Allow --form-entry to override hidden fields' values or mark them as text fields
This is intended to address two recent classes of issues, where authentication form fields are marked as "hidden", but in order to complete authentication successfully we need to either (1) override the field's value with a known, fixed value or (2) treat the field as a text input field instead.
In #493 (closed), a hidden form field needs to have its as-submitted value overridden in order for authentication to proceed correctly. With the official clients, this is done using JavaScript.
One potential workaround, at least for users of the OpenConnect CLI, is to simply allow overriding the value of the hidden field. With this patch, that can be done with:
openconnect --protocol=f5 --form-entry hidden_form:my_result=DESIRED_VALUE
In #489 (closed), and two similar reports from the mailing list, a Cisco challenge/2FA form appears to have marked the relevant code entry field as hidden (rather than text or password).
One potential workaround, at least for users of the OpenConnect CLI, is to simply allow marking the hidden field as a text input field. With this patch, that can be done with:
openconnect --protocol=anyconnect --form-entry challenge:challenge_code
Don't treat forms containing only hidden fields as non-empty
Filling an auth form that contains only hidden fields with fixed values shouldn't cause that form to be treated as non-empty.
However, our 'juniper-sso-auth' tests include a case where there are 2 consecutive forms containing only hidden fields, and will fail with no other change. Instead, we relax the limit of consecutive empty forms to 3, before deciding that we are stuck in an infinite loop.
Ensure that even hidden form fields have labels
Since --form-entry FORM:HIDDEN_OPTION will now cause a hidden form field to be shown as a text field, human-readable labels for such fields will be helpful. Use form field names to generate labels if needed.
Add f5-auth-and-config tests of hidden form followed by 2FA forms
Preliminaries:
- Rework fake F5 server to have a persistent configuration (as already done for fake GP server in c9b54dbf)
- Factor out some of the most repetitive elements of f5-auth-and-config (as already done for GP in 1172d807)
Secondly, add test cases to simulate those encountered in #464 (closed) and #493 (closed), where the initial login form (id="auth_form") is followed by a form with id="hidden_form", containing a single hidden field (type="hidden" name="choice" value="0").
In #493 (closed), the F5 VPN requires this hidden field to have its value overridden in order for authentication to complete. The official clients use JavaScript to do this; since OpenConnect's HTML form parsing doesn't execute JavaScript, the workaround is to override with the command-line option --form-entry hidden_form:choice=NEEDED_VALUE.
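The behaviour these commits describe can be modelled in a few lines of C. This is an added example, not OpenConnect's own code: the struct, the function names and the "name:" label format are assumptions made for illustration. It shows the two --form-entry cases (override a hidden field's value, or turn a hidden field into a prompted text field) and the rule that a form of only hidden fields still counts as empty.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model; these types and names are hypothetical, not OpenConnect's. */
enum opt_type { OPT_HIDDEN, OPT_TEXT };
struct field { const char *name; enum opt_type type; char value[64]; char label[64]; };

/* Apply one "FORM:FIELD[=VALUE]" entry to the fields of form `form_id`.
 * Returns 1 if a field matched, 0 if nothing matched, -1 if malformed. */
int apply_form_entry(const char *form_id, struct field *f, int n, const char *entry)
{
    const char *colon = strchr(entry, ':');
    if (!colon || colon == entry || !colon[1])
        return -1;
    size_t flen = (size_t)(colon - entry);
    if (strlen(form_id) != flen || strncmp(entry, form_id, flen))
        return 0;
    const char *name = colon + 1, *eq = strchr(name, '=');
    size_t nlen = eq ? (size_t)(eq - name) : strlen(name);
    for (int i = 0; i < n; i++) {
        if (strlen(f[i].name) != nlen || strncmp(f[i].name, name, nlen))
            continue;
        if (eq) {                              /* override value; type unchanged */
            snprintf(f[i].value, sizeof f[i].value, "%s", eq + 1);
        } else if (f[i].type == OPT_HIDDEN) {  /* no value given: prompt as text */
            f[i].type = OPT_TEXT;
            if (!f[i].label[0])                /* label generated from field name */
                snprintf(f[i].label, sizeof f[i].label, "%s:", f[i].name);
        }
        return 1;
    }
    return 0;
}

/* A form holding only hidden fields is empty, even after a value override. */
int form_is_empty(const struct field *f, int n)
{
    for (int i = 0; i < n; i++)
        if (f[i].type != OPT_HIDDEN)
            return 0;
    return 1;
}

int main(void)
{
    struct field f[] = {{ "choice", OPT_HIDDEN, "0", "" }};  /* constructed sample */
    apply_form_entry("hidden_form", f, 1, "hidden_form:choice=1");
    printf("value=%s empty=%d\n", f[0].value, form_is_empty(f, 1));
    return 0;
}
```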