Make installer interactive for credential source selection

2026-05-26 14:05:36 +03:00
parent 7c625e840e
commit a52b4ecdd4
10 changed files with 1634 additions and 45 deletions

@@ -0,0 +1,70 @@
---
name: lemana-vpn-operations
description: Use when working in the lemana-vpn repo on install, uninstall, status, CLI aliases, menu-bar app behavior, live VPN connection handling, update instructions, or user-facing answers.
---
# Lemana VPN Operations
## Overview
This repo is a macOS VPN packaging layer around `openconnect`, `openconnect-lite`, Keychain/Bitwarden credential sync, runtime SSO patches, DNS cleanup, and a Swift menu-bar app. Treat live VPN state as real user state, not as a disposable test fixture.
## System Map
- `install.sh` installs/updates the whole package and restarts `LemanaVPN.app` only if it is already running.
- `bin/vpn-lemanapro.sh` is the runtime source for `vpn`, `vpn-auto`, `vpn-manual`, `vpn-debug`, `vpn-fix-dns`.
- `app/Sources/LemanaVPN/VPNManager.swift` shells out to `~/bin/vpn-lemanapro.sh --json`; app state must stay compatible with CLI JSON events.
- `templates/openconnect-lite-config.toml` holds Keycloak selectors and the VPN profile.
- `uninstall.sh` must stop the running menu-bar app when removing the app, not only delete the bundle.
## Live Connection Rules
Before any live connect, run:
```sh
vpn --status
vpn --status --json
```
Do not start another `vpn`, `vpn-auto`, `vpn-debug`, `vpn --manual`, or app connect if status says connected/connecting/reconnecting or if the previous connect attempt is still active. Inspect logs instead:
```sh
tail -f ~/Library/Logs/LemanaVPN-openconnect-lite.log
tail -f ~/Library/Logs/LemanaVPN.log
```
Use `vpn --manual` for SSO diagnosis before automatic mode. Use `vpn-lemanapro.sh --patch-only` when only runtime patches need to be applied.
## Update Commands
From a checkout:
```sh
sh install.sh
vpn --status
open ~/Applications/LemanaVPN.app
```
From the remote installer:
```sh
curl -fsSL https://git.dokops.ru/dokril/lemana-vpn/raw/branch/main/install.sh | sh
```
If Bitwarden is disabled or unavailable and Keychain credentials are missing:
```sh
vpn --configure-keychain
```
## Answer Format
Final answers must always include how to run, how to check, and how to update. Also state whether live VPN was tested or intentionally skipped because an existing connection should not be disturbed.
## Common Mistakes
- Starting a second VPN session instead of reading `vpn --status` and logs.
- Testing only the Swift app while breaking CLI JSON events.
- Calling a Bitwarden master password an LDAP password.
- Treating the current 6-digit TOTP code as the TOTP seed.
- Forgetting that the menu-bar app may still be running after app files are changed or removed.
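Review bot: the remote update command under Update Commands, `curl -fsSL https://git.dokops.ru/dokril/lemana-vpn/raw/branch/main/install.sh | sh`, conflicts with the interactive credential-source prompt this commit introduces. When the script arrives on stdin, a `read` for the prompt consumes script text or hits EOF instead of the user's answer, so the installer must either read from `/dev/tty` or fall back to its non-interactive path. State here which of those happens for the pipe form (the `--non-interactive` flag already exists for dry-runs), or recommend downloading the script and running `sh install.sh` so the prompt works and the user can inspect the script before executing it.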

@@ -0,0 +1,78 @@
---
name: lemana-vpn-sso-autofill
description: Use when touching Lemana VPN Bitwarden, Keychain, TOTP, openconnect-lite runtime patches, Keycloak SSO, auto-fill, manual mode, hidden browser mode, or authentication troubleshooting.
---
# Lemana VPN SSO And Autofill
## Overview
The connection path is: Bitwarden or existing Keychain -> `openconnect-lite` credentials -> patched Keycloak browser flow -> Cisco/openconnect tunnel -> status JSON/logs/DNS cleanup. Be precise about which credential source is active.
## Credential Flow
With Bitwarden enabled, `bin/vpn-lemanapro.sh` unlocks `bw`, reads item `LM LDAP`, extracts LDAP password and permanent TOTP seed, then writes both to macOS Keychain for `openconnect-lite`.
Without Bitwarden, connection can still work if Keychain already has:
- service `openconnect-lite`, account `<LDAP username>` for the LDAP password;
- service `openconnect-lite`, account `totp/<LDAP username>` for the permanent TOTP seed.
The Bitwarden master password unlocks the vault. It is not the corporate LDAP password. The TOTP seed is not the current 6-digit authenticator code.
If a GUI/no-tty path has incomplete Keychain credentials, do not invent an invisible prompt. Tell the user to run:
```sh
vpn --configure-keychain
```
## Runtime Patches
`vpn-lemanapro.sh` patches `openconnect-lite` before connection. The expected behavior includes:
- Qt hidden browser mode uses `offscreen`, not `minimal`.
- Keycloak fields keep direct `elem.value = ...`, plus `input` and `change` DOM events.
- Autofill stays in `ApplicationWorld`; do not reintroduce `MainWorld`, native setters, or stateful click guards unless there is fresh evidence.
- URL guard prevents Keycloak selectors from clicking Cisco ACS pages.
- Auth redirect reads 302 `Location` from `vpn.lemanapro.ru` without following a TLS-reset-prone final headend GET.
- `LEMANA_VPN_AUTOFILL_CLICK=0` disables submit for manual mode.
- `LEMANA_VPN_AUTOFILL_DISABLE=1` disables autofill for low-level diagnosis.
Apply patches without connecting:
```sh
vpn-lemanapro.sh --patch-only
```
## Modes
- `vpn` / `vpn-auto`: hidden browser, autofill, auto-submit.
- `vpn --manual` / `vpn-manual`: visible browser, autofill, no submit.
- `vpn-debug`: visible browser and raw logs.
When diagnosing SSO, use manual mode first. Do not repeatedly start automatic mode if a connection attempt is already in progress.
## Testing
For any SSO/autofill patch:
```sh
bash -n bin/vpn-lemanapro.sh
tests/smoke.sh
```
If live behavior must be checked:
```sh
vpn --status
vpn --manual
tail -f ~/Library/Logs/LemanaVPN-openconnect-lite.log
```
Skip live reconnect when VPN is already connected unless the user explicitly approves disrupting the current session.
## Troubleshooting Signals
- Looping on `employee.auth.lemanapro.ru/.../login-actions/authenticate`: check autofill events and Keycloak selectors.
- `SSLEOFError` / `UNEXPECTED_EOF_WHILE_READING` on `sslvpna` or `sslvpnb`: check the auth redirect patch.
- Menu-bar app shows credential failure without a prompt: use terminal `vpn --configure-keychain`; GUI should not wait for stdin.
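Review bot: the Runtime Patches bullet that reads the 302 `Location` from `vpn.lemanapro.ru` without following the final headend GET should also say how that `Location` value is checked before it is used. If the patched handling accepted any host in the header, the auth flow could be steered to a host other than the expected `sslvpna`/`sslvpnb` headends, so document the host check that applies and that TLS verification still covers whatever is requested next. Similarly, Credential Flow lists the Keychain service/account layout for the LDAP password and the permanent TOTP seed but not which binaries are granted access to those items; stating the expected ACL, and whether a Keychain prompt is normal on first read, would make the no-tty troubleshooting guidance at the end of this file actionable.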

@@ -0,0 +1,95 @@
---
name: lemana-vpn-testing
description: Use when testing, validating, reviewing, or preparing release/update notes for lemana-vpn shell scripts, Swift app code, installer behavior, SSO patches, or live VPN changes.
---
# Lemana VPN Testing
## Overview
Use a ladder: static checks first, isolated smoke tests second, Swift build third, live VPN only when the changed behavior requires it. Never use live reconnect as a default smoke test.
## Non-Live Verification
Run the smallest relevant set, expanding with risk:
```sh
sh -n install.sh
sh -n uninstall.sh
bash -n bin/vpn-lemanapro.sh
sh -n tests/smoke.sh
tests/smoke.sh
swift build -c release --package-path app
git diff --check
```
`tests/smoke.sh` is the main repo smoke test. It uses temporary homes and fake `openconnect-lite` sources for patch checks, and it asserts status JSON, install dry-run output, uninstall dry-run output, app wiring, manual/auto flags, no-tty credential behavior, and autofill patch invariants.
## Status Checks
For source-script behavior:
```sh
bin/vpn-lemanapro.sh --status
bin/vpn-lemanapro.sh --status --json
```
For the installed user setup:
```sh
vpn --status
vpn --status --json
```
Prefer installed status when verifying what the menu-bar app will see, because `VPNManager.swift` calls `~/bin/vpn-lemanapro.sh`.
## Live VPN Checks
Live checks are appropriate only for changes to connection start/stop, reconnect, SSO/autofill, Bitwarden/Keychain, `openconnect-lite` patching, status JSON consumed by the app, or DNS cleanup.
Before a live check:
```sh
vpn --status
```
If already connected, connecting, or reconnecting, do not start another session. Use logs/status and report that live reconnect was skipped to avoid disturbing the current tunnel.
When SSO/autofill changed, prefer:
```sh
vpn --manual
```
Only use automatic mode after manual mode proves the form is filled correctly:
```sh
vpn
```
Use debug only for diagnosis:
```sh
vpn-debug
tail -f ~/Library/Logs/LemanaVPN-openconnect-lite.log
```
## Installer/Uninstaller Checks
Use dry-runs before real install/uninstall:
```sh
sh install.sh --dry-run --non-interactive --minimal
sh uninstall.sh --dry-run
```
Real install can modify Homebrew packages, pipx packages, sudoers, `/usr/local/sbin`, `~/.zshrc`, LaunchAgents, Keychain prompts, and the menu-bar app. Real uninstall can stop `LemanaVPN.app`. Be explicit in the answer when those were not run.
## Final Report
Report exact commands and results. Always include:
- Run: command to use the changed repo/app.
- Check: command to verify state or behavior.
- Update: `sh install.sh` from checkout or the remote `curl ... | sh`.
- Not run: especially any skipped live VPN reconnect, real install, or real uninstall.
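Review bot: Installer/Uninstaller Checks only exercise `sh install.sh --dry-run --non-interactive --minimal`, and the `tests/smoke.sh` description covers no-tty credential behavior, so the interactive credential-source selection this commit adds has no listed verification path. Add a dry-run case without `--non-interactive` (choices fed on stdin, or a documented default when stdin is not a terminal) so the prompt branch is covered. Since real install modifies sudoers and `/usr/local/sbin`, also note that the dry-run output should be inspected for the exact sudoers rule before a real run.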