RubyGems - snxvpn - Versions diffs - 0.1.0 → 0.1.1 - Mend

snxvpn 0.1.0 → 0.1.1

Files changed (8) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7ebfddca82d495bb99a638e2a8e0bb797cb99295b13ffacfd552254ff1480e93
-  data.tar.gz: 7f2d3fc406c4fead8ae9f0853d1141bcc45593b3ddaa0033d7be3b6502e5f08f
+  metadata.gz: c5a236667c5ac56a6d62ce31f2b7542fa191bc02b5da9d128ce2ef34f960f936
+  data.tar.gz: 2d21393ea95878e147fd7f7716f791ae0987e9e3074589084440e8fabb980019
 SHA512:
-  metadata.gz: 253421610acda74b6f0324fc49e5db3ded94d90f6a5b54809f654ef778a1f9dc67046e26f64799ce2e3e8159977207b74e95ec3ec793cb948f22828817d3daa5
-  data.tar.gz: c9eb6ce4e680b45fea302e24ec83ea0c56714963ea093187a0d1451c04ddcef76ad066a533b7f675e0493abe4a0a229ef2470999e5cec54c8955efa50bef2de5
+  metadata.gz: 1d377b517ca04c53eaed0baa5d9109d36775e1bd6e907ae6c8fa38a59d208fcfbdbd4bf78cad840d4e003ec00755c78c122250ad1d96894db34311b8a35f58d4
+  data.tar.gz: 2f6f07413208739239ae042e3b25d0b5080b71cc6e5623b1ea5609dd91a612cd5994b63680310d041d83ad5808fc81161839c1af937bda57333be94310036bc7

