Added support for browser-type and browser-executable-path #816
Conversation
eliat123
changed the title
|
@wolfeidau If possible, can I kindly ask you to have a look at this addition to the 'Browser' provider and let me know what you think. |
|
Hi, I would like to push this PR because it would allow NixOS users like me to use the Browser provider. In NixOS you cannot simply download a random executable from the internet and run it because it doesn't use the Linux Filesystem Hierarchy Standard (FHS), therefore the setup script and subsequently downloaded chromium (after I patched the script by hand) won't work (see screenshots)
As a rule of thumb downloading executables to the user machine is not a really good practice. I prefer having complete control over what is in my system and installing software through the package manager. The other thing that bothers me with the downloaded chrome executable is that it is run in Incognito mode, meaning I have to re-authenticate to my Google account every time. If saml2aws were to use the system browser (firefox in my case) it could reuse the active login session. |
|
Looks like a good feature. Can you help to review and merge? |
|
@MatteoJoliveau We have the same usecase with regards to the chrome executable running in incognito mode which is a blocker for us in adopting this atm. |
|
@wolfeidau kind reminder. |
|
That'd definitely be nice, because the chromium browser is launched with incognito, which forces users to re-enter their credentials every single time. @eliat123 any chance you can pull the recent changes from the base branch so that @wolfeidau can review & merge it in one go when they have time? |
|
Thank you @TwiN. |
cmd/saml2aws/main.go
Outdated
| @@ -70,6 +70,7 @@ func main() { | |||
| app.Flag("config", "Path/filename of saml2aws config file (env: SAML2AWS_CONFIGFILE)").Envar("SAML2AWS_CONFIGFILE").StringVar(&commonFlags.ConfigFile) | |||
| app.Flag("idp-account", "The name of the configured IDP account. (env: SAML2AWS_IDP_ACCOUNT)").Envar("SAML2AWS_IDP_ACCOUNT").Short('a').Default("default").StringVar(&commonFlags.IdpAccount) | |||
| app.Flag("idp-provider", "The configured IDP provider. (env: SAML2AWS_IDP_PROVIDER)").Envar("SAML2AWS_IDP_PROVIDER").EnumVar(&commonFlags.IdpProvider, "Akamai", "AzureAD", "ADFS", "ADFS2", "Browser", "GoogleApps", "Ping", "JumpCloud", "Okta", "OneLogin", "PSU", "KeyCloak", "F5APM", "Shibboleth", "ShibbolethECP", "NetIQ", "Auth0") | |||
| app.Flag("browser-type", "The configured browser type when the IDP provider is set to Browser. (env: SAML2AWS_BROWSER_TYPE)").Envar("SAML2AWS_BROWSER_TYPE").EnumVar(&commonFlags.BrowserType, "chrome", "chrome-beta", "chrome-dev", "chrome-canary", "msedge", "msedge-beta", "msedge-dev", "msedge-canary") | |||
There was a problem hiding this comment.
Is there a reason why there's no support for Firefox? 👀
There was a problem hiding this comment.
browser, err := pw.Chromium.Launch(launchOptions)
if err != nil {
return "", err
}It looks like it always launches a Chromium-based browser, so I'd guess that's the reason why.
There was a problem hiding this comment.
@TwiN, @zemberdotnet Added Firefox.
The original values were set based on the comment of the supported values by the playwright Channel; see: https://github.com/playwright-community/playwright-go/blob/8e8f670b5fa7ba5365ae4bfc123fea4aac359763/generated-structs.go#L441-L444
However, it totally made sense to me to add this capability, so I added support for Firefox and Webkit. (msedge is also supported using Chromium which is the default).
There was a problem hiding this comment.
@eliat123 I looked at the code and it looks like the value from the browser-type flag isn't getting passed down when running the login command.
The NewSAMLClient gets constructed here on 78:
saml2aws/cmd/saml2aws/commands/login.go
Lines 70 to 78 in 0d135dc
And the account that gets passed in is constructed here in buildIdpAccount where I assume we want to make sure the BrowserType property is set.
saml2aws/cmd/saml2aws/commands/login.go
Lines 31 to 34 in 0d135dc
I may have a different use case than you, so not sure if this is outside the scope of your PR or not.
For reference I was running this command:
saml2aws login --browser-type=chromeThere was a problem hiding this comment.
@zemberdotnet thank you for noticing that.
The reason for this behaviour is that the commonFlags can be passed both in the configure or other steps such as login. In my case, i have set the --browser-type in the configure and then it was available in the login.
To support providing the flag in the login command, I removed the additional check for commonFlags.IdpProvider == "Browser" since the BrowserType is only used by the Browser Provider, the functionality is still the same.
Please check it again as it should work now.
eliat123
requested review from
TwiN and
zemberdotnet
and removed request for
TwiN and
zemberdotnet
eliat123
requested review from
zemberdotnet and
TwiN
and removed request for
TwiN and
zemberdotnet
@MatteoJoliveau, does this PR fix the issue you described? Skimming the code, I'm thinking it still uses a playwright browser, something that was downloaded to the playwright cache directory. It just allows users to change the playwright browser being used instead of only using Chromium. |
|
Definitely looking forward to Provider Browser support outside of Chromium. Context-Aware policies in Google Workspace leverages the Endpoint Verification Chrome plugin, and currently no Provider option for saml2aws works when Context-Aware policies are enabled. |
|
@MadOx710, @MatteoJoliveau, @zemberdotnet, @TwiN, looking at the previous comments, are we ok with the playwright browser for now? or do want to wait for non-downloadable browser support? I would be happy to contribute, but I would like to know the direction of this project. |
|
@GuillaumeRoss playwright-go comes with "chromium," "firefox", "webkit", see: https://playwright-community.github.io/playwright-go/ This means that If you don't have one of the three browsers installed, it will download the browser for you and then perform the browser IDP authentication. I have also added the ability to set the In addition, playwright-go supports a set of predefined browser types that are not downloadable, this means that if you have already installed that browser and set the I have tested this with I believe this resolves most of the issues in #729 |
Codecov Report
❗ Your organization is not using the GitHub App Integration. As a result you may experience degraded service beginning May 15th. Please install the Github App Integration for your organization. Read more. @@ Coverage Diff @@
## master #816 +/- ##
==========================================
+ Coverage 36.29% 36.33% +0.04%
==========================================
Files 53 53
Lines 7941 7970 +29
==========================================
+ Hits 2882 2896 +14
- Misses 4686 4696 +10
- Partials 373 378 +5
Flags with carried forward coverage won't be shown. Click here to find out more.
📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
@mapkon Thank you for noticing that, I updated the golint version to be able to see the ci lint issue and fixed it. |
eliat123
changed the title
|
@mapkon I have made the necessary adjustments as per your request. Hope this will help. |
|
Long comment: I'm also not in favour of downloading binary versions of Chromium, Firefox and Webkit to a cache - since I already have the current ones installed through the standard package manager. Short comment: +1 😄 |
|
@dangymbol Would you mind taking on this PR and updating it? |
|
@mapkon I have updated this PR. |
| @@ -56,10 +72,37 @@ func (cl *Client) Authenticate(loginDetails *creds.LoginDetails) (string, error) | |||
| Headless: playwright.Bool(cl.Headless), | |||
| } | |||
|
|
|||
| // currently using Chromium as it is widely supported for Identity providers | |||
| validBrowserTypes := []string{"chromium", "firefox", "webkit", "chrome", "chrome-beta", "chrome-dev", "chrome-canary", "msedge", "msedge-beta", "msedge-dev", "msedge-canary"} | |||
There was a problem hiding this comment.
why differentiate all these browsertypes if playwright only supports firefox, chrome and webkit?
I see #816 (comment)
maybe the if statement below is to be updated?
There was a problem hiding this comment.
Hi @gliptak, Thank you for your review.
Playwright does support all of those browser types, see:
https://playwright.dev/docs/browsers and https://github.com/playwright-community/playwright-go/blob/main/generated-structs.go#L691C4-L695
The main idea behind this PR is that the user can choose a browser type which is already installed on their system.
If you choose a browser you do not have on your system, you will get a relevant error message.
For example, I tried to set --browser-type=msedge. Since I did not have msedge installed I got the following notification:
INFO[0000] Setting browser type: msedge provider=browser
Error authenticating to IdP.: could not send message: Chromium distribution 'msedge' is not found at /Applications/Microsoft Edge.app/Contents/MacOS/Microsoft Edge
Run "npx playwright install msedge"
After I installed msedge, it used the installed one:
INFO[0000] Setting browser type: msedge provider=browser
INFO[0001] opening browser URL="[IDP_URL]" provider=browser
INFO[0021] waiting ... provider=browser
INFO[0049] clean up browser provider=browser
Furthermore, If your browser is installed on a non-default location, you can utilize --browser-executable-path, and it will start the browser from that path.
Hope this explains it.
| // Default browser is Chromium as it is widely supported for Identity providers, | ||
| // It can also be set to the other playwright browsers: Firefox and WebKit | ||
| browserType := pw.Chromium | ||
| if cl.BrowserType == "firefox" { |
There was a problem hiding this comment.
@eliat123 would there be more browsertypes mapped here?
There was a problem hiding this comment.
@gliptak Nope. Only these browsertypes are supported.
According to https://playwright.dev/docs/browsers :
- Chromium is for "chromium", "chrome", "msedge", "chrome-beta", "msedge-beta" or "msedge-dev".
- Firefox is for the recent Firefox Stable build.
- Webkit is for the recent WebKit build.
Chromium will be the default option, but if "webkit" or "firefox" are selected, they will be used instead. This ensures the most available options.
There was a problem hiding this comment.
will be browserType be pw.Chromium when cl.BrowserType == 'msedge' and is this as expected?
There was a problem hiding this comment.
@gliptak The answer is yes.
Here is the section from Playwright docs about Google Chrome & Microsoft Edge:
While Playwright can download and use the recent Chromium build,
it can operate against the branded Google Chrome and Microsoft Edge browsers available on the machine (note that Playwright doesn't install them by default).
In particular, the current Playwright version will support Stable and Beta channels of these browsers.
Available channels are 'chrome', 'msedge', 'chrome-beta', 'msedge-beta' or 'msedge-dev'.
ref: https://playwright.dev/docs/browsers#google-chrome--microsoft-edge
|
Can I get a link to this build for testing? |
|
Does this implementation allow use of an system's existing, default browser (#729)? It seems like it enables use of other Playwright browsers, which are still managed separately. |
|
I am trying to use this to run a local browser not in incognito mode but, while I can run a local chromium install, it still seems that playwright wants to open in it incognito mode. How do we prevent this? For settings, I am trying setting SAML2AWS_BROWSER_EXECUTABLE_PATH="chromium" and running --browser-type=chrome but it still opens in incognito mode. |
|
Following up on this to see if there was a workaround or playwright switch I could use, it seems this ability is still in the works with playwright and we may have to update to use If someone knows of another option, please let me know. Thanks. |
|
@merusso consider opening an issue for finding/running with default browser @kbarlowgw consider opening an issue on updating to browser.launchPersistentContext() are there cases when launch() is applicable? would this be a switch and what is the default? @eliat123 for awareness |
Improvement details:
This is the implementation to #815
An additional
saml2awscommand line argument & configuration to allow to the specification ofBrowserTypeLaunchOptions.Channelfor 'Browser' idp-provider.Usage example: