Parse f5vpn urls #44

fwiesel commented Mar 11, 2022

After an endpoint-inspection, the webpage forwards
to an f5vpn url, which can now be passed on to
gof5 to extract the session-id itself.

Only missing to be a proper f5vpn handler is
logging

kayrus (Owner) commented Mar 26, 2022

@fwiesel can you provide an f5vpn URL example? I haven't seen it before.

fwiesel (Author) commented Mar 28, 2022

Sure, it seems to have the following pattern:
f5-vpn://<server-fqdn>?server=<server-fqdn>&resourcename=<resource-path-with-slashes>&resourcetype=network_access&cmd=launch&protocol=https&port=443&sid=<32*n>&token=<32-hex>&otc=<32-hex>&otc=<32-hex>

I assume, OTC seems to stand for one-time-code, and we get two of them. The sid is presumably session-id, and it is bogus, as we provide it.

@chadcatlett

Just as a voice of support for this PR. For nearly two months I've been using this PR to enable me to use gof5 with an F5 VPN endpoint that uses a web page based authentication flow.

It has consistently worked 100% of the time.

Danyc0 mentioned this pull request Jul 29, 2024

dlenski commented Jan 11, 2025

> I assume, OTC seems to stand for one-time-code, and we get two of them.

🤔
There are real-world examples of f5-vpn:// URLs which:

  1. Don't contain any otc parameters at all, only a token parameter. See Support f5-vpn:// URIs #53 or https://gitlab.com/openconnect/openconnect/-/issues/639 for examples.
  2. Contain only one otc parameter, not two. See https://lists.infradead.org/pipermail/openconnect-devel/2021-August/005035.html for an example of that.

It appears that this PR will mishandle both of those cases. Any idea how they should be detected and handled?
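
One way to handle the varying number of otc parameters raised in this comment, as an added Go example that is not code from this PR or from gof5: it collects every otc value instead of expecting exactly two. The `Launch` type, `ParseLaunch`, the 32-hex validation (taken from the pattern quoted earlier in the thread), the server/host match check and the sample URL are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
)

// Launch holds the fields of an f5-vpn:// URL (type and field names are this example's).
type Launch struct {
	Server, Resource, SID, Token string
	OTCs                         []string // the thread reports URLs with 0, 1 or 2 values
}

// Assumption: token and otc are 32 hex digits, as in the pattern quoted in the thread.
var hex32 = regexp.MustCompile(`^[0-9a-fA-F]{32}$`)

// ParseLaunch returns every otc it finds instead of assuming a fixed number of them.
func ParseLaunch(raw string) (*Launch, error) {
	u, err := url.Parse(raw)
	if err != nil {
		// url.Error embeds the raw URL, which carries the token, so it is not returned.
		return nil, errors.New("malformed URL")
	}
	if u.Scheme != "f5-vpn" {
		return nil, fmt.Errorf("unexpected scheme %q", u.Scheme)
	}
	q := u.Query()
	l := &Launch{Server: q.Get("server"), Resource: q.Get("resourcename"),
		SID: q.Get("sid"), Token: q.Get("token"), OTCs: q["otc"]}
	// Example's own check: the server parameter must name the URL's host.
	if l.Server == "" || l.Server != u.Host {
		return nil, errors.New("server parameter missing or different from host")
	}
	if !hex32.MatchString(l.Token) {
		return nil, errors.New("token missing or not 32 hex digits")
	}
	for _, otc := range l.OTCs {
		if !hex32.MatchString(otc) {
			return nil, errors.New("otc is not 32 hex digits")
		}
	}
	return l, nil
}

func main() { // constructed sample URL; the host and all values are made up
	l, err := ParseLaunch("f5-vpn://vpn.example.com?server=vpn.example.com&resourcename=/Common/na&sid=0&token=0123456789abcdef0123456789abcdef&otc=fedcba9876543210fedcba9876543210")
	fmt.Println(l, err)
}
```

The caller can then branch on `len(l.OTCs)` rather than indexing a fixed position.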

@hinricht

> There are real-world examples of f5-vpn:// URLs which:
>
> 1. Don't contain any otc parameters at all, only a token parameter. See Support f5-vpn:// URIs #53 or https://gitlab.com/openconnect/openconnect/-/issues/639 for examples.

Both issues are from me, and I need to correct the URL, it does contain an &otc=... at the end now. Maybe at the time of creating these issues our F5 setup didn't include the parameter, but now it does.

> Contain only one otc parameter, not two. See https://lists.infradead.org/pipermail/openconnect-devel/2021-August/005035.html for an example of that.
>
> It appears that this PR will mishandle both of those cases. Any idea how they should be detected and handled?

This mail is from 2021. I'd rather say let's see if this PR works for ppl now rather than trying to take care of old f5 URLs found in the internet.

I'm currently testing this PR and will report back soon.

@hinricht

I can't get further than this. From my understanding, the VPN username doesn't need to get asked because I already authenticated myself before getting the f5-vpn URL containing token + otc.

$ gof5_linux_amd64 'f5-vpn://F5-DOMAIN?server=F5-DOMAIN&resourcename=/DEPARTMENT/DESCRIPTION&resourcetype=network_access&cmd=launch&protocol=https&port=443&sid=nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn&token=TOKEN$otc=OTC'
2025/01/27 16:05:35 gof5 v0.1.4-4-g9915e0e compiled with go1.23.4 for linux/amd64
Enter VPN username: 

The version includes the sha 9915e0e which points to the commit of this MR (9915e0e).

@fwiesel Do you have an idea?

@hinricht

Ok, I made it working 🎉
I needed to login first using the session ID, obtained during the web browser authentication as specified in the README.md. Only after this, gof5 with f5-urls worked, even after logging out and in again.

Thanks for this PR, I hope it gets merged soon!

Btw, a colleague of mine also made it work, so it has been tested at least by 4 persons.
