Release 2.1.4

.github/workflows/build.yaml

@@ -25,7 +25,7 @@ jobs:
         id: set-matrix
         run: |
           if [[ "${{ github.ref }}" == "refs/tags/"* ]]; then
-            echo 'matrix=[{"runner": "ubuntu-latest", "arch": "amd64"}, {"runner": "arm64", "arch": "arm64"]' >> $GITHUB_OUTPUT
+            echo 'matrix=[{"runner": "ubuntu-latest", "arch": "amd64"}, {"runner": "arm64", "arch": "arm64"}]' >> $GITHUB_OUTPUT
           else
             echo 'matrix=[{"runner": "ubuntu-latest", "arch": "amd64"}]' >> $GITHUB_OUTPUT
           fi
@@ -182,7 +182,7 @@ jobs:
         gh -R "$REPO" release create $RELEASE_TAG \
           --title "$RELEASE_TAG" \
           --notes "$NOTES" \
-          --target ${{ github.ref }} \
+          ${{ github.ref == 'refs/heads/dev' && '--target dev' || '' }} \
           ${{ github.ref == 'refs/heads/dev' && '--prerelease' || '' }} \
           gh-release/artifact-source/* \
           gh-release/artifact-gpgui-*/*

Cargo.lock

@@ -564,7 +564,7 @@ dependencies = [
 
 [[package]]
 name = "common"
-version = "2.1.2"
+version = "2.1.4"
 dependencies = [
  "is_executable",
 ]
@@ -1430,7 +1430,7 @@ dependencies = [
 
 [[package]]
 name = "gpapi"
-version = "2.1.2"
+version = "2.1.4"
 dependencies = [
  "anyhow",
  "base64 0.21.5",
@@ -1462,7 +1462,7 @@ dependencies = [
 
 [[package]]
 name = "gpauth"
-version = "2.1.2"
+version = "2.1.4"
 dependencies = [
  "anyhow",
  "clap",
@@ -1483,7 +1483,7 @@ dependencies = [
 
 [[package]]
 name = "gpclient"
-version = "2.1.2"
+version = "2.1.4"
 dependencies = [
  "anyhow",
  "clap",
@@ -1505,7 +1505,7 @@ dependencies = [
 
 [[package]]
 name = "gpgui-helper"
-version = "2.1.2"
+version = "2.1.4"
 dependencies = [
  "anyhow",
  "clap",
@@ -1523,7 +1523,7 @@ dependencies = [
 
 [[package]]
 name = "gpservice"
-version = "2.1.2"
+version = "2.1.4"
 dependencies = [
  "anyhow",
  "axum",
@@ -2537,7 +2537,7 @@ dependencies = [
 
 [[package]]
 name = "openconnect"
-version = "2.1.2"
+version = "2.1.4"
 dependencies = [
  "cc",
  "common",

Cargo.toml

@@ -5,7 +5,7 @@ members = ["crates/*", "apps/gpclient", "apps/gpservice", "apps/gpauth", "apps/g
 
 [workspace.package]
 rust-version = "1.70"
-version = "2.1.2"
+version = "2.1.4"
 authors = ["Kevin Yue <k3vinyue@gmail.com>"]
 homepage = "https://github.com/yuezk/GlobalProtect-openconnect"
 edition = "2021"

apps/gpauth/src/auth_window.rs

@@ -366,17 +366,14 @@ fn read_auth_data_from_html(html: &str) -> Result<SamlAuthData, AuthDataParseErr
     return Err(AuthDataParseError::Invalid);
   }
 
-  match SamlAuthData::from_html(html) {
-    Ok(auth_data) => Ok(auth_data),
-    Err(err) => {
-      if let Some(gpcallback) = extract_gpcallback(html) {
-        info!("Found gpcallback from html...");
-        SamlAuthData::from_gpcallback(&gpcallback)
-      } else {
-        Err(err)
-      }
+  SamlAuthData::from_html(html).or_else(|err| {
+    if let Some(gpcallback) = extract_gpcallback(html) {
+      info!("Found gpcallback from html...");
+      SamlAuthData::from_gpcallback(&gpcallback)
+    } else {
+      Err(err)
     }
-  }
+  })
 }
 
 fn extract_gpcallback(html: &str) -> Option<String> {

apps/gpclient/src/connect.rs

@@ -6,7 +6,7 @@ use gpapi::{
   clap::args::Os,
   credential::{Credential, PasswordCredential},
   error::PortalError,
-  gateway::gateway_login,
+  gateway::{gateway_login, GatewayLogin},
   gp_params::{ClientOs, GpParams},
   portal::{prelogin, retrieve_config, Prelogin},
   process::{
@@ -32,7 +32,7 @@ pub(crate) struct ConnectArgs {
   user: Option<String>,
   #[arg(long, short, help = "The VPNC script to use")]
   script: Option<String>,
-  #[arg(long, help = "Treat the server as a gateway, instead of a portal")]
+  #[arg(long, help = "Connect the server as a gateway, instead of a portal")]
   as_gateway: bool,
 
