russdill / juniper-vpn-py

Python Juniper VPN Authenticator
GNU Lesser General Public License v2.1

Added support for the Periodic Host Checker #27

Open ejpir opened 5 years ago

ejpir commented 5 years ago

Added support for Periodic Host Checker.

aleksandrs-ledovskis commented 5 years ago

I noted that tncc.py remains alive and kicking after VPN connection is terminated.

Not sure what the available options are, but maybe some kind of parent (openconnect) VPN PID check is sufficient?

ejpir commented 5 years ago

@aleksandrs-ledovskis wow, thanks for the thorough review so far, appreciated! I'll try to address the improvements per comment you made ASAP.

This version was hacked together; I also need to improve my coding skills to write cleaner code =)

dlenski commented 5 years ago

I noted that tncc.py remains alive and kicking after VPN connection is terminated.

Not sure what the available options are, but maybe some kind of parent (openconnect) VPN PID check is sufficient?

Unfortunately, this won't work because it's actually running as a detached grandchild of openconnect.

However, openconnect takes care to close the socket from its end when it shuts down, so tncc.py should be able to decide to shut down when it sees EOF on the socket.
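Added example (not code from this PR or from tncc.py) of the shutdown rule described above: the helper waits on the control socket with select(), runs the periodic host check whenever the interval elapses, and exits as soon as recv() returns b'' because the peer closed its end. The socket, interval and callback names are assumptions, and the demo's timer thread is a constructed stand-in for openconnect hanging up.

```python
import select
import socket
import threading
import time


def serve_host_checker(sock, hc_interval, periodic_check, handle_command=None):
    """Loop until the peer hangs up; returns (reason, periodic_runs).
    hc_interval is in seconds; periodic_check runs once per interval."""
    periodic_runs = 0
    deadline = time.monotonic() + hc_interval
    while True:
        wait = max(0.0, deadline - time.monotonic())
        # Wake up either when the peer sends something (or closes) or when
        # the host-check interval has elapsed, whichever comes first.
        readable, _, _ = select.select([sock], [], [], wait)
        if readable:
            data = sock.recv(4096)
            if not data:
                # EOF: the VPN client closed the socket, so the detached
                # helper must not outlive it.
                return ("eof", periodic_runs)
            if handle_command is not None:
                handle_command(data)
            continue
        # select() timed out: time for the periodic host check.
        periodic_check()
        periodic_runs += 1
        deadline = time.monotonic() + hc_interval


def demo(close_after=0.35, hc_interval=0.1):
    """Constructed scenario: a timer thread plays the VPN client and closes
    its end of a socketpair after close_after seconds."""
    ours, theirs = socket.socketpair()
    threading.Timer(close_after, theirs.close).start()
    try:
        return serve_host_checker(ours, hc_interval, lambda: None)
    finally:
        ours.close()


if __name__ == "__main__":
    print(demo())
```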

aleksandrs-ledovskis commented 5 years ago

@dlenski Indeed, that is the case in the normal openconnect termination scenario; however, I clearly remember that when doing some lldb'ing and killing the openconnect target, the Python tncc.py script was still alive.

aarnaud commented 5 years ago

Based on https://gitlab.com/openconnect/openconnect/issues/7

I found why we have HTTP Error 404: Not Found.

Good work. tncc with openconnect is the only solution that works for me on Linux to replace the Pulse Secure client.

aleksandrs-ledovskis commented 5 years ago

@aarnaud Maybe some Pulse Secure server version differences come into play? I am sure that current branch works for cases I tested it with so far (for far longer connection duration than 10 minutes).

ejpir commented 5 years ago

@aarnaud I'm pretty sure the DSPREAUTH_HC cookie is correct; I did it for a reason. It had to do with the setcookie command from openconnect, which is the first cookie to be used for host checking. I don't fully remember; I'd have to dig in again and update this answer.

It might be that you got disconnected due to the userAgent, this can be configured per PCS or user/role mapping and would give you a 404 or 408 on the next (periodic) host checking interval.

Add a logging.info("hc interval: " + self.hc_interval) at line 583 to see your timeout; it might be longer than your 10 minutes and be giving you a false positive that your changes work.

As @aleksandrs-ledovskis mentioned, it might also be due to a different version of the Pulse server.