Fix CI

.github/workflows/build.yaml

@@ -25,9 +25,9 @@ jobs:
         id: set-matrix
         run: |
           if [[ "${{ github.ref }}" == "refs/tags/"* ]]; then
-            echo "matrix=[\"ubuntu-latest\", \"arm64\"]" >> $GITHUB_OUTPUT
+            echo 'matrix=[{"runner": "ubuntu-latest", "arch": "amd64"}, {"runner": "arm64", "arch": "arm64"}]' >> $GITHUB_OUTPUT
           else
-            echo "matrix=[\"ubuntu-latest\"]" >> $GITHUB_OUTPUT
+            echo 'matrix=[{"runner": "ubuntu-latest", "arch": "amd64"}]' >> $GITHUB_OUTPUT
           fi
 
   tarball:
@@ -70,7 +70,8 @@ jobs:
       matrix:
         os: ${{fromJson(needs.setup-matrix.outputs.matrix)}}
         package: [deb, rpm, pkg, binary]
-    runs-on: ${{ matrix.os }}
+    runs-on: ${{ matrix.os.runner }}
+    name: build-gp (${{ matrix.package }}, ${{ matrix.os.arch }})
     steps:
     - name: Prepare workspace
       run: |
@@ -98,7 +99,7 @@ jobs:
     - name: Upload ${{ matrix.package }} package
       uses: actions/upload-artifact@v3
       with:
-        name: artifact-gp-${{ matrix.os }}-${{ matrix.package }}
+        name: artifact-gp-${{ matrix.package }}-${{ matrix.os.arch }}
         if-no-files-found: error
         path: |
           build-gp-${{ matrix.package }}/artifacts/*
@@ -109,7 +110,8 @@ jobs:
     strategy:
       matrix:
         os: ${{fromJson(needs.setup-matrix.outputs.matrix)}}
-    runs-on: ${{ matrix.os }}
+    runs-on: ${{ matrix.os.runner }}
+    name: build-gpgui (${{ matrix.os.arch }})
     steps:
     - uses: pnpm/action-setup@v2
       with:
@@ -148,16 +150,17 @@ jobs:
     - name: Upload gpgui
       uses: actions/upload-artifact@v3
       with:
-        name: artifact-gpgui-${{ matrix.os }}
+        name: artifact-gpgui-${{ matrix.os.arch }}
         if-no-files-found: error
         path: |
           gpgui-source/*.bin.tar.xz
           gpgui-source/*.bin.tar.xz.sha256
 
   gh-release:
-    if: startsWith(github.ref, 'refs/tags/') || github.ref == 'refs/heads/dev'
+    if: ${{ github.ref == 'refs/heads/dev' || startsWith(github.ref, 'refs/tags/') }}
     runs-on: ubuntu-latest
     needs:
+      - tarball
       - build-gp
       - build-gpgui
 
@@ -172,12 +175,14 @@ jobs:
       env:
         GH_TOKEN: ${{ secrets.GH_PAT }}
         RELEASE_TAG: ${{ github.ref == 'refs/heads/dev' && 'snapshot' || github.ref_name }}
+        REPO: ${{ github.repository }}
+        NOTES: ${{ github.ref == 'refs/heads/dev' && '**!!! DO NOT USE THIS RELEASE IN PRODUCTION !!!**' || format('Release {0}', github.ref_name) }}
       run: |
-        gh release delete $RELEASE_TAG --yes --cleanup-tag || true
-        gh release create $RELEASE_TAG \
+        gh -R "$REPO" release delete $RELEASE_TAG --yes --cleanup-tag || true
+        gh -R "$REPO" release create $RELEASE_TAG \
           --title "$RELEASE_TAG" \
-          --notes "Release $RELEASE_TAG" \
-          --target ${{ github.ref}} \
+          --notes "$NOTES" \
+          ${{ github.ref == 'refs/heads/dev' && '--target dev' || '' }} \
           ${{ github.ref == 'refs/heads/dev' && '--prerelease' || '' }} \
-          "gh-release/artifact-source/*" \
-          "gh-release/artifact-gpgui-*/*"
+          gh-release/artifact-source/* \
+          gh-release/artifact-gpgui-*/*

Cargo.lock

@@ -564,7 +564,7 @@ dependencies = [
 
 [[package]]
 name = "common"
-version = "2.1.2"
+version = "2.1.3"
 dependencies = [
  "is_executable",
 ]
@@ -1430,7 +1430,7 @@ dependencies = [
 
 [[package]]
 name = "gpapi"
-version = "2.1.2"
+version = "2.1.3"
 dependencies = [
  "anyhow",
  "base64 0.21.5",
@@ -1462,13 +1462,14 @@ dependencies = [
 
 [[package]]
 name = "gpauth"
-version = "2.1.2"
+version = "2.1.3"
 dependencies = [
  "anyhow",
  "clap",
  "compile-time",
  "env_logger",
  "gpapi",
+ "html-escape",
  "log",
  "regex",
  "serde_json",
@@ -1482,7 +1483,7 @@ dependencies = [
 
 [[package]]
 name = "gpclient"
-version = "2.1.2"
+version = "2.1.3"
 dependencies = [
  "anyhow",
  "clap",
@@ -1504,7 +1505,7 @@ dependencies = [
 
 [[package]]
 name = "gpgui-helper"
-version = "2.1.2"
+version = "2.1.3"
 dependencies = [
  "anyhow",
  "clap",
@@ -1522,7 +1523,7 @@ dependencies = [
 
 [[package]]
 name = "gpservice"
-version = "2.1.2"
+version = "2.1.3"
 dependencies = [
  "anyhow",
  "axum",
@@ -1598,9 +1599,9 @@ dependencies = [
 
 [[package]]
 name = "h2"
-version = "0.3.24"
+version = "0.3.26"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bb2c4422095b67ee78da96fbb51a4cc413b3b25883c7717ff7ca1ab31022c9c9"
+checksum = "81fe527a889e1532da5c525686d96d4c2e74cdd345badf8dfef9f6b39dd5f5e8"
 dependencies = [
  "bytes",
  "fnv",
@@ -1617,9 +1618,9 @@ dependencies = [
 
 [[package]]
 name = "h2"
-version = "0.4.2"
+version = "0.4.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "31d030e59af851932b72ceebadf4a2b5986dba4c3b99dd2493f8273a0f151943"
+checksum = "816ec7294445779408f36fe57bc5b7fc1cf59664059096c65f905c1c61f58069"
 dependencies = [
  "bytes",
  "fnv",
@@ -1673,6 +1674,15 @@ version = "0.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
 
+[[package]]
+name = "html-escape"
+version = "0.2.13"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6d1ad449764d627e22bfd7cd5e8868264fc9236e07c752972b4080cd351cb476"
+dependencies = [
+ "utf8-width",
+]
+
 [[package]]
 name = "html5ever"
 version = "0.26.0"
@@ -1777,7 +1787,7 @@ dependencies = [
  "futures-channel",
  "futures-core",
  "futures-util",
- "h2 0.3.24",
+ "h2 0.3.26",
  "http 0.2.11",
  "http-body 0.4.6",
  "httparse",
@@ -1800,7 +1810,7 @@ dependencies = [
  "bytes",
  "futures-channel",
  "futures-util",
- "h2 0.4.2",
+ "h2 0.4.4",
  "http 1.0.0",
  "http-body 1.0.0",
  "httparse",
@@ -2527,7 +2537,7 @@ dependencies = [
 
 [[package]]
 name = "openconnect"
-version = "2.1.2"
+version = "2.1.3"
 dependencies = [
  "cc",
  "common",
@@ -3157,7 +3167,7 @@ dependencies = [
  "encoding_rs",
  "futures-core",
  "futures-util",
- "h2 0.3.24",
+ "h2 0.3.26",
  "http 0.2.11",
  "http-body 0.4.6",
  "hyper 0.14.28",
@@ -4484,6 +4494,12 @@ version = "0.7.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "09cc8ee72d2a9becf2f2febe0205bbed8fc6615b7cb429ad062dc7b7ddd036a9"
 
+[[package]]
+name = "utf8-width"
+version = "0.1.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "86bd8d4e895da8537e5315b8254664e6b769c4ff3db18321b297a1e7004392e3"
+
 [[package]]
 name = "utf8parse"
 version = "0.2.1"
@@ -4590,6 +4606,12 @@ version = "0.11.0+wasi-snapshot-preview1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
 
+[[package]]
+name = "wasite"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b8dad83b4f25e74f184f64c43b150b91efe7647395b42289f38e50566d82855b"
+
 [[package]]
 name = "wasm-bindgen"
 version = "0.2.89"
@@ -4766,11 +4788,12 @@ dependencies = [
 
 [[package]]
 name = "whoami"
-version = "1.4.1"
+version = "1.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "22fc3756b8a9133049b26c7f61ab35416c130e8c09b660f5b3958b446f52cc50"
+checksum = "a44ab49fad634e88f55bf8f9bb3abd2f27d7204172a112c7c9987e01c1c94ea9"
 dependencies = [
- "wasm-bindgen",
+ "redox_syscall",
+ "wasite",
  "web-sys",
 ]
 

Cargo.toml

@@ -5,7 +5,7 @@ members = ["crates/*", "apps/gpclient", "apps/gpservice", "apps/gpauth", "apps/g
 
 [workspace.package]
 rust-version = "1.70"
-version = "2.1.2"
+version = "2.1.3"
 authors = ["Kevin Yue <k3vinyue@gmail.com>"]
 homepage = "https://github.com/yuezk/GlobalProtect-openconnect"
 edition = "2021"

apps/gpauth/Cargo.toml

@@ -18,6 +18,7 @@ serde_json.workspace = true
 tokio.workspace = true
 tokio-util.workspace = true
 tempfile.workspace = true
+html-escape = "0.2.13"
 webkit2gtk = "0.18.2"
 tauri = { workspace = true, features = ["http-all"] }
 compile-time.workspace = true

apps/gpauth/src/auth_window.rs

@@ -7,6 +7,7 @@ use std::{
 use anyhow::bail;
 use gpapi::{
   auth::SamlAuthData,
+  error::AuthDataParseError,
   gp_params::GpParams,
   portal::{prelogin, Prelogin},
   utils::{redact::redact_uri, window::WindowExt},
@@ -184,6 +185,10 @@ impl<'a> AuthWindow<'a> {
           }
 
           info!("Loaded uri: {}", redact_uri(&uri));
+          if uri.starts_with("globalprotectcallback:") {
+            return;
+          }
+
           read_auth_data(&main_resource, auth_result_tx_clone.clone());
         }
       });
@@ -202,7 +207,9 @@ impl<'a> AuthWindow<'a> {
 
