cassidy/GlobalProtect-openconnect
1
0
Fork 0
mirror of https://github.com/yuezk/GlobalProtect-openconnect.git synced 2025-04-02 18:31:50 -04:00
Code Issues Projects Releases Wiki Activity

feat: gpauth support macos

Browse Source
This commit is contained in:
Kevin Yue 2025-01-05 23:42:03 +08:00
parent 0c9b8e6c63
commit 3b4397c77f
No known key found for this signature in database
GPG Key ID: 4D3A6EE977B15AC4
41 changed files with 1025 additions and 826 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
.vscode/c_cpp_properties.json vendored Normal file
View File

@ -0,0 +1,14 @@
{
"configurations": [
{
"name": "Mac",
"includePath": ["/opt/homebrew/include"],
"macFrameworkPath": ["/System/Library/Frameworks", "/Library/Frameworks"],
"intelliSenseMode": "macos-clang-x64",
"compilerPath": "/usr/bin/clang",
"cStandard": "c17",
"cppStandard": "c++17"
}
],
"version": 4
}

11
.vscode/settings.json vendored
View File

@ -23,8 +23,12 @@
"gpgui", "gpgui",
"gpservice", "gpservice",
"hidpi", "hidpi",
"Ivars",
"jnlp", "jnlp",
"LOGNAME", "LOGNAME",
"NSHTTPURL",
"NSURL",
"objc",
"oneshot", "oneshot",
"openconnect", "openconnect",
"pkcs", "pkcs",
@ -55,9 +59,16 @@
"Vite", "Vite",
"vpnc", "vpnc",
"vpninfo", "vpninfo",
"webbrowser",
"wmctrl", "wmctrl",
"XAUTHORITY", "XAUTHORITY",
"yuezk" "yuezk"
], ],
"rust-analyzer.cargo.features": "all", "rust-analyzer.cargo.features": "all",
"files.associations": {
"unistd.h": "c",
"utsname.h": "c",
"vpn.h": "c",
"openconnect.h": "c"
},
} }

16
Cargo.lock generated
View File

@ -178,9 +178,13 @@ name = "auth"
version = "2.4.0" version = "2.4.0"
dependencies = [ dependencies = [
"anyhow", "anyhow",
"block2",
"gpapi", "gpapi",
"html-escape", "html-escape",
"log", "log",
"objc2",
"objc2-foundation",
"objc2-web-kit",
"open", "open",
"regex", "regex",
"tauri", "tauri",
@ -550,6 +554,16 @@ dependencies = [
"clap_derive", "clap_derive",
] ]
[[package]]
name = "clap-verbosity-flag"
version = "3.0.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2678fade3b77aa3a8ff3aae87e9c008d3fb00473a41c71fbf74e91c8c7b37e84"
dependencies = [
"clap",
"log",
]
[[package]] [[package]]
name = "clap_builder" name = "clap_builder"
version = "4.5.23" version = "4.5.23"
@ -1582,6 +1596,7 @@ dependencies = [
"base64 0.22.1", "base64 0.22.1",
"chacha20poly1305", "chacha20poly1305",
"clap", "clap",
"clap-verbosity-flag",
"dns-lookup", "dns-lookup",
"log", "log",
"md5", "md5",
@ -1603,6 +1618,7 @@ dependencies = [
"url", "url",
"urlencoding", "urlencoding",
"uzers", "uzers",
"version-compare",
"whoami", "whoami",
] ]

1
Cargo.toml
View File

@ -15,6 +15,7 @@ license = "GPL-3.0"
anyhow = "1.0" anyhow = "1.0"
base64 = "0.22" base64 = "0.22"
clap = { version = "4", features = ["derive"] } clap = { version = "4", features = ["derive"] }
clap-verbosity-flag = "3"
ctrlc = "3.4" ctrlc = "3.4"
directories = "5.0" directories = "5.0"
dns-lookup = "2.0.4" dns-lookup = "2.0.4"

43
apps/gpauth/src/cli.rs
View File

@ -1,21 +1,19 @@
use std::borrow::Cow; use auth::{auth_prelogin, BrowserAuthenticator};
use auth::{auth_prelogin, Authenticator, BrowserAuthenticator};
use clap::Parser; use clap::Parser;
use gpapi::{ use gpapi::{
auth::{SamlAuthData, SamlAuthResult}, auth::{SamlAuthData, SamlAuthResult},
clap::{args::Os, handle_error, Args}, clap::{args::Os, handle_error, Args, InfoLevelVerbosity},
gp_params::{ClientOs, GpParams}, gp_params::{ClientOs, GpParams},
utils::{normalize_server, openssl}, utils::{normalize_server, openssl},
GP_USER_AGENT, GP_USER_AGENT,
}; };
use log::{info, LevelFilter}; use log::info;
use serde_json::json; use serde_json::json;
use tempfile::NamedTempFile; use tempfile::NamedTempFile;
const VERSION: &str = concat!(env!("CARGO_PKG_VERSION"), " (", compile_time::date_str!(), ")"); const VERSION: &str = concat!(env!("CARGO_PKG_VERSION"), " (", compile_time::date_str!(), ")");
#[derive(Parser, Clone)] #[derive(Parser)]
#[command( #[command(
version = VERSION, version = VERSION,
author, author,
@ -33,7 +31,7 @@ const VERSION: &str = concat!(env!("CARGO_PKG_VERSION"), " (", compile_time::dat
See 'gpauth -h' for more information. See 'gpauth -h' for more information.
" "
)] )]
pub(crate) struct Cli { struct Cli {
#[arg(help = "The portal server to authenticate")] #[arg(help = "The portal server to authenticate")]
server: String, server: String,
@ -75,6 +73,9 @@ pub(crate) struct Cli {
#[cfg(feature = "webview-auth")] #[cfg(feature = "webview-auth")]
#[arg(long, help = "Clean the cache of the embedded browser")] #[arg(long, help = "Clean the cache of the embedded browser")]
pub clean: bool, pub clean: bool,
#[command(flatten)]
verbose: InfoLevelVerbosity,
} }
impl Args for Cli { impl Args for Cli {
@ -110,28 +111,26 @@ impl Cli {
let openssl_conf = self.prepare_env()?; let openssl_conf = self.prepare_env()?;
let server = normalize_server(&self.server)?; let server = normalize_server(&self.server)?;
let server: &'static str = Box::leak(server.into_boxed_str()); let gp_params = self.build_gp_params();
let gp_params: &'static GpParams = Box::leak(Box::new(self.build_gp_params()));
let auth_request = match self.saml_request.as_deref() { let auth_request = match self.saml_request.as_deref() {
Some(auth_request) => Cow::Borrowed(auth_request), Some(auth_request) => auth_request.to_string(),
None => Cow::Owned(auth_prelogin(server, gp_params).await?), None => auth_prelogin(&server, &gp_params).await?,
}; };
let auth_request: &'static str = Box::leak(auth_request.into_owned().into_boxed_str());
let authenticator = Authenticator::new(&server, gp_params).with_auth_request(&auth_request);
#[cfg(feature = "webview-auth")] #[cfg(feature = "webview-auth")]
let browser = self let browser = self
.browser .browser
.as_deref() .as_deref()
.or_else(|| self.default_browser.then_some("default")); .or_else(|| self.default_browser.then(|| "default"));
#[cfg(not(feature = "webview-auth"))] #[cfg(not(feature = "webview-auth"))]
let browser = self.browser.as_deref().or(Some("default")); let browser = self.browser.as_deref().or(Some("default"));
if browser.is_some() { if let Some(browser) = browser {
let auth_result = authenticator.browser_authenticate(browser).await; let authenticator = BrowserAuthenticator::new(&auth_request, browser);
let auth_result = authenticator.authenticate().await;
print_auth_result(auth_result); print_auth_result(auth_result);
// explicitly drop openssl_conf to avoid the unused variable warning // explicitly drop openssl_conf to avoid the unused variable warning
@ -140,7 +139,7 @@ impl Cli {
} }
#[cfg(feature = "webview-auth")] #[cfg(feature = "webview-auth")]
crate::webview_auth::authenticate(&self, authenticator, openssl_conf)?; crate::webview_auth::authenticate(server, gp_params, auth_request, self.clean, openssl_conf).await?;
Ok(()) Ok(())
} }
@ -158,14 +157,16 @@ impl Cli {
} }
} }
fn init_logger() { fn init_logger(cli: &Cli) {
env_logger::builder().filter_level(LevelFilter::Info).init(); env_logger::builder()
.filter_level(cli.verbose.log_level_filter())
.init();
} }
pub async fn run() { pub async fn run() {
let cli = Cli::parse(); let cli = Cli::parse();
init_logger(); init_logger(&cli);
info!("gpauth started: {}", VERSION); info!("gpauth started: {}", VERSION);
if let Err(err) = cli.run().await { if let Err(err) = cli.run().await {

1
apps/gpauth/src/main.rs
View File

@ -1,6 +1,7 @@
#![cfg_attr(not(debug_assertions), windows_subsystem = "windows")] #![cfg_attr(not(debug_assertions), windows_subsystem = "windows")]
mod cli; mod cli;
#[cfg(feature = "webview-auth")] #[cfg(feature = "webview-auth")]
mod webview_auth; mod webview_auth;

21
apps/gpauth/src/webview_auth.rs
View File

@ -1,23 +1,28 @@
use auth::{Authenticator, WebviewAuthenticator}; use auth::WebviewAuthenticator;
use gpapi::gp_params::GpParams;
use log::info; use log::info;
use tauri::RunEvent; use tauri::RunEvent;
use tempfile::NamedTempFile; use tempfile::NamedTempFile;
use crate::cli::{print_auth_result, Cli}; use crate::cli::print_auth_result;
pub fn authenticate( pub async fn authenticate(
cli: &Cli, server: String,
authenticator: Authenticator<'static>, gp_params: GpParams,
auth_request: String,
clean: bool,
mut openssl_conf: Option<NamedTempFile>, mut openssl_conf: Option<NamedTempFile>,
) -> anyhow::Result<()> { ) -> anyhow::Result<()> {
let authenticator = authenticator.with_clean(cli.clean);
tauri::Builder::default() tauri::Builder::default()
.setup(move |app| { .setup(move |app| {
let app_handle = app.handle().clone(); let app_handle = app.handle().clone();
tauri::async_runtime::spawn(async move { tauri::async_runtime::spawn(async move {
let auth_result = authenticator.webview_authenticate(&app_handle).await; let authenticator = WebviewAuthenticator::new(&server, &gp_params)
.with_auth_request(&auth_request)
.with_clean(clean);
let auth_result = authenticator.authenticate(&app_handle).await;
print_auth_result(auth_result); print_auth_result(auth_result);
// Ensure the app exits after the authentication process // Ensure the app exits after the authentication process

19
apps/gpclient/src/cli.rs
View File

@ -2,10 +2,10 @@ use std::{env::temp_dir, fs::File};
use clap::{Parser, Subcommand}; use clap::{Parser, Subcommand};
use gpapi::{ use gpapi::{
clap::{handle_error, Args}, clap::{handle_error, Args, InfoLevelVerbosity},
utils::openssl, utils::openssl,
}; };
use log::{info, LevelFilter}; use log::info;
use tempfile::NamedTempFile; use tempfile::NamedTempFile;
use crate::{ use crate::{
@ -16,9 +16,10 @@ use crate::{
const VERSION: &str = concat!(env!("CARGO_PKG_VERSION"), " (", compile_time::date_str!(), ")"); const VERSION: &str = concat!(env!("CARGO_PKG_VERSION"), " (", compile_time::date_str!(), ")");
pub(crate) struct SharedArgs { pub(crate) struct SharedArgs<'a> {
pub(crate) fix_openssl: bool, pub(crate) fix_openssl: bool,
pub(crate) ignore_tls_errors: bool, pub(crate) ignore_tls_errors: bool,
pub(crate) verbose: &'a InfoLevelVerbosity,
} }
#[derive(Subcommand)] #[derive(Subcommand)]
@ -60,6 +61,9 @@ struct Cli {
fix_openssl: bool, fix_openssl: bool,
#[arg(long, help = "Ignore the TLS errors")] #[arg(long, help = "Ignore the TLS errors")]
ignore_tls_errors: bool, ignore_tls_errors: bool,
#[command(flatten)]
verbose: InfoLevelVerbosity,
} }
impl Args for Cli { impl Args for Cli {
@ -89,6 +93,7 @@ impl Cli {
let shared_args = SharedArgs { let shared_args = SharedArgs {
fix_openssl: self.fix_openssl, fix_openssl: self.fix_openssl,
ignore_tls_errors: self.ignore_tls_errors, ignore_tls_errors: self.ignore_tls_errors,
verbose: &self.verbose,
}; };
if self.ignore_tls_errors { if self.ignore_tls_errors {
@ -103,12 +108,12 @@ impl Cli {
} }
} }
fn init_logger(command: &CliCommand) { fn init_logger(cli: &Cli) {
let mut builder = env_logger::builder(); let mut builder = env_logger::builder();
builder.filter_level(LevelFilter::Info); builder.filter_level(cli.verbose.log_level_filter());
// Output the log messages to a file if the command is the auth callback // Output the log messages to a file if the command is the auth callback
if let CliCommand::LaunchGui(args) = command { if let CliCommand::LaunchGui(args) = &cli.command {
let auth_data = args.auth_data.as_deref().unwrap_or_default(); let auth_data = args.auth_data.as_deref().unwrap_or_default();
if !auth_data.is_empty() { if !auth_data.is_empty() {
if let Ok(log_file) = File::create(temp_dir().join("gpcallback.log")) { if let Ok(log_file) = File::create(temp_dir().join("gpcallback.log")) {
@ -124,7 +129,7 @@ fn init_logger(command: &CliCommand) {
pub(crate) async fn run() { pub(crate) async fn run() {
let cli = Cli::parse(); let cli = Cli::parse();
init_logger(&cli.command); init_logger(&cli);
info!("gpclient started: {}", VERSION); info!("gpclient started: {}", VERSION);

5
apps/gpclient/src/connect.rs
View File

@ -128,7 +128,7 @@ impl ConnectArgs {
pub(crate) struct ConnectHandler<'a> { pub(crate) struct ConnectHandler<'a> {
args: &'a ConnectArgs, args: &'a ConnectArgs,
shared_args: &'a SharedArgs, shared_args: &'a SharedArgs<'a>,
latest_key_password: RefCell<Option<String>>, latest_key_password: RefCell<Option<String>>,
} }
@ -364,7 +364,8 @@ impl<'a> ConnectHandler<'a> {
.os_version(Some(&os_version)) .os_version(Some(&os_version))
.fix_openssl(self.shared_args.fix_openssl) .fix_openssl(self.shared_args.fix_openssl)
.ignore_tls_errors(self.shared_args.ignore_tls_errors) .ignore_tls_errors(self.shared_args.ignore_tls_errors)
.browser(browser); .browser(browser)
.verbose(self.shared_args.verbose);
#[cfg(feature = "webview-auth")] #[cfg(feature = "webview-auth")]
let use_default_browser = prelogin.support_default_browser() && self.args.default_browser; let use_default_browser = prelogin.support_default_browser() && self.args.default_browser;

2
apps/gpgui-helper/src-tauri/Cargo.toml
View File

@ -10,7 +10,7 @@ license.workspace = true
tauri-build = { version = "2", features = [] } tauri-build = { version = "2", features = [] }
[dependencies] [dependencies]
gpapi = { path = "../../../crates/gpapi", features = ["tauri"] } gpapi = { path = "../../../crates/gpapi", features = ["tauri", "clap"] }
tauri.workspace = true tauri.workspace = true
tokio.workspace = true tokio.workspace = true

18
apps/gpgui-helper/src-tauri/src/cli.rs
View File

@ -1,6 +1,9 @@
use clap::Parser; use clap::Parser;
use gpapi::utils::{base64, env_utils}; use gpapi::{
use log::{info, LevelFilter}; clap::InfoLevelVerbosity,
utils::{base64, env_utils},
};
use log::info;
use crate::app::App; use crate::app::App;
@ -15,6 +18,9 @@ struct Cli {
#[arg(long, default_value = env!("CARGO_PKG_VERSION"), help = "The version of the GUI")] #[arg(long, default_value = env!("CARGO_PKG_VERSION"), help = "The version of the GUI")]
gui_version: String, gui_version: String,
#[command(flatten)]
verbose: InfoLevelVerbosity,
} }
impl Cli { impl Cli {
@ -41,14 +47,16 @@ impl Cli {
} }
} }
fn init_logger() { fn init_logger(cli: &Cli) {
env_logger::builder().filter_level(LevelFilter::Info).init(); env_logger::builder()
.filter_level(cli.verbose.log_level_filter())
.init();
} }
pub fn run() { pub fn run() {
let cli = Cli::parse(); let cli = Cli::parse();
init_logger(); init_logger(&cli);
info!("gpgui-helper started: {}", VERSION); info!("gpgui-helper started: {}", VERSION);
if let Err(e) = cli.run() { if let Err(e) = cli.run() {

2
apps/gpservice/Cargo.toml
View File

@ -5,7 +5,7 @@ edition.workspace = true
license.workspace = true license.workspace = true
[dependencies] [dependencies]
gpapi = { path = "../../crates/gpapi" } gpapi = { path = "../../crates/gpapi", features = ["clap"] }
openconnect = { path = "../../crates/openconnect" } openconnect = { path = "../../crates/openconnect" }
clap.workspace = true clap.workspace = true
anyhow.workspace = true anyhow.workspace = true

14
apps/gpservice/src/cli.rs
View File

@ -3,13 +3,14 @@ use std::{collections::HashMap, io::Write};
use anyhow::bail; use anyhow::bail;
use clap::Parser; use clap::Parser;
use gpapi::clap::InfoLevelVerbosity;
use gpapi::{ use gpapi::{
process::gui_launcher::GuiLauncher, process::gui_launcher::GuiLauncher,
service::{request::WsRequest, vpn_state::VpnState}, service::{request::WsRequest, vpn_state::VpnState},
utils::{crypto::generate_key, env_utils, lock_file::LockFile, redact::Redaction, shutdown_signal}, utils::{crypto::generate_key, env_utils, lock_file::LockFile, redact::Redaction, shutdown_signal},
GP_SERVICE_LOCK_FILE, GP_SERVICE_LOCK_FILE,
}; };
use log::{info, warn, LevelFilter}; use log::{info, warn};
use tokio::sync::{mpsc, watch}; use tokio::sync::{mpsc, watch};
use crate::{vpn_task::VpnTask, ws_server::WsServer}; use crate::{vpn_task::VpnTask, ws_server::WsServer};
@ -26,6 +27,9 @@ struct Cli {
#[cfg(debug_assertions)] #[cfg(debug_assertions)]
#[clap(long)] #[clap(long)]
no_gui: bool, no_gui: bool,
#[command(flatten)]
verbose: InfoLevelVerbosity,
} }
impl Cli { impl Cli {
@ -102,12 +106,12 @@ impl Cli {
} }
} }
fn init_logger() -> Arc<Redaction> { fn init_logger(cli: &Cli) -> Arc<Redaction> {
let redaction = Arc::new(Redaction::new()); let redaction = Arc::new(Redaction::new());
let redaction_clone = Arc::clone(&redaction); let redaction_clone = Arc::clone(&redaction);
// let target = Box::new(File::create("log.txt").expect("Can't create file"));
env_logger::builder() env_logger::builder()
.filter_level(LevelFilter::Info) .filter_level(cli.verbose.log_level_filter())
.format(move |buf, record| { .format(move |buf, record| {
let timestamp = buf.timestamp(); let timestamp = buf.timestamp();
writeln!( writeln!(
@ -153,7 +157,7 @@ async fn launch_gui(envs: Option<HashMap<String, String>>, api_key: Vec<u8>, mut
pub async fn run() { pub async fn run() {
let mut cli = Cli::parse(); let mut cli = Cli::parse();
let redaction = init_logger(); let redaction = init_logger(&cli);
info!("gpservice started: {}", VERSION); info!("gpservice started: {}", VERSION);
if let Err(e) = cli.run(redaction).await { if let Err(e) = cli.run(redaction).await {

12
crates/auth/Cargo.toml
View File

@ -31,6 +31,12 @@ html-escape = { version = "0.2.13", optional = true }
[target.'cfg(not(target_os = "macos"))'.dependencies] [target.'cfg(not(target_os = "macos"))'.dependencies]
webkit2gtk = { version = "2", optional = true } webkit2gtk = { version = "2", optional = true }
[target.'cfg(target_os = "macos")'.dependencies]
block2 = { version = "0.5", optional = true }
objc2 = { version = "0.5", optional = true }
objc2-foundation = { version = "0.2", optional = true }
objc2-web-kit = { version = "0.2", optional = true }
[features] [features]
browser-auth = [ browser-auth = [
"dep:webbrowser", "dep:webbrowser",
@ -40,10 +46,14 @@ browser-auth = [
"dep:uuid", "dep:uuid",
] ]
webview-auth = [ webview-auth = [
"gpapi/tauri",
"dep:tauri", "dep:tauri",
"dep:regex", "dep:regex",
"dep:tokio-util", "dep:tokio-util",
"dep:html-escape", "dep:html-escape",
"dep:webkit2gtk", "dep:webkit2gtk",
"gpapi/tauri", "dep:block2",
"dep:objc2",
"dep:objc2-foundation",
"dep:objc2-web-kit",
] ]

60
crates/auth/src/authenticator.rs
View File

@ -1,60 +0,0 @@
use std::borrow::Cow;
use anyhow::bail;
use gpapi::{
gp_params::GpParams,
portal::{prelogin, Prelogin},
};
pub struct Authenticator<'a> {
server: &'a str,
auth_request: Option<&'a str>,
pub(crate) gp_params: &'a GpParams,
#[cfg(feature = "webview-auth")]
pub(crate) clean: bool,
#[cfg(feature = "webview-auth")]
pub(crate) is_retrying: tokio::sync::RwLock<bool>,
}
impl<'a> Authenticator<'a> {
pub fn new(server: &'a str, gp_params: &'a GpParams) -> Self {
Self {
server,
gp_params,
auth_request: None,
#[cfg(feature = "webview-auth")]
clean: false,
#[cfg(feature = "webview-auth")]
is_retrying: Default::default(),
}
}
pub fn with_auth_request(mut self, auth_request: &'a str) -> Self {
if !auth_request.is_empty() {
self.auth_request = Some(auth_request);
}
self
}
pub(crate) async fn initial_auth_request(&self) -> anyhow::Result<Cow<'a, str>> {
if let Some(auth_request) = self.auth_request {
return Ok(Cow::Borrowed(auth_request));
}
let auth_request = self.portal_prelogin().await?;
Ok(Cow::Owned(auth_request))
}
pub(crate) async fn portal_prelogin(&self) -> anyhow::Result<String> {
auth_prelogin(self.server, self.gp_params).await
}
}
pub async fn auth_prelogin(server: &str, gp_params: &GpParams) -> anyhow::Result<String> {
match prelogin(server, gp_params).await? {
Prelogin::Saml(prelogin) => Ok(prelogin.saml_request().to_string()),
Prelogin::Standard(_) => bail!("Received non-SAML prelogin response"),
}
}

4
crates/auth/src/browser.rs Normal file
View File

@ -0,0 +1,4 @@
mod auth_server;
mod browser_auth;
pub use browser_auth::BrowserAuthenticator;

0
crates/auth/src/browser_auth/auth_server.rs → crates/auth/src/browser/auth_server.rs
View File

85
crates/auth/src/browser_auth/browser_auth_impl.rs → crates/auth/src/browser/browser_auth.rs
View File

@ -4,30 +4,45 @@ use gpapi::{auth::SamlAuthData, GP_CALLBACK_PORT_FILENAME};
use log::info; use log::info;
use tokio::{io::AsyncReadExt, net::TcpListener}; use tokio::{io::AsyncReadExt, net::TcpListener};
use super::auth_server::AuthServer; use crate::browser::auth_server::AuthServer;
pub(super) struct BrowserAuthenticatorImpl<'a> { pub enum Browser<'a> {
Default,
Chrome,
Firefox,
Other(&'a str),
}
impl<'a> Browser<'a> {
pub fn from_str(browser: &'a str) -> Self {
match browser.to_lowercase().as_str() {
"default" => Browser::Default,
"chrome" => Browser::Chrome,
"firefox" => Browser::Firefox,
_ => Browser::Other(browser),
}
}
fn as_str(&self) -> &str {
match self {
Browser::Default => "default",
Browser::Chrome => "chrome",
Browser::Firefox => "firefox",
Browser::Other(browser) => browser,
}
}
}
pub struct BrowserAuthenticator<'a> {
auth_request: &'a str, auth_request: &'a str,
browser: Option<&'a str>, browser: Browser<'a>,
} }
impl BrowserAuthenticatorImpl<'_> { impl<'a> BrowserAuthenticator<'a> {
pub fn new(auth_request: &str) -> BrowserAuthenticatorImpl { pub fn new(auth_request: &'a str, browser: &'a str) -> Self {
BrowserAuthenticatorImpl { Self {
auth_request, auth_request,
browser: None, browser: Browser::from_str(browser),
}
}
pub fn new_with_browser<'a>(auth_request: &'a str, browser: &'a str) -> BrowserAuthenticatorImpl<'a> {
let browser = browser.trim();
BrowserAuthenticatorImpl {
auth_request,
browser: if browser.is_empty() || browser == "default" {
None
} else {
Some(browser)
},
} }
} }
@ -40,14 +55,17 @@ impl BrowserAuthenticatorImpl<'_> {
auth_server.serve_request(&auth_request); auth_server.serve_request(&auth_request);
}); });
if let Some(browser) = self.browser { match self.browser {
let app = find_browser_path(browser); Browser::Default => {
info!("Launching the default browser...");
webbrowser::open(&auth_url)?;
}
_ => {
let app = find_browser_path(&self.browser);
info!("Launching browser: {}", app); info!("Launching browser: {}", app);
open::with_detached(auth_url, app)?; open::with_detached(auth_url, app)?;
} else { }
info!("Launching the default browser...");
webbrowser::open(&auth_url)?;
} }
info!("Please continue the authentication process in the default browser"); info!("Please continue the authentication process in the default browser");
@ -55,15 +73,18 @@ impl BrowserAuthenticatorImpl<'_> {
} }
} }
fn find_browser_path(browser: &str) -> String { fn find_browser_path(browser: &Browser) -> String {
if browser == "chrome" { match browser {
which::which("google-chrome-stable") Browser::Chrome => {
.or_else(|_| which::which("google-chrome")) const CHROME_VARIANTS: &[&str] = &["google-chrome-stable", "google-chrome", "chromium"];
.or_else(|_| which::which("chromium"))
CHROME_VARIANTS
.iter()
.find_map(|&browser_name| which::which(browser_name).ok())
.map(|path| path.to_string_lossy().to_string()) .map(|path| path.to_string_lossy().to_string())
.unwrap_or_else(|_| browser.to_string()) .unwrap_or_else(|| browser.as_str().to_string())
} else { }
browser.into() _ => browser.as_str().to_string(),
} }
} }

5
crates/auth/src/browser_auth.rs
View File

@ -1,5 +0,0 @@
mod auth_server;
mod browser_auth_ext;
mod browser_auth_impl;
pub use browser_auth_ext::BrowserAuthenticator;

22
crates/auth/src/browser_auth/browser_auth_ext.rs
View File

@ -1,22 +0,0 @@
use std::future::Future;
use gpapi::auth::SamlAuthData;
use crate::{browser_auth::browser_auth_impl::BrowserAuthenticatorImpl, Authenticator};
pub trait BrowserAuthenticator {
fn browser_authenticate(&self, browser: Option<&str>) -> impl Future<Output = anyhow::Result<SamlAuthData>> + Send;
}
impl BrowserAuthenticator for Authenticator<'_> {
async fn browser_authenticate(&self, browser: Option<&str>) -> anyhow::Result<SamlAuthData> {
let auth_request = self.initial_auth_request().await?;
let browser_auth = if let Some(browser) = browser {
BrowserAuthenticatorImpl::new_with_browser(&auth_request, browser)
} else {
BrowserAuthenticatorImpl::new(&auth_request)
};
browser_auth.authenticate().await
}
}

24
crates/auth/src/lib.rs
View File

@ -1,13 +1,23 @@
mod authenticator; use anyhow::bail;
pub use authenticator::auth_prelogin; use gpapi::{
pub use authenticator::Authenticator; gp_params::GpParams,
portal::{prelogin, Prelogin},
};
#[cfg(feature = "browser-auth")] #[cfg(feature = "browser-auth")]
mod browser_auth; mod browser;
#[cfg(feature = "browser-auth")] #[cfg(feature = "browser-auth")]
pub use browser_auth::BrowserAuthenticator; pub use browser::*;
#[cfg(feature = "webview-auth")] #[cfg(feature = "webview-auth")]
mod webview_auth; mod webview;
#[cfg(feature = "webview-auth")] #[cfg(feature = "webview-auth")]
pub use webview_auth::WebviewAuthenticator; pub use webview::*;
pub async fn auth_prelogin(server: &str, gp_params: &GpParams) -> anyhow::Result<String> {
match prelogin(server, gp_params).await? {
Prelogin::Saml(prelogin) => Ok(prelogin.saml_request().to_string()),
Prelogin::Standard(_) => bail!("Received non-SAML prelogin response"),
}
}

8
crates/auth/src/webview.rs Normal file
View File

@ -0,0 +1,8 @@
mod auth_messenger;
mod webview_auth;
#[cfg_attr(not(target_os = "macos"), path = "webview/unix.rs")]
#[cfg_attr(target_os = "macos", path = "webview/macos.rs")]
mod platform_impl;
pub use webview_auth::WebviewAuthenticator;

229
crates/auth/src/webview/auth_messenger.rs Normal file
View File

@ -0,0 +1,229 @@
use anyhow::bail;
use gpapi::{auth::SamlAuthData, error::AuthDataParseError};
use log::{error, info};
use regex::Regex;
use tokio::sync::{mpsc, RwLock};
use tokio_util::sync::CancellationToken;
#[derive(Debug)]
pub(crate) enum AuthDataLocation {
#[cfg(not(target_os = "macos"))]
Headers,
Body,
}
#[derive(Debug)]
pub(crate) enum AuthError {
/// Failed to load page due to TLS error
#[cfg(not(target_os = "macos"))]
TlsError,
/// 1. Found auth data in headers/body but it's invalid
/// 2. Loaded an empty page, failed to load page. etc.
Invalid(anyhow::Error, AuthDataLocation),
/// No auth data found in headers/body
NotFound(AuthDataLocation),
}
impl AuthError {
pub fn invalid_from_body(err: anyhow::Error) -> Self {
Self::Invalid(err, AuthDataLocation::Body)
}
pub fn not_found_in_body() -> Self {
Self::NotFound(AuthDataLocation::Body)
}
}
#[cfg(not(target_os = "macos"))]
impl AuthError {
pub fn not_found_in_headers() -> Self {
Self::NotFound(AuthDataLocation::Headers)
}
}
pub(crate) enum AuthEvent {
Data(SamlAuthData, AuthDataLocation),
Error(AuthError),
RaiseWindow,
Close,
}
pub struct AuthMessenger {
tx: mpsc::UnboundedSender<AuthEvent>,
rx: RwLock<mpsc::UnboundedReceiver<AuthEvent>>,
raise_window_cancel_token: RwLock<Option<CancellationToken>>,
}
impl AuthMessenger {
pub fn new() -> Self {
let (tx, rx) = mpsc::unbounded_channel();
Self {
tx,
rx: RwLock::new(rx),
raise_window_cancel_token: Default::default(),
}
}
pub async fn subscribe(&self) -> anyhow::Result<AuthEvent> {
let mut rx = self.rx.write().await;
if let Some(event) = rx.recv().await {
return Ok(event);
}
bail!("Failed to receive auth event");
}
pub fn send_auth_event(&self, event: AuthEvent) {
if let Err(event) = self.tx.send(event) {
error!("Failed to send auth event: {}", event);
}
}
pub fn send_auth_error(&self, err: AuthError) {
self.send_auth_event(AuthEvent::Error(err));
}
fn send_auth_data(&self, data: SamlAuthData, location: AuthDataLocation) {
self.send_auth_event(AuthEvent::Data(data, location));
}
pub fn schedule_raise_window(&self, delay: u64) {
let Ok(mut guard) = self.raise_window_cancel_token.try_write() else {
return;
};
// Return if the previous raise window task is still running
if let Some(token) = guard.as_ref() {
if !token.is_cancelled() {
info!("Raise window task is still running, skipping...");
return;
}
}
let cancel_token = CancellationToken::new();
let cancel_token_clone = cancel_token.clone();
*guard = Some(cancel_token_clone);
let tx = self.tx.clone();
tokio::spawn(async move {
info!("Displaying the window in {} second(s)...", delay);
tokio::select! {
_ = tokio::time::sleep(tokio::time::Duration::from_secs(delay)) => {
cancel_token.cancel();
if let Err(err) = tx.send(AuthEvent::RaiseWindow) {
error!("Failed to send raise window event: {}", err);
}
}
_ = cancel_token.cancelled() => {
info!("Cancelled raise window task");
}
}
});
}
pub fn cancel_raise_window(&self) {
if let Ok(mut cancel_token) = self.raise_window_cancel_token.try_write() {
if let Some(token) = cancel_token.take() {
token.cancel();
}
}
}
pub fn read_from_html(&self, html: &str) {
if html.contains("Temporarily Unavailable") {
return self.send_auth_error(AuthError::invalid_from_body(anyhow::anyhow!("Temporarily Unavailable")));
}
let auth_result = SamlAuthData::from_html(html).or_else(|err| {
info!("Read auth data from html failed: {}, extracting gpcallback...", err);
if let Some(gpcallback) = extract_gpcallback(html) {
info!("Found gpcallback from html...");
SamlAuthData::from_gpcallback(&gpcallback)
} else {
Err(err)
}
});
match auth_result {
Ok(data) => self.send_auth_data(data, AuthDataLocation::Body),
Err(AuthDataParseError::Invalid(err)) => self.send_auth_error(AuthError::invalid_from_body(err)),
Err(AuthDataParseError::NotFound) => self.send_auth_error(AuthError::not_found_in_body()),
}
}
#[cfg(not(target_os = "macos"))]
pub fn read_from_response(&self, auth_response: &impl super::webview_auth::GetHeader) {
use log::warn;
let Some(status) = auth_response.get_header("saml-auth-status") else {
return self.send_auth_error(AuthError::not_found_in_headers());
};
// Do not send auth error when reading from headers, as the html body may contain the auth data
if status != "1" {
warn!("Found invalid saml-auth-status in headers: {}", status);
return;
}
let username = auth_response.get_header("saml-username");
let prelogin_cookie = auth_response.get_header("prelogin-cookie");
let portal_userauthcookie = auth_response.get_header("portal-userauthcookie");
match SamlAuthData::new(username, prelogin_cookie, portal_userauthcookie) {
Ok(auth_data) => self.send_auth_data(auth_data, AuthDataLocation::Headers),
Err(err) => {
warn!("Failed to read auth data from headers: {}", err);
}
}
}
}
fn extract_gpcallback(html: &str) -> Option<String> {
let re = Regex::new(r#"globalprotectcallback:[^"]+"#).unwrap();
re.captures(html)
.and_then(|captures| captures.get(0))
.map(|m| html_escape::decode_html_entities(m.as_str()).to_string())
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn extract_gpcallback_some() {
let html = r#"
<meta http-equiv="refresh" content="0; URL=globalprotectcallback:PGh0bWw+PCEtLSA8c">
<meta http-equiv="refresh" content="0; URL=globalprotectcallback:PGh0bWw+PCEtLSA8c">
"#;
assert_eq!(
extract_gpcallback(html).as_deref(),
Some("globalprotectcallback:PGh0bWw+PCEtLSA8c")
);
}
#[test]
fn extract_gpcallback_cas() {
let html = r#"
<meta http-equiv="refresh" content="0; URL=globalprotectcallback:cas-as=1&amp;un=xyz@email.com&amp;token=very_long_string">
"#;
assert_eq!(
extract_gpcallback(html).as_deref(),
Some("globalprotectcallback:cas-as=1&un=xyz@email.com&token=very_long_string")
);
}
#[test]
fn extract_gpcallback_none() {
let html = r#"
<meta http-equiv="refresh" content="0; URL=PGh0bWw+PCEtLSA8c">
"#;
assert_eq!(extract_gpcallback(html), None);
}
}

58
crates/auth/src/webview/macos.rs Normal file
View File

@ -0,0 +1,58 @@
use block2::RcBlock;
use log::warn;
use objc2::runtime::AnyObject;
use objc2_foundation::{NSError, NSString, NSURLRequest, NSURL};
use objc2_web_kit::WKWebView;
use tauri::webview::PlatformWebview;
use super::webview_auth::PlatformWebviewExt;
impl PlatformWebviewExt for PlatformWebview {
fn ignore_tls_errors(&self) -> anyhow::Result<()> {
warn!("Ignoring TLS errors is not supported on macOS");
Ok(())
}
fn load_url(&self, url: &str) -> anyhow::Result<()> {
unsafe {
let wv: &WKWebView = &*self.inner().cast();
let url = NSURL::URLWithString(&NSString::from_str(url)).ok_or_else(|| anyhow::anyhow!("Invalid URL"))?;
let request = NSURLRequest::requestWithURL(&url);
wv.loadRequest(&request);
}
Ok(())
}
fn load_html(&self, html: &str) -> anyhow::Result<()> {
unsafe {
let wv: &WKWebView = &*self.inner().cast();
wv.loadHTMLString_baseURL(&NSString::from_str(html), None);
}
Ok(())
}
fn get_html(&self, callback: Box<dyn Fn(anyhow::Result<String>) + 'static>) {
unsafe {
let wv: &WKWebView = &*self.inner().cast();
let js_callback = RcBlock::new(move |body: *mut AnyObject, err: *mut NSError| {
if let Some(err) = err.as_ref() {
let code = err.code();
let message = err.localizedDescription();
callback(Err(anyhow::anyhow!("Error {}: {}", code, message)));
} else {
let body: &NSString = &*body.cast();
callback(Ok(body.to_string()));
}
});
wv.evaluateJavaScript_completionHandler(
&NSString::from_str("document.documentElement.outerHTML"),
Some(&js_callback),
);
}
}
}

105
crates/auth/src/webview/unix.rs Normal file
View File

@ -0,0 +1,105 @@
use std::sync::Arc;
use anyhow::bail;
use gpapi::utils::redact::redact_uri;
use log::warn;
use tauri::webview::PlatformWebview;
use webkit2gtk::{
gio::Cancellable, glib::GString, LoadEvent, TLSErrorsPolicy, URIResponseExt, WebResource, WebResourceExt, WebViewExt,
WebsiteDataManagerExt,
};
use super::{
auth_messenger::AuthError,
webview_auth::{GetHeader, PlatformWebviewExt},
};
impl GetHeader for WebResource {
fn get_header(&self, key: &str) -> Option<String> {
self
.response()
.and_then(|response| response.http_headers())
.and_then(|headers| headers.one(key))
.map(GString::into)
}
}
impl PlatformWebviewExt for PlatformWebview {
fn ignore_tls_errors(&self) -> anyhow::Result<()> {
if let Some(manager) = self.inner().website_data_manager() {
manager.set_tls_errors_policy(TLSErrorsPolicy::Ignore);
return Ok(());
}
bail!("Failed to get website data manager");
}
fn load_url(&self, url: &str) -> anyhow::Result<()> {
self.inner().load_uri(url);
Ok(())
}
fn load_html(&self, html: &str) -> anyhow::Result<()> {
self.inner().load_html(html, None);
Ok(())
}
fn get_html(&self, callback: Box<dyn Fn(anyhow::Result<String>) + 'static>) {
let script = "document.documentElement.outerHTML";
self
.inner()
.evaluate_javascript(script, None, None, Cancellable::NONE, move |result| match result {
Ok(value) => callback(Ok(value.to_string())),
Err(err) => callback(Err(anyhow::anyhow!(err))),
});
}
}
pub trait PlatformWebviewOnResponse {
fn on_response(&self, callback: Box<dyn Fn(anyhow::Result<WebResource, AuthError>) + 'static>);
}
impl PlatformWebviewOnResponse for PlatformWebview {
fn on_response(&self, callback: Box<dyn Fn(anyhow::Result<WebResource, AuthError>) + 'static>) {
let wv = self.inner();
let callback = Arc::new(callback);
let callback_clone = Arc::clone(&callback);
wv.connect_load_changed(move |wv, event| {
if event != LoadEvent::Finished {
return;
}
let Some(web_resource) = wv.main_resource() else {
return;
};
let uri = web_resource.uri().unwrap_or("".into());
if uri.is_empty() {
callback_clone(Err(AuthError::invalid_from_body(anyhow::anyhow!("Empty URI"))));
} else {
callback_clone(Ok(web_resource));
}
});
wv.connect_load_failed_with_tls_errors(move |_wv, uri, cert, err| {
let redacted_uri = redact_uri(uri);
warn!(
"Failed to load uri: {} with error: {}, cert: {}",
redacted_uri, err, cert
);
callback(Err(AuthError::TlsError));
true
});
wv.connect_load_failed(move |_wv, _event, uri, err| {
let redacted_uri = redact_uri(uri);
if !uri.starts_with("globalprotectcallback:") {
warn!("Failed to load uri: {} with error: {}", redacted_uri, err);
}
// NOTE: Don't send error here, since load_changed event will be triggered after this
// true to stop other handlers from being invoked for the event. false to propagate the event further.
true
});
}
}

