cassidy/GlobalProtect-openconnect
1
0
Fork 0
mirror of https://github.com/yuezk/GlobalProtect-openconnect.git synced 2025-04-02 18:31:50 -04:00
Code Issues Projects Releases Wiki Activity

feat: gpauth support macos

Browse Source
This commit is contained in:
Kevin Yue 2025-01-05 23:42:03 +08:00
parent 0c9b8e6c63
commit 9803c615f1
No known key found for this signature in database
GPG Key ID: 4D3A6EE977B15AC4
28 changed files with 826 additions and 790 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
.vscode/c_cpp_properties.json vendored Normal file
View File

@ -0,0 +1,14 @@
{
"configurations": [
{
"name": "Mac",
"includePath": ["/opt/homebrew/include"],
"macFrameworkPath": ["/System/Library/Frameworks", "/Library/Frameworks"],
"intelliSenseMode": "macos-clang-x64",
"compilerPath": "/usr/bin/clang",
"cStandard": "c17",
"cppStandard": "c++17"
}
],
"version": 4
}

11
.vscode/settings.json vendored
View File

@ -23,8 +23,12 @@
"gpgui", "gpgui",
"gpservice", "gpservice",
"hidpi", "hidpi",
"Ivars",
"jnlp", "jnlp",
"LOGNAME", "LOGNAME",
"NSHTTPURL",
"NSURL",
"objc",
"oneshot", "oneshot",
"openconnect", "openconnect",
"pkcs", "pkcs",
@ -55,9 +59,16 @@
"Vite", "Vite",
"vpnc", "vpnc",
"vpninfo", "vpninfo",
"webbrowser",
"wmctrl", "wmctrl",
"XAUTHORITY", "XAUTHORITY",
"yuezk" "yuezk"
], ],
"rust-analyzer.cargo.features": "all", "rust-analyzer.cargo.features": "all",
"files.associations": {
"unistd.h": "c",
"utsname.h": "c",
"vpn.h": "c",
"openconnect.h": "c"
},
} }

4
Cargo.lock generated
View File

@ -178,9 +178,13 @@ name = "auth"
version = "2.4.0" version = "2.4.0"
dependencies = [ dependencies = [
"anyhow", "anyhow",
"block2",
"gpapi", "gpapi",
"html-escape", "html-escape",
"log", "log",
"objc2",
"objc2-foundation",
"objc2-web-kit",
"open", "open",
"regex", "regex",
"tauri", "tauri",

26
apps/gpauth/src/cli.rs
View File

@ -1,6 +1,4 @@
use std::borrow::Cow; use auth::{auth_prelogin, BrowserAuthenticator};
use auth::{auth_prelogin, Authenticator, BrowserAuthenticator};
use clap::Parser; use clap::Parser;
use gpapi::{ use gpapi::{
auth::{SamlAuthData, SamlAuthResult}, auth::{SamlAuthData, SamlAuthResult},
@ -33,7 +31,7 @@ const VERSION: &str = concat!(env!("CARGO_PKG_VERSION"), " (", compile_time::dat
See 'gpauth -h' for more information. See 'gpauth -h' for more information.
" "
)] )]
pub(crate) struct Cli { struct Cli {
#[arg(help = "The portal server to authenticate")] #[arg(help = "The portal server to authenticate")]
server: String, server: String,
@ -110,28 +108,26 @@ impl Cli {
let openssl_conf = self.prepare_env()?; let openssl_conf = self.prepare_env()?;
let server = normalize_server(&self.server)?; let server = normalize_server(&self.server)?;
let server: &'static str = Box::leak(server.into_boxed_str()); let gp_params = self.build_gp_params();
let gp_params: &'static GpParams = Box::leak(Box::new(self.build_gp_params()));
let auth_request = match self.saml_request.as_deref() { let auth_request = match self.saml_request.as_deref() {
Some(auth_request) => Cow::Borrowed(auth_request), Some(auth_request) => auth_request.to_string(),
None => Cow::Owned(auth_prelogin(server, gp_params).await?), None => auth_prelogin(&server, &gp_params).await?,
}; };
let auth_request: &'static str = Box::leak(auth_request.into_owned().into_boxed_str());
let authenticator = Authenticator::new(&server, gp_params).with_auth_request(&auth_request);
#[cfg(feature = "webview-auth")] #[cfg(feature = "webview-auth")]
let browser = self let browser = self
.browser .browser
.as_deref() .as_deref()
.or_else(|| self.default_browser.then_some("default")); .or_else(|| self.default_browser.then(|| "default"));
#[cfg(not(feature = "webview-auth"))] #[cfg(not(feature = "webview-auth"))]
let browser = self.browser.as_deref().or(Some("default")); let browser = self.browser.as_deref().or(Some("default"));
if browser.is_some() { if let Some(browser) = browser {
let auth_result = authenticator.browser_authenticate(browser).await; let authenticator = BrowserAuthenticator::new(&auth_request, browser);
let auth_result = authenticator.authenticate().await;
print_auth_result(auth_result); print_auth_result(auth_result);
// explicitly drop openssl_conf to avoid the unused variable warning // explicitly drop openssl_conf to avoid the unused variable warning
@ -140,7 +136,7 @@ impl Cli {
} }
#[cfg(feature = "webview-auth")] #[cfg(feature = "webview-auth")]
crate::webview_auth::authenticate(&self, authenticator, openssl_conf)?; crate::webview_auth::authenticate(server, gp_params, auth_request, self.clean, openssl_conf).await?;
Ok(()) Ok(())
} }

1
apps/gpauth/src/main.rs
View File

@ -1,6 +1,7 @@
#![cfg_attr(not(debug_assertions), windows_subsystem = "windows")] #![cfg_attr(not(debug_assertions), windows_subsystem = "windows")]
mod cli; mod cli;
#[cfg(feature = "webview-auth")] #[cfg(feature = "webview-auth")]
mod webview_auth; mod webview_auth;

21
apps/gpauth/src/webview_auth.rs
View File

@ -1,23 +1,28 @@
use auth::{Authenticator, WebviewAuthenticator}; use auth::WebviewAuthenticator;
use gpapi::gp_params::GpParams;
use log::info; use log::info;
use tauri::RunEvent; use tauri::RunEvent;
use tempfile::NamedTempFile; use tempfile::NamedTempFile;
use crate::cli::{print_auth_result, Cli}; use crate::cli::print_auth_result;
pub fn authenticate( pub async fn authenticate(
cli: &Cli, server: String,
authenticator: Authenticator<'static>, gp_params: GpParams,
auth_request: String,
clean: bool,
mut openssl_conf: Option<NamedTempFile>, mut openssl_conf: Option<NamedTempFile>,
) -> anyhow::Result<()> { ) -> anyhow::Result<()> {
let authenticator = authenticator.with_clean(cli.clean);
tauri::Builder::default() tauri::Builder::default()
.setup(move |app| { .setup(move |app| {
let app_handle = app.handle().clone(); let app_handle = app.handle().clone();
tauri::async_runtime::spawn(async move { tauri::async_runtime::spawn(async move {
let auth_result = authenticator.webview_authenticate(&app_handle).await; let authenticator = WebviewAuthenticator::new(&server, &gp_params)
.with_auth_request(&auth_request)
.with_clean(clean);
let auth_result = authenticator.authenticate(&app_handle).await;
print_auth_result(auth_result); print_auth_result(auth_result);
// Ensure the app exits after the authentication process // Ensure the app exits after the authentication process