       wv.connect_load_failed(move |_wv, _event, uri, err| {
         let redacted_uri = redact_uri(uri);
-        warn!("Failed to load uri: {} with error: {}", redacted_uri, err);
+        if !uri.starts_with("globalprotectcallback:") {
+          warn!("Failed to load uri: {} with error: {}", redacted_uri, err);
+        }
         // NOTE: Don't send error here, since load_changed event will be triggered after this
         // send_auth_result(&auth_result_tx, Err(AuthDataError::Invalid));
         // true to stop other handlers from being invoked for the event. false to propagate the event further.
@@ -339,7 +346,7 @@ fn read_auth_data_from_headers(response: &URIResponse) -> AuthResult {
 
 fn read_auth_data_from_body<F>(main_resource: &WebResource, callback: F)
 where
-  F: FnOnce(AuthResult) + Send + 'static,
+  F: FnOnce(Result<SamlAuthData, AuthDataParseError>) + Send + 'static,
 {
   main_resource.data(Cancellable::NONE, |data| match data {
     Ok(data) => {
@@ -348,53 +355,41 @@ where
     }
     Err(err) => {
       info!("Failed to read response body: {}", err);
-      callback(Err(AuthDataError::Invalid))
+      callback(Err(AuthDataParseError::Invalid))
     }
   });
 }
 
-fn read_auth_data_from_html(html: &str) -> AuthResult {
+fn read_auth_data_from_html(html: &str) -> Result<SamlAuthData, AuthDataParseError> {
   if html.contains("Temporarily Unavailable") {
     info!("Found 'Temporarily Unavailable' in HTML, auth failed");
-    return Err(AuthDataError::Invalid);
+    return Err(AuthDataParseError::Invalid);
   }
 
-  match parse_xml_tag(html, "saml-auth-status") {
-    Some(saml_status) if saml_status == "1" => {
-      let username = parse_xml_tag(html, "saml-username");
-      let prelogin_cookie = parse_xml_tag(html, "prelogin-cookie");
-      let portal_userauthcookie = parse_xml_tag(html, "portal-userauthcookie");
+  SamlAuthData::from_html(html).or_else(|err| {
+    if let Some(gpcallback) = extract_gpcallback(html) {
+      info!("Found gpcallback from html...");
+      SamlAuthData::from_gpcallback(&gpcallback)
+    } else {
+      Err(err)
+    }
+  })
+}
 
-      if SamlAuthData::check(&username, &prelogin_cookie, &portal_userauthcookie) {
-        return Ok(SamlAuthData::new(
-          username.unwrap(),
-          prelogin_cookie,
-          portal_userauthcookie,
-        ));
-      }
-
-      info!("Found invalid auth data in HTML");
-      Err(AuthDataError::Invalid)
-    }
-    Some(status) => {
-      info!("Found invalid SAML status {} in HTML", status);
-      Err(AuthDataError::Invalid)
-    }
-    None => {
-      info!("No auth data found in HTML");
-      Err(AuthDataError::NotFound)
-    }
-  }
+fn extract_gpcallback(html: &str) -> Option<String> {
+  let re = Regex::new(r#"globalprotectcallback:[^"]+"#).unwrap();
+  re.captures(html)
+    .and_then(|captures| captures.get(0))
+    .map(|m| html_escape::decode_html_entities(m.as_str()).to_string())
 }
 
 fn read_auth_data(main_resource: &WebResource, auth_result_tx: mpsc::UnboundedSender<AuthResult>) {
-  if main_resource.response().is_none() {
+  let Some(response) = main_resource.response() else {
     info!("No response found in main resource");
     send_auth_result(&auth_result_tx, Err(AuthDataError::Invalid));
     return;
-  }
+  };
 
-  let response = main_resource.response().unwrap();
   info!("Trying to read auth data from response headers...");
 
   match read_auth_data_from_headers(&response) {
@@ -407,22 +402,27 @@ fn read_auth_data(main_resource: &WebResource, auth_result_tx: mpsc::UnboundedSe
       read_auth_data_from_body(main_resource, move |auth_result| {
         // Since we have already found invalid auth data in headers, which means this could be the `/SAML20/SP/ACS` endpoint
         // any error result from body should be considered as invalid, and trigger a retry
-        let auth_result = auth_result.map_err(|_| AuthDataError::Invalid);
+        let auth_result = auth_result.map_err(|err| {
+          info!("Failed to read auth data from body: {}", err);
+          AuthDataError::Invalid
+        });
         send_auth_result(&auth_result_tx, auth_result);
       });
     }
     Err(AuthDataError::NotFound) => {
       info!("No auth data found in headers, trying to read from body...");
-      let url = main_resource.uri().unwrap_or("".into());
-      let is_acs_endpoint = url.contains("/SAML20/SP/ACS");
+
+      let is_acs_endpoint = main_resource.uri().map_or(false, |uri| uri.contains("/SAML20/SP/ACS"));
 
       read_auth_data_from_body(main_resource, move |auth_result| {
         // If the endpoint is `/SAML20/SP/ACS` and no auth data found in body, it should be considered as invalid
         let auth_result = auth_result.map_err(|err| {
-          if matches!(err, AuthDataError::NotFound) && is_acs_endpoint {
-            AuthDataError::Invalid
+          info!("Failed to read auth data from body: {}", err);
+
+          if !is_acs_endpoint && matches!(err, AuthDataParseError::NotFound) {
+            AuthDataError::NotFound
           } else {
-            err
+            AuthDataError::Invalid
           }
         });
 
@@ -437,13 +437,6 @@ fn read_auth_data(main_resource: &WebResource, auth_result_tx: mpsc::UnboundedSe
   }
 }
 
-fn parse_xml_tag(html: &str, tag: &str) -> Option<String> {
-  let re = Regex::new(&format!("<{}>(.*)</{}>", tag, tag)).unwrap();
-  re.captures(html)
-    .and_then(|captures| captures.get(1))
-    .map(|m| m.as_str().to_string())
-}
-
 pub(crate) async fn clear_webview_cookies(window: &Window) -> anyhow::Result<()> {
   let (tx, rx) = oneshot::channel::<Result<(), String>>();
 
