mitmproxy/examples/contrib/tls_passthrough.py

# FIXME: This addon is currently not compatible with mitmproxy 7 and above.

"""
This inline script allows conditional TLS Interception based
on a user-defined strategy.

Example:

    > mitmdump -s tls_passthrough.py

    1. curl --proxy http://localhost:8080 https://example.com --insecure
    // works - we'll also see the contents in mitmproxy

    2. curl --proxy http://localhost:8080 https://example.com --insecure
    // still works - we'll also see the contents in mitmproxy

    3. curl --proxy http://localhost:8080 https://example.com
    // fails with a certificate error, which we will also see in mitmproxy

    4. curl --proxy http://localhost:8080 https://example.com
    // works again, but mitmproxy does not intercept and we do *not* see the contents

Authors: Maximilian Hils, Matthew Tuusberg
"""
import collections
import random

from enum import Enum

import mitmproxy
from mitmproxy import ctx
from mitmproxy.exceptions import TlsProtocolException
from mitmproxy.proxy.protocol import TlsLayer, RawTCPLayer


class InterceptionResult(Enum):
    success = True
    failure = False
    skipped = None


class _TlsStrategy:
    """
    Abstract base class for interception strategies.
    """

    def __init__(self):
        # A server_address -> interception results mapping
        self.history = collections.defaultdict(lambda: collections.deque(maxlen=200))

    def should_intercept(self, server_address):
        """
        Returns:
            True, if we should attempt to intercept the connection.
            False, if we want to employ pass-through instead.
        """
        raise NotImplementedError()

    def record_success(self, server_address):
        self.history[server_address].append(InterceptionResult.success)

    def record_failure(self, server_address):
        self.history[server_address].append(InterceptionResult.failure)

    def record_skipped(self, server_address):
        self.history[server_address].append(InterceptionResult.skipped)


class ConservativeStrategy(_TlsStrategy):
    """
    Conservative Interception Strategy - only intercept if there haven't been any failed attempts
    in the history.
    """

    def should_intercept(self, server_address):
        if InterceptionResult.failure in self.history[server_address]:
            return False
        return True


class ProbabilisticStrategy(_TlsStrategy):
    """
    Fixed probability that we intercept a given connection.
    """

    def __init__(self, p):
        self.p = p
        super().__init__()

    def should_intercept(self, server_address):
        return random.uniform(0, 1) < self.p


class TlsFeedback(TlsLayer):
    """
    Monkey-patch _establish_tls_with_client to get feedback if TLS could be established
    successfully on the client connection (which may fail due to cert pinning).
    """

    def _establish_tls_with_client(self):
        server_address = self.server_conn.address

        try:
            super()._establish_tls_with_client()
        except TlsProtocolException as e:
            tls_strategy.record_failure(server_address)
            raise e
        else:
            tls_strategy.record_success(server_address)


# inline script hooks below.

tls_strategy = None


def load(l):
    l.add_option(
        "tlsstrat", int, 0, "TLS passthrough strategy (0-100)",
    )


def configure(updated):
    global tls_strategy
    if ctx.options.tlsstrat > 0:
        tls_strategy = ProbabilisticStrategy(float(ctx.options.tlsstrat) / 100.0)
    else:
        tls_strategy = ConservativeStrategy()


def next_layer(next_layer):
    """
    This hook does the actual magic - if the next layer is planned to be a TLS layer,
    we check if we want to enter pass-through mode instead.
    """
    if isinstance(next_layer, TlsLayer) and next_layer._client_tls:
        server_address = next_layer.server_conn.address

        if tls_strategy.should_intercept(server_address):
            # We try to intercept.
            # Monkey-Patch the layer to get feedback from the TLSLayer if interception worked.
            next_layer.__class__ = TlsFeedback
        else:
            # We don't intercept - reply with a pass-through layer and add a "skipped" entry.
            mitmproxy.ctx.log("TLS passthrough for %s" % repr(next_layer.server_conn.address), "info")
            next_layer_replacement = RawTCPLayer(next_layer.ctx, ignore=True)
            next_layer.reply.send(next_layer_replacement)
            tls_strategy.record_skipped(server_address)
Update tls_passthrough.py 2021-06-18 06:49:48 +00:00			`# FIXME: This addon is currently not compatible with mitmproxy 7 and above.`

add inline script for conditional tls passthrough fix #646 2015-09-08 19:35:15 +00:00			`"""`
			`This inline script allows conditional TLS Interception based`
			`on a user-defined strategy.`

			`Example:`

			`> mitmdump -s tls_passthrough.py`

			`1. curl --proxy http://localhost:8080 https://example.com --insecure`
			`// works - we'll also see the contents in mitmproxy`

			`2. curl --proxy http://localhost:8080 https://example.com --insecure`
			`// still works - we'll also see the contents in mitmproxy`

			`3. curl --proxy http://localhost:8080 https://example.com`
			`// fails with a certificate error, which we will also see in mitmproxy`

			`4. curl --proxy http://localhost:8080 https://example.com`
			`// works again, but mitmproxy does not intercept and we do not see the contents`

			`Authors: Maximilian Hils, Matthew Tuusberg`
			`"""`
			`import collections`
			`import random`

			`from enum import Enum`

remove context from all scripts 2016-07-08 01:37:33 +00:00			`import mitmproxy`
Addons and addon testing - Fix some loading sequence bugs affecting command-line script invocation - Allow addons to over-ride existing options (with a warning). We need this for reloading. - Convert har_dump to new-style arguments, fix and re-instate its test suite. - Covnert miscelaneous other exmples to new-style args. 2017-04-25 23:45:15 +00:00			`from mitmproxy import ctx`
fix all libmproxy->mitmproxy references 2016-02-16 19:49:10 +00:00			`from mitmproxy.exceptions import TlsProtocolException`
mitmproxy.protocol -> mitmproxy.proxy.protocol The protocols here are compltely proxy-specific, are only used from within the proxy module, and are not exposed to users. 2016-10-19 10:11:56 +00:00			`from mitmproxy.proxy.protocol import TlsLayer, RawTCPLayer`
add inline script for conditional tls passthrough fix #646 2015-09-08 19:35:15 +00:00

			`class InterceptionResult(Enum):`
			`success = True`
			`failure = False`
			`skipped = None`


python3: clean up class brackets 2016-10-17 04:29:45 +00:00			`class _TlsStrategy:`
add inline script for conditional tls passthrough fix #646 2015-09-08 19:35:15 +00:00			`"""`
			`Abstract base class for interception strategies.`
			`"""`
format examples 2016-05-29 08:23:39 +00:00
add inline script for conditional tls passthrough fix #646 2015-09-08 19:35:15 +00:00			`def __init__(self):`
			`# A server_address -> interception results mapping`
			`self.history = collections.defaultdict(lambda: collections.deque(maxlen=200))`

			`def should_intercept(self, server_address):`
			`"""`
			`Returns:`
			`True, if we should attempt to intercept the connection.`
			`False, if we want to employ pass-through instead.`
			`"""`
			`raise NotImplementedError()`

			`def record_success(self, server_address):`
			`self.history[server_address].append(InterceptionResult.success)`

			`def record_failure(self, server_address):`
			`self.history[server_address].append(InterceptionResult.failure)`

			`def record_skipped(self, server_address):`
			`self.history[server_address].append(InterceptionResult.skipped)`


			`class ConservativeStrategy(_TlsStrategy):`
			`"""`
			`Conservative Interception Strategy - only intercept if there haven't been any failed attempts`
			`in the history.`
			`"""`

			`def should_intercept(self, server_address):`
			`if InterceptionResult.failure in self.history[server_address]:`
			`return False`
			`return True`


			`class ProbabilisticStrategy(_TlsStrategy):`
			`"""`
			`Fixed probability that we intercept a given connection.`
			`"""`
format examples 2016-05-29 08:23:39 +00:00
add inline script for conditional tls passthrough fix #646 2015-09-08 19:35:15 +00:00			`def __init__(self, p):`
			`self.p = p`
pyupgrade --py36-plus mitmproxy/*/.py 2020-11-20 18:25:26 +00:00			`super().__init__()`
add inline script for conditional tls passthrough fix #646 2015-09-08 19:35:15 +00:00
			`def should_intercept(self, server_address):`
			`return random.uniform(0, 1) < self.p`


			`class TlsFeedback(TlsLayer):`
			`"""`
			`Monkey-patch _establish_tls_with_client to get feedback if TLS could be established`
			`successfully on the client connection (which may fail due to cert pinning).`
			`"""`