12
crates/auth/Cargo.toml
View File

@ -31,6 +31,12 @@ html-escape = { version = "0.2.13", optional = true }
[target.'cfg(not(target_os = "macos"))'.dependencies] [target.'cfg(not(target_os = "macos"))'.dependencies]
webkit2gtk = { version = "2", optional = true } webkit2gtk = { version = "2", optional = true }
[target.'cfg(target_os = "macos")'.dependencies]
block2 = { version = "0.5", optional = true }
objc2 = { version = "0.5", optional = true }
objc2-foundation = { version = "0.2", optional = true }
objc2-web-kit = { version = "0.2", optional = true }
[features] [features]
browser-auth = [ browser-auth = [
"dep:webbrowser", "dep:webbrowser",
@ -40,10 +46,14 @@ browser-auth = [
"dep:uuid", "dep:uuid",
] ]
webview-auth = [ webview-auth = [
"gpapi/tauri",
"dep:tauri", "dep:tauri",
"dep:regex", "dep:regex",
"dep:tokio-util", "dep:tokio-util",
"dep:html-escape", "dep:html-escape",
"dep:webkit2gtk", "dep:webkit2gtk",
"gpapi/tauri", "dep:block2",
"dep:objc2",
"dep:objc2-foundation",
"dep:objc2-web-kit",
] ]

60
crates/auth/src/authenticator.rs
View File

@ -1,60 +0,0 @@
use std::borrow::Cow;
use anyhow::bail;
use gpapi::{
gp_params::GpParams,
portal::{prelogin, Prelogin},
};
pub struct Authenticator<'a> {
server: &'a str,
auth_request: Option<&'a str>,
pub(crate) gp_params: &'a GpParams,
#[cfg(feature = "webview-auth")]
pub(crate) clean: bool,
#[cfg(feature = "webview-auth")]
pub(crate) is_retrying: tokio::sync::RwLock<bool>,
}
impl<'a> Authenticator<'a> {
pub fn new(server: &'a str, gp_params: &'a GpParams) -> Self {
Self {
server,
gp_params,
auth_request: None,
#[cfg(feature = "webview-auth")]
clean: false,
#[cfg(feature = "webview-auth")]
is_retrying: Default::default(),
}
}
pub fn with_auth_request(mut self, auth_request: &'a str) -> Self {
if !auth_request.is_empty() {
self.auth_request = Some(auth_request);
}
self
}
pub(crate) async fn initial_auth_request(&self) -> anyhow::Result<Cow<'a, str>> {
if let Some(auth_request) = self.auth_request {
return Ok(Cow::Borrowed(auth_request));
}
let auth_request = self.portal_prelogin().await?;
Ok(Cow::Owned(auth_request))
}
pub(crate) async fn portal_prelogin(&self) -> anyhow::Result<String> {
auth_prelogin(self.server, self.gp_params).await
}
}
pub async fn auth_prelogin(server: &str, gp_params: &GpParams) -> anyhow::Result<String> {
match prelogin(server, gp_params).await? {
Prelogin::Saml(prelogin) => Ok(prelogin.saml_request().to_string()),
Prelogin::Standard(_) => bail!("Received non-SAML prelogin response"),
}
}

4
crates/auth/src/browser.rs Normal file
View File

@ -0,0 +1,4 @@
mod auth_server;
mod browser_auth;
pub use browser_auth::BrowserAuthenticator;

0
crates/auth/src/browser_auth/auth_server.rs → crates/auth/src/browser/auth_server.rs
View File

85
crates/auth/src/browser_auth/browser_auth_impl.rs → crates/auth/src/browser/browser_auth.rs
View File

@ -4,30 +4,45 @@ use gpapi::{auth::SamlAuthData, GP_CALLBACK_PORT_FILENAME};
use log::info; use log::info;
use tokio::{io::AsyncReadExt, net::TcpListener}; use tokio::{io::AsyncReadExt, net::TcpListener};
use super::auth_server::AuthServer; use crate::browser::auth_server::AuthServer;
pub(super) struct BrowserAuthenticatorImpl<'a> { pub enum Browser<'a> {
Default,
Chrome,
Firefox,
Other(&'a str),
}
impl<'a> Browser<'a> {
pub fn from_str(browser: &'a str) -> Self {
match browser.to_lowercase().as_str() {
"default" => Browser::Default,
"chrome" => Browser::Chrome,
"firefox" => Browser::Firefox,
_ => Browser::Other(browser),
}
}
fn as_str(&self) -> &str {
match self {
Browser::Default => "default",
Browser::Chrome => "chrome",
Browser::Firefox => "firefox",
Browser::Other(browser) => browser,
}
}
}
pub struct BrowserAuthenticator<'a> {
auth_request: &'a str, auth_request: &'a str,
browser: Option<&'a str>, browser: Browser<'a>,
} }
impl BrowserAuthenticatorImpl<'_> { impl<'a> BrowserAuthenticator<'a> {
pub fn new(auth_request: &str) -> BrowserAuthenticatorImpl { pub fn new(auth_request: &'a str, browser: &'a str) -> Self {
BrowserAuthenticatorImpl { Self {
auth_request, auth_request,
browser: None, browser: Browser::from_str(browser),
}
}
pub fn new_with_browser<'a>(auth_request: &'a str, browser: &'a str) -> BrowserAuthenticatorImpl<'a> {
let browser = browser.trim();
BrowserAuthenticatorImpl {
auth_request,
browser: if browser.is_empty() || browser == "default" {
None
} else {
Some(browser)
},
} }
} }
@ -40,14 +55,17 @@ impl BrowserAuthenticatorImpl<'_> {
auth_server.serve_request(&auth_request); auth_server.serve_request(&auth_request);
}); });
if let Some(browser) = self.browser { match self.browser {
let app = find_browser_path(browser); Browser::Default => {
info!("Launching the default browser...");
webbrowser::open(&auth_url)?;
}
_ => {
let app = find_browser_path(&self.browser);
info!("Launching browser: {}", app); info!("Launching browser: {}", app);
open::with_detached(auth_url, app)?; open::with_detached(auth_url, app)?;
} else { }
info!("Launching the default browser...");
webbrowser::open(&auth_url)?;
} }
info!("Please continue the authentication process in the default browser"); info!("Please continue the authentication process in the default browser");
@ -55,15 +73,18 @@ impl BrowserAuthenticatorImpl<'_> {
} }
} }
fn find_browser_path(browser: &str) -> String { fn find_browser_path(browser: &Browser) -> String {
if browser == "chrome" { match browser {
which::which("google-chrome-stable") Browser::Chrome => {
.or_else(|_| which::which("google-chrome")) const CHROME_VARIANTS: &[&str] = &["google-chrome-stable", "google-chrome", "chromium"];
.or_else(|_| which::which("chromium"))
CHROME_VARIANTS
.iter()
.find_map(|&browser_name| which::which(browser_name).ok())
.map(|path| path.to_string_lossy().to_string()) .map(|path| path.to_string_lossy().to_string())
.unwrap_or_else(|_| browser.to_string()) .unwrap_or_else(|| browser.as_str().to_string())
} else { }
browser.into() _ => browser.as_str().to_string(),
} }
} }

5
crates/auth/src/browser_auth.rs
View File

@ -1,5 +0,0 @@
mod auth_server;
mod browser_auth_ext;
mod browser_auth_impl;
pub use browser_auth_ext::BrowserAuthenticator;

22
crates/auth/src/browser_auth/browser_auth_ext.rs
View File

@ -1,22 +0,0 @@
use std::future::Future;
use gpapi::auth::SamlAuthData;
use crate::{browser_auth::browser_auth_impl::BrowserAuthenticatorImpl, Authenticator};
pub trait BrowserAuthenticator {
fn browser_authenticate(&self, browser: Option<&str>) -> impl Future<Output = anyhow::Result<SamlAuthData>> + Send;
}
impl BrowserAuthenticator for Authenticator<'_> {
async fn browser_authenticate(&self, browser: Option<&str>) -> anyhow::Result<SamlAuthData> {
let auth_request = self.initial_auth_request().await?;
let browser_auth = if let Some(browser) = browser {
BrowserAuthenticatorImpl::new_with_browser(&auth_request, browser)
} else {
BrowserAuthenticatorImpl::new(&auth_request)
};
browser_auth.authenticate().await
}
}