277
crates/auth/src/webview/webview_auth.rs Normal file
View File

@ -0,0 +1,277 @@
use std::{sync::Arc, time::Duration};
use anyhow::bail;
use gpapi::{auth::SamlAuthData, gp_params::GpParams, utils::redact::redact_uri};
use log::{info, warn};
use tauri::{
webview::{PageLoadEvent, PageLoadPayload},
AppHandle, WebviewUrl, WebviewWindow, WindowEvent,
};
use tokio::{sync::oneshot, time};
use crate::auth_prelogin;
use super::auth_messenger::{AuthError, AuthEvent, AuthMessenger};
pub trait PlatformWebviewExt {
fn ignore_tls_errors(&self) -> anyhow::Result<()>;
fn load_url(&self, url: &str) -> anyhow::Result<()>;
fn load_html(&self, html: &str) -> anyhow::Result<()>;
fn get_html(&self, callback: Box<dyn Fn(anyhow::Result<String>) + 'static>);
fn load_auth_request(&self, auth_request: &str) -> anyhow::Result<()> {
if auth_request.starts_with("http") {
info!("Loading auth request as URL: {}", redact_uri(auth_request));
self.load_url(auth_request)
} else {
info!("Loading auth request as HTML...");
self.load_html(auth_request)
}
}
}
#[cfg(not(target_os = "macos"))]
pub trait GetHeader {
fn get_header(&self, key: &str) -> Option<String>;
}
pub struct WebviewAuthenticator<'a> {
server: &'a str,
gp_params: &'a GpParams,
auth_request: Option<&'a str>,
clean: bool,
is_retrying: tokio::sync::RwLock<bool>,
}
impl<'a> WebviewAuthenticator<'a> {
pub fn new(server: &'a str, gp_params: &'a GpParams) -> Self {
Self {
server,
gp_params,
auth_request: None,
clean: false,
is_retrying: Default::default(),
}
}
pub fn with_auth_request(mut self, auth_request: &'a str) -> Self {
self.auth_request = Some(auth_request);
self
}
pub fn with_clean(mut self, clean: bool) -> Self {
self.clean = clean;
self
}
pub async fn authenticate(&self, app_handle: &AppHandle) -> anyhow::Result<SamlAuthData> {
let auth_messenger = Arc::new(AuthMessenger::new());
let auth_messenger_clone = Arc::clone(&auth_messenger);
let on_page_load = move |auth_window: WebviewWindow, event: PageLoadPayload<'_>| {
let auth_messenger_clone = Arc::clone(&auth_messenger_clone);
let redacted_url = redact_uri(event.url().as_str());
match event.event() {
PageLoadEvent::Started => {
info!("Started loading page: {}", redacted_url);
auth_messenger_clone.cancel_raise_window();
}
PageLoadEvent::Finished => {
info!("Finished loading page: {}", redacted_url);
}
}
// Read auth data from the page no matter whether it's finished loading or not
// Because we found that the finished event may not be triggered in some cases (e.g., on macOS)
let _ = auth_window.with_webview(move |wv| {
wv.get_html(Box::new(move |html| match html {
Ok(html) => auth_messenger_clone.read_from_html(&html),
Err(err) => warn!("Failed to get html: {}", err),
}));
});
};
let title_bar_height = if cfg!(target_os = "macos") { 28.0 } else { 0.0 };
let auth_window = WebviewWindow::builder(app_handle, "auth_window", WebviewUrl::default())
.on_page_load(on_page_load)
.title("GlobalProtect Login")
.inner_size(900.0, 650.0 + title_bar_height)
.focused(true)
.visible(false)
.center()
.build()?;
self
.setup_auth_window(&auth_window, Arc::clone(&auth_messenger))
.await?;
loop {
match auth_messenger.subscribe().await? {
AuthEvent::Close => bail!("Authentication cancelled"),
AuthEvent::RaiseWindow => self.raise_window(&auth_window),
#[cfg(not(target_os = "macos"))]
AuthEvent::Error(AuthError::TlsError) => bail!(gpapi::error::PortalError::TlsError),
AuthEvent::Error(AuthError::NotFound(location)) => {
info!(
"No auth data found in {:?}, it may not be the /SAML20/SP/ACS endpoint",
location
);
self.handle_not_found(&auth_window, &auth_messenger);
}
AuthEvent::Error(AuthError::Invalid(err, location)) => {
warn!("Got invalid auth data in {:?}: {}", location, err);
self.retry_auth(&auth_window).await;
}
AuthEvent::Data(auth_data, location) => {
info!("Got auth data from {:?}", location);
auth_window.close()?;
return Ok(auth_data);
}
}
}
}
async fn setup_auth_window(
&self,
auth_window: &WebviewWindow,
auth_messenger: Arc<AuthMessenger>,
) -> anyhow::Result<()> {
info!("Setting up auth window...");
if self.clean {
info!("Clearing all browsing data...");
auth_window.clear_all_browsing_data()?;
}
// Handle window close event
let auth_messenger_clone = Arc::clone(&auth_messenger);
auth_window.on_window_event(move |event| {
if let WindowEvent::CloseRequested { .. } = event {
auth_messenger_clone.send_auth_event(AuthEvent::Close);
}
});
// Show the window after 10 seconds, so that the user can see the window if the auth process is stuck
let auth_messenger_clone = Arc::clone(&auth_messenger);
tokio::spawn(async move {
time::sleep(Duration::from_secs(10)).await;
auth_messenger_clone.send_auth_event(AuthEvent::RaiseWindow);
});
let auth_request = match self.auth_request {
Some(auth_request) => auth_request.to_string(),
None => auth_prelogin(&self.server, &self.gp_params).await?,
};
let (tx, rx) = oneshot::channel::<anyhow::Result<()>>();
let ignore_tls_errors = self.gp_params.ignore_tls_errors();
// Set up webview
auth_window.with_webview(move |wv| {
#[cfg(not(target_os = "macos"))]
{
use super::platform_impl::PlatformWebviewOnResponse;
wv.on_response(Box::new(move |response| match response {
Ok(response) => auth_messenger.read_from_response(&response),
Err(err) => auth_messenger.send_auth_error(err),
}));
}
let result = || -> anyhow::Result<()> {
if ignore_tls_errors {
wv.ignore_tls_errors()?;
}
wv.load_auth_request(&auth_request)
}();
if let Err(result) = tx.send(result) {
warn!("Failed to send setup auth window result: {:?}", result);
}
})?;
rx.await??;
info!("Auth window setup completed");
Ok(())
}
fn handle_not_found(&self, auth_window: &WebviewWindow, auth_messenger: &Arc<AuthMessenger>) {
let visible = auth_window.is_visible().unwrap_or(false);
if visible {
return;
}
auth_messenger.schedule_raise_window(2);
}
async fn retry_auth(&self, auth_window: &WebviewWindow) {
let mut is_retrying = self.is_retrying.write().await;
if *is_retrying {
info!("Already retrying authentication, skipping...");
return;
}
*is_retrying = true;
drop(is_retrying);
if let Err(err) = self.retry_auth_impl(auth_window).await {
warn!("Failed to retry authentication: {}", err);
}
*self.is_retrying.write().await = false;
}
async fn retry_auth_impl(&self, auth_window: &WebviewWindow) -> anyhow::Result<()> {
info!("Retrying authentication...");
auth_window.eval( r#"
var loading = document.createElement("div");
loading.innerHTML = '<div style="position: absolute; width: 100%; text-align: center; font-size: 20px; font-weight: bold; top: 50%; left: 50%; transform: translate(-50%, -50%);">Got invalid token, retrying...</div>';
loading.style = "position: fixed; top: 0; left: 0; width: 100%; height: 100%; background: rgba(255, 255, 255, 0.85); z-index: 99999;";
document.body.appendChild(loading);
"#)?;
let auth_request = auth_prelogin(&self.server, &self.gp_params).await?;
let (tx, rx) = oneshot::channel::<anyhow::Result<()>>();
auth_window.with_webview(move |wv| {
let result = wv.load_auth_request(&auth_request);
if let Err(result) = tx.send(result) {
warn!("Failed to send retry auth result: {:?}", result);
}
})?;
rx.await??;
Ok(())
}
fn raise_window(&self, auth_window: &WebviewWindow) {
let visible = auth_window.is_visible().unwrap_or(false);
if visible {
return;
}
info!("Raising auth window...");
#[cfg(target_os = "macos")]
let result = auth_window.show();
#[cfg(not(target_os = "macos"))]
let result = {
use gpapi::utils::window::WindowExt;
auth_window.raise()
};
if let Err(err) = result {
warn!("Failed to raise window: {}", err);
}
}
}

9
crates/auth/src/webview_auth.rs
View File

@ -1,9 +0,0 @@
mod auth_messenger;
mod auth_response;
mod auth_settings;
mod webview_auth_ext;
#[cfg_attr(not(target_os = "macos"), path = "webview_auth/unix.rs")]
mod platform_impl;
pub use webview_auth_ext::WebviewAuthenticator;

108
crates/auth/src/webview_auth/auth_messenger.rs
View File

@ -1,108 +0,0 @@
use anyhow::bail;
use gpapi::auth::SamlAuthData;
use log::{error, info};
use tokio::sync::{mpsc, RwLock};
use tokio_util::sync::CancellationToken;
pub enum AuthError {
/// Failed to load page due to TLS error
TlsError,
/// 1. Found auth data in headers/body but it's invalid
/// 2. Loaded an empty page, failed to load page. etc.
Invalid,
/// No auth data found in headers/body
NotFound,
}
pub type AuthResult = anyhow::Result<SamlAuthData, AuthError>;
pub enum AuthEvent {
Data(SamlAuthData),
Error(AuthError),
RaiseWindow,
Close,
}
pub struct AuthMessenger {
tx: mpsc::UnboundedSender<AuthEvent>,
rx: RwLock<mpsc::UnboundedReceiver<AuthEvent>>,
raise_window_cancel_token: RwLock<Option<CancellationToken>>,
}
impl AuthMessenger {
pub fn new() -> Self {
let (tx, rx) = mpsc::unbounded_channel();
Self {
tx,
rx: RwLock::new(rx),
raise_window_cancel_token: Default::default(),
}
}
pub async fn subscribe(&self) -> anyhow::Result<AuthEvent> {
let mut rx = self.rx.write().await;
if let Some(event) = rx.recv().await {
return Ok(event);
}
bail!("Failed to receive auth event");
}
pub fn send_auth_event(&self, event: AuthEvent) {
if let Err(event) = self.tx.send(event) {
error!("Failed to send auth event: {}", event);
}
}
pub fn send_auth_result(&self, result: AuthResult) {
match result {
Ok(data) => self.send_auth_data(data),
Err(err) => self.send_auth_error(err),
}
}
pub fn send_auth_error(&self, err: AuthError) {
self.send_auth_event(AuthEvent::Error(err));
}
pub fn send_auth_data(&self, data: SamlAuthData) {
self.send_auth_event(AuthEvent::Data(data));
}
pub fn schedule_raise_window(&self, delay: u64) {
let cancel_token = CancellationToken::new();
let cancel_token_clone = cancel_token.clone();
if let Ok(mut guard) = self.raise_window_cancel_token.try_write() {
// Cancel the previous raise window task if it exists
if let Some(token) = guard.take() {
token.cancel();
}
*guard = Some(cancel_token_clone);
}
let tx = self.tx.clone();
tokio::spawn(async move {
info!("Displaying the window in {} second(s)...", delay);
tokio::select! {
_ = tokio::time::sleep(tokio::time::Duration::from_secs(delay)) => {
if let Err(err) = tx.send(AuthEvent::RaiseWindow) {
error!("Failed to send raise window event: {}", err);
}
}
_ = cancel_token.cancelled() => {
info!("Cancelled raise window task");
}
}
});
}
pub fn cancel_raise_window(&self) {
if let Ok(mut cancel_token) = self.raise_window_cancel_token.try_write() {
if let Some(token) = cancel_token.take() {
token.cancel();
}
}
}
}

