chore: support operating the VPN without the app

Author: ethanndickson

Coder Desktop/Coder Desktop/Coder_DesktopApp.swift

@@ -47,9 +47,11 @@ class AppDelegate: NSObject, NSApplicationDelegate {
         }
     }
 
+    // MUST eventually call `NSApp.reply(toApplicationShouldTerminate: true)`
     func applicationShouldTerminate(_: NSApplication) -> NSApplication.TerminateReply {
         Task {
-            await vpn.quit()
+            await vpn.stop()
+            NSApp.reply(toApplicationShouldTerminate: true)
         }
         return .terminateLater
     }

Coder Desktop/Coder Desktop/NetworkExtension.swift

@@ -24,16 +24,6 @@ enum NetworkExtensionState: Equatable {
 /// An actor that handles configuring, enabling, and disabling the VPN tunnel via the
 /// NetworkExtension APIs.
 extension CoderVPNService {
-    // Updates the UI if a previous configuration exists
-    func loadNetworkExtension() async {
-        do {
-            try await getTunnelManager()
-            neState = .disabled
-        } catch {
-            neState = .unconfigured
-        }
-    }
-
     func configureNetworkExtension(proto: NETunnelProviderProtocol) async {
         // removing the old tunnels, rather than reconfiguring ensures that configuration changes
         // are picked up.
@@ -74,39 +64,31 @@ extension CoderVPNService {
     func enableNetworkExtension() async {
         do {
             let tm = try await getTunnelManager()
-            if !tm.isEnabled {
-                tm.isEnabled = true
-                try await tm.saveToPreferences()
-                logger.debug("saved tunnel with enabled=true")
-            }
             try tm.connection.startVPNTunnel()
         } catch {
-            logger.error("enable network extension: \(error)")
+            logger.error("start tunnel: \(error)")
             neState = .failed(error.localizedDescription)
             return
         }
-        logger.debug("enabled and started tunnel")
+        logger.debug("started tunnel")
         neState = .enabled
     }
 
     func disableNetworkExtension() async {
         do {
             let tm = try await getTunnelManager()
             tm.connection.stopVPNTunnel()
-            tm.isEnabled = false
-
-            try await tm.saveToPreferences()
         } catch {
-            logger.error("disable network extension: \(error)")
+            logger.error("stop tunnel: \(error)")
             neState = .failed(error.localizedDescription)
             return
         }
-        logger.debug("saved tunnel with enabled=false")
+        logger.debug("stopped tunnel")
         neState = .disabled
     }
 
     @discardableResult
-    private func getTunnelManager() async throws(VPNServiceError) -> NETunnelProviderManager {
+    func getTunnelManager() async throws(VPNServiceError) -> NETunnelProviderManager {
         var tunnels: [NETunnelProviderManager] = []
         do {
             tunnels = try await NETunnelProviderManager.loadAllFromPreferences()

Coder Desktop/Coder Desktop/SystemExtension.swift

@@ -29,7 +29,16 @@ protocol SystemExtensionAsyncRecorder: Sendable {
 extension CoderVPNService: SystemExtensionAsyncRecorder {
     func recordSystemExtensionState(_ state: SystemExtensionState) async {
         sysExtnState = state
+        if state == .uninstalled {
+            installSystemExtension()
+        }
         if state == .installed {
+            do {
+                try await getTunnelManager()
+                neState = .disabled
+            } catch {
+                neState = .unconfigured
+            }
             // system extension was successfully installed, so we don't need the delegate any more
             systemExtnDelegate = nil
         }
@@ -64,7 +73,21 @@ extension CoderVPNService: SystemExtensionAsyncRecorder {
         return extensionBundle
     }
 
