Fix changelog date format

.github/workflows/build.yaml

@@ -13,6 +13,7 @@ on:
       - feature/*
       - release/*
     tags:
+      - latest
       - v*.*.*
 jobs:
   # Include arm64 if ref is a tag
@@ -25,9 +26,9 @@ jobs:
         id: set-matrix
         run: |
           if [[ "${{ github.ref }}" == "refs/tags/"* ]]; then
-            echo 'matrix=[{"runner": "ubuntu-latest", "arch": "amd64"}, {"runner": "arm64", "arch": "arm64"}]' >> $GITHUB_OUTPUT
+            echo "matrix=[\"ubuntu-latest\", \"arm64\"]" >> $GITHUB_OUTPUT
           else
-            echo 'matrix=[{"runner": "ubuntu-latest", "arch": "amd64"}]' >> $GITHUB_OUTPUT
+            echo "matrix=[\"ubuntu-latest\"]" >> $GITHUB_OUTPUT
           fi
 
   tarball:
@@ -49,10 +50,6 @@ jobs:
     - name: Create tarball
       run: |
         cd source/gp
-        # Generate the SNAPSHOT file for non-tagged commits
-        if [[ "${{ github.ref }}" != "refs/tags/"* ]]; then
-          touch SNAPSHOT
-        fi
         make tarball
     - name: Upload tarball
       uses: actions/upload-artifact@v3
@@ -70,8 +67,7 @@ jobs:
       matrix:
         os: ${{fromJson(needs.setup-matrix.outputs.matrix)}}
         package: [deb, rpm, pkg, binary]
-    runs-on: ${{ matrix.os.runner }}
-    name: build-gp (${{ matrix.package }}, ${{ matrix.os.arch }})
+    runs-on: ${{ matrix.os }}
     steps:
     - name: Prepare workspace
       run: |
@@ -99,7 +95,7 @@ jobs:
     - name: Upload ${{ matrix.package }} package
       uses: actions/upload-artifact@v3
       with:
-        name: artifact-gp-${{ matrix.package }}-${{ matrix.os.arch }}
+        name: artifact-gp-${{ matrix.os }}-${{ matrix.package }}
         if-no-files-found: error
         path: |
           build-gp-${{ matrix.package }}/artifacts/*
@@ -110,8 +106,7 @@ jobs:
     strategy:
       matrix:
         os: ${{fromJson(needs.setup-matrix.outputs.matrix)}}
-    runs-on: ${{ matrix.os.runner }}
-    name: build-gpgui (${{ matrix.os.arch }})
+    runs-on: ${{ matrix.os }}
     steps:
     - uses: pnpm/action-setup@v2
       with:
@@ -150,17 +145,16 @@ jobs:
     - name: Upload gpgui
       uses: actions/upload-artifact@v3
       with:
-        name: artifact-gpgui-${{ matrix.os.arch }}
+        name: artifact-gpgui-${{ matrix.os }}
         if-no-files-found: error
         path: |
           gpgui-source/*.bin.tar.xz
           gpgui-source/*.bin.tar.xz.sha256
 
   gh-release:
-    if: ${{ github.ref == 'refs/heads/dev' || startsWith(github.ref, 'refs/tags/') }}
+    if: startsWith(github.ref, 'refs/tags/')
     runs-on: ubuntu-latest
     needs:
-      - tarball
       - build-gp
       - build-gpgui
 
@@ -172,17 +166,10 @@ jobs:
       with:
         path: gh-release
     - name: Create GH release
-      env:
-        GH_TOKEN: ${{ secrets.GH_PAT }}
-        RELEASE_TAG: ${{ github.ref == 'refs/heads/dev' && 'snapshot' || github.ref_name }}
-        REPO: ${{ github.repository }}
-        NOTES: ${{ github.ref == 'refs/heads/dev' && '**!!! DO NOT USE THIS RELEASE IN PRODUCTION !!!**' || format('Release {0}', github.ref_name) }}
-      run: |
-        gh -R "$REPO" release delete $RELEASE_TAG --yes --cleanup-tag || true
-        gh -R "$REPO" release create $RELEASE_TAG \
-          --title "$RELEASE_TAG" \
-          --notes "$NOTES" \
-          ${{ github.ref == 'refs/heads/dev' && '--target dev' || '' }} \
-          ${{ github.ref == 'refs/heads/dev' && '--prerelease' || '' }} \
-          gh-release/artifact-source/* \
-          gh-release/artifact-gpgui-*/*
+      uses: softprops/action-gh-release@v1
+      with:
+        token: ${{ secrets.GH_PAT }}
+        prerelease: ${{ contains(github.ref, 'latest') }}
+        fail_on_unmatched_files: true
+        files: |
+          gh-release/artifact-*/*

.github/workflows/release.yaml

@@ -145,7 +145,7 @@ jobs:
       uses: softprops/action-gh-release@v1
       with:
         token: ${{ secrets.GH_PAT }}
-        prerelease: ${{ contains(github.ref, 'snapshot') }}
+        prerelease: ${{ contains(github.ref, 'latest') }}
         fail_on_unmatched_files: true
         tag_name: ${{ inputs.tag }}
         files: |

.gitignore

@@ -7,4 +7,3 @@
 
 .cargo
 .build
-SNAPSHOT

Cargo.lock

@@ -564,7 +564,7 @@ dependencies = [
 
 [[package]]
 name = "common"
-version = "2.2.1"
+version = "2.1.2"
 dependencies = [
  "is_executable",
 ]
@@ -1430,7 +1430,7 @@ dependencies = [
 
 [[package]]
 name = "gpapi"
-version = "2.2.1"
+version = "2.1.2"
 dependencies = [
  "anyhow",
  "base64 0.21.5",
@@ -1462,14 +1462,13 @@ dependencies = [
 
 [[package]]
 name = "gpauth"
-version = "2.2.1"
+version = "2.1.2"
 dependencies = [
  "anyhow",
  "clap",
  "compile-time",
  "env_logger",
  "gpapi",
- "html-escape",
  "log",
  "regex",
  "serde_json",
@@ -1483,7 +1482,7 @@ dependencies = [
 
 [[package]]
 name = "gpclient"
-version = "2.2.1"
+version = "2.1.2"
 dependencies = [
  "anyhow",
  "clap",
@@ -1505,7 +1504,7 @@ dependencies = [
 
 [[package]]
 name = "gpgui-helper"
-version = "2.2.1"
+version = "2.1.2"
 dependencies = [
  "anyhow",
  "clap",
@@ -1523,7 +1522,7 @@ dependencies = [
 
 [[package]]
 name = "gpservice"
-version = "2.2.1"
+version = "2.1.2"
 dependencies = [
  "anyhow",
  "axum",
@@ -1599,9 +1598,9 @@ dependencies = [
 
 [[package]]
 name = "h2"
-version = "0.3.26"
+version = "0.3.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "81fe527a889e1532da5c525686d96d4c2e74cdd345badf8dfef9f6b39dd5f5e8"
+checksum = "bb2c4422095b67ee78da96fbb51a4cc413b3b25883c7717ff7ca1ab31022c9c9"
 dependencies = [
  "bytes",
  "fnv",
@@ -1618,9 +1617,9 @@ dependencies = [
 
 [[package]]
 name = "h2"
-version = "0.4.4"
+version = "0.4.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "816ec7294445779408f36fe57bc5b7fc1cf59664059096c65f905c1c61f58069"
+checksum = "31d030e59af851932b72ceebadf4a2b5986dba4c3b99dd2493f8273a0f151943"
 dependencies = [
  "bytes",
  "fnv",
@@ -1674,15 +1673,6 @@ version = "0.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
 
-[[package]]
-name = "html-escape"
-version = "0.2.13"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6d1ad449764d627e22bfd7cd5e8868264fc9236e07c752972b4080cd351cb476"
-dependencies = [
- "utf8-width",
-]
-
 [[package]]
 name = "html5ever"
 version = "0.26.0"
@@ -1787,7 +1777,7 @@ dependencies = [
  "futures-channel",
  "futures-core",
  "futures-util",
- "h2 0.3.26",
+ "h2 0.3.24",
  "http 0.2.11",
  "http-body 0.4.6",
  "httparse",
@@ -1810,7 +1800,7 @@ dependencies = [
  "bytes",
  "futures-channel",
  "futures-util",
- "h2 0.4.4",
+ "h2 0.4.2",
  "http 1.0.0",
  "http-body 1.0.0",
  "httparse",
@@ -2537,7 +2527,7 @@ dependencies = [
 
 [[package]]
 name = "openconnect"
-version = "2.2.1"
+version = "2.1.2"
 dependencies = [
  "cc",
  "common",
@@ -3167,7 +3157,7 @@ dependencies = [
  "encoding_rs",
  "futures-core",
  "futures-util",
- "h2 0.3.26",
+ "h2 0.3.24",
  "http 0.2.11",
  "http-body 0.4.6",
  "hyper 0.14.28",
@@ -4494,12 +4484,6 @@ version = "0.7.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "09cc8ee72d2a9becf2f2febe0205bbed8fc6615b7cb429ad062dc7b7ddd036a9"
 
-[[package]]
-name = "utf8-width"
-version = "0.1.7"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "86bd8d4e895da8537e5315b8254664e6b769c4ff3db18321b297a1e7004392e3"
-
 [[package]]
 name = "utf8parse"
 version = "0.2.1"
@@ -4606,12 +4590,6 @@ version = "0.11.0+wasi-snapshot-preview1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
 
-[[package]]
-name = "wasite"
-version = "0.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b8dad83b4f25e74f184f64c43b150b91efe7647395b42289f38e50566d82855b"
-
 [[package]]
 name = "wasm-bindgen"
 version = "0.2.89"
@@ -4788,12 +4766,11 @@ dependencies = [
 
 [[package]]
 name = "whoami"
-version = "1.5.1"
+version = "1.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a44ab49fad634e88f55bf8f9bb3abd2f27d7204172a112c7c9987e01c1c94ea9"
+checksum = "22fc3756b8a9133049b26c7f61ab35416c130e8c09b660f5b3958b446f52cc50"
 dependencies = [
- "redox_syscall",
- "wasite",
+ "wasm-bindgen",
  "web-sys",
 ]
 

Cargo.toml

@@ -5,7 +5,7 @@ members = ["crates/*", "apps/gpclient", "apps/gpservice", "apps/gpauth", "apps/g
 
