import os

import ServiceManagement

// Whilst the GUI app installs the helper, the System Extension communicates

// with it over XPC

privateletlogger=Logger(subsystem:Bundle.main.bundleIdentifier!, category:"HelperService")

varlogger=Logger(subsystem:Bundle.main.bundleIdentifier!, category:"vpn")

lazyvarxpc:VPNXPCInterface=.init(vpn:self)

lazyvarxpc:AppXPCListener=.init(vpn:self)

@PublishedvartunnelState:VPNServiceState=.disabled{

didSet{

func onExtensionPeerUpdate(_data:Data){

func onExtensionPeerUpdate(_diff:Data){

logger.info("network extension peer update")

letmsg=tryVpn_PeerUpdate(serializedBytes:data)

letmsg=tryVpn_PeerUpdate(serializedBytes:diff)

debugPrint(msg)

applyPeerUpdate(with: msg)

// Non-connecting -> Connecting: Establish XPC

case(_,.connecting):

xpc.connect()

xpc.ping()

// Detached to run ASAP

// TODO: Switch to `Task.immediate` once stable

Task.detached{try?awaitself.xpc.ping()}

tunnelState=.connecting

// Non-connected -> Connected:

// - Retrieve Peers

// - Run `onStart` closure

case(_,.connected):

xpc.connect()

xpc.getPeerState()

// Detached to run ASAP

// TODO: Switch to `Task.immediate` once stable

Task.detached{try?awaitself.xpc.getPeerState()}

tunnelState=.connected

// Any -> Reasserting

case(_,.reasserting):

func validateURL(_ url:String)throws(LoginError)->URL{

guardlet url=URL(string: url)else{

throwLoginError.invalidURL

throw.invalidURL

guard url.scheme=="https"else{

throwLoginError.httpsRequired

throw.httpsRequired

guard url.host!=nilelse{

throwLoginError.noHost

throw.noHost

return url

import os

import VPNLib

privateletlogger=Logger(subsystem:Bundle.main.bundleIdentifier!, category:"VPNXPCInterface")

privateletlogger=Logger(subsystem:Bundle.main.bundleIdentifier!, category:"AppXPCListener")

init(vpn:CoderVPNService){

svc= vpn

super.init()

func connect(){

logger.debug("VPN xpc connect called")

guard xpc==nilelse{

logger.debug("VPN xpc already exists")

func connect()->NSXPCConnection{

iflet connection{

return connection

letnetworkExtDict=Bundle.main.object(forInfoDictionaryKey:"NetworkExtension")as?[String:Any]

letxpcConn=NSXPCConnection(machServiceName: machServiceName!)

xpcConn.remoteObjectInterface=NSXPCInterface(with:VPNXPCProtocol.self)

xpcConn.exportedInterface=NSXPCInterface(with:VPNXPCClientCallbackProtocol.self)

guardlet proxy= xpcConn.remoteObjectProxyas?VPNXPCProtocolelse{

xpc= proxy

logger.debug("connecting to machServiceName:\(machServiceName!)")

xpcConn.exportedObject=self

xpcConn.invalidationHandler={[logger]in

machServiceName: helperAppMachServiceName,

options:.privileged

connection.remoteObjectInterface=NSXPCInterface(with:HelperAppXPCInterface.self)

connection.exportedInterface=NSXPCInterface(with:AppXPCInterface.self)

connection.exportedObject=self

connection.invalidationHandler={

logger.error("VPNXPC connection invalidated.")

self.logger.error("XPC connection invalidated")

xpcConn.interruptionHandler={[logger]in

connection.interruptionHandler={

logger.error("VPNXPC connection interrupted.")

self.logger.error("XPC connection interrupted")

xpcConn.resume()

connection.resume()

self.connection= connection

return connection

func ping(){

xpc?.ping{

self.logger.info("Connected to NE over XPC")

func ping()asyncthrows{

returntryawaitwithCheckedThrowingContinuation{ continuationin

guardlet proxy= conn.remoteObjectProxyWithErrorHandler({ errin

self.logger.error("failed to connect to HelperXPC\(err.localizedDescription, privacy:.public)")

continuation.resume(throwing: err)

self.logger.error("failed to get proxy for HelperXPC")

continuation.resume(throwing:XPCError.wrongProxyType)

proxy.ping{

self.logger.info("Connected to Helper over XPC")

continuation.resume()

func getPeerState(){

xpc?.getPeerState{ datain

self.svc.onExtensionPeerState(data)

func getPeerState()asyncthrows{

returntryawaitwithCheckedThrowingContinuation{ continuationin

guardlet proxy= conn.remoteObjectProxyWithErrorHandler({ errin

self.logger.error("failed to connect to HelperXPC\(err.localizedDescription, privacy:.public)")

continuation.resume(throwing: err)

self.logger.error("failed to get proxy for HelperXPC")

continuation.resume(throwing:XPCError.wrongProxyType)

proxy.getPeerState{ datain

self.svc.onExtensionPeerState(data)

continuation.resume()

func onPeerUpdate(_ data:Data){

func onPeerUpdate(_ diff:Data, reply:@escaping()->Void){

letreply=CompletionWrapper(reply)

svc.onExtensionPeerUpdate(data)

svc.onExtensionPeerUpdate(diff)

func onProgress(stage:ProgressStage, downloadProgress:DownloadProgress?){

func onProgress(stage:ProgressStage, downloadProgress:DownloadProgress?, reply:@escaping()->Void){

letreply=CompletionWrapper(reply)

svc.onProgress(stage: stage, downloadProgress: downloadProgress)

// The NE has verified the dylib and knows better than Gatekeeper

func removeQuarantine(path:String, reply:@escaping(Bool)->Void){

letreply=CallbackWrapper(reply)

\(svc.serverAddress??"the Coder deployment"). The code has been\

do shell script"xattr -d com.apple.quarantine\(path)"\

with prompt"\(prompt)"\

letsuccess=awaitwithCheckedContinuation{ continuationin

guardlet script=NSAppleScript(source: source)else{

continuation.resume(returning:false)

// Run on a background thread

script.executeAndReturnError(&error)

iflet error{

self.logger.error("AppleScript error:\(error)")

continuation.resume(returning:false)

continuation.resume(returning:true)

reply(success)