Support SSO using default browser

Bump version 2.0.0-beta4
Handle auth window auth fail
2025-05-20 07:26:58 -04:00 · 2024-01-22 09:43:44 -05:00 · 2024-01-21 11:05:15 -05:00 · 2024-01-21 11:04:35 -05:00 · 2024-01-21 08:54:08 -05:00 · 2024-01-21 05:43:49 -05:00
122 changed files with 10561 additions and 1798 deletions
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -0,0 +1,62 @@
 FROM ubuntu:18.04
 ARG USERNAME=vscode
 ARG USER_UID=1000
 ARG USER_GID=$USER_UID
 ENV RUSTUP_HOME=/usr/local/rustup \
    CARGO_HOME=/usr/local/cargo \
    PATH=/usr/local/cargo/bin:$PATH \
    RUST_VERSION=1.75.0
 RUN set -eux; \
  apt-get update; \
  apt-get install -y --no-install-recommends \
    sudo \
    ca-certificates \
    curl \
    gnupg \
    git \
    less \
    software-properties-common \
    # Tauri dependencies
    libwebkit2gtk-4.0-dev build-essential wget libssl-dev libgtk-3-dev libayatana-appindicator3-dev librsvg2-dev; \
  # Install openconnect
  add-apt-repository ppa:yuezk/globalprotect-openconnect; \
  apt-get update; \
  apt-get install -y openconnect libopenconnect-dev; \
  # Create a non-root user
  groupadd --gid $USER_GID $USERNAME; \
  useradd --uid $USER_UID --gid $USER_GID -m $USERNAME; \
  echo $USERNAME ALL=\(root\) NOPASSWD:ALL > /etc/sudoers.d/$USERNAME; \
  chmod 0440 /etc/sudoers.d/$USERNAME; \
  # Install Node.js
  mkdir -p /etc/apt/keyrings; \
  curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg; \
  echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_16.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list; \
  apt-get update; \
  apt-get install -y nodejs; \
  corepack enable; \
  # Install diff-so-fancy
  npm install -g diff-so-fancy; \
  # Install Rust
  curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain $RUST_VERSION; \
  chown -R $USERNAME:$USERNAME $RUSTUP_HOME $CARGO_HOME; \
  rustup --version; \
  cargo --version; \
  rustc --version
 USER $USERNAME
 # Install Oh My Zsh
 RUN sh -c "$(wget -O- https://github.com/deluan/zsh-in-docker/releases/download/v1.1.5/zsh-in-docker.sh)" -- \
    -t https://github.com/denysdovhan/spaceship-prompt \
    -a 'SPACESHIP_PROMPT_ADD_NEWLINE="false"' \
    -a 'SPACESHIP_PROMPT_SEPARATE_LINE="false"' \
    -p git \
    -p https://github.com/zsh-users/zsh-autosuggestions \
    -p https://github.com/zsh-users/zsh-completions; \
    # Change the default shell
    sudo chsh -s /bin/zsh $USERNAME; \
    # Change the XTERM to xterm-256color
    sed -i 's/TERM=xterm/TERM=xterm-256color/g' $HOME/.zshrc;
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -0,0 +1,10 @@
 {
  "build": {
    "dockerfile": "Dockerfile"
  },
  "runArgs": [
    "--privileged",
    "--cap-add=NET_ADMIN",
    "--device=/dev/net/tun"
  ]
 }
--- a/.editorconfig
+++ b/.editorconfig
@@ -0,0 +1,9 @@
 root = true
 [*]
 charset = utf-8
 indent_style = space
 indent_size = 2
 end_of_line = lf
 insert_final_newline = true
 trim_trailing_whitespace = true
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -0,0 +1,2 @@
 ko_fi: yuezk
 custom: ["https://buymeacoffee.com/yuezk", "https://paypal.me/zongkun"]
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -0,0 +1,116 @@
 name: Build GPGUI
 on:
  push:
    paths-ignore:
      - LICENSE
      - "*.md"
      - .vscode
      - .devcontainer
    branches:
      - main
    # tags:
    #   - v*.*.*
 jobs:
  # Include arm64 if ref is a tag
  setup-matrix:
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.set-matrix.outputs.matrix }}
    steps:
      - name: Set up matrix
        id: set-matrix
        run: |
          if [[ "${{ github.ref }}" == "refs/tags/"* ]]; then
            echo "matrix=[\"amd64\", \"arm64\"]" >> $GITHUB_OUTPUT
          else
            echo "matrix=[\"amd64\"]" >> $GITHUB_OUTPUT
          fi
  build-fe:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout gpgui repo
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.GH_PAT }}
          repository: yuezk/gpgui
      - name: Install Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 18
      - uses: pnpm/action-setup@v2
        with:
          version: 8
      - name: Install dependencies
        run: |
          cd app
          pnpm install
      - name: Build
        run: |
          cd app
          pnpm run build
      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: gpgui-fe
          path: app/dist
  build-tauri:
    needs: [setup-matrix, build-fe]
    runs-on: ubuntu-latest
    strategy:
      matrix:
        arch: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
    steps:
      - name: Checkout gpgui repo
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.GH_PAT }}
          repository: yuezk/gpgui
          path: gpgui
      - name: Checkout gp repo
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.GH_PAT }}
          repository: yuezk/GlobalProtect-openconnect
          path: gp
      - name: Download gpgui-fe artifact
        uses: actions/download-artifact@v4
        with:
          name: gpgui-fe
          path: gpgui/app/dist
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
        with:
          platforms: ${{ matrix.arch }}
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_HUB_USERNAME }}
          password: ${{ secrets.DOCKER_HUB_TOKEN }}
      - name: Build Tauri in Docker
        run: |
          docker run \
            --rm \
            -v $(pwd):/${{ github.workspace }} \
            -w ${{ github.workspace }} \
            -e CI=true \
            --platform linux/${{ matrix.arch }} \
            yuezk/gpdev:main \
            "./gpgui/scripts/build.sh"
      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: artifact-${{ matrix.arch }}-tauri
          path: |
            gpgui/.tmp/artifact
--- a/.gitignore
+++ b/.gitignore
@@ -1,56 +1,4 @@
-# Binaries
+.idea
-gpclient
+/target
-gpservice
+.pnpm-store
-
+.env
 # C++ objects and libs
 *.slo
 *.lo
 *.o
 *.a
 *.la
 *.lai
 *.so
 *.so.*
 *.dll
 *.dylib
 # Qt-es
 object_script.*.Release
 object_script.*.Debug
 *_plugin_import.cpp
 /.qmake.cache
 /.qmake.stash
 *.pro.user
 *.pro.user.*
 *.qbs.user
 *.qbs.user.*
 *.moc
 moc_*.cpp
 moc_*.h
 qrc_*.cpp
 ui_*.h
 *.qmlc
 *.jsc
 Makefile*
 *build-*
 *.qm
 *.prl
 # Qt unit tests
 target_wrapper.*
 # QtCreator
 *.autosave
 # QtCreator Qml
 *.qmlproject.user
 *.qmlproject.user.*
 # QtCreator CMake
 CMakeLists.txt.user*
 # QtCreator 4.8< compilation database 
 compile_commands.json
 # QtCreator local machine specific files for imported projects
 *creator.user*
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +0,0 @@
 [submodule "singleapplication"]
 	path = singleapplication
 	url = https://github.com/itay-grudev/SingleApplication.git
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@@ -0,0 +1,9 @@
 {
    "recommendations": [
        "rust-lang.rust-analyzer",
        "tamasfe.even-better-toml",
        "eamodio.gitlens",
        "EditorConfig.EditorConfig",
        "streetsidesoftware.code-spell-checker",
    ]
 }
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -0,0 +1,57 @@
 {
    "cSpell.words": [
        "authcookie",
        "bincode",
        "chacha",
        "clientos",
        "datetime",
        "disconnectable",
        "distro",
        "dotenv",
        "dotenvy",
        "getconfig",
        "globalprotect",
        "globalprotectcallback",
        "gpapi",
        "gpauth",
        "gpcallback",
        "gpclient",
        "gpcommon",
        "gpgui",
        "gpservice",
        "hidpi",
        "jnlp",
        "LOGNAME",
        "oneshot",
        "openconnect",
        "pkexec",
        "Prelogin",
        "prelogon",
        "prelogonuserauthcookie",
        "repr",
        "reqwest",
        "roxmltree",
        "rspc",
        "servercert",
        "specta",
        "sysinfo",
        "tanstack",
        "tauri",
        "tempfile",
        "thiserror",
        "tungstenite",
        "unistd",
        "unlisten",
        "urlencoding",
        "userauthcookie",
        "utsbuf",
        "uzers",
        "Vite",
        "vpnc",
        "vpninfo",
        "wmctrl",
        "XAUTHORITY",
        "yuezk"
    ],
    "rust-analyzer.cargo.features": "all",
 }
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -0,0 +1,52 @@
 [workspace]
 resolver = "2"
 members = ["crates/*", "apps/gpclient", "apps/gpservice", "apps/gpauth"]
 [workspace.package]
 version = "2.0.0-beta5"
 authors = ["Kevin Yue <k3vinyue@gmail.com>"]
 homepage = "https://github.com/yuezk/GlobalProtect-openconnect"
 edition = "2021"
 license = "GPL-3.0"
 [workspace.dependencies]
 anyhow = "1.0"
 base64 = "0.21"
 clap = { version = "4.4.2", features = ["derive"] }
 ctrlc = "3.4"
 directories = "5.0"
 env_logger = "0.10"
 is_executable = "1.0"
 log = "0.4"
 regex = "1"
 reqwest = { version = "0.11", features = ["native-tls-vendored", "json"] }
 roxmltree = "0.18"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 sysinfo = "0.29"
 tempfile = "3.8"
 tokio = { version = "1", features = ["full"] }
 tokio-util = "0.7"
 url = "2.4"
 urlencoding = "2.1.3"
 axum = "0.7"
 futures = "0.3"
 futures-util = "0.3"
 tokio-tungstenite = "0.20.1"
 specta = "=2.0.0-rc.1"
 specta-macros = "=2.0.0-rc.1"
 uzers = "0.11"
 whoami = "1"
 tauri = { version = "1.5" }
 thiserror = "1"
 redact-engine = "0.1"
 dotenvy_macro = "0.15"
 compile-time = "0.2"
 [profile.release]
 opt-level = 'z'   # Optimize for size
 lto = true        # Enable link-time optimization
 codegen-units = 1 # Reduce number of codegen units to increase optimizations
 panic = 'abort'   # Abort on panic
 strip = true      # Strip symbols from binary*
--- a/GPClient/GPClient.pro
+++ b/GPClient/GPClient.pro
@@ -1,59 +0,0 @@
 TARGET = gpclient
 QT       += core gui network websockets dbus webenginewidgets
 greaterThan(QT_MAJOR_VERSION, 4): QT += widgets
 CONFIG += c++11
 include(../singleapplication/singleapplication.pri)
 DEFINES += QAPPLICATION_CLASS=QApplication
 # The following define makes your compiler emit warnings if you use
 # any Qt feature that has been marked deprecated (the exact warnings
 # depend on your compiler). Please consult the documentation of the
 # deprecated API in order to know how to port your code away from it.
 DEFINES += QT_DEPRECATED_WARNINGS
 # You can also make your code fail to compile if it uses deprecated APIs.
 # In order to do so, uncomment the following line.
 # You can also select to disable deprecated APIs only up to a certain version of Qt.
 #DEFINES += QT_DISABLE_DEPRECATED_BEFORE=0x060000    # disables all the APIs deprecated before Qt 6.0.0
 SOURCES += \
    cdpcommand.cpp \
    cdpcommandmanager.cpp \
    enhancedwebview.cpp \
    main.cpp \
    samlloginwindow.cpp \
    gpclient.cpp
 HEADERS += \
    cdpcommand.h \
    cdpcommandmanager.h \
    enhancedwebview.h \
    samlloginwindow.h \
    gpclient.h
 FORMS += \
    gpclient.ui
 DBUS_INTERFACES += ../GPService/gpservice.xml
 # Default rules for deployment.
 target.path = /usr/bin
 INSTALLS += target
 DISTFILES += \
    com.yuezk.qt.GPClient.svg \
    com.yuezk.qt.gpclient.desktop
 desktop_entry.path = /usr/share/applications/
 desktop_entry.files = com.yuezk.qt.gpclient.desktop
 desktop_icon.path = /usr/share/pixmaps/
 desktop_icon.files = com.yuezk.qt.GPClient.svg
 INSTALLS += desktop_entry desktop_icon
 RESOURCES += \
    resources.qrc
--- a/GPClient/cdpcommand.cpp
+++ b/GPClient/cdpcommand.cpp
@@ -1,30 +0,0 @@
 #include "cdpcommand.h"
 #include <QVariantMap>
 #include <QJsonDocument>
 #include <QJsonObject>
 CDPCommand::CDPCommand(QObject *parent) : QObject(parent)
 {
 }
 CDPCommand::CDPCommand(int id, QString cmd, QVariantMap& params) :
    QObject(nullptr),
    id(id),
    cmd(cmd),
    params(&params)
 {
 }
 QByteArray CDPCommand::toJson()
 {
    QVariantMap payloadMap;
    payloadMap["id"] = id;
    payloadMap["method"] = cmd;
    payloadMap["params"] = *params;
    QJsonObject payloadJsonObject = QJsonObject::fromVariantMap(payloadMap);
    QJsonDocument payloadJson(payloadJsonObject);
    return payloadJson.toJson();
 }
--- a/GPClient/cdpcommand.h
+++ b/GPClient/cdpcommand.h
@@ -1,24 +0,0 @@
 #ifndef CDPCOMMAND_H
 #define CDPCOMMAND_H
 #include <QObject>
 class CDPCommand : public QObject
 {
    Q_OBJECT
 public:
    explicit CDPCommand(QObject *parent = nullptr);
    CDPCommand(int id, QString cmd, QVariantMap& params);
    QByteArray toJson();
 signals:
    void finished();
 private:
    int id;
    QString cmd;
    QVariantMap *params;
 };
 #endif // CDPCOMMAND_H
--- a/GPClient/cdpcommandmanager.cpp
+++ b/GPClient/cdpcommandmanager.cpp
@@ -1,85 +0,0 @@
 #include "cdpcommandmanager.h"
 #include <QVariantMap>
 CDPCommandManager::CDPCommandManager(QObject *parent)
    : QObject(parent)
    , networkManager(new QNetworkAccessManager)
    , socket(new QWebSocket)
 {
    // WebSocket setup
    QObject::connect(socket, &QWebSocket::connected, this, &CDPCommandManager::ready);
    QObject::connect(socket, &QWebSocket::textMessageReceived, this, &CDPCommandManager::onTextMessageReceived);
    QObject::connect(socket, &QWebSocket::disconnected, this, &CDPCommandManager::onSocketDisconnected);
    QObject::connect(socket, QOverload<QAbstractSocket::SocketError>::of(&QWebSocket::error), this, &CDPCommandManager::onSocketError);
 }
 CDPCommandManager::~CDPCommandManager()
 {
    delete networkManager;
    delete socket;
 }
 void CDPCommandManager::initialize(QString endpoint)
 {
    QNetworkReply *reply = networkManager->get(QNetworkRequest(endpoint));
    QObject::connect(
        reply, &QNetworkReply::finished,
        [reply, this]() {
            if (reply->error()) {
                qDebug() << "CDP request error";
                return;
            }
            QJsonDocument doc = QJsonDocument::fromJson(reply->readAll());
            QJsonArray pages = doc.array();
            QJsonObject page = pages.first().toObject();
            QString wsUrl = page.value("webSocketDebuggerUrl").toString();
            socket->open(wsUrl);
        }
    );
 }
 CDPCommand *CDPCommandManager::sendCommand(QString cmd)
 {
    QVariantMap emptyParams;
    return sendCommend(cmd, emptyParams);
 }
 CDPCommand *CDPCommandManager::sendCommend(QString cmd, QVariantMap &params)
 {
    int id = ++commandId;
    CDPCommand *command = new CDPCommand(id, cmd, params);
    socket->sendTextMessage(command->toJson());
    commandPool.insert(id, command);
    return command;
 }
 void CDPCommandManager::onTextMessageReceived(QString message)
 {
    QJsonDocument responseDoc = QJsonDocument::fromJson(message.toUtf8());
    QJsonObject response = responseDoc.object();
    // Response for method
    if (response.contains("id")) {
        int id = response.value("id").toInt();
        if (commandPool.contains(id)) {
            CDPCommand *command = commandPool.take(id);
            command->finished();
        }
    } else { // Response for event
        emit eventReceived(response.value("method").toString(), response.value("params").toObject());
    }
 }
 void CDPCommandManager::onSocketDisconnected()
 {
    qDebug() << "WebSocket disconnected";
 }
 void CDPCommandManager::onSocketError(QAbstractSocket::SocketError error)
 {
    qDebug() << "WebSocket error" << error;
 }
--- a/GPClient/cdpcommandmanager.h
+++ b/GPClient/cdpcommandmanager.h
@@ -1,39 +0,0 @@
 #ifndef CDPCOMMANDMANAGER_H
 #define CDPCOMMANDMANAGER_H
 #include "cdpcommand.h"
 #include <QObject>
 #include <QHash>
 #include <QtWebSockets>
 #include <QNetworkAccessManager>
 class CDPCommandManager : public QObject
 {
    Q_OBJECT
 public:
    explicit CDPCommandManager(QObject *parent = nullptr);
    ~CDPCommandManager();
    void initialize(QString endpoint);
    CDPCommand *sendCommand(QString cmd);
    CDPCommand *sendCommend(QString cmd, QVariantMap& params);
 signals:
    void ready();
    void eventReceived(QString eventName, QJsonObject params);
 private:
    QNetworkAccessManager *networkManager;
    QWebSocket *socket;
    int commandId = 0;
    QHash<int, CDPCommand*> commandPool;
 private slots:
    void onTextMessageReceived(QString message);
    void onSocketDisconnected();
    void onSocketError(QAbstractSocket::SocketError error);
 };
 #endif // CDPCOMMANDMANAGER_H
--- a/GPClient/com.yuezk.qt.GPClient.svg
+++ b/GPClient/com.yuezk.qt.GPClient.svg
@@ -1,99 +0,0 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!-- Generator: Adobe Illustrator 19.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
 <svg
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:cc="http://creativecommons.org/ns#"
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
   xmlns:svg="http://www.w3.org/2000/svg"
   xmlns="http://www.w3.org/2000/svg"
   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
   version="1.1"
   id="Layer_1"
   x="0px"
   y="0px"
   viewBox="0 0 96 96"
   style="enable-background:new 0 0 96 96;"
   xml:space="preserve"
   sodipodi:docname="com.yuezk.qt.GPClient.svg"
   inkscape:version="0.92.4 5da689c313, 2019-01-14"><metadata
   id="metadata14"><rdf:RDF><cc:Work
       rdf:about=""><dc:format>image/svg+xml</dc:format><dc:type
         rdf:resource="http://purl.org/dc/dcmitype/StillImage" /><dc:title /></cc:Work></rdf:RDF></metadata><defs
   id="defs12" /><sodipodi:namedview
   pagecolor="#ffffff"
   bordercolor="#666666"
   borderopacity="1"
   objecttolerance="10"
   gridtolerance="10"
   guidetolerance="10"
   inkscape:pageopacity="0"
   inkscape:pageshadow="2"
   inkscape:window-width="1920"
   inkscape:window-height="1006"
   id="namedview10"
   showgrid="false"
   inkscape:zoom="6.9532168"
   inkscape:cx="7.9545315"
   inkscape:cy="59.062386"
   inkscape:window-x="0"
   inkscape:window-y="0"
   inkscape:window-maximized="1"
   inkscape:current-layer="g8499" />
 <style
   type="text/css"
   id="style2">
 	.st0{fill:#2980B9;}
 	.st1{fill:#3498DB;}
 	.st2{fill:#2ECC71;}
 	.st3{fill:#27AE60;}
 </style>
 <g
   id="g8499"
   transform="matrix(1.3407388,0,0,1.3407388,-16.409202,-16.355463)"><g
     id="XMLID_1_">
 	<circle
   r="32.5"
   cy="48"
   cx="48"
   class="st0"
   id="XMLID_3_"
   style="fill:#2980b9" />
 	<path
   d="m 48,15.5 v 65 C 65.9,80.5 80.5,65.7 80.5,48 80.5,30 65.9,15.5 48,15.5 Z"
   class="st1"
   id="XMLID_4_"
   inkscape:connector-curvature="0"
   style="fill:#3498db" />
 	<path