			`def _establish_tls_with_client(self):`
			`server_address = self.server_conn.address`

			`try:`
pyupgrade --py36-plus mitmproxy/*/.py 2020-11-20 18:25:26 +00:00			`super()._establish_tls_with_client()`
use new netlib exceptions 2015-09-17 00:13:28 +00:00			`except TlsProtocolException as e:`
add inline script for conditional tls passthrough fix #646 2015-09-08 19:35:15 +00:00			`tls_strategy.record_failure(server_address)`
			`raise e`
			`else:`
			`tls_strategy.record_success(server_address)`


			`# inline script hooks below.`

remove context from all scripts 2016-07-08 01:37:33 +00:00			`tls_strategy = None`
add inline script for conditional tls passthrough fix #646 2015-09-08 19:35:15 +00:00
remove context from all scripts 2016-07-08 01:37:33 +00:00
addon loader: add boot_into, which replaces returning from start() While we're here, expand test coverage for addonmanager to 100%, and promote to individual coverage. 2017-03-23 22:29:36 +00:00			`def load(l):`
Addons and addon testing - Fix some loading sequence bugs affecting command-line script invocation - Allow addons to over-ride existing options (with a warning). We need this for reloading. - Convert har_dump to new-style arguments, fix and re-instate its test suite. - Covnert miscelaneous other exmples to new-style args. 2017-04-25 23:45:15 +00:00			`l.add_option(`
			`"tlsstrat", int, 0, "TLS passthrough strategy (0-100)",`
			`)`


			`def configure(updated):`
remove context from all scripts 2016-07-08 01:37:33 +00:00			`global tls_strategy`
Addons and addon testing - Fix some loading sequence bugs affecting command-line script invocation - Allow addons to over-ride existing options (with a warning). We need this for reloading. - Convert har_dump to new-style arguments, fix and re-instate its test suite. - Covnert miscelaneous other exmples to new-style args. 2017-04-25 23:45:15 +00:00			`if ctx.options.tlsstrat > 0:`
			`tls_strategy = ProbabilisticStrategy(float(ctx.options.tlsstrat) / 100.0)`
add inline script for conditional tls passthrough fix #646 2015-09-08 19:35:15 +00:00			`else:`
remove context from all scripts 2016-07-08 01:37:33 +00:00			`tls_strategy = ConservativeStrategy()`
add inline script for conditional tls passthrough fix #646 2015-09-08 19:35:15 +00:00

remove context from all scripts 2016-07-08 01:37:33 +00:00			`def next_layer(next_layer):`
add inline script for conditional tls passthrough fix #646 2015-09-08 19:35:15 +00:00			`"""`
			`This hook does the actual magic - if the next layer is planned to be a TLS layer,`
			`we check if we want to enter pass-through mode instead.`
			`"""`
			`if isinstance(next_layer, TlsLayer) and next_layer._client_tls:`
			`server_address = next_layer.server_conn.address`

remove context from all scripts 2016-07-08 01:37:33 +00:00			`if tls_strategy.should_intercept(server_address):`
add inline script for conditional tls passthrough fix #646 2015-09-08 19:35:15 +00:00			`# We try to intercept.`
			`# Monkey-Patch the layer to get feedback from the TLSLayer if interception worked.`
			`next_layer.__class__ = TlsFeedback`
			`else:`
			`# We don't intercept - reply with a pass-through layer and add a "skipped" entry.`
move script context to mitmproxy.ctx 2016-07-09 02:57:57 +00:00			`mitmproxy.ctx.log("TLS passthrough for %s" % repr(next_layer.server_conn.address), "info")`
remove context from all scripts 2016-07-08 01:37:33 +00:00			`next_layer_replacement = RawTCPLayer(next_layer.ctx, ignore=True)`
A new interface for reply Reply is now explicit - it's no longer a callable itself. Instead, we have: reply.kill() - kill the flow reply.ack() - ack, but don't send anything reply.send(message) - send a response This is part of an incremental move to detach reply from our flow objects, and unify the script and handler interfaces. 2016-06-07 22:44:20 +00:00			`next_layer.reply.send(next_layer_replacement)`
remove context from all scripts 2016-07-08 01:37:33 +00:00			`tls_strategy.record_skipped(server_address)`