Add CI

fix link in Readme

.devcontainer/Dockerfile

@@ -0,0 +1,62 @@
+FROM ubuntu:18.04
+
+ARG USERNAME=vscode
+ARG USER_UID=1000
+ARG USER_GID=$USER_UID
+
+ENV RUSTUP_HOME=/usr/local/rustup \
+    CARGO_HOME=/usr/local/cargo \
+    PATH=/usr/local/cargo/bin:$PATH \
+    RUST_VERSION=1.75.0
+
+RUN set -eux; \
+  apt-get update; \
+  apt-get install -y --no-install-recommends \
+    sudo \
+    ca-certificates \
+    curl \
+    gnupg \
+    git \
+    less \
+    software-properties-common \
+    # Tauri dependencies
+    libwebkit2gtk-4.0-dev build-essential wget libssl-dev libgtk-3-dev libayatana-appindicator3-dev librsvg2-dev; \
+  # Install openconnect
+  add-apt-repository ppa:yuezk/globalprotect-openconnect; \
+  apt-get update; \
+  apt-get install -y openconnect libopenconnect-dev; \
+  # Create a non-root user
+  groupadd --gid $USER_GID $USERNAME; \
+  useradd --uid $USER_UID --gid $USER_GID -m $USERNAME; \
+  echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME; \
+  chmod 0440 /etc/sudoers.d/$USERNAME; \
+  # Install Node.js
+  mkdir -p /etc/apt/keyrings; \
+  curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg; \
+  echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_16.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list; \
+  apt-get update; \
+  apt-get install -y nodejs; \
+  corepack enable; \
+  # Install diff-so-fancy
+  npm install -g diff-so-fancy; \
+  # Install Rust
+  curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain $RUST_VERSION; \
+  chown -R $USERNAME:$USERNAME $RUSTUP_HOME $CARGO_HOME; \
+  rustup --version; \
+  cargo --version; \
+  rustc --version
+
+USER $USERNAME
+
+# Install Oh My Zsh
+RUN sh -c "$(wget -O- https://github.com/deluan/zsh-in-docker/releases/download/v1.1.5/zsh-in-docker.sh)" -- \
+    -t https://github.com/denysdovhan/spaceship-prompt \
+    -a 'SPACESHIP_PROMPT_ADD_NEWLINE="false"' \
+    -a 'SPACESHIP_PROMPT_SEPARATE_LINE="false"' \
+    -p git \
+    -p https://github.com/zsh-users/zsh-autosuggestions \
+    -p https://github.com/zsh-users/zsh-completions; \
+    # Change the default shell
+    sudo chsh -s /bin/zsh $USERNAME; \
+    # Change the XTERM to xterm-256color
+    sed -i 's/TERM=xterm/TERM=xterm-256color/g' $HOME/.zshrc;

.devcontainer/devcontainer.json

@@ -0,0 +1,10 @@
+{
+  "build": {
+    "dockerfile": "Dockerfile"
+  },
+  "runArgs": [
+    "--privileged",
+    "--cap-add=NET_ADMIN",
+    "--device=/dev/net/tun"
+  ]
+}

.editorconfig

@@ -0,0 +1,9 @@
+root = true
+
+[*]
+charset = utf-8
+indent_style = space
+indent_size = 2
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true

.github/FUNDING.yml

@@ -0,0 +1,2 @@
+ko_fi: yuezk
+custom: ["https://buymeacoffee.com/yuezk", "https://paypal.me/zongkun"]

.github/workflows/build.yaml

@@ -0,0 +1,308 @@
+name: Build GPGUI
+on:
+  push:
+    paths-ignore:
+      - LICENSE
+      - "*.md"
+      - .vscode
+      - .devcontainer
+    branches:
+      - main
+    tags:
+      - latest
+      - v*.*.*
+jobs:
+  # Include arm64 if ref is a tag
+  setup-matrix:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - name: Set up matrix
+        id: set-matrix
+        run: |
+          if [[ "${{ github.ref }}" == "refs/tags/"* ]]; then
+            echo "matrix=[\"amd64\", \"arm64\"]" >> $GITHUB_OUTPUT
+          else
+            echo "matrix=[\"amd64\"]" >> $GITHUB_OUTPUT
+          fi
+
+  build-fe:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout gpgui repo
+        uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.GH_PAT }}
+          repository: yuezk/gpgui
+
+      - name: Install Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 18
+
+      - uses: pnpm/action-setup@v2
+        with:
+          version: 8
+
+      - name: Install dependencies
+        run: |
+          cd app
+          pnpm install
+      - name: Build
+        run: |
+          cd app
+          pnpm run build
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: gpgui-fe
+          path: app/dist
+
+  build-tauri-amd64:
+    needs: [build-fe]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout gpgui repo
+        uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.GH_PAT }}
+          repository: yuezk/gpgui
+          path: gpgui
+
+      - name: Checkout gp repo
+        uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.GH_PAT }}
+          repository: yuezk/GlobalProtect-openconnect
+          path: gp
+
+      - name: Download gpgui-fe artifact
+        uses: actions/download-artifact@v3
+        with:
+          name: gpgui-fe
+          path: gpgui/app/dist
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+
+      - name: Build Tauri in Docker
+        run: |
+          docker run \
+            --rm \
+            -v $(pwd):/${{ github.workspace }} \
+            -w ${{ github.workspace }} \
+            -e CI=true \
+            yuezk/gpdev:main \
+            "./gpgui/scripts/build.sh"
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: artifact-amd64-tauri
+          path: |
+            gpgui/.tmp/artifact
+
+  build-tauri-arm64:
+    if: startsWith(github.ref, 'refs/tags/')
+    needs: [build-fe]
+    runs-on: self-hosted
+    steps:
+      - name: Checkout gpgui repo
+        uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.GH_PAT }}
+          repository: yuezk/gpgui
+          path: gpgui
+
+      - name: Checkout gp repo
+        uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.GH_PAT }}
+          repository: yuezk/GlobalProtect-openconnect
+          path: gp
+
+      - name: Download gpgui-fe artifact
+        uses: actions/download-artifact@v3
+        with:
+          name: gpgui-fe
+          path: gpgui/app/dist
+      - name: Build Tauri
+        run: |
+          ./gpgui/scripts/build.sh
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: artifact-arm64-tauri
+          path: |
+            gpgui/.tmp/artifact
+
+  package-tarball:
+    needs: [build-tauri-amd64, build-tauri-arm64]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout gpgui repo
+        uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.GH_PAT }}
+          repository: yuezk/gpgui
+          path: gpgui
+
+      - name: Download artifact-amd64-tauri
+        uses: actions/download-artifact@v3
+        with:
+          name: artifact-amd64-tauri
+          path: gpgui/.tmp/artifact
+
+      - name: Download artifact-arm64-tauri
+        uses: actions/download-artifact@v3
+        with:
+          name: artifact-arm64-tauri
+          path: gpgui/.tmp/artifact
+
+      - name: Create tarball
+        run: |
+          ./gpgui/scripts/build-tarball.sh
+
+      - name: Upload tarball
+        uses: actions/upload-artifact@v3
+        with:
+          name: artifact-tarball
+          path: |
+            gpgui/.tmp/tarball/*.tar.gz
+
+  package-rpm:
+    needs: [setup-matrix, package-tarball]
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        arch: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
+    steps:
+      - name: Checkout gpgui repo
+        uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.GH_PAT }}
+          repository: yuezk/gpgui
+          path: gpgui
+
+      - name: Download package tarball
+        uses: actions/download-artifact@v3
+        with:
+          name: artifact-tarball
+          path: gpgui/.tmp/artifact
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: ${{ matrix.arch }}
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+
+      - name: Create RPM package
+        run: |
+          docker run \
+            --rm \
+            -v $(pwd):/${{ github.workspace }} \
+            -w ${{ github.workspace }} \
+            --platform linux/${{ matrix.arch }} \
+            yuezk/gpdev:rpm-builder \
+            "./gpgui/scripts/build-rpm.sh"
+
+      - name: Upload rpm artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: artifact-${{ matrix.arch }}-rpm
+          path: |
+            gpgui/.tmp/artifact/*.rpm
+
+  package-pkgbuild:
+    needs: [setup-matrix, build-tauri-amd64, build-tauri-arm64]
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        arch: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
+    steps:
+      - name: Checkout gpgui repo
+        uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.GH_PAT }}
+          repository: yuezk/gpgui
+          path: gpgui
+
+      - name: Download artifact-${{ matrix.arch }}
+        uses: actions/download-artifact@v3
+        with:
+          name: artifact-${{ matrix.arch }}-tauri
+          path: gpgui/.tmp/artifact
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: ${{ matrix.arch }}
+
+      - name: Login to Docker Hub
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_TOKEN }}
+
+      - name: Generate PKGBUILD
+        run: |
+          export CI_ARCH=${{ matrix.arch }}
+          ./gpgui/scripts/generate-pkgbuild.sh
+
+      - name: Build PKGBUILD package
+        run: |
+          # Build package
+          docker run \
+            --rm \
+            -v $(pwd)/gpgui/.tmp/pkgbuild:/pkgbuild \
+            --platform linux/${{ matrix.arch }} \
+            yuezk/gpdev:pkgbuild
+
+      - name: Upload pkgbuild artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: artifact-${{ matrix.arch }}-pkgbuild
+          path: |
+            gpgui/.tmp/pkgbuild/*.pkg.tar.zst
+
+  gh-release:
+    if: startsWith(github.ref, 'refs/tags/')
+    runs-on: ubuntu-latest
+    needs:
+      - package-rpm
+      - package-pkgbuild
+
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@v3
+        with:
+          path: artifact
+          # pattern: artifact-*
+          # merge-multiple: true
+
+      # - name: Generate checksum
+      #   uses: jmgilman/actions-generate-checksum@v1
+      #   with:
+      #     output: checksums.txt
+      #     patterns: |
+      #       artifact/*
+
+      - name: Create GH release
+        uses: softprops/action-gh-release@v1
+        with:
+          token: ${{ secrets.GH_PAT }}
+          prerelease: ${{ contains(github.ref, 'latest') }}
+          fail_on_unmatched_files: true
+          files: |
+            artifact/artifact-*/*

.gitignore

@@ -1,56 +1,4 @@
-# Binaries
-gpclient
-gpservice
-
-# C++ objects and libs
-*.slo
-*.lo
-*.o
-*.a
-*.la
-*.lai
-*.so
-*.so.*
-*.dll
-*.dylib
-
-# Qt-es
-object_script.*.Release
-object_script.*.Debug
-*_plugin_import.cpp
-/.qmake.cache
-/.qmake.stash
-*.pro.user
-*.pro.user.*
-*.qbs.user
-*.qbs.user.*
-*.moc
-moc_*.cpp
-moc_*.h
-qrc_*.cpp
-ui_*.h
-*.qmlc
-*.jsc
-Makefile*
-*build-*
-*.qm
-*.prl
-
-# Qt unit tests
-target_wrapper.*
-
-# QtCreator
-*.autosave
-
-# QtCreator Qml
-*.qmlproject.user
-*.qmlproject.user.*
-
-# QtCreator CMake
-CMakeLists.txt.user*
-
-# QtCreator 4.8< compilation database 
-compile_commands.json
-
-# QtCreator local machine specific files for imported projects
-*creator.user*
+.idea
+/target
+.pnpm-store
+.env

.gitmodules

@@ -1,3 +0,0 @@
-[submodule "singleapplication"]
-	path = singleapplication
-	url = https://github.com/itay-grudev/SingleApplication.git

.vscode/extensions.json

@@ -0,0 +1,9 @@
+{
+    "recommendations": [
+        "rust-lang.rust-analyzer",
+        "tamasfe.even-better-toml",
+        "eamodio.gitlens",
+        "EditorConfig.EditorConfig",
+        "streetsidesoftware.code-spell-checker",
+    ]
+}

.vscode/settings.json

@@ -0,0 +1,57 @@
+{
+    "cSpell.words": [
+        "authcookie",
+        "bincode",
+        "chacha",
+        "clientos",
+        "datetime",
+        "disconnectable",
+        "distro",
+        "dotenv",
+        "dotenvy",
+        "getconfig",
+        "globalprotect",
+        "globalprotectcallback",
+        "gpapi",
+        "gpauth",
+        "gpcallback",
+        "gpclient",
+        "gpcommon",
+        "gpgui",
+        "gpservice",
+        "hidpi",
+        "jnlp",
+        "LOGNAME",
+        "oneshot",
+        "openconnect",
+        "pkexec",
+        "Prelogin",
+        "prelogon",
+        "prelogonuserauthcookie",
+        "repr",
+        "reqwest",
+        "roxmltree",
+        "rspc",
+        "servercert",
+        "specta",
+        "sysinfo",
+        "tanstack",
+        "tauri",
+        "tempfile",
+        "thiserror",
+        "tungstenite",
+        "unistd",
+        "unlisten",
+        "urlencoding",
+        "userauthcookie",
+        "utsbuf",
+        "uzers",
+        "Vite",
+        "vpnc",
+        "vpninfo",
+        "wmctrl",
+        "XAUTHORITY",
+        "yuezk"
+    ],
+    "rust-analyzer.cargo.features": "all",
+}

Cargo.toml

@@ -0,0 +1,52 @@
+[workspace]
+resolver = "2"
+
+members = ["crates/*", "apps/gpclient", "apps/gpservice", "apps/gpauth"]
+
+[workspace.package]
+version = "2.0.0-beta8"
+authors = ["Kevin Yue <k3vinyue@gmail.com>"]
+homepage = "https://github.com/yuezk/GlobalProtect-openconnect"
+edition = "2021"
+license = "GPL-3.0"
+
+[workspace.dependencies]
+anyhow = "1.0"
+base64 = "0.21"
+clap = { version = "4.4.2", features = ["derive"] }
+ctrlc = "3.4"
+directories = "5.0"
+env_logger = "0.10"
+is_executable = "1.0"
+log = "0.4"
+regex = "1"
+reqwest = { version = "0.11", features = ["native-tls-vendored", "json"] }
+roxmltree = "0.18"
+serde = { version = "1.0", features = ["derive"] }
+serde_json = "1.0"
+sysinfo = "0.29"
+tempfile = "3.8"
+tokio = { version = "1", features = ["full"] }
+tokio-util = "0.7"
+url = "2.4"
+urlencoding = "2.1.3"
+axum = "0.7"
+futures = "0.3"
+futures-util = "0.3"
+tokio-tungstenite = "0.20.1"
+specta = "=2.0.0-rc.1"
+specta-macros = "=2.0.0-rc.1"
+uzers = "0.11"
+whoami = "1"
+tauri = { version = "1.5" }
+thiserror = "1"
+redact-engine = "0.1"
+dotenvy_macro = "0.15"
+compile-time = "0.2"
+
+[profile.release]
+opt-level = 'z'   # Optimize for size
+lto = true        # Enable link-time optimization
+codegen-units = 1 # Reduce number of codegen units to increase optimizations
+panic = 'abort'   # Abort on panic
+strip = true      # Strip symbols from binary*

GPClient/GPClient.pro

@@ -1,59 +0,0 @@
-TARGET = gpclient
-
-QT       += core gui network websockets dbus webenginewidgets
-
-greaterThan(QT_MAJOR_VERSION, 4): QT += widgets
-
-CONFIG += c++11
-
-include(../singleapplication/singleapplication.pri)
-DEFINES += QAPPLICATION_CLASS=QApplication
-
-# The following define makes your compiler emit warnings if you use
-# any Qt feature that has been marked deprecated (the exact warnings
-# depend on your compiler). Please consult the documentation of the
-# deprecated API in order to know how to port your code away from it.
-DEFINES += QT_DEPRECATED_WARNINGS
-
-# You can also make your code fail to compile if it uses deprecated APIs.
-# In order to do so, uncomment the following line.
-# You can also select to disable deprecated APIs only up to a certain version of Qt.
-#DEFINES += QT_DISABLE_DEPRECATED_BEFORE=0x060000    # disables all the APIs deprecated before Qt 6.0.0
-SOURCES += \
-    cdpcommand.cpp \
-    cdpcommandmanager.cpp \
-    enhancedwebview.cpp \
-    main.cpp \
-    samlloginwindow.cpp \
-    gpclient.cpp
-
-HEADERS += \
-    cdpcommand.h \
-    cdpcommandmanager.h \
-    enhancedwebview.h \
-    samlloginwindow.h \
-    gpclient.h
-
-FORMS += \
-    gpclient.ui
-
-DBUS_INTERFACES += ../GPService/gpservice.xml
-
-# Default rules for deployment.
-target.path = /usr/local/bin
-INSTALLS += target
-
-DISTFILES += \
-    com.yuezk.qt.GPClient.svg \
-    com.yuezk.qt.gpclient.desktop
-
-desktop_entry.path = /usr/share/applications/
-desktop_entry.files = com.yuezk.qt.gpclient.desktop
-
-desktop_icon.path = /usr/share/pixmaps/
-desktop_icon.files = com.yuezk.qt.GPClient.svg
-
-INSTALLS += desktop_entry desktop_icon
-
-RESOURCES += \
-    resources.qrc

GPClient/cdpcommand.cpp

@@ -1,30 +0,0 @@
-#include "cdpcommand.h"
-
-#include <QVariantMap>
-#include <QJsonDocument>
-#include <QJsonObject>
-
-CDPCommand::CDPCommand(QObject *parent) : QObject(parent)
-{
-}
-
-CDPCommand::CDPCommand(int id, QString cmd, QVariantMap& params) :
-    QObject(nullptr),
-    id(id),
-    cmd(cmd),
-    params(&params)
-{
-}
-
-QByteArray CDPCommand::toJson()
-{
-    QVariantMap payloadMap;
-    payloadMap["id"] = id;
-    payloadMap["method"] = cmd;
-    payloadMap["params"] = *params;
-
-    QJsonObject payloadJsonObject = QJsonObject::fromVariantMap(payloadMap);
-    QJsonDocument payloadJson(payloadJsonObject);
-
-    return payloadJson.toJson();
-}

GPClient/cdpcommand.h

@@ -1,24 +0,0 @@
-#ifndef CDPCOMMAND_H
-#define CDPCOMMAND_H
-
-#include <QObject>
-
-class CDPCommand : public QObject
-{
-    Q_OBJECT
-public:
-    explicit CDPCommand(QObject *parent = nullptr);
-    CDPCommand(int id, QString cmd, QVariantMap& params);
-
-    QByteArray toJson();
-
-signals:
-    void finished();
-
-private:
-    int id;
-    QString cmd;
-    QVariantMap *params;
-};
-
-#endif // CDPCOMMAND_H

GPClient/cdpcommandmanager.cpp

@@ -1,85 +0,0 @@
-#include "cdpcommandmanager.h"
-#include <QVariantMap>
-
-CDPCommandManager::CDPCommandManager(QObject *parent)
-    : QObject(parent)
-    , networkManager(new QNetworkAccessManager)
-    , socket(new QWebSocket)
-{
-    // WebSocket setup
-    QObject::connect(socket, &QWebSocket::connected, this, &CDPCommandManager::ready);
-    QObject::connect(socket, &QWebSocket::textMessageReceived, this, &CDPCommandManager::onTextMessageReceived);
-    QObject::connect(socket, &QWebSocket::disconnected, this, &CDPCommandManager::onSocketDisconnected);
-    QObject::connect(socket, QOverload<QAbstractSocket::SocketError>::of(&QWebSocket::error), this, &CDPCommandManager::onSocketError);
-}
-
-CDPCommandManager::~CDPCommandManager()
-{
-    delete networkManager;
-    delete socket;
-}
-
-void CDPCommandManager::initialize(QString endpoint)
-{
-    QNetworkReply *reply = networkManager->get(QNetworkRequest(endpoint));
-
-    QObject::connect(
-        reply, &QNetworkReply::finished,
-        [reply, this]() {
-            if (reply->error()) {
-                qDebug() << "CDP request error";
-                return;
-            }
-
-            QJsonDocument doc = QJsonDocument::fromJson(reply->readAll());
-            QJsonArray pages = doc.array();
-            QJsonObject page = pages.first().toObject();
-            QString wsUrl = page.value("webSocketDebuggerUrl").toString();
-
-            socket->open(wsUrl);
-        }
-    );
-}
-
-CDPCommand *CDPCommandManager::sendCommand(QString cmd)
-{
-    QVariantMap emptyParams;
-    return sendCommend(cmd, emptyParams);
-}
-
-CDPCommand *CDPCommandManager::sendCommend(QString cmd, QVariantMap &params)
-{
-    int id = ++commandId;
-    CDPCommand *command = new CDPCommand(id, cmd, params);
-    socket->sendTextMessage(command->toJson());
-    commandPool.insert(id, command);
-
-    return command;
-}
-
-void CDPCommandManager::onTextMessageReceived(QString message)
-{
-    QJsonDocument responseDoc = QJsonDocument::fromJson(message.toUtf8());
-    QJsonObject response = responseDoc.object();
-
-    // Response for method
-    if (response.contains("id")) {
-        int id = response.value("id").toInt();
-        if (commandPool.contains(id)) {
-            CDPCommand *command = commandPool.take(id);
-            command->finished();
-        }
-    } else { // Response for event
-        emit eventReceived(response.value("method").toString(), response.value("params").toObject());
-    }
-}
-
-void CDPCommandManager::onSocketDisconnected()
-{
-    qDebug() << "WebSocket disconnected";
-}
-
-void CDPCommandManager::onSocketError(QAbstractSocket::SocketError error)
-{
-    qDebug() << "WebSocket error" << error;
-}

GPClient/cdpcommandmanager.h

@@ -1,39 +0,0 @@
-#ifndef CDPCOMMANDMANAGER_H
-#define CDPCOMMANDMANAGER_H
-
-#include "cdpcommand.h"
-#include <QObject>
-#include <QHash>
-#include <QtWebSockets>
-#include <QNetworkAccessManager>
-
-class CDPCommandManager : public QObject
-{
-    Q_OBJECT
-public:
-    explicit CDPCommandManager(QObject *parent = nullptr);
-    ~CDPCommandManager();
-
-    void initialize(QString endpoint);
-
-    CDPCommand *sendCommand(QString cmd);
-    CDPCommand *sendCommend(QString cmd, QVariantMap& params);
-
-signals:
-    void ready();
-    void eventReceived(QString eventName, QJsonObject params);
-
-private:
-    QNetworkAccessManager *networkManager;
-    QWebSocket *socket;
-
-    int commandId = 0;
-    QHash<int, CDPCommand*> commandPool;
-
-private slots:
-    void onTextMessageReceived(QString message);
-    void onSocketDisconnected();
-    void onSocketError(QAbstractSocket::SocketError error);
-};
-
-#endif // CDPCOMMANDMANAGER_H