152
crates/auth/src/webview_auth/auth_response.rs
View File

@ -1,152 +0,0 @@
use std::sync::Arc;
use gpapi::{
auth::{AuthDataParseResult, SamlAuthData},
error::AuthDataParseError,
};
use log::{info, warn};
use regex::Regex;
use crate::webview_auth::auth_messenger::{AuthError, AuthMessenger};
/// Trait for handling authentication response
pub trait AuthResponse {
fn get_header(&self, key: &str) -> Option<String>;
fn get_body<F>(&self, cb: F)
where
F: FnOnce(anyhow::Result<Vec<u8>>) + 'static;
fn url(&self) -> Option<String>;
fn is_acs_endpoint(&self) -> bool {
self.url().map_or(false, |url| url.ends_with("/SAML20/SP/ACS"))
}
}
pub fn read_auth_data(auth_response: &impl AuthResponse, auth_messenger: &Arc<AuthMessenger>) {
let auth_messenger = Arc::clone(auth_messenger);
match read_from_headers(auth_response) {
Ok(auth_data) => {
info!("Found auth data in headers");
auth_messenger.send_auth_data(auth_data);
}
Err(header_err) => {
info!("Failed to read auth data from headers: {}", header_err);
let is_acs_endpoint = auth_response.is_acs_endpoint();
read_from_body(auth_response, move |auth_result| {
// If the endpoint is `/SAML20/SP/ACS` and no auth data found in body, it should be considered as invalid
let auth_result = auth_result.map_err(move |e| {
info!("Failed to read auth data from body: {}", e);
if is_acs_endpoint || e.is_invalid() || header_err.is_invalid() {
AuthError::Invalid
} else {
AuthError::NotFound
}
});
auth_messenger.send_auth_result(auth_result);
});
}
}
}
fn read_from_headers(auth_response: &impl AuthResponse) -> AuthDataParseResult {
let Some(status) = auth_response.get_header("saml-auth-status") else {
info!("No SAML auth status found in headers");
return Err(AuthDataParseError::NotFound);
};
if status != "1" {
info!("Found invalid auth status: {}", status);
return Err(AuthDataParseError::Invalid);
}
let username = auth_response.get_header("saml-username");
let prelogin_cookie = auth_response.get_header("prelogin-cookie");
let portal_userauthcookie = auth_response.get_header("portal-userauthcookie");
SamlAuthData::new(username, prelogin_cookie, portal_userauthcookie).map_err(|e| {
warn!("Found invalid auth data: {}", e);
AuthDataParseError::Invalid
})
}
fn read_from_body<F>(auth_response: &impl AuthResponse, cb: F)
where
F: FnOnce(AuthDataParseResult) + 'static,
{
auth_response.get_body(|body| match body {
Ok(body) => {
let html = String::from_utf8_lossy(&body);
cb(read_from_html(&html))
}
Err(err) => {
info!("Failed to read body: {}", err);
cb(Err(AuthDataParseError::Invalid))
}
});
}
fn read_from_html(html: &str) -> AuthDataParseResult {
if html.contains("Temporarily Unavailable") {
info!("Found 'Temporarily Unavailable' in HTML, auth failed");
return Err(AuthDataParseError::Invalid);
}
SamlAuthData::from_html(html).or_else(|err| {
if let Some(gpcallback) = extract_gpcallback(html) {
info!("Found gpcallback from html...");
SamlAuthData::from_gpcallback(&gpcallback)
} else {
Err(err)
}
})
}
fn extract_gpcallback(html: &str) -> Option<String> {
let re = Regex::new(r#"globalprotectcallback:[^"]+"#).unwrap();
re.captures(html)
.and_then(|captures| captures.get(0))
.map(|m| html_escape::decode_html_entities(m.as_str()).to_string())
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn extract_gpcallback_some() {
let html = r#"
<meta http-equiv="refresh" content="0; URL=globalprotectcallback:PGh0bWw+PCEtLSA8c">
<meta http-equiv="refresh" content="0; URL=globalprotectcallback:PGh0bWw+PCEtLSA8c">
"#;
assert_eq!(
extract_gpcallback(html).as_deref(),
Some("globalprotectcallback:PGh0bWw+PCEtLSA8c")
);
}
#[test]
fn extract_gpcallback_cas() {
let html = r#"
<meta http-equiv="refresh" content="0; URL=globalprotectcallback:cas-as=1&amp;un=xyz@email.com&amp;token=very_long_string">
"#;
assert_eq!(
extract_gpcallback(html).as_deref(),
Some("globalprotectcallback:cas-as=1&un=xyz@email.com&token=very_long_string")
);
}
#[test]
fn extract_gpcallback_none() {
let html = r#"
<meta http-equiv="refresh" content="0; URL=PGh0bWw+PCEtLSA8c">
"#;
assert_eq!(extract_gpcallback(html), None);
}
}

25
crates/auth/src/webview_auth/auth_settings.rs
View File

@ -1,25 +0,0 @@
use std::sync::Arc;
use super::auth_messenger::AuthMessenger;
pub struct AuthRequest<'a>(&'a str);
impl<'a> AuthRequest<'a> {
pub fn new(auth_request: &'a str) -> Self {
Self(auth_request)
}
pub fn is_url(&self) -> bool {
self.0.starts_with("http")
}
pub fn as_str(&self) -> &str {
self.0
}
}
pub struct AuthSettings<'a> {
pub auth_request: AuthRequest<'a>,
pub auth_messenger: Arc<AuthMessenger>,
pub ignore_tls_errors: bool,
}

136
crates/auth/src/webview_auth/unix.rs
View File

@ -1,136 +0,0 @@
use std::sync::Arc;
use anyhow::bail;
use gpapi::utils::redact::redact_uri;
use log::{info, warn};
use webkit2gtk::{
gio::Cancellable,
glib::{GString, TimeSpan},
LoadEvent, TLSErrorsPolicy, URIResponseExt, WebResource, WebResourceExt, WebView, WebViewExt, WebsiteDataManagerExt,
WebsiteDataManagerExtManual, WebsiteDataTypes,
};
use crate::webview_auth::{
auth_messenger::AuthError,
auth_response::read_auth_data,
auth_settings::{AuthRequest, AuthSettings},
};
use super::auth_response::AuthResponse;
impl AuthResponse for WebResource {
fn get_header(&self, key: &str) -> Option<String> {
self
.response()
.and_then(|response| response.http_headers())
.and_then(|headers| headers.one(key))
.map(GString::into)
}
fn get_body<F>(&self, cb: F)
where
F: FnOnce(anyhow::Result<Vec<u8>>) + 'static,
{
let cancellable = Cancellable::NONE;
self.data(cancellable, |data| cb(data.map_err(|e| anyhow::anyhow!(e))));
}
fn url(&self) -> Option<String> {
self.uri().map(GString::into)
}
}
pub fn clear_data<F>(wv: &WebView, cb: F)
where
F: FnOnce(anyhow::Result<()>) + Send + 'static,
{
let Some(data_manager) = wv.website_data_manager() else {
cb(Err(anyhow::anyhow!("Failed to get website data manager")));
return;
};
data_manager.clear(
WebsiteDataTypes::COOKIES,
TimeSpan(0),
Cancellable::NONE,
move |result| {
cb(result.map_err(|e| anyhow::anyhow!(e)));
},
);
}
pub fn setup_webview(wv: &WebView, auth_settings: AuthSettings) -> anyhow::Result<()> {
let AuthSettings {
auth_request,
auth_messenger,
ignore_tls_errors,
} = auth_settings;
let auth_messenger_clone = Arc::clone(&auth_messenger);
let Some(data_manager) = wv.website_data_manager() else {
bail!("Failed to get website data manager");
};
if ignore_tls_errors {
data_manager.set_tls_errors_policy(TLSErrorsPolicy::Ignore);
}
wv.connect_load_changed(move |wv, event| {
if event == LoadEvent::Started {
auth_messenger_clone.cancel_raise_window();
return;
}
if event != LoadEvent::Finished {
return;
}
let Some(main_resource) = wv.main_resource() else {
return;
};
let uri = main_resource.uri().unwrap_or("".into());
if uri.is_empty() {
warn!("Loaded an empty URI");
auth_messenger_clone.send_auth_error(AuthError::Invalid);
return;
}
read_auth_data(&main_resource, &auth_messenger_clone);
});
wv.connect_load_failed_with_tls_errors(move |_wv, uri, cert, err| {
let redacted_uri = redact_uri(uri);
warn!(
"Failed to load uri: {} with error: {}, cert: {}",
redacted_uri, err, cert
);
auth_messenger.send_auth_error(AuthError::TlsError);
true
});
wv.connect_load_failed(move |_wv, _event, uri, err| {
let redacted_uri = redact_uri(uri);
if !uri.starts_with("globalprotectcallback:") {
warn!("Failed to load uri: {} with error: {}", redacted_uri, err);
}
// NOTE: Don't send error here, since load_changed event will be triggered after this
// true to stop other handlers from being invoked for the event. false to propagate the event further.
true
});
load_auth_request(wv, &auth_request);
Ok(())
}
pub fn load_auth_request(wv: &WebView, auth_request: &AuthRequest) {
if auth_request.is_url() {
info!("Loading auth request as URI...");
wv.load_uri(auth_request.as_str());
} else {
info!("Loading auth request as HTML...");
wv.load_html(auth_request.as_str(), None);
}
}

