Startsida Utforska Hjälp
Logga in
vimacs
/
openconnect
Bevaka 1
Stjärnmärk 0
Fork 0
Filer Ärenden 0 Pull-förfrågningar 0 Wiki
Gren: h3cssl
Grenar Taggar
openconnect
/
tests
/
gp-auth-and-config

gp-auth-and-config 5.3 KB
Permalänk Historik

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127 
  1. #!/bin/sh
    2. 

  2. #
    3. 

  3. # Copyright © 2021 Daniel Lenski
    4. 

  4. #
    5. 

  5. # This file is part of openconnect.
    6. 

  6. #
    7. 

  7. # This is free software; you can redistribute it and/or
    8. 

  8. # modify it under the terms of the GNU Lesser General Public License
    9. 

  9. # as published by the Free Software Foundation; either version 2.1 of
    10. 

  10. # the License, or (at your option) any later version.
    11. 

  11. #
    12. 

  12. # This library is distributed in the hope that it will be useful, but
    13. 

  13. # WITHOUT ANY WARRANTY; without even the implied warranty of
    14. 

  14. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
    15. 

  15. # Lesser General Public License for more details.
    16. 

  16. #
    17. 

  17. # You should have received a copy of the GNU Lesser General Public License
    18. 

  18. # along with this program.  If not, see <http://www.gnu.org/licenses/>
    19. 

  19. 

  20. # This test uses LD_PRELOAD
    21. 

  21. PRELOAD=1
    22. 

  22. srcdir=${srcdir:-.}
    23. 

  23. top_builddir=${top_builddir:-..}
    24. 

  24. 

  25. . `dirname $0`/common.sh
    26. 

  26. 

  27. FINGERPRINT="--servercert=d66b507ae074d03b02eafca40d35f87dd81049d3"
    28. 

  28. CERT=$certdir/server-cert.pem
    29. 

  29. KEY=$certdir/server-key.pem
    30. 

  30. 

  31. echo "Testing GlobalProtect auth against fake server ..."
    32. 

  32. 

  33. OCSERV=${srcdir}/fake-gp-server.py
    34. 

  34. launch_simple_sr_server $ADDRESS 443 $CERT $KEY >/dev/null 2>&1
    35. 

  35. PID=$!
    36. 

  36. wait_server $PID
    37. 

  37. 

  38. SERVURL="https://$ADDRESS:443"
    39. 

  39. CLIENT="$OPENCONNECT -q --protocol=gp $FINGERPRINT -u test"
    40. 

  40. export LD_PRELOAD=libsocket_wrapper.so
    41. 

  41. 

  42. echo -n "Authenticating with username/password via portal... "
    43. 

  43. ( echo "test" | $CLIENT $SERVURL/portal --cookieonly >/dev/null 2>&1) ||
    44. 

  44.     fail $PID "Could not receive cookie from fake GlobalProtect server"
    45. 

  45. 

  46. echo ok
    47. 

  47. 

  48. echo -n "Authenticating with username/password via gateway... "
    49. 

  49. ( echo "test" | $CLIENT $SERVURL/gateway --cookieonly >/dev/null 2>&1) ||
    50. 

  50.     fail $PID "Could not receive cookie from fake GlobalProtect server"
    51. 

  51. 

  52. echo ok
    53. 

  53. 

  54. echo "Configuring fake server to present a choice of 3 gateways in the portal."
    55. 

  55. curl -sk $SERVURL/CONFIGURE -d gateways=foo,bar,baz
    56. 

  56. 

  57. echo -n "Authenticating with username/password, and selecting gateway, via portal... "
    58. 

  58. ( echo "test" | $CLIENT $SERVURL/portal --authgroup=bar --cookieonly >/dev/null 2>&1) ||
    59. 

  59.     fail $PID "Could not receive cookie from fake GlobalProtect server"
    60. 

  60. 

  61. echo ok
    62. 

  62. 

  63. echo "Configuring fake server to require 2FA-token and to propagate portal authentication to gateway."
    64. 

  64. curl -sk $SERVURL/CONFIGURE -d portal_2fa=1 -d gw_2fa=1 -d portal_cookie=portal-userauthcookie
    65. 

  65. 

  66. echo -n "Authenticating with username/password/2FA-token via portal, then continuing through 2FA-requiring gateway... "
    67. 