@@ -489,3 +482,42 @@ pub(crate) async fn clear_webview_cookies(window: &Window) -> anyhow::Result<()>
 
   rx.await?.map_err(|err| anyhow::anyhow!(err))
 }
+
+#[cfg(test)]
+mod tests {
+  use super::*;
+
+  #[test]
+  fn extract_gpcallback_some() {
+    let html = r#"
+      <meta http-equiv="refresh" content="0; URL=globalprotectcallback:PGh0bWw+PCEtLSA8c">
+      <meta http-equiv="refresh" content="0; URL=globalprotectcallback:PGh0bWw+PCEtLSA8c">
+    "#;
+
+    assert_eq!(
+      extract_gpcallback(html).as_deref(),
+      Some("globalprotectcallback:PGh0bWw+PCEtLSA8c")
+    );
+  }
+
+  #[test]
+  fn extract_gpcallback_cas() {
+    let html = r#"
+      <meta http-equiv="refresh" content="0; URL=globalprotectcallback:cas-as=1&amp;un=xyz@email.com&amp;token=very_long_string">
+    "#;
+
+    assert_eq!(
+      extract_gpcallback(html).as_deref(),
+      Some("globalprotectcallback:cas-as=1&un=xyz@email.com&token=very_long_string")
+    );
+  }
+
+  #[test]
+  fn extract_gpcallback_none() {
+    let html = r#"
+      <meta http-equiv="refresh" content="0; URL=PGh0bWw+PCEtLSA8c">
+    "#;
+
+    assert_eq!(extract_gpcallback(html), None);
+  }
+}

apps/gpclient/src/connect.rs

@@ -32,6 +32,8 @@ pub(crate) struct ConnectArgs {
   user: Option<String>,
   #[arg(long, short, help = "The VPNC script to use")]
   script: Option<String>,
+  #[arg(long, help = "Connect the server as a gateway, instead of a portal")]
+  as_gateway: bool,
 
   #[arg(
     long,
@@ -95,6 +97,12 @@ impl<'a> ConnectHandler<'a> {
 
   pub(crate) async fn handle(&self) -> anyhow::Result<()> {
     let server = self.args.server.as_str();
+    let as_gateway = self.args.as_gateway;
+
+    if as_gateway {
+      info!("Treating the server as a gateway");
+      return self.connect_gateway_with_prelogin(server).await;
+    }
 
     let Err(err) = self.connect_portal_with_prelogin(server).await else {
       return Ok(());
@@ -103,10 +111,15 @@ impl<'a> ConnectHandler<'a> {
     info!("Failed to connect portal with prelogin: {}", err);
     if err.root_cause().downcast_ref::<PortalError>().is_some() {
       info!("Trying the gateway authentication workflow...");
-      return self.connect_gateway_with_prelogin(server).await;
-    }
+      self.connect_gateway_with_prelogin(server).await?;
 
-    Err(err)
+      eprintln!("\nNOTE: the server may be a gateway, not a portal.");
+      eprintln!("NOTE: try to use the `--as-gateway` option if you were authenticated twice.");
+
+      Ok(())
+    } else {
+      Err(err)
+    }
   }
 
   async fn connect_portal_with_prelogin(&self, portal: &str) -> anyhow::Result<()> {

apps/gpgui-helper/package.json

@@ -31,6 +31,6 @@
     "eslint-plugin-react-hooks": "^4.6.0",
     "prettier": "3.1.0",
     "typescript": "^5.0.2",
-    "vite": "^4.5.2"
+    "vite": "^4.5.3"
   }
 }

apps/gpgui-helper/pnpm-lock.yaml

@@ -48,7 +48,7 @@ devDependencies:
     version: 6.12.0(eslint@8.54.0)(typescript@5.0.2)
   '@vitejs/plugin-react':
     specifier: ^4.0.3
-    version: 4.0.3(vite@4.5.2)
+    version: 4.0.3(vite@4.5.3)
   eslint:
     specifier: ^8.54.0
     version: 8.54.0
@@ -68,8 +68,8 @@ devDependencies:
     specifier: ^5.0.2
     version: 5.0.2
   vite:
-    specifier: ^4.5.2
-    version: 4.5.2(@types/node@20.8.10)
+    specifier: ^4.5.3
+    version: 4.5.3(@types/node@20.8.10)
 
 packages:
 
@@ -1229,7 +1229,7 @@ packages:
     resolution: {integrity: sha512-zuVdFrMJiuCDQUMCzQaD6KL28MjnqqN8XnAqiEq9PNm/hCPTSGfrXCOfwj1ow4LFb/tNymJPwsNbVePc1xFqrQ==}
     dev: true
 
-  /@vitejs/plugin-react@4.0.3(vite@4.5.2):
+  /@vitejs/plugin-react@4.0.3(vite@4.5.3):
     resolution: {integrity: sha512-pwXDog5nwwvSIzwrvYYmA2Ljcd/ZNlcsSG2Q9CNDBwnsd55UGAyr2doXtB5j+2uymRCnCfExlznzzSFbBRcoCg==}
     engines: {node: ^14.18.0 || >=16.0.0}
     peerDependencies:
@@ -1239,7 +1239,7 @@ packages:
       '@babel/plugin-transform-react-jsx-self': 7.22.5(@babel/core@7.23.2)
       '@babel/plugin-transform-react-jsx-source': 7.22.5(@babel/core@7.23.2)
       react-refresh: 0.14.0
-      vite: 4.5.2(@types/node@20.8.10)
+      vite: 4.5.3(@types/node@20.8.10)
     transitivePeerDependencies:
       - supports-color
     dev: true
@@ -2979,8 +2979,8 @@ packages:
       punycode: 2.3.1
     dev: true
 