24
crates/auth/src/lib.rs
View File

@ -1,13 +1,23 @@
mod authenticator; use anyhow::bail;
pub use authenticator::auth_prelogin; use gpapi::{
pub use authenticator::Authenticator; gp_params::GpParams,
portal::{prelogin, Prelogin},
};
#[cfg(feature = "browser-auth")] #[cfg(feature = "browser-auth")]
mod browser_auth; mod browser;
#[cfg(feature = "browser-auth")] #[cfg(feature = "browser-auth")]
pub use browser_auth::BrowserAuthenticator; pub use browser::*;
#[cfg(feature = "webview-auth")] #[cfg(feature = "webview-auth")]
mod webview_auth; mod webview;
#[cfg(feature = "webview-auth")] #[cfg(feature = "webview-auth")]
pub use webview_auth::WebviewAuthenticator; pub use webview::*;
pub async fn auth_prelogin(server: &str, gp_params: &GpParams) -> anyhow::Result<String> {
match prelogin(server, gp_params).await? {
Prelogin::Saml(prelogin) => Ok(prelogin.saml_request().to_string()),
Prelogin::Standard(_) => bail!("Received non-SAML prelogin response"),
}
}

8
crates/auth/src/webview.rs Normal file
View File

@ -0,0 +1,8 @@
mod auth_messenger;
mod webview_auth;
#[cfg_attr(not(target_os = "macos"), path = "webview/unix.rs")]
#[cfg_attr(target_os = "macos", path = "webview/macos.rs")]
mod platform_impl;
pub use webview_auth::WebviewAuthenticator;

229
crates/auth/src/webview/auth_messenger.rs Normal file
View File

@ -0,0 +1,229 @@
use anyhow::bail;
use gpapi::{auth::SamlAuthData, error::AuthDataParseError};
use log::{error, info};
use regex::Regex;
use tokio::sync::{mpsc, RwLock};
use tokio_util::sync::CancellationToken;
#[derive(Debug)]
pub(crate) enum AuthDataLocation {
#[cfg(not(target_os = "macos"))]
Headers,
Body,
}
#[derive(Debug)]
pub(crate) enum AuthError {
/// Failed to load page due to TLS error
#[cfg(not(target_os = "macos"))]
TlsError,
/// 1. Found auth data in headers/body but it's invalid
/// 2. Loaded an empty page, failed to load page. etc.
Invalid(anyhow::Error, AuthDataLocation),
/// No auth data found in headers/body
NotFound(AuthDataLocation),
}
impl AuthError {
pub fn invalid_from_body(err: anyhow::Error) -> Self {
Self::Invalid(err, AuthDataLocation::Body)
}
pub fn not_found_in_body() -> Self {
Self::NotFound(AuthDataLocation::Body)
}
}
#[cfg(not(target_os = "macos"))]
impl AuthError {
pub fn not_found_in_headers() -> Self {
Self::NotFound(AuthDataLocation::Headers)
}
}
pub(crate) enum AuthEvent {
Data(SamlAuthData, AuthDataLocation),
Error(AuthError),
RaiseWindow,
Close,
}
pub struct AuthMessenger {
tx: mpsc::UnboundedSender<AuthEvent>,
rx: RwLock<mpsc::UnboundedReceiver<AuthEvent>>,
raise_window_cancel_token: RwLock<Option<CancellationToken>>,
}
impl AuthMessenger {
pub fn new() -> Self {
let (tx, rx) = mpsc::unbounded_channel();
Self {
tx,
rx: RwLock::new(rx),
raise_window_cancel_token: Default::default(),
}
}
pub async fn subscribe(&self) -> anyhow::Result<AuthEvent> {
let mut rx = self.rx.write().await;
if let Some(event) = rx.recv().await {
return Ok(event);
}
bail!("Failed to receive auth event");
}
pub fn send_auth_event(&self, event: AuthEvent) {
if let Err(event) = self.tx.send(event) {
error!("Failed to send auth event: {}", event);
}
}
pub fn send_auth_error(&self, err: AuthError) {
self.send_auth_event(AuthEvent::Error(err));
}
fn send_auth_data(&self, data: SamlAuthData, location: AuthDataLocation) {
self.send_auth_event(AuthEvent::Data(data, location));
}
pub fn schedule_raise_window(&self, delay: u64) {
let Ok(mut guard) = self.raise_window_cancel_token.try_write() else {
return;
};
// Return if the previous raise window task is still running
if let Some(token) = guard.as_ref() {
if !token.is_cancelled() {
info!("Raise window task is still running, skipping...");
return;
}
}
let cancel_token = CancellationToken::new();
let cancel_token_clone = cancel_token.clone();
*guard = Some(cancel_token_clone);
let tx = self.tx.clone();
tokio::spawn(async move {
info!("Displaying the window in {} second(s)...", delay);
tokio::select! {
_ = tokio::time::sleep(tokio::time::Duration::from_secs(delay)) => {
cancel_token.cancel();
if let Err(err) = tx.send(AuthEvent::RaiseWindow) {
error!("Failed to send raise window event: {}", err);
}
}
_ = cancel_token.cancelled() => {
info!("Cancelled raise window task");
}
}
});
}
pub fn cancel_raise_window(&self) {
if let Ok(mut cancel_token) = self.raise_window_cancel_token.try_write() {
if let Some(token) = cancel_token.take() {
token.cancel();
}
}
}
pub fn read_from_html(&self, html: &str) {
if html.contains("Temporarily Unavailable") {
return self.send_auth_error(AuthError::invalid_from_body(anyhow::anyhow!("Temporarily Unavailable")));
}
let auth_result = SamlAuthData::from_html(html).or_else(|err| {
info!("Read auth data from html failed: {}, extracting gpcallback...", err);
if let Some(gpcallback) = extract_gpcallback(html) {
info!("Found gpcallback from html...");
SamlAuthData::from_gpcallback(&gpcallback)
} else {
Err(err)
}
});
match auth_result {
Ok(data) => self.send_auth_data(data, AuthDataLocation::Body),
Err(AuthDataParseError::Invalid(err)) => self.send_auth_error(AuthError::invalid_from_body(err)),
Err(AuthDataParseError::NotFound) => self.send_auth_error(AuthError::not_found_in_body()),
}
}
#[cfg(not(target_os = "macos"))]
pub fn read_from_response(&self, auth_response: &impl super::webview_auth::GetHeader) {
use log::warn;
let Some(status) = auth_response.get_header("saml-auth-status") else {
return self.send_auth_error(AuthError::not_found_in_headers());
};
// Do not send auth error when reading from headers, as the html body may contain the auth data
if status != "1" {
warn!("Found invalid saml-auth-status in headers: {}", status);
return;
}
let username = auth_response.get_header("saml-username");
let prelogin_cookie = auth_response.get_header("prelogin-cookie");
let portal_userauthcookie = auth_response.get_header("portal-userauthcookie");
match SamlAuthData::new(username, prelogin_cookie, portal_userauthcookie) {
Ok(auth_data) => self.send_auth_data(auth_data, AuthDataLocation::Headers),
Err(err) => {
warn!("Failed to read auth data from headers: {}", err);
}
}
}
}
fn extract_gpcallback(html: &str) -> Option<String> {
let re = Regex::new(r#"globalprotectcallback:[^"]+"#).unwrap();
re.captures(html)
.and_then(|captures| captures.get(0))
.map(|m| html_escape::decode_html_entities(m.as_str()).to_string())
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn extract_gpcallback_some() {
let html = r#"
<meta http-equiv="refresh" content="0; URL=globalprotectcallback:PGh0bWw+PCEtLSA8c">
<meta http-equiv="refresh" content="0; URL=globalprotectcallback:PGh0bWw+PCEtLSA8c">
"#;
assert_eq!(
extract_gpcallback(html).as_deref(),
Some("globalprotectcallback:PGh0bWw+PCEtLSA8c")
);
}
#[test]
fn extract_gpcallback_cas() {
let html = r#"
<meta http-equiv="refresh" content="0; URL=globalprotectcallback:cas-as=1&amp;un=xyz@email.com&amp;token=very_long_string">
"#;
assert_eq!(
extract_gpcallback(html).as_deref(),
Some("globalprotectcallback:cas-as=1&un=xyz@email.com&token=very_long_string")
);
}
#[test]
fn extract_gpcallback_none() {
let html = r#"
<meta http-equiv="refresh" content="0; URL=PGh0bWw+PCEtLSA8c">
"#;
assert_eq!(extract_gpcallback(html), None);
}
}