GPClient/com.yuezk.qt.GPClient.svg

@@ -1,99 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Generator: Adobe Illustrator 19.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
-
-<svg
-   xmlns:dc="http://purl.org/dc/elements/1.1/"
-   xmlns:cc="http://creativecommons.org/ns#"
-   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
-   xmlns:svg="http://www.w3.org/2000/svg"
-   xmlns="http://www.w3.org/2000/svg"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   version="1.1"
-   id="Layer_1"
-   x="0px"
-   y="0px"
-   viewBox="0 0 96 96"
-   style="enable-background:new 0 0 96 96;"
-   xml:space="preserve"
-   sodipodi:docname="com.yuezk.qt.GPClient.svg"
-   inkscape:version="0.92.4 5da689c313, 2019-01-14"><metadata
-   id="metadata14"><rdf:RDF><cc:Work
-       rdf:about=""><dc:format>image/svg+xml</dc:format><dc:type
-         rdf:resource="http://purl.org/dc/dcmitype/StillImage" /><dc:title /></cc:Work></rdf:RDF></metadata><defs
-   id="defs12" /><sodipodi:namedview
-   pagecolor="#ffffff"
-   bordercolor="#666666"
-   borderopacity="1"
-   objecttolerance="10"
-   gridtolerance="10"
-   guidetolerance="10"
-   inkscape:pageopacity="0"
-   inkscape:pageshadow="2"
-   inkscape:window-width="1920"
-   inkscape:window-height="1006"
-   id="namedview10"
-   showgrid="false"
-   inkscape:zoom="6.9532168"
-   inkscape:cx="7.9545315"
-   inkscape:cy="59.062386"
-   inkscape:window-x="0"
-   inkscape:window-y="0"
-   inkscape:window-maximized="1"
-   inkscape:current-layer="g8499" />
-<style
-   type="text/css"
-   id="style2">
-	.st0{fill:#2980B9;}
-	.st1{fill:#3498DB;}
-	.st2{fill:#2ECC71;}
-	.st3{fill:#27AE60;}
-</style>
-
-<g
-   id="g8499"
-   transform="matrix(1.3407388,0,0,1.3407388,-16.409202,-16.355463)"><g
-     id="XMLID_1_">
-	<circle
-   r="32.5"
-   cy="48"
-   cx="48"
-   class="st0"
-   id="XMLID_3_"
-   style="fill:#2980b9" />
-	<path
-   d="m 48,15.5 v 65 C 65.9,80.5 80.5,65.7 80.5,48 80.5,30 65.9,15.5 48,15.5 Z"
-   class="st1"
-   id="XMLID_4_"
-   inkscape:connector-curvature="0"
-   style="fill:#3498db" />
-	<path
-   d="m 48,15.5 v 0.6 l 1.2,-0.3 c 0.3,-0.3 0.4,-0.3 0.6,-0.3 h -1.1 z m 7.3,0.9 c -0.1,0 0.4,0.9 1.1,1.8 0.8,1.5 1.1,2.1 1.3,2.1 0.3,-0.3 1.9,-1.2 3,-2.1 -1.7,-0.9 -3.5,-1.5 -5.4,-1.8 z m 10.3,6.2 c -0.1,0 -0.4,0 -0.9,0.6 l -0.8,0.9 0.6,0.6 c 0.3,0.6 0.8,0.9 1,1.2 0.5,0.6 0.6,0.6 0.1,1.5 -0.2,0.6 -0.3,0.9 -0.3,0.9 0.1,0.3 0.3,0.3 1.4,0.3 h 1.6 c 0.1,0 0.3,-0.6 0.4,-1.2 l 0.1,-0.9 -1.1,-0.9 c -1,-0.9 -1,-0.9 -1.4,-1.8 -0.3,-0.6 -0.6,-1.2 -0.7,-1.2 z m -3,2.4 c -0.2,0 -1.3,2.1 -1.3,2.4 0,0 0.3,0.6 0.7,0.9 0.4,0.3 0.7,0.6 0.7,0.6 0.1,0 1.2,-1.2 1.4,-1.5 C 64.2,27.1 64,26.8 63.5,26.2 63.1,25.5 62.7,25 62.6,25 Z m 9.5,1.1 0.2,0.3 c 0,0.3 -0.7,0.9 -1.4,1.5 -1.2,0.9 -1.4,1.2 -2,1.2 -0.6,0 -0.9,0.3 -1.8,0.9 -0.6,0.6 -1.2,0.9 -1.2,1.2 0,0 0.2,0.3 0.6,0.9 0.7,0.6 0.7,0.9 0.2,1.8 l -0.4,0.3 h -1.1 c -0.6,0 -1.5,0 -1.8,-0.3 -0.9,0 -0.8,0 -0.1,2.1 1,3 1.1,3.2 1.3,3.2 0.1,0 1.3,-1.2 2.8,-2.4 1.5,-1.2 2.7,-2.4 2.8,-2.4 l 0.6,0.3 c 0.4,0.3 0.5,0 1.3,-0.6 l 0.8,-0.6 0.8,0.6 c 1.9,1.2 2.2,1.5 2.3,2.4 0.2,1.5 0.3,1.8 0.5,1.8 0.1,0 1.3,-1.5 1.6,-1.8 0.1,-0.3 -0.1,-0.6 -1.1,-2.1 -0.7,-0.9 -1.1,-1.8 -1.1,-2.1 0,0 0.1,0 0.3,-0.3 0.2,0 0.4,0.3 1,0.9 -1.6,-2.3 -3.2,-4.7 -5.1,-6.8 z m 2.8,10.7 c -0.2,0 -0.9,0.9 -0.8,1.2 l 0.5,0.3 H 75 c 0.2,0 0.3,0 0.2,-0.3 C 75.1,37.4 75,36.8 74.9,36.8 Z M 72.3,38 h -2.4 l -2.4,0.3 -4.5,3.5 -4.4,3.8 v 3.5 c 0,2.1 0,3.8 0.1,3.8 0.1,0 0.7,0.9 1.5,1.5 0.8,0.9 1.5,1.5 1.8,1.8 0.4,0.3 0.5,0.3 4,0.6 l 3.4,0.3 1.6,0.9 c 0.8,0.6 1.5,1.2 1.6,1.2 0.1,0 -0.3,0.3 -0.6,0.6 l -0.6,0.6 1,1.2 c 0.5,0.6 1.3,1.5 1.7,1.8 l 0.6,0.9 v 1.7 0.9 c 3.7,-5 5.9,-11.5 6.1,-18.3 0.1,-2.7 -0.3,-5.3 -0.8,-8 l -0.6,-0.3 c -0.1,0 -0.5,0.3 -1,0.6 -0.5,0.3 -1,0.9 -1.1,0.9 -0.1,0 -0.8,-0.3 -1.8,-0.6 l -1.8,-0.6 v -0.9 c 0,-0.6 0,-0.9 -0.6,-1.5 z M 48,63.7 V 64 h 0.2 z"
-   class="st2"
-   id="XMLID_13_"
-   inkscape:connector-curvature="0"
-   style="fill:#2ecc71" />
-	<path
-   d="m 48,15.5 c -3.1,0 -6.2,0.5 -9,1.3 0.3,0.4 0.3,0.4 0.6,0.9 1.5,2.5 1.7,2.8 2.1,2.9 0.3,0 0.9,0.1 1.6,0.1 h 1.2 l 0.9,-2 0.8,-1.9 1.8,-0.6 z m -16.9,4.7 c -2.8,1.7 -5.4,3.9 -7.6,6.4 -3.8,4.3 -6.3,9.6 -7.4,15.4 0.5,0 0.9,-0.1 1.8,-0.1 2.8,0.1 2.5,0 3.4,1.4 0.5,0.8 0.6,0.8 1.4,0.8 1,0.1 0.9,0 0.5,-1.6 -0.2,-0.6 -0.3,-1.2 -0.3,-1.4 0,-0.2 0.5,-0.7 1.7,-1.6 1.9,-1.5 1.8,-1.3 1.5,-2.9 -0.1,-0.3 0.1,-0.6 0.6,-1.2 0.7,-0.7 0.7,-0.6 1.4,-0.6 h 0.7 l 0.1,-1.2 c 0.1,-0.7 0.1,-1.3 0.2,-1.3 0,0 1.9,-1.1 4.1,-2.3 2.2,-1.2 4.1,-2.2 4.2,-2.3 0.2,-0.2 -0.3,-0.8 -2.7,-3.8 -1.5,-1.9 -2.8,-3.6 -2.9,-3.7 z m -5.8,23 c -0.1,0 -0.1,0.3 -0.1,0.6 0,0.6 0,0.7 0.6,1 0.8,0.4 0.9,0.5 0.8,0.2 -0.1,-0.4 -1.2,-1.9 -1.3,-1.8 z m -3.4,2.1 -0.5,1.8 c 0.1,0.1 0.9,0.3 1.8,0.5 1,0.2 1.6,0.4 1.8,0.3 l 0.5,-1.3 z m -3.8,1 -1.1,0.6 c -0.6,0.3 -1.2,0.6 -1.4,0.6 h -0.1 c 0,1.4 0.1,2.8 0.3,4.2 l 0.6,0.4 1,-0.1 h 1 l 0.6,1.4 c 0.3,0.7 0.7,1.4 0.8,1.5 0.1,0.1 1,0.1 1.8,0.1 h 1.5 L 23,56.2 c 0,1.2 0,1.3 -0.6,2.2 -0.4,0.5 -0.6,1.2 -0.6,1.4 0,0.2 0.7,2.1 1.6,4.3 l 1.5,4 1.6,0.8 c 1.2,0.6 1.5,0.8 1.5,1 0,0.1 -0.4,2.1 -0.6,3.1 3,2.5 6.4,4.5 10.2,5.8 3.5,-3.6 6.8,-7.1 7.3,-7.6 l 0.7,-0.7 0.2,-1.9 c 0.2,-1.1 0.4,-2.1 0.4,-2.2 0,-0.1 0.5,-0.6 1,-1.2 0.5,-0.5 0.8,-1 0.8,-1.1 v -0.2 c -0.1,-0.1 -1.4,-1.1 -3,-2.2 l -3.1,-2.1 -1.1,-0.1 c -0.8,0 -1.2,0 -1.3,-0.2 C 39.4,59.2 39.2,58.5 39.1,57.7 39,56.9 38.9,56.2 38.8,56.1 38.8,56 38,56 37.1,56 36.2,56 35.4,55.9 35.3,55.8 35.2,55.7 35.2,55.1 35.1,54.3 35,53.6 34.9,53 34.8,52.9 34.7,52.8 33.7,52.7 32.5,52.6 30.5,52.5 30.1,52.5 29.1,52 l -1.2,-0.6 -1.6,0.7 -1.7,0.9 -1.8,-0.1 c -2,0 -1.9,0.2 -2.1,-1.6 C 20.6,50.7 20.6,50.1 20.5,50.1 20.4,50 20,50 19.6,49.9 L 18.9,49.7 19,49.2 c 0,-0.3 0,-1 0.1,-1.4 L 19.2,47 18.7,46.5 Z m 9.1,1.1 C 27.1,47.5 27.1,47.8 27,48 l -0.1,0.5 2.9,1.2 c 2.9,1.1 3.4,1.2 3.9,0.7 0.2,-0.2 0.1,-0.2 -0.3,-0.4 -0.3,-0.1 -1.7,-0.9 -3.2,-1.6 -1.7,-0.7 -2.9,-1.1 -3,-1 z"
-   class="st3"
-   id="XMLID_20_"
-   inkscape:connector-curvature="0"
-   style="fill:#27ae60" />
-</g><g
-     transform="matrix(1.458069,0,0,1.458069,-22.631538,-19.615144)"
-     id="g7664"><path
-       inkscape:connector-curvature="0"
-       id="XMLID_6_"
-       class="st3"
-       d="m 38.8,56.1 c 0,1.2 1,2.2 2.2,2.2 h 15.2 c 1.2,0 2.2,-1 2.2,-2.2 V 45.3 c 0,-1.2 -1,-2.2 -2.2,-2.2 H 40.9 c -1.2,0 -2.2,1 -2.2,2.2 v 10.8 z"
-       style="fill:#f1aa27;fill-opacity:1" /><path
-       style="fill:#e6e6e6"
-       inkscape:connector-curvature="0"
-       id="XMLID_7_"
-       class="st4"
-       d="m 55.5,43.1 h -3.3 v -3.7 c 0,-2.1 -1.7,-3.8 -3.8,-3.8 -2.1,0 -3.8,1.7 -3.8,3.8 v 3.8 h -3.1 v -3.8 c 0,-3.9 3.2,-7 7,-7 3.9,0 7,3.2 7,7 z" /><path
-       style="fill:#e6e6e6;fill-opacity:1"
-       inkscape:connector-curvature="0"
-       id="XMLID_8_"
-       class="st5"
-       d="m 50.35,48.2 c 0,-1 -0.8,-1.8 -1.8,-1.8 -1,0 -1.8,0.8 -1.8,1.8 0,0.7 0.4,1.3 1,1.6 l -1,5.2 h 3.6 l -1,-5.2 c 0.6,-0.3 1,-0.9 1,-1.6 z" /></g></g></svg>

GPClient/com.yuezk.qt.gpclient.desktop

@@ -1,10 +0,0 @@
-[Desktop Entry]
-
-Type=Application
-Version=1.0.0
-Name=GlobalProtect VPN
-Comment=GlobalProtect VPN client, supports SAML auth mode
-Exec=/usr/local/bin/gpclient
-Icon=com.yuezk.qt.GPClient
-Categories=Network;VPN;Utility;Qt;
-Keywords=GlobalProtect;Openconnect;SAML;connection;VPN;

GPClient/enhancedwebview.cpp

@@ -1,36 +0,0 @@
-#include "enhancedwebview.h"
-#include "cdpcommandmanager.h"
-
-#include <QtWebEngineWidgets/QWebEngineView>
-#include <QProcessEnvironment>
-
-EnhancedWebView::EnhancedWebView(QWidget *parent)
-    : QWebEngineView(parent)
-    , cdp(new CDPCommandManager)
-{
-    QObject::connect(cdp, &CDPCommandManager::ready, this, &EnhancedWebView::onCDPReady);
-    QObject::connect(cdp, &CDPCommandManager::eventReceived, this, &EnhancedWebView::onEventReceived);
-}
-
-EnhancedWebView::~EnhancedWebView()
-{
-    delete cdp;
-}
-
-void EnhancedWebView::initialize()
-{
-    QString port = QProcessEnvironment::systemEnvironment().value(ENV_CDP_PORT);
-    cdp->initialize("http://127.0.0.1:" + port + "/json");
-}
-
-void EnhancedWebView::onCDPReady()
-{
-    cdp->sendCommand("Network.enable");
-}
-
-void EnhancedWebView::onEventReceived(QString eventName, QJsonObject params)
-{
-    if (eventName == "Network.responseReceived") {
-        emit responseReceived(params);
-    }
-}

GPClient/enhancedwebview.h

@@ -1,29 +0,0 @@
-#ifndef ENHANCEDWEBVIEW_H
-#define ENHANCEDWEBVIEW_H
-
-#include "cdpcommandmanager.h"
-#include <QtWebEngineWidgets/QWebEngineView>
-
-#define ENV_CDP_PORT "QTWEBENGINE_REMOTE_DEBUGGING"
-
-class EnhancedWebView : public QWebEngineView
-{
-    Q_OBJECT
-public:
-    explicit EnhancedWebView(QWidget *parent = nullptr);
-    ~EnhancedWebView();
-
-    void initialize();
-
-signals:
-    void responseReceived(QJsonObject params);
-
-private slots:
-    void onCDPReady();
-    void onEventReceived(QString eventName, QJsonObject params);
-
-private:
-    CDPCommandManager *cdp;
-};
-
-#endif // ENHANCEDWEBVIEW_H

GPClient/gpclient.cpp

@@ -1,227 +0,0 @@
-#include "gpclient.h"
-#include "ui_gpclient.h"
-#include "samlloginwindow.h"
-
-#include <QDesktopWidget>
-#include <QGraphicsScene>
-#include <QGraphicsView>
-#include <QGraphicsPixmapItem>
-#include <QImage>
-#include <QStyle>
-#include <QMessageBox>
-
-GPClient::GPClient(QWidget *parent)
-    : QMainWindow(parent)
-    , ui(new Ui::GPClient)
-{
-    ui->setupUi(this);
-    setFixedSize(width(), height());
-    moveCenter();
-
-    // Restore portal from the previous settings
-    settings = new QSettings("com.yuezk.qt", "GPClient");
-    ui->portalInput->setText(settings->value("portal", "").toString());
-
-    QObject::connect(this, &GPClient::connectFailed, [this]() {
-        updateConnectionStatus("not_connected");
-    });
-
-    // QNetworkAccessManager setup
-    networkManager = new QNetworkAccessManager(this);
-
-    // DBus service setup
-    vpn = new com::yuezk::qt::GPService("com.yuezk.qt.GPService", "/", QDBusConnection::systemBus(), this);
-    QObject::connect(vpn, &com::yuezk::qt::GPService::connected, this, &GPClient::onVPNConnected);
-    QObject::connect(vpn, &com::yuezk::qt::GPService::disconnected, this, &GPClient::onVPNDisconnected);
-    QObject::connect(vpn, &com::yuezk::qt::GPService::logAvailable, this, &GPClient::onVPNLogAvailable);
-
-    initVpnStatus();
-}
-
-GPClient::~GPClient()
-{
-    delete ui;
-    delete networkManager;
-    delete reply;
-    delete vpn;
-    delete settings;
-}
-
-void GPClient::on_connectButton_clicked()
-{
-    QString btnText = ui->connectButton->text();
-
-    if (btnText == "Connect") {
-        QString portal = ui->portalInput->text();
-        settings->setValue("portal", portal);
-        ui->statusLabel->setText("Authenticating...");
-        updateConnectionStatus("pending");
-        doAuth(portal);
-    } else if (btnText == "Cancel") {
-        ui->statusLabel->setText("Canceling...");
-        updateConnectionStatus("pending");
-
-        if (reply->isRunning()) {
-            reply->abort();
-        }
-        vpn->disconnect();
-    } else {
-        ui->statusLabel->setText("Disconnecting...");
-        updateConnectionStatus("pending");
-        vpn->disconnect();
-    }
-}
-
-void GPClient::preloginResultFinished()
-{
-    if (reply->error()) {
-        qWarning() << "Prelogin request error";
-        emit connectFailed();
-        return;
-    }
-
-    QByteArray bytes = reply->readAll();
-    const QString tagMethod = "saml-auth-method";
-    const QString tagRequest = "saml-request";
-    QString samlMethod;
-    QString samlRequest;
-
-    QXmlStreamReader xml(bytes);
-    while (!xml.atEnd()) {
-        xml.readNext();
-        if (xml.tokenType() == xml.StartElement) {
-            if (xml.name() == tagMethod) {
-                samlMethod = xml.readElementText();
-            } else if (xml.name() == tagRequest) {
-                samlRequest = QByteArray::fromBase64(QByteArray::fromStdString(xml.readElementText().toStdString()));
-            }
-        }
-    }
-
-    if (samlMethod == nullptr || samlRequest == nullptr) {
-        qWarning("This does not appear to be a SAML prelogin response (<saml-auth-method> or <saml-request> tags missing)");
-        emit connectFailed();
-        return;
-    }
-
-    if (samlMethod == "POST") {
-        // TODO
-        emit connectFailed();
-        QMessageBox msgBox;
-        msgBox.setText("TODO: SAML method is POST");
-        msgBox.exec();
-    } else if (samlMethod == "REDIRECT") {
-        samlLogin(samlRequest);
-    }
-}
-
-void GPClient::onLoginSuccess(QJsonObject loginResult)
-{
-    QString fullpath = "/ssl-vpn/login.esp";
-    QString shortpath = "gateway";
-    QString user = loginResult.value("saml-username").toString();
-    QString cookieName;
-    QString cookieValue;
-    QString cookies[]{"prelogin-cookie", "portal-userauthcookie"};
-
-    for (int i = 0; i < cookies->length(); i++) {
-        cookieValue = loginResult.value(cookies[i]).toString();
-        if (cookieValue != nullptr) {
-            cookieName = cookies[i];
-            break;
-        }
-    }
-
-    QString host = QString("https://%1/%2:%3").arg(loginResult.value("server").toString(), shortpath, cookieName);
-    vpn->connect(host, user, cookieValue);
-    ui->statusLabel->setText("Connecting...");
-    updateConnectionStatus("pending");
-}
-
-void GPClient::updateConnectionStatus(QString status)
-{
-    if (status == "not_connected") {
-        ui->statusLabel->setText("Not Connected");
-        ui->statusImage->setStyleSheet("image: url(:/images/not_connected.png); padding: 15;");
-        ui->connectButton->setText("Connect");
-        ui->connectButton->setDisabled(false);
-    } else if (status == "pending") {
-        ui->statusImage->setStyleSheet("image: url(:/images/pending.png); padding: 15;");
-        ui->connectButton->setText("Cancel");
-        ui->connectButton->setDisabled(false);
-    } else if (status == "connected") {
-        ui->statusLabel->setText("Connected");
-        ui->statusImage->setStyleSheet("image: url(:/images/connected.png); padding: 15;");
-        ui->connectButton->setText("Disconnect");
-        ui->connectButton->setDisabled(false);
-    }
-}
-
-void GPClient::onVPNConnected()
-{
-    updateConnectionStatus("connected");
-}
-
-void GPClient::onVPNDisconnected()
-{
-    updateConnectionStatus("not_connected");
-}
-
-void GPClient::onVPNLogAvailable(QString log)
-{
-    qInfo() << log;
-}
-
-void GPClient::initVpnStatus() {
-    int status = vpn->status();
-    if (status == 1) {
-        ui->statusLabel->setText("Connecting...");
-        updateConnectionStatus("pending");
-    } else if (status == 2) {
-        updateConnectionStatus("connected");
-    } else if (status == 3) {
-        ui->statusLabel->setText("Disconnecting...");
-        updateConnectionStatus("pending");
-    }
-}
-
-void GPClient::moveCenter()
-{
-    QDesktopWidget *desktop = QApplication::desktop();
-
-    int screenWidth, width;
-    int screenHeight, height;
-    int x, y;
-    QSize windowSize;
-
-    screenWidth = desktop->width();
-    screenHeight = desktop->height();
-
-    windowSize = size();
-    width = windowSize.width();
-    height = windowSize.height();
-
-    x = (screenWidth - width) / 2;
-    y = (screenHeight - height) / 2;
-    y -= 50;
-    move(x, y);
-}
-
-void GPClient::doAuth(const QString portal)
-{
-    const QString preloginUrl = "https://" + portal + "/ssl-vpn/prelogin.esp";
-    reply = networkManager->post(QNetworkRequest(preloginUrl), (QByteArray) nullptr);
-    connect(reply, &QNetworkReply::finished, this, &GPClient::preloginResultFinished);
-}
-
-void GPClient::samlLogin(const QString loginUrl)
-{
-    SAMLLoginWindow *loginWindow = new SAMLLoginWindow(this);
-
-    QObject::connect(loginWindow, &SAMLLoginWindow::success, this, &GPClient::onLoginSuccess);
-    QObject::connect(loginWindow, &SAMLLoginWindow::rejected, this, &GPClient::connectFailed);
-
-    loginWindow->login(loginUrl);
-    loginWindow->exec();
-    delete loginWindow;
-}

GPClient/gpclient.h

@@ -1,47 +0,0 @@
-#ifndef GPCLIENT_H
-#define GPCLIENT_H
-
-#include "gpservice_interface.h"
-#include <QMainWindow>
-#include <QNetworkAccessManager>
-#include <QNetworkReply>
-
-QT_BEGIN_NAMESPACE
-namespace Ui { class GPClient; }
-QT_END_NAMESPACE
-
-class GPClient : public QMainWindow
-{
-    Q_OBJECT
-
-public:
-    GPClient(QWidget *parent = nullptr);
-    ~GPClient();
-
-signals:
-    void connectFailed();
-
-private slots:
-    void on_connectButton_clicked();
-    void preloginResultFinished();
-
-    void onLoginSuccess(QJsonObject loginResult);
-
-    void onVPNConnected();
-    void onVPNDisconnected();
-    void onVPNLogAvailable(QString log);
-
-private:
-    Ui::GPClient *ui;
-    QNetworkAccessManager *networkManager;
-    QNetworkReply *reply;
-    com::yuezk::qt::GPService *vpn;
-    QSettings *settings;
-
-    void initVpnStatus();
-    void moveCenter();
-    void updateConnectionStatus(QString status);
-    void doAuth(const QString portal);
-    void samlLogin(const QString loginUrl);
-};
-#endif // GPCLIENT_H

GPClient/gpclient.ui

@@ -1,127 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<ui version="4.0">
- <class>GPClient</class>
- <widget class="QMainWindow" name="GPClient">
-  <property name="geometry">
-   <rect>
-    <x>0</x>
-    <y>0</y>
-    <width>260</width>
-    <height>338</height>
-   </rect>
-  </property>
-  <property name="windowTitle">
-   <string>GP VPN Client</string>
-  </property>
-  <property name="windowIcon">
-   <iconset resource="resources.qrc">
-    <normaloff>:/images/logo.svg</normaloff>:/images/logo.svg</iconset>
-  </property>
-  <property name="styleSheet">
-   <string notr="true"/>
-  </property>
-  <property name="iconSize">
-   <size>
-    <width>22</width>
-    <height>22</height>
-   </size>
-  </property>
-  <widget class="QWidget" name="centralwidget">
-   <property name="sizePolicy">
-    <sizepolicy hsizetype="Preferred" vsizetype="Preferred">
-     <horstretch>0</horstretch>
-     <verstretch>0</verstretch>
-    </sizepolicy>
-   </property>
-   <property name="layoutDirection">
-    <enum>Qt::LeftToRight</enum>
-   </property>
-   <layout class="QVBoxLayout" name="verticalLayout_3" stretch="1,0">
-    <property name="leftMargin">
-     <number>15</number>
-    </property>
-    <property name="topMargin">
-     <number>15</number>
-    </property>
-    <property name="rightMargin">
-     <number>15</number>
-    </property>
-    <property name="bottomMargin">
-     <number>15</number>
-    </property>
-    <item>
-     <layout class="QVBoxLayout" name="verticalLayout" stretch="1,0">
-      <property name="bottomMargin">
-       <number>15</number>
-      </property>
-      <item>
-       <widget class="QLabel" name="statusImage">
-        <property name="styleSheet">
-         <string notr="true">#statusImage {
-	image: url(:/images/not_connected.png);
-	padding: 15
-}</string>
-        </property>
-        <property name="text">
-         <string/>
-        </property>
-       </widget>
-      </item>
-      <item>
-       <widget class="QLabel" name="statusLabel">
-        <property name="font">
-         <font>
-          <pointsize>14</pointsize>
-          <weight>50</weight>
-          <bold>false</bold>
-          <underline>false</underline>
-         </font>
-        </property>
-        <property name="text">
-         <string>Not Connected</string>
-        </property>
-        <property name="alignment">
-         <set>Qt::AlignCenter</set>
-        </property>
-       </widget>
-      </item>
-     </layout>
-    </item>
-    <item>
-     <layout class="QVBoxLayout" name="verticalLayout_2">
-      <property name="bottomMargin">
-       <number>0</number>
-      </property>
-      <item>
-       <widget class="QLineEdit" name="portalInput">
-        <property name="text">
-         <string/>
-        </property>
-        <property name="placeholderText">
-         <string>Please enter your portal address</string>
-        </property>
-       </widget>
-      </item>
-      <item>
-       <widget class="QPushButton" name="connectButton">
-        <property name="sizePolicy">
-         <sizepolicy hsizetype="Expanding" vsizetype="Fixed">
-          <horstretch>0</horstretch>
-          <verstretch>0</verstretch>
-         </sizepolicy>
-        </property>
-        <property name="text">
-         <string>Connect</string>
-        </property>
-       </widget>
-      </item>
-     </layout>
-    </item>
-   </layout>
-  </widget>
- </widget>
- <resources>
-  <include location="resources.qrc"/>
- </resources>
- <connections/>
-</ui>

GPClient/gpservice_interface.cpp

@@ -1,25 +0,0 @@
-/*
- * This file was generated by qdbusxml2cpp version 0.8
- * Command line was: qdbusxml2cpp -i gpservice_interface.h -p :gpservice_interface.cpp ../GPService/gpservice.xml
- *
- * qdbusxml2cpp is Copyright (C) 2020 The Qt Company Ltd.
- *
- * This is an auto-generated file.
- * This file may have been hand-edited. Look for HAND-EDIT comments
- * before re-generating it.
- */
-
-#include "gpservice_interface.h"
-/*
- * Implementation of interface class ComYuezkQtGPServiceInterface
- */
-
-ComYuezkQtGPServiceInterface::ComYuezkQtGPServiceInterface(const QString &service, const QString &path, const QDBusConnection &connection, QObject *parent)
-    : QDBusAbstractInterface(service, path, staticInterfaceName(), connection, parent)
-{
-}
-
-ComYuezkQtGPServiceInterface::~ComYuezkQtGPServiceInterface()
-{
-}
-

GPClient/gpservice_interface.h

@@ -1,71 +0,0 @@
-/*
- * This file was generated by qdbusxml2cpp version 0.8
- * Command line was: qdbusxml2cpp -p gpservice_interface.h: ../GPService/gpservice.xml
- *
- * qdbusxml2cpp is Copyright (C) 2020 The Qt Company Ltd.
- *
- * This is an auto-generated file.
- * Do not edit! All changes made to it will be lost.
- */
-
-#ifndef GPSERVICE_INTERFACE_H
-#define GPSERVICE_INTERFACE_H
-
-#include <QtCore/QObject>
-#include <QtCore/QByteArray>
-#include <QtCore/QList>
-#include <QtCore/QMap>
-#include <QtCore/QString>
-#include <QtCore/QStringList>
-#include <QtCore/QVariant>
-#include <QtDBus/QtDBus>
-
-/*
- * Proxy class for interface com.yuezk.qt.GPService
- */
-class ComYuezkQtGPServiceInterface: public QDBusAbstractInterface
-{
-    Q_OBJECT
-public:
-    static inline const char *staticInterfaceName()
-    { return "com.yuezk.qt.GPService"; }
-
-public:
-    ComYuezkQtGPServiceInterface(const QString &service, const QString &path, const QDBusConnection &connection, QObject *parent = nullptr);
-
-    ~ComYuezkQtGPServiceInterface();
-
-public Q_SLOTS: // METHODS
-    inline QDBusPendingReply<> connect(const QString &server, const QString &username, const QString &passwd)
-    {
-        QList<QVariant> argumentList;
-        argumentList << QVariant::fromValue(server) << QVariant::fromValue(username) << QVariant::fromValue(passwd);
-        return asyncCallWithArgumentList(QStringLiteral("connect"), argumentList);
-    }
-
-    inline QDBusPendingReply<> disconnect()
-    {
-        QList<QVariant> argumentList;
-        return asyncCallWithArgumentList(QStringLiteral("disconnect"), argumentList);
-    }
-
-    inline QDBusPendingReply<int> status()
-    {
-        QList<QVariant> argumentList;
-        return asyncCallWithArgumentList(QStringLiteral("status"), argumentList);
-    }
-
-Q_SIGNALS: // SIGNALS
-    void connected();
-    void disconnected();
-    void logAvailable(const QString &log);
-};
-
-namespace com {
-  namespace yuezk {
-    namespace qt {
-      typedef ::ComYuezkQtGPServiceInterface GPService;
-    }
-  }
-}
-#endif

GPClient/main.cpp

@@ -1,18 +0,0 @@
-#include "singleapplication.h"
-#include "gpclient.h"
-#include "enhancedwebview.h"
-
-int main(int argc, char *argv[])
-{
-    QString port = QString::fromLocal8Bit(qgetenv(ENV_CDP_PORT));
-    if (port == "") {
-        qputenv(ENV_CDP_PORT, "12315");
-    }
-    SingleApplication app(argc, argv);
-    GPClient w;
-    w.show();
-
-    QObject::connect(&app, &SingleApplication::instanceStarted, &w, &GPClient::raise);
-
-    return app.exec();
-}

GPClient/resources.qrc

@@ -1,8 +0,0 @@
-<RCC>
-    <qresource prefix="/images">
-        <file alias="logo.svg">com.yuezk.qt.GPClient.svg</file>
-        <file>connected.png</file>
-        <file>pending.png</file>
-        <file>not_connected.png</file>
-    </qresource>
-</RCC>

GPClient/samlloginwindow.cpp

@@ -1,59 +0,0 @@
-#include "samlloginwindow.h"
-
-#include <QVBoxLayout>
-
-SAMLLoginWindow::SAMLLoginWindow(QWidget *parent)
-    : QDialog(parent)
-{
-    setWindowTitle("SAML Login");
-    resize(610, 406);
-    QVBoxLayout *verticalLayout = new QVBoxLayout(this);
-    webView = new EnhancedWebView(this);
-    webView->setUrl(QUrl("about:blank"));
-    verticalLayout->addWidget(webView);
-
-    webView->initialize();
-    QObject::connect(webView, &EnhancedWebView::responseReceived, this, &SAMLLoginWindow::onResponseReceived);
-}
-
-SAMLLoginWindow::~SAMLLoginWindow()
-{
-    delete webView;
-}
-
-void SAMLLoginWindow::closeEvent(QCloseEvent *event)
-{
-    event->accept();
-    reject();
-}
-
-void SAMLLoginWindow::login(QString url)
-{
-    webView->load(QUrl(url));
-}
-
-void SAMLLoginWindow::onResponseReceived(QJsonObject params)
-{
-    QString type = params.value("type").toString();
-    // Skip non-document response
-    if (type != "Document") {
-        return;
-    }
-
-    QJsonObject response = params.value("response").toObject();
-    QJsonObject headers = response.value("headers").toObject();
-
-    foreach (const QString& key, headers.keys()) {
-        if (key.startsWith("saml-") || key == "prelogin-cookie" || key == "portal-userauthcookie") {
-            samlResult.insert(key, headers.value(key));
-        }
-    }
-
-    // Check the SAML result
-    if (samlResult.contains("saml-username")
-            && (samlResult.contains("prelogin-cookie") || samlResult.contains("portal-userauthcookie"))) {
-        samlResult.insert("server", QUrl(response.value("url").toString()).authority());
-        emit success(samlResult);
-        accept();
-    }
-}

GPClient/samlloginwindow.h

@@ -1,33 +0,0 @@
-#ifndef SAMLLOGINWINDOW_H
-#define SAMLLOGINWINDOW_H
-
-#include "enhancedwebview.h"
-
-#include <QDialog>
-#include <QJsonObject>
-#include <QCloseEvent>
-
-class SAMLLoginWindow : public QDialog
-{
-    Q_OBJECT
-
-public:
-    explicit SAMLLoginWindow(QWidget *parent = nullptr);
-    ~SAMLLoginWindow();
-
-    void login(QString url);
-
-signals:
-    void success(QJsonObject samlResult);
-
-private slots:
-    void onResponseReceived(QJsonObject params);
-
-private:
-    EnhancedWebView *webView;
-    QJsonObject samlResult;
-
-    void closeEvent(QCloseEvent *event);
-};
-
-#endif // SAMLLOGINWINDOW_H

GPService/GPService.pro

@@ -1,52 +0,0 @@
-TARGET = gpservice
-
-QT += dbus
-QT -= gui
-
-CONFIG += c++11 console
-CONFIG -= app_bundle
-
-include(../singleapplication/singleapplication.pri)
-DEFINES += QAPPLICATION_CLASS=QCoreApplication
-
-# The following define makes your compiler emit warnings if you use
-# any Qt feature that has been marked deprecated (the exact warnings
-# depend on your compiler). Please consult the documentation of the
-# deprecated API in order to know how to port your code away from it.
-DEFINES += QT_DEPRECATED_WARNINGS
-
-# You can also make your code fail to compile if it uses deprecated APIs.
-# In order to do so, uncomment the following line.
-# You can also select to disable deprecated APIs only up to a certain version of Qt.
-#DEFINES += QT_DISABLE_DEPRECATED_BEFORE=0x060000    # disables all the APIs deprecated before Qt 6.0.0
-
-HEADERS += \
-    gpservice.h \
-    sigwatch.h
-
-SOURCES += \
-        gpservice.cpp \
-        main.cpp \
-        sigwatch.cpp
-
-DBUS_ADAPTORS += gpservice.xml
-
-# Default rules for deployment.
-target.path = /usr/local/bin
-INSTALLS += target
-
-DISTFILES += \
-    dbus/com.yuezk.qt.GPService.conf \
-    dbus/com.yuezk.qt.GPService.service \
-    systemd/gpservice.service
-
-dbus_config.path = /usr/share/dbus-1/system.d/
-dbus_config.files = dbus/com.yuezk.qt.GPService.conf
-
-dbus_service.path = /usr/share/dbus-1/system-services/
-dbus_service.files = dbus/com.yuezk.qt.GPService.service
-
-systemd_service.path = /etc/systemd/system/
-systemd_service.files = systemd/gpservice.service
-
-INSTALLS += dbus_config dbus_service systemd_service

GPService/dbus/com.yuezk.qt.GPService.conf

@@ -1,18 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE busconfig PUBLIC
-"-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
-"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
-<busconfig>
-        <policy user="root">
-                <allow own="com.yuezk.qt.GPService"/>
-        </policy>
-
-        <policy context="default">
-                <allow send_destination="com.yuezk.qt.GPService"
-                        send_interface="com.yuezk.qt.GPService"
-                        />
-                <allow send_destination="com.yuezk.qt.GPService"
-                        send_interface="org.freedesktop.DBus.Introspectable"
-                        />
-        </policy>
-</busconfig>

GPService/dbus/com.yuezk.qt.GPService.service

@@ -1,5 +0,0 @@
-[D-BUS Service]
-Name=com.yuezk.qt.GPService
-Exec=/usr/local/bin/gpservice
-User=root
-SystemdService=gpservice.service

GPService/gpservice.cpp

@@ -1,135 +0,0 @@
-#include "gpservice.h"
-#include "gpservice_adaptor.h"
-
-#include <QFileInfo>
-#include <QtDBus>
-#include <QDateTime>
-#include <QVariant>
-
-GPService::GPService(QObject *parent)
-    : QObject(parent)
-    , openconnect(new QProcess)
-{
-    // Register the DBus service
-    new GPServiceAdaptor(this);
-    QDBusConnection dbus = QDBusConnection::systemBus();
-    dbus.registerObject("/", this);
-    dbus.registerService("com.yuezk.qt.GPService");
-
-    // Setup the openconnect process
-    QObject::connect(openconnect, &QProcess::started, this, &GPService::onProcessStarted);
-    QObject::connect(openconnect, &QProcess::errorOccurred, this, &GPService::onProcessError);
-    QObject::connect(openconnect, &QProcess::readyReadStandardOutput, this, &GPService::onProcessStdout);
-    QObject::connect(openconnect, &QProcess::readyReadStandardError, this, &GPService::onProcessStderr);
-    QObject::connect(openconnect, QOverload<int, QProcess::ExitStatus>::of(&QProcess::finished), this, &GPService::onProcessFinished);
-}
-
-GPService::~GPService()
-{
-    delete openconnect;
-}
-
-QString GPService::findBinary()
-{
-    for (int i = 0; i < binaryPaths->length(); i++) {
-        if (QFileInfo::exists(binaryPaths[i])) {
-            return binaryPaths[i];
-        }
-    }
-    return nullptr;
-}
-
-void GPService::quit()
-{
-    if (openconnect->state() == QProcess::NotRunning) {
-        exit(0);
-    } else {
-        aboutToQuit = true;
-        openconnect->terminate();
-    }
-}
-
-void GPService::connect(QString server, QString username, QString passwd)
-{
-    if (vpnStatus != GPService::VpnNotConnected) {
-        log("VPN status is: " + QVariant::fromValue(vpnStatus).toString());
-        return;
-    }
-
-    QString bin = findBinary();
-    if (bin == nullptr) {
-        log("Could not found openconnect binary, make sure openconnect is installed, exiting.");
-        return;
-    }
-
-    QStringList args;
-    args << QCoreApplication::arguments().mid(1)
-     << "--protocol=gp"
-     << "-u" << username
-     << "--passwd-on-stdin"
-     << "--timestamp"
-     << server;
-
-    openconnect->start(bin, args);
-    openconnect->write(passwd.toUtf8());
-    openconnect->closeWriteChannel();
-}
-
-void GPService::disconnect()
-{
-    if (openconnect->state() != QProcess::NotRunning) {
-        vpnStatus = GPService::VpnDisconnecting;
-        openconnect->terminate();
-    }
-}
-
-int GPService::status()
-{
-    return vpnStatus;
-}
-
-void GPService::onProcessStarted()
-{
-    log("Openconnect started successfully, PID=" + QString::number(openconnect->processId()));
-    vpnStatus = GPService::VpnConnecting;
-}
-
-void GPService::onProcessError(QProcess::ProcessError error)
-{
-    log("Error occurred: " + QVariant::fromValue(error).toString());
-    vpnStatus = GPService::VpnNotConnected;
-    emit disconnected();
-}
-
-void GPService::onProcessStdout()
-{
-    QString output = openconnect->readAllStandardOutput();
-
-    log(output);
-    if (output.indexOf("Connected as") >= 0) {
-        vpnStatus = GPService::VpnConnected;
-        emit connected();
-    }
-}
-
-void GPService::onProcessStderr()
-{
-    log(openconnect->readAllStandardError());
-}
-
-void GPService::onProcessFinished(int exitCode, QProcess::ExitStatus exitStatus)
-{
-    log("Openconnect process exited with code " + QString::number(exitCode) + " and exit status " + QVariant::fromValue(exitStatus).toString());
-    vpnStatus = GPService::VpnNotConnected;
-    emit disconnected();
-
-    if (aboutToQuit) {
-        exit(0);
-    };
-}
-
-void GPService::log(QString msg)
-{
-    qInfo() << msg;
-    emit logAvailable(msg);
-}

GPService/gpservice.h

@@ -1,58 +0,0 @@
-#ifndef GLOBALPROTECTSERVICE_H
-#define GLOBALPROTECTSERVICE_H
-
-#include <QObject>
-#include <QProcess>
-
-static const QString binaryPaths[] {
-    "/usr/local/bin/openconnect",
-    "/usr/local/sbin/openconnect",
-    "/usr/bin/openconnect",
-    "/usr/sbin/openconnect",
-    "/opt/bin/openconnect",
-    "/opt/sbin/openconnect"
-};
-
-class GPService : public QObject
-{
-    Q_OBJECT
-    Q_CLASSINFO("D-Bus Interface", "com.yuezk.qt.GPService")
-public:
-    explicit GPService(QObject *parent = nullptr);
-    ~GPService();
-
-    enum VpnStatus {
-        VpnNotConnected,
-        VpnConnecting,
-        VpnConnected,
-        VpnDisconnecting,
-    };
-
-signals:
-    void connected();
-    void disconnected();
-    void logAvailable(QString log);
-
-public slots:
-    void connect(QString server, QString username, QString passwd);
-    void disconnect();
-    int status();
-    void quit();
-
-private slots:
-    void onProcessStarted();
-    void onProcessError(QProcess::ProcessError error);
-    void onProcessStdout();
-    void onProcessStderr();
-    void onProcessFinished(int exitCode, QProcess::ExitStatus exitStatus);
-
-private:
-    QProcess *openconnect;
-    bool aboutToQuit = false;
-    int vpnStatus = GPService::VpnNotConnected;
-
-    void log(QString msg);
-    static QString findBinary();
-};
-
-#endif // GLOBALPROTECTSERVICE_H

GPService/gpservice.xml

@@ -1,22 +0,0 @@
-<!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN" "http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
-<node>
-  <interface name="com.yuezk.qt.GPService">
-    <signal name="connected">
-    </signal>
-    <signal name="disconnected">
-    </signal>
-    <signal name="logAvailable">
-      <arg name="log" type="s" />
-    </signal>
-    <method name="connect">
-      <arg name="server" type="s" direction="in"/>
-      <arg name="username" type="s" direction="in"/>
-      <arg name="passwd" type="s" direction="in"/>
-    </method>
-    <method name="disconnect">
-    </method>
-    <method name="status">
-      <arg type="i" direction="out"/>
-    </method>
-  </interface>
-</node>

GPService/gpservice_adaptor.cpp

@@ -1,55 +0,0 @@
-/*
- * This file was generated by qdbusxml2cpp version 0.8
- * Command line was: qdbusxml2cpp -i gpservice_adaptor.h -a :gpservice_adaptor.cpp gpservice.xml
- *
- * qdbusxml2cpp is Copyright (C) 2020 The Qt Company Ltd.
- *
- * This is an auto-generated file.
- * Do not edit! All changes made to it will be lost.
- */
-
-#include "gpservice_adaptor.h"
-#include <QtCore/QMetaObject>
-#include <QtCore/QByteArray>
-#include <QtCore/QList>
-#include <QtCore/QMap>
-#include <QtCore/QString>
-#include <QtCore/QStringList>
-#include <QtCore/QVariant>
-
-/*
- * Implementation of adaptor class GPServiceAdaptor
- */
-
-GPServiceAdaptor::GPServiceAdaptor(QObject *parent)
-    : QDBusAbstractAdaptor(parent)
-{
-    // constructor
-    setAutoRelaySignals(true);
-}
-
-GPServiceAdaptor::~GPServiceAdaptor()
-{
-    // destructor
-}
-
-void GPServiceAdaptor::connect(const QString &server, const QString &username, const QString &passwd)
-{
-    // handle method call com.yuezk.qt.GPService.connect
-    QMetaObject::invokeMethod(parent(), "connect", Q_ARG(QString, server), Q_ARG(QString, username), Q_ARG(QString, passwd));
-}
-
-void GPServiceAdaptor::disconnect()
-{
-    // handle method call com.yuezk.qt.GPService.disconnect
-    QMetaObject::invokeMethod(parent(), "disconnect");
-}
-
-int GPServiceAdaptor::status()
-{
-    // handle method call com.yuezk.qt.GPService.status
-    int out0;
-    QMetaObject::invokeMethod(parent(), "status", Q_RETURN_ARG(int, out0));
-    return out0;
-}
-

GPService/gpservice_adaptor.h

@@ -1,66 +0,0 @@
-/*
- * This file was generated by qdbusxml2cpp version 0.8
- * Command line was: qdbusxml2cpp -a gpservice_adaptor.h: gpservice.xml
- *
- * qdbusxml2cpp is Copyright (C) 2020 The Qt Company Ltd.
- *
- * This is an auto-generated file.
- * This file may have been hand-edited. Look for HAND-EDIT comments
- * before re-generating it.
- */
-
-#ifndef GPSERVICE_ADAPTOR_H
-#define GPSERVICE_ADAPTOR_H
-
-#include <QtCore/QObject>
-#include <QtDBus/QtDBus>
-QT_BEGIN_NAMESPACE
-class QByteArray;
-template<class T> class QList;
-template<class Key, class Value> class QMap;
-class QString;
-class QStringList;
-class QVariant;
-QT_END_NAMESPACE
-
-/*
- * Adaptor class for interface com.yuezk.qt.GPService
- */
-class GPServiceAdaptor: public QDBusAbstractAdaptor
-{
-    Q_OBJECT
-    Q_CLASSINFO("D-Bus Interface", "com.yuezk.qt.GPService")
-    Q_CLASSINFO("D-Bus Introspection", ""
-"  <interface name=\"com.yuezk.qt.GPService\">\n"
-"    <signal name=\"connected\"/>\n"
-"    <signal name=\"disconnected\"/>\n"
-"    <signal name=\"logAvailable\">\n"
-"      <arg type=\"s\" name=\"log\"/>\n"
-"    </signal>\n"
-"    <method name=\"connect\">\n"
-"      <arg direction=\"in\" type=\"s\" name=\"server\"/>\n"
-"      <arg direction=\"in\" type=\"s\" name=\"username\"/>\n"
-"      <arg direction=\"in\" type=\"s\" name=\"passwd\"/>\n"
-"    </method>\n"
-"    <method name=\"disconnect\"/>\n"
-"    <method name=\"status\">\n"
-"      <arg direction=\"out\" type=\"i\"/>\n"
-"    </method>\n"
-"  </interface>\n"
-        "")
-public:
-    GPServiceAdaptor(QObject *parent);
-    virtual ~GPServiceAdaptor();
-
-public: // PROPERTIES
-public Q_SLOTS: // METHODS
-    void connect(const QString &server, const QString &username, const QString &passwd);
-    void disconnect();
-    int status();
-Q_SIGNALS: // SIGNALS
-    void connected();
-    void disconnected();
-    void logAvailable(const QString &log);
-};
-
-#endif

GPService/main.cpp

@@ -1,26 +0,0 @@
-#include <QtDBus>
-#include "gpservice.h"
-#include "singleapplication.h"
-#include "sigwatch.h"
-
-int main(int argc, char *argv[])
-{
-    SingleApplication app(argc, argv);
-
-    if (!QDBusConnection::systemBus().isConnected()) {
-        qWarning("Cannot connect to the D-Bus session bus.\n"
-                 "Please check your system settings and try again.\n");
-        return 1;
-    }
-
-    GPService service;
-
-    UnixSignalWatcher sigwatch;
-    sigwatch.watchForSignal(SIGINT);
-    sigwatch.watchForSignal(SIGTERM);
-    sigwatch.watchForSignal(SIGQUIT);
-    sigwatch.watchForSignal(SIGHUP);
-    QObject::connect(&sigwatch, &UnixSignalWatcher::unixSignal, &service, &GPService::quit);
-
-    return app.exec();
-}

GPService/sigwatch.cpp

@@ -1,176 +0,0 @@
-/*
- * Unix signal watcher for Qt.
- *
- * Copyright (C) 2014 Simon Knopp
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include <sys/socket.h>
-#include <unistd.h>
-#include <errno.h>
-#include <QMap>
-#include <QSocketNotifier>
-#include <QDebug>
-#include "sigwatch.h"
-
-
-/*!
- * \brief The UnixSignalWatcherPrivate class implements the back-end signal
- * handling for the UnixSignalWatcher.
- *
- * \see http://qt-project.org/doc/qt-5.0/qtdoc/unix-signals.html
- */
-class UnixSignalWatcherPrivate : public QObject
-{
-    UnixSignalWatcher * const q_ptr;
-    Q_DECLARE_PUBLIC(UnixSignalWatcher)
-
-public:
-    UnixSignalWatcherPrivate(UnixSignalWatcher *q);
-    ~UnixSignalWatcherPrivate();
-
-    void watchForSignal(int signal);
-    static void signalHandler(int signal);
-
-    void _q_onNotify(int sockfd);
-
-private:
-    static int sockpair[2];
-    QSocketNotifier *notifier;
-    QList<int> watchedSignals;
-};
-
-
-int UnixSignalWatcherPrivate::sockpair[2];
-
-UnixSignalWatcherPrivate::UnixSignalWatcherPrivate(UnixSignalWatcher *q) :
-    q_ptr(q)
-{
-    // Create socket pair
-    if (::socketpair(AF_UNIX, SOCK_STREAM, 0, sockpair)) {
-        qDebug() << "UnixSignalWatcher: socketpair: " << ::strerror(errno);
-        return;
-    }
-
-    // Create a notifier for the read end of the pair
-    notifier = new QSocketNotifier(sockpair[1], QSocketNotifier::Read);
-    QObject::connect(notifier, SIGNAL(activated(int)), q, SLOT(_q_onNotify(int)));
-    notifier->setEnabled(true);
-}
-
-UnixSignalWatcherPrivate::~UnixSignalWatcherPrivate()
-{
-    delete notifier;
-}
-
-/*!
- * Registers a handler for the given Unix \a signal. The handler will write to
- * a socket pair, the other end of which is connected to a QSocketNotifier.
- * This provides a way to break out of the asynchronous context from which the
- * signal handler is called and back into the Qt event loop.
- */
-void UnixSignalWatcherPrivate::watchForSignal(int signal)
-{
-    if (watchedSignals.contains(signal)) {
-        qDebug() << "Already watching for signal" << signal;
-        return;
-    }
-
-    // Register a sigaction which will write to the socket pair
-    struct sigaction sigact;
-    sigact.sa_handler = UnixSignalWatcherPrivate::signalHandler;
-    sigact.sa_flags = 0;
-    ::sigemptyset(&sigact.sa_mask);
-    sigact.sa_flags |= SA_RESTART;
-    if (::sigaction(signal, &sigact, NULL)) {
-        qDebug() << "UnixSignalWatcher: sigaction: " << ::strerror(errno);
-        return;
-    }
-
-    watchedSignals.append(signal);
-}
-
-/*!
- * Called when a Unix \a signal is received. Write to the socket to wake up the
- * QSocketNotifier.
- */
-void UnixSignalWatcherPrivate::signalHandler(int signal)
-{
-    ssize_t nBytes = ::write(sockpair[0], &signal, sizeof(signal));
-    Q_UNUSED(nBytes);
-}
-
-/*!
- * Called when the signal handler has written to the socket pair. Emits the Unix
- * signal as a Qt signal.
- */
-void UnixSignalWatcherPrivate::_q_onNotify(int sockfd)
-{
-    Q_Q(UnixSignalWatcher);
-
-    int signal;
-    ssize_t nBytes = ::read(sockfd, &signal, sizeof(signal));
-    Q_UNUSED(nBytes);
-    qDebug() << "Caught signal:" << ::strsignal(signal);
-    emit q->unixSignal(signal);
-}
-
-
-/*!
- * Create a new UnixSignalWatcher as a child of the given \a parent.
- */
-UnixSignalWatcher::UnixSignalWatcher(QObject *parent) :
-    QObject(parent),
-    d_ptr(new UnixSignalWatcherPrivate(this))
-{
-}
-
-/*!
- * Destroy this UnixSignalWatcher.
- */
-UnixSignalWatcher::~UnixSignalWatcher()
-{
-    delete d_ptr;
-}
-
-/*!
- * Register a signal handler for the given \a signal.
- *
- * After calling this method you can \c connect() to the unixSignal() Qt signal
- * to be notified when the Unix signal is received.
- */
-void UnixSignalWatcher::watchForSignal(int signal)
-{
-    Q_D(UnixSignalWatcher);
-    d->watchForSignal(signal);
-}
-
-/*!
- * \fn void UnixSignalWatcher::unixSignal(int signal)
- * Emitted when the given Unix \a signal is received.
- *
- * watchForSignal() must be called for each Unix signal that you want to receive
- * via the unixSignal() Qt signal. If a watcher is watching multiple signals,
- * unixSignal() will be emitted whenever *any* of the watched Unix signals are
- * received, and the \a signal argument can be inspected to find out which one
- * was actually received.
- */
-
-#include "moc_sigwatch.cpp"

GPService/sigwatch.h

@@ -1,59 +0,0 @@
-/*
- * Unix signal watcher for Qt.
- *
- * Copyright (C) 2014 Simon Knopp
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in
- * all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#ifndef SIGWATCH_H
-#define SIGWATCH_H
-
-#include <QObject>
-#include <signal.h>
-
-class UnixSignalWatcherPrivate;
-
-
-/*!
- * \brief The UnixSignalWatcher class converts Unix signals to Qt signals.
- *
- * To watch for a given signal, e.g. \c SIGINT, call \c watchForSignal(SIGINT)
- * and \c connect() your handler to unixSignal().
- */
-
-class UnixSignalWatcher : public QObject
-{
-    Q_OBJECT
-public:
-    explicit UnixSignalWatcher(QObject *parent = 0);
-    ~UnixSignalWatcher();
-
-    void watchForSignal(int signal);
-
-signals:
-    void unixSignal(int signal);
-
-private:
-    UnixSignalWatcherPrivate * const d_ptr;
-    Q_DECLARE_PRIVATE(UnixSignalWatcher)
-    Q_PRIVATE_SLOT(d_func(), void _q_onNotify(int))
-};
-
-#endif // SIGWATCH_H

GPService/systemd/gpservice.service

@@ -1,10 +0,0 @@
-[Unit]
-Description=GlobalProtect openconnect DBus service
-
-[Service]
-Type=dbus
-BusName=com.yuezk.qt.GPService
-ExecStart=/usr/local/bin/gpservice
-
-[Install]
-WantedBy=multi-user.target

GlobalProtect-openconnect.pro

@@ -1,5 +0,0 @@
-TEMPLATE = subdirs
-
-SUBDIRS += \
-    GPClient \
-    GPService

README.md

@@ -1,33 +1,137 @@
 # GlobalProtect-openconnect
-A GlobalProtect VPN client (GUI) for Linux based on Openconnect and built with Qt5, supports SAML auth mode, inspired by [gp-saml-gui](https://github.com/dlenski/gp-saml-gui).
+
+A GUI for GlobalProtect VPN, based on OpenConnect, supports the SSO authentication method. Inspired by [gp-saml-gui](https://github.com/dlenski/gp-saml-gui).
 
