libmproxy/cmdline.py | 48 | ||||
| -rw-r--r-- | libmproxy/contrib/README | 1 | ||||
| -rw-r--r-- | libmproxy/contrib/md5crypt.py | 94 | ||||
| -rw-r--r-- | libmproxy/proxy.py | 79 | 
5 files changed, 288 insertions, 29 deletions
| diff --git a/libmproxy/authentication.py b/libmproxy/authentication.py new file mode 100644 index 00000000..e5383f5a --- /dev/null +++ b/libmproxy/authentication.py @@ -0,0 +1,95 @@ +import binascii +import contrib.md5crypt as md5crypt + +class NullProxyAuth(): +    """ No proxy auth at all (returns empty challange headers) """ +    def __init__(self, password_manager=None): +        self.password_manager = password_manager +        self.username = "" + +    def authenticate(self, auth_value): +        """ Tests that the specified user is allowed to use the proxy (stub) """ +        return True + +    def auth_challenge_headers(self): +        """ Returns a dictionary containing the headers require to challenge the user """ +        return {} + +    def get_username(self): +        return self.username + + +class BasicProxyAuth(NullProxyAuth): + +    def __init__(self, password_manager, realm="mitmproxy"): +        NullProxyAuth.__init__(self, password_manager) +        self.realm = "mitmproxy" + +    def authenticate(self, auth_value): +        if (not auth_value) or (not auth_value[0]): +            return False; +        try: +            scheme, username, password = self.parse_authorization_header(auth_value[0]) +        except: +            return False +        if scheme.lower()!='basic': +            return False +        if not self.password_manager.test(username, password): +            return False +        self.username = username +        return True + +    def auth_challenge_headers(self): +        return {'Proxy-Authenticate':'Basic realm="%s"'%self.realm} + +    def parse_authorization_header(self, auth_value): +        words = auth_value.split() +        scheme = words[0] +        user = binascii.a2b_base64(words[1]) +        username, password = user.split(':') +        return scheme, username, password + +class PasswordManager(): +    def __init__(self): +        pass + +    def test(self, username, password_token): +        return False + +class PermissivePasswordManager(PasswordManager): + +    def __init__(self): +        PasswordManager.__init__(self) + +    def test(self, username, password_token): +        if username: +            return True +        return False + +class HtpasswdPasswordManager(PasswordManager): +    """ Read usernames and passwords from a file created by Apache htpasswd""" + +    def __init__(self, filehandle): +        PasswordManager.__init__(self) +        entries = (line.strip().split(':') for line in filehandle) +        valid_entries = (entry for entry in entries if len(entry)==2) +        self.usernames = {username:token for username,token in valid_entries} + + +    def test(self, username, password_token): +        if username not in self.usernames: +            return False +        full_token = self.usernames[username] +        dummy, magic, salt, hashed_password = full_token.split('$') +        expected = md5crypt.md5crypt(password_token, salt, '$'+magic+'$') +        return expected==full_token + +class SingleUserPasswordManager(PasswordManager): + +    def __init__(self, username, password): +        PasswordManager.__init__(self) +        self.username = username +        self.password = password + +    def test(self, username, password_token): +        return self.username==username and self.password==password_token diff --git a/libmproxy/cmdline.py b/libmproxy/cmdline.py index 279c3cb4..db1ebf0d 100644 --- a/libmproxy/cmdline.py +++ b/libmproxy/cmdline.py @@ -15,7 +15,7 @@  import proxy  import re, filt - +import argparse  class ParseException(Exception): pass  class OptionException(Exception): pass @@ -334,4 +334,50 @@ def common_options(parser):          help="Header set pattern."      ) + +    group = parser.add_argument_group( +        "Proxy Authentication", +        """ +            Specification of which users are allowed to access the proxy and the method used for authenticating them. +            If authscheme is specified, one must specify a list of authorized users and their passwords. +            In case that authscheme is not specified, or set to None, any list of authorized users will be ignored. +        """.strip() +    ) + +    group.add_argument( +        "--authscheme", type=str, +        action="store", dest="authscheme", default=None, choices=["none", "basic"], +        help=""" +            Specify the scheme used by the proxy to identify users. +            If not none, requires the specification of a list of authorized users. +            This option is ignored if the proxy is in transparent or reverse mode. +            """.strip() + +    ) + +    user_specification_group = group.add_mutually_exclusive_group() + + +    user_specification_group.add_argument( +        "--nonanonymous", +        action="store_true", dest="auth_nonanonymous", +        help="Allow access to any user as long as a username is specified. Ignores the provided password." +    ) + +    user_specification_group.add_argument( +        "--singleuser", +        action="store", dest="auth_singleuser", type=str, +        help="Allows access to a single user as specified by the option value. Specify a username and password in the form username:password." +    ) + +    user_specification_group.add_argument( +        "--htpasswd", +        action="store", dest="auth_htpasswd", type=argparse.FileType('r'), +        help="Allow access to users specified in an Apache htpasswd file." +    ) + + + + +      proxy.certificate_option_group(parser) diff --git a/libmproxy/contrib/README b/libmproxy/contrib/README index 61ae29e2..2506ad6d 100644 --- a/libmproxy/contrib/README +++ b/libmproxy/contrib/README @@ -11,4 +11,5 @@ jsbeautifier, git checkout 25/03/12, MIT license  html2text, git checkout 18/08/12, GPLv3 +md5crypt, PSF license, http://code.activestate.com/recipes/325204/ diff --git a/libmproxy/contrib/md5crypt.py b/libmproxy/contrib/md5crypt.py new file mode 100644 index 00000000..d64ea8ac --- /dev/null +++ b/libmproxy/contrib/md5crypt.py @@ -0,0 +1,94 @@ +# Based on FreeBSD src/lib/libcrypt/crypt.c 1.2 +# http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/src/lib/libcrypt/crypt.c?rev=1.2&content-type=text/plain + +# Original license: +# * "THE BEER-WARE LICENSE" (Revision 42): +# * <phk@login.dknet.dk> wrote this file.  As long as you retain this notice you +# * can do whatever you want with this stuff. If we meet some day, and you think +# * this stuff is worth it, you can buy me a beer in return.   Poul-Henning Kamp + +# This port adds no further stipulations.  I forfeit any copyright interest. + +import md5 + +def md5crypt(password, salt, magic='$1$'): +    # /* The password first, since that is what is most unknown */ /* Then our magic string */ /* Then the raw salt */ +    m = md5.new() +    m.update(password + magic + salt) + +    # /* Then just as many characters of the MD5(pw,salt,pw) */ +    mixin = md5.md5(password + salt + password).digest() +    for i in range(0, len(password)): +        m.update(mixin[i % 16]) + +    # /* Then something really weird... */ +    # Also really broken, as far as I can tell.  -m +    i = len(password) +    while i: +        if i & 1: +            m.update('\x00') +        else: +            m.update(password[0]) +        i >>= 1 + +    final = m.digest() + +    # /* and now, just to make sure things don't run too fast */ +    for i in range(1000): +        m2 = md5.md5() +        if i & 1: +            m2.update(password) +        else: +            m2.update(final) + +        if i % 3: +            m2.update(salt) + +        if i % 7: +            m2.update(password) + +        if i & 1: +            m2.update(final) +        else: +            m2.update(password) + +        final = m2.digest() + +    # This is the bit that uses to64() in the original code. + +    itoa64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz' + +    rearranged = '' +    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)): +        v = ord(final[a]) << 16 | ord(final[b]) << 8 | ord(final[c]) +        for i in range(4): +            rearranged += itoa64[v & 0x3f]; v >>= 6 + +    v = ord(final[11]) +    for i in range(2): +        rearranged += itoa64[v & 0x3f]; v >>= 6 + +    return magic + salt + '$' + rearranged + +if __name__ == '__main__': + +    def test(clear_password, the_hash): +        magic, salt = the_hash[1:].split('$')[:2] +        magic = '$' + magic + '$' +        return md5crypt(clear_password, salt, magic) == the_hash + +    test_cases = ( +        (' ', '$1$yiiZbNIH$YiCsHZjcTkYd31wkgW8JF.'), +        ('pass', '$1$YeNsbWdH$wvOF8JdqsoiLix754LTW90'), +        ('____fifteen____', '$1$s9lUWACI$Kk1jtIVVdmT01p0z3b/hw1'), +        ('____sixteen_____', '$1$dL3xbVZI$kkgqhCanLdxODGq14g/tW1'), +        ('____seventeen____', '$1$NaH5na7J$j7y8Iss0hcRbu3kzoJs5V.'), +        ('__________thirty-three___________', '$1$HO7Q6vzJ$yGwp2wbL5D7eOVzOmxpsy.'), +        ('apache', '$apr1$J.w5a/..