From 298d788752a34a4e8bae1cbb60ab59a259e6978f Mon Sep 17 00:00:00 2001 From: Kevin Yue Date: Sun, 5 Jan 2025 23:42:03 +0800 Subject: [PATCH] feat: gpauth support macos --- .vscode/c_cpp_properties.json | 14 + .vscode/settings.json | 11 + Cargo.lock | 28 ++ Cargo.toml | 1 + apps/gpauth/src/cli.rs | 43 +-- apps/gpauth/src/main.rs | 1 + apps/gpauth/src/webview_auth.rs | 21 +- apps/gpclient/src/cli.rs | 19 +- apps/gpclient/src/connect.rs | 8 +- apps/gpgui-helper/src-tauri/Cargo.toml | 2 +- apps/gpgui-helper/src-tauri/src/cli.rs | 18 +- apps/gpservice/Cargo.toml | 2 +- apps/gpservice/src/cli.rs | 67 +++-- apps/gpservice/src/vpn_task.rs | 16 +- crates/auth/Cargo.toml | 12 +- crates/auth/src/authenticator.rs | 60 ---- crates/auth/src/browser.rs | 4 + .../{browser_auth => browser}/auth_server.rs | 0 .../browser_auth.rs} | 87 +++--- crates/auth/src/browser_auth.rs | 5 - .../auth/src/browser_auth/browser_auth_ext.rs | 22 -- crates/auth/src/lib.rs | 24 +- crates/auth/src/webview.rs | 8 + crates/auth/src/webview/auth_messenger.rs | 229 +++++++++++++++ crates/auth/src/webview/macos.rs | 58 ++++ crates/auth/src/webview/unix.rs | 105 +++++++ crates/auth/src/webview/webview_auth.rs | 277 ++++++++++++++++++ crates/auth/src/webview_auth.rs | 9 - .../auth/src/webview_auth/auth_messenger.rs | 108 ------- crates/auth/src/webview_auth/auth_response.rs | 152 ---------- crates/auth/src/webview_auth/auth_settings.rs | 25 -- crates/auth/src/webview_auth/unix.rs | 136 --------- .../auth/src/webview_auth/webview_auth_ext.rs | 194 ------------ crates/common/src/vpn_utils.rs | 8 +- crates/gpapi/Cargo.toml | 8 +- crates/gpapi/src/auth.rs | 19 +- crates/gpapi/src/clap/mod.rs | 55 +++- crates/gpapi/src/error.rs | 6 +- crates/gpapi/src/lib.rs | 3 + crates/gpapi/src/logger.rs | 49 ++++ crates/gpapi/src/portal/config.rs | 4 +- crates/gpapi/src/process/auth_launcher.rs | 11 + crates/gpapi/src/process/service_launcher.rs | 17 +- crates/gpapi/src/service/request.rs | 4 + crates/gpapi/src/utils/openssl.rs | 60 +++- crates/openconnect/build.rs | 7 +- 46 files changed, 1161 insertions(+), 856 deletions(-) create mode 100644 .vscode/c_cpp_properties.json delete mode 100644 crates/auth/src/authenticator.rs create mode 100644 crates/auth/src/browser.rs rename crates/auth/src/{browser_auth => browser}/auth_server.rs (100%) rename crates/auth/src/{browser_auth/browser_auth_impl.rs => browser/browser_auth.rs} (52%) delete mode 100644 crates/auth/src/browser_auth.rs delete mode 100644 crates/auth/src/browser_auth/browser_auth_ext.rs create mode 100644 crates/auth/src/webview.rs create mode 100644 crates/auth/src/webview/auth_messenger.rs create mode 100644 crates/auth/src/webview/macos.rs create mode 100644 crates/auth/src/webview/unix.rs create mode 100644 crates/auth/src/webview/webview_auth.rs delete mode 100644 crates/auth/src/webview_auth.rs delete mode 100644 crates/auth/src/webview_auth/auth_messenger.rs delete mode 100644 crates/auth/src/webview_auth/auth_response.rs delete mode 100644 crates/auth/src/webview_auth/auth_settings.rs delete mode 100644 crates/auth/src/webview_auth/unix.rs delete mode 100644 crates/auth/src/webview_auth/webview_auth_ext.rs create mode 100644 crates/gpapi/src/logger.rs diff --git a/.vscode/c_cpp_properties.json b/.vscode/c_cpp_properties.json new file mode 100644 index 0000000..dabbbe0 --- /dev/null +++ b/.vscode/c_cpp_properties.json @@ -0,0 +1,14 @@ +{ + "configurations": [ + { + "name": "Mac", + "includePath": ["/opt/homebrew/include"], + "macFrameworkPath": ["/System/Library/Frameworks", "/Library/Frameworks"], + "intelliSenseMode": "macos-clang-x64", + "compilerPath": "/usr/bin/clang", + "cStandard": "c17", + "cppStandard": "c++17" + } + ], + "version": 4 +} diff --git a/.vscode/settings.json b/.vscode/settings.json index ce40d5c..5b37155 100644 --- a/.vscode/settings.json +++ b/.vscode/settings.json @@ -23,8 +23,12 @@ "gpgui", "gpservice", "hidpi", + "Ivars", "jnlp", "LOGNAME", + "NSHTTPURL", + "NSURL", + "objc", "oneshot", "openconnect", "pkcs", @@ -55,9 +59,16 @@ "Vite", "vpnc", "vpninfo", + "webbrowser", "wmctrl", "XAUTHORITY", "yuezk" ], "rust-analyzer.cargo.features": "all", + "files.associations": { + "unistd.h": "c", + "utsname.h": "c", + "vpn.h": "c", + "openconnect.h": "c" + }, } diff --git a/Cargo.lock b/Cargo.lock index 851a918..5380ccd 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -178,9 +178,13 @@ name = "auth" version = "2.4.0" dependencies = [ "anyhow", + "block2", "gpapi", "html-escape", "log", + "objc2", + "objc2-foundation", + "objc2-web-kit", "open", "regex", "tauri", @@ -550,6 +554,16 @@ dependencies = [ "clap_derive", ] +[[package]] +name = "clap-verbosity-flag" +version = "3.0.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2678fade3b77aa3a8ff3aae87e9c008d3fb00473a41c71fbf74e91c8c7b37e84" +dependencies = [ + "clap", + "log", +] + [[package]] name = "clap_builder" version = "4.5.23" @@ -1582,8 +1596,11 @@ dependencies = [ "base64 0.22.1", "chacha20poly1305", "clap", + "clap-verbosity-flag", "dns-lookup", + "env_logger", "log", + "log-reload", "md5", "openssl", "pem", @@ -1603,6 +1620,7 @@ dependencies = [ "url", "urlencoding", "uzers", + "version-compare", "whoami", ] @@ -2425,6 +2443,16 @@ version = "0.4.22" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a7a70ba024b9dc04c27ea2f0c0548feb474ec5c54bba33a7f72f873a39d07b24" +[[package]] +name = "log-reload" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e99df759bfe829042ac9ad2d576ad0b3ffb3bad3c1f124dc0094b54441e89999" +dependencies = [ + "log", + "thiserror 1.0.69", +] + [[package]] name = "lzma-sys" version = "0.1.20" diff --git a/Cargo.toml b/Cargo.toml index 6176945..eb7d221 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -15,6 +15,7 @@ license = "GPL-3.0" anyhow = "1.0" base64 = "0.22" clap = { version = "4", features = ["derive"] } +clap-verbosity-flag = "3" ctrlc = "3.4" directories = "5.0" dns-lookup = "2.0.4" diff --git a/apps/gpauth/src/cli.rs b/apps/gpauth/src/cli.rs index 939773e..014875d 100644 --- a/apps/gpauth/src/cli.rs +++ b/apps/gpauth/src/cli.rs @@ -1,21 +1,19 @@ -use std::borrow::Cow; - -use auth::{auth_prelogin, Authenticator, BrowserAuthenticator}; +use auth::{auth_prelogin, BrowserAuthenticator}; use clap::Parser; use gpapi::{ auth::{SamlAuthData, SamlAuthResult}, - clap::{args::Os, handle_error, Args}, + clap::{args::Os, handle_error, Args, InfoLevelVerbosity}, gp_params::{ClientOs, GpParams}, utils::{normalize_server, openssl}, GP_USER_AGENT, }; -use log::{info, LevelFilter}; +use log::info; use serde_json::json; use tempfile::NamedTempFile; const VERSION: &str = concat!(env!("CARGO_PKG_VERSION"), " (", compile_time::date_str!(), ")"); -#[derive(Parser, Clone)] +#[derive(Parser)] #[command( version = VERSION, author, @@ -33,7 +31,7 @@ const VERSION: &str = concat!(env!("CARGO_PKG_VERSION"), " (", compile_time::dat See 'gpauth -h' for more information. " )] -pub(crate) struct Cli { +struct Cli { #[arg(help = "The portal server to authenticate")] server: String, @@ -75,6 +73,9 @@ pub(crate) struct Cli { #[cfg(feature = "webview-auth")] #[arg(long, help = "Clean the cache of the embedded browser")] pub clean: bool, + + #[command(flatten)] + verbose: InfoLevelVerbosity, } impl Args for Cli { @@ -110,28 +111,26 @@ impl Cli { let openssl_conf = self.prepare_env()?; let server = normalize_server(&self.server)?; - let server: &'static str = Box::leak(server.into_boxed_str()); - let gp_params: &'static GpParams = Box::leak(Box::new(self.build_gp_params())); + let gp_params = self.build_gp_params(); let auth_request = match self.saml_request.as_deref() { - Some(auth_request) => Cow::Borrowed(auth_request), - None => Cow::Owned(auth_prelogin(server, gp_params).await?), + Some(auth_request) => auth_request.to_string(), + None => auth_prelogin(&server, &gp_params).await?, }; - let auth_request: &'static str = Box::leak(auth_request.into_owned().into_boxed_str()); - let authenticator = Authenticator::new(&server, gp_params).with_auth_request(&auth_request); - #[cfg(feature = "webview-auth")] let browser = self .browser .as_deref() - .or_else(|| self.default_browser.then_some("default")); + .or_else(|| self.default_browser.then(|| "default")); #[cfg(not(feature = "webview-auth"))] let browser = self.browser.as_deref().or(Some("default")); - if browser.is_some() { - let auth_result = authenticator.browser_authenticate(browser).await; + if let Some(browser) = browser { + let authenticator = BrowserAuthenticator::new(&auth_request, browser); + let auth_result = authenticator.authenticate().await; + print_auth_result(auth_result); // explicitly drop openssl_conf to avoid the unused variable warning @@ -140,7 +139,7 @@ impl Cli { } #[cfg(feature = "webview-auth")] - crate::webview_auth::authenticate(&self, authenticator, openssl_conf)?; + crate::webview_auth::authenticate(server, gp_params, auth_request, self.clean, openssl_conf).await?; Ok(()) } @@ -158,14 +157,16 @@ impl Cli { } } -fn init_logger() { - env_logger::builder().filter_level(LevelFilter::Info).init(); +fn init_logger(cli: &Cli) { + env_logger::builder() + .filter_level(cli.verbose.log_level_filter()) + .init(); } pub async fn run() { let cli = Cli::parse(); - init_logger(); + init_logger(&cli); info!