-  /vite@4.5.2(@types/node@20.8.10):
-    resolution: {integrity: sha512-tBCZBNSBbHQkaGyhGCDUGqeo2ph8Fstyp6FMSvTtsXeZSPpSMGlviAOav2hxVTqFcx8Hj/twtWKsMJXNY0xI8w==}
+  /vite@4.5.3(@types/node@20.8.10):
+    resolution: {integrity: sha512-kQL23kMeX92v3ph7IauVkXkikdDRsYMGTVl5KY2E9OY4ONLvkHf04MDTbnfo6NKxZiDLWzVpP5oTa8hQD8U3dg==}
     engines: {node: ^14.18.0 || >=16.0.0}
     hasBin: true
     peerDependencies:

changelog.md

@@ -1,5 +1,12 @@
 # Changelog
 
+## 2.1.3 - 2024-04-07
+
+- Support CAS authentication (fix [#339](https://github.com/yuezk/GlobalProtect-openconnect/issues/339))
+- CLI: Add `--as-gateway` option to connect as gateway directly (fix [#318](https://github.com/yuezk/GlobalProtect-openconnect/issues/318))
+- GUI: Support connect the gateway directly (fix [#318](https://github.com/yuezk/GlobalProtect-openconnect/issues/318))
+- GUI: Add an option to use symbolic tray icon (fix [#341](https://github.com/yuezk/GlobalProtect-openconnect/issues/341))
+
 ## 2.1.2 - 2024-03-29
 
 - Treat portal as gateway when the gateway login is failed (fix #338)

crates/gpapi/src/auth.rs

@@ -1,13 +1,17 @@
-use anyhow::anyhow;
+use log::{info, warn};
 use regex::Regex;
 use serde::{Deserialize, Serialize};
 
+use crate::{error::AuthDataParseError, utils::base64::decode_to_string};
+
 #[derive(Debug, Serialize, Deserialize)]
 #[serde(rename_all = "camelCase")]
 pub struct SamlAuthData {
+  #[serde(alias = "un")]
   username: String,
   prelogin_cookie: Option<String>,
   portal_userauthcookie: Option<String>,
+  token: Option<String>,
 }
 
 #[derive(Debug, Serialize, Deserialize)]
@@ -32,10 +36,11 @@ impl SamlAuthData {
       username,
       prelogin_cookie,
       portal_userauthcookie,
+      token: None,
     }
   }
 
-  pub fn from_html(html: &str) -> anyhow::Result<SamlAuthData> {
+  pub fn from_html(html: &str) -> anyhow::Result<SamlAuthData, AuthDataParseError> {
     match parse_xml_tag(html, "saml-auth-status") {
       Some(saml_status) if saml_status == "1" => {
         let username = parse_xml_tag(html, "saml-username");
@@ -49,11 +54,36 @@ impl SamlAuthData {
             portal_userauthcookie,
           ))
         } else {
-          Err(anyhow!("Found invalid auth data in HTML"))
+          Err(AuthDataParseError::Invalid)
         }
       }
-      Some(status) => Err(anyhow!("Found invalid SAML status {} in HTML", status)),
-      None => Err(anyhow!("No auth data found in HTML")),
+      Some(_) => Err(AuthDataParseError::Invalid),
+      None => Err(AuthDataParseError::NotFound),
+    }
+  }
+
+  pub fn from_gpcallback(data: &str) -> anyhow::Result<SamlAuthData, AuthDataParseError> {
+    let auth_data = data.trim_start_matches("globalprotectcallback:");
+
+    if auth_data.starts_with("cas-as") {
+      info!("Got CAS auth data from globalprotectcallback");
+
+      let auth_data: SamlAuthData = serde_urlencoded::from_str(auth_data).map_err(|e| {
+        warn!("Failed to parse token auth data: {}", e);
+        AuthDataParseError::Invalid
+      })?;
+
+      Ok(auth_data)
+    } else {
+      info!("Parsing SAML auth data...");
+
+      let auth_data = decode_to_string(auth_data).map_err(|e| {
+        warn!("Failed to decode SAML auth data: {}", e);
+        AuthDataParseError::Invalid
+      })?;
+      let auth_data = Self::from_html(&auth_data)?;
+
+      Ok(auth_data)
     }
   }
 
@@ -65,6 +95,10 @@ impl SamlAuthData {
     self.prelogin_cookie.as_deref()
   }
 
+  pub fn token(&self) -> Option<&str> {
+    self.token.as_deref()
+  }
+
   pub fn check(
     username: &Option<String>,
     prelogin_cookie: &Option<String>,
@@ -74,7 +108,16 @@ impl SamlAuthData {
     let prelogin_cookie_valid = prelogin_cookie.as_ref().is_some_and(|val| val.len() > 5);
     let portal_userauthcookie_valid = portal_userauthcookie.as_ref().is_some_and(|val| val.len() > 5);
 
-    username_valid && (prelogin_cookie_valid || portal_userauthcookie_valid)
+    let is_valid = username_valid && (prelogin_cookie_valid || portal_userauthcookie_valid);
+
+    if !is_valid {
+      warn!(
+        "Invalid SAML auth data: username: {:?}, prelogin-cookie: {:?}, portal-userauthcookie: {:?}",
+        username, prelogin_cookie, portal_userauthcookie
+      );
+    }
+
+    is_valid
   }
 }
 