data/bin/snxvpn CHANGED Viewed

@@ -2,233 +2,14 @@
 $stderr.sync = true
-require 'yaml'
-require 'optparse'
-require 'net/http'
-require 'logger'
-require 'openssl'
-require 'base64'
-require 'socket'
-require 'ipaddr'
-require 'open3'
-class RetryableError < StandardError; end
-class FunkyRSA < OpenSSL::PKey::RSA
-  def initialize(mod, exp)
-    pubkey = create_encoded_pubkey_from([mod].pack("H*"), [exp].pack("H*"))
-    hexkey = [pubkey].pack("H*")
-    pemkey =  "-----BEGIN RSA PUBLIC KEY-----\n#{Base64.encode64 hexkey}-----END RSA PUBLIC KEY-----"
-    super(pemkey)
-  end
-  def hex_encrypt(s)
-    public_encrypt(s).reverse.unpack("H*").first
-  end
-  private
-  def create_encoded_pubkey_from(rawmod, rawexp)
-    modulus_hex = prepad_signed(rawmod.unpack('H*').first)
-    exponent_hex = prepad_signed(rawexp.unpack('H*').first)
-    modlen = modulus_hex.length / 2
-    explen = exponent_hex.length / 2
-    encoded_modlen = encode_length_hex(modlen)
-    encoded_explen = encode_length_hex(explen)
-    full_hex_len = modlen + explen + encoded_modlen.length/2 + encoded_explen.length/2 + 2
-    encoded_hex_len = encode_length_hex(full_hex_len)
-    "30#{encoded_hex_len}02#{encoded_modlen}#{modulus_hex}02#{encoded_explen}#{exponent_hex}"
-  end
-  def prepad_signed(hex)
-    msb = hex[0]
-    (msb < '0' || msb > '7') ? "00#{hex}" : hex
-  end
-  def encode_length_hex(der_len) # encode ASN.1 DER length field
-    return int_to_hex(der_len) if der_len <= 127
-    hex = int_to_hex(der_len)
-    size = 128 + hex.length/2
-    "#{int_to_hex(size)}#{hex}"
-  end
-  def int_to_hex(num)
-    hex = num.to_s(16)
-    hex.length.odd? ? "0#{hex}" : hex
-  end
-end
-class Runner
-  ENTRY_PATH = '/SNX/Portal/Main'.freeze
-  DEFAULTS = {
-    'realm'      => 'ssl_vpn',
-    'login_type' => 'Standard',
-    'username'   => 'anonymous',
-    'password'   => 'secret',
-    'snxpath'    => 'snx',
-  }.freeze
-  def initialize(profile, config_path: File.join(ENV['HOME'], '.snxvpn'))
-    stat = File.stat(config_path)
-    raise ArgumentError, "#{config_path} is not owned by #{ENV['USER']}" unless stat.owned?
-    raise ArgumentError, "#{config_path} mode must be 600" if stat.world_readable? || stat.world_writable?
-    raw_config = YAML.load_file(config_path)
-    raise ArgumentError, "#{config_path} contains invalid config" unless raw_config.is_a?(Hash)
-    @config = if profile
-      raise ArgumentError, "Unable to find configuration for profile '#{profile}'" unless raw_config.key?(profile)
-      DEFAULTS.merge(raw_config[profile])
-    elsif raw_config.size == 1
-      DEFAULTS.merge(raw_config.values.first)
-    else
-      raise ArgumentError, 'No profile selected'
-    end
-    @http = Net::HTTP.new(@config['host'], 443)
-    @http.use_ssl = true
-    @cookies = ["selected_realm=#{@config['realm']}"]
-  end
-  def run(retries = 10)
-    # find RSA.js
-    resp       = get(ENTRY_PATH)
-    rsa_path   = resp.body.match(/<script .*?src *\= *["'](.*RSA.js)["']/).to_a[1]
-    raise RetryableError, "Unable to detect a RSA.js script reference on login page" unless rsa_path
-    # store paths
-    login_path = resp.uri
-    rsa_path   = File.expand_path(rsa_path, File.dirname(login_path))
-    # fetch RSA.js and scan modulus and exponent
-    body     = get(rsa_path).body
-    modulus  = body.match(/var *modulus *\= *\'(\w+)\'/).to_a[1]
-    exponent = body.match(/var *exponent *\= *\'(\w+)\'/).to_a[1]
-    raise RetryableError "Unable to detect modulus/exponent in RSA.js script" unless modulus && exponent
-    # build RSA
-    rsa = FunkyRSA.new(modulus, exponent)
-    # post to login
-    resp = post(login_path,
-      password: rsa.hex_encrypt(@config['password']),
-      userName: @config['username'],
-      selectedRealm: @config['realm'],
