cassidy/GlobalProtect-openconnect
1
0
Fork 0
mirror of https://github.com/yuezk/GlobalProtect-openconnect.git synced 2025-04-02 18:31:50 -04:00
Code Issues Projects Releases Wiki Activity

upgrade gpauth

Browse Source
This commit is contained in:
Kevin Yue 2024-12-13 10:58:39 +00:00
parent f474ab36c0
commit e6eb787674
No known key found for this signature in database
GPG Key ID: 4D3A6EE977B15AC4
26 changed files with 916 additions and 4276 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.gitignore vendored
View File

@ -8,3 +8,6 @@
.cargo .cargo
.build .build
SNAPSHOT SNAPSHOT
# Tauri generated files
gen

94
Cargo.lock generated
View File

@ -201,7 +201,7 @@ dependencies = [
"serde_path_to_error", "serde_path_to_error",
"serde_urlencoded", "serde_urlencoded",
"sha1", "sha1",
"sync_wrapper 1.0.2", "sync_wrapper",
"tokio", "tokio",
"tokio-tungstenite", "tokio-tungstenite",
"tower", "tower",
@ -225,7 +225,7 @@ dependencies = [
"mime", "mime",
"pin-project-lite", "pin-project-lite",
"rustversion", "rustversion",
"sync_wrapper 1.0.2", "sync_wrapper",
"tower-layer", "tower-layer",
"tower-service", "tower-service",
"tracing", "tracing",
@ -414,9 +414,9 @@ dependencies = [
[[package]] [[package]]
name = "cc" name = "cc"
version = "1.2.3" version = "1.2.4"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "27f657647bcff5394bf56c7317665bbf790a137a50eaaa5c6bfbb9e27a518f2d" checksum = "9157bbaa6b165880c27a4293a474c91cdcf265cc68cc829bf10be0964a391caf"
dependencies = [ dependencies = [
"shlex", "shlex",
] ]
@ -1552,7 +1552,7 @@ dependencies = [
"specta", "specta",
"tauri", "tauri",
"tempfile", "tempfile",
"thiserror 2.0.6", "thiserror 2.0.7",
"tokio", "tokio",
"url", "url",
"urlencoding", "urlencoding",
@ -1562,6 +1562,27 @@ dependencies = [
"whoami", "whoami",
] ]
[[package]]
name = "gpauth"
version = "2.3.9"
dependencies = [
"anyhow",
"clap",
"compile-time",
"env_logger",
"gpapi",
"html-escape",
"log",
"regex",
"serde_json",
"tauri",
"tauri-build",
"tempfile",
"tokio",
"tokio-util",
"webkit2gtk",
]
[[package]] [[package]]
name = "gpclient" name = "gpclient"
version = "2.3.9" version = "2.3.9"
@ -1733,6 +1754,15 @@ dependencies = [
"windows-sys 0.52.0", "windows-sys 0.52.0",
] ]
[[package]]
name = "html-escape"
version = "0.2.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6d1ad449764d627e22bfd7cd5e8868264fc9236e07c752972b4080cd351cb476"
dependencies = [
"utf8-width",
]
[[package]] [[package]]
name = "html5ever" name = "html5ever"
version = "0.26.0" version = "0.26.0"
@ -3406,9 +3436,9 @@ dependencies = [
[[package]] [[package]]
name = "redox_syscall" name = "redox_syscall"
version = "0.5.7" version = "0.5.8"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9b6dfecf2c74bce2466cabf93f6664d6998a69eb21e39f4207930065b27b771f" checksum = "03a862b389f93e68874fbf580b9de08dd02facb9a788ebadaf4a3fd33cf58834"
dependencies = [ dependencies = [
"bitflags 2.6.0", "bitflags 2.6.0",
] ]
@ -3484,7 +3514,7 @@ dependencies = [
"serde", "serde",
"serde_json", "serde_json",
"serde_urlencoded", "serde_urlencoded",
"sync_wrapper 1.0.2", "sync_wrapper",
"system-configuration", "system-configuration",
"tokio", "tokio",
"tokio-native-tls", "tokio-native-tls",
@ -3549,9 +3579,9 @@ dependencies = [
[[package]] [[package]]
name = "rustls" name = "rustls"
version = "0.23.19" version = "0.23.20"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "934b404430bb06b3fae2cba809eb45a1ab1aecd64491213d7c3301b88393f8d1" checksum = "5065c3f250cbd332cd894be57c40fa52387247659b14a2d6041d121547903b1b"
dependencies = [ dependencies = [
"once_cell", "once_cell",
"rustls-pki-types", "rustls-pki-types",
@ -3571,9 +3601,9 @@ dependencies = [
[[package]] [[package]]
name = "rustls-pki-types" name = "rustls-pki-types"
version = "1.10.0" version = "1.10.1"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "16f1201b3c9a7ee8039bcadc17b7e605e2945b27eee7631788c1bd2b0643674b" checksum = "d2bf47e6ff922db3825eb750c4e2ff784c6ff8fb9e13046ef6a1d1c5401b0b37"
[[package]] [[package]]
name = "rustls-webpki" name = "rustls-webpki"
@ -3694,9 +3724,9 @@ dependencies = [
[[package]] [[package]]
name = "semver" name = "semver"
version = "1.0.23" version = "1.0.24"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "61697e0a1c7e512e84a621326239844a24d8207b4669b41bc18b32ea5cbf988b" checksum = "3cb6eb87a131f756572d7fb904f6e7b68633f09cca868c5df1c4b8d1a694bbba"
dependencies = [ dependencies = [
"serde", "serde",
] ]
@ -4130,12 +4160,6 @@ dependencies = [
"unicode-ident", "unicode-ident",
] ]
[[package]]
name = "sync_wrapper"
version = "0.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2047c6ded9c721764247e62cd3b03c09ffc529b2ba5b10ec482ae507a4a70160"
[[package]] [[package]]
name = "sync_wrapper" name = "sync_wrapper"
version = "1.0.2" version = "1.0.2"
@ -4310,7 +4334,7 @@ dependencies = [
"tauri-runtime", "tauri-runtime",
"tauri-runtime-wry", "tauri-runtime-wry",
"tauri-utils", "tauri-utils",
"thiserror 2.0.6", "thiserror 2.0.7",
"tokio", "tokio",
"tray-icon", "tray-icon",
"url", "url",
@ -4363,7 +4387,7 @@ dependencies = [
"sha2", "sha2",
"syn 2.0.90", "syn 2.0.90",
"tauri-utils", "tauri-utils",
"thiserror 2.0.6", "thiserror 2.0.7",
"time", "time",
"url", "url",
"uuid", "uuid",
@ -4398,7 +4422,7 @@ dependencies = [
"serde", "serde",
"serde_json", "serde_json",
"tauri-utils", "tauri-utils",
"thiserror 2.0.6", "thiserror 2.0.7",
"url", "url",
"windows 0.58.0", "windows 0.58.0",
] ]
@ -4458,7 +4482,7 @@ dependencies = [
"serde_json", "serde_json",
"serde_with", "serde_with",
"swift-rs", "swift-rs",
"thiserror 2.0.6", "thiserror 2.0.7",
"toml 0.8.2", "toml 0.8.2",
"url", "url",
"urlpattern", "urlpattern",
@ -4517,11 +4541,11 @@ dependencies = [
[[package]] [[package]]
name = "thiserror" name = "thiserror"
version = "2.0.6" version = "2.0.7"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8fec2a1820ebd077e2b90c4df007bebf344cd394098a13c563957d0afc83ea47" checksum = "93605438cbd668185516ab499d589afb7ee1859ea3d5fc8f6b0755e1c7443767"
dependencies = [ dependencies = [
"thiserror-impl 2.0.6", "thiserror-impl 2.0.7",
] ]
[[package]] [[package]]
@ -4537,9 +4561,9 @@ dependencies = [
[[package]] [[package]]
name = "thiserror-impl" name = "thiserror-impl"
version = "2.0.6" version = "2.0.7"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d65750cab40f4ff1929fb1ba509e9914eb756131cef4210da8d5d700d26f6312" checksum = "e1d8749b4531af2117677a5fcd12b1348a3fe2b81e36e61ffeac5c4aa3273e36"
dependencies = [ dependencies = [
"proc-macro2", "proc-macro2",
"quote", "quote",
@ -4722,14 +4746,14 @@ dependencies = [
[[package]] [[package]]
name = "tower" name = "tower"
version = "0.5.1" version = "0.5.2"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2873938d487c3cfb9aed7546dc9f2711d867c9f90c46b889989a2cb84eba6b4f" checksum = "d039ad9159c98b70ecfd540b2573b97f7f52c3e8d9f8ad57a24b916a536975f9"
dependencies = [ dependencies = [
"futures-core", "futures-core",
"futures-util", "futures-util",
"pin-project-lite", "pin-project-lite",
"sync_wrapper 0.1.2", "sync_wrapper",
"tokio", "tokio",
"tower-layer", "tower-layer",
"tower-service", "tower-service",
@ -4942,6 +4966,12 @@ version = "1.0.5"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c8232dd3cdaed5356e0f716d285e4b40b932ac434100fe9b7e0e8e935b9e6246" checksum = "c8232dd3cdaed5356e0f716d285e4b40b932ac434100fe9b7e0e8e935b9e6246"
[[package]]
name = "utf8-width"
version = "0.1.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "86bd8d4e895da8537e5315b8254664e6b769c4ff3db18321b297a1e7004392e3"
[[package]] [[package]]
name = "utf8_iter" name = "utf8_iter"
version = "1.0.4" version = "1.0.4"

2
Cargo.toml
View File

@ -1,7 +1,7 @@
[workspace] [workspace]
resolver = "2" resolver = "2"
members = ["crates/*", "apps/gpclient", "apps/gpservice", "apps/gpgui-helper/src-tauri"] members = ["crates/*", "apps/gpclient", "apps/gpservice", "apps/gpauth", "apps/gpgui-helper/src-tauri"]
[workspace.package] [workspace.package]
rust-version = "1.70" rust-version = "1.70"

10
apps/gpauth/Cargo.toml
View File

@ -6,7 +6,7 @@ edition.workspace = true
license.workspace = true license.workspace = true
[build-dependencies] [build-dependencies]
tauri-build = { version = "1.5", features = [] } tauri-build = { version = "2", features = [] }
[dependencies] [dependencies]
gpapi = { path = "../../crates/gpapi", features = [ gpapi = { path = "../../crates/gpapi", features = [
@ -14,6 +14,9 @@ gpapi = { path = "../../crates/gpapi", features = [
"clap", "clap",
"browser-auth", "browser-auth",
] } ] }
tauri = { workspace = true }
anyhow.workspace = true anyhow.workspace = true
clap.workspace = true clap.workspace = true
env_logger.workspace = true env_logger.workspace = true
@ -24,6 +27,7 @@ tokio.workspace = true
tokio-util.workspace = true tokio-util.workspace = true
tempfile.workspace = true tempfile.workspace = true
html-escape = "0.2.13" html-escape = "0.2.13"
webkit2gtk = "0.18.2"
tauri = { workspace = true, features = ["http-all"] }
compile-time.workspace = true compile-time.workspace = true
[target.'cfg(not(target_os = "macos"))'.dependencies]
webkit2gtk = "2"

108
apps/gpauth/src/auth_messenger.rs Normal file
View File

@ -0,0 +1,108 @@
use anyhow::bail;
use gpapi::auth::SamlAuthData;
use log::{error, info};
use tokio::sync::{mpsc, RwLock};
use tokio_util::sync::CancellationToken;
pub enum AuthError {
/// Failed to load page due to TLS error
TlsError,
/// 1. Found auth data in headers/body but it's invalid
/// 2. Loaded an empty page, failed to load page. etc.
Invalid,
/// No auth data found in headers/body
NotFound,
}
pub type AuthResult = anyhow::Result<SamlAuthData, AuthError>;
pub enum AuthEvent {
Data(SamlAuthData),
Error(AuthError),
RaiseWindow,
Close,
}
pub struct AuthMessenger {
tx: mpsc::UnboundedSender<AuthEvent>,
rx: RwLock<mpsc::UnboundedReceiver<AuthEvent>>,
raise_window_cancel_token: RwLock<Option<CancellationToken>>,
}
impl AuthMessenger {
pub fn new() -> Self {
let (tx, rx) = mpsc::unbounded_channel();
Self {
tx,
rx: RwLock::new(rx),
raise_window_cancel_token: Default::default(),
}
}
pub async fn subscribe(&self) -> anyhow::Result<AuthEvent> {
let mut rx = self.rx.write().await;
if let Some(event) = rx.recv().await {
return Ok(event);
}
bail!("Failed to receive auth event");
}
pub fn send_auth_event(&self, event: AuthEvent) {
if let Err(event) = self.tx.send(event) {
error!("Failed to send auth event: {}", event);
}
}
pub fn send_auth_result(&self, result: AuthResult) {
match result {
Ok(data) => self.send_auth_data(data),
Err(err) => self.send_auth_error(err),
}
}
pub fn send_auth_error(&self, err: AuthError) {
self.send_auth_event(AuthEvent::Error(err));
}
pub fn send_auth_data(&self, data: SamlAuthData) {
self.send_auth_event(AuthEvent::Data(data));
}
pub fn schedule_raise_window(&self, delay: u64) {
let cancel_token = CancellationToken::new();
let cancel_token_clone = cancel_token.clone();
if let Ok(mut guard) = self.raise_window_cancel_token.try_write() {
// Cancel the previous raise window task if it exists
if let Some(token) = guard.take() {
token.cancel();
}
*guard = Some(cancel_token_clone);
}
let tx = self.tx.clone();
tokio::spawn(async move {
info!("Displaying the window in {} second(s)...", delay);
tokio::select! {
_ = tokio::time::sleep(tokio::time::Duration::from_secs(delay)) => {
if let Err(err) = tx.send(AuthEvent::RaiseWindow) {
error!("Failed to send raise window event: {}", err);
}
}
_ = cancel_token.cancelled() => {
info!("Cancelled raise window task");
}
}
});
}
pub fn cancel_raise_window(&self) {
if let Ok(mut cancel_token) = self.raise_window_cancel_token.try_write() {
if let Some(token) = cancel_token.take() {
token.cancel();
}
}
}
}

