Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Add tests of GlobalProtect auth with gateway selection and challenge-…
…based 2FA

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
  • Loading branch information
dlenski committed May 3, 2021
1 parent 72c51de commit cbb75f7
Show file tree
Hide file tree
Showing 2 changed files with 52 additions and 10 deletions.
44 changes: 35 additions & 9 deletions tests/fake-gp-server.py
Expand Up @@ -60,16 +60,22 @@ def wrapped(*args, **kwargs):
########################################


# TODO: need a way to get parameters into the initial session setup (just as
# fake-{f5,fortinet,juniper}-server.py do), in order to configure gateways,
# 2FA requirement, etc.
# Get parameters into the initial session setup in order to configure gateways, 2FA requirement
@app.route('/global-protect/testconfig.esp', methods=('GET','POST',))
@app.route('/ssl-vpn/testconfig.esp', methods=('GET','POST',))
def testconfig():
gateways, portal_2fa, gw_2fa = request.args.get('gateways'), request.args.get('portal_2fa'), request.args.get('gw_2fa')
session.update(gateways=gateways and gateways.split(','),
portal_2fa=portal_2fa and bool(portal_2fa), gw_2fa=gw_2fa and bool(gw_2fa))
prelogin = '/'.join(request.path.split('/')[:-1] + ['prelogin.esp'])
return redirect(prelogin)


# Respond to initial prelogin requests
@app.route('/global-protect/prelogin.esp', methods=('GET','POST',))
@app.route('/ssl-vpn/prelogin.esp', methods=('GET','POST',))
def prelogin():
session.update(step='prelogin')
session.update(step='%s-prelogin' % ('portal' if 'global-protect' in request.path else 'gateway'))
return '''
<prelogin-response>
<status>Success</status>
Expand All @@ -85,13 +91,30 @@ def prelogin():
</prelogin-response>'''.format(request.path)


def challenge_2fa(where):
# select a random inputStr of 4 hex digits, and randomly return challenge in either XML or Javascript-y form
inputStr = '%04x' % randint(0x1000, 0xffff)
session.update(step='%s-2FA' % where, inputStr=inputStr)
if randint(1, 2) == 1:
tmpl = '<challenge><respmsg>2FA challenge from %s</respmsg><inputstr>%s</inputstr></challenge>'
else:
tmpl = ('var respStatus = "Challenge";\n'
'var respMsg = "2FA challenge from %s";\n'
'thisForm.inputStr.value = "%s";\n')
return tmpl % (where, inputStr)


# Respond to portal getconfig request
@app.route('/global-protect/getconfig.esp', methods=('POST',))
def portal_config():
session.update(step='portal-config', user=request.form.get('user'), passwd=request.form.get('passwd'))
if not (request.form.get('user') and request.form.get('passwd')):
portal_2fa = session.get('portal_2fa')
inputStr = request.form.get('inputStr') or None
if portal_2fa and not inputStr:
return challenge_2fa('portal')
if not (request.form.get('user') and request.form.get('passwd') and inputStr == session.get('inputStr')):
return 'Invalid username or password', 512

session.update(step='portal-config', user=request.form.get('user'), passwd=request.form.get('passwd'), inputStr=None)
gateways = session.get('gateways') or ('Default gateway',)
gwlist = ''.join('<entry name="{}:{}"><description>{}</description></entry>'.format(app.config['HOST'], app.config['PORT'], gw)
for gw in gateways)
Expand All @@ -105,10 +128,13 @@ def portal_config():
# Respond to gateway login request
@app.route('/ssl-vpn/login.esp', methods=('POST',))
def gateway_login():
session.update(step='gateway-login')
if not (request.form.get('user') and request.form.get('passwd')):
gw_2fa = session.get('gw_2fa')
inputStr = request.form.get('inputStr') or None
if gw_2fa and not inputStr:
return challenge_2fa('gateway')
if not (request.form.get('user') and request.form.get('passwd') and inputStr == session.get('inputStr')):
return 'Invalid username or password', 512
session.update(user=request.form.get('user'), passwd=request.form.get('passwd'))
session.update(step='gateway-login', user=request.form.get('user'), passwd=request.form.get('passwd'), inputStr=None)

for k, v in (('jnlpReady', 'jnlpReady'), ('ok', 'Login'), ('direct', 'yes'), ('clientVer', '4100'), ('prot', 'https:')):
if request.form.get(k) != v:
Expand Down
18 changes: 17 additions & 1 deletion tests/gp-auth-and-config
Expand Up @@ -41,13 +41,29 @@ echo -n "Authenticating with username/password via portal... "

echo ok

echo -n "Authenticating with username/password, and selecting gateway, via portal... "
( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --protocol=gp -q "$ADDRESS:443/global-protect/testconfig.esp?gateways=foo,bar,baz" --authgroup=bar -u test $FINGERPRINT --cookieonly >/dev/null 2>&1) ||
fail $PID "Could not receive cookie from fake GlobalProtect server"

echo ok

echo -n "Authenticating with username/password via gateway... "
( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --protocol=gp -q $ADDRESS:443/gateway -u test $FINGERPRINT --cookieonly >/dev/null 2>&1) ||
fail $PID "Could not receive cookie from fake GlobalProtect server"

echo ok

# TODO: add tests with 2FA
echo -n "Authenticating with username/password via portal, then +token via gateway... "
( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --protocol=gp -q "$ADDRESS:443/global-protect/testconfig.esp?gw_2fa=1" -u test --token-mode=totp --token-secret=FAKE $FINGERPRINT --cookieonly >/dev/null 2>&1) ||
fail $PID "Could not receive cookie from fake GlobalProtect server"

echo ok

echo -n "Authenticating with username/password/token via gateway... "
( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --protocol=gp -q "$ADDRESS:443/ssl-vpn/testconfig.esp?gw_2fa=1" -u test --token-mode=totp --token-secret=FAKE $FINGERPRINT --cookieonly >/dev/null 2>&1) ||
fail $PID "Could not receive cookie from fake GlobalProtect server"

ok

echo -n "Authenticating with username/password via portal, then proceeding to tunnel stage... "
echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --protocol=gp -q $ADDRESS:443/portal -u test $FINGERPRINT >/dev/null 2>&1
Expand Down

0 comments on commit cbb75f7

Please sign in to comment.