From b2b2c7e2464431199de3b435cb8360c9cf131207 Mon Sep 17 00:00:00 2001
From: Mauro Carvalho Chehab
Date: Tue, 5 Dec 2023 10:31:03 +0100
Subject: [PATCH 1/2] SAML: disable proxy when opening auth dialog
The system environment may have proxy set, which is needed after connecting with the VPN. Using it for the actual VPN won't work, as it would try to connect to an internal proxy without success. Ensure that no proxies will be used during SAML dialogs.
---
 auth-dialog/main.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/auth-dialog/main.c b/auth-dialog/main.c
index bca5956ce..8f9b85fdd 100644
--- a/auth-dialog/main.c
+++ b/auth-dialog/main.c
@@ -746,8 +746,11 @@ static gboolean open_webview_idle(gpointer data)
 webView = WEBKIT_WEB_VIEW(webkit_web_view_new());
 dm = webkit_web_view_get_website_data_manager(webView);
- if (dm)
+ if (dm) {
 cm = webkit_website_data_manager_get_cookie_manager(dm);
+ // Ensure that proxies won't be used on auth dialog
+ webkit_website_data_manager_set_network_proxy_settings(dm, WEBKIT_NETWORK_PROXY_MODE_NO_PROXY, NULL);
+ }
 if (cm)
 storage = g_string_new (g_get_user_data_dir());
 if (storage)
From 053d16f12774c5cffb7ed0f113a2024193193a3d Mon Sep 17 00:00:00 2001
From: Mauro Carvalho Chehab
Date: Tue, 5 Dec 2023 12:37:12 +0100
Subject: [PATCH 2/2] Add a menu option to enable/disable using proxy at webkit dialog
By default, webkit dialog use system proxy settings. This may cause troubles if such settings exist at the system to be used only after VPN connection. So, add an option to disable it at the webkit dialog window.
Signed-off-by: Mauro Carvalho Chehab
---
 auth-dialog/main.c | 10 +++++++--
 properties/nm-openconnect-dialog.ui | 25 +++++++++++++++++++----
 properties/nm-openconnect-editor-plugin.c | 9 ++++++++
 properties/nm-openconnect-editor.c | 16 ++++++++++++++-
 shared/nm-service-defines.h | 1 +
 src/nm-openconnect-service.c | 3 ++-
 6 files changed, 56 insertions(+), 8 deletions(-) 
diff --git a/auth-dialog/main.c b/auth-dialog/main.c
index 8f9b85fdd..e8682a286 100644
--- a/auth-dialog/main.c
+++ b/auth-dialog/main.c
@@ -745,11 +745,17 @@ static gboolean open_webview_idle(gpointer data)
 // Create a browser instance
 webView = WEBKIT_WEB_VIEW(webkit_web_view_new());
+ dont_use_proxy_for_auth = g_hash_table_lookup(ui_data->options,
+ NM_OPENCONNECT_DONT_USE_PROXY_AUTHENTICATION);
+
 dm = webkit_web_view_get_website_data_manager(webView);
 if (dm) {
 cm = webkit_website_data_manager_get_cookie_manager(dm);
- // Ensure that proxies won't be used on auth dialog
- webkit_website_data_manager_set_network_proxy_settings(dm, WEBKIT_NETWORK_PROXY_MODE_NO_PROXY, NULL);
+
+ if (dont_use_proxy_for_auth) {
+ // Ensure that proxies won't be used on auth dialog
+ webkit_website_data_manager_set_network_proxy_settings(dm, WEBKIT_NETWORK_PROXY_MODE_NO_PROXY, NULL);
+ }
 }
 if (cm)
 storage = g_string_new (g_get_user_data_dir());
diff --git a/properties/nm-openconnect-dialog.ui b/properties/nm-openconnect-dialog.ui
index 43beb44a3..7d8adbde6 100644
--- a/properties/nm-openconnect-dialog.ui
+++ b/properties/nm-openconnect-dialog.ui
@@ -324,6 +324,23 @@ 2 + + + True + True + Don't use system proxy settings during authentication + True + True + False + False + True + + + 0 + 13 + 2 + + False
@@ -344,7 +361,7 @@ 0 - 13 + 14 2
@@ -366,7 +383,7 @@ 0 - 14 + 15
@@ -384,7 +401,7 @@ 1 - 14 + 15
@@ -406,7 +423,7 @@ 0 - 15 + 16
diff --git a/properties/nm-openconnect-editor-plugin.c b/properties/nm-openconnect-editor-plugin.c
index 90dd5af55..4d04b878f 100644
--- a/properties/nm-openconnect-editor-plugin.c
+++ b/properties/nm-openconnect-editor-plugin.c 
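Review bot: The new `if (dont_use_proxy_for_auth)` in open_webview_idle only tests whether the key is present, yet update_connection in nm-openconnect-editor.c stores this option as the string "yes" or "no" every time the profile is saved, so a profile saved with the box unchecked would still take the no-proxy branch if ui_data->options holds those raw string values (the variable's declaration is outside the hunk, so its type is inferred here). Compare the value the way the editor plugin does: `if (dont_use_proxy_for_auth && !strcmp (dont_use_proxy_for_auth, "yes")) {`. Since the value is consulted only inside `if (dm)`, the lookup could also move into that block. The nm-openconnect-dialog.ui hunks rendered on this same line have lost their element tags, so the widget id the editor references could not be checked against them.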
@@ -264,6 +264,11 @@ import (NMVpnEditorPlugin *iface, const char *path, GError **error)
 if (true)
 nm_setting_vpn_add_data_item (s_vpn, NM_OPENCONNECT_KEY_PREVENT_INVALID_CERT, "yes");
+ /* Don't use system proxy settings during authentication */
+ bval = g_key_file_get_boolean (keyfile, "openconnect", "DontUseProxyAuth", NULL);
+ if (true)
+ nm_setting_vpn_add_data_item (s_vpn, NM_OPENCONNECT_DONT_USE_PROXY_AUTHENTICATION, "yes");
+
 /* Soft token mode */
 buf = g_key_file_get_string (keyfile, "openconnect", "StokenSource", NULL);
 if (buf)
@@ -366,6 +371,10 @@ export (NMVpnEditorPlugin *iface,
 if (value && !strcmp (value, "yes"))
 prevent_invalid_cert = TRUE;
+ value = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_DONT_USE_PROXY_AUTHENTICATION);
+ if (value && !strcmp (value, "yes"))
+ prevent_invalid_cert = TRUE;
+
 value = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_TOKEN_MODE);
 if (value && strlen (value))
 token_mode = value;
diff --git a/properties/nm-openconnect-editor.c b/properties/nm-openconnect-editor.c
index de0c27a1b..1d9161a82 100644
--- a/properties/nm-openconnect-editor.c
+++ b/properties/nm-openconnect-editor.c 
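Review bot: In import(), `bval` is read from the DontUseProxyAuth key but never tested: the guard is `if (true)`, so every imported profile gets no_proxy_auth=yes whether or not the keyfile asked for it. The guard should be `if (bval)`. The PreventInvalidCert context line just above shows the same `if (true)`, so this may be an inherited pattern, but the new block should at least honour the value it just read. import() continues outside the hunk on both sides.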
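Review bot: The new block in export() is a copy of the PreventInvalidCert check and still assigns `prevent_invalid_cert = TRUE;`, so a profile with no_proxy_auth=yes silently turns on prevent-invalid-cert in the exported file, while the proxy option itself is never written out (nothing in this hunk records it, and the keyfile writer is outside the hunk). It needs its own flag, e.g. `gboolean dont_use_proxy_auth = FALSE;` declared with the others at the top of export() and `dont_use_proxy_auth = TRUE;` here, and the writer that emits the PreventInvalidCert line should emit a matching DontUseProxyAuth line so that import() can read the value back under the key it already uses.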
@@ -364,7 +364,17 @@ init_editor_plugin (OpenconnectEditor *self, NMConnection *connection, GError **
 }
 g_signal_connect (G_OBJECT (widget), "toggled", G_CALLBACK (stuff_changed_cb), self);
- widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "csd_button"));
+ widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "dont_use_proxy_for_authentication"));
+ g_return_val_if_fail (widget, FALSE);
+
+ if (s_vpn) {
+ value = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_DONT_USE_PROXY_AUTHENTICATION);
+ if (value && !strcmp(value, "yes"))
+ gtk_check_button_set_active (GTK_CHECK_BUTTON (widget), TRUE);
+ }
+ g_signal_connect (G_OBJECT (widget), "toggled", G_CALLBACK (stuff_changed_cb), self);
+
+ widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "csd_button"));
 g_return_val_if_fail (widget, FALSE);
 if (s_vpn) {
@@ -468,6 +478,10 @@ update_connection (NMVpnEditor *iface,
 str = gtk_check_button_get_active (GTK_CHECK_BUTTON (widget))?"yes":"no";
 nm_setting_vpn_add_data_item (s_vpn, NM_OPENCONNECT_KEY_PREVENT_INVALID_CERT, str);
+ widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "dont_use_proxy_for_authentication"));
+ str = gtk_check_button_get_active (GTK_CHECK_BUTTON (widget))?"yes":"no";
+ nm_setting_vpn_add_data_item (s_vpn, NM_OPENCONNECT_DONT_USE_PROXY_AUTHENTICATION, str);
+
 widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "csd_button"));
 str = gtk_check_button_get_active (GTK_CHECK_BUTTON (widget))?"yes":"no";
 nm_setting_vpn_add_data_item (s_vpn, NM_OPENCONNECT_KEY_CSD_ENABLE, str);
diff --git a/shared/nm-service-defines.h b/shared/nm-service-defines.h
index 4e7d48132..7fc979eaf 100644
--- a/shared/nm-service-defines.h
+++ b/shared/nm-service-defines.h 
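Review bot: `!strcmp(value, "yes")` in the new init_editor_plugin block drops the space before the parenthesis that the surrounding lines (`gtk_builder_get_object (...)`, `g_return_val_if_fail (widget, FALSE)`) and the same comparison in nm-openconnect-editor-plugin.c (`!strcmp (value, "yes")`) use; write it `if (value && !strcmp (value, "yes"))`. The lookup / "yes" compare / set_active / connect sequence now appears at least three times in a row in this function (the toggle above, this one, csd_button), which is a candidate for a small static helper taking the builder id and the data-item key. Both hunks sit inside functions whose bodies continue outside the hunk.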
@@ -43,6 +43,7 @@
 #define NM_OPENCONNECT_KEY_MTU "mtu"
 #define NM_OPENCONNECT_KEY_PEM_PASSPHRASE_FSID "pem_passphrase_fsid"
 #define NM_OPENCONNECT_KEY_PREVENT_INVALID_CERT "prevent_invalid_cert"
+#define NM_OPENCONNECT_DONT_USE_PROXY_AUTHENTICATION "no_proxy_auth"
 #define NM_OPENCONNECT_KEY_PROTOCOL "protocol"
 #define NM_OPENCONNECT_KEY_PROXY "proxy"
 #define NM_OPENCONNECT_KEY_CSD_ENABLE "enable_csd_trojan"
diff --git a/src/nm-openconnect-service.c b/src/nm-openconnect-service.c
index 05e809507..924553c30 100644
--- a/src/nm-openconnect-service.c
+++ b/src/nm-openconnect-service.c
@@ -88,6 +88,7 @@ static const ValidProperty valid_properties[] = {
 { NM_OPENCONNECT_KEY_MTU, G_TYPE_STRING, 0, 0 },
 { NM_OPENCONNECT_KEY_PEM_PASSPHRASE_FSID, G_TYPE_BOOLEAN, 0, 0 },
 { NM_OPENCONNECT_KEY_PREVENT_INVALID_CERT, G_TYPE_BOOLEAN, 0, 0 },
+ { NM_OPENCONNECT_DONT_USE_PROXY_AUTHENTICATION, G_TYPE_BOOLEAN, 0, 0 },
 { NM_OPENCONNECT_KEY_PROTOCOL, G_TYPE_STRING, 0, 0 },
 { NM_OPENCONNECT_KEY_PROXY, G_TYPE_STRING, 0, 0 },
 { NM_OPENCONNECT_KEY_CSD_ENABLE, G_TYPE_BOOLEAN, 0, 0 },
@@ -603,7 +604,7 @@ real_need_secrets (NMVpnServicePlugin *plugin,
 }
 /* We just need the WebVPN cookie, and the final IP address of the gateway
- (after HTTP redirects, which do happen). All the certificate/SecurID
+ (after HTTP redirects, which do happen). All the certificate/SecurID
 nonsense can be handled for us, in the user's context, by auth-dialog */
 if (!nm_setting_vpn_get_secret (s_vpn, NM_OPENCONNECT_KEY_GATEWAY)) {
 *setting_name = NM_SETTING_VPN_SETTING_NAME;
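Review bot: `NM_OPENCONNECT_DONT_USE_PROXY_AUTHENTICATION` is the only key macro in this header without the `NM_OPENCONNECT_KEY_` prefix, and the feature now has three unrelated spellings — the macro name, the data item "no_proxy_auth", and the keyfile key "DontUseProxyAuth" read by the editor plugin — which makes it hard to follow the option between the service, the editor and the auth dialog. Consider `#define NM_OPENCONNECT_KEY_NO_PROXY_AUTH "no_proxy_auth"` and reusing that stem for the keyfile key and the .ui widget id. The valid_properties entry in nm-openconnect-service.c registering it as G_TYPE_BOOLEAN is consistent with the "yes"/"no" strings the editor stores.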