Support CAS authentication

crates/gpapi/src/auth.rs

@@ -1,13 +1,17 @@
-use anyhow::anyhow;
+use log::{info, warn};
 use regex::Regex;
 use serde::{Deserialize, Serialize};
 
+use crate::{error::AuthDataParseError, utils::base64::decode_to_string};
+
 #[derive(Debug, Serialize, Deserialize)]
 #[serde(rename_all = "camelCase")]
 pub struct SamlAuthData {
+  #[serde(alias = "un")]
   username: String,
   prelogin_cookie: Option<String>,
   portal_userauthcookie: Option<String>,
+  token: Option<String>,
 }
 
 #[derive(Debug, Serialize, Deserialize)]
@@ -32,10 +36,11 @@ impl SamlAuthData {
       username,
       prelogin_cookie,
       portal_userauthcookie,
+      token: None,
     }
   }
 
-  pub fn from_html(html: &str) -> anyhow::Result<SamlAuthData> {
+  pub fn from_html(html: &str) -> anyhow::Result<SamlAuthData, AuthDataParseError> {
     match parse_xml_tag(html, "saml-auth-status") {
       Some(saml_status) if saml_status == "1" => {
         let username = parse_xml_tag(html, "saml-username");
@@ -49,11 +54,36 @@ impl SamlAuthData {
             portal_userauthcookie,
           ))
         } else {
-          Err(anyhow!("Found invalid auth data in HTML"))
+          Err(AuthDataParseError::Invalid)
         }
       }
-      Some(status) => Err(anyhow!("Found invalid SAML status {} in HTML", status)),
-      None => Err(anyhow!("No auth data found in HTML")),
+      Some(_) => Err(AuthDataParseError::Invalid),
+      None => Err(AuthDataParseError::NotFound),
+    }
+  }
+
+  pub fn from_gpcallback(data: &str) -> anyhow::Result<SamlAuthData, AuthDataParseError> {
+    let auth_data = data.trim_start_matches("globalprotectcallback:");
+
+    if auth_data.starts_with("cas-as") {
+      info!("Got token auth data: {}", auth_data);
+
+      let token_cred: SamlAuthData = serde_urlencoded::from_str(auth_data).map_err(|e| {
+        warn!("Failed to parse token auth data: {}", e);
+        AuthDataParseError::Invalid
+      })?;
+
+      Ok(token_cred)
+    } else {
+      info!("Parsing SAML auth data...");
+
+      let auth_data = decode_to_string(auth_data).map_err(|e| {
+        warn!("Failed to decode SAML auth data: {}", e);
+        AuthDataParseError::Invalid
+      })?;
+      let auth_data = Self::from_html(&auth_data)?;
+
+      Ok(auth_data)
     }
   }
 
@@ -65,6 +95,10 @@ impl SamlAuthData {
     self.prelogin_cookie.as_deref()
   }
 
+  pub fn token(&self) -> Option<&str> {
+    self.token.as_deref()
+  }
+
   pub fn check(
     username: &Option<String>,
     prelogin_cookie: &Option<String>,
@@ -74,7 +108,16 @@ impl SamlAuthData {
     let prelogin_cookie_valid = prelogin_cookie.as_ref().is_some_and(|val| val.len() > 5);
     let portal_userauthcookie_valid = portal_userauthcookie.as_ref().is_some_and(|val| val.len() > 5);
 
-    username_valid && (prelogin_cookie_valid || portal_userauthcookie_valid)
+    let is_valid = username_valid && (prelogin_cookie_valid || portal_userauthcookie_valid);
+
+    if !is_valid {
+      warn!(
+        "Invalid SAML auth data: username: {:?}, prelogin-cookie: {:?}, portal-userauthcookie: {:?}",
+        username, prelogin_cookie, portal_userauthcookie
+      );
+    }
+
+    is_valid
   }
 }
 
@@ -84,3 +127,28 @@ pub fn parse_xml_tag(html: &str, tag: &str) -> Option<String> {
     .and_then(|captures| captures.get(1))
     .map(|m| m.as_str().to_string())
 }
+
+#[cfg(test)]
+mod tests {
+  use super::*;
+
+  #[test]
+  fn auth_data_from_gpcallback_cas() {
+    let auth_data = "globalprotectcallback:cas-as=1&un=xyz@email.com&token=very_long_string";
+
+    let auth_data = SamlAuthData::from_gpcallback(auth_data).unwrap();
+
+    assert_eq!(auth_data.username(), "xyz@email.com");
+    assert_eq!(auth_data.token(), Some("very_long_string"));
+  }
+
+  #[test]
+  fn auth_data_from_gpcallback_non_cas() {
+    let auth_data = "PGh0bWw+PCEtLSA8c2FtbC1hdXRoLXN0YXR1cz4xPC9zYW1sLWF1dGgtc3RhdHVzPjxwcmVsb2dpbi1jb29raWU+cHJlbG9naW4tY29va2llPC9wcmVsb2dpbi1jb29raWU+PHNhbWwtdXNlcm5hbWU+eHl6QGVtYWlsLmNvbTwvc2FtbC11c2VybmFtZT48c2FtbC1zbG8+bm88L3NhbWwtc2xvPjxzYW1sLVNlc3Npb25Ob3RPbk9yQWZ0ZXI+PC9zYW1sLVNlc3Npb25Ob3RPbk9yQWZ0ZXI+IC0tPjwvaHRtbD4=";
+
+    let auth_data = SamlAuthData::from_gpcallback(auth_data).unwrap();
+
+    assert_eq!(auth_data.username(), "xyz@email.com");
+    assert_eq!(auth_data.prelogin_cookie(), Some("prelogin-cookie"));
+  }
+}