Support SSO using default browser

apps/gpclient/src/launch_gui.rs

@@ -10,7 +10,12 @@ use log::info;
 
 #[derive(Args)]
 pub(crate) struct LaunchGuiArgs {
-  #[clap(long, help = "Launch the GUI minimized")]
+  #[arg(
+    required = false,
+    help = "The authentication data, used for the default browser authentication"
+  )]
+  auth_data: Option<String>,
+  #[arg(long, help = "Launch the GUI minimized")]
   minimized: bool,
 }
 
@@ -30,6 +35,12 @@ impl<'a> LaunchGuiHandler<'a> {
       anyhow::bail!("`launch-gui` cannot be run as root");
     }
 
+    let auth_data = self.args.auth_data.as_deref().unwrap_or_default();
+    if !auth_data.is_empty() {
+      // Process the authentication data, its format is `globalprotectcallback:<data>`
+      return feed_auth_data(auth_data).await;
+    }
+
     if try_active_gui().await.is_ok() {
       info!("The GUI is already running");
       return Ok(());
@@ -66,6 +77,19 @@ impl<'a> LaunchGuiHandler<'a> {
   }
 }
 
+async fn feed_auth_data(auth_data: &str) -> anyhow::Result<()> {
+  let service_endpoint = http_endpoint().await?;
+
+  reqwest::Client::default()
+    .post(format!("{}/auth-data", service_endpoint))
+    .json(&auth_data)
+    .send()
+    .await?
+    .error_for_status()?;
+
+  Ok(())
+}
+
 async fn try_active_gui() -> anyhow::Result<()> {
   let service_endpoint = http_endpoint().await?;
 

apps/gpservice/com.yuezk.gpservice.policy

@@ -1,19 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN" "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
-<policyconfig>
-  <vendor>GlobalProtect-openconnect</vendor>
-  <vendor_url>https://github.com/yuezk/GlobalProtect-openconnect</vendor_url>
-  <icon_name>gpgui</icon_name>
-  <action id="com.yuezk.gpservice">
-    <description>Run GPService as root</description>
-    <message>Authentication is required to run the GPService as root</message>
-    <defaults>
-      <allow_any>yes</allow_any>
-      <allow_inactive>yes</allow_inactive>
-      <allow_active>yes</allow_active>
-    </defaults>
-    <annotate key="org.freedesktop.policykit.exec.path">/home/kevin/Documents/repos/gp/target/debug/gpservice</annotate>
-    <annotate key="org.freedesktop.policykit.exec.argv1">--with-gui</annotate>
-    <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate>
-  </action>
-</policyconfig>

apps/gpservice/src/handlers.rs

@@ -21,6 +21,13 @@ pub(crate) async fn active_gui(State(ctx): State<Arc<WsServerContext>>) -> impl
   ctx.send_event(WsEvent::ActiveGui).await;
 }
 
+pub(crate) async fn auth_data(
+  State(ctx): State<Arc<WsServerContext>>,
+  body: String,
+) -> impl IntoResponse {
+  ctx.send_event(WsEvent::AuthData(body)).await;
+}
+
 pub(crate) async fn ws_handler(
   ws: WebSocketUpgrade,
   State(ctx): State<Arc<WsServerContext>>,

apps/gpservice/src/routes.rs

@@ -8,6 +8,7 @@ pub(crate) fn routes(ctx: Arc<WsServerContext>) -> Router {
   Router::new()
     .route("/health", get(handlers::health))
     .route("/active-gui", post(handlers::active_gui))
+    .route("/auth-data", post(handlers::auth_data))
     .route("/ws", get(handlers::ws_handler))
     .with_state(ctx)
 }