aboutsummaryrefslogtreecommitdiff
# SPDX-License-Identifier: BSD-3-Clause

"""
The core for a "virtual network" proxy.
"""

# This file is part of Haketilo.
#
# Copyright (c) 2015, inaz2
# Copyright (C) 2021 jahoti <jahoti@tilde.team>
# Copyright (C) 2021 Wojtek Kosior <koszko@koszko.org>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this
#   list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
#   this list of conditions and the following disclaimer in the documentation
#   and/or other materials provided with the distribution.
#
# * Neither the name of proxy2 nor the names of its contributors may be used to
#   endorse or promote products derived from this software without specific
#   prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
# I, Wojtek Kosior, thereby promise not to sue for violation of this file's
# license. Although I request that you do not make use this code in a way
# incompliant with the license, I am not going to enforce this in court.

from pathlib import Path
import socket, ssl, subprocess, sys, threading
from http.server import HTTPServer, BaseHTTPRequestHandler
from socketserver import ThreadingMixIn

lock = threading.Lock()

class ProxyRequestHandler(BaseHTTPRequestHandler):
    """
    Handles a network request made to the proxy. Configures SSL encryption when
    needed.
    """
    def __init__(self, *args, **kwargs):
        """
        Initialize self. Uses the same arguments as
        http.server.BaseHTTPRequestHandler's constructor but also expect a
        `certdir` keyword argument with appropriate path.
        """
        self.certdir = Path(kwargs.pop('certdir')).resolve()
        super().__init__(*args, **kwargs)

    def log_error(self, *args, **kwargs):
        """
        Like log_error in http.server.BaseHTTPRequestHandler but suppresses
        "Request timed out: timeout('timed out',)".
        """
        if not isinstance(args[0], socket.timeout):
            super().log_error(*args, **kwargs)

    def get_cert(self, hostname):
        """
        If needed, generate a signed x509 certificate for `hostname`. Return
        paths to certificate's key file and to certificate itself in a tuple.
        """
        root_keyfile  = self.certdir / 'rootCA.key'
        root_certfile = self.certdir / 'rootCA.pem'
        keyfile       = self.certdir / 'site.key'
        certfile      = self.certdir / f'{hostname}.crt'

        with lock:
            requestfile = self.certdir / f'{hostname}.csr'
            if not certfile.exists():
                subprocess.run([
                    'openssl', 'req', '-new', '-key', str(keyfile),
                    '-subj', f'/CN={hostname}', '-out', str(requestfile)
                ], check=True)
                subprocess.run([
                    'openssl', 'x509', '-req', '-in', str(requestfile),
                    '-CA', str(root_certfile), '-CAkey', str(root_keyfile),
                    '-CAcreateserial', '-out', str(certfile), '-days', '1024'
                ], check=True)

        return keyfile, certfile

    def do_CONNECT(self):
        """Wrap the connection with SSL using on-demand signed certificate."""
        hostname = self.path.split(':')[0]
        sslargs = {'server_side': True}
        sslargs['keyfile'], sslargs['certfile'] = self.get_cert(hostname)

        self.send_response(200)
        self.end_headers()

        self.connection = ssl.wrap_socket(self.connection, **sslargs)
        self.rfile = self.connection.makefile('rb', self.rbufsize)
        self.wfile = self.connection.makefile('wb', self.wbufsize)

        connection_header = self.headers.get('Proxy-Connection', '').lower()
        self.close_connection = int(connection_header == 'close')

    def do_GET(self):
        content_length = int(self.headers.get('Content-Length', 0))
        req_body = self.rfile.read(content_length) if content_length else None

        if self.path[0] == '/':
            secure = 's' if isinstance(self.connection, ssl.SSLSocket) else ''
            self.path = f'http{secure}://{self.headers["Host"]}{self.path}'

        self.handle_request(req_body)

    do_OPTIONS = do_DELETE = do_PUT = do_HEAD = do_POST = do_GET

    def handle_request(self, req_body):
        """Default handler that does nothing. Please override."""
        pass


class ThreadingHTTPServer(ThreadingMixIn, HTTPServer):
    """The actual proxy server"""
    address_family, daemon_threads = socket.AF_INET6, True

    def handle_error(self, request, client_address):
        """
        Like handle_error in http.server.HTTPServer but suppresses socket/ssl
        related errors.
        """
        cls, e = sys.exc_info()[:2]
        if not (cls is socket.error or cls is ssl.SSLError):
            return super().handle_error(request, client_address)