mitmproxy/netlib/http/authentication.py

from __future__ import (absolute_import, print_function, division)
from argparse import Action, ArgumentTypeError
import binascii

from .. import http

def parse_http_basic_auth(s):
    words = s.split()
    if len(words) != 2:
        return None
    scheme = words[0]
    try:
        user = binascii.a2b_base64(words[1])
    except binascii.Error:
        return None
    parts = user.split(':')
    if len(parts) != 2:
        return None
    return scheme, parts[0], parts[1]


def assemble_http_basic_auth(scheme, username, password):
    v = binascii.b2a_base64(username + ":" + password)
    return scheme + " " + v


class NullProxyAuth(object):

    """
        No proxy auth at all (returns empty challange headers)
    """

    def __init__(self, password_manager):
        self.password_manager = password_manager

    def clean(self, headers_):
        """
            Clean up authentication headers, so they're not passed upstream.
        """
        pass

    def authenticate(self, headers_):
        """
            Tests that the user is allowed to use the proxy
        """
        return True

    def auth_challenge_headers(self):
        """
            Returns a dictionary containing the headers require to challenge the user
        """
        return {}


class BasicProxyAuth(NullProxyAuth):
    CHALLENGE_HEADER = 'Proxy-Authenticate'
    AUTH_HEADER = 'Proxy-Authorization'

    def __init__(self, password_manager, realm):
        NullProxyAuth.__init__(self, password_manager)
        self.realm = realm

    def clean(self, headers):
        del headers[self.AUTH_HEADER]

    def authenticate(self, headers):
        auth_value = headers.get(self.AUTH_HEADER, [])
        if not auth_value:
            return False
        parts = parse_http_basic_auth(auth_value[0])
        if not parts:
            return False
        scheme, username, password = parts
        if scheme.lower() != 'basic':
            return False
        if not self.password_manager.test(username, password):
            return False
        self.username = username
        return True

    def auth_challenge_headers(self):
        return {self.CHALLENGE_HEADER: 'Basic realm="%s"' % self.realm}


class PassMan(object):

    def test(self, username_, password_token_):
        return False


class PassManNonAnon(PassMan):

    """
        Ensure the user specifies a username, accept any password.
    """

    def test(self, username, password_token_):
        if username:
            return True
        return False


class PassManHtpasswd(PassMan):

    """
        Read usernames and passwords from an htpasswd file
    """

    def __init__(self, path):
        """
            Raises ValueError if htpasswd file is invalid.
        """
        import passlib.apache
        self.htpasswd = passlib.apache.HtpasswdFile(path)

    def test(self, username, password_token):
        return bool(self.htpasswd.check_password(username, password_token))


class PassManSingleUser(PassMan):

    def __init__(self, username, password):
        self.username, self.password = username, password

    def test(self, username, password_token):
        return self.username == username and self.password == password_token


class AuthAction(Action):

    """
    Helper class to allow seamless integration int argparse. Example usage:
    parser.add_argument(
        "--nonanonymous",
        action=NonanonymousAuthAction, nargs=0,
        help="Allow access to any user long as a credentials are specified."
    )
    """

    def __call__(self, parser, namespace, values, option_string=None):
        passman = self.getPasswordManager(values)
        authenticator = BasicProxyAuth(passman, "mitmproxy")
        setattr(namespace, self.dest, authenticator)

    def getPasswordManager(self, s):  # pragma: nocover
        raise NotImplementedError()


class SingleuserAuthAction(AuthAction):

    def getPasswordManager(self, s):
        if len(s.split(':')) != 2:
            raise ArgumentTypeError(
                "Invalid single-user specification. Please use the format username:password"
            )
        username, password = s.split(':')
        return PassManSingleUser(username, password)


class NonanonymousAuthAction(AuthAction):

    def getPasswordManager(self, s):
        return PassManNonAnon()


class HtpasswdAuthAction(AuthAction):

    def getPasswordManager(self, s):
        return PassManHtpasswd(s)
minor cleanups 2014-08-16 13:53:07 +00:00			`from __future__ import (absolute_import, print_function, division)`
add custom argparse actions to seamlessly integrate ProxyAuth classes 2013-11-21 00:07:56 +00:00			`from argparse import Action, ArgumentTypeError`
extract authentication methods from protocol 2015-07-15 20:32:14 +00:00			`import binascii`
move bits around 2015-07-14 21:02:14 +00:00
			`from .. import http`
Integrate HTTP auth, test to 100% 2013-03-02 21:37:28 +00:00
extract authentication methods from protocol 2015-07-15 20:32:14 +00:00			`def parse_http_basic_auth(s):`
			`words = s.split()`
			`if len(words) != 2:`
			`return None`
			`scheme = words[0]`
			`try:`
			`user = binascii.a2b_base64(words[1])`
			`except binascii.Error:`
			`return None`
			`parts = user.split(':')`
			`if len(parts) != 2:`
			`return None`
			`return scheme, parts[0], parts[1]`


