X-Git-Url: https://code.communitydata.science/nu-vpn-proxy.git/blobdiff_plain/d30ca2c9609a1f152db3df217a396548e9190820..70f96b0f2d19057d4c122f5cdb6a58aa809e8088:/gp-saml-gui.py diff --git a/gp-saml-gui.py b/gp-saml-gui.py index 195bc3b..0bd4248 100755 --- a/gp-saml-gui.py +++ b/gp-saml-gui.py @@ -9,7 +9,7 @@ import xml.etree.ElementTree as ET import os from sys import stderr -from binascii import a2b_base64 +from binascii import a2b_base64, b2a_base64 gi.require_version('Gtk', '3.0') from gi.repository import Gtk @@ -24,6 +24,8 @@ class SAMLLoginView: # API reference: https://lazka.github.io/pgi-docs/#WebKit2-4.0 self.success = False + self.saml_result = {} + self.verbose = verbose self.ctx = WebKit2.WebContext.get_default() self.cookies = self.ctx.get_cookie_manager() @@ -38,18 +40,24 @@ class SAMLLoginView: window.set_title("SAML Login") window.connect('delete-event', Gtk.main_quit) self.wview.connect('load-changed', self.get_saml_headers) + self.wview.connect('resource-load-started', self.log_resources) if html: self.wview.load_html(html, uri) else: self.wview.load_uri(uri) + def log_resources(self, webview, resource, request): + if self.verbose > 1: + print('%s for resource %s' % (request.get_http_method() or 'Request', resource.get_uri()), file=stderr) + def get_saml_headers(self, webview, event): if event != WebKit2.LoadEvent.FINISHED: return mr = webview.get_main_resource() - print("Finished loading %s..." % mr.get_uri(), file=stderr) + if self.verbose: + print("Finished loading %s" % mr.get_uri(), file=stderr) rs = mr.get_response() h = rs.get_http_headers() if h: @@ -58,15 +66,18 @@ class SAMLLoginView: if (name.startswith('saml-') or name in ('prelogin-cookie', 'portal-userauthcookie')): t.append((name, value)) h.foreach(listify) - self.saml_result = d = dict(l) - if d: - print("Got SAML relevant headers, done: %r" % d, file=stderr) + d = dict(l) + if d and self.verbose: + print("Got SAML result headers: %r" % d, file=stderr) + d = self.saml_result + d.update(dict(l)) + if 'saml-username' in d and ('prelogin-cookie' in d or 'portal-userauthcookie' in d): + print("Got all required SAML headers, done.", file=stderr) self.success = True Gtk.main_quit() def parse_args(args = None): p = argparse.ArgumentParser() - p.add_argument('-v','--verbose', default=0, action='count') p.add_argument('server', help='GlobalProtect server (portal or gateway)') p.add_argument('--no-verify', dest='verify', action='store_false', default=True, help='Ignore invalid server certificate') p.add_argument('-C', '--no-cookies', dest='cookies', action='store_const', const=None, @@ -77,6 +88,10 @@ def parse_args(args = None): g = p.add_argument_group('Client certificate') g.add_argument('-c','--cert', help='PEM file containing client certificate (and optionally private key)') g.add_argument('--key', help='PEM file containing client private key (if not included in same file as certificate)') + g = p.add_argument_group('Debugging and advanced options') + g.add_argument('-v','--verbose', default=0, action='count') + g.add_argument('-x','--external', action='store_true', help='Launch external browser (for debugging)') + g.add_argument('-u','--uri', action='store_true', help='Treat server as the complete URI of the SAML entry point, rather than GlobalProtect server') p.add_argument('extra', nargs='*', help='Extra form field(s) to pass to include in the login query string (e.g. "magic-cookie-value=deadbeef01234567")') args = p.parse_args(args = None) @@ -104,23 +119,37 @@ if __name__ == "__main__": s.cert = args.cert # query prelogin.esp and parse SAML bits - endpoint = 'https://{}/{}/prelogin.esp'.format(args.server, ('global-protect' if args.portal else 'ssl-vpn')) - res = s.post(endpoint, verify=args.verify, data=args.extra) - xml = ET.fromstring(res.content) - sam = xml.find('saml-auth-method') - sr = xml.find('saml-request') - if sam is None or sr is None: - p.error("This does not appear to be a SAML prelogin response ( or tags missing)") - elif sam.text == 'POST': - print("Got SAML POST content, opening browser...", file=stderr) - html, uri = a2b_base64(sr.text).decode(), None - elif sam.text == 'REDIRECT': - print("Got SAML REDIRECT to %s, opening browser..." % sr.text, file=stderr) - uri, html = sr.text, None + if args.uri: + sam, uri, html = 'URI', args.server, None else: - p.error("Unknown SAML method (%s)" % sam.text) + endpoint = 'https://{}/{}/prelogin.esp'.format(args.server, ('global-protect' if args.portal else 'ssl-vpn')) + res = s.post(endpoint, verify=args.verify, data=args.extra) + xml = ET.fromstring(res.content) + sam = xml.find('saml-auth-method') + sr = xml.find('saml-request') + if sam is None or sr is None: + p.error("This does not appear to be a SAML prelogin response ( or tags missing)") + sam = sam.text + sr = a2b_base64(sr.text).decode() + if sam == 'POST': + html, uri = sr, None + elif sam == 'REDIRECT': + uri, html = sr, None + else: + p.error("Unknown SAML method (%s)" % sam) + + # launch external browser for debugging + if args.external: + print("Got SAML %s, opening external browser for debugging..." % sam, file=stderr) + import webbrowser + if html: + uri = 'data:text/html;base64,' + b2a_base64(html.encode()).decode() + webbrowser.open(uri) + raise SystemExit # spawn WebKit view to do SAML interactive login + if args.verbose: + print("Got SAML %s, opening browser..." % sam, file=stderr) slv = SAMLLoginView(uri, html, verbose=args.verbose, cookies=args.cookies) Gtk.main() if not slv.success: