cassidy/GlobalProtect-openconnect
1
0
Fork 0
mirror of https://github.com/yuezk/GlobalProtect-openconnect.git synced 2025-05-20 07:26:58 -04:00
Code Issues Projects Releases Wiki Activity

Support CAS authentication

Browse Source
This commit is contained in:
Kevin Yue
2024-04-01 06:28:20 -04:00
committed by Kevin Yue
parent b2ca82e105
commit cec0d22dc8
11 changed files with 212 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
crates/gpapi/src/auth.rs
View File

@@ -1,4 +1,4 @@
use anyhow::bail;
use anyhow::anyhow;
use regex::Regex;
use serde::{Deserialize, Serialize};
@@ -35,7 +35,7 @@ impl SamlAuthData {
}
}
pub fn parse_html(html: &str) -> anyhow::Result<SamlAuthData> {
pub fn from_html(html: &str) -> anyhow::Result<SamlAuthData> {
match parse_xml_tag(html, "saml-auth-status") {
Some(saml_status) if saml_status == "1" => {
let username = parse_xml_tag(html, "saml-username");
@@ -43,21 +43,17 @@ impl SamlAuthData {
let portal_userauthcookie = parse_xml_tag(html, "portal-userauthcookie");
if SamlAuthData::check(&username, &prelogin_cookie, &portal_userauthcookie) {
return Ok(SamlAuthData::new(
Ok(SamlAuthData::new(
username.unwrap(),
prelogin_cookie,
portal_userauthcookie,
));
))
} else {
Err(anyhow!("Found invalid auth data in HTML"))
}
bail!("Found invalid auth data in HTML");
}
Some(status) => {
bail!("Found invalid SAML status {} in HTML", status);
}
None => {
bail!("No auth data found in HTML");
}
Some(status) => Err(anyhow!("Found invalid SAML status {} in HTML", status)),
None => Err(anyhow!("No auth data found in HTML")),
}
}