58
crates/auth/src/webview/macos.rs Normal file
View File

@ -0,0 +1,58 @@
use block2::RcBlock;
use log::warn;
use objc2::runtime::AnyObject;
use objc2_foundation::{NSError, NSString, NSURLRequest, NSURL};
use objc2_web_kit::WKWebView;
use tauri::webview::PlatformWebview;
use super::webview_auth::PlatformWebviewExt;
impl PlatformWebviewExt for PlatformWebview {
fn ignore_tls_errors(&self) -> anyhow::Result<()> {
warn!("Ignoring TLS errors is not supported on macOS");
Ok(())
}
fn load_url(&self, url: &str) -> anyhow::Result<()> {
unsafe {
let wv: &WKWebView = &*self.inner().cast();
let url = NSURL::URLWithString(&NSString::from_str(url)).ok_or_else(|| anyhow::anyhow!("Invalid URL"))?;
let request = NSURLRequest::requestWithURL(&url);
wv.loadRequest(&request);
}
Ok(())
}
fn load_html(&self, html: &str) -> anyhow::Result<()> {
unsafe {
let wv: &WKWebView = &*self.inner().cast();
wv.loadHTMLString_baseURL(&NSString::from_str(html), None);
}
Ok(())
}
fn get_html(&self, callback: Box<dyn Fn(anyhow::Result<String>) + 'static>) {
unsafe {
let wv: &WKWebView = &*self.inner().cast();
let js_callback = RcBlock::new(move |body: *mut AnyObject, err: *mut NSError| {
if let Some(err) = err.as_ref() {
let code = err.code();
let message = err.localizedDescription();
callback(Err(anyhow::anyhow!("Error {}: {}", code, message)));
} else {
let body: &NSString = &*body.cast();
callback(Ok(body.to_string()));
}
});
wv.evaluateJavaScript_completionHandler(
&NSString::from_str("document.documentElement.outerHTML"),
Some(&js_callback),
);
}
}
}

105
crates/auth/src/webview/unix.rs Normal file
View File

@ -0,0 +1,105 @@
use std::sync::Arc;
use anyhow::bail;
use gpapi::utils::redact::redact_uri;
use log::warn;
use tauri::webview::PlatformWebview;
use webkit2gtk::{
gio::Cancellable, glib::GString, LoadEvent, TLSErrorsPolicy, URIResponseExt, WebResource, WebResourceExt, WebViewExt,
WebsiteDataManagerExt,
};
use super::{
auth_messenger::AuthError,
webview_auth::{GetHeader, PlatformWebviewExt},
};
impl GetHeader for WebResource {
fn get_header(&self, key: &str) -> Option<String> {
self
.response()
.and_then(|response| response.http_headers())
.and_then(|headers| headers.one(key))
.map(GString::into)
}
}
impl PlatformWebviewExt for PlatformWebview {
fn ignore_tls_errors(&self) -> anyhow::Result<()> {
if let Some(manager) = self.inner().website_data_manager() {
manager.set_tls_errors_policy(TLSErrorsPolicy::Ignore);
return Ok(());
}
bail!("Failed to get website data manager");
}
fn load_url(&self, url: &str) -> anyhow::Result<()> {
self.inner().load_uri(url);
Ok(())
}
fn load_html(&self, html: &str) -> anyhow::Result<()> {
self.inner().load_html(html, None);
Ok(())
}
fn get_html(&self, callback: Box<dyn Fn(anyhow::Result<String>) + 'static>) {
let script = "document.documentElement.outerHTML";
self
.inner()
.evaluate_javascript(script, None, None, Cancellable::NONE, move |result| match result {
Ok(value) => callback(Ok(value.to_string())),
Err(err) => callback(Err(anyhow::anyhow!(err))),
});
}
}
pub trait PlatformWebviewOnResponse {
fn on_response(&self, callback: Box<dyn Fn(anyhow::Result<WebResource, AuthError>) + 'static>);
}
impl PlatformWebviewOnResponse for PlatformWebview {
fn on_response(&self, callback: Box<dyn Fn(anyhow::Result<WebResource, AuthError>) + 'static>) {
let wv = self.inner();
let callback = Arc::new(callback);
let callback_clone = Arc::clone(&callback);
wv.connect_load_changed(move |wv, event| {
if event != LoadEvent::Finished {
return;
}
let Some(web_resource) = wv.main_resource() else {
return;
};
let uri = web_resource.uri().unwrap_or("".into());
if uri.is_empty() {
callback_clone(Err(AuthError::invalid_from_body(anyhow::anyhow!("Empty URI"))));
} else {
callback_clone(Ok(web_resource));
}
});
wv.connect_load_failed_with_tls_errors(move |_wv, uri, cert, err| {
let redacted_uri = redact_uri(uri);
warn!(
"Failed to load uri: {} with error: {}, cert: {}",
redacted_uri, err, cert
);
callback(Err(AuthError::TlsError));
true
});
wv.connect_load_failed(move |_wv, _event, uri, err| {
let redacted_uri = redact_uri(uri);
if !uri.starts_with("globalprotectcallback:") {
warn!("Failed to load uri: {} with error: {}", redacted_uri, err);
}
// NOTE: Don't send error here, since load_changed event will be triggered after this
// true to stop other handlers from being invoked for the event. false to propagate the event further.
true
});
}
}