 [workspace.package]
 rust-version = "1.70"
-version = "2.2.1"
+version = "2.1.2"
 authors = ["Kevin Yue <k3vinyue@gmail.com>"]
 homepage = "https://github.com/yuezk/GlobalProtect-openconnect"
 edition = "2021"

Makefile

@@ -13,15 +13,14 @@ PKG = $(PKG_NAME)-$(VERSION)
 SERIES ?= $(shell lsb_release -cs)
 PUBLISH ?= 0
 
+# Indicate if it is a Debian packaging
+DEB_PACKAGING ?= 0
+INCLUDE_SYSTEMD ?= $(shell [ -d /run/systemd/system ] && echo 1 || echo 0)
+# Enable the systemd service after installation
+ENABLE_SERVICE ?= 1
+
 export DEBEMAIL = k3vinyue@gmail.com
 export DEBFULLNAME = Kevin Yue
-export SNAPSHOT = $(shell test -f SNAPSHOT && echo "true" || echo "false")
-
-ifeq ($(SNAPSHOT), true)
-	RELEASE_TAG = snapshot
-else
-	RELEASE_TAG = v$(VERSION)
-endif
 
 CARGO_BUILD_ARGS = --release
 
@@ -68,8 +67,7 @@ download-gui:
 	if [ $(INCLUDE_GUI) -eq 1 ]; then \
 		echo "Downloading GlobalProtect GUI..."; \
 		mkdir -p .build/gpgui; \
-		curl -sSL https://github.com/yuezk/GlobalProtect-openconnect/releases/download/$(RELEASE_TAG)/gpgui_$(shell uname -m).bin.tar.xz \
-			-o .build/gpgui/gpgui_$(shell uname -m).bin.tar.xz; \
+		curl -sSL https://github.com/yuezk/GlobalProtect-openconnect/releases/download/v$(VERSION)/gpgui_$(VERSION)_$(shell uname -m).bin.tar.xz -o .build/gpgui/gpgui_$(VERSION)_x$(shell uname -m).bin.tar.xz; \
 		tar -xJf .build/gpgui/*.tar.xz -C .build/gpgui; \
 	else \
 		echo "Skipping GlobalProtect GUI download (INCLUDE_GUI=0)"; \
@@ -124,9 +122,34 @@ install:
 	install -Dm644 packaging/files/usr/share/icons/hicolor/256x256@2/apps/gpgui.png $(DESTDIR)/usr/share/icons/hicolor/256x256@2/apps/gpgui.png
 	install -Dm644 packaging/files/usr/share/polkit-1/actions/com.yuezk.gpgui.policy $(DESTDIR)/usr/share/polkit-1/actions/com.yuezk.gpgui.policy
 
+	# Install the systemd service
+	if [ $(INCLUDE_SYSTEMD) -eq 1 ]; then \
+		if [ $(DEB_PACKAGING) -eq 1 ]; then \
+			install -Dm644 packaging/files/usr/lib/systemd/system/gp-suspend.service $(DESTDIR)/lib/systemd/system/gp-suspend.service; \
+		else \
+			install -Dm644 packaging/files/usr/lib/systemd/system/gp-suspend.service $(DESTDIR)/usr/lib/systemd/system/gp-suspend.service; \
+		fi; \
+		if [ $(ENABLE_SERVICE) -eq 1 ]; then \
+			systemctl --system daemon-reload \
+			systemctl enable gp-suspend.service || true; \
+		fi \
+	else \
+		echo "Skipping systemd service installation"; \
+	fi
+
+	@echo "Installation complete."
+
 uninstall:
 	@echo "Uninstalling $(PKG_NAME)..."
 
+	# Disable the systemd service
+	if [ -d /run/systemd/system ]; then \
+		systemctl disable gp-suspend.service >/dev/null || true; \
+	fi
+
+	rm -f $(DESTDIR)/lib/systemd/system/gp-suspend.service
+	rm -f $(DESTDIR)/usr/lib/systemd/system/gp-suspend.service
+
 	rm -f $(DESTDIR)/usr/bin/gpclient
 	rm -f $(DESTDIR)/usr/bin/gpauth
 	rm -f $(DESTDIR)/usr/bin/gpservice
@@ -231,6 +254,7 @@ init-pkgbuild: clean-pkgbuild tarball
 
 	cp .build/tarball/${PKG}.tar.gz .build/pkgbuild
 	cp packaging/pkgbuild/PKGBUILD.in .build/pkgbuild/PKGBUILD
+	cp packaging/pkgbuild/gp.install .build/pkgbuild
 
 	sed -i "s/@PKG_NAME@/$(PKG_NAME)/g" .build/pkgbuild/PKGBUILD
 	sed -i "s/@VERSION@/$(VERSION)/g" .build/pkgbuild/PKGBUILD
@@ -252,7 +276,10 @@ binary: clean-binary tarball
 	mkdir -p .build/binary/$(PKG_NAME)_$(VERSION)/artifacts
 
 	make -C .build/binary/${PKG} build OFFLINE=$(OFFLINE) BUILD_FE=0 INCLUDE_GUI=$(INCLUDE_GUI)
-	make -C .build/binary/${PKG} install DESTDIR=$(PWD)/.build/binary/$(PKG_NAME)_$(VERSION)/artifacts
+	make -C .build/binary/${PKG} install \
+		DESTDIR=$(PWD)/.build/binary/$(PKG_NAME)_$(VERSION)/artifacts \
+		INCLUDE_SYSTEMD=1 \
+		ENABLE_SERVICE=0
 
 	cp packaging/binary/Makefile.in .build/binary/$(PKG_NAME)_$(VERSION)/Makefile
 

README.md

@@ -43,12 +43,6 @@ Options:
 See 'gpclient help <command>' for more information on a specific command.
 ```
 
-To use the default browser for authentication with the CLI version, you need to use the following command:
-
-```bash
-sudo -E gpclient connect --default-browser <portal>
-```
-
 ### GUI
 
 The GUI version is also available after you installed it. You can launch it from the application menu or run `gpclient launch-gui` in the terminal.
@@ -61,7 +55,7 @@ The GUI version is also available after you installed it. You can launch it from
 
 ### Debian/Ubuntu based distributions
 
-#### Install from PPA (Ubuntu 18.04 and later, except 24.04)
+#### Install from PPA
 
 ```
 sudo apt-get install gir1.2-gtk-3.0 gir1.2-webkit2-4.0
@@ -74,29 +68,12 @@ sudo apt-get install globalprotect-openconnect
 >
 > For Linux Mint, you might need to import the GPG key with: `sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7937C393082992E5D6E4A60453FC26B43838D761` if you encountered an error `gpg: keyserver receive failed: General error`.
 
-#### **Ubuntu 24.04**
-
-The `libwebkit2gtk-4.0-37` package was [removed](https://bugs.launchpad.net/ubuntu/+source/webkit2gtk/+bug/2061914) from its repo, before [the issue](https://github.com/yuezk/GlobalProtect-openconnect/issues/351) gets resolved, you need to install them manually:
-
-```bash
-wget http://launchpadlibrarian.net/704701349/libwebkit2gtk-4.0-37_2.43.3-1_amd64.deb
-wget http://launchpadlibrarian.net/704701345/libjavascriptcoregtk-4.0-18_2.43.3-1_amd64.deb
-
-sudo dpkg --install *.deb
-```
-
-And the latest package is not available in the PPA, you can follow the [Install from deb package](#install-from-deb-package) section to install the latest package.
-
-#### **Ubuntu 18.04**
-
-The latest package is not available in the PPA either, but you still needs to add the `ppa:yuezk/globalprotect-openconnect` repo beforehand to use the required `openconnect` package. Then you can follow the [Install from deb package](#install-from-deb-package) section to install the latest package.
-
 #### Install from deb package
 
-Download the latest deb package from [releases](https://github.com/yuezk/GlobalProtect-openconnect/releases) page. Then install it with `apt`:
+Download the latest deb package from [releases](https://github.com/yuezk/GlobalProtect-openconnect/releases) page. Then install it with `dpkg`:
 
 ```bash
-sudo apt install --fix-broken globalprotect-openconnect_*.deb
+sudo dpkg -i globalprotect-openconnect_*.deb
 ```
 
 ### Arch Linux / Manjaro
@@ -143,30 +120,6 @@ Download the latest RPM package from [releases](https://github.com/yuezk/GlobalP
 ```bash
 sudo rpm -i globalprotect-openconnect-*.rpm
 ```
-### Gentoo
-
-Install from the ```rios``` or ```slonko``` overlays.  Example using rios:
-
-#### 1. Enable the overlay
-```
-sudo eselect repository enable rios
-```
-
-#### 2. Sync with the repository
-
-  - If you have eix installed, use it:
-```
-sudo eix-sync
-```
-  - Otherwise, use:
-```
-sudo emerge --sync
-```
-
-#### 3. Install
-
-```sudo emerge globalprotect-openconnect```
-
 
 ### Other distributions
 
@@ -198,8 +151,6 @@ You can also build the client from source, steps are as follows:
 
 1. How to deal with error `Secure Storage not ready`
 
-   Try upgrade the client to `2.2.0` or later, which will use a file-based storage as a fallback.
-
    You need to install the `gnome-keyring` package, and restart the system (See [#321](https://github.com/yuezk/GlobalProtect-openconnect/issues/321), [#316](https://github.com/yuezk/GlobalProtect-openconnect/issues/316)).
 