   d="m 48,15.5 v 0.6 l 1.2,-0.3 c 0.3,-0.3 0.4,-0.3 0.6,-0.3 h -1.1 z m 7.3,0.9 c -0.1,0 0.4,0.9 1.1,1.8 0.8,1.5 1.1,2.1 1.3,2.1 0.3,-0.3 1.9,-1.2 3,-2.1 -1.7,-0.9 -3.5,-1.5 -5.4,-1.8 z m 10.3,6.2 c -0.1,0 -0.4,0 -0.9,0.6 l -0.8,0.9 0.6,0.6 c 0.3,0.6 0.8,0.9 1,1.2 0.5,0.6 0.6,0.6 0.1,1.5 -0.2,0.6 -0.3,0.9 -0.3,0.9 0.1,0.3 0.3,0.3 1.4,0.3 h 1.6 c 0.1,0 0.3,-0.6 0.4,-1.2 l 0.1,-0.9 -1.1,-0.9 c -1,-0.9 -1,-0.9 -1.4,-1.8 -0.3,-0.6 -0.6,-1.2 -0.7,-1.2 z m -3,2.4 c -0.2,0 -1.3,2.1 -1.3,2.4 0,0 0.3,0.6 0.7,0.9 0.4,0.3 0.7,0.6 0.7,0.6 0.1,0 1.2,-1.2 1.4,-1.5 C 64.2,27.1 64,26.8 63.5,26.2 63.1,25.5 62.7,25 62.6,25 Z m 9.5,1.1 0.2,0.3 c 0,0.3 -0.7,0.9 -1.4,1.5 -1.2,0.9 -1.4,1.2 -2,1.2 -0.6,0 -0.9,0.3 -1.8,0.9 -0.6,0.6 -1.2,0.9 -1.2,1.2 0,0 0.2,0.3 0.6,0.9 0.7,0.6 0.7,0.9 0.2,1.8 l -0.4,0.3 h -1.1 c -0.6,0 -1.5,0 -1.8,-0.3 -0.9,0 -0.8,0 -0.1,2.1 1,3 1.1,3.2 1.3,3.2 0.1,0 1.3,-1.2 2.8,-2.4 1.5,-1.2 2.7,-2.4 2.8,-2.4 l 0.6,0.3 c 0.4,0.3 0.5,0 1.3,-0.6 l 0.8,-0.6 0.8,0.6 c 1.9,1.2 2.2,1.5 2.3,2.4 0.2,1.5 0.3,1.8 0.5,1.8 0.1,0 1.3,-1.5 1.6,-1.8 0.1,-0.3 -0.1,-0.6 -1.1,-2.1 -0.7,-0.9 -1.1,-1.8 -1.1,-2.1 0,0 0.1,0 0.3,-0.3 0.2,0 0.4,0.3 1,0.9 -1.6,-2.3 -3.2,-4.7 -5.1,-6.8 z m 2.8,10.7 c -0.2,0 -0.9,0.9 -0.8,1.2 l 0.5,0.3 H 75 c 0.2,0 0.3,0 0.2,-0.3 C 75.1,37.4 75,36.8 74.9,36.8 Z M 72.3,38 h -2.4 l -2.4,0.3 -4.5,3.5 -4.4,3.8 v 3.5 c 0,2.1 0,3.8 0.1,3.8 0.1,0 0.7,0.9 1.5,1.5 0.8,0.9 1.5,1.5 1.8,1.8 0.4,0.3 0.5,0.3 4,0.6 l 3.4,0.3 1.6,0.9 c 0.8,0.6 1.5,1.2 1.6,1.2 0.1,0 -0.3,0.3 -0.6,0.6 l -0.6,0.6 1,1.2 c 0.5,0.6 1.3,1.5 1.7,1.8 l 0.6,0.9 v 1.7 0.9 c 3.7,-5 5.9,-11.5 6.1,-18.3 0.1,-2.7 -0.3,-5.3 -0.8,-8 l -0.6,-0.3 c -0.1,0 -0.5,0.3 -1,0.6 -0.5,0.3 -1,0.9 -1.1,0.9 -0.1,0 -0.8,-0.3 -1.8,-0.6 l -1.8,-0.6 v -0.9 c 0,-0.6 0,-0.9 -0.6,-1.5 z M 48,63.7 V 64 h 0.2 z"
   class="st2"
   id="XMLID_13_"
   inkscape:connector-curvature="0"
   style="fill:#2ecc71" />
 	<path
   d="m 48,15.5 c -3.1,0 -6.2,0.5 -9,1.3 0.3,0.4 0.3,0.4 0.6,0.9 1.5,2.5 1.7,2.8 2.1,2.9 0.3,0 0.9,0.1 1.6,0.1 h 1.2 l 0.9,-2 0.8,-1.9 1.8,-0.6 z m -16.9,4.7 c -2.8,1.7 -5.4,3.9 -7.6,6.4 -3.8,4.3 -6.3,9.6 -7.4,15.4 0.5,0 0.9,-0.1 1.8,-0.1 2.8,0.1 2.5,0 3.4,1.4 0.5,0.8 0.6,0.8 1.4,0.8 1,0.1 0.9,0 0.5,-1.6 -0.2,-0.6 -0.3,-1.2 -0.3,-1.4 0,-0.2 0.5,-0.7 1.7,-1.6 1.9,-1.5 1.8,-1.3 1.5,-2.9 -0.1,-0.3 0.1,-0.6 0.6,-1.2 0.7,-0.7 0.7,-0.6 1.4,-0.6 h 0.7 l 0.1,-1.2 c 0.1,-0.7 0.1,-1.3 0.2,-1.3 0,0 1.9,-1.1 4.1,-2.3 2.2,-1.2 4.1,-2.2 4.2,-2.3 0.2,-0.2 -0.3,-0.8 -2.7,-3.8 -1.5,-1.9 -2.8,-3.6 -2.9,-3.7 z m -5.8,23 c -0.1,0 -0.1,0.3 -0.1,0.6 0,0.6 0,0.7 0.6,1 0.8,0.4 0.9,0.5 0.8,0.2 -0.1,-0.4 -1.2,-1.9 -1.3,-1.8 z m -3.4,2.1 -0.5,1.8 c 0.1,0.1 0.9,0.3 1.8,0.5 1,0.2 1.6,0.4 1.8,0.3 l 0.5,-1.3 z m -3.8,1 -1.1,0.6 c -0.6,0.3 -1.2,0.6 -1.4,0.6 h -0.1 c 0,1.4 0.1,2.8 0.3,4.2 l 0.6,0.4 1,-0.1 h 1 l 0.6,1.4 c 0.3,0.7 0.7,1.4 0.8,1.5 0.1,0.1 1,0.1 1.8,0.1 h 1.5 L 23,56.2 c 0,1.2 0,1.3 -0.6,2.2 -0.4,0.5 -0.6,1.2 -0.6,1.4 0,0.2 0.7,2.1 1.6,4.3 l 1.5,4 1.6,0.8 c 1.2,0.6 1.5,0.8 1.5,1 0,0.1 -0.4,2.1 -0.6,3.1 3,2.5 6.4,4.5 10.2,5.8 3.5,-3.6 6.8,-7.1 7.3,-7.6 l 0.7,-0.7 0.2,-1.9 c 0.2,-1.1 0.4,-2.1 0.4,-2.2 0,-0.1 0.5,-0.6 1,-1.2 0.5,-0.5 0.8,-1 0.8,-1.1 v -0.2 c -0.1,-0.1 -1.4,-1.1 -3,-2.2 l -3.1,-2.1 -1.1,-0.1 c -0.8,0 -1.2,0 -1.3,-0.2 C 39.4,59.2 39.2,58.5 39.1,57.7 39,56.9 38.9,56.2 38.8,56.1 38.8,56 38,56 37.1,56 36.2,56 35.4,55.9 35.3,55.8 35.2,55.7 35.2,55.1 35.1,54.3 35,53.6 34.9,53 34.8,52.9 34.7,52.8 33.7,52.7 32.5,52.6 30.5,52.5 30.1,52.5 29.1,52 l -1.2,-0.6 -1.6,0.7 -1.7,0.9 -1.8,-0.1 c -2,0 -1.9,0.2 -2.1,-1.6 C 20.6,50.7 20.6,50.1 20.5,50.1 20.4,50 20,50 19.6,49.9 L 18.9,49.7 19,49.2 c 0,-0.3 0,-1 0.1,-1.4 L 19.2,47 18.7,46.5 Z m 9.1,1.1 C 27.1,47.5 27.1,47.8 27,48 l -0.1,0.5 2.9,1.2 c 2.9,1.1 3.4,1.2 3.9,0.7 0.2,-0.2 0.1,-0.2 -0.3,-0.4 -0.3,-0.1 -1.7,-0.9 -3.2,-1.6 -1.7,-0.7 -2.9,-1.1 -3,-1 z"
   class="st3"
   id="XMLID_20_"
   inkscape:connector-curvature="0"
   style="fill:#27ae60" />
 </g><g
     transform="matrix(1.458069,0,0,1.458069,-22.631538,-19.615144)"
     id="g7664"><path
       inkscape:connector-curvature="0"
       id="XMLID_6_"
       class="st3"
       d="m 38.8,56.1 c 0,1.2 1,2.2 2.2,2.2 h 15.2 c 1.2,0 2.2,-1 2.2,-2.2 V 45.3 c 0,-1.2 -1,-2.2 -2.2,-2.2 H 40.9 c -1.2,0 -2.2,1 -2.2,2.2 v 10.8 z"
       style="fill:#f1aa27;fill-opacity:1" /><path
       style="fill:#e6e6e6"
       inkscape:connector-curvature="0"
       id="XMLID_7_"
       class="st4"
       d="m 55.5,43.1 h -3.3 v -3.7 c 0,-2.1 -1.7,-3.8 -3.8,-3.8 -2.1,0 -3.8,1.7 -3.8,3.8 v 3.8 h -3.1 v -3.8 c 0,-3.9 3.2,-7 7,-7 3.9,0 7,3.2 7,7 z" /><path
       style="fill:#e6e6e6;fill-opacity:1"
       inkscape:connector-curvature="0"
       id="XMLID_8_"
       class="st5"
       d="m 50.35,48.2 c 0,-1 -0.8,-1.8 -1.8,-1.8 -1,0 -1.8,0.8 -1.8,1.8 0,0.7 0.4,1.3 1,1.6 l -1,5.2 h 3.6 l -1,-5.2 c 0.6,-0.3 1,-0.9 1,-1.6 z" /></g></g></svg>
--- a/GPClient/com.yuezk.qt.gpclient.desktop
+++ b/GPClient/com.yuezk.qt.gpclient.desktop
@@ -1,10 +0,0 @@
 [Desktop Entry]
 Type=Application
 Version=1.0.0
 Name=GlobalProtect VPN
 Comment=GlobalProtect VPN client, supports SAML auth mode
 Exec=/usr/bin/gpclient
 Icon=com.yuezk.qt.GPClient
 Categories=Network;VPN;Utility;Qt;
 Keywords=GlobalProtect;Openconnect;SAML;connection;VPN;
--- a/GPClient/connected.png
+++ b/GPClient/connected.png
--- a/GPClient/enhancedwebview.cpp
+++ b/GPClient/enhancedwebview.cpp
@@ -1,36 +0,0 @@
 #include "enhancedwebview.h"
 #include "cdpcommandmanager.h"
 #include <QtWebEngineWidgets/QWebEngineView>
 #include <QProcessEnvironment>
 EnhancedWebView::EnhancedWebView(QWidget *parent)
    : QWebEngineView(parent)
    , cdp(new CDPCommandManager)
 {
    QObject::connect(cdp, &CDPCommandManager::ready, this, &EnhancedWebView::onCDPReady);
    QObject::connect(cdp, &CDPCommandManager::eventReceived, this, &EnhancedWebView::onEventReceived);
 }
 EnhancedWebView::~EnhancedWebView()
 {
    delete cdp;
 }
 void EnhancedWebView::initialize()
 {
    QString port = QProcessEnvironment::systemEnvironment().value(ENV_CDP_PORT);
    cdp->initialize("http://127.0.0.1:" + port + "/json");
 }
 void EnhancedWebView::onCDPReady()
 {
    cdp->sendCommand("Network.enable");
 }
 void EnhancedWebView::onEventReceived(QString eventName, QJsonObject params)
 {
    if (eventName == "Network.responseReceived") {
        emit responseReceived(params);
    }
 }
--- a/GPClient/enhancedwebview.h
+++ b/GPClient/enhancedwebview.h
@@ -1,29 +0,0 @@
 #ifndef ENHANCEDWEBVIEW_H
 #define ENHANCEDWEBVIEW_H
 #include "cdpcommandmanager.h"
 #include <QtWebEngineWidgets/QWebEngineView>
 #define ENV_CDP_PORT "QTWEBENGINE_REMOTE_DEBUGGING"
 class EnhancedWebView : public QWebEngineView
 {
    Q_OBJECT
 public:
    explicit EnhancedWebView(QWidget *parent = nullptr);
    ~EnhancedWebView();
    void initialize();
 signals:
    void responseReceived(QJsonObject params);
 private slots:
    void onCDPReady();
    void onEventReceived(QString eventName, QJsonObject params);
 private:
    CDPCommandManager *cdp;
 };
 #endif // ENHANCEDWEBVIEW_H
--- a/GPClient/gpclient.cpp
+++ b/GPClient/gpclient.cpp
@@ -1,223 +0,0 @@
 #include "gpclient.h"
 #include "ui_gpclient.h"
 #include "samlloginwindow.h"
 #include <QDesktopWidget>
 #include <QGraphicsScene>
 #include <QGraphicsView>
 #include <QGraphicsPixmapItem>
 #include <QImage>
 #include <QStyle>
 #include <QMessageBox>
 GPClient::GPClient(QWidget *parent)
    : QMainWindow(parent)
    , ui(new Ui::GPClient)
 {
    ui->setupUi(this);
    setFixedSize(width(), height());
    moveCenter();
    // Restore portal from the previous settings
    settings = new QSettings("com.yuezk.qt", "GPClient");
    ui->portalInput->setText(settings->value("portal", "").toString());
    QObject::connect(this, &GPClient::connectFailed, [this]() {
        updateConnectionStatus("not_connected");
    });
    // QNetworkAccessManager setup
    networkManager = new QNetworkAccessManager(this);
    // DBus service setup
    vpn = new com::yuezk::qt::GPService("com.yuezk.qt.GPService", "/", QDBusConnection::systemBus(), this);
    QObject::connect(vpn, &com::yuezk::qt::GPService::connected, this, &GPClient::onVPNConnected);
    QObject::connect(vpn, &com::yuezk::qt::GPService::disconnected, this, &GPClient::onVPNDisconnected);
    QObject::connect(vpn, &com::yuezk::qt::GPService::logAvailable, this, &GPClient::onVPNLogAvailable);
    initVpnStatus();
 }
 GPClient::~GPClient()
 {
    delete ui;
    delete networkManager;
    delete reply;
    delete vpn;
    delete settings;
 }
 void GPClient::on_connectButton_clicked()
 {
    QString btnText = ui->connectButton->text();
    if (btnText == "Connect") {
        QString portal = ui->portalInput->text();
        settings->setValue("portal", portal);
        ui->statusLabel->setText("Authenticating...");
        updateConnectionStatus("pending");
        doAuth(portal);
    } else if (btnText == "Cancel") {
        ui->statusLabel->setText("Canceling...");
        updateConnectionStatus("pending");
        if (reply->isRunning()) {
            reply->abort();
        }
        vpn->disconnect();
    } else {
        ui->statusLabel->setText("Disconnecting...");
        updateConnectionStatus("pending");
        vpn->disconnect();
    }
 }
 void GPClient::preloginResultFinished()
 {
    if (reply->error()) {
        qWarning() << "Prelogin request error";
        emit connectFailed();
        return;
    }
    QByteArray xmlBytes = reply->readAll();
    const QString tagMethod = "saml-auth-method";
    const QString tagRequest = "saml-request";
    QString samlMethod;
    QString samlRequest;
    QXmlStreamReader xml(xmlBytes);
    while (!xml.atEnd()) {
        xml.readNext();
        if (xml.tokenType() == xml.StartElement) {
            if (xml.name() == tagMethod) {
                samlMethod = xml.readElementText();
            } else if (xml.name() == tagRequest) {
                samlRequest = QByteArray::fromBase64(QByteArray::fromStdString(xml.readElementText().toStdString()));
            }
        }
    }
    if (samlMethod == nullptr || samlRequest == nullptr) {
        qWarning("This does not appear to be a SAML prelogin response (<saml-auth-method> or <saml-request> tags missing)");
        emit connectFailed();
        return;
    }
    if (samlMethod == "POST") {
        samlLogin(reply->url().toString(), samlRequest);
    } else if (samlMethod == "REDIRECT") {
        samlLogin(samlRequest);
    }
 }
 void GPClient::onLoginSuccess(QJsonObject loginResult)
 {
    QString fullpath = "/ssl-vpn/login.esp";
    QString shortpath = "gateway";
    QString user = loginResult.value("saml-username").toString();
    QString cookieName;
    QString cookieValue;
    QString cookies[]{"prelogin-cookie", "portal-userauthcookie"};
    for (int i = 0; i < cookies->length(); i++) {
        cookieValue = loginResult.value(cookies[i]).toString();
        if (cookieValue != nullptr) {
            cookieName = cookies[i];
            break;
        }
    }
    QString host = QString("https://%1/%2:%3").arg(loginResult.value("server").toString(), shortpath, cookieName);
    vpn->connect(host, user, cookieValue);
    ui->statusLabel->setText("Connecting...");
    updateConnectionStatus("pending");
 }
 void GPClient::updateConnectionStatus(QString status)
 {
    if (status == "not_connected") {
        ui->statusLabel->setText("Not Connected");
        ui->statusImage->setStyleSheet("image: url(:/images/not_connected.png); padding: 15;");
        ui->connectButton->setText("Connect");
        ui->connectButton->setDisabled(false);
    } else if (status == "pending") {
        ui->statusImage->setStyleSheet("image: url(:/images/pending.png); padding: 15;");
        ui->connectButton->setText("Cancel");
        ui->connectButton->setDisabled(false);
    } else if (status == "connected") {
        ui->statusLabel->setText("Connected");
        ui->statusImage->setStyleSheet("image: url(:/images/connected.png); padding: 15;");
        ui->connectButton->setText("Disconnect");
        ui->connectButton->setDisabled(false);
    }
 }
 void GPClient::onVPNConnected()
 {
    updateConnectionStatus("connected");
 }
 void GPClient::onVPNDisconnected()
 {
    updateConnectionStatus("not_connected");
 }
 void GPClient::onVPNLogAvailable(QString log)
 {
    qInfo() << log;
 }
 void GPClient::initVpnStatus() {
    int status = vpn->status();
    if (status == 1) {
        ui->statusLabel->setText("Connecting...");
        updateConnectionStatus("pending");
    } else if (status == 2) {
        updateConnectionStatus("connected");
    } else if (status == 3) {
        ui->statusLabel->setText("Disconnecting...");
        updateConnectionStatus("pending");
    }
 }
 void GPClient::moveCenter()
 {
    QDesktopWidget *desktop = QApplication::desktop();
    int screenWidth, width;
    int screenHeight, height;
    int x, y;
    QSize windowSize;
    screenWidth = desktop->width();
    screenHeight = desktop->height();
    windowSize = size();
    width = windowSize.width();
    height = windowSize.height();
    x = (screenWidth - width) / 2;
    y = (screenHeight - height) / 2;
    y -= 50;
    move(x, y);
 }
 void GPClient::doAuth(const QString portal)
 {
    const QString preloginUrl = "https://" + portal + "/ssl-vpn/prelogin.esp";
    reply = networkManager->post(QNetworkRequest(preloginUrl), (QByteArray) nullptr);
    connect(reply, &QNetworkReply::finished, this, &GPClient::preloginResultFinished);
 }
 void GPClient::samlLogin(const QString loginUrl, const QString html)
 {
    SAMLLoginWindow *loginWindow = new SAMLLoginWindow(this);
    QObject::connect(loginWindow, &SAMLLoginWindow::success, this, &GPClient::onLoginSuccess);
    QObject::connect(loginWindow, &SAMLLoginWindow::rejected, this, &GPClient::connectFailed);
    loginWindow->login(loginUrl, html);
    loginWindow->exec();
    delete loginWindow;
 }
--- a/GPClient/gpclient.h
+++ b/GPClient/gpclient.h
@@ -1,47 +0,0 @@
 #ifndef GPCLIENT_H
 #define GPCLIENT_H
 #include "gpservice_interface.h"
 #include <QMainWindow>
 #include <QNetworkAccessManager>
 #include <QNetworkReply>
 QT_BEGIN_NAMESPACE
 namespace Ui { class GPClient; }
 QT_END_NAMESPACE
 class GPClient : public QMainWindow
 {
    Q_OBJECT
 public:
    GPClient(QWidget *parent = nullptr);
    ~GPClient();
 signals:
    void connectFailed();
 private slots:
    void on_connectButton_clicked();
    void preloginResultFinished();
    void onLoginSuccess(QJsonObject loginResult);
    void onVPNConnected();
    void onVPNDisconnected();
    void onVPNLogAvailable(QString log);
 private:
    Ui::GPClient *ui;
    QNetworkAccessManager *networkManager;
    QNetworkReply *reply;
    com::yuezk::qt::GPService *vpn;
    QSettings *settings;
    void initVpnStatus();
    void moveCenter();
    void updateConnectionStatus(QString status);
    void doAuth(const QString portal);
    void samlLogin(const QString loginUrl, const QString html = "");
 };
 #endif // GPCLIENT_H
--- a/GPClient/gpclient.ui
+++ b/GPClient/gpclient.ui
@@ -1,127 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <ui version="4.0">
 <class>GPClient</class>
 <widget class="QMainWindow" name="GPClient">
  <property name="geometry">
   <rect>
    <x>0</x>
    <y>0</y>
    <width>260</width>
    <height>338</height>
   </rect>
  </property>
  <property name="windowTitle">
   <string>GP VPN Client</string>
  </property>
  <property name="windowIcon">
   <iconset resource="resources.qrc">
    <normaloff>:/images/logo.svg</normaloff>:/images/logo.svg</iconset>
  </property>
  <property name="styleSheet">
   <string notr="true"/>
  </property>
  <property name="iconSize">
   <size>
    <width>22</width>
    <height>22</height>
   </size>
  </property>
  <widget class="QWidget" name="centralwidget">
   <property name="sizePolicy">
    <sizepolicy hsizetype="Preferred" vsizetype="Preferred">
     <horstretch>0</horstretch>
     <verstretch>0</verstretch>
    </sizepolicy>
   </property>
   <property name="layoutDirection">
    <enum>Qt::LeftToRight</enum>
   </property>
   <layout class="QVBoxLayout" name="verticalLayout_3" stretch="1,0">
    <property name="leftMargin">
     <number>15</number>
    </property>
    <property name="topMargin">
     <number>15</number>
    </property>
    <property name="rightMargin">
     <number>15</number>
    </property>
    <property name="bottomMargin">
     <number>15</number>
    </property>
    <item>
     <layout class="QVBoxLayout" name="verticalLayout" stretch="1,0">
      <property name="bottomMargin">
       <number>15</number>
      </property>
      <item>
       <widget class="QLabel" name="statusImage">
        <property name="styleSheet">
         <string notr="true">#statusImage {
 	image: url(:/images/not_connected.png);
 	padding: 15
 }</string>
        </property>
        <property name="text">
         <string/>
        </property>
       </widget>
      </item>
      <item>
       <widget class="QLabel" name="statusLabel">
        <property name="font">
         <font>
          <pointsize>14</pointsize>
          <weight>50</weight>
          <bold>false</bold>
          <underline>false</underline>
         </font>
        </property>
        <property name="text">
         <string>Not Connected</string>
        </property>
        <property name="alignment">
         <set>Qt::AlignCenter</set>
        </property>
       </widget>
      </item>
     </layout>
    </item>
    <item>
     <layout class="QVBoxLayout" name="verticalLayout_2">
      <property name="bottomMargin">
       <number>0</number>
      </property>
      <item>
       <widget class="QLineEdit" name="portalInput">
        <property name="text">
         <string/>
        </property>
        <property name="placeholderText">
         <string>Please enter your portal address</string>
        </property>
       </widget>
      </item>
      <item>
       <widget class="QPushButton" name="connectButton">
        <property name="sizePolicy">
         <sizepolicy hsizetype="Expanding" vsizetype="Fixed">
          <horstretch>0</horstretch>
          <verstretch>0</verstretch>
         </sizepolicy>
        </property>
        <property name="text">
         <string>Connect</string>
        </property>
       </widget>
      </item>
     </layout>
    </item>
   </layout>
  </widget>
 </widget>
 <resources>
  <include location="resources.qrc"/>
 </resources>
 <connections/>
 </ui>
--- a/GPClient/gpservice_interface.cpp
+++ b/GPClient/gpservice_interface.cpp
@@ -1,25 +0,0 @@
 /*
 * This file was generated by qdbusxml2cpp version 0.8
 * Command line was: qdbusxml2cpp -i gpservice_interface.h -p :gpservice_interface.cpp ../GPService/gpservice.xml
 *
 * qdbusxml2cpp is Copyright (C) 2020 The Qt Company Ltd.
 *
 * This is an auto-generated file.
 * This file may have been hand-edited. Look for HAND-EDIT comments
 * before re-generating it.
 */
 #include "gpservice_interface.h"
 /*
 * Implementation of interface class ComYuezkQtGPServiceInterface
 */
 ComYuezkQtGPServiceInterface::ComYuezkQtGPServiceInterface(const QString &service, const QString &path, const QDBusConnection &connection, QObject *parent)
    : QDBusAbstractInterface(service, path, staticInterfaceName(), connection, parent)
 {
 }
 ComYuezkQtGPServiceInterface::~ComYuezkQtGPServiceInterface()
 {
 }
--- a/GPClient/gpservice_interface.h
+++ b/GPClient/gpservice_interface.h
@@ -1,71 +0,0 @@
 /*
 * This file was generated by qdbusxml2cpp version 0.8
 * Command line was: qdbusxml2cpp -p gpservice_interface.h: ../GPService/gpservice.xml
 *
 * qdbusxml2cpp is Copyright (C) 2020 The Qt Company Ltd.
 *
 * This is an auto-generated file.
 * Do not edit! All changes made to it will be lost.
