cassidy/GlobalProtect-openconnect
1
0
Fork 0
mirror of https://github.com/yuezk/GlobalProtect-openconnect.git synced 2025-04-02 18:31:50 -04:00
Code Issues Projects Releases Wiki Activity

Move new code

Browse Source
This commit is contained in:
Kevin Yue 2024-01-16 05:23:44 -05:00
parent 1a98c3b863
commit b32c0416ce
80 changed files with 9908 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
.devcontainer/Dockerfile Normal file
View File

@ -0,0 +1,62 @@
FROM ubuntu:18.04
ARG USERNAME=vscode
ARG USER_UID=1000
ARG USER_GID=$USER_UID
ENV RUSTUP_HOME=/usr/local/rustup \
CARGO_HOME=/usr/local/cargo \
PATH=/usr/local/cargo/bin:$PATH \
RUST_VERSION=1.75.0
RUN set -eux; \
apt-get update; \
apt-get install -y --no-install-recommends \
sudo \
ca-certificates \
curl \
gnupg \
git \
less \
software-properties-common \
# Tauri dependencies
libwebkit2gtk-4.0-dev build-essential wget libssl-dev libgtk-3-dev libayatana-appindicator3-dev librsvg2-dev; \
# Install openconnect
add-apt-repository ppa:yuezk/globalprotect-openconnect; \
apt-get update; \
apt-get install -y openconnect libopenconnect-dev; \
# Create a non-root user
groupadd --gid $USER_GID $USERNAME; \
useradd --uid $USER_UID --gid $USER_GID -m $USERNAME; \
echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME; \
chmod 0440 /etc/sudoers.d/$USERNAME; \
# Install Node.js
mkdir -p /etc/apt/keyrings; \
curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg; \
echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_16.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list; \
apt-get update; \
apt-get install -y nodejs; \
corepack enable; \
# Install diff-so-fancy
npm install -g diff-so-fancy; \
# Install Rust
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain $RUST_VERSION; \
chown -R $USERNAME:$USERNAME $RUSTUP_HOME $CARGO_HOME; \
rustup --version; \
cargo --version; \
rustc --version
USER $USERNAME
# Install Oh My Zsh
RUN sh -c "$(wget -O- https://github.com/deluan/zsh-in-docker/releases/download/v1.1.5/zsh-in-docker.sh)" -- \
-t https://github.com/denysdovhan/spaceship-prompt \
-a 'SPACESHIP_PROMPT_ADD_NEWLINE="false"' \
-a 'SPACESHIP_PROMPT_SEPARATE_LINE="false"' \
-p git \
-p https://github.com/zsh-users/zsh-autosuggestions \
-p https://github.com/zsh-users/zsh-completions; \
# Change the default shell
sudo chsh -s /bin/zsh $USERNAME; \
# Change the XTERM to xterm-256color
sed -i 's/TERM=xterm/TERM=xterm-256color/g' $HOME/.zshrc;

10
.devcontainer/devcontainer.json Normal file
View File

@ -0,0 +1,10 @@
{
"build": {
"dockerfile": "Dockerfile"
},
"runArgs": [
"--privileged",
"--cap-add=NET_ADMIN",
"--device=/dev/net/tun"
]
}

9
.editorconfig Normal file
View File

@ -0,0 +1,9 @@
root = true
[*]
charset = utf-8
indent_style = space
indent_size = 2
end_of_line = lf
insert_final_newline = true
trim_trailing_whitespace = true

4
.gitignore vendored Normal file
View File

@ -0,0 +1,4 @@
.idea
/target
.pnpm-store
.env

9
.vscode/extensions.json vendored Normal file
View File

@ -0,0 +1,9 @@
{
"recommendations": [
"rust-lang.rust-analyzer",
"tamasfe.even-better-toml",
"eamodio.gitlens",
"EditorConfig.EditorConfig",
"streetsidesoftware.code-spell-checker",
]
}

51
.vscode/settings.json vendored Normal file
View File

@ -0,0 +1,51 @@
{
"cSpell.words": [
"authcookie",
"bincode",
"chacha",
"clientos",
"datetime",
"disconnectable",
"distro",
"dotenv",
"dotenvy",
"getconfig",
"gpapi",
"gpauth",
"gpclient",
"gpcommon",
"gpgui",
"gpservice",
"hidpi",
"jnlp",
"LOGNAME",
"oneshot",
"openconnect",
"pkexec",
"Prelogin",
"prelogon",
"prelogonuserauthcookie",
"repr",
"reqwest",
"roxmltree",
"rspc",
"servercert",
"specta",
"sysinfo",
"tanstack",
"tauri",
"tempfile",
"thiserror",
"tungstenite",
"unistd",
"unlisten",
"urlencoding",
"userauthcookie",
"utsbuf",
"Vite",
"vpnc",
"vpninfo",
"wmctrl",
"XAUTHORITY"
]
}

5052
Cargo.lock generated Normal file
View File

File diff suppressed because it is too large Load Diff

52
Cargo.toml Normal file
View File

@ -0,0 +1,52 @@
[workspace]
resolver = "2"
members = ["crates/*", "apps/gpclient", "apps/gpservice", "apps/gpauth"]
[workspace.package]
version = "2.0.0-beta.1"
authors = ["Kevin Yue <k3vinyue@gmail.com>"]
homepage = "https://github.com/yuezk/GlobalProtect-openconnect"
edition = "2021"
license = "GPL-3.0"
[workspace.dependencies]
anyhow = "1.0"
base64 = "0.21"
clap = { version = "4.4.2", features = ["derive"] }
ctrlc = "3.4"
directories = "5.0"
env_logger = "0.10"
is_executable = "1.0"
log = "0.4"
regex = "1"
reqwest = { version = "0.11", features = ["native-tls-vendored", "json"] }
roxmltree = "0.18"
serde = { version = "1.0", features = ["derive"] }
serde_json = "1.0"
sysinfo = "0.29"
tempfile = "3.8"
tokio = { version = "1", features = ["full"] }
tokio-util = "0.7"
url = "2.4"
urlencoding = "2.1.3"
axum = "0.7"
futures = "0.3"
futures-util = "0.3"
tokio-tungstenite = "0.20.1"
specta = "=2.0.0-rc.1"
specta-macros = "=2.0.0-rc.1"
users = "0.11"
whoami = "1"
tauri = { version = "1.5" }
thiserror = "1"
redact-engine = "0.1"
dotenvy_macro = "0.15"
compile-time = "0.2"
[profile.release]
opt-level = 'z' # Optimize for size
lto = true # Enable link-time optimization
codegen-units = 1 # Reduce number of codegen units to increase optimizations
panic = 'abort' # Abort on panic
strip = true # Strip symbols from binary*

23
apps/gpauth/Cargo.toml Normal file
View File

@ -0,0 +1,23 @@
[package]
name = "gpauth"
version.workspace = true
edition.workspace = true
license.workspace = true
[build-dependencies]
tauri-build = { version = "1.5", features = [] }
[dependencies]
gpapi = { path = "../../crates/gpapi", features = ["tauri"] }
anyhow.workspace = true
clap.workspace = true
env_logger.workspace = true
log.workspace = true
regex.workspace = true
serde_json.workspace = true
tokio.workspace = true
tokio-util.workspace = true
tempfile.workspace = true
webkit2gtk = "0.18.2"
tauri = { workspace = true, features = ["http-all"] }
compile-time.workspace = true

3
apps/gpauth/build.rs Normal file
View File

@ -0,0 +1,3 @@
fn main() {
tauri_build::build()
}

BIN
apps/gpauth/icons/128x128.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.4 KiB

BIN
apps/gpauth/icons/128x128@2x.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 6.8 KiB

BIN
apps/gpauth/icons/32x32.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 974 B

BIN
apps/gpauth/icons/icon.icns Normal file
View File

Binary file not shown.

BIN
apps/gpauth/icons/icon.ico Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 85 KiB

BIN
apps/gpauth/icons/icon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

11
apps/gpauth/index.html Normal file
View File

@ -0,0 +1,11 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>GlobalProtect Login</title>
</head>
<body>
<p>Redirecting to GlobalProtect Login...</p>
</body>
</html>

449
apps/gpauth/src/auth_window.rs Normal file
View File

@ -0,0 +1,449 @@
use std::{
rc::Rc,
sync::Arc,
time::{Duration, Instant},
};
use anyhow::bail;
use gpapi::{
auth::SamlAuthData,
portal::{prelogin, Prelogin},
utils::{redact::redact_uri, window::WindowExt},
};
use log::{info, warn};
use regex::Regex;
use tauri::{AppHandle, Window, WindowEvent, WindowUrl};
use tokio::sync::{mpsc, oneshot, RwLock};
use tokio_util::sync::CancellationToken;
use webkit2gtk::{
gio::Cancellable,
glib::{GString, TimeSpan},
LoadEvent, URIResponse, URIResponseExt, WebContextExt, WebResource, WebResourceExt, WebView,
WebViewExt, WebsiteDataManagerExtManual, WebsiteDataTypes,
};
enum AuthDataError {
/// 1. Found auth data in headers/body but it's invalid
/// 2. Loaded an empty page, failed to load page. etc.
Invalid,
/// No auth data found in headers/body
NotFound,
}
type AuthResult = Result<SamlAuthData, AuthDataError>;
pub(crate) struct AuthWindow<'a> {
app_handle: AppHandle,
server: &'a str,
saml_request: &'a str,
user_agent: &'a str,
clean: bool,
}
impl<'a> AuthWindow<'a> {
pub fn new(app_handle: AppHandle) -> Self {
Self {
app_handle,
server: "",
saml_request: "",
user_agent: "",
clean: false,
}
}
pub fn server(mut self, server: &'a str) -> Self {
self.server = server;
self
}
pub fn saml_request(mut self, saml_request: &'a str) -> Self {
self.saml_request = saml_request;
self
}
pub fn user_agent(mut self, user_agent: &'a str) -> Self {
self.user_agent = user_agent;
self
}
pub fn clean(mut self, clean: bool) -> Self {
self.clean = clean;
self
}
pub async fn open(&self) -> anyhow::Result<SamlAuthData> {
info!("Open auth window, user_agent: {}", self.user_agent);
let window = Window::builder(&self.app_handle, "auth_window", WindowUrl::default())
.title("GlobalProtect Login")
.user_agent(self.user_agent)
.focused(true)
.visible(false)
.center()
.build()?;
let window = Arc::new(window);
let cancel_token = CancellationToken::new();
let cancel_token_clone = cancel_token.clone();
window.on_window_event(move |event| {
if let WindowEvent::CloseRequested { .. } = event {
cancel_token_clone.cancel();
}
});
let window_clone = Arc::clone(&window);
let timeout_secs = 15;
tokio::spawn(async move {
tokio::time::sleep(Duration::from_secs(timeout_secs)).await;
let visible = window_clone.is_visible().unwrap_or(false);
if !visible {
info!("Try to raise auth window after {} seconds", timeout_secs);
raise_window(&window_clone);
}
});
tokio::select! {
_ = cancel_token.cancelled() => {
bail!("Auth cancelled");
}
saml_result = self.auth_loop(&window) => {
window.close()?;
saml_result
}
}
}
async fn auth_loop(&self, window: &Arc<Window>) -> anyhow::Result<SamlAuthData> {
let saml_request = self.saml_request.to_string();
let (auth_result_tx, mut auth_result_rx) = mpsc::unbounded_channel::<AuthResult>();
let raise_window_cancel_token: Arc<RwLock<Option<CancellationToken>>> = Default::default();
if self.clean {
clear_webview_cookies(window).await?;
}
let raise_window_cancel_token_clone = Arc::clone(&raise_window_cancel_token);
window.with_webview(move |wv| {
let wv = wv.inner();
// Load the initial SAML request
load_saml_request(&wv, &saml_request);
let auth_result_tx_clone = auth_result_tx.clone();
wv.connect_load_changed(move |wv, event| {
if event == LoadEvent::Started {
let Ok(mut cancel_token) = raise_window_cancel_token_clone.try_write() else {
return;
};
// Cancel the raise window task
if let Some(cancel_token) = cancel_token.take() {
cancel_token.cancel();
}
return;
}
if event != LoadEvent::Finished {
return;
}
if let Some(main_resource) = wv.main_resource() {
let uri = main_resource.uri().unwrap_or("".into());
if uri.is_empty() {
warn!("Loaded an empty uri");
send_auth_result(&auth_result_tx_clone, Err(AuthDataError::Invalid));
return;
}
info!("Loaded uri: {}", redact_uri(&uri));
read_auth_data(&main_resource, auth_result_tx_clone.clone());
}
});
wv.connect_load_failed_with_tls_errors(|_wv, uri, cert, err| {
let redacted_uri = redact_uri(uri);
warn!(
"Failed to load uri: {} with error: {}, cert: {}",
redacted_uri, err, cert
);
true
});
wv.connect_load_failed(move |_wv, _event, uri, err| {
let redacted_uri = redact_uri(uri);
warn!("Failed to load uri: {} with error: {}", redacted_uri, err);
send_auth_result(&auth_result_tx, Err(AuthDataError::Invalid));
// true to stop other handlers from being invoked for the event. false to propagate the event further.
true
});
})?;
let portal = self.server.to_string();
let user_agent = self.user_agent.to_string();
loop {
if let Some(auth_result) = auth_result_rx.recv().await {
match auth_result {
Ok(auth_data) => return Ok(auth_data),
Err(AuthDataError::NotFound) => {
info!("No auth data found, it may not be the /SAML20/SP/ACS endpoint");
// The user may need to interact with the auth window, raise it in 3 seconds
if !window.is_visible().unwrap_or(false) {
let window = Arc::clone(window);
let cancel_token = CancellationToken::new();
raise_window_cancel_token
.write()
.await
.replace(cancel_token.clone());
tokio::spawn(async move {
let delay_secs = 1;
info!("Raise window in {} second(s)", delay_secs);
tokio::select! {
_ = tokio::time::sleep(Duration::from_secs(delay_secs)) => {
raise_window(&window);
}
_ = cancel_token.cancelled() => {
info!("Raise window cancelled");
}
}
});
}
}
Err(AuthDataError::Invalid) => {
info!("Got invalid auth data, retrying...");
window.with_webview(|wv| {
let wv = wv.inner();
wv.run_javascript(r#"
var loading = document.createElement("div");
loading.innerHTML = '<div style="position: absolute; width: 100%; text-align: center; font-size: 20px; font-weight: bold; top: 50%; left: 50%; transform: translate(-50%, -50%);">Got invalid token, retrying...</div>';
loading.style = "position: fixed; top: 0; left: 0; width: 100%; height: 100%; background: rgba(255, 255, 255, 0.85); z-index: 99999;";
document.body.appendChild(loading);
"#,
Cancellable::NONE,
|_| info!("Injected loading element successfully"),
);
})?;
let saml_request = portal_prelogin(&portal, &user_agent).await?;
window.with_webview(move |wv| {
let wv = wv.inner();
load_saml_request(&wv, &saml_request);
})?;
}
}
}
}
}
}
fn raise_window(window: &Arc<Window>) {
let visible = window.is_visible().unwrap_or(false);
if !visible {
if let Err(err) = window.raise() {
warn!("Failed to raise window: {}", err);
}
}
}
pub(crate) async fn portal_prelogin(portal: &str, user_agent: &str) -> anyhow::Result<String> {
info!("Portal prelogin...");
match prelogin(portal, user_agent).await? {
Prelogin::Saml(prelogin) => Ok(prelogin.saml_request().to_string()),
Prelogin::Standard(_) => Err(anyhow::anyhow!("Received non-SAML prelogin response")),
}
}
fn send_auth_result(auth_result_tx: &mpsc::UnboundedSender<AuthResult>, auth_result: AuthResult) {
if let Err(err) = auth_result_tx.send(auth_result) {
warn!("Failed to send auth event: {}", err);
}
}
fn load_saml_request(wv: &Rc<WebView>, saml_request: &str) {
if saml_request.starts_with("http") {
info!("Load the SAML request as URI...");
wv.load_uri(saml_request);
} else {
info!("Load the SAML request as HTML...");
wv.load_html(saml_request, None);
}
}
fn read_auth_data_from_headers(response: &URIResponse) -> AuthResult {
response.http_headers().map_or_else(
|| {
info!("No headers found in response");
Err(AuthDataError::NotFound)
},
|mut headers| match headers.get("saml-auth-status") {
Some(status) if status == "1" => {
let username = headers.get("saml-username").map(GString::into);
let prelogin_cookie = headers.get("prelogin-cookie").map(GString::into);
let portal_userauthcookie = headers.get("portal-userauthcookie").map(GString::into);
if SamlAuthData::check(&username, &prelogin_cookie, &portal_userauthcookie) {
return Ok(SamlAuthData::new(
username.unwrap(),
prelogin_cookie,
portal_userauthcookie,
));
}
info!("Found invalid auth data in headers");
Err(AuthDataError::Invalid)
}
Some(status) => {
info!("Found invalid SAML status: {} in headers", status);
Err(AuthDataError::Invalid)
}
None => {
info!("No saml-auth-status header found");
Err(AuthDataError::NotFound)
}
},
)
}
fn read_auth_data_from_body<F>(main_resource: &WebResource, callback: F)
where
F: FnOnce(AuthResult) + Send + 'static,
{
main_resource.data(Cancellable::NONE, |data| match data {
Ok(data) => {
let html = String::from_utf8_lossy(&data);
callback(read_auth_data_from_html(&html));
}
Err(err) => {
info!("Failed to read response body: {}", err);
callback(Err(AuthDataError::Invalid))
}
});
}
fn read_auth_data_from_html(html: &str) -> AuthResult {
if html.contains("Temporarily Unavailable") {
info!("Found 'Temporarily Unavailable' in HTML, auth failed");
return Err(AuthDataError::Invalid);
}
match parse_xml_tag(html, "saml-auth-status") {
Some(saml_status) if saml_status == "1" => {
let username = parse_xml_tag(html, "saml-username");
let prelogin_cookie = parse_xml_tag(html, "prelogin-cookie");
let portal_userauthcookie = parse_xml_tag(html, "portal-userauthcookie");
if SamlAuthData::check(&username, &prelogin_cookie, &portal_userauthcookie) {
return Ok(SamlAuthData::new(
username.unwrap(),
prelogin_cookie,
portal_userauthcookie,
));
}
info!("Found invalid auth data in HTML");
Err(AuthDataError::Invalid)
}
Some(status) => {
info!("Found invalid SAML status {} in HTML", status);
Err(AuthDataError::Invalid)
}
None => {
info!("No auth data found in HTML");
Err(AuthDataError::NotFound)
}
}
}
fn read_auth_data(main_resource: &WebResource, auth_result_tx: mpsc::UnboundedSender<AuthResult>) {
if main_resource.response().is_none() {
info!("No response found in main resource");
send_auth_result(&auth_result_tx, Err(AuthDataError::Invalid));
return;
}
let response = main_resource.response().unwrap();
info!("Trying to read auth data from response headers...");
match read_auth_data_from_headers(&response) {
Ok(auth_data) => {
info!("Got auth data from headers");
send_auth_result(&auth_result_tx, Ok(auth_data));
}
Err(AuthDataError::Invalid) => {
info!("Found invalid auth data in headers, trying to read from body...");
read_auth_data_from_body(main_resource, move |auth_result| {
// Since we have already found invalid auth data in headers, which means this could be the `/SAML20/SP/ACS` endpoint
// any error result from body should be considered as invalid, and trigger a retry
let auth_result = auth_result.map_err(|_| AuthDataError::Invalid);
send_auth_result(&auth_result_tx, auth_result);
});
}
Err(AuthDataError::NotFound) => {
info!("No auth data found in headers, trying to read from body...");
read_auth_data_from_body(main_resource, move |auth_result| {
send_auth_result(&auth_result_tx, auth_result)
});
}
}
}
fn parse_xml_tag(html: &str, tag: &str) -> Option<String> {
let re = Regex::new(&format!("<{}>(.*)</{}>", tag, tag)).unwrap();
re.captures(html)
.and_then(|captures| captures.get(1))
.map(|m| m.as_str().to_string())
}
pub(crate) async fn clear_webview_cookies(window: &Window) -> anyhow::Result<()> {
let (tx, rx) = oneshot::channel::<Result<(), String>>();
window.with_webview(|wv| {
let send_result = move |result: Result<(), String>| {
if let Err(err) = tx.send(result) {
info!("Failed to send result: {:?}", err);
}
};
let wv = wv.inner();
let context = match wv.context() {
Some(context) => context,
None => {
send_result(Err("No webview context found".into()));
return;
}
};
let data_manager = match context.website_data_manager() {
Some(manager) => manager,
None => {
send_result(Err("No data manager found".into()));
return;
}
};
let now = Instant::now();
data_manager.clear(
WebsiteDataTypes::COOKIES,
TimeSpan(0),
Cancellable::NONE,
move |result| match result {
Err(err) => {
send_result(Err(err.to_string()));
}
Ok(_) => {
info!("Cookies cleared in {} ms", now.elapsed().as_millis());
send_result(Ok(()));
}
},
);
})?;
rx.await?.map_err(|err| anyhow::anyhow!(err))
}

138
apps/gpauth/src/cli.rs Normal file
View File

@ -0,0 +1,138 @@
use clap::Parser;
use gpapi::{
auth::{SamlAuthData, SamlAuthResult},
utils::{normalize_server, openssl},
GP_USER_AGENT,
};
use log::{info, LevelFilter};
use serde_json::json;
use tauri::{App, AppHandle, RunEvent};
use tempfile::NamedTempFile;
use crate::auth_window::{portal_prelogin, AuthWindow};
const VERSION: &str = concat!(
env!("CARGO_PKG_VERSION"),
" (",
compile_time::date_str!(),
")"
);
#[derive(Parser, Clone)]
#[command(version = VERSION)]
struct Cli {
server: String,
#[arg(long)]
saml_request: Option<String>,
#[arg(long, default_value = GP_USER_AGENT)]
user_agent: String,
#[arg(long)]
hidpi: bool,
#[arg(long)]
fix_openssl: bool,
#[arg(long)]
clean: bool,
}
impl Cli {
async fn run(&mut self) -> anyhow::Result<()> {
let mut openssl_conf = self.prepare_env()?;
self.server = normalize_server(&self.server)?;
// Get the initial SAML request
let saml_request = match self.saml_request {
Some(ref saml_request) => saml_request.clone(),
None => portal_prelogin(&self.server, &self.user_agent).await?,
};
self.saml_request.replace(saml_request);
let app = create_app(self.clone())?;
app.run(move |_app_handle, event| {
if let RunEvent::Exit = event {
if let Some(file) = openssl_conf.take() {
if let Err(err) = file.close() {
info!("Error closing OpenSSL config file: {}", err);
}
}
}
});
Ok(())
}
fn prepare_env(&self) -> anyhow::Result<Option<NamedTempFile>> {
std::env::set_var("WEBKIT_DISABLE_COMPOSITING_MODE", "1");
if self.hidpi {
info!("Setting GDK_SCALE=2 and GDK_DPI_SCALE=0.5");
std::env::set_var("GDK_SCALE", "2");
std::env::set_var("GDK_DPI_SCALE", "0.5");
}
if self.fix_openssl {
info!("Fixing OpenSSL environment");
let file = openssl::fix_openssl_env()?;
return Ok(Some(file));
}
Ok(None)
}
async fn saml_auth(&self, app_handle: AppHandle) -> anyhow::Result<SamlAuthData> {
let auth_window = AuthWindow::new(app_handle)
.server(&self.server)
.user_agent(&self.user_agent)
.saml_request(self.saml_request.as_ref().unwrap())
.clean(self.clean);
auth_window.open().await
}
}
fn create_app(cli: Cli) -> anyhow::Result<App> {
let app = tauri::Builder::default()
.setup(|app| {
let app_handle = app.handle();
tauri::async_runtime::spawn(async move {
let auth_result = match cli.saml_auth(app_handle.clone()).await {
Ok(auth_data) => SamlAuthResult::Success(auth_data),
Err(err) => SamlAuthResult::Failure(format!("{}", err)),
};
println!("{}", json!(auth_result));
});
Ok(())
})
.build(tauri::generate_context!())?;
Ok(app)
}
fn init_logger() {
env_logger::builder().filter_level(LevelFilter::Info).init();
}
pub async fn run() {
let mut cli = Cli::parse();
init_logger();
info!("gpauth started: {}", VERSION);
if let Err(err) = cli.run().await {
eprintln!("\nError: {}", err);
if err.to_string().contains("unsafe legacy renegotiation") && !cli.fix_openssl {
eprintln!("\nRe-run it with the `--fix-openssl` option to work around this issue, e.g.:\n");
// Print the command
let args = std::env::args().collect::<Vec<_>>();
eprintln!("{} --fix-openssl {}\n", args[0], args[1..].join(" "));
}
std::process::exit(1);
}
}

9
apps/gpauth/src/main.rs Normal file
View File

@ -0,0 +1,9 @@
#![cfg_attr(not(debug_assertions), windows_subsystem = "windows")]
mod auth_window;
mod cli;
#[tokio::main]
async fn main() {
cli::run().await;
}

47
apps/gpauth/tauri.conf.json Normal file
View File

@ -0,0 +1,47 @@
{
"$schema": "https://cdn.jsdelivr.net/gh/tauri-apps/tauri@tauri-v1.5.0/tooling/cli/schema.json",
"build": {
"distDir": [
"index.html"
],
"devPath": [
"index.html"
],
"beforeDevCommand": "",
"beforeBuildCommand": "",
"withGlobalTauri": false
},
"package": {
"productName": "gpauth",
"version": "0.0.0"
},
"tauri": {
"allowlist": {
"all": false,
"http": {
"all": true,
"request": true,
"scope": [
"http://**",
"https://**"
]
}
},
"bundle": {
"active": true,
"targets": "deb",
"identifier": "com.yuezk.gpauth",
"icon": [
"icons/32x32.png",
"icons/128x128.png",
"icons/128x128@2x.png",
"icons/icon.icns",
"icons/icon.ico"
]
},
"security": {
"csp": null
},
"windows": []
}
}

23
apps/gpclient/Cargo.toml Normal file
View File

@ -0,0 +1,23 @@
[package]
name = "gpclient"
authors.workspace = true
version.workspace = true
edition.workspace = true
license.workspace = true
[dependencies]
gpapi = { path = "../../crates/gpapi" }
openconnect = { path = "../../crates/openconnect" }
anyhow.workspace = true
clap.workspace = true
env_logger.workspace = true
inquire = "0.6.2"
log.workspace = true
tokio.workspace = true
sysinfo.workspace = true
serde_json.workspace = true
whoami.workspace = true
tempfile.workspace = true
reqwest.workspace = true
directories = "5.0"
compile-time.workspace = true

101
apps/gpclient/src/cli.rs Normal file
View File

@ -0,0 +1,101 @@
use clap::{Parser, Subcommand};
use gpapi::utils::openssl;
use log::{info, LevelFilter};
use tempfile::NamedTempFile;
use crate::{
connect::{ConnectArgs, ConnectHandler},
disconnect::DisconnectHandler,
launch_gui::{LaunchGuiArgs, LaunchGuiHandler},
};
const VERSION: &str = concat!(
env!("CARGO_PKG_VERSION"),
" (",
compile_time::date_str!(),
")"
);
#[derive(Subcommand)]
enum CliCommand {
#[command(about = "Connect to a portal server")]
Connect(ConnectArgs),
#[command(about = "Disconnect from the server")]
Disconnect,
#[command(about = "Launch the GUI")]
LaunchGui(LaunchGuiArgs),
}
#[derive(Parser)]
#[command(
version = VERSION,
author,
about = "The GlobalProtect VPN client, based on OpenConnect, supports the SSO authentication method.",
help_template = "\
{before-help}{name} {version}
{author}
{about}
{usage-heading} {usage}
{all-args}{after-help}
"
)]
struct Cli {
#[command(subcommand)]
command: CliCommand,
#[arg(
long,
help = "Get around the OpenSSL `unsafe legacy renegotiation` error"
)]
fix_openssl: bool,
}
impl Cli {
fn fix_openssl(&self) -> anyhow::Result<Option<NamedTempFile>> {
if self.fix_openssl {
let file = openssl::fix_openssl_env()?;
return Ok(Some(file));
}
Ok(None)
}
async fn run(&self) -> anyhow::Result<()> {
// The temp file will be dropped automatically when the file handle is dropped
// So, declare it here to ensure it's not dropped
let _file = self.fix_openssl()?;
match &self.command {
CliCommand::Connect(args) => ConnectHandler::new(args, self.fix_openssl).handle().await,
CliCommand::Disconnect => DisconnectHandler::new().handle(),
CliCommand::LaunchGui(args) => LaunchGuiHandler::new(args).handle().await,
}
}
}
fn init_logger() {
env_logger::builder().filter_level(LevelFilter::Info).init();
}
pub(crate) async fn run() {
let cli = Cli::parse();
init_logger();
info!("gpclient started: {}", VERSION);
if let Err(err) = cli.run().await {
eprintln!("\nError: {}", err);
if err.to_string().contains("unsafe legacy renegotiation") && !cli.fix_openssl {
eprintln!("\nRe-run it with the `--fix-openssl` option to work around this issue, e.g.:\n");
// Print the command
let args = std::env::args().collect::<Vec<_>>();
eprintln!("{} --fix-openssl {}\n", args[0], args[1..].join(" "));
}
std::process::exit(1);
}
}

150
apps/gpclient/src/connect.rs Normal file
View File

@ -0,0 +1,150 @@
use std::{fs, sync::Arc};
use clap::Args;
use gpapi::{
credential::{Credential, PasswordCredential},
gateway::gateway_login,
gp_params::GpParams,
portal::{prelogin, retrieve_config, Prelogin},
process::auth_launcher::SamlAuthLauncher,
utils::{self, shutdown_signal},
GP_USER_AGENT,
};
use inquire::{Password, PasswordDisplayMode, Select, Text};
use log::info;
use openconnect::Vpn;
use crate::GP_CLIENT_LOCK_FILE;
#[derive(Args)]
pub(crate) struct ConnectArgs {
#[arg(help = "The portal server to connect to")]
server: String,
#[arg(
short,
long,
help = "The gateway to connect to, it will prompt if not specified"
)]
gateway: Option<String>,
#[arg(
short,
long,
help = "The username to use, it will prompt if not specified"
)]
user: Option<String>,
#[arg(long, short, help = "The VPNC script to use")]
script: Option<String>,
#[arg(long, default_value = GP_USER_AGENT, help = "The user agent to use")]
user_agent: String,
#[arg(long, help = "The HiDPI mode, useful for high resolution screens")]
hidpi: bool,
#[arg(long, help = "Do not reuse the remembered authentication cookie")]
clean: bool,
}
pub(crate) struct ConnectHandler<'a> {
args: &'a ConnectArgs,
fix_openssl: bool,
}
impl<'a> ConnectHandler<'a> {
pub(crate) fn new(args: &'a ConnectArgs, fix_openssl: bool) -> Self {
Self { args, fix_openssl }
}
pub(crate) async fn handle(&self) -> anyhow::Result<()> {
let portal = utils::normalize_server(self.args.server.as_str())?;
let gp_params = GpParams::builder()
.user_agent(&self.args.user_agent)
.build();
let prelogin = prelogin(&portal, &self.args.user_agent).await?;
let portal_credential = self.obtain_portal_credential(&prelogin).await?;
let mut portal_config = retrieve_config(&portal, &portal_credential, &gp_params).await?;
let selected_gateway = match &self.args.gateway {
Some(gateway) => portal_config
.find_gateway(gateway)
.ok_or_else(|| anyhow::anyhow!("Cannot find gateway {}", gateway))?,
None => {
portal_config.sort_gateways(prelogin.region());
let gateways = portal_config.gateways();
if gateways.len() > 1 {
Select::new("Which gateway do you want to connect to?", gateways)
.with_vim_mode(true)
.prompt()?
} else {
gateways[0]
}
}
};
let gateway = selected_gateway.server();
let cred = portal_config.auth_cookie().into();
let token = gateway_login(gateway, &cred, &gp_params).await?;
let vpn = Vpn::builder(gateway, &token)
.user_agent(self.args.user_agent.clone())
.script(self.args.script.clone())
.build();
let vpn = Arc::new(vpn);
let vpn_clone = vpn.clone();
// Listen for the interrupt signal in the background
tokio::spawn(async move {
shutdown_signal().await;
info!("Received the interrupt signal, disconnecting...");
vpn_clone.disconnect();
});
vpn.connect(write_pid_file);
if fs::metadata(GP_CLIENT_LOCK_FILE).is_ok() {
info!("Removing PID file");
fs::remove_file(GP_CLIENT_LOCK_FILE)?;
}
Ok(())
}
async fn obtain_portal_credential(&self, prelogin: &Prelogin) -> anyhow::Result<Credential> {
match prelogin {
Prelogin::Saml(prelogin) => {
SamlAuthLauncher::new(&self.args.server)
.user_agent(&self.args.user_agent)
.saml_request(prelogin.saml_request())
.hidpi(self.args.hidpi)
.fix_openssl(self.fix_openssl)
.clean(self.args.clean)
.launch()
.await
}
Prelogin::Standard(prelogin) => {
println!("{}", prelogin.auth_message());
let user = self.args.user.as_ref().map_or_else(
|| Text::new(&format!("{}:", prelogin.label_username())).prompt(),
|user| Ok(user.to_owned()),
)?;
let password = Password::new(&format!("{}:", prelogin.label_password()))
.without_confirmation()
.with_display_mode(PasswordDisplayMode::Masked)
.prompt()?;
let password_cred = PasswordCredential::new(&user, &password);
Ok(password_cred.into())
}
}
}
}
fn write_pid_file() {
let pid = std::process::id();
fs::write(GP_CLIENT_LOCK_FILE, pid.to_string()).unwrap();
info!("Wrote PID {} to {}", pid, GP_CLIENT_LOCK_FILE);
}

31
apps/gpclient/src/disconnect.rs Normal file
View File

@ -0,0 +1,31 @@
use crate::GP_CLIENT_LOCK_FILE;
use log::{info, warn};
use std::fs;
use sysinfo::{Pid, ProcessExt, Signal, System, SystemExt};
pub(crate) struct DisconnectHandler;
impl DisconnectHandler {
pub(crate) fn new() -> Self {
Self
}
pub(crate) fn handle(&self) -> anyhow::Result<()> {
if fs::metadata(GP_CLIENT_LOCK_FILE).is_err() {
warn!("PID file not found, maybe the client is not running");
return Ok(());
}
let pid = fs::read_to_string(GP_CLIENT_LOCK_FILE)?;
let pid = pid.trim().parse::<usize>()?;
let s = System::new_all();
if let Some(process) = s.process(Pid::from(pid)) {
info!("Found process {}, killing...", pid);
if process.kill_with(Signal::Interrupt).is_none() {
warn!("Failed to kill process {}", pid);
}
}
Ok(())
}
}

88
apps/gpclient/src/launch_gui.rs Normal file
View File

@ -0,0 +1,88 @@
use std::{collections::HashMap, fs, path::PathBuf};
use clap::Args;
use directories::ProjectDirs;
use gpapi::{
process::service_launcher::ServiceLauncher,
utils::{endpoint::http_endpoint, env_file, shutdown_signal},
};
use log::info;
#[derive(Args)]
pub(crate) struct LaunchGuiArgs {
#[clap(long, help = "Launch the GUI minimized")]
minimized: bool,
}
pub(crate) struct LaunchGuiHandler<'a> {
args: &'a LaunchGuiArgs,
}
impl<'a> LaunchGuiHandler<'a> {
pub(crate) fn new(args: &'a LaunchGuiArgs) -> Self {
Self { args }
}
pub(crate) async fn handle(&self) -> anyhow::Result<()> {
// `launch-gui`cannot be run as root
let user = whoami::username();
if user == "root" {
anyhow::bail!("`launch-gui` cannot be run as root");
}
if try_active_gui().await.is_ok() {
info!("The GUI is already running");
return Ok(());
}
tokio::spawn(async move {
shutdown_signal().await;
info!("Shutting down...");
});
let log_file = get_log_file()?;
let log_file_path = log_file.to_string_lossy().to_string();
info!("Log file: {}", log_file_path);
let mut extra_envs = HashMap::<String, String>::new();
extra_envs.insert("GP_LOG_FILE".into(), log_file_path.clone());
// Persist the environment variables to a file
let env_file = env_file::persist_env_vars(Some(extra_envs))?;
let env_file = env_file.into_temp_path();
let env_file_path = env_file.to_string_lossy().to_string();
let exit_status = ServiceLauncher::new()
.minimized(self.args.minimized)
.env_file(&env_file_path)
.log_file(&log_file_path)
.launch()
.await?;
info!("Service exited with status: {}", exit_status);
Ok(())
}
}
async fn try_active_gui() -> anyhow::Result<()> {
let service_endpoint = http_endpoint().await?;
reqwest::Client::default()
.post(format!("{}/active-gui", service_endpoint))
.send()
.await?
.error_for_status()?;
Ok(())
}
pub fn get_log_file() -> anyhow::Result<PathBuf> {
let dirs = ProjectDirs::from("com.yuezk", "GlobalProtect-openconnect", "gpclient")
.ok_or_else(|| anyhow::anyhow!("Failed to get project dirs"))?;
fs::create_dir_all(dirs.data_dir())?;
Ok(dirs.data_dir().join("gpclient.log"))
}

11
apps/gpclient/src/main.rs Normal file
View File

@ -0,0 +1,11 @@
mod cli;
mod connect;
mod disconnect;
mod launch_gui;
pub(crate) const GP_CLIENT_LOCK_FILE: &str = "/var/run/gpclient.lock";
#[tokio::main]
async fn main() {
cli::run().await;
}

19
apps/gpservice/Cargo.toml Normal file
View File

@ -0,0 +1,19 @@
[package]
name = "gpservice"
version.workspace = true
edition.workspace = true
license.workspace = true
[dependencies]
gpapi = { path = "../../crates/gpapi" }
openconnect = { path = "../../crates/openconnect" }
clap.workspace = true
anyhow.workspace = true
tokio.workspace = true
tokio-util.workspace = true
axum = { workspace = true, features = ["ws"] }
futures.workspace = true
serde_json.workspace = true
env_logger.workspace = true
log.workspace = true
compile-time.workspace = true

19
apps/gpservice/com.yuezk.gpservice.policy Normal file
View File

@ -0,0 +1,19 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN" "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
<vendor>GlobalProtect-openconnect</vendor>
<vendor_url>https://github.com/yuezk/GlobalProtect-openconnect</vendor_url>
<icon_name>gpgui</icon_name>
<action id="com.yuezk.gpservice">
<description>Run GPService as root</description>
<message>Authentication is required to run the GPService as root</message>
<defaults>
<allow_any>yes</allow_any>
<allow_inactive>yes</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
<annotate key="org.freedesktop.policykit.exec.path">/home/kevin/Documents/repos/gp/target/debug/gpservice</annotate>
<annotate key="org.freedesktop.policykit.exec.argv1">--with-gui</annotate>
<annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
</action>
</policyconfig>

182
apps/gpservice/src/cli.rs Normal file
View File

@ -0,0 +1,182 @@
use std::sync::Arc;
use std::{collections::HashMap, io::Write};
use anyhow::bail;
use clap::Parser;
use gpapi::{
process::gui_launcher::GuiLauncher,
service::{request::WsRequest, vpn_state::VpnState},
utils::{
crypto::generate_key, env_file, lock_file::LockFile, redact::Redaction, shutdown_signal,
},
GP_SERVICE_LOCK_FILE,
};
use log::{info, warn, LevelFilter};
use tokio::sync::{mpsc, watch};
use crate::{vpn_task::VpnTask, ws_server::WsServer};
const VERSION: &str = concat!(
env!("CARGO_PKG_VERSION"),
" (",
compile_time::date_str!(),
")"
);
#[derive(Parser)]
#[command(version = VERSION)]
struct Cli {
#[clap(long)]
minimized: bool,
#[clap(long)]
env_file: Option<String>,
#[cfg(debug_assertions)]
#[clap(long)]
no_gui: bool,
}
impl Cli {
async fn run(&mut self, redaction: Arc<Redaction>) -> anyhow::Result<()> {
let lock_file = Arc::new(LockFile::new(GP_SERVICE_LOCK_FILE));
if lock_file.check_health().await {
bail!("Another instance of the service is already running");
}
let api_key = self.prepare_api_key();
// Channel for sending requests to the VPN task
let (ws_req_tx, ws_req_rx) = mpsc::channel::<WsRequest>(32);
// Channel for receiving the VPN state from the VPN task
let (vpn_state_tx, vpn_state_rx) = watch::channel(VpnState::Disconnected);
let mut vpn_task = VpnTask::new(ws_req_rx, vpn_state_tx);
let ws_server = WsServer::new(
api_key.clone(),
ws_req_tx,
vpn_state_rx,
lock_file.clone(),
redaction,
);
let (shutdown_tx, mut shutdown_rx) = mpsc::channel::<()>(4);
let shutdown_tx_clone = shutdown_tx.clone();
let vpn_task_token = vpn_task.cancel_token();
let server_token = ws_server.cancel_token();
let vpn_task_handle = tokio::spawn(async move { vpn_task.start(server_token).await });
let ws_server_handle = tokio::spawn(async move { ws_server.start(shutdown_tx_clone).await });
#[cfg(debug_assertions)]
let no_gui = self.no_gui;
#[cfg(not(debug_assertions))]
let no_gui = false;
if no_gui {
info!("GUI is disabled");
} else {
let envs = self
.env_file
.as_ref()
.map(env_file::load_env_vars)
.transpose()?;
let minimized = self.minimized;
tokio::spawn(async move {
launch_gui(envs, api_key, minimized).await;
let _ = shutdown_tx.send(()).await;
});
}
tokio::select! {
_ = shutdown_signal() => {
info!("Shutdown signal received");
}
_ = shutdown_rx.recv() => {
info!("Shutdown request received, shutting down");
}
}
vpn_task_token.cancel();
let _ = tokio::join!(vpn_task_handle, ws_server_handle);
lock_file.unlock()?;
info!("gpservice stopped");
Ok(())
}
fn prepare_api_key(&self) -> Vec<u8> {
#[cfg(debug_assertions)]
if self.no_gui {
return gpapi::GP_API_KEY.to_vec();
}
generate_key().to_vec()
}
}
fn init_logger() -> Arc<Redaction> {
let redaction = Arc::new(Redaction::new());
let redaction_clone = Arc::clone(&redaction);
// let target = Box::new(File::create("log.txt").expect("Can't create file"));
env_logger::builder()
.filter_level(LevelFilter::Info)
.format(move |buf, record| {
let timestamp = buf.timestamp();
writeln!(
buf,
"[{} {} {}] {}",
timestamp,
record.level(),
record.module_path().unwrap_or_default(),
redaction_clone.redact_str(&record.args().to_string())
)
})
// .target(env_logger::Target::Pipe(target))
.init();
redaction
}
async fn launch_gui(envs: Option<HashMap<String, String>>, api_key: Vec<u8>, mut minimized: bool) {
loop {
let api_key_clone = api_key.clone();
let gui_launcher = GuiLauncher::new()
.envs(envs.clone())
.api_key(api_key_clone)
.minimized(minimized);
match gui_launcher.launch().await {
Ok(exit_status) => {
// Exit code 99 means that the GUI needs to be restarted
if exit_status.code() != Some(99) {
info!("GUI exited with code {:?}", exit_status.code());
break;
}
info!("GUI exited with code 99, restarting");
minimized = false;
}
Err(err) => {
warn!("Failed to launch GUI: {}", err);
break;
}
}
}
}
pub async fn run() {
let mut cli = Cli::parse();
let redaction = init_logger();
info!("gpservice started: {}", VERSION);
if let Err(e) = cli.run(redaction).await {
eprintln!("Error: {}", e);
std::process::exit(1);
}
}

94
apps/gpservice/src/handlers.rs Normal file
View File

@ -0,0 +1,94 @@
use std::{borrow::Cow, ops::ControlFlow, sync::Arc};
use axum::{
extract::{
ws::{self, CloseFrame, Message, WebSocket},
State, WebSocketUpgrade,
},
response::IntoResponse,
};
use futures::{SinkExt, StreamExt};
use gpapi::service::event::WsEvent;
use log::{info, warn};
use crate::ws_server::WsServerContext;
pub(crate) async fn health() -> impl IntoResponse {
"OK"
}
pub(crate) async fn active_gui(State(ctx): State<Arc<WsServerContext>>) -> impl IntoResponse {
ctx.send_event(WsEvent::ActiveGui).await;
}
pub(crate) async fn ws_handler(
ws: WebSocketUpgrade,
State(ctx): State<Arc<WsServerContext>>,
) -> impl IntoResponse {
ws.on_upgrade(move |socket| handle_socket(socket, ctx))
}
async fn handle_socket(mut socket: WebSocket, ctx: Arc<WsServerContext>) {
// Send ping message
if let Err(err) = socket.send(Message::Ping("Hi".into())).await {
warn!("Failed to send ping: {}", err);
return;
}
// Wait for pong message
if socket.recv().await.is_none() {
warn!("Failed to receive pong");
return;
}
info!("New client connected");
let (mut sender, mut receiver) = socket.split();
let (connection, mut msg_rx) = ctx.add_connection().await;
let send_task = tokio::spawn(async move {
while let Some(msg) = msg_rx.recv().await {
if let Err(err) = sender.send(msg).await {
info!("Failed to send message: {}", err);
break;
}
}
let close_msg = Message::Close(Some(CloseFrame {
code: ws::close_code::NORMAL,
reason: Cow::from("Goodbye"),
}));
if let Err(err) = sender.send(close_msg).await {
warn!("Failed to close socket: {}", err);
}
});
let conn = Arc::clone(&connection);
let ctx_clone = Arc::clone(&ctx);
let recv_task = tokio::spawn(async move {
while let Some(Ok(msg)) = receiver.next().await {
let ControlFlow::Continue(ws_req) = conn.recv_msg(msg) else {
break;
};
if let Err(err) = ctx_clone.forward_req(ws_req).await {
info!("Failed to forward request: {}", err);
break;
}
}
});
tokio::select! {
_ = send_task => {
info!("WS server send task completed");
},
_ = recv_task => {
info!("WS server recv task completed");
}
}
info!("Client disconnected");
ctx.remove_connection(connection).await;
}

11
apps/gpservice/src/main.rs Normal file
View File

@ -0,0 +1,11 @@
mod cli;
mod handlers;
mod routes;
mod vpn_task;
mod ws_server;
mod ws_connection;
#[tokio::main]
async fn main() {
cli::run().await;
}

13
apps/gpservice/src/routes.rs Normal file
View File

@ -0,0 +1,13 @@
use std::sync::Arc;
use axum::{routing::{get, post}, Router};
use crate::{handlers, ws_server::WsServerContext};
pub(crate) fn routes(ctx: Arc<WsServerContext>) -> Router {
Router::new()
.route("/health", get(handlers::health))
.route("/active-gui", post(handlers::active_gui))
.route("/ws", get(handlers::ws_handler))
.with_state(ctx)
}

144
apps/gpservice/src/vpn_task.rs Normal file
View File

@ -0,0 +1,144 @@
use std::{sync::Arc, thread};
use gpapi::service::{
request::{ConnectRequest, WsRequest},
vpn_state::VpnState,
};
use log::info;
use openconnect::Vpn;
use tokio::sync::{mpsc, oneshot, watch, RwLock};
use tokio_util::sync::CancellationToken;
pub(crate) struct VpnTaskContext {
vpn_handle: Arc<RwLock<Option<Vpn>>>,
vpn_state_tx: Arc<watch::Sender<VpnState>>,
disconnect_rx: RwLock<Option<oneshot::Receiver<()>>>,
}
impl VpnTaskContext {
pub fn new(vpn_state_tx: watch::Sender<VpnState>) -> Self {
Self {
vpn_handle: Default::default(),
vpn_state_tx: Arc::new(vpn_state_tx),
disconnect_rx: Default::default(),
}
}
pub async fn connect(&self, req: ConnectRequest) {
let vpn_state = self.vpn_state_tx.borrow().clone();
if !matches!(vpn_state, VpnState::Disconnected) {
info!("VPN is not disconnected, ignore the request");
return;
}
let info = req.info().clone();
let vpn_handle = self.vpn_handle.clone();
let args = req.args();
let vpn = Vpn::builder(req.gateway().server(), args.cookie())
.user_agent(args.user_agent())
.script(args.vpnc_script())
.os(args.openconnect_os())
.build();
// Save the VPN handle
vpn_handle.write().await.replace(vpn);
let vpn_state_tx = self.vpn_state_tx.clone();
let connect_info = Box::new(info.clone());
vpn_state_tx.send(VpnState::Connecting(connect_info)).ok();
let (disconnect_tx, disconnect_rx) = oneshot::channel::<()>();
self.disconnect_rx.write().await.replace(disconnect_rx);
// Spawn a new thread to process the VPN connection, cannot use tokio::spawn here.
// Otherwise, it will block the tokio runtime and cannot send the VPN state to the channel
thread::spawn(move || {
let vpn_state_tx_clone = vpn_state_tx.clone();
vpn_handle.blocking_read().as_ref().map(|vpn| {
vpn.connect(move || {
let connect_info = Box::new(info.clone());
vpn_state_tx.send(VpnState::Connected(connect_info)).ok();
})
});
// Notify the VPN is disconnected
vpn_state_tx_clone.send(VpnState::Disconnected).ok();
// Remove the VPN handle
vpn_handle.blocking_write().take();
disconnect_tx.send(()).ok();
});
}
pub async fn disconnect(&self) {
if let Some(disconnect_rx) = self.disconnect_rx.write().await.take() {
if let Some(vpn) = self.vpn_handle.read().await.as_ref() {
self.vpn_state_tx.send(VpnState::Disconnecting).ok();
vpn.disconnect()
}
// Wait for the VPN to be disconnected
disconnect_rx.await.ok();
info!("VPN disconnected");
} else {
info!("VPN is not connected, skip disconnect");
self.vpn_state_tx.send(VpnState::Disconnected).ok();
}
}
}
pub(crate) struct VpnTask {
ws_req_rx: mpsc::Receiver<WsRequest>,
ctx: Arc<VpnTaskContext>,
cancel_token: CancellationToken,
}
impl VpnTask {
pub fn new(ws_req_rx: mpsc::Receiver<WsRequest>, vpn_state_tx: watch::Sender<VpnState>) -> Self {
let ctx = Arc::new(VpnTaskContext::new(vpn_state_tx));
let cancel_token = CancellationToken::new();
Self {
ws_req_rx,
ctx,
cancel_token,
}
}
pub fn cancel_token(&self) -> CancellationToken {
self.cancel_token.clone()
}
pub async fn start(&mut self, server_cancel_token: CancellationToken) {
let cancel_token = self.cancel_token.clone();
tokio::select! {
_ = self.recv() => {
info!("VPN task stopped");
}
_ = cancel_token.cancelled() => {
info!("VPN task cancelled");
self.ctx.disconnect().await;
}
}
server_cancel_token.cancel();
}
async fn recv(&mut self) {
while let Some(req) = self.ws_req_rx.recv().await {
tokio::spawn(process_ws_req(req, self.ctx.clone()));
}
}
}
async fn process_ws_req(req: WsRequest, ctx: Arc<VpnTaskContext>) {
match req {
WsRequest::Connect(req) => {
ctx.connect(*req).await;
}
WsRequest::Disconnect(_) => {
ctx.disconnect().await;
}
}
}