@@ -84,3 +127,28 @@ pub fn parse_xml_tag(html: &str, tag: &str) -> Option<String> {
     .and_then(|captures| captures.get(1))
     .map(|m| m.as_str().to_string())
 }
+
+#[cfg(test)]
+mod tests {
+  use super::*;
+
+  #[test]
+  fn auth_data_from_gpcallback_cas() {
+    let auth_data = "globalprotectcallback:cas-as=1&un=xyz@email.com&token=very_long_string";
+
+    let auth_data = SamlAuthData::from_gpcallback(auth_data).unwrap();
+
+    assert_eq!(auth_data.username(), "xyz@email.com");
+    assert_eq!(auth_data.token(), Some("very_long_string"));
+  }
+
+  #[test]
+  fn auth_data_from_gpcallback_non_cas() {
+    let auth_data = "PGh0bWw+PCEtLSA8c2FtbC1hdXRoLXN0YXR1cz4xPC9zYW1sLWF1dGgtc3RhdHVzPjxwcmVsb2dpbi1jb29raWU+cHJlbG9naW4tY29va2llPC9wcmVsb2dpbi1jb29raWU+PHNhbWwtdXNlcm5hbWU+eHl6QGVtYWlsLmNvbTwvc2FtbC11c2VybmFtZT48c2FtbC1zbG8+bm88L3NhbWwtc2xvPjxzYW1sLVNlc3Npb25Ob3RPbk9yQWZ0ZXI+PC9zYW1sLVNlc3Npb25Ob3RPbk9yQWZ0ZXI+IC0tPjwvaHRtbD4=";
+
+    let auth_data = SamlAuthData::from_gpcallback(auth_data).unwrap();
+
+    assert_eq!(auth_data.username(), "xyz@email.com");
+    assert_eq!(auth_data.prelogin_cookie(), Some("prelogin-cookie"));
+  }
+}

crates/gpapi/src/credential.rs

@@ -1,10 +1,9 @@
 use std::collections::HashMap;
 
-use log::info;
 use serde::{Deserialize, Serialize};
 use specta::Type;
 
-use crate::{auth::SamlAuthData, utils::base64::decode_to_string};
+use crate::auth::SamlAuthData;
 
 #[derive(Debug, Serialize, Deserialize, Type, Clone)]
 #[serde(rename_all = "camelCase")]
@@ -38,16 +37,18 @@ impl From<&CachedCredential> for PasswordCredential {
 
 #[derive(Debug, Serialize, Deserialize, Type, Clone)]
 #[serde(rename_all = "camelCase")]
-pub struct PreloginCookieCredential {
+pub struct PreloginCredential {
   username: String,
-  prelogin_cookie: String,
+  prelogin_cookie: Option<String>,
+  token: Option<String>,
 }
 
-impl PreloginCookieCredential {
-  pub fn new(username: &str, prelogin_cookie: &str) -> Self {
+impl PreloginCredential {
+  pub fn new(username: &str, prelogin_cookie: Option<&str>, token: Option<&str>) -> Self {
     Self {
       username: username.to_string(),
-      prelogin_cookie: prelogin_cookie.to_string(),
+      prelogin_cookie: prelogin_cookie.map(|s| s.to_string()),
+      token: token.map(|s| s.to_string()),
     }
   }
 
@@ -55,22 +56,22 @@ impl PreloginCookieCredential {
     &self.username
   }
 
-  pub fn prelogin_cookie(&self) -> &str {
-    &self.prelogin_cookie
+  pub fn prelogin_cookie(&self) -> Option<&str> {
+    self.prelogin_cookie.as_deref()
+  }
+
+  pub fn token(&self) -> Option<&str> {
+    self.token.as_deref()
   }
 }
 
-impl TryFrom<SamlAuthData> for PreloginCookieCredential {
-  type Error = anyhow::Error;
-
-  fn try_from(value: SamlAuthData) -> Result<Self, Self::Error> {
+impl From<SamlAuthData> for PreloginCredential {
+  fn from(value: SamlAuthData) -> Self {
     let username = value.username().to_string();
-    let prelogin_cookie = value
-      .prelogin_cookie()
-      .ok_or_else(|| anyhow::anyhow!("Missing prelogin cookie"))?
-      .to_string();
+    let prelogin_cookie = value.prelogin_cookie();
+    let token = value.token();
 
-    Ok(Self::new(&username, &prelogin_cookie))
+    Self::new(&username, prelogin_cookie, token)
   }
 }
 
@@ -155,60 +156,30 @@ impl From<PasswordCredential> for CachedCredential {
     )
   }
 }
-
-#[derive(Debug, Serialize, Deserialize, Type, Clone)]
-pub struct TokenCredential {
-  #[serde(alias = "un")]
-  username: String,
-  token: String,
-}
-
-impl TokenCredential {
-  pub fn username(&self) -> &str {
-    &self.username
-  }
-
-  pub fn token(&self) -> &str {
-    &self.token
-  }
-}
-
 #[derive(Debug, Serialize, Deserialize, Type, Clone)]
 #[serde(tag = "type", rename_all = "camelCase")]
 pub enum Credential {
   Password(PasswordCredential),
-  PreloginCookie(PreloginCookieCredential),
+  Prelogin(PreloginCredential),
   AuthCookie(AuthCookieCredential),
-  TokenCredential(TokenCredential),
-  CachedCredential(CachedCredential),
+  Cached(CachedCredential),
 }
 
 impl Credential {
   /// Create a credential from a globalprotectcallback:<base64 encoded string>,
   /// or globalprotectcallback:cas-as=1&un=user@xyz.com&token=very_long_string
   pub fn from_gpcallback(auth_data: &str) -> anyhow::Result<Self> {
-    let auth_data = auth_data.trim_start_matches("globalprotectcallback:");
+    let auth_data = SamlAuthData::from_gpcallback(auth_data)?;
 
