SAML: disable proxy when opening auth dialog

auth-dialog/main.c

@@ -745,9 +745,18 @@ static gboolean open_webview_idle(gpointer data)
 	// Create a browser instance
 	webView = WEBKIT_WEB_VIEW(webkit_web_view_new());
 
+	dont_use_proxy_for_auth = g_hash_table_lookup(ui_data->options,
+                                                      NM_OPENCONNECT_DONT_USE_PROXY_AUTHENTICATION);
+
 	dm = webkit_web_view_get_website_data_manager(webView);
-	if (dm)
+	if (dm) {
 		cm = webkit_website_data_manager_get_cookie_manager(dm);
+
+                if (dont_use_proxy_for_auth) {
+                        // Ensure that proxies won't be used on auth dialog
+                        webkit_website_data_manager_set_network_proxy_settings(dm, WEBKIT_NETWORK_PROXY_MODE_NO_PROXY, NULL);
+                }
+        }
 	if (cm)
 		storage = g_string_new (g_get_user_data_dir());
 	if (storage)

properties/nm-openconnect-dialog.ui

@@ -324,6 +324,23 @@
         <property name="width">2</property>
       </packing>
     </child>
+    <child>
+      <object class="GtkCheckButton" id="dont_use_proxy_for_authentication">
+        <property name="visible">True</property>
+        <property name="can_focus">True</property>
+        <property name="label" translatable="yes">Don't use system proxy settings during authentication</property>
+        <property name="use_underline">True</property>
+        <property name="focus_on_click">True</property>
+        <property name="active">False</property>
+        <property name="inconsistent">False</property>
+        <property name="draw_indicator">True</property>
+      </object>
+      <packing>
+        <property name="left_attach">0</property>
+        <property name="top_attach">13</property>
+        <property name="width">2</property>
+      </packing>
+    </child>
     <child>
       <object class="GtkLabel" id="token_label">
         <property name="visible">False</property>
@@ -344,7 +361,7 @@
       </object>
       <packing>
           <property name="left_attach">0</property>
-          <property name="top_attach">13</property>
+          <property name="top_attach">14</property>
           <property name="width">2</property>
       </packing>
     </child>
@@ -366,7 +383,7 @@
       </object>
       <packing>
         <property name="left_attach">0</property>
-        <property name="top_attach">14</property>
+        <property name="top_attach">15</property>
       </packing>
     </child>
     <child>
@@ -384,7 +401,7 @@
       </object>
       <packing>
         <property name="left_attach">1</property>
-        <property name="top_attach">14</property>
+        <property name="top_attach">15</property>
       </packing>
     </child>
     <child>
@@ -406,7 +423,7 @@
       </object>
       <packing>
         <property name="left_attach">0</property>
-        <property name="top_attach">15</property>
+        <property name="top_attach">16</property>
       </packing>
     </child>
     <child>

properties/nm-openconnect-editor-plugin.c

@@ -264,6 +264,11 @@ import (NMVpnEditorPlugin *iface, const char *path, GError **error)
 	if (true)
 		nm_setting_vpn_add_data_item (s_vpn, NM_OPENCONNECT_KEY_PREVENT_INVALID_CERT, "yes");
 
+	/* Don't use system proxy settings during authentication */
+	bval = g_key_file_get_boolean (keyfile, "openconnect", "DontUseProxyAuth", NULL);
+	if (true)
+		nm_setting_vpn_add_data_item (s_vpn, NM_OPENCONNECT_DONT_USE_PROXY_AUTHENTICATION, "yes");
+
 	/* Soft token mode */
 	buf = g_key_file_get_string (keyfile, "openconnect", "StokenSource", NULL);
 	if (buf)
@@ -366,6 +371,10 @@ export (NMVpnEditorPlugin *iface,
 	if (value && !strcmp (value, "yes"))
 		prevent_invalid_cert = TRUE;
 
+	value = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_DONT_USE_PROXY_AUTHENTICATION);
+	if (value && !strcmp (value, "yes"))
+		prevent_invalid_cert = TRUE;
+
 	value = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_KEY_TOKEN_MODE);
 	if (value && strlen (value))
 		token_mode = value;

properties/nm-openconnect-editor.c

@@ -364,7 +364,17 @@ init_editor_plugin (OpenconnectEditor *self, NMConnection *connection, GError **
 	}
 	g_signal_connect (G_OBJECT (widget), "toggled", G_CALLBACK (stuff_changed_cb), self);
 