53
apps/gpservice/src/ws_connection.rs Normal file
View File

@ -0,0 +1,53 @@
use std::{ops::ControlFlow, sync::Arc};
use axum::extract::ws::{CloseFrame, Message};
use gpapi::{
service::{event::WsEvent, request::WsRequest},
utils::crypto::Crypto,
};
use log::{info, warn};
use tokio::sync::mpsc;
pub(crate) struct WsConnection {
crypto: Arc<Crypto>,
tx: mpsc::Sender<Message>,
}
impl WsConnection {
pub fn new(crypto: Arc<Crypto>, tx: mpsc::Sender<Message>) -> Self {
Self { crypto, tx }
}
pub async fn send_event(&self, event: &WsEvent) -> anyhow::Result<()> {
let encrypted = self.crypto.encrypt(event)?;
let msg = Message::Binary(encrypted);
self.tx.send(msg).await?;
Ok(())
}
pub fn recv_msg(&self, msg: Message) -> ControlFlow<(), WsRequest> {
match msg {
Message::Binary(data) => match self.crypto.decrypt(data) {
Ok(ws_req) => ControlFlow::Continue(ws_req),
Err(err) => {
info!("Failed to decrypt message: {}", err);
ControlFlow::Break(())
}
},
Message::Close(cf) => {
if let Some(CloseFrame { code, reason }) = cf {
info!("Client sent close, code {} and reason `{}`", code, reason);
} else {
info!("Client somehow sent close message without CloseFrame");
}
ControlFlow::Break(())
}
_ => {
warn!("WS server received unexpected message: {:?}", msg);
ControlFlow::Break(())
}
}
}
}

158
apps/gpservice/src/ws_server.rs Normal file
View File

@ -0,0 +1,158 @@
use std::sync::Arc;
use axum::extract::ws::Message;
use gpapi::{
service::{event::WsEvent, request::WsRequest, vpn_state::VpnState},
utils::{crypto::Crypto, lock_file::LockFile, redact::Redaction},
};
use log::{info, warn};
use tokio::{
net::TcpListener,
sync::{mpsc, watch, RwLock},
};
use tokio_util::sync::CancellationToken;
use crate::{routes, ws_connection::WsConnection};
pub(crate) struct WsServerContext {
crypto: Arc<Crypto>,
ws_req_tx: mpsc::Sender<WsRequest>,
vpn_state_rx: watch::Receiver<VpnState>,
redaction: Arc<Redaction>,
connections: RwLock<Vec<Arc<WsConnection>>>,
}
impl WsServerContext {
pub fn new(
api_key: Vec<u8>,
ws_req_tx: mpsc::Sender<WsRequest>,
vpn_state_rx: watch::Receiver<VpnState>,
redaction: Arc<Redaction>,
) -> Self {
Self {
crypto: Arc::new(Crypto::new(api_key)),
ws_req_tx,
vpn_state_rx,
redaction,
connections: Default::default(),
}
}
pub async fn send_event(&self, event: WsEvent) {
let connections = self.connections.read().await;
for conn in connections.iter() {
let _ = conn.send_event(&event).await;
}
}
pub async fn add_connection(&self) -> (Arc<WsConnection>, mpsc::Receiver<Message>) {
let (tx, rx) = mpsc::channel::<Message>(32);
let conn = Arc::new(WsConnection::new(Arc::clone(&self.crypto), tx));
// Send current VPN state to new client
info!("Sending current VPN state to new client");
let vpn_state = self.vpn_state_rx.borrow().clone();
if let Err(err) = conn.send_event(&WsEvent::VpnState(vpn_state)).await {
warn!("Failed to send VPN state to new client: {}", err);
}
self.connections.write().await.push(Arc::clone(&conn));
(conn, rx)
}
pub async fn remove_connection(&self, conn: Arc<WsConnection>) {
let mut connections = self.connections.write().await;
connections.retain(|c| !Arc::ptr_eq(c, &conn));
}
fn vpn_state_rx(&self) -> watch::Receiver<VpnState> {
self.vpn_state_rx.clone()
}
pub async fn forward_req(&self, req: WsRequest) -> anyhow::Result<()> {
if let WsRequest::Connect(ref req) = req {
self
.redaction
.add_values(&[req.gateway().server(), req.args().cookie()])?
}
self.ws_req_tx.send(req).await?;
Ok(())
}
}
pub(crate) struct WsServer {
ctx: Arc<WsServerContext>,
cancel_token: CancellationToken,
lock_file: Arc<LockFile>,
}
impl WsServer {
pub fn new(
api_key: Vec<u8>,
ws_req_tx: mpsc::Sender<WsRequest>,
vpn_state_rx: watch::Receiver<VpnState>,
lock_file: Arc<LockFile>,
redaction: Arc<Redaction>,
) -> Self {
let ctx = Arc::new(WsServerContext::new(
api_key,
ws_req_tx,
vpn_state_rx,
redaction,
));
let cancel_token = CancellationToken::new();
Self {
ctx,
cancel_token,
lock_file,
}
}
pub fn cancel_token(&self) -> CancellationToken {
self.cancel_token.clone()
}
pub async fn start(&self, shutdown_tx: mpsc::Sender<()>) {
if let Ok(listener) = TcpListener::bind("127.0.0.1:0").await {
let local_addr = listener.local_addr().unwrap();
self.lock_file.lock(local_addr.port().to_string()).unwrap();
info!("WS server listening on port: {}", local_addr.port());
tokio::select! {
_ = watch_vpn_state(self.ctx.vpn_state_rx(), Arc::clone(&self.ctx)) => {
info!("VPN state watch task completed");
}
_ = start_server(listener, self.ctx.clone()) => {
info!("WS server stopped");
}
_ = self.cancel_token.cancelled() => {
info!("WS server cancelled");
}
}
}
let _ = shutdown_tx.send(()).await;
}
}
async fn watch_vpn_state(mut vpn_state_rx: watch::Receiver<VpnState>, ctx: Arc<WsServerContext>) {
while vpn_state_rx.changed().await.is_ok() {
let vpn_state = vpn_state_rx.borrow().clone();
ctx.send_event(WsEvent::VpnState(vpn_state)).await;
}
}
async fn start_server(listener: TcpListener, ctx: Arc<WsServerContext>) -> anyhow::Result<()> {
let routes = routes::routes(ctx);
axum::serve(listener, routes).await?;
Ok(())
}

32
crates/gpapi/Cargo.toml Normal file
View File

@ -0,0 +1,32 @@
[package]
name = "gpapi"
version.workspace = true
edition.workspace = true
license = "MIT"
[dependencies]
anyhow.workspace = true
base64.workspace = true
log.workspace = true
reqwest.workspace = true
roxmltree.workspace = true
serde.workspace = true
specta.workspace = true
specta-macros.workspace = true
urlencoding.workspace = true
tokio.workspace = true
serde_json.workspace = true
whoami.workspace = true
tempfile.workspace = true
thiserror.workspace = true
chacha20poly1305 = { version = "0.10", features = ["std"] }
redact-engine.workspace = true
url.workspace = true
regex.workspace = true
dotenvy_macro.workspace = true
users.workspace = true
tauri = { workspace = true, optional = true }
[features]
tauri = ["dep:tauri"]

63
crates/gpapi/src/auth.rs Normal file
View File

@ -0,0 +1,63 @@
use serde::{Deserialize, Serialize};
#[derive(Debug, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
pub struct SamlAuthData {
username: String,
prelogin_cookie: Option<String>,
portal_userauthcookie: Option<String>,
}
#[derive(Debug, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")]
pub enum SamlAuthResult {
Success(SamlAuthData),
Failure(String),
}
impl SamlAuthResult {
pub fn is_success(&self) -> bool {
match self {
SamlAuthResult::Success(_) => true,
SamlAuthResult::Failure(_) => false,
}
}
}
impl SamlAuthData {
pub fn new(
username: String,
prelogin_cookie: Option<String>,
portal_userauthcookie: Option<String>,
) -> Self {
Self {
username,
prelogin_cookie,
portal_userauthcookie,
}
}
pub fn username(&self) -> &str {
&self.username
}
pub fn prelogin_cookie(&self) -> Option<&str> {
self.prelogin_cookie.as_deref()
}
pub fn check(
username: &Option<String>,
prelogin_cookie: &Option<String>,
portal_userauthcookie: &Option<String>,
) -> bool {
let username_valid = username
.as_ref()
.is_some_and(|username| !username.is_empty());
let prelogin_cookie_valid = prelogin_cookie.as_ref().is_some_and(|val| val.len() > 5);
let portal_userauthcookie_valid = portal_userauthcookie
.as_ref()
.is_some_and(|val| val.len() > 5);
username_valid && (prelogin_cookie_valid || portal_userauthcookie_valid)
}
}

223
crates/gpapi/src/credential.rs Normal file
View File

@ -0,0 +1,223 @@
use std::collections::HashMap;
use serde::{Deserialize, Serialize};
use specta::Type;
use crate::auth::SamlAuthData;
#[derive(Debug, Serialize, Deserialize, Type, Clone)]
#[serde(rename_all = "camelCase")]
pub struct PasswordCredential {
username: String,
password: String,
}
impl PasswordCredential {
pub fn new(username: &str, password: &str) -> Self {
Self {
username: username.to_string(),
password: password.to_string(),
}
}
pub fn username(&self) -> &str {
&self.username
}
pub fn password(&self) -> &str {
&self.password
}
}
impl From<&CachedCredential> for PasswordCredential {
fn from(value: &CachedCredential) -> Self {
Self::new(value.username(), value.password().unwrap_or_default())
}
}
#[derive(Debug, Serialize, Deserialize, Type, Clone)]
#[serde(rename_all = "camelCase")]
pub struct PreloginCookieCredential {
username: String,
prelogin_cookie: String,
}
impl PreloginCookieCredential {
pub fn new(username: &str, prelogin_cookie: &str) -> Self {
Self {
username: username.to_string(),
prelogin_cookie: prelogin_cookie.to_string(),
}
}
pub fn username(&self) -> &str {
&self.username
}
pub fn prelogin_cookie(&self) -> &str {
&self.prelogin_cookie
}
}
impl TryFrom<SamlAuthData> for PreloginCookieCredential {
type Error = anyhow::Error;
fn try_from(value: SamlAuthData) -> Result<Self, Self::Error> {
let username = value.username().to_string();
let prelogin_cookie = value
.prelogin_cookie()
.ok_or_else(|| anyhow::anyhow!("Missing prelogin cookie"))?
.to_string();
Ok(Self::new(&username, &prelogin_cookie))
}
}
#[derive(Debug, Serialize, Deserialize, Type, Clone)]
#[serde(rename_all = "camelCase")]
pub struct AuthCookieCredential {
username: String,
user_auth_cookie: String,
prelogon_user_auth_cookie: String,
}
impl AuthCookieCredential {
pub fn new(username: &str, user_auth_cookie: &str, prelogon_user_auth_cookie: &str) -> Self {
Self {
username: username.to_string(),
user_auth_cookie: user_auth_cookie.to_string(),
prelogon_user_auth_cookie: prelogon_user_auth_cookie.to_string(),
}
}
pub fn username(&self) -> &str {
&self.username
}
pub fn user_auth_cookie(&self) -> &str {
&self.user_auth_cookie
}
pub fn prelogon_user_auth_cookie(&self) -> &str {
&self.prelogon_user_auth_cookie
}
}
#[derive(Debug, Serialize, Deserialize, Type, Clone)]
#[serde(rename_all = "camelCase")]
pub struct CachedCredential {
username: String,
password: Option<String>,
auth_cookie: AuthCookieCredential,
}
impl CachedCredential {
pub fn new(
username: String,
password: Option<String>,
auth_cookie: AuthCookieCredential,
) -> Self {
Self {
username,
password,
auth_cookie,
}
}
pub fn username(&self) -> &str {
&self.username
}
pub fn password(&self) -> Option<&str> {
self.password.as_deref()
}
pub fn auth_cookie(&self) -> &AuthCookieCredential {
&self.auth_cookie
}
pub fn set_auth_cookie(&mut self, auth_cookie: AuthCookieCredential) {
self.auth_cookie = auth_cookie;
}
}
#[derive(Debug, Serialize, Deserialize, Type, Clone)]
#[serde(tag = "type", rename_all = "camelCase")]
pub enum Credential {
Password(PasswordCredential),
PreloginCookie(PreloginCookieCredential),
AuthCookie(AuthCookieCredential),
CachedCredential(CachedCredential),
}
impl Credential {
pub fn username(&self) -> &str {
match self {
Credential::Password(cred) => cred.username(),
Credential::PreloginCookie(cred) => cred.username(),
Credential::AuthCookie(cred) => cred.username(),
Credential::CachedCredential(cred) => cred.username(),
}
}
pub fn to_params(&self) -> HashMap<&str, &str> {
let mut params = HashMap::new();
params.insert("user", self.username());
match self {
Credential::Password(cred) => {
params.insert("passwd", cred.password());
}
Credential::PreloginCookie(cred) => {
params.insert("prelogin-cookie", cred.prelogin_cookie());
}
Credential::AuthCookie(cred) => {
params.insert("portal-userauthcookie", cred.user_auth_cookie());
params.insert(
"portal-prelogonuserauthcookie",
cred.prelogon_user_auth_cookie(),
);
}
Credential::CachedCredential(cred) => {
if let Some(password) = cred.password() {
params.insert("passwd", password);
}
params.insert("portal-userauthcookie", cred.auth_cookie.user_auth_cookie());
params.insert(
"portal-prelogonuserauthcookie",
cred.auth_cookie.prelogon_user_auth_cookie(),
);
}
}
params
}
}
impl TryFrom<SamlAuthData> for Credential {
type Error = anyhow::Error;
fn try_from(value: SamlAuthData) -> Result<Self, Self::Error> {
let prelogin_cookie = PreloginCookieCredential::try_from(value)?;
Ok(Self::PreloginCookie(prelogin_cookie))
}
}
impl From<PasswordCredential> for Credential {
fn from(value: PasswordCredential) -> Self {
Self::Password(value)
}
}
impl From<&AuthCookieCredential> for Credential {
fn from(value: &AuthCookieCredential) -> Self {
Self::AuthCookie(value.clone())
}
}
impl From<&CachedCredential> for Credential {
fn from(value: &CachedCredential) -> Self {
Self::CachedCredential(value.clone())
}
}

74
crates/gpapi/src/gateway/login.rs Normal file
View File

@ -0,0 +1,74 @@
use log::info;
use reqwest::Client;
use roxmltree::Document;
use urlencoding::encode;
use crate::{credential::Credential, gp_params::GpParams};
pub async fn gateway_login(
gateway: &str,
cred: &Credential,
gp_params: &GpParams,
) -> anyhow::Result<String> {
let login_url = format!("https://{}/ssl-vpn/login.esp", gateway);
let client = Client::builder()
.user_agent(gp_params.user_agent())
.build()?;
let mut params = cred.to_params();
let extra_params = gp_params.to_params();
params.extend(extra_params);
params.insert("server", gateway);
info!("Gateway login, user_agent: {}", gp_params.user_agent());
let res_xml = client
.post(&login_url)
.form(&params)
.send()
.await?
.error_for_status()?
.text()
.await?;
let doc = Document::parse(&res_xml)?;
build_gateway_token(&doc, gp_params.computer())
}
fn build_gateway_token(doc: &Document, computer: &str) -> anyhow::Result<String> {
let args = doc
.descendants()
.filter(|n| n.has_tag_name("argument"))
.map(|n| n.text().unwrap_or("").to_string())
.collect::<Vec<_>>();
let params = [
read_args(&args, 1, "authcookie")?,
read_args(&args, 3, "portal")?,
read_args(&args, 4, "user")?,
read_args(&args, 7, "domain")?,
read_args(&args, 15, "preferred-ip")?,
("computer", computer),
];
let token = params
.iter()
.map(|(k, v)| format!("{}={}", k, encode(v)))
.collect::<Vec<_>>()
.join("&");
Ok(token)
}
fn read_args<'a>(
args: &'a [String],
index: usize,
key: &'a str,
) -> anyhow::Result<(&'a str, &'a str)> {
args
.get(index)
.ok_or_else(|| anyhow::anyhow!("Failed to read {key} from args"))
.map(|s| (key, s.as_ref()))
}

41
crates/gpapi/src/gateway/mod.rs Normal file
View File

@ -0,0 +1,41 @@
mod login;
mod parse_gateways;
pub use login::*;
pub(crate) use parse_gateways::*;
use serde::{Deserialize, Serialize};
use specta::Type;
use std::fmt::Display;
#[derive(Debug, Serialize, Deserialize, Type, Clone)]
pub(crate) struct PriorityRule {
pub(crate) name: String,
pub(crate) priority: u32,
}
#[derive(Debug, Serialize, Deserialize, Type, Clone)]
#[serde(rename_all = "camelCase")]
pub struct Gateway {
pub(crate) name: String,
pub(crate) address: String,
pub(crate) priority: u32,
pub(crate) priority_rules: Vec<PriorityRule>,
}
impl Display for Gateway {
fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
write!(f, "{} ({})", self.name, self.address)
}
}
impl Gateway {
pub fn name(&self) -> &str {
&self.name
}
pub fn server(&self) -> &str {
&self.address
}
}

63
crates/gpapi/src/gateway/parse_gateways.rs Normal file
View File

@ -0,0 +1,63 @@
use roxmltree::Document;
use super::{Gateway, PriorityRule};
pub(crate) fn parse_gateways(doc: &Document) -> Option<Vec<Gateway>> {
let node_gateways = doc.descendants().find(|n| n.has_tag_name("gateways"))?;
let list_gateway = node_gateways
.descendants()
.find(|n| n.has_tag_name("list"))?;
let gateways = list_gateway
.children()
.filter_map(|gateway_item| {
if !gateway_item.has_tag_name("entry") {
return None;
}
let address = gateway_item.attribute("name").unwrap_or("").to_string();
let name = gateway_item
.children()
.find(|n| n.has_tag_name("description"))
.and_then(|n| n.text())
.unwrap_or("")
.to_string();
let priority = gateway_item
.children()
.find(|n| n.has_tag_name("priority"))
.and_then(|n| n.text())
.and_then(|s| s.parse().ok())
.unwrap_or(u32::MAX);
let priority_rules = gateway_item
.children()
.find(|n| n.has_tag_name("priority-rule"))
.map(|n| {
n.children()
.filter_map(|n| {
if !n.has_tag_name("entry") {
return None;
}
let name = n.attribute("name").unwrap_or("").to_string();
let priority: u32 = n
.children()
.find(|n| n.has_tag_name("priority"))
.and_then(|n| n.text())
.and_then(|s| s.parse().ok())
.unwrap_or(u32::MAX);
Some(PriorityRule { name, priority })
})
.collect()
})
.unwrap_or_default();
Some(Gateway {
name,
address,
priority,
priority_rules,
})
})
.collect();
Some(gateways)
}

153
crates/gpapi/src/gp_params.rs Normal file
View File

@ -0,0 +1,153 @@
use std::collections::HashMap;
use serde::{Deserialize, Serialize};
use specta::Type;
use crate::GP_USER_AGENT;
#[derive(Debug, Serialize, Deserialize, Clone, Type, Default)]
pub enum ClientOs {
Linux,
#[default]
Windows,
Mac,
}
impl From<&ClientOs> for &str {
fn from(os: &ClientOs) -> Self {
match os {
ClientOs::Linux => "Linux",
ClientOs::Windows => "Windows",
ClientOs::Mac => "Mac",
}
}
}
impl ClientOs {
pub fn to_openconnect_os(&self) -> &str {
match self {
ClientOs::Linux => "linux",
ClientOs::Windows => "win",
ClientOs::Mac => "mac-intel",
}
}
}
#[derive(Debug, Serialize, Deserialize, Type, Default)]
pub struct GpParams {
user_agent: String,
client_os: ClientOs,
os_version: Option<String>,
client_version: Option<String>,
computer: Option<String>,
}
impl GpParams {
pub fn builder() -> GpParamsBuilder {
GpParamsBuilder::new()
}
pub(crate) fn user_agent(&self) -> &str {
&self.user_agent
}
pub(crate) fn computer(&self) -> &str {
match self.computer {
Some(ref computer) => computer,
None => (&self.client_os).into()
}
}
pub(crate) fn to_params(&self) -> HashMap<&str, &str> {
let mut params: HashMap<&str, &str> = HashMap::new();
let client_os: &str = (&self.client_os).into();
// Common params
params.insert("prot", "https:");
params.insert("jnlpReady", "jnlpReady");
params.insert("ok", "Login");
params.insert("direct", "yes");
params.insert("ipv6-support", "yes");
params.insert("inputStr", "");
params.insert("clientVer", "4100");
params.insert("clientos", client_os);
if let Some(computer) = &self.computer {
params.insert("computer", computer);
} else {
params.insert("computer", client_os);
}
if let Some(os_version) = &self.os_version {
params.insert("os-version", os_version);
}
if let Some(client_version) = &self.client_version {
params.insert("clientgpversion", client_version);
}
params
}
}
pub struct GpParamsBuilder {
user_agent: String,
client_os: ClientOs,
os_version: Option<String>,
client_version: Option<String>,
computer: Option<String>,
}
impl GpParamsBuilder {
pub fn new() -> Self {
Self {
user_agent: GP_USER_AGENT.to_string(),
client_os: ClientOs::Linux,
os_version: Default::default(),
client_version: Default::default(),
computer: Default::default(),
}
}
pub fn user_agent(&mut self, user_agent: &str) -> &mut Self {
self.user_agent = user_agent.to_string();
self
}
pub fn client_os(&mut self, client_os: ClientOs) -> &mut Self {
self.client_os = client_os;
self
}
pub fn os_version(&mut self, os_version: &str) -> &mut Self {
self.os_version = Some(os_version.to_string());
self
}
pub fn client_version(&mut self, client_version: &str) -> &mut Self {
self.client_version = Some(client_version.to_string());
self
}
pub fn computer(&mut self, computer: &str) -> &mut Self {
self.computer = Some(computer.to_string());
self
}
pub fn build(&self) -> GpParams {
GpParams {
user_agent: self.user_agent.clone(),
client_os: self.client_os.clone(),
os_version: self.os_version.clone(),
client_version: self.client_version.clone(),
computer: self.computer.clone(),
}
}
}
impl Default for GpParamsBuilder {
fn default() -> Self {
Self::new()
}
}

28
crates/gpapi/src/lib.rs Normal file
View File

@ -0,0 +1,28 @@
pub mod auth;
pub mod credential;
pub mod gateway;
pub mod gp_params;
pub mod portal;
pub mod process;
pub mod service;
pub mod utils;
#[cfg(debug_assertions)]
pub const GP_API_KEY: &[u8; 32] = &[0; 32];
pub const GP_USER_AGENT: &str = "PAN GlobalProtect";
pub const GP_SERVICE_LOCK_FILE: &str = "/var/run/gpservice.lock";
#[cfg(not(debug_assertions))]
pub const GP_SERVICE_BINARY: &str = "/usr/bin/gpservice";
#[cfg(not(debug_assertions))]
pub const GP_GUI_BINARY: &str = "/usr/bin/gpgui";
#[cfg(not(debug_assertions))]
pub(crate) const GP_AUTH_BINARY: &str = "/usr/bin/gpauth";
#[cfg(debug_assertions)]
pub const GP_SERVICE_BINARY: &str = dotenvy_macro::dotenv!("GP_SERVICE_BINARY");
#[cfg(debug_assertions)]
pub const GP_GUI_BINARY: &str = dotenvy_macro::dotenv!("GP_GUI_BINARY");
#[cfg(debug_assertions)]
pub(crate) const GP_AUTH_BINARY: &str = dotenvy_macro::dotenv!("GP_AUTH_BINARY");

180
crates/gpapi/src/portal/config.rs Normal file
View File

@ -0,0 +1,180 @@
use anyhow::ensure;
use log::info;
use reqwest::Client;
use roxmltree::Document;
use serde::Serialize;
use specta::Type;
use thiserror::Error;
use crate::{
credential::{AuthCookieCredential, Credential},
gateway::{parse_gateways, Gateway},
gp_params::GpParams,
utils::{normalize_server, xml},
};
#[derive(Debug, Serialize, Type)]
#[serde(rename_all = "camelCase")]
pub struct PortalConfig {
portal: String,
auth_cookie: AuthCookieCredential,
gateways: Vec<Gateway>,
config_digest: Option<String>,
}
impl PortalConfig {
pub fn new(
portal: String,
auth_cookie: AuthCookieCredential,
gateways: Vec<Gateway>,
config_digest: Option<String>,
) -> Self {
Self {
portal,
auth_cookie,
gateways,
config_digest,
}
}
pub fn portal(&self) -> &str {
&self.portal
}
pub fn gateways(&self) -> Vec<&Gateway> {
self.gateways.iter().collect()
}
pub fn auth_cookie(&self) -> &AuthCookieCredential {
&self.auth_cookie
}
/// In-place sort the gateways by region
pub fn sort_gateways(&mut self, region: &str) {
let preferred_gateway = self.find_preferred_gateway(region);
let preferred_gateway_index = self
.gateways()
.iter()
.position(|gateway| gateway.name == preferred_gateway.name)
.unwrap();
// Move the preferred gateway to the front of the list
self.gateways.swap(0, preferred_gateway_index);
}
/// Find a gateway by name or address
pub fn find_gateway(&self, name_or_address: &str) -> Option<&Gateway> {
self
.gateways
.iter()
.find(|gateway| gateway.name == name_or_address || gateway.address == name_or_address)
}
/// Find the preferred gateway for the given region
/// Iterates over the gateways and find the first one that
/// has the lowest priority for the given region.
/// If no gateway is found, returns the gateway with the lowest priority.
pub fn find_preferred_gateway(&self, region: &str) -> &Gateway {
let mut preferred_gateway: Option<&Gateway> = None;
let mut lowest_region_priority = u32::MAX;
for gateway in &self.gateways {
for rule in &gateway.priority_rules {
if (rule.name == region || rule.name == "Any") && rule.priority < lowest_region_priority {
preferred_gateway = Some(gateway);
lowest_region_priority = rule.priority;
}
}
}
// If no gateway is found, return the gateway with the lowest priority
preferred_gateway.unwrap_or_else(|| {
self
.gateways
.iter()
.min_by_key(|gateway| gateway.priority)
.unwrap()
})
}
}
#[derive(Error, Debug)]
pub enum PortalConfigError {
#[error("Empty response, retrying can help")]
EmptyResponse,
#[error("Empty auth cookie, retrying can help")]
EmptyAuthCookie,
#[error("Invalid auth cookie, retrying can help")]
InvalidAuthCookie,
#[error("Empty gateways, retrying can help")]
EmptyGateways,
}
pub async fn retrieve_config(
portal: &str,
cred: &Credential,
gp_params: &GpParams,
) -> anyhow::Result<PortalConfig> {
let portal = normalize_server(portal)?;
let server = remove_url_scheme(&portal);
let url = format!("{}/global-protect/getconfig.esp", portal);
let client = Client::builder()
.user_agent(gp_params.user_agent())
.build()?;
let mut params = cred.to_params();
let extra_params = gp_params.to_params();
params.extend(extra_params);
params.insert("server", &server);
params.insert("host", &server);
info!("Portal config, user_agent: {}", gp_params.user_agent());
let res_xml = client
.post(&url)
.form(&params)
.send()
.await?
.error_for_status()?
.text()
.await?;
ensure!(!res_xml.is_empty(), PortalConfigError::EmptyResponse);
let doc = Document::parse(&res_xml)?;
let gateways = parse_gateways(&doc).ok_or_else(|| anyhow::anyhow!("Failed to parse gateways"))?;
let user_auth_cookie = xml::get_child_text(&doc, "portal-userauthcookie").unwrap_or_default();
let prelogon_user_auth_cookie =
xml::get_child_text(&doc, "portal-prelogonuserauthcookie").unwrap_or_default();
let config_digest = xml::get_child_text(&doc, "config-digest");
ensure!(
!user_auth_cookie.is_empty() && !prelogon_user_auth_cookie.is_empty(),
PortalConfigError::EmptyAuthCookie
);
ensure!(
user_auth_cookie != "empty" && prelogon_user_auth_cookie != "empty",
PortalConfigError::InvalidAuthCookie
);
ensure!(!gateways.is_empty(), PortalConfigError::EmptyGateways);
Ok(PortalConfig::new(
server.to_string(),
AuthCookieCredential::new(
cred.username(),
&user_auth_cookie,
&prelogon_user_auth_cookie,
),
gateways,
config_digest,
))
}
fn remove_url_scheme(s: &str) -> String {
s.replace("http://", "").replace("https://", "")
}

5
crates/gpapi/src/portal/mod.rs Normal file
View File

@ -0,0 +1,5 @@
mod config;
mod prelogin;
pub use config::*;
pub use prelogin::*;

129
crates/gpapi/src/portal/prelogin.rs Normal file
View File

@ -0,0 +1,129 @@
use anyhow::bail;
use log::{info, trace};
use reqwest::Client;
use roxmltree::Document;
use serde::Serialize;
use specta::Type;
use crate::utils::{base64, normalize_server, xml};
#[derive(Debug, Serialize, Type, Clone)]
#[serde(rename_all = "camelCase")]
pub struct SamlPrelogin {
region: String,
saml_request: String,
}
impl SamlPrelogin {
pub fn region(&self) -> &str {
&self.region
}
pub fn saml_request(&self) -> &str {
&self.saml_request
}
}
#[derive(Debug, Serialize, Type, Clone)]
#[serde(rename_all = "camelCase")]
pub struct StandardPrelogin {
region: String,
auth_message: String,
label_username: String,
label_password: String,
}
impl StandardPrelogin {
pub fn region(&self) -> &str {
&self.region
}
pub fn auth_message(&self) -> &str {
&self.auth_message
}
pub fn label_username(&self) -> &str {
&self.label_username
}
pub fn label_password(&self) -> &str {
&self.label_password
}
}
#[derive(Debug, Serialize, Type, Clone)]
#[serde(tag = "type", rename_all = "camelCase")]
pub enum Prelogin {
Saml(SamlPrelogin),
Standard(StandardPrelogin),
}
impl Prelogin {
pub fn region(&self) -> &str {
match self {
Prelogin::Saml(saml) => saml.region(),
Prelogin::Standard(standard) => standard.region(),
}
}
}
pub async fn prelogin(portal: &str, user_agent: &str) -> anyhow::Result<Prelogin> {
info!("Portal prelogin, user_agent: {}", user_agent);
let portal = normalize_server(portal)?;
let prelogin_url = format!("{}/global-protect/prelogin.esp", portal);
let client = Client::builder().user_agent(user_agent).build()?;
let res_xml = client
.get(&prelogin_url)
.send()
.await?
.error_for_status()?
.text()
.await?;
trace!("Prelogin response: {}", res_xml);
let doc = Document::parse(&res_xml)?;
let status = xml::get_child_text(&doc, "status")
.ok_or_else(|| anyhow::anyhow!("Prelogin response does not contain status element"))?;
// Check the status of the prelogin response
if status.to_uppercase() != "SUCCESS" {
let msg = xml::get_child_text(&doc, "msg").unwrap_or(String::from("Unknown error"));
bail!("Prelogin failed: {}", msg)
}
let region = xml::get_child_text(&doc, "region")
.ok_or_else(|| anyhow::anyhow!("Prelogin response does not contain region element"))?;
let saml_method = xml::get_child_text(&doc, "saml-auth-method");
let saml_request = xml::get_child_text(&doc, "saml-request");
// Check if the prelogin response is SAML
if saml_method.is_some() && saml_request.is_some() {
let saml_request = base64::decode_to_string(&saml_request.unwrap())?;
let saml_prelogin = SamlPrelogin {
region,
saml_request,
};
return Ok(Prelogin::Saml(saml_prelogin));
}
let label_username = xml::get_child_text(&doc, "username-label");
let label_password = xml::get_child_text(&doc, "password-label");
// Check if the prelogin response is standard login
if label_username.is_some() && label_password.is_some() {
let auth_message = xml::get_child_text(&doc, "authentication-message")
.unwrap_or(String::from("Please enter the login credentials"));
let standard_prelogin = StandardPrelogin {
region,
auth_message,
label_username: label_username.unwrap(),
label_password: label_password.unwrap(),
};
return Ok(Prelogin::Standard(standard_prelogin));
}
bail!("Invalid prelogin response");
}

96
crates/gpapi/src/process/auth_launcher.rs Normal file
View File

@ -0,0 +1,96 @@
use std::process::Stdio;
use tokio::process::Command;
use crate::{auth::SamlAuthResult, credential::Credential, GP_AUTH_BINARY};
use super::command_traits::CommandExt;
pub struct SamlAuthLauncher<'a> {
server: &'a str,
user_agent: Option<&'a str>,
saml_request: Option<&'a str>,
hidpi: bool,
fix_openssl: bool,
clean: bool,
}
impl<'a> SamlAuthLauncher<'a> {
pub fn new(server: &'a str) -> Self {
Self {
server,
user_agent: None,
saml_request: None,
hidpi: false,
fix_openssl: false,
clean: false,
}
}
pub fn user_agent(mut self, user_agent: &'a str) -> Self {
self.user_agent = Some(user_agent);
self
}
pub fn saml_request(mut self, saml_request: &'a str) -> Self {
self.saml_request = Some(saml_request);
self
}
pub fn hidpi(mut self, hidpi: bool) -> Self {
self.hidpi = hidpi;
self
}
pub fn fix_openssl(mut self, fix_openssl: bool) -> Self {
self.fix_openssl = fix_openssl;
self
}
pub fn clean(mut self, clean: bool) -> Self {
self.clean = clean;
self
}
/// Launch the authenticator binary as the current user or SUDO_USER if available.
pub async fn launch(self) -> anyhow::Result<Credential> {
let mut auth_cmd = Command::new(GP_AUTH_BINARY);
auth_cmd.arg(self.server);
if let Some(user_agent) = self.user_agent {
auth_cmd.arg("--user-agent").arg(user_agent);
}
if let Some(saml_request) = self.saml_request {
auth_cmd.arg("--saml-request").arg(saml_request);
}
if self.fix_openssl {
auth_cmd.arg("--fix-openssl");
}
if self.hidpi {
auth_cmd.arg("--hidpi");
}
if self.clean {
auth_cmd.arg("--clean");
}
let mut non_root_cmd = auth_cmd.into_non_root()?;
let output = non_root_cmd
.kill_on_drop(true)
.stdout(Stdio::piped())
.spawn()?
.wait_with_output()
.await?;
let auth_result: SamlAuthResult = serde_json::from_slice(&output.stdout)
.map_err(|_| anyhow::anyhow!("Failed to parse auth data"))?;
match auth_result {
SamlAuthResult::Success(auth_data) => Credential::try_from(auth_data),
SamlAuthResult::Failure(msg) => Err(anyhow::anyhow!(msg)),
}
}
}