   #[arg(
@@ -154,7 +154,7 @@ impl<'a> ConnectHandler<'a> {
     let gateway = selected_gateway.server();
     let cred = portal_config.auth_cookie().into();
 
-    let cookie = match gateway_login(gateway, &cred, &gp_params).await {
+    let cookie = match self.login_gateway(gateway, &cred, &gp_params).await {
       Ok(cookie) => cookie,
       Err(err) => {
         info!("Gateway login failed: {}", err);
@@ -174,11 +174,28 @@ impl<'a> ConnectHandler<'a> {
     let prelogin = prelogin(gateway, &gp_params).await?;
     let cred = self.obtain_credential(&prelogin, gateway).await?;
 
-    let cookie = gateway_login(gateway, &cred, &gp_params).await?;
+    let cookie = self.login_gateway(gateway, &cred, &gp_params).await?;
 
     self.connect_gateway(gateway, &cookie).await
   }
 
+  async fn login_gateway(&self, gateway: &str, cred: &Credential, gp_params: &GpParams) -> anyhow::Result<String> {
+    let mut gp_params = gp_params.clone();
+
+    loop {
+      match gateway_login(gateway, cred, &gp_params).await? {
+        GatewayLogin::Cookie(cookie) => return Ok(cookie),
+        GatewayLogin::Mfa(message, input_str) => {
+          let otp = Text::new(&message).prompt()?;
+          gp_params.set_input_str(&input_str);
+          gp_params.set_otp(&otp);
+
+          info!("Retrying gateway login with MFA...");
+        }
+      }
+    }
+  }
+
   async fn connect_gateway(&self, gateway: &str, cookie: &str) -> anyhow::Result<()> {
     let mtu = self.args.mtu.unwrap_or(0);
     let csd_uid = get_csd_uid(&self.args.csd_user)?;

changelog.md

@@ -1,5 +1,17 @@
 # Changelog
 
+## 2.1.4 - 2024-04-10
+
+- Support MFA authentication (fix [#343](https://github.com/yuezk/GlobalProtect-openconnect/issues/343))
+- Improve the Gateway switcher UI
+
+## 2.1.3 - 2024-04-07
+
+- Support CAS authentication (fix [#339](https://github.com/yuezk/GlobalProtect-openconnect/issues/339))
+- CLI: Add `--as-gateway` option to connect as gateway directly (fix [#318](https://github.com/yuezk/GlobalProtect-openconnect/issues/318))
+- GUI: Support connect the gateway directly (fix [#318](https://github.com/yuezk/GlobalProtect-openconnect/issues/318))
+- GUI: Add an option to use symbolic tray icon (fix [#341](https://github.com/yuezk/GlobalProtect-openconnect/issues/341))
+
 ## 2.1.2 - 2024-03-29
 
 - Treat portal as gateway when the gateway login is failed (fix #338)

crates/gpapi/src/credential.rs

@@ -162,7 +162,7 @@ pub enum Credential {
   Password(PasswordCredential),
   Prelogin(PreloginCredential),
   AuthCookie(AuthCookieCredential),
-  CachedCredential(CachedCredential),
+  Cached(CachedCredential),
 }
 
 impl Credential {
@@ -179,7 +179,7 @@ impl Credential {
       Credential::Password(cred) => cred.username(),
       Credential::Prelogin(cred) => cred.username(),
       Credential::AuthCookie(cred) => cred.username(),
-      Credential::CachedCredential(cred) => cred.username(),
+      Credential::Cached(cred) => cred.username(),
     }
   }
 
@@ -197,7 +197,7 @@ impl Credential {
         Some(cred.prelogon_user_auth_cookie()),
         None,
       ),
-      Credential::CachedCredential(cred) => (
+      Credential::Cached(cred) => (
         cred.password(),
         None,
         Some(cred.auth_cookie.user_auth_cookie()),
@@ -244,6 +244,6 @@ impl From<&AuthCookieCredential> for Credential {
 
 impl From<&CachedCredential> for Credential {
   fn from(value: &CachedCredential) -> Self {
-    Self::CachedCredential(value.clone())
+    Self::Cached(value.clone())
   }
 }

crates/gpapi/src/gateway/login.rs

@@ -11,7 +11,12 @@ use crate::{
   utils::{normalize_server, parse_gp_error, remove_url_scheme},
 };
 
-pub async fn gateway_login(gateway: &str, cred: &Credential, gp_params: &GpParams) -> anyhow::Result<String> {
+pub enum GatewayLogin {
+  Cookie(String),
+  Mfa(String, String),
+}
+
+pub async fn gateway_login(gateway: &str, cred: &Credential, gp_params: &GpParams) -> anyhow::Result<GatewayLogin> {
   let url = normalize_server(gateway)?;
   let gateway = remove_url_scheme(&url);
 