 <p align="center">
-  <img src="screenshot.png">
+  <img width="300" src="https://github.com/yuezk/GlobalProtect-openconnect/assets/3297602/9242df9c-217d-42ab-8c21-8f9f69cd4eb5">
 </p>
 
-## Prerequisites
+## Features
 
-- Openconnect v8.x
-- Qt5, qt5-webengine, qt5-websockets
+- [x] Better Linux support
+- [x] Support both CLI and GUI
+- [x] Support both SSO and non-SSO authentication
+- [x] Support the FIDO2 authentication (e.g., YubiKey)
+- [x] Support authentication using default browser
+- [x] Support multiple portals
+- [x] Support gateway selection
+- [x] Support connect gateway directly
+- [x] Support auto-connect on startup
+- [x] Support system tray icon
 
-### Ubuntu
-1. Install openconnect v8.x
-    Update openconnect to 8.x, for ubuntu 18.04 you might need to [build the latest openconnect from source code](https://gist.github.com/yuezk/ab9a4b87a9fa0182bdb2df41fab5f613).
-2. Install the Qt dependencies
-    ```sh
-    sudo apt install qt5-default libqt5websockets5-dev qtwebengine5-dev
-    ```
-## Install
+## Usage
+
+### CLI
+
+The CLI version is always free and open source in this repo. It has almost the same features as the GUI version.
 