("gpauth started: {}", VERSION); if let Err(err) = cli.run().await { diff --git a/apps/gpauth/src/main.rs b/apps/gpauth/src/main.rs index 29246ad..393941d 100644 --- a/apps/gpauth/src/main.rs +++ b/apps/gpauth/src/main.rs @@ -1,6 +1,7 @@ #![cfg_attr(not(debug_assertions), windows_subsystem = "windows")] mod cli; + #[cfg(feature = "webview-auth")] mod webview_auth; diff --git a/apps/gpauth/src/webview_auth.rs b/apps/gpauth/src/webview_auth.rs index 61c2406..8325622 100644 --- a/apps/gpauth/src/webview_auth.rs +++ b/apps/gpauth/src/webview_auth.rs @@ -1,23 +1,28 @@ -use auth::{Authenticator, WebviewAuthenticator}; +use auth::WebviewAuthenticator; +use gpapi::gp_params::GpParams; use log::info; use tauri::RunEvent; use tempfile::NamedTempFile; -use crate::cli::{print_auth_result, Cli}; +use crate::cli::print_auth_result; -pub fn authenticate( - cli: &Cli, - authenticator: Authenticator<'static>, +pub async fn authenticate( + server: String, + gp_params: GpParams, + auth_request: String, + clean: bool, mut openssl_conf: Option, ) -> anyhow::Result<()> { - let authenticator = authenticator.with_clean(cli.clean); - tauri::Builder::default() .setup(move |app| { let app_handle = app.handle().clone(); tauri::async_runtime::spawn(async move { - let auth_result = authenticator.webview_authenticate(&app_handle).await; + let authenticator = WebviewAuthenticator::new(&server, &gp_params) + .with_auth_request(&auth_request) + .with_clean(clean); + + let auth_result = authenticator.authenticate(&app_handle).await; print_auth_result(auth_result); // Ensure the app exits after the authentication process diff --git a/apps/gpclient/src/cli.rs b/apps/gpclient/src/cli.rs index 005373b..3d83272 100644 --- a/apps/gpclient/src/cli.rs +++ b/apps/gpclient/src/cli.rs @@ -2,10 +2,10 @@ use std::{env::temp_dir, fs::File}; use clap::{Parser, Subcommand}; use gpapi::{ - clap::{handle_error, Args}, + clap::{handle_error, Args, InfoLevelVerbosity}, utils::openssl, }; -use log::{info, LevelFilter}; +use log::info; use tempfile::NamedTempFile; use crate::{ @@ -16,9 +16,10 @@ use crate::{ const VERSION: &str = concat!(env!("CARGO_PKG_VERSION"), " (", compile_time::date_str!(), ")"); -pub(crate) struct SharedArgs { +pub(crate) struct SharedArgs<'a> { pub(crate) fix_openssl: bool, pub(crate) ignore_tls_errors: bool, + pub(crate) verbose: &'a InfoLevelVerbosity, } #[derive(Subcommand)] @@ -60,6 +61,9 @@ struct Cli { fix_openssl: bool, #[arg(long, help = "Ignore the TLS errors")] ignore_tls_errors: bool, + + #[command(flatten)] + verbose: InfoLevelVerbosity, } impl Args for Cli { @@ -89,6 +93,7 @@ impl Cli { let shared_args = SharedArgs { fix_openssl: self.fix_openssl, ignore_tls_errors: self.ignore_tls_errors, + verbose: &self.verbose, }; if self.ignore_tls_errors { @@ -103,12 +108,12 @@ impl Cli { } } -fn init_logger(command: &CliCommand) { +fn init_logger(cli: &Cli) { let mut builder = env_logger::builder(); - builder.filter_level(LevelFilter::Info); + builder.filter_level(cli.verbose.log_level_filter()); // Output the log messages to a file if the command is the auth callback - if let CliCommand::LaunchGui(args) = command { + if let CliCommand::LaunchGui(args) = &cli.command { let auth_data = args.auth_data.as_deref().unwrap_or_default(); if !auth_data.is_empty() { if let Ok(log_file) = File::create(temp_dir().join("gpcallback.log")) { @@ -124,7 +129,7 @@ fn init_logger(command: &CliCommand) { pub(crate) async fn run() { let cli = Cli::parse(); - init_logger(&cli.command); + init_logger(&cli); info!("gpclient started: {}", VERSION); diff --git a/apps/gpclient/src/connect.rs b/apps/gpclient/src/connect.rs index 0a0ed9a..874820f 100644 --- a/apps/gpclient/src/connect.rs +++ b/apps/gpclient/src/connect.rs @@ -5,7 +5,7 @@ use clap::Args; use common::vpn_utils::find_csd_wrapper; use gpapi::{ auth::SamlAuthResult, - clap::args::Os, + clap::{args::Os, ToVerboseArg}, credential::{Credential, PasswordCredential}, error::PortalError, gateway::{gateway_login, GatewayLogin}, @@ -128,7 +128,7 @@ impl ConnectArgs { pub(crate) struct ConnectHandler<'a> { args: &'a ConnectArgs, - shared_args: &'a SharedArgs, + shared_args: &'a SharedArgs<'a>, latest_key_password: RefCell>, } @@ -356,6 +356,7 @@ impl<'a> ConnectHandler<'a> { }; let os_version = self.args.os_version(); + let verbose = self.shared_args.verbose.to_verbose_arg(); let auth_launcher = SamlAuthLauncher::new(&self.args.server) .gateway(is_gateway) .saml_request(prelogin.saml_request()) @@ -364,7 +365,8 @@ impl<'a> ConnectHandler<'a> { .os_version(Some(&os_version)) .fix_openssl(self.shared_args.fix_openssl) .ignore_tls_errors(self.shared_args.ignore_tls_errors) - .browser(browser); + .browser(browser) + .verbose(verbose); #[cfg(feature = "webview-auth")] let use_default_browser = prelogin.support_default_browser() && self.args.default_browser; diff --git a/apps/gpgui-helper/src-tauri/Cargo.toml b/apps/gpgui-helper/src-tauri/Cargo.toml index 363d928..364d2f8 100644 --- a/apps/gpgui-helper/src-tauri/Cargo.toml +++ b/apps/gpgui-helper/src-tauri/Cargo.toml @@ -10,7 +10,7 @@ license.workspace = true tauri-build = { version = "2", features = [] } [dependencies] -gpapi = { path = "../../../crates/gpapi", features = ["tauri"] } +gpapi = { path = "../../../crates/gpapi", features = ["tauri", "clap"] } tauri.workspace = true tokio.workspace = true diff --git a/apps/gpgui-helper/src-tauri/src/cli.rs b/apps/gpgui-helper/src-tauri/src/cli.rs index 8a01f55..ed92ffe 100644 --- a/apps/gpgui-helper/src-tauri/src/cli.rs +++ b/apps/gpgui-helper/src-tauri/src/cli.rs @@ -1,6 +1,9 @@ use clap::Parser; -use gpapi::utils::{base64, env_utils}; -use log::{info, LevelFilter}; +use gpapi::{ + clap::InfoLevelVerbosity, + utils::{base64, env_utils}, +}; +use log::info; use crate::app::App; @@ -15,6 +18,9 @@ struct Cli { #[arg(long, default_value = env!("CARGO_PKG_VERSION"), help = "The version of the GUI")] gui_version: String, + + #[command(flatten)] + verbose: InfoLevelVerbosity, } impl Cli { @@ -41,14 +47,16 @@ impl Cli { } } -fn init_logger() { - env_logger::builder().filter_level(LevelFilter::Info).init(); +fn init_logger(cli: &Cli) { + env_logger::builder() + .filter_level(cli.verbose.log_level_filter()) + .init(); } pub fn run() { let cli = Cli::parse(); - init_logger(); + init_logger(&cli); info!("gpgui-helper started: {}", VERSION); if let Err(e) = cli.run() { diff --git a/apps/gpservice/Cargo.toml b/apps/gpservice/Cargo.toml index 4212f43..fdff703 100644 --- a/apps/gpservice/Cargo.toml +++ b/apps/gpservice/Cargo.toml @@ -5,7 +5,7 @@ edition.workspace = true license.workspace = true [dependencies] -gpapi = { path = "../../crates/gpapi" } +gpapi = { path = "../../crates/gpapi", features = ["clap", "logger"] } openconnect = { path = "../../crates/openconnect" } clap.workspace = true anyhow.workspace = true diff --git a/apps/gpservice/src/cli.rs b/apps/gpservice/src/cli.rs index b379bb6..4fc0f61 100644 --- a/apps/gpservice/src/cli.rs +++ b/apps/gpservice/src/cli.rs @@ -3,13 +3,15 @@ use std::{collections::HashMap, io::Write}; use anyhow::bail; use clap::Parser; +use gpapi::clap::InfoLevelVerbosity; +use gpapi::logger; use gpapi::{ process::gui_launcher::GuiLauncher, service::{request::WsRequest, vpn_state::VpnState}, utils::{crypto::generate_key, env_utils, lock_file::LockFile, redact::Redaction, shutdown_signal}, GP_SERVICE_LOCK_FILE, }; -use log::{info, warn, LevelFilter}; +use log::{info, warn}; use tokio::sync::{mpsc, watch}; use crate::{vpn_task::VpnTask, ws_server::WsServer}; @@ -26,10 +28,16 @@ struct Cli { #[cfg(debug_assertions)] #[clap(long)] no_gui: bool, + + #[command(flatten)] + verbose: InfoLevelVerbosity, } impl Cli { - async fn run(&mut self, redaction: Arc) -> anyhow::Result<()> { + async fn run(&mut self) -> anyhow::Result<()> { + let redaction = self.init_logger()?; + info!("gpservice started: {}", VERSION); + let lock_file = Arc::new(LockFile::new(GP_SERVICE_LOCK_FILE)); if lock_file.check_health().await { @@ -92,6 +100,33 @@ impl Cli { Ok(()) } + fn init_logger(&self) -> anyhow::Result> { + let redaction = Arc::new(Redaction::new()); + let redaction_clone = Arc::clone(&redaction); + + let inner_logger = env_logger::builder() + // Set the log level to the Trace level, the logs will be filtered + .filter_level(log::LevelFilter::Trace) + .format(move |buf, record| { + let timestamp = buf.timestamp(); + writeln!( + buf, + "[{} {} {}] {}", + timestamp, + record.level(), + record.module_path().unwrap_or_default(), + redaction_clone.redact_str(&record.args().to_string()) + ) + }) + .build(); + + let level = self.verbose.log_level_filter().to_level().unwrap_or(log::Level::Info); + + logger::init_with_logger(level, inner_logger)?; + + Ok(redaction) + } + fn prepare_api_key(&self) -> Vec { #[cfg(debug_assertions)] if self.no_gui { @@ -102,29 +137,6 @@ impl Cli { } } -fn init_logger() -> Arc { - let redaction = Arc::new(Redaction::new()); - let redaction_clone = Arc::clone(&redaction); - // let target = Box::new(File::create("log.txt").expect("Can't create file")); - env_logger::builder() - .filter_level(LevelFilter::Info) - .format(move |buf, record| { - let timestamp = buf.timestamp(); - writeln!( - buf, - "[{} {} {}] {}", - timestamp, - record.level(), - record.module_path().unwrap_or_default(), - redaction_clone.redact_str(&record.args().to_string()) - ) - }) - // .target(env_logger::Target::Pipe(target)) - .init(); - - redaction -} - async fn launch_gui(envs: Option>, api_key: Vec, mut minimized: bool) { loop { let gui_launcher = GuiLauncher::new(env!("CARGO_PKG_VERSION"), &api_key) @@ -153,10 +165,7 @@ async fn launch_gui(envs: Option>, api_key: Vec, mut pub async fn run() { let mut cli = Cli::parse(); - let redaction = init_logger(); - info!("gpservice started: {}", VERSION); - - if let Err(e) = cli.run(redaction).await { + if let Err(e) = cli.run().await { eprintln!("Error: {}", e); std::process::exit(1); } diff --git a/apps/gpservice/src/vpn_task.rs b/apps/gpservice/src/vpn_task.rs index 9866f8a..11577d1 100644 --- a/apps/gpservice/src/vpn_task.rs +++ b/apps/gpservice/src/vpn_task.rs @@ -1,8 +1,11 @@ use std::{sync::Arc, thread}; -use gpapi::service::{ - request::{ConnectRequest, WsRequest}, - vpn_state::VpnState, +use gpapi::{ + logger, + service::{ + request::{ConnectRequest, UpdateLogLevelRequest, WsRequest}, + vpn_state::VpnState, + }, }; use log::{info, warn}; use openconnect::Vpn; @@ -158,5 +161,12 @@ async fn process_ws_req(req: WsRequest, ctx: Arc) { WsRequest::Disconnect(_) => { ctx.disconnect().await; } + WsRequest::UpdateLogLevel(UpdateLogLevelRequest(level)) => { + let level = level.parse().unwrap_or_else(|_| log::Level::Info); + info!("Updating log level to: {}", level); + if let Err(err) = logger::set_max_level(level) { + warn!