dokril/lemana-vpn
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Make installer interactive for credential source selection

Browse Source
This commit is contained in:
Dmitriy Petrov
2026-05-26 14:05:36 +03:00
parent 7c625e840e
commit a52b4ecdd4
10 changed files with 1634 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

78
.agents/skills/lemana-vpn-sso-autofill/SKILL.md Normal file
View File

@@ -0,0 +1,78 @@
---
name: lemana-vpn-sso-autofill
description: Use when touching Lemana VPN Bitwarden, Keychain, TOTP, openconnect-lite runtime patches, Keycloak SSO, auto-fill, manual mode, hidden browser mode, or authentication troubleshooting.
---
# Lemana VPN SSO And Autofill
## Overview
The connection path is: Bitwarden or existing Keychain -> `openconnect-lite` credentials -> patched Keycloak browser flow -> Cisco/openconnect tunnel -> status JSON/logs/DNS cleanup. Be precise about which credential source is active.
## Credential Flow
With Bitwarden enabled, `bin/vpn-lemanapro.sh` unlocks `bw`, reads item `LM LDAP`, extracts LDAP password and permanent TOTP seed, then writes both to macOS Keychain for `openconnect-lite`.
Without Bitwarden, connection can still work if Keychain already has:
- service `openconnect-lite`, account `<LDAP username>` for the LDAP password;
- service `openconnect-lite`, account `totp/<LDAP username>` for the permanent TOTP seed.
The Bitwarden master password unlocks the vault. It is not the corporate LDAP password. The TOTP seed is not the current 6-digit authenticator code.
If a GUI/no-tty path has incomplete Keychain credentials, do not invent an invisible prompt. Tell the user to run:
```sh
vpn --configure-keychain
```
## Runtime Patches
`vpn-lemanapro.sh` patches `openconnect-lite` before connection. The expected behavior includes:
- Qt hidden browser mode uses `offscreen`, not `minimal`.
- Keycloak fields keep direct `elem.value = ...`, plus `input` and `change` DOM events.
- Autofill stays in `ApplicationWorld`; do not reintroduce `MainWorld`, native setters, or stateful click guards unless there is fresh evidence.
- URL guard prevents Keycloak selectors from clicking Cisco ACS pages.
- Auth redirect reads 302 `Location` from `vpn.lemanapro.ru` without following a TLS-reset-prone final headend GET.
- `LEMANA_VPN_AUTOFILL_CLICK=0` disables submit for manual mode.
- `LEMANA_VPN_AUTOFILL_DISABLE=1` disables autofill for low-level diagnosis.
Apply patches without connecting:
```sh
vpn-lemanapro.sh --patch-only
```
## Modes
- `vpn` / `vpn-auto`: hidden browser, autofill, auto-submit.
- `vpn --manual` / `vpn-manual`: visible browser, autofill, no submit.
- `vpn-debug`: visible browser and raw logs.
When diagnosing SSO, use manual mode first. Do not repeatedly start automatic mode if a connection attempt is already in progress.
## Testing
For any SSO/autofill patch:
```sh
bash -n bin/vpn-lemanapro.sh
tests/smoke.sh
```
If live behavior must be checked:
```sh
vpn --status
vpn --manual
tail -f ~/Library/Logs/LemanaVPN-openconnect-lite.log
```
Skip live reconnect when VPN is already connected unless the user explicitly approves disrupting the current session.
## Troubleshooting Signals
- Looping on `employee.auth.lemanapro.ru/.../login-actions/authenticate`: check autofill events and Keycloak selectors.
- `SSLEOFError` / `UNEXPECTED_EOF_WHILE_READING` on `sslvpna` or `sslvpnb`: check the auth redirect patch.
- Menu-bar app shows credential failure without a prompt: use terminal `vpn --configure-keychain`; GUI should not wait for stdin.