feat: gpauth support Windows

.github/workflows/build.yaml

@@ -44,7 +44,8 @@ jobs:
       with:
         version: 9
     - name: Prepare workspace
-      run: rm -rf source && mkdir source
+      run: rm -rf source && mkdir -p source/artifacts
+
     - name: Checkout GlobalProtect-openconnect
       uses: actions/checkout@v4
       with:
@@ -52,6 +53,7 @@ jobs:
         repository: yuezk/GlobalProtect-openconnect
         ref: ${{ github.ref }}
         path: source/gp
+
     - name: Create tarball
       run: |
         cd source/gp
@@ -60,13 +62,69 @@ jobs:
           touch SNAPSHOT
         fi
         make tarball
+
+        mv -v .build/tarball/*.tar.gz ../artifacts/
+
+    - name: Generate RPM spec file
+      env:
+        RELEASE_TAG: ${{ github.ref == 'refs/heads/dev' && 'snapshot' || github.ref_name }}
+      run: |
+        cd source/gp
+
+        make init-rpm \
+          REVISION='1%{?dist}' \
+          RPM_SOURCE=https://github.com/yuezk/GlobalProtect-openconnect/releases/download/${RELEASE_TAG}/%{name}-%{version}.tar.gz
+
+        mv -v .build/rpm/*.spec ../artifacts/
+
     - name: Upload tarball
       uses: actions/upload-artifact@v4
       with:
         name: artifact-source
         if-no-files-found: error
         path: |
-          source/gp/.build/tarball/*.tar.gz
+          source/artifacts/*
+
+  tarball-offline:
+    if: ${{ github.ref == 'refs/heads/dev' || startsWith(github.ref, 'refs/tags/') }}
+    runs-on: ubuntu-latest
+    needs:
+    - tarball
+    steps:
+    - uses: pnpm/action-setup@v4
+      with:
+        version: 9
+
+    - name: Prepare workspace
+      run: rm -rf source-offline && mkdir source-offline
+
+    - name: Download tarball
+      uses: actions/download-artifact@v4
+      with:
+        name: artifact-source
+        path: source-offline
+
+    - name: Create offline tarball
+      run: |
+        cd source-offline
+
+        offline_tarball=$(basename *.tar.gz .tar.gz).offline.tar.gz
+
+        # Extract the tarball
+        tar -xzf *.tar.gz
+
+        cd */
+        make tarball OFFLINE=1
+
+        # Rename the tarball to .offline.tar.gz
+        mv -v .build/tarball/*.tar.gz ../$offline_tarball
+
+    - name: Upload offline tarball
+      uses: actions/upload-artifact@v4
+      with:
+        path: source-offline/*.offline.tar.gz
+        name: artifact-source-offline
+        if-no-files-found: error
 
   build-gp:
     needs:
@@ -168,6 +226,7 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - tarball
+      - tarball-offline
       - build-gp
       - build-gpgui
 

.github/workflows/publish.yaml

@@ -52,22 +52,26 @@ jobs:
         version: 9
     - name: Prepare workspace
       run: rm -rf publish-ppa && mkdir publish-ppa
-    - name: Download ${{ inputs.tag }} source code
-      uses: robinraju/release-downloader@v1.9
-      with:
-        token: ${{ secrets.GH_PAT }}
-        tag: ${{ inputs.tag }}
-        fileName: globalprotect-openconnect-*.tar.gz
-        tarBall: false
-        zipBall: false
-        out-file-path: publish-ppa
-    - name: Make the offline tarball
+    - name: Download ${{ inputs.tag }} offline source code
+      env:
+        GH_TOKEN: ${{ secrets.GH_PAT }}
+      run: |
+        gh -R yuezk/GlobalProtect-openconnect \
+          release download ${{ inputs.tag }} \
+          --pattern '*.offline.tar.gz' \
+          --dir publish-ppa
+    - name: Patch the source code
       run: |
         cd publish-ppa
-        tar -xf globalprotect-openconnect-*.tar.gz
-        cd globalprotect-openconnect-*/
 
-        make tarball OFFLINE=1
+        # Rename the source tarball without the offline suffix
+        mv -v *.tar.gz $(basename *.tar.gz .offline.tar.gz).tar.gz
+
+        # Extract the source tarball
+        tar -xzf *.tar.gz
+
+        # Prepare the debian directory with custom files
+        cd globalprotect-openconnect-*/
 
