From 25f1182556b92df01724c875886efa881fbef595 Mon Sep 17 00:00:00 2001 From: Kevin Yue Date: Fri, 3 Jan 2025 12:21:49 +0000 Subject: [PATCH] feat: gpauth support macos --- Cargo.lock | 124 ++++++++++- apps/gpauth/Cargo.toml | 10 +- apps/gpauth/build.rs | 4 +- apps/gpauth/src/cli.rs | 19 +- apps/gpauth/src/main.rs | 1 + apps/gpauth/src/webview_auth.rs | 74 ++++--- crates/auth/Cargo.toml | 7 +- crates/auth/src/authenticator.rs | 14 ++ crates/auth/src/browser.rs | 4 + .../{browser_auth => browser}/auth_server.rs | 0 .../browser_auth.rs} | 87 +++++--- crates/auth/src/browser_auth.rs | 5 - .../auth/src/browser_auth/browser_auth_ext.rs | 22 -- crates/auth/src/lib.rs | 10 +- crates/auth/src/webview.rs | 9 + .../auth_messenger.rs | 1 + .../auth_response.rs | 40 ++-- crates/auth/src/webview/unix.rs | 96 +++++++++ crates/auth/src/webview/webview_auth.rs | 127 ++++++++++++ crates/auth/src/webview_auth.rs | 9 - crates/auth/src/webview_auth/auth_settings.rs | 25 --- crates/auth/src/webview_auth/unix.rs | 136 ------------ .../auth/src/webview_auth/webview_auth_ext.rs | 194 ------------------ 23 files changed, 516 insertions(+), 502 deletions(-) create mode 100644 crates/auth/src/browser.rs rename crates/auth/src/{browser_auth => browser}/auth_server.rs (100%) rename crates/auth/src/{browser_auth/browser_auth_impl.rs => browser/browser_auth.rs} (52%) delete mode 100644 crates/auth/src/browser_auth.rs delete mode 100644 crates/auth/src/browser_auth/browser_auth_ext.rs create mode 100644 crates/auth/src/webview.rs rename crates/auth/src/{webview_auth => webview}/auth_messenger.rs (99%) rename crates/auth/src/{webview_auth => webview}/auth_response.rs (77%) create mode 100644 crates/auth/src/webview/unix.rs create mode 100644 crates/auth/src/webview/webview_auth.rs delete mode 100644 crates/auth/src/webview_auth.rs delete mode 100644 crates/auth/src/webview_auth/auth_settings.rs delete mode 100644 crates/auth/src/webview_auth/unix.rs delete mode 100644 crates/auth/src/webview_auth/webview_auth_ext.rs diff --git a/Cargo.lock b/Cargo.lock index 851a918..6effbec 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -183,7 +183,7 @@ dependencies = [ "log", "open", "regex", - "tauri", + "tao 0.31.0", "tiny_http", "tokio", "tokio-util", @@ -191,6 +191,7 @@ dependencies = [ "webbrowser", "webkit2gtk", "which", + "wry 0.48.0", ] [[package]] @@ -1618,8 +1619,7 @@ dependencies = [ "gpapi", "log", "serde_json", - "tauri", - "tauri-build", + "tao 0.31.0", "tempfile", "tokio", ] @@ -4299,6 +4299,44 @@ dependencies = [ "x11-dl", ] +[[package]] +name = "tao" +version = "0.31.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cc6b53216f32e60efc27dfa111268481e4dfba53e553e4cdebcaed9db36c11bb" +dependencies = [ + "bitflags 2.6.0", + "cocoa", + "core-foundation 0.10.0", + "core-graphics", + "crossbeam-channel", + "dispatch", + "dlopen2", + "dpi", + "gdkwayland-sys", + "gdkx11-sys", + "gtk", + "jni", + "lazy_static", + "libc", + "log", + "ndk", + "ndk-context", + "ndk-sys", + "objc", + "once_cell", + "parking_lot", + "raw-window-handle", + "scopeguard", + "tao-macros", + "unicode-segmentation", + "url", + "windows 0.58.0", + "windows-core 0.58.0", + "windows-version", + "x11-dl", +] + [[package]] name = "tao-macros" version = "0.1.3" @@ -4372,7 +4410,7 @@ dependencies = [ "url", "urlpattern", "webkit2gtk", - "webview2-com", + "webview2-com 0.33.0", "window-vibrancy", "windows 0.58.0", ] @@ -4475,14 +4513,14 @@ dependencies = [ "percent-encoding", "raw-window-handle", "softbuffer", - "tao", + "tao 0.30.8", "tauri-runtime", "tauri-utils", "url", "webkit2gtk", - "webview2-com", + "webview2-com 0.33.0", "windows 0.58.0", - "wry", + "wry 0.47.2", ] [[package]] @@ -5292,7 +5330,21 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6f61ff3d9d0ee4efcb461b14eb3acfda2702d10dc329f339303fc3e57215ae2c" dependencies = [ "webview2-com-macros", - "webview2-com-sys", + "webview2-com-sys 0.33.0", + "windows 0.58.0", + "windows-core 0.58.0", + "windows-implement 0.58.0", + "windows-interface 0.58.0", +] + +[[package]] +name = "webview2-com" +version = "0.34.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "823e7ebcfaea51e78f72c87fc3b65a1e602c321f407a0b36dbb327d7bb7cd921" +dependencies = [ + "webview2-com-macros", + "webview2-com-sys 0.34.0", "windows 0.58.0", "windows-core 0.58.0", "windows-implement 0.58.0", @@ -5321,6 +5373,17 @@ dependencies = [ "windows-core 0.58.0", ] +[[package]] +name = "webview2-com-sys" +version = "0.34.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7a82bce72db6e5ee83c68b5de1e2cd6ea195b9fbff91cb37df5884cbe3222df4" +dependencies = [ + "thiserror 1.0.69", + "windows 0.58.0", + "windows-core 0.58.0", +] + [[package]] name = "which" version = "7.0.1" @@ -5822,7 +5885,50 @@ dependencies = [ "url", "webkit2gtk", "webkit2gtk-sys", - "webview2-com", + "webview2-com 0.33.0", + "windows 0.58.0", + "windows-core 0.58.0", + "windows-version", + "x11-dl", +] + +[[package]] +name = "wry" +version = "0.48.