 2. How to deal with error `(gpauth:18869): Gtk-WARNING **: 10:33:37.566: cannot open display:`

apps/gpauth/Cargo.toml

@@ -8,11 +8,7 @@ license.workspace = true
 tauri-build = { version = "1.5", features = [] }
 
 [dependencies]
-gpapi = { path = "../../crates/gpapi", features = [
-  "tauri",
-  "clap",
-  "browser-auth",
-] }
+gpapi = { path = "../../crates/gpapi", features = ["tauri", "clap"] }
 anyhow.workspace = true
 clap.workspace = true
 env_logger.workspace = true
@@ -22,7 +18,6 @@ serde_json.workspace = true
 tokio.workspace = true
 tokio-util.workspace = true
 tempfile.workspace = true
-html-escape = "0.2.13"
 webkit2gtk = "0.18.2"
 tauri = { workspace = true, features = ["http-all"] }
 compile-time.workspace = true

apps/gpauth/src/auth_window.rs

@@ -7,7 +7,6 @@ use std::{
 use anyhow::bail;
 use gpapi::{
   auth::SamlAuthData,
-  error::AuthDataParseError,
   gp_params::GpParams,
   portal::{prelogin, Prelogin},
   utils::{redact::redact_uri, window::WindowExt},
@@ -185,10 +184,6 @@ impl<'a> AuthWindow<'a> {
           }
 
           info!("Loaded uri: {}", redact_uri(&uri));
-          if uri.starts_with("globalprotectcallback:") {
-            return;
-          }
-
           read_auth_data(&main_resource, auth_result_tx_clone.clone());
         }
       });
@@ -207,9 +202,7 @@ impl<'a> AuthWindow<'a> {
 
       wv.connect_load_failed(move |_wv, _event, uri, err| {
         let redacted_uri = redact_uri(uri);
-        if !uri.starts_with("globalprotectcallback:") {
-          warn!("Failed to load uri: {} with error: {}", redacted_uri, err);
-        }
+        warn!("Failed to load uri: {} with error: {}", redacted_uri, err);
         // NOTE: Don't send error here, since load_changed event will be triggered after this
         // send_auth_result(&auth_result_tx, Err(AuthDataError::Invalid));
         // true to stop other handlers from being invoked for the event. false to propagate the event further.
@@ -346,7 +339,7 @@ fn read_auth_data_from_headers(response: &URIResponse) -> AuthResult {
 
 fn read_auth_data_from_body<F>(main_resource: &WebResource, callback: F)
 where
-  F: FnOnce(Result<SamlAuthData, AuthDataParseError>) + Send + 'static,
+  F: FnOnce(AuthResult) + Send + 'static,
 {
   main_resource.data(Cancellable::NONE, |data| match data {
     Ok(data) => {
@@ -355,41 +348,53 @@ where
     }
     Err(err) => {
       info!("Failed to read response body: {}", err);
-      callback(Err(AuthDataParseError::Invalid))
+      callback(Err(AuthDataError::Invalid))
     }
   });
 }
 
-fn read_auth_data_from_html(html: &str) -> Result<SamlAuthData, AuthDataParseError> {
+fn read_auth_data_from_html(html: &str) -> AuthResult {
   if html.contains("Temporarily Unavailable") {
     info!("Found 'Temporarily Unavailable' in HTML, auth failed");
-    return Err(AuthDataParseError::Invalid);
+    return Err(AuthDataError::Invalid);
   }
 
-  SamlAuthData::from_html(html).or_else(|err| {
-    if let Some(gpcallback) = extract_gpcallback(html) {
-      info!("Found gpcallback from html...");
-      SamlAuthData::from_gpcallback(&gpcallback)
-    } else {
-      Err(err)
-    }
-  })
-}
+  match parse_xml_tag(html, "saml-auth-status") {
+    Some(saml_status) if saml_status == "1" => {
+      let username = parse_xml_tag(html, "saml-username");
+      let prelogin_cookie = parse_xml_tag(html, "prelogin-cookie");
+      let portal_userauthcookie = parse_xml_tag(html, "portal-userauthcookie");
 
-fn extract_gpcallback(html: &str) -> Option<String> {
-  let re = Regex::new(r#"globalprotectcallback:[^"]+"#).unwrap();
-  re.captures(html)
-    .and_then(|captures| captures.get(0))
-    .map(|m| html_escape::decode_html_entities(m.as_str()).to_string())
+      if SamlAuthData::check(&username, &prelogin_cookie, &portal_userauthcookie) {
+        return Ok(SamlAuthData::new(
+          username.unwrap(),
+          prelogin_cookie,
+          portal_userauthcookie,
+        ));
+      }
+
+      info!("Found invalid auth data in HTML");
+      Err(AuthDataError::Invalid)
+    }
+    Some(status) => {
+      info!("Found invalid SAML status {} in HTML", status);
+      Err(AuthDataError::Invalid)
+    }
+    None => {
+      info!("No auth data found in HTML");
+      Err(AuthDataError::NotFound)
+    }
+  }
 }
 
 fn read_auth_data(main_resource: &WebResource, auth_result_tx: mpsc::UnboundedSender<AuthResult>) {
-  let Some(response) = main_resource.response() else {
+  if main_resource.response().is_none() {
     info!("No response found in main resource");
     send_auth_result(&auth_result_tx, Err(AuthDataError::Invalid));
     return;
-  };
+  }
 
+  let response = main_resource.response().unwrap();
   info!("Trying to read auth data from response headers...");
 
   match read_auth_data_from_headers(&response) {
@@ -402,27 +407,22 @@ fn read_auth_data(main_resource: &WebResource, auth_result_tx: mpsc::UnboundedSe
       read_auth_data_from_body(main_resource, move |auth_result| {
         // Since we have already found invalid auth data in headers, which means this could be the `/SAML20/SP/ACS` endpoint
         // any error result from body should be considered as invalid, and trigger a retry
-        let auth_result = auth_result.map_err(|err| {
-          info!("Failed to read auth data from body: {}", err);
-          AuthDataError::Invalid
-        });
+        let auth_result = auth_result.map_err(|_| AuthDataError::Invalid);
         send_auth_result(&auth_result_tx, auth_result);
       });
     }
     Err(AuthDataError::NotFound) => {
       info!("No auth data found in headers, trying to read from body...");
-
-      let is_acs_endpoint = main_resource.uri().map_or(false, |uri| uri.contains("/SAML20/SP/ACS"));
+      let url = main_resource.uri().unwrap_or("".into());
+      let is_acs_endpoint = url.contains("/SAML20/SP/ACS");
 
       read_auth_data_from_body(main_resource, move |auth_result| {
         // If the endpoint is `/SAML20/SP/ACS` and no auth data found in body, it should be considered as invalid
         let auth_result = auth_result.map_err(|err| {
-          info!("Failed to read auth data from body: {}", err);
-
-          if !is_acs_endpoint && matches!(err, AuthDataParseError::NotFound) {
-            AuthDataError::NotFound
-          } else {
+          if matches!(err, AuthDataError::NotFound) && is_acs_endpoint {
             AuthDataError::Invalid
+          } else {
+            err
           }
         });
 
@@ -437,6 +437,13 @@ fn read_auth_data(main_resource: &WebResource, auth_result_tx: mpsc::UnboundedSe
   }
 }
 
+fn parse_xml_tag(html: &str, tag: &str) -> Option<String> {
+  let re = Regex::new(&format!("<{}>(.*)</{}>", tag, tag)).unwrap();
+  re.captures(html)
+    .and_then(|captures| captures.get(1))
+    .map(|m| m.as_str().to_string())
+}
+
 pub(crate) async fn clear_webview_cookies(window: &Window) -> anyhow::Result<()> {
   let (tx, rx) = oneshot::channel::<Result<(), String>>();
 
@@ -482,42 +489,3 @@ pub(crate) async fn clear_webview_cookies(window: &Window) -> anyhow::Result<()>
 
   rx.await?.map_err(|err| anyhow::anyhow!(err))
 }
-
-#[cfg(test)]
-mod tests {
-  use super::*;
-
-  #[test]
-  fn extract_gpcallback_some() {
-    let html = r#"
-      <meta http-equiv="refresh" content="0; URL=globalprotectcallback:PGh0bWw+PCEtLSA8c">
-      <meta http-equiv="refresh" content="0; URL=globalprotectcallback:PGh0bWw+PCEtLSA8c">
-    "#;
-
-    assert_eq!(
-      extract_gpcallback(html).as_deref(),
-      Some("globalprotectcallback:PGh0bWw+PCEtLSA8c")
-    );
-  }
-
-  #[test]
-  fn extract_gpcallback_cas() {
-    let html = r#"
-      <meta http-equiv="refresh" content="0; URL=globalprotectcallback:cas-as=1&amp;un=xyz@email.com&amp;token=very_long_string">
-    "#;
-
-    assert_eq!(
-      extract_gpcallback(html).as_deref(),
-      Some("globalprotectcallback:cas-as=1&un=xyz@email.com&token=very_long_string")
-    );
-  }
-
-  #[test]
-  fn extract_gpcallback_none() {
-    let html = r#"
-      <meta http-equiv="refresh" content="0; URL=PGh0bWw+PCEtLSA8c">
-    "#;
-
-    assert_eq!(extract_gpcallback(html), None);
-  }
-}

apps/gpauth/src/cli.rs

@@ -3,7 +3,6 @@ use gpapi::{
   auth::{SamlAuthData, SamlAuthResult},
   clap::args::Os,
   gp_params::{ClientOs, GpParams},
-  process::browser_authenticator::BrowserAuthenticator,
   utils::{normalize_server, openssl},
   GP_USER_AGENT,
 };
@@ -38,8 +37,6 @@ struct Cli {
   ignore_tls_errors: bool,
   #[arg(long)]
   clean: bool,
-  #[arg(long)]
-  default_browser: bool,
 }
 
 impl Cli {
@@ -59,15 +56,6 @@ impl Cli {
       None => portal_prelogin(&self.server, &gp_params).await?,
     };
 
-    if self.default_browser {
-      let browser_auth = BrowserAuthenticator::new(&saml_request);
-      browser_auth.authenticate()?;
-
-      info!("Please continue the authentication process in the default browser");
-
-      return Ok(());
-    }
-
     self.saml_request.replace(saml_request);
 
     let app = create_app(self.clone())?;

apps/gpclient/src/connect.rs

@@ -6,7 +6,7 @@ use gpapi::{
   clap::args::Os,
   credential::{Credential, PasswordCredential},
   error::PortalError,
-  gateway::{gateway_login, GatewayLogin},
+  gateway::gateway_login,
   gp_params::{ClientOs, GpParams},
   portal::{prelogin, retrieve_config, Prelogin},
   process::{
@@ -19,9 +19,8 @@ use gpapi::{
 use inquire::{Password, PasswordDisplayMode, Select, Text};
 use log::info;
 use openconnect::Vpn;
-use tokio::{io::AsyncReadExt, net::TcpListener};
 
-use crate::{cli::SharedArgs, GP_CLIENT_LOCK_FILE, GP_CLIENT_PORT_FILE};
+use crate::{cli::SharedArgs, GP_CLIENT_LOCK_FILE};
 