("Failed to update log level: {}", err); + } + } } } diff --git a/crates/auth/Cargo.toml b/crates/auth/Cargo.toml index 9e640f2..21e456a 100644 --- a/crates/auth/Cargo.toml +++ b/crates/auth/Cargo.toml @@ -31,6 +31,12 @@ html-escape = { version = "0.2.13", optional = true } [target.'cfg(not(target_os = "macos"))'.dependencies] webkit2gtk = { version = "2", optional = true } +[target.'cfg(target_os = "macos")'.dependencies] +block2 = { version = "0.5", optional = true } +objc2 = { version = "0.5", optional = true } +objc2-foundation = { version = "0.2", optional = true } +objc2-web-kit = { version = "0.2", optional = true } + [features] browser-auth = [ "dep:webbrowser", @@ -40,10 +46,14 @@ browser-auth = [ "dep:uuid", ] webview-auth = [ + "gpapi/tauri", "dep:tauri", "dep:regex", "dep:tokio-util", "dep:html-escape", "dep:webkit2gtk", - "gpapi/tauri", + "dep:block2", + "dep:objc2", + "dep:objc2-foundation", + "dep:objc2-web-kit", ] diff --git a/crates/auth/src/authenticator.rs b/crates/auth/src/authenticator.rs deleted file mode 100644 index 200d4fa..0000000 --- a/crates/auth/src/authenticator.rs +++ /dev/null @@ -1,60 +0,0 @@ -use std::borrow::Cow; - -use anyhow::bail; -use gpapi::{ - gp_params::GpParams, - portal::{prelogin, Prelogin}, -}; - -pub struct Authenticator<'a> { - server: &'a str, - auth_request: Option<&'a str>, - pub(crate) gp_params: &'a GpParams, - - #[cfg(feature = "webview-auth")] - pub(crate) clean: bool, - #[cfg(feature = "webview-auth")] - pub(crate) is_retrying: tokio::sync::RwLock, -} - -impl<'a> Authenticator<'a> { - pub fn new(server: &'a str, gp_params: &'a GpParams) -> Self { - Self { - server, - gp_params, - auth_request: None, - - #[cfg(feature = "webview-auth")] - clean: false, - #[cfg(feature = "webview-auth")] - is_retrying: Default::default(), - } - } - - pub fn with_auth_request(mut self, auth_request: &'a str) -> Self { - if !auth_request.is_empty() { - self.auth_request = Some(auth_request); - } - self - } - - pub(crate) async fn initial_auth_request(&self) -> anyhow::Result> { - if let Some(auth_request) = self.auth_request { - return Ok(Cow::Borrowed(auth_request)); - } - - let auth_request = self.portal_prelogin().await?; - Ok(Cow::Owned(auth_request)) - } - - pub(crate) async fn portal_prelogin(&self) -> anyhow::Result { - auth_prelogin(self.server, self.gp_params).await - } -} - -pub async fn auth_prelogin(server: &str, gp_params: &GpParams) -> anyhow::Result { - match prelogin(server, gp_params).await? { - Prelogin::Saml(prelogin) => Ok(prelogin.saml_request().to_string()), - Prelogin::Standard(_) => bail!("Received non-SAML prelogin response"), - } -} diff --git a/crates/auth/src/browser.rs b/crates/auth/src/browser.rs new file mode 100644 index 0000000..f800eb3 --- /dev/null +++ b/crates/auth/src/browser.rs @@ -0,0 +1,4 @@ +mod auth_server; +mod browser_auth; + +pub use browser_auth::BrowserAuthenticator; diff --git a/crates/auth/src/browser_auth/auth_server.rs b/crates/auth/src/browser/auth_server.rs similarity index 100% rename from crates/auth/src/browser_auth/auth_server.rs rename to crates/auth/src/browser/auth_server.rs diff --git a/crates/auth/src/browser_auth/browser_auth_impl.rs b/crates/auth/src/browser/browser_auth.rs similarity index 52% rename from crates/auth/src/browser_auth/browser_auth_impl.rs rename to crates/auth/src/browser/browser_auth.rs index 2d31152..c68e8b9 100644 --- a/crates/auth/src/browser_auth/browser_auth_impl.rs +++ b/crates/auth/src/browser/browser_auth.rs @@ -4,30 +4,45 @@ use gpapi::{auth::SamlAuthData, GP_CALLBACK_PORT_FILENAME}; use log::info; use tokio::{io::AsyncReadExt, net::TcpListener}; -use super::auth_server::AuthServer; +use crate::browser::auth_server::AuthServer; -pub(super) struct BrowserAuthenticatorImpl<'a> { - auth_request: &'a str, - browser: Option<&'a str>, +pub enum Browser<'a> { + Default, + Chrome, + Firefox, + Other(&'a str), } -impl BrowserAuthenticatorImpl<'_> { - pub fn new(auth_request: &str) -> BrowserAuthenticatorImpl { - BrowserAuthenticatorImpl { - auth_request, - browser: None, +impl<'a> Browser<'a> { + pub fn from_str(browser: &'a str) -> Self { + match browser.to_lowercase().as_str() { + "default" => Browser::Default, + "chrome" => Browser::Chrome, + "firefox" => Browser::Firefox, + _ => Browser::Other(browser), } } - pub fn new_with_browser<'a>(auth_request: &'a str, browser: &'a str) -> BrowserAuthenticatorImpl<'a> { - let browser = browser.trim(); - BrowserAuthenticatorImpl { + fn as_str(&self) -> &str { + match self { + Browser::Default => "default", + Browser::Chrome => "chrome", + Browser::Firefox => "firefox", + Browser::Other(browser) => browser, + } + } +} + +pub struct BrowserAuthenticator<'a> { + auth_request: &'a str, + browser: Browser<'a>, +} + +impl<'a> BrowserAuthenticator<'a> { + pub fn new(auth_request: &'a str, browser: &'a str) -> Self { + Self { auth_request, - browser: if browser.is_empty() || browser == "default" { - None - } else { - Some(browser) - }, + browser: Browser::from_str(browser), } } @@ -40,14 +55,17 @@ impl BrowserAuthenticatorImpl<'_> { auth_server.serve_request(&auth_request); }); - if let Some(browser) = self.browser { - let app = find_browser_path(browser); + match self.browser { + Browser::Default => { + info!("Launching the default browser..."); + webbrowser::open(&auth_url)?; + } + _ => { + let app = find_browser_path(&self.browser); - info!("Launching browser: {}", app); - open::with_detached(auth_url, app)?; - } else { - info!("Launching the default browser..."); - webbrowser::open(&auth_url)?; + info!("Launching browser: {}", app); + open::with_detached(auth_url, app)?; + } } info!("Please continue the authentication process in the default browser"); @@ -55,15 +73,18 @@ impl BrowserAuthenticatorImpl<'_> { } } -fn find_browser_path(browser: &str) -> String { - if browser == "chrome" { - which::which("google-chrome-stable") - .or_else(|_| which::which("google-chrome")) - .or_else(|_| which::which("chromium")) - .map(|path| path.to_string_lossy().to_string()) - .unwrap_or_else(|_| browser.to_string()) - } else { - browser.into() +fn find_browser_path(browser: &Browser) -> String { + match browser { + Browser::Chrome => { + const CHROME_VARIANTS: &[&str] = &["google-chrome-stable", "google-chrome", "chromium"]; + + CHROME_VARIANTS + .iter() + .find_map(|&browser_name| which::which(browser_name).ok()) + .map(|path| path.to_string_lossy().to_string()) + .unwrap_or_else(|| browser.as_str().to_string()) + } + _ => browser.as_str().to_string(), } } diff --git a/crates/auth/src/browser_auth.rs b/crates/auth/src/browser_auth.rs deleted file mode 100644 index b8917d6..0000000 --- a/crates/auth/src/browser_auth.rs +++ /dev/null @@ -1,5 +0,0 @@ -mod auth_server; -mod browser_auth_ext; -mod browser_auth_impl; - -pub use browser_auth_ext::BrowserAuthenticator; diff --git a/crates/auth/src/browser_auth/browser_auth_ext.rs b/crates/auth/src/browser_auth/browser_auth_ext.rs deleted file mode 100644 index fe6e815..0000000 --- a/crates/auth/src/browser_auth/browser_auth_ext.rs +++ /dev/null @@ -1,22 +0,0 @@ -use std::future::Future; - -use gpapi::auth::SamlAuthData; - -use crate::{browser_auth::browser_auth_impl::BrowserAuthenticatorImpl, Authenticator}; - -pub trait BrowserAuthenticator { - fn browser_authenticate(&self, browser: Option<&str>) -> impl Future> + Send; -} - -impl BrowserAuthenticator for Authenticator<'_> { - async fn browser_authenticate(&self, browser: Option<&str>) -> anyhow::Result { - let auth_request = self.initial_auth_request().await?; - let browser_auth = if let Some(browser) = browser { - BrowserAuthenticatorImpl::new_with_browser(&auth_request, browser) - } else { - BrowserAuthenticatorImpl::new(&auth_request) - }; - - browser_auth.authenticate().await - } -} diff --git a/crates/auth/src/lib.rs b/crates/auth/src/lib.rs index ef46475..165da6d 100644 --- a/crates/auth/src/lib.rs +++ b/crates/auth/src/lib.rs @@ -1,13 +1,23 @@ -mod authenticator; -pub use authenticator::auth_prelogin; -pub use authenticator::Authenticator; +use anyhow::bail; +use gpapi::{ + gp_params::GpParams, + portal::{prelogin, Prelogin}, +}; #[cfg(feature = "browser-auth")] -mod browser_auth; +mod browser; + #[cfg(feature = "browser-auth")] -pub use browser_auth::BrowserAuthenticator; +pub use browser::*; #[cfg(feature = "webview-auth")] -mod webview_auth; +mod webview; #[cfg(feature = "webview-auth")] -pub use webview_auth::WebviewAuthenticator; +pub use webview::*; + +pub async fn auth_prelogin(server: &str, gp_params: &GpParams) -> anyhow::Result { + match prelogin(server, gp_params).await? { + Prelogin::Saml(prelogin) => Ok(prelogin.saml_request().to_string()), + Prelogin::Standard(_) => bail!("Received non-SAML prelogin response"), + } +} diff --git a/crates/auth/src/webview.rs b/crates/auth/src/webview.rs new file mode 100644 index 0000000..fc0a97a --- /dev/null +++ b/crates/auth/src/webview.rs @@ -0,0 +1,8 @@ +mod auth_messenger; +mod webview_auth; + +#[cfg_attr(not(target_os = "macos"), path = "webview/unix.rs")] +#[cfg_attr(target_os = "macos", path = "webview/macos.rs")] +mod platform_impl; + +pub use webview_auth::WebviewAuthenticator; diff --git a/crates/auth/src/webview/auth_messenger.rs b/crates/auth/src/webview/auth_messenger.rs new file mode 100644 index 0000000..5d70f41 --- /dev/null +++ b/crates/auth/src/webview/auth_messenger.rs @@ -0,0 +1,229 @@ +use anyhow::bail; +use gpapi::{auth::SamlAuthData, error::AuthDataParseError}; +use log::{error, info}; +use regex::Regex; +use tokio::sync::{mpsc, RwLock}; +use tokio_util::sync::CancellationToken; + +#[derive(Debug)] +pub(crate) enum AuthDataLocation { + #[cfg(not(target_os = "macos"))] + Headers, + Body, +} + +#[derive(Debug)] +pub(crate) enum AuthError { + /// Failed to load page due to TLS error + #[cfg(not(target_os = "macos"))] + TlsError, + /// 1. Found auth data in headers/body but it's invalid + /// 2. Loaded an empty page, failed to load page. etc. + Invalid(anyhow::Error, AuthDataLocation), + /// No auth data found in headers/body + NotFound(AuthDataLocation), +} + +impl AuthError { + pub fn invalid_from_body(err: anyhow::Error) -> Self { + Self::Invalid(err, AuthDataLocation::Body) + } + + pub fn not_found_in_body() -> Self { + Self::NotFound(AuthDataLocation::Body) + } +} + +#[cfg(not(target_os = "macos"))] +impl AuthError { + pub fn not_found_in_headers() -> Self { + Self::NotFound(AuthDataLocation::Headers) + } +} + +pub(crate) enum AuthEvent { + Data(SamlAuthData, AuthDataLocation), + Error(AuthError), + RaiseWindow, + Close, +} + +pub struct AuthMessenger { + tx: mpsc::UnboundedSender, + rx: RwLock>, + raise_window_cancel_token: RwLock>, +} + +impl AuthMessenger { + pub fn new() -> Self { + let (tx, rx) = mpsc::unbounded_channel(); + + Self { + tx, + rx: RwLock::new(rx), + raise_window_cancel_token: Default::default(), + } + } + + pub async fn subscribe(&self) -> anyhow::Result { + let mut rx = self.rx.write().await; + if let Some(event) = rx.recv().await { + return Ok(event); + } + bail!