-
-
Notifications
You must be signed in to change notification settings - Fork 8
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
4 changed files
with
191 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,98 @@ | ||
|
|
||
| #include <proxy/filters/access_filter.hpp> | ||
| #include <service/http/webhooks.hpp> | ||
|
|
||
| void AccessFilter::update(socle::side_t side, buffer const& buf) { | ||
|
|
||
| // update entropy statistics | ||
| if(side == side_t::LEFT and not already_applied) { | ||
| _deb("AccessFilter[%c]: requesting webhook while received first %d bytes", socle::from_side(side), buf.size()); | ||
|
|
||
| nlohmann::json pay = { { "session", connection_label }, | ||
| { "policy", parent()->matched_policy() }, | ||
| { "require", "origin-info" } }; | ||
|
|
||
|
|
||
| auto process_reply = [&](auto code, auto response_data) { | ||
| if(code >= 200 and code < 300) { | ||
| auto json_obj = nlohmann::json::parse(response_data, nullptr, false); | ||
| if(json_obj.is_discarded()) { | ||
| _err("AccessFilter: received data are not JSON"); | ||
| return; | ||
| } | ||
|
|
||
| bool has_response = json_obj.contains("access-response"); | ||
|
|
||
| if(has_response and json_obj["access-response"] == "accept") { | ||
| _dia("AccessFilter: received 'accept' response"); | ||
| access_allowed = true; | ||
| } | ||
| else if(has_response and json_obj["access-response"] == "reject") { | ||
| _dia("AccessFilter: received 'reject' response"); | ||
| } | ||
| else { | ||
| _dia("AccessFilter: received unsupported response"); | ||
| } | ||
| } | ||
| else { | ||
| _err("AccessFilter: fail-open - requiring 2xx code and json response with result"); | ||
| } | ||
| }; | ||
|
|
||
|
|
||
| sx::http::webhooks::send_action_wait("access-request", connection_label, pay, | ||
| [&](sx::http::AsyncRequest::expected_reply const& reply){ | ||
|
|
||
| if(reply.has_value()) { | ||
| _dia("AccessFilter: received response"); | ||
|
|
||
| auto code = reply.value().first; | ||
| auto response_data = reply.value().second; | ||
|
|
||
| process_reply(code, response_data); | ||
| } | ||
| else { | ||
| _dia("AccessFilter: response NOT received"); | ||
| } | ||
| }); | ||
|
|
||
| // we are already called, so this won't trigger additional queries | ||
| already_applied = true; | ||
| } | ||
| } | ||
|
|
||
| void AccessFilter::proxy(baseHostCX *from, baseHostCX *to, socle::side_t side, bool redirected) { | ||
| update(side, from->to_read()); | ||
| } | ||
|
|
||
|
|
||
| bool AccessFilter::update_states() { | ||
| return true; | ||
| } | ||
|
|
||
| std::string AccessFilter::to_string(int verbosity) const { | ||
| std::stringstream ss; | ||
| ss << "\r\n === Access-Filter: ==="; | ||
|
|
||
| auto connection_str = connection_label; | ||
|
|
||
| ss << "\r\n " << connection_str; | ||
|
|
||
| ss << "\r\n === Access-Filter: ==="; | ||
| return ss.str(); | ||
| } | ||
|
|
||
| nlohmann::json AccessFilter::to_json(int verbosity) const { | ||
|
|
||
| auto json_all = nlohmann::json(); | ||
|
|
||
| json_all["info"] = { {"session", connection_label}, { "access_response", access_allowed } }; | ||
|
|
||
| return json_all; | ||
| } | ||
|
|
||
| AccessFilter::~AccessFilter() { | ||
| // there used to be useful code here | ||
| } | ||
|
|
||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,75 @@ | ||
| /* | ||
| Smithproxy- transparent proxy with SSL inspection capabilities. | ||
| Copyright (c) 2014, Ales Stibal <[email protected]>, All rights reserved. | ||
| Smithproxy is free software: you can redistribute it and/or modify | ||
| it under the terms of the GNU General Public License as published by | ||
| the Free Software Foundation, either version 3 of the License, or | ||
| (at your option) any later version. | ||
| Smithproxy is distributed in the hope that it will be useful, | ||
| but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
| GNU General Public License for more details. | ||
| You should have received a copy of the GNU General Public License | ||
| along with Smithproxy. If not, see <http://www.gnu.org/licenses/>. | ||
| Linking Smithproxy statically or dynamically with other modules is | ||
| making a combined work based on Smithproxy. Thus, the terms and | ||
| conditions of the GNU General Public License cover the whole combination. | ||
| In addition, as a special exception, the copyright holders of Smithproxy | ||
| give you permission to combine Smithproxy with free software programs | ||
| or libraries that are released under the GNU LGPL and with code | ||
| included in the standard release of OpenSSL under the OpenSSL's license | ||
| (or modified versions of such code, with unchanged license). | ||
| You may copy and distribute such a system following the terms | ||
| of the GNU GPL for Smithproxy and the licenses of the other code | ||
| concerned, provided that you include the source code of that other code | ||
| when and as the GNU GPL requires distribution of source code. | ||
| Note that people who make modified versions of Smithproxy are not | ||
| obligated to grant this special exception for their modified versions; | ||
| it is their choice whether to do so. The GNU General Public License | ||
| gives permission to release a modified version without this exception; | ||
| this exception also makes it possible to release a modified version | ||
| which carries forward this exception. | ||
| */ | ||
|
|
||
| #ifndef ACCESSFILTER_HPP | ||
| #define ACCESSFILTER_HPP | ||
|
|
||
| #include <proxy/filters/filterproxy.hpp> | ||
|
|
||
| #include <nlohmann/json.hpp> | ||
|
|
||
| class AccessFilter : public FilterProxy { | ||
|
|
||
| public: | ||
|
|
||
| std::string connection_label; | ||
|
|
||
| AccessFilter() = delete; | ||
| explicit AccessFilter(MitmProxy* parent) : FilterProxy(parent) { | ||
| if(parent) | ||
| connection_label = parent->to_connection_label(false); | ||
| } | ||
| ~AccessFilter() override; | ||
|
|
||
| bool update_states() override; | ||
| std::string to_string(int verbosity) const override; | ||
| nlohmann::json to_json(int verbosity) const override; | ||
|
|
||
| void proxy(baseHostCX *from, baseHostCX *to, socle::side_t side, bool redirected) override; | ||
| void update(socle::side_t side, buffer const& buf); | ||
|
|
||
| private: | ||
| bool access_allowed = false; | ||
| bool already_applied = false; | ||
|
|
||
| static inline logan_lite log {"proxy.accessfilter"}; | ||
| }; | ||
|
|
||
|
|
||
| #endif //ACCESSFILTER_HPP |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters