@app.route('/')
def root():
realms = request.args.get('realms')
+ roles = request.args.get('roles')
confirm = bool(request.args.get('confirm'))
token_form = request.args.get('token_form')
session.update(step='initial-GET', realms=realms and realms.split(','),
+ roles=roles and roles.split(','),
confirm=confirm, token_form=token_form)
# print(session)
return redirect(url_for('frmLogin'))
realms = session.get('realms')
confirm = session.get('confirm')
token_form = session.get('token_form')
+ roles = session.get('roles')
if realms:
assert 0 <= int(request.form.get('realm',-1)) < len(realms)
session.update(step='POST-login', username=request.form.get('username'),
return redirect(url_for('frm2FA'))
elif need_confirm:
return redirect(url_for('frmConfirmation'))
+ elif roles:
+ return redirect(url_for('frmSelectRoles'))
else:
resp = redirect(url_for('webtop'))
resp.set_cookie('DSID', cookify(dict(session)))
return resp
+# frmSelectRoles
+# This is some insane post-login realm-ish select-y thing
+@app.route('/dana-na/auth/url_default/select_role.cgi')
+def frmSelectRoles():
+ session.update(step='GET-frmSelectRoles')
+ roles = session.get('roles')
+ dest = url_for('frmSelectRoles_AFTER')
+ roles = '\n'.join('<tr><td><a href="%s?role=%d">%s</a></td></tr>' % (dest, nn, role) for (nn, role) in enumerate(roles))
+ return '''
+<html><body><form name="frmSelectRoles">
+<table id="TABLE_SelectRole_1">
+<tr><td>You have access to the following roles:</td></tr>
+%s
+<tr><td>Each role allows you to access certain resources. Click on the role you want to join for this session. Please contact your administrator if you need help choosing a role.</td></tr>
+</table>
+</form></body></form>''' % roles
+
+
+# Note the URL is shared with the frmLogin POST URL... so weird
+@app.route('/dana-na/auth/url_default/login.cgi', methods=['GET'])
+def frmSelectRoles_AFTER():
+ roles = session.get('roles')
+ assert roles
+ assert 0 <= int(request.args.get('role',-1)) < len(roles)
+ session.update(step='AFTER-frmSelectRoles', role=request.form.get('role'))
+ resp = redirect(url_for('webtop'))
+ resp.set_cookie('DSID', cookify(dict(session)))
+ return resp
+
+
# 2FA forms (frmDefender, frmNextToken, or frmTotpToken)
# This redirects back to frmLogin_POST
@app.route('/dana-na/auth/url_default/token.cgi')
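Review bot: In `frmSelectRoles_AFTER` the chosen index is validated from the query string on the line `assert 0 <= int(request.args.get('role',-1)) < len(roles)`, but the very next line stores `request.form.get('role')`, which on this GET-only route is always `None`, so the validated selection never reaches the session or the DSID cookie; both lines should read the same source, e.g. `session.update(step='AFTER-frmSelectRoles', role=request.args.get('role'))` (or store the resolved name, `role=roles[int(request.args.get('role'))]`). In `frmSelectRoles`, the role names interpolated into the `<a href>` rows come unchanged from the `roles` query parameter that `root()` splits into the session, with no escaping; wrapping each with `html.escape(role)` keeps the rendered table well-formed for arbitrary names, which needs `import html` at the top of the file, outside this hunk. The template's closing `</form></body></form>` should end with `</html>`.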
( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --protocol=nc -q $ADDRESS:443/?token_form=frmNextToken -u test $FAKE_TOKEN $FINGERPRINT --cookieonly >/dev/null 2>&1) ||
fail $PID "Could not receive cookie from fake Juniper server"
+ok
+
+# only one role because we don't have a way to auto-fill this
+# (TODO: make --authgroup fill in the role instead, if there's no realm?)
+echo -n "frmLogin with username/password → frmConfirmation → frmSelectRoles"
+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --protocol=nc -q "$ADDRESS:443/?confirm=1&roles=only_one_role" -u test $FINGERPRINT --cookieonly >/dev/null 2>&1) ||
+ fail $PID "Could not receive cookie from fake Juniper server"
+
echo ok
echo -n "frmLogin with username/password, then proceeding to tunnel stage... "