mirror of
https://github.com/yuezk/GlobalProtect-openconnect.git
synced 2025-05-20 07:26:58 -04:00
Enhancements and Bug Fixes: Align Pre-login Behavior, TLS Error Ignorance, GUI Auto-Launch, and Documentation Improvements (#291)
This commit is contained in:
Kevin Yue
GitHub
@@ -7,6 +7,7 @@ use std::{
|
||||
use anyhow::bail;
|
||||
use gpapi::{
|
||||
auth::SamlAuthData,
|
||||
gp_params::GpParams,
|
||||
portal::{prelogin, Prelogin},
|
||||
utils::{redact::redact_uri, window::WindowExt},
|
||||
};
|
||||
@@ -18,11 +19,13 @@ use tokio_util::sync::CancellationToken;
|
||||
use webkit2gtk::{
|
||||
gio::Cancellable,
|
||||
glib::{GString, TimeSpan},
|
||||
LoadEvent, SettingsExt, URIResponse, URIResponseExt, WebContextExt, WebResource, WebResourceExt,
|
||||
WebView, WebViewExt, WebsiteDataManagerExtManual, WebsiteDataTypes,
|
||||
LoadEvent, SettingsExt, TLSErrorsPolicy, URIResponse, URIResponseExt, WebContextExt, WebResource,
|
||||
WebResourceExt, WebView, WebViewExt, WebsiteDataManagerExtManual, WebsiteDataTypes,
|
||||
};
|
||||
|
||||
enum AuthDataError {
|
||||
/// Failed to load page due to TLS error
|
||||
TlsError,
|
||||
/// 1. Found auth data in headers/body but it's invalid
|
||||
/// 2. Loaded an empty page, failed to load page. etc.
|
||||
Invalid,
|
||||
@@ -37,6 +40,7 @@ pub(crate) struct AuthWindow<'a> {
|
||||
server: &'a str,
|
||||
saml_request: &'a str,
|
||||
user_agent: &'a str,
|
||||
gp_params: Option<GpParams>,
|
||||
clean: bool,
|
||||
}
|
||||
|
||||
@@ -47,6 +51,7 @@ impl<'a> AuthWindow<'a> {
|
||||
server: "",
|
||||
saml_request: "",
|
||||
user_agent: "",
|
||||
gp_params: None,
|
||||
clean: false,
|
||||
}
|
||||
}
|
||||
@@ -66,6 +71,11 @@ impl<'a> AuthWindow<'a> {
|
||||
self
|
||||
}
|
||||
|
||||
pub fn gp_params(mut self, gp_params: GpParams) -> Self {
|
||||
self.gp_params.replace(gp_params);
|
||||
self
|
||||
}
|
||||
|
||||
pub fn clean(mut self, clean: bool) -> Self {
|
||||
self.clean = clean;
|
||||
self
|
||||
@@ -119,6 +129,12 @@ impl<'a> AuthWindow<'a> {
|
||||
let saml_request = self.saml_request.to_string();
|
||||
let (auth_result_tx, mut auth_result_rx) = mpsc::unbounded_channel::<AuthResult>();
|
||||
let raise_window_cancel_token: Arc<RwLock<Option<CancellationToken>>> = Default::default();
|
||||
let gp_params = self.gp_params.as_ref().unwrap();
|
||||
let tls_err_policy = if gp_params.ignore_tls_errors() {
|
||||
TLSErrorsPolicy::Ignore
|
||||
} else {
|
||||
TLSErrorsPolicy::Fail
|
||||
};
|
||||
|
||||
if self.clean {
|
||||
clear_webview_cookies(window).await?;
|
||||
@@ -128,6 +144,10 @@ impl<'a> AuthWindow<'a> {
|
||||
window.with_webview(move |wv| {
|
||||
let wv = wv.inner();
|
||||
|
||||
if let Some(context) = wv.context() {
|
||||
context.set_tls_errors_policy(tls_err_policy);
|
||||
}
|
||||
|
||||
if let Some(settings) = wv.settings() {
|
||||
let ua = settings.user_agent().unwrap_or("".into());
|
||||
info!("Auth window user agent: {}", ua);
|
||||
@@ -168,12 +188,15 @@ impl<'a> AuthWindow<'a> {
|
||||
}
|
||||
});
|
||||
|
||||
wv.connect_load_failed_with_tls_errors(|_wv, uri, cert, err| {
|
||||
let auth_result_tx_clone = auth_result_tx.clone();
|
||||
wv.connect_load_failed_with_tls_errors(move |_wv, uri, cert, err| {
|
||||
let redacted_uri = redact_uri(uri);
|
||||
warn!(
|
||||
"Failed to load uri: {} with error: {}, cert: {}",
|
||||
redacted_uri, err, cert
|
||||
);
|
||||
|
||||
send_auth_result(&auth_result_tx_clone, Err(AuthDataError::TlsError));
|
||||
true
|
||||
});
|
||||
|
||||
@@ -187,12 +210,14 @@ impl<'a> AuthWindow<'a> {
|
||||
})?;
|
||||
|
||||
let portal = self.server.to_string();
|
||||
let user_agent = self.user_agent.to_string();
|
||||
|
||||
loop {
|
||||
if let Some(auth_result) = auth_result_rx.recv().await {
|
||||
match auth_result {
|
||||
Ok(auth_data) => return Ok(auth_data),
|
||||
Err(AuthDataError::TlsError) => {
|
||||
return Err(anyhow::anyhow!("TLS error: certificate verify failed"))
|
||||
}
|
||||
Err(AuthDataError::NotFound) => {
|
||||
info!("No auth data found, it may not be the /SAML20/SP/ACS endpoint");
|
||||
|
||||
@@ -237,7 +262,7 @@ impl<'a> AuthWindow<'a> {
|
||||
);
|
||||
})?;
|
||||
|
||||
let saml_request = portal_prelogin(&portal, &user_agent).await?;
|
||||
let saml_request = portal_prelogin(&portal, gp_params).await?;
|
||||
window.with_webview(move |wv| {
|
||||
let wv = wv.inner();
|
||||
load_saml_request(&wv, &saml_request);
|
||||
@@ -258,9 +283,10 @@ fn raise_window(window: &Arc<Window>) {
|
||||
}
|
||||
}
|
||||
|
||||
pub(crate) async fn portal_prelogin(portal: &str, user_agent: &str) -> anyhow::Result<String> {
|
||||
pub(crate) async fn portal_prelogin(portal: &str, gp_params: &GpParams) -> anyhow::Result<String> {
|
||||
info!("Portal prelogin...");
|
||||
match prelogin(portal, user_agent).await? {
|
||||
|
||||
match prelogin(portal, gp_params).await? {
|
||||
Prelogin::Saml(prelogin) => Ok(prelogin.saml_request().to_string()),
|
||||
Prelogin::Standard(_) => Err(anyhow::anyhow!("Received non-SAML prelogin response")),
|
||||
}
|
||||
@@ -397,6 +423,11 @@ fn read_auth_data(main_resource: &WebResource, auth_result_tx: mpsc::UnboundedSe
|
||||
send_auth_result(&auth_result_tx, auth_result)
|
||||
});
|
||||
}
|
||||
Err(AuthDataError::TlsError) => {
|
||||
// NOTE: This is unreachable
|
||||
info!("TLS error found in headers, trying to read from body...");
|
||||
send_auth_result(&auth_result_tx, Err(AuthDataError::TlsError));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user