-    if auth_data.starts_with("cas-as") {
-      info!("Got token auth data: {}", auth_data);
-      let token_cred: TokenCredential = serde_urlencoded::from_str(auth_data)?;
-      Ok(Self::TokenCredential(token_cred))
-    } else {
-      info!("Parsing SAML auth data...");
-      let auth_data = decode_to_string(auth_data)?;
-      let auth_data = SamlAuthData::from_html(&auth_data)?;
-
-      Self::try_from(auth_data)
-    }
+    Ok(Self::from(auth_data))
   }
 
   pub fn username(&self) -> &str {
     match self {
       Credential::Password(cred) => cred.username(),
-      Credential::PreloginCookie(cred) => cred.username(),
+      Credential::Prelogin(cred) => cred.username(),
       Credential::AuthCookie(cred) => cred.username(),
-      Credential::TokenCredential(cred) => cred.username(),
-      Credential::CachedCredential(cred) => cred.username(),
+      Credential::Cached(cred) => cred.username(),
     }
   }
 
@@ -218,7 +189,7 @@ impl Credential {
 
     let (passwd, prelogin_cookie, portal_userauthcookie, portal_prelogonuserauthcookie, token) = match self {
       Credential::Password(cred) => (Some(cred.password()), None, None, None, None),
-      Credential::PreloginCookie(cred) => (None, Some(cred.prelogin_cookie()), None, None, None),
+      Credential::Prelogin(cred) => (None, cred.prelogin_cookie(), None, None, cred.token()),
       Credential::AuthCookie(cred) => (
         None,
         None,
@@ -226,8 +197,7 @@ impl Credential {
         Some(cred.prelogon_user_auth_cookie()),
         None,
       ),
-      Credential::TokenCredential(cred) => (None, None, None, None, Some(cred.token())),
-      Credential::CachedCredential(cred) => (
+      Credential::Cached(cred) => (
         cred.password(),
         None,
         Some(cred.auth_cookie.user_auth_cookie()),
@@ -252,13 +222,11 @@ impl Credential {
   }
 }
 
-impl TryFrom<SamlAuthData> for Credential {
-  type Error = anyhow::Error;
+impl From<SamlAuthData> for Credential {
+  fn from(value: SamlAuthData) -> Self {
+    let cred = PreloginCredential::from(value);
 
-  fn try_from(value: SamlAuthData) -> Result<Self, Self::Error> {
-    let prelogin_cookie = PreloginCookieCredential::try_from(value)?;
-
-    Ok(Self::PreloginCookie(prelogin_cookie))
+    Self::Prelogin(cred)
   }
 }
 
@@ -276,41 +244,6 @@ impl From<&AuthCookieCredential> for Credential {
 
 impl From<&CachedCredential> for Credential {
   fn from(value: &CachedCredential) -> Self {
-    Self::CachedCredential(value.clone())
-  }
-}
-
-#[cfg(test)]
-mod tests {
-  use super::*;
-
-  #[test]
-  fn cred_from_gpcallback_cas() {
-    let auth_data = "globalprotectcallback:cas-as=1&un=xyz@email.com&token=very_long_string";
-
-    let cred = Credential::from_gpcallback(auth_data).unwrap();
-
-    match cred {
-      Credential::TokenCredential(token_cred) => {
-        assert_eq!(token_cred.username(), "xyz@email.com");
-        assert_eq!(token_cred.token(), "very_long_string");
-      }
-      _ => panic!("Expected TokenCredential"),
-    }
-  }
-
-  #[test]
-  fn cred_from_gpcallback_non_cas() {
-    let auth_data = "PGh0bWw+PCEtLSA8c2FtbC1hdXRoLXN0YXR1cz4xPC9zYW1sLWF1dGgtc3RhdHVzPjxwcmVsb2dpbi1jb29raWU+cHJlbG9naW4tY29va2llPC9wcmVsb2dpbi1jb29raWU+PHNhbWwtdXNlcm5hbWU+eHl6QGVtYWlsLmNvbTwvc2FtbC11c2VybmFtZT48c2FtbC1zbG8+bm88L3NhbWwtc2xvPjxzYW1sLVNlc3Npb25Ob3RPbk9yQWZ0ZXI+PC9zYW1sLVNlc3Npb25Ob3RPbk9yQWZ0ZXI+IC0tPjwvaHRtbD4=";
-
-    let cred = Credential::from_gpcallback(auth_data).unwrap();
-
-    match cred {
-      Credential::PreloginCookie(cred) => {
-        assert_eq!(cred.username(), "xyz@email.com");
-        assert_eq!(cred.prelogin_cookie(), "prelogin-cookie");
-      }
-      _ => panic!("Expected PreloginCookieCredential")
-    }
+    Self::Cached(value.clone())
   }
 }

crates/gpapi/src/error.rs

@@ -9,3 +9,11 @@ pub enum PortalError {
   #[error("Network error: {0}")]
   NetworkError(String),
 }
+
+#[derive(Error, Debug)]
+pub enum AuthDataParseError {
+  #[error("No auth data found")]
+  NotFound,
+  #[error("Invalid auth data")]
+  Invalid,
+}

crates/gpapi/src/gp_params.rs

@@ -42,7 +42,7 @@ impl ClientOs {
   }
 }
 
-#[derive(Debug, Serialize, Deserialize, Type, Default, Clone)]
+#[derive(Debug, Serialize, Deserialize, Type, Default)]
 pub struct GpParams {
   is_gateway: bool,
   user_agent: String,
@@ -51,7 +51,6 @@ pub struct GpParams {
   client_version: Option<String>,
   computer: String,
   ignore_tls_errors: bool,
-  prefer_default_browser: bool,
 }
 
 impl GpParams {
@@ -79,14 +78,6 @@ impl GpParams {
     self.ignore_tls_errors
   }
 