194
crates/auth/src/webview_auth/webview_auth_ext.rs
View File

@ -1,194 +0,0 @@
use std::{
future::Future,
sync::Arc,
time::{Duration, Instant},
};
use anyhow::bail;
use gpapi::{auth::SamlAuthData, error::PortalError, utils::window::WindowExt};
use log::{info, warn};
use tauri::{AppHandle, WebviewUrl, WebviewWindow, WindowEvent};
use tokio::{sync::oneshot, time};
use crate::{
webview_auth::{
auth_messenger::{AuthError, AuthEvent, AuthMessenger},
auth_settings::{AuthRequest, AuthSettings},
platform_impl,
},
Authenticator,
};
pub trait WebviewAuthenticator {
fn with_clean(self, clean: bool) -> Self;
fn webview_authenticate(&self, app_handle: &AppHandle) -> impl Future<Output = anyhow::Result<SamlAuthData>> + Send;
}
impl WebviewAuthenticator for Authenticator<'_> {
fn with_clean(mut self, clean: bool) -> Self {
self.clean = clean;
self
}
async fn webview_authenticate(&self, app_handle: &AppHandle) -> anyhow::Result<SamlAuthData> {
let auth_window = WebviewWindow::builder(app_handle, "auth_window", WebviewUrl::default())
.title("GlobalProtect Login")
.focused(true)
.visible(false)
.center()
.build()?;
self.auth_loop(&auth_window).await
}
}
impl Authenticator<'_> {
async fn auth_loop(&self, auth_window: &WebviewWindow) -> anyhow::Result<SamlAuthData> {
if self.clean {
self.clear_webview_data(&auth_window).await?;
}
let auth_messenger = self.setup_auth_window(&auth_window).await?;
loop {
match auth_messenger.subscribe().await? {
AuthEvent::Close => bail!("Authentication cancelled"),
AuthEvent::RaiseWindow => self.raise_window(auth_window),
AuthEvent::Error(AuthError::TlsError) => bail!(PortalError::TlsError),
AuthEvent::Error(AuthError::NotFound) => self.handle_not_found(auth_window, &auth_messenger),
AuthEvent::Error(AuthError::Invalid) => self.retry_auth(auth_window).await,
AuthEvent::Data(auth_data) => {
auth_window.close()?;
return Ok(auth_data);
}
}
}
}
async fn clear_webview_data(&self, auth_window: &WebviewWindow) -> anyhow::Result<()> {
info!("Clearing webview data...");
let (tx, rx) = oneshot::channel::<anyhow::Result<()>>();
let now = Instant::now();
auth_window.with_webview(|webview| {
platform_impl::clear_data(&webview.inner(), |result| {
if let Err(result) = tx.send(result) {
warn!("Failed to send clear data result: {:?}", result);
}
})
})?;
rx.await??;
info!("Webview data cleared in {:?}", now.elapsed());
Ok(())
}
async fn setup_auth_window(&self, auth_window: &WebviewWindow) -> anyhow::Result<Arc<AuthMessenger>> {
info!("Setting up auth window...");
let auth_messenger = Arc::new(AuthMessenger::new());
let auth_request = self.initial_auth_request().await?.into_owned();
let ignore_tls_errors = self.gp_params.ignore_tls_errors();
// Handle window close event
let auth_messenger_clone = Arc::clone(&auth_messenger);
auth_window.on_window_event(move |event| {
if let WindowEvent::CloseRequested { .. } = event {
auth_messenger_clone.send_auth_event(AuthEvent::Close);
}
});
// Show the window after 10 seconds, so that the user can see the window if the auth process is stuck
let auth_messenger_clone = Arc::clone(&auth_messenger);
tokio::spawn(async move {
time::sleep(Duration::from_secs(10)).await;
auth_messenger_clone.send_auth_event(AuthEvent::RaiseWindow);
});
// setup webview
let auth_messenger_clone = Arc::clone(&auth_messenger);
let (tx, rx) = oneshot::channel::<anyhow::Result<()>>();
auth_window.with_webview(move |webview| {
let auth_settings = AuthSettings {
auth_request: AuthRequest::new(&auth_request),
auth_messenger: auth_messenger_clone,
ignore_tls_errors,
};
let result = platform_impl::setup_webview(&webview.inner(), auth_settings);
if let Err(result) = tx.send(result) {
warn!("Failed to send setup auth window result: {:?}", result);
}
})?;
rx.await??;
info!("Auth window setup completed");
Ok(auth_messenger)
}
fn handle_not_found(&self, auth_window: &WebviewWindow, auth_messenger: &Arc<AuthMessenger>) {
info!("No auth data found, it may not be the /SAML20/SP/ACS endpoint");
let visible = auth_window.is_visible().unwrap_or(false);
if visible {
return;
}
auth_messenger.schedule_raise_window(1);
}
async fn retry_auth(&self, auth_window: &WebviewWindow) {
let mut is_retrying = self.is_retrying.write().await;
if *is_retrying {
info!("Already retrying authentication, skipping...");
return;
}
*is_retrying = true;
drop(is_retrying);
if let Err(err) = self.retry_auth_impl(auth_window).await {
warn!("Failed to retry authentication: {}", err);
}
*self.is_retrying.write().await = false;
}
async fn retry_auth_impl(&self, auth_window: &WebviewWindow) -> anyhow::Result<()> {
info!("Retrying authentication...");
auth_window.eval( r#"
var loading = document.createElement("div");
loading.innerHTML = '<div style="position: absolute; width: 100%; text-align: center; font-size: 20px; font-weight: bold; top: 50%; left: 50%; transform: translate(-50%, -50%);">Got invalid token, retrying...</div>';
loading.style = "position: fixed; top: 0; left: 0; width: 100%; height: 100%; background: rgba(255, 255, 255, 0.85); z-index: 99999;";
document.body.appendChild(loading);
"#)?;
let auth_request = self.portal_prelogin().await?;
let (tx, rx) = oneshot::channel::<()>();
auth_window.with_webview(move |webview| {
let auth_request = AuthRequest::new(&auth_request);
platform_impl::load_auth_request(&webview.inner(), &auth_request);
tx.send(()).expect("Failed to send message to the channel")
})?;
rx.await?;
Ok(())
}
fn raise_window(&self, auth_window: &WebviewWindow) {
let visible = auth_window.is_visible().unwrap_or(false);
if visible {
return;
}
info!("Raising auth window...");
if let Err(err) = auth_window.raise() {
warn!("Failed to raise window: {}", err);
}
}
}

8
crates/common/src/vpn_utils.rs
View File

@ -2,22 +2,26 @@ use std::{io, path::Path};
use is_executable::IsExecutable; use is_executable::IsExecutable;
const VPNC_SCRIPT_LOCATIONS: [&str; 6] = [ const VPNC_SCRIPT_LOCATIONS: &[&str] = &[
"/usr/local/share/vpnc-scripts/vpnc-script", "/usr/local/share/vpnc-scripts/vpnc-script",
"/usr/local/sbin/vpnc-script", "/usr/local/sbin/vpnc-script",
"/usr/share/vpnc-scripts/vpnc-script", "/usr/share/vpnc-scripts/vpnc-script",
"/usr/sbin/vpnc-script", "/usr/sbin/vpnc-script",
"/etc/vpnc/vpnc-script", "/etc/vpnc/vpnc-script",
"/etc/openconnect/vpnc-script", "/etc/openconnect/vpnc-script",
#[cfg(target_os = "macos")]
"/opt/homebrew/etc/vpnc/vpnc-script",
]; ];
const CSD_WRAPPER_LOCATIONS: [&str; 3] = [ const CSD_WRAPPER_LOCATIONS: &[&str] = &[
#[cfg(target_arch = "x86_64")] #[cfg(target_arch = "x86_64")]
"/usr/lib/x86_64-linux-gnu/openconnect/hipreport.sh", "/usr/lib/x86_64-linux-gnu/openconnect/hipreport.sh",
#[cfg(target_arch = "aarch64")] #[cfg(target_arch = "aarch64")]
"/usr/lib/aarch64-linux-gnu/openconnect/hipreport.sh", "/usr/lib/aarch64-linux-gnu/openconnect/hipreport.sh",
"/usr/lib/openconnect/hipreport.sh", "/usr/lib/openconnect/hipreport.sh",
"/usr/libexec/openconnect/hipreport.sh", "/usr/libexec/openconnect/hipreport.sh",
#[cfg(target_os = "macos")]
"/opt/homebrew/opt/openconnect/libexec/openconnect/hipreport.sh",
]; ];
fn find_executable(locations: &[&str]) -> Option<String> { fn find_executable(locations: &[&str]) -> Option<String> {

4
crates/gpapi/Cargo.toml
View File

@ -12,6 +12,7 @@ dns-lookup.workspace = true
log.workspace = true log.workspace = true
reqwest.workspace = true reqwest.workspace = true
openssl.workspace = true openssl.workspace = true
version-compare = "0.2"
pem.workspace = true pem.workspace = true
roxmltree.workspace = true roxmltree.workspace = true
serde.workspace = true serde.workspace = true
@ -33,8 +34,9 @@ sha256.workspace = true
tauri = { workspace = true, optional = true } tauri = { workspace = true, optional = true }
clap = { workspace = true, optional = true } clap = { workspace = true, optional = true }
clap-verbosity-flag = { workspace = true, optional = true }
[features] [features]
tauri = ["dep:tauri"] tauri = ["dep:tauri"]
clap = ["dep:clap"] clap = ["dep:clap", "dep:clap-verbosity-flag"]
webview-auth = [] webview-auth = []

19
crates/gpapi/src/auth.rs
View File

@ -72,15 +72,12 @@ impl SamlAuthData {
let prelogin_cookie = parse_xml_tag(html, "prelogin-cookie"); let prelogin_cookie = parse_xml_tag(html, "prelogin-cookie");
let portal_userauthcookie = parse_xml_tag(html, "portal-userauthcookie"); let portal_userauthcookie = parse_xml_tag(html, "portal-userauthcookie");
SamlAuthData::new(username, prelogin_cookie, portal_userauthcookie).map_err(|e| { SamlAuthData::new(username, prelogin_cookie, portal_userauthcookie).map_err(AuthDataParseError::Invalid)
warn!("Failed to parse auth data: {}", e);
AuthDataParseError::Invalid
})
}
Some(status) => {
warn!("Found invalid auth status: {}", status);
Err(AuthDataParseError::Invalid)
} }
Some(status) => Err(AuthDataParseError::Invalid(anyhow::anyhow!(
"SAML auth status: {}",
status
))),
None => Err(AuthDataParseError::NotFound), None => Err(AuthDataParseError::NotFound),
} }
} }
@ -100,7 +97,7 @@ impl SamlAuthData {
let auth_data: SamlAuthData = serde_urlencoded::from_str(auth_data.borrow()).map_err(|e| { let auth_data: SamlAuthData = serde_urlencoded::from_str(auth_data.borrow()).map_err(|e| {
warn!("Failed to parse token auth data: {}", e); warn!("Failed to parse token auth data: {}", e);
warn!("Auth data: {}", auth_data); warn!("Auth data: {}", auth_data);
AuthDataParseError::Invalid AuthDataParseError::Invalid(anyhow::anyhow!(e))
})?; })?;
return Ok(auth_data); return Ok(auth_data);
@ -108,7 +105,7 @@ impl SamlAuthData {
let auth_data = decode_to_string(auth_data).map_err(|e| { let auth_data = decode_to_string(auth_data).map_err(|e| {
warn!("Failed to decode SAML auth data: {}", e); warn!("Failed to decode SAML auth data: {}", e);
AuthDataParseError::Invalid AuthDataParseError::Invalid(anyhow::anyhow!(e))
})?; })?;
let auth_data = Self::from_html(&auth_data)?; let auth_data = Self::from_html(&auth_data)?;
@ -128,7 +125,7 @@ impl SamlAuthData {
} }
} }
pub fn parse_xml_tag(html: &str, tag: &str) -> Option<String> { fn parse_xml_tag(html: &str, tag: &str) -> Option<String> {
let re = Regex::new(&format!("<{}>(.*)</{}>", tag, tag)).unwrap(); let re = Regex::new(&format!("<{}>(.*)</{}>", tag, tag)).unwrap();
re.captures(html) re.captures(html)
.and_then(|captures| captures.get(1)) .and_then(|captures| captures.get(1))