-```sh
-git clone https://github.com/yuezk/GlobalProtect-openconnect.git
-cd GlobalProtect-openconnect
-git submodule init && git submodule update
-qmake CONFIG+=release
-make
-sudo make install
 ```
-Open `GlobalProtect VPN` in the application dashboard.
+Usage: gpclient [OPTIONS] <COMMAND>
+
+Commands:
+  connect     Connect to a portal server
+  disconnect  Disconnect from the server
+  launch-gui  Launch the GUI
+  help        Print this message or the help of the given subcommand(s)
+
+Options:
+      --fix-openssl        Get around the OpenSSL `unsafe legacy renegotiation` error
+      --ignore-tls-errors  Ignore the TLS errors
+  -h, --help               Print help
+  -V, --version            Print version
+
+See 'gpclient help <command>' for more information on a specific command.
+```
+
+### GUI
+
+The GUI version is also available after you installed it. You can launch it from the application menu or run `gpclient launch-gui` in the terminal.
+
+> [!Note]
+>
+> The GUI version is partially open source. Its background service is open sourced in this repo as [gpservice](./apps/gpservice/). The GUI part is a wrapper of the background service, which is not open sourced.
+
+## Installation
+
+> [!Note]
+>
+> This instruction is for the 2.x version. The 1.x version is still available on the [1.x](https://github.com/yuezk/GlobalProtect-openconnect/tree/1.x) branch, you can build it from the source code by following the instructions in the `README.md` file.
+
+> [!Warning]
+>
+> The client requires `openconnect >= 8.20`, please make sure you have it installed, you can check it with `openconnect --version`.
+> Installing the client from PPA will automatically install the required version of `openconnect`.
+
+### Debian/Ubuntu based distributions
+
+#### Install from PPA
+
+```
+sudo add-apt-repository ppa:yuezk/globalprotect-openconnect
+sudo apt-get update
+sudo apt-get install globalprotect-openconnect
+```
+
+> [!Note]
+>
+> For Linux Mint, you might need to import the GPG key with: `sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7937C393082992E5D6E4A60453FC26B43838D761` if you encountered an error `gpg: keyserver receive failed: General error`.
+
+#### Install from deb package
+
+Download the latest deb package from [releases](https://github.com/yuezk/GlobalProtect-openconnect/releases) page. Then install it with `dpkg`:
+
+```bash
+sudo dpkg -i globalprotect-openconnect_*.deb
+```
+
+### Arch Linux / Manjaro
+
+#### Install from AUR
+
+Install from AUR: [globalprotect-openconnect-git](https://aur.archlinux.org/packages/globalprotect-openconnect-git/)
+
+```
+yay -S globalprotect-openconnect-git
+```
+
+#### Install from package
+
+Download the latest package from [releases](https://github.com/yuezk/GlobalProtect-openconnect/releases) page. Then install it with `pacman`:
+
+```bash
+sudo pacman -U globalprotect-openconnect-*.pkg.tar.zst
+```
+
+### Fedora/OpenSUSE/CentOS/RHEL
+
+#### Install from COPR
+
+The package is available on [COPR](https://copr.fedorainfracloud.org/coprs/yuezk/globalprotect-openconnect/) for various RPM-based distributions. You can install it with the following commands:
+
+```
+sudo dnf copr enable yuezk/globalprotect-openconnect
+sudo dnf install globalprotect-openconnect
+```
+
+#### Install from OBS
+
+The package is also available on [OBS](https://build.opensuse.org/package/show/home:yuezk/globalprotect-openconnect) for various RPM-based distributions. You can follow the instructions [on this page](https://software.opensuse.org//download.html?project=home%3Ayuezk&package=globalprotect-openconnect) to install it.
+
+#### Install from RPM package
+
+Download the latest RPM package from [releases](https://github.com/yuezk/GlobalProtect-openconnect/releases) page.
+
+### Other distributions
+
+The project depends on `openconnect >= 8.20`, `webkit2gtk`, `libsecret`, `libayatana-appindicator` or `libappindicator-gtk3`. You can install them first and then download the latest binary release (i.e., `*.bin.tar.gz`) from [releases](https://github.com/yuezk/GlobalProtect-openconnect/releases) page.
+
+## About Trial
+
+The CLI version is always free, while the GUI version is paid. There two trial modes for the GUI version:
+
+1. 10-day trial: You can use the GUI stable release for 10 days after the installation.
+2. 14-day trial: Each beta release has a fresh trial period (at most 14 days) after released.
 
 ## [License](./LICENSE)
+
 GPLv3

apps/gpauth/Cargo.toml

@@ -0,0 +1,23 @@
+[package]
+name = "gpauth"
+version.workspace = true
+edition.workspace = true
+license.workspace = true
+
+[build-dependencies]
+tauri-build = { version = "1.5", features = [] }
+
+[dependencies]
+gpapi = { path = "../../crates/gpapi", features = ["tauri", "clap"] }
+anyhow.workspace = true
+clap.workspace = true
+env_logger.workspace = true
+log.workspace = true
+regex.workspace = true
+serde_json.workspace = true
+tokio.workspace = true
+tokio-util.workspace = true
+tempfile.workspace = true
+webkit2gtk = "0.18.2"
+tauri = { workspace = true, features = ["http-all"] }
+compile-time.workspace = true

apps/gpauth/build.rs

@@ -0,0 +1,3 @@
+fn main() {
+  tauri_build::build()
+}

apps/gpauth/index.html

@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>GlobalProtect Login</title>
+</head>
+<body>
+  <p>Redirecting to GlobalProtect Login...</p>
+</body>
+</html>

apps/gpauth/src/auth_window.rs

@@ -0,0 +1,479 @@
+use std::{
+  rc::Rc,
+  sync::Arc,
+  time::{Duration, Instant},
+};
+
+use anyhow::bail;
+use gpapi::{
+  auth::SamlAuthData,
+  gp_params::GpParams,
+  portal::{prelogin, Prelogin},
+  utils::{redact::redact_uri, window::WindowExt},
+};
+use log::{info, warn};
+use regex::Regex;
+use tauri::{AppHandle, Window, WindowEvent, WindowUrl};
+use tokio::sync::{mpsc, oneshot, RwLock};
+use tokio_util::sync::CancellationToken;
+use webkit2gtk::{
+  gio::Cancellable,
+  glib::{GString, TimeSpan},
+  LoadEvent, SettingsExt, TLSErrorsPolicy, URIResponse, URIResponseExt, WebContextExt, WebResource, WebResourceExt,
+  WebView, WebViewExt, WebsiteDataManagerExtManual, WebsiteDataTypes,
+};
+
+enum AuthDataError {
+  /// Failed to load page due to TLS error
+  TlsError,
+  /// 1. Found auth data in headers/body but it's invalid
+  /// 2. Loaded an empty page, failed to load page. etc.
+  Invalid,
+  /// No auth data found in headers/body
+  NotFound,
+}
+
+type AuthResult = Result<SamlAuthData, AuthDataError>;
+
+pub(crate) struct AuthWindow<'a> {
+  app_handle: AppHandle,
+  server: &'a str,
+  saml_request: &'a str,
+  user_agent: &'a str,
+  gp_params: Option<GpParams>,
+  clean: bool,
+}
+
+impl<'a> AuthWindow<'a> {
+  pub fn new(app_handle: AppHandle) -> Self {
+    Self {
+      app_handle,
+      server: "",
+      saml_request: "",
+      user_agent: "",
+      gp_params: None,
+      clean: false,
+    }
+  }
+
+  pub fn server(mut self, server: &'a str) -> Self {
+    self.server = server;
+    self
+  }
+
+  pub fn saml_request(mut self, saml_request: &'a str) -> Self {
+    self.saml_request = saml_request;
+    self
+  }
+
+  pub fn user_agent(mut self, user_agent: &'a str) -> Self {
+    self.user_agent = user_agent;
+    self
+  }
+
+  pub fn gp_params(mut self, gp_params: GpParams) -> Self {
+    self.gp_params.replace(gp_params);
+    self
+  }
+
+  pub fn clean(mut self, clean: bool) -> Self {
+    self.clean = clean;
+    self
+  }
+
+  pub async fn open(&self) -> anyhow::Result<SamlAuthData> {
+    info!("Open auth window, user_agent: {}", self.user_agent);
+
+    let window = Window::builder(&self.app_handle, "auth_window", WindowUrl::default())
+      .title("GlobalProtect Login")
+      // .user_agent(self.user_agent)
+      .focused(true)
+      .visible(false)
+      .center()
+      .build()?;
+
+    let window = Arc::new(window);
+
+    let cancel_token = CancellationToken::new();
+    let cancel_token_clone = cancel_token.clone();
+
+    window.on_window_event(move |event| {
+      if let WindowEvent::CloseRequested { .. } = event {
+        cancel_token_clone.cancel();
+      }
+    });
+
+    let window_clone = Arc::clone(&window);
+    let timeout_secs = 15;
+    tokio::spawn(async move {
+      tokio::time::sleep(Duration::from_secs(timeout_secs)).await;
+      let visible = window_clone.is_visible().unwrap_or(false);
+      if !visible {
+        info!("Try to raise auth window after {} seconds", timeout_secs);
+        raise_window(&window_clone);
+      }
+    });
+
+    tokio::select! {
+      _ = cancel_token.cancelled() => {
+        bail!("Auth cancelled");
+      }
+      saml_result = self.auth_loop(&window) => {
+        window.close()?;
+        saml_result
+      }
+    }
+  }
+
+  async fn auth_loop(&self, window: &Arc<Window>) -> anyhow::Result<SamlAuthData> {
+    let saml_request = self.saml_request.to_string();
+    let (auth_result_tx, mut auth_result_rx) = mpsc::unbounded_channel::<AuthResult>();
+    let raise_window_cancel_token: Arc<RwLock<Option<CancellationToken>>> = Default::default();
+    let gp_params = self.gp_params.as_ref().unwrap();
+    let tls_err_policy = if gp_params.ignore_tls_errors() {
+      TLSErrorsPolicy::Ignore
+    } else {
+      TLSErrorsPolicy::Fail
+    };
+
+    if self.clean {
+      clear_webview_cookies(window).await?;
+    }
+
+    let raise_window_cancel_token_clone = Arc::clone(&raise_window_cancel_token);
+    window.with_webview(move |wv| {
+      let wv = wv.inner();
+
+      if let Some(context) = wv.context() {
+        context.set_tls_errors_policy(tls_err_policy);
+      }
+
+      if let Some(settings) = wv.settings() {
+        let ua = settings.user_agent().unwrap_or("".into());
+        info!("Auth window user agent: {}", ua);
+      }
+
+      // Load the initial SAML request
+      load_saml_request(&wv, &saml_request);
+
+      let auth_result_tx_clone = auth_result_tx.clone();
+      wv.connect_load_changed(move |wv, event| {
+        if event == LoadEvent::Started {
+          let Ok(mut cancel_token) = raise_window_cancel_token_clone.try_write() else {
+            return;
+          };
+
+          // Cancel the raise window task
+          if let Some(cancel_token) = cancel_token.take() {
+            cancel_token.cancel();
+          }
+          return;
+        }
+
+        if event != LoadEvent::Finished {
+          return;
+        }
+
+        if let Some(main_resource) = wv.main_resource() {
+          let uri = main_resource.uri().unwrap_or("".into());
+
+          if uri.is_empty() {
+            warn!("Loaded an empty uri");
+            send_auth_result(&auth_result_tx_clone, Err(AuthDataError::Invalid));
+            return;
+          }
+
+          info!("Loaded uri: {}", redact_uri(&uri));
+          read_auth_data(&main_resource, auth_result_tx_clone.clone());
+        }
+      });
+
+      let auth_result_tx_clone = auth_result_tx.clone();
+      wv.connect_load_failed_with_tls_errors(move |_wv, uri, cert, err| {
+        let redacted_uri = redact_uri(uri);
+        warn!(
+          "Failed to load uri: {} with error: {}, cert: {}",
+          redacted_uri, err, cert
+        );
+
+        send_auth_result(&auth_result_tx_clone, Err(AuthDataError::TlsError));
+        true
+      });
+
+      wv.connect_load_failed(move |_wv, _event, uri, err| {
+        let redacted_uri = redact_uri(uri);
+        warn!("Failed to load uri: {} with error: {}", redacted_uri, err);
+        // NOTE: Don't send error here, since load_changed event will be triggered after this
+        // send_auth_result(&auth_result_tx, Err(AuthDataError::Invalid));
+        // true to stop other handlers from being invoked for the event. false to propagate the event further.
+        true
+      });
+    })?;
+
+    let portal = self.server.to_string();
+
+    loop {
+      if let Some(auth_result) = auth_result_rx.recv().await {
+        match auth_result {
+          Ok(auth_data) => return Ok(auth_data),
+          Err(AuthDataError::TlsError) => bail!("TLS error: certificate verify failed"),
+          Err(AuthDataError::NotFound) => {
+            info!("No auth data found, it may not be the /SAML20/SP/ACS endpoint");
+
+            // The user may need to interact with the auth window, raise it in 3 seconds
+            if !window.is_visible().unwrap_or(false) {
+              let window = Arc::clone(window);
+              let cancel_token = CancellationToken::new();
+
+              raise_window_cancel_token.write().await.replace(cancel_token.clone());
+
+              tokio::spawn(async move {
+                let delay_secs = 1;
+
+                info!("Raise window in {} second(s)", delay_secs);
+                tokio::select! {
+                  _ = tokio::time::sleep(Duration::from_secs(delay_secs)) => {
+                    raise_window(&window);
+                  }
+                  _ = cancel_token.cancelled() => {
+                    info!("Raise window cancelled");
+                  }
+                }
+              });
+            }
+          }
+          Err(AuthDataError::Invalid) => {
+            info!("Got invalid auth data, retrying...");
+
+            window.with_webview(|wv| {
+              let wv = wv.inner();
+              wv.run_javascript(r#"
+                  var loading = document.createElement("div");
+                  loading.innerHTML = '<div style="position: absolute; width: 100%; text-align: center; font-size: 20px; font-weight: bold; top: 50%; left: 50%; transform: translate(-50%, -50%);">Got invalid token, retrying...</div>';
+                  loading.style = "position: fixed; top: 0; left: 0; width: 100%; height: 100%; background: rgba(255, 255, 255, 0.85); z-index: 99999;";
+                  document.body.appendChild(loading);
+              "#,
+                  Cancellable::NONE,
+                  |_| info!("Injected loading element successfully"),
+              );
+            })?;
+
+            let saml_request = portal_prelogin(&portal, gp_params).await?;
+            window.with_webview(move |wv| {
+              let wv = wv.inner();
+              load_saml_request(&wv, &saml_request);
+            })?;
+          }
+        }
+      }
+    }
+  }
+}
+
+fn raise_window(window: &Arc<Window>) {
+  let visible = window.is_visible().unwrap_or(false);
+  if !visible {
+    if let Err(err) = window.raise() {
+      warn!("Failed to raise window: {}", err);
+    }
+  }
+}
+
+pub async fn portal_prelogin(portal: &str, gp_params: &GpParams) -> anyhow::Result<String> {
+  match prelogin(portal, gp_params).await? {
+    Prelogin::Saml(prelogin) => Ok(prelogin.saml_request().to_string()),
+    Prelogin::Standard(_) => bail!("Received non-SAML prelogin response"),
+  }
+}
+
+fn send_auth_result(auth_result_tx: &mpsc::UnboundedSender<AuthResult>, auth_result: AuthResult) {
+  if let Err(err) = auth_result_tx.send(auth_result) {
+    warn!("Failed to send auth event: {}", err);
+  }
+}
+
+fn load_saml_request(wv: &Rc<WebView>, saml_request: &str) {
+  if saml_request.starts_with("http") {
+    info!("Load the SAML request as URI...");
+    wv.load_uri(saml_request);
+  } else {
+    info!("Load the SAML request as HTML...");
+    wv.load_html(saml_request, None);
+  }
+}
+
+fn read_auth_data_from_headers(response: &URIResponse) -> AuthResult {
+  response.http_headers().map_or_else(
+    || {
+      info!("No headers found in response");
+      Err(AuthDataError::NotFound)
+    },
+    |mut headers| match headers.get("saml-auth-status") {
+      Some(status) if status == "1" => {
+        let username = headers.get("saml-username").map(GString::into);
+        let prelogin_cookie = headers.get("prelogin-cookie").map(GString::into);
+        let portal_userauthcookie = headers.get("portal-userauthcookie").map(GString::into);
+
+        if SamlAuthData::check(&username, &prelogin_cookie, &portal_userauthcookie) {
+          return Ok(SamlAuthData::new(
+            username.unwrap(),
+            prelogin_cookie,
+            portal_userauthcookie,
+          ));
+        }
+
+        info!("Found invalid auth data in headers");
+        Err(AuthDataError::Invalid)
+      }
+      Some(status) => {
+        info!("Found invalid SAML status: {} in headers", status);
+        Err(AuthDataError::Invalid)
+      }
+      None => {
+        info!("No saml-auth-status header found");
+        Err(AuthDataError::NotFound)
+      }
+    },
+  )
+}
+
+fn read_auth_data_from_body<F>(main_resource: &WebResource, callback: F)
+where
+  F: FnOnce(AuthResult) + Send + 'static,
+{
+  main_resource.data(Cancellable::NONE, |data| match data {
+    Ok(data) => {
+      let html = String::from_utf8_lossy(&data);
+      callback(read_auth_data_from_html(&html));
+    }
+    Err(err) => {
+      info!("Failed to read response body: {}", err);
+      callback(Err(AuthDataError::Invalid))
+    }
+  });
+}
+
+fn read_auth_data_from_html(html: &str) -> AuthResult {
+  if html.contains("Temporarily Unavailable") {
+    info!("Found 'Temporarily Unavailable' in HTML, auth failed");
+    return Err(AuthDataError::Invalid);
+  }
+
+  match parse_xml_tag(html, "saml-auth-status") {
+    Some(saml_status) if saml_status == "1" => {
+      let username = parse_xml_tag(html, "saml-username");
+      let prelogin_cookie = parse_xml_tag(html, "prelogin-cookie");
+      let portal_userauthcookie = parse_xml_tag(html, "portal-userauthcookie");
+
+      if SamlAuthData::check(&username, &prelogin_cookie, &portal_userauthcookie) {
+        return Ok(SamlAuthData::new(
+          username.unwrap(),
+          prelogin_cookie,
+          portal_userauthcookie,
+        ));
+      }
+
+      info!("Found invalid auth data in HTML");
+      Err(AuthDataError::Invalid)
+    }
+    Some(status) => {
+      info!("Found invalid SAML status {} in HTML", status);
+      Err(AuthDataError::Invalid)
+    }
+    None => {
+      info!("No auth data found in HTML");
+      Err(AuthDataError::NotFound)
+    }
+  }
+}
+
+fn read_auth_data(main_resource: &WebResource, auth_result_tx: mpsc::UnboundedSender<AuthResult>) {
+  if main_resource.response().is_none() {
+    info!("No response found in main resource");
+    send_auth_result(&auth_result_tx, Err(AuthDataError::Invalid));
+    return;
+  }
+
+  let response = main_resource.response().unwrap();
+  info!("Trying to read auth data from response headers...");
+
+  match read_auth_data_from_headers(&response) {
+    Ok(auth_data) => {
+      info!("Got auth data from headers");
+      send_auth_result(&auth_result_tx, Ok(auth_data));
+    }
+    Err(AuthDataError::Invalid) => {
+      info!("Found invalid auth data in headers, trying to read from body...");
+      read_auth_data_from_body(main_resource, move |auth_result| {
+        // Since we have already found invalid auth data in headers, which means this could be the `/SAML20/SP/ACS` endpoint
+        // any error result from body should be considered as invalid, and trigger a retry
+        let auth_result = auth_result.map_err(|_| AuthDataError::Invalid);
+        send_auth_result(&auth_result_tx, auth_result);
+      });
+    }
+    Err(AuthDataError::NotFound) => {
+      info!("No auth data found in headers, trying to read from body...");
+      read_auth_data_from_body(main_resource, move |auth_result| {
+        send_auth_result(&auth_result_tx, auth_result)
+      });
+    }
+    Err(AuthDataError::TlsError) => {
+      // NOTE: This is unreachable
+      info!("TLS error found in headers, trying to read from body...");
+      send_auth_result(&auth_result_tx, Err(AuthDataError::TlsError));
+    }
+  }
+}
+
+fn parse_xml_tag(html: &str, tag: &str) -> Option<String> {
+  let re = Regex::new(&format!("<{}>(.*)</{}>", tag, tag)).unwrap();
+  re.captures(html)
+    .and_then(|captures| captures.get(1))
+    .map(|m| m.as_str().to_string())
+}
+
+pub(crate) async fn clear_webview_cookies(window: &Window) -> anyhow::Result<()> {
+  let (tx, rx) = oneshot::channel::<Result<(), String>>();
+
+  window.with_webview(|wv| {
+    let send_result = move |result: Result<(), String>| {
+      if let Err(err) = tx.send(result) {
+        info!("Failed to send result: {:?}", err);
+      }
+    };
+
+    let wv = wv.inner();
+    let context = match wv.context() {
+      Some(context) => context,
+      None => {
+        send_result(Err("No webview context found".into()));
+        return;
+      }
+    };
+    let data_manager = match context.website_data_manager() {
+      Some(manager) => manager,
+      None => {
+        send_result(Err("No data manager found".into()));
+        return;
+      }
+    };
+
+    let now = Instant::now();
+    data_manager.clear(
+      WebsiteDataTypes::COOKIES,
+      TimeSpan(0),
+      Cancellable::NONE,
+      move |result| match result {
+        Err(err) => {
+          send_result(Err(err.to_string()));
+        }
+        Ok(_) => {
+          info!("Cookies cleared in {} ms", now.elapsed().as_millis());
+          send_result(Ok(()));
+        }
+      },
+    );
+  })?;
+
+  rx.await?.map_err(|err| anyhow::anyhow!(err))
+}

apps/gpauth/src/cli.rs

@@ -0,0 +1,162 @@
+use clap::Parser;
+use gpapi::{
+  auth::{SamlAuthData, SamlAuthResult},
+  clap::args::Os,
+  gp_params::{ClientOs, GpParams},
+  utils::{normalize_server, openssl},
+  GP_USER_AGENT,
+};
+use log::{info, LevelFilter};
+use serde_json::json;
+use tauri::{App, AppHandle, RunEvent};
+use tempfile::NamedTempFile;
+
+use crate::auth_window::{portal_prelogin, AuthWindow};
+
+const VERSION: &str = concat!(env!("CARGO_PKG_VERSION"), " (", compile_time::date_str!(), ")");
+
+#[derive(Parser, Clone)]
+#[command(version = VERSION)]
+struct Cli {
+  server: String,
+  #[arg(long)]
+  gateway: bool,
+  #[arg(long)]
+  saml_request: Option<String>,
+  #[arg(long, default_value = GP_USER_AGENT)]
+  user_agent: String,
+  #[arg(long, default_value = "Linux")]
+  os: Os,
+  #[arg(long)]
+  os_version: Option<String>,
+  #[arg(long)]
+  hidpi: bool,
+  #[arg(long)]
+  fix_openssl: bool,
+  #[arg(long)]
+  ignore_tls_errors: bool,
+  #[arg(long)]
+  clean: bool,
+}
+
+impl Cli {
+  async fn run(&mut self) -> anyhow::Result<()> {
+    if self.ignore_tls_errors {
+      info!("TLS errors will be ignored");
+    }
+
+    let mut openssl_conf = self.prepare_env()?;
+
+    self.server = normalize_server(&self.server)?;
+    let gp_params = self.build_gp_params();
+
+    // Get the initial SAML request
+    let saml_request = match self.saml_request {
+      Some(ref saml_request) => saml_request.clone(),
+      None => portal_prelogin(&self.server, &gp_params).await?,
+    };
+
+    self.saml_request.replace(saml_request);
+
+    let app = create_app(self.clone())?;
+
+    app.run(move |_app_handle, event| {
+      if let RunEvent::Exit = event {
+        if let Some(file) = openssl_conf.take() {
+          if let Err(err) = file.close() {
+            info!("Error closing OpenSSL config file: {}", err);
+          }
+        }
+      }
+    });
+
+    Ok(())
+  }
+
+  fn prepare_env(&self) -> anyhow::Result<Option<NamedTempFile>> {
+    std::env::set_var("WEBKIT_DISABLE_COMPOSITING_MODE", "1");
+
+    if self.hidpi {
+      info!("Setting GDK_SCALE=2 and GDK_DPI_SCALE=0.5");
+
+      std::env::set_var("GDK_SCALE", "2");
+      std::env::set_var("GDK_DPI_SCALE", "0.5");
+    }
+
+    if self.fix_openssl {
+      info!("Fixing OpenSSL environment");
+      let file = openssl::fix_openssl_env()?;
+
+      return Ok(Some(file));
+    }
+
+    Ok(None)
+  }
+
+  fn build_gp_params(&self) -> GpParams {
+    let gp_params = GpParams::builder()
+      .user_agent(&self.user_agent)
+      .client_os(ClientOs::from(&self.os))
+      .os_version(self.os_version.clone())
+      .ignore_tls_errors(self.ignore_tls_errors)
+      .is_gateway(self.gateway)
+      .build();
+
+    gp_params
+  }
+
+  async fn saml_auth(&self, app_handle: AppHandle) -> anyhow::Result<SamlAuthData> {
+    let auth_window = AuthWindow::new(app_handle)
+      .server(&self.server)
+      .user_agent(&self.user_agent)
+      .gp_params(self.build_gp_params())
+      .saml_request(self.saml_request.as_ref().unwrap())
+      .clean(self.clean);
+
+    auth_window.open().await
+  }
+}
+
+fn create_app(cli: Cli) -> anyhow::Result<App> {
+  let app = tauri::Builder::default()
+    .setup(|app| {
+      let app_handle = app.handle();
+
+      tauri::async_runtime::spawn(async move {
+        let auth_result = match cli.saml_auth(app_handle.clone()).await {
+          Ok(auth_data) => SamlAuthResult::Success(auth_data),
+          Err(err) => SamlAuthResult::Failure(format!("{}", err)),
+        };
+
+        println!("{}", json!(auth_result));
+      });
+      Ok(())
+    })
+    .build(tauri::generate_context!())?;
+
+  Ok(app)
+}
+
+fn init_logger() {
+  env_logger::builder().filter_level(LevelFilter::Info).init();
+}
+
+pub async fn run() {
+  let mut cli = Cli::parse();
+
+  init_logger();
+  info!("gpauth started: {}", VERSION);
+
+  if let Err(err) = cli.run().await {
+    eprintln!("\nError: {}", err);
+
+    if err.to_string().contains("unsafe legacy renegotiation") && !cli.fix_openssl {
+      eprintln!("\nRe-run it with the `--fix-openssl` option to work around this issue, e.g.:\n");
+      // Print the command
+      let args = std::env::args().collect::<Vec<_>>();
+      eprintln!("{} --fix-openssl {}\n", args[0], args[1..].join(" "));
+    }
+
+    std::process::exit(1);
+  }
+}

apps/gpauth/src/main.rs

@@ -0,0 +1,9 @@
+#![cfg_attr(not(debug_assertions), windows_subsystem = "windows")]
+
+mod auth_window;
+mod cli;
+
+#[tokio::main]
+async fn main() {
+  cli::run().await;
+}

apps/gpauth/tauri.conf.json

@@ -0,0 +1,47 @@
+{
+  "$schema": "https://cdn.jsdelivr.net/gh/tauri-apps/tauri@tauri-v1.5.0/tooling/cli/schema.json",
+  "build": {
+    "distDir": [
+      "index.html"
+    ],
+    "devPath": [
+      "index.html"
+    ],
+    "beforeDevCommand": "",
+    "beforeBuildCommand": "",
+    "withGlobalTauri": false
+  },
+  "package": {
+    "productName": "gpauth",
+    "version": "0.0.0"
+  },
+  "tauri": {
+    "allowlist": {
+      "all": false,
+      "http": {
+        "all": true,
+        "request": true,
+        "scope": [
+          "http://**",
+          "https://**"
+        ]
+      }
+    },
+    "bundle": {
+      "active": true,
+      "targets": "deb",
+      "identifier": "com.yuezk.gpauth",
+      "icon": [
+        "icons/32x32.png",
+        "icons/128x128.png",
+        "icons/128x128@2x.png",
+        "icons/icon.icns",
+        "icons/icon.ico"
+      ]
+    },
+    "security": {
+      "csp": null
+    },
+    "windows": []
+  }
+}

apps/gpclient/Cargo.toml

@@ -0,0 +1,23 @@
+[package]
+name = "gpclient"
+authors.workspace = true
+version.workspace = true
+edition.workspace = true
+license.workspace = true
+
+[dependencies]
+gpapi = { path = "../../crates/gpapi", features = ["clap"] }
+openconnect = { path = "../../crates/openconnect" }
+anyhow.workspace = true
+clap.workspace = true
+env_logger.workspace = true
+inquire = "0.6.2"
+log.workspace = true
+tokio.workspace = true
+sysinfo.workspace = true
+serde_json.workspace = true
+whoami.workspace = true
+tempfile.workspace = true
+reqwest.workspace = true
+directories = "5.0"
+compile-time.workspace = true

apps/gpclient/src/cli.rs

@@ -0,0 +1,119 @@
+use clap::{Parser, Subcommand};
+use gpapi::utils::openssl;
+use log::{info, LevelFilter};
+use tempfile::NamedTempFile;
+
+use crate::{
+  connect::{ConnectArgs, ConnectHandler},
+  disconnect::DisconnectHandler,
+  launch_gui::{LaunchGuiArgs, LaunchGuiHandler},
+};
+
+const VERSION: &str = concat!(env!("CARGO_PKG_VERSION"), " (", compile_time::date_str!(), ")");
+
+pub(crate) struct SharedArgs {
+  pub(crate) fix_openssl: bool,
+  pub(crate) ignore_tls_errors: bool,
+}
+
+#[derive(Subcommand)]
+enum CliCommand {
+  #[command(about = "Connect to a portal server")]
+  Connect(ConnectArgs),
+  #[command(about = "Disconnect from the server")]
+  Disconnect,
+  #[command(about = "Launch the GUI")]
+  LaunchGui(LaunchGuiArgs),
+}
+
+#[derive(Parser)]
+#[command(
+  version = VERSION,
+  author,