269
crates/auth/src/webview/webview_auth.rs Normal file
View File

@ -0,0 +1,269 @@
use std::{sync::Arc, time::Duration};
use anyhow::bail;
use gpapi::{auth::SamlAuthData, gp_params::GpParams, utils::redact::redact_uri};
use log::{info, warn};
use tauri::{
webview::{PageLoadEvent, PageLoadPayload},
AppHandle, WebviewUrl, WebviewWindow, WindowEvent,
};
use tokio::{sync::oneshot, time};
use crate::auth_prelogin;
use super::auth_messenger::{AuthError, AuthEvent, AuthMessenger};
pub trait PlatformWebviewExt {
fn ignore_tls_errors(&self) -> anyhow::Result<()>;
fn load_url(&self, url: &str) -> anyhow::Result<()>;
fn load_html(&self, html: &str) -> anyhow::Result<()>;
fn get_html(&self, callback: Box<dyn Fn(anyhow::Result<String>) + 'static>);
fn load_auth_request(&self, auth_request: &str) -> anyhow::Result<()> {
if auth_request.starts_with("http") {
info!("Loading auth request as URL: {}", redact_uri(auth_request));
self.load_url(auth_request)
} else {
info!("Loading auth request as HTML...");
self.load_html(auth_request)
}
}
}
#[cfg(not(target_os = "macos"))]
pub trait GetHeader {
fn get_header(&self, key: &str) -> Option<String>;
}
pub struct WebviewAuthenticator<'a> {
server: &'a str,
gp_params: &'a GpParams,
auth_request: Option<&'a str>,
clean: bool,
is_retrying: tokio::sync::RwLock<bool>,
}
impl<'a> WebviewAuthenticator<'a> {
pub fn new(server: &'a str, gp_params: &'a GpParams) -> Self {
Self {
server,
gp_params,
auth_request: None,
clean: false,
is_retrying: Default::default(),
}
}
pub fn with_auth_request(mut self, auth_request: &'a str) -> Self {
self.auth_request = Some(auth_request);
self
}
pub fn with_clean(mut self, clean: bool) -> Self {
self.clean = clean;
self
}
pub async fn authenticate(&self, app_handle: &AppHandle) -> anyhow::Result<SamlAuthData> {
let auth_messenger = Arc::new(AuthMessenger::new());
let auth_messenger_clone = Arc::clone(&auth_messenger);
let on_page_load = move |auth_window: WebviewWindow, event: PageLoadPayload<'_>| match event.event() {
PageLoadEvent::Started => {
info!("Started loading page: {}", redact_uri(event.url().as_str()));
auth_messenger_clone.cancel_raise_window();
}
PageLoadEvent::Finished => {
info!("Finished loading page: {}", redact_uri(event.url().as_str()));
let auth_messenger_clone = Arc::clone(&auth_messenger_clone);
let _ = auth_window.with_webview(move |wv| {
wv.get_html(Box::new(move |html| match html {
Ok(html) => auth_messenger_clone.read_from_html(&html),
Err(err) => warn!("Failed to get html: {}", err),
}));
});
}
};
let auth_window = WebviewWindow::builder(app_handle, "auth_window", WebviewUrl::default())
.on_page_load(on_page_load)
.title("GlobalProtect Login")
.inner_size(900.0, 650.0)
.focused(true)
.visible(false)
.center()
.build()?;
self
.setup_auth_window(&auth_window, Arc::clone(&auth_messenger))
.await?;
loop {
match auth_messenger.subscribe().await? {
AuthEvent::Close => bail!("Authentication cancelled"),
AuthEvent::RaiseWindow => self.raise_window(&auth_window),
#[cfg(not(target_os = "macos"))]
AuthEvent::Error(AuthError::TlsError) => bail!(gpapi::error::PortalError::TlsError),
AuthEvent::Error(AuthError::NotFound(location)) => {
info!(
"No auth data found in {:?}, it may not be the /SAML20/SP/ACS endpoint",
location
);
self.handle_not_found(&auth_window, &auth_messenger);
}
AuthEvent::Error(AuthError::Invalid(err, location)) => {
warn!("Got invalid auth data in {:?}: {}", location, err);
self.retry_auth(&auth_window).await;
}
AuthEvent::Data(auth_data, location) => {
info!("Got auth data from {:?}", location);
auth_window.close()?;
return Ok(auth_data);
}
}
}
}
async fn setup_auth_window(
&self,
auth_window: &WebviewWindow,
auth_messenger: Arc<AuthMessenger>,
) -> anyhow::Result<()> {
info!("Setting up auth window...");
if self.clean {
info!("Clearing all browsing data...");
auth_window.clear_all_browsing_data()?;
}
// Handle window close event
let auth_messenger_clone = Arc::clone(&auth_messenger);
auth_window.on_window_event(move |event| {
if let WindowEvent::CloseRequested { .. } = event {
auth_messenger_clone.send_auth_event(AuthEvent::Close);
}
});
// Show the window after 10 seconds, so that the user can see the window if the auth process is stuck
let auth_messenger_clone = Arc::clone(&auth_messenger);
tokio::spawn(async move {
time::sleep(Duration::from_secs(10)).await;
auth_messenger_clone.send_auth_event(AuthEvent::RaiseWindow);
});
let auth_request = match self.auth_request {
Some(auth_request) => auth_request.to_string(),
None => auth_prelogin(&self.server, &self.gp_params).await?,
};
let (tx, rx) = oneshot::channel::<anyhow::Result<()>>();
let ignore_tls_errors = self.gp_params.ignore_tls_errors();
// Set up webview
auth_window.with_webview(move |wv| {
#[cfg(not(target_os = "macos"))]
{
use super::platform_impl::PlatformWebviewOnResponse;
wv.on_response(Box::new(move |response| match response {
Ok(response) => auth_messenger.read_from_response(&response),
Err(err) => auth_messenger.send_auth_error(err),
}));
}
let result = || -> anyhow::Result<()> {
if ignore_tls_errors {
wv.ignore_tls_errors()?;
}
wv.load_auth_request(&auth_request)
}();
if let Err(result) = tx.send(result) {
warn!("Failed to send setup auth window result: {:?}", result);
}
})?;
rx.await??;
info!("Auth window setup completed");
Ok(())
}
fn handle_not_found(&self, auth_window: &WebviewWindow, auth_messenger: &Arc<AuthMessenger>) {
let visible = auth_window.is_visible().unwrap_or(false);
if visible {
return;
}
auth_messenger.schedule_raise_window(2);
}
async fn retry_auth(&self, auth_window: &WebviewWindow) {
let mut is_retrying = self.is_retrying.write().await;
if *is_retrying {
info!("Already retrying authentication, skipping...");
return;
}
*is_retrying = true;
drop(is_retrying);
if let Err(err) = self.retry_auth_impl(auth_window).await {
warn!("Failed to retry authentication: {}", err);
}
*self.is_retrying.write().await = false;
}
async fn retry_auth_impl(&self, auth_window: &WebviewWindow) -> anyhow::Result<()> {
info!("Retrying authentication...");
auth_window.eval( r#"
var loading = document.createElement("div");
loading.innerHTML = '<div style="position: absolute; width: 100%; text-align: center; font-size: 20px; font-weight: bold; top: 50%; left: 50%; transform: translate(-50%, -50%);">Got invalid token, retrying...</div>';
loading.style = "position: fixed; top: 0; left: 0; width: 100%; height: 100%; background: rgba(255, 255, 255, 0.85); z-index: 99999;";
document.body.appendChild(loading);
"#)?;
let auth_request = auth_prelogin(&self.server, &self.gp_params).await?;
let (tx, rx) = oneshot::channel::<anyhow::Result<()>>();
auth_window.with_webview(move |wv| {
let result = wv.load_auth_request(&auth_request);
if let Err(result) = tx.send(result) {
warn!("Failed to send retry auth result: {:?}", result);
}
})?;
rx.await??;
Ok(())
}
fn raise_window(&self, auth_window: &WebviewWindow) {
let visible = auth_window.is_visible().unwrap_or(false);
if visible {
return;
}
info!("Raising auth window...");
#[cfg(target_os = "macos")]
let result = auth_window.show();
#[cfg(not(target_os = "macos"))]
let result = {
use gpapi::utils::window::WindowExt;
auth_window.raise()
};
if let Err(err) = result {
warn!("Failed to raise window: {}", err);
}
}
}

9
crates/auth/src/webview_auth.rs
View File

@ -1,9 +0,0 @@
mod auth_messenger;
mod auth_response;
mod auth_settings;
mod webview_auth_ext;
#[cfg_attr(not(target_os = "macos"), path = "webview_auth/unix.rs")]
mod platform_impl;
pub use webview_auth_ext::WebviewAuthenticator;