 #[derive(Args)]
 pub(crate) struct ConnectArgs {
@@ -33,8 +32,6 @@ pub(crate) struct ConnectArgs {
   user: Option<String>,
   #[arg(long, short, help = "The VPNC script to use")]
   script: Option<String>,
-  #[arg(long, help = "Connect the server as a gateway, instead of a portal")]
-  as_gateway: bool,
 
   #[arg(
     long,
@@ -61,8 +58,6 @@ pub(crate) struct ConnectArgs {
   hidpi: bool,
   #[arg(long, help = "Do not reuse the remembered authentication cookie")]
   clean: bool,
-  #[arg(long, help = "Use the default browser to authenticate")]
-  default_browser: bool,
 }
 
 impl ConnectArgs {
@@ -100,12 +95,6 @@ impl<'a> ConnectHandler<'a> {
 
   pub(crate) async fn handle(&self) -> anyhow::Result<()> {
     let server = self.args.server.as_str();
-    let as_gateway = self.args.as_gateway;
-
-    if as_gateway {
-      info!("Treating the server as a gateway");
-      return self.connect_gateway_with_prelogin(server).await;
-    }
 
     let Err(err) = self.connect_portal_with_prelogin(server).await else {
       return Ok(());
@@ -114,15 +103,10 @@ impl<'a> ConnectHandler<'a> {
     info!("Failed to connect portal with prelogin: {}", err);
     if err.root_cause().downcast_ref::<PortalError>().is_some() {
       info!("Trying the gateway authentication workflow...");
-      self.connect_gateway_with_prelogin(server).await?;
-
-      eprintln!("\nNOTE: the server may be a gateway, not a portal.");
-      eprintln!("NOTE: try to use the `--as-gateway` option if you were authenticated twice.");
-
-      Ok(())
-    } else {
-      Err(err)
+      return self.connect_gateway_with_prelogin(server).await;
     }
+
+    Err(err)
   }
 
   async fn connect_portal_with_prelogin(&self, portal: &str) -> anyhow::Result<()> {
@@ -157,7 +141,7 @@ impl<'a> ConnectHandler<'a> {
     let gateway = selected_gateway.server();
     let cred = portal_config.auth_cookie().into();
 
-    let cookie = match self.login_gateway(gateway, &cred, &gp_params).await {
+    let cookie = match gateway_login(gateway, &cred, &gp_params).await {
       Ok(cookie) => cookie,
       Err(err) => {
         info!("Gateway login failed: {}", err);
@@ -177,28 +161,11 @@ impl<'a> ConnectHandler<'a> {
     let prelogin = prelogin(gateway, &gp_params).await?;
     let cred = self.obtain_credential(&prelogin, gateway).await?;
 
-    let cookie = self.login_gateway(gateway, &cred, &gp_params).await?;
+    let cookie = gateway_login(gateway, &cred, &gp_params).await?;
 
     self.connect_gateway(gateway, &cookie).await
   }
 
-  async fn login_gateway(&self, gateway: &str, cred: &Credential, gp_params: &GpParams) -> anyhow::Result<String> {
-    let mut gp_params = gp_params.clone();
-
-    loop {
-      match gateway_login(gateway, cred, &gp_params).await? {
-        GatewayLogin::Cookie(cookie) => return Ok(cookie),
-        GatewayLogin::Mfa(message, input_str) => {
-          let otp = Text::new(&message).prompt()?;
-          gp_params.set_input_str(&input_str);
-          gp_params.set_otp(&otp);
-
-          info!("Retrying gateway login with MFA...");
-        }
-      }
-    }
-  }
-
   async fn connect_gateway(&self, gateway: &str, cookie: &str) -> anyhow::Result<()> {
     let mtu = self.args.mtu.unwrap_or(0);
     let csd_uid = get_csd_uid(&self.args.csd_user)?;
@@ -243,9 +210,7 @@ impl<'a> ConnectHandler<'a> {
 
     match prelogin {
       Prelogin::Saml(prelogin) => {
-        let use_default_browser = prelogin.support_default_browser() && self.args.default_browser;
-
-        let cred = SamlAuthLauncher::new(&self.args.server)
+        SamlAuthLauncher::new(&self.args.server)
           .gateway(is_gateway)
           .saml_request(prelogin.saml_request())
           .user_agent(&self.args.user_agent)
@@ -255,21 +220,8 @@ impl<'a> ConnectHandler<'a> {
           .fix_openssl(self.shared_args.fix_openssl)
           .ignore_tls_errors(self.shared_args.ignore_tls_errors)
           .clean(self.args.clean)
-          .default_browser(use_default_browser)
           .launch()
-          .await?;
-
-        if let Some(cred) = cred {
-          return Ok(cred);
-        }
-
-        if !use_default_browser {
-          // This should never happen
-          unreachable!("SAML authentication failed without using the default browser");
-        }
-
-        info!("Waiting for the browser authentication to complete...");
-        wait_credentials().await
+          .await
       }
       Prelogin::Standard(prelogin) => {
         let prefix = if is_gateway { "Gateway" } else { "Portal" };
@@ -292,27 +244,6 @@ impl<'a> ConnectHandler<'a> {
   }
 }
 
-async fn wait_credentials() -> anyhow::Result<Credential> {
-  // Start a local server to receive the browser authentication data
-  let listener = TcpListener::bind("127.0.0.1:0").await?;
-  let port = listener.local_addr()?.port();
-
-  // Write the port to a file
-  fs::write(GP_CLIENT_PORT_FILE, port.to_string())?;
-
-  info!("Listening authentication data on port {}", port);
-  let (mut socket, _) = listener.accept().await?;
-
-  info!("Received the browser authentication data from the socket");
-  let mut data = String::new();
-  socket.read_to_string(&mut data).await?;
-
-  // Remove the port file
-  fs::remove_file(GP_CLIENT_PORT_FILE)?;
-
-  Credential::from_gpcallback(&data)
-}
-
 fn write_pid_file() {
   let pid = std::process::id();
 

apps/gpclient/src/launch_gui.rs

@@ -7,9 +7,6 @@ use gpapi::{
   utils::{endpoint::http_endpoint, env_file, shutdown_signal},
 };
 use log::info;
-use tokio::io::AsyncWriteExt;
-
-use crate::GP_CLIENT_PORT_FILE;
 
 #[derive(Args)]
 pub(crate) struct LaunchGuiArgs {
@@ -81,16 +78,11 @@ impl<'a> LaunchGuiHandler<'a> {
 }
 
 async fn feed_auth_data(auth_data: &str) -> anyhow::Result<()> {
-  let _ = tokio::join!(feed_auth_data_gui(auth_data), feed_auth_data_cli(auth_data));
-  Ok(())
-}
-
-async fn feed_auth_data_gui(auth_data: &str) -> anyhow::Result<()> {
   let service_endpoint = http_endpoint().await?;
 
   reqwest::Client::default()
     .post(format!("{}/auth-data", service_endpoint))
-    .body(auth_data.to_string())
+    .json(&auth_data)
     .send()
     .await?
     .error_for_status()?;
@@ -98,15 +90,6 @@ async fn feed_auth_data_gui(auth_data: &str) -> anyhow::Result<()> {
   Ok(())
 }
 
-async fn feed_auth_data_cli(auth_data: &str) -> anyhow::Result<()> {
-  let port = tokio::fs::read_to_string(GP_CLIENT_PORT_FILE).await?;
-  let mut stream = tokio::net::TcpStream::connect(format!("127.0.0.1:{}", port.trim())).await?;
-
-  stream.write_all(auth_data.as_bytes()).await?;
-
-  Ok(())
-}
-
 async fn try_active_gui() -> anyhow::Result<()> {
   let service_endpoint = http_endpoint().await?;
 

apps/gpclient/src/main.rs

@@ -4,7 +4,6 @@ mod disconnect;
 mod launch_gui;
 
 pub(crate) const GP_CLIENT_LOCK_FILE: &str = "/var/run/gpclient.lock";
-pub(crate) const GP_CLIENT_PORT_FILE: &str = "/var/run/gpclient.port";
 
 #[tokio::main]
 async fn main() {

apps/gpgui-helper/package.json

@@ -31,6 +31,6 @@
     "eslint-plugin-react-hooks": "^4.6.0",
     "prettier": "3.1.0",
     "typescript": "^5.0.2",
-    "vite": "^4.5.3"
+    "vite": "^4.5.2"
   }
 }

apps/gpgui-helper/pnpm-lock.yaml

@@ -48,7 +48,7 @@ devDependencies:
     version: 6.12.0(eslint@8.54.0)(typescript@5.0.2)
   '@vitejs/plugin-react':
     specifier: ^4.0.3
-    version: 4.0.3(vite@4.5.3)
+    version: 4.0.3(vite@4.5.2)
   eslint:
     specifier: ^8.54.0
     version: 8.54.0
@@ -68,8 +68,8 @@ devDependencies:
     specifier: ^5.0.2
     version: 5.0.2
   vite:
-    specifier: ^4.5.3
-    version: 4.5.3(@types/node@20.8.10)
+    specifier: ^4.5.2
+    version: 4.5.2(@types/node@20.8.10)
 
 packages:
 
@@ -1229,7 +1229,7 @@ packages:
     resolution: {integrity: sha512-zuVdFrMJiuCDQUMCzQaD6KL28MjnqqN8XnAqiEq9PNm/hCPTSGfrXCOfwj1ow4LFb/tNymJPwsNbVePc1xFqrQ==}
     dev: true
 
-  /@vitejs/plugin-react@4.0.3(vite@4.5.3):
+  /@vitejs/plugin-react@4.0.3(vite@4.5.2):
     resolution: {integrity: sha512-pwXDog5nwwvSIzwrvYYmA2Ljcd/ZNlcsSG2Q9CNDBwnsd55UGAyr2doXtB5j+2uymRCnCfExlznzzSFbBRcoCg==}
     engines: {node: ^14.18.0 || >=16.0.0}
     peerDependencies:
@@ -1239,7 +1239,7 @@ packages:
       '@babel/plugin-transform-react-jsx-self': 7.22.5(@babel/core@7.23.2)
       '@babel/plugin-transform-react-jsx-source': 7.22.5(@babel/core@7.23.2)
       react-refresh: 0.14.0
-      vite: 4.5.3(@types/node@20.8.10)
+      vite: 4.5.2(@types/node@20.8.10)
     transitivePeerDependencies:
       - supports-color
     dev: true
@@ -2979,8 +2979,8 @@ packages:
       punycode: 2.3.1
     dev: true
 
