openconnect stoken support not working properly with our form

Kevin Cernekee cernekee at gmail.com
Wed Nov 15 11:03:33 PST 2017


On Wed, Nov 15, 2017 at 10:50 AM, Andy Wang <dopey at moonteeth.com> wrote:
> I can't figure out how to line wrap a diff from git for it to be happy
> with gmail so trying the new patch as an attachment.

Most contributors use `git format-patch` and `git send-email`,
bypassing the gmail client.

> I'm not sure what you mean by hits cancel on the pin form.  There is
> no UI for that in the command line openconnect, right?

Right, the CLI callback doesn't normally support that option, but the
library allows it.  You can temporarily modify main.c to return
OC_FORM_RESULT_CANCELLED for testing purposes.

> If you're referring to the networkmanager ui, that was actually my
> next step.  The patched openconnect doesn't work there and I can't
> figure out why.  I have literally no clue what I'm doing looking at
> the network-manager-openconnect repo.  It looks like it mostly uses
> libopenconnect to interface, but it also appears to exec an
> openconnect binary without the --token-* arguments.
> That's where I'm hoping to learn more when I have a bit of time.

Last time I looked at it (several years ago) it called into
libopenconnect to obtain the cookie and perform all of the auth form
stuff, then it invoked the openconnect binary with the cookie obtained
in the previous step.  It was written before libopenconnect had APIs
that allow a UI to "supervise" an active connection.  There are also
some privilege separation concerns, since the first stage runs as
non-root and the second stage usually runs as root.