 */
 #ifndef GPSERVICE_INTERFACE_H
 #define GPSERVICE_INTERFACE_H
 #include <QtCore/QObject>
 #include <QtCore/QByteArray>
 #include <QtCore/QList>
 #include <QtCore/QMap>
 #include <QtCore/QString>
 #include <QtCore/QStringList>
 #include <QtCore/QVariant>
 #include <QtDBus/QtDBus>
 /*
 * Proxy class for interface com.yuezk.qt.GPService
 */
 class ComYuezkQtGPServiceInterface: public QDBusAbstractInterface
 {
    Q_OBJECT
 public:
    static inline const char *staticInterfaceName()
    { return "com.yuezk.qt.GPService"; }
 public:
    ComYuezkQtGPServiceInterface(const QString &service, const QString &path, const QDBusConnection &connection, QObject *parent = nullptr);
    ~ComYuezkQtGPServiceInterface();
 public Q_SLOTS: // METHODS
    inline QDBusPendingReply<> connect(const QString &server, const QString &username, const QString &passwd)
    {
        QList<QVariant> argumentList;
        argumentList << QVariant::fromValue(server) << QVariant::fromValue(username) << QVariant::fromValue(passwd);
        return asyncCallWithArgumentList(QStringLiteral("connect"), argumentList);
    }
    inline QDBusPendingReply<> disconnect()
    {
        QList<QVariant> argumentList;
        return asyncCallWithArgumentList(QStringLiteral("disconnect"), argumentList);
    }
    inline QDBusPendingReply<int> status()
    {
        QList<QVariant> argumentList;
        return asyncCallWithArgumentList(QStringLiteral("status"), argumentList);
    }
 Q_SIGNALS: // SIGNALS
    void connected();
    void disconnected();
    void logAvailable(const QString &log);
 };
 namespace com {
  namespace yuezk {
    namespace qt {
      typedef ::ComYuezkQtGPServiceInterface GPService;
    }
  }
 }
 #endif
--- a/GPClient/main.cpp
+++ b/GPClient/main.cpp
@@ -1,18 +0,0 @@
 #include "singleapplication.h"
 #include "gpclient.h"
 #include "enhancedwebview.h"
 int main(int argc, char *argv[])
 {
    QString port = QString::fromLocal8Bit(qgetenv(ENV_CDP_PORT));
    if (port == "") {
        qputenv(ENV_CDP_PORT, "12315");
    }
    SingleApplication app(argc, argv);
    GPClient w;
    w.show();
    QObject::connect(&app, &SingleApplication::instanceStarted, &w, &GPClient::raise);
    return app.exec();
 }
--- a/GPClient/not_connected.png
+++ b/GPClient/not_connected.png
--- a/GPClient/pending.png
+++ b/GPClient/pending.png
--- a/GPClient/resources.qrc
+++ b/GPClient/resources.qrc
@@ -1,8 +0,0 @@
 <RCC>
    <qresource prefix="/images">
        <file alias="logo.svg">com.yuezk.qt.GPClient.svg</file>
        <file>connected.png</file>
        <file>pending.png</file>
        <file>not_connected.png</file>
    </qresource>
 </RCC>
--- a/GPClient/samlloginwindow.cpp
+++ b/GPClient/samlloginwindow.cpp
@@ -1,63 +0,0 @@
 #include "samlloginwindow.h"
 #include <QVBoxLayout>
 SAMLLoginWindow::SAMLLoginWindow(QWidget *parent)
    : QDialog(parent)
 {
    setWindowTitle("SAML Login");
    resize(610, 406);
    QVBoxLayout *verticalLayout = new QVBoxLayout(this);
    webView = new EnhancedWebView(this);
    webView->setUrl(QUrl("about:blank"));
    verticalLayout->addWidget(webView);
    webView->initialize();
    QObject::connect(webView, &EnhancedWebView::responseReceived, this, &SAMLLoginWindow::onResponseReceived);
 }
 SAMLLoginWindow::~SAMLLoginWindow()
 {
    delete webView;
 }
 void SAMLLoginWindow::closeEvent(QCloseEvent *event)
 {
    event->accept();
    reject();
 }
 void SAMLLoginWindow::login(QString url, QString html)
 {
    if (html == "") {
        webView->load(QUrl(url));
    } else {
        webView->setHtml(html, url);
    }
 }
 void SAMLLoginWindow::onResponseReceived(QJsonObject params)
 {
    QString type = params.value("type").toString();
    // Skip non-document response
    if (type != "Document") {
        return;
    }
    QJsonObject response = params.value("response").toObject();
    QJsonObject headers = response.value("headers").toObject();
    foreach (const QString& key, headers.keys()) {
        if (key.startsWith("saml-") || key == "prelogin-cookie" || key == "portal-userauthcookie") {
            samlResult.insert(key, headers.value(key));
        }
    }
    // Check the SAML result
    if (samlResult.contains("saml-username")
            && (samlResult.contains("prelogin-cookie") || samlResult.contains("portal-userauthcookie"))) {
        samlResult.insert("server", QUrl(response.value("url").toString()).authority());
        emit success(samlResult);
        accept();
    }
 }
--- a/GPClient/samlloginwindow.h
+++ b/GPClient/samlloginwindow.h
@@ -1,33 +0,0 @@
 #ifndef SAMLLOGINWINDOW_H
 #define SAMLLOGINWINDOW_H
 #include "enhancedwebview.h"
 #include <QDialog>
 #include <QJsonObject>
 #include <QCloseEvent>
 class SAMLLoginWindow : public QDialog
 {
    Q_OBJECT
 public:
    explicit SAMLLoginWindow(QWidget *parent = nullptr);
    ~SAMLLoginWindow();
    void login(QString url, QString html = "");
 signals:
    void success(QJsonObject samlResult);
 private slots:
    void onResponseReceived(QJsonObject params);
 private:
    EnhancedWebView *webView;
    QJsonObject samlResult;
    void closeEvent(QCloseEvent *event);
 };
 #endif // SAMLLOGINWINDOW_H
--- a/GPService/GPService.pro
+++ b/GPService/GPService.pro
@@ -1,52 +0,0 @@
 TARGET = gpservice
 QT += dbus
 QT -= gui
 CONFIG += c++11 console
 CONFIG -= app_bundle
 include(../singleapplication/singleapplication.pri)
 DEFINES += QAPPLICATION_CLASS=QCoreApplication
 # The following define makes your compiler emit warnings if you use
 # any Qt feature that has been marked deprecated (the exact warnings
 # depend on your compiler). Please consult the documentation of the
 # deprecated API in order to know how to port your code away from it.
 DEFINES += QT_DEPRECATED_WARNINGS
 # You can also make your code fail to compile if it uses deprecated APIs.
 # In order to do so, uncomment the following line.
 # You can also select to disable deprecated APIs only up to a certain version of Qt.
 #DEFINES += QT_DISABLE_DEPRECATED_BEFORE=0x060000    # disables all the APIs deprecated before Qt 6.0.0
 HEADERS += \
    gpservice.h \
    sigwatch.h
 SOURCES += \
        gpservice.cpp \
        main.cpp \
        sigwatch.cpp
 DBUS_ADAPTORS += gpservice.xml
 # Default rules for deployment.
 target.path = /usr/bin
 INSTALLS += target
 DISTFILES += \
    dbus/com.yuezk.qt.GPService.conf \
    dbus/com.yuezk.qt.GPService.service \
    systemd/gpservice.service
 dbus_config.path = /usr/share/dbus-1/system.d/
 dbus_config.files = dbus/com.yuezk.qt.GPService.conf
 dbus_service.path = /usr/share/dbus-1/system-services/
 dbus_service.files = dbus/com.yuezk.qt.GPService.service
 systemd_service.path = /etc/systemd/system/
 systemd_service.files = systemd/gpservice.service
 INSTALLS += dbus_config dbus_service systemd_service
--- a/GPService/dbus/com.yuezk.qt.GPService.conf
+++ b/GPService/dbus/com.yuezk.qt.GPService.conf
@@ -1,18 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
 <busconfig>
        <policy user="root">
                <allow own="com.yuezk.qt.GPService"/>
        </policy>
        <policy context="default">
                <allow send_destination="com.yuezk.qt.GPService"
                        send_interface="com.yuezk.qt.GPService"
                        />
                <allow send_destination="com.yuezk.qt.GPService"
                        send_interface="org.freedesktop.DBus.Introspectable"
                        />
        </policy>
 </busconfig>
--- a/GPService/dbus/com.yuezk.qt.GPService.service
+++ b/GPService/dbus/com.yuezk.qt.GPService.service
@@ -1,5 +0,0 @@
 [D-BUS Service]
 Name=com.yuezk.qt.GPService
 Exec=/usr/bin/gpservice
 User=root
 SystemdService=gpservice.service
--- a/GPService/gpservice.cpp
+++ b/GPService/gpservice.cpp
@@ -1,135 +0,0 @@
 #include "gpservice.h"
 #include "gpservice_adaptor.h"
 #include <QFileInfo>
 #include <QtDBus>
 #include <QDateTime>
 #include <QVariant>
 GPService::GPService(QObject *parent)
    : QObject(parent)
    , openconnect(new QProcess)
 {
    // Register the DBus service
    new GPServiceAdaptor(this);
    QDBusConnection dbus = QDBusConnection::systemBus();
    dbus.registerObject("/", this);
    dbus.registerService("com.yuezk.qt.GPService");
    // Setup the openconnect process
    QObject::connect(openconnect, &QProcess::started, this, &GPService::onProcessStarted);
    QObject::connect(openconnect, &QProcess::errorOccurred, this, &GPService::onProcessError);
    QObject::connect(openconnect, &QProcess::readyReadStandardOutput, this, &GPService::onProcessStdout);
    QObject::connect(openconnect, &QProcess::readyReadStandardError, this, &GPService::onProcessStderr);
    QObject::connect(openconnect, QOverload<int, QProcess::ExitStatus>::of(&QProcess::finished), this, &GPService::onProcessFinished);
 }
 GPService::~GPService()
 {
    delete openconnect;
 }
 QString GPService::findBinary()
 {
    for (int i = 0; i < binaryPaths->length(); i++) {
        if (QFileInfo::exists(binaryPaths[i])) {
            return binaryPaths[i];
        }
    }
    return nullptr;
 }
 void GPService::quit()
 {
    if (openconnect->state() == QProcess::NotRunning) {
        exit(0);
    } else {
        aboutToQuit = true;
        openconnect->terminate();
    }
 }
 void GPService::connect(QString server, QString username, QString passwd)
 {
    if (vpnStatus != GPService::VpnNotConnected) {
        log("VPN status is: " + QVariant::fromValue(vpnStatus).toString());
        return;
    }
    QString bin = findBinary();
    if (bin == nullptr) {
        log("Could not found openconnect binary, make sure openconnect is installed, exiting.");
        return;
    }
    QStringList args;
    args << QCoreApplication::arguments().mid(1)
     << "--protocol=gp"
     << "-u" << username
     << "--passwd-on-stdin"
     << "--timestamp"
     << server;
    openconnect->start(bin, args);
    openconnect->write(passwd.toUtf8());
    openconnect->closeWriteChannel();
 }
 void GPService::disconnect()
 {
    if (openconnect->state() != QProcess::NotRunning) {
        vpnStatus = GPService::VpnDisconnecting;
        openconnect->terminate();
    }
 }
 int GPService::status()
 {
    return vpnStatus;
 }
 void GPService::onProcessStarted()
 {
    log("Openconnect started successfully, PID=" + QString::number(openconnect->processId()));
    vpnStatus = GPService::VpnConnecting;
 }
 void GPService::onProcessError(QProcess::ProcessError error)
 {
    log("Error occurred: " + QVariant::fromValue(error).toString());
    vpnStatus = GPService::VpnNotConnected;
    emit disconnected();
 }
 void GPService::onProcessStdout()
 {
    QString output = openconnect->readAllStandardOutput();
    log(output);
    if (output.indexOf("Connected as") >= 0) {
        vpnStatus = GPService::VpnConnected;
        emit connected();
    }
 }
 void GPService::onProcessStderr()
 {
    log(openconnect->readAllStandardError());
 }
 void GPService::onProcessFinished(int exitCode, QProcess::ExitStatus exitStatus)
 {
    log("Openconnect process exited with code " + QString::number(exitCode) + " and exit status " + QVariant::fromValue(exitStatus).toString());
    vpnStatus = GPService::VpnNotConnected;
    emit disconnected();
    if (aboutToQuit) {
        exit(0);
    };
 }
 void GPService::log(QString msg)
 {
    qInfo() << msg;
    emit logAvailable(msg);
 }
--- a/GPService/gpservice.h
+++ b/GPService/gpservice.h
@@ -1,58 +0,0 @@
 #ifndef GLOBALPROTECTSERVICE_H
 #define GLOBALPROTECTSERVICE_H
 #include <QObject>
 #include <QProcess>
 static const QString binaryPaths[] {
    "/usr/local/bin/openconnect",
    "/usr/local/sbin/openconnect",
    "/usr/bin/openconnect",
    "/usr/sbin/openconnect",
    "/opt/bin/openconnect",
    "/opt/sbin/openconnect"
 };
 class GPService : public QObject
 {
    Q_OBJECT
    Q_CLASSINFO("D-Bus Interface", "com.yuezk.qt.GPService")
 public:
    explicit GPService(QObject *parent = nullptr);
    ~GPService();
    enum VpnStatus {
        VpnNotConnected,
        VpnConnecting,
        VpnConnected,
        VpnDisconnecting,
    };
 signals:
    void connected();
    void disconnected();
    void logAvailable(QString log);
 public slots:
    void connect(QString server, QString username, QString passwd);
    void disconnect();
    int status();
    void quit();
 private slots:
    void onProcessStarted();
    void onProcessError(QProcess::ProcessError error);
    void onProcessStdout();
    void onProcessStderr();
    void onProcessFinished(int exitCode, QProcess::ExitStatus exitStatus);
 private:
    QProcess *openconnect;
    bool aboutToQuit = false;
    int vpnStatus = GPService::VpnNotConnected;
    void log(QString msg);
    static QString findBinary();
 };
 #endif // GLOBALPROTECTSERVICE_H
--- a/GPService/gpservice.xml
+++ b/GPService/gpservice.xml
@@ -1,22 +0,0 @@
 <!DOCTYPE node PUBLIC "-//freedesktop//DTD D-BUS Object Introspection 1.0//EN" "http://www.freedesktop.org/standards/dbus/1.0/introspect.dtd">
 <node>
  <interface name="com.yuezk.qt.GPService">
    <signal name="connected">
    </signal>
    <signal name="disconnected">
    </signal>
    <signal name="logAvailable">
      <arg name="log" type="s" />
    </signal>
    <method name="connect">
      <arg name="server" type="s" direction="in"/>
      <arg name="username" type="s" direction="in"/>
      <arg name="passwd" type="s" direction="in"/>
    </method>
    <method name="disconnect">
    </method>
    <method name="status">
      <arg type="i" direction="out"/>
    </method>
  </interface>
 </node>
--- a/GPService/gpservice_adaptor.cpp
+++ b/GPService/gpservice_adaptor.cpp
@@ -1,55 +0,0 @@
 /*
 * This file was generated by qdbusxml2cpp version 0.8
 * Command line was: qdbusxml2cpp -i gpservice_adaptor.h -a :gpservice_adaptor.cpp gpservice.xml
 *
 * qdbusxml2cpp is Copyright (C) 2020 The Qt Company Ltd.
 *
 * This is an auto-generated file.
 * Do not edit! All changes made to it will be lost.
 */
 #include "gpservice_adaptor.h"
 #include <QtCore/QMetaObject>
 #include <QtCore/QByteArray>
 #include <QtCore/QList>
 #include <QtCore/QMap>
 #include <QtCore/QString>
 #include <QtCore/QStringList>
 #include <QtCore/QVariant>
 /*
 * Implementation of adaptor class GPServiceAdaptor
 */
 GPServiceAdaptor::GPServiceAdaptor(QObject *parent)
    : QDBusAbstractAdaptor(parent)
 {
    // constructor
    setAutoRelaySignals(true);
 }
 GPServiceAdaptor::~GPServiceAdaptor()
 {
    // destructor
 }
 void GPServiceAdaptor::connect(const QString &server, const QString &username, const QString &passwd)
 {
    // handle method call com.yuezk.qt.GPService.connect
    QMetaObject::invokeMethod(parent(), "connect", Q_ARG(QString, server), Q_ARG(QString, username), Q_ARG(QString, passwd));
 }
 void GPServiceAdaptor::disconnect()
 {
    // handle method call com.yuezk.qt.GPService.disconnect
    QMetaObject::invokeMethod(parent(), "disconnect");
 }
 int GPServiceAdaptor::status()
 {
    // handle method call com.yuezk.qt.GPService.status
    int out0;
    QMetaObject::invokeMethod(parent(), "status", Q_RETURN_ARG(int, out0));
    return out0;
 }
--- a/GPService/gpservice_adaptor.h
+++ b/GPService/gpservice_adaptor.h
@@ -1,66 +0,0 @@
 /*
 * This file was generated by qdbusxml2cpp version 0.8
 * Command line was: qdbusxml2cpp -a gpservice_adaptor.h: gpservice.xml
 *
 * qdbusxml2cpp is Copyright (C) 2020 The Qt Company Ltd.
 *
 * This is an auto-generated file.
 * This file may have been hand-edited. Look for HAND-EDIT comments
 * before re-generating it.
 */
 #ifndef GPSERVICE_ADAPTOR_H
 #define GPSERVICE_ADAPTOR_H
 #include <QtCore/QObject>
 #include <QtDBus/QtDBus>
 QT_BEGIN_NAMESPACE
 class QByteArray;
 template<class T> class QList;
 template<class Key, class Value> class QMap;
 class QString;
 class QStringList;
 class QVariant;
 QT_END_NAMESPACE
 /*
 * Adaptor class for interface com.yuezk.qt.GPService
 */
 class GPServiceAdaptor: public QDBusAbstractAdaptor
 {
    Q_OBJECT
    Q_CLASSINFO("D-Bus Interface", "com.yuezk.qt.GPService")
    Q_CLASSINFO("D-Bus Introspection", ""
 "  <interface name=\"com.yuezk.qt.GPService\">\n"
 "    <signal name=\"connected\"/>\n"
 "    <signal name=\"disconnected\"/>\n"
 "    <signal name=\"logAvailable\">\n"
 "      <arg type=\"s\" name=\"log\"/>\n"
 "    </signal>\n"
 "    <method name=\"connect\">\n"
 "      <arg direction=\"in\" type=\"s\" name=\"server\"/>\n"
 "      <arg direction=\"in\" type=\"s\" name=\"username\"/>\n"
 "      <arg direction=\"in\" type=\"s\" name=\"passwd\"/>\n"
 "    </method>\n"
 "    <method name=\"disconnect\"/>\n"
 "    <method name=\"status\">\n"
 "      <arg direction=\"out\" type=\"i\"/>\n"
 "    </method>\n"
 "  </interface>\n"
        "")
 public:
    GPServiceAdaptor(QObject *parent);
    virtual ~GPServiceAdaptor();
 public: // PROPERTIES
 public Q_SLOTS: // METHODS
    void connect(const QString &server, const QString &username, const QString &passwd);
    void disconnect();
    int status();
 Q_SIGNALS: // SIGNALS
    void connected();
    void disconnected();
    void logAvailable(const QString &log);
 };
 #endif
--- a/GPService/main.cpp
+++ b/GPService/main.cpp
@@ -1,26 +0,0 @@
 #include <QtDBus>
 #include "gpservice.h"
 #include "singleapplication.h"
 #include "sigwatch.h"
 int main(int argc, char *argv[])
 {
    SingleApplication app(argc, argv);
    if (!QDBusConnection::systemBus().isConnected()) {
        qWarning("Cannot connect to the D-Bus session bus.\n"
                 "Please check your system settings and try again.\n");
        return 1;
    }
    GPService service;
    UnixSignalWatcher sigwatch;
    sigwatch.watchForSignal(SIGINT);
    sigwatch.watchForSignal(SIGTERM);
    sigwatch.watchForSignal(SIGQUIT);
    sigwatch.watchForSignal(SIGHUP);
    QObject::connect(&sigwatch, &UnixSignalWatcher::unixSignal, &service, &GPService::quit);
    return app.exec();
 }
--- a/GPService/sigwatch.cpp
+++ b/GPService/sigwatch.cpp
@@ -1,176 +0,0 @@
 /*
 * Unix signal watcher for Qt.
 *
 * Copyright (C) 2014 Simon Knopp
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 */
 #include <sys/socket.h>
 #include <unistd.h>
 #include <errno.h>
 #include <QMap>
 #include <QSocketNotifier>
 #include <QDebug>
 #include "sigwatch.h"
 /*!
 * \brief The UnixSignalWatcherPrivate class implements the back-end signal
 * handling for the UnixSignalWatcher.
 *
 * \see http://qt-project.org/doc/qt-5.0/qtdoc/unix-signals.html
 */
 class UnixSignalWatcherPrivate : public QObject
 {
    UnixSignalWatcher * const q_ptr;
    Q_DECLARE_PUBLIC(UnixSignalWatcher)
 public:
    UnixSignalWatcherPrivate(UnixSignalWatcher *q);
    ~UnixSignalWatcherPrivate();
    void watchForSignal(int signal);
    static void signalHandler(int signal);
    void _q_onNotify(int sockfd);
 private:
    static int sockpair[2];
    QSocketNotifier *notifier;
    QList<int> watchedSignals;
 };
 int UnixSignalWatcherPrivate::sockpair[2];
 UnixSignalWatcherPrivate::UnixSignalWatcherPrivate(UnixSignalWatcher *q) :
    q_ptr(q)
 {
    // Create socket pair
    if (::socketpair(AF_UNIX, SOCK_STREAM, 0, sockpair)) {
        qDebug() << "UnixSignalWatcher: socketpair: " << ::strerror(errno);
        return;
    }
    // Create a notifier for the read end of the pair
    notifier = new QSocketNotifier(sockpair[1], QSocketNotifier::Read);
    QObject::connect(notifier, SIGNAL(activated(int)), q, SLOT(_q_onNotify(int)));
    notifier->setEnabled(true);
 }
 UnixSignalWatcherPrivate::~UnixSignalWatcherPrivate()
 {
    delete notifier;
 }
 /*!
 * Registers a handler for the given Unix \a signal. The handler will write to
 * a socket pair, the other end of which is connected to a QSocketNotifier.
 * This provides a way to break out of the asynchronous context from which the
 * signal handler is called and back into the Qt event loop.
 */
 void UnixSignalWatcherPrivate::watchForSignal(int signal)
 {
    if (watchedSignals.contains(signal)) {
        qDebug() << "Already watching for signal" << signal;
        return;
    }
    // Register a sigaction which will write to the socket pair
    struct sigaction sigact;
    sigact.sa_handler = UnixSignalWatcherPrivate::signalHandler;
    sigact.sa_flags = 0;
    ::sigemptyset(&sigact.sa_mask);
    sigact.sa_flags |= SA_RESTART;
    if (::sigaction(signal, &sigact, NULL)) {
        qDebug() << "UnixSignalWatcher: sigaction: " << ::strerror(errno);
        return;
    }
    watchedSignals.append(signal);
 }
 /*!
 * Called when a Unix \a signal is received. Write to the socket to wake up the
 * QSocketNotifier.
 */
 void UnixSignalWatcherPrivate::signalHandler(int signal)
 {
    ssize_t nBytes = ::write(sockpair[0], &signal, sizeof(signal));
    Q_UNUSED(nBytes);
 }
 /*!
 * Called when the signal handler has written to the socket pair. Emits the Unix
 * signal as a Qt signal.
 */
 void UnixSignalWatcherPrivate::_q_onNotify(int sockfd)
 {
    Q_Q(UnixSignalWatcher);
    int signal;
    ssize_t nBytes = ::read(sockfd, &signal, sizeof(signal));
    Q_UNUSED(nBytes);
    qDebug() << "Caught signal:" << ::strsignal(signal);
    emit q->unixSignal(signal);
 }
 /*!
 * Create a new UnixSignalWatcher as a child of the given \a parent.
 */
 UnixSignalWatcher::UnixSignalWatcher(QObject *parent) :
    QObject(parent),
    d_ptr(new UnixSignalWatcherPrivate(this))
 {
 }
 /*!
 * Destroy this UnixSignalWatcher.
 */
 UnixSignalWatcher::~UnixSignalWatcher()
 {
    delete d_ptr;
 }
 /*!
 * Register a signal handler for the given \a signal.
 *
 * After calling this method you can \c connect() to the unixSignal() Qt signal
 * to be notified when the Unix signal is received.
 */
 void UnixSignalWatcher::watchForSignal(int signal)
 {
    Q_D(UnixSignalWatcher);
    d->watchForSignal(signal);
 }
 /*!
 * \fn void UnixSignalWatcher::unixSignal(int signal)
 * Emitted when the given Unix \a signal is received.
 *
 * watchForSignal() must be called for each Unix signal that you want to receive
 * via the unixSignal() Qt signal. If a watcher is watching multiple signals,
 * unixSignal() will be emitted whenever *any* of the watched Unix signals are
 * received, and the \a signal argument can be inspected to find out which one
 * was actually received.
 */
 #include "moc_sigwatch.cpp"
--- a/GPService/sigwatch.h
+++ b/GPService/sigwatch.h
@@ -1,59 +0,0 @@
 /*
 * Unix signal watcher for Qt.
 *
 * Copyright (C) 2014 Simon Knopp
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 */
 #ifndef SIGWATCH_H
 #define SIGWATCH_H
 #include <QObject>
 #include <signal.h>
 class UnixSignalWatcherPrivate;
 /*!
 * \brief The UnixSignalWatcher class converts Unix signals to Qt signals.
 *
 * To watch for a given signal, e.g. \c SIGINT, call \c watchForSignal(SIGINT)
 * and \c connect() your handler to unixSignal().
 */
 class UnixSignalWatcher : public QObject
 {
    Q_OBJECT
 public:
    explicit UnixSignalWatcher(QObject *parent = 0);
    ~UnixSignalWatcher();
    void watchForSignal(int signal);
 signals:
    void unixSignal(int signal);
 private:
    UnixSignalWatcherPrivate * const d_ptr;
    Q_DECLARE_PRIVATE(UnixSignalWatcher)
    Q_PRIVATE_SLOT(d_func(), void _q_onNotify(int))
 };
 #endif // SIGWATCH_H
--- a/GPService/systemd/gpservice.service
+++ b/GPService/systemd/gpservice.service
@@ -1,10 +0,0 @@
 [Unit]
 Description=GlobalProtect openconnect DBus service
 [Service]
 Type=dbus
 BusName=com.yuezk.qt.GPService
 ExecStart=/usr/bin/gpservice
 [Install]
 WantedBy=multi-user.target
--- a/GlobalProtect-openconnect.pro
+++ b/GlobalProtect-openconnect.pro
@@ -1,5 +0,0 @@
 TEMPLATE = subdirs
 SUBDIRS += \
    GPClient \
    GPService
--- a/README.md
+++ b/README.md
@@ -1,39 +1,128 @@
 # GlobalProtect-openconnect
-A GlobalProtect VPN client (GUI) for Linux based on Openconnect and built with Qt5, supports SAML auth mode, inspired by [gp-saml-gui](https://github.com/dlenski/gp-saml-gui).