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1e644bf458e27b11b0ecafc9e5633d1304fdae82baca1d42185669752fe6ca4f" +dependencies = [ + "base64 0.22.1", + "block2", + "cookie", + "crossbeam-channel", + "dpi", + "dunce", + "gdkx11", + "gtk", + "html5ever", + "http", + "javascriptcore-rs", + "jni", + "kuchikiki", + "libc", + "ndk", + "objc2", + "objc2-app-kit", + "objc2-foundation", + "objc2-ui-kit", + "objc2-web-kit", + "once_cell", + "percent-encoding", + "raw-window-handle", + "sha2", + "soup3", + "tao-macros", + "thiserror 2.0.9", + "url", + "webkit2gtk", + "webkit2gtk-sys", + "webview2-com 0.34.0", "windows 0.58.0", "windows-core 0.58.0", "windows-version", diff --git a/apps/gpauth/Cargo.toml b/apps/gpauth/Cargo.toml index 3eb3e8d..b275465 100644 --- a/apps/gpauth/Cargo.toml +++ b/apps/gpauth/Cargo.toml @@ -6,8 +6,8 @@ version.workspace = true edition.workspace = true license.workspace = true -[build-dependencies] -tauri-build = { version = "2", features = [], optional = true } +# [build-dependencies] +# tauri-build = { version = "2", features = [], optional = true } [dependencies] gpapi = { path = "../../crates/gpapi", features = ["clap"] } @@ -25,8 +25,10 @@ tempfile.workspace = true compile-time.workspace = true # webview auth dependencies -tauri = { workspace = true, optional = true } +# tauri = { workspace = true, optional = true } +tao = { version = "0.31", optional = true } + [features] default = ["webview-auth"] -webview-auth = ["auth/webview-auth", "dep:tauri", "dep:tauri-build"] +webview-auth = ["auth/webview-auth", "dep:tao"] diff --git a/apps/gpauth/build.rs b/apps/gpauth/build.rs index 280edd3..61689b0 100644 --- a/apps/gpauth/build.rs +++ b/apps/gpauth/build.rs @@ -1,4 +1,4 @@ fn main() { - #[cfg(feature = "webview-auth")] - tauri_build::build() + // #[cfg(feature = "webview-auth")] + // tauri_build::build() } diff --git a/apps/gpauth/src/cli.rs b/apps/gpauth/src/cli.rs index 939773e..a23f179 100644 --- a/apps/gpauth/src/cli.rs +++ b/apps/gpauth/src/cli.rs @@ -1,6 +1,6 @@ use std::borrow::Cow; -use auth::{auth_prelogin, Authenticator, BrowserAuthenticator}; +use auth::{auth_prelogin, BrowserAuthenticator}; use clap::Parser; use gpapi::{ auth::{SamlAuthData, SamlAuthResult}, @@ -119,19 +119,20 @@ impl Cli { }; let auth_request: &'static str = Box::leak(auth_request.into_owned().into_boxed_str()); - let authenticator = Authenticator::new(&server, gp_params).with_auth_request(&auth_request); #[cfg(feature = "webview-auth")] let browser = self .browser .as_deref() - .or_else(|| self.default_browser.then_some("default")); + .or_else(|| self.default_browser.then(|| "default")); #[cfg(not(feature = "webview-auth"))] let browser = self.browser.as_deref().or(Some("default")); - if browser.is_some() { - let auth_result = authenticator.browser_authenticate(browser).await; + if let Some(browser) = browser { + let authenticator = BrowserAuthenticator::new(auth_request, browser); + let auth_result = authenticator.authenticate().await; + print_auth_result(auth_result); // explicitly drop openssl_conf to avoid the unused variable warning @@ -140,7 +141,13 @@ impl Cli { } #[cfg(feature = "webview-auth")] - crate::webview_auth::authenticate(&self, authenticator, openssl_conf)?; + { + let builder = auth::WebviewAuthenticator::builder(server, gp_params) + .auth_request(auth_request) + .clean(self.clean); + crate::webview_auth::authenticate(builder, openssl_conf).await?; + } + // crate::webview_auth::authenticate(self, openssl_conf).await?; Ok(()) } diff --git a/apps/gpauth/src/main.rs b/apps/gpauth/src/main.rs index 29246ad..393941d 100644 --- a/apps/gpauth/src/main.rs +++ b/apps/gpauth/src/main.rs @@ -1,6 +1,7 @@ #![cfg_attr(not(debug_assertions), windows_subsystem = "windows")] mod cli; + #[cfg(feature = "webview-auth")] mod webview_auth; diff --git a/apps/gpauth/src/webview_auth.rs b/apps/gpauth/src/webview_auth.rs index 61c2406..9700181 100644 --- a/apps/gpauth/src/webview_auth.rs +++ b/apps/gpauth/src/webview_auth.rs @@ -1,41 +1,63 @@ -use auth::{Authenticator, WebviewAuthenticator}; +use auth::WebviewAuthenticatorBuilder; use log::info; -use tauri::RunEvent; +use tao::{ + event::{Event, WindowEvent}, + event_loop::{ControlFlow, EventLoopBuilder}, +}; use tempfile::NamedTempFile; use crate::cli::{print_auth_result, Cli}; -pub fn authenticate( - cli: &Cli, - authenticator: Authenticator<'static>, +pub async fn authenticate<'a>( + builder: WebviewAuthenticatorBuilder<'a>, mut openssl_conf: Option, ) -> anyhow::Result<()> { - let authenticator = authenticator.with_clean(cli.clean); + let event_loop = EventLoopBuilder::with_user_event().build(); + let authenticator = builder.build(&event_loop)?; - tauri::Builder::default() - .setup(move |app| { - let app_handle = app.handle().clone(); + authenticator.authenticate().await?; - tauri::async_runtime::spawn(async move { - let auth_result = authenticator.webview_authenticate(&app_handle).await; - print_auth_result(auth_result); + event_loop.run(move |event, _, control_flow| { + *control_flow = ControlFlow::Wait; - // Ensure the app exits after the authentication process - app_handle.exit(0); - }); - - Ok(()) - }) - .build(tauri::generate_context!