658
apps/gpauth/src/auth_window.rs
View File

@ -1,5 +1,8 @@
use std::{ use std::{
rc::Rc, borrow::Cow,
env::temp_dir,
fs,
os::unix::fs::PermissionsExt,
sync::Arc, sync::Arc,
time::{Duration, Instant}, time::{Duration, Instant},
}; };
@ -7,517 +10,278 @@ use std::{
use anyhow::bail; use anyhow::bail;
use gpapi::{ use gpapi::{
auth::SamlAuthData, auth::SamlAuthData,
error::AuthDataParseError, error::PortalError,
gp_params::GpParams, gp_params::GpParams,
portal::{prelogin, Prelogin}, portal::{prelogin, Prelogin},
utils::{redact::redact_uri, window::WindowExt}, process::browser_authenticator::BrowserAuthenticator,
utils::window::WindowExt,
GP_CALLBACK_PORT_FILENAME,
}; };
use log::{info, warn}; use log::{info, warn};
use regex::Regex; use tauri::{AppHandle, WebviewUrl, WebviewWindow, WindowEvent};
use tauri::{AppHandle, Window, WindowEvent, WindowUrl}; use tokio::{
use tokio::sync::{mpsc, oneshot, RwLock}; io::AsyncReadExt,
use tokio_util::sync::CancellationToken; net::TcpListener,
use webkit2gtk::{ sync::{oneshot, RwLock},
gio::Cancellable, time,
glib::{GString, TimeSpan},
LoadEvent, SettingsExt, TLSErrorsPolicy, URIResponse, URIResponseExt, WebContextExt, WebResource, WebResourceExt,
WebView, WebViewExt, WebsiteDataManagerExtManual, WebsiteDataTypes,
}; };
enum AuthDataError { use crate::{
/// Failed to load page due to TLS error auth_messenger::{AuthError, AuthEvent, AuthMessenger},
TlsError, common::{AuthRequest, AuthSettings},
/// 1. Found auth data in headers/body but it's invalid platform_impl,
/// 2. Loaded an empty page, failed to load page. etc. };
Invalid,
/// No auth data found in headers/body
NotFound,
}
type AuthResult = Result<SamlAuthData, AuthDataError>; pub struct AuthWindow<'a> {
pub(crate) struct AuthWindow<'a> {
app_handle: AppHandle,
server: &'a str, server: &'a str,
saml_request: &'a str, gp_params: &'a GpParams,
user_agent: &'a str, auth_request: Option<&'a str>,
gp_params: Option<GpParams>,
clean: bool, clean: bool,
is_retrying: RwLock<bool>,
} }
impl<'a> AuthWindow<'a> { impl<'a> AuthWindow<'a> {
pub fn new(app_handle: AppHandle) -> Self { pub fn new(server: &'a str, gp_params: &'a GpParams) -> Self {
Self { Self {
app_handle, server,
server: "", gp_params,
saml_request: "", auth_request: None,
user_agent: "",
gp_params: None,
clean: false, clean: false,
is_retrying: Default::default(),
} }
} }
pub fn server(mut self, server: &'a str) -> Self { pub fn with_auth_request(mut self, auth_request: &'a str) -> Self {
self.server = server; if !auth_request.is_empty() {
self.auth_request = Some(auth_request);
}
self self
} }
pub fn saml_request(mut self, saml_request: &'a str) -> Self { pub fn with_clean(mut self, clean: bool) -> Self {
self.saml_request = saml_request;
self
}
pub fn user_agent(mut self, user_agent: &'a str) -> Self {
self.user_agent = user_agent;
self
}
pub fn gp_params(mut self, gp_params: GpParams) -> Self {
self.gp_params.replace(gp_params);
self
}
pub fn clean(mut self, clean: bool) -> Self {
self.clean = clean; self.clean = clean;
self self
} }
pub async fn open(&self) -> anyhow::Result<SamlAuthData> { pub async fn browser_authenticate(&self, browser: Option<&str>) -> anyhow::Result<SamlAuthData> {
info!("Open auth window, user_agent: {}", self.user_agent); let auth_request = self.initial_auth_request().await?;
let browser_auth = if let Some(browser) = browser {
BrowserAuthenticator::new_with_browser(&auth_request, browser)
} else {
BrowserAuthenticator::new(&auth_request)
};
let window = Window::builder(&self.app_handle, "auth_window", WindowUrl::default()) browser_auth.authenticate()?;
info!("Please continue the authentication process in the default browser");
wait_auth_data().await
}
pub async fn webview_authenticate(&self, app_handle: &AppHandle) -> anyhow::Result<SamlAuthData> {
let auth_window = WebviewWindow::builder(app_handle, "auth_window", WebviewUrl::default())
.title("GlobalProtect Login") .title("GlobalProtect Login")
// .user_agent(self.user_agent)
.focused(true) .focused(true)
.visible(false) .visible(false)
.center() .center()
.build()?; .build()?;
let window = Arc::new(window); self.auth_loop(&auth_window).await
let cancel_token = CancellationToken::new();
let cancel_token_clone = cancel_token.clone();
window.on_window_event(move |event| {
if let WindowEvent::CloseRequested { .. } = event {
cancel_token_clone.cancel();
}
});
let window_clone = Arc::clone(&window);
let timeout_secs = 15;
tokio::spawn(async move {
tokio::time::sleep(Duration::from_secs(timeout_secs)).await;
let visible = window_clone.is_visible().unwrap_or(false);
if !visible {
info!("Try to raise auth window after {} seconds", timeout_secs);
raise_window(&window_clone);
}
});
tokio::select! {
_ = cancel_token.cancelled() => {
bail!("Auth cancelled");
}
saml_result = self.auth_loop(&window) => {
window.close()?;
saml_result
}
}
} }
async fn auth_loop(&self, window: &Arc<Window>) -> anyhow::Result<SamlAuthData> { async fn auth_loop(&self, auth_window: &WebviewWindow) -> anyhow::Result<SamlAuthData> {
let saml_request = self.saml_request.to_string();
let (auth_result_tx, mut auth_result_rx) = mpsc::unbounded_channel::<AuthResult>();
let raise_window_cancel_token: Arc<RwLock<Option<CancellationToken>>> = Default::default();
let gp_params = self.gp_params.as_ref().unwrap();
let tls_err_policy = if gp_params.ignore_tls_errors() {
TLSErrorsPolicy::Ignore
} else {
TLSErrorsPolicy::Fail
};
if self.clean { if self.clean {
clear_webview_cookies(window).await?; self.clear_webview_data(&auth_window).await?;
} }
let raise_window_cancel_token_clone = Arc::clone(&raise_window_cancel_token); let auth_messenger = self.setup_auth_window(&auth_window).await?;
window.with_webview(move |wv| {
let wv = wv.inner();
if let Some(context) = wv.context() {
context.set_tls_errors_policy(tls_err_policy);
}
if let Some(settings) = wv.settings() {
let ua = settings.user_agent().unwrap_or("".into());
info!("Auth window user agent: {}", ua);
}
// Load the initial SAML request
load_saml_request(&wv, &saml_request);
let auth_result_tx_clone = auth_result_tx.clone();
wv.connect_load_changed(move |wv, event| {
if event == LoadEvent::Started {
let Ok(mut cancel_token) = raise_window_cancel_token_clone.try_write() else {
return;
};
// Cancel the raise window task
if let Some(cancel_token) = cancel_token.take() {
cancel_token.cancel();
}
return;
}
if event != LoadEvent::Finished {
return;
}
if let Some(main_resource) = wv.main_resource() {
let uri = main_resource.uri().unwrap_or("".into());
if uri.is_empty() {
warn!("Loaded an empty uri");
send_auth_result(&auth_result_tx_clone, Err(AuthDataError::Invalid));
return;
}
info!("Loaded uri: {}", redact_uri(&uri));
if uri.starts_with("globalprotectcallback:") {
return;
}
read_auth_data(&main_resource, auth_result_tx_clone.clone());
}
});
let auth_result_tx_clone = auth_result_tx.clone();
wv.connect_load_failed_with_tls_errors(move |_wv, uri, cert, err| {
let redacted_uri = redact_uri(uri);
warn!(
"Failed to load uri: {} with error: {}, cert: {}",
redacted_uri, err, cert
);
send_auth_result(&auth_result_tx_clone, Err(AuthDataError::TlsError));
true
});
wv.connect_load_failed(move |_wv, _event, uri, err| {
let redacted_uri = redact_uri(uri);
if !uri.starts_with("globalprotectcallback:") {
warn!("Failed to load uri: {} with error: {}", redacted_uri, err);
}
// NOTE: Don't send error here, since load_changed event will be triggered after this
// send_auth_result(&auth_result_tx, Err(AuthDataError::Invalid));
// true to stop other handlers from being invoked for the event. false to propagate the event further.
true
});
})?;
let portal = self.server.to_string();
loop { loop {
if let Some(auth_result) = auth_result_rx.recv().await { match auth_messenger.subscribe().await? {
match auth_result { AuthEvent::Close => bail!("Authentication cancelled"),
Ok(auth_data) => return Ok(auth_data), AuthEvent::RaiseWindow => self.raise_window(auth_window),
Err(AuthDataError::TlsError) => bail!("TLS error: certificate verify failed"), AuthEvent::Error(AuthError::TlsError) => bail!(PortalError::TlsError),
Err(AuthDataError::NotFound) => { AuthEvent::Error(AuthError::NotFound) => self.handle_not_found(auth_window, &auth_messenger),
info!("No auth data found, it may not be the /SAML20/SP/ACS endpoint"); AuthEvent::Error(AuthError::Invalid) => self.retry_auth(auth_window).await,
AuthEvent::Data(auth_data) => {
// The user may need to interact with the auth window, raise it in 3 seconds auth_window.close()?;
if !window.is_visible().unwrap_or(false) { return Ok(auth_data);
let window = Arc::clone(window);
let cancel_token = CancellationToken::new();
raise_window_cancel_token.write().await.replace(cancel_token.clone());
tokio::spawn(async move {
let delay_secs = 1;
info!("Raise window in {} second(s)", delay_secs);
tokio::select! {
_ = tokio::time::sleep(Duration::from_secs(delay_secs)) => {
raise_window(&window);
} }
_ = cancel_token.cancelled() => {
info!("Raise window cancelled");
} }
} }
}
async fn initial_auth_request(&self) -> anyhow::Result<Cow<'a, str>> {
if let Some(auth_request) = self.auth_request {
return Ok(Cow::Borrowed(auth_request));
}
let auth_request = portal_prelogin(&self.server, &self.gp_params).await?;
Ok(Cow::Owned(auth_request))
}
async fn clear_webview_data(&self, auth_window: &WebviewWindow) -> anyhow::Result<()> {
info!("Clearing webview data...");
let (tx, rx) = oneshot::channel::<anyhow::Result<()>>();
let now = Instant::now();
auth_window.with_webview(|webview| {
platform_impl::clear_data(&webview.inner(), |result| {
if let Err(result) = tx.send(result) {
warn!("Failed to send clear data result: {:?}", result);
}
})
})?;
rx.await??;
info!("Webview data cleared in {:?}", now.elapsed());
Ok(())
}
async fn setup_auth_window(&self, auth_window: &WebviewWindow) -> anyhow::Result<Arc<AuthMessenger>> {
info!("Setting up auth window...");
let auth_messenger = Arc::new(AuthMessenger::new());
let auth_request = self.initial_auth_request().await?.into_owned();
let ignore_tls_errors = self.gp_params.ignore_tls_errors();
// Handle window close event
let auth_messenger_clone = Arc::clone(&auth_messenger);
auth_window.on_window_event(move |event| {
if let WindowEvent::CloseRequested { .. } = event {
auth_messenger_clone.send_auth_event(AuthEvent::Close);
}
}); });
}
}
Err(AuthDataError::Invalid) => {
info!("Got invalid auth data, retrying...");
window.with_webview(|wv| { // Show the window after 10 seconds, so that the user can see the window if the auth process is stuck
let wv = wv.inner(); let auth_messenger_clone = Arc::clone(&auth_messenger);
wv.run_javascript(r#" tokio::spawn(async move {
time::sleep(Duration::from_secs(10)).await;
auth_messenger_clone.send_auth_event(AuthEvent::RaiseWindow);
});
// setup webview
let auth_messenger_clone = Arc::clone(&auth_messenger);
let (tx, rx) = oneshot::channel::<anyhow::Result<()>>();
auth_window.with_webview(move |webview| {
let auth_settings = AuthSettings {