         # Prepare the debian directory with custom files
         mkdir -p .build/debian
@@ -78,7 +82,6 @@ jobs:
         cp -v packaging/deb/postrm .build/debian/postrm
 
         sed -i "s/@RUST@/cargo-1.80/g" .build/debian/control
-
         sed -i "s/@OFFLINE@/1/g" .build/debian/rules
         sed -i "s/@BUILD_GUI@/1/g" .build/debian/rules
         sed -i "s/@RUST_VERSION@/1.80/g" .build/debian/rules
@@ -89,7 +92,7 @@ jobs:
         repository: "yuezk/globalprotect-openconnect"
         gpg_private_key: ${{ secrets.PPA_GPG_PRIVATE_KEY }}
         gpg_passphrase: ${{ secrets.PPA_GPG_PASSPHRASE }}
-        tarball: publish-ppa/globalprotect-openconnect-*/.build/tarball/*.tar.gz
+        tarball: publish-ppa/globalprotect-openconnect-*.tar.gz
         debian_dir: publish-ppa/globalprotect-openconnect-*/.build/debian
         deb_email: "k3vinyue@gmail.com"
         deb_fullname: "Kevin Yue"

.github/workflows/release.yaml

@@ -96,15 +96,16 @@ jobs:
     steps:
     - name: Prepare workspace
       run: rm -rf build-${{ matrix.package }} && mkdir -p build-${{ matrix.package }}
+
     - name: Download ${{ inputs.tag }} source code
-      uses: robinraju/release-downloader@v1.9
-      with:
-        token: ${{ secrets.GH_PAT }}
-        tag: ${{ inputs.tag }}
-        fileName: globalprotect-openconnect-*.tar.gz
-        tarBall: false
-        zipBall: false
-        out-file-path: build-${{ matrix.package }}
+      env:
+        GH_TOKEN: ${{ secrets.GH_PAT }}
+      run: |
+        gh -R yuezk/GlobalProtect-openconnect \
+          release download ${{ inputs.tag }} \
+          --pattern '*[^offline].tar.gz' \
+          --dir build-${{ matrix.package }}
+
     - name: Docker Login
       run: echo ${{ secrets.DOCKER_HUB_TOKEN }} | docker login -u ${{ secrets.DOCKER_HUB_USERNAME }} --password-stdin
     - name: Build ${{ matrix.package }} package in Docker

Cargo.lock

@@ -188,6 +188,7 @@ dependencies = [
  "objc2-web-kit",
  "open",
  "regex",
+ "serde_json",
  "tauri",
  "tiny_http",
  "tokio",
@@ -195,7 +196,10 @@ dependencies = [
  "uuid",
  "webbrowser",
  "webkit2gtk",
+ "webview2-com",
  "which",
+ "windows 0.58.0",
+ "windows-core 0.58.0",
 ]
 
 [[package]]

Makefile

@@ -8,6 +8,8 @@ RUST_VERSION = 1.80
 
 VERSION = $(shell $(CARGO) metadata --no-deps --format-version 1 | jq -r '.packages[0].version')
 REVISION ?= 1
+RPM_SOURCE ?= %{name}.tar.gz
+
 PPA_REVISION ?= 1
 PKG_NAME = globalprotect-openconnect
 PKG = $(PKG_NAME)-$(VERSION)
@@ -234,6 +236,7 @@ init-rpm: clean-rpm
 
 	sed -i "s/@VERSION@/$(VERSION)/g" .build/rpm/globalprotect-openconnect.spec
 	sed -i "s/@REVISION@/$(REVISION)/g" .build/rpm/globalprotect-openconnect.spec
+	sed -i "s|@SOURCE@|$(RPM_SOURCE)|g" .build/rpm/globalprotect-openconnect.spec
 	sed -i "s/@OFFLINE@/$(OFFLINE)/g" .build/rpm/globalprotect-openconnect.spec
 	sed -i "s/@DATE@/$(shell LC_ALL=en.US date "+%a %b %d %Y")/g" .build/rpm/globalprotect-openconnect.spec
 

README.md

@@ -70,7 +70,7 @@ The GUI version is also available after you installed it. You can launch it from
 
 ### Debian/Ubuntu based distributions
 
-#### Install from PPA (Ubuntu > 18.04)
+#### Install from PPA
 
 ```
 sudo add-apt-repository ppa:yuezk/globalprotect-openconnect
@@ -81,10 +81,6 @@ sudo apt-get install globalprotect-openconnect
 >
 > For Linux Mint, you might need to import the GPG key with: `sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 7937C393082992E5D6E4A60453FC26B43838D761` if you encountered an error `gpg: keyserver receive failed: General error`.
 
-#### **Ubuntu 18.04**
-
-The latest package is not available in the PPA, but you still needs to add the `ppa:yuezk/globalprotect-openconnect` repo beforehand to use the required `openconnect` package. Then you can follow the [Install from deb package](#install-from-deb-package) section to install the latest package.
-
 #### Install from deb package
 
 Download the latest deb package from [releases](https://github.com/yuezk/GlobalProtect-openconnect/releases) page. Then install it with `apt`:

apps/gpclient/src/cli.rs

@@ -1,17 +1,21 @@
-use std::{env::temp_dir, fs::File};
+use std::{env::temp_dir, fs::File, str::FromStr};
 
+use anyhow::bail;
 use clap::{Parser, Subcommand};
 use gpapi::{
   clap::{handle_error, Args, InfoLevelVerbosity},
   utils::openssl,
 };
 use log::info;
+use sysinfo::{Pid, System};
 use tempfile::NamedTempFile;
+use tokio::fs;
 
 use crate::{
   connect::{ConnectArgs, ConnectHandler},
   disconnect::{DisconnectArgs, DisconnectHandler},
   launch_gui::{LaunchGuiArgs, LaunchGuiHandler},
+  GP_CLIENT_LOCK_FILE,
 };
 
 const VERSION: &str = concat!(env!("CARGO_PKG_VERSION"), " (", compile_time::date_str!(), ")");
@@ -77,6 +81,25 @@ impl Args for Cli {
 }
 
 impl Cli {
+  async fn is_running(&self) -> bool {
+    let Ok(c) = fs::read_to_string(GP_CLIENT_LOCK_FILE).await else {
+      return false;
+    };
+
+    let Ok(pid) = Pid::from_str(c.trim()) else {
+      return false;
+    };
+
+    let s = System::new_all();
+    let Some(p) = s.process(pid) else {
+      return false;
+    };
+
+    p.exe()
+      .map(|exe| exe.to_string_lossy().contains("gpclient"))
+      .unwrap_or(false)
+  }
+
   fn fix_openssl(&self) -> anyhow::Result<Option<NamedTempFile>> {
     if self.fix_openssl {
       let file = openssl::fix_openssl_env()?;
@@ -87,6 +110,11 @@ impl Cli {
   }
 
   async fn run(&self) -> anyhow::Result<()> {
+    // check if an instance is running
+    if self.is_running().await {
+      bail!("Another instance of the client is already running");
+    }
+
     // The temp file will be dropped automatically when the file handle is dropped
     // So, declare it here to ensure it's not dropped
     let _file = self.fix_openssl()?;

crates/auth/Cargo.toml

@@ -28,7 +28,7 @@ regex = { workspace = true, optional = true }
 tokio-util = { workspace = true, optional = true }
 html-escape = { version = "0.2.13", optional = true }
 
-[target.'cfg(not(target_os = "macos"))'.dependencies]
+[target.'cfg(not(any(target_os="macos", target_os="windows")))'.dependencies]
 webkit2gtk = { version = "2", optional = true }
 
 [target.'cfg(target_os="macos")'.dependencies]
@@ -37,6 +37,12 @@ objc2 = { version = "0.5", optional = true }
 objc2-foundation = { version = "0.2", optional = true }
 objc2-web-kit = { version = "0.2", optional = true }
 
+[target.'cfg(target_os="windows")'.dependencies]