("Failed to receive auth event"); + } + + pub fn send_auth_event(&self, event: AuthEvent) { + if let Err(event) = self.tx.send(event) { + error!("Failed to send auth event: {}", event); + } + } + + pub fn send_auth_error(&self, err: AuthError) { + self.send_auth_event(AuthEvent::Error(err)); + } + + fn send_auth_data(&self, data: SamlAuthData, location: AuthDataLocation) { + self.send_auth_event(AuthEvent::Data(data, location)); + } + + pub fn schedule_raise_window(&self, delay: u64) { + let Ok(mut guard) = self.raise_window_cancel_token.try_write() else { + return; + }; + + // Return if the previous raise window task is still running + if let Some(token) = guard.as_ref() { + if !token.is_cancelled() { + info!("Raise window task is still running, skipping..."); + return; + } + } + + let cancel_token = CancellationToken::new(); + let cancel_token_clone = cancel_token.clone(); + + *guard = Some(cancel_token_clone); + + let tx = self.tx.clone(); + tokio::spawn(async move { + info!("Displaying the window in {} second(s)...", delay); + + tokio::select! { + _ = tokio::time::sleep(tokio::time::Duration::from_secs(delay)) => { + cancel_token.cancel(); + + if let Err(err) = tx.send(AuthEvent::RaiseWindow) { + error!("Failed to send raise window event: {}", err); + } + } + _ = cancel_token.cancelled() => { + info!("Cancelled raise window task"); + } + } + }); + } + + pub fn cancel_raise_window(&self) { + if let Ok(mut cancel_token) = self.raise_window_cancel_token.try_write() { + if let Some(token) = cancel_token.take() { + token.cancel(); + } + } + } + + pub fn read_from_html(&self, html: &str) { + if html.contains("Temporarily Unavailable") { + return self.send_auth_error(AuthError::invalid_from_body(anyhow::anyhow!("Temporarily Unavailable"))); + } + + let auth_result = SamlAuthData::from_html(html).or_else(|err| { + info!("Read auth data from html failed: {}, extracting gpcallback...", err); + + if let Some(gpcallback) = extract_gpcallback(html) { + info!("Found gpcallback from html..."); + SamlAuthData::from_gpcallback(&gpcallback) + } else { + Err(err) + } + }); + + match auth_result { + Ok(data) => self.send_auth_data(data, AuthDataLocation::Body), + Err(AuthDataParseError::Invalid(err)) => self.send_auth_error(AuthError::invalid_from_body(err)), + Err(AuthDataParseError::NotFound) => self.send_auth_error(AuthError::not_found_in_body()), + } + } + + #[cfg(not(target_os = "macos"))] + pub fn read_from_response(&self, auth_response: &impl super::webview_auth::GetHeader) { + use log::warn; + + let Some(status) = auth_response.get_header("saml-auth-status") else { + return self.send_auth_error(AuthError::not_found_in_headers()); + }; + + // Do not send auth error when reading from headers, as the html body may contain the auth data + if status != "1" { + warn!("Found invalid saml-auth-status in headers: {}", status); + return; + } + + let username = auth_response.get_header("saml-username"); + let prelogin_cookie = auth_response.get_header("prelogin-cookie"); + let portal_userauthcookie = auth_response.get_header("portal-userauthcookie"); + + match SamlAuthData::new(username, prelogin_cookie, portal_userauthcookie) { + Ok(auth_data) => self.send_auth_data(auth_data, AuthDataLocation::Headers), + Err(err) => { + warn!("Failed to read auth data from headers: {}", err); + } + } + } +} + +fn extract_gpcallback(html: &str) -> Option { + let re = Regex::new(r#"globalprotectcallback:[^"]+"#).unwrap(); + re.captures(html) + .and_then(|captures| captures.get(0)) + .map(|m| html_escape::decode_html_entities(m.as_str()).to_string()) +} + +#[cfg(test)] +mod tests { + use super::*; + + #[test] + fn extract_gpcallback_some() { + let html = r#" + + + "#; + + assert_eq!( + extract_gpcallback(html).as_deref(), + Some("globalprotectcallback:PGh0bWw+PCEtLSA8c") + ); + } + + #[test] + fn extract_gpcallback_cas() { + let html = r#" + + "#; + + assert_eq!( + extract_gpcallback(html).as_deref(), + Some("globalprotectcallback:cas-as=1&un=xyz@email.com&token=very_long_string") + ); + } + + #[test] + fn extract_gpcallback_none() { + let html = r#" + + "#; + + assert_eq!(extract_gpcallback(html), None); + } +} diff --git a/crates/auth/src/webview/macos.rs b/crates/auth/src/webview/macos.rs new file mode 100644 index 0000000..1c70697 --- /dev/null +++ b/crates/auth/src/webview/macos.rs @@ -0,0 +1,58 @@ +use block2::RcBlock; +use log::warn; +use objc2::runtime::AnyObject; +use objc2_foundation::{NSError, NSString, NSURLRequest, NSURL}; +use objc2_web_kit::WKWebView; +use tauri::webview::PlatformWebview; + +use super::webview_auth::PlatformWebviewExt; + +impl PlatformWebviewExt for PlatformWebview { + fn ignore_tls_errors(&self) -> anyhow::Result<()> { + warn!("Ignoring TLS errors is not supported on macOS"); + Ok(()) + } + + fn load_url(&self, url: &str) -> anyhow::Result<()> { + unsafe { + let wv: &WKWebView = &*self.inner().cast(); + let url = NSURL::URLWithString(&NSString::from_str(url)).ok_or_else(|| anyhow::anyhow!("Invalid URL"))?; + let request = NSURLRequest::requestWithURL(&url); + + wv.loadRequest(&request); + } + + Ok(()) + } + + fn load_html(&self, html: &str) -> anyhow::Result<()> { + unsafe { + let wv: &WKWebView = &*self.inner().cast(); + wv.loadHTMLString_baseURL(&NSString::from_str(html), None); + } + + Ok(()) + } + + fn get_html(&self, callback: Box) + 'static>) { + unsafe { + let wv: &WKWebView = &*self.inner().cast(); + + let js_callback = RcBlock::new(move |body: *mut AnyObject, err: *mut NSError| { + if let Some(err) = err.as_ref() { + let code = err.code(); + let message = err.localizedDescription(); + callback(Err(anyhow::anyhow!("Error {}: {}", code, message))); + } else { + let body: &NSString = &*body.cast(); + callback(Ok(body.to_string())); + } + }); + + wv.evaluateJavaScript_completionHandler( + &NSString::from_str("document.documentElement.outerHTML"), + Some(&js_callback), + ); + } + } +} diff --git a/crates/auth/src/webview/unix.rs b/crates/auth/src/webview/unix.rs new file mode 100644 index 0000000..31af707 --- /dev/null +++ b/crates/auth/src/webview/unix.rs @@ -0,0 +1,105 @@ +use std::sync::Arc; + +use anyhow::bail; +use gpapi::utils::redact::redact_uri; +use log::warn; +use tauri::webview::PlatformWebview; +use webkit2gtk::{ + gio::Cancellable, glib::GString, LoadEvent, TLSErrorsPolicy, URIResponseExt, WebResource, WebResourceExt, WebViewExt, + WebsiteDataManagerExt, +}; + +use super::{ + auth_messenger::AuthError, + webview_auth::{GetHeader, PlatformWebviewExt}, +}; + +impl GetHeader for WebResource { + fn get_header(&self, key: &str) -> Option { + self + .response() + .and_then(|response| response.http_headers()) + .and_then(|headers| headers.one(key)) + .map(GString::into) + } +} + +impl PlatformWebviewExt for PlatformWebview { + fn ignore_tls_errors(&self) -> anyhow::Result<()> { + if let Some(manager) = self.inner().website_data_manager() { + manager.set_tls_errors_policy(TLSErrorsPolicy::Ignore); + return Ok(()); + } + bail!("Failed to get website data manager"); + } + + fn load_url(&self, url: &str) -> anyhow::Result<()> { + self.inner().load_uri(url); + Ok(()) + } + + fn load_html(&self, html: &str) -> anyhow::Result<()> { + self.inner().load_html(html, None); + Ok(()) + } + + fn get_html(&self, callback: Box) + 'static>) { + let script = "document.documentElement.outerHTML"; + self + .inner() + .evaluate_javascript(script, None, None, Cancellable::NONE, move |result| match result { + Ok(value) => callback(Ok(value.to_string())), + Err(err) => callback(Err(anyhow::anyhow!(err))), + }); + } +} + +pub trait PlatformWebviewOnResponse { + fn on_response(&self, callback: Box) + 'static>); +} + +impl PlatformWebviewOnResponse for PlatformWebview { + fn on_response(&self, callback: Box) + 'static>) { + let wv = self.inner(); + let callback = Arc::new(callback); + let callback_clone = Arc::clone(&callback); + + wv.connect_load_changed(move |wv, event| { + if event != LoadEvent::Finished { + return; + } + + let Some(web_resource) = wv.main_resource() else { + return; + }; + + let uri = web_resource.uri().unwrap_or("".into()); + if uri.is_empty() { + callback_clone(Err(AuthError::invalid_from_body(anyhow::anyhow!("Empty URI")))); + } else { + callback_clone(Ok(web_resource)); + } + }); + + wv.connect_load_failed_with_tls_errors(move |_wv, uri, cert, err| { + let redacted_uri = redact_uri(uri); + warn!( + "Failed to load uri: {} with error: {}, cert: {}", + redacted_uri, err, cert + ); + + callback(Err(AuthError::TlsError)); + true + }); + + wv.connect_load_failed(move |_wv, _event, uri, err| { + let redacted_uri = redact_uri(uri); + if !uri.starts_with("globalprotectcallback:") { + warn!