From 6d63e6e31b9e74656add939341860346249c2c23 Mon Sep 17 00:00:00 2001
From: Lev Stipakov
Date: Mon, 31 May 2021 23:13:10 +0300
Subject: [PATCH] Web-based extra authentication

This adds support for web-based extra authentication, which may be used by OpenVPN Cloud. When enabled and client sends IV_SSO=openurl, server pushes Info command OPEN_URL:. The client opens that URL and user authenticates.

Signed-off-by: Lev Stipakov
---
 main.c | 1 +
 manage.c | 5 +++++
 manage.h | 1 +
 openvpn.c | 21 ++++++++++++++++++++-
 openvpn.h | 1 +
 5 files changed, 28 insertions(+), 1 deletion(-)

diff --git a/main.c b/main.c
index 789c043..1eacf01 100644
--- a/main.c
+++ b/main.c
@@ -186,6 +186,7 @@ int WINAPI _tWinMain (HINSTANCE hThisInstance,
 { needstr_, OnNeedStr },
 { echo_, OnEcho },
 { bytecount_,OnByteCount },
+ { infomsg_, OnInfoMsg },
 { 0, NULL }
 };
 InitManagement(handler);
diff --git a/manage.c b/manage.c
index 45106b1..8d80b87 100644
--- a/manage.c
+++ b/manage.c
@@ -332,6 +332,11 @@ OnManagement(SOCKET sk, LPARAM lParam)
 if (rtmsg_handler[bytecount_])
 rtmsg_handler[bytecount_](c, pos + 10);
 }
+ else if (strncmp(pos, "INFOMSG:", 8) == 0)
+ {
+ if (rtmsg_handler[infomsg_])
+ rtmsg_handler[infomsg_](c, pos + 8);
+ }
 }
 else if (c->manage.cmd_queue)
 {
diff --git a/manage.h b/manage.h
index 6d563dd..7b7f005 100644
--- a/manage.h
+++ b/manage.h
@@ -37,6 +37,7 @@ typedef enum {
 needok_,
 needstr_,
 pkcs11_id_count_,
+ infomsg_,
 mgmt_rtmsg_type_max
 } mgmt_rtmsg_type;
diff --git a/openvpn.c b/openvpn.c
index 5154d0c..e52b909 100644
--- a/openvpn.c
+++ b/openvpn.c
@@ -1281,6 +1281,25 @@ void OnByteCount(connection_t *c, char *msg)
 LoadLocalizedString(IDS_NFO_BYTECOUNT, in, out));
 }
+/*
+ * Handle INFOMSG from OpenVPN. At the moment in only handles
+ * "OPEN_URL:" message used by web-based extra authentication.
+ */
+void OnInfoMsg(connection_t* c, char* msg)
+{
+ PrintDebug(L"OnInfoMsg with msg = %S", msg);
+
+ if (strbegins(msg, "OPEN_URL:"))
+ {
+ wchar_t* url = Widen(msg + 9);
+ if (!open_url(url))
+ {
+ WriteStatusLog(c, L"GUI> ", L"Error: failed to open url from info msg", false);
+ }
+ free(url);
+ }
+}
+
 /*
 * Break a long line into shorter segments
 */
@@ -1986,7 +2005,7 @@ StartOpenVPN(connection_t *c)
 /* Construct command line -- put log first */
 _sntprintf_0(cmdline, _T("openvpn --log%s \"%s\" --config \"%s\" "
- "--setenv IV_GUI_VER \"%S\" --service %s 0 --auth-retry interact "
+ "--setenv IV_GUI_VER \"%S\" --setenv IV_SSO openurl --service %s 0 --auth-retry interact "
 "--management %S %hd stdin --management-query-passwords %s"
 "--management-hold"),
 (o.log_append ? _T("-append") : _T("")), c->log_path,
diff --git a/openvpn.h b/openvpn.h
index 118bb21..6dd9818 100644
--- a/openvpn.h
+++ b/openvpn.h
@@ -40,6 +40,7 @@ void OnNeedOk(connection_t *, char *);
 void OnNeedStr(connection_t *, char *);
 void OnEcho(connection_t *, char *);
 void OnByteCount(connection_t *, char *);
+void OnInfoMsg(connection_t*, char*);
 void ResetSavePasswords(connection_t *);
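Review bot: In openvpn.c, OnInfoMsg hands the server-supplied string after `OPEN_URL:` to open_url() with no check on its scheme, so whatever the VPN server (or anything able to write to the management channel) sends is what gets launched. open_url() is outside this diff and may already filter, but the handler should enforce the rule where the untrusted value enters, and Widen() can presumably return NULL on allocation failure, which is also passed through unchecked. I would change the call to `if (!url || wcsncmp(url, L"https://", 8) != 0 || !open_url(url))` (accepting `http://` as well only if a deployment needs it) so that a non-web URI or a local path is rejected and logged rather than opened. The PrintDebug line also writes the whole message to the debug log, which may include a one-time authentication token carried in the URL; logging only the message type would avoid that. The new comment has a typo: "in only handles" should read "it only handles".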
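Review bot: In the StartOpenVPN hunk of openvpn.c, `--setenv IV_SSO openurl` is hard-coded into the command line, so every profile advertises the capability to every server, while the commit message says the feature applies "when enabled" and no switch is visible in this diff. Advertising it is what lets a server push a URL that the GUI then opens, so it should be controllable per profile or globally, for example by replacing the fragment with a `%s` that is filled with `_T("--setenv IV_SSO openurl ")` or `_T("")` depending on a setting. A profile that already sets IV_SSO itself for another method would presumably end up with two conflicting values; it is worth confirming which one OpenVPN keeps. The function body and the argument list of _sntprintf_0 continue outside the hunk, so the extra argument has to be added there as well.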