+webview2-com = { version = "0.34", optional = true }
+windows-core = { version = "0.58", optional = true }
+windows = { version = "0.58", optional = true }
+serde_json = { workspace = true, optional = true }
+
 [features]
 browser-auth = [
   "dep:webbrowser",
@@ -56,4 +62,8 @@ webview-auth = [
   "dep:objc2",
   "dep:objc2-foundation",
   "dep:objc2-web-kit",
+  "dep:webview2-com",
+  "dep:windows-core",
+  "dep:windows",
+  "dep:serde_json",
 ]

crates/auth/src/browser/browser_auth.rs

@@ -1,4 +1,4 @@
-use std::{env::temp_dir, fs, os::unix::fs::PermissionsExt};
+use std::{env::temp_dir, fs};
 
 use gpapi::{auth::SamlAuthData, GP_CALLBACK_PORT_FILENAME};
 use log::info;
@@ -96,7 +96,11 @@ async fn wait_auth_data() -> anyhow::Result<SamlAuthData> {
 
   // Write the port to a file
   fs::write(&port_file, port.to_string())?;
+  #[cfg(unix)]
+  {
+    use os::unix::fs::PermissionsExt;
     fs::set_permissions(&port_file, fs::Permissions::from_mode(0o600))?;
+  }
 
   // Remove the previous log file
   let callback_log = temp_dir().join("gpcallback.log");

crates/auth/src/webview.rs

@@ -1,8 +1,9 @@
 mod auth_messenger;
 mod webview_auth;
 
-#[cfg_attr(not(target_os = "macos"), path = "webview/unix.rs")]
+#[cfg_attr(not(any(target_os = "macos", target_os = "windows")), path = "webview/unix.rs")]
 #[cfg_attr(target_os = "macos", path = "webview/macos.rs")]
+#[cfg_attr(windows, path = "webview/windows.rs")]
 mod platform_impl;
 
 pub use webview_auth::WebviewAuthenticator;

crates/auth/src/webview/auth_messenger.rs

@@ -15,7 +15,7 @@ pub(crate) enum AuthDataLocation {
 #[derive(Debug)]
 pub(crate) enum AuthError {
   /// Failed to load page due to TLS error
-  #[cfg(not(target_os = "macos"))]
+  #[cfg(not(any(target_os = "macos", target_os = "windows")))]
   TlsError,
   /// 1. Found auth data in headers/body but it's invalid
   /// 2. Loaded an empty page, failed to load page. etc.

crates/auth/src/webview/webview_auth.rs

@@ -115,7 +115,7 @@ impl<'a> WebviewAuthenticator<'a> {
       match auth_messenger.subscribe().await? {
         AuthEvent::Close => bail!("Authentication cancelled"),
         AuthEvent::RaiseWindow => self.raise_window(&auth_window),
-        #[cfg(not(target_os = "macos"))]
+        #[cfg(not(any(target_os = "macos", target_os = "windows")))]
         AuthEvent::Error(AuthError::TlsError) => bail!(gpapi::error::PortalError::TlsError),
         AuthEvent::Error(AuthError::NotFound(location)) => {
           info!(
@@ -261,10 +261,10 @@ impl<'a> WebviewAuthenticator<'a> {
 
     info!("Raising auth window...");
 
-    #[cfg(target_os = "macos")]
+    #[cfg(any(target_os = "macos", target_os = "windows"))]
     let result = auth_window.show();
 
-    #[cfg(not(target_os = "macos"))]
+    #[cfg(not(any(target_os = "macos", target_os = "windows")))]
     let result = {
       use gpapi::utils::window::WindowExt;
       auth_window.raise()

crates/auth/src/webview/windows.rs

@@ -0,0 +1,142 @@
+use log::warn;
+use tauri::webview::PlatformWebview;
+use webview2_com::{
+  pwstr_from_str, take_pwstr, ExecuteScriptCompletedHandler,
+  Microsoft::Web::WebView2::Win32::{
+    ICoreWebView2WebResourceResponseView, ICoreWebView2_14, ICoreWebView2_2,
+    COREWEBVIEW2_SERVER_CERTIFICATE_ERROR_ACTION_ALWAYS_ALLOW,
+  },
+  ServerCertificateErrorDetectedEventHandler, WebResourceResponseReceivedEventHandler,
+};
+use windows_core::{Interface, PWSTR};
+
+use super::{
+  auth_messenger::AuthError,