-      loginType: @config['login_type'],
-      HeightData: '',
-      vpid_prefix: '',
-    )
-    raise RetryableError, "Expected redirect to multi-challenge, but got #{resp.uri}" unless resp.uri.include?('MultiChallenge')
-    # request OTP until successful
-    while resp.uri.include?('MultiChallenge')
-      inputs  = resp.body.scan(/<input.*?type="hidden".*?name="(username|params|HeightData)"(?:.*?value="(.+?)")?/)
-      payload = Hash[inputs]
-      print " + Enter one-time password: "
-      otp  = gets.strip
-      payload['password'] = rsa.hex_encrypt(otp)
-      resp = post(resp.uri, payload)
-    end
-    # request extender info
-    resp   = get("/SNX/extender")
-    extinf = Hash[resp.body.scan(/Extender.(\w+) *= *"(.*?)" *;/)]
-    raise RetryableError, "Unable to retrieve extender information" if extinf.empty?
-    host_ip = IPAddr.new(IPSocket.getaddress(extinf['host_name']))
-    snxinf  = [
-      "\x13\x11\x00\x00".encode('binary'),  # 4-byte magic
-      [976].pack('L<'),                     # 4-byte data length
-      [host_ip.to_i].pack('L<'),            # 4-byte host IP
-      extinf['host_name'].encode('binary').ljust(64, "\0"), # 64 bytes
-      [extinf['port'].to_i].pack('L<'),     # 4-byte port
-      ''.encode('binary').ljust(6, "\0"),   # 6-bytes blank
-      extinf['server_cn'].encode('binary').ljust(256, "\0"), # 256 bytes
-      extinf['user_name'].encode('binary').ljust(256, "\0"), # 256 bytes
-      extinf['password'].encode('binary').ljust(128, "\0"),  # 128 bytes
-      extinf['server_fingerprint'].encode('binary').ljust(256, "\0"), # 256 bytes
-      "\x01\x00".encode('binary'), # 2 bytes
-    ].join
-    output, status = Open3.capture2('snx', '-Z')
-    raise RetryableError, "Unable to start snx: #{output}" unless status.success?
-    Socket.tcp("127.0.0.1", 7776) do |sock|
-      sock.write(snxinf)
-      sock.recv(4096) # read answer
-      puts " = Connected! Please leave this running to keep VPN open."
-      sock.recv(4096) # block until snx process dies
-    end
-    puts " ! Connection closed. Exiting..."
-  rescue RetryableError
-    raise if retries < 1
-    puts " ! #{e.message}. Retrying..."
-    sleep 1
-    run(retries - 1)
-  end
-  private
-  def post(path, payload)
-    resp = @http.post(path, URI.encode_www_form(payload), headers)
-    handle_response(path, resp)
-    case resp
-    when Net::HTTPSuccess then
-      resp
-    when Net::HTTPRedirection then
-      get(resp['location'])
-    else
-      raise "unexpected response from POST #{path} - #{resp.code} #{resp.message}"
-    end
-  end
-  def get(path, retries = 10)
-    raise ArgumentError, 'too many HTTP redirects' if retries.zero?
-    resp = @http.get(path, headers)
-    handle_response(path, resp)
-    case resp
-    when Net::HTTPSuccess then
-      resp
-    when Net::HTTPRedirection then
-      get(resp['location'], retries - 1)
-    when Net::HTTPNotFound then
-      raise "unexpected response from GET #{path} - #{resp.code} #{resp.message}" unless path.include?(ENTRY_PATH)
-      resp
-    else
-      raise "unexpected response from GET #{path} - #{resp.code} #{resp.message}"
-    end
-  end
-  def headers
-    {'Cookie' => @cookies.join('; ')} unless @cookies.empty?
-  end
-  def handle_response(path, resp)
-    resp.uri = path
-    @cookies += Array(resp.get_fields('set-cookie')).map do |str|
-      str.split('; ')[0]
-    end
-    @cookies.uniq!
-  end
-end
+require 'snxvpn'
 begin
-  Runner.new(ARGV[0]).run
+  Snxvpn::CLI.new(ARGV[0]).run
 rescue OpenSSL::SSL::SSLError => e
   abort " ! #{e.message}. Are you already connected to the VPN?"
 rescue StandardError => e
   abort " ! #{e.message}. Exiting..."
+rescue SignalException => e
+  abort " ! Received #{e.class}. Exiting..."
 end if $0 == __FILE__