108
crates/auth/src/webview_auth/auth_messenger.rs
View File

@ -1,108 +0,0 @@
use anyhow::bail;
use gpapi::auth::SamlAuthData;
use log::{error, info};
use tokio::sync::{mpsc, RwLock};
use tokio_util::sync::CancellationToken;
pub enum AuthError {
/// Failed to load page due to TLS error
TlsError,
/// 1. Found auth data in headers/body but it's invalid
/// 2. Loaded an empty page, failed to load page. etc.
Invalid,
/// No auth data found in headers/body
NotFound,
}
pub type AuthResult = anyhow::Result<SamlAuthData, AuthError>;
pub enum AuthEvent {
Data(SamlAuthData),
Error(AuthError),
RaiseWindow,
Close,
}
pub struct AuthMessenger {
tx: mpsc::UnboundedSender<AuthEvent>,
rx: RwLock<mpsc::UnboundedReceiver<AuthEvent>>,
raise_window_cancel_token: RwLock<Option<CancellationToken>>,
}
impl AuthMessenger {
pub fn new() -> Self {
let (tx, rx) = mpsc::unbounded_channel();
Self {
tx,
rx: RwLock::new(rx),
raise_window_cancel_token: Default::default(),
}
}
pub async fn subscribe(&self) -> anyhow::Result<AuthEvent> {
let mut rx = self.rx.write().await;
if let Some(event) = rx.recv().await {
return Ok(event);
}
bail!("Failed to receive auth event");
}
pub fn send_auth_event(&self, event: AuthEvent) {
if let Err(event) = self.tx.send(event) {
error!("Failed to send auth event: {}", event);
}
}
pub fn send_auth_result(&self, result: AuthResult) {
match result {
Ok(data) => self.send_auth_data(data),
Err(err) => self.send_auth_error(err),
}
}
pub fn send_auth_error(&self, err: AuthError) {
self.send_auth_event(AuthEvent::Error(err));
}
pub fn send_auth_data(&self, data: SamlAuthData) {
self.send_auth_event(AuthEvent::Data(data));
}
pub fn schedule_raise_window(&self, delay: u64) {
let cancel_token = CancellationToken::new();
let cancel_token_clone = cancel_token.clone();
if let Ok(mut guard) = self.raise_window_cancel_token.try_write() {
// Cancel the previous raise window task if it exists
if let Some(token) = guard.take() {
token.cancel();
}
*guard = Some(cancel_token_clone);
}
let tx = self.tx.clone();
tokio::spawn(async move {
info!("Displaying the window in {} second(s)...", delay);
tokio::select! {
_ = tokio::time::sleep(tokio::time::Duration::from_secs(delay)) => {
if let Err(err) = tx.send(AuthEvent::RaiseWindow) {
error!("Failed to send raise window event: {}", err);
}
}
_ = cancel_token.cancelled() => {
info!("Cancelled raise window task");
}
}
});
}
pub fn cancel_raise_window(&self) {
if let Ok(mut cancel_token) = self.raise_window_cancel_token.try_write() {
if let Some(token) = cancel_token.take() {
token.cancel();
}
}
}
}

152
crates/auth/src/webview_auth/auth_response.rs
View File

@ -1,152 +0,0 @@
use std::sync::Arc;
use gpapi::{
auth::{AuthDataParseResult, SamlAuthData},
error::AuthDataParseError,
};
use log::{info, warn};
use regex::Regex;
use crate::webview_auth::auth_messenger::{AuthError, AuthMessenger};
/// Trait for handling authentication response
pub trait AuthResponse {
fn get_header(&self, key: &str) -> Option<String>;
fn get_body<F>(&self, cb: F)
where
F: FnOnce(anyhow::Result<Vec<u8>>) + 'static;
fn url(&self) -> Option<String>;
fn is_acs_endpoint(&self) -> bool {
self.url().map_or(false, |url| url.ends_with("/SAML20/SP/ACS"))
}
}
pub fn read_auth_data(auth_response: &impl AuthResponse, auth_messenger: &Arc<AuthMessenger>) {
let auth_messenger = Arc::clone(auth_messenger);
match read_from_headers(auth_response) {
Ok(auth_data) => {
info!("Found auth data in headers");
auth_messenger.send_auth_data(auth_data);
}
Err(header_err) => {
info!("Failed to read auth data from headers: {}", header_err);
let is_acs_endpoint = auth_response.is_acs_endpoint();
read_from_body(auth_response, move |auth_result| {
// If the endpoint is `/SAML20/SP/ACS` and no auth data found in body, it should be considered as invalid
let auth_result = auth_result.map_err(move |e| {
info!("Failed to read auth data from body: {}", e);
if is_acs_endpoint || e.is_invalid() || header_err.is_invalid() {
AuthError::Invalid
} else {
AuthError::NotFound
}
});
auth_messenger.send_auth_result(auth_result);
});
}
}
}
fn read_from_headers(auth_response: &impl AuthResponse) -> AuthDataParseResult {
let Some(status) = auth_response.get_header("saml-auth-status") else {
info!("No SAML auth status found in headers");
return Err(AuthDataParseError::NotFound);
};
if status != "1" {
info!("Found invalid auth status: {}", status);
return Err(AuthDataParseError::Invalid);
}
let username = auth_response.get_header("saml-username");
let prelogin_cookie = auth_response.get_header("prelogin-cookie");
let portal_userauthcookie = auth_response.get_header("portal-userauthcookie");
SamlAuthData::new(username, prelogin_cookie, portal_userauthcookie).map_err(|e| {
warn!("Found invalid auth data: {}", e);
AuthDataParseError::Invalid
})
}
fn read_from_body<F>(auth_response: &impl AuthResponse, cb: F)
where
F: FnOnce(AuthDataParseResult) + 'static,
{
auth_response.get_body(|body| match body {
Ok(body) => {
let html = String::from_utf8_lossy(&body);
cb(read_from_html(&html))
}
Err(err) => {
info!("Failed to read body: {}", err);
cb(Err(AuthDataParseError::Invalid))
}
});
}
fn read_from_html(html: &str) -> AuthDataParseResult {
if html.contains("Temporarily Unavailable") {
info!("Found 'Temporarily Unavailable' in HTML, auth failed");
return Err(AuthDataParseError::Invalid);
}
SamlAuthData::from_html(html).or_else(|err| {
if let Some(gpcallback) = extract_gpcallback(html) {
info!("Found gpcallback from html...");
SamlAuthData::from_gpcallback(&gpcallback)
} else {
Err(err)
}
})
}
fn extract_gpcallback(html: &str) -> Option<String> {
let re = Regex::new(r#"globalprotectcallback:[^"]+"#).unwrap();
re.captures(html)
.and_then(|captures| captures.get(0))
.map(|m| html_escape::decode_html_entities(m.as_str()).to_string())
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn extract_gpcallback_some() {
let html = r#"
<meta http-equiv="refresh" content="0; URL=globalprotectcallback:PGh0bWw+PCEtLSA8c">
<meta http-equiv="refresh" content="0; URL=globalprotectcallback:PGh0bWw+PCEtLSA8c">
"#;
assert_eq!(
extract_gpcallback(html).as_deref(),
Some("globalprotectcallback:PGh0bWw+PCEtLSA8c")
);
}
#[test]
fn extract_gpcallback_cas() {
let html = r#"
<meta http-equiv="refresh" content="0; URL=globalprotectcallback:cas-as=1&amp;un=xyz@email.com&amp;token=very_long_string">
"#;
assert_eq!(
extract_gpcallback(html).as_deref(),
Some("globalprotectcallback:cas-as=1&un=xyz@email.com&token=very_long_string")
);
}
#[test]
fn extract_gpcallback_none() {
let html = r#"
<meta http-equiv="refresh" content="0; URL=PGh0bWw+PCEtLSA8c">
"#;
assert_eq!(extract_gpcallback(html), None);
}
}