			`def assemble_http_basic_auth(scheme, username, password):`
			`v = binascii.b2a_base64(username + ":" + password)`
			`return scheme + " " + v`

Integrate HTTP auth, test to 100% 2013-03-02 21:37:28 +00:00
fix code smell 2015-04-09 00:09:33 +00:00			`class NullProxyAuth(object):`
cleanup code with autopep8 run the following command: $ autopep8 -i -r -a -a . 2015-05-27 09:18:54 +00:00
Integrate HTTP auth, test to 100% 2013-03-02 21:37:28 +00:00			`"""`
			`No proxy auth at all (returns empty challange headers)`
			`"""`
cleanup code with autopep8 run the following command: $ autopep8 -i -r -a -a . 2015-05-27 09:18:54 +00:00
Integrate HTTP auth, test to 100% 2013-03-02 21:37:28 +00:00			`def __init__(self, password_manager):`
			`self.password_manager = password_manager`

mark unused variables and arguments 2015-06-18 13:32:52 +00:00			`def clean(self, headers_):`
Integrate HTTP auth, test to 100% 2013-03-02 21:37:28 +00:00			`"""`
			`Clean up authentication headers, so they're not passed upstream.`
			`"""`
mark unused variables and arguments 2015-06-18 13:32:52 +00:00			`pass`
Integrate HTTP auth, test to 100% 2013-03-02 21:37:28 +00:00
mark unused variables and arguments 2015-06-18 13:32:52 +00:00			`def authenticate(self, headers_):`
Integrate HTTP auth, test to 100% 2013-03-02 21:37:28 +00:00			`"""`
			`Tests that the user is allowed to use the proxy`
			`"""`
			`return True`

			`def auth_challenge_headers(self):`
			`"""`
			`Returns a dictionary containing the headers require to challenge the user`
			`"""`
			`return {}`


			`class BasicProxyAuth(NullProxyAuth):`
			`CHALLENGE_HEADER = 'Proxy-Authenticate'`
			`AUTH_HEADER = 'Proxy-Authorization'`
make AuthAction generic 2013-12-08 00:37:45 +00:00
Integrate HTTP auth, test to 100% 2013-03-02 21:37:28 +00:00			`def __init__(self, password_manager, realm):`
			`NullProxyAuth.__init__(self, password_manager)`
			`self.realm = realm`

			`def clean(self, headers):`
			`del headers[self.AUTH_HEADER]`

			`def authenticate(self, headers):`
			`auth_value = headers.get(self.AUTH_HEADER, [])`
			`if not auth_value:`
			`return False`
extract authentication methods from protocol 2015-07-15 20:32:14 +00:00			`parts = parse_http_basic_auth(auth_value[0])`
Integrate HTTP auth, test to 100% 2013-03-02 21:37:28 +00:00			`if not parts:`
			`return False`
			`scheme, username, password = parts`
cleanup code with autopep8 run the following command: $ autopep8 -i -r -a -a . 2015-05-27 09:18:54 +00:00			`if scheme.lower() != 'basic':`
Integrate HTTP auth, test to 100% 2013-03-02 21:37:28 +00:00			`return False`
			`if not self.password_manager.test(username, password):`
			`return False`
			`self.username = username`
			`return True`

			`def auth_challenge_headers(self):`
cleanup code with autopep8 run the following command: $ autopep8 -i -r -a -a . 2015-05-27 09:18:54 +00:00			`return {self.CHALLENGE_HEADER: 'Basic realm="%s"' % self.realm}`
Integrate HTTP auth, test to 100% 2013-03-02 21:37:28 +00:00

fix code smell 2015-04-09 00:09:33 +00:00			`class PassMan(object):`
cleanup code with autopep8 run the following command: $ autopep8 -i -r -a -a . 2015-05-27 09:18:54 +00:00
mark unused variables and arguments 2015-06-18 13:32:52 +00:00			`def test(self, username_, password_token_):`
Integrate HTTP auth, test to 100% 2013-03-02 21:37:28 +00:00			`return False`


fix code smell 2015-04-09 00:09:33 +00:00			`class PassManNonAnon(PassMan):`
cleanup code with autopep8 run the following command: $ autopep8 -i -r -a -a . 2015-05-27 09:18:54 +00:00
Integrate HTTP auth, test to 100% 2013-03-02 21:37:28 +00:00			`"""`
			`Ensure the user specifies a username, accept any password.`
			`"""`
cleanup code with autopep8 run the following command: $ autopep8 -i -r -a -a . 2015-05-27 09:18:54 +00:00
mark unused variables and arguments 2015-06-18 13:32:52 +00:00			`def test(self, username, password_token_):`
Integrate HTTP auth, test to 100% 2013-03-02 21:37:28 +00:00			`if username:`
			`return True`
			`return False`