64
crates/gpapi/src/process/command_traits.rs Normal file
View File

@ -0,0 +1,64 @@
use anyhow::bail;
use std::{env, ffi::OsStr};
use tokio::process::Command;
use users::{os::unix::UserExt, User};
pub trait CommandExt {
fn new_pkexec<S: AsRef<OsStr>>(program: S) -> Command;
fn into_non_root(self) -> anyhow::Result<Command>;
}
impl CommandExt for Command {
fn new_pkexec<S: AsRef<OsStr>>(program: S) -> Command {
let mut cmd = Command::new("pkexec");
cmd
.arg("--disable-internal-agent")
.arg("--user")
.arg("root")
.arg(program);
cmd
}
fn into_non_root(mut self) -> anyhow::Result<Command> {
let user =
get_non_root_user().map_err(|_| anyhow::anyhow!("{:?} cannot be run as root", self))?;
self
.env("HOME", user.home_dir())
.env("USER", user.name())
.env("LOGNAME", user.name())
.env("USERNAME", user.name())
.uid(user.uid())
.gid(user.primary_group_id());
Ok(self)
}
}
fn get_non_root_user() -> anyhow::Result<User> {
let current_user = whoami::username();
let user = if current_user == "root" {
get_real_user()?
} else {
users::get_user_by_name(&current_user)
.ok_or_else(|| anyhow::anyhow!("User ({}) not found", current_user))?
};
if user.uid() == 0 {
bail!("Non-root user not found")
}
Ok(user)
}
fn get_real_user() -> anyhow::Result<User> {
// Read the UID from SUDO_UID or PKEXEC_UID environment variable if available.
let uid = match env::var("SUDO_UID") {
Ok(uid) => uid.parse::<u32>()?,
_ => env::var("PKEXEC_UID")?.parse::<u32>()?,
};
users::get_user_by_uid(uid).ok_or_else(|| anyhow::anyhow!("User not found"))
}

91
crates/gpapi/src/process/gui_launcher.rs Normal file
View File

@ -0,0 +1,91 @@
use std::{
collections::HashMap,
path::PathBuf,
process::{ExitStatus, Stdio},
};
use tokio::{io::AsyncWriteExt, process::Command};
use crate::{utils::base64, GP_GUI_BINARY};
use super::command_traits::CommandExt;
pub struct GuiLauncher {
program: PathBuf,
api_key: Option<Vec<u8>>,
minimized: bool,
envs: Option<HashMap<String, String>>,
}
impl Default for GuiLauncher {
fn default() -> Self {
Self::new()
}
}
impl GuiLauncher {
pub fn new() -> Self {
Self {
program: GP_GUI_BINARY.into(),
api_key: None,
minimized: false,
envs: None,
}
}
pub fn envs<T: Into<Option<HashMap<String, String>>>>(mut self, envs: T) -> Self {
self.envs = envs.into();
self
}
pub fn api_key(mut self, api_key: Vec<u8>) -> Self {
self.api_key = Some(api_key);
self
}
pub fn minimized(mut self, minimized: bool) -> Self {
self.minimized = minimized;
self
}
pub async fn launch(&self) -> anyhow::Result<ExitStatus> {
let mut cmd = Command::new(&self.program);
if let Some(envs) = &self.envs {
cmd.env_clear();
cmd.envs(envs);
}
if self.api_key.is_some() {
cmd.arg("--api-key-on-stdin");
}
if self.minimized {
cmd.arg("--minimized");
}
let mut non_root_cmd = cmd.into_non_root()?;
let mut child = non_root_cmd
.kill_on_drop(true)
.stdin(Stdio::piped())
.spawn()?;
let mut stdin = child
.stdin
.take()
.ok_or_else(|| anyhow::anyhow!("Failed to open stdin"))?;
if let Some(api_key) = &self.api_key {
let api_key = base64::encode(api_key);
tokio::spawn(async move {
stdin.write_all(api_key.as_bytes()).await.unwrap();
drop(stdin);
});
}
let exit_status = child.wait().await?;
Ok(exit_status)
}
}

5
crates/gpapi/src/process/mod.rs Normal file
View File

@ -0,0 +1,5 @@
pub(crate) mod command_traits;
pub mod auth_launcher;
pub mod gui_launcher;
pub mod service_launcher;

72
crates/gpapi/src/process/service_launcher.rs Normal file
View File

@ -0,0 +1,72 @@
use std::{
fs::File,
path::PathBuf,
process::{ExitStatus, Stdio},
};
use tokio::process::Command;
use crate::GP_SERVICE_BINARY;
use super::command_traits::CommandExt;
pub struct ServiceLauncher {
program: PathBuf,
minimized: bool,
env_file: Option<String>,
log_file: Option<String>,
}
impl Default for ServiceLauncher {
fn default() -> Self {
Self::new()
}
}
impl ServiceLauncher {
pub fn new() -> Self {
Self {
program: GP_SERVICE_BINARY.into(),
minimized: false,
env_file: None,
log_file: None,
}
}
pub fn minimized(mut self, minimized: bool) -> Self {
self.minimized = minimized;
self
}
pub fn env_file(mut self, env_file: &str) -> Self {
self.env_file = Some(env_file.to_string());
self
}
pub fn log_file(mut self, log_file: &str) -> Self {
self.log_file = Some(log_file.to_string());
self
}
pub async fn launch(&self) -> anyhow::Result<ExitStatus> {
let mut cmd = Command::new_pkexec(&self.program);
if self.minimized {
cmd.arg("--minimized");
}
if let Some(env_file) = &self.env_file {
cmd.arg("--env-file").arg(env_file);
}
if let Some(log_file) = &self.log_file {
let log_file = File::create(log_file)?;
let stdio = Stdio::from(log_file);
cmd.stderr(stdio);
}
let exit_status = cmd.kill_on_drop(true).spawn()?.wait().await?;
Ok(exit_status)
}
}

10
crates/gpapi/src/service/event.rs Normal file
View File

@ -0,0 +1,10 @@
use serde::{Deserialize, Serialize};
use super::vpn_state::VpnState;
/// Events that can be emitted by the service
#[derive(Debug, Serialize, Deserialize, Clone)]
pub enum WsEvent {
VpnState(VpnState),
ActiveGui,
}

3
crates/gpapi/src/service/mod.rs Normal file
View File

@ -0,0 +1,3 @@
pub mod event;
pub mod request;
pub mod vpn_state;

118
crates/gpapi/src/service/request.rs Normal file
View File

@ -0,0 +1,118 @@
use std::collections::HashMap;
use serde::{Deserialize, Serialize};
use specta::Type;
use crate::{gateway::Gateway, gp_params::ClientOs};
use super::vpn_state::ConnectInfo;
#[derive(Debug, Deserialize, Serialize)]
pub struct LaunchGuiRequest {
user: String,
envs: HashMap<String, String>,
}
impl LaunchGuiRequest {
pub fn new(user: String, envs: HashMap<String, String>) -> Self {
Self { user, envs }
}
pub fn user(&self) -> &str {
&self.user
}
pub fn envs(&self) -> &HashMap<String, String> {
&self.envs
}
}
#[derive(Debug, Deserialize, Serialize, Type)]
pub struct ConnectArgs {
cookie: String,
vpnc_script: Option<String>,
user_agent: Option<String>,
os: Option<ClientOs>,
}
impl ConnectArgs {
pub fn new(cookie: String) -> Self {
Self {
cookie,
vpnc_script: None,
user_agent: None,
os: None,
}
}
pub fn cookie(&self) -> &str {
&self.cookie
}
pub fn vpnc_script(&self) -> Option<String> {
self.vpnc_script.clone()
}
pub fn user_agent(&self) -> Option<String> {
self.user_agent.clone()
}
pub fn openconnect_os(&self) -> Option<String> {
self
.os
.as_ref()
.map(|os| os.to_openconnect_os().to_string())
}
}
#[derive(Debug, Deserialize, Serialize, Type)]
pub struct ConnectRequest {
info: ConnectInfo,
args: ConnectArgs,
}
impl ConnectRequest {
pub fn new(info: ConnectInfo, cookie: String) -> Self {
Self {
info,
args: ConnectArgs::new(cookie),
}
}
pub fn with_vpnc_script<T: Into<Option<String>>>(mut self, vpnc_script: T) -> Self {
self.args.vpnc_script = vpnc_script.into();
self
}
pub fn with_user_agent<T: Into<Option<String>>>(mut self, user_agent: T) -> Self {
self.args.user_agent = user_agent.into();
self
}
pub fn with_os<T: Into<Option<ClientOs>>>(mut self, os: T) -> Self {
self.args.os = os.into();
self
}
pub fn gateway(&self) -> &Gateway {
self.info.gateway()
}
pub fn info(&self) -> &ConnectInfo {
&self.info
}
pub fn args(&self) -> &ConnectArgs {
&self.args
}
}
#[derive(Debug, Deserialize, Serialize, Type)]
pub struct DisconnectRequest;
/// Requests that can be sent to the service
#[derive(Debug, Deserialize, Serialize)]
pub enum WsRequest {
Connect(Box<ConnectRequest>),
Disconnect(DisconnectRequest),
}

34
crates/gpapi/src/service/vpn_state.rs Normal file
View File

@ -0,0 +1,34 @@
use serde::{Deserialize, Serialize};
use specta::Type;
use crate::gateway::Gateway;
#[derive(Debug, Deserialize, Serialize, Type, Clone)]
pub struct ConnectInfo {
portal: String,
gateway: Gateway,
gateways: Vec<Gateway>,
}
impl ConnectInfo {
pub fn new(portal: String, gateway: Gateway, gateways: Vec<Gateway>) -> Self {
Self {
portal,
gateway,
gateways,
}
}
pub fn gateway(&self) -> &Gateway {
&self.gateway
}
}
#[derive(Debug, Serialize, Deserialize, Clone)]
#[serde(rename_all = "camelCase")]
pub enum VpnState {
Disconnected,
Connecting(Box<ConnectInfo>),
Connected(Box<ConnectInfo>),
Disconnecting,
}

21
crates/gpapi/src/utils/base64.rs Normal file
View File

@ -0,0 +1,21 @@
use base64::{engine::general_purpose, Engine};
pub fn encode(data: &[u8]) -> String {
let engine = general_purpose::STANDARD;
engine.encode(data)
}
pub fn decode_to_vec(s: &str) -> anyhow::Result<Vec<u8>> {
let engine = general_purpose::STANDARD;
let decoded = engine.decode(s)?;
Ok(decoded)
}
pub(crate) fn decode_to_string(s: &str) -> anyhow::Result<String> {
let decoded = decode_to_vec(s)?;
let decoded = String::from_utf8(decoded)?;
Ok(decoded)
}

108
crates/gpapi/src/utils/crypto.rs Normal file
View File

@ -0,0 +1,108 @@
use chacha20poly1305::{
aead::{Aead, OsRng},
AeadCore, ChaCha20Poly1305, Key, KeyInit, Nonce,
};
use serde::{de::DeserializeOwned, Serialize};
pub fn generate_key() -> Key {
ChaCha20Poly1305::generate_key(&mut OsRng)
}
pub fn encrypt<T>(key: &Key, value: &T) -> anyhow::Result<Vec<u8>>
where
T: Serialize,
{
let cipher = ChaCha20Poly1305::new(key);
let nonce = ChaCha20Poly1305::generate_nonce(&mut OsRng);
let data = serde_json::to_vec(value)?;
let cipher_text = cipher.encrypt(&nonce, data.as_ref())?;
let mut encrypted = Vec::new();
encrypted.extend_from_slice(&nonce);
encrypted.extend_from_slice(&cipher_text);
Ok(encrypted)
}
pub fn decrypt<T>(key: &Key, encrypted: Vec<u8>) -> anyhow::Result<T>
where
T: DeserializeOwned,
{
let cipher = ChaCha20Poly1305::new(key);
let nonce = Nonce::from_slice(&encrypted[..12]);
let cipher_text = &encrypted[12..];
let plaintext = cipher.decrypt(nonce, cipher_text)?;
let value = serde_json::from_slice(&plaintext)?;
Ok(value)
}
pub struct Crypto {
key: Vec<u8>,
}
impl Crypto {
pub fn new(key: Vec<u8>) -> Self {
Self { key }
}
pub fn encrypt<T: Serialize>(&self, plain: T) -> anyhow::Result<Vec<u8>> {
let key: &[u8] = &self.key;
let encrypted_data = encrypt(key.into(), &plain)?;
Ok(encrypted_data)
}
pub fn decrypt<T: DeserializeOwned>(&self, encrypted: Vec<u8>) -> anyhow::Result<T> {
let key: &[u8] = &self.key;
decrypt(key.into(), encrypted)
}
pub fn encrypt_to<T: Serialize>(&self, path: &std::path::Path, plain: T) -> anyhow::Result<()> {
let encrypted_data = self.encrypt(plain)?;
std::fs::write(path, encrypted_data)?;
Ok(())
}
pub fn decrypt_from<T: DeserializeOwned>(&self, path: &std::path::Path) -> anyhow::Result<T> {
let encrypted_data = std::fs::read(path)?;
self.decrypt(encrypted_data)
}
}
#[cfg(test)]
mod tests {
use serde::Deserialize;
use super::*;
#[derive(Serialize, Deserialize)]
struct User {
name: String,
age: u8,
}
#[test]
fn it_works() -> anyhow::Result<()> {
let key = generate_key();
let user = User {
name: "test".to_string(),
age: 18,
};
let encrypted = encrypt(&key, &user)?;
let decrypted_user = decrypt::<User>(&key, encrypted)?;
assert_eq!(user.name, decrypted_user.name);
assert_eq!(user.age, decrypted_user.age);
Ok(())
}
}

20
crates/gpapi/src/utils/endpoint.rs Normal file
View File

@ -0,0 +1,20 @@
use tokio::fs;
use crate::GP_SERVICE_LOCK_FILE;
async fn read_port() -> anyhow::Result<String> {
let port = fs::read_to_string(GP_SERVICE_LOCK_FILE).await?;
Ok(port.trim().to_string())
}
pub async fn http_endpoint() -> anyhow::Result<String> {
let port = read_port().await?;
Ok(format!("http://127.0.0.1:{}", port))
}
pub async fn ws_endpoint() -> anyhow::Result<String> {
let port = read_port().await?;
Ok(format!("ws://127.0.0.1:{}/ws", port))
}

37
crates/gpapi/src/utils/env_file.rs Normal file
View File

@ -0,0 +1,37 @@
use std::collections::HashMap;
use std::env;
use std::io::Write;
use std::path::Path;
use tempfile::NamedTempFile;
pub fn persist_env_vars(extra: Option<HashMap<String, String>>) -> anyhow::Result<NamedTempFile> {
let mut env_file = NamedTempFile::new()?;
let content = env::vars()
.map(|(key, value)| format!("{}={}", key, value))
.chain(
extra
.unwrap_or_default()
.into_iter()
.map(|(key, value)| format!("{}={}", key, value)),
)
.collect::<Vec<String>>()
.join("\n");
writeln!(env_file, "{}", content)?;
Ok(env_file)
}
pub fn load_env_vars<T: AsRef<Path>>(env_file: T) -> anyhow::Result<HashMap<String, String>> {
let content = std::fs::read_to_string(env_file)?;
let mut env_vars: HashMap<String, String> = HashMap::new();
for line in content.lines() {
if let Some((key, value)) = line.split_once('=') {
env_vars.insert(key.to_string(), value.to_string());
}
}
Ok(env_vars)
}

39
crates/gpapi/src/utils/lock_file.rs Normal file
View File

@ -0,0 +1,39 @@
use std::path::PathBuf;
pub struct LockFile {
path: PathBuf,
}
impl LockFile {
pub fn new<P: Into<PathBuf>>(path: P) -> Self {
Self { path: path.into() }
}
pub fn exists(&self) -> bool {
self.path.exists()
}
pub fn lock(&self, content: impl AsRef<[u8]>) -> anyhow::Result<()> {
std::fs::write(&self.path, content)?;
Ok(())
}
pub fn unlock(&self) -> anyhow::Result<()> {
std::fs::remove_file(&self.path)?;
Ok(())
}
pub async fn check_health(&self) -> bool {
match std::fs::read_to_string(&self.path) {
Ok(content) => {
let url = format!("http://127.0.0.1:{}/health", content.trim());
match reqwest::get(&url).await {
Ok(resp) => resp.status().is_success(),
Err(_) => false,
}
}
Err(_) => false,
}
}
}

40
crates/gpapi/src/utils/mod.rs Normal file
View File

@ -0,0 +1,40 @@
use reqwest::Url;
pub(crate) mod xml;
pub mod base64;
pub mod crypto;
pub mod endpoint;
pub mod env_file;
pub mod lock_file;
pub mod openssl;
pub mod redact;
#[cfg(feature = "tauri")]
pub mod window;
mod shutdown_signal;
pub use shutdown_signal::shutdown_signal;
/// Normalize the server URL to the format `https://<host>:<port>`
pub fn normalize_server(server: &str) -> anyhow::Result<String> {
let server = if server.starts_with("https://") || server.starts_with("http://") {
server.to_string()
} else {
format!("https://{}", server)
};
let normalized_url = Url::parse(&server)?;
let scheme = normalized_url.scheme();
let host = normalized_url
.host_str()
.ok_or(anyhow::anyhow!("Invalid server URL: missing host"))?;
let port: String = normalized_url
.port()
.map_or("".into(), |port| format!(":{}", port));
let normalized_url = format!("{}://{}{}", scheme, host, port);
Ok(normalized_url)
}