89
crates/gpapi/src/credential.rs
View File

@@ -1,5 +1,6 @@
use std::collections::HashMap;
use log::info;
use serde::{Deserialize, Serialize};
use specta::Type;
@@ -155,25 +156,50 @@ impl From<PasswordCredential> for CachedCredential {
}
}
#[derive(Debug, Serialize, Deserialize, Type, Clone)]
pub struct TokenCredential {
#[serde(alias = "un")]
username: String,
token: String,
}
impl TokenCredential {
pub fn username(&self) -> &str {
&self.username
}
pub fn token(&self) -> &str {
&self.token
}
}
#[derive(Debug, Serialize, Deserialize, Type, Clone)]
#[serde(tag = "type", rename_all = "camelCase")]
pub enum Credential {
Password(PasswordCredential),
PreloginCookie(PreloginCookieCredential),
AuthCookie(AuthCookieCredential),
TokenCredential(TokenCredential),
CachedCredential(CachedCredential),
}
impl Credential {
/// Create a credential from a globalprotectcallback:<base64 encoded string>
pub fn parse_gpcallback(auth_data: &str) -> anyhow::Result<Self> {
// Remove the surrounding quotes
let auth_data = auth_data.trim_matches('"');
/// Create a credential from a globalprotectcallback:<base64 encoded string>,
/// or globalprotectcallback:cas-as=1&un=user@xyz.com&token=very_long_string
pub fn from_gpcallback(auth_data: &str) -> anyhow::Result<Self> {
let auth_data = auth_data.trim_start_matches("globalprotectcallback:");
let auth_data = decode_to_string(auth_data)?;
let auth_data = SamlAuthData::parse_html(&auth_data)?;
Self::try_from(auth_data)
if auth_data.starts_with("cas-as") {
info!("Got token auth data: {}", auth_data);
let token_cred: TokenCredential = serde_urlencoded::from_str(auth_data)?;
Ok(Self::TokenCredential(token_cred))
} else {
info!("Parsing SAML auth data...");
let auth_data = decode_to_string(auth_data)?;
let auth_data = SamlAuthData::from_html(&auth_data)?;
Self::try_from(auth_data)
}
}
pub fn username(&self) -> &str {
@@ -181,6 +207,7 @@ impl Credential {
Credential::Password(cred) => cred.username(),
Credential::PreloginCookie(cred) => cred.username(),
Credential::AuthCookie(cred) => cred.username(),
Credential::TokenCredential(cred) => cred.username(),
Credential::CachedCredential(cred) => cred.username(),
}
}
@@ -189,20 +216,23 @@ impl Credential {
let mut params = HashMap::new();
params.insert("user", self.username());
let (passwd, prelogin_cookie, portal_userauthcookie, portal_prelogonuserauthcookie) = match self {
Credential::Password(cred) => (Some(cred.password()), None, None, None),
Credential::PreloginCookie(cred) => (None, Some(cred.prelogin_cookie()), None, None),
let (passwd, prelogin_cookie, portal_userauthcookie, portal_prelogonuserauthcookie, token) = match self {
Credential::Password(cred) => (Some(cred.password()), None, None, None, None),
Credential::PreloginCookie(cred) => (None, Some(cred.prelogin_cookie()), None, None, None),
Credential::AuthCookie(cred) => (
None,
None,
Some(cred.user_auth_cookie()),
Some(cred.prelogon_user_auth_cookie()),
None,
),
Credential::TokenCredential(cred) => (None, None, None, None, Some(cred.token())),
Credential::CachedCredential(cred) => (
cred.password(),
None,
Some(cred.auth_cookie.user_auth_cookie()),
Some(cred.auth_cookie.prelogon_user_auth_cookie()),
None,
),
};
@@ -214,6 +244,10 @@ impl Credential {
portal_prelogonuserauthcookie.unwrap_or_default(),
);
if let Some(token) = token {
params.insert("token", token);
}
params
}
}
@@ -245,3 +279,38 @@ impl From<&CachedCredential> for Credential {
Self::CachedCredential(value.clone())
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn cred_from_gpcallback_cas() {
let auth_data = "globalprotectcallback:cas-as=1&un=xyz@email.com&token=very_long_string";
let cred = Credential::from_gpcallback(auth_data).unwrap();
match cred {
Credential::TokenCredential(token_cred) => {
assert_eq!(token_cred.username(), "xyz@email.com");
assert_eq!(token_cred.token(), "very_long_string");
}
_ => panic!("Expected TokenCredential"),
}
}
#[test]
fn cred_from_gpcallback_non_cas() {
let auth_data = "PGh0bWw+PCEtLSA8c2FtbC1hdXRoLXN0YXR1cz4xPC9zYW1sLWF1dGgtc3RhdHVzPjxwcmVsb2dpbi1jb29raWU+cHJlbG9naW4tY29va2llPC9wcmVsb2dpbi1jb29raWU+PHNhbWwtdXNlcm5hbWU+eHl6QGVtYWlsLmNvbTwvc2FtbC11c2VybmFtZT48c2FtbC1zbG8+bm88L3NhbWwtc2xvPjxzYW1sLVNlc3Npb25Ob3RPbk9yQWZ0ZXI+PC9zYW1sLVNlc3Npb25Ob3RPbk9yQWZ0ZXI+IC0tPjwvaHRtbD4=";
let cred = Credential::from_gpcallback(auth_data).unwrap();
match cred {
Credential::PreloginCookie(cred) => {
assert_eq!(cred.username(), "xyz@email.com");
assert_eq!(cred.prelogin_cookie(), "prelogin-cookie");
}
_ => panic!("Expected PreloginCookieCredential")
}
}
}

6
crates/gpapi/src/gp_params.rs
View File

@@ -42,7 +42,7 @@ impl ClientOs {
}
}
#[derive(Debug, Serialize, Deserialize, Type, Default)]
#[derive(Debug, Serialize, Deserialize, Type, Default, Clone)]
pub struct GpParams {
is_gateway: bool,
user_agent: String,
@@ -83,6 +83,10 @@ impl GpParams {
self.prefer_default_browser
}
pub fn set_prefer_default_browser(&mut self, prefer_default_browser: bool) {
self.prefer_default_browser = prefer_default_browser;
}
pub fn client_os(&self) -> &str {
self.client_os.as_str()
}

