Modify `fake-gp-server.py` to add regionalized priority-rules to the gateway list
authorDaniel Lenski <dlenski@gmail.com>
Fri, 29 Sep 2023 20:51:07 +0000 (13:51 -0700)
committerJan-Michael Brummer <jan-michael.brummer1@volkswagen.de>
Tue, 20 Feb 2024 07:23:04 +0000 (08:23 +0100)
The fake GP server will now assign the connecting user to a random planet in
its portal prelogin response, then randomly and haphazardly prioritize the
gateways by planet.

For example, start fake-gp-server.py, then configure it with 3 gateways:

    $ curl -k https://localhost:8080/CONFIGURE -d gateways=Red,Orange,Yellow
    $ curl -k https://localhost:8080/CONFIGURE
    Current configuration of fake GP server configuration:
    TestConfiguration(gateways=['Red', 'Orange', 'Yellow'], ...)

Then attempt to connect to it:

    $ openconnect --protocol=gp --dump-http-traffic localhost:8080
    ...
    Greetings, user from MERCURY. Please login to this fake GP VPN portal
    Username: bar
    Password:
    POST https://localhost:8080/global-protect/getconfig.esp
    ...
    < <?xml version="1.0" encoding="UTF-8" ?>
    < <policy><version> 6.7.8-9 </version><gateways><external><list>
    < <entry name="localhost:8080">
    <   <description>Red</description>
    <   <priority-rule>
    <     <entry name="VENUS"><priority>1</priority></entry>
    <     <entry name="Any"><priority>99</priority></entry>
    <   </priority-rule>
    < </entry>
    < <entry name="localhost:8080">
    <   <description>Orange</description>
    <   <priority-rule>
    <     <entry name="JUPITER"><priority>2</priority></entry>
    <     <entry name="MARS"><priority>1</priority></entry>
    <   </priority-rule>
    < </entry>
    < <entry name="localhost:8080">
    <   <description>Yellow</description>
    <   <priority-rule>
    <     <entry name="MERCURY"><priority>1</priority></entry>
    <     <entry name="EARTH"><priority>2</priority></entry>
    <   </priority-rule>
    < </entry></list>
    < </external></gateways>
    < <hip-collection><hip-report-interval>600</hip-report-interval></hip-collection>
    < </policy>
    Portal reports GlobalProtect version 6.7.8-9; we will report the same client version.
    Portal set HIP report interval to 10 minutes).
    5 gateway servers available:
      Red (localhost:8080) [priority 99]
      Orange (localhost:8080) [unprioritized]
      Yellow (localhost:8080) [priority 1]
    Please select GlobalProtect gateway.
    GATEWAY: [Yellow|Red|Orange]:

Note that the gateways are now presented to the user in the priority order
for the user's "region" of MERCURY.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
tests/fake-gp-server.py

index cb9f9b1b5ff8d6be49aadedae1942af67fc41fe6..98792e20117b31bbd1fa6b326aa48776b9344710 100755 (executable)
@@ -63,6 +63,8 @@ def check_form_against_session(*fields, use_query=False, on_failure=None):
 ########################################
 
 
+REGIONS = ['MERCURY', 'VENUS', 'EARTH', 'MARS', 'JUPITER', 'SATURN']
+
 if_path2name = {'global-protect': 'portal', 'ssl-vpn': 'gateway'}
 
 # Configure the fake server. These settings will persist unless/until reconfigured or restarted:
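Review bot: The new `REGIONS` constant on the added line has no comment, and its purpose is only discoverable by reading two other hunks; a one-line comment would save the next reader the search. I would add `# Fake "regions": prelogin assigns the client one of these at random, and portal config keys its gateway priority-rules on them.` directly above it. Nothing else in this hunk warrants a change.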
@@ -130,7 +132,7 @@ def prelogin(interface):
             base64.standard_b64encode(url_for('saml_handler', ifname=ifname, token=token, _external=True).encode()).decode())
     else:
         saml = ''
-    session.update(step='%s-prelogin' % ifname)
+    session.update(step='%s-prelogin' % ifname, region=choice(REGIONS))
     return '''
 <prelogin-response>
 <status>Success</status>
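Review bot: The rewritten `session.update(...)` line calls `choice(REGIONS)`, but the hunk does not show `choice` being imported; the surrounding code visibly uses `randint`, so if the existing import is of the form `from random import randint` it must be extended to `from random import choice, randint`, otherwise prelogin raises `NameError` at request time. Using the non-cryptographic `random` module is acceptable here since the region is test fodder and not a secret or token. Note that `prelogin` begins before this hunk and its return value continues past it.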
@@ -138,12 +140,12 @@ def prelogin(interface):
 <autosubmit>false</autosubmit>
 <msg/>
 <newmsg/>
-<authentication-message>Please login to this fake GP VPN {ifname}</authentication-message>
+<authentication-message>Greetings, user from {region}. Please login to this fake GP VPN {ifname}</authentication-message>
 <username-label>Username</username-label>
 <password-label>Password</password-label>
 <panos-version>1</panos-version>{saml}
-<region>EARTH</region>
-</prelogin-response>'''.format(ifname=ifname, saml=saml)
+<region>{region}</region>
+</prelogin-response>'''.format(ifname=ifname, saml=saml, region=session['region'])
 
 
 # In a "real" GP VPN with SAML, this lives on a completely different server like subdomain.okta.com
@@ -243,8 +245,17 @@ def portal_config():
                    saml_user=None, saml_value=None,
                    # clear inputStr to ensure failure if same form fields are blindly retried on another challenge form:
                    inputStr=None)
-    gwlist = ''.join('<entry name="{}:{}"><description>{}</description></entry>'.format(app.config['HOST'], app.config['PORT'], gw)
-                     for gw in C.gateways)
+    gwlist = ''.join('''
+<entry name="{}:{}">
+  <description>{}</description>
+  <priority-rule>
+    {}
+  </priority-rule>
+</entry>'''.format(
+        app.config['HOST'], app.config['PORT'], gw,
+        '\n    '.join(f'<entry name="{region}"><priority>{99 if region=="Any" else randint(1, len(REGIONS))}</priority></entry>'
+                      for region in REGIONS + ['Any'] if randint(0, 1)))
+        for gw in C.gateways)
     if C.portal_cookie:
         val = session[C.portal_cookie] = 'portal-cookie-%d' % randint(1, 10)
         pc = '<{0}>{1}</{0}>'.format(C.portal_cookie, val)
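Review bot: The rebuilt `gwlist` template still interpolates `gw` (and `app.config['HOST']`) into XML unescaped; gateway names arrive from the `/CONFIGURE` form (`gateways=Red,Orange,Yellow`), so a value containing `<`, `&` or a quote yields malformed `<description>` text that the client's XML parser will reject, which makes the test fail for the wrong reason. I would escape at the insertion point, `from xml.sax.saxutils import escape` and `'''...'''.format(app.config['HOST'], app.config['PORT'], escape(gw), ...)`, keeping the `entry name` attribute quoted-safe as well. Separately, the generator `for region in REGIONS + ['Any'] if randint(0, 1)` can select no entries at all, producing an empty `<priority-rule>` element; that seems to be intentional (the commit message says "haphazardly"), but a comment saying an empty rule is a deliberate "unprioritized" case would prevent someone from "fixing" it. `portal_config` starts before this hunk and continues after it.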