37
crates/gpapi/src/utils/openssl.rs Normal file
View File

@ -0,0 +1,37 @@
use std::path::Path;
use tempfile::NamedTempFile;
pub fn openssl_conf() -> String {
let option = "UnsafeLegacyServerConnect";
format!(
"openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
Options = {}",
option
)
}
pub fn fix_openssl<P: AsRef<Path>>(path: P) -> anyhow::Result<()> {
let content = openssl_conf();
std::fs::write(path, content)?;
Ok(())
}
pub fn fix_openssl_env() -> anyhow::Result<NamedTempFile> {
let openssl_conf = NamedTempFile::new()?;
let openssl_conf_path = openssl_conf.path();
fix_openssl(openssl_conf_path)?;
std::env::set_var("OPENSSL_CONF", openssl_conf_path);
Ok(openssl_conf)
}

227
crates/gpapi/src/utils/redact.rs Normal file
View File

@ -0,0 +1,227 @@
use std::sync::RwLock;
use redact_engine::{Pattern, Redaction as RedactEngine};
use regex::Regex;
use url::{form_urlencoded, Url};
pub struct Redaction {
redact_engine: RwLock<Option<RedactEngine>>,
}
impl Default for Redaction {
fn default() -> Self {
Self::new()
}
}
impl Redaction {
pub fn new() -> Self {
let redact_engine = RedactEngine::custom("[**********]").add_pattern(Pattern {
test: Regex::new("(((25[0-5]|(2[0-4]|1\\d|[1-9]|)\\d)\\.?\\b){4})").unwrap(),
group: 1,
});
Self {
redact_engine: RwLock::new(Some(redact_engine)),
}
}
pub fn add_value(&self, text: &str) -> anyhow::Result<()> {
let mut redact_engine = self
.redact_engine
.write()
.map_err(|_| anyhow::anyhow!("Failed to acquire write lock on redact engine"))?;
*redact_engine = Some(
redact_engine
.take()
.ok_or_else(|| anyhow::anyhow!("Failed to take redact engine"))?
.add_value(text)?,
);
Ok(())
}
pub fn add_values(&self, texts: &[&str]) -> anyhow::Result<()> {
let mut redact_engine = self
.redact_engine
.write()
.map_err(|_| anyhow::anyhow!("Failed to acquire write lock on redact engine"))?;
*redact_engine = Some(
redact_engine
.take()
.ok_or_else(|| anyhow::anyhow!("Failed to take redact engine"))?
.add_values(texts.to_vec())?,
);
Ok(())
}
pub fn redact_str(&self, text: &str) -> String {
self
.redact_engine
.read()
.expect("Failed to acquire read lock on redact engine")
.as_ref()
.expect("Failed to get redact engine")
.redact_str(text)
}
}
/// Redact a value by replacing all but the first and last character with asterisks,
/// The length of the value to be redacted must be at least 3 characters.
/// e.g. "foo" -> "f**********o"
pub fn redact_value(text: &str) -> String {
if text.len() < 3 {
return text.to_string();
}
let mut redacted = String::new();
redacted.push_str(&text[0..1]);
redacted.push_str(&"*".repeat(10));
redacted.push_str(&text[text.len() - 1..]);
redacted
}
pub fn redact_uri(uri: &str) -> String {
let Ok(mut url) = Url::parse(uri) else {
return uri.to_string();
};
// Could be a data: URI
if url.cannot_be_a_base() {
if url.scheme() == "about" {
return uri.to_string();
}
if url.path().len() > 15 {
return format!(
"{}:{}{}",
url.scheme(),
&url.path()[0..10],
redact_value(&url.path()[10..])
);
}
return format!("{}:{}", url.scheme(), redact_value(url.path()));
}
let host = url.host_str().unwrap_or_default();
if url.set_host(Some(&redact_value(host))).is_err() {
let redacted_query = redact_query(url.query())
.as_deref()
.map(|query| format!("?{}", query))
.unwrap_or_default();
return format!(
"{}://[**********]{}{}",
url.scheme(),
url.path(),
redacted_query
);
}
let redacted_query = redact_query(url.query());
url.set_query(redacted_query.as_deref());
url.to_string()
}
fn redact_query(query: Option<&str>) -> Option<String> {
let query = query?;
let query_pairs = form_urlencoded::parse(query.as_bytes());
let mut redacted_pairs = query_pairs.map(|(key, value)| (key, redact_value(&value)));
let query = form_urlencoded::Serializer::new(String::new())
.extend_pairs(redacted_pairs.by_ref())
.finish();
Some(query)
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn it_should_not_redact_value() {
let text = "fo";
assert_eq!(redact_value(text), "fo");
}
#[test]
fn it_should_redact_value() {
let text = "foo";
assert_eq!(redact_value(text), "f**********o");
}
#[test]
fn it_should_redact_dynamic_value() {
let redaction = Redaction::new();
redaction.add_value("foo").unwrap();
assert_eq!(
redaction.redact_str("hello, foo, bar"),
"hello, [**********], bar"
);
}
#[test]
fn it_should_redact_dynamic_values() {
let redaction = Redaction::new();
redaction.add_values(&["foo", "bar"]).unwrap();
assert_eq!(
redaction.redact_str("hello, foo, bar"),
"hello, [**********], [**********]"
);
}
#[test]
fn it_should_redact_uri() {
let uri = "https://foo.bar";
assert_eq!(redact_uri(uri), "https://f**********r/");
let uri = "https://foo.bar/";
assert_eq!(redact_uri(uri), "https://f**********r/");
let uri = "https://foo.bar/baz";
assert_eq!(redact_uri(uri), "https://f**********r/baz");
let uri = "https://foo.bar/baz?qux=quux";
assert_eq!(redact_uri(uri), "https://f**********r/baz?qux=q**********x");
}
#[test]
fn it_should_redact_data_uri() {
let uri = "data:text/plain;a";
assert_eq!(redact_uri(uri), "data:t**********a");
let uri = "data:text/plain;base64,SGVsbG8sIFdvcmxkIQ==";
assert_eq!(redact_uri(uri), "data:text/plain;**********=");
let uri = "about:blank";
assert_eq!(redact_uri(uri), "about:blank");
}
#[test]
fn it_should_redact_ipv6() {
let uri = "https://[2001:db8::1]:8080";
assert_eq!(redact_uri(uri), "https://[**********]/");
let uri = "https://[2001:db8::1]:8080/";
assert_eq!(redact_uri(uri), "https://[**********]/");
let uri = "https://[2001:db8::1]:8080/baz";
assert_eq!(redact_uri(uri), "https://[**********]/baz");
let uri = "https://[2001:db8::1]:8080/baz?qux=quux";
assert_eq!(redact_uri(uri), "https://[**********]/baz?qux=q**********x");
}
}

22
crates/gpapi/src/utils/shutdown_signal.rs Normal file
View File

@ -0,0 +1,22 @@
use tokio::signal;
pub async fn shutdown_signal() {
let ctrl_c = async {
signal::ctrl_c()
.await
.expect("failed to install Ctrl+C handler");
};
#[cfg(unix)]
let terminate = async {
signal::unix::signal(signal::unix::SignalKind::terminate())
.expect("failed to install signal handler")
.recv()
.await;
};
tokio::select! {
_ = ctrl_c => {},
_ = terminate => {},
}
}

90
crates/gpapi/src/utils/window.rs Normal file
View File

@ -0,0 +1,90 @@
use std::{process::ExitStatus, time::Duration};
use anyhow::bail;
use log::{info, warn};
use tauri::{window::MenuHandle, Window};
use tokio::process::Command;
pub trait WindowExt {
fn raise(&self) -> anyhow::Result<()>;
}
impl WindowExt for Window {
fn raise(&self) -> anyhow::Result<()> {
raise_window(self)
}
}
pub fn raise_window(win: &Window) -> anyhow::Result<()> {
let is_wayland = std::env::var("XDG_SESSION_TYPE").unwrap_or_default() == "wayland";
if is_wayland {
win.hide()?;
win.show()?;
} else {
if !win.is_visible()? {
win.show()?;
}
let title = win.title()?;
tokio::spawn(async move {
info!("Raising window: {}", title);
if let Err(err) = wmctrl_raise_window(&title).await {
warn!("Failed to raise window: {}", err);
}
});
}
// Calling window.show() on Windows will cause the menu to be shown.
hide_menu(win.menu_handle());
Ok(())
}
async fn wmctrl_raise_window(title: &str) -> anyhow::Result<()> {
let mut counter = 0;
loop {
if let Ok(exit_status) = wmctrl_try_raise_window(title).await {
if exit_status.success() {
info!("Window raised after {} attempts", counter + 1);
return Ok(());
}
}
if counter >= 10 {
bail!("Failed to raise window: {}", title)
}
counter += 1;
tokio::time::sleep(Duration::from_millis(100)).await;
}
}
async fn wmctrl_try_raise_window(title: &str) -> anyhow::Result<ExitStatus> {
let exit_status = Command::new("wmctrl")
.arg("-F")
.arg("-a")
.arg(title)
.spawn()?
.wait()
.await?;
Ok(exit_status)
}
fn hide_menu(menu_handle: MenuHandle) {
tokio::spawn(async move {
loop {
let menu_visible = menu_handle.is_visible().unwrap_or(false);
if !menu_visible {
break;
}
if menu_visible {
let _ = menu_handle.hide();
tokio::time::sleep(Duration::from_millis(10)).await;
}
}
});
}

6
crates/gpapi/src/utils/xml.rs Normal file
View File

@ -0,0 +1,6 @@
use roxmltree::Document;
pub(crate) fn get_child_text(doc: &Document, name: &str) -> Option<String> {
let node = doc.descendants().find(|n| n.has_tag_name(name))?;
node.text().map(|s| s.to_string())
}

27
crates/gpapi/tests/files/gateway_login.xml Normal file
View File

@ -0,0 +1,27 @@
<?xml version="1.0" encoding="utf-8"?>
<jnlp>
<application-desc>
<argument>(null)</argument>
<argument>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</argument>
<argument>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</argument>
<argument>XXX-GP-Gateway-N</argument>
<argument>user</argument>
<argument>AD_Authentication</argument>
<argument>vsys1</argument>
<argument>corp.example.com</argument>
<argument>(null)</argument>
<argument></argument>
<argument></argument>
<argument></argument>
<argument>tunnel</argument>
<argument>-1</argument>
<argument>4100</argument>
<argument></argument>
<argument>xxxxxx</argument>
<argument>aaaaaa</argument>
<argument></argument>
<argument>4</argument>
<argument>unknown</argument>
<argument></argument>
</application-desc>
</jnlp>

212
crates/gpapi/tests/files/portal_config.xml Normal file
View File

@ -0,0 +1,212 @@
<?xml version="1.0" encoding="UTF-8"?>
<policy>
<portal-name>vpn.example.com</portal-name>
<portal-config-version>4100</portal-config-version>
<version>6.0.1-19 </version>
<client-role>global-protect-full</client-role>
<agent-user-override-key>****</agent-user-override-key>
<root-ca>
<entry name="DigiCert Global Root CA">
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<install-in-cert-store>yes</install-in-cert-store>
</entry>
<entry name="Thawte RSA CA 2018">
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<install-in-cert-store>yes</install-in-cert-store>
</entry>
<entry name="Temp_VPN_Root_Certificate">
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<install-in-cert-store>no</install-in-cert-store>
</entry>
</root-ca>
<connect-method>on-demand</connect-method>
<pre-logon-then-on-demand>yes</pre-logon-then-on-demand>
<refresh-config>yes</refresh-config>
<refresh-config-interval>24</refresh-config-interval>
<authentication-modifier>
<none />
</authentication-modifier>
<authentication-override>
<accept-cookie>yes</accept-cookie>
<generate-cookie>yes</generate-cookie>
<cookie-lifetime>
<lifetime-in-days>365</lifetime-in-days>
</cookie-lifetime>
<cookie-encrypt-decrypt-cert>vpn.example.com</cookie-encrypt-decrypt-cert>
</authentication-override>
<use-sso>yes</use-sso>
<ip-address></ip-address>
<host></host>
<gateways>
<cutoff-time>5</cutoff-time>
<external>
<list>
<entry name="xxx.xxx.xxx.xxx">
<priority-rule>
<entry name="Any">
<priority>1</priority>
</entry>
</priority-rule>
<priority>1</priority>
<description>vpn_gateway</description>
</entry>
</list>
</external>
</gateways>
<gateways-v6>
<cutoff-time>5</cutoff-time>
<external>
<list>
<entry name="vpn_gateway">
<ipv4>xxx.xxx.xxx.xxx</ipv4>
<priority-rule>
<entry name="Any">
<priority>1</priority>
</entry>
</priority-rule>
<priority>1</priority>
</entry>
</list>
</external>
</gateways-v6>
<agent-ui>
<can-save-password>yes</can-save-password>
<passcode></passcode>
<uninstall-passwd></uninstall-passwd>
<agent-user-override-timeout>0</agent-user-override-timeout>
<max-agent-user-overrides>0</max-agent-user-overrides>
<help-page></help-page>
<help-page-2></help-page-2>
<welcome-page>
<display>no</display>
<page></page>
</welcome-page>
<agent-user-override>allowed</agent-user-override>
<enable-advanced-view>yes</enable-advanced-view>
<enable-do-not-display-this-welcome-page-again>yes</enable-do-not-display-this-welcome-page-again>
<can-change-portal>yes</can-change-portal>
<show-agent-icon>yes</show-agent-icon>
<password-expiry-message></password-expiry-message>
<init-panel>no</init-panel>
<user-input-on-top>no</user-input-on-top>
</agent-ui>
<hip-collection>
<hip-report-interval>3600</hip-report-interval>
<max-wait-time>20</max-wait-time>
<collect-hip-data>yes</collect-hip-data>
<default>
<category>
<member>antivirus</member>
<member>anti-spyware</member>
<member>host-info</member>
<member>data-loss-prevention</member>
<member>patch-management</member>
<member>firewall</member>
<member>anti-malware</member>
<member>disk-backup</member>
<member>disk-encryption</member>
</category>
</default>
</hip-collection>
<agent-config>
<save-user-credentials>1</save-user-credentials>
<portal-2fa>no</portal-2fa>
<internal-gateway-2fa>no</internal-gateway-2fa>
<auto-discovery-external-gateway-2fa>no</auto-discovery-external-gateway-2fa>
<manual-only-gateway-2fa>no</manual-only-gateway-2fa>
<disconnect-reasons></disconnect-reasons>
<uninstall>allowed</uninstall>
<client-upgrade>prompt</client-upgrade>
<enable-signout>yes</enable-signout>
<use-sso-pin>no</use-sso-pin>
<use-sso-macos>no</use-sso-macos>
<logout-remove-sso>yes</logout-remove-sso>
<krb-auth-fail-fallback>yes</krb-auth-fail-fallback>
<default-browser>no</default-browser>
<retry-tunnel>30</retry-tunnel>
<retry-timeout>5</retry-timeout>
<traffic-enforcement>no</traffic-enforcement>
<enforce-globalprotect>no</enforce-globalprotect>
<enforcer-exception-list />
<enforcer-exception-list-domain />
<captive-portal-exception-timeout>0</captive-portal-exception-timeout>
<captive-portal-login-url></captive-portal-login-url>
<traffic-blocking-notification-delay>15</traffic-blocking-notification-delay>
<display-traffic-blocking-notification-msg>yes</display-traffic-blocking-notification-msg>
<traffic-blocking-notification-msg>&lt;div style=&quot;font-family:'Helvetica
Neue';&quot;&gt;&lt;h1 style=&quot;color:red;text-align:center; margin: 0; font-size:
30px;&quot;&gt;Notice&lt;/h1&gt;&lt;p style=&quot;margin: 0;font-size: 15px;
line-height: 1.2em;&quot;&gt;To access the network, you must first connect to
GlobalProtect.&lt;/p&gt;&lt;/div&gt;</traffic-blocking-notification-msg>
<allow-traffic-blocking-notification-dismissal>yes</allow-traffic-blocking-notification-dismissal>
<display-captive-portal-detection-msg>no</display-captive-portal-detection-msg>
<captive-portal-detection-msg>&lt;div style=&quot;font-family:'Helvetica
Neue';&quot;&gt;&lt;h1 style=&quot;color:red;text-align:center; margin: 0; font-size:
30px;&quot;&gt;Captive Portal Detected&lt;/h1&gt;&lt;p style=&quot;margin: 0; font-size:
15px; line-height: 1.2em;&quot;&gt;GlobalProtect has temporarily permitted network
access for you to connect to the Internet. Follow instructions from your internet
provider.&lt;/p&gt;&lt;p style=&quot;margin: 0; font-size: 15px; line-height:
1.2em;&quot;&gt;If you let the connection time out, open GlobalProtect and click Connect
to try again.&lt;/p&gt;&lt;/div&gt;</captive-portal-detection-msg>
<captive-portal-notification-delay>5</captive-portal-notification-delay>
<certificate-store-lookup>user-and-machine</certificate-store-lookup>
<scep-certificate-renewal-period>7</scep-certificate-renewal-period>
<ext-key-usage-oid-for-client-cert></ext-key-usage-oid-for-client-cert>
<retain-connection-smartcard-removal>yes</retain-connection-smartcard-removal>
<user-accept-terms-before-creating-tunnel>no</user-accept-terms-before-creating-tunnel>
<rediscover-network>yes</rediscover-network>
<resubmit-host-info>yes</resubmit-host-info>
<can-continue-if-portal-cert-invalid>yes</can-continue-if-portal-cert-invalid>
<user-switch-tunnel-rename-timeout>0</user-switch-tunnel-rename-timeout>
<pre-logon-tunnel-rename-timeout>0</pre-logon-tunnel-rename-timeout>
<preserve-tunnel-upon-user-logoff-timeout>0</preserve-tunnel-upon-user-logoff-timeout>
<ipsec-failover-ssl>0</ipsec-failover-ssl>
<display-tunnel-fallback-notification>yes</display-tunnel-fallback-notification>
<ssl-only-selection>0</ssl-only-selection>
<tunnel-mtu>1400</tunnel-mtu>
<max-internal-gateway-connection-attempts>0</max-internal-gateway-connection-attempts>
<adv-internal-host-detection>no</adv-internal-host-detection>
<portal-timeout>30</portal-timeout>
<connect-timeout>60</connect-timeout>
<receive-timeout>30</receive-timeout>
<split-tunnel-option>network-traffic</split-tunnel-option>
<enforce-dns>yes</enforce-dns>
<append-local-search-domain>no</append-local-search-domain>
<flush-dns>no</flush-dns>
<auto-proxy-pac></auto-proxy-pac>
<proxy-multiple-autodetect>no</proxy-multiple-autodetect>
<use-proxy>yes</use-proxy>
<wsc-autodetect>yes</wsc-autodetect>
<mfa-enabled>no</mfa-enabled>
<mfa-listening-port>4501</mfa-listening-port>
<mfa-trusted-host-list />
<mfa-notification-msg>You have attempted to access a protected resource that requires
additional authentication. Proceed to authenticate at</mfa-notification-msg>
<mfa-prompt-suppress-time>0</mfa-prompt-suppress-time>
<ipv6-preferred>yes</ipv6-preferred>
<change-password-message></change-password-message>
<log-gateway>no</log-gateway>
<cdl-log>no</cdl-log>
<dem-notification>yes</dem-notification>
<diagnostic-servers />
<dem-agent>not-install</dem-agent>
<quarantine-add-message>Access to the network from this device has been restricted as per
your organization's security policy. Please contact your IT Administrator.</quarantine-add-message>
<quarantine-remove-message>Access to the network from this device has been restored as per
your organization's security policy.</quarantine-remove-message>
</agent-config>
<user-email>user@example.com</user-email>
<portal-userauthcookie>xxxxxx</portal-userauthcookie>
<portal-prelogonuserauthcookie>xxxxxx</portal-prelogonuserauthcookie>
<config-digest>2d8e997765a2f59cbf80284b2f2fbd38</config-digest>
</policy>

