From ce6d1d846655eff145b09f7a303b14f7a8580d64 Mon Sep 17 00:00:00 2001 From: Henrik Bengtsson Date: Sun, 19 May 2024 21:41:20 -0700 Subject: [PATCH] Now OpenConnect stdout and stderr is redirected to ~/.local/state/ucsf-vpn/logs/openconnect.log --- bin/ucsf-vpn | 61 ++++++++++++++++++++--------------------- src/incl/openconnect.sh | 45 ++++++++++-------------------- src/ucsf-vpn.sh | 18 +++++++++++- 3 files changed, 61 insertions(+), 63 deletions(-) diff --git a/bin/ucsf-vpn b/bin/ucsf-vpn index 73c3164..77f10ce 100755 --- a/bin/ucsf-vpn +++ b/bin/ucsf-vpn @@ -817,7 +817,7 @@ function openconnect_pid() { } function openconnect_start() { - local two_pwds fh_stderr stderr fh_stdout stdout main_reason reason post_reason + local two_pwds openconnect_log_file log_file main_reason reason post_reason local -a opts local -i pid @@ -930,14 +930,16 @@ function openconnect_start() { _exit 0 fi - rm "$(logfile)" + log_file="$(logfile)" + openconnect_log_file="$(openconnect_logfile)" + rm "${log_file}" log "openconnect_start() ..." ## Record IP routing table before connecting to the VPN ip route show > "${ip_route_novpn_file}" - fh_stderr=$(mktemp) - fh_stdout=$(mktemp) + log "ip route show:" + ip route show >> "${log_file}" if [[ -n $pwd && -n $token ]]; then case "${UCSF_VPN_TWO_PWDS:-password-token}" in 
@@ -952,38 +954,19 @@ function openconnect_start() { ;; esac # shellcheck disable=SC2086 - sudo echo -e "$two_pwds" | sudo UCSF_VPN_VERSION="$(version)" UCSF_VPN_FLAVOR="$(flavor_home)" UCSF_VPN_LOGFILE="$(logfile)" openconnect "${opts[@]}" --authgroup="$realm" 2> "$fh_stderr" 1> "$fh_stdout" + sudo echo -e "$two_pwds" | sudo UCSF_VPN_VERSION="$(version)" UCSF_VPN_FLAVOR="$(flavor_home)" UCSF_VPN_LOGFILE="$(logfile)" openconnect "${opts[@]}" --authgroup="$realm" 2> "${openconnect_log_file}" 1> "${openconnect_log_file}" else # shellcheck disable=SC2086 - sudo UCSF_VPN_VERSION="$(version)" UCSF_VPN_FLAVOR="$(flavor_home)" UCSF_VPN_LOGFILE="$(logfile)" openconnect "${opts[@]}" --authgroup="$realm" 2> "$fh_stderr" 1> "$fh_stdout" + sudo UCSF_VPN_VERSION="$(version)" UCSF_VPN_FLAVOR="$(flavor_home)" UCSF_VPN_LOGFILE="$(logfile)" openconnect "${opts[@]}" --authgroup="$realm" 2> "${openconnect_log_file}" 1> "${openconnect_log_file}" fi ## Update IP-info file pii_file=$(make_pii_file) - ## Cleanup - if [[ -f "$fh_stderr" ]]; then - stderr=$(cat "$fh_stderr") - sudo rm "$fh_stderr" - else - stderr= - fi - if [[ -f "$fh_stdout" ]]; then - stdout=$(cat "$fh_stdout") - sudo rm "$fh_stdout" - else - stdout= - fi - mdebug "OpenConnect standard output:" - mdebug "$stdout" - mdebug "OpenConnect standard error:" - mdebug "$stderr" - pid=$(openconnect_pid) mdebug "pid=$pid" if [[ $pid == -1 ]]; then - echo "$stdout" - echo "$stderr" + cat "${openconnect_log_file}" ## Report on ping for VPN server if ! is_online "$server"; then 
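Review bot: Both `openconnect` invocations in this hunk end in `2> "${openconnect_log_file}" 1> "${openconnect_log_file}"`, which opens the same file twice with independent write offsets, so stdout and stderr output can overwrite each other. The failure checks further down grep this file for strings such as "username:password", so a clobbered log can lead to the wrong diagnosis being reported. Open the file once and duplicate the descriptor instead: `> "${openconnect_log_file}" 2>&1`. The identical lines in src/incl/openconnect.sh (hunk `@@ -176,38 +178,19 @@`) need the same change; openconnect_start() begins and ends outside this hunk.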
@@ -1002,16 +985,16 @@ function openconnect_start() { ## username:fgets (stdin): Resource temporarily unavailable ## Was the wrong credentials given? - if echo "$stderr" | grep -q -F "username:password"; then + if grep -q -F "username:password" "${openconnect_log_file}"; then reason="Incorrect username or password" reason="${reason}. You can test your credentials via the Web VPN at https://${UCSF_WEB_VPN_SERVER:-remote-vpn01.ucsf.edu}/" - elif echo "$stderr" | grep -q -F "Inappropriate ioctl for device"; then + elif grep -q -F "Inappropriate ioctl for device" "${openconnect_log_file}"; then reason="Incorrect username or password" reason="${reason}. You can test your credentials via the Web VPN at https://${UCSF_WEB_VPN_SERVER:-remote-vpn01.ucsf.edu}/" - elif echo "$stderr" | grep -q -E "password#2"; then + elif grep -q -E "password#2" "${openconnect_log_file}"; then reason="2FA token not accepted" - elif echo "$stderr" | grep -q -iF "Unknown VPN protocol"; then - reason="$stderr (option --protocol=)" + elif grep -q -iF "Unknown VPN protocol" "${openconnect_log_file}"; then + reason="Unknown VPN protocol (option --protocol=)" else reason="Check your username, password, and token" reason="${reason}. You can test your credentials via the Web VPN at https://${UCSF_WEB_VPN_SERVER:-remote-vpn01.ucsf.edu}/" @@ -1388,6 +1371,22 @@ function install_vpnc() { } +function openconnect_logfile() { + local path file + + path="$(xdg_state_path)/logs" + if [ ! -d "$path" ]; then + mkdir -p "$path" + fi + + file="${path}"/openconnect.log + + ## Create log file + touch "${file}" + + echo "${file}" +} + function logfile() { local path file diff --git a/src/incl/openconnect.sh b/src/incl/openconnect.sh index b808a6d..e4eb004 100755 --- a/src/incl/openconnect.sh +++ b/src/incl/openconnect.sh 
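Review bot: The four `grep` tests in the `@@ -1002,16 +985,16 @@` hunk now search the merged stdout and stderr log, where the old code inspected stderr only, so any of these fixed strings appearing in ordinary OpenConnect output would now select a failure reason. The last branch also replaces `reason="$stderr (option --protocol=)"` with a constant, which drops OpenConnect's own message from the error shown to the user. Keeping the matched line preserves it: `reason="$(grep -iF -m 1 "Unknown VPN protocol" "${openconnect_log_file}") (option --protocol=)"`. The same applies to src/incl/openconnect.sh (`@@ -226,16 +209,16 @@`); the surrounding function extends beyond the hunk.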
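Review bot: openconnect_logfile() (hunk `@@ -1388,6 +1371,22 @@`) creates the `logs` directory and `openconnect.log` with `mkdir -p` and `touch` under whatever umask the caller has, and unlike the temporary files it replaces, this log is kept after the run. OpenConnect's authentication output may therefore be readable by other local users on a system with a permissive umask, unless `xdg_state_path` (not visible here) already returns an owner-only directory. Restrict the file at creation, e.g. `touch "${file}" && chmod 600 "${file}"`, and return non-zero if `mkdir` or `touch` fails instead of echoing a path that may not exist. A short header comment saying that the function prints the log path on stdout and creates the file as a side effect would also help. The same function is added in src/ucsf-vpn.sh (`@@ -414,6 +414,22 @@`).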
@@ -41,7 +41,7 @@ function openconnect_pid() { } function openconnect_start() { - local two_pwds fh_stderr stderr fh_stdout stdout main_reason reason post_reason + local two_pwds openconnect_log_file log_file main_reason reason post_reason local -a opts local -i pid @@ -154,14 +154,16 @@ function openconnect_start() { _exit 0 fi - rm "$(logfile)" + log_file="$(logfile)" + openconnect_log_file="$(openconnect_logfile)" + rm "${log_file}" log "openconnect_start() ..." ## Record IP routing table before connecting to the VPN ip route show > "${ip_route_novpn_file}" - fh_stderr=$(mktemp) - fh_stdout=$(mktemp) + log "ip route show:" + ip route show >> "${log_file}" if [[ -n $pwd && -n $token ]]; then case "${UCSF_VPN_TWO_PWDS:-password-token}" in 
@@ -176,38 +178,19 @@ function openconnect_start() { ;; esac # shellcheck disable=SC2086 - sudo echo -e "$two_pwds" | sudo UCSF_VPN_VERSION="$(version)" UCSF_VPN_FLAVOR="$(flavor_home)" UCSF_VPN_LOGFILE="$(logfile)" openconnect "${opts[@]}" --authgroup="$realm" 2> "$fh_stderr" 1> "$fh_stdout" + sudo echo -e "$two_pwds" | sudo UCSF_VPN_VERSION="$(version)" UCSF_VPN_FLAVOR="$(flavor_home)" UCSF_VPN_LOGFILE="$(logfile)" openconnect "${opts[@]}" --authgroup="$realm" 2> "${openconnect_log_file}" 1> "${openconnect_log_file}" else # shellcheck disable=SC2086 - sudo UCSF_VPN_VERSION="$(version)" UCSF_VPN_FLAVOR="$(flavor_home)" UCSF_VPN_LOGFILE="$(logfile)" openconnect "${opts[@]}" --authgroup="$realm" 2> "$fh_stderr" 1> "$fh_stdout" + sudo UCSF_VPN_VERSION="$(version)" UCSF_VPN_FLAVOR="$(flavor_home)" UCSF_VPN_LOGFILE="$(logfile)" openconnect "${opts[@]}" --authgroup="$realm" 2> "${openconnect_log_file}" 1> "${openconnect_log_file}" fi ## Update IP-info file pii_file=$(make_pii_file) - ## Cleanup - if [[ -f "$fh_stderr" ]]; then - stderr=$(cat "$fh_stderr") - sudo rm "$fh_stderr" - else - stderr= - fi - if [[ -f "$fh_stdout" ]]; then - stdout=$(cat "$fh_stdout") - sudo rm "$fh_stdout" - else - stdout= - fi - mdebug "OpenConnect standard output:" - mdebug "$stdout" - mdebug "OpenConnect standard error:" - mdebug "$stderr" - pid=$(openconnect_pid) mdebug "pid=$pid" if [[ $pid == -1 ]]; then - echo "$stdout" - echo "$stderr" + cat "${openconnect_log_file}" ## Report on ping for VPN server if ! is_online "$server"; then 
@@ -226,16 +209,16 @@ function openconnect_start() { ## username:fgets (stdin): Resource temporarily unavailable ## Was the wrong credentials given? - if echo "$stderr" | grep -q -F "username:password"; then + if grep -q -F "username:password" "${openconnect_log_file}"; then reason="Incorrect username or password" reason="${reason}. You can test your credentials via the Web VPN at https://${UCSF_WEB_VPN_SERVER:-remote-vpn01.ucsf.edu}/" - elif echo "$stderr" | grep -q -F "Inappropriate ioctl for device"; then + elif grep -q -F "Inappropriate ioctl for device" "${openconnect_log_file}"; then reason="Incorrect username or password" reason="${reason}. You can test your credentials via the Web VPN at https://${UCSF_WEB_VPN_SERVER:-remote-vpn01.ucsf.edu}/" - elif echo "$stderr" | grep -q -E "password#2"; then + elif grep -q -E "password#2" "${openconnect_log_file}"; then reason="2FA token not accepted" - elif echo "$stderr" | grep -q -iF "Unknown VPN protocol"; then - reason="$stderr (option --protocol=)" + elif grep -q -iF "Unknown VPN protocol" "${openconnect_log_file}"; then + reason="Unknown VPN protocol (option --protocol=)" else reason="Check your username, password, and token" reason="${reason}. You can test your credentials via the Web VPN at https://${UCSF_WEB_VPN_SERVER:-remote-vpn01.ucsf.edu}/" diff --git a/src/ucsf-vpn.sh b/src/ucsf-vpn.sh index 86c6f17..e0b999a 100755 --- a/src/ucsf-vpn.sh +++ b/src/ucsf-vpn.sh @@ -107,7 +107,7 @@ ### * UCSF Managing Your Passwords: ### - https://it.ucsf.edu/services/managing-your-passwords ### -### Version: 5.8.0-9008 +### Version: 5.8.0-9009 ### Copyright: Henrik Bengtsson (2016-2024) ### License: GPL (>= 2.1) [https://www.gnu.org/licenses/gpl.html] ### Source: https://github.com/HenrikBengtsson/ucsf-vpn 
@@ -414,6 +414,22 @@ function install_vpnc() { } +function openconnect_logfile() { + local path file + + path="$(xdg_state_path)/logs" + if [ ! -d "$path" ]; then + mkdir -p "$path" + fi + + file="${path}"/openconnect.log + + ## Create log file + touch "${file}" + + echo "${file}" +} + function logfile() { local path file