X-Git-Url: https://code.communitydata.science/nu-vpn-proxy.git/blobdiff_plain/47b2c41af77f699b745dbfc2c4a870b10a08b39e..7e13b54cde944b15e2c48759b9e18e82d172b40f:/hipreport-modified.sh?ds=sidebyside

diff --git a/hipreport-modified.sh b/hipreport-modified.sh
new file mode 100755
index 0000000..5f280de
--- /dev/null
+++ b/hipreport-modified.sh
@@ -0,0 +1,150 @@
+#!/bin/sh
+
+# openconnect will call this script with the follow command-line
+# arguments, which are needed to populate the contents of the
+# HIP report:
+#
+#   --cookie: a URL-encoded string, as output by openconnect
+#             --authenticate --protocol=gp, which includes parameters
+#             from the /ssl-vpn/login.esp response
+#
+#   --client-ip{,v6}: IPv4/6 addresses allocated by the GlobalProtect
+#                     VPN for this client (included in
+#                     /ssl-vpn/getconfig.esp response)
+#
+#   --md5: The md5 digest to encode into this HIP report. I'm not sure
+#          exactly what this is the md5 digest *of*, but all that
+#          really matters is that the value in the HIP report
+#          submission should match the value in the HIP report check.
+#
+# This hipreport.sh does not work as-is on Android. The large here-doc
+# (cat <<EOF) does not appear to work with Android's /system/bin/sh,
+# likely due to an insufficient read buffer size.
+# Try hipreport-android.sh instead.
+
+# Read command line arguments into variables
+COOKIE=
+IP=
+IPv6=
+MD5=
+
+while [ "$1" ]; do
+    if [ "$1" = "--cookie" ];      then shift; COOKIE="$1"; fi
+    if [ "$1" = "--client-ip" ];   then shift; IP="$1"; fi
+    if [ "$1" = "--client-ipv6" ]; then shift; IPV6="$1"; fi
+    if [ "$1" = "--md5" ];         then shift; MD5="$1"; fi
+    shift
+done
+
+if [ -z "$COOKIE" -o -z "$MD5" -o -z "$IP$IPV6" ]; then
+    echo "Parameters --cookie, --md5, and --client-ip and/or --client-ipv6 are required" >&2
+    exit 1;
+fi
+
+# Extract username and domain and computer from cookie
+USER=$(echo "$COOKIE" | sed -rn 's/(.+&|^)user=([^&]+)(&.+|$)/\2/p')
+DOMAIN=$(echo "$COOKIE" | sed -rn 's/(.+&|^)domain=([^&]+)(&.+|$)/\2/p')
+COMPUTER=$(echo "$COOKIE" | sed -rn 's/(.+&|^)computer=([^&]+)(&.+|$)/\2/p')
+
+# Timestamp in the format expected by GlobalProtect server
+NOW=$(date +'%m/%d/%Y %H:%M:%S')
+DAY=$(date +'%d')
+MONTH=$(date +'%m')
+YEAR=$(date +'%Y')
+
+# This value may need to be extracted from the official HIP report, if a made-up value is not accepted.
+HOSTID="deadbeef-dead-beef-dead-beefdeadbeef"
+
+cat <<EOF
+
+<?xml version="1.0" encoding="UTF-8"?>
+<hip-report>
+    <md5-sum>$MD5</md5-sum>
+    <user-name>$USER</user-name>
+    <domain>$USER</domain>
+    <host-name>$COMPUTER</host-name>
+    <host-id>$HOSTID</host-id>
+    <ip-address>$IP</ip-address>
+    <ipv6-address>$IPV6</ipv6-address>
+	<generate-time>$NOW</generate-time>
+	<categories>
+		<entry name="host-info">
+			<client-version>5.1.0-101</client-version>
+			<os>Linux 4.19.0-6-amd64</os>
+			<os-vendor>Linux</os-vendor>
+			<domain>domain.com</domain>
+			<host-name>spes</host-name>
+			<host-id>d6f838cc-2b6f-11b2-a85c-d7bcda6b231e</host-id>
+			<network-interface>
+				<entry name="pan1">
+					<description>pan1</description>
+					<mac-address>42:4e:62:fe:ef:87</mac-address>
+					<ip-address>
+						<entry name="$IP"/>
+					</ip-address>
+					<ipv6-address>
+						<entry name="$IPV6"/>
+					</ipv6-address>
+				</entry>
+			</network-interface>
+		</entry>
+	</categories>
+</hip-report><?xml version="1.0" encoding="UTF-8"?>
+<hip-report>
+    <md5-sum>$MD5</md5-sum>
+    <user-name>$USER</user-name>
+    <domain>$USER</domain>
+    <host-name>$COMPUTER</host-name>
+    <host-id>$HOSTID</host-id>
+    <ip-address>$IP</ip-address>
+    <ipv6-address>$IPV6</ipv6-address>
+	<generate-time>$NOW</generate-time>
+	<hip-report-version>4</hip-report-version>
+	<categories>
+		<entry name="host-info">
+			<client-version>5.1.0-101</client-version>
+			<os>Linux 4.19.0-6-amd64</os>
+			<os-vendor>Linux</os-vendor>
+			<domain>domain.com</domain>
+			<host-name>spes</host-name>
+			<host-id>d6f838cc-2b6f-11b2-a85c-d7bcda6b231e</host-id>
+			<network-interface>
+				<entry name="pan1">
+					<description>pan1</description>
+					<mac-address>42:4e:62:fe:ef:87</mac-address>
+					<ip-address>
+						<entry name="$IP"/>
+					</ip-address>
+					<ipv6-address>
+						<entry name="$IPV6"/>
+					</ipv6-address>
+				</entry>
+			</network-interface>
+		</entry>
+		<entry name="anti-malware">
+			<list>
+			</list>
+		</entry>
+		<entry name="disk-backup">
+			<list>
+			</list>
+		</entry>
+		<entry name="disk-encryption">
+			<list>
+			</list>
+		</entry>
+		<entry name="firewall">
+			<list>
+			</list>
+		</entry>
+		<entry name="patch-management">
+			<list>
+			</list>
+		</entry>
+		<entry name="data-loss-prevention">
+			<list>
+			</list>
+		</entry>
+	</categories>
+</hip-report>
+EOF