-	widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "csd_button"));
+	widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "dont_use_proxy_for_authentication"));
+	g_return_val_if_fail (widget, FALSE);
+
+	if (s_vpn) {
+		value = nm_setting_vpn_get_data_item (s_vpn, NM_OPENCONNECT_DONT_USE_PROXY_AUTHENTICATION);
+		if (value && !strcmp(value, "yes"))
+			gtk_check_button_set_active (GTK_CHECK_BUTTON (widget), TRUE);
+	}
+	g_signal_connect (G_OBJECT (widget), "toggled", G_CALLBACK (stuff_changed_cb), self);
+
+        widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "csd_button"));
 	g_return_val_if_fail (widget, FALSE);
 
 	if (s_vpn) {
@@ -468,6 +478,10 @@ update_connection (NMVpnEditor *iface,
 	str = gtk_check_button_get_active (GTK_CHECK_BUTTON (widget))?"yes":"no";
 	nm_setting_vpn_add_data_item (s_vpn, NM_OPENCONNECT_KEY_PREVENT_INVALID_CERT, str);
 
+	widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "dont_use_proxy_for_authentication"));
+	str = gtk_check_button_get_active (GTK_CHECK_BUTTON (widget))?"yes":"no";
+	nm_setting_vpn_add_data_item (s_vpn, NM_OPENCONNECT_DONT_USE_PROXY_AUTHENTICATION, str);
+
 	widget = GTK_WIDGET (gtk_builder_get_object (priv->builder, "csd_button"));
 	str = gtk_check_button_get_active (GTK_CHECK_BUTTON (widget))?"yes":"no";
 	nm_setting_vpn_add_data_item (s_vpn, NM_OPENCONNECT_KEY_CSD_ENABLE, str);

shared/nm-service-defines.h

@@ -43,6 +43,7 @@
 #define NM_OPENCONNECT_KEY_MTU "mtu"
 #define NM_OPENCONNECT_KEY_PEM_PASSPHRASE_FSID "pem_passphrase_fsid"
 #define NM_OPENCONNECT_KEY_PREVENT_INVALID_CERT "prevent_invalid_cert"
+#define NM_OPENCONNECT_DONT_USE_PROXY_AUTHENTICATION "no_proxy_auth"
 #define NM_OPENCONNECT_KEY_PROTOCOL "protocol"
 #define NM_OPENCONNECT_KEY_PROXY "proxy"
 #define NM_OPENCONNECT_KEY_CSD_ENABLE "enable_csd_trojan"

src/nm-openconnect-service.c

@@ -88,6 +88,7 @@ static const ValidProperty valid_properties[] = {
 	{ NM_OPENCONNECT_KEY_MTU,         G_TYPE_STRING, 0, 0 },
 	{ NM_OPENCONNECT_KEY_PEM_PASSPHRASE_FSID, G_TYPE_BOOLEAN, 0, 0 },
 	{ NM_OPENCONNECT_KEY_PREVENT_INVALID_CERT, G_TYPE_BOOLEAN, 0, 0 },
+	{ NM_OPENCONNECT_DONT_USE_PROXY_AUTHENTICATION, G_TYPE_BOOLEAN, 0, 0 },
 	{ NM_OPENCONNECT_KEY_PROTOCOL,    G_TYPE_STRING, 0, 0 },
 	{ NM_OPENCONNECT_KEY_PROXY,       G_TYPE_STRING, 0, 0 },
 	{ NM_OPENCONNECT_KEY_CSD_ENABLE,  G_TYPE_BOOLEAN, 0, 0 },
@@ -603,7 +604,7 @@ real_need_secrets (NMVpnServicePlugin *plugin,
 	}
 
 	/* We just need the WebVPN cookie, and the final IP address of the gateway
-	   (after HTTP redirects, which do happen). All the certificate/SecurID 
+	   (after HTTP redirects, which do happen). All the certificate/SecurID
 	   nonsense can be handled for us, in the user's context, by auth-dialog */
 	if (!nm_setting_vpn_get_secret (s_vpn, NM_OPENCONNECT_KEY_GATEWAY)) {
 		*setting_name = NM_SETTING_VPN_SETTING_NAME;