-  /vite@4.5.3(@types/node@20.8.10):
-    resolution: {integrity: sha512-kQL23kMeX92v3ph7IauVkXkikdDRsYMGTVl5KY2E9OY4ONLvkHf04MDTbnfo6NKxZiDLWzVpP5oTa8hQD8U3dg==}
+  /vite@4.5.2(@types/node@20.8.10):
+    resolution: {integrity: sha512-tBCZBNSBbHQkaGyhGCDUGqeo2ph8Fstyp6FMSvTtsXeZSPpSMGlviAOav2hxVTqFcx8Hj/twtWKsMJXNY0xI8w==}
     engines: {node: ^14.18.0 || >=16.0.0}
     hasBin: true
     peerDependencies:

apps/gpgui-helper/src-tauri/src/updater.rs

@@ -9,12 +9,6 @@ use tauri::{Manager, Window};
 
 use crate::downloader::{ChecksumFetcher, FileDownloader};
 
-#[cfg(not(debug_assertions))]
-const SNAPSHOT: &str = match option_env!("SNAPSHOT") {
-    Some(val) => val,
-    None => "false"
-};
-
 pub struct ProgressNotifier {
   win: Window,
 }
@@ -87,13 +81,9 @@ impl GuiUpdater {
     info!("Update GUI, version: {}", self.version);
 
     #[cfg(debug_assertions)]
-    let release_tag = "snapshot";
+    let release_tag = "latest";
     #[cfg(not(debug_assertions))]
-    let release_tag = if SNAPSHOT == "true" {
-      String::from("snapshot")
-    } else {
-      format!("v{}", self.version)
-    };
+    let release_tag = format!("v{}", self.version);
 
     #[cfg(target_arch = "x86_64")]
     let arch = "x86_64";
@@ -101,8 +91,8 @@ impl GuiUpdater {
     let arch = "aarch64";
 
     let file_url = format!(
-      "https://github.com/yuezk/GlobalProtect-openconnect/releases/download/{}/gpgui_{}.bin.tar.xz",
-      release_tag, arch
+      "https://github.com/yuezk/GlobalProtect-openconnect/releases/download/{}/gpgui_{}_{}.bin.tar.xz",
+      release_tag, self.version, arch
     );
     let checksum_url = format!("{}.sha256", file_url);
 

changelog.md

@@ -1,26 +1,5 @@
 # Changelog
 
-## 2.2.1 - 2024-05-07
-
-- GUI: Restore the default browser auth implementation (fix [#360](https://github.com/yuezk/GlobalProtect-openconnect/issues/360))
-
-## 2.2.0 - 2024-04-30
-
-- CLI: support authentication with external browser (fix [#298](https://github.com/yuezk/GlobalProtect-openconnect/issues/298))
-- GUI: support using file-based storage when the system keyring is not available.
-
-## 2.1.4 - 2024-04-10
-
-- Support MFA authentication (fix [#343](https://github.com/yuezk/GlobalProtect-openconnect/issues/343))
-- Improve the Gateway switcher UI
-
-## 2.1.3 - 2024-04-07
-
-- Support CAS authentication (fix [#339](https://github.com/yuezk/GlobalProtect-openconnect/issues/339))
-- CLI: Add `--as-gateway` option to connect as gateway directly (fix [#318](https://github.com/yuezk/GlobalProtect-openconnect/issues/318))
-- GUI: Support connect the gateway directly (fix [#318](https://github.com/yuezk/GlobalProtect-openconnect/issues/318))
-- GUI: Add an option to use symbolic tray icon (fix [#341](https://github.com/yuezk/GlobalProtect-openconnect/issues/341))
-
 ## 2.1.2 - 2024-03-29
 
 - Treat portal as gateway when the gateway login is failed (fix #338)

crates/gpapi/src/auth.rs

@@ -1,17 +1,13 @@
-use log::{info, warn};
+use anyhow::bail;
 use regex::Regex;
 use serde::{Deserialize, Serialize};
 
-use crate::{error::AuthDataParseError, utils::base64::decode_to_string};
-
 #[derive(Debug, Serialize, Deserialize)]
 #[serde(rename_all = "camelCase")]
 pub struct SamlAuthData {
-  #[serde(alias = "un")]
   username: String,
   prelogin_cookie: Option<String>,
   portal_userauthcookie: Option<String>,
-  token: Option<String>,
 }
 
 #[derive(Debug, Serialize, Deserialize)]
@@ -36,11 +32,10 @@ impl SamlAuthData {
       username,
       prelogin_cookie,
       portal_userauthcookie,
-      token: None,
     }
   }
 
-  pub fn from_html(html: &str) -> anyhow::Result<SamlAuthData, AuthDataParseError> {
+  pub fn parse_html(html: &str) -> anyhow::Result<SamlAuthData> {
     match parse_xml_tag(html, "saml-auth-status") {
       Some(saml_status) if saml_status == "1" => {
         let username = parse_xml_tag(html, "saml-username");
@@ -48,42 +43,21 @@ impl SamlAuthData {
         let portal_userauthcookie = parse_xml_tag(html, "portal-userauthcookie");
 
         if SamlAuthData::check(&username, &prelogin_cookie, &portal_userauthcookie) {
-          Ok(SamlAuthData::new(
+          return Ok(SamlAuthData::new(
             username.unwrap(),
             prelogin_cookie,
             portal_userauthcookie,
-          ))
-        } else {
-          Err(AuthDataParseError::Invalid)
+          ));
         }
+
+        bail!("Found invalid auth data in HTML");
+      }
+      Some(status) => {
+        bail!("Found invalid SAML status {} in HTML", status);
+      }
+      None => {
+        bail!("No auth data found in HTML");
       }
-      Some(_) => Err(AuthDataParseError::Invalid),
-      None => Err(AuthDataParseError::NotFound),
-    }
-  }
-
-  pub fn from_gpcallback(data: &str) -> anyhow::Result<SamlAuthData, AuthDataParseError> {
-    let auth_data = data.trim_start_matches("globalprotectcallback:");
-
-    if auth_data.starts_with("cas-as") {
-      info!("Got CAS auth data from globalprotectcallback");
-
-      let auth_data: SamlAuthData = serde_urlencoded::from_str(auth_data).map_err(|e| {
-        warn!("Failed to parse token auth data: {}", e);
-        AuthDataParseError::Invalid
-      })?;
-
-      Ok(auth_data)
-    } else {
-      info!("Parsing SAML auth data...");
-
-      let auth_data = decode_to_string(auth_data).map_err(|e| {
-        warn!("Failed to decode SAML auth data: {}", e);
-        AuthDataParseError::Invalid
-      })?;
-      let auth_data = Self::from_html(&auth_data)?;
-
-      Ok(auth_data)
     }
   }
 
@@ -95,10 +69,6 @@ impl SamlAuthData {
     self.prelogin_cookie.as_deref()
   }
 
-  pub fn token(&self) -> Option<&str> {
-    self.token.as_deref()
-  }
-
   pub fn check(
     username: &Option<String>,
     prelogin_cookie: &Option<String>,
@@ -108,16 +78,7 @@ impl SamlAuthData {
     let prelogin_cookie_valid = prelogin_cookie.as_ref().is_some_and(|val| val.len() > 5);
     let portal_userauthcookie_valid = portal_userauthcookie.as_ref().is_some_and(|val| val.len() > 5);
 
-    let is_valid = username_valid && (prelogin_cookie_valid || portal_userauthcookie_valid);
-
-    if !is_valid {
-      warn!(
-        "Invalid SAML auth data: username: {:?}, prelogin-cookie: {:?}, portal-userauthcookie: {:?}",
-        username, prelogin_cookie, portal_userauthcookie
-      );
-    }
-
-    is_valid
+    username_valid && (prelogin_cookie_valid || portal_userauthcookie_valid)
   }
 }
 
@@ -127,28 +88,3 @@ pub fn parse_xml_tag(html: &str, tag: &str) -> Option<String> {
     .and_then(|captures| captures.get(1))
     .map(|m| m.as_str().to_string())
 }
-
-#[cfg(test)]
-mod tests {
-  use super::*;
-
-  #[test]
-  fn auth_data_from_gpcallback_cas() {
-    let auth_data = "globalprotectcallback:cas-as=1&un=xyz@email.com&token=very_long_string";
-
-    let auth_data = SamlAuthData::from_gpcallback(auth_data).unwrap();
-
-    assert_eq!(auth_data.username(), "xyz@email.com");
-    assert_eq!(auth_data.token(), Some("very_long_string"));
-  }
-
-  #[test]
-  fn auth_data_from_gpcallback_non_cas() {
-    let auth_data = "PGh0bWw+PCEtLSA8c2FtbC1hdXRoLXN0YXR1cz4xPC9zYW1sLWF1dGgtc3RhdHVzPjxwcmVsb2dpbi1jb29raWU+cHJlbG9naW4tY29va2llPC9wcmVsb2dpbi1jb29raWU+PHNhbWwtdXNlcm5hbWU+eHl6QGVtYWlsLmNvbTwvc2FtbC11c2VybmFtZT48c2FtbC1zbG8+bm88L3NhbWwtc2xvPjxzYW1sLVNlc3Npb25Ob3RPbk9yQWZ0ZXI+PC9zYW1sLVNlc3Npb25Ob3RPbk9yQWZ0ZXI+IC0tPjwvaHRtbD4=";
-
-    let auth_data = SamlAuthData::from_gpcallback(auth_data).unwrap();
-
-    assert_eq!(auth_data.username(), "xyz@email.com");
-    assert_eq!(auth_data.prelogin_cookie(), Some("prelogin-cookie"));
-  }
-}

crates/gpapi/src/credential.rs

@@ -3,7 +3,7 @@ use std::collections::HashMap;
 use serde::{Deserialize, Serialize};
 use specta::Type;
 
-use crate::auth::SamlAuthData;
+use crate::{auth::SamlAuthData, utils::base64::decode_to_string};
 
 #[derive(Debug, Serialize, Deserialize, Type, Clone)]
 #[serde(rename_all = "camelCase")]
@@ -37,18 +37,16 @@ impl From<&CachedCredential> for PasswordCredential {
 