+
 A GUI for GlobalProtect VPN, based on OpenConnect, supports the SSO authentication method. Inspired by [gp-saml-gui](https://github.com/dlenski/gp-saml-gui).
 <p align="center">
-  <img src="screenshot.png">
+  <img width="300" src="https://github.com/yuezk/GlobalProtect-openconnect/assets/3297602/9242df9c-217d-42ab-8c21-8f9f69cd4eb5">
 </p>
-## Prerequisites
+## Features
- Openconnect v8.x
+- [x] Better Linux support
- Qt5, qt5-webengine, qt5-websockets
+- [x] Support both CLI and GUI
 - [x] Support both SSO and non-SSO authentication
 - [x] Support authentication using default browser
 - [x] Support multiple portals
 - [x] Support gateway selection
 - [x] Support auto-connect on startup
 - [x] Support system tray icon
-### Ubuntu
+## Usage
 1. Install openconnect v8.x
    Update openconnect to 8.x, for ubuntu 18.04 you might need to [build the latest openconnect from source code](https://gist.github.com/yuezk/ab9a4b87a9fa0182bdb2df41fab5f613).
 2. Install the Qt dependencies
    ```sh
    sudo apt install qt5-default libqt5websockets5-dev qtwebengine5-dev
    ```
 ## Install
-### Install from AUR (Arch/Manjaro)
+### CLI
-Install [globalprotect-openconnect](https://aur.archlinux.org/packages/globalprotect-openconnect/).
+The CLI version is always free and open source in this repo. It has almost the same features as the GUI version.
 ### Build from source code
 ```sh
 git clone https://github.com/yuezk/GlobalProtect-openconnect.git
 cd GlobalProtect-openconnect
 git submodule update --init
 qmake CONFIG+=release
 make
 sudo make install
 ```
-Open `GlobalProtect VPN` in the application dashboard.
+Usage: gpclient [OPTIONS] <COMMAND>
 Commands:
  connect     Connect to a portal server
  disconnect  Disconnect from the server
  launch-gui  Launch the GUI
  help        Print this message or the help of the given subcommand(s)
 Options:
      --fix-openssl        Get around the OpenSSL `unsafe legacy renegotiation` error
      --ignore-tls-errors  Ignore the TLS errors
  -h, --help               Print help
  -V, --version            Print version
 See 'gpclient help <command>' for more information on a specific command.
 ```
 ### GUI
 The GUI version is also available after you installed it. You can launch it from the application menu or run `gpclient launch-gui` in the terminal.
 > [!Note]
 >
 > The GUI version is partially open source. Its background service is open sourced in this repo as [gpservice](./apps/gpservice/). The GUI part is a wrapper of the background service, which is not open sourced.
 ## Installation
 > [!Note]
 >
 > This instruction is for the 2.x version. The 1.x version is still available on the [1.x](https://github.com/yuezk/GlobalProtect-openconnect/tree/1.x) branch, you can build it from the source code by following the instructions in the `README.md` file.
 > [!Warning]
 >
 > The client requires `openconnect >= 8.20`, please make sure you have it installed, you can check it with `openconnect --version`.
 > Installing the client from PPA will automatically install the required version of `openconnect`.
 ### Debian/Ubuntu based distributions
 #### Install from PPA
 ```
 sudo add-apt-repository ppa:yuezk/globalprotect-openconnect
 sudo apt-get update
 sudo apt-get install globalprotect-openconnect
 ```
 > [!Note]
 >
 > For Linux Mint, you might need to import the GPG key with: `sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7937C393082992E5D6E4A60453FC26B43838D761` if you encountered an error `gpg: keyserver receive failed: General error`.
 #### Install from deb package
 Download the latest deb package from [releases](https://github.com/yuezk/GlobalProtect-openconnect/releases) page. Then install it with `dpkg`:
 ```bash
 sudo dpkg -i globalprotect-openconnect_*.deb
 ```
 ### Arch Linux / Manjaro
 #### Install from AUR
 Install from AUR: [globalprotect-openconnect-git](https://aur.archlinux.org/packages/globalprotect-openconnect-git/)
 ```
 yay -S globalprotect-openconnect-git
 ```
 #### Install from package
 Download the latest package from [releases](https://github.com/yuezk/GlobalProtect-openconnect/releases) page. Then install it with `pacman`:
 ```bash
 sudo pacman -U globalprotect-openconnect-*.pkg.tar.zst
 ```
 ### Fedora/OpenSUSE/CentOS/RHEL
 #### Install from COPR
 The package is available on [COPR](https://copr.fedorainfracloud.org/coprs/yuezk/globalprotect-openconnect/) for various RPM-based distributions. You can install it with the following commands:
 ```
 sudo dnf copr enable yuezk/globalprotect-openconnect
 sudo dnf install globalprotect-openconnect
 ```
 #### Install from OBS
 The package is also available on [OBS](https://build.opensuse.org/package/show/home:yuezk/globalprotect-openconnect) for various RPM-based distributions. You can follow the instructions [on this page](https://software.opensuse.org//download.html?project=home%3Ayuezk&package=globalprotect-openconnect) to install it.
 #### Install from RPM package
 Download the latest RPM package from [releases](https://github.com/yuezk/GlobalProtect-openconnect/releases) page.
 ### Other distributions
 The project depends on `openconnect >= 8.20`, `webkit2gtk`, `libsecret`, `libayatana-appindicator` or `libappindicator-gtk3`. You can install them first and then download the latest binary release (i.e., `*.bin.tar.gz`) from [releases](https://github.com/yuezk/GlobalProtect-openconnect/releases) page.
 ## [License](./LICENSE)
 GPLv3
--- a/apps/gpauth/Cargo.toml
+++ b/apps/gpauth/Cargo.toml
@@ -0,0 +1,23 @@
 [package]
 name = "gpauth"
 version.workspace = true
 edition.workspace = true
 license.workspace = true
 [build-dependencies]
 tauri-build = { version = "1.5", features = [] }
 [dependencies]
 gpapi = { path = "../../crates/gpapi", features = ["tauri", "clap"] }
 anyhow.workspace = true
 clap.workspace = true
 env_logger.workspace = true
 log.workspace = true
 regex.workspace = true
 serde_json.workspace = true
 tokio.workspace = true
 tokio-util.workspace = true
 tempfile.workspace = true
 webkit2gtk = "0.18.2"
 tauri = { workspace = true, features = ["http-all"] }
 compile-time.workspace = true
--- a/apps/gpauth/build.rs
+++ b/apps/gpauth/build.rs
@@ -0,0 +1,3 @@
 fn main() {
  tauri_build::build()
 }
--- a/apps/gpauth/icons/128x128.png
+++ b/apps/gpauth/icons/128x128.png
--- a/apps/gpauth/icons/128x128@2x.png
+++ b/apps/gpauth/icons/128x128@2x.png
--- a/apps/gpauth/icons/32x32.png
+++ b/apps/gpauth/icons/32x32.png
--- a/apps/gpauth/icons/icon.icns
+++ b/apps/gpauth/icons/icon.icns
--- a/apps/gpauth/icons/icon.ico
+++ b/apps/gpauth/icons/icon.ico
--- a/apps/gpauth/icons/icon.png
+++ b/apps/gpauth/icons/icon.png
--- a/apps/gpauth/index.html
+++ b/apps/gpauth/index.html
@@ -0,0 +1,11 @@
 <!DOCTYPE html>
 <html lang="en">
 <head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>GlobalProtect Login</title>
 </head>
 <body>
  <p>Redirecting to GlobalProtect Login...</p>
 </body>
 </html>
--- a/apps/gpauth/src/auth_window.rs
+++ b/apps/gpauth/src/auth_window.rs
@@ -0,0 +1,486 @@
 use std::{
  rc::Rc,
  sync::Arc,
  time::{Duration, Instant},
 };
 use anyhow::bail;
 use gpapi::{
  auth::SamlAuthData,
  gp_params::GpParams,
  portal::{prelogin, Prelogin},
  utils::{redact::redact_uri, window::WindowExt},
 };
 use log::{info, warn};
 use regex::Regex;
 use tauri::{AppHandle, Window, WindowEvent, WindowUrl};
 use tokio::sync::{mpsc, oneshot, RwLock};
 use tokio_util::sync::CancellationToken;
 use webkit2gtk::{
  gio::Cancellable,
  glib::{GString, TimeSpan},
  LoadEvent, SettingsExt, TLSErrorsPolicy, URIResponse, URIResponseExt, WebContextExt, WebResource,
  WebResourceExt, WebView, WebViewExt, WebsiteDataManagerExtManual, WebsiteDataTypes,
 };
 enum AuthDataError {
  /// Failed to load page due to TLS error
  TlsError,
  /// 1. Found auth data in headers/body but it's invalid
  /// 2. Loaded an empty page, failed to load page. etc.
  Invalid,
  /// No auth data found in headers/body
  NotFound,
 }
 type AuthResult = Result<SamlAuthData, AuthDataError>;
 pub(crate) struct AuthWindow<'a> {
  app_handle: AppHandle,
  server: &'a str,
  saml_request: &'a str,
  user_agent: &'a str,
  gp_params: Option<GpParams>,
  clean: bool,
 }
 impl<'a> AuthWindow<'a> {
  pub fn new(app_handle: AppHandle) -> Self {
    Self {
      app_handle,
      server: "",
      saml_request: "",
      user_agent: "",
      gp_params: None,
      clean: false,
    }
  }
  pub fn server(mut self, server: &'a str) -> Self {
    self.server = server;
    self
  }
  pub fn saml_request(mut self, saml_request: &'a str) -> Self {
    self.saml_request = saml_request;
    self
  }
  pub fn user_agent(mut self, user_agent: &'a str) -> Self {
    self.user_agent = user_agent;
    self
  }
  pub fn gp_params(mut self, gp_params: GpParams) -> Self {
    self.gp_params.replace(gp_params);
    self
  }
  pub fn clean(mut self, clean: bool) -> Self {
    self.clean = clean;
    self
  }
  pub async fn open(&self) -> anyhow::Result<SamlAuthData> {
    info!("Open auth window, user_agent: {}", self.user_agent);
    let window = Window::builder(&self.app_handle, "auth_window", WindowUrl::default())
      .title("GlobalProtect Login")
      // .user_agent(self.user_agent)
      .focused(true)
      .visible(false)
      .center()
      .build()?;
    let window = Arc::new(window);
    let cancel_token = CancellationToken::new();
    let cancel_token_clone = cancel_token.clone();
    window.on_window_event(move |event| {
      if let WindowEvent::CloseRequested { .. } = event {
        cancel_token_clone.cancel();
      }
    });
    let window_clone = Arc::clone(&window);
    let timeout_secs = 15;
    tokio::spawn(async move {
      tokio::time::sleep(Duration::from_secs(timeout_secs)).await;
      let visible = window_clone.is_visible().unwrap_or(false);
      if !visible {
        info!("Try to raise auth window after {} seconds", timeout_secs);
        raise_window(&window_clone);
      }
    });
    tokio::select! {
      _ = cancel_token.cancelled() => {
        bail!("Auth cancelled");
      }
      saml_result = self.auth_loop(&window) => {
        window.close()?;
        saml_result
      }
    }
  }
  async fn auth_loop(&self, window: &Arc<Window>) -> anyhow::Result<SamlAuthData> {
    let saml_request = self.saml_request.to_string();
    let (auth_result_tx, mut auth_result_rx) = mpsc::unbounded_channel::<AuthResult>();
    let raise_window_cancel_token: Arc<RwLock<Option<CancellationToken>>> = Default::default();
    let gp_params = self.gp_params.as_ref().unwrap();
    let tls_err_policy = if gp_params.ignore_tls_errors() {
      TLSErrorsPolicy::Ignore
    } else {
      TLSErrorsPolicy::Fail
    };
    if self.clean {
      clear_webview_cookies(window).await?;
    }
    let raise_window_cancel_token_clone = Arc::clone(&raise_window_cancel_token);
    window.with_webview(move |wv| {
      let wv = wv.inner();
      if let Some(context) = wv.context() {
        context.set_tls_errors_policy(tls_err_policy);
      }
      if let Some(settings) = wv.settings() {
        let ua = settings.user_agent().unwrap_or("".into());
        info!("Auth window user agent: {}", ua);
      }
      // Load the initial SAML request
      load_saml_request(&wv, &saml_request);
      let auth_result_tx_clone = auth_result_tx.clone();
      wv.connect_load_changed(move |wv, event| {
        if event == LoadEvent::Started {
          let Ok(mut cancel_token) = raise_window_cancel_token_clone.try_write() else {
            return;
          };
          // Cancel the raise window task
          if let Some(cancel_token) = cancel_token.take() {
            cancel_token.cancel();
          }
          return;
        }
        if event != LoadEvent::Finished {
          return;
        }
        if let Some(main_resource) = wv.main_resource() {
          let uri = main_resource.uri().unwrap_or("".into());
          if uri.is_empty() {
            warn!("Loaded an empty uri");
            send_auth_result(&auth_result_tx_clone, Err(AuthDataError::Invalid));
            return;
          }
          info!("Loaded uri: {}", redact_uri(&uri));
          read_auth_data(&main_resource, auth_result_tx_clone.clone());
        }
      });
      let auth_result_tx_clone = auth_result_tx.clone();
      wv.connect_load_failed_with_tls_errors(move |_wv, uri, cert, err| {
        let redacted_uri = redact_uri(uri);
        warn!(
          "Failed to load uri: {} with error: {}, cert: {}",
          redacted_uri, err, cert
        );
        send_auth_result(&auth_result_tx_clone, Err(AuthDataError::TlsError));
        true
      });
      wv.connect_load_failed(move |_wv, _event, uri, err| {
        let redacted_uri = redact_uri(uri);
        warn!("Failed to load uri: {} with error: {}", redacted_uri, err);
        // NOTE: Don't send error here, since load_changed event will be triggered after this
        // send_auth_result(&auth_result_tx, Err(AuthDataError::Invalid));
        // true to stop other handlers from being invoked for the event. false to propagate the event further.
        true
      });
    })?;
    let portal = self.server.to_string();
    loop {
      if let Some(auth_result) = auth_result_rx.recv().await {
        match auth_result {
          Ok(auth_data) => return Ok(auth_data),
          Err(AuthDataError::TlsError) => {
            return Err(anyhow::anyhow!("TLS error: certificate verify failed"))
          }
          Err(AuthDataError::NotFound) => {
            info!("No auth data found, it may not be the /SAML20/SP/ACS endpoint");
            // The user may need to interact with the auth window, raise it in 3 seconds
            if !window.is_visible().unwrap_or(false) {
              let window = Arc::clone(window);
              let cancel_token = CancellationToken::new();
              raise_window_cancel_token
                .write()
                .await
                .replace(cancel_token.clone());
              tokio::spawn(async move {
                let delay_secs = 1;
                info!("Raise window in {} second(s)", delay_secs);
                tokio::select! {
                  _ = tokio::time::sleep(Duration::from_secs(delay_secs)) => {
                    raise_window(&window);
                  }
                  _ = cancel_token.cancelled() => {
                    info!("Raise window cancelled");
                  }
                }
              });
            }
          }
          Err(AuthDataError::Invalid) => {
            info!("Got invalid auth data, retrying...");
            window.with_webview(|wv| {
              let wv = wv.inner();
              wv.run_javascript(r#"
                  var loading = document.createElement("div");
                  loading.innerHTML = '<div style="position: absolute; width: 100%; text-align: center; font-size: 20px; font-weight: bold; top: 50%; left: 50%; transform: translate(-50%, -50%);">Got invalid token, retrying...</div>';
                  loading.style = "position: fixed; top: 0; left: 0; width: 100%; height: 100%; background: rgba(255, 255, 255, 0.85); z-index: 99999;";
                  document.body.appendChild(loading);
              "#,
                  Cancellable::NONE,
                  |_| info!("Injected loading element successfully"),
              );
            })?;
            let saml_request = portal_prelogin(&portal, gp_params).await?;
            window.with_webview(move |wv| {
              let wv = wv.inner();
              load_saml_request(&wv, &saml_request);
            })?;
          }
        }
      }
    }
  }
 }
 fn raise_window(window: &Arc<Window>) {
  let visible = window.is_visible().unwrap_or(false);
  if !visible {
    if let Err(err) = window.raise() {
      warn!("Failed to raise window: {}", err);
    }
  }
 }
 pub(crate) async fn portal_prelogin(portal: &str, gp_params: &GpParams) -> anyhow::Result<String> {
  info!("Portal prelogin...");
  match prelogin(portal, gp_params).await? {
    Prelogin::Saml(prelogin) => Ok(prelogin.saml_request().to_string()),
    Prelogin::Standard(_) => Err(anyhow::anyhow!("Received non-SAML prelogin response")),
  }
 }
 fn send_auth_result(auth_result_tx: &mpsc::UnboundedSender<AuthResult>, auth_result: AuthResult) {
  if let Err(err) = auth_result_tx.send(auth_result) {
    warn!("Failed to send auth event: {}", err);
  }
 }
 fn load_saml_request(wv: &Rc<WebView>, saml_request: &str) {
  if saml_request.starts_with("http") {
    info!("Load the SAML request as URI...");
    wv.load_uri(saml_request);
  } else {
    info!("Load the SAML request as HTML...");
    wv.load_html(saml_request, None);
  }
 }
 fn read_auth_data_from_headers(response: &URIResponse) -> AuthResult {
  response.http_headers().map_or_else(
    || {
      info!("No headers found in response");
      Err(AuthDataError::NotFound)
    },
    |mut headers| match headers.get("saml-auth-status") {
      Some(status) if status == "1" => {
        let username = headers.get("saml-username").map(GString::into);
        let prelogin_cookie = headers.get("prelogin-cookie").map(GString::into);
        let portal_userauthcookie = headers.get("portal-userauthcookie").map(GString::into);
        if SamlAuthData::check(&username, &prelogin_cookie, &portal_userauthcookie) {
          return Ok(SamlAuthData::new(
            username.unwrap(),
            prelogin_cookie,
            portal_userauthcookie,
          ));
        }
        info!("Found invalid auth data in headers");
        Err(AuthDataError::Invalid)
      }
      Some(status) => {
        info!("Found invalid SAML status: {} in headers", status);
        Err(AuthDataError::Invalid)
      }
      None => {
        info!("No saml-auth-status header found");
        Err(AuthDataError::NotFound)
      }
    },
  )
 }
 fn read_auth_data_from_body<F>(main_resource: &WebResource, callback: F)
 where
  F: FnOnce(AuthResult) + Send + 'static,
 {
  main_resource.data(Cancellable::NONE, |data| match data {
    Ok(data) => {
      let html = String::from_utf8_lossy(&data);
      callback(read_auth_data_from_html(&html));
    }
    Err(err) => {
      info!("Failed to read response body: {}", err);
      callback(Err(AuthDataError::Invalid))
    }
  });
 }
 fn read_auth_data_from_html(html: &str) -> AuthResult {
  if html.contains("Temporarily Unavailable") {
    info!("Found 'Temporarily Unavailable' in HTML, auth failed");
    return Err(AuthDataError::Invalid);
  }
  match parse_xml_tag(html, "saml-auth-status") {
    Some(saml_status) if saml_status == "1" => {
      let username = parse_xml_tag(html, "saml-username");
      let prelogin_cookie = parse_xml_tag(html, "prelogin-cookie");
      let portal_userauthcookie = parse_xml_tag(html, "portal-userauthcookie");
      if SamlAuthData::check(&username, &prelogin_cookie, &portal_userauthcookie) {
        return Ok(SamlAuthData::new(
          username.unwrap(),
          prelogin_cookie,
          portal_userauthcookie,
        ));
      }
      info!("Found invalid auth data in HTML");
      Err(AuthDataError::Invalid)
    }
    Some(status) => {
      info!("Found invalid SAML status {} in HTML", status);
      Err(AuthDataError::Invalid)
    }
    None => {
      info!("No auth data found in HTML");
      Err(AuthDataError::NotFound)
    }
  }
 }
 fn read_auth_data(main_resource: &WebResource, auth_result_tx: mpsc::UnboundedSender<AuthResult>) {
  if main_resource.response().is_none() {
    info!("No response found in main resource");
    send_auth_result(&auth_result_tx, Err(AuthDataError::Invalid));
    return;
  }
  let response = main_resource.response().unwrap();
  info!("Trying to read auth data from response headers...");
  match read_auth_data_from_headers(&response) {
    Ok(auth_data) => {
      info!("Got auth data from headers");
      send_auth_result(&auth_result_tx, Ok(auth_data));
    }
    Err(AuthDataError::Invalid) => {
      info!("Found invalid auth data in headers, trying to read from body...");
      read_auth_data_from_body(main_resource, move |auth_result| {
        // Since we have already found invalid auth data in headers, which means this could be the `/SAML20/SP/ACS` endpoint
        // any error result from body should be considered as invalid, and trigger a retry
        let auth_result = auth_result.map_err(|_| AuthDataError::Invalid);
        send_auth_result(&auth_result_tx, auth_result);
      });
    }
    Err(AuthDataError::NotFound) => {
      info!("No auth data found in headers, trying to read from body...");
      read_auth_data_from_body(main_resource, move |auth_result| {
        send_auth_result(&auth_result_tx, auth_result)
      });
    }
    Err(AuthDataError::TlsError) => {
      // NOTE: This is unreachable
      info!("TLS error found in headers, trying to read from body...");
      send_auth_result(&auth_result_tx, Err(AuthDataError::TlsError));
    }
  }
 }
 fn parse_xml_tag(html: &str, tag: &str) -> Option<String> {
  let re = Regex::new(&format!("<{}>(.*)</{}>", tag, tag)).unwrap();
  re.captures(html)
    .and_then(|captures| captures.get(1))
    .map(|m| m.as_str().to_string())
 }
 pub(crate) async fn clear_webview_cookies(window: &Window) -> anyhow::Result<()> {
  let (tx, rx) = oneshot::channel::<Result<(), String>>();
  window.with_webview(|wv| {
    let send_result = move |result: Result<(), String>| {
      if let Err(err) = tx.send(result) {
        info!("Failed to send result: {:?}", err);
      }
    };
    let wv = wv.inner();
    let context = match wv.context() {
      Some(context) => context,
      None => {
        send_result(Err("No webview context found".into()));
        return;
      }
    };
    let data_manager = match context.website_data_manager() {
      Some(manager) => manager,
      None => {
        send_result(Err("No data manager found".into()));
        return;
      }
    };
    let now = Instant::now();
    data_manager.clear(
      WebsiteDataTypes::COOKIES,
      TimeSpan(0),
      Cancellable::NONE,
      move |result| match result {
        Err(err) => {
          send_result(Err(err.to_string()));
        }
        Ok(_) => {
          info!("Cookies cleared in {} ms", now.elapsed().as_millis());
          send_result(Ok(()));
        }
      },
    );
  })?;
  rx.await?.map_err(|err| anyhow::anyhow!(err))
 }
--- a/apps/gpauth/src/cli.rs
+++ b/apps/gpauth/src/cli.rs
@@ -0,0 +1,164 @@
 use clap::Parser;
 use gpapi::{
  auth::{SamlAuthData, SamlAuthResult},
  clap::args::Os,
  gp_params::{ClientOs, GpParams},
  utils::{normalize_server, openssl},
  GP_USER_AGENT,
 };
 use log::{info, LevelFilter};
 use serde_json::json;
 use tauri::{App, AppHandle, RunEvent};
 use tempfile::NamedTempFile;
 use crate::auth_window::{portal_prelogin, AuthWindow};
 const VERSION: &str = concat!(
  env!("CARGO_PKG_VERSION"),
  " (",
  compile_time::date_str!(),
  ")"
 );
 #[derive(Parser, Clone)]
 #[command(version = VERSION)]
 struct Cli {
  server: String,
  #[arg(long)]
  saml_request: Option<String>,
  #[arg(long, default_value = GP_USER_AGENT)]
  user_agent: String,
  #[arg(long, default_value = "Linux")]
  os: Os,
  #[arg(long)]
  os_version: Option<String>,
  #[arg(long)]
  hidpi: bool,
  #[arg(long)]
  fix_openssl: bool,
  #[arg(long)]
  ignore_tls_errors: bool,
  #[arg(long)]
  clean: bool,
 }
 impl Cli {
  async fn run(&mut self) -> anyhow::Result<()> {
    if self.ignore_tls_errors {
      info!("TLS errors will be ignored");
    }
    let mut openssl_conf = self.prepare_env()?;
    self.server = normalize_server(&self.server)?;
    let gp_params = self.build_gp_params();
    // Get the initial SAML request
    let saml_request = match self.saml_request {
      Some(ref saml_request) => saml_request.clone(),
      None => portal_prelogin(&self.server, &gp_params).await?,
    };
    self.saml_request.replace(saml_request);
    let app = create_app(self.clone())?;
    app.run(move |_app_handle, event| {
      if let RunEvent::Exit = event {
        if let Some(file) = openssl_conf.take() {
          if let Err(err) = file.close() {
            info!("Error closing OpenSSL config file: {}", err);
          }
        }
      }
    });
    Ok(())
  }
  fn prepare_env(&self) -> anyhow::Result<Option<NamedTempFile>> {
    std::env::set_var("WEBKIT_DISABLE_COMPOSITING_MODE", "1");
    if self.hidpi {
      info!("Setting GDK_SCALE=2 and GDK_DPI_SCALE=0.5");
      std::env::set_var("GDK_SCALE", "2");
      std::env::set_var("GDK_DPI_SCALE", "0.5");
    }
    if self.fix_openssl {
      info!("Fixing OpenSSL environment");
      let file = openssl::fix_openssl_env()?;
      return Ok(Some(file));
    }
    Ok(None)
  }
  fn build_gp_params(&self) -> GpParams {
    let gp_params = GpParams::builder()
      .user_agent(&self.user_agent)
      .client_os(ClientOs::from(&self.os))
      .os_version(self.os_version.clone())
      .ignore_tls_errors(self.ignore_tls_errors)
      .build();
    gp_params
  }
  async fn saml_auth(&self, app_handle: AppHandle) -> anyhow::Result<SamlAuthData> {
    let auth_window = AuthWindow::new(app_handle)
      .server(&self.server)
      .user_agent(&self.user_agent)
      .gp_params(self.build_gp_params())
      .saml_request(self.saml_request.as_ref().unwrap())
      .clean(self.clean);
    auth_window.open().await
  }
 }
 fn create_app(cli: Cli) -> anyhow::Result<App> {
  let app = tauri::Builder::default()
    .setup(|app| {
      let app_handle = app.handle();
      tauri::async_runtime::spawn(async move {
        let auth_result = match cli.saml_auth(app_handle.clone()).await {
          Ok(auth_data) => SamlAuthResult::Success(auth_data),
          Err(err) => SamlAuthResult::Failure(format!("{}", err)),
        };
        println!("{}", json!(auth_result));
      });
      Ok(())
    })
    .build(tauri::generate_context!())?;
  Ok(app)
 }
 fn init_logger() {
  env_logger::builder().filter_level(LevelFilter::Info).init();
 }
 pub async fn run() {
  let mut cli = Cli::parse();
  init_logger();
  info!("gpauth started: {}", VERSION);
  if let Err(err) = cli.run().await {
    eprintln!("\nError: {}", err);
    if err.to_string().contains("unsafe legacy renegotiation") && !cli.fix_openssl {
      eprintln!("\nRe-run it with the `--fix-openssl` option to work around this issue, e.g.:\n");
      // Print the command
      let args = std::env::args().collect::<Vec<_>>();
      eprintln!("{} --fix-openssl {}\n", args[0], args[1..].join(" "));
    }
    std::process::exit(1);
  }
 }
--- a/apps/gpauth/src/main.rs
+++ b/apps/gpauth/src/main.rs
@@ -0,0 +1,9 @@
 #![cfg_attr(not(debug_assertions), windows_subsystem = "windows")]
 mod auth_window;
 mod cli;
 #[tokio::main]
 async fn main() {
  cli::run().await;
 }
--- a/apps/gpauth/tauri.conf.json
+++ b/apps/gpauth/tauri.conf.json
@@ -0,0 +1,47 @@
 {
  "$schema": "https://cdn.jsdelivr.net/gh/tauri-apps/tauri@tauri-v1.5.0/tooling/cli/schema.json",
  "build": {
    "distDir": [
      "index.html"
    ],
    "devPath": [
      "index.html"
    ],
    "beforeDevCommand": "",
    "beforeBuildCommand": "",
    "withGlobalTauri": false
  },
  "package": {
    "productName": "gpauth",
    "version": "0.0.0"
  },
  "tauri": {
    "allowlist": {
      "all": false,
      "http": {
        "all": true,
        "request": true,
        "scope": [
          "http://**",
          "https://**"
        ]
      }
    },
    "bundle": {
      "active": true,
      "targets": "deb",
      "identifier": "com.yuezk.gpauth",
      "icon": [
        "icons/32x32.png",
        "icons/128x128.png",
        "icons/128x128@2x.png",
        "icons/icon.icns",
        "icons/icon.ico"
      ]
    },
    "security": {
      "csp": null
    },
    "windows": []
  }
 }
--- a/apps/gpclient/Cargo.toml
+++ b/apps/gpclient/Cargo.toml
@@ -0,0 +1,23 @@
 [package]
 name = "gpclient"
 authors.workspace = true
 version.workspace = true
 edition.workspace = true
 license.workspace = true
 [dependencies]
 gpapi = { path = "../../crates/gpapi", features = ["clap"] }
 openconnect = { path = "../../crates/openconnect" }
 anyhow.workspace = true
 clap.workspace = true
 env_logger.workspace = true
 inquire = "0.6.2"
 log.workspace = true
 tokio.workspace = true
 sysinfo.workspace = true
 serde_json.workspace = true
 whoami.workspace = true
 tempfile.workspace = true
 reqwest.workspace = true
 directories = "5.0"
 compile-time.workspace = true
--- a/apps/gpclient/src/cli.rs
+++ b/apps/gpclient/src/cli.rs
@@ -0,0 +1,129 @@
 use clap::{Parser, Subcommand};
 use gpapi::utils::openssl;
 use log::{info, LevelFilter};
 use tempfile::NamedTempFile;
 use crate::{
  connect::{ConnectArgs, ConnectHandler},
  disconnect::DisconnectHandler,
  launch_gui::{LaunchGuiArgs, LaunchGuiHandler},
 };
 const VERSION: &str = concat!(
  env!("CARGO_PKG_VERSION"),
  " (",
  compile_time::date_str!(),
  ")"
 );
 pub(crate) struct SharedArgs {
  pub(crate) fix_openssl: bool,
  pub(crate) ignore_tls_errors: bool,
 }
 #[derive(Subcommand)]
 enum CliCommand {
  #[command(about = "Connect to a portal server")]
  Connect(ConnectArgs),
  #[command(about = "Disconnect from the server")]
  Disconnect,
  #[command(about = "Launch the GUI")]
  LaunchGui(LaunchGuiArgs),
 }
 #[derive(Parser)]
 #[command(
  version = VERSION,
  author,
  about = "The GlobalProtect VPN client, based on OpenConnect, supports the SSO authentication method.",
  help_template = "\
 {before-help}{name} {version}
 {author}
 {about}
 {usage-heading} {usage}
 {all-args}{after-help}
 See 'gpclient help <command>' for more information on a specific command.