+  about = "The GlobalProtect VPN client, based on OpenConnect, supports the SSO authentication method.",
+  help_template = "\
+{before-help}{name} {version}
+{author}
+
+{about}
+
+{usage-heading} {usage}
+
+{all-args}{after-help}
+
+See 'gpclient help <command>' for more information on a specific command.
+"
+)]
+struct Cli {
+  #[command(subcommand)]
+  command: CliCommand,
+
+  #[arg(long, help = "Get around the OpenSSL `unsafe legacy renegotiation` error")]
+  fix_openssl: bool,
+  #[arg(long, help = "Ignore the TLS errors")]
+  ignore_tls_errors: bool,
+}
+
+impl Cli {
+  fn fix_openssl(&self) -> anyhow::Result<Option<NamedTempFile>> {
+    if self.fix_openssl {
+      let file = openssl::fix_openssl_env()?;
+      return Ok(Some(file));
+    }
+
+    Ok(None)
+  }
+
+  async fn run(&self) -> anyhow::Result<()> {
+    // The temp file will be dropped automatically when the file handle is dropped
+    // So, declare it here to ensure it's not dropped
+    let _file = self.fix_openssl()?;
+    let shared_args = SharedArgs {
+      fix_openssl: self.fix_openssl,
+      ignore_tls_errors: self.ignore_tls_errors,
+    };
+
+    if self.ignore_tls_errors {
+      info!("TLS errors will be ignored");
+    }
+
+    match &self.command {
+      CliCommand::Connect(args) => ConnectHandler::new(args, &shared_args).handle().await,
+      CliCommand::Disconnect => DisconnectHandler::new().handle(),
+      CliCommand::LaunchGui(args) => LaunchGuiHandler::new(args).handle().await,
+    }
+  }
+}
+
+fn init_logger() {
+  env_logger::builder().filter_level(LevelFilter::Info).init();
+}
+
+pub(crate) async fn run() {
+  let cli = Cli::parse();
+
+  init_logger();
+  info!("gpclient started: {}", VERSION);
+
+  if let Err(err) = cli.run().await {
+    eprintln!("\nError: {}", err);
+
+    let err = err.to_string();
+
+    if err.contains("unsafe legacy renegotiation") && !cli.fix_openssl {
+      eprintln!("\nRe-run it with the `--fix-openssl` option to work around this issue, e.g.:\n");
+      // Print the command
+      let args = std::env::args().collect::<Vec<_>>();
+      eprintln!("{} --fix-openssl {}\n", args[0], args[1..].join(" "));
+    }
+
+    if err.contains("certificate verify failed") && !cli.ignore_tls_errors {
+      eprintln!("\nRe-run it with the `--ignore-tls-errors` option to ignore the certificate error, e.g.:\n");
+      // Print the command
+      let args = std::env::args().collect::<Vec<_>>();
+      eprintln!("{} --ignore-tls-errors {}\n", args[0], args[1..].join(" "));
+    }
+
+    std::process::exit(1);
+  }
+}

apps/gpclient/src/connect.rs

@@ -0,0 +1,213 @@
+use std::{fs, sync::Arc};
+
+use clap::Args;
+use gpapi::{
+  clap::args::Os,
+  credential::{Credential, PasswordCredential},
+  gateway::gateway_login,
+  gp_params::{ClientOs, GpParams},
+  portal::{prelogin, retrieve_config, PortalError, Prelogin},
+  process::auth_launcher::SamlAuthLauncher,
+  utils::shutdown_signal,
+  GP_USER_AGENT,
+};
+use inquire::{Password, PasswordDisplayMode, Select, Text};
+use log::info;
+use openconnect::Vpn;
+
+use crate::{cli::SharedArgs, GP_CLIENT_LOCK_FILE};
+
+#[derive(Args)]
+pub(crate) struct ConnectArgs {
+  #[arg(help = "The portal server to connect to")]
+  server: String,
+  #[arg(short, long, help = "The gateway to connect to, it will prompt if not specified")]
+  gateway: Option<String>,
+  #[arg(short, long, help = "The username to use, it will prompt if not specified")]
+  user: Option<String>,
+  #[arg(long, short, help = "The VPNC script to use")]
+  script: Option<String>,
+  #[arg(long, default_value = GP_USER_AGENT, help = "The user agent to use")]
+  user_agent: String,
+  #[arg(long, default_value = "Linux")]
+  os: Os,
+  #[arg(long)]
+  os_version: Option<String>,
+  #[arg(long, help = "The HiDPI mode, useful for high resolution screens")]
+  hidpi: bool,
+  #[arg(long, help = "Do not reuse the remembered authentication cookie")]
+  clean: bool,
+}
+
+impl ConnectArgs {
+  fn os_version(&self) -> String {
+    if let Some(os_version) = &self.os_version {
+      return os_version.to_owned();
+    }
+
+    match self.os {
+      Os::Linux => format!("Linux {}", whoami::distro()),
+      Os::Windows => String::from("Microsoft Windows 11 Pro , 64-bit"),
+      Os::Mac => String::from("Apple Mac OS X 13.4.0"),
+    }
+  }
+}
+
+pub(crate) struct ConnectHandler<'a> {
+  args: &'a ConnectArgs,
+  shared_args: &'a SharedArgs,
+}
+
+impl<'a> ConnectHandler<'a> {
+  pub(crate) fn new(args: &'a ConnectArgs, shared_args: &'a SharedArgs) -> Self {
+    Self { args, shared_args }
+  }
+
+  fn build_gp_params(&self) -> GpParams {
+    GpParams::builder()
+      .user_agent(&self.args.user_agent)
+      .client_os(ClientOs::from(&self.args.os))
+      .os_version(self.args.os_version())
+      .ignore_tls_errors(self.shared_args.ignore_tls_errors)
+      .build()
+  }
+
+  pub(crate) async fn handle(&self) -> anyhow::Result<()> {
+    let server = self.args.server.as_str();
+
+    let Err(err) = self.connect_portal_with_prelogin(server).await else {
+      return Ok(());
+    };
+
+    info!("Failed to connect portal with prelogin: {}", err);
+    if err.root_cause().downcast_ref::<PortalError>().is_some() {
+      info!("Trying the gateway authentication workflow...");
+      return self.connect_gateway_with_prelogin(server).await;
+    }
+
+    Err(err)
+  }
+
+  async fn connect_portal_with_prelogin(&self, portal: &str) -> anyhow::Result<()> {
+    let gp_params = self.build_gp_params();
+
+    let prelogin = prelogin(portal, &gp_params).await?;
+
+    let cred = self.obtain_credential(&prelogin, portal).await?;
+    let mut portal_config = retrieve_config(portal, &cred, &gp_params).await?;
+
+    let selected_gateway = match &self.args.gateway {
+      Some(gateway) => portal_config
+        .find_gateway(gateway)
+        .ok_or_else(|| anyhow::anyhow!("Cannot find gateway {}", gateway))?,
+      None => {
+        portal_config.sort_gateways(prelogin.region());
+        let gateways = portal_config.gateways();
+
+        if gateways.len() > 1 {
+          Select::new("Which gateway do you want to connect to?", gateways)
+            .with_vim_mode(true)
+            .prompt()?
+        } else {
+          gateways[0]
+        }
+      }
+    };
+
+    let gateway = selected_gateway.server();
+    let cred = portal_config.auth_cookie().into();
+
+    let cookie = match gateway_login(gateway, &cred, &gp_params).await {
+      Ok(cookie) => cookie,
+      Err(err) => {
+        info!("Gateway login failed: {}", err);
+        return self.connect_gateway_with_prelogin(gateway).await;
+      }
+    };
+
+    self.connect_gateway(gateway, &cookie).await
+  }
+
+  async fn connect_gateway_with_prelogin(&self, gateway: &str) -> anyhow::Result<()> {
+    let mut gp_params = self.build_gp_params();
+    gp_params.set_is_gateway(true);
+
+    let prelogin = prelogin(gateway, &gp_params).await?;
+    let cred = self.obtain_credential(&prelogin, &gateway).await?;
+
+    let cookie = gateway_login(gateway, &cred, &gp_params).await?;
+
+    self.connect_gateway(gateway, &cookie).await
+  }
+
+  async fn connect_gateway(&self, gateway: &str, cookie: &str) -> anyhow::Result<()> {
+    let vpn = Vpn::builder(gateway, cookie)
+      .user_agent(self.args.user_agent.clone())
+      .script(self.args.script.clone())
+      .build();
+
+    let vpn = Arc::new(vpn);
+    let vpn_clone = vpn.clone();
+
+    // Listen for the interrupt signal in the background
+    tokio::spawn(async move {
+      shutdown_signal().await;
+      info!("Received the interrupt signal, disconnecting...");
+      vpn_clone.disconnect();
+    });
+
+    vpn.connect(write_pid_file);
+
+    if fs::metadata(GP_CLIENT_LOCK_FILE).is_ok() {
+      info!("Removing PID file");
+      fs::remove_file(GP_CLIENT_LOCK_FILE)?;
+    }
+
+    Ok(())
+  }
+
+  async fn obtain_credential(&self, prelogin: &Prelogin, server: &str) -> anyhow::Result<Credential> {
+    let is_gateway = prelogin.is_gateway();
+
+    match prelogin {
+      Prelogin::Saml(prelogin) => {
+        SamlAuthLauncher::new(&self.args.server)
+          .gateway(is_gateway)
+          .saml_request(prelogin.saml_request())
+          .user_agent(&self.args.user_agent)
+          .os(self.args.os.as_str())
+          .os_version(Some(&self.args.os_version()))
+          .hidpi(self.args.hidpi)
+          .fix_openssl(self.shared_args.fix_openssl)
+          .ignore_tls_errors(self.shared_args.ignore_tls_errors)
+          .clean(self.args.clean)
+          .launch()
+          .await
+      }
+      Prelogin::Standard(prelogin) => {
+        let prefix = if is_gateway { "Gateway" } else { "Portal" };
+        println!("{} ({}: {})", prelogin.auth_message(), prefix, server);
+
+        let user = self.args.user.as_ref().map_or_else(
+          || Text::new(&format!("{}:", prelogin.label_username())).prompt(),
+          |user| Ok(user.to_owned()),
+        )?;
+        let password = Password::new(&format!("{}:", prelogin.label_password()))
+          .without_confirmation()
+          .with_display_mode(PasswordDisplayMode::Masked)
+          .prompt()?;
+
+        let password_cred = PasswordCredential::new(&user, &password);
+
+        Ok(password_cred.into())
+      }
+    }
+  }
+}
+
+fn write_pid_file() {
+  let pid = std::process::id();
+
+  fs::write(GP_CLIENT_LOCK_FILE, pid.to_string()).unwrap();
+  info!("Wrote PID {} to {}", pid, GP_CLIENT_LOCK_FILE);
+}

apps/gpclient/src/disconnect.rs

@@ -0,0 +1,31 @@
+use crate::GP_CLIENT_LOCK_FILE;
+use log::{info, warn};
+use std::fs;
+use sysinfo::{Pid, ProcessExt, Signal, System, SystemExt};
+
+pub(crate) struct DisconnectHandler;
+
+impl DisconnectHandler {
+  pub(crate) fn new() -> Self {
+    Self
+  }
+
+  pub(crate) fn handle(&self) -> anyhow::Result<()> {
+    if fs::metadata(GP_CLIENT_LOCK_FILE).is_err() {
+      warn!("PID file not found, maybe the client is not running");
+      return Ok(());
+    }
+
+    let pid = fs::read_to_string(GP_CLIENT_LOCK_FILE)?;
+    let pid = pid.trim().parse::<usize>()?;
+    let s = System::new_all();
+
+    if let Some(process) = s.process(Pid::from(pid)) {
+      info!("Found process {}, killing...", pid);
+      if process.kill_with(Signal::Interrupt).is_none() {
+        warn!("Failed to kill process {}", pid);
+      }
+    }
+    Ok(())
+  }
+}

apps/gpclient/src/launch_gui.rs

@@ -0,0 +1,112 @@
+use std::{collections::HashMap, fs, path::PathBuf};
+
+use clap::Args;
+use directories::ProjectDirs;
+use gpapi::{
+  process::service_launcher::ServiceLauncher,
+  utils::{endpoint::http_endpoint, env_file, shutdown_signal},
+};
+use log::info;
+
+#[derive(Args)]
+pub(crate) struct LaunchGuiArgs {
+  #[arg(
+    required = false,
+    help = "The authentication data, used for the default browser authentication"
+  )]
+  auth_data: Option<String>,
+  #[arg(long, help = "Launch the GUI minimized")]
+  minimized: bool,
+}
+
+pub(crate) struct LaunchGuiHandler<'a> {
+  args: &'a LaunchGuiArgs,
+}
+
+impl<'a> LaunchGuiHandler<'a> {
+  pub(crate) fn new(args: &'a LaunchGuiArgs) -> Self {
+    Self { args }
+  }
+
+  pub(crate) async fn handle(&self) -> anyhow::Result<()> {
+    // `launch-gui`cannot be run as root
+    let user = whoami::username();
+    if user == "root" {
+      anyhow::bail!("`launch-gui` cannot be run as root");
+    }
+
+    let auth_data = self.args.auth_data.as_deref().unwrap_or_default();
+    if !auth_data.is_empty() {
+      // Process the authentication data, its format is `globalprotectcallback:<data>`
+      return feed_auth_data(auth_data).await;
+    }
+
+    if try_active_gui().await.is_ok() {
+      info!("The GUI is already running");
+      return Ok(());
+    }
+
+    tokio::spawn(async move {
+      shutdown_signal().await;
+      info!("Shutting down...");
+    });
+
+    let log_file = get_log_file()?;
+    let log_file_path = log_file.to_string_lossy().to_string();
+
+    info!("Log file: {}", log_file_path);
+
+    let mut extra_envs = HashMap::<String, String>::new();
+    extra_envs.insert("GP_LOG_FILE".into(), log_file_path.clone());
+
+    // Persist the environment variables to a file
+    let env_file = env_file::persist_env_vars(Some(extra_envs))?;
+    let env_file = env_file.into_temp_path();
+    let env_file_path = env_file.to_string_lossy().to_string();
+
+    let exit_status = ServiceLauncher::new()
+      .minimized(self.args.minimized)
+      .env_file(&env_file_path)
+      .log_file(&log_file_path)
+      .launch()
+      .await?;
+
+    info!("Service exited with status: {}", exit_status);
+
+    Ok(())
+  }
+}
+
+async fn feed_auth_data(auth_data: &str) -> anyhow::Result<()> {
+  let service_endpoint = http_endpoint().await?;
+
+  reqwest::Client::default()
+    .post(format!("{}/auth-data", service_endpoint))
+    .json(&auth_data)
+    .send()
+    .await?
+    .error_for_status()?;
+
+  Ok(())
+}
+
+async fn try_active_gui() -> anyhow::Result<()> {
+  let service_endpoint = http_endpoint().await?;
+
+  reqwest::Client::default()
+    .post(format!("{}/active-gui", service_endpoint))
+    .send()
+    .await?
+    .error_for_status()?;
+
+  Ok(())
+}
+
+pub fn get_log_file() -> anyhow::Result<PathBuf> {
+  let dirs = ProjectDirs::from("com.yuezk", "GlobalProtect-openconnect", "gpclient")
+    .ok_or_else(|| anyhow::anyhow!("Failed to get project dirs"))?;
+
+  fs::create_dir_all(dirs.data_dir())?;
+
+  Ok(dirs.data_dir().join("gpclient.log"))
+}

apps/gpclient/src/main.rs

@@ -0,0 +1,11 @@
+mod cli;
+mod connect;
+mod disconnect;
+mod launch_gui;
+
+pub(crate) const GP_CLIENT_LOCK_FILE: &str = "/var/run/gpclient.lock";
+
+#[tokio::main]
+async fn main() {
+  cli::run().await;
+}

apps/gpservice/Cargo.toml

@@ -0,0 +1,19 @@
+[package]
+name = "gpservice"
+version.workspace = true
+edition.workspace = true
+license.workspace = true
+
+[dependencies]
+gpapi = { path = "../../crates/gpapi" }
+openconnect = { path = "../../crates/openconnect" }
+clap.workspace = true
+anyhow.workspace = true
+tokio.workspace = true
+tokio-util.workspace = true
+axum = { workspace = true, features = ["ws"] }
+futures.workspace = true
+serde_json.workspace = true
+env_logger.workspace = true
+log.workspace = true
+compile-time.workspace = true

apps/gpservice/src/cli.rs

@@ -0,0 +1,165 @@
+use std::sync::Arc;
+use std::{collections::HashMap, io::Write};
+
+use anyhow::bail;
+use clap::Parser;
+use gpapi::{
+  process::gui_launcher::GuiLauncher,
+  service::{request::WsRequest, vpn_state::VpnState},
+  utils::{crypto::generate_key, env_file, lock_file::LockFile, redact::Redaction, shutdown_signal},
+  GP_SERVICE_LOCK_FILE,
+};
+use log::{info, warn, LevelFilter};
+use tokio::sync::{mpsc, watch};
+
+use crate::{vpn_task::VpnTask, ws_server::WsServer};
+
+const VERSION: &str = concat!(env!("CARGO_PKG_VERSION"), " (", compile_time::date_str!(), ")");
+
+#[derive(Parser)]
+#[command(version = VERSION)]
+struct Cli {
+  #[clap(long)]
+  minimized: bool,
+  #[clap(long)]
+  env_file: Option<String>,
+  #[cfg(debug_assertions)]
+  #[clap(long)]
+  no_gui: bool,
+}
+
+impl Cli {
+  async fn run(&mut self, redaction: Arc<Redaction>) -> anyhow::Result<()> {
+    let lock_file = Arc::new(LockFile::new(GP_SERVICE_LOCK_FILE));
+
+    if lock_file.check_health().await {
+      bail!("Another instance of the service is already running");
+    }
+
+    let api_key = self.prepare_api_key();
+
+    // Channel for sending requests to the VPN task
+    let (ws_req_tx, ws_req_rx) = mpsc::channel::<WsRequest>(32);
+    // Channel for receiving the VPN state from the VPN task
+    let (vpn_state_tx, vpn_state_rx) = watch::channel(VpnState::Disconnected);
+
+    let mut vpn_task = VpnTask::new(ws_req_rx, vpn_state_tx);
+    let ws_server = WsServer::new(api_key.clone(), ws_req_tx, vpn_state_rx, lock_file.clone(), redaction);
+
+    let (shutdown_tx, mut shutdown_rx) = mpsc::channel::<()>(4);
+    let shutdown_tx_clone = shutdown_tx.clone();
+    let vpn_task_token = vpn_task.cancel_token();
+    let server_token = ws_server.cancel_token();
+
+    let vpn_task_handle = tokio::spawn(async move { vpn_task.start(server_token).await });
+    let ws_server_handle = tokio::spawn(async move { ws_server.start(shutdown_tx_clone).await });
+
+    #[cfg(debug_assertions)]
+    let no_gui = self.no_gui;
+
+    #[cfg(not(debug_assertions))]
+    let no_gui = false;
+
+    if no_gui {
+      info!("GUI is disabled");
+    } else {
+      let envs = self.env_file.as_ref().map(env_file::load_env_vars).transpose()?;
+
+      let minimized = self.minimized;
+
+      tokio::spawn(async move {
+        launch_gui(envs, api_key, minimized).await;
+        let _ = shutdown_tx.send(()).await;
+      });
+    }
+
+    tokio::select! {
+        _ = shutdown_signal() => {
+            info!("Shutdown signal received");
+        }
+        _ = shutdown_rx.recv() => {
+            info!("Shutdown request received, shutting down");
+        }
+    }
+
+    vpn_task_token.cancel();
+    let _ = tokio::join!(vpn_task_handle, ws_server_handle);
+
+    lock_file.unlock()?;
+
+    info!("gpservice stopped");
+
+    Ok(())
+  }
+
+  fn prepare_api_key(&self) -> Vec<u8> {
+    #[cfg(debug_assertions)]
+    if self.no_gui {
+      return gpapi::GP_API_KEY.to_vec();
+    }
+
+    generate_key().to_vec()
+  }
+}
+
+fn init_logger() -> Arc<Redaction> {
+  let redaction = Arc::new(Redaction::new());
+  let redaction_clone = Arc::clone(&redaction);
+  // let target = Box::new(File::create("log.txt").expect("Can't create file"));
+  env_logger::builder()
+    .filter_level(LevelFilter::Info)
+    .format(move |buf, record| {
+      let timestamp = buf.timestamp();
+      writeln!(
+        buf,
+        "[{} {} {}] {}",
+        timestamp,
+        record.level(),
+        record.module_path().unwrap_or_default(),
+        redaction_clone.redact_str(&record.args().to_string())
+      )
+    })
+    // .target(env_logger::Target::Pipe(target))
+    .init();
+
+  redaction
+}
+
+async fn launch_gui(envs: Option<HashMap<String, String>>, api_key: Vec<u8>, mut minimized: bool) {
+  loop {
+    let api_key_clone = api_key.clone();
+    let gui_launcher = GuiLauncher::new()
+      .envs(envs.clone())
+      .api_key(api_key_clone)
+      .minimized(minimized);
+
+    match gui_launcher.launch().await {
+      Ok(exit_status) => {
+        // Exit code 99 means that the GUI needs to be restarted
+        if exit_status.code() != Some(99) {
+          info!("GUI exited with code {:?}", exit_status.code());
+          break;
+        }
+
+        info!("GUI exited with code 99, restarting");
+        minimized = false;
+      }
+      Err(err) => {
+        warn!("Failed to launch GUI: {}", err);
+        break;
+      }
+    }
+  }
+}
+
+pub async fn run() {
+  let mut cli = Cli::parse();
+
+  let redaction = init_logger();
+  info!("gpservice started: {}", VERSION);
+
+  if let Err(e) = cli.run(redaction).await {
+    eprintln!("Error: {}", e);
+    std::process::exit(1);
+  }
+}

apps/gpservice/src/handlers.rs

@@ -0,0 +1,95 @@
+use std::{borrow::Cow, ops::ControlFlow, sync::Arc};
+
+use axum::{
+  extract::{
+    ws::{self, CloseFrame, Message, WebSocket},
+    State, WebSocketUpgrade,
+  },
+  response::IntoResponse,
+};
+use futures::{SinkExt, StreamExt};
+use gpapi::service::event::WsEvent;
+use log::{info, warn};
+
+use crate::ws_server::WsServerContext;
+
+pub(crate) async fn health() -> impl IntoResponse {
+  "OK"
+}
+
+pub(crate) async fn active_gui(State(ctx): State<Arc<WsServerContext>>) -> impl IntoResponse {
+  ctx.send_event(WsEvent::ActiveGui).await;
+}
+
+pub(crate) async fn auth_data(State(ctx): State<Arc<WsServerContext>>, body: String) -> impl IntoResponse {
+  ctx.send_event(WsEvent::AuthData(body)).await;
+}
+
+pub(crate) async fn ws_handler(ws: WebSocketUpgrade, State(ctx): State<Arc<WsServerContext>>) -> impl IntoResponse {
+  ws.on_upgrade(move |socket| handle_socket(socket, ctx))
+}
+
+async fn handle_socket(mut socket: WebSocket, ctx: Arc<WsServerContext>) {
+  // Send ping message
+  if let Err(err) = socket.send(Message::Ping("Hi".into())).await {
+    warn!("Failed to send ping: {}", err);
+    return;
+  }
+
+  // Wait for pong message
+  if socket.recv().await.is_none() {
+    warn!("Failed to receive pong");
+    return;
+  }
+
+  info!("New client connected");
+
+  let (mut sender, mut receiver) = socket.split();
+  let (connection, mut msg_rx) = ctx.add_connection().await;
+
+  let send_task = tokio::spawn(async move {
+    while let Some(msg) = msg_rx.recv().await {
+      if let Err(err) = sender.send(msg).await {
+        info!("Failed to send message: {}", err);
+        break;
+      }
+    }
+
+    let close_msg = Message::Close(Some(CloseFrame {
+      code: ws::close_code::NORMAL,
+      reason: Cow::from("Goodbye"),
+    }));
+
+    if let Err(err) = sender.send(close_msg).await {
+      warn!("Failed to close socket: {}", err);
+    }
+  });
+
+  let conn = Arc::clone(&connection);
+  let ctx_clone = Arc::clone(&ctx);
+  let recv_task = tokio::spawn(async move {
+    while let Some(Ok(msg)) = receiver.next().await {
+      let ControlFlow::Continue(ws_req) = conn.recv_msg(msg) else {
+        break;
+      };
+
+      if let Err(err) = ctx_clone.forward_req(ws_req).await {
+        info!("Failed to forward request: {}", err);
+        break;
+      }
+    }
+  });
+
+  tokio::select! {
+    _ = send_task => {
+        info!("WS server send task completed");
+    },
+    _ = recv_task => {
+        info!("WS server recv task completed");
+    }
+  }
+
+  info!("Client disconnected");
+
+  ctx.remove_connection(connection).await;
+}

apps/gpservice/src/main.rs

@@ -0,0 +1,11 @@
+mod cli;
+mod handlers;
+mod routes;
+mod vpn_task;
+mod ws_connection;
+mod ws_server;
+
+#[tokio::main]
+async fn main() {
+  cli::run().await;
+}

apps/gpservice/src/routes.rs

@@ -0,0 +1,17 @@
+use std::sync::Arc;
+
+use axum::{
+  routing::{get, post},
+  Router,
+};
+
+use crate::{handlers, ws_server::WsServerContext};
+
+pub(crate) fn routes(ctx: Arc<WsServerContext>) -> Router {
+  Router::new()
+    .route("/health", get(handlers::health))
+    .route("/active-gui", post(handlers::active_gui))
+    .route("/auth-data", post(handlers::auth_data))
+    .route("/ws", get(handlers::ws_handler))
+    .with_state(ctx)
+}

apps/gpservice/src/vpn_task.rs

@@ -0,0 +1,144 @@
+use std::{sync::Arc, thread};
+
+use gpapi::service::{
+  request::{ConnectRequest, WsRequest},
+  vpn_state::VpnState,
+};
+use log::info;
+use openconnect::Vpn;
+use tokio::sync::{mpsc, oneshot, watch, RwLock};
+use tokio_util::sync::CancellationToken;
+
+pub(crate) struct VpnTaskContext {
+  vpn_handle: Arc<RwLock<Option<Vpn>>>,
+  vpn_state_tx: Arc<watch::Sender<VpnState>>,
+  disconnect_rx: RwLock<Option<oneshot::Receiver<()>>>,
+}
+
+impl VpnTaskContext {
+  pub fn new(vpn_state_tx: watch::Sender<VpnState>) -> Self {
+    Self {
+      vpn_handle: Default::default(),
+      vpn_state_tx: Arc::new(vpn_state_tx),
+      disconnect_rx: Default::default(),
+    }
+  }
+
+  pub async fn connect(&self, req: ConnectRequest) {
+    let vpn_state = self.vpn_state_tx.borrow().clone();
+    if !matches!(vpn_state, VpnState::Disconnected) {
+      info!("VPN is not disconnected, ignore the request");
+      return;
+    }
+
+    let info = req.info().clone();
+    let vpn_handle = self.vpn_handle.clone();
+    let args = req.args();
+    let vpn = Vpn::builder(req.gateway().server(), args.cookie())
+      .user_agent(args.user_agent())
+      .script(args.vpnc_script())
+      .os(args.openconnect_os())
+      .build();
+
+    // Save the VPN handle
+    vpn_handle.write().await.replace(vpn);
+
+    let vpn_state_tx = self.vpn_state_tx.clone();
+    let connect_info = Box::new(info.clone());
+    vpn_state_tx.send(VpnState::Connecting(connect_info)).ok();
+
+    let (disconnect_tx, disconnect_rx) = oneshot::channel::<()>();
+    self.disconnect_rx.write().await.replace(disconnect_rx);
+
+    // Spawn a new thread to process the VPN connection, cannot use tokio::spawn here.
+    // Otherwise, it will block the tokio runtime and cannot send the VPN state to the channel
+    thread::spawn(move || {
+      let vpn_state_tx_clone = vpn_state_tx.clone();
+
+      vpn_handle.blocking_read().as_ref().map(|vpn| {
+        vpn.connect(move || {
+          let connect_info = Box::new(info.clone());
+          vpn_state_tx.send(VpnState::Connected(connect_info)).ok();
+        })
+      });
+
+      // Notify the VPN is disconnected
+      vpn_state_tx_clone.send(VpnState::Disconnected).ok();
+      // Remove the VPN handle
+      vpn_handle.blocking_write().take();
+
+      disconnect_tx.send(()).ok();
+    });
+  }
+
+  pub async fn disconnect(&self) {
+    if let Some(disconnect_rx) = self.disconnect_rx.write().await.take() {
+      if let Some(vpn) = self.vpn_handle.read().await.as_ref() {
+        self.vpn_state_tx.send(VpnState::Disconnecting).ok();
+        vpn.disconnect()
+      }
+      // Wait for the VPN to be disconnected
+      disconnect_rx.await.ok();
+      info!("VPN disconnected");
+    } else {
+      info!("VPN is not connected, skip disconnect");
+      self.vpn_state_tx.send(VpnState::Disconnected).ok();
+    }
+  }
+}
+
+pub(crate) struct VpnTask {
+  ws_req_rx: mpsc::Receiver<WsRequest>,
+  ctx: Arc<VpnTaskContext>,
+  cancel_token: CancellationToken,
+}
+
+impl VpnTask {
+  pub fn new(ws_req_rx: mpsc::Receiver<WsRequest>, vpn_state_tx: watch::Sender<VpnState>) -> Self {
+    let ctx = Arc::new(VpnTaskContext::new(vpn_state_tx));
+    let cancel_token = CancellationToken::new();
+
+    Self {
+      ws_req_rx,
+      ctx,
+      cancel_token,
+    }
+  }
+
+  pub fn cancel_token(&self) -> CancellationToken {
+    self.cancel_token.clone()
+  }
+
+  pub async fn start(&mut self, server_cancel_token: CancellationToken) {
+    let cancel_token = self.cancel_token.clone();
+
+    tokio::select! {
+        _ = self.recv() => {
+            info!("VPN task stopped");
+        }
+        _ = cancel_token.cancelled() => {
+            info!("VPN task cancelled");
+            self.ctx.disconnect().await;
+        }
+    }
+
+    server_cancel_token.cancel();
+  }
+
+  async fn recv(&mut self) {
+    while let Some(req) = self.ws_req_rx.recv().await {
+      tokio::spawn(process_ws_req(req, self.ctx.clone()));
+    }
+  }
+}
+
+async fn process_ws_req(req: WsRequest, ctx: Arc<VpnTaskContext>) {
+  match req {
+    WsRequest::Connect(req) => {
+      ctx.connect(*req).await;
+    }
+    WsRequest::Disconnect(_) => {
+      ctx.disconnect().await;
+    }
+  }
+}

apps/gpservice/src/ws_connection.rs

@@ -0,0 +1,53 @@
+use std::{ops::ControlFlow, sync::Arc};
+
+use axum::extract::ws::{CloseFrame, Message};
+use gpapi::{
+  service::{event::WsEvent, request::WsRequest},
+  utils::crypto::Crypto,
+};
+use log::{info, warn};
+use tokio::sync::mpsc;
+
+pub(crate) struct WsConnection {
+  crypto: Arc<Crypto>,
+  tx: mpsc::Sender<Message>,
+}
+
+impl WsConnection {
+  pub fn new(crypto: Arc<Crypto>, tx: mpsc::Sender<Message>) -> Self {
+    Self { crypto, tx }
+  }
+
+  pub async fn send_event(&self, event: &WsEvent) -> anyhow::Result<()> {
+    let encrypted = self.crypto.encrypt(event)?;
+    let msg = Message::Binary(encrypted);
+
+    self.tx.send(msg).await?;
+
+    Ok(())
+  }
+
+  pub fn recv_msg(&self, msg: Message) -> ControlFlow<(), WsRequest> {
+    match msg {
+      Message::Binary(data) => match self.crypto.decrypt(data) {
+        Ok(ws_req) => ControlFlow::Continue(ws_req),
+        Err(err) => {
+          info!("Failed to decrypt message: {}", err);
+          ControlFlow::Break(())
+        }
+      },
+      Message::Close(cf) => {
+        if let Some(CloseFrame { code, reason }) = cf {
+          info!("Client sent close, code {} and reason `{}`", code, reason);
+        } else {
+          info!("Client somehow sent close message without CloseFrame");
+        }
+        ControlFlow::Break(())
+      }
+      _ => {
+        warn!("WS server received unexpected message: {:?}", msg);
+        ControlFlow::Break(())
+      }
+    }
+  }
+}