 #[derive(Debug, Serialize, Deserialize, Type, Clone)]
 #[serde(rename_all = "camelCase")]
-pub struct PreloginCredential {
+pub struct PreloginCookieCredential {
   username: String,
-  prelogin_cookie: Option<String>,
-  token: Option<String>,
+  prelogin_cookie: String,
 }
 
-impl PreloginCredential {
-  pub fn new(username: &str, prelogin_cookie: Option<&str>, token: Option<&str>) -> Self {
+impl PreloginCookieCredential {
+  pub fn new(username: &str, prelogin_cookie: &str) -> Self {
     Self {
       username: username.to_string(),
-      prelogin_cookie: prelogin_cookie.map(|s| s.to_string()),
-      token: token.map(|s| s.to_string()),
+      prelogin_cookie: prelogin_cookie.to_string(),
     }
   }
 
@@ -56,22 +54,22 @@ impl PreloginCredential {
     &self.username
   }
 
-  pub fn prelogin_cookie(&self) -> Option<&str> {
-    self.prelogin_cookie.as_deref()
-  }
-
-  pub fn token(&self) -> Option<&str> {
-    self.token.as_deref()
+  pub fn prelogin_cookie(&self) -> &str {
+    &self.prelogin_cookie
   }
 }
 
-impl From<SamlAuthData> for PreloginCredential {
-  fn from(value: SamlAuthData) -> Self {
-    let username = value.username().to_string();
-    let prelogin_cookie = value.prelogin_cookie();
-    let token = value.token();
+impl TryFrom<SamlAuthData> for PreloginCookieCredential {
+  type Error = anyhow::Error;
 
-    Self::new(&username, prelogin_cookie, token)
+  fn try_from(value: SamlAuthData) -> Result<Self, Self::Error> {
+    let username = value.username().to_string();
+    let prelogin_cookie = value
+      .prelogin_cookie()
+      .ok_or_else(|| anyhow::anyhow!("Missing prelogin cookie"))?
+      .to_string();
+
+    Ok(Self::new(&username, &prelogin_cookie))
   }
 }
 
@@ -156,30 +154,34 @@ impl From<PasswordCredential> for CachedCredential {
     )
   }
 }
+
 #[derive(Debug, Serialize, Deserialize, Type, Clone)]
 #[serde(tag = "type", rename_all = "camelCase")]
 pub enum Credential {
   Password(PasswordCredential),
-  Prelogin(PreloginCredential),
+  PreloginCookie(PreloginCookieCredential),
   AuthCookie(AuthCookieCredential),
-  Cached(CachedCredential),
+  CachedCredential(CachedCredential),
 }
 
 impl Credential {
-  /// Create a credential from a globalprotectcallback:<base64 encoded string>,
-  /// or globalprotectcallback:cas-as=1&un=user@xyz.com&token=very_long_string
-  pub fn from_gpcallback(auth_data: &str) -> anyhow::Result<Self> {
-    let auth_data = SamlAuthData::from_gpcallback(auth_data)?;
+  /// Create a credential from a globalprotectcallback:<base64 encoded string>
+  pub fn parse_gpcallback(auth_data: &str) -> anyhow::Result<Self> {
+    // Remove the surrounding quotes
+    let auth_data = auth_data.trim_matches('"');
+    let auth_data = auth_data.trim_start_matches("globalprotectcallback:");
+    let auth_data = decode_to_string(auth_data)?;
+    let auth_data = SamlAuthData::parse_html(&auth_data)?;
 
-    Ok(Self::from(auth_data))
+    Self::try_from(auth_data)
   }
 
   pub fn username(&self) -> &str {
     match self {
       Credential::Password(cred) => cred.username(),
-      Credential::Prelogin(cred) => cred.username(),
+      Credential::PreloginCookie(cred) => cred.username(),
       Credential::AuthCookie(cred) => cred.username(),
-      Credential::Cached(cred) => cred.username(),
+      Credential::CachedCredential(cred) => cred.username(),
     }
   }
 
@@ -187,22 +189,20 @@ impl Credential {
     let mut params = HashMap::new();
     params.insert("user", self.username());
 
-    let (passwd, prelogin_cookie, portal_userauthcookie, portal_prelogonuserauthcookie, token) = match self {
-      Credential::Password(cred) => (Some(cred.password()), None, None, None, None),
-      Credential::Prelogin(cred) => (None, cred.prelogin_cookie(), None, None, cred.token()),
+    let (passwd, prelogin_cookie, portal_userauthcookie, portal_prelogonuserauthcookie) = match self {
+      Credential::Password(cred) => (Some(cred.password()), None, None, None),
+      Credential::PreloginCookie(cred) => (None, Some(cred.prelogin_cookie()), None, None),
       Credential::AuthCookie(cred) => (
         None,
         None,
         Some(cred.user_auth_cookie()),
         Some(cred.prelogon_user_auth_cookie()),
-        None,
       ),
-      Credential::Cached(cred) => (
+      Credential::CachedCredential(cred) => (
         cred.password(),
         None,
         Some(cred.auth_cookie.user_auth_cookie()),
         Some(cred.auth_cookie.prelogon_user_auth_cookie()),
-        None,
       ),
     };
 
@@ -214,19 +214,17 @@ impl Credential {
       portal_prelogonuserauthcookie.unwrap_or_default(),
     );
 
-    if let Some(token) = token {
-      params.insert("token", token);
-    }
-
     params
   }
 }
 
-impl From<SamlAuthData> for Credential {
-  fn from(value: SamlAuthData) -> Self {
-    let cred = PreloginCredential::from(value);
+impl TryFrom<SamlAuthData> for Credential {
+  type Error = anyhow::Error;
 
-    Self::Prelogin(cred)
+  fn try_from(value: SamlAuthData) -> Result<Self, Self::Error> {
+    let prelogin_cookie = PreloginCookieCredential::try_from(value)?;
+
+    Ok(Self::PreloginCookie(prelogin_cookie))
   }
 }
 
@@ -244,6 +242,6 @@ impl From<&AuthCookieCredential> for Credential {
 
 impl From<&CachedCredential> for Credential {
   fn from(value: &CachedCredential) -> Self {
-    Self::Cached(value.clone())
+    Self::CachedCredential(value.clone())
   }
 }

crates/gpapi/src/error.rs

@@ -2,18 +2,10 @@ use thiserror::Error;
 
 #[derive(Error, Debug)]
 pub enum PortalError {
-  #[error("Prelogin error: {0}")]
+  #[error("Portal prelogin error: {0}")]
   PreloginError(String),
   #[error("Portal config error: {0}")]
   ConfigError(String),
   #[error("Network error: {0}")]
   NetworkError(String),
 }
-
-#[derive(Error, Debug)]
-pub enum AuthDataParseError {
-  #[error("No auth data found")]
-  NotFound,
-  #[error("Invalid auth data")]
-  Invalid,
-}

crates/gpapi/src/gateway/login.rs

@@ -8,15 +8,10 @@ use crate::{
   credential::Credential,
   error::PortalError,
   gp_params::GpParams,
-  utils::{normalize_server, parse_gp_response, remove_url_scheme},
+  utils::{normalize_server, parse_gp_error, remove_url_scheme},
 };
 
-pub enum GatewayLogin {
-  Cookie(String),
-  Mfa(String, String),
-}
-
-pub async fn gateway_login(gateway: &str, cred: &Credential, gp_params: &GpParams) -> anyhow::Result<GatewayLogin> {
+pub async fn gateway_login(gateway: &str, cred: &Credential, gp_params: &GpParams) -> anyhow::Result<String> {
   let url = normalize_server(gateway)?;
   let gateway = remove_url_scheme(&url);
 
@@ -41,25 +36,23 @@ pub async fn gateway_login(gateway: &str, cred: &Credential, gp_params: &GpParam
     .await
     .map_err(|e| anyhow::anyhow!(PortalError::NetworkError(e.to_string())))?;
 
-  let res = parse_gp_response(res).await.map_err(|err| {
-    warn!("{err}");
-    anyhow::anyhow!("Gateway login error: {}", err.reason)
-  })?;
+  let status = res.status();
 
-  // MFA detected
-  if res.contains("Challenge") {
-    let Some((message, input_str)) = parse_mfa(&res) else {
-      bail!("Failed to parse MFA challenge: {res}");
-    };
+  if status.is_client_error() || status.is_server_error() {
+    let (reason, res) = parse_gp_error(res).await;
 
-    return Ok(GatewayLogin::Mfa(message, input_str));
+    warn!(
+      "Gateway login error: reason={}, status={}, response={}",
+      reason, status, res
+    );
+
+    bail!("Gateway login error, reason: {}", reason);
   }
 
-  let doc = Document::parse(&res)?;
+  let res_xml = res.text().await?;
+  let doc = Document::parse(&res_xml)?;
 
-  let cookie = build_gateway_token(&doc, gp_params.computer())?;
-
-  Ok(GatewayLogin::Cookie(cookie))
+  build_gateway_token(&doc, gp_params.computer())
 }
 
 fn build_gateway_token(doc: &Document, computer: &str) -> anyhow::Result<String> {
@@ -93,33 +86,3 @@ fn read_args<'a>(args: &'a [String], index: usize, key: &'a str) -> anyhow::Resu
     .ok_or_else(|| anyhow::anyhow!("Failed to read {key} from args"))
     .map(|s| (key, s.as_ref()))
 }
-
-fn parse_mfa(res: &str) -> Option<(String, String)> {
-  let message = res
-    .lines()
-    .find(|l| l.contains("respMsg"))
-    .and_then(|l| l.split('"').nth(1).map(|s| s.to_string()))?;
-
-  let input_str = res
-    .lines()
-    .find(|l| l.contains("inputStr"))
-    .and_then(|l| l.split('"').nth(1).map(|s| s.to_string()))?;
-
-  Some((message, input_str))
-}
-
-#[cfg(test)]
-mod tests {
-  use super::*;
-
-  #[test]
-  fn mfa() {
-    let res = r#"var respStatus = "Challenge";
-var respMsg = "MFA message";
-thisForm.inputStr.value = "5ef64e83000119ed";"#;
-
-    let (message, input_str) = parse_mfa(res).unwrap();
-    assert_eq!(message, "MFA message");
-    assert_eq!(input_str, "5ef64e83000119ed");
-  }
-}

crates/gpapi/src/gp_params.rs

@@ -42,7 +42,7 @@ impl ClientOs {
   }
 }
 
-#[derive(Debug, Serialize, Deserialize, Type, Default, Clone)]
+#[derive(Debug, Serialize, Deserialize, Type, Default)]
 pub struct GpParams {
   is_gateway: bool,
   user_agent: String,
@@ -51,9 +51,7 @@ pub struct GpParams {
   client_version: Option<String>,
   computer: String,
   ignore_tls_errors: bool,
-  // Used for MFA
-  input_str: Option<String>,
-  otp: Option<String>,
+  prefer_default_browser: bool,
 }
 
 impl GpParams {
@@ -81,6 +79,10 @@ impl GpParams {
     self.ignore_tls_errors
   }
 