 "
 )]
 struct Cli {
  #[command(subcommand)]
  command: CliCommand,
  #[arg(
    long,
    help = "Get around the OpenSSL `unsafe legacy renegotiation` error"
  )]
  fix_openssl: bool,
  #[arg(long, help = "Ignore the TLS errors")]
  ignore_tls_errors: bool,
 }
 impl Cli {
  fn fix_openssl(&self) -> anyhow::Result<Option<NamedTempFile>> {
    if self.fix_openssl {
      let file = openssl::fix_openssl_env()?;
      return Ok(Some(file));
    }
    Ok(None)
  }
  async fn run(&self) -> anyhow::Result<()> {
    // The temp file will be dropped automatically when the file handle is dropped
    // So, declare it here to ensure it's not dropped
    let _file = self.fix_openssl()?;
    let shared_args = SharedArgs {
      fix_openssl: self.fix_openssl,
      ignore_tls_errors: self.ignore_tls_errors,
    };
    if self.ignore_tls_errors {
      info!("TLS errors will be ignored");
    }
    match &self.command {
      CliCommand::Connect(args) => ConnectHandler::new(args, &shared_args).handle().await,
      CliCommand::Disconnect => DisconnectHandler::new().handle(),
      CliCommand::LaunchGui(args) => LaunchGuiHandler::new(args).handle().await,
    }
  }
 }
 fn init_logger() {
  env_logger::builder().filter_level(LevelFilter::Info).init();
 }
 pub(crate) async fn run() {
  let cli = Cli::parse();
  init_logger();
  info!("gpclient started: {}", VERSION);
  if let Err(err) = cli.run().await {
    eprintln!("\nError: {}", err);
    let err = err.to_string();
    if err.contains("unsafe legacy renegotiation") && !cli.fix_openssl {
      eprintln!("\nRe-run it with the `--fix-openssl` option to work around this issue, e.g.:\n");
      // Print the command
      let args = std::env::args().collect::<Vec<_>>();
      eprintln!("{} --fix-openssl {}\n", args[0], args[1..].join(" "));
    }
    if err.contains("certificate verify failed") {
      eprintln!(
        "\nRe-run it with the `--ignore-tls-errors` option to ignore the certificate error, e.g.:\n"
      );
      // Print the command
      let args = std::env::args().collect::<Vec<_>>();
      eprintln!("{} --ignore-tls-errors {}\n", args[0], args[1..].join(" "));
    }
    std::process::exit(1);
  }
 }
--- a/apps/gpclient/src/connect.rs
+++ b/apps/gpclient/src/connect.rs
@@ -0,0 +1,175 @@
 use std::{fs, sync::Arc};
 use clap::Args;
 use gpapi::{
  clap::args::Os,
  credential::{Credential, PasswordCredential},
  gateway::gateway_login,
  gp_params::{ClientOs, GpParams},
  portal::{prelogin, retrieve_config, Prelogin},
  process::auth_launcher::SamlAuthLauncher,
  utils::{self, shutdown_signal},
  GP_USER_AGENT,
 };
 use inquire::{Password, PasswordDisplayMode, Select, Text};
 use log::info;
 use openconnect::Vpn;
 use crate::{cli::SharedArgs, GP_CLIENT_LOCK_FILE};
 #[derive(Args)]
 pub(crate) struct ConnectArgs {
  #[arg(help = "The portal server to connect to")]
  server: String,
  #[arg(
    short,
    long,
    help = "The gateway to connect to, it will prompt if not specified"
  )]
  gateway: Option<String>,
  #[arg(
    short,
    long,
    help = "The username to use, it will prompt if not specified"
  )]
  user: Option<String>,
  #[arg(long, short, help = "The VPNC script to use")]
  script: Option<String>,
  #[arg(long, default_value = GP_USER_AGENT, help = "The user agent to use")]
  user_agent: String,
  #[arg(long, default_value = "Linux")]
  os: Os,
  #[arg(long)]
  os_version: Option<String>,
  #[arg(long, help = "The HiDPI mode, useful for high resolution screens")]
  hidpi: bool,
  #[arg(long, help = "Do not reuse the remembered authentication cookie")]
  clean: bool,
 }
 impl ConnectArgs {
  fn os_version(&self) -> String {
    if let Some(os_version) = &self.os_version {
      return os_version.to_owned();
    }
    match self.os {
      Os::Linux => format!("Linux {}", whoami::distro()),
      Os::Windows => String::from("Microsoft Windows 11 Pro , 64-bit"),
      Os::Mac => String::from("Apple Mac OS X 13.4.0"),
    }
  }
 }
 pub(crate) struct ConnectHandler<'a> {
  args: &'a ConnectArgs,
  shared_args: &'a SharedArgs,
 }
 impl<'a> ConnectHandler<'a> {
  pub(crate) fn new(args: &'a ConnectArgs, shared_args: &'a SharedArgs) -> Self {
    Self { args, shared_args }
  }
  pub(crate) async fn handle(&self) -> anyhow::Result<()> {
    let portal = utils::normalize_server(self.args.server.as_str())?;
    let gp_params = GpParams::builder()
      .user_agent(&self.args.user_agent)
      .client_os(ClientOs::from(&self.args.os))
      .os_version(self.args.os_version())
      .ignore_tls_errors(self.shared_args.ignore_tls_errors)
      .build();
    let prelogin = prelogin(&portal, &gp_params).await?;
    let portal_credential = self.obtain_portal_credential(&prelogin).await?;
    let mut portal_config = retrieve_config(&portal, &portal_credential, &gp_params).await?;
    let selected_gateway = match &self.args.gateway {
      Some(gateway) => portal_config
        .find_gateway(gateway)
        .ok_or_else(|| anyhow::anyhow!("Cannot find gateway {}", gateway))?,
      None => {
        portal_config.sort_gateways(prelogin.region());
        let gateways = portal_config.gateways();
        if gateways.len() > 1 {
          Select::new("Which gateway do you want to connect to?", gateways)
            .with_vim_mode(true)
            .prompt()?
        } else {
          gateways[0]
        }
      }
    };
    let gateway = selected_gateway.server();
    let cred = portal_config.auth_cookie().into();
    let token = gateway_login(gateway, &cred, &gp_params).await?;
    let vpn = Vpn::builder(gateway, &token)
      .user_agent(self.args.user_agent.clone())
      .script(self.args.script.clone())
      .build();
    let vpn = Arc::new(vpn);
    let vpn_clone = vpn.clone();
    // Listen for the interrupt signal in the background
    tokio::spawn(async move {
      shutdown_signal().await;
      info!("Received the interrupt signal, disconnecting...");
      vpn_clone.disconnect();
    });
    vpn.connect(write_pid_file);
    if fs::metadata(GP_CLIENT_LOCK_FILE).is_ok() {
      info!("Removing PID file");
      fs::remove_file(GP_CLIENT_LOCK_FILE)?;
    }
    Ok(())
  }
  async fn obtain_portal_credential(&self, prelogin: &Prelogin) -> anyhow::Result<Credential> {
    match prelogin {
      Prelogin::Saml(prelogin) => {
        SamlAuthLauncher::new(&self.args.server)
          .saml_request(prelogin.saml_request())
          .user_agent(&self.args.user_agent)
          .os(self.args.os.as_str())
          .os_version(Some(&self.args.os_version()))
          .hidpi(self.args.hidpi)
          .fix_openssl(self.shared_args.fix_openssl)
          .ignore_tls_errors(self.shared_args.ignore_tls_errors)
          .clean(self.args.clean)
          .launch()
          .await
      }
      Prelogin::Standard(prelogin) => {
        println!("{}", prelogin.auth_message());
        let user = self.args.user.as_ref().map_or_else(
          || Text::new(&format!("{}:", prelogin.label_username())).prompt(),
          |user| Ok(user.to_owned()),
        )?;
        let password = Password::new(&format!("{}:", prelogin.label_password()))
          .without_confirmation()
          .with_display_mode(PasswordDisplayMode::Masked)
          .prompt()?;
        let password_cred = PasswordCredential::new(&user, &password);
        Ok(password_cred.into())
      }
    }
  }
 }
 fn write_pid_file() {
  let pid = std::process::id();
  fs::write(GP_CLIENT_LOCK_FILE, pid.to_string()).unwrap();
  info!("Wrote PID {} to {}", pid, GP_CLIENT_LOCK_FILE);
 }
--- a/apps/gpclient/src/disconnect.rs
+++ b/apps/gpclient/src/disconnect.rs
@@ -0,0 +1,31 @@
 use crate::GP_CLIENT_LOCK_FILE;
 use log::{info, warn};
 use std::fs;
 use sysinfo::{Pid, ProcessExt, Signal, System, SystemExt};
 pub(crate) struct DisconnectHandler;
 impl DisconnectHandler {
  pub(crate) fn new() -> Self {
    Self
  }
  pub(crate) fn handle(&self) -> anyhow::Result<()> {
    if fs::metadata(GP_CLIENT_LOCK_FILE).is_err() {
      warn!("PID file not found, maybe the client is not running");
      return Ok(());
    }
    let pid = fs::read_to_string(GP_CLIENT_LOCK_FILE)?;
    let pid = pid.trim().parse::<usize>()?;
    let s = System::new_all();
    if let Some(process) = s.process(Pid::from(pid)) {
      info!("Found process {}, killing...", pid);
      if process.kill_with(Signal::Interrupt).is_none() {
        warn!("Failed to kill process {}", pid);
      }
    }
    Ok(())
  }
 }
--- a/apps/gpclient/src/launch_gui.rs
+++ b/apps/gpclient/src/launch_gui.rs
@@ -0,0 +1,112 @@
 use std::{collections::HashMap, fs, path::PathBuf};
 use clap::Args;
 use directories::ProjectDirs;
 use gpapi::{
  process::service_launcher::ServiceLauncher,
  utils::{endpoint::http_endpoint, env_file, shutdown_signal},
 };
 use log::info;
 #[derive(Args)]
 pub(crate) struct LaunchGuiArgs {
  #[arg(
    required = false,
    help = "The authentication data, used for the default browser authentication"
  )]
  auth_data: Option<String>,
  #[arg(long, help = "Launch the GUI minimized")]
  minimized: bool,
 }
 pub(crate) struct LaunchGuiHandler<'a> {
  args: &'a LaunchGuiArgs,
 }
 impl<'a> LaunchGuiHandler<'a> {
  pub(crate) fn new(args: &'a LaunchGuiArgs) -> Self {
    Self { args }
  }
  pub(crate) async fn handle(&self) -> anyhow::Result<()> {
    // `launch-gui`cannot be run as root
    let user = whoami::username();
    if user == "root" {
      anyhow::bail!("`launch-gui` cannot be run as root");
    }
    let auth_data = self.args.auth_data.as_deref().unwrap_or_default();
    if !auth_data.is_empty() {
      // Process the authentication data, its format is `globalprotectcallback:<data>`
      return feed_auth_data(auth_data).await;
    }
    if try_active_gui().await.is_ok() {
      info!("The GUI is already running");
      return Ok(());
    }
    tokio::spawn(async move {
      shutdown_signal().await;
      info!("Shutting down...");
    });
    let log_file = get_log_file()?;
    let log_file_path = log_file.to_string_lossy().to_string();
    info!("Log file: {}", log_file_path);
    let mut extra_envs = HashMap::<String, String>::new();
    extra_envs.insert("GP_LOG_FILE".into(), log_file_path.clone());
    // Persist the environment variables to a file
    let env_file = env_file::persist_env_vars(Some(extra_envs))?;
    let env_file = env_file.into_temp_path();
    let env_file_path = env_file.to_string_lossy().to_string();
    let exit_status = ServiceLauncher::new()
      .minimized(self.args.minimized)
      .env_file(&env_file_path)
      .log_file(&log_file_path)
      .launch()
      .await?;
    info!("Service exited with status: {}", exit_status);
    Ok(())
  }
 }
 async fn feed_auth_data(auth_data: &str) -> anyhow::Result<()> {
  let service_endpoint = http_endpoint().await?;
  reqwest::Client::default()
    .post(format!("{}/auth-data", service_endpoint))
    .json(&auth_data)
    .send()
    .await?
    .error_for_status()?;
  Ok(())
 }
 async fn try_active_gui() -> anyhow::Result<()> {
  let service_endpoint = http_endpoint().await?;
  reqwest::Client::default()
    .post(format!("{}/active-gui", service_endpoint))
    .send()
    .await?