auth_request: AuthRequest::new(&auth_request),
auth_messenger: auth_messenger_clone,
ignore_tls_errors,
};
let result = platform_impl::setup_webview(&webview.inner(), auth_settings);
if let Err(result) = tx.send(result) {
warn!("Failed to send setup auth window result: {:?}", result);
}
})?;
rx.await??;
info!("Auth window setup completed");
Ok(auth_messenger)
}
fn handle_not_found(&self, auth_window: &WebviewWindow, auth_messenger: &Arc<AuthMessenger>) {
info!("No auth data found, it may not be the /SAML20/SP/ACS endpoint");
let visible = auth_window.is_visible().unwrap_or(false);
if visible {
return;
}
auth_messenger.schedule_raise_window(1);
}
async fn retry_auth(&self, auth_window: &WebviewWindow) {
let mut is_retrying = self.is_retrying.write().await;
if *is_retrying {
info!("Already retrying authentication, skipping...");
return;
}
*is_retrying = true;
drop(is_retrying);
if let Err(err) = self.retry_auth_impl(auth_window).await {
warn!("Failed to retry authentication: {}", err);
}
*self.is_retrying.write().await = false;
}
async fn retry_auth_impl(&self, auth_window: &WebviewWindow) -> anyhow::Result<()> {
info!("Retrying authentication...");
auth_window.eval( r#"
var loading = document.createElement("div"); var loading = document.createElement("div");
loading.innerHTML = '<div style="position: absolute; width: 100%; text-align: center; font-size: 20px; font-weight: bold; top: 50%; left: 50%; transform: translate(-50%, -50%);">Got invalid token, retrying...</div>'; loading.innerHTML = '<div style="position: absolute; width: 100%; text-align: center; font-size: 20px; font-weight: bold; top: 50%; left: 50%; transform: translate(-50%, -50%);">Got invalid token, retrying...</div>';
loading.style = "position: fixed; top: 0; left: 0; width: 100%; height: 100%; background: rgba(255, 255, 255, 0.85); z-index: 99999;"; loading.style = "position: fixed; top: 0; left: 0; width: 100%; height: 100%; background: rgba(255, 255, 255, 0.85); z-index: 99999;";
document.body.appendChild(loading); document.body.appendChild(loading);
"#, "#)?;
Cancellable::NONE,
|_| info!("Injected loading element successfully"), let auth_request = portal_prelogin(&self.server, &self.gp_params).await?;
); let (tx, rx) = oneshot::channel::<()>();
auth_window.with_webview(move |webview| {
let auth_request = AuthRequest::new(&auth_request);
platform_impl::load_auth_request(&webview.inner(), &auth_request);
tx.send(()).expect("Failed to send message to the channel")
})?; })?;
let saml_request = portal_prelogin(&portal, gp_params).await?; rx.await?;
window.with_webview(move |wv| { Ok(())
let wv = wv.inner();
load_saml_request(&wv, &saml_request);
})?;
} }
}
}
}
}
}
fn raise_window(window: &Arc<Window>) { fn raise_window(&self, auth_window: &WebviewWindow) {
let visible = window.is_visible().unwrap_or(false); let visible = auth_window.is_visible().unwrap_or(false);
if !visible { if visible {
if let Err(err) = window.raise() { return;
}
info!("Raising auth window...");
if let Err(err) = auth_window.raise() {
warn!("Failed to raise window: {}", err); warn!("Failed to raise window: {}", err);
} }
} }
} }
pub async fn portal_prelogin(portal: &str, gp_params: &GpParams) -> anyhow::Result<String> { async fn portal_prelogin(portal: &str, gp_params: &GpParams) -> anyhow::Result<String> {
match prelogin(portal, gp_params).await? { match prelogin(portal, gp_params).await? {
Prelogin::Saml(prelogin) => Ok(prelogin.saml_request().to_string()), Prelogin::Saml(prelogin) => Ok(prelogin.saml_request().to_string()),
Prelogin::Standard(_) => bail!("Received non-SAML prelogin response"), Prelogin::Standard(_) => bail!("Received non-SAML prelogin response"),
} }
} }
fn send_auth_result(auth_result_tx: &mpsc::UnboundedSender<AuthResult>, auth_result: AuthResult) { async fn wait_auth_data() -> anyhow::Result<SamlAuthData> {
if let Err(err) = auth_result_tx.send(auth_result) { // Start a local server to receive the browser authentication data
warn!("Failed to send auth event: {}", err); let listener = TcpListener::bind("127.0.0.1:0").await?;
} let port = listener.local_addr()?.port();
} let port_file = temp_dir().join(GP_CALLBACK_PORT_FILENAME);
fn load_saml_request(wv: &Rc<WebView>, saml_request: &str) { // Write the port to a file
if saml_request.starts_with("http") { fs::write(&port_file, port.to_string())?;
info!("Load the SAML request as URI..."); fs::set_permissions(&port_file, fs::Permissions::from_mode(0o600))?;
wv.load_uri(saml_request);
} else {
info!("Load the SAML request as HTML...");
wv.load_html(saml_request, None);
}
}
fn read_auth_data_from_headers(response: &URIResponse) -> AuthResult { // Remove the previous log file
response.http_headers().map_or_else( let callback_log = temp_dir().join("gpcallback.log");
|| { let _ = fs::remove_file(&callback_log);
info!("No headers found in response");
Err(AuthDataError::NotFound)
},
|mut headers| match headers.get("saml-auth-status") {
Some(status) if status == "1" => {
let username = headers.get("saml-username").map(GString::into);
let prelogin_cookie = headers.get("prelogin-cookie").map(GString::into);
let portal_userauthcookie = headers.get("portal-userauthcookie").map(GString::into);
if SamlAuthData::check(&username, &prelogin_cookie, &portal_userauthcookie) { info!("Listening authentication data on port {}", port);
return Ok(SamlAuthData::new( info!(
username.unwrap(), "If it hangs, please check the logs at `{}` for more information",
prelogin_cookie, callback_log.display()
portal_userauthcookie,
));
}
info!("Found invalid auth data in headers");
Err(AuthDataError::Invalid)
}
Some(status) => {
info!("Found invalid SAML status: {} in headers", status);
Err(AuthDataError::Invalid)
}
None => {
info!("No saml-auth-status header found");
Err(AuthDataError::NotFound)
}
},
)
}
fn read_auth_data_from_body<F>(main_resource: &WebResource, callback: F)
where
F: FnOnce(Result<SamlAuthData, AuthDataParseError>) + Send + 'static,
{
main_resource.data(Cancellable::NONE, |data| match data {
Ok(data) => {
let html = String::from_utf8_lossy(&data);
callback(read_auth_data_from_html(&html));
}
Err(err) => {
info!("Failed to read response body: {}", err);
callback(Err(AuthDataParseError::Invalid))
}
});
}
fn read_auth_data_from_html(html: &str) -> Result<SamlAuthData, AuthDataParseError> {
if html.contains("Temporarily Unavailable") {
info!("Found 'Temporarily Unavailable' in HTML, auth failed");
return Err(AuthDataParseError::Invalid);
}
SamlAuthData::from_html(html).or_else(|err| {
if let Some(gpcallback) = extract_gpcallback(html) {
info!("Found gpcallback from html...");
SamlAuthData::from_gpcallback(&gpcallback)
} else {
Err(err)
}
})
}
fn extract_gpcallback(html: &str) -> Option<String> {
let re = Regex::new(r#"globalprotectcallback:[^"]+"#).unwrap();
re.captures(html)
.and_then(|captures| captures.get(0))
.map(|m| html_escape::decode_html_entities(m.as_str()).to_string())
}
fn read_auth_data(main_resource: &WebResource, auth_result_tx: mpsc::UnboundedSender<AuthResult>) {
let Some(response) = main_resource.response() else {
info!("No response found in main resource");
send_auth_result(&auth_result_tx, Err(AuthDataError::Invalid));
return;
};
info!("Trying to read auth data from response headers...");
match read_auth_data_from_headers(&response) {
Ok(auth_data) => {
info!("Got auth data from headers");
send_auth_result(&auth_result_tx, Ok(auth_data));
}
Err(AuthDataError::Invalid) => {
info!("Found invalid auth data in headers, trying to read from body...");
read_auth_data_from_body(main_resource, move |auth_result| {
// Since we have already found invalid auth data in headers, which means this could be the `/SAML20/SP/ACS` endpoint
// any error result from body should be considered as invalid, and trigger a retry
let auth_result = auth_result.map_err(|err| {
info!("Failed to read auth data from body: {}", err);
AuthDataError::Invalid
});
send_auth_result(&auth_result_tx, auth_result);
});
}
Err(AuthDataError::NotFound) => {
info!("No auth data found in headers, trying to read from body...");
let is_acs_endpoint = main_resource.uri().map_or(false, |uri| uri.contains("/SAML20/SP/ACS"));
read_auth_data_from_body(main_resource, move |auth_result| {
// If the endpoint is `/SAML20/SP/ACS` and no auth data found in body, it should be considered as invalid
let auth_result = auth_result.map_err(|err| {
info!("Failed to read auth data from body: {}", err);
if !is_acs_endpoint && matches!(err, AuthDataParseError::NotFound) {
AuthDataError::NotFound
} else {
AuthDataError::Invalid
}
});
send_auth_result(&auth_result_tx, auth_result)
});
}
Err(AuthDataError::TlsError) => {
// NOTE: This is unreachable
info!("TLS error found in headers, trying to read from body...");
send_auth_result(&auth_result_tx, Err(AuthDataError::TlsError));
}
}
}
pub(crate) async fn clear_webview_cookies(window: &Window) -> anyhow::Result<()> {
let (tx, rx) = oneshot::channel::<Result<(), String>>();
window.with_webview(|wv| {
let send_result = move |result: Result<(), String>| {
if let Err(err) = tx.send(result) {
info!("Failed to send result: {:?}", err);
}
};
let wv = wv.inner();
let context = match wv.context() {
Some(context) => context,
None => {
send_result(Err("No webview context found".into()));
return;
}
};
let data_manager = match context.website_data_manager() {
Some(manager) => manager,
None => {
send_result(Err("No data manager found".into()));
return;
}
};
let now = Instant::now();
data_manager.clear(
WebsiteDataTypes::COOKIES,
TimeSpan(0),
Cancellable::NONE,
move |result| match result {
Err(err) => {
send_result(Err(err.to_string()));
}
Ok(_) => {
info!("Cookies cleared in {} ms", now.elapsed().as_millis());
send_result(Ok(()));
}
},
); );
})?; let (mut socket, _) = listener.accept().await?;
rx.await?.map_err(|err| anyhow::anyhow!(err)) info!("Received the browser authentication data from the socket");
} let mut data = String::new();
socket.read_to_string(&mut data).await?;
#[cfg(test)]
mod tests { // Remove the port file
use super::*; fs::remove_file(&port_file)?;
#[test] let auth_data = SamlAuthData::from_gpcallback(&data)?;
fn extract_gpcallback_some() { Ok(auth_data)
let html = r#"
<meta http-equiv="refresh" content="0; URL=globalprotectcallback:PGh0bWw+PCEtLSA8c">
<meta http-equiv="refresh" content="0; URL=globalprotectcallback:PGh0bWw+PCEtLSA8c">
"#;
assert_eq!(
extract_gpcallback(html).as_deref(),
Some("globalprotectcallback:PGh0bWw+PCEtLSA8c")
);
}
#[test]
fn extract_gpcallback_cas() {
let html = r#"
<meta http-equiv="refresh" content="0; URL=globalprotectcallback:cas-as=1&amp;un=xyz@email.com&amp;token=very_long_string">
"#;
assert_eq!(
extract_gpcallback(html).as_deref(),
Some("globalprotectcallback:cas-as=1&un=xyz@email.com&token=very_long_string")
);
}
#[test]
fn extract_gpcallback_none() {
let html = r#"
<meta http-equiv="refresh" content="0; URL=PGh0bWw+PCEtLSA8c">
"#;
assert_eq!(extract_gpcallback(html), None);
}
} }

215
apps/gpauth/src/cli.rs
View File

@ -1,21 +1,16 @@
use std::{env::temp_dir, fs, os::unix::fs::PermissionsExt};
use clap::Parser; use clap::Parser;
use gpapi::{ use gpapi::{
auth::{SamlAuthData, SamlAuthResult}, auth::{SamlAuthData, SamlAuthResult},
clap::args::Os, clap::{args::Os, handle_error, Args},
gp_params::{ClientOs, GpParams}, gp_params::{ClientOs, GpParams},
process::browser_authenticator::BrowserAuthenticator,
utils::{env_utils, normalize_server, openssl}, utils::{env_utils, normalize_server, openssl},
GP_USER_AGENT, GP_USER_AGENT,
}; };
use gpauth::auth_window::AuthWindow;
use log::{info, LevelFilter}; use log::{info, LevelFilter};
use serde_json::json; use serde_json::json;
use tauri::{App, AppHandle, RunEvent}; use tauri::RunEvent;
use tempfile::NamedTempFile; use tempfile::NamedTempFile;
use tokio::{io::AsyncReadExt, net::TcpListener};
use crate::auth_window::{portal_prelogin, AuthWindow};
const VERSION: &str = concat!(env!("CARGO_PKG_VERSION"), " (", compile_time::date_str!(), ")"); const VERSION: &str = concat!(env!("CARGO_PKG_VERSION"), " (", compile_time::date_str!(), ")");
@ -78,65 +73,17 @@ struct Cli {
browser: Option<String>, browser: Option<String>,
} }
impl Args for Cli {
fn fix_openssl(&self) -> bool {
self.fix_openssl
}
fn ignore_tls_errors(&self) -> bool {
self.ignore_tls_errors
}
}
impl Cli { impl Cli {
async fn run(&mut self) -> anyhow::Result<()> {
if self.ignore_tls_errors {
info!("TLS errors will be ignored");
}
let mut openssl_conf = self.prepare_env()?;
self.server = normalize_server(&self.server)?;
let gp_params = self.build_gp_params();
// Get the initial SAML request
let saml_request = match self.saml_request {
Some(ref saml_request) => saml_request.clone(),
None => portal_prelogin(&self.server, &gp_params).await?,
};
let browser_auth = if let Some(browser) = &self.browser {
Some(BrowserAuthenticator::new_with_browser(&saml_request, browser))
} else if self.default_browser {
Some(BrowserAuthenticator::new(&saml_request))
} else {
None
};
if let Some(browser_auth) = browser_auth {
browser_auth.authenticate()?;
info!("Please continue the authentication process in the default browser");
let auth_result = match wait_auth_data().await {
Ok(auth_data) => SamlAuthResult::Success(auth_data),
Err(err) => SamlAuthResult::Failure(format!("{}", err)),
};
info!("Authentication completed");
println!("{}", json!(auth_result));
return Ok(());
}
self.saml_request.replace(saml_request);
let app = create_app(self.clone())?;
app.run(move |_app_handle, event| {
if let RunEvent::Exit = event {
if let Some(file) = openssl_conf.take() {
if let Err(err) = file.close() {
info!("Error closing OpenSSL config file: {}", err);
}
}
}
});
Ok(())
}
fn prepare_env(&self) -> anyhow::Result<Option<NamedTempFile>> { fn prepare_env(&self) -> anyhow::Result<Option<NamedTempFile>> {
env_utils::patch_gui_runtime_env(self.hidpi); env_utils::patch_gui_runtime_env(self.hidpi);
@ -150,6 +97,64 @@ impl Cli {
Ok(None) Ok(None)
} }
async fn run(&self) -> anyhow::Result<()> {
if self.ignore_tls_errors {
info!("TLS errors will be ignored");
}
let mut openssl_conf = self.prepare_env()?;
let server = normalize_server(&self.server)?;
let server: &'static str = Box::leak(server.into_boxed_str());
let gp_params: &'static GpParams = Box::leak(Box::new(self.build_gp_params()));
let auth_request = self.saml_request.clone().unwrap_or_default();
let auth_request: &'static str = Box::leak(Box::new(auth_request));
let auth_window = AuthWindow::new(&server, gp_params)
.with_auth_request(&auth_request)
.with_clean(self.clean);
let browser = if let Some(browser) = self.browser.as_deref() {
Some(browser)
} else if self.default_browser {
Some("default")
} else {
None
};
if browser.is_some() {
let auth_result = auth_window.browser_authenticate(browser).await;
print_auth_result(auth_result);
return Ok(());
}
tauri::Builder::default()
.setup(move |app| {
let app_handle = app.handle().clone();
tauri::async_runtime::spawn(async move {
let auth_result = auth_window.webview_authenticate(&app_handle).await;
print_auth_result(auth_result);
});
Ok(())
})
.build(tauri::generate_context!())?
.run(move |_app_handle, event| {
if let RunEvent::Exit = event {
if let Some(file) = openssl_conf.take() {
if let Err(err) = file.close() {
info!("Error closing OpenSSL config file: {}", err);
}
}
}
});
Ok(())
}
fn build_gp_params(&self) -> GpParams { fn build_gp_params(&self) -> GpParams {
let gp_params = GpParams::builder() let gp_params = GpParams::builder()
.user_agent(&self.user_agent) .user_agent(&self.user_agent)
@ -161,37 +166,6 @@ impl Cli {
gp_params gp_params
} }
async fn saml_auth(&self, app_handle: AppHandle) -> anyhow::Result<SamlAuthData> {
let auth_window = AuthWindow::new(app_handle)
.server(&self.server)
.user_agent(&self.user_agent)
.gp_params(self.build_gp_params())
.saml_request(self.saml_request.as_ref().unwrap())
.clean(self.clean);
auth_window.open().await
}
}
fn create_app(cli: Cli) -> anyhow::Result<App> {
let app = tauri::Builder::default()
.setup(|app| {
let app_handle = app.handle();
tauri::async_runtime::spawn(async move {
let auth_result = match cli.saml_auth(app_handle.clone()).await {
Ok(auth_data) => SamlAuthResult::Success(auth_data),
Err(err) => SamlAuthResult::Failure(format!("{}", err)),
};
println!("{}", json!(auth_result));
});
Ok(())
})
.build(tauri::generate_context!())?;
Ok(app)
} }
fn init_logger() { fn init_logger() {
@ -199,53 +173,22 @@ fn init_logger() {
} }
pub async fn run() { pub async fn run() {
let mut cli = Cli::parse(); let cli = Cli::parse();
init_logger(); init_logger();
info!("gpauth started: {}", VERSION); info!("gpauth started: {}", VERSION);
if let Err(err) = cli.run().await { if let Err(err) = cli.run().await {
eprintln!("\nError: {}", err); handle_error(err, &cli);
if err.to_string().contains("unsafe legacy renegotiation") && !cli.fix_openssl {
eprintln!("\nRe-run it with the `--fix-openssl` option to work around this issue, e.g.:\n");
// Print the command
let args = std::env::args().collect::<Vec<_>>();
eprintln!("{} --fix-openssl {}\n", args[0], args[1..].join(" "));
}
std::process::exit(1); std::process::exit(1);
} }
} }
async fn wait_auth_data() -> anyhow::Result<SamlAuthData> { fn print_auth_result(auth_result: anyhow::Result<SamlAuthData>) {
// Start a local server to receive the browser authentication data let auth_result = match auth_result {
let listener = TcpListener::bind("127.0.0.1:0").await?; Ok(auth_data) => SamlAuthResult::Success(auth_data),
let port = listener.local_addr()?.port(); Err(err) => SamlAuthResult::Failure(format!("{}", err)),
let port_file = temp_dir().join("gpcallback.port"); };
// Write the port to a file println!("{}", json!(auth_result));
fs::write(&port_file, port.to_string())?;
fs::set_permissions(&port_file, fs::Permissions::from_mode(0o600))?;
// Remove the previous log file
let callback_log = temp_dir().join("gpcallback.log");
let _ = fs::remove_file(&callback_log);
info!("Listening authentication data on port {}", port);
info!(
"If it hangs, please check the logs at `{}` for more information",
callback_log.display()
);
let (mut socket, _) = listener.accept().await?;
info!("Received the browser authentication data from the socket");
let mut data = String::new();
socket.read_to_string(&mut data).await?;
// Remove the port file
fs::remove_file(&port_file)?;
let auth_data = SamlAuthData::from_gpcallback(&data)?;
Ok(auth_data)
} }

174
apps/gpauth/src/common.rs Normal file
View File

@ -0,0 +1,174 @@
use std::sync::Arc;
use gpapi::{
auth::{AuthDataParseResult, SamlAuthData},
error::AuthDataParseError,
};
use log::{info, warn};
use regex::Regex;
use crate::auth_messenger::{AuthError, AuthMessenger};
pub struct AuthSettings<'a> {
pub auth_request: AuthRequest<'a>,
pub auth_messenger: Arc<AuthMessenger>,
pub ignore_tls_errors: bool,
}
pub struct AuthRequest<'a>(&'a str);
impl<'a> AuthRequest<'a> {
pub fn new(auth_request: &'a str) -> Self {
Self(auth_request)
}
pub fn is_url(&self) -> bool {
self.0.starts_with("http")
}
pub fn as_str(&self) -> &str {
self.0
}
}
/// Trait for handling authentication response
pub trait AuthResponse {
fn get_header(&self, key: &str) -> Option<String>;
fn get_body<F>(&self, cb: F)
where
F: FnOnce(anyhow::Result<Vec<u8>>) + 'static;
fn url(&self) -> Option<String>;
fn is_acs_endpoint(&self) -> bool {
self.url().map_or(false, |url| url.ends_with("/SAML20/SP/ACS"))
}
}
pub fn read_auth_data(auth_response: &impl AuthResponse, auth_messenger: &Arc<AuthMessenger>) {
let auth_messenger = Arc::clone(auth_messenger);
match read_from_headers(auth_response) {
Ok(auth_data) => {
info!("Found auth data in headers");
auth_messenger.send_auth_data(auth_data);
}
Err(header_err) => {
info!("Failed to read auth data from headers: {}", header_err);
let is_acs_endpoint = auth_response.is_acs_endpoint();
read_from_body(auth_response, move |auth_result| {
// If the endpoint is `/SAML20/SP/ACS` and no auth data found in body, it should be considered as invalid
let auth_result = auth_result.map_err(move |e| {
info!("Failed to read auth data from body: {}", e);
if is_acs_endpoint || e.is_invalid() || header_err.is_invalid() {
AuthError::Invalid
} else {
AuthError::NotFound
}
});
auth_messenger.send_auth_result(auth_result);
});
}
}
}
fn read_from_headers(auth_response: &impl AuthResponse) -> AuthDataParseResult {
let Some(status) = auth_response.get_header("saml-auth-status") else {
info!("No SAML auth status found in headers");
return Err(AuthDataParseError::NotFound);
};
if status != "1" {
info!("Found invalid auth status: {}", status);
return Err(AuthDataParseError::Invalid);
}
let username = auth_response.get_header("saml-username");
let prelogin_cookie = auth_response.get_header("prelogin-cookie");
let portal_userauthcookie = auth_response.get_header("portal-userauthcookie");
SamlAuthData::new(username, prelogin_cookie, portal_userauthcookie).map_err(|e| {
warn!("Found invalid auth data: {}", e);
AuthDataParseError::Invalid
})
}
fn read_from_body<F>(auth_response: &impl AuthResponse, cb: F)
where
F: FnOnce(AuthDataParseResult) + 'static,
{
auth_response.get_body(|body| match body {
Ok(body) => {
let html = String::from_utf8_lossy(&body);
cb(read_from_html(&html))
}
Err(err) => {
info!("Failed to read body: {}", err);
cb(Err(AuthDataParseError::Invalid))
}
});
}
fn read_from_html(html: &str) -> AuthDataParseResult {
if html.contains("Temporarily Unavailable") {
info!("Found 'Temporarily Unavailable' in HTML, auth failed");
return Err(AuthDataParseError::Invalid);
}
SamlAuthData::from_html(html).or_else(|err| {
if let Some(gpcallback) = extract_gpcallback(html) {
info!("Found gpcallback from html...");
SamlAuthData::from_gpcallback(&gpcallback)
} else {
Err(err)
}
})
}
fn extract_gpcallback(html: &str) -> Option<String> {
let re = Regex::new(r#"globalprotectcallback:[^"]+"#).unwrap();
re.captures(html)
.and_then(|captures| captures.get(0))
.map(|m| html_escape::decode_html_entities(m.as_str()).to_string())
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn extract_gpcallback_some() {
let html = r#"
<meta http-equiv="refresh" content="0; URL=globalprotectcallback:PGh0bWw+PCEtLSA8c">
<meta http-equiv="refresh" content="0; URL=globalprotectcallback:PGh0bWw+PCEtLSA8c">
"#;
assert_eq!(
extract_gpcallback(html).as_deref(),
Some("globalprotectcallback:PGh0bWw+PCEtLSA8c")
);
}
#[test]
fn extract_gpcallback_cas() {
let html = r#"
<meta http-equiv="refresh" content="0; URL=globalprotectcallback:cas-as=1&amp;un=xyz@email.com&amp;token=very_long_string">
"#;
assert_eq!(
extract_gpcallback(html).as_deref(),
Some("globalprotectcallback:cas-as=1&un=xyz@email.com&token=very_long_string")
);
}
#[test]
fn extract_gpcallback_none() {
let html = r#"
<meta http-equiv="refresh" content="0; URL=PGh0bWw+PCEtLSA8c">
"#;
assert_eq!(extract_gpcallback(html), None);
}
}

7
apps/gpauth/src/lib.rs Normal file
View File

@ -0,0 +1,7 @@
mod auth_messenger;
mod common;
pub mod auth_window;
#[cfg_attr(not(target_os = "macos"), path = "unix.rs")]
mod platform_impl;

1
apps/gpauth/src/main.rs
View File

@ -1,6 +1,5 @@
#![cfg_attr(not(debug_assertions), windows_subsystem = "windows")] #![cfg_attr(not(debug_assertions), windows_subsystem = "windows")]
mod auth_window;
mod cli; mod cli;
#[tokio::main] #[tokio::main]

133
apps/gpauth/src/unix.rs Normal file
View File

@ -0,0 +1,133 @@
use std::sync::Arc;
use anyhow::bail;
use gpapi::utils::redact::redact_uri;
use log::{info, warn};
use webkit2gtk::{
gio::Cancellable,
glib::{GString, TimeSpan},
LoadEvent, TLSErrorsPolicy, URIResponseExt, WebResource, WebResourceExt, WebView, WebViewExt, WebsiteDataManagerExt,
WebsiteDataManagerExtManual, WebsiteDataTypes,
};
use crate::{
auth_messenger::AuthError,
common::{read_auth_data, AuthRequest, AuthResponse, AuthSettings},
};
impl AuthResponse for WebResource {
fn get_header(&self, key: &str) -> Option<String> {
self
.response()
.and_then(|response| response.http_headers())
.and_then(|headers| headers.one(key))
.map(GString::into)
}
fn get_body<F>(&self, cb: F)
where
F: FnOnce(anyhow::Result<Vec<u8>>) + 'static,
{
let cancellable = Cancellable::NONE;
self.data(cancellable, |data| cb(data.map_err(|e| anyhow::anyhow!(e))));
}
fn url(&self) -> Option<String> {
self.uri().map(GString::into)
}
}
pub fn clear_data<F>(wv: &WebView, cb: F)
where
F: FnOnce(anyhow::Result<()>) + Send + 'static,
{
let Some(data_manager) = wv.website_data_manager() else {
cb(Err(anyhow::anyhow!("Failed to get website data manager")));
return;
};
data_manager.clear(
WebsiteDataTypes::COOKIES,
TimeSpan(0),
Cancellable::NONE,
move |result| {
cb(result.map_err(|e| anyhow::anyhow!(e)));
},
);
}
pub fn setup_webview(wv: &WebView, auth_settings: AuthSettings) -> anyhow::Result<()> {
let AuthSettings {
auth_request,
auth_messenger,
ignore_tls_errors,
} = auth_settings;
let auth_messenger_clone = Arc::clone(&auth_messenger);
let Some(data_manager) = wv.website_data_manager() else {
bail!("Failed to get website data manager");
};
if ignore_tls_errors {
data_manager.set_tls_errors_policy(TLSErrorsPolicy::Ignore);
}
wv.connect_load_changed(move |wv, event| {
if event == LoadEvent::Started {
auth_messenger_clone.cancel_raise_window();
return;
}
if event != LoadEvent::Finished {
return;
}
let Some(main_resource) = wv.main_resource() else {
return;
};
let uri = main_resource.uri().unwrap_or("".into());
if uri.is_empty() {
warn!("Loaded an empty URI");
auth_messenger_clone.send_auth_error(AuthError::Invalid);
return;
}
read_auth_data(&main_resource, &auth_messenger_clone);
});
wv.connect_load_failed_with_tls_errors(move |_wv, uri, cert, err| {
let redacted_uri = redact_uri(uri);
warn!(
"Failed to load uri: {} with error: {}, cert: {}",
redacted_uri, err, cert
);
auth_messenger.send_auth_error(AuthError::TlsError);
true
});
wv.connect_load_failed(move |_wv, _event, uri, err| {
let redacted_uri = redact_uri(uri);
if !uri.starts_with("globalprotectcallback:") {
warn!("Failed to load uri: {} with error: {}", redacted_uri, err);
}
// NOTE: Don't send error here, since load_changed event will be triggered after this
// true to stop other handlers from being invoked for the event. false to propagate the event further.
true
});
load_auth_request(wv, &auth_request);
Ok(())
}
pub fn load_auth_request(wv: &WebView, auth_request: &AuthRequest) {
if auth_request.is_url() {
info!("Loading auth request as URI...");
wv.load_uri(auth_request.as_str());
} else {
info!("Loading auth request as HTML...");
wv.load_html(auth_request.as_str(), None);
}
}