47
crates/gpapi/src/portal/prelogin.rs
View File

@@ -1,4 +1,4 @@
use anyhow::bail;
use anyhow::{anyhow, bail};
use log::{info, warn};
use reqwest::{Client, StatusCode};
use roxmltree::Document;
@@ -29,6 +29,7 @@ pub struct SamlPrelogin {
is_gateway: bool,
saml_request: String,
support_default_browser: bool,
is_cas: bool,
}
impl SamlPrelogin {
@@ -43,6 +44,14 @@ impl SamlPrelogin {
pub fn support_default_browser(&self) -> bool {
self.support_default_browser
}
pub fn is_cas(&self) -> bool {
self.is_cas
}
fn set_is_cas(&mut self, is_cas: bool) {
self.is_cas = is_cas;
}
}
#[derive(Debug, Serialize, Type, Clone)]
@@ -97,6 +106,29 @@ impl Prelogin {
}
pub async fn prelogin(portal: &str, gp_params: &GpParams) -> anyhow::Result<Prelogin> {
match prelogin_impl(portal, gp_params).await {
Ok(prelogin) => Ok(prelogin),
Err(e) => {
if e.to_string().contains("CAS is not supported by the client") {
info!("CAS authentication detected, retrying with default browser");
let mut gp_params = gp_params.clone();
gp_params.set_prefer_default_browser(true);
let mut prelogin = prelogin_impl(portal, &gp_params).await?;
// Mark the prelogin as CAS
if let Prelogin::Saml(saml) = &mut prelogin {
saml.set_is_cas(true);
}
Ok(prelogin)
} else {
Err(e)
}
}
}
}
pub async fn prelogin_impl(portal: &str, gp_params: &GpParams) -> anyhow::Result<Prelogin> {
let user_agent = gp_params.user_agent();
info!("Prelogin with user_agent: {}", user_agent);
@@ -107,12 +139,16 @@ pub async fn prelogin(portal: &str, gp_params: &GpParams) -> anyhow::Result<Prel
let mut params = gp_params.to_params();
params.insert("tmp", "tmp");
// CAS support requires external browser
if gp_params.prefer_default_browser() {
params.insert("default-browser", "1");
params.insert("cas-support", "yes");
}
params.retain(|k, _| REQUIRED_PARAMS.iter().any(|required_param| required_param == k));
info!("Prelogin with params: {:?}", params);
let client = Client::builder()
.danger_accept_invalid_certs(gp_params.ignore_tls_errors())
.user_agent(user_agent)
@@ -124,8 +160,8 @@ pub async fn prelogin(portal: &str, gp_params: &GpParams) -> anyhow::Result<Prel
.send()
.await
.map_err(|e| anyhow::anyhow!(PortalError::NetworkError(e.to_string())))?;
let status = res.status();
let status = res.status();
if status == StatusCode::NOT_FOUND {
bail!(PortalError::PreloginError("Prelogin endpoint not found".to_string()))
}
@@ -177,6 +213,7 @@ fn parse_res_xml(res_xml: String, is_gateway: bool) -> anyhow::Result<Prelogin>
is_gateway,
saml_request,
support_default_browser,
is_cas: false,
};
return Ok(Prelogin::Saml(saml_prelogin));
@@ -196,8 +233,8 @@ fn parse_res_xml(res_xml: String, is_gateway: bool) -> anyhow::Result<Prelogin>
label_password: label_password.unwrap(),
};
return Ok(Prelogin::Standard(standard_prelogin));
Ok(Prelogin::Standard(standard_prelogin))
} else {
Err(anyhow!("Invalid prelogin response"))
}
bail!("Invalid prelogin response");
}