cassidy/GlobalProtect-openconnect
1
0
Fork 0
mirror of https://github.com/yuezk/GlobalProtect-openconnect.git synced 2025-05-20 07:26:58 -04:00
Code Issues Projects Releases Wiki Activity

fix: enhance gpauth to support browser authentication

Browse Source
This commit is contained in:
Kevin Yue
2024-08-15 09:10:12 +00:00
parent 9317430968
commit 57e20fe478
13 changed files with 171 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
apps/gpclient/src/cli.rs
View File

@@ -1,3 +1,5 @@
use std::{env::temp_dir, fs::File};
use clap::{Parser, Subcommand};
use gpapi::utils::openssl;
use log::{info, LevelFilter};
@@ -85,14 +87,29 @@ impl Cli {
}
}
fn init_logger() {
env_logger::builder().filter_level(LevelFilter::Info).init();
fn init_logger(command: &CliCommand) {
let mut builder = env_logger::builder();
builder.filter_level(LevelFilter::Info);
// Output the log messages to a file if the command is the auth callback
if let CliCommand::LaunchGui(args) = command {
let auth_data = args.auth_data.as_deref().unwrap_or_default();
if !auth_data.is_empty() {
if let Ok(log_file) = File::create(temp_dir().join("gpcallback.log")) {
let target = Box::new(log_file);
builder.target(env_logger::Target::Pipe(target));
}
}
}
builder.init();
}
pub(crate) async fn run() {
let cli = Cli::parse();
init_logger();
init_logger(&cli.command);
info!("gpclient started: {}", VERSION);
if let Err(err) = cli.run().await {

57
apps/gpclient/src/connect.rs
View File

@@ -1,8 +1,10 @@
use std::{cell::RefCell, fs, sync::Arc};
use anyhow::bail;
use clap::Args;
use common::vpn_utils::find_csd_wrapper;
use gpapi::{
auth::SamlAuthResult,
clap::args::Os,
credential::{Credential, PasswordCredential},
error::PortalError,
@@ -19,9 +21,8 @@ use gpapi::{
use inquire::{Password, PasswordDisplayMode, Select, Text};
use log::info;
use openconnect::Vpn;
use tokio::{io::AsyncReadExt, net::TcpListener};
use crate::{cli::SharedArgs, GP_CLIENT_LOCK_FILE, GP_CLIENT_PORT_FILE};
use crate::{cli::SharedArgs, GP_CLIENT_LOCK_FILE};
#[derive(Args)]
pub(crate) struct ConnectArgs {
@@ -37,6 +38,9 @@ pub(crate) struct ConnectArgs {
#[arg(long, help = "Read the password from standard input")]
passwd_on_stdin: bool,
#[arg(long, help = "Read the cookie from standard input")]
cookie_on_stdin: bool,
#[arg(long, short, help = "The VPNC script to use")]
script: Option<String>,
@@ -89,7 +93,7 @@ pub(crate) struct ConnectArgs {
#[arg(long, help = "Disable DTLS and ESP")]
no_dtls: bool,
#[arg(long, help = "The HiDPI mode, useful for high resolution screens")]
#[arg(long, help = "The HiDPI mode, useful for high-resolution screens")]
hidpi: bool,
#[arg(long, help = "Do not reuse the remembered authentication cookie")]
@@ -100,7 +104,7 @@ pub(crate) struct ConnectArgs {
#[arg(
long,
help = "Use the specified browser to authenticate, e.g., firefox, chromium, chrome, or the path to the browser"
help = "Use the specified browser to authenticate, e.g., `default`, `firefox`, `chrome`, `chromium`, or the path to the browser executable"
)]
browser: Option<String>,
}
@@ -147,6 +151,10 @@ impl<'a> ConnectHandler<'a> {
}
pub(crate) async fn handle(&self) -> anyhow::Result<()> {
if self.args.default_browser && self.args.browser.is_some() {
bail!("Cannot use `--default-browser` and `--browser` options at the same time");
}
self.latest_key_password.replace(self.args.key_password.clone());
loop {
@@ -327,6 +335,10 @@ impl<'a> ConnectHandler<'a> {
}
async fn obtain_credential(&self, prelogin: &Prelogin, server: &str) -> anyhow::Result<Credential> {
if self.args.cookie_on_stdin {
return read_cookie_from_stdin();
}
let is_gateway = prelogin.is_gateway();
match prelogin {
@@ -353,18 +365,9 @@ impl<'a> ConnectHandler<'a> {
.launch()
.await?;
if let Some(cred) = cred {
return Ok(cred);
}
if !use_default_browser {
// This should never happen
unreachable!("SAML authentication failed without using the default browser");
}
info!("Waiting for the browser authentication to complete...");
wait_credentials().await
Ok(cred)
}
Prelogin::Standard(prelogin) => {
let prefix = if is_gateway { "Gateway" } else { "Portal" };
println!("{} ({}: {})", prelogin.auth_message(), prefix, server);
@@ -394,25 +397,17 @@ impl<'a> ConnectHandler<'a> {
}
}
async fn wait_credentials() -> anyhow::Result<Credential> {
// Start a local server to receive the browser authentication data
let listener = TcpListener::bind("127.0.0.1:0").await?;
let port = listener.local_addr()?.port();
fn read_cookie_from_stdin() -> anyhow::Result<Credential> {
info!("Reading cookie from standard input");
// Write the port to a file
fs::write(GP_CLIENT_PORT_FILE, port.to_string())?;
let mut cookie = String::new();
std::io::stdin().read_line(&mut cookie)?;
info!("Listening authentication data on port {}", port);
let (mut socket, _) = listener.accept().await?;
let Ok(auth_result) = serde_json::from_str::<SamlAuthResult>(cookie.trim_end()) else {
bail!("Failed to parse auth data")
};
info!("Received the browser authentication data from the socket");
let mut data = String::new();
socket.read_to_string(&mut data).await?;
// Remove the port file
fs::remove_file(GP_CLIENT_PORT_FILE)?;
Credential::from_gpcallback(&data)
Credential::try_from(auth_result)
}
fn write_pid_file() {

