From 1c5572a671a168f4c812db524be7b74c7ddb0bc2 Mon Sep 17 00:00:00 2001 From: Daniel Lenski Date: Fri, 29 Sep 2023 13:51:07 -0700 Subject: [PATCH] Modify `fake-gp-server.py` to add regionalized priority-rules to the gateway list The fake GP server will now assign the connecting user to a random planet in its portal prelogin response, then randomly and haphazardly prioritize the gateways by planet. For example, start fake-gp-server.py, then configure it with 3 gateways: $ curl -k https://localhost:8080/CONFIGURE -d gateways=Red,Orange,Yellow $ curl -k https://localhost:8080/CONFIGURE Current configuration of fake GP server configuration: TestConfiguration(gateways=['Red', 'Orange', 'Yellow'], ...) Then attempt to connect to it: $ openconnect --protocol=gp --dump-http-traffic localhost:8080 ... Greetings, user from MERCURY. Please login to this fake GP VPN portal Username: bar Password: POST https://localhost:8080/global-protect/getconfig.esp ... < < 6.7.8-9 < < Red < < 1 < 99 < < < < Orange < < 2 < 1 < < < < Yellow < < 1 < 2 < < < < 600 < Portal reports GlobalProtect version 6.7.8-9; we will report the same client version. Portal set HIP report interval to 10 minutes). 5 gateway servers available: Red (localhost:8080) [priority 99] Orange (localhost:8080) [unprioritized] Yellow (localhost:8080) [priority 1] Please select GlobalProtect gateway. GATEWAY: [Yellow|Red|Orange]: Note that the gateways are now presented to the user in the priority order for the user's "region" of MERCURY. Signed-off-by: Daniel Lenski
---
tests/fake-gp-server.py | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/tests/fake-gp-server.py b/tests/fake-gp-server.py
index cb9f9b1b..98792e20 100755
--- a/tests/fake-gp-server.py
+++ b/tests/fake-gp-server.py
@@ -63,6 +63,8 @@ def check_form_against_session(*fields, use_query=False, on_failure=None): ######################################## +REGIONS = ['MERCURY', 'VENUS', 'EARTH', 'MARS', 'JUPITER', 'SATURN'] + if_path2name = {'global-protect': 'portal', 'ssl-vpn': 'gateway'} # Configure the fake server. These settings will persist unless/until reconfigured or restarted: @@ -130,7 +132,7 @@ def prelogin(interface): base64.standard_b64encode(url_for('saml_handler', ifname=ifname, token=token, _external=True).encode()).decode()) else: saml = '' - session.update(step='%s-prelogin' % ifname) + session.update(step='%s-prelogin' % ifname, region=choice(REGIONS)) return ''' Success @@ -138,12 +140,12 @@ def prelogin(interface): false -Please login to this fake GP VPN {ifname} +Greetings, user from {region}. Please login to this fake GP VPN {ifname} Username Password 1{saml} -EARTH -'''.format(ifname=ifname, saml=saml) +{region} +'''.format(ifname=ifname, saml=saml, region=session['region']) # In a "real" GP VPN with SAML, this lives on a completely different server like subdomain.okta.com @@ -243,8 +245,17 @@ def portal_config(): saml_user=None, saml_value=None, # clear inputStr to ensure failure if same form fields are blindly retried on another challenge form: inputStr=None) - gwlist = ''.join('{}'.format(app.config['HOST'], app.config['PORT'], gw) - for gw in C.gateways) + gwlist = ''.join(''' + + {} + + {} + +'''.format( + app.config['HOST'], app.config['PORT'], gw, + '\n '.join(f'{99 if region=="Any" else randint(1, len(REGIONS))}' + for region in REGIONS + ['Any'] if randint(0, 1))) + for gw in C.gateways) if C.portal_cookie: val = session[C.portal_cookie] = 'portal-cookie-%d' % randint(1, 10) pc = '<{0}>{1}'.format(C.portal_cookie, val) -- 2.50.1
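Review bot: `choice` is called in the changed `session.update(step='%s-prelogin' % ifname, region=choice(REGIONS))` line of the prelogin hunk, but no hunk in this patch touches the import block, so it cannot be confirmed from here that `random.choice` is in scope. The last hunk uses a bare `randint`, which suggests a `from random import ...` line exists; if it names only `randint`, prelogin fails with NameError on the first request, so the import should read something like `from random import randint, choice`. Separately, this line appears to run on every prelogin call, for both the portal and the gateway interface, so one session can be given two different regions. If the region is meant to stay stable per client, `session.setdefault('region', choice(REGIONS))` before the update would keep the first draw. prelogin's body starts and ends outside the hunk.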
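Review bot: The priority rules built in the new `gwlist` expression of the portal_config hunk are drawn with unseeded `randint` on every request, so two runs of the same test see different gateway orderings and a failing run cannot be replayed. The `if randint(0, 1)` filter can also drop every entry of `REGIONS + ['Any']`, leaving a gateway with no rules at all. If that is intended, say so in a comment such as `# each rule is kept with probability 1/2; a gateway may end up with none (unprioritized)`. An optional seed or a fixed rule table settable through the existing configuration object `C` would let tests that assert on ordering stay deterministic. The f-string nested inside a positional `.format()` call is also hard to audit; building the rule lines in a named local first and passing that to the template would read more clearly. portal_config's body starts and ends outside the hunk.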