42
crates/gpapi/src/clap/mod.rs
View File

@ -1,3 +1,5 @@
use clap_verbosity_flag::{LogLevel, Verbosity, VerbosityFilter};
use crate::error::PortalError; use crate::error::PortalError;
pub mod args; pub mod args;
@ -8,7 +10,7 @@ pub trait Args {
} }
pub fn handle_error(err: anyhow::Error, args: &impl Args) { pub fn handle_error(err: anyhow::Error, args: &impl Args) {
eprintln!("\nError: {}", err); eprintln!("\nError: {:?}", err);
let Some(err) = err.downcast_ref::<PortalError>() else { let Some(err) = err.downcast_ref::<PortalError>() else {
return; return;
@ -26,3 +28,41 @@ pub fn handle_error(err: anyhow::Error, args: &impl Args) {
eprintln!("{} --ignore-tls-errors {}\n", args[0], args[1..].join(" ")); eprintln!("{} --ignore-tls-errors {}\n", args[0], args[1..].join(" "));
} }
} }
#[derive(Debug)]
pub struct InfoLevel;
pub type InfoLevelVerbosity = Verbosity<InfoLevel>;
impl LogLevel for InfoLevel {
fn default_filter() -> VerbosityFilter {
VerbosityFilter::Info
}
fn verbose_help() -> Option<&'static str> {
Some("Enable verbose output, -v for debug, -vv for trace")
}
fn quiet_help() -> Option<&'static str> {
Some("Decrease logging verbosity, -q for warnings, -qq for errors")
}
}
pub trait VerbosityToCliArg {
fn to_cli_arg(&self) -> Option<&'static str>;
}
/// Convert the verbosity to the CLI argument value
/// The default verbosity is `Info`, which means no argument is needed
impl VerbosityToCliArg for InfoLevelVerbosity {
fn to_cli_arg(&self) -> Option<&'static str> {
match self.filter() {
VerbosityFilter::Off => Some("-qqq"),
VerbosityFilter::Error => Some("-qq"),
VerbosityFilter::Warn => Some("-q"),
VerbosityFilter::Info => None,
VerbosityFilter::Debug => Some("-v"),
VerbosityFilter::Trace => Some("-vv"),
}
}
}

6
crates/gpapi/src/error.rs
View File

@ -26,12 +26,12 @@ impl PortalError {
pub enum AuthDataParseError { pub enum AuthDataParseError {
#[error("No auth data found")] #[error("No auth data found")]
NotFound, NotFound,
#[error("Invalid auth data")] #[error(transparent)]
Invalid, Invalid(#[from] anyhow::Error),
} }
impl AuthDataParseError { impl AuthDataParseError {
pub fn is_invalid(&self) -> bool { pub fn is_invalid(&self) -> bool {
matches!(self, AuthDataParseError::Invalid) matches!(self, AuthDataParseError::Invalid(_))
} }
} }

4
crates/gpapi/src/portal/config.rs
View File

@ -1,6 +1,6 @@
use anyhow::bail; use anyhow::bail;
use dns_lookup::lookup_addr; use dns_lookup::lookup_addr;
use log::{debug, info, warn}; use log::{info, warn};
use reqwest::{Client, StatusCode}; use reqwest::{Client, StatusCode};
use roxmltree::{Document, Node}; use roxmltree::{Document, Node};
use serde::Serialize; use serde::Serialize;
@ -135,8 +135,6 @@ pub async fn retrieve_config(portal: &str, cred: &Credential, gp_params: &GpPara
bail!(PortalError::ConfigError("Empty portal config response".to_string())) bail!(PortalError::ConfigError("Empty portal config response".to_string()))
} }
debug!("Portal config response: {}", res_xml);
let doc = Document::parse(&res_xml).map_err(|e| PortalError::ConfigError(e.to_string()))?; let doc = Document::parse(&res_xml).map_err(|e| PortalError::ConfigError(e.to_string()))?;
let root = doc.root(); let root = doc.root();

19
crates/gpapi/src/process/auth_launcher.rs
View File

@ -3,7 +3,12 @@ use std::process::Stdio;
use anyhow::bail; use anyhow::bail;
use tokio::process::Command; use tokio::process::Command;
use crate::{auth::SamlAuthResult, credential::Credential, GP_AUTH_BINARY}; use crate::{
auth::SamlAuthResult,
clap::{InfoLevelVerbosity, VerbosityToCliArg},
credential::Credential,
GP_AUTH_BINARY,
};
use super::command_traits::CommandExt; use super::command_traits::CommandExt;
@ -23,6 +28,7 @@ pub struct SamlAuthLauncher<'a> {
#[cfg(feature = "webview-auth")] #[cfg(feature = "webview-auth")]
default_browser: bool, default_browser: bool,
browser: Option<&'a str>, browser: Option<&'a str>,
verbose: Option<&'a InfoLevelVerbosity>,
} }
impl<'a> SamlAuthLauncher<'a> { impl<'a> SamlAuthLauncher<'a> {
@ -43,6 +49,7 @@ impl<'a> SamlAuthLauncher<'a> {
#[cfg(feature = "webview-auth")] #[cfg(feature = "webview-auth")]
default_browser: false, default_browser: false,
browser: None, browser: None,
verbose: None,
} }
} }
@ -104,6 +111,11 @@ impl<'a> SamlAuthLauncher<'a> {
self self
} }
pub fn verbose(mut self, verbose: &'a InfoLevelVerbosity) -> Self {
self.verbose = Some(verbose);
self
}
/// Launch the authenticator binary as the current user or SUDO_USER if available. /// Launch the authenticator binary as the current user or SUDO_USER if available.
pub async fn launch(self) -> anyhow::Result<Credential> { pub async fn launch(self) -> anyhow::Result<Credential> {
let mut auth_cmd = Command::new(GP_AUTH_BINARY); let mut auth_cmd = Command::new(GP_AUTH_BINARY);
@ -156,6 +168,11 @@ impl<'a> SamlAuthLauncher<'a> {
auth_cmd.arg("--browser").arg(browser); auth_cmd.arg("--browser").arg(browser);
} }
if let Some(verbose) = self.verbose {
let arg = verbose.to_cli_arg();
arg.map(|arg| auth_cmd.arg(arg));
}
let mut non_root_cmd = auth_cmd.into_non_root()?; let mut non_root_cmd = auth_cmd.into_non_root()?;
let output = non_root_cmd let output = non_root_cmd
.kill_on_drop(true) .kill_on_drop(true)

60
crates/gpapi/src/utils/openssl.rs
View File

@ -1,9 +1,12 @@
use std::path::Path; use std::path::Path;
use log::{info, warn};
use regex::Regex;
use tempfile::NamedTempFile; use tempfile::NamedTempFile;
use version_compare::{compare_to, Cmp};
pub fn openssl_conf() -> String { pub fn openssl_conf() -> String {
let option = "UnsafeLegacyServerConnect"; let option = get_openssl_option();
format!( format!(
"openssl_conf = openssl_init "openssl_conf = openssl_init
@ -47,3 +50,58 @@ pub fn fix_openssl_env() -> anyhow::Result<NamedTempFile> {
Ok(openssl_conf) Ok(openssl_conf)
} }
// See: https://stackoverflow.com/questions/75763525/curl-35-error0a000152ssl-routinesunsafe-legacy-renegotiation-disabled
fn get_openssl_option() -> &'static str {
let version_str = openssl::version::version();
let default_option = "UnsafeLegacyServerConnect";
let Some(version) = extract_openssl_version(version_str) else {
warn!("Failed to extract OpenSSL version from '{}'", version_str);
return default_option;
};
let older_than_3_0_4 = match compare_to(version, "3.0.4", Cmp::Lt) {
Ok(result) => result,
Err(_) => {
warn!("Failed to compare OpenSSL version: {}", version);
return default_option;
}
};
if older_than_3_0_4 {
info!("Using 'UnsafeLegacyRenegotiation' option");
"UnsafeLegacyRenegotiation"
} else {
info!("Using 'UnsafeLegacyServerConnect' option");
default_option
}
}
fn extract_openssl_version(version: &str) -> Option<&str> {
let re = Regex::new(r"OpenSSL (\d+\.\d+\.\d+[^\s]*)").unwrap();
re.captures(version).and_then(|caps| caps.get(1)).map(|m| m.as_str())
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn test_extract_version() {
let input = "OpenSSL 3.4.0 22 Oct 2024 (Library: OpenSSL 3.4.0 22 Oct 2024)";
assert_eq!(extract_openssl_version(input), Some("3.4.0"));
}
#[test]
fn test_different_format() {
let input = "OpenSSL 1.1.1t 7 Feb 2023";
assert_eq!(extract_openssl_version(input), Some("1.1.1t"));
}
#[test]
fn test_invalid_input() {
let input = "Invalid string without version";
assert_eq!(extract_openssl_version(input), None);
}
}

7
crates/openconnect/build.rs
View File

@ -1,9 +1,14 @@
fn main() { fn main() {
// Link to the native openconnect library // Link to the native openconnect library
println!("cargo:rustc-link-lib=openconnect"); println!("cargo:rustc-link-lib=openconnect");
println!("cargo:rustc-link-search=/opt/homebrew/lib"); // Homebrew path
println!("cargo:rerun-if-changed=src/ffi/vpn.c"); println!("cargo:rerun-if-changed=src/ffi/vpn.c");
println!("cargo:rerun-if-changed=src/ffi/vpn.h"); println!("cargo:rerun-if-changed=src/ffi/vpn.h");
// Compile the vpn.c file // Compile the vpn.c file
cc::Build::new().file("src/ffi/vpn.c").include("src/ffi").compile("vpn"); cc::Build::new()
.file("src/ffi/vpn.c")
.include("src/ffi")
.include("/opt/homebrew/include") // Homebrew path
.compile("vpn");
} }