From: Daniel Lenski
Date: Fri, 2 Apr 2021 07:57:14 +0000 (-0700)
Subject: add test path including frmSelectRoles
X-Git-Tag: v8.20~311^2~6
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=aed3a7c4ed8c496e81d62b6bcfc3528ca1f574aa;p=users%2Fdwmw2%2Fopenconnect.git

add test path including frmSelectRoles

frmSelectRoles is a "form" that sort of acts like a realm dropdown except that…

(1) It comes AFTER the credentials have been submitted (¯\_(ツ)_/¯)
(2) It doesn't actually contain any form fields. It only contains links to a small number of role choices. It then redirects to 'GET login.cgi'.

Inane, but apparently used in the real world. See examples at: https://gitlab.gnome.org/GNOME/NetworkManager-openconnect/-/issues/30#note_988366

Signed-off-by: Daniel Lenski
---
diff --git a/tests/fake-juniper-server.py b/tests/fake-juniper-server.py
index 4cbb0562..79cec8af 100755
--- a/tests/fake-juniper-server.py
+++ b/tests/fake-juniper-server.py
@@ -76,9 +76,11 @@ def check_form_against_session(*fields, use_query=False):
 @app.route('/')
 def root():
     realms = request.args.get('realms')
+    roles = request.args.get('roles')
     confirm = bool(request.args.get('confirm'))
     token_form = request.args.get('token_form')
     session.update(step='initial-GET', realms=realms and realms.split(','),
+                   roles=roles and roles.split(','),
                    confirm=confirm, token_form=token_form)
     # print(session)
     return redirect(url_for('frmLogin'))
@@ -113,6 +115,7 @@ def frmLogin_post():
     realms = session.get('realms')
     confirm = session.get('confirm')
     token_form = session.get('token_form')
+    roles = session.get('roles')
     if realms:
         assert 0 <= int(request.form.get('realm',-1)) < len(realms)
     session.update(step='POST-login', username=request.form.get('username'),
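Review bot: root() now carries four query-string switches (`realms`, `roles`, `confirm`, `token_form`) that decide which forms the fake server walks the client through, but nothing in the hunk documents them or the comma-list format that `roles.split(',')` expects, so a reader of tests/juniper-auth has to reverse-engineer the URLs. A one-line docstring under `def root():` would do: `"""Start of the fake login flow: ?realms=a,b and ?roles=a,b (comma lists), ?confirm=1 and ?token_form=NAME are stashed in the session and pick which forms the later handlers present."""`. It is worth a word in that docstring that an empty `?roles=` is stored as `''` by `roles and roles.split(',')` and so later counts as "no roles", exactly as `realms` already behaves.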
@@ -134,12 +137,44 @@ def frmLogin_post():
         return redirect(url_for('frm2FA'))
     elif need_confirm:
         return redirect(url_for('frmConfirmation'))
+    elif roles:
+        return redirect(url_for('frmSelectRoles'))
     else:
         resp = redirect(url_for('webtop'))
         resp.set_cookie('DSID', cookify(dict(session)))
         return resp
+
+# frmSelectRoles
+# This is some insane post-login realm-ish select-y thing
+@app.route('/dana-na/auth/url_default/select_role.cgi')
+def frmSelectRoles():
+    session.update(step='GET-frmSelectRoles')
+    roles = session.get('roles')
+    dest = url_for('frmSelectRoles_AFTER')
+    roles = '\n'.join('%s' % (dest, nn, role) for (nn, role) in enumerate(roles))
+    return '''
+
+ + +%s + +
You have access to the following roles:
Each role allows you to access certain resources. Click on the role you want to join for this session. Please contact your administrator if you need help choosing a role.
+
''' % roles
+
+
+# Note the URL is shared with the frmLogin POST URL... so weird
+@app.route('/dana-na/auth/url_default/login.cgi', methods=['GET'])
+def frmSelectRoles_AFTER():
+    roles = session.get('roles')
+    assert roles
+    assert 0 <= int(request.args.get('role',-1)) < len(roles)
+    session.update(step='AFTER-frmSelectRoles', role=request.form.get('role'))
+    resp = redirect(url_for('webtop'))
+    resp.set_cookie('DSID', cookify(dict(session)))
+    return resp
+
+
 # 2FA forms (frmDefender, frmNextToken, or frmTotpToken)
 # This redirects back to frmLogin_POST
 @app.route('/dana-na/auth/url_default/token.cgi')
diff --git a/tests/juniper-auth b/tests/juniper-auth
index 75339721..f985df2a 100755
--- a/tests/juniper-auth
+++ b/tests/juniper-auth
@@ -70,6 +70,14 @@ echo -n "frmLogin with username/password → frmNextToken"
 ( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --protocol=nc -q $ADDRESS:443/?token_form=frmNextToken -u test $FAKE_TOKEN $FINGERPRINT --cookieonly >/dev/null 2>&1) ||
     fail $PID "Could not receive cookie from fake Juniper server"
+ok
+
+# only one role because we don't have a way to auto-fill this
+# (TODO: make --authgroup fill in the role instead, if there's no realm?)
+echo -n "frmLogin with username/password → frmConfirmation → frmSelectRoles"
+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --protocol=nc -q "$ADDRESS:443/?confirm=1&roles=only_one_role" -u test $FINGERPRINT --cookieonly >/dev/null 2>&1) ||
+    fail $PID "Could not receive cookie from fake Juniper server"
+
 echo ok
 echo -n "frmLogin with username/password, then proceeding to tunnel stage... "
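Review bot: In frmSelectRoles_AFTER the index is validated from `request.args` but the value stored is `request.form.get('role')`, which on this GET-only route is always None, so the session and the DSID cookie record `role=None` whichever link was followed; the fix is `session.update(step='AFTER-frmSelectRoles', role=request.args.get('role'))`. frmSelectRoles, one function up, runs `enumerate(roles)` on `session.get('roles')` with no guard, so reaching select_role.cgi outside the redirect path dies with a TypeError instead of the `assert roles` failure the AFTER handler gives — adding the same `assert roles` there keeps the two handlers consistent. The HTML inside the triple-quoted string has lost its markup on this page, so the anchors carrying `?role=<n>` cannot be checked here; note only that the role names are interpolated unescaped from the `?roles=` query string that root() stores, which is harmless for a local test fixture but would want `html.escape` if the fixture is ever fed real input. The hunk opens inside frmLogin_post, whose start lies outside it.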