("Failed to load uri: {} with error: {}", redacted_uri, err); + } + // NOTE: Don't send error here, since load_changed event will be triggered after this + // true to stop other handlers from being invoked for the event. false to propagate the event further. + true + }); + } +} diff --git a/crates/auth/src/webview/webview_auth.rs b/crates/auth/src/webview/webview_auth.rs new file mode 100644 index 0000000..4f1ec71 --- /dev/null +++ b/crates/auth/src/webview/webview_auth.rs @@ -0,0 +1,277 @@ +use std::{sync::Arc, time::Duration}; + +use anyhow::bail; +use gpapi::{auth::SamlAuthData, gp_params::GpParams, utils::redact::redact_uri}; +use log::{info, warn}; +use tauri::{ + webview::{PageLoadEvent, PageLoadPayload}, + AppHandle, WebviewUrl, WebviewWindow, WindowEvent, +}; +use tokio::{sync::oneshot, time}; + +use crate::auth_prelogin; + +use super::auth_messenger::{AuthError, AuthEvent, AuthMessenger}; + +pub trait PlatformWebviewExt { + fn ignore_tls_errors(&self) -> anyhow::Result<()>; + + fn load_url(&self, url: &str) -> anyhow::Result<()>; + + fn load_html(&self, html: &str) -> anyhow::Result<()>; + + fn get_html(&self, callback: Box) + 'static>); + + fn load_auth_request(&self, auth_request: &str) -> anyhow::Result<()> { + if auth_request.starts_with("http") { + info!("Loading auth request as URL: {}", redact_uri(auth_request)); + self.load_url(auth_request) + } else { + info!("Loading auth request as HTML..."); + self.load_html(auth_request) + } + } +} + +#[cfg(not(target_os = "macos"))] +pub trait GetHeader { + fn get_header(&self, key: &str) -> Option; +} + +pub struct WebviewAuthenticator<'a> { + server: &'a str, + gp_params: &'a GpParams, + auth_request: Option<&'a str>, + clean: bool, + + is_retrying: tokio::sync::RwLock, +} + +impl<'a> WebviewAuthenticator<'a> { + pub fn new(server: &'a str, gp_params: &'a GpParams) -> Self { + Self { + server, + gp_params, + auth_request: None, + clean: false, + is_retrying: Default::default(), + } + } + + pub fn with_auth_request(mut self, auth_request: &'a str) -> Self { + self.auth_request = Some(auth_request); + self + } + + pub fn with_clean(mut self, clean: bool) -> Self { + self.clean = clean; + self + } + + pub async fn authenticate(&self, app_handle: &AppHandle) -> anyhow::Result { + let auth_messenger = Arc::new(AuthMessenger::new()); + let auth_messenger_clone = Arc::clone(&auth_messenger); + + let on_page_load = move |auth_window: WebviewWindow, event: PageLoadPayload<'_>| { + let auth_messenger_clone = Arc::clone(&auth_messenger_clone); + let redacted_url = redact_uri(event.url().as_str()); + + match event.event() { + PageLoadEvent::Started => { + info!("Started loading page: {}", redacted_url); + auth_messenger_clone.cancel_raise_window(); + } + PageLoadEvent::Finished => { + info!("Finished loading page: {}", redacted_url); + } + } + + // Read auth data from the page no matter whether it's finished loading or not + // Because we found that the finished event may not be triggered in some cases (e.g., on macOS) + let _ = auth_window.with_webview(move |wv| { + wv.get_html(Box::new(move |html| match html { + Ok(html) => auth_messenger_clone.read_from_html(&html), + Err(err) => warn!("Failed to get html: {}", err), + })); + }); + }; + + let title_bar_height = if cfg!(target_os = "macos") { 28.0 } else { 0.0 }; + + let auth_window = WebviewWindow::builder(app_handle, "auth_window", WebviewUrl::default()) + .on_page_load(on_page_load) + .title("GlobalProtect Login") + .inner_size(900.0, 650.0 + title_bar_height) + .focused(true) + .visible(false) + .center() + .build()?; + + self + .setup_auth_window(&auth_window, Arc::clone(&auth_messenger)) + .await?; + + loop { + match auth_messenger.subscribe().await? { + AuthEvent::Close => bail!("Authentication cancelled"), + AuthEvent::RaiseWindow => self.raise_window(&auth_window), + #[cfg(not(target_os = "macos"))] + AuthEvent::Error(AuthError::TlsError) => bail!(gpapi::error::PortalError::TlsError), + AuthEvent::Error(AuthError::NotFound(location)) => { + info!( + "No auth data found in {:?}, it may not be the /SAML20/SP/ACS endpoint", + location + ); + self.handle_not_found(&auth_window, &auth_messenger); + } + AuthEvent::Error(AuthError::Invalid(err, location)) => { + warn!("Got invalid auth data in {:?}: {}", location, err); + self.retry_auth(&auth_window).await; + } + AuthEvent::Data(auth_data, location) => { + info!("Got auth data from {:?}", location); + + auth_window.close()?; + return Ok(auth_data); + } + } + } + } + + async fn setup_auth_window( + &self, + auth_window: &WebviewWindow, + auth_messenger: Arc, + ) -> anyhow::Result<()> { + info!("Setting up auth window..."); + + if self.clean { + info!("Clearing all browsing data..."); + auth_window.clear_all_browsing_data()?; + } + + // Handle window close event + let auth_messenger_clone = Arc::clone(&auth_messenger); + auth_window.on_window_event(move |event| { + if let WindowEvent::CloseRequested { .. } = event { + auth_messenger_clone.send_auth_event(AuthEvent::Close); + } + }); + + // Show the window after 10 seconds, so that the user can see the window if the auth process is stuck + let auth_messenger_clone = Arc::clone(&auth_messenger); + tokio::spawn(async move { + time::sleep(Duration::from_secs(10)).await; + auth_messenger_clone.send_auth_event(AuthEvent::RaiseWindow); + }); + + let auth_request = match self.auth_request { + Some(auth_request) => auth_request.to_string(), + None => auth_prelogin(&self.server, &self.gp_params).await?, + }; + + let (tx, rx) = oneshot::channel::>(); + let ignore_tls_errors = self.gp_params.ignore_tls_errors(); + + // Set up webview + auth_window.with_webview(move |wv| { + #[cfg(not(target_os = "macos"))] + { + use super::platform_impl::PlatformWebviewOnResponse; + wv.on_response(Box::new(move |response| match response { + Ok(response) => auth_messenger.read_from_response(&response), + Err(err) => auth_messenger.send_auth_error(err), + })); + } + + let result = || -> anyhow::Result<()> { + if ignore_tls_errors { + wv.ignore_tls_errors()?; + } + + wv.load_auth_request(&auth_request) + }(); + + if let Err(result) = tx.send(result) { + warn!("Failed to send setup auth window result: {:?}", result); + } + })?; + + rx.await??; + info!("Auth window setup completed"); + + Ok(()) + } + + fn handle_not_found(&self, auth_window: &WebviewWindow, auth_messenger: &Arc) { + let visible = auth_window.is_visible().unwrap_or(false); + if visible { + return; + } + + auth_messenger.schedule_raise_window(2); + } + + async fn retry_auth(&self, auth_window: &WebviewWindow) { + let mut is_retrying = self.is_retrying.write().await; + if *is_retrying { + info!("Already retrying authentication, skipping..."); + return; + } + + *is_retrying = true; + drop(is_retrying); + + if let Err(err) = self.retry_auth_impl(auth_window).await { + warn!("Failed to retry authentication: {}", err); + } + + *self.is_retrying.write().await = false; + } + + async fn retry_auth_impl(&self, auth_window: &WebviewWindow) -> anyhow::Result<()> { + info!("Retrying authentication..."); + + auth_window.eval( r#" + var loading = document.createElement("div"); + loading.innerHTML = '
Got invalid token, retrying...
'; + loading.style = "position: fixed; top: 0; left: 0; width: 100%; height: 100%; background: rgba(255, 255, 255, 0.85); z-index: 99999;"; + document.body.appendChild(loading); + "#)?; + + let auth_request = auth_prelogin(&self.server, &self.gp_params).await?; + let (tx, rx) = oneshot::channel::>(); + auth_window.with_webview(move |wv| { + let result = wv.load_auth_request(&auth_request); + if let Err(result) = tx.send(result) { + warn!("Failed to send retry auth result: {:?}", result); + } + })?; + + rx.await??; + + Ok(()) + } + + fn raise_window(&self, auth_window: &WebviewWindow) { + let visible = auth_window.is_visible().unwrap_or(false); + if visible { + return; + } + + info!("Raising auth window..."); + + #[cfg(target_os = "macos")] + let result = auth_window.show(); + + #[cfg(not(target_os = "macos"))] + let result = { + use gpapi::utils::window::WindowExt; + auth_window.raise() + }; + + if let Err(err) = result { + warn!("Failed to raise window: {}", err); + } + } +} diff --git a/crates/auth/src/webview_auth.rs b/crates/auth/src/webview_auth.rs deleted file mode 100644 index cc9e296..0000000 --- a/crates/auth/src/webview_auth.rs +++ /dev/null @@ -1,9 +0,0 @@ -mod auth_messenger; -mod auth_response; -mod auth_settings; -mod webview_auth_ext; - -#[cfg_attr(not(target_os = "macos"), path = "webview_auth/unix.rs")] -mod platform_impl; - -pub use webview_auth_ext::WebviewAuthenticator; diff --git a/crates/auth/src/webview_auth/auth_messenger.rs b/crates/auth/src/webview_auth/auth_messenger.rs deleted file mode 100644 index 29e4da8..0000000 --- a/crates/auth/src/webview_auth/auth_messenger.rs +++ /dev/null @@ -1,108 +0,0 @@ -use anyhow::bail; -use gpapi::auth::SamlAuthData; -use log::{error, info}; -use tokio::sync::{mpsc, RwLock}; -use tokio_util::sync::CancellationToken; - -pub enum AuthError { - /// Failed to load page due to TLS error - TlsError, - /// 1. Found auth data in headers/body but it's invalid - /// 2. Loaded an empty page, failed to load page. etc. - Invalid, - /// No auth data found in headers/body - NotFound, -} - -pub type AuthResult = anyhow::Result; - -pub enum AuthEvent { - Data(SamlAuthData), - Error(AuthError), - RaiseWindow, - Close, -} - -pub struct AuthMessenger { - tx: mpsc::UnboundedSender, - rx: RwLock>, - raise_window_cancel_token: RwLock>, -} - -impl AuthMessenger { - pub fn new() -> Self { - let (tx, rx) = mpsc::unbounded_channel(); - - Self { - tx, - rx: RwLock::new(rx), - raise_window_cancel_token: Default::default(), - } - } - - pub async fn subscribe(&self) -> anyhow::Result { - let mut rx = self.rx.write().await; - if let Some(event) = rx.recv().await { - return Ok(event); - } - bail!("Failed to receive auth event"); - } - - pub fn send_auth_event(&self, event: AuthEvent) { - if let Err(event) = self.tx.send(event) { - error!("Failed to send auth event: {}", event); - } - } - - pub fn send_auth_result(&self, result: AuthResult) { - match result { - Ok(data) => self.send_auth_data(data), - Err(err) => self.send_auth_error(err), - } - } - - pub fn send_auth_error(&self, err: AuthError) { - self.send_auth_event(AuthEvent::Error(err)); - } - - pub fn send_auth_data(&self, data: SamlAuthData) { - self.send_auth_event(AuthEvent::Data(data)); - } - - pub fn schedule_raise_window(&self, delay: u64) { - let cancel_token = CancellationToken::new(); - let cancel_token_clone = cancel_token.clone(); - - if let Ok(mut guard) = self.raise_window_cancel_token.try_write() { - // Cancel the previous raise window task if it exists - if let Some(token) = guard.take() { - token.cancel(); - } - *guard = Some(cancel_token_clone); - } - - let tx = self.tx.clone(); - tokio::spawn(async move { - info!