X-Git-Url: https://code.communitydata.science/nu-vpn-proxy.git/blobdiff_plain/f429acaa10d15792bf74a4c6cafcf890cd0676ad..b1c36bf95e8dba91c50b6e0b4a04c58b8de3188c:/gp-saml-gui.py diff --git a/gp-saml-gui.py b/gp-saml-gui.py index e34d123..2d29d62 100755 --- a/gp-saml-gui.py +++ b/gp-saml-gui.py @@ -7,9 +7,11 @@ import urllib import requests import xml.etree.ElementTree as ET import os +import ssl +from shlex import quote from sys import stderr -from binascii import a2b_base64 +from binascii import a2b_base64, b2a_base64 gi.require_version('Gtk', '3.0') from gi.repository import Gtk @@ -18,15 +20,18 @@ gi.require_version('WebKit2', '4.0') from gi.repository import WebKit2 class SAMLLoginView: - def __init__(self, uri, html=None, verbose=False, cookies=None): + def __init__(self, uri, html=None, verbose=False, cookies=None, verify=True): window = Gtk.Window() # API reference: https://lazka.github.io/pgi-docs/#WebKit2-4.0 self.success = False + self.saml_result = {} self.verbose = verbose self.ctx = WebKit2.WebContext.get_default() + if not args.verify: + self.ctx.set_tls_errors_policy(WebKit2.TLSErrorsPolicy.IGNORE) self.cookies = self.ctx.get_cookie_manager() if args.cookies: self.cookies.set_accept_policy(WebKit2.CookieAcceptPolicy.ALWAYS) @@ -65,16 +70,18 @@ class SAMLLoginView: if (name.startswith('saml-') or name in ('prelogin-cookie', 'portal-userauthcookie')): t.append((name, value)) h.foreach(listify) - self.saml_result = d = dict(l) - if d: - if self.verbose: - print("Got SAML relevant headers, done: %r" % d, file=stderr) + d = dict(l) + if d and self.verbose: + print("Got SAML result headers: %r" % d, file=stderr) + d = self.saml_result + d.update(dict(l)) + if 'saml-username' in d and ('prelogin-cookie' in d or 'portal-userauthcookie' in d): + print("Got all required SAML headers, done.", file=stderr) self.success = True Gtk.main_quit() def parse_args(args = None): p = argparse.ArgumentParser() - p.add_argument('-v','--verbose', default=0, action='count') p.add_argument('server', help='GlobalProtect server (portal or gateway)') p.add_argument('--no-verify', dest='verify', action='store_false', default=True, help='Ignore invalid server certificate') p.add_argument('-C', '--no-cookies', dest='cookies', action='store_const', const=None, @@ -85,6 +92,10 @@ def parse_args(args = None): g = p.add_argument_group('Client certificate') g.add_argument('-c','--cert', help='PEM file containing client certificate (and optionally private key)') g.add_argument('--key', help='PEM file containing client private key (if not included in same file as certificate)') + g = p.add_argument_group('Debugging and advanced options') + g.add_argument('-v','--verbose', default=0, action='count') + g.add_argument('-x','--external', action='store_true', help='Launch external browser (for debugging)') + g.add_argument('-u','--uri', action='store_true', help='Treat server as the complete URI of the SAML entry point, rather than GlobalProtect server') p.add_argument('extra', nargs='*', help='Extra form field(s) to pass to include in the login query string (e.g. "magic-cookie-value=deadbeef01234567")') args = p.parse_args(args = None) @@ -112,24 +123,54 @@ if __name__ == "__main__": s.cert = args.cert # query prelogin.esp and parse SAML bits - endpoint = 'https://{}/{}/prelogin.esp'.format(args.server, ('global-protect' if args.portal else 'ssl-vpn')) - res = s.post(endpoint, verify=args.verify, data=args.extra) - xml = ET.fromstring(res.content) - sam = xml.find('saml-auth-method') - sr = xml.find('saml-request') - if sam is None or sr is None: - p.error("This does not appear to be a SAML prelogin response ( or tags missing)") - elif sam.text == 'POST': - html, uri = a2b_base64(sr.text).decode(), None - elif sam.text == 'REDIRECT': - uri, html = sr.text, None + if args.uri: + sam, uri, html = 'URI', args.server, None else: - p.error("Unknown SAML method (%s)" % sam.text) + endpoint = 'https://{}/{}/prelogin.esp'.format(args.server, ('global-protect' if args.portal else 'ssl-vpn')) + print("Looking for SAML auth tags in response to %s..." % endpoint, file=stderr) + try: + res = s.post(endpoint, verify=args.verify, data=args.extra) + except Exception as ex: + rootex = ex + while True: + if isinstance(rootex, ssl.SSLError): + break + elif not rootex.__cause__ and not rootex.__context__: + break + rootex = rootex.__cause__ or rootex.__context__ + if isinstance(rootex, ssl.CertificateError): + p.error("SSL certificate error (try --no-verify to ignore): %s" % rootex) + elif isinstance(rootex, ssl.SSLError): + p.error("SSL error: %s" % rootex) + else: + raise + xml = ET.fromstring(res.content) + sam = xml.find('saml-auth-method') + sr = xml.find('saml-request') + if sam is None or sr is None: + p.error("This does not appear to be a SAML prelogin response ( or tags missing)") + sam = sam.text + sr = a2b_base64(sr.text).decode() + if sam == 'POST': + html, uri = sr, None + elif sam == 'REDIRECT': + uri, html = sr, None + else: + p.error("Unknown SAML method (%s)" % sam) + + # launch external browser for debugging + if args.external: + print("Got SAML %s, opening external browser for debugging..." % sam, file=stderr) + import webbrowser + if html: + uri = 'data:text/html;base64,' + b2a_base64(html.encode()).decode() + webbrowser.open(uri) + raise SystemExit # spawn WebKit view to do SAML interactive login if args.verbose: - print("Got SAML POST, opening browser...", file=stderr) - slv = SAMLLoginView(uri, html, verbose=args.verbose, cookies=args.cookies) + print("Got SAML %s, opening browser..." % sam, file=stderr) + slv = SAMLLoginView(uri, html, verbose=args.verbose, cookies=args.cookies, verify=args.verify) Gtk.main() if not slv.success: p.error('''Login window closed without producing SAML cookie''') @@ -143,9 +184,15 @@ if __name__ == "__main__": else: cn = None + fullpath = ('/global-protect/getconfig.esp' if args.portal else '/ssl-vpn/login.esp') + shortpath = ('portal' if args.portal else 'gateway') if args.verbose: print('''\n\nSAML response converted to OpenConnect command line invocation:\n''', file=stderr) - print(''' echo {!r} |\n openconnect --protocol=gp --user={!r} --usergroup={}:{} --passwd-on-stdin {}\n'''.format( - cv, un, ('portal' if args.portal else 'gateway'), cn, args.server), file=stderr) - - print("HOST={!r}\nUSER={!r}\nCOOKIE={!r}".format('https://%s/%s:%s' % (args.server, ('portal' if args.portal else 'gateway'), cn), un, cv)) + print(''' echo {} |\n openconnect --protocol=gp --user={} --usergroup={}:{} --passwd-on-stdin {}\n'''.format( + quote(cv), quote(un), quote(shortpath), quote(cn), quote(args.server)), file=stderr) + + varvals = { + 'HOST': quote('https://%s/%s:%s' % (args.server, shortpath, cn)), + 'USER': quote(un), 'COOKIE': quote(cv), + } + print('\n'.join('%s=%s' % pair for pair in varvals.items()))