+  pub fn prefer_default_browser(&self) -> bool {
+    self.prefer_default_browser
+  }
+
   pub fn client_os(&self) -> &str {
     self.client_os.as_str()
   }
@@ -93,14 +95,6 @@ impl GpParams {
     self.client_version.as_deref()
   }
 
-  pub fn set_input_str(&mut self, input_str: &str) {
-    self.input_str = Some(input_str.to_string());
-  }
-
-  pub fn set_otp(&mut self, otp: &str) {
-    self.otp = Some(otp.to_string());
-  }
-
   pub(crate) fn to_params(&self) -> HashMap<&str, &str> {
     let mut params: HashMap<&str, &str> = HashMap::new();
     let client_os = self.client_os.as_str();
@@ -111,16 +105,11 @@ impl GpParams {
     params.insert("ok", "Login");
     params.insert("direct", "yes");
     params.insert("ipv6-support", "yes");
+    params.insert("inputStr", "");
     params.insert("clientVer", "4100");
     params.insert("clientos", client_os);
     params.insert("computer", &self.computer);
 
-    // MFA
-    params.insert("inputStr", self.input_str.as_deref().unwrap_or_default());
-    if let Some(otp) = &self.otp {
-      params.insert("passwd", otp);
-    }
-
     if let Some(os_version) = &self.os_version {
       params.insert("os-version", os_version);
     }
@@ -142,20 +131,20 @@ pub struct GpParamsBuilder {
   client_version: Option<String>,
   computer: String,
   ignore_tls_errors: bool,
+  prefer_default_browser: bool,
 }
 
 impl GpParamsBuilder {
   pub fn new() -> Self {
-    let computer = whoami::fallible::hostname().unwrap_or_else(|_| String::from("localhost"));
-
     Self {
       is_gateway: false,
       user_agent: GP_USER_AGENT.to_string(),
       client_os: ClientOs::Linux,
       os_version: Default::default(),
       client_version: Default::default(),
-      computer,
+      computer: whoami::hostname(),
       ignore_tls_errors: false,
+      prefer_default_browser: false,
     }
   }
 
@@ -194,6 +183,11 @@ impl GpParamsBuilder {
     self
   }
 
+  pub fn prefer_default_browser(&mut self, prefer_default_browser: bool) -> &mut Self {
+    self.prefer_default_browser = prefer_default_browser;
+    self
+  }
+
   pub fn build(&self) -> GpParams {
     GpParams {
       is_gateway: self.is_gateway,
@@ -203,8 +197,7 @@ impl GpParamsBuilder {
       client_version: self.client_version.clone(),
       computer: self.computer.clone(),
       ignore_tls_errors: self.ignore_tls_errors,
-      input_str: Default::default(),
-      otp: Default::default(),
+      prefer_default_browser: self.prefer_default_browser,
     }
   }
 }

crates/gpapi/src/portal/config.rs

@@ -10,7 +10,7 @@ use crate::{
   error::PortalError,
   gateway::{parse_gateways, Gateway},
   gp_params::GpParams,
-  utils::{normalize_server, parse_gp_response, remove_url_scheme, xml},
+  utils::{normalize_server, parse_gp_error, remove_url_scheme, xml},
 };
 
 #[derive(Debug, Serialize, Type)]
@@ -108,19 +108,24 @@ pub async fn retrieve_config(portal: &str, cred: &Credential, gp_params: &GpPara
     .send()
     .await
     .map_err(|e| anyhow::anyhow!(PortalError::NetworkError(e.to_string())))?;
+  let status = res.status();
 
-  let res_xml = parse_gp_response(res).await.or_else(|err| {
-    if err.status == StatusCode::NOT_FOUND {
-      bail!(PortalError::ConfigError("Config endpoint not found".to_string()));
-    }
+  if status == StatusCode::NOT_FOUND {
+    bail!(PortalError::ConfigError("Config endpoint not found".to_string()))
+  }
 
-    if err.is_status_error() {
-      warn!("{err}");
-      bail!("Portal config error: {}", err.reason);
-    }
+  if status.is_client_error() || status.is_server_error() {
+    let (reason, res) = parse_gp_error(res).await;
 
-    Err(anyhow::anyhow!(PortalError::ConfigError(err.reason)))
-  })?;
+    warn!(
+      "Portal config error: reason={}, status={}, response={}",
+      reason, status, res
+    );
+
+    bail!("Portal config error, reason: {}", reason);
+  }
+
+  let res_xml = res.text().await.map_err(|e| PortalError::ConfigError(e.to_string()))?;
 
   if res_xml.is_empty() {
     bail!(PortalError::ConfigError("Empty portal config response".to_string()))

crates/gpapi/src/portal/prelogin.rs

@@ -1,4 +1,4 @@
-use anyhow::{anyhow, bail};
+use anyhow::bail;
 use log::{info, warn};
 use reqwest::{Client, StatusCode};
 use roxmltree::Document;
@@ -8,7 +8,7 @@ use specta::Type;
 use crate::{
   error::PortalError,
   gp_params::GpParams,
-  utils::{base64, normalize_server, parse_gp_response, xml},
+  utils::{base64, normalize_server, parse_gp_error, xml},
 };
 
 const REQUIRED_PARAMS: [&str; 8] = [
@@ -98,19 +98,18 @@ impl Prelogin {
 
 pub async fn prelogin(portal: &str, gp_params: &GpParams) -> anyhow::Result<Prelogin> {
   let user_agent = gp_params.user_agent();
-  let is_gateway = gp_params.is_gateway();
-  let prelogin_type = if is_gateway { "Gateway" } else { "Portal" };
-
-  info!("{} prelogin with user_agent: {}", prelogin_type, user_agent);
+  info!("Prelogin with user_agent: {}", user_agent);
 
   let portal = normalize_server(portal)?;
+  let is_gateway = gp_params.is_gateway();
   let path = if is_gateway { "ssl-vpn" } else { "global-protect" };
   let prelogin_url = format!("{portal}/{}/prelogin.esp", path);
   let mut params = gp_params.to_params();
 
   params.insert("tmp", "tmp");
-  params.insert("default-browser", "1");
-  params.insert("cas-support", "yes");
+  if gp_params.prefer_default_browser() {
+    params.insert("default-browser", "1");
+  }
 
   params.retain(|k, _| REQUIRED_PARAMS.iter().any(|required_param| required_param == k));
 
@@ -125,37 +124,39 @@ pub async fn prelogin(portal: &str, gp_params: &GpParams) -> anyhow::Result<Prel
     .send()
     .await
     .map_err(|e| anyhow::anyhow!(PortalError::NetworkError(e.to_string())))?;
+  let status = res.status();
 
-  let res_xml = parse_gp_response(res).await.or_else(|err| {
-    if err.status == StatusCode::NOT_FOUND {
-      bail!(PortalError::PreloginError("Prelogin endpoint not found".to_string()))
-    }
+  if status == StatusCode::NOT_FOUND {
+    bail!(PortalError::PreloginError("Prelogin endpoint not found".to_string()))
+  }
 
-    if err.is_status_error() {
-      warn!("{err}");
-      bail!("Prelogin error: {}", err.reason)
-    }
+  if status.is_client_error() || status.is_server_error() {
+    let (reason, res) = parse_gp_error(res).await;
 
-    Err(anyhow!(PortalError::PreloginError(err.reason)))
-  })?;
+    warn!("Prelogin error: reason={}, status={}, response={}", reason, status, res);
 
-  let prelogin = parse_res_xml(&res_xml, is_gateway).map_err(|err| {
-    warn!("Parse response error, response: {}", res_xml);
-    PortalError::PreloginError(err.to_string())
-  })?;
+    bail!("Prelogin error: {}", status)
+  }
+
+  let res_xml = res
+    .text()
+    .await
+    .map_err(|e| PortalError::PreloginError(e.to_string()))?;
+
+  let prelogin = parse_res_xml(res_xml, is_gateway).map_err(|e| PortalError::PreloginError(e.to_string()))?;
 
   Ok(prelogin)
 }
 
-fn parse_res_xml(res_xml: &str, is_gateway: bool) -> anyhow::Result<Prelogin> {
-  let doc = Document::parse(res_xml)?;
+fn parse_res_xml(res_xml: String, is_gateway: bool) -> anyhow::Result<Prelogin> {
+  let doc = Document::parse(&res_xml)?;
 
   let status = xml::get_child_text(&doc, "status")
     .ok_or_else(|| anyhow::anyhow!("Prelogin response does not contain status element"))?;
   // Check the status of the prelogin response
   if status.to_uppercase() != "SUCCESS" {
     let msg = xml::get_child_text(&doc, "msg").unwrap_or(String::from("Unknown error"));
-    bail!("{}", msg)
+    bail!("Prelogin failed: {}", msg)
   }
 
   let region = xml::get_child_text(&doc, "region").unwrap_or_else(|| {
@@ -195,8 +196,8 @@ fn parse_res_xml(res_xml: &str, is_gateway: bool) -> anyhow::Result<Prelogin> {
       label_password: label_password.unwrap(),
     };
 
-    Ok(Prelogin::Standard(standard_prelogin))
-  } else {
-    Err(anyhow!("Invalid prelogin response"))
+    return Ok(Prelogin::Standard(standard_prelogin));
   }
+
+  bail!("Invalid prelogin response");
 }

crates/gpapi/src/process/auth_launcher.rs

@@ -18,7 +18,6 @@ pub struct SamlAuthLauncher<'a> {
   fix_openssl: bool,
   ignore_tls_errors: bool,
   clean: bool,
-  default_browser: bool,
 }
 
 impl<'a> SamlAuthLauncher<'a> {
@@ -34,7 +33,6 @@ impl<'a> SamlAuthLauncher<'a> {
       fix_openssl: false,
       ignore_tls_errors: false,
       clean: false,
-      default_browser: false,
     }
   }
 