45
apps/gpauth/tauri.conf.json
View File

@ -1,47 +1,16 @@
{ {
"$schema": "https://cdn.jsdelivr.net/gh/tauri-apps/tauri@tauri-v1.5.0/tooling/cli/schema.json", "$schema": "https://cdn.jsdelivr.net/gh/tauri-apps/tauri@tauri-v2.1.1/crates/tauri-cli/config.schema.json",
"build": { "build": {
"distDir": [ "frontendDist": ["index.html"],
"index.html"
],
"devPath": [
"index.html"
],
"beforeDevCommand": "", "beforeDevCommand": "",
"beforeBuildCommand": "", "beforeBuildCommand": ""
"withGlobalTauri": false
}, },
"package": {
"productName": "gpauth",
"version": "0.0.0"
},
"tauri": {
"allowlist": {
"all": false,
"http": {
"all": true,
"request": true,
"scope": [
"http://*",
"https://*"
]
}
},
"bundle": {
"active": true,
"targets": "deb",
"identifier": "com.yuezk.gpauth", "identifier": "com.yuezk.gpauth",
"icon": [ "productName": "gpauth",
"icons/32x32.png", "app": {
"icons/128x128.png", "withGlobalTauri": false,
"icons/128x128@2x.png",
"icons/icon.icns",
"icons/icon.ico"
]
},
"security": { "security": {
"csp": null "csp": null
}, }
"windows": []
} }
} }

39
apps/gpclient/src/cli.rs
View File

@ -1,7 +1,10 @@
use std::{env::temp_dir, fs::File}; use std::{env::temp_dir, fs::File};
use clap::{Parser, Subcommand}; use clap::{Parser, Subcommand};
use gpapi::utils::openssl; use gpapi::{
clap::{handle_error, Args},
utils::openssl,
};
use log::{info, LevelFilter}; use log::{info, LevelFilter};
use tempfile::NamedTempFile; use tempfile::NamedTempFile;
@ -50,12 +53,25 @@ struct Cli {
#[command(subcommand)] #[command(subcommand)]
command: CliCommand, command: CliCommand,
#[arg(long, help = "Uses extended compatibility mode for OpenSSL operations to support a broader range of systems and formats.")] #[arg(
long,
help = "Uses extended compatibility mode for OpenSSL operations to support a broader range of systems and formats."
)]
fix_openssl: bool, fix_openssl: bool,
#[arg(long, help = "Ignore the TLS errors")] #[arg(long, help = "Ignore the TLS errors")]
ignore_tls_errors: bool, ignore_tls_errors: bool,
} }
impl Args for Cli {
fn fix_openssl(&self) -> bool {
self.fix_openssl
}
fn ignore_tls_errors(&self) -> bool {
self.ignore_tls_errors
}
}
impl Cli { impl Cli {
fn fix_openssl(&self) -> anyhow::Result<Option<NamedTempFile>> { fn fix_openssl(&self) -> anyhow::Result<Option<NamedTempFile>> {
if self.fix_openssl { if self.fix_openssl {
@ -113,24 +129,7 @@ pub(crate) async fn run() {
info!("gpclient started: {}", VERSION); info!("gpclient started: {}", VERSION);
if let Err(err) = cli.run().await { if let Err(err) = cli.run().await {
eprintln!("\nError: {}", err); handle_error(err, &cli);
let err = err.to_string();
if err.contains("unsafe legacy renegotiation") && !cli.fix_openssl {
eprintln!("\nRe-run it with the `--fix-openssl` option to work around this issue, e.g.:\n");
// Print the command
let args = std::env::args().collect::<Vec<_>>();
eprintln!("{} --fix-openssl {}\n", args[0], args[1..].join(" "));
}
if err.contains("certificate verify failed") && !cli.ignore_tls_errors {
eprintln!("\nRe-run it with the `--ignore-tls-errors` option to ignore the certificate error, e.g.:\n");
// Print the command
let args = std::env::args().collect::<Vec<_>>();
eprintln!("{} --ignore-tls-errors {}\n", args[0], args[1..].join(" "));
}
std::process::exit(1); std::process::exit(1);
} }
} }

3
apps/gpclient/src/launch_gui.rs
View File

@ -5,6 +5,7 @@ use directories::ProjectDirs;
use gpapi::{ use gpapi::{
process::service_launcher::ServiceLauncher, process::service_launcher::ServiceLauncher,
utils::{endpoint::http_endpoint, env_utils, shutdown_signal}, utils::{endpoint::http_endpoint, env_utils, shutdown_signal},
GP_CALLBACK_PORT_FILENAME,
}; };
use log::info; use log::info;
use tokio::io::AsyncWriteExt; use tokio::io::AsyncWriteExt;
@ -115,7 +116,7 @@ async fn feed_auth_data_gui(auth_data: &str) -> anyhow::Result<()> {
async fn feed_auth_data_cli(auth_data: &str) -> anyhow::Result<()> { async fn feed_auth_data_cli(auth_data: &str) -> anyhow::Result<()> {
info!("Feeding auth data to the CLI"); info!("Feeding auth data to the CLI");
let port_file = temp_dir().join("gpcallback.port"); let port_file = temp_dir().join(GP_CALLBACK_PORT_FILENAME);
let port = tokio::fs::read_to_string(port_file).await?; let port = tokio::fs::read_to_string(port_file).await?;
let mut stream = tokio::net::TcpStream::connect(format!("127.0.0.1:{}", port.trim())).await?; let mut stream = tokio::net::TcpStream::connect(format!("127.0.0.1:{}", port.trim())).await?;

1
apps/gpgui-helper/src-tauri/gen/schemas/acl-manifests.json
View File

File diff suppressed because one or more lines are too long

1
apps/gpgui-helper/src-tauri/gen/schemas/capabilities.json
View File

@ -1 +0,0 @@
{"default":{"identifier":"default","description":"Capability for the main window","local":true,"windows":["main"],"permissions":["core:window:allow-start-dragging","core:event:allow-listen","core:event:allow-emit","core:event:allow-unlisten"]}}