fix code smell 2015-04-09 00:09:33 +00:00			`class PassManHtpasswd(PassMan):`
cleanup code with autopep8 run the following command: $ autopep8 -i -r -a -a . 2015-05-27 09:18:54 +00:00
Integrate HTTP auth, test to 100% 2013-03-02 21:37:28 +00:00			`"""`
			`Read usernames and passwords from an htpasswd file`
			`"""`
cleanup code with autopep8 run the following command: $ autopep8 -i -r -a -a . 2015-05-27 09:18:54 +00:00
use passlib instead of md5crypt 2014-08-16 13:28:09 +00:00			`def __init__(self, path):`
Integrate HTTP auth, test to 100% 2013-03-02 21:37:28 +00:00			`"""`
			`Raises ValueError if htpasswd file is invalid.`
			`"""`
Simplify expected_http_body_size signature, fixing a traceback found in fuzzing 2014-11-07 02:59:00 +00:00			`import passlib.apache`
			`self.htpasswd = passlib.apache.HtpasswdFile(path)`
100% test coverage. 2013-03-02 23:16:09 +00:00
Integrate HTTP auth, test to 100% 2013-03-02 21:37:28 +00:00			`def test(self, username, password_token):`
use passlib instead of md5crypt 2014-08-16 13:28:09 +00:00			`return bool(self.htpasswd.check_password(username, password_token))`
Integrate HTTP auth, test to 100% 2013-03-02 21:37:28 +00:00

fix code smell 2015-04-09 00:09:33 +00:00			`class PassManSingleUser(PassMan):`
cleanup code with autopep8 run the following command: $ autopep8 -i -r -a -a . 2015-05-27 09:18:54 +00:00
Integrate HTTP auth, test to 100% 2013-03-02 21:37:28 +00:00			`def __init__(self, username, password):`
			`self.username, self.password = username, password`

			`def test(self, username, password_token):`
cleanup code with autopep8 run the following command: $ autopep8 -i -r -a -a . 2015-05-27 09:18:54 +00:00			`return self.username == username and self.password == password_token`
add custom argparse actions to seamlessly integrate ProxyAuth classes 2013-11-21 00:07:56 +00:00

			`class AuthAction(Action):`
cleanup code with autopep8 run the following command: $ autopep8 -i -r -a -a . 2015-05-27 09:18:54 +00:00
add custom argparse actions to seamlessly integrate ProxyAuth classes 2013-11-21 00:07:56 +00:00			`"""`
			`Helper class to allow seamless integration int argparse. Example usage:`
			`parser.add_argument(`
			`"--nonanonymous",`
			`action=NonanonymousAuthAction, nargs=0,`
			`help="Allow access to any user long as a credentials are specified."`
			`)`
			`"""`
cleanup code with autopep8 run the following command: $ autopep8 -i -r -a -a . 2015-05-27 09:18:54 +00:00
add custom argparse actions to seamlessly integrate ProxyAuth classes 2013-11-21 00:07:56 +00:00			`def __call__(self, parser, namespace, values, option_string=None):`
			`passman = self.getPasswordManager(values)`
make AuthAction generic 2013-12-08 00:37:45 +00:00			`authenticator = BasicProxyAuth(passman, "mitmproxy")`
			`setattr(namespace, self.dest, authenticator)`
add custom argparse actions to seamlessly integrate ProxyAuth classes 2013-11-21 00:07:56 +00:00
cleanup code with autopep8 run the following command: $ autopep8 -i -r -a -a . 2015-05-27 09:18:54 +00:00			`def getPasswordManager(self, s): # pragma: nocover`
add custom argparse actions to seamlessly integrate ProxyAuth classes 2013-11-21 00:07:56 +00:00			`raise NotImplementedError()`


			`class SingleuserAuthAction(AuthAction):`
cleanup code with autopep8 run the following command: $ autopep8 -i -r -a -a . 2015-05-27 09:18:54 +00:00
add custom argparse actions to seamlessly integrate ProxyAuth classes 2013-11-21 00:07:56 +00:00			`def getPasswordManager(self, s):`
			`if len(s.split(':')) != 2:`
Unit test auth actions. 2013-12-08 00:35:42 +00:00			`raise ArgumentTypeError(`
			`"Invalid single-user specification. Please use the format username:password"`
			`)`
add custom argparse actions to seamlessly integrate ProxyAuth classes 2013-11-21 00:07:56 +00:00			`username, password = s.split(':')`
			`return PassManSingleUser(username, password)`


			`class NonanonymousAuthAction(AuthAction):`
cleanup code with autopep8 run the following command: $ autopep8 -i -r -a -a . 2015-05-27 09:18:54 +00:00
add custom argparse actions to seamlessly integrate ProxyAuth classes 2013-11-21 00:07:56 +00:00			`def getPasswordManager(self, s):`
			`return PassManNonAnon()`


			`class HtpasswdAuthAction(AuthAction):`
cleanup code with autopep8 run the following command: $ autopep8 -i -r -a -a . 2015-05-27 09:18:54 +00:00
add custom argparse actions to seamlessly integrate ProxyAuth classes 2013-11-21 00:07:56 +00:00			`def getPasswordManager(self, s):`
use passlib instead of md5crypt 2014-08-16 13:28:09 +00:00			`return PassManHtpasswd(s)`