("Displaying the window in {} second(s)...", delay); - - tokio::select! { - _ = tokio::time::sleep(tokio::time::Duration::from_secs(delay)) => { - if let Err(err) = tx.send(AuthEvent::RaiseWindow) { - error!("Failed to send raise window event: {}", err); - } - } - _ = cancel_token.cancelled() => { - info!("Cancelled raise window task"); - } - } - }); - } - - pub fn cancel_raise_window(&self) { - if let Ok(mut cancel_token) = self.raise_window_cancel_token.try_write() { - if let Some(token) = cancel_token.take() { - token.cancel(); - } - } - } -} diff --git a/crates/auth/src/webview_auth/auth_response.rs b/crates/auth/src/webview_auth/auth_response.rs deleted file mode 100644 index 75a5a65..0000000 --- a/crates/auth/src/webview_auth/auth_response.rs +++ /dev/null @@ -1,152 +0,0 @@ -use std::sync::Arc; - -use gpapi::{ - auth::{AuthDataParseResult, SamlAuthData}, - error::AuthDataParseError, -}; -use log::{info, warn}; -use regex::Regex; - -use crate::webview_auth::auth_messenger::{AuthError, AuthMessenger}; - -/// Trait for handling authentication response -pub trait AuthResponse { - fn get_header(&self, key: &str) -> Option; - fn get_body(&self, cb: F) - where - F: FnOnce(anyhow::Result>) + 'static; - - fn url(&self) -> Option; - - fn is_acs_endpoint(&self) -> bool { - self.url().map_or(false, |url| url.ends_with("/SAML20/SP/ACS")) - } -} - -pub fn read_auth_data(auth_response: &impl AuthResponse, auth_messenger: &Arc) { - let auth_messenger = Arc::clone(auth_messenger); - - match read_from_headers(auth_response) { - Ok(auth_data) => { - info!("Found auth data in headers"); - auth_messenger.send_auth_data(auth_data); - } - Err(header_err) => { - info!("Failed to read auth data from headers: {}", header_err); - - let is_acs_endpoint = auth_response.is_acs_endpoint(); - read_from_body(auth_response, move |auth_result| { - // If the endpoint is `/SAML20/SP/ACS` and no auth data found in body, it should be considered as invalid - let auth_result = auth_result.map_err(move |e| { - info!("Failed to read auth data from body: {}", e); - if is_acs_endpoint || e.is_invalid() || header_err.is_invalid() { - AuthError::Invalid - } else { - AuthError::NotFound - } - }); - - auth_messenger.send_auth_result(auth_result); - }); - } - } -} - -fn read_from_headers(auth_response: &impl AuthResponse) -> AuthDataParseResult { - let Some(status) = auth_response.get_header("saml-auth-status") else { - info!("No SAML auth status found in headers"); - return Err(AuthDataParseError::NotFound); - }; - - if status != "1" { - info!("Found invalid auth status: {}", status); - return Err(AuthDataParseError::Invalid); - } - - let username = auth_response.get_header("saml-username"); - let prelogin_cookie = auth_response.get_header("prelogin-cookie"); - let portal_userauthcookie = auth_response.get_header("portal-userauthcookie"); - - SamlAuthData::new(username, prelogin_cookie, portal_userauthcookie).map_err(|e| { - warn!("Found invalid auth data: {}", e); - AuthDataParseError::Invalid - }) -} - -fn read_from_body(auth_response: &impl AuthResponse, cb: F) -where - F: FnOnce(AuthDataParseResult) + 'static, -{ - auth_response.get_body(|body| match body { - Ok(body) => { - let html = String::from_utf8_lossy(&body); - cb(read_from_html(&html)) - } - Err(err) => { - info!("Failed to read body: {}", err); - cb(Err(AuthDataParseError::Invalid)) - } - }); -} - -fn read_from_html(html: &str) -> AuthDataParseResult { - if html.contains("Temporarily Unavailable") { - info!("Found 'Temporarily Unavailable' in HTML, auth failed"); - return Err(AuthDataParseError::Invalid); - } - - SamlAuthData::from_html(html).or_else(|err| { - if let Some(gpcallback) = extract_gpcallback(html) { - info!("Found gpcallback from html..."); - SamlAuthData::from_gpcallback(&gpcallback) - } else { - Err(err) - } - }) -} - -fn extract_gpcallback(html: &str) -> Option { - let re = Regex::new(r#"globalprotectcallback:[^"]+"#).unwrap(); - re.captures(html) - .and_then(|captures| captures.get(0)) - .map(|m| html_escape::decode_html_entities(m.as_str()).to_string()) -} - -#[cfg(test)] -mod tests { - use super::*; - - #[test] - fn extract_gpcallback_some() { - let html = r#" - - - "#; - - assert_eq!( - extract_gpcallback(html).as_deref(), - Some("globalprotectcallback:PGh0bWw+PCEtLSA8c") - ); - } - - #[test] - fn extract_gpcallback_cas() { - let html = r#" - - "#; - - assert_eq!( - extract_gpcallback(html).as_deref(), - Some("globalprotectcallback:cas-as=1&un=xyz@email.com&token=very_long_string") - ); - } - - #[test] - fn extract_gpcallback_none() { - let html = r#" - - "#; - - assert_eq!(extract_gpcallback(html), None); - } -} diff --git a/crates/auth/src/webview_auth/auth_settings.rs b/crates/auth/src/webview_auth/auth_settings.rs deleted file mode 100644 index 6adb90e..0000000 --- a/crates/auth/src/webview_auth/auth_settings.rs +++ /dev/null @@ -1,25 +0,0 @@ -use std::sync::Arc; - -use super::auth_messenger::AuthMessenger; - -pub struct AuthRequest<'a>(&'a str); - -impl<'a> AuthRequest<'a> { - pub fn new(auth_request: &'a str) -> Self { - Self(auth_request) - } - - pub fn is_url(&self) -> bool { - self.0.starts_with("http") - } - - pub fn as_str(&self) -> &str { - self.0 - } -} - -pub struct AuthSettings<'a> { - pub auth_request: AuthRequest<'a>, - pub auth_messenger: Arc, - pub ignore_tls_errors: bool, -} diff --git a/crates/auth/src/webview_auth/unix.rs b/crates/auth/src/webview_auth/unix.rs deleted file mode 100644 index 05ce655..0000000 --- a/crates/auth/src/webview_auth/unix.rs +++ /dev/null @@ -1,136 +0,0 @@ -use std::sync::Arc; - -use anyhow::bail; -use gpapi::utils::redact::redact_uri; -use log::{info, warn}; -use webkit2gtk::{ - gio::Cancellable, - glib::{GString, TimeSpan}, - LoadEvent, TLSErrorsPolicy, URIResponseExt, WebResource, WebResourceExt, WebView, WebViewExt, WebsiteDataManagerExt, - WebsiteDataManagerExtManual, WebsiteDataTypes, -}; - -use crate::webview_auth::{ - auth_messenger::AuthError, - auth_response::read_auth_data, - auth_settings::{AuthRequest, AuthSettings}, -}; - -use super::auth_response::AuthResponse; - -impl AuthResponse for WebResource { - fn get_header(&self, key: &str) -> Option { - self - .response() - .and_then(|response| response.http_headers()) - .and_then(|headers| headers.one(key)) - .map(GString::into) - } - - fn get_body(&self, cb: F) - where - F: FnOnce(anyhow::Result>) + 'static, - { - let cancellable = Cancellable::NONE; - self.data(cancellable, |data| cb(data.map_err(|e| anyhow::anyhow!(e)))); - } - - fn url(&self) -> Option { - self.uri().map(GString::into) - } -} - -pub fn clear_data(wv: &WebView, cb: F) -where - F: FnOnce(anyhow::Result<()>) + Send + 'static, -{ - let Some(data_manager) = wv.website_data_manager() else { - cb(Err(anyhow::anyhow!("Failed to get website data manager"))); - return; - }; - - data_manager.clear( - WebsiteDataTypes::COOKIES, - TimeSpan(0), - Cancellable::NONE, - move |result| { - cb(result.map_err(|e| anyhow::anyhow!(e))); - }, - ); -} - -pub fn setup_webview(wv: &WebView, auth_settings: AuthSettings) -> anyhow::Result<()> { - let AuthSettings { - auth_request, - auth_messenger, - ignore_tls_errors, - } = auth_settings; - let auth_messenger_clone = Arc::clone(&auth_messenger); - - let Some(data_manager) = wv.website_data_manager() else { - bail!("Failed to get website data manager"); - }; - - if ignore_tls_errors { - data_manager.set_tls_errors_policy(TLSErrorsPolicy::Ignore); - } - - wv.connect_load_changed(move |wv, event| { - if event == LoadEvent::Started { - auth_messenger_clone.cancel_raise_window(); - return; - } - - if event != LoadEvent::Finished { - return; - } - - let Some(main_resource) = wv.main_resource() else { - return; - }; - - let uri = main_resource.uri().unwrap_or("".into()); - if uri.is_empty() { - warn!("Loaded an empty URI"); - auth_messenger_clone.send_auth_error(AuthError::Invalid); - return; - } - - read_auth_data(&main_resource, &auth_messenger_clone); - }); - - wv.connect_load_failed_with_tls_errors(move |_wv, uri, cert, err| { - let redacted_uri = redact_uri(uri); - warn!( - "Failed to load uri: {} with error: {}, cert: {}", - redacted_uri, err, cert - ); - - auth_messenger.send_auth_error(AuthError::TlsError); - true - }); - - wv.connect_load_failed(move |_wv, _event, uri, err| { - let redacted_uri = redact_uri(uri); - if !uri.starts_with("globalprotectcallback:") { - warn!("Failed to load uri: {} with error: {}", redacted_uri, err); - } - // NOTE: Don't send error here, since load_changed event will be triggered after this - // true to stop other handlers from being invoked for the event. false to propagate the event further. - true - }); - - load_auth_request(wv, &auth_request); - - Ok(()) -} - -pub fn load_auth_request(wv: &WebView, auth_request: &AuthRequest) { - if auth_request.is_url() { - info!("Loading auth request as URI..."); - wv.load_uri(auth_request.as_str()); - } else { - info!