$IW9y6DR0oO/ADuhlMF5/X1') +    ) + +    for clearpw, hashpw in test_cases: +        if test(clearpw, hashpw): +            print '%s: pass' % clearpw +        else: +            print '%s: FAIL' % clearpw diff --git a/libmproxy/proxy.py b/libmproxy/proxy.py index 961ee465..b1ce310c 100644 --- a/libmproxy/proxy.py +++ b/libmproxy/proxy.py @@ -18,16 +18,18 @@ import SocketServer  from OpenSSL import SSL  from netlib import odict, tcp, http, wsgi, certutils, http_status  import utils, flow, version, platform, controller +import authentication  class ProxyError(Exception): -    def __init__(self, code, msg): -        self.code, self.msg = code, msg +    def __init__(self, code, msg, headers=None): +        self.code, self.msg, self.headers = code, msg, headers      def __str__(self):          return "ProxyError(%s, %s)"%(self.code, self.msg) +  class Log(controller.Msg):      def __init__(self, msg):          controller.Msg.__init__(self) @@ -36,7 +38,7 @@ class Log(controller.Msg):  class ProxyConfig: -    def __init__(self, certfile = None, cacert = None, clientcerts = None, cert_wait_time=0, no_upstream_cert=False, body_size_limit = None, reverse_proxy=None, transparent_proxy=None, certdir = None): +    def __init__(self, certfile = None, cacert = None, clientcerts = None, cert_wait_time=0, no_upstream_cert=False, body_size_limit = None, reverse_proxy=None, transparent_proxy=None, certdir = None, authenticator=None):          assert not (reverse_proxy and transparent_proxy)          self.certfile = certfile          self.cacert = cacert @@ -47,7 +49,7 @@ class ProxyConfig:          self.body_size_limit = body_size_limit          self.reverse_proxy = reverse_proxy          self.transparent_proxy = transparent_proxy - +        self.authenticator = authenticator  class RequestReplayThread(threading.Thread):      def __init__(self, config, flow, masterq): @@ -217,7 +219,7 @@ class ProxyHandler(tcp.BaseHandler):                  self.log(cc, cc.error)              if isinstance(e, ProxyError): -                self.send_error(e.code, e.msg) +                self.send_error(e.code, e.msg, e.headers)          else:              return True @@ -283,9 +285,7 @@ class ProxyHandler(tcp.BaseHandler):              if not r:                  raise ProxyError(400, "Bad HTTP request line: %s"%repr(line))              method, path, httpversion = r -            headers = http.read_headers(self.rfile) -            if headers is None: -                raise ProxyError(400, "Invalid headers") +            headers = self.read_headers(authenticate=False)              content = http.read_http_body_request(                          self.rfile, self.wfile, headers, httpversion, self.config.body_size_limit                      ) @@ -299,9 +299,7 @@ class ProxyHandler(tcp.BaseHandler):              if not r:                  raise ProxyError(400, "Bad HTTP request line: %s"%repr(line))              method, path, httpversion = r -            headers = http.read_headers(self.rfile) -            if headers is None: -                raise ProxyError(400, "Invalid headers") +            headers = self.read_headers(authenticate=False)              content = http.read_http_body_request(                          self.rfile, self.wfile, headers, httpversion, self.config.body_size_limit                      ) @@ -315,12 +313,9 @@ class ProxyHandler(tcp.BaseHandler):                  if not r:                      raise ProxyError(400, "Bad HTTP request line: %s"%repr(line))                  host, port, httpversion = r -                # FIXME: Discard additional headers sent to the proxy. Should I expose -                # these to users? -                while 1: -                    d = self.rfile.readline() -                    if d == '\r\n' or d == '\n': -                        break + +                headers = self.read_headers(authenticate=True) +                  self.wfile.write(                              'HTTP/1.1 200 Connection established\r\n' +                              ('Proxy-agent: %s\r\n'%self.server_version) + @@ -340,9 +335,8 @@ class ProxyHandler(tcp.BaseHandler):                  if not r:                      raise ProxyError(400, "Bad HTTP request line: %s"%repr(line))                  method, path, httpversion = r -                headers = http.read_headers(self.rfile) -                if headers is None: -                    raise ProxyError(400, "Invalid headers") +                headers = self.read_headers(authenticate=False) +                  content = http.read_http_body_request(                      self.rfile, self.wfile, headers, httpversion, self.config.body_size_limit                  ) @@ -352,14 +346,20 @@ class ProxyHandler(tcp.BaseHandler):                  if not r:                      raise ProxyError(400, "Bad HTTP request line: %s"%repr(line))                  method, scheme, host, port, path, httpversion = http.parse_init_proxy(line) -                headers = http.read_headers(self.rfile) -                if headers is None: -                    raise ProxyError(400, "Invalid headers") +                headers = self.read_headers(authenticate=True)                  content = http.read_http_body_request(                      self.rfile, self.wfile, headers, httpversion, self.config.body_size_limit                  )                  return flow.Request(client_conn, httpversion, host, port, scheme, method, path, headers, content) +    def read_headers(self, authenticate=False): +        headers = http.read_headers(self.rfile) +        if headers is None: +            raise ProxyError(400, "Invalid headers") +        if authenticate and self.config.authenticator and not self.config.authenticator.authenticate(headers.get('Proxy-Authorization', [])): +            raise ProxyError(407, "Proxy Authentication Required", self.config.authenticator.auth_challenge_headers()) +        return headers +      def send_response(self, response):          d = response._assemble()          if not d: @@ -367,16 +367,19 @@ class ProxyHandler(tcp.BaseHandler):          self.wfile.write(d)          self.wfile.flush() -    def send_error(self, code, body): +    def send_error(self, code, body, headers):          try:              response = http_status.RESPONSES.get(code, "Unknown") +            html_content = '<html><head>\n<title>%d %s</title>\n</head>\n<body>\n%s\n</body>\n</html>'%(code, response, body)              self.wfile.write("HTTP/1.1 %s %s\r\n" % (code, response))              self.wfile.write("Server: %s\r\n"%self.server_version) -            self.wfile.write("Connection: close\r\n")              self.wfile.write("Content-type: text/html\r\n") +            self.wfile.write("Content-Length: %d\r\n"%len(html_content)) +            for key, value in headers.items(): +                self.wfile.write("%s: %s\r\n"%(key, value)) +            self.wfile.write("Connection: close\r\n")              self.wfile.write("\r\n") -            self.wfile.write('<html><head>\n<title>%d %s</title>\n</head>\n' -                    '<body>\n%s\n</body>\n</html>' % (code, response, body)) +            self.wfile.write(html_content)              self.wfile.flush()          except:              pass @@ -531,6 +534,25 @@ def process_proxy_options(parser, options):          if not os.path.exists(options.certdir) or not os.path.isdir(options.certdir):              parser.error("Dummy cert directory does not exist or is not a directory: %s"%options.certdir) +    if options.authscheme and (options.authscheme!='none'): +        if not (options.auth_nonanonymous or options.auth_singleuser or options.auth_htpasswd): +            parser.error("Proxy authentication scheme is specified, but no allowed user list is given.") +        if options.auth_singleuser and len(options.auth_singleuser.split(':'))!=2: +            parser.error("Authorized user is not given in correct format username:password") +        if options.auth_nonanonymous: +            password_manager = authentication.PermissivePasswordManager() +        elif options.auth_singleuser: +            username, password = options.auth_singleuser.split(':') +            password_manager = authentication.SingleUserPasswordManager(username, password) +        elif options.auth_htpasswd: +            password_manager = authentication.HtpasswdPasswordManager(options.auth_htpasswd) +        # in the meanwhile, basic auth is the only true authentication scheme we support +        # so just use it +        authenticator = authentication.BasicProxyAuth(password_manager) +    else: +        authenticator = authentication.NullProxyAuth(None) + +      return ProxyConfig(          certfile = options.cert,          cacert = cacert, @@ -540,5 +562,6 @@ def process_proxy_options(parser, options):          no_upstream_cert = options.no_upstream_cert,          reverse_proxy = rp,          transparent_proxy = trans, -        certdir = options.certdir +        certdir = options.certdir, +        authenticator = authenticator      ) | 