  67. ( echo "test" | $CLIENT $SERVURL/portal --token-mode=totp --token-secret=FAKE --cookieonly >/dev/null 2>&1) ||
    68. 

  68.     fail $PID "Could not receive cookie from fake GlobalProtect server"
    69. 

  69. 

  70. echo ok
    71. 

  71. 

  72. echo "Configuring fake server to require SAML for portal and gateway authentication, and to propagate portal authentication to gateway."
    73. 

  73. curl -sk $SERVURL/CONFIGURE -d portal_saml=prelogin-cookie -d gateway_saml=prelogin-cookie -d portal_cookie=portal-userauthcookie
    74. 

  74. 

  75. echo -n "Simulating completed SAML to portal, then continuing through SAML-requiring gateway... "
    76. 

  76. ( echo "prelogin-cookie" | $CLIENT $SERVURL/portal:prelogin-cookie --cookieonly >/dev/null 2>&1) ||
    77. 

  77. test $? = 2 || # what OpenConnect returns when server rejects cookie upon tunnel connection, as the fake server does
    78. 

  78.     fail $PID "Something went wrong in fake GlobalProtect server (other than the expected rejection of cookie)"
    79. 

  79. 

  80. echo ok
    81. 

  81. 

  82. echo "Configuring fake server to require SAML for gateway authentication only."
    83. 

  83. curl -sk $SERVURL/CONFIGURE -d gateway_saml=prelogin-cookie
    84. 

  84. 

  85. echo -n "Simulating completed SAML to gateway... "
    86. 

  86. ( echo "prelogin-cookie" | $CLIENT $SERVURL/gateway:prelogin-cookie --cookieonly >/dev/null 2>&1) ||
    87. 

  87. test $? = 2 || # what OpenConnect returns when server rejects cookie upon tunnel connection, as the fake server does
    88. 

  88.     fail $PID "Something went wrong in fake GlobalProtect server (other than the expected rejection of cookie)"
    89. 

  89. 

  90. echo ok
    91. 

  91. 

  92. echo "Configuring fake server to require 2FA-token for gateway authentication."
    93. 

  93. curl -sk $SERVURL/CONFIGURE -d gw_2fa=1
    94. 

  94. 

  95. echo -n "Authenticating with username/password via portal, then +token via gateway... "
    96. 

  96. ( echo "test" | $CLIENT $SERVURL/portal --token-mode=totp --token-secret=FAKE --cookieonly >/dev/null 2>&1) ||
    97. 

  97.     fail $PID "Could not receive cookie from fake GlobalProtect server"
    98. 

  98. 

  99. echo ok
    100. 

  100. 

  101. echo -n "Authenticating with username/password/token via gateway... "
    102. 

  102. ( echo "test" | $CLIENT $SERVURL/gateway --token-mode=totp --token-secret=FAKE --cookieonly >/dev/null 2>&1) ||
    103. 

  103.     fail $PID "Could not receive cookie from fake GlobalProtect server"
    104. 

  104. 

  105. echo ok
    106. 

  106. 

  107. echo "Resetting fake server to default configuration."
    108. 

  108. curl -sk $SERVURL/CONFIGURE -d ''
    109. 

  109. 

  110. echo -n "Authenticating with username/password via portal, then proceeding to tunnel stage... "
    111. 

  111. echo "test" | $CLIENT $SERVURL/portal >/dev/null 2>&1
    112. 

  112. test $? = 2 || # what OpenConnect returns when server rejects cookie upon tunnel connection, as the fake server does
    113. 

  113.     fail $PID "Something went wrong in fake GlobalProtect server (other than the expected rejection of cookie)"
    114. 

  114. 

  115. echo ok
    116. 

  116. 

  117. echo -n "Authenticating with username/password via portal, then proceeding to tunnel stage (with IPv6 disabled)... "
    118. 

  118. echo "test" | $CLIENT $SERVURL/portal --disable-ipv6 >/dev/null 2>&1
    119. 

  119. test $? = 2 || # what OpenConnect returns when server rejects cookie upon tunnel connection, as the fake server does
    120. 

  120.     fail $PID "Something went wrong in fake GlobalProtect server (other than the expected rejection of cookie)"
    121. 

  121. 

  122. echo ok
    123. 

  123. 

  124. cleanup
    125. 

  125. 

  126. exit 0
    127. 

  127.