vlaci / openconnect-sso

Wrapper script for OpenConnect supporting Azure AD (SAMLv2) authentication to Cisco SSL-VPNs
GNU General Public License v3.0

feat: Use selenium for headless SAML flow (containerization support) #76

Closed mgagliardo91 closed 2 years ago

mgagliardo91 commented 2 years ago

Opening this as an alternate option - not necessary to merge unless the decision makes sense. This PR replaces the use of the PyQt toolkit with Python Selenium in order to allow a headless SSO flow in dockerized environments (see https://stackoverflow.com/a/27162721).

Why?

I had a specific need for issuing the openconnect SSO SAML flow for Azure AD in a dockerized environment. While attempting to build a docker image for openconnect-sso, I found that the browser requirement from PyQt blocks us from using a headless (--browser-display-mode=HIDDEN) browser to get an SSO token. In order to resolve this, I opted for pulling in Selenium instead and using a lightweight chromium browser to issue the request with the correct flags. Given Selenium's support for browser-based interaction, this also removed a lot of the complexities of using asyncio to collect the necessary cookie containing the exchanged token.

The changes

After the implementation, the following changes were added:

You can test it out by checking out the fork or via:

pip install git+https://github.com/mgagliardo91/openconnect-sso.git

Shoutout

Thanks again to @vlaci + others for the development of the base wrapper, it proved extremely helpful with a recent upgrade of our VPN to SAML via Azure AD. Hopefully this change/fork will help others who ran into a similar problem as I did with containerized environments.

YoungElPaso commented 2 years ago

Could I suggest loading a JS file to append to or substitute for the scripts for autofill? I think the differences in SSO flows require some ability to fine tune what selector gets clicked when, what gets filled out or checked etc and I don't think the rules in the config.toml are sufficient to handle all of the cases.

Since you're proposing using Selenium (which I think is a great idea!) I think it would be useful to be able to execute user scripts more directly, since the audience of people who can implement those for Selenium is bound to be higher than for Qt.

I should add that I suggest this because my org's SSO flow is overly complicated and cannot be accommodated via the rules.

Oh, also, perhaps consider a screenshot dump for failures via Selenium? That would be super useful for debugging headless environments!
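An added example, not code from this PR or from openconnect-sso, that sketches the three pieces discussed in the PR description and the comment above: launching Chromium headless with the flags a container needs, polling the browser session for the cookie that carries the exchanged token under a deadline (the part the thread later tunes with authenticate_timeout), and dumping a screenshot when the deadline passes. The cookie name webvpn, the AuthTimeout class, the flag list, the CSS-selector "autofill steps" and the sample step values are assumptions for illustration; the cookie-wait logic is pure Python so it can be exercised without a browser, and Selenium is imported only when a real driver is built.

```python
"""Headless SAML login sketch (added example; not openconnect-sso code)."""
import time
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# Assumption: the Cisco gateway hands back the session token in a cookie of this name.
TOKEN_COOKIE = "webvpn"
# The thread reports that 10 s is too short for a password + MFA round trip.
DEFAULT_TIMEOUT = 120.0

# Assumed flag set for Chromium inside a container (see the Stack Overflow link in the PR).
HEADLESS_CHROMIUM_ARGS = [
    "--headless",
    "--no-sandbox",             # needed when Chromium runs as root in Docker
    "--disable-dev-shm-usage",  # /dev/shm is tiny in Docker by default
    "--disable-gpu",
    "--window-size=1280,1024",
]

# Assumed "autofill step" shape: (css_selector, value) with value None meaning "click".
AutofillStep = Tuple[str, Optional[str]]


class AuthTimeout(RuntimeError):
    """Raised when the token cookie did not appear before the deadline."""


def wait_for_cookie(
    get_cookies: Callable[[], List[Dict[str, str]]],
    name: str = TOKEN_COOKIE,
    timeout: float = DEFAULT_TIMEOUT,
    poll: float = 0.5,
    clock: Callable[[], float] = time.monotonic,
    sleep: Callable[[float], None] = time.sleep,
) -> str:
    """Poll get_cookies() until a non-empty cookie called `name` exists, else raise AuthTimeout.

    The driver access, clock and sleep are injected so the deadline logic is testable offline.
    """
    deadline = clock() + timeout
    while True:
        for cookie in get_cookies():
            if cookie.get("name") == name and cookie.get("value"):
                return cookie["value"]
        if clock() >= deadline:
            raise AuthTimeout(f"cookie {name!r} not set within {timeout:.0f}s")
        sleep(poll)


def build_headless_driver(chromium_binary: Optional[str] = None):
    """Create a headless Chromium WebDriver (Selenium imported lazily; it is optional here)."""
    from selenium import webdriver

    opts = webdriver.ChromeOptions()
    if chromium_binary:
        opts.binary_location = chromium_binary
    for arg in HEADLESS_CHROMIUM_ARGS:
        opts.add_argument(arg)
    return webdriver.Chrome(options=opts)


def run_autofill(driver, steps: Sequence[AutofillStep], step_timeout: float = 30.0) -> None:
    """Apply user-supplied steps in order: wait for each selector, then type into or click it."""
    from selenium.webdriver.common.by import By
    from selenium.webdriver.support import expected_conditions as EC
    from selenium.webdriver.support.ui import WebDriverWait

    for selector, value in steps:
        element = WebDriverWait(driver, step_timeout).until(
            EC.element_to_be_clickable((By.CSS_SELECTOR, selector))
        )
        if value is None:
            element.click()
        else:
            element.clear()
            element.send_keys(value)


def saml_login(
    url: str,
    steps: Sequence[AutofillStep] = (),
    timeout: float = DEFAULT_TIMEOUT,
    screenshot_path: str = "saml-failure.png",
) -> str:
    """Drive the SAML flow headless and return the token cookie; screenshot on timeout."""
    driver = build_headless_driver()
    try:
        driver.get(url)
        run_autofill(driver, steps)
        return wait_for_cookie(driver.get_cookies, timeout=timeout)
    except AuthTimeout:
        driver.save_screenshot(screenshot_path)  # the debugging aid suggested above
        raise
    finally:
        driver.quit()
```

Usage would be saml_login("https://vpn.example.com/+CSCOE+/saml/sp/login", steps=[("input[name=loginfmt]", "user@example.com"), ("input[type=submit]", None)]) with the URL and selectors taken from your own gateway and identity provider; the MFA prompt is simply waited out by the cookie poll, which is why the timeout needs to cover it.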

mgagliardo91 commented 2 years ago

@YoungElPaso thanks for the comments! Passing scripts via javascript files could be an easy way to make the functionality of the SSO flow more extensible when the default rules don't work out of the box. That should be pretty straightforward to implement.

I haven't heard from @vlaci on this one, so I'm not sure the future of this PR, but I'd be happy to update the fork with these requests 👍

mgagliardo91 commented 2 years ago

@YoungElPaso added this functionality as a branch off of this fork - feel free to test it out and give any feedback: https://github.com/mgagliardo91/openconnect-sso/pull/2

YoungElPaso commented 2 years ago

Awesome! Thanks, I'll give it a try.


vlaci commented 2 years ago

Thanks for the awesome PR!

Unfortunately I have no access to this kind of VPN any more so it is getting harder and harder for me to maintain the project. I am open to suggestions about the future of this project, maybe in a separate issue.

andre-geldenhuis commented 2 years ago

Getting Qt5 working on Mac silicon is non-trivial - switching to Selenium instead of Qt5 makes getting openconnect-sso much easier to set up. I haven't quite got it working, likely due to weirdness in my company's VPN setup, but it's really promising that it's much easier to install.

AdrienPoupa commented 2 years ago

Hi @mgagliardo91, I tried your fork and it works great for me! Due to #77, I could not get openconnect-sso to work on my Mac, but using Selenium solved it. It opens a new Chrome session as it should, and I am able to enter my credentials and pass the 2FA challenge.

On Mac, I had to manually create a ~/.config/openconnect-sso/config.toml config file to increase the timeout, since 10 seconds is really not enough to enter my password and pass the 2FA challenge. Maybe the default could be increased to 30 or 60 seconds?

Either way it works great, thanks for your work!

@vlaci I feel like this is something that should be merged if other people tested it successfully :)

mgagliardo91 commented 2 years ago

@AdrienPoupa we can definitely increase the default timeout - I agree 10 can be pretty short depending on the specific SSO you are authenticating against. I think @vlaci mentioned he may not be able to maintain the repo as he would have previously without a VPN to test against. I'd be happy to merge this one in and help maintain it, otherwise, I can always publish my fork to PyPI and keep it alive over there.

vlaci commented 2 years ago

If you are willing to maintain this project, I am happy to archive this repository and point users to your fork. I don't think I'll have access to a Cisco VPN anytime soon.

mgagliardo91 commented 2 years ago

@vlaci thanks for the reply, I'll spend some time getting the fork ready and drop a comment here when it's good to go

lucashtc commented 2 years ago

@mgagliardo91 The browser closes before I can complete the login, how do I increase the wait time?

AdrienPoupa commented 2 years ago

@lucashtc put this in your ~/.config/openconnect-sso/config.toml file:

authenticate_timeout = 120