apps/gpservice/src/ws_server.rs

@@ -0,0 +1,153 @@
+use std::sync::Arc;
+
+use axum::extract::ws::Message;
+use gpapi::{
+  service::{event::WsEvent, request::WsRequest, vpn_state::VpnState},
+  utils::{crypto::Crypto, lock_file::LockFile, redact::Redaction},
+};
+use log::{info, warn};
+use tokio::{
+  net::TcpListener,
+  sync::{mpsc, watch, RwLock},
+};
+use tokio_util::sync::CancellationToken;
+
+use crate::{routes, ws_connection::WsConnection};
+
+pub(crate) struct WsServerContext {
+  crypto: Arc<Crypto>,
+  ws_req_tx: mpsc::Sender<WsRequest>,
+  vpn_state_rx: watch::Receiver<VpnState>,
+  redaction: Arc<Redaction>,
+  connections: RwLock<Vec<Arc<WsConnection>>>,
+}
+
+impl WsServerContext {
+  pub fn new(
+    api_key: Vec<u8>,
+    ws_req_tx: mpsc::Sender<WsRequest>,
+    vpn_state_rx: watch::Receiver<VpnState>,
+    redaction: Arc<Redaction>,
+  ) -> Self {
+    Self {
+      crypto: Arc::new(Crypto::new(api_key)),
+      ws_req_tx,
+      vpn_state_rx,
+      redaction,
+      connections: Default::default(),
+    }
+  }
+
+  pub async fn send_event(&self, event: WsEvent) {
+    let connections = self.connections.read().await;
+
+    for conn in connections.iter() {
+      let _ = conn.send_event(&event).await;
+    }
+  }
+
+  pub async fn add_connection(&self) -> (Arc<WsConnection>, mpsc::Receiver<Message>) {
+    let (tx, rx) = mpsc::channel::<Message>(32);
+    let conn = Arc::new(WsConnection::new(Arc::clone(&self.crypto), tx));
+
+    // Send current VPN state to new client
+    info!("Sending current VPN state to new client");
+    let vpn_state = self.vpn_state_rx.borrow().clone();
+    if let Err(err) = conn.send_event(&WsEvent::VpnState(vpn_state)).await {
+      warn!("Failed to send VPN state to new client: {}", err);
+    }
+
+    self.connections.write().await.push(Arc::clone(&conn));
+
+    (conn, rx)
+  }
+
+  pub async fn remove_connection(&self, conn: Arc<WsConnection>) {
+    let mut connections = self.connections.write().await;
+    connections.retain(|c| !Arc::ptr_eq(c, &conn));
+  }
+
+  fn vpn_state_rx(&self) -> watch::Receiver<VpnState> {
+    self.vpn_state_rx.clone()
+  }
+
+  pub async fn forward_req(&self, req: WsRequest) -> anyhow::Result<()> {
+    if let WsRequest::Connect(ref req) = req {
+      self
+        .redaction
+        .add_values(&[req.gateway().server(), req.args().cookie()])?
+    }
+
+    self.ws_req_tx.send(req).await?;
+
+    Ok(())
+  }
+}
+
+pub(crate) struct WsServer {
+  ctx: Arc<WsServerContext>,
+  cancel_token: CancellationToken,
+  lock_file: Arc<LockFile>,
+}
+
+impl WsServer {
+  pub fn new(
+    api_key: Vec<u8>,
+    ws_req_tx: mpsc::Sender<WsRequest>,
+    vpn_state_rx: watch::Receiver<VpnState>,
+    lock_file: Arc<LockFile>,
+    redaction: Arc<Redaction>,
+  ) -> Self {
+    let ctx = Arc::new(WsServerContext::new(api_key, ws_req_tx, vpn_state_rx, redaction));
+    let cancel_token = CancellationToken::new();
+
+    Self {
+      ctx,
+      cancel_token,
+      lock_file,
+    }
+  }
+
+  pub fn cancel_token(&self) -> CancellationToken {
+    self.cancel_token.clone()
+  }
+
+  pub async fn start(&self, shutdown_tx: mpsc::Sender<()>) {
+    if let Ok(listener) = TcpListener::bind("127.0.0.1:0").await {
+      let local_addr = listener.local_addr().unwrap();
+
+      self.lock_file.lock(local_addr.port().to_string()).unwrap();
+
+      info!("WS server listening on port: {}", local_addr.port());
+
+      tokio::select! {
+        _ = watch_vpn_state(self.ctx.vpn_state_rx(), Arc::clone(&self.ctx)) => {
+          info!("VPN state watch task completed");
+        }
+        _ = start_server(listener, self.ctx.clone()) => {
+            info!("WS server stopped");
+        }
+        _ = self.cancel_token.cancelled() => {
+          info!("WS server cancelled");
+        }
+      }
+    }
+
+    let _ = shutdown_tx.send(()).await;
+  }
+}
+
+async fn watch_vpn_state(mut vpn_state_rx: watch::Receiver<VpnState>, ctx: Arc<WsServerContext>) {
+  while vpn_state_rx.changed().await.is_ok() {
+    let vpn_state = vpn_state_rx.borrow().clone();
+    ctx.send_event(WsEvent::VpnState(vpn_state)).await;
+  }
+}
+
+async fn start_server(listener: TcpListener, ctx: Arc<WsServerContext>) -> anyhow::Result<()> {
+  let routes = routes::routes(ctx);
+
+  axum::serve(listener, routes).await?;
+
+  Ok(())
+}

crates/gpapi/Cargo.toml

@@ -0,0 +1,36 @@
+[package]
+name = "gpapi"
+version.workspace = true
+edition.workspace = true
+license = "MIT"
+
+[dependencies]
+anyhow.workspace = true
+base64.workspace = true
+log.workspace = true
+reqwest.workspace = true
+roxmltree.workspace = true
+serde.workspace = true
+specta.workspace = true
+specta-macros.workspace = true
+urlencoding.workspace = true
+tokio.workspace = true
+serde_json.workspace = true
+whoami.workspace = true
+tempfile.workspace = true
+thiserror.workspace = true
+chacha20poly1305 = { version = "0.10", features = ["std"] }
+redact-engine.workspace = true
+url.workspace = true
+regex.workspace = true
+dotenvy_macro.workspace = true
+uzers.workspace = true
+
+tauri = { workspace = true, optional = true }
+clap = { workspace = true, optional = true }
+open = { version = "5", optional = true }
+
+[features]
+tauri = ["dep:tauri"]
+clap = ["dep:clap"]
+browser-auth = ["dep:open"]

crates/gpapi/src/auth.rs

@@ -0,0 +1,90 @@
+use anyhow::bail;
+use regex::Regex;
+use serde::{Deserialize, Serialize};
+
+#[derive(Debug, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct SamlAuthData {
+  username: String,
+  prelogin_cookie: Option<String>,
+  portal_userauthcookie: Option<String>,
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub enum SamlAuthResult {
+  Success(SamlAuthData),
+  Failure(String),
+}
+
+impl SamlAuthResult {
+  pub fn is_success(&self) -> bool {
+    match self {
+      SamlAuthResult::Success(_) => true,
+      SamlAuthResult::Failure(_) => false,
+    }
+  }
+}
+
+impl SamlAuthData {
+  pub fn new(username: String, prelogin_cookie: Option<String>, portal_userauthcookie: Option<String>) -> Self {
+    Self {
+      username,
+      prelogin_cookie,
+      portal_userauthcookie,
+    }
+  }
+
+  pub fn parse_html(html: &str) -> anyhow::Result<SamlAuthData> {
+    match parse_xml_tag(html, "saml-auth-status") {
+      Some(saml_status) if saml_status == "1" => {
+        let username = parse_xml_tag(html, "saml-username");
+        let prelogin_cookie = parse_xml_tag(html, "prelogin-cookie");
+        let portal_userauthcookie = parse_xml_tag(html, "portal-userauthcookie");
+
+        if SamlAuthData::check(&username, &prelogin_cookie, &portal_userauthcookie) {
+          return Ok(SamlAuthData::new(
+            username.unwrap(),
+            prelogin_cookie,
+            portal_userauthcookie,
+          ));
+        }
+
+        bail!("Found invalid auth data in HTML");
+      }
+      Some(status) => {
+        bail!("Found invalid SAML status {} in HTML", status);
+      }
+      None => {
+        bail!("No auth data found in HTML");
+      }
+    }
+  }
+
+  pub fn username(&self) -> &str {
+    &self.username
+  }
+
+  pub fn prelogin_cookie(&self) -> Option<&str> {
+    self.prelogin_cookie.as_deref()
+  }
+
+  pub fn check(
+    username: &Option<String>,
+    prelogin_cookie: &Option<String>,
+    portal_userauthcookie: &Option<String>,
+  ) -> bool {
+    let username_valid = username.as_ref().is_some_and(|username| !username.is_empty());
+    let prelogin_cookie_valid = prelogin_cookie.as_ref().is_some_and(|val| val.len() > 5);
+    let portal_userauthcookie_valid = portal_userauthcookie.as_ref().is_some_and(|val| val.len() > 5);
+
+    username_valid && (prelogin_cookie_valid || portal_userauthcookie_valid)
+  }
+}
+
+pub fn parse_xml_tag(html: &str, tag: &str) -> Option<String> {
+  let re = Regex::new(&format!("<{}>(.*)</{}>", tag, tag)).unwrap();
+  re.captures(html)
+    .and_then(|captures| captures.get(1))
+    .map(|m| m.as_str().to_string())
+}

crates/gpapi/src/clap/args.rs

@@ -0,0 +1,64 @@
+use clap::{builder::PossibleValue, ValueEnum};
+
+use crate::gp_params::ClientOs;
+
+#[derive(Debug, Clone)]
+pub enum Os {
+  Linux,
+  Windows,
+  Mac,
+}
+
+impl Os {
+  pub fn as_str(&self) -> &'static str {
+    match self {
+      Os::Linux => "Linux",
+      Os::Windows => "Windows",
+      Os::Mac => "Mac",
+    }
+  }
+}
+
+impl From<&str> for Os {
+  fn from(os: &str) -> Self {
+    match os.to_lowercase().as_str() {
+      "linux" => Os::Linux,
+      "windows" => Os::Windows,
+      "mac" => Os::Mac,
+      _ => Os::Linux,
+    }
+  }
+}
+
+impl From<&Os> for ClientOs {
+  fn from(value: &Os) -> Self {
+    match value {
+      Os::Linux => ClientOs::Linux,
+      Os::Windows => ClientOs::Windows,
+      Os::Mac => ClientOs::Mac,
+    }
+  }
+}
+
+impl ValueEnum for Os {
+  fn value_variants<'a>() -> &'a [Self] {
+    &[Os::Linux, Os::Windows, Os::Mac]
+  }
+
+  fn to_possible_value(&self) -> Option<clap::builder::PossibleValue> {
+    match self {
+      Os::Linux => Some(PossibleValue::new("Linux")),
+      Os::Windows => Some(PossibleValue::new("Windows")),
+      Os::Mac => Some(PossibleValue::new("Mac")),
+    }
+  }
+
+  fn from_str(input: &str, _: bool) -> Result<Self, String> {
+    match input.to_lowercase().as_str() {
+      "linux" => Ok(Os::Linux),
+      "windows" => Ok(Os::Windows),
+      "mac" => Ok(Os::Mac),
+      _ => Err(format!("Invalid OS: {}", input)),
+    }
+  }
+}

crates/gpapi/src/clap/mod.rs

@@ -0,0 +1 @@
+pub mod args;

crates/gpapi/src/credential.rs

@@ -0,0 +1,247 @@
+use std::collections::HashMap;
+
+use serde::{Deserialize, Serialize};
+use specta::Type;
+
+use crate::{auth::SamlAuthData, utils::base64::decode_to_string};
+
+#[derive(Debug, Serialize, Deserialize, Type, Clone)]
+#[serde(rename_all = "camelCase")]
+pub struct PasswordCredential {
+  username: String,
+  password: String,
+}
+
+impl PasswordCredential {
+  pub fn new(username: &str, password: &str) -> Self {
+    Self {
+      username: username.to_string(),
+      password: password.to_string(),
+    }
+  }
+
+  pub fn username(&self) -> &str {
+    &self.username
+  }
+
+  pub fn password(&self) -> &str {
+    &self.password
+  }
+}
+
+impl From<&CachedCredential> for PasswordCredential {
+  fn from(value: &CachedCredential) -> Self {
+    Self::new(value.username(), value.password().unwrap_or_default())
+  }
+}
+
+#[derive(Debug, Serialize, Deserialize, Type, Clone)]
+#[serde(rename_all = "camelCase")]
+pub struct PreloginCookieCredential {
+  username: String,
+  prelogin_cookie: String,
+}
+
+impl PreloginCookieCredential {
+  pub fn new(username: &str, prelogin_cookie: &str) -> Self {
+    Self {
+      username: username.to_string(),
+      prelogin_cookie: prelogin_cookie.to_string(),
+    }
+  }
+
+  pub fn username(&self) -> &str {
+    &self.username
+  }
+
+  pub fn prelogin_cookie(&self) -> &str {
+    &self.prelogin_cookie
+  }
+}
+
+impl TryFrom<SamlAuthData> for PreloginCookieCredential {
+  type Error = anyhow::Error;
+
+  fn try_from(value: SamlAuthData) -> Result<Self, Self::Error> {
+    let username = value.username().to_string();
+    let prelogin_cookie = value
+      .prelogin_cookie()
+      .ok_or_else(|| anyhow::anyhow!("Missing prelogin cookie"))?
+      .to_string();
+
+    Ok(Self::new(&username, &prelogin_cookie))
+  }
+}
+
+#[derive(Debug, Serialize, Deserialize, Type, Clone)]
+#[serde(rename_all = "camelCase")]
+pub struct AuthCookieCredential {
+  username: String,
+  user_auth_cookie: String,
+  prelogon_user_auth_cookie: String,
+}
+
+impl AuthCookieCredential {
+  pub fn new(username: &str, user_auth_cookie: &str, prelogon_user_auth_cookie: &str) -> Self {
+    Self {
+      username: username.to_string(),
+      user_auth_cookie: user_auth_cookie.to_string(),
+      prelogon_user_auth_cookie: prelogon_user_auth_cookie.to_string(),
+    }
+  }
+
+  pub fn username(&self) -> &str {
+    &self.username
+  }
+
+  pub fn user_auth_cookie(&self) -> &str {
+    &self.user_auth_cookie
+  }
+
+  pub fn prelogon_user_auth_cookie(&self) -> &str {
+    &self.prelogon_user_auth_cookie
+  }
+}
+
+#[derive(Debug, Serialize, Deserialize, Type, Clone)]
+#[serde(rename_all = "camelCase")]
+pub struct CachedCredential {
+  username: String,
+  password: Option<String>,
+  auth_cookie: AuthCookieCredential,
+}
+
+impl CachedCredential {
+  pub fn new(username: String, password: Option<String>, auth_cookie: AuthCookieCredential) -> Self {
+    Self {
+      username,
+      password,
+      auth_cookie,
+    }
+  }
+
+  pub fn username(&self) -> &str {
+    &self.username
+  }
+
+  pub fn password(&self) -> Option<&str> {
+    self.password.as_deref()
+  }
+
+  pub fn auth_cookie(&self) -> &AuthCookieCredential {
+    &self.auth_cookie
+  }
+
+  pub fn set_auth_cookie(&mut self, auth_cookie: AuthCookieCredential) {
+    self.auth_cookie = auth_cookie;
+  }
+
+  pub fn set_username(&mut self, username: String) {
+    self.username = username;
+  }
+
+  pub fn set_password(&mut self, password: Option<String>) {
+    self.password = password.map(|s| s.to_string());
+  }
+}
+
+impl From<PasswordCredential> for CachedCredential {
+  fn from(value: PasswordCredential) -> Self {
+    Self::new(
+      value.username().to_owned(),
+      Some(value.password().to_owned()),
+      AuthCookieCredential::new("", "", ""),
+    )
+  }
+}
+
+#[derive(Debug, Serialize, Deserialize, Type, Clone)]
+#[serde(tag = "type", rename_all = "camelCase")]
+pub enum Credential {
+  Password(PasswordCredential),
+  PreloginCookie(PreloginCookieCredential),
+  AuthCookie(AuthCookieCredential),
+  CachedCredential(CachedCredential),
+}
+
+impl Credential {
+  /// Create a credential from a globalprotectcallback:<base64 encoded string>
+  pub fn parse_gpcallback(auth_data: &str) -> anyhow::Result<Self> {
+    // Remove the surrounding quotes
+    let auth_data = auth_data.trim_matches('"');
+    let auth_data = auth_data.trim_start_matches("globalprotectcallback:");
+    let auth_data = decode_to_string(auth_data)?;
+    let auth_data = SamlAuthData::parse_html(&auth_data)?;
+
+    Self::try_from(auth_data)
+  }
+
+  pub fn username(&self) -> &str {
+    match self {
+      Credential::Password(cred) => cred.username(),
+      Credential::PreloginCookie(cred) => cred.username(),
+      Credential::AuthCookie(cred) => cred.username(),
+      Credential::CachedCredential(cred) => cred.username(),
+    }
+  }
+
+  pub fn to_params(&self) -> HashMap<&str, &str> {
+    let mut params = HashMap::new();
+    params.insert("user", self.username());
+
+    let (passwd, prelogin_cookie, portal_userauthcookie, portal_prelogonuserauthcookie) = match self {
+      Credential::Password(cred) => (Some(cred.password()), None, None, None),
+      Credential::PreloginCookie(cred) => (None, Some(cred.prelogin_cookie()), None, None),
+      Credential::AuthCookie(cred) => (
+        None,
+        None,
+        Some(cred.user_auth_cookie()),
+        Some(cred.prelogon_user_auth_cookie()),
+      ),
+      Credential::CachedCredential(cred) => (
+        cred.password(),
+        None,
+        Some(cred.auth_cookie.user_auth_cookie()),
+        Some(cred.auth_cookie.prelogon_user_auth_cookie()),
+      ),
+    };
+
+    params.insert("passwd", passwd.unwrap_or_default());
+    params.insert("prelogin-cookie", prelogin_cookie.unwrap_or_default());
+    params.insert("portal-userauthcookie", portal_userauthcookie.unwrap_or_default());
+    params.insert(
+      "portal-prelogonuserauthcookie",
+      portal_prelogonuserauthcookie.unwrap_or_default(),
+    );
+
+    params
+  }
+}
+
+impl TryFrom<SamlAuthData> for Credential {
+  type Error = anyhow::Error;
+
+  fn try_from(value: SamlAuthData) -> Result<Self, Self::Error> {
+    let prelogin_cookie = PreloginCookieCredential::try_from(value)?;
+
+    Ok(Self::PreloginCookie(prelogin_cookie))
+  }
+}
+
+impl From<PasswordCredential> for Credential {
+  fn from(value: PasswordCredential) -> Self {
+    Self::Password(value)
+  }
+}
+
+impl From<&AuthCookieCredential> for Credential {
+  fn from(value: &AuthCookieCredential) -> Self {
+    Self::AuthCookie(value.clone())
+  }
+}
+
+impl From<&CachedCredential> for Credential {
+  fn from(value: &CachedCredential) -> Self {
+    Self::CachedCredential(value.clone())
+  }
+}

crates/gpapi/src/gateway/login.rs

@@ -0,0 +1,74 @@
+use anyhow::bail;
+use log::info;
+use reqwest::Client;
+use roxmltree::Document;
+use urlencoding::encode;
+
+use crate::{
+  credential::Credential,
+  gp_params::GpParams,
+  utils::{normalize_server, remove_url_scheme},
+};
+
+pub async fn gateway_login(gateway: &str, cred: &Credential, gp_params: &GpParams) -> anyhow::Result<String> {
+  let url = normalize_server(gateway)?;
+  let gateway = remove_url_scheme(&url);
+
+  let login_url = format!("{}/ssl-vpn/login.esp", url);
+  let client = Client::builder()
+    .danger_accept_invalid_certs(gp_params.ignore_tls_errors())
+    .user_agent(gp_params.user_agent())
+    .build()?;
+
+  let mut params = cred.to_params();
+  let extra_params = gp_params.to_params();
+
+  params.extend(extra_params);
+  params.insert("server", &gateway);
+
+  info!("Gateway login, user_agent: {}", gp_params.user_agent());
+
+  let res = client.post(&login_url).form(&params).send().await?;
+  let status = res.status();
+
+  if status.is_client_error() || status.is_server_error() {
+    bail!("Gateway login error: {}", status)
+  }
+
+  let res_xml = res.text().await?;
+  let doc = Document::parse(&res_xml)?;
+
+  build_gateway_token(&doc, gp_params.computer())
+}
+
+fn build_gateway_token(doc: &Document, computer: &str) -> anyhow::Result<String> {
+  let args = doc
+    .descendants()
+    .filter(|n| n.has_tag_name("argument"))
+    .map(|n| n.text().unwrap_or("").to_string())
+    .collect::<Vec<_>>();
+
+  let params = [
+    read_args(&args, 1, "authcookie")?,
+    read_args(&args, 3, "portal")?,
+    read_args(&args, 4, "user")?,
+    read_args(&args, 7, "domain")?,
+    read_args(&args, 15, "preferred-ip")?,
+    ("computer", computer),
+  ];
+
+  let token = params
+    .iter()
+    .map(|(k, v)| format!("{}={}", k, encode(v)))
+    .collect::<Vec<_>>()
+    .join("&");
+
+  Ok(token)
+}
+
+fn read_args<'a>(args: &'a [String], index: usize, key: &'a str) -> anyhow::Result<(&'a str, &'a str)> {
+  args
+    .get(index)
+    .ok_or_else(|| anyhow::anyhow!("Failed to read {key} from args"))
+    .map(|s| (key, s.as_ref()))
+}

crates/gpapi/src/gateway/mod.rs

@@ -0,0 +1,50 @@
+mod login;
+mod parse_gateways;
+
+pub use login::*;
+pub(crate) use parse_gateways::*;
+
+use serde::{Deserialize, Serialize};
+use specta::Type;
+
+use std::fmt::Display;
+
+#[derive(Debug, Serialize, Deserialize, Type, Clone)]
+pub(crate) struct PriorityRule {
+  pub(crate) name: String,
+  pub(crate) priority: u32,
+}
+
+#[derive(Debug, Serialize, Deserialize, Type, Clone)]
+#[serde(rename_all = "camelCase")]
+pub struct Gateway {
+  pub(crate) name: String,
+  pub(crate) address: String,
+  pub(crate) priority: u32,
+  pub(crate) priority_rules: Vec<PriorityRule>,
+}
+
+impl Display for Gateway {
+  fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+    write!(f, "{} ({})", self.name, self.address)
+  }
+}
+
+impl Gateway {
+  pub fn new(name: String, address: String) -> Self {
+    Self {
+      name,
+      address,
+      priority: 0,
+      priority_rules: vec![],
+    }
+  }
+
+  pub fn name(&self) -> &str {
+    &self.name
+  }
+
+  pub fn server(&self) -> &str {
+    &self.address
+  }
+}

crates/gpapi/src/gateway/parse_gateways.rs

@@ -0,0 +1,61 @@
+use roxmltree::Document;
+
+use super::{Gateway, PriorityRule};
+
+pub(crate) fn parse_gateways(doc: &Document) -> Option<Vec<Gateway>> {
+  let node_gateways = doc.descendants().find(|n| n.has_tag_name("gateways"))?;
+  let list_gateway = node_gateways.descendants().find(|n| n.has_tag_name("list"))?;
+
+  let gateways = list_gateway
+    .children()
+    .filter_map(|gateway_item| {
+      if !gateway_item.has_tag_name("entry") {
+        return None;
+      }
+      let address = gateway_item.attribute("name").unwrap_or("").to_string();
+      let name = gateway_item
+        .children()
+        .find(|n| n.has_tag_name("description"))
+        .and_then(|n| n.text())
+        .unwrap_or("")
+        .to_string();
+      let priority = gateway_item
+        .children()
+        .find(|n| n.has_tag_name("priority"))
+        .and_then(|n| n.text())
+        .and_then(|s| s.parse().ok())
+        .unwrap_or(u32::MAX);
+      let priority_rules = gateway_item
+        .children()
+        .find(|n| n.has_tag_name("priority-rule"))
+        .map(|n| {
+          n.children()
+            .filter_map(|n| {
+              if !n.has_tag_name("entry") {
+                return None;
+              }
+              let name = n.attribute("name").unwrap_or("").to_string();
+              let priority: u32 = n
+                .children()
+                .find(|n| n.has_tag_name("priority"))
+                .and_then(|n| n.text())
+                .and_then(|s| s.parse().ok())
+                .unwrap_or(u32::MAX);
+
+              Some(PriorityRule { name, priority })
+            })
+            .collect()
+        })
+        .unwrap_or_default();
+
+      Some(Gateway {
+        name,
+        address,
+        priority,
+        priority_rules,
+      })
+    })
+    .collect();
+
+  Some(gateways)
+}

crates/gpapi/src/gp_params.rs

@@ -0,0 +1,197 @@
+use std::collections::HashMap;
+
+use serde::{Deserialize, Serialize};
+use specta::Type;
+
+use crate::GP_USER_AGENT;
+
+#[derive(Debug, Serialize, Deserialize, Clone, Type, Default)]
+pub enum ClientOs {
+  #[default]
+  Linux,
+  Windows,
+  Mac,
+}
+
+impl From<&str> for ClientOs {
+  fn from(os: &str) -> Self {
+    match os {
+      "Linux" => ClientOs::Linux,
+      "Windows" => ClientOs::Windows,
+      "Mac" => ClientOs::Mac,
+      _ => ClientOs::Linux,
+    }
+  }
+}
+
+impl ClientOs {
+  pub fn as_str(&self) -> &str {
+    match self {
+      ClientOs::Linux => "Linux",
+      ClientOs::Windows => "Windows",
+      ClientOs::Mac => "Mac",
+    }
+  }
+
+  pub fn to_openconnect_os(&self) -> &str {
+    match self {
+      ClientOs::Linux => "linux",
+      ClientOs::Windows => "win",
+      ClientOs::Mac => "mac-intel",
+    }
+  }
+}
+
+#[derive(Debug, Serialize, Deserialize, Type, Default)]
+pub struct GpParams {
+  is_gateway: bool,
+  user_agent: String,
+  client_os: ClientOs,
+  os_version: Option<String>,
+  client_version: Option<String>,
+  computer: String,
+  ignore_tls_errors: bool,
+  prefer_default_browser: bool,
+}
+
+impl GpParams {
+  pub fn builder() -> GpParamsBuilder {
+    GpParamsBuilder::new()
+  }
+
+  pub(crate) fn is_gateway(&self) -> bool {
+    self.is_gateway
+  }
+
+  pub fn set_is_gateway(&mut self, is_gateway: bool) {
+    self.is_gateway = is_gateway;
+  }
+
+  pub(crate) fn user_agent(&self) -> &str {
+    &self.user_agent
+  }
+
+  pub(crate) fn computer(&self) -> &str {
+    &self.computer
+  }
+
+  pub fn ignore_tls_errors(&self) -> bool {
+    self.ignore_tls_errors
+  }
+
+  pub fn prefer_default_browser(&self) -> bool {
+    self.prefer_default_browser
+  }
+
+  pub(crate) fn to_params(&self) -> HashMap<&str, &str> {
+    let mut params: HashMap<&str, &str> = HashMap::new();
+    let client_os = self.client_os.as_str();
+
+    // Common params
+    params.insert("prot", "https:");
+    params.insert("jnlpReady", "jnlpReady");
+    params.insert("ok", "Login");
+    params.insert("direct", "yes");
+    params.insert("ipv6-support", "yes");
+    params.insert("inputStr", "");
+    params.insert("clientVer", "4100");
+    params.insert("clientos", client_os);
+    params.insert("computer", &self.computer);
+
+    if let Some(os_version) = &self.os_version {
+      params.insert("os-version", os_version);
+    }
+
+    // NOTE: Do not include clientgpversion for now
+    // if let Some(client_version) = &self.client_version {
+    //   params.insert("clientgpversion", client_version);
+    // }
+
+    params
+  }
+}
+
+pub struct GpParamsBuilder {
+  is_gateway: bool,
+  user_agent: String,
+  client_os: ClientOs,
+  os_version: Option<String>,
+  client_version: Option<String>,
+  computer: String,
+  ignore_tls_errors: bool,
+  prefer_default_browser: bool,
+}
+
+impl GpParamsBuilder {
+  pub fn new() -> Self {
+    Self {
+      is_gateway: false,
+      user_agent: GP_USER_AGENT.to_string(),
+      client_os: ClientOs::Linux,
+      os_version: Default::default(),
+      client_version: Default::default(),
+      computer: whoami::hostname(),
+      ignore_tls_errors: false,
+      prefer_default_browser: false,
+    }
+  }
+
+  pub fn is_gateway(&mut self, is_gateway: bool) -> &mut Self {
+    self.is_gateway = is_gateway;
+    self
+  }
+
+  pub fn user_agent(&mut self, user_agent: &str) -> &mut Self {
+    self.user_agent = user_agent.to_string();
+    self
+  }
+
+  pub fn client_os(&mut self, client_os: ClientOs) -> &mut Self {
+    self.client_os = client_os;
+    self
+  }
+
+  pub fn os_version<T: Into<Option<String>>>(&mut self, os_version: T) -> &mut Self {
+    self.os_version = os_version.into();
+    self
+  }
+
+  pub fn client_version<T: Into<Option<String>>>(&mut self, client_version: T) -> &mut Self {
+    self.client_version = client_version.into();
+    self
+  }
+
+  pub fn computer(&mut self, computer: &str) -> &mut Self {
+    self.computer = computer.to_string();
+    self
+  }
+
+  pub fn ignore_tls_errors(&mut self, ignore_tls_errors: bool) -> &mut Self {
+    self.ignore_tls_errors = ignore_tls_errors;
+    self
+  }
+
+  pub fn prefer_default_browser(&mut self, prefer_default_browser: bool) -> &mut Self {
+    self.prefer_default_browser = prefer_default_browser;
+    self
+  }
+
+  pub fn build(&self) -> GpParams {
+    GpParams {
+      is_gateway: self.is_gateway,
+      user_agent: self.user_agent.clone(),
+      client_os: self.client_os.clone(),
+      os_version: self.os_version.clone(),
+      client_version: self.client_version.clone(),
+      computer: self.computer.clone(),
+      ignore_tls_errors: self.ignore_tls_errors,
+      prefer_default_browser: self.prefer_default_browser,
+    }
+  }
+}
+
+impl Default for GpParamsBuilder {
+  fn default() -> Self {
+    Self::new()
+  }
+}

crates/gpapi/src/lib.rs

@@ -0,0 +1,35 @@
+pub mod auth;
+pub mod credential;
+pub mod gateway;
+pub mod gp_params;
+pub mod portal;
+pub mod process;
+pub mod service;
+pub mod utils;
+
+#[cfg(feature = "clap")]
+pub mod clap;
+
+#[cfg(debug_assertions)]
+pub const GP_API_KEY: &[u8; 32] = &[0; 32];
+
+pub const GP_USER_AGENT: &str = "PAN GlobalProtect";
+pub const GP_SERVICE_LOCK_FILE: &str = "/var/run/gpservice.lock";
+
+#[cfg(not(debug_assertions))]
+pub const GP_CLIENT_BINARY: &str = "/usr/bin/gpclient";
+#[cfg(not(debug_assertions))]
+pub const GP_SERVICE_BINARY: &str = "/usr/bin/gpservice";
+#[cfg(not(debug_assertions))]
+pub const GP_GUI_BINARY: &str = "/usr/bin/gpgui";
+#[cfg(not(debug_assertions))]
+pub(crate) const GP_AUTH_BINARY: &str = "/usr/bin/gpauth";
+
+#[cfg(debug_assertions)]
+pub const GP_CLIENT_BINARY: &str = dotenvy_macro::dotenv!("GP_CLIENT_BINARY");
+#[cfg(debug_assertions)]
+pub const GP_SERVICE_BINARY: &str = dotenvy_macro::dotenv!("GP_SERVICE_BINARY");
+#[cfg(debug_assertions)]
+pub const GP_GUI_BINARY: &str = dotenvy_macro::dotenv!("GP_GUI_BINARY");
+#[cfg(debug_assertions)]
+pub(crate) const GP_AUTH_BINARY: &str = dotenvy_macro::dotenv!("GP_AUTH_BINARY");

crates/gpapi/src/portal/config.rs

@@ -0,0 +1,144 @@
+use anyhow::bail;
+use log::info;
+use reqwest::{Client, StatusCode};
+use roxmltree::Document;
+use serde::Serialize;
+use specta::Type;
+
+use crate::{
+  credential::{AuthCookieCredential, Credential},
+  gateway::{parse_gateways, Gateway},
+  gp_params::GpParams,
+  portal::PortalError,
+  utils::{normalize_server, remove_url_scheme, xml},
+};
+
+#[derive(Debug, Serialize, Type)]
+#[serde(rename_all = "camelCase")]
+pub struct PortalConfig {
+  portal: String,
+  auth_cookie: AuthCookieCredential,
+  config_cred: Credential,