26
apps/gpclient/src/launch_gui.rs
View File

@@ -9,15 +9,13 @@ use gpapi::{
use log::info;
use tokio::io::AsyncWriteExt;
use crate::GP_CLIENT_PORT_FILE;
#[derive(Args)]
pub(crate) struct LaunchGuiArgs {
#[arg(
required = false,
help = "The authentication data, used for the default browser authentication"
)]
auth_data: Option<String>,
pub auth_data: Option<String>,
#[arg(long, help = "Launch the GUI minimized")]
minimized: bool,
}
@@ -40,6 +38,7 @@ impl<'a> LaunchGuiHandler<'a> {
let auth_data = self.args.auth_data.as_deref().unwrap_or_default();
if !auth_data.is_empty() {
info!("Received auth callback data");
// Process the authentication data, its format is `globalprotectcallback:<data>`
return feed_auth_data(auth_data).await;
}
@@ -81,16 +80,26 @@ impl<'a> LaunchGuiHandler<'a> {
}
async fn feed_auth_data(auth_data: &str) -> anyhow::Result<()> {
let _ = tokio::join!(feed_auth_data_gui(auth_data), feed_auth_data_cli(auth_data));
let (res_gui, res_cli) = tokio::join!(feed_auth_data_gui(auth_data), feed_auth_data_cli(auth_data));
if let Err(err) = res_gui {
info!("Failed to feed auth data to the GUI: {}", err);
}
if let Err(err) = res_cli {
info!("Failed to feed auth data to the CLI: {}", err);
}
// Cleanup the temporary file
let html_file = temp_dir().join("gpauth.html");
let _ = std::fs::remove_file(html_file);
if let Err(err) = std::fs::remove_file(&html_file) {
info!("Failed to remove {}: {}", html_file.display(), err);
}
Ok(())
}
async fn feed_auth_data_gui(auth_data: &str) -> anyhow::Result<()> {
info!("Feeding auth data to the GUI");
let service_endpoint = http_endpoint().await?;
reqwest::Client::default()
@@ -104,7 +113,10 @@ async fn feed_auth_data_gui(auth_data: &str) -> anyhow::Result<()> {
}
async fn feed_auth_data_cli(auth_data: &str) -> anyhow::Result<()> {
let port = tokio::fs::read_to_string(GP_CLIENT_PORT_FILE).await?;
info!("Feeding auth data to the CLI");
let port_file = temp_dir().join("gpcallback.port");
let port = tokio::fs::read_to_string(port_file).await?;
let mut stream = tokio::net::TcpStream::connect(format!("127.0.0.1:{}", port.trim())).await?;
stream.write_all(auth_data.as_bytes()).await?;
@@ -124,7 +136,7 @@ async fn try_active_gui() -> anyhow::Result<()> {
Ok(())
}
pub fn get_log_file() -> anyhow::Result<PathBuf> {
fn get_log_file() -> anyhow::Result<PathBuf> {
let dirs = ProjectDirs::from("com.yuezk", "GlobalProtect-openconnect", "gpclient")
.ok_or_else(|| anyhow::anyhow!("Failed to get project dirs"))?;

1
apps/gpclient/src/main.rs
View File

@@ -4,7 +4,6 @@ mod disconnect;
mod launch_gui;
pub(crate) const GP_CLIENT_LOCK_FILE: &str = "/var/run/gpclient.lock";
pub(crate) const GP_CLIENT_PORT_FILE: &str = "/var/run/gpclient.port";
#[tokio::main]
async fn main() {