From e35ddfbe542d59038dc3ea566f99291a17953005 Mon Sep 17 00:00:00 2001
From: Mauro Carvalho Chehab
Date: Tue, 5 Dec 2023 10:31:03 +0100
Subject: [PATCH] SAML: allow disabling proxy when opening auth dialog

The system environment may have proxy set, which is needed after connecting with the VPN. Using it for the actual VPN won't work, as it would try to connect to an internal proxy without success. By default, webkit dialog use system proxy settings. This may cause troubles if such settings exist at the system to be used only after VPN connection. So, add an option to disable it at the webkit dialog window.

Signed-off-by: Mauro Carvalho Chehab
---
 auth-dialog/main.c | 14 ++++++++++++-
 gtk4/nm-openconnect-dialog.ui | 20 ++++++++++++++----
 properties/nm-openconnect-dialog.ui | 25 +++++++++++++++++++----
 properties/nm-openconnect-editor-plugin.c | 9 ++++++++
 properties/nm-openconnect-editor.c | 14 +++++++++++++
 shared/nm-service-defines.h | 1 +
 src/nm-openconnect-service.c | 1 +
 7 files changed, 75 insertions(+), 9 deletions(-)

diff --git a/auth-dialog/main.c b/auth-dialog/main.c
index a333aeb..293db55 100644
--- a/auth-dialog/main.c
+++ b/auth-dialog/main.c
@@ -746,13 +746,25 @@ static gboolean open_webview_idle(gpointer data)
 WebKitWebsiteDataManager *dm = NULL;
 WebKitCookieManager *cm = NULL;
 GString *storage = NULL;
+ char *dont_use_proxy_for_auth;
+ gboolean proxy_for_auth_allowed;
 
 // Create a browser instance
 webView = WEBKIT_WEB_VIEW(webkit_web_view_new());
 
+ dont_use_proxy_for_auth = g_hash_table_lookup(ui_data->options,
+ NM_OPENCONNECT_KEY_DONT_USE_PROXY_AUTH);
+ proxy_for_auth_allowed = dont_use_proxy_for_auth ? !strcmp(dont_use_proxy_for_auth, "no") : TRUE;
+
 dm = webkit_web_view_get_website_data_manager(webView);
- if (dm)
+ if (dm) {
 cm = webkit_website_data_manager_get_cookie_manager(dm);
+
+ if (!proxy_for_auth_allowed) {
+ // Ensure that proxies won't be used on auth dialog
+ webkit_website_data_manager_set_network_proxy_settings(dm, WEBKIT_NETWORK_PROXY_MODE_NO_PROXY, NULL);
+ }
+ }
 if (cm)
 storage = g_string_new (g_get_user_data_dir());
 if (storage)
diff --git a/gtk4/nm-openconnect-dialog.ui b/gtk4/nm-openconnect-dialog.ui
index 83666d2..9979acf 100644
--- a/gtk4/nm-openconnect-dialog.ui
+++ b/gtk4/nm-openconnect-dialog.ui
@@ -266,6 +266,18 @@ You should only select this option if your connection is unreliable or non-funct 1 + + + 1 + Don't use system proxy settings during authentication + 1 + + 0 + 14 + 2 + + + 0
@@ -278,7 +290,7 @@ You should only select this option if your connection is unreliable or non-funct 6 0 - 14 + 15 2
@@ -292,7 +304,7 @@ You should only select this option if your connection is unreliable or non-funct token_mode 0 - 15 + 16
@@ -310,7 +322,7 @@ You should only select this option if your connection is unreliable or non-funct 1 - 15 + 16
@@ -324,7 +336,7 @@ You should only select this option if your connection is unreliable or non-funct 0 0 - 16 + 17
diff --git a/properties/nm-openconnect-dialog.ui b/properties/nm-openconnect-dialog.ui
index c10d907..3c2a839 100644
--- a/properties/nm-openconnect-dialog.ui
+++ b/properties/nm-openconnect-dialog.ui
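Review bot: The truth test in `proxy_for_auth_allowed = dont_use_proxy_for_auth ? !strcmp(dont_use_proxy_for_auth, "no") : TRUE;` is inverted relative to the rest of this patch, which treats a key as set only when it equals "yes" (`value && !strcmp (value, "yes")` in editor-plugin.c and editor.c); here any value other than the literal "no" switches the data manager to WEBKIT_NETWORK_PROXY_MODE_NO_PROXY. The service's valid_properties entry types the key as G_TYPE_BOOLEAN, so presumably only "yes"/"no" reaches ui_data->options, but aligning the test avoids a surprise if that validation ever differs: `proxy_for_auth_allowed = !(dont_use_proxy_for_auth && !strcmp(dont_use_proxy_for_auth, "yes"));`. The lookup result is owned by the hash table and is never written through, so `const char *dont_use_proxy_for_auth;` would document that. open_webview_idle starts and ends outside the hunk.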
@@ -393,6 +393,23 @@ You should only select this option if your connection is unreliable or non-funct True + + + True + True + Don't use system proxy settings during authentication + True + True + False + False + True + + + 0 + 14 + 2 + + False
@@ -413,7 +430,7 @@ You should only select this option if your connection is unreliable or non-funct 0 - 14 + 15 2
@@ -435,7 +452,7 @@ You should only select this option if your connection is unreliable or non-funct 0 - 15 + 16
@@ -453,7 +470,7 @@ You should only select this option if your connection is unreliable or non-funct 1 - 15 + 16
@@ -475,7 +492,7 @@ You should only select this option if your connection is unreliable or non-funct 0 - 16 + 17
diff --git a/properties/nm-openconnect-editor-plugin.c b/properties/nm-openconnect-editor-plugin.c
index 9cc5177..2dcb19f 100644
--- a/properties/nm-openconnect-editor-plugin.c
+++ b/properties/nm-openconnect-editor-plugin.c
@@ -285,6 +285,11 @@ import (NMVpnEditorPlugin *iface, const char *path, GError **error)
 if (bval)
 nm_setting_vpn_add_data_item (s_vpn, NM_OPENCONNECT_KEY_DISABLE_UDP, "yes");
 
+ /* Don't use system proxy settings during authentication */
+ bval = g_key_file_get_boolean (keyfile, "openconnect", "DontUseProxyAuth", NULL);
+ if (bval)
+ nm_setting_vpn_add_data_item (s_vpn, NM_OPENCONNECT_KEY_DONT_USE_PROXY_AUTH, "yes");
+
 /* Soft token mode */
 buf = g_key_file_get_string (keyfile, "openconnect", "StokenSource", NULL);
 if (buf)
@@ -407,6 +412,10 @@ export (NMVpnEditorPlugin *iface,
 if (value && !strcmp (value, "yes"))
 disable_udp = TRUE;
 
+ value = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_DONT_USE_PROXY_AUTH);
+ if (value && !strcmp (value, "yes"))
+ prevent_invalid_cert = TRUE;
+
 value = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_TOKEN_MODE);
 if (value && strlen (value))
 token_mode = value;
diff --git a/properties/nm-openconnect-editor.c b/properties/nm-openconnect-editor.c
index 793f6c7..a76868f 100644
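Review bot: In the export() hunk the new key is read into the wrong flag: `prevent_invalid_cert = TRUE;` is assigned when dont_use_proxy_auth is "yes", so exporting such a profile presumably forces on whatever PreventInvalidCert-style key that flag drives in the write-out (outside the hunk), while the proxy option itself is never written and so does not survive an export/import round trip even though the import() hunk above reads `DontUseProxyAuth`. It should set a dedicated flag, `dont_use_proxy_auth = TRUE;`, declared next to `disable_udp` and emitted as `DontUseProxyAuth` in the keyfile output the same way DisableUDP is; both of those lines lie outside this hunk. Both import() and export() start and end outside their hunks.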
--- a/properties/nm-openconnect-editor.c
+++ b/properties/nm-openconnect-editor.c
@@ -404,6 +404,16 @@ init_editor_plugin (OpenconnectEditor *self, NMConnection *connection, GError **
 }
 g_signal_connect (G_OBJECT (widget), "toggled", G_CALLBACK (stuff_changed_cb), self);
 
+ widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "dont_use_proxy_auth"));
+ g_return_val_if_fail (widget, FALSE);
+
+ if (s_vpn) {
+ value = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_DONT_USE_PROXY_AUTH);
+ if (value && !strcmp(value, "yes"))
+ gtk_check_button_set_active (GTK_CHECK_BUTTON (widget), TRUE);
+ }
+ g_signal_connect (G_OBJECT (widget), "toggled", G_CALLBACK (stuff_changed_cb), self);
+
 widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "csd_button"));
 g_return_val_if_fail (widget, FALSE);
 
@@ -526,6 +536,10 @@ update_connection (NMVpnEditor *iface,
 str = gtk_check_button_get_active(GTK_CHECK_BUTTON (widget))?"yes":"no";
 nm_setting_vpn_add_data_item (s_vpn, NM_OPENCONNECT_KEY_DISABLE_UDP, str);
 
+ widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "dont_use_proxy_auth"));
+ str = gtk_check_button_get_active (GTK_CHECK_BUTTON (widget))?"yes":"no";
+ nm_setting_vpn_add_data_item (s_vpn, NM_OPENCONNECT_KEY_DONT_USE_PROXY_AUTH, str);
+
 widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "csd_button"));
 str = gtk_check_button_get_active (GTK_CHECK_BUTTON (widget))?"yes":"no";
 nm_setting_vpn_add_data_item (s_vpn, NM_OPENCONNECT_KEY_CSD_ENABLE, str);
diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h
index dc88a4f..65971b1 100644
--- a/shared/nm-service-defines.h
+++ b/shared/nm-service-defines.h
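Review bot: `if (value && !strcmp(value, "yes"))` in the init_editor_plugin hunk drops the space before the parenthesis that every other call in this file uses (`nm_setting_vpn_get_data_item (...)` on the line above it, `!strcmp (value, "yes")` in editor-plugin.c); write it as `if (value && !strcmp (value, "yes"))` to keep the GNU call style consistent. The update_connection hunk mirrors the adjacent csd_button block exactly, including passing the builder lookup straight to GTK_CHECK_BUTTON without a NULL check, which the `g_return_val_if_fail (widget, FALSE)` in init_editor_plugin covers as long as both look up the same "dont_use_proxy_auth" id. Both init_editor_plugin and update_connection start and end outside their hunks.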
@@ -44,6 +44,7 @@
 #define NM_OPENCONNECT_KEY_PEM_PASSPHRASE_FSID "pem_passphrase_fsid"
 #define NM_OPENCONNECT_KEY_PREVENT_INVALID_CERT "prevent_invalid_cert"
 #define NM_OPENCONNECT_KEY_DISABLE_UDP "disable_udp"
+#define NM_OPENCONNECT_KEY_DONT_USE_PROXY_AUTH "dont_use_proxy_auth"
 #define NM_OPENCONNECT_KEY_PROTOCOL "protocol"
 #define NM_OPENCONNECT_KEY_PROXY "proxy"
 #define NM_OPENCONNECT_KEY_CSD_ENABLE "enable_csd_trojan"
diff --git a/src/nm-openconnect-service.c b/src/nm-openconnect-service.c
index 0005534..e22d223 100644
--- a/src/nm-openconnect-service.c
+++ b/src/nm-openconnect-service.c
@@ -89,6 +89,7 @@ static const ValidProperty valid_properties[] = {
 { NM_OPENCONNECT_KEY_PEM_PASSPHRASE_FSID, G_TYPE_BOOLEAN, 0, 0 },
 { NM_OPENCONNECT_KEY_PREVENT_INVALID_CERT, G_TYPE_BOOLEAN, 0, 0 },
 { NM_OPENCONNECT_KEY_DISABLE_UDP, G_TYPE_BOOLEAN, 0, 0 },
+ { NM_OPENCONNECT_KEY_DONT_USE_PROXY_AUTH, G_TYPE_BOOLEAN, 0, 0 },
 { NM_OPENCONNECT_KEY_PROTOCOL, G_TYPE_STRING, 0, 0 },
 { NM_OPENCONNECT_KEY_PROXY, G_TYPE_STRING, 0, 0 },
 { NM_OPENCONNECT_KEY_CSD_ENABLE, G_TYPE_BOOLEAN, 0, 0 },
--
GitLab