1756
apps/gpgui-helper/src-tauri/gen/schemas/desktop-schema.json
View File

File diff suppressed because it is too large Load Diff

1756
apps/gpgui-helper/src-tauri/gen/schemas/linux-schema.json
View File

File diff suppressed because it is too large Load Diff

78
crates/gpapi/src/auth.rs
View File

@ -1,11 +1,14 @@
use std::borrow::{Borrow, Cow}; use std::borrow::{Borrow, Cow};
use anyhow::bail;
use log::{info, warn}; use log::{info, warn};
use regex::Regex; use regex::Regex;
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use crate::{error::AuthDataParseError, utils::base64::decode_to_string}; use crate::{error::AuthDataParseError, utils::base64::decode_to_string};
pub type AuthDataParseResult = anyhow::Result<SamlAuthData, AuthDataParseError>;
#[derive(Debug, Serialize, Deserialize)] #[derive(Debug, Serialize, Deserialize)]
#[serde(rename_all = "camelCase")] #[serde(rename_all = "camelCase")]
pub struct SamlAuthData { pub struct SamlAuthData {
@ -33,33 +36,51 @@ impl SamlAuthResult {
} }
impl SamlAuthData { impl SamlAuthData {
pub fn new(username: String, prelogin_cookie: Option<String>, portal_userauthcookie: Option<String>) -> Self { pub fn new(
Self { username: Option<String>,
username, prelogin_cookie: Option<String>,
prelogin_cookie, portal_userauthcookie: Option<String>,
portal_userauthcookie, ) -> anyhow::Result<Self> {
token: None, let username = username.unwrap_or_default();
} if username.is_empty() {
bail!("Invalid username: <empty>");
} }
pub fn from_html(html: &str) -> anyhow::Result<SamlAuthData, AuthDataParseError> { let prelogin_cookie = prelogin_cookie.unwrap_or_default();
let portal_userauthcookie = portal_userauthcookie.unwrap_or_default();
if prelogin_cookie.len() <= 5 && portal_userauthcookie.len() <= 5 {
bail!(
"Invalid prelogin-cookie: {}, portal-userauthcookie: {}",
prelogin_cookie,
portal_userauthcookie
);
}
Ok(Self {
username,
prelogin_cookie: Some(prelogin_cookie),
portal_userauthcookie: Some(portal_userauthcookie),
token: None,
})
}
pub fn from_html(html: &str) -> AuthDataParseResult {
match parse_xml_tag(html, "saml-auth-status") { match parse_xml_tag(html, "saml-auth-status") {
Some(saml_status) if saml_status == "1" => { Some(status) if status == "1" => {
let username = parse_xml_tag(html, "saml-username"); let username = parse_xml_tag(html, "saml-username");
let prelogin_cookie = parse_xml_tag(html, "prelogin-cookie"); let prelogin_cookie = parse_xml_tag(html, "prelogin-cookie");
let portal_userauthcookie = parse_xml_tag(html, "portal-userauthcookie"); let portal_userauthcookie = parse_xml_tag(html, "portal-userauthcookie");
if SamlAuthData::check(&username, &prelogin_cookie, &portal_userauthcookie) { SamlAuthData::new(username, prelogin_cookie, portal_userauthcookie).map_err(|e| {
Ok(SamlAuthData::new( warn!("Failed to parse auth data: {}", e);
username.unwrap(), AuthDataParseError::Invalid
prelogin_cookie, })
portal_userauthcookie, }
)) Some(status) => {
} else { warn!("Found invalid auth status: {}", status);
Err(AuthDataParseError::Invalid) Err(AuthDataParseError::Invalid)
} }
}
Some(_) => Err(AuthDataParseError::Invalid),
None => Err(AuthDataParseError::NotFound), None => Err(AuthDataParseError::NotFound),
} }
} }
@ -105,27 +126,6 @@ impl SamlAuthData {
pub fn token(&self) -> Option<&str> { pub fn token(&self) -> Option<&str> {
self.token.as_deref() self.token.as_deref()
} }
pub fn check(
username: &Option<String>,
prelogin_cookie: &Option<String>,
portal_userauthcookie: &Option<String>,
) -> bool {
let username_valid = username.as_ref().is_some_and(|username| !username.is_empty());
let prelogin_cookie_valid = prelogin_cookie.as_ref().is_some_and(|val| val.len() > 5);
let portal_userauthcookie_valid = portal_userauthcookie.as_ref().is_some_and(|val| val.len() > 5);
let is_valid = username_valid && (prelogin_cookie_valid || portal_userauthcookie_valid);
if !is_valid {
warn!(
"Invalid SAML auth data: username: {:?}, prelogin-cookie: {:?}, portal-userauthcookie: {:?}",
username, prelogin_cookie, portal_userauthcookie
);
}
is_valid
}
} }
pub fn parse_xml_tag(html: &str, tag: &str) -> Option<String> { pub fn parse_xml_tag(html: &str, tag: &str) -> Option<String> {

27
crates/gpapi/src/clap/mod.rs
View File

@ -1 +1,28 @@
use crate::error::PortalError;
pub mod args; pub mod args;
pub trait Args {
fn fix_openssl(&self) -> bool;
fn ignore_tls_errors(&self) -> bool;
}
pub fn handle_error(err: anyhow::Error, args: &impl Args) {
eprintln!("\nError: {}", err);
let Some(err) = err.downcast_ref::<PortalError>() else {
return;
};
if err.is_legacy_openssl_error() && !args.fix_openssl() {
eprintln!("\nRe-run it with the `--fix-openssl` option to work around this issue, e.g.:\n");
let args = std::env::args().collect::<Vec<_>>();
eprintln!("{} --fix-openssl {}\n", args[0], args[1..].join(" "));
}
if err.is_tls_error() && !args.ignore_tls_errors() {
eprintln!("\nRe-run it with the `--ignore-tls-errors` option to ignore the certificate error, e.g.:\n");
let args = std::env::args().collect::<Vec<_>>();
eprintln!("{} --ignore-tls-errors {}\n", args[0], args[1..].join(" "));
}
}

20
crates/gpapi/src/error.rs
View File

@ -7,7 +7,19 @@ pub enum PortalError {
#[error("Portal config error: {0}")] #[error("Portal config error: {0}")]
ConfigError(String), ConfigError(String),
#[error("Network error: {0}")] #[error("Network error: {0}")]
NetworkError(String), NetworkError(#[from] reqwest::Error),
#[error("TLS error")]
TlsError,
}
impl PortalError {
pub fn is_legacy_openssl_error(&self) -> bool {
format!("{:?}", self).contains("unsafe legacy renegotiation")
}
pub fn is_tls_error(&self) -> bool {
matches!(self, PortalError::TlsError) || format!("{:?}", self).contains("certificate verify failed")
}
} }
#[derive(Error, Debug)] #[derive(Error, Debug)]
@ -17,3 +29,9 @@ pub enum AuthDataParseError {
#[error("Invalid auth data")] #[error("Invalid auth data")]
Invalid, Invalid,
} }
impl AuthDataParseError {
pub fn is_invalid(&self) -> bool {
matches!(self, AuthDataParseError::Invalid)
}
}

2
crates/gpapi/src/gateway/login.rs
View File

@ -36,7 +36,7 @@ pub async fn gateway_login(gateway: &str, cred: &Credential, gp_params: &GpParam
.form(&params) .form(&params)
.send() .send()
.await .await
.map_err(|e| anyhow::anyhow!(PortalError::NetworkError(e.to_string())))?; .map_err(|e| anyhow::anyhow!(PortalError::NetworkError(e)))?;
let res = parse_gp_response(res).await.map_err(|err| { let res = parse_gp_response(res).await.map_err(|err| {
warn!("{err}"); warn!("{err}");

1
crates/gpapi/src/lib.rs
View File

@ -16,6 +16,7 @@ pub const GP_API_KEY: &[u8; 32] = &[0; 32];
pub const GP_USER_AGENT: &str = "PAN GlobalProtect"; pub const GP_USER_AGENT: &str = "PAN GlobalProtect";
pub const GP_SERVICE_LOCK_FILE: &str = "/var/run/gpservice.lock"; pub const GP_SERVICE_LOCK_FILE: &str = "/var/run/gpservice.lock";
pub const GP_CALLBACK_PORT_FILENAME: &str = "gpcallback.port";
#[cfg(not(debug_assertions))] #[cfg(not(debug_assertions))]
pub const GP_CLIENT_BINARY: &str = "/usr/bin/gpclient"; pub const GP_CLIENT_BINARY: &str = "/usr/bin/gpclient";

2
crates/gpapi/src/portal/config.rs
View File

@ -116,7 +116,7 @@ pub async fn retrieve_config(portal: &str, cred: &Credential, gp_params: &GpPara
.form(&params) .form(&params)
.send() .send()
.await .await
.map_err(|e| anyhow::anyhow!(PortalError::NetworkError(e.to_string())))?; .map_err(|e| anyhow::anyhow!(PortalError::NetworkError(e)))?;
let res_xml = parse_gp_response(res).await.or_else(|err| { let res_xml = parse_gp_response(res).await.or_else(|err| {
if err.status == StatusCode::NOT_FOUND { if err.status == StatusCode::NOT_FOUND {

4
crates/gpapi/src/portal/prelogin.rs
View File

@ -116,14 +116,12 @@ pub async fn prelogin(portal: &str, gp_params: &GpParams) -> anyhow::Result<Prel
let client = Client::try_from(gp_params)?; let client = Client::try_from(gp_params)?;
info!("Perform prelogin, user_agent: {}", gp_params.user_agent());
let res = client let res = client
.post(&prelogin_url) .post(&prelogin_url)
.form(&params) .form(&params)
.send() .send()
.await .await
.map_err(|e| anyhow::anyhow!(PortalError::NetworkError(e.to_string())))?; .map_err(|e| anyhow::anyhow!(PortalError::NetworkError(e)))?;
let res_xml = parse_gp_response(res).await.or_else(|err| { let res_xml = parse_gp_response(res).await.or_else(|err| {
if err.status == StatusCode::NOT_FOUND { if err.status == StatusCode::NOT_FOUND {

26
crates/gpapi/src/utils/window.rs
View File

@ -7,17 +7,12 @@ use tokio::process::Command;
pub trait WindowExt { pub trait WindowExt {
fn raise(&self) -> anyhow::Result<()>; fn raise(&self) -> anyhow::Result<()>;
fn hide_menu(&self);
} }
impl WindowExt for WebviewWindow { impl WindowExt for WebviewWindow {
fn raise(&self) -> anyhow::Result<()> { fn raise(&self) -> anyhow::Result<()> {
raise_window(self) raise_window(self)
} }
fn hide_menu(&self) {
hide_menu(self);
}
} }
pub fn raise_window(win: &WebviewWindow) -> anyhow::Result<()> { pub fn raise_window(win: &WebviewWindow) -> anyhow::Result<()> {
@ -40,7 +35,7 @@ pub fn raise_window(win: &WebviewWindow) -> anyhow::Result<()> {
// Calling window.show() on Windows will cause the menu to be shown. // Calling window.show() on Windows will cause the menu to be shown.
// We need to hide it again. // We need to hide it again.
hide_menu(win); win.hide_menu()?;
Ok(()) Ok(())
} }
@ -76,22 +71,3 @@ async fn wmctrl_try_raise_window(title: &str) -> anyhow::Result<ExitStatus> {
Ok(exit_status) Ok(exit_status)
} }
fn hide_menu(win: &WebviewWindow) {
// let menu_handle = win.menu_handle();
// tokio::spawn(async move {
// loop {
// let menu_visible = menu_handle.is_visible().unwrap_or(false);
// if !menu_visible {
// break;
// }
// if menu_visible {
// let _ = menu_handle.hide();
// tokio::time::sleep(Duration::from_millis(10)).await;
// }
// }
// });
}