data/lib/snxvpn.rb ADDED Viewed

@@ -0,0 +1,17 @@
+require 'yaml'
+require 'optparse'
+require 'net/http'
+require 'logger'
+require 'openssl'
+require 'base64'
+require 'socket'
+require 'ipaddr'
+require 'open3'
+module Snxvpn
+  class RetryableError < ::StandardError; end
+end
+%w|config ext_info rsa cli|.each do |name|
+  require "snxvpn/#{name}"
+end

data/lib/snxvpn/cli.rb ADDED Viewed

@@ -0,0 +1,129 @@
+require 'yaml'
+require 'optparse'
+require 'net/http'
+require 'logger'
+require 'openssl'
+require 'base64'
+require 'socket'
+require 'ipaddr'
+require 'open3'
+module Snxvpn
+  class CLI
+    attr_reader :config, :http
+    def initialize(profile, config_path: File.join(ENV['HOME'], '.snxvpn'))
+      @config = Config.new(config_path, profile)
+      @http = Net::HTTP.new(@config[:host], 443)
+      @http.use_ssl = true
+      @cookies = ["selected_realm=#{@config[:realm]}"]
+    end
+    def run(retries = 10)
+      # find RSA.js
+      resp       = get(config[:entry_path])
+      rsa_path   = resp.body.match(/<script .*?src *\= *["'](.*RSA.js)["']/).to_a[1]
+      raise RetryableError, "Unable to detect a RSA.js script reference on login page" unless rsa_path
+      # store paths
+      login_path = resp.uri
+      rsa_path   = File.expand_path(rsa_path, File.dirname(login_path))
+      # fetch RSA.js and parse RSA
+      rsa  = RSA.parse(get(rsa_path).body)
+      raise RetryableError "Unable to detect modulus/exponent in RSA.js script" unless rsa
+      # post to login
+      resp = post(login_path,
+        password: rsa.hex_encrypt(config[:password]),
+        userName: config[:username],
+        selectedRealm: config[:realm],
+        loginType: config[:login_type],
+        HeightData: '',
+        vpid_prefix: '',
+      )
+      raise RetryableError, "Expected redirect to multi-challenge, but got #{resp.uri}" unless resp.uri.include?('MultiChallenge')
+      # request OTP until successful
+      inputs  = resp.body.scan(/<input.*?type="hidden".*?name="(username|params|HeightData)"(?:.*?value="(.+?)")?/)
+      payload = Hash[inputs]
+      while resp.uri.include?('MultiChallenge')
+        print " + Enter one-time password: "
+        otp  = gets.strip
+        payload['password'] = rsa.hex_encrypt(otp)
+        resp = post(resp.uri, payload)
+      end
+      # request extender info
+      ext_info = ExtInfo.new get("/SNX/extender").body
+      raise RetryableError, "Unable to retrieve extender information" if ext_info.empty?
+      output, status = Open3.capture2(config[:snx_path], '-Z')
+      raise RetryableError, "Unable to start snx: #{output}" unless status.success?
+      Socket.tcp('127.0.0.1', 7776) do |sock|
+        sock.write(ext_info.payload)
+        sock.recv(4096) # read answer
+        puts ' = Connected! Please leave this running to keep VPN open.'
+        sock.recv(4096) # block until snx process dies
+      end
+      puts ' ! Connection closed. Exiting...'
+    rescue RetryableError
+      raise if retries < 1
+      puts ' ! #{e.message}. Retrying...'
+      sleep 1
+      run(retries - 1)
+    end
+    private
+    def get(path, retries = 10)
+      raise ArgumentError, 'too many HTTP redirects' if retries.zero?
+      resp = @http.get(path, headers)
+      handle_response(path, resp)
+      case resp
+      when Net::HTTPSuccess then
+        resp
+      when Net::HTTPRedirection then
+        get(resp['location'], retries - 1)
+      when Net::HTTPNotFound then
+        raise "unexpected response from GET #{path} - #{resp.code} #{resp.message}" unless path.include?(config[:entry_path])
+        resp
+      else
+        raise "unexpected response from GET #{path} - #{resp.code} #{resp.message}"
+      end
+    end
+    def post(path, payload)
+      resp = @http.post(path, URI.encode_www_form(payload), headers)
+      handle_response(path, resp)
+      case resp
+      when Net::HTTPSuccess then
+        resp
+      when Net::HTTPRedirection then
+        get(resp['location'])
+      else
+        raise "unexpected response from POST #{path} - #{resp.code} #{resp.message}"
+      end
+    end
+    def headers
+      {'Cookie' => @cookies.join('; ')} unless @cookies.empty?
+    end
+    def handle_response(path, resp)
+      resp.uri = path
+      @cookies += Array(resp.get_fields('set-cookie')).map do |str|
+        str.split('; ')[0]
+      end
+      @cookies.uniq!
+    end
+  end
+end

data/lib/snxvpn/config.rb ADDED Viewed

@@ -0,0 +1,37 @@
+module Snxvpn
+  class Config < Hash
+    DEFAULTS = {
+      'realm'      => 'ssl_vpn',
+      'login_type' => 'Standard',
+      'username'   => 'anonymous',
+      'password'   => 'secret',
+      'snx_path'   => 'snx',
+      'entry_path' => '/SNX/Portal/Main',
+    }.freeze
+    def initialize(path, profile = nil)
+      stat = File.stat(path)
+      raise ArgumentError, "#{path} is not owned by the current user" unless stat.owned?
+      raise ArgumentError, "#{path} mode must be 600" if stat.world_readable? || stat.world_writable?
+      raw = YAML.load_file(path)
+      raise ArgumentError, "#{path} contains invalid config" unless raw.is_a?(Hash)
+      update DEFAULTS
+      if profile
+        raise ArgumentError, "Unable to find configuration for profile '#{profile}'" unless raw.key?(profile)
+        update raw[profile]
+      elsif raw.size == 1
+        update raw.values.first
+      else
+        raise ArgumentError, 'No profile selected'
+      end
+    end
+    def [](key)
+      super(key.to_s)
+    end
+  end
+end