())? - .run(move |_app_handle, event| { - if let RunEvent::Exit = event { - if let Some(file) = openssl_conf.take() { - if let Err(err) = file.close() { - info!("Error closing OpenSSL config file: {}", err); - } + if let Event::WindowEvent { + event: WindowEvent::CloseRequested, + .. + } = event + { + *control_flow = ControlFlow::Exit; + if let Some(file) = openssl_conf.take() { + if let Err(err) = file.close() { + info!("Error closing OpenSSL config file: {}", err); } } - }); + } + }); Ok(()) + + // tauri::Builder::default() + // .setup(move |app| { + // let app_handle = app.handle().clone(); + + // tauri::async_runtime::spawn(async move { + // let auth_result = authenticator.webview_authenticate(&app_handle).await; + // print_auth_result(auth_result); + + // // Ensure the app exits after the authentication process + // app_handle.exit(0); + // }); + + // Ok(()) + // }) + // .build(tauri::generate_context!())? + // .run(move |_app_handle, event| { + // if let RunEvent::Exit = event { + // if let Some(file) = openssl_conf.take() { + // if let Err(err) = file.close() { + // info!("Error closing OpenSSL config file: {}", err); + // } + // } + // } + // }); } diff --git a/crates/auth/Cargo.toml b/crates/auth/Cargo.toml index 9e640f2..8221f8d 100644 --- a/crates/auth/Cargo.toml +++ b/crates/auth/Cargo.toml @@ -23,7 +23,8 @@ tiny_http = { version = "0.12", optional = true } uuid = { version = "1", optional = true, features = ["v4"] } # Webview auth dependencies -tauri = { workspace = true, optional = true } +wry = { version = "0.48", optional = true } +tao = { version = "0.31", optional = true } regex = { workspace = true, optional = true } tokio-util = { workspace = true, optional = true } html-escape = { version = "0.2.13", optional = true } @@ -40,10 +41,10 @@ browser-auth = [ "dep:uuid", ] webview-auth = [ - "dep:tauri", + "dep:wry", + "dep:tao", "dep:regex", "dep:tokio-util", "dep:html-escape", "dep:webkit2gtk", - "gpapi/tauri", ] diff --git a/crates/auth/src/authenticator.rs b/crates/auth/src/authenticator.rs index 200d4fa..935e134 100644 --- a/crates/auth/src/authenticator.rs +++ b/crates/auth/src/authenticator.rs @@ -6,11 +6,20 @@ use gpapi::{ portal::{prelogin, Prelogin}, }; +#[cfg(feature = "webview-auth")] +pub trait ResponseReader { +} + pub struct Authenticator<'a> { server: &'a str, auth_request: Option<&'a str>, pub(crate) gp_params: &'a GpParams, + #[cfg(feature = "webview-auth")] + pub(crate) window: Option, + // #[cfg(feature = "webview-auth")] + // pub(crate) response_reader: Option>, + #[cfg(feature = "webview-auth")] pub(crate) clean: bool, #[cfg(feature = "webview-auth")] @@ -24,6 +33,11 @@ impl<'a> Authenticator<'a> { gp_params, auth_request: None, + #[cfg(feature = "webview-auth")] + window: None, + // #[cfg(feature = "webview-auth")] + // response_reader: None, + #[cfg(feature = "webview-auth")] clean: false, #[cfg(feature = "webview-auth")] diff --git a/crates/auth/src/browser.rs b/crates/auth/src/browser.rs new file mode 100644 index 0000000..f800eb3 --- /dev/null +++ b/crates/auth/src/browser.rs @@ -0,0 +1,4 @@ +mod auth_server; +mod browser_auth; + +pub use browser_auth::BrowserAuthenticator; diff --git a/crates/auth/src/browser_auth/auth_server.rs b/crates/auth/src/browser/auth_server.rs similarity index 100% rename from crates/auth/src/browser_auth/auth_server.rs rename to crates/auth/src/browser/auth_server.rs diff --git a/crates/auth/src/browser_auth/browser_auth_impl.rs b/crates/auth/src/browser/browser_auth.rs similarity index 52% rename from crates/auth/src/browser_auth/browser_auth_impl.rs rename to crates/auth/src/browser/browser_auth.rs index 2d31152..c68e8b9 100644 --- a/crates/auth/src/browser_auth/browser_auth_impl.rs +++ b/crates/auth/src/browser/browser_auth.rs @@ -4,30 +4,45 @@ use gpapi::{auth::SamlAuthData, GP_CALLBACK_PORT_FILENAME}; use log::info; use tokio::{io::AsyncReadExt, net::TcpListener}; -use super::auth_server::AuthServer; +use crate::browser::auth_server::AuthServer; -pub(super) struct BrowserAuthenticatorImpl<'a> { - auth_request: &'a str, - browser: Option<&'a str>, +pub enum Browser<'a> { + Default, + Chrome, + Firefox, + Other(&'a str), } -impl BrowserAuthenticatorImpl<'_> { - pub fn new(auth_request: &str) -> BrowserAuthenticatorImpl { - BrowserAuthenticatorImpl { - auth_request, - browser: None, +impl<'a> Browser<'a> { + pub fn from_str(browser: &'a str) -> Self { + match