Skip camouflage check for authenticated users

Once a client has progressed through the initial
auth checks (and successfully passed the initial
camouflage check), it's safe to skip further camouflage
checks. This allows the Cisco Secure client continue
successfully through HTTP requests for /profiles//etc/ocserv/profile.xml
and /1/VPNManifest.xml.

Resolves: #544

Signed-off-by: Rob van Oostenrijk <robvanoostenrijk@users.noreply.github.com>

src/worker-vpn.c

@@ -759,6 +759,11 @@ static void check_camouflage_url(struct worker_st *ws)
 	if (WSCONFIG(ws)->camouflage_secret == NULL)
 		return;
 
+	if (ws->auth_state >= S_AUTH_COOKIE) {
+		ws->camouflage_check_passed = 1;
+		return;
+	}
+
 	char* url_camouflage_part = strchr(ws->req.url, '?');
 	if (url_camouflage_part
 		&& !strcmp(url_camouflage_part + 1, WSCONFIG(ws)->camouflage_secret))

tests/test-camouflage

@@ -65,6 +65,21 @@ if [ -z "${COOKIE}" ];then
 fi
 echo "OK"
 
+echo "Cookie: \"${COOKIE}\""
+
+# Ensure a valid HTTP cookie for cURL
+if echo "${COOKIE}" | grep -q -E "[a-z_]+=[^;]+"; then
+	HTTP_COOKIE=${COOKIE}
+else
+	HTTP_COOKIE="webvpn=${COOKIE}"
+fi
+
+echo "Checking with CURL that server returns HTTP 200 for user authenticated GET"
+http_result=$(curl --insecure https://localhost:${PORT}/cert.pem --output /dev/null --cookie "${HTTP_COOKIE}" --silent --write-out "%{http_code}")
+if [ "${http_result}" != "200" ]; then
+	fail ${PID} "Server returned ${http_result} instead of 200 for GET"
+fi
+echo "OK"
 
 echo "Connecting with cookie..."
 $OPENCONNECT -q localhost:${PORT} -u test -C "${COOKIE}" --servercert ${SERVERCERT} --script=/bin/true --verbose --pid-file "${CLIENTPIDFILE}" --background