    .error_for_status()?;
  Ok(())
 }
 pub fn get_log_file() -> anyhow::Result<PathBuf> {
  let dirs = ProjectDirs::from("com.yuezk", "GlobalProtect-openconnect", "gpclient")
    .ok_or_else(|| anyhow::anyhow!("Failed to get project dirs"))?;
  fs::create_dir_all(dirs.data_dir())?;
  Ok(dirs.data_dir().join("gpclient.log"))
 }
--- a/apps/gpclient/src/main.rs
+++ b/apps/gpclient/src/main.rs
@@ -0,0 +1,11 @@
 mod cli;
 mod connect;
 mod disconnect;
 mod launch_gui;
 pub(crate) const GP_CLIENT_LOCK_FILE: &str = "/var/run/gpclient.lock";
 #[tokio::main]
 async fn main() {
  cli::run().await;
 }
--- a/apps/gpservice/Cargo.toml
+++ b/apps/gpservice/Cargo.toml
@@ -0,0 +1,19 @@
 [package]
 name = "gpservice"
 version.workspace = true
 edition.workspace = true
 license.workspace = true
 [dependencies]
 gpapi = { path = "../../crates/gpapi" }
 openconnect = { path = "../../crates/openconnect" }
 clap.workspace = true
 anyhow.workspace = true
 tokio.workspace = true
 tokio-util.workspace = true
 axum = { workspace = true, features = ["ws"] }
 futures.workspace = true
 serde_json.workspace = true
 env_logger.workspace = true
 log.workspace = true
 compile-time.workspace = true
--- a/apps/gpservice/src/cli.rs
+++ b/apps/gpservice/src/cli.rs
@@ -0,0 +1,182 @@
 use std::sync::Arc;
 use std::{collections::HashMap, io::Write};
 use anyhow::bail;
 use clap::Parser;
 use gpapi::{
  process::gui_launcher::GuiLauncher,
  service::{request::WsRequest, vpn_state::VpnState},
  utils::{
    crypto::generate_key, env_file, lock_file::LockFile, redact::Redaction, shutdown_signal,
  },
  GP_SERVICE_LOCK_FILE,
 };
 use log::{info, warn, LevelFilter};
 use tokio::sync::{mpsc, watch};
 use crate::{vpn_task::VpnTask, ws_server::WsServer};
 const VERSION: &str = concat!(
  env!("CARGO_PKG_VERSION"),
  " (",
  compile_time::date_str!(),
  ")"
 );
 #[derive(Parser)]
 #[command(version = VERSION)]
 struct Cli {
  #[clap(long)]
  minimized: bool,
  #[clap(long)]
  env_file: Option<String>,
  #[cfg(debug_assertions)]
  #[clap(long)]
  no_gui: bool,
 }
 impl Cli {
  async fn run(&mut self, redaction: Arc<Redaction>) -> anyhow::Result<()> {
    let lock_file = Arc::new(LockFile::new(GP_SERVICE_LOCK_FILE));
    if lock_file.check_health().await {
      bail!("Another instance of the service is already running");
    }
    let api_key = self.prepare_api_key();
    // Channel for sending requests to the VPN task
    let (ws_req_tx, ws_req_rx) = mpsc::channel::<WsRequest>(32);
    // Channel for receiving the VPN state from the VPN task
    let (vpn_state_tx, vpn_state_rx) = watch::channel(VpnState::Disconnected);
    let mut vpn_task = VpnTask::new(ws_req_rx, vpn_state_tx);
    let ws_server = WsServer::new(
      api_key.clone(),
      ws_req_tx,
      vpn_state_rx,
      lock_file.clone(),
      redaction,
    );
    let (shutdown_tx, mut shutdown_rx) = mpsc::channel::<()>(4);
    let shutdown_tx_clone = shutdown_tx.clone();
    let vpn_task_token = vpn_task.cancel_token();
    let server_token = ws_server.cancel_token();
    let vpn_task_handle = tokio::spawn(async move { vpn_task.start(server_token).await });
    let ws_server_handle = tokio::spawn(async move { ws_server.start(shutdown_tx_clone).await });
    #[cfg(debug_assertions)]
    let no_gui = self.no_gui;
    #[cfg(not(debug_assertions))]
    let no_gui = false;
    if no_gui {
      info!("GUI is disabled");
    } else {
      let envs = self
        .env_file
        .as_ref()
        .map(env_file::load_env_vars)
        .transpose()?;
      let minimized = self.minimized;
      tokio::spawn(async move {
        launch_gui(envs, api_key, minimized).await;
        let _ = shutdown_tx.send(()).await;
      });
    }
    tokio::select! {
        _ = shutdown_signal() => {
            info!("Shutdown signal received");
        }
        _ = shutdown_rx.recv() => {
            info!("Shutdown request received, shutting down");
        }
    }
    vpn_task_token.cancel();
    let _ = tokio::join!(vpn_task_handle, ws_server_handle);
    lock_file.unlock()?;
    info!("gpservice stopped");
    Ok(())
  }
  fn prepare_api_key(&self) -> Vec<u8> {
    #[cfg(debug_assertions)]
    if self.no_gui {
      return gpapi::GP_API_KEY.to_vec();
    }
    generate_key().to_vec()
  }
 }
 fn init_logger() -> Arc<Redaction> {
  let redaction = Arc::new(Redaction::new());
  let redaction_clone = Arc::clone(&redaction);
  // let target = Box::new(File::create("log.txt").expect("Can't create file"));
  env_logger::builder()
    .filter_level(LevelFilter::Info)
    .format(move |buf, record| {
      let timestamp = buf.timestamp();
      writeln!(
        buf,
        "[{} {} {}] {}",
        timestamp,
        record.level(),
        record.module_path().unwrap_or_default(),
        redaction_clone.redact_str(&record.args().to_string())
      )
    })
    // .target(env_logger::Target::Pipe(target))
    .init();
  redaction
 }
 async fn launch_gui(envs: Option<HashMap<String, String>>, api_key: Vec<u8>, mut minimized: bool) {
  loop {
    let api_key_clone = api_key.clone();
    let gui_launcher = GuiLauncher::new()
      .envs(envs.clone())
      .api_key(api_key_clone)
      .minimized(minimized);
    match gui_launcher.launch().await {
      Ok(exit_status) => {
        // Exit code 99 means that the GUI needs to be restarted
        if exit_status.code() != Some(99) {
          info!("GUI exited with code {:?}", exit_status.code());
          break;
        }
        info!("GUI exited with code 99, restarting");
        minimized = false;
      }
      Err(err) => {
        warn!("Failed to launch GUI: {}", err);
        break;
      }
    }
  }
 }
 pub async fn run() {
  let mut cli = Cli::parse();
  let redaction = init_logger();
  info!("gpservice started: {}", VERSION);
  if let Err(e) = cli.run(redaction).await {
    eprintln!("Error: {}", e);
    std::process::exit(1);
  }
 }
--- a/apps/gpservice/src/handlers.rs
+++ b/apps/gpservice/src/handlers.rs
@@ -0,0 +1,101 @@
 use std::{borrow::Cow, ops::ControlFlow, sync::Arc};
 use axum::{
  extract::{
    ws::{self, CloseFrame, Message, WebSocket},
    State, WebSocketUpgrade,
  },
  response::IntoResponse,
 };
 use futures::{SinkExt, StreamExt};
 use gpapi::service::event::WsEvent;
 use log::{info, warn};
 use crate::ws_server::WsServerContext;
 pub(crate) async fn health() -> impl IntoResponse {
  "OK"
 }
 pub(crate) async fn active_gui(State(ctx): State<Arc<WsServerContext>>) -> impl IntoResponse {
  ctx.send_event(WsEvent::ActiveGui).await;
 }
 pub(crate) async fn auth_data(
  State(ctx): State<Arc<WsServerContext>>,
  body: String,
 ) -> impl IntoResponse {
  ctx.send_event(WsEvent::AuthData(body)).await;
 }
 pub(crate) async fn ws_handler(
  ws: WebSocketUpgrade,
  State(ctx): State<Arc<WsServerContext>>,
 ) -> impl IntoResponse {
  ws.on_upgrade(move |socket| handle_socket(socket, ctx))
 }
 async fn handle_socket(mut socket: WebSocket, ctx: Arc<WsServerContext>) {
  // Send ping message
  if let Err(err) = socket.send(Message::Ping("Hi".into())).await {
    warn!("Failed to send ping: {}", err);
    return;
  }
  // Wait for pong message
  if socket.recv().await.is_none() {
    warn!("Failed to receive pong");
    return;
  }
  info!("New client connected");
  let (mut sender, mut receiver) = socket.split();
  let (connection, mut msg_rx) = ctx.add_connection().await;
  let send_task = tokio::spawn(async move {
    while let Some(msg) = msg_rx.recv().await {
      if let Err(err) = sender.send(msg).await {
        info!("Failed to send message: {}", err);
        break;
      }
    }
    let close_msg = Message::Close(Some(CloseFrame {
      code: ws::close_code::NORMAL,
      reason: Cow::from("Goodbye"),
    }));
    if let Err(err) = sender.send(close_msg).await {
      warn!("Failed to close socket: {}", err);
    }
  });
  let conn = Arc::clone(&connection);
  let ctx_clone = Arc::clone(&ctx);
  let recv_task = tokio::spawn(async move {
    while let Some(Ok(msg)) = receiver.next().await {
      let ControlFlow::Continue(ws_req) = conn.recv_msg(msg) else {
        break;
      };
      if let Err(err) = ctx_clone.forward_req(ws_req).await {
        info!("Failed to forward request: {}", err);
        break;
      }
    }
  });
  tokio::select! {
    _ = send_task => {
        info!("WS server send task completed");
    },
    _ = recv_task => {
        info!("WS server recv task completed");
    }
  }
  info!("Client disconnected");
  ctx.remove_connection(connection).await;
 }
--- a/apps/gpservice/src/main.rs
+++ b/apps/gpservice/src/main.rs
@@ -0,0 +1,11 @@
 mod cli;
 mod handlers;
 mod routes;
 mod vpn_task;
 mod ws_server;
 mod ws_connection;
 #[tokio::main]
 async fn main() {
  cli::run().await;
 }
--- a/apps/gpservice/src/routes.rs
+++ b/apps/gpservice/src/routes.rs
@@ -0,0 +1,14 @@
 use std::sync::Arc;
 use axum::{routing::{get, post}, Router};
 use crate::{handlers, ws_server::WsServerContext};
 pub(crate) fn routes(ctx: Arc<WsServerContext>) -> Router {
  Router::new()
    .route("/health", get(handlers::health))
    .route("/active-gui", post(handlers::active_gui))
    .route("/auth-data", post(handlers::auth_data))
    .route("/ws", get(handlers::ws_handler))
    .with_state(ctx)
 }
--- a/apps/gpservice/src/vpn_task.rs
+++ b/apps/gpservice/src/vpn_task.rs
@@ -0,0 +1,144 @@
 use std::{sync::Arc, thread};
 use gpapi::service::{
  request::{ConnectRequest, WsRequest},
  vpn_state::VpnState,
 };
 use log::info;
 use openconnect::Vpn;
 use tokio::sync::{mpsc, oneshot, watch, RwLock};
 use tokio_util::sync::CancellationToken;
 pub(crate) struct VpnTaskContext {
  vpn_handle: Arc<RwLock<Option<Vpn>>>,
  vpn_state_tx: Arc<watch::Sender<VpnState>>,
  disconnect_rx: RwLock<Option<oneshot::Receiver<()>>>,
 }
 impl VpnTaskContext {
  pub fn new(vpn_state_tx: watch::Sender<VpnState>) -> Self {
    Self {
      vpn_handle: Default::default(),
      vpn_state_tx: Arc::new(vpn_state_tx),
      disconnect_rx: Default::default(),
    }
  }
  pub async fn connect(&self, req: ConnectRequest) {
    let vpn_state = self.vpn_state_tx.borrow().clone();
    if !matches!(vpn_state, VpnState::Disconnected) {
      info!("VPN is not disconnected, ignore the request");
      return;
    }
    let info = req.info().clone();
    let vpn_handle = self.vpn_handle.clone();
    let args = req.args();
    let vpn = Vpn::builder(req.gateway().server(), args.cookie())
      .user_agent(args.user_agent())
      .script(args.vpnc_script())
      .os(args.openconnect_os())
      .build();
    // Save the VPN handle
    vpn_handle.write().await.replace(vpn);
    let vpn_state_tx = self.vpn_state_tx.clone();
    let connect_info = Box::new(info.clone());
    vpn_state_tx.send(VpnState::Connecting(connect_info)).ok();
    let (disconnect_tx, disconnect_rx) = oneshot::channel::<()>();
    self.disconnect_rx.write().await.replace(disconnect_rx);
    // Spawn a new thread to process the VPN connection, cannot use tokio::spawn here.
    // Otherwise, it will block the tokio runtime and cannot send the VPN state to the channel
    thread::spawn(move || {
      let vpn_state_tx_clone = vpn_state_tx.clone();
      vpn_handle.blocking_read().as_ref().map(|vpn| {
        vpn.connect(move || {
          let connect_info = Box::new(info.clone());
          vpn_state_tx.send(VpnState::Connected(connect_info)).ok();
        })
      });
      // Notify the VPN is disconnected
      vpn_state_tx_clone.send(VpnState::Disconnected).ok();
      // Remove the VPN handle
      vpn_handle.blocking_write().take();
      disconnect_tx.send(()).ok();
    });
  }
  pub async fn disconnect(&self) {
    if let Some(disconnect_rx) = self.disconnect_rx.write().await.take() {
      if let Some(vpn) = self.vpn_handle.read().await.as_ref() {
        self.vpn_state_tx.send(VpnState::Disconnecting).ok();
        vpn.disconnect()
      }
      // Wait for the VPN to be disconnected
      disconnect_rx.await.ok();
      info!("VPN disconnected");
    } else {
      info!("VPN is not connected, skip disconnect");
      self.vpn_state_tx.send(VpnState::Disconnected).ok();
    }
  }
 }
 pub(crate) struct VpnTask {
  ws_req_rx: mpsc::Receiver<WsRequest>,
  ctx: Arc<VpnTaskContext>,
  cancel_token: CancellationToken,
 }
 impl VpnTask {
  pub fn new(ws_req_rx: mpsc::Receiver<WsRequest>, vpn_state_tx: watch::Sender<VpnState>) -> Self {
    let ctx = Arc::new(VpnTaskContext::new(vpn_state_tx));
    let cancel_token = CancellationToken::new();
    Self {
      ws_req_rx,
      ctx,
      cancel_token,
    }
  }
  pub fn cancel_token(&self) -> CancellationToken {
    self.cancel_token.clone()
  }
  pub async fn start(&mut self, server_cancel_token: CancellationToken) {
    let cancel_token = self.cancel_token.clone();
    tokio::select! {
        _ = self.recv() => {
            info!("VPN task stopped");
        }
        _ = cancel_token.cancelled() => {
            info!("VPN task cancelled");
            self.ctx.disconnect().await;
        }
    }
    server_cancel_token.cancel();
  }
  async fn recv(&mut self) {
    while let Some(req) = self.ws_req_rx.recv().await {
      tokio::spawn(process_ws_req(req, self.ctx.clone()));
    }
  }
 }
 async fn process_ws_req(req: WsRequest, ctx: Arc<VpnTaskContext>) {
  match req {
    WsRequest::Connect(req) => {
      ctx.connect(*req).await;
    }
    WsRequest::Disconnect(_) => {
      ctx.disconnect().await;
    }
  }
 }
--- a/apps/gpservice/src/ws_connection.rs
+++ b/apps/gpservice/src/ws_connection.rs
@@ -0,0 +1,53 @@
 use std::{ops::ControlFlow, sync::Arc};
 use axum::extract::ws::{CloseFrame, Message};
 use gpapi::{
  service::{event::WsEvent, request::WsRequest},
  utils::crypto::Crypto,
 };
 use log::{info, warn};
 use tokio::sync::mpsc;
 pub(crate) struct WsConnection {
  crypto: Arc<Crypto>,
  tx: mpsc::Sender<Message>,
 }
 impl WsConnection {
  pub fn new(crypto: Arc<Crypto>, tx: mpsc::Sender<Message>) -> Self {
    Self { crypto, tx }
  }
  pub async fn send_event(&self, event: &WsEvent) -> anyhow::Result<()> {
    let encrypted = self.crypto.encrypt(event)?;
    let msg = Message::Binary(encrypted);
    self.tx.send(msg).await?;
    Ok(())
  }
  pub fn recv_msg(&self, msg: Message) -> ControlFlow<(), WsRequest> {
    match msg {
      Message::Binary(data) => match self.crypto.decrypt(data) {
        Ok(ws_req) => ControlFlow::Continue(ws_req),
        Err(err) => {
          info!("Failed to decrypt message: {}", err);
          ControlFlow::Break(())
        }
      },
      Message::Close(cf) => {
        if let Some(CloseFrame { code, reason }) = cf {
          info!("Client sent close, code {} and reason `{}`", code, reason);
        } else {
          info!("Client somehow sent close message without CloseFrame");
        }
        ControlFlow::Break(())
      }
      _ => {
        warn!("WS server received unexpected message: {:?}", msg);
        ControlFlow::Break(())
      }
    }
  }
 }
--- a/apps/gpservice/src/ws_server.rs
+++ b/apps/gpservice/src/ws_server.rs
@@ -0,0 +1,158 @@
 use std::sync::Arc;
 use axum::extract::ws::Message;
 use gpapi::{
  service::{event::WsEvent, request::WsRequest, vpn_state::VpnState},
  utils::{crypto::Crypto, lock_file::LockFile, redact::Redaction},
 };
 use log::{info, warn};
 use tokio::{
  net::TcpListener,
  sync::{mpsc, watch, RwLock},
 };
 use tokio_util::sync::CancellationToken;
 use crate::{routes, ws_connection::WsConnection};
 pub(crate) struct WsServerContext {
  crypto: Arc<Crypto>,
  ws_req_tx: mpsc::Sender<WsRequest>,
  vpn_state_rx: watch::Receiver<VpnState>,
  redaction: Arc<Redaction>,
  connections: RwLock<Vec<Arc<WsConnection>>>,
 }
 impl WsServerContext {
  pub fn new(
    api_key: Vec<u8>,
    ws_req_tx: mpsc::Sender<WsRequest>,
    vpn_state_rx: watch::Receiver<VpnState>,
    redaction: Arc<Redaction>,
  ) -> Self {
    Self {
      crypto: Arc::new(Crypto::new(api_key)),
      ws_req_tx,
      vpn_state_rx,
      redaction,
      connections: Default::default(),
    }
  }
  pub async fn send_event(&self, event: WsEvent) {
    let connections = self.connections.read().await;
    for conn in connections.iter() {
      let _ = conn.send_event(&event).await;
    }
  }
  pub async fn add_connection(&self) -> (Arc<WsConnection>, mpsc::Receiver<Message>) {
    let (tx, rx) = mpsc::channel::<Message>(32);
    let conn = Arc::new(WsConnection::new(Arc::clone(&self.crypto), tx));
    // Send current VPN state to new client
    info!("Sending current VPN state to new client");
    let vpn_state = self.vpn_state_rx.borrow().clone();
    if let Err(err) = conn.send_event(&WsEvent::VpnState(vpn_state)).await {
      warn!("Failed to send VPN state to new client: {}", err);
    }
    self.connections.write().await.push(Arc::clone(&conn));
    (conn, rx)
  }
  pub async fn remove_connection(&self, conn: Arc<WsConnection>) {
    let mut connections = self.connections.write().await;
    connections.retain(|c| !Arc::ptr_eq(c, &conn));
  }
  fn vpn_state_rx(&self) -> watch::Receiver<VpnState> {
    self.vpn_state_rx.clone()
  }
  pub async fn forward_req(&self, req: WsRequest) -> anyhow::Result<()> {
    if let WsRequest::Connect(ref req) = req {
      self
        .redaction
        .add_values(&[req.gateway().server(), req.args().cookie()])?
    }
    self.ws_req_tx.send(req).await?;
    Ok(())
  }
 }
 pub(crate) struct WsServer {
  ctx: Arc<WsServerContext>,
  cancel_token: CancellationToken,
  lock_file: Arc<LockFile>,
 }
 impl WsServer {
  pub fn new(
    api_key: Vec<u8>,
    ws_req_tx: mpsc::Sender<WsRequest>,
    vpn_state_rx: watch::Receiver<VpnState>,
    lock_file: Arc<LockFile>,
    redaction: Arc<Redaction>,
  ) -> Self {
    let ctx = Arc::new(WsServerContext::new(
      api_key,
      ws_req_tx,
      vpn_state_rx,
      redaction,
    ));
    let cancel_token = CancellationToken::new();
    Self {
      ctx,
      cancel_token,
      lock_file,
    }
  }
  pub fn cancel_token(&self) -> CancellationToken {
    self.cancel_token.clone()
  }
  pub async fn start(&self, shutdown_tx: mpsc::Sender<()>) {
    if let Ok(listener) = TcpListener::bind("127.0.0.1:0").await {
      let local_addr = listener.local_addr().unwrap();
      self.lock_file.lock(local_addr.port().to_string()).unwrap();
      info!("WS server listening on port: {}", local_addr.port());
      tokio::select! {
        _ = watch_vpn_state(self.ctx.vpn_state_rx(), Arc::clone(&self.ctx)) => {
          info!("VPN state watch task completed");
        }
        _ = start_server(listener, self.ctx.clone()) => {
            info!("WS server stopped");
        }
        _ = self.cancel_token.cancelled() => {
          info!("WS server cancelled");
        }
      }
    }
    let _ = shutdown_tx.send(()).await;
  }
 }
 async fn watch_vpn_state(mut vpn_state_rx: watch::Receiver<VpnState>, ctx: Arc<WsServerContext>) {
  while vpn_state_rx.changed().await.is_ok() {
    let vpn_state = vpn_state_rx.borrow().clone();
    ctx.send_event(WsEvent::VpnState(vpn_state)).await;
  }
 }
 async fn start_server(listener: TcpListener, ctx: Arc<WsServerContext>) -> anyhow::Result<()> {
  let routes = routes::routes(ctx);
  axum::serve(listener, routes).await?;
  Ok(())
 }
--- a/crates/gpapi/Cargo.toml
+++ b/crates/gpapi/Cargo.toml
@@ -0,0 +1,36 @@
 [package]
 name = "gpapi"
 version.workspace = true
 edition.workspace = true
 license = "MIT"
 [dependencies]
 anyhow.workspace = true
 base64.workspace = true
 log.workspace = true
 reqwest.workspace = true
 roxmltree.workspace = true
 serde.workspace = true
 specta.workspace = true
 specta-macros.workspace = true
 urlencoding.workspace = true
 tokio.workspace = true
 serde_json.workspace = true
 whoami.workspace = true
 tempfile.workspace = true
 thiserror.workspace = true
 chacha20poly1305 = { version = "0.10", features = ["std"] }
 redact-engine.workspace = true
 url.workspace = true
 regex.workspace = true
 dotenvy_macro.workspace = true
 uzers.workspace = true
 tauri = { workspace = true, optional = true }
 clap = { workspace = true, optional = true }
 open = { version = "5", optional = true }
 [features]
 tauri = ["dep:tauri"]
 clap = ["dep:clap"]
 browser-auth = ["dep:open"]
--- a/crates/gpapi/src/auth.rs
+++ b/crates/gpapi/src/auth.rs
@@ -0,0 +1,98 @@
 use anyhow::bail;
 use regex::Regex;
 use serde::{Deserialize, Serialize};
 #[derive(Debug, Serialize, Deserialize)]
 #[serde(rename_all = "camelCase")]
 pub struct SamlAuthData {
  username: String,
  prelogin_cookie: Option<String>,
  portal_userauthcookie: Option<String>,
 }
 #[derive(Debug, Serialize, Deserialize)]
 #[serde(rename_all = "camelCase")]
 pub enum SamlAuthResult {
  Success(SamlAuthData),
  Failure(String),
 }
 impl SamlAuthResult {
  pub fn is_success(&self) -> bool {
    match self {
      SamlAuthResult::Success(_) => true,
      SamlAuthResult::Failure(_) => false,
    }
  }
 }
 impl SamlAuthData {
  pub fn new(
    username: String,
    prelogin_cookie: Option<String>,
    portal_userauthcookie: Option<String>,
  ) -> Self {
    Self {
      username,
      prelogin_cookie,
      portal_userauthcookie,
    }
  }
  pub fn parse_html(html: &str) -> anyhow::Result<SamlAuthData> {
    match parse_xml_tag(html, "saml-auth-status") {
      Some(saml_status) if saml_status == "1" => {
        let username = parse_xml_tag(html, "saml-username");
        let prelogin_cookie = parse_xml_tag(html, "prelogin-cookie");
        let portal_userauthcookie = parse_xml_tag(html, "portal-userauthcookie");
        if SamlAuthData::check(&username, &prelogin_cookie, &portal_userauthcookie) {
          return Ok(SamlAuthData::new(
            username.unwrap(),
            prelogin_cookie,
            portal_userauthcookie,
          ));
        }
        bail!("Found invalid auth data in HTML");
      }
      Some(status) => {
        bail!("Found invalid SAML status {} in HTML", status);
      }
      None => {
        bail!("No auth data found in HTML");
      }
    }
  }
  pub fn username(&self) -> &str {
    &self.username
  }
  pub fn prelogin_cookie(&self) -> Option<&str> {
    self.prelogin_cookie.as_deref()
  }
  pub fn check(
    username: &Option<String>,
    prelogin_cookie: &Option<String>,
    portal_userauthcookie: &Option<String>,
  ) -> bool {
    let username_valid = username
      .as_ref()
      .is_some_and(|username| !username.is_empty());
    let prelogin_cookie_valid = prelogin_cookie.as_ref().is_some_and(|val| val.len() > 5);
    let portal_userauthcookie_valid = portal_userauthcookie
      .as_ref()
      .is_some_and(|val| val.len() > 5);
    username_valid && (prelogin_cookie_valid || portal_userauthcookie_valid)
  }
 }
 pub fn parse_xml_tag(html: &str, tag: &str) -> Option<String> {
  let re = Regex::new(&format!("<{}>(.*)</{}>", tag, tag)).unwrap();
  re.captures(html)
    .and_then(|captures| captures.get(1))
    .map(|m| m.as_str().to_string())
 }
--- a/crates/gpapi/src/clap/args.rs
+++ b/crates/gpapi/src/clap/args.rs
@@ -0,0 +1,64 @@
 use clap::{builder::PossibleValue, ValueEnum};
 use crate::gp_params::ClientOs;
 #[derive(Debug, Clone)]
 pub enum Os {
  Linux,
  Windows,
  Mac,
 }
 impl Os {
  pub fn as_str(&self) -> &'static str {
    match self {
      Os::Linux => "Linux",
      Os::Windows => "Windows",
      Os::Mac => "Mac",
    }
  }
 }
 impl From<&str> for Os {
  fn from(os: &str) -> Self {
    match os.to_lowercase().as_str() {
      "linux" => Os::Linux,
      "windows" => Os::Windows,
      "mac" => Os::Mac,
      _ => Os::Linux,
    }
  }
 }
 impl From<&Os> for ClientOs {
  fn from(value: &Os) -> Self {
    match value {
      Os::Linux => ClientOs::Linux,
      Os::Windows => ClientOs::Windows,
      Os::Mac => ClientOs::Mac,
    }
  }
 }
 impl ValueEnum for Os {
  fn value_variants<'a>() -> &'a [Self] {
    &[Os::Linux, Os::Windows, Os::Mac]
  }
  fn to_possible_value(&self) -> Option<clap::builder::PossibleValue> {
    match self {
      Os::Linux => Some(PossibleValue::new("Linux")),
      Os::Windows => Some(PossibleValue::new("Windows")),
      Os::Mac => Some(PossibleValue::new("Mac")),
    }
  }
  fn from_str(input: &str, _: bool) -> Result<Self, String> {
    match input.to_lowercase().as_str() {
      "linux" => Ok(Os::Linux),
      "windows" => Ok(Os::Windows),
      "mac" => Ok(Os::Mac),
      _ => Err(format!("Invalid OS: {}", input)),
    }
  }
 }
--- a/crates/gpapi/src/clap/mod.rs
+++ b/crates/gpapi/src/clap/mod.rs
@@ -0,0 +1 @@
 pub mod args;
--- a/crates/gpapi/src/credential.rs
+++ b/crates/gpapi/src/credential.rs
@@ -0,0 +1,237 @@
 use std::collections::HashMap;
 use serde::{Deserialize, Serialize};
 use specta::Type;
 use crate::{auth::SamlAuthData, utils::base64::decode_to_string};
 #[derive(Debug, Serialize, Deserialize, Type, Clone)]
 #[serde(rename_all = "camelCase")]
 pub struct PasswordCredential {
  username: String,
  password: String,
 }
 impl PasswordCredential {
  pub fn new(username: &str, password: &str) -> Self {
    Self {
      username: username.to_string(),
      password: password.to_string(),
    }
  }
  pub fn username(&self) -> &str {
    &self.username
  }
  pub fn password(&self) -> &str {
    &self.password
  }
 }
 impl From<&CachedCredential> for PasswordCredential {
  fn from(value: &CachedCredential) -> Self {
    Self::new(value.username(), value.password().unwrap_or_default())
  }
 }
 #[derive(Debug, Serialize, Deserialize, Type, Clone)]
 #[serde(rename_all = "camelCase")]
 pub struct PreloginCookieCredential {
  username: String,
  prelogin_cookie: String,
 }
 impl PreloginCookieCredential {
  pub fn new(username: &str, prelogin_cookie: &str) -> Self {
    Self {
      username: username.to_string(),
      prelogin_cookie: prelogin_cookie.to_string(),
    }
  }
  pub fn username(&self) -> &str {
    &self.username
  }
  pub fn prelogin_cookie(&self) -> &str {
    &self.prelogin_cookie
  }
 }
 impl TryFrom<SamlAuthData> for PreloginCookieCredential {
  type Error = anyhow::Error;
  fn try_from(value: SamlAuthData) -> Result<Self, Self::Error> {
    let username = value.username().to_string();
    let prelogin_cookie = value
      .prelogin_cookie()
      .ok_or_else(|| anyhow::anyhow!("Missing prelogin cookie"))?