browser.to_lowercase().as_str() { + "default" => Browser::Default, + "chrome" => Browser::Chrome, + "firefox" => Browser::Firefox, + _ => Browser::Other(browser), } } - pub fn new_with_browser<'a>(auth_request: &'a str, browser: &'a str) -> BrowserAuthenticatorImpl<'a> { - let browser = browser.trim(); - BrowserAuthenticatorImpl { + fn as_str(&self) -> &str { + match self { + Browser::Default => "default", + Browser::Chrome => "chrome", + Browser::Firefox => "firefox", + Browser::Other(browser) => browser, + } + } +} + +pub struct BrowserAuthenticator<'a> { + auth_request: &'a str, + browser: Browser<'a>, +} + +impl<'a> BrowserAuthenticator<'a> { + pub fn new(auth_request: &'a str, browser: &'a str) -> Self { + Self { auth_request, - browser: if browser.is_empty() || browser == "default" { - None - } else { - Some(browser) - }, + browser: Browser::from_str(browser), } } @@ -40,14 +55,17 @@ impl BrowserAuthenticatorImpl<'_> { auth_server.serve_request(&auth_request); }); - if let Some(browser) = self.browser { - let app = find_browser_path(browser); + match self.browser { + Browser::Default => { + info!("Launching the default browser..."); + webbrowser::open(&auth_url)?; + } + _ => { + let app = find_browser_path(&self.browser); - info!("Launching browser: {}", app); - open::with_detached(auth_url, app)?; - } else { - info!("Launching the default browser..."); - webbrowser::open(&auth_url)?; + info!("Launching browser: {}", app); + open::with_detached(auth_url, app)?; + } } info!("Please continue the authentication process in the default browser"); @@ -55,15 +73,18 @@ impl BrowserAuthenticatorImpl<'_> { } } -fn find_browser_path(browser: &str) -> String { - if browser == "chrome" { - which::which("google-chrome-stable") - .or_else(|_| which::which("google-chrome")) - .or_else(|_| which::which("chromium")) - .map(|path| path.to_string_lossy().to_string()) - .unwrap_or_else(|_| browser.to_string()) - } else { - browser.into() +fn find_browser_path(browser: &Browser) -> String { + match browser { + Browser::Chrome => { + const CHROME_VARIANTS: &[&str] = &["google-chrome-stable", "google-chrome", "chromium"]; + + CHROME_VARIANTS + .iter() + .find_map(|&browser_name| which::which(browser_name).ok()) + .map(|path| path.to_string_lossy().to_string()) + .unwrap_or_else(|| browser.as_str().to_string()) + } + _ => browser.as_str().to_string(), } } diff --git a/crates/auth/src/browser_auth.rs b/crates/auth/src/browser_auth.rs deleted file mode 100644 index b8917d6..0000000 --- a/crates/auth/src/browser_auth.rs +++ /dev/null @@ -1,5 +0,0 @@ -mod auth_server; -mod browser_auth_ext; -mod browser_auth_impl; - -pub use browser_auth_ext::BrowserAuthenticator; diff --git a/crates/auth/src/browser_auth/browser_auth_ext.rs b/crates/auth/src/browser_auth/browser_auth_ext.rs deleted file mode 100644 index fe6e815..0000000 --- a/crates/auth/src/browser_auth/browser_auth_ext.rs +++ /dev/null @@ -1,22 +0,0 @@ -use std::future::Future; - -use gpapi::auth::SamlAuthData; - -use crate::{browser_auth::browser_auth_impl::BrowserAuthenticatorImpl, Authenticator}; - -pub trait BrowserAuthenticator { - fn browser_authenticate(&self, browser: Option<&str>) -> impl Future> + Send; -} - -impl BrowserAuthenticator for Authenticator<'_> { - async fn browser_authenticate(&self, browser: Option<&str>) -> anyhow::Result { - let auth_request = self.initial_auth_request().await?; - let browser_auth = if let Some(browser) = browser { - BrowserAuthenticatorImpl::new_with_browser(&auth_request, browser) - } else { - BrowserAuthenticatorImpl::new(&auth_request) - }; - - browser_auth.authenticate().await - } -} diff --git a/crates/auth/src/lib.rs b/crates/auth/src/lib.rs index ef46475..e8b10f1 100644 --- a/crates/auth/src/lib.rs +++ b/crates/auth/src/lib.rs @@ -3,11 +3,13 @@ pub use authenticator::auth_prelogin; pub use authenticator::Authenticator; #[cfg(feature = "browser-auth")] -mod browser_auth; +mod browser; + #[cfg(feature = "browser-auth")] -pub use browser_auth::BrowserAuthenticator; +pub use browser::*; #[cfg(feature = "webview-auth")] -mod webview_auth; +mod webview; + #[cfg(feature = "webview-auth")] -pub use webview_auth::WebviewAuthenticator; +pub use webview::*; diff --git a/crates/auth/src/webview.rs b/crates/auth/src/webview.rs new file mode 100644 index 0000000..e56c4c1 --- /dev/null +++ b/crates/auth/src/webview.rs @@ -0,0 +1,9 @@ +mod auth_messenger; +mod auth_response; + +#[cfg_attr(not(target_os = "macos"), path = "webview/unix.rs")] +mod platform_impl; +mod webview_auth; + +pub use webview_auth::WebviewAuthenticator; +pub use webview_auth::WebviewAuthenticatorBuilder; diff --git a/crates/auth/src/webview_auth/auth_messenger.rs b/crates/auth/src/webview/auth_messenger.rs similarity index 99% rename from crates/auth/src/webview_auth/auth_messenger.rs rename to crates/auth/src/webview/auth_messenger.rs index 29e4da8..3a11608 100644 --- a/crates/auth/src/webview_auth/auth_messenger.rs +++ b/crates/auth/src/webview/auth_messenger.rs @@ -4,6 +4,7 @@ use log::{error, info}; use tokio::sync::{mpsc, RwLock}; use tokio_util::sync::CancellationToken; +#[derive(Debug)] pub enum AuthError { /// Failed to load page due to TLS error TlsError, diff --git a/crates/auth/src/webview_auth/auth_response.rs b/crates/auth/src/webview/auth_response.rs similarity index 77% rename from crates/auth/src/webview_auth/auth_response.rs rename to crates/auth/src/webview/auth_response.rs index 75a5a65..854ca73 100644 --- a/crates/auth/src/webview_auth/auth_response.rs +++ b/crates/auth/src/webview/auth_response.rs @@ -1,5 +1,3 @@ -use std::sync::Arc; - use gpapi::{ auth::{AuthDataParseResult, SamlAuthData}, error::AuthDataParseError, @@ -7,35 +5,29 @@ use gpapi::{ use log::{info, warn}; use regex::Regex; -use crate::webview_auth::auth_messenger::{AuthError, AuthMessenger}; +use crate::webview::auth_messenger::AuthError; -/// Trait for handling authentication response -pub trait AuthResponse { - fn get_header(&self, key: &str) -> Option; - fn get_body(&self, cb: F) - where - F: FnOnce(anyhow::Result>) + 'static; +use super::{auth_messenger::AuthResult, platform_impl::AuthResponse}; - fn url(&self) -> Option; - - fn is_acs_endpoint(&self) -> bool { - self.url().map_or(false, |url| url.ends_with("/SAML20/SP/ACS")) - } +fn is_acs_endpoint(auth_response: &AuthResponse) -> bool { + auth_response.url().map_or(false, |url| url.ends_with("/SAML20/SP/ACS")) } -pub fn read_auth_data(auth_response: &impl AuthResponse, auth_messenger: &Arc) { - let auth_messenger = Arc::clone(auth_messenger); - - match read_from_headers(auth_response) { +pub fn read_auth_data(auth_response: AuthResponse, cb: F) +where + F: Fn(AuthResult) + 'static, +{ + match read_from_headers(&auth_response) { Ok(auth_data) => { info!("Found auth data in headers"); - auth_messenger.send_auth_data(auth_data); + cb(Ok(auth_data)) } + Err(header_err) => { info!("Failed to read auth data from headers: {}", header_err); - let is_acs_endpoint = auth_response.is_acs_endpoint(); - read_from_body(auth_response, move |auth_result| { + let is_acs_endpoint = is_acs_endpoint(&auth_response); + read_from_body(&auth_response, move |auth_result| { // If the endpoint is `/SAML20/SP/ACS` and no auth data found in body, it should be considered as invalid let auth_result = auth_result.map_err(move |e| { info!("Failed to read auth data from body: {}", e); @@ -46,13 +38,13 @@ pub fn read_auth_data(auth_response: &impl AuthResponse, auth_messenger: &Arc AuthDataParseResult { +fn read_from_headers(auth_response: &AuthResponse) -> AuthDataParseResult { let Some(status) = auth_response.get_header("saml-auth-status") else { info!("No SAML auth status found in headers"); return Err(AuthDataParseError::NotFound); @@ -73,7 +65,7 @@ fn read_from_headers(auth_response: &impl AuthResponse) -> AuthDataParseResult { }) } -fn read_from_body(auth_response: &impl AuthResponse, cb: F) +fn read_from_body(auth_response: &AuthResponse, cb: F) where F: FnOnce(AuthDataParseResult) + 'static, { diff --git a/crates/auth/src/webview/unix.rs b/crates/auth/src/webview/unix.rs new file mode 100644 index 0000000..41dbbce --- /dev/null +++ b/crates/auth/src/webview/unix.rs @@ -0,0 +1,96 @@ +use std::sync::Arc; + +use gpapi::utils::redact::redact_uri; +use log::warn; +use webkit2gtk::{ + gio::Cancellable, glib::GString, LoadEvent, URIResponseExt, WebResource, WebResourceExt, WebView, WebViewExt, +}; +use wry::WebViewExtUnix; + +use crate::webview::auth_messenger::AuthError; + +pub struct AuthResponse { + web_resource: WebResource, +} + +impl AuthResponse { + pub fn url(&self) -> Option { + self.web_resource.uri().map(GString::into) + } + + pub fn get_header(&self, key: &str) -> Option { + self + .web_resource + .response() + .and_then(|response| response.http_headers()) + .and_then(|headers| headers.one(key)) + .map(GString::into) + } + + pub fn get_body(&self, cb: F) + where + F: FnOnce(anyhow::Result>) + 'static, + { + let cancellable = Cancellable::NONE; + self.web_resource.data(cancellable, move |data| { + cb(data.map_err(|e| anyhow::anyhow!(e))); + }); + } +} + +pub fn connect_webview_response(wv: &wry::WebView, cb: F) +where + F: Fn(anyhow::Result) + 'static, +{ + let wv = wv.webview(); + let cb = Arc::new(cb); + + let cb_clone = Arc::clone(&cb); + wv.connect_load_changed(move |wv, event| { + if event == LoadEvent::Started { + // TODO; + // auth_messenger_clone.cancel_raise_window(); + return; + } + + if event != LoadEvent::Finished { + return; + } + + let Some(web_resource) = wv.main_resource() else { + return; + }; + + let uri = web_resource.uri().unwrap_or("".into()); + if uri.is_empty() { + warn!("Loaded an empty URI"); + cb_clone(Err(AuthError::Invalid)); + return; + } + + let response = AuthResponse { web_resource }; + + cb_clone(Ok(response)); + }); + + wv.connect_load_failed_with_tls_errors(move |_wv, uri, cert, err| { + let redacted_uri = redact_uri(uri); + warn!