@@ -49,10 +54,22 @@ pub async fn gateway_login(gateway: &str, cred: &Credential, gp_params: &GpParam
     bail!("Gateway login error, reason: {}", reason);
   }
 
-  let res_xml = res.text().await?;
-  let doc = Document::parse(&res_xml)?;
+  let res = res.text().await?;
 
-  build_gateway_token(&doc, gp_params.computer())
+  // MFA detected
+  if res.contains("Challenge") {
+    let Some((message, input_str)) = parse_mfa(&res) else {
+      bail!("Failed to parse MFA challenge: {res}");
+    };
+
+    return Ok(GatewayLogin::Mfa(message, input_str));
+  }
+
+  let doc = Document::parse(&res)?;
+
+  let cookie = build_gateway_token(&doc, gp_params.computer())?;
+
+  Ok(GatewayLogin::Cookie(cookie))
 }
 
 fn build_gateway_token(doc: &Document, computer: &str) -> anyhow::Result<String> {
@@ -86,3 +103,33 @@ fn read_args<'a>(args: &'a [String], index: usize, key: &'a str) -> anyhow::Resu
     .ok_or_else(|| anyhow::anyhow!("Failed to read {key} from args"))
     .map(|s| (key, s.as_ref()))
 }
+
+fn parse_mfa(res: &str) -> Option<(String, String)> {
+  let message = res
+    .lines()
+    .find(|l| l.contains("respMsg"))
+    .and_then(|l| l.split('"').nth(1).map(|s| s.to_string()))?;
+
+  let input_str = res
+    .lines()
+    .find(|l| l.contains("inputStr"))
+    .and_then(|l| l.split('"').nth(1).map(|s| s.to_string()))?;
+
+  Some((message, input_str))
+}
+
+#[cfg(test)]
+mod tests {
+  use super::*;
+
+  #[test]
+  fn mfa() {
+    let res = r#"var respStatus = "Challenge";
+var respMsg = "MFA message";
+thisForm.inputStr.value = "5ef64e83000119ed";"#;
+
+    let (message, input_str) = parse_mfa(res).unwrap();
+    assert_eq!(message, "MFA message");
+    assert_eq!(input_str, "5ef64e83000119ed");
+  }
+}

crates/gpapi/src/gp_params.rs

@@ -42,7 +42,7 @@ impl ClientOs {
   }
 }
 
-#[derive(Debug, Serialize, Deserialize, Type, Default)]
+#[derive(Debug, Serialize, Deserialize, Type, Default, Clone)]
 pub struct GpParams {
   is_gateway: bool,
   user_agent: String,
@@ -51,6 +51,9 @@ pub struct GpParams {
   client_version: Option<String>,
   computer: String,
   ignore_tls_errors: bool,
+  // Used for MFA
+  input_str: Option<String>,
+  otp: Option<String>,
 }
 
 impl GpParams {
@@ -90,6 +93,14 @@ impl GpParams {
     self.client_version.as_deref()
   }
 
+  pub fn set_input_str(&mut self, input_str: &str) {
+    self.input_str = Some(input_str.to_string());
+  }
+
+  pub fn set_otp(&mut self, otp: &str) {
+    self.otp = Some(otp.to_string());
+  }
+
   pub(crate) fn to_params(&self) -> HashMap<&str, &str> {
     let mut params: HashMap<&str, &str> = HashMap::new();
     let client_os = self.client_os.as_str();
@@ -100,11 +111,16 @@ impl GpParams {
     params.insert("ok", "Login");
     params.insert("direct", "yes");
     params.insert("ipv6-support", "yes");
-    params.insert("inputStr", "");
     params.insert("clientVer", "4100");
     params.insert("clientos", client_os);
     params.insert("computer", &self.computer);
 
+    // MFA
+    params.insert("inputStr", self.input_str.as_deref().unwrap_or_default());
+    if let Some(otp) = &self.otp {
+      params.insert("passwd", otp);
+    }
+
     if let Some(os_version) = &self.os_version {
       params.insert("os-version", os_version);
     }
@@ -130,13 +146,15 @@ pub struct GpParamsBuilder {
 
 impl GpParamsBuilder {
   pub fn new() -> Self {
+    let computer = whoami::fallible::hostname().unwrap_or_else(|_| String::from("localhost"));
+
     Self {
       is_gateway: false,
       user_agent: GP_USER_AGENT.to_string(),
       client_os: ClientOs::Linux,
       os_version: Default::default(),
       client_version: Default::default(),
-      computer: whoami::hostname(),
+      computer,
       ignore_tls_errors: false,
     }
   }
@@ -185,6 +203,8 @@ impl GpParamsBuilder {
       client_version: self.client_version.clone(),
       computer: self.computer.clone(),
       ignore_tls_errors: self.ignore_tls_errors,
+      input_str: Default::default(),
+      otp: Default::default(),
     }
   }
 }