@@ -83,13 +81,8 @@ impl<'a> SamlAuthLauncher<'a> {
     self
   }
 
-  pub fn default_browser(mut self, default_browser: bool) -> Self {
-    self.default_browser = default_browser;
-    self
-  }
-
   /// Launch the authenticator binary as the current user or SUDO_USER if available.
-  pub async fn launch(self) -> anyhow::Result<Option<Credential>> {
+  pub async fn launch(self) -> anyhow::Result<Credential> {
     let mut auth_cmd = Command::new(GP_AUTH_BINARY);
     auth_cmd.arg(self.server);
 
@@ -129,10 +122,6 @@ impl<'a> SamlAuthLauncher<'a> {
       auth_cmd.arg("--clean");
     }
 
-    if self.default_browser {
-      auth_cmd.arg("--default-browser");
-    }
-
     let mut non_root_cmd = auth_cmd.into_non_root()?;
     let output = non_root_cmd
       .kill_on_drop(true)
@@ -141,16 +130,12 @@ impl<'a> SamlAuthLauncher<'a> {
       .wait_with_output()
       .await?;
 
-    if self.default_browser {
-      return Ok(None);
-    }
-
     let Ok(auth_result) = serde_json::from_slice::<SamlAuthResult>(&output.stdout) else {
       bail!("Failed to parse auth data")
     };
 
     match auth_result {
-      SamlAuthResult::Success(auth_data) => Ok(Some(Credential::from(auth_data))),
+      SamlAuthResult::Success(auth_data) => Credential::try_from(auth_data),
       SamlAuthResult::Failure(msg) => bail!(msg),
     }
   }

crates/gpapi/src/utils/mod.rs

@@ -1,3 +1,5 @@
+use reqwest::{Response, Url};
+
 pub(crate) mod xml;
 
 pub mod base64;
@@ -13,12 +15,8 @@ pub mod window;
 
 mod shutdown_signal;
 
-use log::warn;
 pub use shutdown_signal::shutdown_signal;
 
-use reqwest::{Response, StatusCode, Url};
-use thiserror::Error;
-
 /// Normalize the server URL to the format `https://<host>:<port>`
 pub fn normalize_server(server: &str) -> anyhow::Result<String> {
   let server = if server.starts_with("https://") || server.starts_with("http://") {
@@ -44,41 +42,7 @@ pub fn remove_url_scheme(s: &str) -> String {
   s.replace("http://", "").replace("https://", "")
 }
 
-#[derive(Error, Debug)]
-#[error("GP response error: reason={reason}, status={status}, body={body}")]
-pub(crate) struct GpError {
-  pub status: StatusCode,
-  pub reason: String,
-  body: String,
-}
-
-impl GpError {
-  pub fn is_status_error(&self) -> bool {
-    self.status.is_client_error() || self.status.is_server_error()
-  }
-}
-
-pub(crate) async fn parse_gp_response(res: Response) -> anyhow::Result<String, GpError> {
-  let status = res.status();
-
-  if status.is_client_error() || status.is_server_error() {
-    let (reason, body) = parse_gp_error(res).await;
-
-    return Err(GpError { status, reason, body });
-  }
-
-  res.text().await.map_err(|err| {
-    warn!("Failed to read response: {}", err);
-
-    GpError {
-      status,
-      reason: "failed to read response".to_string(),
-      body: "<failed to read response>".to_string(),
-    }
-  })
-}
-
-async fn parse_gp_error(res: Response) -> (String, String) {
+pub(crate) async fn parse_gp_error(res: Response) -> (String, String) {
   let reason = res
     .headers()
     .get("x-private-pan-globalprotect")

packaging/binary/Makefile.in

@@ -1,3 +1,7 @@
+INCLUDE_SYSTEMD ?= $(shell [ -d /run/systemd/system ] && echo 1 || echo 0)
+# Enable the systemd service after installation
+ENABLE_SERVICE ?= 1
+
 install:
 	@echo "===> Installing..."
 
@@ -17,9 +21,28 @@ install:
 	install -Dm644 artifacts/usr/share/icons/hicolor/256x256@2/apps/gpgui.png $(DESTDIR)/usr/share/icons/hicolor/256x256@2/apps/gpgui.png
 	install -Dm644 artifacts/usr/share/polkit-1/actions/com.yuezk.gpgui.policy $(DESTDIR)/usr/share/polkit-1/actions/com.yuezk.gpgui.policy
 
+	# Install the service
+	if [ $(INCLUDE_SYSTEMD) -eq 1 ]; then \
+		install -Dm644 artifacts/usr/lib/systemd/system/gp-suspend.service $(DESTDIR)/usr/lib/systemd/system/gp-suspend.service; \
+		if [ $(ENABLE_SERVICE) -eq 1 ]; then \
+			systemctl --system daemon-reload; \
+			systemctl enable gp-suspend.service; \
+		fi; \
+	fi
+
+	@echo "===> Done."
+
 uninstall:
 	@echo "===> Uninstalling from $(DESTDIR)..."
 
+	# Disable the systemd service
+	if [ -d /run/systemd/system ]; then \
+		systemctl disable gp-suspend.service >/dev/null || true; \
+	fi
+
+	rm -f $(DESTDIR)/lib/systemd/system/gp-suspend.service
+	rm -f $(DESTDIR)/usr/lib/systemd/system/gp-suspend.service
+
 	rm -f $(DESTDIR)/usr/bin/gpclient
 	rm -f $(DESTDIR)/usr/bin/gpservice
 	rm -f $(DESTDIR)/usr/bin/gpauth
@@ -32,3 +55,5 @@ uninstall:
 	rm -f $(DESTDIR)/usr/share/icons/hicolor/128x128/apps/gpgui.png
 	rm -f $(DESTDIR)/usr/share/icons/hicolor/256x256@2/apps/gpgui.png
 	rm -f $(DESTDIR)/usr/share/polkit-1/actions/com.yuezk.gpgui.policy
+
+	@echo "===> Done."

packaging/deb/postrm

@@ -11,4 +11,6 @@ case "$1" in
     ;;
 esac
 
+#DEBHELPER#
+
 exit 0

packaging/deb/rules.in

@@ -2,6 +2,12 @@
 
 export OFFLINE = @OFFLINE@
 export BUILD_FE = 0
+export DEB_PACKAGING = 1
+export INCLUDE_SYSTEMD = 1
+export ENABLE_SERVICE = 0
 
 %:
 	dh $@ --no-parallel
+
+override_dh_installsystemd:
+	dh_installsystemd gp-suspend.service --no-start

packaging/files/usr/lib/systemd/system/gp-suspend.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Disconnect from the VPN when suspending
+Before=sleep.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/gpclient disconnect
+
+[Install]
+WantedBy=sleep.target

packaging/pkgbuild/PKGBUILD.in

@@ -14,6 +14,8 @@ optdepends=('wmctrl: for window management')
 
 provides=('globalprotect-openconnect' 'gpclient' 'gpservice' 'gpauth' 'gpgui')
 
+install=gp.install
+
 source=("${_pkgname}-${pkgver}.tar.gz")
 sha256sums=('SKIP')
 
@@ -31,5 +33,5 @@ build() {
 package() {
   cd "$pkgname-$pkgver"
 
-  make install DESTDIR="$pkgdir"
+  make install DESTDIR="$pkgdir" INCLUDE_SYSTEMD=1 ENABLE_SERVICE=0
 }

packaging/pkgbuild/gp.install

@@ -0,0 +1,12 @@
+post_install() {
+    systemctl --system daemon-reload
+    systemctl enable gp-suspend.service
+}
+
+post_upgrade() {
+    post_install
+}
+
+post_remove() {
+    systemctl disable gp-suspend.service
+}

packaging/rpm/globalprotect-openconnect.spec.in

@@ -22,6 +22,7 @@ BuildRequires:  perl
 BuildRequires:  (webkit2gtk4.0-devel or webkit2gtk3-soup2-devel)
 BuildRequires:  (libappindicator-gtk3-devel or libappindicator3-1)
 BuildRequires:  (librsvg2-devel or librsvg-devel)
+BuildRequires:  systemd-rpm-macros
 
 Requires:       openconnect >= 8.20, (libayatana-appindicator or libappindicator-gtk3)
 Conflicts:      globalprotect-openconnect-snapshot
@@ -34,16 +35,42 @@ A GUI for GlobalProtect VPN, based on OpenConnect, supports the SSO authenticati
 %prep
 %setup
 
+%pre
+%if 0%{?suse_version}
+  %service_add_pre gp-suspend.service
+%endif
+
+%post
+%if 0%{?suse_version}
+  %service_add_post gp-suspend.service
+%else
+  %systemd_post gp-suspend.service
+%endif
+
+%preun
+%if 0%{?suse_version}
+  %service_del_preun gp-suspend.service
+%else
+  %systemd_preun gp-suspend.service
+%endif
+
 %postun
+# Clean up the gpgui downloaded at runtime
 rm -f %{_bindir}/gpgui
 
+%if 0%{?suse_version}
+  %service_del_postun_without_restart gp-suspend.service
+%else
+  %systemd_postun gp-suspend.service
+%endif
+
 %build
 # The injected RUSTFLAGS could fail the build
 unset RUSTFLAGS
 make build OFFLINE=@OFFLINE@ BUILD_FE=0
 
 %install
-%make_install
+%make_install INCLUDE_SYSTEMD=1 ENABLE_SERVICE=0
 
 %files
 %defattr(-,root,root)
@@ -54,6 +81,7 @@ make build OFFLINE=@OFFLINE@ BUILD_FE=0
 %{_datadir}/icons/hicolor/256x256@2/apps/gpgui.png
 %{_datadir}/icons/hicolor/scalable/apps/gpgui.svg
 %{_datadir}/polkit-1/actions/com.yuezk.gpgui.policy
+%{_unitdir}/gp-suspend.service
 
 %dir %{_datadir}/icons/hicolor
 %dir %{_datadir}/icons/hicolor/32x32