( + "Failed to load uri: {} with error: {}, cert: {}", + redacted_uri, err, cert + ); + + cb(Err(AuthError::TlsError)); + true + }); + + wv.connect_load_failed(move |_wv, _event, uri, err| { + let redacted_uri = redact_uri(uri); + if !uri.starts_with("globalprotectcallback:") { + warn!("Failed to load uri: {} with error: {}", redacted_uri, err); + } + // NOTE: Don't send error here, since load_changed event will be triggered after this + // true to stop other handlers from being invoked for the event. false to propagate the event further. + true + }); +} diff --git a/crates/auth/src/webview/webview_auth.rs b/crates/auth/src/webview/webview_auth.rs new file mode 100644 index 0000000..13bf66c --- /dev/null +++ b/crates/auth/src/webview/webview_auth.rs @@ -0,0 +1,127 @@ +use std::borrow::Cow; + +use gpapi::{auth::SamlAuthData, gp_params::GpParams}; +use tao::{ + event_loop::EventLoop, + window::{Window, WindowBuilder}, +}; +use wry::WebViewBuilder; + +use crate::{auth_prelogin, webview::auth_response::read_auth_data}; + +use super::platform_impl::connect_webview_response; + +pub struct WebviewAuthenticator<'a> { + server: &'a str, + gp_params: &'a GpParams, + auth_request: Option<&'a str>, + clean: bool, + + window: Window, + webview: wry::WebView, + // response_reader: AuthResponseReader, + // pub(crate) window: Option, + // #[cfg(feature = "webview-auth")] + // pub(crate) response_reader: Option>, + + // pub(crate) is_retrying: tokio::sync::RwLock, +} + +impl<'a> WebviewAuthenticator<'a> { + pub fn builder(server: &'a str, gp_params: &'a GpParams) -> WebviewAuthenticatorBuilder<'a> { + WebviewAuthenticatorBuilder { + server, + gp_params, + auth_request: None, + clean: false, + } + } + + pub async fn authenticate(&self) -> anyhow::Result<()> { + let auth_request = match self.auth_request { + Some(auth_request) => Cow::Borrowed(auth_request), + None => Cow::Owned(auth_prelogin(&self.server, &self.gp_params).await?), + }; + + if auth_request.starts_with("http") { + self.webview.load_url(&auth_request)?; + } else { + self.webview.load_html(&auth_request)?; + } + + Ok(()) + } +} + +pub struct WebviewAuthenticatorBuilder<'a> { + server: &'a str, + gp_params: &'a GpParams, + auth_request: Option<&'a str>, + clean: bool, +} + +impl<'a> WebviewAuthenticatorBuilder<'a> { + pub fn auth_request(mut self, auth_request: &'a str) -> Self { + self.auth_request = Some(auth_request); + self + } + + pub fn clean(mut self, clean: bool) -> Self { + self.clean = clean; + self + } + + pub fn build( + self, + event_loop: &'a EventLoop>, + ) -> anyhow::Result> { + let window = WindowBuilder::new() + .with_title("GlobalProtect Authentication") + .with_focused(true) + .build(event_loop)?; + + let builder = WebViewBuilder::new(); + + #[cfg(not(target_os = "macos"))] + let webview = { + use tao::platform::unix::WindowExtUnix; + use wry::WebViewBuilderExtUnix; + let vbox = window + .default_vbox() + .ok_or_else(|| anyhow::anyhow!("Failed to get default vbox"))?; + builder.build_gtk(vbox)? + }; + + connect_webview_response(&webview, |response| { + // println!("Received response: {:?}", response.unwrap().url()); + match response { + Ok(response) => read_auth_data(response, |auth_result| { + println!("Auth result: {:?}", auth_result); + }), + Err(err) => todo!(), + } + }); + + // let event_proxy = event_loop.create_proxy(); + + // let response_reader = AuthResponseReader::new(&webview).on_response(move |response| { + // // println!("Received response: {:?}", response.unwrap().url()); + // match response { + // Ok(response) => read_auth_data(response, |auth_result| { + // // println!("Auth result: {:?}", auth_result); + // }), + // Err(err) => todo!(), + // } + // }); + + Ok(WebviewAuthenticator { + server: self.server, + gp_params: self.gp_params, + auth_request: None, + clean: false, + window, + webview, + // response_reader, + }) + } +} diff --git a/crates/auth/src/webview_auth.rs b/crates/auth/src/webview_auth.rs deleted file mode 100644 index cc9e296..0000000 --- a/crates/auth/src/webview_auth.rs +++ /dev/null @@ -1,9 +0,0 @@ -mod auth_messenger; -mod auth_response; -mod auth_settings; -mod webview_auth_ext; - -#[cfg_attr(not(target_os = "macos"), path = "webview_auth/unix.rs")] -mod platform_impl; - -pub use webview_auth_ext::WebviewAuthenticator; diff --git a/crates/auth/src/webview_auth/auth_settings.rs b/crates/auth/src/webview_auth/auth_settings.rs deleted file mode 100644 index 6adb90e..0000000 --- a/crates/auth/src/webview_auth/auth_settings.rs +++ /dev/null @@ -1,25 +0,0 @@ -use std::sync::Arc; - -use super::auth_messenger::AuthMessenger; - -pub struct AuthRequest<'a>(&'a str); - -impl<'a> AuthRequest<'a> { - pub fn new(auth_request: &'a str) -> Self { - Self(auth_request) - } - - pub fn is_url(&self) -> bool { - self.0.starts_with("http") - } - - pub fn as_str(&self) -> &str { - self.0 - } -} - -pub struct AuthSettings<'a> { - pub auth_request: AuthRequest<'a>, - pub auth_messenger: Arc, - pub ignore_tls_errors: bool, -} diff --git a/crates/auth/src/webview_auth/unix.rs b/crates/auth/src/webview_auth/unix.rs deleted file mode 100644 index 05ce655..0000000 --- a/crates/auth/src/webview_auth/unix.rs +++ /dev/null @@ -1,136 +0,0 @@ -use std::sync::Arc; - -use anyhow::bail; -use gpapi::utils::redact::redact_uri; -use log::{info, warn}; -use webkit2gtk::{ - gio::Cancellable, - glib::{GString, TimeSpan}, - LoadEvent, TLSErrorsPolicy, URIResponseExt, WebResource, WebResourceExt, WebView, WebViewExt, WebsiteDataManagerExt, - WebsiteDataManagerExtManual, WebsiteDataTypes, -}; - -use crate::webview_auth::{ - auth_messenger::AuthError, - auth_response::read_auth_data, - auth_settings::{AuthRequest, AuthSettings}, -}; - -use super::auth_response::AuthResponse; - -impl AuthResponse for WebResource { - fn get_header(&self, key: &str) -> Option { - self - .response() - .and_then(|response| response.http_headers()) - .and_then(|headers| headers.one(key)) - .map(GString::into) - } - - fn get_body(&self, cb: F) - where - F: FnOnce(anyhow::Result>) + 'static, - { - let cancellable = Cancellable::NONE; - self.data(cancellable, |data| cb(data.map_err(|e| anyhow::anyhow!(e)))); - } - - fn url(&self) -> Option { - self.uri().map(GString::into) - } -} - -pub fn clear_data(wv: &WebView, cb: F) -where - F: FnOnce(anyhow::Result<()>) + Send + 'static, -{ - let Some(data_manager) = wv.website_data_manager() else { - cb(Err(anyhow::anyhow!("Failed to get website data manager"))); - return; - }; - - data_manager.clear( - WebsiteDataTypes::COOKIES, - TimeSpan(0), - Cancellable::NONE, - move |result| { - cb(result.map_err(|e| anyhow::anyhow!(e))); - }, - ); -} - -pub fn setup_webview(wv: &WebView, auth_settings: AuthSettings) -> anyhow::Result<()> { - let AuthSettings { - auth_request, - auth_messenger, - ignore_tls_errors, - } = auth_settings; - let auth_messenger_clone = Arc::clone(&auth_messenger); - - let Some(data_manager) = wv.website_data_manager() else { - bail!("Failed to get website data manager"); - }; - - if ignore_tls_errors { - data_manager.set_tls_errors_policy(TLSErrorsPolicy::Ignore); - } - - wv.connect_load_changed(move |wv, event| { - if event == LoadEvent::Started { - auth_messenger_clone.cancel_raise_window(); - return; - } - - if event != LoadEvent::Finished { - return; - } - - let Some(main_resource) = wv.main_resource() else { - return; - }; - - let uri = main_resource.uri().unwrap_or("".into()); - if uri.is_empty() { - warn!("Loaded an empty URI"); - auth_messenger_clone.send_auth_error(AuthError::Invalid); - return; - } - - read_auth_data(&main_resource, &auth_messenger_clone); - }); - - wv.connect_load_failed_with_tls_errors(move |_wv, uri, cert, err| { - let redacted_uri = redact_uri(uri); - warn!( - "Failed to load uri: {} with error: {}, cert: {}", - redacted_uri, err, cert - ); - - auth_messenger.send_auth_error(AuthError::TlsError); - true - }); - - wv.connect_load_failed(move |_wv, _event, uri, err| { - let redacted_uri = redact_uri(uri); - if !uri.starts_with("globalprotectcallback:") { - warn!("Failed to load uri: {} with error: {}", redacted_uri, err); - } - // NOTE: Don't send error here, since load_changed event will be triggered after this - // true to stop other handlers from being invoked for the event. false to propagate the event further. - true - }); - - load_auth_request(wv, &auth_request); - - Ok(()) -} - -pub fn load_auth_request(wv: &WebView, auth_request: &AuthRequest) { - if auth_request.is_url() { - info!("Loading auth request as URI..."); - wv.load_uri(auth_request.as_str()); - } else { - info!("Loading auth request as HTML..."); - wv.load_html(auth_request.as_str(), None); - } -} diff --git a/crates/auth/src/webview_auth/webview_auth_ext.rs b/crates/auth/src/webview_auth/webview_auth_ext.rs deleted file mode 100644 index 0b7b7e5..0000000 --- a/crates/auth/src/webview_auth/webview_auth_ext.rs +++ /dev/null @@ -1,194 +0,0 @@ -use std::{ - future::Future, - sync::Arc, - time::{Duration, Instant}, -}; - -use anyhow::bail; -use gpapi::{auth::SamlAuthData, error::PortalError, utils::window::WindowExt}; -use log::{info, warn}; -use tauri::{AppHandle, WebviewUrl, WebviewWindow, WindowEvent}; -use tokio::{sync::oneshot, time}; - -use crate::{ - webview_auth::{ - auth_messenger::{AuthError, AuthEvent, AuthMessenger}, - auth_settings::{AuthRequest, AuthSettings}, - platform_impl, - }, - Authenticator, -}; - -pub trait WebviewAuthenticator { - fn with_clean(self, clean: bool) -> Self; - fn webview_authenticate(&self, app_handle: &AppHandle) -> impl Future> + Send; -} - -impl WebviewAuthenticator for Authenticator<'_> { - fn with_clean(mut self, clean: bool) -> Self { - self.clean = clean; - self - } - - async fn webview_authenticate(&self, app_handle: &AppHandle) -> anyhow::Result { - let auth_window = WebviewWindow::builder(app_handle, "auth_window", WebviewUrl::default()) - .title("GlobalProtect Login") - .focused(true) - .visible(false) - .center() - .build()?; - - self.auth_loop(&auth_window).await - } -} - -impl Authenticator<'_> { - async fn auth_loop(&self, auth_window: &WebviewWindow) -> anyhow::Result { - if self.clean { - self.clear_webview_data(&auth_window).await?; - } - - let auth_messenger = self.setup_auth_window(&auth_window).await?; - - loop { - match auth_messenger.subscribe().await? { - AuthEvent::Close => bail!("Authentication cancelled"), - AuthEvent::RaiseWindow => self.raise_window(auth_window), - AuthEvent::Error(AuthError::TlsError) => bail!(PortalError::TlsError), - AuthEvent::Error(AuthError::NotFound) => self.handle_not_found(auth_window, &auth_messenger), - AuthEvent::Error(AuthError::Invalid) => self.retry_auth(auth_window).await, - AuthEvent::Data(auth_data) => { - auth_window.close()?; - return Ok(auth_data); - } - } - } - } - - async fn clear_webview_data(&self, auth_window: &WebviewWindow) -> anyhow::Result<()> { - info!("Clearing webview data..."); - - let (tx, rx) = oneshot::channel::>(); - let now = Instant::now(); - auth_window.with_webview(|webview| { - platform_impl::clear_data(&webview.inner(), |result| { - if let Err(result) = tx.send(result) { - warn!("Failed to send clear data result: {:?}", result); - } - }) - })?; - - rx.await??; - info!("Webview data cleared in {:?}", now.elapsed()); - - Ok(()) - } - - async fn setup_auth_window(&self, auth_window: &WebviewWindow) -> anyhow::Result> { - info!("Setting up auth window..."); - - let auth_messenger = Arc::new(AuthMessenger::new()); - let auth_request = self.initial_auth_request().await?.into_owned(); - let ignore_tls_errors = self.gp_params.ignore_tls_errors(); - - // Handle window close event - let auth_messenger_clone = Arc::clone(&auth_messenger); - auth_window.on_window_event(move |event| { - if let WindowEvent::CloseRequested { .. } = event { - auth_messenger_clone.send_auth_event(AuthEvent::Close); - } - }); - - // Show the window after 10 seconds, so that the user can see the window if the auth process is stuck - let auth_messenger_clone = Arc::clone(&auth_messenger); - tokio::spawn(async move { - time::sleep(Duration::from_secs(10)).await; - auth_messenger_clone.send_auth_event(AuthEvent::RaiseWindow); - }); - - // setup webview - let auth_messenger_clone = Arc::clone(&auth_messenger); - let (tx, rx) = oneshot::channel::>(); - - auth_window.with_webview(move |webview| { - let auth_settings = AuthSettings { - auth_request: AuthRequest::new(&auth_request), - auth_messenger: auth_messenger_clone, - ignore_tls_errors, - }; - - let result = platform_impl::setup_webview(&webview.inner(), auth_settings); - if let Err(result) = tx.send(result) { - warn!("Failed to send setup auth window result: {:?}", result); - } - })?; - - rx.await??; - info!("Auth window setup completed"); - - Ok(auth_messenger) - } - - fn handle_not_found(&self, auth_window: &WebviewWindow, auth_messenger: &Arc) { - info!("No auth data found, it may not be the /SAML20/SP/ACS endpoint"); - - let visible = auth_window.is_visible().unwrap_or(false); - if visible { - return; - } - - auth_messenger.schedule_raise_window(1); - } - - async fn retry_auth(&self, auth_window: &WebviewWindow) { - let mut is_retrying = self.is_retrying.write().await; - if *is_retrying { - info!("Already retrying authentication, skipping..."); - return; - } - - *is_retrying = true; - drop(is_retrying); - - if let Err(err) = self.retry_auth_impl(auth_window).await { - warn!("Failed to retry authentication: {}", err); - } - - *self.is_retrying.write().await = false; - } - - async fn retry_auth_impl(&self, auth_window: &WebviewWindow) -> anyhow::Result<()> { - info!("Retrying authentication..."); - - auth_window.eval( r#" - var loading = document.createElement("div"); - loading.innerHTML = '
Got invalid token, retrying...
'; - loading.style = "position: fixed; top: 0; left: 0; width: 100%; height: 100%; background: rgba(255, 255, 255, 0.85); z-index: 99999;"; - document.body.appendChild(loading); - "#)?; - - let auth_request = self.portal_prelogin().await?; - let (tx, rx) = oneshot::channel::<()>(); - auth_window.with_webview(move |webview| { - let auth_request = AuthRequest::new(&auth_request); - platform_impl::load_auth_request(&webview.inner(), &auth_request); - - tx.send(()).expect("Failed to send message to the channel") - })?; - - rx.await?; - Ok(()) - } - - fn raise_window(&self, auth_window: &WebviewWindow) { - let visible = auth_window.is_visible().unwrap_or(false); - if visible { - return; - } - - info!("Raising auth window..."); - if let Err(err) = auth_window.raise() { - warn!("Failed to raise window: {}", err); - } - } -}