-    func installSystemExtension() {
+    func checkSystemExtensionStatus() {
+        logger.info("checking SystemExtension status")
+        guard let bundleID = extensionBundle.bundleIdentifier else {
+            logger.error("Bundle has no identifier")
+            return
+        }
+        let request = OSSystemExtensionRequest.propertiesRequest(forExtensionWithIdentifier: bundleID, queue: .main)
+        let delegate = SystemExtensionDelegate(asyncDelegate: self)
+        request.delegate = delegate
+        systemExtnDelegate = delegate
+        OSSystemExtensionManager.shared.submitRequest(request)
+        logger.info("submitted SystemExtension properties request with bundleID: \(bundleID)")
+    }
+
+    private func installSystemExtension() {
         logger.info("activating SystemExtension")
         guard let bundleID = extensionBundle.bundleIdentifier else {
             logger.error("Bundle has no identifier")
@@ -74,11 +97,9 @@ extension CoderVPNService: SystemExtensionAsyncRecorder {
             forExtensionWithIdentifier: bundleID,
             queue: .main
         )
-        let delegate = SystemExtensionDelegate(asyncDelegate: self)
-        systemExtnDelegate = delegate
-        request.delegate = delegate
+        request.delegate = systemExtnDelegate
         OSSystemExtensionManager.shared.submitRequest(request)
-        logger.info("submitted SystemExtension request with bundleID: \(bundleID)")
+        logger.info("submitted SystemExtension activate request with bundleID: \(bundleID)")
     }
 }
 
@@ -88,6 +109,8 @@ class SystemExtensionDelegate<AsyncDelegate: SystemExtensionAsyncRecorder>:
     NSObject, OSSystemExtensionRequestDelegate
 {
     private var logger = Logger(subsystem: Bundle.main.bundleIdentifier!, category: "vpn-installer")
+    // TODO: Refactor this to use a continuation, so the result of a request can be
+    // 'await'd for the determined state
     private var asyncDelegate: AsyncDelegate
 
     init(asyncDelegate: AsyncDelegate) {
@@ -138,4 +161,38 @@ class SystemExtensionDelegate<AsyncDelegate: SystemExtensionAsyncRecorder>:
         logger.info("Replacing \(request.identifier) v\(existing.bundleShortVersion) with v\(`extension`.bundleShortVersion)")
         return .replace
     }
+
+    public func request(
+        _: OSSystemExtensionRequest,
+        foundProperties properties: [OSSystemExtensionProperties]
+    ) {
+        // In debug builds we always replace the SE to test
+        // changes made without bumping the version
+       #if DEBUG
+           Task { [asyncDelegate] in
+               await asyncDelegate.recordSystemExtensionState(.uninstalled)
+           }
+           return
+       #else
+            let version = Bundle.main.object(forInfoDictionaryKey: "CFBundleVersion") as? String
+            let shortVersion = Bundle.main.object(forInfoDictionaryKey: "CFBundleShortVersionString") as? String
+
+            let versionMatches = properties.contains { sysex in
+                sysex.isEnabled
+                    && sysex.bundleVersion == version
+                    && sysex.bundleShortVersion == shortVersion
+            }
+            if versionMatches {
+                Task { [asyncDelegate] in
+                    await asyncDelegate.recordSystemExtensionState(.installed)
+                }
+                return
+            }
+
+            // Either uninstalled or needs replacing
+            Task { [asyncDelegate] in
+                await asyncDelegate.recordSystemExtensionState(.uninstalled)
+            }
+       #endif
+    }
 }

Coder Desktop/Coder Desktop/VPNService.swift

@@ -41,7 +41,6 @@ enum VPNServiceError: Error, Equatable {
 final class CoderVPNService: NSObject, VPNService {
     var logger = Logger(subsystem: Bundle.main.bundleIdentifier!, category: "vpn")
     lazy var xpc: VPNXPCInterface = .init(vpn: self)
-    var terminating = false
     var workspaces: [UUID: String] = [:]
 
     @Published var tunnelState: VPNServiceState = .disabled
@@ -66,10 +65,7 @@ final class CoderVPNService: NSObject, VPNService {
 
     override init() {
         super.init()
-        installSystemExtension()
-        Task {
-            await loadNetworkExtension()
-        }
+        checkSystemExtensionStatus()
         NotificationCenter.default.addObserver(
             self,
             selector: #selector(vpnDidUpdate(_:)),
@@ -82,6 +78,11 @@ final class CoderVPNService: NSObject, VPNService {
         NotificationCenter.default.removeObserver(self)
     }
 
