[nu-vpn-proxy.git] / hipreport-modified.sh

#!/bin/sh

# openconnect will call this script with the follow command-line
# arguments, which are needed to populate the contents of the
# HIP report:
#
#   --cookie: a URL-encoded string, as output by openconnect
#             --authenticate --protocol=gp, which includes parameters
#             from the /ssl-vpn/login.esp response
#
#   --client-ip{,v6}: IPv4/6 addresses allocated by the GlobalProtect
#                     VPN for this client (included in
#                     /ssl-vpn/getconfig.esp response)
#
#   --md5: The md5 digest to encode into this HIP report. I'm not sure
#          exactly what this is the md5 digest *of*, but all that
#          really matters is that the value in the HIP report
#          submission should match the value in the HIP report check.
#
# This hipreport.sh does not work as-is on Android. The large here-doc
# (cat <<EOF) does not appear to work with Android's /system/bin/sh,
# likely due to an insufficient read buffer size.
# Try hipreport-android.sh instead.

# Read command line arguments into variables
COOKIE=
IP=
IPv6=
MD5=

while [ "$1" ]; do
    if [ "$1" = "--cookie" ];      then shift; COOKIE="$1"; fi
    if [ "$1" = "--client-ip" ];   then shift; IP="$1"; fi
    if [ "$1" = "--client-ipv6" ]; then shift; IPV6="$1"; fi
    if [ "$1" = "--md5" ];         then shift; MD5="$1"; fi
    shift
done

if [ -z "$COOKIE" -o -z "$MD5" -o -z "$IP$IPV6" ]; then
    echo "Parameters --cookie, --md5, and --client-ip and/or --client-ipv6 are required" >&2
    exit 1;
fi

# Extract username and domain and computer from cookie
USER=$(echo "$COOKIE" | sed -rn 's/(.+&|^)user=([^&]+)(&.+|$)/\2/p')
DOMAIN=$(echo "$COOKIE" | sed -rn 's/(.+&|^)domain=([^&]+)(&.+|$)/\2/p')
COMPUTER=$(echo "$COOKIE" | sed -rn 's/(.+&|^)computer=([^&]+)(&.+|$)/\2/p')

# Timestamp in the format expected by GlobalProtect server
NOW=$(date +'%m/%d/%Y %H:%M:%S')
DAY=$(date +'%d')
MONTH=$(date +'%m')
YEAR=$(date +'%Y')

# This value may need to be extracted from the official HIP report, if a made-up value is not accepted.
HOSTID="deadbeef-dead-beef-dead-beefdeadbeef"

cat <<EOF

<?xml version="1.0" encoding="UTF-8"?>
<hip-report>
    <md5-sum>$MD5</md5-sum>
    <user-name>$USER</user-name>
    <domain>$USER</domain>
    <host-name>$COMPUTER</host-name>
    <host-id>$HOSTID</host-id>
    <ip-address>$IP</ip-address>
    <ipv6-address>$IPV6</ipv6-address>
        <generate-time>$NOW</generate-time>
        <categories>
                <entry name="host-info">
                        <client-version>5.1.0-101</client-version>
                        <os>Linux 4.19.0-6-amd64</os>
                        <os-vendor>Linux</os-vendor>
                        <domain>domain.com</domain>
                        <host-name>spes</host-name>
                        <host-id>d6f838cc-2b6f-11b2-a85c-d7bcda6b231e</host-id>
                        <network-interface>
                                <entry name="pan1">
                                        <description>pan1</description>
                                        <mac-address>42:4e:62:fe:ef:87</mac-address>
                                        <ip-address>
                                                <entry name="$IP"/>
                                        </ip-address>
                                        <ipv6-address>
                                                <entry name="$IPV6"/>
                                        </ipv6-address>
                                </entry>
                        </network-interface>
                </entry>
        </categories>
</hip-report><?xml version="1.0" encoding="UTF-8"?>
<hip-report>
    <md5-sum>$MD5</md5-sum>
    <user-name>$USER</user-name>
    <domain>$USER</domain>
    <host-name>$COMPUTER</host-name>
    <host-id>$HOSTID</host-id>
    <ip-address>$IP</ip-address>
    <ipv6-address>$IPV6</ipv6-address>
        <generate-time>$NOW</generate-time>
        <hip-report-version>4</hip-report-version>
        <categories>
                <entry name="host-info">
                        <client-version>5.1.0-101</client-version>
                        <os>Linux 4.19.0-6-amd64</os>
                        <os-vendor>Linux</os-vendor>
                        <domain>domain.com</domain>
                        <host-name>spes</host-name>
                        <host-id>d6f838cc-2b6f-11b2-a85c-d7bcda6b231e</host-id>
                        <network-interface>
                                <entry name="pan1">
                                        <description>pan1</description>
                                        <mac-address>42:4e:62:fe:ef:87</mac-address>
                                        <ip-address>
                                                <entry name="$IP"/>
                                        </ip-address>
                                        <ipv6-address>
                                                <entry name="$IPV6"/>
                                        </ipv6-address>
                                </entry>
                        </network-interface>
                </entry>
                <entry name="anti-malware">
                        <list>
                        </list>
                </entry>
                <entry name="disk-backup">
                        <list>
                        </list>
                </entry>
                <entry name="disk-encryption">
                        <list>
                        </list>
                </entry>
                <entry name="firewall">
                        <list>
                        </list>
                </entry>
                <entry name="patch-management">
                        <list>
                        </list>
                </entry>
                <entry name="data-loss-prevention">
                        <list>
                        </list>
                </entry>
        </categories>
</hip-report>
EOF