data/lib/snxvpn/ext_info.rb ADDED Viewed

@@ -0,0 +1,28 @@
+module Snxvpn
+  class ExtInfo < Hash
+    def initialize(body)
+      update Hash[body.scan(/Extender.(\w+) *= *"(.*?)" *;/)]
+    end
+    def payload
+      host_ip = IPAddr.new(IPSocket.getaddress(self['host_name']))
+      snxinf  = [
+        "\x13\x11\x00\x00".encode('binary'),  # 4-byte magic
+        [976].pack('L<'),                     # 4-byte data length
+        [host_ip.to_i].pack('L<'),            # 4-byte host IP
+        self['host_name'].encode('binary').ljust(64, "\0"), # 64 bytes
+        [self['port'].to_i].pack('L<'),     # 4-byte port
+        ''.encode('binary').ljust(6, "\0"),   # 6-bytes blank
+        self['server_cn'].encode('binary').ljust(256, "\0"), # 256 bytes
+        self['user_name'].encode('binary').ljust(256, "\0"), # 256 bytes
+        self['password'].encode('binary').ljust(128, "\0"),  # 128 bytes
+        self['server_fingerprint'].encode('binary').ljust(256, "\0"), # 256 bytes
+        "\x01\x00".encode('binary'), # 2 bytes
+      ].join
+    end
+  end
+end

data/lib/snxvpn/rsa.rb ADDED Viewed

@@ -0,0 +1,57 @@
+module Snxvpn
+  class RSA < OpenSSL::PKey::RSA
+    def self.parse(body)
+      mod = body.match(/var *modulus *\= *\'(\w+)\'/).to_a[1]
+      exp = body.match(/var *exponent *\= *\'(\w+)\'/).to_a[1]
+      new(mod, exp) if mod && exp
+    end
+    def initialize(mod, exp)
+      pubkey = create_encoded_pubkey_from([mod].pack("H*"), [exp].pack("H*"))
+      hexkey = [pubkey].pack("H*")
+      pemkey =  "-----BEGIN RSA PUBLIC KEY-----\n#{Base64.encode64 hexkey}-----END RSA PUBLIC KEY-----"
+      super(pemkey)
+    end
+    def hex_encrypt(s)
+      public_encrypt(s).reverse.unpack("H*").first
+    end
+    private
+    def create_encoded_pubkey_from(rawmod, rawexp)
+      modulus_hex = prepad_signed(rawmod.unpack('H*').first)
+      exponent_hex = prepad_signed(rawexp.unpack('H*').first)
+      modlen = modulus_hex.length / 2
+      explen = exponent_hex.length / 2
+      encoded_modlen = encode_length_hex(modlen)
+      encoded_explen = encode_length_hex(explen)
+      full_hex_len = modlen + explen + encoded_modlen.length/2 + encoded_explen.length/2 + 2
+      encoded_hex_len = encode_length_hex(full_hex_len)
+      "30#{encoded_hex_len}02#{encoded_modlen}#{modulus_hex}02#{encoded_explen}#{exponent_hex}"
+    end
+    def prepad_signed(hex)
+      msb = hex[0]
+      (msb < '0' || msb > '7') ? "00#{hex}" : hex
+    end
+    def encode_length_hex(der_len) # encode ASN.1 DER length field
+      return int_to_hex(der_len) if der_len <= 127
+      hex = int_to_hex(der_len)
+      size = 128 + hex.length/2
+      "#{int_to_hex(size)}#{hex}"
+    end
+    def int_to_hex(num)
+      hex = num.to_s(16)
+      hex.length.odd? ? "0#{hex}" : hex
+    end
+  end
+end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: snxvpn
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.1.1
 platform: ruby
 authors:
 - Dimitrij Denissenko
@@ -32,6 +32,11 @@ extensions: []
 extra_rdoc_files: []
 files:
 - bin/snxvpn
+- lib/snxvpn.rb
+- lib/snxvpn/cli.rb
+- lib/snxvpn/config.rb
+- lib/snxvpn/ext_info.rb
+- lib/snxvpn/rsa.rb
 homepage: https://bitbucket.org/bsm/snxvpn
 licenses: []
 metadata: {}