("Loading auth request as HTML..."); - wv.load_html(auth_request.as_str(), None); - } -} diff --git a/crates/auth/src/webview_auth/webview_auth_ext.rs b/crates/auth/src/webview_auth/webview_auth_ext.rs deleted file mode 100644 index 0b7b7e5..0000000 --- a/crates/auth/src/webview_auth/webview_auth_ext.rs +++ /dev/null @@ -1,194 +0,0 @@ -use std::{ - future::Future, - sync::Arc, - time::{Duration, Instant}, -}; - -use anyhow::bail; -use gpapi::{auth::SamlAuthData, error::PortalError, utils::window::WindowExt}; -use log::{info, warn}; -use tauri::{AppHandle, WebviewUrl, WebviewWindow, WindowEvent}; -use tokio::{sync::oneshot, time}; - -use crate::{ - webview_auth::{ - auth_messenger::{AuthError, AuthEvent, AuthMessenger}, - auth_settings::{AuthRequest, AuthSettings}, - platform_impl, - }, - Authenticator, -}; - -pub trait WebviewAuthenticator { - fn with_clean(self, clean: bool) -> Self; - fn webview_authenticate(&self, app_handle: &AppHandle) -> impl Future> + Send; -} - -impl WebviewAuthenticator for Authenticator<'_> { - fn with_clean(mut self, clean: bool) -> Self { - self.clean = clean; - self - } - - async fn webview_authenticate(&self, app_handle: &AppHandle) -> anyhow::Result { - let auth_window = WebviewWindow::builder(app_handle, "auth_window", WebviewUrl::default()) - .title("GlobalProtect Login") - .focused(true) - .visible(false) - .center() - .build()?; - - self.auth_loop(&auth_window).await - } -} - -impl Authenticator<'_> { - async fn auth_loop(&self, auth_window: &WebviewWindow) -> anyhow::Result { - if self.clean { - self.clear_webview_data(&auth_window).await?; - } - - let auth_messenger = self.setup_auth_window(&auth_window).await?; - - loop { - match auth_messenger.subscribe().await? { - AuthEvent::Close => bail!("Authentication cancelled"), - AuthEvent::RaiseWindow => self.raise_window(auth_window), - AuthEvent::Error(AuthError::TlsError) => bail!(PortalError::TlsError), - AuthEvent::Error(AuthError::NotFound) => self.handle_not_found(auth_window, &auth_messenger), - AuthEvent::Error(AuthError::Invalid) => self.retry_auth(auth_window).await, - AuthEvent::Data(auth_data) => { - auth_window.close()?; - return Ok(auth_data); - } - } - } - } - - async fn clear_webview_data(&self, auth_window: &WebviewWindow) -> anyhow::Result<()> { - info!("Clearing webview data..."); - - let (tx, rx) = oneshot::channel::>(); - let now = Instant::now(); - auth_window.with_webview(|webview| { - platform_impl::clear_data(&webview.inner(), |result| { - if let Err(result) = tx.send(result) { - warn!("Failed to send clear data result: {:?}", result); - } - }) - })?; - - rx.await??; - info!("Webview data cleared in {:?}", now.elapsed()); - - Ok(()) - } - - async fn setup_auth_window(&self, auth_window: &WebviewWindow) -> anyhow::Result> { - info!("Setting up auth window..."); - - let auth_messenger = Arc::new(AuthMessenger::new()); - let auth_request = self.initial_auth_request().await?.into_owned(); - let ignore_tls_errors = self.gp_params.ignore_tls_errors(); - - // Handle window close event - let auth_messenger_clone = Arc::clone(&auth_messenger); - auth_window.on_window_event(move |event| { - if let WindowEvent::CloseRequested { .. } = event { - auth_messenger_clone.send_auth_event(AuthEvent::Close); - } - }); - - // Show the window after 10 seconds, so that the user can see the window if the auth process is stuck - let auth_messenger_clone = Arc::clone(&auth_messenger); - tokio::spawn(async move { - time::sleep(Duration::from_secs(10)).await; - auth_messenger_clone.send_auth_event(AuthEvent::RaiseWindow); - }); - - // setup webview - let auth_messenger_clone = Arc::clone(&auth_messenger); - let (tx, rx) = oneshot::channel::>(); - - auth_window.with_webview(move |webview| { - let auth_settings = AuthSettings { - auth_request: AuthRequest::new(&auth_request), - auth_messenger: auth_messenger_clone, - ignore_tls_errors, - }; - - let result = platform_impl::setup_webview(&webview.inner(), auth_settings); - if let Err(result) = tx.send(result) { - warn!("Failed to send setup auth window result: {:?}", result); - } - })?; - - rx.await??; - info!("Auth window setup completed"); - - Ok(auth_messenger) - } - - fn handle_not_found(&self, auth_window: &WebviewWindow, auth_messenger: &Arc) { - info!("No auth data found, it may not be the /SAML20/SP/ACS endpoint"); - - let visible = auth_window.is_visible().unwrap_or(false); - if visible { - return; - } - - auth_messenger.schedule_raise_window(1); - } - - async fn retry_auth(&self, auth_window: &WebviewWindow) { - let mut is_retrying = self.is_retrying.write().await; - if *is_retrying { - info!("Already retrying authentication, skipping..."); - return; - } - - *is_retrying = true; - drop(is_retrying); - - if let Err(err) = self.retry_auth_impl(auth_window).await { - warn!("Failed to retry authentication: {}", err); - } - - *self.is_retrying.write().await = false; - } - - async fn retry_auth_impl(&self, auth_window: &WebviewWindow) -> anyhow::Result<()> { - info!("Retrying authentication..."); - - auth_window.eval( r#" - var loading = document.createElement("div"); - loading.innerHTML = '
Got invalid token, retrying...
'; - loading.style = "position: fixed; top: 0; left: 0; width: 100%; height: 100%; background: rgba(255, 255, 255, 0.85); z-index: 99999;"; - document.body.appendChild(loading); - "#)?; - - let auth_request = self.portal_prelogin().await?; - let (tx, rx) = oneshot::channel::<()>(); - auth_window.with_webview(move |webview| { - let auth_request = AuthRequest::new(&auth_request); - platform_impl::load_auth_request(&webview.inner(), &auth_request); - - tx.send(()).expect("Failed to send message to the channel") - })?; - - rx.await?; - Ok(()) - } - - fn raise_window(&self, auth_window: &WebviewWindow) { - let visible = auth_window.is_visible().unwrap_or(false); - if visible { - return; - } - - info!("Raising auth window..."); - if let Err(err) = auth_window.raise() { - warn!("Failed to raise window: {}", err); - } - } -} diff --git a/crates/common/src/vpn_utils.rs b/crates/common/src/vpn_utils.rs index 5366154..229e33e 100644 --- a/crates/common/src/vpn_utils.rs +++ b/crates/common/src/vpn_utils.rs @@ -2,22 +2,26 @@ use std::{io, path::Path}; use is_executable::IsExecutable; -const VPNC_SCRIPT_LOCATIONS: [&str; 6] = [ +const VPNC_SCRIPT_LOCATIONS: &[&str] = &[ "/usr/local/share/vpnc-scripts/vpnc-script", "/usr/local/sbin/vpnc-script", "/usr/share/vpnc-scripts/vpnc-script", "/usr/sbin/vpnc-script", "/etc/vpnc/vpnc-script", "/etc/openconnect/vpnc-script", + #[cfg(target_os = "macos")] + "/opt/homebrew/etc/vpnc/vpnc-script", ]; -const CSD_WRAPPER_LOCATIONS: [&str; 3] = [ +const CSD_WRAPPER_LOCATIONS: &[&str] = &[ #[cfg(target_arch = "x86_64")] "/usr/lib/x86_64-linux-gnu/openconnect/hipreport.sh", #[cfg(target_arch = "aarch64")] "/usr/lib/aarch64-linux-gnu/openconnect/hipreport.sh", "/usr/lib/openconnect/hipreport.sh", "/usr/libexec/openconnect/hipreport.sh", + #[cfg(target_os = "macos")] + "/opt/homebrew/opt/openconnect/libexec/openconnect/hipreport.sh", ]; fn find_executable(locations: &[&str]) -> Option { diff --git a/crates/gpapi/Cargo.toml b/crates/gpapi/Cargo.toml index 68e3f5d..0b95b97 100644 --- a/crates/gpapi/Cargo.toml +++ b/crates/gpapi/Cargo.toml @@ -12,6 +12,7 @@ dns-lookup.workspace = true log.workspace = true reqwest.workspace = true openssl.workspace = true +version-compare = "0.2" pem.workspace = true roxmltree.workspace = true serde.workspace = true @@ -33,8 +34,13 @@ sha256.workspace = true tauri = { workspace = true, optional = true } clap = { workspace = true, optional = true } +clap-verbosity-flag = { workspace = true, optional = true } + +env_logger = { workspace = true, optional = true } +log-reload = { version = "0.1", optional = true } [features] tauri = ["dep:tauri"] -clap = ["dep:clap"] +clap = ["dep:clap", "dep:clap-verbosity-flag"] webview-auth = [] +logger = ["dep:env_logger", "dep:log-reload"] diff --git a/crates/gpapi/src/auth.rs b/crates/gpapi/src/auth.rs index dcabde3..aa6e559 100644 --- a/crates/gpapi/src/auth.rs +++ b/crates/gpapi/src/auth.rs @@ -72,15 +72,12 @@ impl SamlAuthData { let prelogin_cookie = parse_xml_tag(html, "prelogin-cookie"); let portal_userauthcookie = parse_xml_tag(html, "portal-userauthcookie"); - SamlAuthData::new(username, prelogin_cookie, portal_userauthcookie).map_err(|e| { - warn!("Failed to parse auth data: {}", e); - AuthDataParseError::Invalid - }) - } - Some(status) => { - warn!("Found invalid auth status: {}", status); - Err(AuthDataParseError::Invalid) + SamlAuthData::new(username, prelogin_cookie, portal_userauthcookie).map_err(AuthDataParseError::Invalid) } + Some(status) => Err(AuthDataParseError::Invalid(anyhow::anyhow!( + "SAML auth status: {}", + status + ))), None => Err(AuthDataParseError::NotFound), } } @@ -100,7 +97,7 @@ impl SamlAuthData { let auth_data: SamlAuthData = serde_urlencoded::from_str(auth_data.borrow()).map_err(|e| { warn!("Failed to parse token auth data: {}", e); warn!("Auth data: {}", auth_data); - AuthDataParseError::Invalid + AuthDataParseError::Invalid(anyhow::anyhow!(e)) })?; return Ok(auth_data); @@ -108,7 +105,7 @@ impl SamlAuthData { let auth_data = decode_to_string(auth_data).map_err(|e| { warn!("Failed to decode SAML auth data: {}", e); - AuthDataParseError::Invalid + AuthDataParseError::Invalid(anyhow::anyhow!(e)) })?; let auth_data = Self::from_html(&auth_data)?; @@ -128,7 +125,7 @@ impl SamlAuthData { } } -pub fn parse_xml_tag(html: &str, tag: &str) -> Option { +fn parse_xml_tag(html: &str, tag: &str) -> Option { let re = Regex::new(&format!("<{}>(.*)", tag, tag)).unwrap(); re.captures(html) .and_then(|captures| captures.get(1)) diff --git a/crates/gpapi/src/clap/mod.rs b/crates/gpapi/src/clap/mod.rs index 74bc6e3..62ca9e9 100644 --- a/crates/gpapi/src/clap/mod.rs +++ b/crates/gpapi/src/clap/mod.rs @@ -1,3 +1,6 @@ +use clap_verbosity_flag::{LogLevel, Verbosity, VerbosityFilter}; +use log::Level; + use crate::error::PortalError; pub mod args; @@ -8,7 +11,7 @@ pub trait Args { } pub fn handle_error(err: anyhow::Error, args: &impl Args) { - eprintln!("\nError: {}", err); + eprintln!("\nError: {:?}", err); let Some(err) = err.downcast_ref::() else { return; @@ -26,3 +29,53 @@ pub fn handle_error(err: anyhow::Error, args: &impl Args) { eprintln!