From: Daniel Lenski Date: Sun, 26 Jan 2020 00:46:05 +0000 (-0800) Subject: this script should live here X-Git-Url: https://code.communitydata.science/nu-vpn-proxy.git/commitdiff_plain/b1c36bf95e8dba91c50b6e0b4a04c58b8de3188c?hp=-c this script should live here --- b1c36bf95e8dba91c50b6e0b4a04c58b8de3188c diff --git a/test-globalprotect-login.py b/test-globalprotect-login.py new file mode 100755 index 0000000..a4b453f --- /dev/null +++ b/test-globalprotect-login.py @@ -0,0 +1,128 @@ +#!/usr/bin/python3 + +from __future__ import print_function +from sys import stderr, version_info +if (version_info >= (3, 0)): + from urllib.parse import urlparse, urlencode + raw_input = input +else: + from urlparse import urlparse + from urllib import urlencode +import requests +import argparse +import getpass +import os +import xml.etree.ElementTree as ET +import posixpath +from binascii import a2b_base64 +from tempfile import NamedTemporaryFile +from shlex import quote + +p = argparse.ArgumentParser() +p.add_argument('-v','--verbose', default=0, action='count') +p.add_argument('endpoint', help='GlobalProtect server; can append /ssl-vpn/login.esp (default) or /global-protect/getconfig.esp') +p.add_argument('extra', nargs='*', help='Extra field to pass to include in the login query string (e.g. "portal-userauthcookie=deadbeef01234567")') +g = p.add_argument_group('Login credentials') +g.add_argument('-u','--user', help='Username (will prompt if unspecified)') +g.add_argument('-p','--password', help='Password (will prompt if unspecified)') +g.add_argument('-c','--cert', help='PEM file containing client certificate (and optionally private key)') +g.add_argument('--computer', default=os.uname()[1], help="Computer name (default is `hostname`)") +g.add_argument('--key', help='PEM file containing client private key (if not included in same file as certificate)') +p.add_argument('-b','--browse', action='store_true', help='Automatically spawn browser for SAML') +p.add_argument('--no-verify', dest='verify', action='store_false', default=True, help='Ignore invalid server certificate') +args = p.parse_args() + +extra = dict(x.split('=', 1) for x in args.extra) +endpoint = urlparse(('https://' if '//' not in args.endpoint else '') + args.endpoint, 'https:') +if not endpoint.path: + print("Endpoint path unspecified: defaulting to /ssl-vpn/login.esp", file=stderr) + endpoint = endpoint._replace(path = '/ssl-vpn/login.esp') +prelogin = (posixpath.split(endpoint.path)[-1] == 'prelogin.esp') + +if args.cert and args.key: + cert = (args.cert, args.key) +elif args.cert: + cert = (args.cert, None) +elif args.key: + p.error('--key specified without --cert') +else: + cert = None + +s = requests.Session() +s.headers['User-Agent'] = 'PAN GlobalProtect' +s.cert = cert + +if prelogin: + data = extra +else: + # same request params work for /global-protect/getconfig.esp as for /ssl-vpn/login.esp + if args.user == None: + args.user = raw_input('Username: ') + if args.password == None: + args.password = getpass.getpass('Password: ') + data=dict(user=args.user, passwd=args.password, + # required + jnlpReady='jnlpReady', ok='Login', direct='yes', + # optional but might affect behavior + clientVer=4100, server=endpoint.netloc, prot='https:', + computer=args.computer, + **extra) +res = s.post(endpoint.geturl(), verify=args.verify, data=data) + +if args.verbose: + print("Request body:\n", res.request.body, file=stderr) + +res.raise_for_status() + +# build openconnect "cookie" if the result is a + +try: + xml = ET.fromstring(res.text) +except Exception: + xml = None + +if xml is not None and xml.tag == 'jnlp': + arguments = [(t.text or '') for t in xml.iter('argument')] + arguments += [''] * (16-len(arguments)) + cookie = urlencode({'authcookie': arguments[1], 'portal': arguments[3], 'user': arguments[4], 'domain': arguments[7], + 'computer': args.computer, 'preferred-ip': arguments[15]}) + if cert: + cert_and_key = ' \\\n ' + ' '.join('%s "%s"' % (opt, quote(fn)) for opt, fn in zip(('-c','-k'), cert) if fn) + else: + cert_and_key = '' + + print(''' + +Extracted connection cookie from . Use this to connect: + + openconnect --protocol=gp --usergroup=gateway %s \\ + --cookie %s%s +''' % (quote(endpoint.netloc), quote(cookie), cert_and_key), file=stderr) + +# do SAML request if the result is + +elif xml is not None and xml.tag == 'prelogin-response' and None not in (xml.find('saml-auth-method'), xml.find('saml-request')): + import webbrowser + sam = xml.find('saml-auth-method').text + sr = xml.find('saml-request').text + if sam == 'POST': + with NamedTemporaryFile(delete=False, suffix='.html') as tf: + tf.write(a2b_base64(sr)) + if args.browse: + print("Got SAML POST, browsing to %s" % tf.name) + webbrowser.open('file://' + tf.name) + else: + print("Got SAML POST, saved to:\n\t%s" % tf.name) + elif sam == 'REDIRECT': + if args.browse: + print("Got SAML REDIRECT, browsing to %s" % sr) + webbrowser.open(sr) + else: + print("Got SAML REDIRECT to:\n\t%s" % sr) + +# Just print the result + +else: + if args.verbose: + print(res.headers, file=stderr) + print(res.text)