25
crates/auth/src/webview_auth/auth_settings.rs
View File

@ -1,25 +0,0 @@
use std::sync::Arc;
use super::auth_messenger::AuthMessenger;
pub struct AuthRequest<'a>(&'a str);
impl<'a> AuthRequest<'a> {
pub fn new(auth_request: &'a str) -> Self {
Self(auth_request)
}
pub fn is_url(&self) -> bool {
self.0.starts_with("http")
}
pub fn as_str(&self) -> &str {
self.0
}
}
pub struct AuthSettings<'a> {
pub auth_request: AuthRequest<'a>,
pub auth_messenger: Arc<AuthMessenger>,
pub ignore_tls_errors: bool,
}

136
crates/auth/src/webview_auth/unix.rs
View File

@ -1,136 +0,0 @@
use std::sync::Arc;
use anyhow::bail;
use gpapi::utils::redact::redact_uri;
use log::{info, warn};
use webkit2gtk::{
gio::Cancellable,
glib::{GString, TimeSpan},
LoadEvent, TLSErrorsPolicy, URIResponseExt, WebResource, WebResourceExt, WebView, WebViewExt, WebsiteDataManagerExt,
WebsiteDataManagerExtManual, WebsiteDataTypes,
};
use crate::webview_auth::{
auth_messenger::AuthError,
auth_response::read_auth_data,
auth_settings::{AuthRequest, AuthSettings},
};
use super::auth_response::AuthResponse;
impl AuthResponse for WebResource {
fn get_header(&self, key: &str) -> Option<String> {
self
.response()
.and_then(|response| response.http_headers())
.and_then(|headers| headers.one(key))
.map(GString::into)
}
fn get_body<F>(&self, cb: F)
where
F: FnOnce(anyhow::Result<Vec<u8>>) + 'static,
{
let cancellable = Cancellable::NONE;
self.data(cancellable, |data| cb(data.map_err(|e| anyhow::anyhow!(e))));
}
fn url(&self) -> Option<String> {
self.uri().map(GString::into)
}
}
pub fn clear_data<F>(wv: &WebView, cb: F)
where
F: FnOnce(anyhow::Result<()>) + Send + 'static,
{
let Some(data_manager) = wv.website_data_manager() else {
cb(Err(anyhow::anyhow!("Failed to get website data manager")));
return;
};
data_manager.clear(
WebsiteDataTypes::COOKIES,
TimeSpan(0),
Cancellable::NONE,
move |result| {
cb(result.map_err(|e| anyhow::anyhow!(e)));
},
);
}
pub fn setup_webview(wv: &WebView, auth_settings: AuthSettings) -> anyhow::Result<()> {
let AuthSettings {
auth_request,
auth_messenger,
ignore_tls_errors,
} = auth_settings;
let auth_messenger_clone = Arc::clone(&auth_messenger);
let Some(data_manager) = wv.website_data_manager() else {
bail!("Failed to get website data manager");
};
if ignore_tls_errors {
data_manager.set_tls_errors_policy(TLSErrorsPolicy::Ignore);
}
wv.connect_load_changed(move |wv, event| {
if event == LoadEvent::Started {
auth_messenger_clone.cancel_raise_window();
return;
}
if event != LoadEvent::Finished {
return;
}
let Some(main_resource) = wv.main_resource() else {
return;
};
let uri = main_resource.uri().unwrap_or("".into());
if uri.is_empty() {
warn!("Loaded an empty URI");
auth_messenger_clone.send_auth_error(AuthError::Invalid);
return;
}
read_auth_data(&main_resource, &auth_messenger_clone);
});
wv.connect_load_failed_with_tls_errors(move |_wv, uri, cert, err| {
let redacted_uri = redact_uri(uri);
warn!(
"Failed to load uri: {} with error: {}, cert: {}",
redacted_uri, err, cert
);
auth_messenger.send_auth_error(AuthError::TlsError);
true
});
wv.connect_load_failed(move |_wv, _event, uri, err| {
let redacted_uri = redact_uri(uri);
if !uri.starts_with("globalprotectcallback:") {
warn!("Failed to load uri: {} with error: {}", redacted_uri, err);
}
// NOTE: Don't send error here, since load_changed event will be triggered after this
// true to stop other handlers from being invoked for the event. false to propagate the event further.
true
});
load_auth_request(wv, &auth_request);
Ok(())
}
pub fn load_auth_request(wv: &WebView, auth_request: &AuthRequest) {
if auth_request.is_url() {
info!("Loading auth request as URI...");
wv.load_uri(auth_request.as_str());
} else {
info!("Loading auth request as HTML...");
wv.load_html(auth_request.as_str(), None);
}
}