+  webview_auth::{GetHeader, PlatformWebviewExt},
+};
+
+impl PlatformWebviewExt for PlatformWebview {
+  fn ignore_tls_errors(&self) -> anyhow::Result<()> {
+    unsafe {
+      let wv = self.controller().CoreWebView2()?.cast::<ICoreWebView2_14>()?;
+      let handler = ServerCertificateErrorDetectedEventHandler::create(Box::new(|_, e| {
+        if let Some(e) = e {
+          let _ = e.SetAction(COREWEBVIEW2_SERVER_CERTIFICATE_ERROR_ACTION_ALWAYS_ALLOW);
+        }
+        Ok(())
+      }));
+
+      wv.add_ServerCertificateErrorDetected(&handler, &mut Default::default())?;
+    }
+
+    Ok(())
+  }
+
+  fn load_url(&self, url: &str) -> anyhow::Result<()> {
+    let url = pwstr_from_str(url);
+
+    unsafe { self.controller().CoreWebView2()?.Navigate(url)? }
+
+    Ok(())
+  }
+
+  fn load_html(&self, html: &str) -> anyhow::Result<()> {
+    let html = pwstr_from_str(html);
+
+    unsafe { self.controller().CoreWebView2()?.NavigateToString(html)? }
+
+    Ok(())
+  }
+
+  fn get_html(&self, callback: Box<dyn Fn(anyhow::Result<String>) + 'static>) {
+    unsafe {
+      match self.controller().CoreWebView2() {
+        Ok(wv) => {
+          let js = "document.documentElement.outerHTML";
+          let js = pwstr_from_str(js);
+
+          let handler = ExecuteScriptCompletedHandler::create(Box::new(move |err, html| {
+            if let Err(err) = err {
+              callback(Err(anyhow::anyhow!(err)));
+              return Ok(());
+            }
+
+            // The returned HTML is JSON.stringify'd string, so we need to parse it
+            let res = match serde_json::from_str(&html) {
+              Ok(Some(html)) => Ok(html),
+              Ok(None) => Err(anyhow::anyhow!("No HTML returned")),
+              Err(err) => Err(anyhow::anyhow!(err)),
+            };
+            callback(res);
+
+            Ok(())
+          }));
+
+          if let Err(err) = wv.ExecuteScript(js, &handler) {
+            warn!("Failed to execute script: {}", err);
+          }
+        }
+        Err(err) => callback(Err(anyhow::anyhow!(err))),
+      }
+    }
+  }
+}
+
+impl GetHeader for ICoreWebView2WebResourceResponseView {
+  fn get_header(&self, key: &str) -> Option<String> {
+    unsafe {
+      let headers = self.Headers().ok()?;
+      let key = pwstr_from_str(key);
+
+      let mut contains = Default::default();
+      headers.Contains(key, &mut contains).ok()?;
+
+      if contains.as_bool() {
+        let mut value = PWSTR::null();
+        headers.GetHeader(key, &mut value).ok()?;
+        let value = take_pwstr(value);
+
+        Some(value)
+      } else {
+        None
+      }
+    }
+  }
+}
+
+pub trait PlatformWebviewOnResponse {
+  fn on_response(
+    &self,
+    callback: Box<dyn Fn(anyhow::Result<ICoreWebView2WebResourceResponseView, AuthError>) + 'static>,
+  );
+}
+
+impl PlatformWebviewOnResponse for PlatformWebview {
+  fn on_response(
+    &self,
+    callback: Box<dyn Fn(anyhow::Result<ICoreWebView2WebResourceResponseView, AuthError>) + 'static>,
+  ) {
+    unsafe {
+      let _ = self
+        .controller()
+        .CoreWebView2()
+        .and_then(|wv| wv.cast::<ICoreWebView2_2>())
+        .map(|wv| {
+          let handler = WebResourceResponseReceivedEventHandler::create(Box::new(move |_, e| {
+            let Some(e) = e else {
+              return Ok(());
+            };
+
+            match e.Response() {
+              Ok(res) => callback(Ok(res)),