+  gateways: Vec<Gateway>,
+  config_digest: Option<String>,
+}
+
+impl PortalConfig {
+  pub fn portal(&self) -> &str {
+    &self.portal
+  }
+
+  pub fn gateways(&self) -> Vec<&Gateway> {
+    self.gateways.iter().collect()
+  }
+
+  pub fn auth_cookie(&self) -> &AuthCookieCredential {
+    &self.auth_cookie
+  }
+
+  pub fn config_cred(&self) -> &Credential {
+    &self.config_cred
+  }
+
+  /// In-place sort the gateways by region
+  pub fn sort_gateways(&mut self, region: &str) {
+    let preferred_gateway = self.find_preferred_gateway(region);
+    let preferred_gateway_index = self
+      .gateways()
+      .iter()
+      .position(|gateway| gateway.name == preferred_gateway.name)
+      .unwrap();
+
+    // Move the preferred gateway to the front of the list
+    self.gateways.swap(0, preferred_gateway_index);
+  }
+
+  /// Find a gateway by name or address
+  pub fn find_gateway(&self, name_or_address: &str) -> Option<&Gateway> {
+    self
+      .gateways
+      .iter()
+      .find(|gateway| gateway.name == name_or_address || gateway.address == name_or_address)
+  }
+
+  /// Find the preferred gateway for the given region
+  /// Iterates over the gateways and find the first one that
+  /// has the lowest priority for the given region.
+  /// If no gateway is found, returns the gateway with the lowest priority.
+  pub fn find_preferred_gateway(&self, region: &str) -> &Gateway {
+    let mut preferred_gateway: Option<&Gateway> = None;
+    let mut lowest_region_priority = u32::MAX;
+
+    for gateway in &self.gateways {
+      for rule in &gateway.priority_rules {
+        if (rule.name == region || rule.name == "Any") && rule.priority < lowest_region_priority {
+          preferred_gateway = Some(gateway);
+          lowest_region_priority = rule.priority;
+        }
+      }
+    }
+
+    // If no gateway is found, return the gateway with the lowest priority
+    preferred_gateway.unwrap_or_else(|| self.gateways.iter().min_by_key(|gateway| gateway.priority).unwrap())
+  }
+}
+
+pub async fn retrieve_config(portal: &str, cred: &Credential, gp_params: &GpParams) -> anyhow::Result<PortalConfig> {
+  let portal = normalize_server(portal)?;
+  let server = remove_url_scheme(&portal);
+
+  let url = format!("{}/global-protect/getconfig.esp", portal);
+  let client = Client::builder()
+    .danger_accept_invalid_certs(gp_params.ignore_tls_errors())
+    .user_agent(gp_params.user_agent())
+    .build()?;
+
+  let mut params = cred.to_params();
+  let extra_params = gp_params.to_params();
+
+  params.extend(extra_params);
+  params.insert("server", &server);
+  params.insert("host", &server);
+
+  info!("Portal config, user_agent: {}", gp_params.user_agent());
+
+  let res = client.post(&url).form(&params).send().await?;
+  let status = res.status();
+
+  if status == StatusCode::NOT_FOUND {
+    bail!(PortalError::ConfigError("Config endpoint not found".to_string()))
+  }
+
+  if status.is_client_error() || status.is_server_error() {
+    bail!("Portal config error: {}", status)
+  }
+
+  let res_xml = res.text().await.map_err(|e| PortalError::ConfigError(e.to_string()))?;
+
+  if res_xml.is_empty() {
+    bail!(PortalError::ConfigError("Empty portal config response".to_string()))
+  }
+
+  let doc = Document::parse(&res_xml).map_err(|e| PortalError::ConfigError(e.to_string()))?;
+
+  let mut gateways = parse_gateways(&doc).unwrap_or_else(|| {
+    info!("No gateways found in portal config");
+    vec![]
+  });
+
+  let user_auth_cookie = xml::get_child_text(&doc, "portal-userauthcookie").unwrap_or_default();
+  let prelogon_user_auth_cookie = xml::get_child_text(&doc, "portal-prelogonuserauthcookie").unwrap_or_default();
+  let config_digest = xml::get_child_text(&doc, "config-digest");
+
+  if gateways.is_empty() {
+    gateways.push(Gateway::new(server.to_string(), server.to_string()));
+  }
+
+  Ok(PortalConfig {
+    portal: server.to_string(),
+    auth_cookie: AuthCookieCredential::new(cred.username(), &user_auth_cookie, &prelogon_user_auth_cookie),
+    config_cred: cred.clone(),
+    gateways,
+    config_digest,
+  })
+}

crates/gpapi/src/portal/mod.rs

@@ -0,0 +1,15 @@
+mod config;
+mod prelogin;
+
+pub use config::*;
+pub use prelogin::*;
+
+use thiserror::Error;
+
+#[derive(Error, Debug)]
+pub enum PortalError {
+  #[error("Portal prelogin error: {0}")]
+  PreloginError(String),
+  #[error("Portal config error: {0}")]
+  ConfigError(String),
+}

crates/gpapi/src/portal/prelogin.rs

@@ -0,0 +1,192 @@
+use anyhow::bail;
+use log::info;
+use reqwest::{Client, StatusCode};
+use roxmltree::Document;
+use serde::Serialize;
+use specta::Type;
+
+use crate::{
+  gp_params::GpParams,
+  portal::PortalError,
+  utils::{base64, normalize_server, xml},
+};
+
+const REQUIRED_PARAMS: [&str; 8] = [
+  "tmp",
+  "clientVer",
+  "clientos",
+  "os-version",
+  "host-id",
+  "ipv6-support",
+  "default-browser",
+  "cas-support",
+];
+
+#[derive(Debug, Serialize, Type, Clone)]
+#[serde(rename_all = "camelCase")]
+pub struct SamlPrelogin {
+  region: String,
+  is_gateway: bool,
+  saml_request: String,
+  support_default_browser: bool,
+}
+
+impl SamlPrelogin {
+  pub fn region(&self) -> &str {
+    &self.region
+  }
+
+  pub fn saml_request(&self) -> &str {
+    &self.saml_request
+  }
+
+  pub fn support_default_browser(&self) -> bool {
+    self.support_default_browser
+  }
+}
+
+#[derive(Debug, Serialize, Type, Clone)]
+#[serde(rename_all = "camelCase")]
+pub struct StandardPrelogin {
+  region: String,
+  is_gateway: bool,
+  auth_message: String,
+  label_username: String,
+  label_password: String,
+}
+
+impl StandardPrelogin {
+  pub fn region(&self) -> &str {
+    &self.region
+  }
+
+  pub fn auth_message(&self) -> &str {
+    &self.auth_message
+  }
+
+  pub fn label_username(&self) -> &str {
+    &self.label_username
+  }
+
+  pub fn label_password(&self) -> &str {
+    &self.label_password
+  }
+}
+
+#[derive(Debug, Serialize, Type, Clone)]
+#[serde(tag = "type", rename_all = "camelCase")]
+pub enum Prelogin {
+  Saml(SamlPrelogin),
+  Standard(StandardPrelogin),
+}
+
+impl Prelogin {
+  pub fn region(&self) -> &str {
+    match self {
+      Prelogin::Saml(saml) => saml.region(),
+      Prelogin::Standard(standard) => standard.region(),
+    }
+  }
+
+  pub fn is_gateway(&self) -> bool {
+    match self {
+      Prelogin::Saml(saml) => saml.is_gateway,
+      Prelogin::Standard(standard) => standard.is_gateway,
+    }
+  }
+}
+
+pub async fn prelogin(portal: &str, gp_params: &GpParams) -> anyhow::Result<Prelogin> {
+  let user_agent = gp_params.user_agent();
+  info!("Prelogin with user_agent: {}", user_agent);
+
+  let portal = normalize_server(portal)?;
+  let is_gateway = gp_params.is_gateway();
+  let path = if is_gateway { "ssl-vpn" } else { "global-protect" };
+  let prelogin_url = format!("{portal}/{}/prelogin.esp", path);
+  let mut params = gp_params.to_params();
+
+  params.insert("tmp", "tmp");
+  if gp_params.prefer_default_browser() {
+    params.insert("default-browser", "1");
+  }
+
+  params.retain(|k, _| REQUIRED_PARAMS.iter().any(|required_param| required_param == k));
+
+  let client = Client::builder()
+    .danger_accept_invalid_certs(gp_params.ignore_tls_errors())
+    .user_agent(user_agent)
+    .build()?;
+
+  let res = client.post(&prelogin_url).form(&params).send().await?;
+  let status = res.status();
+
+  if status == StatusCode::NOT_FOUND {
+    bail!(PortalError::PreloginError("Prelogin endpoint not found".to_string()))
+  }
+
+  if status.is_client_error() || status.is_server_error() {
+    bail!("Prelogin error: {}", status)
+  }
+
+  let res_xml = res
+    .text()
+    .await
+    .map_err(|e| PortalError::PreloginError(e.to_string()))?;
+
+  let prelogin = parse_res_xml(res_xml, is_gateway).map_err(|e| PortalError::PreloginError(e.to_string()))?;
+
+  Ok(prelogin)
+}
+
+fn parse_res_xml(res_xml: String, is_gateway: bool) -> anyhow::Result<Prelogin> {
+  let doc = Document::parse(&res_xml)?;
+
+  let status = xml::get_child_text(&doc, "status")
+    .ok_or_else(|| anyhow::anyhow!("Prelogin response does not contain status element"))?;
+  // Check the status of the prelogin response
+  if status.to_uppercase() != "SUCCESS" {
+    let msg = xml::get_child_text(&doc, "msg").unwrap_or(String::from("Unknown error"));
+    bail!("Prelogin failed: {}", msg)
+  }
+
+  let region = xml::get_child_text(&doc, "region")
+    .ok_or_else(|| anyhow::anyhow!("Prelogin response does not contain region element"))?;
+
+  let saml_method = xml::get_child_text(&doc, "saml-auth-method");
+  let saml_request = xml::get_child_text(&doc, "saml-request");
+  let saml_default_browser = xml::get_child_text(&doc, "saml-default-browser");
+  // Check if the prelogin response is SAML
+  if saml_method.is_some() && saml_request.is_some() {
+    let saml_request = base64::decode_to_string(&saml_request.unwrap())?;
+    let support_default_browser = saml_default_browser.map(|s| s.to_lowercase() == "yes").unwrap_or(false);
+
+    let saml_prelogin = SamlPrelogin {
+      region,
+      is_gateway,
+      saml_request,
+      support_default_browser,
+    };
+
+    return Ok(Prelogin::Saml(saml_prelogin));
+  }
+
+  let label_username = xml::get_child_text(&doc, "username-label");
+  let label_password = xml::get_child_text(&doc, "password-label");
+  // Check if the prelogin response is standard login
+  if label_username.is_some() && label_password.is_some() {
+    let auth_message =
+      xml::get_child_text(&doc, "authentication-message").unwrap_or(String::from("Please enter the login credentials"));
+    let standard_prelogin = StandardPrelogin {
+      region,
+      is_gateway,
+      auth_message,
+      label_username: label_username.unwrap(),
+      label_password: label_password.unwrap(),
+    };
+
+    return Ok(Prelogin::Standard(standard_prelogin));
+  }
+
+  bail!("Invalid prelogin response");
+}

crates/gpapi/src/process/auth_launcher.rs

@@ -0,0 +1,140 @@
+use std::process::Stdio;
+
+use tokio::process::Command;
+
+use crate::{auth::SamlAuthResult, credential::Credential, GP_AUTH_BINARY};
+
+use super::command_traits::CommandExt;
+
+pub struct SamlAuthLauncher<'a> {
+  server: &'a str,
+  gateway: bool,
+  saml_request: Option<&'a str>,
+  user_agent: Option<&'a str>,
+  os: Option<&'a str>,
+  os_version: Option<&'a str>,
+  hidpi: bool,
+  fix_openssl: bool,
+  ignore_tls_errors: bool,
+  clean: bool,
+}
+
+impl<'a> SamlAuthLauncher<'a> {
+  pub fn new(server: &'a str) -> Self {
+    Self {
+      server,
+      gateway: false,
+      saml_request: None,
+      user_agent: None,
+      os: None,
+      os_version: None,
+      hidpi: false,
+      fix_openssl: false,
+      ignore_tls_errors: false,
+      clean: false,
+    }
+  }
+
+  pub fn gateway(mut self, gateway: bool) -> Self {
+    self.gateway = gateway;
+    self
+  }
+
+  pub fn saml_request(mut self, saml_request: &'a str) -> Self {
+    self.saml_request = Some(saml_request);
+    self
+  }
+
+  pub fn user_agent(mut self, user_agent: &'a str) -> Self {
+    self.user_agent = Some(user_agent);
+    self
+  }
+
+  pub fn os(mut self, os: &'a str) -> Self {
+    self.os = Some(os);
+    self
+  }
+
+  pub fn os_version(mut self, os_version: Option<&'a str>) -> Self {
+    self.os_version = os_version;
+    self
+  }
+
+  pub fn hidpi(mut self, hidpi: bool) -> Self {
+    self.hidpi = hidpi;
+    self
+  }
+
+  pub fn fix_openssl(mut self, fix_openssl: bool) -> Self {
+    self.fix_openssl = fix_openssl;
+    self
+  }
+
+  pub fn ignore_tls_errors(mut self, ignore_tls_errors: bool) -> Self {
+    self.ignore_tls_errors = ignore_tls_errors;
+    self
+  }
+
+  pub fn clean(mut self, clean: bool) -> Self {
+    self.clean = clean;
+    self
+  }
+
+  /// Launch the authenticator binary as the current user or SUDO_USER if available.
+  pub async fn launch(self) -> anyhow::Result<Credential> {
+    let mut auth_cmd = Command::new(GP_AUTH_BINARY);
+    auth_cmd.arg(self.server);
+
+    if self.gateway {
+      auth_cmd.arg("--gateway");
+    }
+
+    if let Some(saml_request) = self.saml_request {
+      auth_cmd.arg("--saml-request").arg(saml_request);
+    }
+
+    if let Some(user_agent) = self.user_agent {
+      auth_cmd.arg("--user-agent").arg(user_agent);
+    }
+
+    if let Some(os) = self.os {
+      auth_cmd.arg("--os").arg(os);
+    }
+
+    if let Some(os_version) = self.os_version {
+      auth_cmd.arg("--os-version").arg(os_version);
+    }
+
+    if self.hidpi {
+      auth_cmd.arg("--hidpi");
+    }
+
+    if self.fix_openssl {
+      auth_cmd.arg("--fix-openssl");
+    }
+
+    if self.ignore_tls_errors {
+      auth_cmd.arg("--ignore-tls-errors");
+    }
+
+    if self.clean {
+      auth_cmd.arg("--clean");
+    }
+
+    let mut non_root_cmd = auth_cmd.into_non_root()?;
+    let output = non_root_cmd
+      .kill_on_drop(true)
+      .stdout(Stdio::piped())
+      .spawn()?
+      .wait_with_output()
+      .await?;
+
+    let auth_result = serde_json::from_slice::<SamlAuthResult>(&output.stdout)
+      .map_err(|_| anyhow::anyhow!("Failed to parse auth data"))?;
+
+    match auth_result {
+      SamlAuthResult::Success(auth_data) => Credential::try_from(auth_data),
+      SamlAuthResult::Failure(msg) => Err(anyhow::anyhow!(msg)),
+    }
+  }
+}

crates/gpapi/src/process/browser_authenticator.rs

@@ -0,0 +1,34 @@
+use std::{env::temp_dir, io::Write};
+
+pub struct BrowserAuthenticator<'a> {
+  auth_request: &'a str,
+}
+
+impl BrowserAuthenticator<'_> {
+  pub fn new(auth_request: &str) -> BrowserAuthenticator {
+    BrowserAuthenticator { auth_request }
+  }
+
+  pub fn authenticate(&self) -> anyhow::Result<()> {
+    if self.auth_request.starts_with("http") {
+      open::that_detached(self.auth_request)?;
+    } else {
+      let html_file = temp_dir().join("gpauth.html");
+      let mut file = std::fs::File::create(&html_file)?;
+
+      file.write_all(self.auth_request.as_bytes())?;
+
+      open::that_detached(html_file)?;
+    }
+
+    Ok(())
+  }
+}
+
+impl Drop for BrowserAuthenticator<'_> {
+  fn drop(&mut self) {
+    // Cleanup the temporary file
+    let html_file = temp_dir().join("gpauth.html");
+    let _ = std::fs::remove_file(html_file);
+  }
+}

crates/gpapi/src/process/command_traits.rs

@@ -0,0 +1,62 @@
+use anyhow::bail;
+use std::{env, ffi::OsStr};
+use tokio::process::Command;
+use uzers::{os::unix::UserExt, User};
+
+pub trait CommandExt {
+  fn new_pkexec<S: AsRef<OsStr>>(program: S) -> Command;
+  fn into_non_root(self) -> anyhow::Result<Command>;
+}
+
+impl CommandExt for Command {
+  fn new_pkexec<S: AsRef<OsStr>>(program: S) -> Command {
+    let mut cmd = Command::new("pkexec");
+    cmd
+      .arg("--disable-internal-agent")
+      .arg("--user")
+      .arg("root")
+      .arg(program);
+
+    cmd
+  }
+
+  fn into_non_root(mut self) -> anyhow::Result<Command> {
+    let user = get_non_root_user().map_err(|_| anyhow::anyhow!("{:?} cannot be run as root", self))?;
+
+    self
+      .env("HOME", user.home_dir())
+      .env("USER", user.name())
+      .env("LOGNAME", user.name())
+      .env("USERNAME", user.name())
+      .uid(user.uid())
+      .gid(user.primary_group_id());
+
+    Ok(self)
+  }
+}
+
+fn get_non_root_user() -> anyhow::Result<User> {
+  let current_user = whoami::username();
+
+  let user = if current_user == "root" {
+    get_real_user()?
+  } else {
+    uzers::get_user_by_name(&current_user).ok_or_else(|| anyhow::anyhow!("User ({}) not found", current_user))?
+  };
+
+  if user.uid() == 0 {
+    bail!("Non-root user not found")
+  }
+
+  Ok(user)
+}
+
+fn get_real_user() -> anyhow::Result<User> {
+  // Read the UID from SUDO_UID or PKEXEC_UID environment variable if available.
+  let uid = match env::var("SUDO_UID") {
+    Ok(uid) => uid.parse::<u32>()?,
+    _ => env::var("PKEXEC_UID")?.parse::<u32>()?,
+  };
+
+  uzers::get_user_by_uid(uid).ok_or_else(|| anyhow::anyhow!("User not found"))
+}

crates/gpapi/src/process/gui_launcher.rs

@@ -0,0 +1,88 @@
+use std::{
+  collections::HashMap,
+  path::PathBuf,
+  process::{ExitStatus, Stdio},
+};
+
+use tokio::{io::AsyncWriteExt, process::Command};
+
+use crate::{utils::base64, GP_GUI_BINARY};
+
+use super::command_traits::CommandExt;
+
+pub struct GuiLauncher {
+  program: PathBuf,
+  api_key: Option<Vec<u8>>,
+  minimized: bool,
+  envs: Option<HashMap<String, String>>,
+}
+
+impl Default for GuiLauncher {
+  fn default() -> Self {
+    Self::new()
+  }
+}
+
+impl GuiLauncher {
+  pub fn new() -> Self {
+    Self {
+      program: GP_GUI_BINARY.into(),
+      api_key: None,
+      minimized: false,
+      envs: None,
+    }
+  }
+
+  pub fn envs<T: Into<Option<HashMap<String, String>>>>(mut self, envs: T) -> Self {
+    self.envs = envs.into();
+    self
+  }
+
+  pub fn api_key(mut self, api_key: Vec<u8>) -> Self {
+    self.api_key = Some(api_key);
+    self
+  }
+
+  pub fn minimized(mut self, minimized: bool) -> Self {
+    self.minimized = minimized;
+    self
+  }
+
+  pub async fn launch(&self) -> anyhow::Result<ExitStatus> {
+    let mut cmd = Command::new(&self.program);
+
+    if let Some(envs) = &self.envs {
+      cmd.env_clear();
+      cmd.envs(envs);
+    }
+
+    if self.api_key.is_some() {
+      cmd.arg("--api-key-on-stdin");
+    }
+
+    if self.minimized {
+      cmd.arg("--minimized");
+    }
+
+    let mut non_root_cmd = cmd.into_non_root()?;
+
+    let mut child = non_root_cmd.kill_on_drop(true).stdin(Stdio::piped()).spawn()?;
+
+    let mut stdin = child
+      .stdin
+      .take()
+      .ok_or_else(|| anyhow::anyhow!("Failed to open stdin"))?;
+
+    if let Some(api_key) = &self.api_key {
+      let api_key = base64::encode(api_key);
+      tokio::spawn(async move {
+        stdin.write_all(api_key.as_bytes()).await.unwrap();
+        drop(stdin);
+      });
+    }
+
+    let exit_status = child.wait().await?;
+
+    Ok(exit_status)
+  }
+}

crates/gpapi/src/process/mod.rs

@@ -0,0 +1,7 @@
+pub(crate) mod command_traits;
+
+pub mod auth_launcher;
+#[cfg(feature = "browser-auth")]
+pub mod browser_authenticator;
+pub mod gui_launcher;
+pub mod service_launcher;

crates/gpapi/src/process/service_launcher.rs

@@ -0,0 +1,72 @@
+use std::{
+  fs::File,
+  path::PathBuf,
+  process::{ExitStatus, Stdio},
+};
+
+use tokio::process::Command;
+
+use crate::GP_SERVICE_BINARY;
+
+use super::command_traits::CommandExt;
+
+pub struct ServiceLauncher {
+  program: PathBuf,
+  minimized: bool,
+  env_file: Option<String>,
+  log_file: Option<String>,
+}
+
+impl Default for ServiceLauncher {
+  fn default() -> Self {
+    Self::new()
+  }
+}
+
+impl ServiceLauncher {
+  pub fn new() -> Self {
+    Self {
+      program: GP_SERVICE_BINARY.into(),
+      minimized: false,
+      env_file: None,
+      log_file: None,
+    }
+  }
+
+  pub fn minimized(mut self, minimized: bool) -> Self {
+    self.minimized = minimized;
+    self
+  }
+
+  pub fn env_file(mut self, env_file: &str) -> Self {
+    self.env_file = Some(env_file.to_string());
+    self
+  }
+
+  pub fn log_file(mut self, log_file: &str) -> Self {
+    self.log_file = Some(log_file.to_string());
+    self
+  }
+
+  pub async fn launch(&self) -> anyhow::Result<ExitStatus> {
+    let mut cmd = Command::new_pkexec(&self.program);
+
+    if self.minimized {
+      cmd.arg("--minimized");
+    }
+
+    if let Some(env_file) = &self.env_file {
+      cmd.arg("--env-file").arg(env_file);
+    }
+
+    if let Some(log_file) = &self.log_file {
+      let log_file = File::create(log_file)?;
+      let stdio = Stdio::from(log_file);
+      cmd.stderr(stdio);
+    }
+
+    let exit_status = cmd.kill_on_drop(true).spawn()?.wait().await?;
+
+    Ok(exit_status)
+  }
+}

crates/gpapi/src/service/event.rs

@@ -0,0 +1,12 @@
+use serde::{Deserialize, Serialize};
+
+use super::vpn_state::VpnState;
+
+/// Events that can be emitted by the service
+#[derive(Debug, Serialize, Deserialize, Clone)]
+pub enum WsEvent {
+  VpnState(VpnState),
+  ActiveGui,
+  /// External authentication data
+  AuthData(String),
+}

crates/gpapi/src/service/mod.rs

@@ -0,0 +1,3 @@
+pub mod event;
+pub mod request;
+pub mod vpn_state;

crates/gpapi/src/service/request.rs

@@ -0,0 +1,115 @@
+use std::collections::HashMap;
+
+use serde::{Deserialize, Serialize};
+use specta::Type;
+
+use crate::{gateway::Gateway, gp_params::ClientOs};
+
+use super::vpn_state::ConnectInfo;
+
+#[derive(Debug, Deserialize, Serialize)]
+pub struct LaunchGuiRequest {
+  user: String,
+  envs: HashMap<String, String>,
+}
+
+impl LaunchGuiRequest {
+  pub fn new(user: String, envs: HashMap<String, String>) -> Self {
+    Self { user, envs }
+  }
+
+  pub fn user(&self) -> &str {
+    &self.user
+  }
+
+  pub fn envs(&self) -> &HashMap<String, String> {
+    &self.envs
+  }
+}
+
+#[derive(Debug, Deserialize, Serialize, Type)]
+pub struct ConnectArgs {
+  cookie: String,
+  vpnc_script: Option<String>,
+  user_agent: Option<String>,
+  os: Option<ClientOs>,
+}
+
+impl ConnectArgs {
+  pub fn new(cookie: String) -> Self {
+    Self {
+      cookie,
+      vpnc_script: None,
+      user_agent: None,
+      os: None,
+    }
+  }
+
+  pub fn cookie(&self) -> &str {
+    &self.cookie
+  }
+
+  pub fn vpnc_script(&self) -> Option<String> {
+    self.vpnc_script.clone()
+  }
+
+  pub fn user_agent(&self) -> Option<String> {
+    self.user_agent.clone()
+  }
+
+  pub fn openconnect_os(&self) -> Option<String> {
+    self.os.as_ref().map(|os| os.to_openconnect_os().to_string())
+  }
+}
+
+#[derive(Debug, Deserialize, Serialize, Type)]
+pub struct ConnectRequest {
+  info: ConnectInfo,
+  args: ConnectArgs,
+}
+
+impl ConnectRequest {
+  pub fn new(info: ConnectInfo, cookie: String) -> Self {
+    Self {
+      info,
+      args: ConnectArgs::new(cookie),
+    }
+  }
+
+  pub fn with_vpnc_script<T: Into<Option<String>>>(mut self, vpnc_script: T) -> Self {
+    self.args.vpnc_script = vpnc_script.into();
+    self
+  }
+
+  pub fn with_user_agent<T: Into<Option<String>>>(mut self, user_agent: T) -> Self {
+    self.args.user_agent = user_agent.into();
+    self
+  }
+
+  pub fn with_os<T: Into<Option<ClientOs>>>(mut self, os: T) -> Self {
+    self.args.os = os.into();
+    self
+  }
+
+  pub fn gateway(&self) -> &Gateway {
+    self.info.gateway()
+  }
+
+  pub fn info(&self) -> &ConnectInfo {
+    &self.info
+  }
+
+  pub fn args(&self) -> &ConnectArgs {
+    &self.args
+  }
+}
+
+#[derive(Debug, Deserialize, Serialize, Type)]
+pub struct DisconnectRequest;
+
+/// Requests that can be sent to the service
+#[derive(Debug, Deserialize, Serialize)]
+pub enum WsRequest {
+  Connect(Box<ConnectRequest>),
+  Disconnect(DisconnectRequest),
+}

crates/gpapi/src/service/vpn_state.rs

@@ -0,0 +1,34 @@
+use serde::{Deserialize, Serialize};
+use specta::Type;
+
+use crate::gateway::Gateway;
+
+#[derive(Debug, Deserialize, Serialize, Type, Clone)]
+pub struct ConnectInfo {
+  portal: String,
+  gateway: Gateway,
+  gateways: Vec<Gateway>,
+}
+
+impl ConnectInfo {
+  pub fn new(portal: String, gateway: Gateway, gateways: Vec<Gateway>) -> Self {
+    Self {
+      portal,
+      gateway,
+      gateways,
+    }
+  }
+
+  pub fn gateway(&self) -> &Gateway {
+    &self.gateway
+  }
+}
+
+#[derive(Debug, Serialize, Deserialize, Clone)]
+#[serde(rename_all = "camelCase")]
+pub enum VpnState {
+  Disconnected,
+  Connecting(Box<ConnectInfo>),
+  Connected(Box<ConnectInfo>),
+  Disconnecting,
+}

crates/gpapi/src/utils/base64.rs

@@ -0,0 +1,21 @@
+use base64::{engine::general_purpose, Engine};
+
+pub fn encode(data: &[u8]) -> String {
+  let engine = general_purpose::STANDARD;
+
+  engine.encode(data)
+}
+
+pub fn decode_to_vec(s: &str) -> anyhow::Result<Vec<u8>> {
+  let engine = general_purpose::STANDARD;
+  let decoded = engine.decode(s)?;
+
+  Ok(decoded)
+}
+
+pub(crate) fn decode_to_string(s: &str) -> anyhow::Result<String> {
+  let decoded = decode_to_vec(s)?;
+  let decoded = String::from_utf8(decoded)?;
+
+  Ok(decoded)
+}

crates/gpapi/src/utils/crypto.rs

@@ -0,0 +1,108 @@
+use chacha20poly1305::{
+  aead::{Aead, OsRng},
+  AeadCore, ChaCha20Poly1305, Key, KeyInit, Nonce,
+};
+use serde::{de::DeserializeOwned, Serialize};
+
+pub fn generate_key() -> Key {
+  ChaCha20Poly1305::generate_key(&mut OsRng)
+}
+
+pub fn encrypt<T>(key: &Key, value: &T) -> anyhow::Result<Vec<u8>>
+where
+  T: Serialize,
+{
+  let cipher = ChaCha20Poly1305::new(key);
+  let nonce = ChaCha20Poly1305::generate_nonce(&mut OsRng);
+
+  let data = serde_json::to_vec(value)?;
+  let cipher_text = cipher.encrypt(&nonce, data.as_ref())?;
+
+  let mut encrypted = Vec::new();
+  encrypted.extend_from_slice(&nonce);
+  encrypted.extend_from_slice(&cipher_text);
+
+  Ok(encrypted)
+}
+
+pub fn decrypt<T>(key: &Key, encrypted: Vec<u8>) -> anyhow::Result<T>
+where
+  T: DeserializeOwned,
+{
+  let cipher = ChaCha20Poly1305::new(key);
+
+  let nonce = Nonce::from_slice(&encrypted[..12]);
+  let cipher_text = &encrypted[12..];
+
+  let plaintext = cipher.decrypt(nonce, cipher_text)?;
+
+  let value = serde_json::from_slice(&plaintext)?;
+
+  Ok(value)
+}
+
+pub struct Crypto {
+  key: Vec<u8>,
+}
+
+impl Crypto {
+  pub fn new(key: Vec<u8>) -> Self {
+    Self { key }
+  }
+
+  pub fn encrypt<T: Serialize>(&self, plain: T) -> anyhow::Result<Vec<u8>> {
+    let key: &[u8] = &self.key;
+    let encrypted_data = encrypt(key.into(), &plain)?;
+
+    Ok(encrypted_data)
+  }
+
+  pub fn decrypt<T: DeserializeOwned>(&self, encrypted: Vec<u8>) -> anyhow::Result<T> {
+    let key: &[u8] = &self.key;
+    decrypt(key.into(), encrypted)
+  }
+
+  pub fn encrypt_to<T: Serialize>(&self, path: &std::path::Path, plain: T) -> anyhow::Result<()> {
+    let encrypted_data = self.encrypt(plain)?;
+    std::fs::write(path, encrypted_data)?;
+
+    Ok(())
+  }
+
+  pub fn decrypt_from<T: DeserializeOwned>(&self, path: &std::path::Path) -> anyhow::Result<T> {
+    let encrypted_data = std::fs::read(path)?;
+    self.decrypt(encrypted_data)
+  }
+}
+
+#[cfg(test)]
+mod tests {
+  use serde::Deserialize;
+
+  use super::*;
+
+  #[derive(Serialize, Deserialize)]
+  struct User {
+    name: String,
+    age: u8,
+  }
+
+  #[test]
+  fn it_works() -> anyhow::Result<()> {
+    let key = generate_key();
+
+    let user = User {
+      name: "test".to_string(),
+      age: 18,
+    };
+
+    let encrypted = encrypt(&key, &user)?;
+
+    let decrypted_user = decrypt::<User>(&key, encrypted)?;
+
+    assert_eq!(user.name, decrypted_user.name);
+    assert_eq!(user.age, decrypted_user.age);
+
+    Ok(())
+  }
+}

crates/gpapi/src/utils/endpoint.rs

@@ -0,0 +1,20 @@
+use tokio::fs;
+
+use crate::GP_SERVICE_LOCK_FILE;
+
+async fn read_port() -> anyhow::Result<String> {
+  let port = fs::read_to_string(GP_SERVICE_LOCK_FILE).await?;
+  Ok(port.trim().to_string())
+}
+
+pub async fn http_endpoint() -> anyhow::Result<String> {
+  let port = read_port().await?;
+
+  Ok(format!("http://127.0.0.1:{}", port))
+}
+
+pub async fn ws_endpoint() -> anyhow::Result<String> {
+  let port = read_port().await?;
+
+  Ok(format!("ws://127.0.0.1:{}/ws", port))
+}

crates/gpapi/src/utils/env_file.rs

@@ -0,0 +1,37 @@
+use std::collections::HashMap;
+use std::env;
+use std::io::Write;
+use std::path::Path;
+
+use tempfile::NamedTempFile;
+
+pub fn persist_env_vars(extra: Option<HashMap<String, String>>) -> anyhow::Result<NamedTempFile> {
+  let mut env_file = NamedTempFile::new()?;
+  let content = env::vars()
+    .map(|(key, value)| format!("{}={}", key, value))
+    .chain(
+      extra
+        .unwrap_or_default()
+        .into_iter()
+        .map(|(key, value)| format!("{}={}", key, value)),
+    )
+    .collect::<Vec<String>>()
+    .join("\n");
+
+  writeln!(env_file, "{}", content)?;
+
+  Ok(env_file)
+}
+
+pub fn load_env_vars<T: AsRef<Path>>(env_file: T) -> anyhow::Result<HashMap<String, String>> {
+  let content = std::fs::read_to_string(env_file)?;
+  let mut env_vars: HashMap<String, String> = HashMap::new();
+
+  for line in content.lines() {
+    if let Some((key, value)) = line.split_once('=') {
+      env_vars.insert(key.to_string(), value.to_string());
+    }
+  }
+
+  Ok(env_vars)
+}