+    func clearPeers() {
+        agents = [:]
+        workspaces = [:]
+    }
+
     func start() async {
         switch tunnelState {
         case .disabled, .failed:
@@ -102,19 +103,6 @@ final class CoderVPNService: NSObject, VPNService {
         logger.info("network extension stopped")
     }
 
-    // Instructs the service to stop the VPN and then quit once the stop event
-    // is read over XPC.
-    // MUST only be called from `NSApplicationDelegate.applicationShouldTerminate`
-    // MUST eventually call `NSApp.reply(toApplicationShouldTerminate: true)`
-    func quit() async {
-        guard tunnelState == .connected else {
-            NSApp.reply(toApplicationShouldTerminate: true)
-            return
-        }
-        terminating = true
-        await stop()
-    }
-
     func configureTunnelProviderProtocol(proto: NETunnelProviderProtocol?) {
         Task {
             if let proto {
@@ -145,6 +133,22 @@ final class CoderVPNService: NSObject, VPNService {
         }
     }
 
+    func onExtensionPeerState(_ data: Data?) {
+        logger.info("network extension peer state")
+        guard let data else {
+            logger.error("could not retrieve peer state from network extension")
+            return
+        }
+        do {
+            let msg = try Vpn_PeerUpdate(serializedBytes: data)
+            debugPrint(msg)
+            clearPeers()
+            applyPeerUpdate(with: msg)
+        } catch {
+            logger.error("failed to decode peer update \(error)")
+        }
+    }
+
     func applyPeerUpdate(with update: Vpn_PeerUpdate) {
         // Delete agents
         update.deletedAgents
@@ -204,9 +208,6 @@ extension CoderVPNService {
         }
         switch connection.status {
         case .disconnected:
-            if terminating {
-                NSApp.reply(toApplicationShouldTerminate: true)
-            }
             connection.fetchLastDisconnectError { err in
                 self.tunnelState = if let err {
                     .failed(.internalError(err.localizedDescription))
@@ -217,6 +218,11 @@ extension CoderVPNService {
         case .connecting:
             tunnelState = .connecting
         case .connected:
+            // If we moved from disabled to connected, then the NE was already
+            // running, and we need to request the current peer state
+            if self.tunnelState == .disabled {
+                xpc.getPeerState()
+            }
             tunnelState = .connected
         case .reasserting:
             tunnelState = .connecting

Coder Desktop/Coder Desktop/XPCInterface.swift

@@ -45,6 +45,14 @@ import VPNLib
         }
     }
 
+    func getPeerState() {
+        xpc.getPeerState { data in
+            Task { @MainActor in
+                self.svc.onExtensionPeerState(data)
+            }
+        }
+    }
+
     func onPeerUpdate(_ data: Data) {
         Task { @MainActor in
             svc.onExtensionPeerUpdate(data)

Coder Desktop/VPN/Manager.swift

@@ -194,7 +194,7 @@ actor Manager {
 
     // Retrieves the current state of all peers,
     // as required when starting the app whilst the network extension is already running
-    func getPeerInfo() async throws(ManagerError) -> Vpn_PeerUpdate {
+    func getPeerState() async throws(ManagerError) -> Vpn_PeerUpdate {
         logger.info("sending peer state request")
         let resp: Vpn_TunnelMessage
         do {

Coder Desktop/VPN/XPCInterface.swift

@@ -20,9 +20,12 @@ import VPNLib
         }
     }
 
-    func getPeerInfo(with reply: @escaping () -> Void) {
-        // TODO: Retrieve from Manager
-        reply()
+    func getPeerState(with reply: @escaping (Data?) -> Void) {
+        let reply = CallbackWrapper(reply)
+        Task {
+            let data = try? await manager?.getPeerState().serializedData()
+            reply(data)
+        }
     }
 
     func ping(with reply: @escaping () -> Void) {

Coder Desktop/VPNLib/XPC.swift

@@ -2,7 +2,7 @@ import Foundation
 
 @preconcurrency
 @objc public protocol VPNXPCProtocol {
-    func getPeerInfo(with reply: @escaping () -> Void)
+    func getPeerState(with reply: @escaping (Data?) -> Void)
     func ping(with reply: @escaping () -> Void)
 }