-  pub fn prefer_default_browser(&self) -> bool {
-    self.prefer_default_browser
-  }
-
-  pub fn set_prefer_default_browser(&mut self, prefer_default_browser: bool) {
-    self.prefer_default_browser = prefer_default_browser;
-  }
-
   pub fn client_os(&self) -> &str {
     self.client_os.as_str()
   }
@@ -135,20 +126,20 @@ pub struct GpParamsBuilder {
   client_version: Option<String>,
   computer: String,
   ignore_tls_errors: bool,
-  prefer_default_browser: bool,
 }
 
 impl GpParamsBuilder {
   pub fn new() -> Self {
+    let computer = whoami::fallible::hostname().unwrap_or_else(|_| String::from("localhost"));
+
     Self {
       is_gateway: false,
       user_agent: GP_USER_AGENT.to_string(),
       client_os: ClientOs::Linux,
       os_version: Default::default(),
       client_version: Default::default(),
-      computer: whoami::hostname(),
+      computer,
       ignore_tls_errors: false,
-      prefer_default_browser: false,
     }
   }
 
@@ -187,11 +178,6 @@ impl GpParamsBuilder {
     self
   }
 
-  pub fn prefer_default_browser(&mut self, prefer_default_browser: bool) -> &mut Self {
-    self.prefer_default_browser = prefer_default_browser;
-    self
-  }
-
   pub fn build(&self) -> GpParams {
     GpParams {
       is_gateway: self.is_gateway,
@@ -201,7 +187,6 @@ impl GpParamsBuilder {
       client_version: self.client_version.clone(),
       computer: self.computer.clone(),
       ignore_tls_errors: self.ignore_tls_errors,
-      prefer_default_browser: self.prefer_default_browser,
     }
   }
 }

crates/gpapi/src/portal/prelogin.rs

@@ -29,7 +29,6 @@ pub struct SamlPrelogin {
   is_gateway: bool,
   saml_request: String,
   support_default_browser: bool,
-  is_cas: bool,
 }
 
 impl SamlPrelogin {
@@ -44,14 +43,6 @@ impl SamlPrelogin {
   pub fn support_default_browser(&self) -> bool {
     self.support_default_browser
   }
-
-  pub fn is_cas(&self) -> bool {
-    self.is_cas
-  }
-
-  fn set_is_cas(&mut self, is_cas: bool) {
-    self.is_cas = is_cas;
-  }
 }
 
 #[derive(Debug, Serialize, Type, Clone)]
@@ -106,29 +97,6 @@ impl Prelogin {
 }
 
 pub async fn prelogin(portal: &str, gp_params: &GpParams) -> anyhow::Result<Prelogin> {
-  match prelogin_impl(portal, gp_params).await {
-    Ok(prelogin) => Ok(prelogin),
-    Err(e) => {
-      if e.to_string().contains("CAS is not supported by the client") {
-        info!("CAS authentication detected, retrying with default browser");
-        let mut gp_params = gp_params.clone();
-        gp_params.set_prefer_default_browser(true);
-
-        let mut prelogin = prelogin_impl(portal, &gp_params).await?;
-        // Mark the prelogin as CAS
-        if let Prelogin::Saml(saml) = &mut prelogin {
-          saml.set_is_cas(true);
-        }
-
-        Ok(prelogin)
-      } else {
-        Err(e)
-      }
-    }
-  }
-}
-
-pub async fn prelogin_impl(portal: &str, gp_params: &GpParams) -> anyhow::Result<Prelogin> {
   let user_agent = gp_params.user_agent();
   info!("Prelogin with user_agent: {}", user_agent);
 
@@ -139,11 +107,8 @@ pub async fn prelogin_impl(portal: &str, gp_params: &GpParams) -> anyhow::Result
   let mut params = gp_params.to_params();
 
   params.insert("tmp", "tmp");
-  // CAS support requires external browser
-  if gp_params.prefer_default_browser() {
-    params.insert("default-browser", "1");
-    params.insert("cas-support", "yes");
-  }
+  params.insert("default-browser", "1");
+  params.insert("cas-support", "yes");
 
   params.retain(|k, _| REQUIRED_PARAMS.iter().any(|required_param| required_param == k));
 
@@ -213,7 +178,6 @@ fn parse_res_xml(res_xml: String, is_gateway: bool) -> anyhow::Result<Prelogin>
       is_gateway,
       saml_request,
       support_default_browser,
-      is_cas: false,
     };
 
     return Ok(Prelogin::Saml(saml_prelogin));

crates/gpapi/src/process/auth_launcher.rs

@@ -135,7 +135,7 @@ impl<'a> SamlAuthLauncher<'a> {
     };
 
     match auth_result {
-      SamlAuthResult::Success(auth_data) => Credential::try_from(auth_data),
+      SamlAuthResult::Success(auth_data) => Ok(Credential::from(auth_data)),
       SamlAuthResult::Failure(msg) => bail!(msg),
     }
   }