22
crates/gpapi/tests/files/prelogin_saml.xml Normal file
View File

@ -0,0 +1,22 @@
<?xml version="1.0" encoding="UTF-8"?>
<prelogin-response>
<status>Success</status>
<ccusername></ccusername>
<autosubmit>false</autosubmit>
<msg></msg>
<newmsg></newmsg>
<authentication-message>Enter login credentials</authentication-message>
<username-label>Username</username-label>
<password-label>Password</password-label>
<panos-version>1</panos-version>
<saml-default-browser>yes</saml-default-browser>
<cas-auth></cas-auth>
<saml-auth-status>0</saml-auth-status>
<saml-auth-method>REDIRECT</saml-auth-method>
<saml-request-timeout>600</saml-request-timeout>
<saml-request-id>0</saml-request-id>
<saml-request>U0FNTFJlcXVlc3Q9eHh4</saml-request>
<auth-api>no</auth-api>
<region>CN</region>
</prelogin-response>

15
crates/gpapi/tests/files/prelogin_standard.xml Normal file
View File

@ -0,0 +1,15 @@
<?xml version="1.0" encoding="UTF-8"?>
<prelogin-response>
<status>Success</status>
<ccusername></ccusername>
<autosubmit>false</autosubmit>
<msg></msg>
<newmsg></newmsg>
<authentication-message>Enter login credentials</authentication-message>
<username-label>Username</username-label>
<password-label>Password</password-label>
<panos-version>1</panos-version>
<saml-default-browser>yes</saml-default-browser>
<auth-api>no</auth-api>
<region>US</region>
</prelogin-response>

13
crates/openconnect/Cargo.toml Normal file
View File

@ -0,0 +1,13 @@
[package]
name = "openconnect"
version.workspace = true
edition.workspace = true
license.workspace = true
links = "openconnect"
[dependencies]
log.workspace = true
is_executable.workspace = true
[build-dependencies]
cc = "1"

12
crates/openconnect/build.rs Normal file
View File

@ -0,0 +1,12 @@
fn main() {
// Link to the native openconnect library
println!("cargo:rustc-link-lib=openconnect");
println!("cargo:rerun-if-changed=src/ffi/vpn.c");
println!("cargo:rerun-if-changed=src/ffi/vpn.h");
// Compile the vpn.c file
cc::Build::new()
.file("src/ffi/vpn.c")
.include("src/ffi")
.compile("vpn");
}

71
crates/openconnect/src/ffi/mod.rs Normal file
View File

@ -0,0 +1,71 @@
use crate::Vpn;
use log::{debug, info, trace, warn};
use std::ffi::{c_char, c_int, c_void};
#[repr(C)]
#[derive(Debug)]
pub(crate) struct ConnectOptions {
pub user_data: *mut c_void,
pub server: *const c_char,
pub cookie: *const c_char,
pub user_agent: *const c_char,
pub script: *const c_char,
pub os: *const c_char,
pub certificate: *const c_char,
pub servercert: *const c_char,
}
#[link(name = "vpn")]
extern "C" {
#[link_name = "vpn_connect"]
fn vpn_connect(
options: *const ConnectOptions,
callback: extern "C" fn(i32, *mut c_void),
) -> c_int;
#[link_name = "vpn_disconnect"]
fn vpn_disconnect();
}
pub(crate) fn connect(options: &ConnectOptions) -> i32 {
unsafe { vpn_connect(options, on_vpn_connected) }
}
pub(crate) fn disconnect() {
unsafe { vpn_disconnect() }
}
#[no_mangle]
extern "C" fn on_vpn_connected(pipe_fd: i32, vpn: *mut c_void) {
let vpn = unsafe { &*(vpn as *const Vpn) };
vpn.on_connected(pipe_fd);
}
// Logger used in the C code.
// level: 0 = error, 1 = info, 2 = debug, 3 = trace
// map the error level log in openconnect to the warning level
#[no_mangle]
extern "C" fn vpn_log(level: i32, message: *const c_char) {
let message = unsafe { std::ffi::CStr::from_ptr(message) };
let message = message.to_str().unwrap_or("Invalid log message");
// Strip the trailing newline
let message = message.trim_end_matches('\n');
if level == 0 {
warn!("{}", message);
} else if level == 1 {
info!("{}", message);
} else if level == 2 {
debug!("{}", message);
} else if level == 3 {
trace!("{}", message);
} else {
warn!(
"Unknown log level: {}, enable DEBUG log level to see more details",
level
);
debug!("{}", message);
}
}

144
crates/openconnect/src/ffi/vpn.c Normal file
View File

@ -0,0 +1,144 @@
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <unistd.h>
#include <sys/utsname.h>
#include <openconnect.h>
#include "vpn.h"
void *g_user_data;
static int g_cmd_pipe_fd;
static const char *g_vpnc_script;
static vpn_connected_callback on_vpn_connected;
/* Validate the peer certificate */
static int validate_peer_cert(__attribute__((unused)) void *_vpninfo, const char *reason)
{
INFO("Validating peer cert: %s", reason);
return 0;
}
/* Print progress messages */
static void print_progress(__attribute__((unused)) void *_vpninfo, int level, const char *format, ...)
{
va_list args;
va_start(args, format);
char *message = format_message(format, args);
va_end(args);
if (message == NULL)
{
ERROR("Failed to format log message");
}
else
{
LOG(level, message);
free(message);
}
}
static void setup_tun_handler(void *_vpninfo)
{
int ret = openconnect_setup_tun_device(_vpninfo, g_vpnc_script, NULL);
if (!ret) {
on_vpn_connected(g_cmd_pipe_fd, g_user_data);
}
}
/* Initialize VPN connection */
int vpn_connect(const vpn_options *options, vpn_connected_callback callback)
{
INFO("openconnect version: %s", openconnect_get_version());
struct openconnect_info *vpninfo;
struct utsname utsbuf;
g_user_data = options->user_data;
g_vpnc_script = options->script;
on_vpn_connected = callback;
INFO("User agent: %s", options->user_agent);
INFO("VPNC script: %s", options->script);
INFO("OS: %s", options->os);
vpninfo = openconnect_vpninfo_new(options->user_agent, validate_peer_cert, NULL, NULL, print_progress, NULL);
if (!vpninfo)
{
ERROR("openconnect_vpninfo_new failed");
return 1;
}
openconnect_set_loglevel(vpninfo, PRG_TRACE);
openconnect_init_ssl();
openconnect_set_protocol(vpninfo, "gp");
openconnect_set_hostname(vpninfo, options->server);
openconnect_set_cookie(vpninfo, options->cookie);
if (options->os) {
openconnect_set_reported_os(vpninfo, options->os);
}
if (options->certificate)
{
INFO("Setting client certificate: %s", options->certificate);
openconnect_set_client_cert(vpninfo, options->certificate, NULL);
}
if (options->servercert) {
INFO("Setting server certificate: %s", options->servercert);
openconnect_set_system_trust(vpninfo, 0);
}
g_cmd_pipe_fd = openconnect_setup_cmd_pipe(vpninfo);
if (g_cmd_pipe_fd < 0)
{
ERROR("openconnect_setup_cmd_pipe failed");
return 1;
}
if (!uname(&utsbuf))
{
openconnect_set_localname(vpninfo, utsbuf.nodename);
}
// Essential step
if (openconnect_make_cstp_connection(vpninfo) != 0)
{
ERROR("openconnect_make_cstp_connection failed");
return 1;
}
if (openconnect_setup_dtls(vpninfo, 60) != 0)
{
openconnect_disable_dtls(vpninfo);
}
// Essential step
openconnect_set_setup_tun_handler(vpninfo, setup_tun_handler);
while (1)
{
int ret = openconnect_mainloop(vpninfo, 300, 10);
if (ret)
{
INFO("openconnect_mainloop returned %d, exiting", ret);
openconnect_vpninfo_free(vpninfo);
return ret;
}
INFO("openconnect_mainloop returned 0, reconnecting");
}
}
/* Stop the VPN connection */
void vpn_disconnect()
{
char cmd = OC_CMD_CANCEL;
if (write(g_cmd_pipe_fd, &cmd, 1) < 0)
{
ERROR("Failed to write to command pipe, VPN connection may not be stopped");
}
}

68
crates/openconnect/src/ffi/vpn.h Normal file
View File

@ -0,0 +1,68 @@
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
#include <openconnect.h>
typedef void (*vpn_connected_callback)(int cmd_pipe_fd, void *user_data);
typedef struct vpn_options
{
void *user_data;
const char *server;
const char *cookie;
const char *user_agent;
const char *script;
const char *os;
const char *certificate;
const char *servercert;
} vpn_options;
int vpn_connect(const vpn_options *options, vpn_connected_callback callback);
void vpn_disconnect();
extern void vpn_log(int level, const char *msg);
static char *format_message(const char *format, va_list args)
{
va_list args_copy;
va_copy(args_copy, args);
int len = vsnprintf(NULL, 0, format, args_copy);
va_end(args_copy);
char *buffer = malloc(len + 1);
if (buffer == NULL)
{
return NULL;
}
vsnprintf(buffer, len + 1, format, args);
return buffer;
}
static void _log(int level, ...)
{
va_list args;
va_start(args, level);
char *format = va_arg(args, char *);
char *message = format_message(format, args);
va_end(args);
if (message == NULL)
{
vpn_log(PRG_ERR, "Failed to format log message");
}
else
{
vpn_log(level, message);
free(message);
}
}
#define LOG(level, ...) _log(level, __VA_ARGS__)
#define ERROR(...) LOG(PRG_ERR, __VA_ARGS__)
#define INFO(...) LOG(PRG_INFO, __VA_ARGS__)
#define DEBUG(...) LOG(PRG_DEBUG, __VA_ARGS__)
#define TRACE(...) LOG(PRG_TRACE, __VA_ARGS__)

5
crates/openconnect/src/lib.rs Normal file
View File

@ -0,0 +1,5 @@
mod ffi;
mod vpn;
mod vpnc_script;
pub use vpn::*;

131
crates/openconnect/src/vpn.rs Normal file
View File

@ -0,0 +1,131 @@
use std::{
ffi::{c_char, CString},
sync::{Arc, RwLock},
};
use log::info;
use crate::{ffi, vpnc_script::find_default_vpnc_script};
type OnConnectedCallback = Arc<RwLock<Option<Box<dyn FnOnce() + 'static + Send + Sync>>>>;
pub struct Vpn {
server: CString,
cookie: CString,
user_agent: CString,
script: CString,
os: CString,
certificate: Option<CString>,
servercert: Option<CString>,
callback: OnConnectedCallback,
}
impl Vpn {
pub fn builder(server: &str, cookie: &str) -> VpnBuilder {
VpnBuilder::new(server, cookie)
}
pub fn connect(&self, on_connected: impl FnOnce() + 'static + Send + Sync) -> i32 {
self
.callback
.write()
.unwrap()
.replace(Box::new(on_connected));
let options = self.build_connect_options();
ffi::connect(&options)
}
pub(crate) fn on_connected(&self, pipe_fd: i32) {
info!("Connected to VPN, pipe_fd: {}", pipe_fd);
if let Some(callback) = self.callback.write().unwrap().take() {
callback();
}
}
pub fn disconnect(&self) {
ffi::disconnect();
}
fn build_connect_options(&self) -> ffi::ConnectOptions {
ffi::ConnectOptions {
user_data: self as *const _ as *mut _,
server: self.server.as_ptr(),
cookie: self.cookie.as_ptr(),
user_agent: self.user_agent.as_ptr(),
script: self.script.as_ptr(),
os: self.os.as_ptr(),
certificate: Self::option_to_ptr(&self.certificate),
servercert: Self::option_to_ptr(&self.servercert),
}
}
fn option_to_ptr(option: &Option<CString>) -> *const c_char {
match option {
Some(value) => value.as_ptr(),
None => std::ptr::null(),
}
}
}
pub struct VpnBuilder {
server: String,
cookie: String,
user_agent: Option<String>,
script: Option<String>,
os: Option<String>,
}
impl VpnBuilder {
fn new(server: &str, cookie: &str) -> Self {
Self {
server: server.to_string(),
cookie: cookie.to_string(),
user_agent: None,
script: None,
os: None,
}
}
pub fn user_agent<T: Into<Option<String>>>(mut self, user_agent: T) -> Self {
self.user_agent = user_agent.into();
self
}
pub fn script<T: Into<Option<String>>>(mut self, script: T) -> Self {
self.script = script.into();
self
}
pub fn os<T: Into<Option<String>>>(mut self, os: T) -> Self {
self.os = os.into();
self
}
pub fn build(self) -> Vpn {
let user_agent = self.user_agent.unwrap_or_default();
let script = self
.script
.or_else(find_default_vpnc_script)
.unwrap_or_default();
let os = self.os.unwrap_or("linux".to_string());
Vpn {
server: Self::to_cstring(&self.server),
cookie: Self::to_cstring(&self.cookie),
user_agent: Self::to_cstring(&user_agent),
script: Self::to_cstring(&script),
os: Self::to_cstring(&os),
certificate: None,
servercert: None,
callback: Default::default(),
}
}
fn to_cstring(value: &str) -> CString {
CString::new(value.to_string()).expect("Failed to convert to CString")
}
}

23
crates/openconnect/src/vpnc_script.rs Normal file
View File

@ -0,0 +1,23 @@
use is_executable::IsExecutable;
use std::path::Path;
const VPNC_SCRIPT_LOCATIONS: [&str; 5] = [
"/usr/local/share/vpnc-scripts/vpnc-script",
"/usr/local/sbin/vpnc-script",
"/usr/share/vpnc-scripts/vpnc-script",
"/usr/sbin/vpnc-script",
"/etc/vpnc/vpnc-script",
];
pub(crate) fn find_default_vpnc_script() -> Option<String> {
for location in VPNC_SCRIPT_LOCATIONS.iter() {
let path = Path::new(location);
if path.is_executable() {
return Some(location.to_string());
}
}
log::warn!("vpnc-script not found");
None
}

8
rustfmt.toml Normal file
View File

@ -0,0 +1,8 @@
max_width = 100
hard_tabs = false
tab_spaces = 2
newline_style = "Unix"
reorder_imports = true
reorder_modules = true
edition = "2021"
merge_derives = true