feat: add per-listener SOCKS5 server authentication (RFC 1929)

Per-listener username/password auth via `auth:` config key. When set, clients must negotiate method 0x02 and pass RFC 1929 subnegotiation; no-auth (0x00) is rejected to prevent downgrade. Listeners without `auth` keep current no-auth behavior. Includes auth_failures metric, API integration (/status auth flag, /config auth_users count without exposing passwords), config parsing with YAML int coercion, integration tests (success, failure, method rejection, no-auth unchanged), and documentation updates. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-21 17:03:03 +01:00
parent 76dac61eb6
commit fa3621806d
13 changed files with 505 additions and 13 deletions
--- a/tests/test_config.py
+++ b/tests/test_config.py
@@ -593,6 +593,61 @@ class TestListenerPoolCompat:
        assert lc.pool_hops == 0


+class TestAuthConfig:
+    """Test auth field in listener config."""
+
+    def test_auth_from_yaml(self, tmp_path):
+        cfg_file = tmp_path / "test.yaml"
+        cfg_file.write_text(
+            "listeners:\n"
+            "  - listen: 1080\n"
+            "    auth:\n"
+            "      alice: s3cret\n"
+            "      bob: hunter2\n"
+        )
+        c = load_config(cfg_file)
+        assert c.listeners[0].auth == {"alice": "s3cret", "bob": "hunter2"}
+
+    def test_auth_empty_default(self):
+        lc = ListenerConfig()
+        assert lc.auth == {}
+
+    def test_auth_absent_from_yaml(self, tmp_path):
+        cfg_file = tmp_path / "test.yaml"
+        cfg_file.write_text(
+            "listeners:\n"
+            "  - listen: 1080\n"
+        )
+        c = load_config(cfg_file)
+        assert c.listeners[0].auth == {}
+
+    def test_auth_numeric_password(self, tmp_path):
+        """YAML parses `admin: 12345` as int; must be coerced to str."""
+        cfg_file = tmp_path / "test.yaml"
+        cfg_file.write_text(
+            "listeners:\n"
+            "  - listen: 1080\n"
+            "    auth:\n"
+            "      admin: 12345\n"
+        )
+        c = load_config(cfg_file)
+        assert c.listeners[0].auth == {"admin": "12345"}
+
+    def test_auth_mixed_listeners(self, tmp_path):
+        """One listener with auth, one without."""
+        cfg_file = tmp_path / "test.yaml"
+        cfg_file.write_text(
+            "listeners:\n"
+            "  - listen: 1080\n"
+            "    auth:\n"
+            "      alice: pass\n"
+            "  - listen: 1081\n"
+        )
+        c = load_config(cfg_file)
+        assert c.listeners[0].auth == {"alice": "pass"}
+        assert c.listeners[1].auth == {}
+
+
 class TestBypassConfig:
    """Test bypass rules in listener config."""