Уточни подключение без Bitwarden
@@ -355,18 +355,75 @@ if totp_secret:
|
||||
PY
|
||||
}
|
||||
|
||||
_can_prompt() {
|
||||
[[ -t 0 ]]
|
||||
}
|
||||
|
||||
_configure_keychain() {
|
||||
local password totp_secret
|
||||
read -rsp "LDAP password: " password
|
||||
local password_present=false totp_present=false
|
||||
_keychain_has openconnect-lite "$KC_USERNAME" && password_present=true
|
||||
_keychain_has openconnect-lite "totp/$KC_USERNAME" && totp_present=true
|
||||
|
||||
printf 'Manual LDAP credentials setup for Lemana VPN\n'
|
||||
printf 'User: %s\n' "$KC_USERNAME"
|
||||
printf 'LDAP password: your corporate LDAP/domain password, not the Bitwarden master password.\n'
|
||||
printf 'TOTP seed: permanent BASE32 secret from 2FA setup, not the current 6-digit code.\n'
|
||||
printf 'Saved values go to macOS Keychain service openconnect-lite.\n\n'
|
||||
|
||||
if $password_present; then
|
||||
read -rsp "Corporate LDAP password for $KC_USERNAME [leave empty to keep saved password]: " password
|
||||
else
|
||||
read -rsp "Corporate LDAP password for $KC_USERNAME: " password
|
||||
fi
|
||||
printf '\n'
|
||||
read -rsp "TOTP secret (BASE32, optional if already stored): " totp_secret
|
||||
if $totp_present; then
|
||||
read -rsp "TOTP seed BASE32 [leave empty to keep saved seed]: " totp_secret
|
||||
else
|
||||
read -rsp "TOTP seed BASE32 from 2FA setup: " totp_secret
|
||||
fi
|
||||
printf '\n'
|
||||
if [[ -z "$password" ]]; then
|
||||
printf 'Empty password, nothing was saved.\n' >&2
|
||||
|
||||
if [[ -z "$password" && "$password_present" != "true" ]]; then
|
||||
printf 'LDAP password is required because no saved password was found.\n' >&2
|
||||
return 1
|
||||
fi
|
||||
if [[ -z "$totp_secret" && "$totp_present" != "true" ]]; then
|
||||
printf 'TOTP seed is required because no saved seed was found. Use the BASE32 setup secret, not the current 6-digit code.\n' >&2
|
||||
return 1
|
||||
fi
|
||||
|
||||
_store_keychain "$password" "$totp_secret"
|
||||
printf 'Credentials saved to macOS Keychain for openconnect-lite/%s.\n' "$KC_USERNAME"
|
||||
printf 'Credentials are ready in macOS Keychain for openconnect-lite/%s.\n' "$KC_USERNAME"
|
||||
}
|
||||
|
||||
_ensure_keychain_credentials() {
|
||||
local password_present=false totp_present=false
|
||||
_keychain_has openconnect-lite "$KC_USERNAME" && password_present=true
|
||||
_keychain_has openconnect-lite "totp/$KC_USERNAME" && totp_present=true
|
||||
|
||||
if [[ "$password_present" == "true" && "$totp_present" == "true" ]]; then
|
||||
if [[ "$USE_BITWARDEN" == "1" ]]; then
|
||||
_emit '{"event":"keychain_ready","source":"keychain"}' "LDAP credentials are ready in macOS Keychain for $KC_USERNAME."
|
||||
else
|
||||
_emit '{"event":"keychain_ready","source":"keychain","bitwarden":false}' "Bitwarden is disabled. Using saved LDAP password and TOTP seed from macOS Keychain for $KC_USERNAME."
|
||||
fi
|
||||
return 0
|
||||
fi
|
||||
|
||||
if [[ "$USE_BITWARDEN" == "1" ]]; then
|
||||
_emit '{"event":"keychain_required","bitwarden":true}' "Bitwarden sync did not produce complete Keychain credentials."
|
||||
else
|
||||
_emit '{"event":"keychain_required","bitwarden":false}' "Bitwarden is disabled and saved LDAP credentials are incomplete."
|
||||
fi
|
||||
|
||||
if ! _can_prompt; then
|
||||
_emit '{"event":"error","message":"LDAP credentials are missing. Run vpn --configure-keychain in Terminal, or reinstall with --configure-keychain."}' \
|
||||
"LDAP credentials are missing. Run: vpn --configure-keychain"
|
||||
return 1
|
||||
fi
|
||||
|
||||
_configure_keychain
|
||||
}
|
||||
|
||||
_bw_cache_session() {
|
||||
@@ -410,8 +467,13 @@ _bw_unlock() {
|
||||
fi
|
||||
|
||||
local manual_pw
|
||||
_emit '{"event":"bw_manual"}' "Unlocking Bitwarden vault..."
|
||||
read -rsp "Bitwarden master password: " manual_pw
|
||||
if ! _can_prompt; then
|
||||
printf 'Bitwarden vault is locked and no interactive terminal is available. Using existing Keychain credentials.\n' >&2
|
||||
return 1
|
||||
fi
|
||||
|
||||
_emit '{"event":"bw_manual"}' "Bitwarden vault is locked. Enter Bitwarden master password to sync LDAP credentials."
|
||||
read -rsp "Bitwarden master password (not LDAP password): " manual_pw
|
||||
printf '\n'
|
||||
if [[ -z "$manual_pw" ]]; then
|
||||
printf 'Empty Bitwarden password. Using existing Keychain credentials.\n' >&2
|
||||
@@ -428,7 +490,7 @@ _bw_unlock() {
|
||||
|
||||
if [[ "$USE_TOUCHID" == "1" && -x "$KC_FP" ]]; then
|
||||
local save_choice
|
||||
read -rp "Save Bitwarden master password behind Touch ID? [Y/n] " save_choice
|
||||
read -rp "Save Bitwarden master password behind Touch ID for next VPN unlock? [Y/n] " save_choice
|
||||
if [[ "${save_choice:-y}" =~ ^[Yy]?$ ]]; then
|
||||
printf '%s' "$manual_pw" | "$KC_FP" set "$BW_KC_SERVICE" "$BW_KC_ACCOUNT_MASTER" >/dev/null 2>&1 \
|
||||
&& printf 'Saved. Next unlock can use Touch ID.\n' \
|
||||
@@ -544,19 +606,19 @@ if $CONFIGURE_KEYCHAIN_MODE; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
trap '_dns_cleanup; _clear_status' EXIT
|
||||
|
||||
if ! $JSON_MODE; then
|
||||
_module_status_human
|
||||
else
|
||||
printf '{"event":"modules","modules":%s}\n' "$(_module_status_json)"
|
||||
fi
|
||||
|
||||
_patch_oc
|
||||
_sync_bitwarden
|
||||
_ensure_keychain_credentials
|
||||
_patch_oc
|
||||
|
||||
_emit '{"event":"connecting"}' "Connecting to VPN (lemanapro)..."
|
||||
_write_status "{\"pid\":$$,\"state\":\"connecting\",\"updated_at\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\"}"
|
||||
trap '_dns_cleanup; _clear_status' EXIT
|
||||
|
||||
display_mode="hidden"
|
||||
log_level=""
|
||||
|
||||