      .to_string();
    Ok(Self::new(&username, &prelogin_cookie))
  }
 }
 #[derive(Debug, Serialize, Deserialize, Type, Clone)]
 #[serde(rename_all = "camelCase")]
 pub struct AuthCookieCredential {
  username: String,
  user_auth_cookie: String,
  prelogon_user_auth_cookie: String,
 }
 impl AuthCookieCredential {
  pub fn new(username: &str, user_auth_cookie: &str, prelogon_user_auth_cookie: &str) -> Self {
    Self {
      username: username.to_string(),
      user_auth_cookie: user_auth_cookie.to_string(),
      prelogon_user_auth_cookie: prelogon_user_auth_cookie.to_string(),
    }
  }
  pub fn username(&self) -> &str {
    &self.username
  }
  pub fn user_auth_cookie(&self) -> &str {
    &self.user_auth_cookie
  }
  pub fn prelogon_user_auth_cookie(&self) -> &str {
    &self.prelogon_user_auth_cookie
  }
 }
 #[derive(Debug, Serialize, Deserialize, Type, Clone)]
 #[serde(rename_all = "camelCase")]
 pub struct CachedCredential {
  username: String,
  password: Option<String>,
  auth_cookie: AuthCookieCredential,
 }
 impl CachedCredential {
  pub fn new(
    username: String,
    password: Option<String>,
    auth_cookie: AuthCookieCredential,
  ) -> Self {
    Self {
      username,
      password,
      auth_cookie,
    }
  }
  pub fn username(&self) -> &str {
    &self.username
  }
  pub fn password(&self) -> Option<&str> {
    self.password.as_deref()
  }
  pub fn auth_cookie(&self) -> &AuthCookieCredential {
    &self.auth_cookie
  }
  pub fn set_auth_cookie(&mut self, auth_cookie: AuthCookieCredential) {
    self.auth_cookie = auth_cookie;
  }
 }
 #[derive(Debug, Serialize, Deserialize, Type, Clone)]
 #[serde(tag = "type", rename_all = "camelCase")]
 pub enum Credential {
  Password(PasswordCredential),
  PreloginCookie(PreloginCookieCredential),
  AuthCookie(AuthCookieCredential),
  CachedCredential(CachedCredential),
 }
 impl Credential {
  /// Create a credential from a globalprotectcallback:<base64 encoded string>
  pub fn parse_gpcallback(auth_data: &str) -> anyhow::Result<Self> {
    // Remove the surrounding quotes
    let auth_data = auth_data.trim_matches('"');
    let auth_data = auth_data.trim_start_matches("globalprotectcallback:");
    let auth_data = decode_to_string(auth_data)?;
    let auth_data = SamlAuthData::parse_html(&auth_data)?;
    Self::try_from(auth_data)
  }
  pub fn username(&self) -> &str {
    match self {
      Credential::Password(cred) => cred.username(),
      Credential::PreloginCookie(cred) => cred.username(),
      Credential::AuthCookie(cred) => cred.username(),
      Credential::CachedCredential(cred) => cred.username(),
    }
  }
  pub fn to_params(&self) -> HashMap<&str, &str> {
    let mut params = HashMap::new();
    params.insert("user", self.username());
    let (passwd, prelogin_cookie, portal_userauthcookie, portal_prelogonuserauthcookie) = match self
    {
      Credential::Password(cred) => (Some(cred.password()), None, None, None),
      Credential::PreloginCookie(cred) => (None, Some(cred.prelogin_cookie()), None, None),
      Credential::AuthCookie(cred) => (
        None,
        None,
        Some(cred.user_auth_cookie()),
        Some(cred.prelogon_user_auth_cookie()),
      ),
      Credential::CachedCredential(cred) => (
        cred.password(),
        None,
        Some(cred.auth_cookie.user_auth_cookie()),
        Some(cred.auth_cookie.prelogon_user_auth_cookie()),
      ),
    };
    params.insert("passwd", passwd.unwrap_or_default());
    params.insert("prelogin-cookie", prelogin_cookie.unwrap_or_default());
    params.insert(
      "portal-userauthcookie",
      portal_userauthcookie.unwrap_or_default(),
    );
    params.insert(
      "portal-prelogonuserauthcookie",
      portal_prelogonuserauthcookie.unwrap_or_default(),
    );
    params
  }
 }
 impl TryFrom<SamlAuthData> for Credential {
  type Error = anyhow::Error;
  fn try_from(value: SamlAuthData) -> Result<Self, Self::Error> {
    let prelogin_cookie = PreloginCookieCredential::try_from(value)?;
    Ok(Self::PreloginCookie(prelogin_cookie))
  }
 }
 impl From<PasswordCredential> for Credential {
  fn from(value: PasswordCredential) -> Self {
    Self::Password(value)
  }
 }
 impl From<&AuthCookieCredential> for Credential {
  fn from(value: &AuthCookieCredential) -> Self {
    Self::AuthCookie(value.clone())
  }
 }
 impl From<&CachedCredential> for Credential {
  fn from(value: &CachedCredential) -> Self {
    Self::CachedCredential(value.clone())
  }
 }
--- a/crates/gpapi/src/gateway/login.rs
+++ b/crates/gpapi/src/gateway/login.rs
@@ -0,0 +1,68 @@
 use log::info;
 use reqwest::Client;
 use roxmltree::Document;
 use urlencoding::encode;
 use crate::{credential::Credential, gp_params::GpParams};
 pub async fn gateway_login(
  gateway: &str,
  cred: &Credential,
  gp_params: &GpParams,
 ) -> anyhow::Result<String> {
  let login_url = format!("https://{}/ssl-vpn/login.esp", gateway);
  let client = Client::builder()
    .user_agent(gp_params.user_agent())
    .build()?;
  let mut params = cred.to_params();
  let extra_params = gp_params.to_params();
  params.extend(extra_params);
  params.insert("server", gateway);
  info!("Gateway login, user_agent: {}", gp_params.user_agent());
  let res = client.post(&login_url).form(&params).send().await?;
  let res_xml = res.error_for_status()?.text().await?;
  let doc = Document::parse(&res_xml)?;
  build_gateway_token(&doc, gp_params.computer())
 }
 fn build_gateway_token(doc: &Document, computer: &str) -> anyhow::Result<String> {
  let args = doc
    .descendants()
    .filter(|n| n.has_tag_name("argument"))
    .map(|n| n.text().unwrap_or("").to_string())
    .collect::<Vec<_>>();
  let params = [
    read_args(&args, 1, "authcookie")?,
    read_args(&args, 3, "portal")?,
    read_args(&args, 4, "user")?,
    read_args(&args, 7, "domain")?,
    read_args(&args, 15, "preferred-ip")?,
    ("computer", computer),
  ];
  let token = params
    .iter()
    .map(|(k, v)| format!("{}={}", k, encode(v)))
    .collect::<Vec<_>>()
    .join("&");
  Ok(token)
 }
 fn read_args<'a>(
  args: &'a [String],
  index: usize,
  key: &'a str,
 ) -> anyhow::Result<(&'a str, &'a str)> {
  args
    .get(index)
    .ok_or_else(|| anyhow::anyhow!("Failed to read {key} from args"))
    .map(|s| (key, s.as_ref()))
 }
--- a/crates/gpapi/src/gateway/mod.rs
+++ b/crates/gpapi/src/gateway/mod.rs
@@ -0,0 +1,41 @@
 mod login;
 mod parse_gateways;
 pub use login::*;
 pub(crate) use parse_gateways::*;
 use serde::{Deserialize, Serialize};
 use specta::Type;
 use std::fmt::Display;
 #[derive(Debug, Serialize, Deserialize, Type, Clone)]
 pub(crate) struct PriorityRule {
  pub(crate) name: String,
  pub(crate) priority: u32,
 }
 #[derive(Debug, Serialize, Deserialize, Type, Clone)]
 #[serde(rename_all = "camelCase")]
 pub struct Gateway {
  pub(crate) name: String,
  pub(crate) address: String,
  pub(crate) priority: u32,
  pub(crate) priority_rules: Vec<PriorityRule>,
 }
 impl Display for Gateway {
  fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
    write!(f, "{} ({})", self.name, self.address)
  }
 }
 impl Gateway {
  pub fn name(&self) -> &str {
    &self.name
  }
  pub fn server(&self) -> &str {
    &self.address
  }
 }
--- a/crates/gpapi/src/gateway/parse_gateways.rs
+++ b/crates/gpapi/src/gateway/parse_gateways.rs
@@ -0,0 +1,63 @@
 use roxmltree::Document;
 use super::{Gateway, PriorityRule};
 pub(crate) fn parse_gateways(doc: &Document) -> Option<Vec<Gateway>> {
  let node_gateways = doc.descendants().find(|n| n.has_tag_name("gateways"))?;
  let list_gateway = node_gateways
    .descendants()
    .find(|n| n.has_tag_name("list"))?;
  let gateways = list_gateway
    .children()
    .filter_map(|gateway_item| {
      if !gateway_item.has_tag_name("entry") {
        return None;
      }
      let address = gateway_item.attribute("name").unwrap_or("").to_string();
      let name = gateway_item
        .children()
        .find(|n| n.has_tag_name("description"))
        .and_then(|n| n.text())
        .unwrap_or("")
        .to_string();
      let priority = gateway_item
        .children()
        .find(|n| n.has_tag_name("priority"))
        .and_then(|n| n.text())
        .and_then(|s| s.parse().ok())
        .unwrap_or(u32::MAX);
      let priority_rules = gateway_item
        .children()
        .find(|n| n.has_tag_name("priority-rule"))
        .map(|n| {
          n.children()
            .filter_map(|n| {
              if !n.has_tag_name("entry") {
                return None;
              }
              let name = n.attribute("name").unwrap_or("").to_string();
              let priority: u32 = n
                .children()
                .find(|n| n.has_tag_name("priority"))
                .and_then(|n| n.text())
                .and_then(|s| s.parse().ok())
                .unwrap_or(u32::MAX);
              Some(PriorityRule { name, priority })
            })
            .collect()
        })
        .unwrap_or_default();
      Some(Gateway {
        name,
        address,
        priority,
        priority_rules,
      })
    })
    .collect();
  Some(gateways)
 }
--- a/crates/gpapi/src/gp_params.rs
+++ b/crates/gpapi/src/gp_params.rs
@@ -0,0 +1,180 @@
 use std::collections::HashMap;
 use serde::{Deserialize, Serialize};
 use specta::Type;
 use crate::GP_USER_AGENT;
 #[derive(Debug, Serialize, Deserialize, Clone, Type, Default)]
 pub enum ClientOs {
  #[default]
  Linux,
  Windows,
  Mac,
 }
 impl From<&str> for ClientOs {
  fn from(os: &str) -> Self {
    match os {
      "Linux" => ClientOs::Linux,
      "Windows" => ClientOs::Windows,
      "Mac" => ClientOs::Mac,
      _ => ClientOs::Linux,
    }
  }
 }
 impl ClientOs {
  pub fn as_str(&self) -> &str {
    match self {
      ClientOs::Linux => "Linux",
      ClientOs::Windows => "Windows",
      ClientOs::Mac => "Mac",
    }
  }
  pub fn to_openconnect_os(&self) -> &str {
    match self {
      ClientOs::Linux => "linux",
      ClientOs::Windows => "win",
      ClientOs::Mac => "mac-intel",
    }
  }
 }
 #[derive(Debug, Serialize, Deserialize, Type, Default)]
 pub struct GpParams {
  user_agent: String,
  client_os: ClientOs,
  os_version: Option<String>,
  client_version: Option<String>,
  computer: String,
  ignore_tls_errors: bool,
  prefer_default_browser: bool,
 }
 impl GpParams {
  pub fn builder() -> GpParamsBuilder {
    GpParamsBuilder::new()
  }
  pub(crate) fn user_agent(&self) -> &str {
    &self.user_agent
  }
  pub(crate) fn computer(&self) -> &str {
    &self.computer
  }
  pub fn ignore_tls_errors(&self) -> bool {
    self.ignore_tls_errors
  }
  pub fn prefer_default_browser(&self) -> bool {
    self.prefer_default_browser
  }
  pub(crate) fn to_params(&self) -> HashMap<&str, &str> {
    let mut params: HashMap<&str, &str> = HashMap::new();
    let client_os = self.client_os.as_str();
    // Common params
    params.insert("prot", "https:");
    params.insert("jnlpReady", "jnlpReady");
    params.insert("ok", "Login");
    params.insert("direct", "yes");
    params.insert("ipv6-support", "yes");
    params.insert("inputStr", "");
    params.insert("clientVer", "4100");
    params.insert("clientos", client_os);
    params.insert("computer", &self.computer);
    if let Some(os_version) = &self.os_version {
      params.insert("os-version", os_version);
    }
    // NOTE: Do not include clientgpversion for now
    // if let Some(client_version) = &self.client_version {
    //   params.insert("clientgpversion", client_version);
    // }
    params
  }
 }
 pub struct GpParamsBuilder {
  user_agent: String,
  client_os: ClientOs,
  os_version: Option<String>,
  client_version: Option<String>,
  computer: String,
  ignore_tls_errors: bool,
  prefer_default_browser: bool,
 }
 impl GpParamsBuilder {
  pub fn new() -> Self {
    Self {
      user_agent: GP_USER_AGENT.to_string(),
      client_os: ClientOs::Linux,
      os_version: Default::default(),
      client_version: Default::default(),
      computer: whoami::hostname(),
      ignore_tls_errors: false,
      prefer_default_browser: false,
    }
  }
  pub fn user_agent(&mut self, user_agent: &str) -> &mut Self {
    self.user_agent = user_agent.to_string();
    self
  }
  pub fn client_os(&mut self, client_os: ClientOs) -> &mut Self {
    self.client_os = client_os;
    self
  }
  pub fn os_version<T: Into<Option<String>>>(&mut self, os_version: T) -> &mut Self {
    self.os_version = os_version.into();
    self
  }
  pub fn client_version<T: Into<Option<String>>>(&mut self, client_version: T) -> &mut Self {
    self.client_version = client_version.into();
    self
  }
  pub fn computer(&mut self, computer: &str) -> &mut Self {
    self.computer = computer.to_string();
    self
  }
  pub fn ignore_tls_errors(&mut self, ignore_tls_errors: bool) -> &mut Self {
    self.ignore_tls_errors = ignore_tls_errors;
    self
  }
  pub fn prefer_default_browser(&mut self, prefer_default_browser: bool) -> &mut Self {
    self.prefer_default_browser = prefer_default_browser;
    self
  }
  pub fn build(&self) -> GpParams {
    GpParams {
      user_agent: self.user_agent.clone(),
      client_os: self.client_os.clone(),
      os_version: self.os_version.clone(),
      client_version: self.client_version.clone(),
      computer: self.computer.clone(),
      ignore_tls_errors: self.ignore_tls_errors,
      prefer_default_browser: self.prefer_default_browser,
    }
  }
 }
 impl Default for GpParamsBuilder {
  fn default() -> Self {
    Self::new()
  }
 }
--- a/crates/gpapi/src/lib.rs
+++ b/crates/gpapi/src/lib.rs
@@ -0,0 +1,35 @@
 pub mod auth;
 pub mod credential;
 pub mod gateway;
 pub mod gp_params;
 pub mod portal;
 pub mod process;
 pub mod service;
 pub mod utils;
 #[cfg(feature = "clap")]
 pub mod clap;
 #[cfg(debug_assertions)]
 pub const GP_API_KEY: &[u8; 32] = &[0; 32];
 pub const GP_USER_AGENT: &str = "PAN GlobalProtect";
 pub const GP_SERVICE_LOCK_FILE: &str = "/var/run/gpservice.lock";
 #[cfg(not(debug_assertions))]
 pub const GP_CLIENT_BINARY: &str = "/usr/bin/gpclient";
 #[cfg(not(debug_assertions))]
 pub const GP_SERVICE_BINARY: &str = "/usr/bin/gpservice";
 #[cfg(not(debug_assertions))]
 pub const GP_GUI_BINARY: &str = "/usr/bin/gpgui";
 #[cfg(not(debug_assertions))]
 pub(crate) const GP_AUTH_BINARY: &str = "/usr/bin/gpauth";
 #[cfg(debug_assertions)]
 pub const GP_CLIENT_BINARY: &str = dotenvy_macro::dotenv!("GP_CLIENT_BINARY");
 #[cfg(debug_assertions)]
 pub const GP_SERVICE_BINARY: &str = dotenvy_macro::dotenv!("GP_SERVICE_BINARY");
 #[cfg(debug_assertions)]
 pub const GP_GUI_BINARY: &str = dotenvy_macro::dotenv!("GP_GUI_BINARY");
 #[cfg(debug_assertions)]
 pub(crate) const GP_AUTH_BINARY: &str = dotenvy_macro::dotenv!("GP_AUTH_BINARY");
--- a/crates/gpapi/src/portal/config.rs
+++ b/crates/gpapi/src/portal/config.rs
@@ -0,0 +1,174 @@
 use anyhow::ensure;
 use log::info;
 use reqwest::Client;
 use roxmltree::Document;
 use serde::Serialize;
 use specta::Type;
 use thiserror::Error;
 use crate::{
  credential::{AuthCookieCredential, Credential},
  gateway::{parse_gateways, Gateway},
  gp_params::GpParams,
  utils::{normalize_server, xml},
 };
 #[derive(Debug, Serialize, Type)]
 #[serde(rename_all = "camelCase")]
 pub struct PortalConfig {
  portal: String,
  auth_cookie: AuthCookieCredential,
  gateways: Vec<Gateway>,
  config_digest: Option<String>,
 }
 impl PortalConfig {
  pub fn new(
    portal: String,
    auth_cookie: AuthCookieCredential,
    gateways: Vec<Gateway>,
    config_digest: Option<String>,
  ) -> Self {
    Self {
      portal,
      auth_cookie,
      gateways,
      config_digest,
    }
  }
  pub fn portal(&self) -> &str {
    &self.portal
  }
  pub fn gateways(&self) -> Vec<&Gateway> {
    self.gateways.iter().collect()
  }
  pub fn auth_cookie(&self) -> &AuthCookieCredential {
    &self.auth_cookie
  }
  /// In-place sort the gateways by region
  pub fn sort_gateways(&mut self, region: &str) {
    let preferred_gateway = self.find_preferred_gateway(region);
    let preferred_gateway_index = self
      .gateways()
      .iter()
      .position(|gateway| gateway.name == preferred_gateway.name)
      .unwrap();
    // Move the preferred gateway to the front of the list
    self.gateways.swap(0, preferred_gateway_index);
  }
  /// Find a gateway by name or address
  pub fn find_gateway(&self, name_or_address: &str) -> Option<&Gateway> {
    self
      .gateways
      .iter()
      .find(|gateway| gateway.name == name_or_address || gateway.address == name_or_address)
  }
  /// Find the preferred gateway for the given region
  /// Iterates over the gateways and find the first one that
  /// has the lowest priority for the given region.
  /// If no gateway is found, returns the gateway with the lowest priority.
  pub fn find_preferred_gateway(&self, region: &str) -> &Gateway {
    let mut preferred_gateway: Option<&Gateway> = None;
    let mut lowest_region_priority = u32::MAX;
    for gateway in &self.gateways {
      for rule in &gateway.priority_rules {
        if (rule.name == region || rule.name == "Any") && rule.priority < lowest_region_priority {
          preferred_gateway = Some(gateway);
          lowest_region_priority = rule.priority;
        }
      }
    }
    // If no gateway is found, return the gateway with the lowest priority
    preferred_gateway.unwrap_or_else(|| {
      self
        .gateways
        .iter()
        .min_by_key(|gateway| gateway.priority)
        .unwrap()
    })
  }
 }
 #[derive(Error, Debug)]
 pub enum PortalConfigError {
  #[error("Empty response, retrying can help")]
  EmptyResponse,
  #[error("Empty auth cookie, retrying can help")]
  EmptyAuthCookie,
  #[error("Invalid auth cookie, retrying can help")]
  InvalidAuthCookie,
  #[error("Empty gateways, retrying can help")]
  EmptyGateways,
 }
 pub async fn retrieve_config(
  portal: &str,
  cred: &Credential,
  gp_params: &GpParams,
 ) -> anyhow::Result<PortalConfig> {
  let portal = normalize_server(portal)?;
  let server = remove_url_scheme(&portal);
  let url = format!("{}/global-protect/getconfig.esp", portal);
  let client = Client::builder()
    .user_agent(gp_params.user_agent())
    .build()?;
  let mut params = cred.to_params();
  let extra_params = gp_params.to_params();
  params.extend(extra_params);
  params.insert("server", &server);
  params.insert("host", &server);
  info!("Portal config, user_agent: {}", gp_params.user_agent());
  let res = client.post(&url).form(&params).send().await?;
  let res_xml = res.error_for_status()?.text().await?;
  ensure!(!res_xml.is_empty(), PortalConfigError::EmptyResponse);
  let doc = Document::parse(&res_xml)?;
  let gateways = parse_gateways(&doc).ok_or_else(|| anyhow::anyhow!("Failed to parse gateways"))?;
  let user_auth_cookie = xml::get_child_text(&doc, "portal-userauthcookie").unwrap_or_default();
  let prelogon_user_auth_cookie =
    xml::get_child_text(&doc, "portal-prelogonuserauthcookie").unwrap_or_default();
  let config_digest = xml::get_child_text(&doc, "config-digest");
  ensure!(
    !user_auth_cookie.is_empty() && !prelogon_user_auth_cookie.is_empty(),
    PortalConfigError::EmptyAuthCookie
  );
  ensure!(
    user_auth_cookie != "empty" && prelogon_user_auth_cookie != "empty",
    PortalConfigError::InvalidAuthCookie
  );
  ensure!(!gateways.is_empty(), PortalConfigError::EmptyGateways);
  Ok(PortalConfig::new(
    server.to_string(),
    AuthCookieCredential::new(
      cred.username(),
      &user_auth_cookie,
      &prelogon_user_auth_cookie,
    ),
    gateways,
    config_digest,
  ))
 }
 fn remove_url_scheme(s: &str) -> String {
  s.replace("http://", "").replace("https://", "")
 }
--- a/crates/gpapi/src/portal/mod.rs
+++ b/crates/gpapi/src/portal/mod.rs
@@ -0,0 +1,5 @@
 mod config;
 mod prelogin;
 pub use config::*;
 pub use prelogin::*;
--- a/crates/gpapi/src/portal/prelogin.rs
+++ b/crates/gpapi/src/portal/prelogin.rs
@@ -0,0 +1,167 @@
 use anyhow::bail;
 use log::{info, trace};
 use reqwest::Client;
 use roxmltree::Document;
 use serde::Serialize;
 use specta::Type;
 use crate::{
  gp_params::GpParams,
  utils::{base64, normalize_server, xml},
 };
 const REQUIRED_PARAMS: [&str; 8] = [
  "tmp",
  "clientVer",
  "clientos",
  "os-version",
  "host-id",
  "ipv6-support",
  "default-browser",
  "cas-support",
 ];
 #[derive(Debug, Serialize, Type, Clone)]
 #[serde(rename_all = "camelCase")]
 pub struct SamlPrelogin {
  region: String,
  saml_request: String,
  support_default_browser: bool,
 }
 impl SamlPrelogin {
  pub fn region(&self) -> &str {
    &self.region
  }
  pub fn saml_request(&self) -> &str {
    &self.saml_request
  }
  pub fn support_default_browser(&self) -> bool {
    self.support_default_browser
  }
 }
 #[derive(Debug, Serialize, Type, Clone)]
 #[serde(rename_all = "camelCase")]
 pub struct StandardPrelogin {
  region: String,
  auth_message: String,
  label_username: String,
  label_password: String,
 }
 impl StandardPrelogin {
  pub fn region(&self) -> &str {
    &self.region
  }
  pub fn auth_message(&self) -> &str {
    &self.auth_message
  }
  pub fn label_username(&self) -> &str {
    &self.label_username
  }
  pub fn label_password(&self) -> &str {
    &self.label_password
  }
 }
 #[derive(Debug, Serialize, Type, Clone)]
 #[serde(tag = "type", rename_all = "camelCase")]
 pub enum Prelogin {
  Saml(SamlPrelogin),
  Standard(StandardPrelogin),
 }
 impl Prelogin {
  pub fn region(&self) -> &str {
    match self {
      Prelogin::Saml(saml) => saml.region(),
      Prelogin::Standard(standard) => standard.region(),
    }
  }
 }
 pub async fn prelogin(portal: &str, gp_params: &GpParams) -> anyhow::Result<Prelogin> {
  let user_agent = gp_params.user_agent();
  info!("Portal prelogin, user_agent: {}", user_agent);
  let portal = normalize_server(portal)?;
  let prelogin_url = format!("{}/global-protect/prelogin.esp", portal);
  let mut params = gp_params.to_params();
  params.insert("tmp", "tmp");
  params.insert("cas-support", "yes");
  if gp_params.prefer_default_browser() {
    params.insert("default-browser", "1");
  }
  params.retain(|k, _| {
    REQUIRED_PARAMS
      .iter()
      .any(|required_param| required_param == k)
  });
  let client = Client::builder()
    .danger_accept_invalid_certs(gp_params.ignore_tls_errors())
    .user_agent(user_agent)
    .build()?;
  let res = client.post(&prelogin_url).form(&params).send().await?;
  let res_xml = res.error_for_status()?.text().await?;
  trace!("Prelogin response: {}", res_xml);
  let doc = Document::parse(&res_xml)?;
  let status = xml::get_child_text(&doc, "status")
    .ok_or_else(|| anyhow::anyhow!("Prelogin response does not contain status element"))?;
  // Check the status of the prelogin response
  if status.to_uppercase() != "SUCCESS" {
    let msg = xml::get_child_text(&doc, "msg").unwrap_or(String::from("Unknown error"));
    bail!("Prelogin failed: {}", msg)
  }
  let region = xml::get_child_text(&doc, "region")
    .ok_or_else(|| anyhow::anyhow!("Prelogin response does not contain region element"))?;
  let saml_method = xml::get_child_text(&doc, "saml-auth-method");
  let saml_request = xml::get_child_text(&doc, "saml-request");
  let saml_default_browser = xml::get_child_text(&doc, "saml-default-browser");
  // Check if the prelogin response is SAML
  if saml_method.is_some() && saml_request.is_some() {
    let saml_request = base64::decode_to_string(&saml_request.unwrap())?;
    let support_default_browser = saml_default_browser
      .map(|s| s.to_lowercase() == "yes")
      .unwrap_or(false);
    let saml_prelogin = SamlPrelogin {
      region,
      saml_request,
      support_default_browser,
    };
    return Ok(Prelogin::Saml(saml_prelogin));
  }
  let label_username = xml::get_child_text(&doc, "username-label");
  let label_password = xml::get_child_text(&doc, "password-label");
  // Check if the prelogin response is standard login
  if label_username.is_some() && label_password.is_some() {
    let auth_message = xml::get_child_text(&doc, "authentication-message")
      .unwrap_or(String::from("Please enter the login credentials"));
    let standard_prelogin = StandardPrelogin {
      region,
      auth_message,
      label_username: label_username.unwrap(),
      label_password: label_password.unwrap(),
    };
    return Ok(Prelogin::Standard(standard_prelogin));
  }
  bail!("Invalid prelogin response");
 }
--- a/crates/gpapi/src/process/auth_launcher.rs
+++ b/crates/gpapi/src/process/auth_launcher.rs
@@ -0,0 +1,129 @@
 use std::process::Stdio;
 use tokio::process::Command;
 use crate::{auth::SamlAuthResult, credential::Credential, GP_AUTH_BINARY};
 use super::command_traits::CommandExt;
 pub struct SamlAuthLauncher<'a> {
  server: &'a str,
  saml_request: Option<&'a str>,
  user_agent: Option<&'a str>,
  os: Option<&'a str>,
  os_version: Option<&'a str>,
  hidpi: bool,
  fix_openssl: bool,
  ignore_tls_errors: bool,
  clean: bool,
 }
 impl<'a> SamlAuthLauncher<'a> {
  pub fn new(server: &'a str) -> Self {
    Self {
      server,
      saml_request: None,
      user_agent: None,
      os: None,
      os_version: None,
      hidpi: false,
      fix_openssl: false,
      ignore_tls_errors: false,
      clean: false,
    }
  }
  pub fn saml_request(mut self, saml_request: &'a str) -> Self {
    self.saml_request = Some(saml_request);
    self
  }
  pub fn user_agent(mut self, user_agent: &'a str) -> Self {
    self.user_agent = Some(user_agent);
    self
  }
  pub fn os(mut self, os: &'a str) -> Self {
    self.os = Some(os);
    self
  }
  pub fn os_version(mut self, os_version: Option<&'a str>) -> Self {
    self.os_version = os_version;
    self
  }
  pub fn hidpi(mut self, hidpi: bool) -> Self {
    self.hidpi = hidpi;
    self
  }
  pub fn fix_openssl(mut self, fix_openssl: bool) -> Self {
    self.fix_openssl = fix_openssl;
    self
  }
  pub fn ignore_tls_errors(mut self, ignore_tls_errors: bool) -> Self {
    self.ignore_tls_errors = ignore_tls_errors;
    self
  }
  pub fn clean(mut self, clean: bool) -> Self {
    self.clean = clean;
    self
  }
  /// Launch the authenticator binary as the current user or SUDO_USER if available.
  pub async fn launch(self) -> anyhow::Result<Credential> {
    let mut auth_cmd = Command::new(GP_AUTH_BINARY);
    auth_cmd.arg(self.server);
    if let Some(saml_request) = self.saml_request {
      auth_cmd.arg("--saml-request").arg(saml_request);
    }
    if let Some(user_agent) = self.user_agent {
      auth_cmd.arg("--user-agent").arg(user_agent);
    }
    if let Some(os) = self.os {
      auth_cmd.arg("--os").arg(os);
    }
    if let Some(os_version) = self.os_version {
      auth_cmd.arg("--os-version").arg(os_version);
    }
    if self.hidpi {
      auth_cmd.arg("--hidpi");
    }
    if self.fix_openssl {
      auth_cmd.arg("--fix-openssl");
    }
    if self.ignore_tls_errors {
      auth_cmd.arg("--ignore-tls-errors");
    }
    if self.clean {
      auth_cmd.arg("--clean");
    }
    let mut non_root_cmd = auth_cmd.into_non_root()?;
    let output = non_root_cmd
      .kill_on_drop(true)
      .stdout(Stdio::piped())
      .spawn()?
      .wait_with_output()
      .await?;
    let auth_result: SamlAuthResult = serde_json::from_slice(&output.stdout)
      .map_err(|_| anyhow::anyhow!("Failed to parse auth data"))?;
    match auth_result {
      SamlAuthResult::Success(auth_data) => Credential::try_from(auth_data),
      SamlAuthResult::Failure(msg) => Err(anyhow::anyhow!(msg)),
    }
  }
 }
--- a/crates/gpapi/src/process/browser_authenticator.rs
+++ b/crates/gpapi/src/process/browser_authenticator.rs
@@ -0,0 +1,34 @@
 use std::{env::temp_dir, io::Write};
 pub struct BrowserAuthenticator<'a> {
  auth_request: &'a str,
 }
 impl BrowserAuthenticator<'_> {
  pub fn new(auth_request: &str) -> BrowserAuthenticator {
    BrowserAuthenticator { auth_request }
  }
  pub fn authenticate(&self) -> anyhow::Result<()> {
    if self.auth_request.starts_with("http") {
      open::that_detached(self.auth_request)?;
    } else {
      let html_file = temp_dir().join("gpauth.html");
      let mut file = std::fs::File::create(&html_file)?;
      file.write_all(self.auth_request.as_bytes())?;
      open::that_detached(html_file)?;
    }
    Ok(())
  }
 }
 impl Drop for BrowserAuthenticator<'_> {
  fn drop(&mut self) {
    // Cleanup the temporary file
    let html_file = temp_dir().join("gpauth.html");
    let _ = std::fs::remove_file(html_file);
  }
 }
--- a/crates/gpapi/src/process/command_traits.rs
+++ b/crates/gpapi/src/process/command_traits.rs
@@ -0,0 +1,64 @@
 use anyhow::bail;
 use std::{env, ffi::OsStr};
 use tokio::process::Command;
 use uzers::{os::unix::UserExt, User};
 pub trait CommandExt {
  fn new_pkexec<S: AsRef<OsStr>>(program: S) -> Command;
  fn into_non_root(self) -> anyhow::Result<Command>;
 }
 impl CommandExt for Command {
  fn new_pkexec<S: AsRef<OsStr>>(program: S) -> Command {
    let mut cmd = Command::new("pkexec");
    cmd
      .arg("--disable-internal-agent")
      .arg("--user")
      .arg("root")
      .arg(program);
    cmd
  }
  fn into_non_root(mut self) -> anyhow::Result<Command> {
    let user =
      get_non_root_user().map_err(|_| anyhow::anyhow!("{:?} cannot be run as root", self))?;
    self
      .env("HOME", user.home_dir())
      .env("USER", user.name())
      .env("LOGNAME", user.name())
      .env("USERNAME", user.name())
      .uid(user.uid())
      .gid(user.primary_group_id());
    Ok(self)
  }
 }
 fn get_non_root_user() -> anyhow::Result<User> {
  let current_user = whoami::username();
  let user = if current_user == "root" {
    get_real_user()?
  } else {
    uzers::get_user_by_name(&current_user)
      .ok_or_else(|| anyhow::anyhow!("User ({}) not found", current_user))?
  };
  if user.uid() == 0 {
    bail!("Non-root user not found")
  }
  Ok(user)
 }
 fn get_real_user() -> anyhow::Result<User> {
  // Read the UID from SUDO_UID or PKEXEC_UID environment variable if available.
  let uid = match env::var("SUDO_UID") {
    Ok(uid) => uid.parse::<u32>()?,
    _ => env::var("PKEXEC_UID")?.parse::<u32>()?,
  };
  uzers::get_user_by_uid(uid).ok_or_else(|| anyhow::anyhow!("User not found"))
 }
--- a/crates/gpapi/src/process/gui_launcher.rs
+++ b/crates/gpapi/src/process/gui_launcher.rs
@@ -0,0 +1,91 @@
 use std::{
  collections::HashMap,
  path::PathBuf,
  process::{ExitStatus, Stdio},
 };
 use tokio::{io::AsyncWriteExt, process::Command};
 use crate::{utils::base64, GP_GUI_BINARY};
 use super::command_traits::CommandExt;
 pub struct GuiLauncher {
  program: PathBuf,
  api_key: Option<Vec<u8>>,
  minimized: bool,
  envs: Option<HashMap<String, String>>,
 }
 impl Default for GuiLauncher {
  fn default() -> Self {
    Self::new()
  }
 }
 impl GuiLauncher {
  pub fn new() -> Self {
    Self {
      program: GP_GUI_BINARY.into(),
      api_key: None,
      minimized: false,
      envs: None,
    }
  }
  pub fn envs<T: Into<Option<HashMap<String, String>>>>(mut self, envs: T) -> Self {
    self.envs = envs.into();
    self
  }
  pub fn api_key(mut self, api_key: Vec<u8>) -> Self {
    self.api_key = Some(api_key);
    self
  }
  pub fn minimized(mut self, minimized: bool) -> Self {
    self.minimized = minimized;
    self
  }
  pub async fn launch(&self) -> anyhow::Result<ExitStatus> {
    let mut cmd = Command::new(&self.program);
    if let Some(envs) = &self.envs {
      cmd.env_clear();
      cmd.envs(envs);
    }
    if self.api_key.is_some() {
      cmd.arg("--api-key-on-stdin");
    }
    if self.minimized {
      cmd.arg("--minimized");
    }
    let mut non_root_cmd = cmd.into_non_root()?;
    let mut child = non_root_cmd
      .kill_on_drop(true)
      .stdin(Stdio::piped())
      .spawn()?;
    let mut stdin = child
      .stdin
      .take()
      .ok_or_else(|| anyhow::anyhow!("Failed to open stdin"))?;
    if let Some(api_key) = &self.api_key {
      let api_key = base64::encode(api_key);
      tokio::spawn(async move {
        stdin.write_all(api_key.as_bytes()).await.unwrap();
        drop(stdin);
      });
    }
    let exit_status = child.wait().await?;
    Ok(exit_status)
  }
 }
--- a/crates/gpapi/src/process/mod.rs
+++ b/crates/gpapi/src/process/mod.rs
@@ -0,0 +1,7 @@
 pub(crate) mod command_traits;
 pub mod auth_launcher;
 #[cfg(feature = "browser-auth")]
 pub mod browser_authenticator;
 pub mod gui_launcher;
 pub mod service_launcher;
--- a/crates/gpapi/src/process/service_launcher.rs
+++ b/crates/gpapi/src/process/service_launcher.rs
@@ -0,0 +1,72 @@
 use std::{
  fs::File,
  path::PathBuf,
  process::{ExitStatus, Stdio},
 };
 use tokio::process::Command;
 use crate::GP_SERVICE_BINARY;
 use super::command_traits::CommandExt;
 pub struct ServiceLauncher {
  program: PathBuf,
  minimized: bool,
  env_file: Option<String>,
  log_file: Option<String>,
 }
 impl Default for ServiceLauncher {
  fn default() -> Self {
    Self::new()
  }
 }
 impl ServiceLauncher {
  pub fn new() -> Self {
    Self {
      program: GP_SERVICE_BINARY.into(),
      minimized: false,
      env_file: None,
      log_file: None,
    }
  }
  pub fn minimized(mut self, minimized: bool) -> Self {
    self.minimized = minimized;
    self
  }
  pub fn env_file(mut self, env_file: &str) -> Self {
    self.env_file = Some(env_file.to_string());
    self
  }
  pub fn log_file(mut self, log_file: &str) -> Self {
    self.log_file = Some(log_file.to_string());
    self
  }
  pub async fn launch(&self) -> anyhow::Result<ExitStatus> {
    let mut cmd = Command::new_pkexec(&self.program);
    if self.minimized {
      cmd.arg("--minimized");
    }
    if let Some(env_file) = &self.env_file {
      cmd.arg("--env-file").arg(env_file);
    }
    if let Some(log_file) = &self.log_file {
      let log_file = File::create(log_file)?;
      let stdio = Stdio::from(log_file);
      cmd.stderr(stdio);
    }
    let exit_status = cmd.kill_on_drop(true).spawn()?.wait().await?;
    Ok(exit_status)
  }
 }
--- a/crates/gpapi/src/service/event.rs
+++ b/crates/gpapi/src/service/event.rs
@@ -0,0 +1,12 @@
 use serde::{Deserialize, Serialize};
 use super::vpn_state::VpnState;
 /// Events that can be emitted by the service
 #[derive(Debug, Serialize, Deserialize, Clone)]
 pub enum WsEvent {
  VpnState(VpnState),
  ActiveGui,
  /// External authentication data
  AuthData(String),
 }
--- a/crates/gpapi/src/service/mod.rs
+++ b/crates/gpapi/src/service/mod.rs
@@ -0,0 +1,3 @@
 pub mod event;
 pub mod request;
 pub mod vpn_state;
--- a/crates/gpapi/src/service/request.rs
+++ b/crates/gpapi/src/service/request.rs
@@ -0,0 +1,118 @@
 use std::collections::HashMap;
 use serde::{Deserialize, Serialize};
 use specta::Type;
 use crate::{gateway::Gateway, gp_params::ClientOs};
 use super::vpn_state::ConnectInfo;
 #[derive(Debug, Deserialize, Serialize)]
 pub struct LaunchGuiRequest {
  user: String,
  envs: HashMap<String, String>,
 }
 impl LaunchGuiRequest {
  pub fn new(user: String, envs: HashMap<String, String>) -> Self {
    Self { user, envs }
  }
  pub fn user(&self) -> &str {
    &self.user
  }
  pub fn envs(&self) -> &HashMap<String, String> {
    &self.envs
  }
 }
 #[derive(Debug, Deserialize, Serialize, Type)]
 pub struct ConnectArgs {
  cookie: String,
  vpnc_script: Option<String>,
  user_agent: Option<String>,
  os: Option<ClientOs>,
 }
 impl ConnectArgs {
  pub fn new(cookie: String) -> Self {
    Self {
      cookie,
      vpnc_script: None,
      user_agent: None,
      os: None,
    }
  }
  pub fn cookie(&self) -> &str {
    &self.cookie
  }
  pub fn vpnc_script(&self) -> Option<String> {
    self.vpnc_script.clone()
  }
  pub fn user_agent(&self) -> Option<String> {
    self.user_agent.clone()
  }
  pub fn openconnect_os(&self) -> Option<String> {
    self
      .os
      .as_ref()
      .map(|os| os.to_openconnect_os().to_string())
  }
 }
 #[derive(Debug, Deserialize, Serialize, Type)]
 pub struct ConnectRequest {
  info: ConnectInfo,
  args: ConnectArgs,
 }
 impl ConnectRequest {
  pub fn new(info: ConnectInfo, cookie: String) -> Self {
    Self {
      info,
      args: ConnectArgs::new(cookie),
    }
  }
  pub fn with_vpnc_script<T: Into<Option<String>>>(mut self, vpnc_script: T) -> Self {
    self.args.vpnc_script = vpnc_script.into();
    self
  }
  pub fn with_user_agent<T: Into<Option<String>>>(mut self, user_agent: T) -> Self {
    self.args.user_agent = user_agent.into();
    self
  }
  pub fn with_os<T: Into<Option<ClientOs>>>(mut self, os: T) -> Self {
    self.args.os = os.into();
    self
  }
  pub fn gateway(&self) -> &Gateway {
    self.info.gateway()
  }
  pub fn info(&self) -> &ConnectInfo {
    &self.info
  }
  pub fn args(&self) -> &ConnectArgs {
    &self.args
  }
 }
 #[derive(Debug, Deserialize, Serialize, Type)]
 pub struct DisconnectRequest;
 /// Requests that can be sent to the service
 #[derive(Debug, Deserialize, Serialize)]
 pub enum WsRequest {
  Connect(Box<ConnectRequest>),
  Disconnect(DisconnectRequest),
 }
--- a/crates/gpapi/src/service/vpn_state.rs
+++ b/crates/gpapi/src/service/vpn_state.rs
@@ -0,0 +1,34 @@
 use serde::{Deserialize, Serialize};
 use specta::Type;
 use crate::gateway::Gateway;
 #[derive(Debug, Deserialize, Serialize, Type, Clone)]
 pub struct ConnectInfo {
  portal: String,
  gateway: Gateway,
  gateways: Vec<Gateway>,
 }
 impl ConnectInfo {
  pub fn new(portal: String, gateway: Gateway, gateways: Vec<Gateway>) -> Self {
    Self {
      portal,
      gateway,
      gateways,
    }
  }
  pub fn gateway(&self) -> &Gateway {
    &self.gateway
  }
 }
 #[derive(Debug, Serialize, Deserialize, Clone)]
 #[serde(rename_all = "camelCase")]
 pub enum VpnState {
  Disconnected,
  Connecting(Box<ConnectInfo>),
  Connected(Box<ConnectInfo>),
  Disconnecting,
 }
--- a/crates/gpapi/src/utils/base64.rs
+++ b/crates/gpapi/src/utils/base64.rs
@@ -0,0 +1,21 @@
 use base64::{engine::general_purpose, Engine};
 pub fn encode(data: &[u8]) -> String {
  let engine = general_purpose::STANDARD;
  engine.encode(data)
 }
 pub fn decode_to_vec(s: &str) -> anyhow::Result<Vec<u8>> {
  let engine = general_purpose::STANDARD;
  let decoded = engine.decode(s)?;
  Ok(decoded)
 }
 pub(crate) fn decode_to_string(s: &str) -> anyhow::Result<String> {
  let decoded = decode_to_vec(s)?;
  let decoded = String::from_utf8(decoded)?;
  Ok(decoded)
 }
--- a/crates/gpapi/src/utils/crypto.rs
+++ b/crates/gpapi/src/utils/crypto.rs
@@ -0,0 +1,108 @@
 use chacha20poly1305::{
  aead::{Aead, OsRng},
  AeadCore, ChaCha20Poly1305, Key, KeyInit, Nonce,
 };
 use serde::{de::DeserializeOwned, Serialize};
 pub fn generate_key() -> Key {
  ChaCha20Poly1305::generate_key(&mut OsRng)
 }
 pub fn encrypt<T>(key: &Key, value: &T) -> anyhow::Result<Vec<u8>>
 where
  T: Serialize,
 {
  let cipher = ChaCha20Poly1305::new(key);
  let nonce = ChaCha20Poly1305::generate_nonce(&mut OsRng);
  let data = serde_json::to_vec(value)?;
  let cipher_text = cipher.encrypt(&nonce, data.as_ref())?;
  let mut encrypted = Vec::new();
  encrypted.extend_from_slice(&nonce);
  encrypted.extend_from_slice(&cipher_text);
  Ok(encrypted)
 }
 pub fn decrypt<T>(key: &Key, encrypted: Vec<u8>) -> anyhow::Result<T>
 where
  T: DeserializeOwned,
 {
  let cipher = ChaCha20Poly1305::new(key);
  let nonce = Nonce::from_slice(&encrypted[..12]);
  let cipher_text = &encrypted[12..];
  let plaintext = cipher.decrypt(nonce, cipher_text)?;
  let value = serde_json::from_slice(&plaintext)?;
  Ok(value)
 }
 pub struct Crypto {
  key: Vec<u8>,
 }
 impl Crypto {
  pub fn new(key: Vec<u8>) -> Self {
    Self { key }
  }
  pub fn encrypt<T: Serialize>(&self, plain: T) -> anyhow::Result<Vec<u8>> {
    let key: &[u8] = &self.key;
    let encrypted_data = encrypt(key.into(), &plain)?;
    Ok(encrypted_data)
  }
  pub fn decrypt<T: DeserializeOwned>(&self, encrypted: Vec<u8>) -> anyhow::Result<T> {
    let key: &[u8] = &self.key;
    decrypt(key.into(), encrypted)
  }
  pub fn encrypt_to<T: Serialize>(&self, path: &std::path::Path, plain: T) -> anyhow::Result<()> {
    let encrypted_data = self.encrypt(plain)?;
    std::fs::write(path, encrypted_data)?;
    Ok(())
  }
  pub fn decrypt_from<T: DeserializeOwned>(&self, path: &std::path::Path) -> anyhow::Result<T> {
    let encrypted_data = std::fs::read(path)?;
    self.decrypt(encrypted_data)
  }
 }
 #[cfg(test)]
 mod tests {
  use serde::Deserialize;
  use super::*;
  #[derive(Serialize, Deserialize)]
  struct User {
    name: String,
    age: u8,
  }
  #[test]
  fn it_works() -> anyhow::Result<()> {
    let key = generate_key();
    let user = User {
      name: "test".to_string(),
      age: 18,
    };
    let encrypted = encrypt(&key, &user)?;
    let decrypted_user = decrypt::<User>(&key, encrypted)?;
    assert_eq!(user.name, decrypted_user.name);
    assert_eq!(user.age, decrypted_user.age);
    Ok(())
  }
 }
--- a/crates/gpapi/src/utils/endpoint.rs
+++ b/crates/gpapi/src/utils/endpoint.rs
@@ -0,0 +1,20 @@
 use tokio::fs;
 use crate::GP_SERVICE_LOCK_FILE;
 async fn read_port() -> anyhow::Result<String> {
  let port = fs::read_to_string(GP_SERVICE_LOCK_FILE).await?;
  Ok(port.trim().to_string())
 }
 pub async fn http_endpoint() -> anyhow::Result<String> {
  let port = read_port().await?;
  Ok(format!("http://127.0.0.1:{}", port))
 }
 pub async fn ws_endpoint() -> anyhow::Result<String> {
  let port = read_port().await?;
  Ok(format!("ws://127.0.0.1:{}/ws", port))
 }
--- a/crates/gpapi/src/utils/env_file.rs
+++ b/crates/gpapi/src/utils/env_file.rs
@@ -0,0 +1,37 @@
 use std::collections::HashMap;
 use std::env;
 use std::io::Write;
 use std::path::Path;
 use tempfile::NamedTempFile;
 pub fn persist_env_vars(extra: Option<HashMap<String, String>>) -> anyhow::Result<NamedTempFile> {
  let mut env_file = NamedTempFile::new()?;
  let content = env::vars()
    .map(|(key, value)| format!("{}={}", key, value))
    .chain(
      extra
        .unwrap_or_default()
        .into_iter()
        .map(|(key, value)| format!("{}={}", key, value)),
    )
    .collect::<Vec<String>>()
    .join("\n");
  writeln!(env_file, "{}", content)?;
  Ok(env_file)
 }
 pub fn load_env_vars<T: AsRef<Path>>(env_file: T) -> anyhow::Result<HashMap<String, String>> {
  let content = std::fs::read_to_string(env_file)?;
  let mut env_vars: HashMap<String, String> = HashMap::new();
  for line in content.lines() {
    if let Some((key, value)) = line.split_once('=') {
      env_vars.insert(key.to_string(), value.to_string());
    }
  }
  Ok(env_vars)
 }
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,2 @@`
							`ko_fi: yuezk`
							`custom: ["https://buymeacoffee.com/yuezk", "https://paypal.me/zongkun"]`