+              Err(err) => warn!("Failed to get response: {}", err),
+            }
+
+            Ok(())
+          }));
+
+          let _ = wv.add_WebResourceResponseReceived(&handler, &mut Default::default());
+        });
+    }
+  }
+}

crates/gpapi/Cargo.toml

@@ -27,7 +27,7 @@ chacha20poly1305 = { version = "0.10", features = ["std"] }
 redact-engine.workspace = true
 url.workspace = true
 regex.workspace = true
-uzers.workspace = true
+
 serde_urlencoded.workspace = true
 md5.workspace = true
 sha256.workspace = true
@@ -39,6 +39,9 @@ clap-verbosity-flag = { workspace = true, optional = true }
 env_logger = { workspace = true, optional = true }
 log-reload = { version = "0.1", optional = true }
 
+[target.'cfg(target_family="unix")'.dependencies]
+uzers.workspace = true
+
 [features]
 tauri = ["dep:tauri"]
 clap = ["dep:clap", "dep:clap-verbosity-flag"]

crates/gpapi/src/auth.rs

@@ -104,7 +104,7 @@ impl SamlAuthData {
     }
 
     let auth_data = decode_to_string(auth_data).map_err(|e| {
-      warn!("Failed to decode SAML auth data: {}", e);
+      warn!("Failed to decode SAML auth data: {}", auth_data);
       AuthDataParseError::Invalid(anyhow::anyhow!(e))
     })?;
     let auth_data = Self::from_html(&auth_data)?;

crates/gpapi/src/gateway/mod.rs

@@ -1,5 +1,7 @@
 mod login;
 mod parse_gateways;
+
+#[cfg(unix)]
 pub mod hip;
 
 pub use login::*;

crates/gpapi/src/lib.rs

@@ -4,7 +4,10 @@ pub mod error;
 pub mod gateway;
 pub mod gp_params;
 pub mod portal;
+
+#[cfg(unix)]
 pub mod process;
+
 pub mod service;
 pub mod utils;
 

crates/gpapi/src/process/mod.rs

@@ -1,8 +1,11 @@
 pub(crate) mod command_traits;
+
 pub(crate) mod gui_helper_launcher;
 
 pub mod auth_launcher;
 pub mod gui_launcher;
 pub mod hip_launcher;
 pub mod service_launcher;
+
+#[cfg(unix)]
 pub mod users;

crates/gpapi/src/utils/mod.rs

@@ -9,7 +9,7 @@ pub mod lock_file;
 pub mod openssl;
 pub mod redact;
 pub mod request;
-#[cfg(feature = "tauri")]
+#[cfg(all(feature = "tauri", not(any(target_os = "macos", target_os = "windows"))))]
 pub mod window;
 
 mod shutdown_signal;

crates/gpapi/src/utils/shutdown_signal.rs

@@ -6,15 +6,21 @@ pub async fn shutdown_signal() {
   };
 
   #[cfg(unix)]
+  {
     let terminate = async {
       signal::unix::signal(signal::unix::SignalKind::terminate())
         .expect("failed to install signal handler")
         .recv()
         .await;
     };
-
     tokio::select! {
         _ = ctrl_c => {},
         _ = terminate => {},
     }
   }
+
+  #[cfg(not(unix))]
+  {
+    ctrl_c.await;
+  }
+}

packaging/rpm/globalprotect-openconnect.spec.in

@@ -6,7 +6,7 @@ Group:          Productivity/Networking/PPP
 
 License:        GPL-3.0
 URL:            https://github.com/yuezk/GlobalProtect-openconnect
-Source:         %{name}.tar.gz
+Source:         @SOURCE@
 
 BuildRequires:  make
 BuildRequires:  rust

scripts/gh-release.sh

@@ -28,7 +28,7 @@ release_snapshot() {
 
   echo "Uploading new assets..."
   gh -R "$REPO" release upload "$TAG" \
-    "$PROJECT_DIR"/.build/artifacts/artifact-source/* \
+    "$PROJECT_DIR"/.build/artifacts/artifact-source*/* \
     "$PROJECT_DIR"/.build/artifacts/artifact-gpgui-*/*
 }
 
@@ -40,7 +40,7 @@ release_tag() {
   gh -R "$REPO" release create $TAG \
     --title "$TAG" \
     --notes "$RELEASE_NOTES" \
-    "$PROJECT_DIR"/.build/artifacts/artifact-source/* \
+    "$PROJECT_DIR"/.build/artifacts/artifact-source*/* \
     "$PROJECT_DIR"/.build/artifacts/artifact-gpgui-*/*
 }