("{} --ignore-tls-errors {}\n", args[0], args[1..].join(" ")); } } + +#[derive(Debug)] +pub struct InfoLevel; + +pub type InfoLevelVerbosity = Verbosity; + +impl LogLevel for InfoLevel { + fn default_filter() -> VerbosityFilter { + VerbosityFilter::Info + } + + fn verbose_help() -> Option<&'static str> { + Some("Enable verbose output, -v for debug, -vv for trace") + } + + fn quiet_help() -> Option<&'static str> { + Some("Decrease logging verbosity, -q for warnings, -qq for errors") + } +} + +pub trait ToVerboseArg { + fn to_verbose_arg(&self) -> Option<&'static str>; +} + +/// Convert the verbosity to the CLI argument value +/// The default verbosity is `Info`, which means no argument is needed +impl ToVerboseArg for InfoLevelVerbosity { + fn to_verbose_arg(&self) -> Option<&'static str> { + match self.filter() { + VerbosityFilter::Off => Some("-qqq"), + VerbosityFilter::Error => Some("-qq"), + VerbosityFilter::Warn => Some("-q"), + VerbosityFilter::Info => None, + VerbosityFilter::Debug => Some("-v"), + VerbosityFilter::Trace => Some("-vv"), + } + } +} + +impl ToVerboseArg for Level { + fn to_verbose_arg(&self) -> Option<&'static str> { + match self { + Level::Error => Some("-qq"), + Level::Warn => Some("-q"), + Level::Info => None, + Level::Debug => Some("-v"), + Level::Trace => Some("-vv"), + } + } +} diff --git a/crates/gpapi/src/error.rs b/crates/gpapi/src/error.rs index 6af7085..9e1d1af 100644 --- a/crates/gpapi/src/error.rs +++ b/crates/gpapi/src/error.rs @@ -26,12 +26,12 @@ impl PortalError { pub enum AuthDataParseError { #[error("No auth data found")] NotFound, - #[error("Invalid auth data")] - Invalid, + #[error(transparent)] + Invalid(#[from] anyhow::Error), } impl AuthDataParseError { pub fn is_invalid(&self) -> bool { - matches!(self, AuthDataParseError::Invalid) + matches!(self, AuthDataParseError::Invalid(_)) } } diff --git a/crates/gpapi/src/lib.rs b/crates/gpapi/src/lib.rs index 663eb24..7b085eb 100644 --- a/crates/gpapi/src/lib.rs +++ b/crates/gpapi/src/lib.rs @@ -8,6 +8,9 @@ pub mod process; pub mod service; pub mod utils; +#[cfg(feature = "logger")] +pub mod logger; + #[cfg(feature = "clap")] pub mod clap; diff --git a/crates/gpapi/src/logger.rs b/crates/gpapi/src/logger.rs new file mode 100644 index 0000000..c94a44e --- /dev/null +++ b/crates/gpapi/src/logger.rs @@ -0,0 +1,49 @@ +use std::sync::OnceLock; + +use anyhow::bail; +use env_logger::Logger; +use log::Level; +use log_reload::{ReloadHandle, ReloadLog}; + +static LOG_HANDLE: OnceLock>> = OnceLock::new(); + +pub fn init(level: Level) -> anyhow::Result<()> { + // Initialize the env_logger and global max level to trace, the logs will be + // filtered by the outer logger + let logger = env_logger::builder().filter_level(log::LevelFilter::Trace).build(); + init_with_logger(level, logger)?; + + Ok(()) +} + +pub fn init_with_logger(level: Level, logger: Logger) -> anyhow::Result<()> { + if let Some(_) = LOG_HANDLE.get() { + bail!("Logger already initialized") + } else { + log::set_max_level(log::LevelFilter::Trace); + + // Create a new logger that will filter the logs based on the max level + let level_filter_logger = log_reload::LevelFilter::new(level, logger); + + let reload_log = ReloadLog::new(level_filter_logger); + let handle = reload_log.handle(); + + // Register the logger to be used by the log crate + log::set_boxed_logger(Box::new(reload_log))?; + LOG_HANDLE + .set(handle) + .map_err(|_| anyhow::anyhow!("Failed to set the logger"))?; + } + + Ok(()) +} + +pub fn set_max_level(level: Level) -> anyhow::Result<()> { + let Some(handle) = LOG_HANDLE.get() else { + bail!("Logger not initialized") + }; + + handle + .modify(|logger| logger.set_level(level)) + .map_err(|e| anyhow::anyhow!(e)) +} diff --git a/crates/gpapi/src/portal/config.rs b/crates/gpapi/src/portal/config.rs index 9be4c76..e5adeab 100644 --- a/crates/gpapi/src/portal/config.rs +++ b/crates/gpapi/src/portal/config.rs @@ -1,6 +1,6 @@ use anyhow::bail; use dns_lookup::lookup_addr; -use log::{debug, info, warn}; +use log::{info, warn}; use reqwest::{Client, StatusCode}; use roxmltree::{Document, Node}; use serde::Serialize; @@ -135,8 +135,6 @@ pub async fn retrieve_config(portal: &str, cred: &Credential, gp_params: &GpPara bail!(PortalError::ConfigError("Empty portal config response".to_string())) } - debug!("Portal config response: {}", res_xml); - let doc = Document::parse(&res_xml).map_err(|e| PortalError::ConfigError(e.to_string()))?; let root = doc.root(); diff --git a/crates/gpapi/src/process/auth_launcher.rs b/crates/gpapi/src/process/auth_launcher.rs index c5a3c44..11680fe 100644 --- a/crates/gpapi/src/process/auth_launcher.rs +++ b/crates/gpapi/src/process/auth_launcher.rs @@ -23,6 +23,7 @@ pub struct SamlAuthLauncher<'a> { #[cfg(feature = "webview-auth")] default_browser: bool, browser: Option<&'a str>, + verbose: Option<&'a str>, } impl<'a> SamlAuthLauncher<'a> { @@ -43,6 +44,7 @@ impl<'a> SamlAuthLauncher<'a> { #[cfg(feature = "webview-auth")] default_browser: false, browser: None, + verbose: None, } } @@ -104,6 +106,11 @@ impl<'a> SamlAuthLauncher<'a> { self } + pub fn verbose(mut self, verbose: Option<&'a str>) -> Self { + self.verbose = verbose; + self + } + /// Launch the authenticator binary as the current user or SUDO_USER if available. pub async fn launch(self) -> anyhow::Result { let mut auth_cmd = Command::new(GP_AUTH_BINARY); @@ -156,6 +163,10 @@ impl<'a> SamlAuthLauncher<'a> { auth_cmd.arg("--browser").arg(browser); } + if let Some(verbose) = self.verbose { + auth_cmd.arg(verbose); + } + let mut non_root_cmd = auth_cmd.into_non_root()?; let output = non_root_cmd .kill_on_drop(true) diff --git a/crates/gpapi/src/process/service_launcher.rs b/crates/gpapi/src/process/service_launcher.rs index 05bca37..aada481 100644 --- a/crates/gpapi/src/process/service_launcher.rs +++ b/crates/gpapi/src/process/service_launcher.rs @@ -10,26 +10,28 @@ use crate::GP_SERVICE_BINARY; use super::command_traits::CommandExt; -pub struct ServiceLauncher { +pub struct ServiceLauncher<'a> { program: PathBuf, minimized: bool, env_file: Option, log_file: Option, + verbose: Option<&'a str> } -impl Default for ServiceLauncher { +impl Default for ServiceLauncher<'_> { fn default() -> Self { Self::new() } } -impl ServiceLauncher { +impl<'a> ServiceLauncher<'a> { pub fn new() -> Self { Self { program: GP_SERVICE_BINARY.into(), minimized: false, env_file: None, log_file: None, + verbose: None } } @@ -48,6 +50,11 @@ impl ServiceLauncher { self } + pub fn verbose(mut self, verbose: Option<&'a str>) -> Self { + self.verbose = verbose; + self + } + pub async fn launch(&self) -> anyhow::Result { let mut cmd = Command::new_pkexec(&self.program); @@ -59,6 +66,10 @@ impl ServiceLauncher { cmd.arg("--env-file").arg(env_file); } + if let Some(verbose) = self.verbose { + cmd.arg(verbose); + } + if let Some(log_file) = &self.log_file { let log_file = File::create(log_file)?; let stdio = Stdio::from(log_file); diff --git a/crates/gpapi/src/service/request.rs b/crates/gpapi/src/service/request.rs index 96b0a69..abf2812 100644 --- a/crates/gpapi/src/service/request.rs +++ b/crates/gpapi/src/service/request.rs @@ -206,11 +206,15 @@ impl ConnectRequest { #[derive(Debug, Deserialize, Serialize, Type)] pub struct DisconnectRequest; +#[derive(Debug, Deserialize, Serialize)] +pub struct UpdateLogLevelRequest(pub String); + /// Requests that can be sent to the service #[derive(Debug, Deserialize, Serialize)] pub enum WsRequest { Connect(Box), Disconnect(DisconnectRequest), + UpdateLogLevel(UpdateLogLevelRequest), } #[derive(Debug, Deserialize, Serialize)] diff --git a/crates/gpapi/src/utils/openssl.rs b/crates/gpapi/src/utils/openssl.rs index 56af8a3..b076e15 100644 --- a/crates/gpapi/src/utils/openssl.rs +++ b/crates/gpapi/src/utils/openssl.rs @@ -1,9 +1,12 @@ use std::path::Path; +use log::{info, warn}; +use regex::Regex; use tempfile::NamedTempFile; +use version_compare::{compare_to, Cmp}; pub fn openssl_conf() -> String { - let option = "UnsafeLegacyServerConnect"; + let option = get_openssl_option(); format!( "openssl_conf = openssl_init @@ -47,3 +50,58 @@ pub fn fix_openssl_env() -> anyhow::Result { Ok(openssl_conf) } + +// See: https://stackoverflow.com/questions/75763525/curl-35-error0a000152ssl-routinesunsafe-legacy-renegotiation-disabled +fn get_openssl_option() -> &'static str { + let version_str = openssl::version::version(); + let default_option = "UnsafeLegacyServerConnect"; + + let Some(version) = extract_openssl_version(version_str) else { + warn!("Failed to extract OpenSSL version from '{}'", version_str); + return default_option; + }; + + let older_than_3_0_4 = match compare_to(version, "3.0.4", Cmp::Lt) { + Ok(result) => result, + Err(_) => { + warn!("Failed to compare OpenSSL version: {}", version); + return default_option; + } + }; + + if older_than_3_0_4 { + info!("Using 'UnsafeLegacyRenegotiation' option"); + "UnsafeLegacyRenegotiation" + } else { + info!("Using 'UnsafeLegacyServerConnect' option"); + default_option + } +} + +fn extract_openssl_version(version: &str) -> Option<&str> { + let re = Regex::new(r"OpenSSL (\d+\.\d+\.\d+[^\s]*)").unwrap(); + re.captures(version).and_then(|caps| caps.get(1)).map(|m| m.as_str()) +} + +#[cfg(test)] +mod tests { + use super::*; + + #[test] + fn test_extract_version() { + let input = "OpenSSL 3.4.0 22 Oct 2024 (Library: OpenSSL 3.4.0 22 Oct 2024)"; + assert_eq!(extract_openssl_version(input), Some("3.4.0")); + } + + #[test] + fn test_different_format() { + let input = "OpenSSL 1.1.1t 7 Feb 2023"; + assert_eq!(extract_openssl_version(input), Some("1.1.1t")); + } + + #[test] + fn test_invalid_input() { + let input = "Invalid string without version"; + assert_eq!(extract_openssl_version(input), None); + } +} diff --git a/crates/openconnect/build.rs b/crates/openconnect/build.rs index 0220ce0..bfba3a0 100644 --- a/crates/openconnect/build.rs +++ b/crates/openconnect/build.rs @@ -1,9 +1,14 @@ fn main() { // Link to the native openconnect library println!("cargo:rustc-link-lib=openconnect"); + println!("cargo:rustc-link-search=/opt/homebrew/lib"); // Homebrew path println!("cargo:rerun-if-changed=src/ffi/vpn.c"); println!("cargo:rerun-if-changed=src/ffi/vpn.h"); // Compile the vpn.c file - cc::Build::new().file("src/ffi/vpn.c").include("src/ffi").compile("vpn"); + cc::Build::new() + .file("src/ffi/vpn.c") + .include("src/ffi") + .include("/opt/homebrew/include") // Homebrew path + .compile("vpn"); }