194
crates/auth/src/webview_auth/webview_auth_ext.rs
View File

@ -1,194 +0,0 @@
use std::{
future::Future,
sync::Arc,
time::{Duration, Instant},
};
use anyhow::bail;
use gpapi::{auth::SamlAuthData, error::PortalError, utils::window::WindowExt};
use log::{info, warn};
use tauri::{AppHandle, WebviewUrl, WebviewWindow, WindowEvent};
use tokio::{sync::oneshot, time};
use crate::{
webview_auth::{
auth_messenger::{AuthError, AuthEvent, AuthMessenger},
auth_settings::{AuthRequest, AuthSettings},
platform_impl,
},
Authenticator,
};
pub trait WebviewAuthenticator {
fn with_clean(self, clean: bool) -> Self;
fn webview_authenticate(&self, app_handle: &AppHandle) -> impl Future<Output = anyhow::Result<SamlAuthData>> + Send;
}
impl WebviewAuthenticator for Authenticator<'_> {
fn with_clean(mut self, clean: bool) -> Self {
self.clean = clean;
self
}
async fn webview_authenticate(&self, app_handle: &AppHandle) -> anyhow::Result<SamlAuthData> {
let auth_window = WebviewWindow::builder(app_handle, "auth_window", WebviewUrl::default())
.title("GlobalProtect Login")
.focused(true)
.visible(false)
.center()
.build()?;
self.auth_loop(&auth_window).await
}
}
impl Authenticator<'_> {
async fn auth_loop(&self, auth_window: &WebviewWindow) -> anyhow::Result<SamlAuthData> {
if self.clean {
self.clear_webview_data(&auth_window).await?;
}
let auth_messenger = self.setup_auth_window(&auth_window).await?;
loop {
match auth_messenger.subscribe().await? {
AuthEvent::Close => bail!("Authentication cancelled"),
AuthEvent::RaiseWindow => self.raise_window(auth_window),
AuthEvent::Error(AuthError::TlsError) => bail!(PortalError::TlsError),
AuthEvent::Error(AuthError::NotFound) => self.handle_not_found(auth_window, &auth_messenger),
AuthEvent::Error(AuthError::Invalid) => self.retry_auth(auth_window).await,
AuthEvent::Data(auth_data) => {
auth_window.close()?;
return Ok(auth_data);
}
}
}
}
async fn clear_webview_data(&self, auth_window: &WebviewWindow) -> anyhow::Result<()> {
info!("Clearing webview data...");
let (tx, rx) = oneshot::channel::<anyhow::Result<()>>();
let now = Instant::now();
auth_window.with_webview(|webview| {
platform_impl::clear_data(&webview.inner(), |result| {
if let Err(result) = tx.send(result) {
warn!("Failed to send clear data result: {:?}", result);
}
})
})?;
rx.await??;
info!("Webview data cleared in {:?}", now.elapsed());
Ok(())
}
async fn setup_auth_window(&self, auth_window: &WebviewWindow) -> anyhow::Result<Arc<AuthMessenger>> {
info!("Setting up auth window...");
let auth_messenger = Arc::new(AuthMessenger::new());
let auth_request = self.initial_auth_request().await?.into_owned();
let ignore_tls_errors = self.gp_params.ignore_tls_errors();
// Handle window close event
let auth_messenger_clone = Arc::clone(&auth_messenger);
auth_window.on_window_event(move |event| {
if let WindowEvent::CloseRequested { .. } = event {
auth_messenger_clone.send_auth_event(AuthEvent::Close);
}
});
// Show the window after 10 seconds, so that the user can see the window if the auth process is stuck
let auth_messenger_clone = Arc::clone(&auth_messenger);
tokio::spawn(async move {
time::sleep(Duration::from_secs(10)).await;
auth_messenger_clone.send_auth_event(AuthEvent::RaiseWindow);
});
// setup webview
let auth_messenger_clone = Arc::clone(&auth_messenger);
let (tx, rx) = oneshot::channel::<anyhow::Result<()>>();
auth_window.with_webview(move |webview| {
let auth_settings = AuthSettings {
auth_request: AuthRequest::new(&auth_request),
auth_messenger: auth_messenger_clone,
ignore_tls_errors,
};
let result = platform_impl::setup_webview(&webview.inner(), auth_settings);
if let Err(result) = tx.send(result) {
warn!("Failed to send setup auth window result: {:?}", result);
}
})?;
rx.await??;
info!("Auth window setup completed");
Ok(auth_messenger)
}
fn handle_not_found(&self, auth_window: &WebviewWindow, auth_messenger: &Arc<AuthMessenger>) {
info!("No auth data found, it may not be the /SAML20/SP/ACS endpoint");
let visible = auth_window.is_visible().unwrap_or(false);
if visible {
return;
}
auth_messenger.schedule_raise_window(1);
}
async fn retry_auth(&self, auth_window: &WebviewWindow) {
let mut is_retrying = self.is_retrying.write().await;
if *is_retrying {
info!("Already retrying authentication, skipping...");
return;
}
*is_retrying = true;
drop(is_retrying);
if let Err(err) = self.retry_auth_impl(auth_window).await {
warn!("Failed to retry authentication: {}", err);
}
*self.is_retrying.write().await = false;
}
async fn retry_auth_impl(&self, auth_window: &WebviewWindow) -> anyhow::Result<()> {
info!("Retrying authentication...");
auth_window.eval( r#"
var loading = document.createElement("div");
loading.innerHTML = '<div style="position: absolute; width: 100%; text-align: center; font-size: 20px; font-weight: bold; top: 50%; left: 50%; transform: translate(-50%, -50%);">Got invalid token, retrying...</div>';
loading.style = "position: fixed; top: 0; left: 0; width: 100%; height: 100%; background: rgba(255, 255, 255, 0.85); z-index: 99999;";
document.body.appendChild(loading);
"#)?;
let auth_request = self.portal_prelogin().await?;
let (tx, rx) = oneshot::channel::<()>();
auth_window.with_webview(move |webview| {
let auth_request = AuthRequest::new(&auth_request);
platform_impl::load_auth_request(&webview.inner(), &auth_request);
tx.send(()).expect("Failed to send message to the channel")
})?;
rx.await?;
Ok(())
}
fn raise_window(&self, auth_window: &WebviewWindow) {
let visible = auth_window.is_visible().unwrap_or(false);
if visible {
return;
}
info!("Raising auth window...");
if let Err(err) = auth_window.raise() {
warn!("Failed to raise window: {}", err);
}
}
}

19
crates/gpapi/src/auth.rs
View File

@ -72,15 +72,12 @@ impl SamlAuthData {
let prelogin_cookie = parse_xml_tag(html, "prelogin-cookie"); let prelogin_cookie = parse_xml_tag(html, "prelogin-cookie");
let portal_userauthcookie = parse_xml_tag(html, "portal-userauthcookie"); let portal_userauthcookie = parse_xml_tag(html, "portal-userauthcookie");
SamlAuthData::new(username, prelogin_cookie, portal_userauthcookie).map_err(|e| { SamlAuthData::new(username, prelogin_cookie, portal_userauthcookie).map_err(AuthDataParseError::Invalid)
warn!("Failed to parse auth data: {}", e);
AuthDataParseError::Invalid
})
}
Some(status) => {
warn!("Found invalid auth status: {}", status);
Err(AuthDataParseError::Invalid)
} }
Some(status) => Err(AuthDataParseError::Invalid(anyhow::anyhow!(
"SAML auth status: {}",
status
))),
None => Err(AuthDataParseError::NotFound), None => Err(AuthDataParseError::NotFound),
} }
} }
@ -100,7 +97,7 @@ impl SamlAuthData {
let auth_data: SamlAuthData = serde_urlencoded::from_str(auth_data.borrow()).map_err(|e| { let auth_data: SamlAuthData = serde_urlencoded::from_str(auth_data.borrow()).map_err(|e| {
warn!("Failed to parse token auth data: {}", e); warn!("Failed to parse token auth data: {}", e);
warn!("Auth data: {}", auth_data); warn!("Auth data: {}", auth_data);
AuthDataParseError::Invalid AuthDataParseError::Invalid(anyhow::anyhow!(e))
})?; })?;
return Ok(auth_data); return Ok(auth_data);
@ -108,7 +105,7 @@ impl SamlAuthData {
let auth_data = decode_to_string(auth_data).map_err(|e| { let auth_data = decode_to_string(auth_data).map_err(|e| {
warn!("Failed to decode SAML auth data: {}", e); warn!("Failed to decode SAML auth data: {}", e);
AuthDataParseError::Invalid AuthDataParseError::Invalid(anyhow::anyhow!(e))
})?; })?;
let auth_data = Self::from_html(&auth_data)?; let auth_data = Self::from_html(&auth_data)?;
@ -128,7 +125,7 @@ impl SamlAuthData {
} }
} }
pub fn parse_xml_tag(html: &str, tag: &str) -> Option<String> { fn parse_xml_tag(html: &str, tag: &str) -> Option<String> {
let re = Regex::new(&format!("<{}>(.*)</{}>", tag, tag)).unwrap(); let re = Regex::new(&format!("<{}>(.*)</{}>", tag, tag)).unwrap();
re.captures(html) re.captures(html)
.and_then(|captures| captures.get(1)) .and_then(|captures| captures.get(1))

6
crates/gpapi/src/error.rs
View File

@ -26,12 +26,12 @@ impl PortalError {
pub enum AuthDataParseError { pub enum AuthDataParseError {
#[error("No auth data found")] #[error("No auth data found")]
NotFound, NotFound,
#[error("Invalid auth data")] #[error(transparent)]
Invalid, Invalid(#[from] anyhow::Error),
} }
impl AuthDataParseError { impl AuthDataParseError {
pub fn is_invalid(&self) -> bool { pub fn is_invalid(&self) -> bool {
matches!(self, AuthDataParseError::Invalid) matches!(self, AuthDataParseError::Invalid(_))
} }
} }

7
crates/openconnect/build.rs
View File

@ -1,9 +1,14 @@
fn main() { fn main() {
// Link to the native openconnect library // Link to the native openconnect library
println!("cargo:rustc-link-lib=openconnect"); println!("cargo:rustc-link-lib=openconnect");
println!("cargo:rustc-link-search=/opt/homebrew/lib"); // Homebrew path
println!("cargo:rerun-if-changed=src/ffi/vpn.c"); println!("cargo:rerun-if-changed=src/ffi/vpn.c");
println!("cargo:rerun-if-changed=src/ffi/vpn.h"); println!("cargo:rerun-if-changed=src/ffi/vpn.h");
// Compile the vpn.c file // Compile the vpn.c file
cc::Build::new().file("src/ffi/vpn.c").include("src/ffi").compile("vpn"); cc::Build::new()
.file("src/ffi/vpn.c")
.include("src/ffi")
.include("/opt/homebrew/include") // Homebrew path
.compile("vpn");
} }