From 0b506ac67c33939732bdd91d39a8a632bcbe0841 Mon Sep 17 00:00:00 2001 From: sommerfeld Date: Thu, 14 May 2026 10:58:38 +0100 Subject: refactor(snxctl-chromium): drop daemon drop-in, override snxctl's PATH snx-rs.service is a system unit, not --user, so the prior approach of overriding the daemon's PATH via a systemd drop-in could never apply. And it wasn't needed anyway: snxctl itself runs opener::open(url) in-process, so prepending the shim dir to snxctl's PATH is enough. - Drop dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf. - snxctl-chromium now just sets PATH and exec's snxctl connect. - xdg-open shim no longer forces --new-window so chromium can reuse a warm window (faster SAML round-trip). --- .../user/snx-rs.service.d/10-chromium-saml.conf | 10 ------ dot_local/bin/executable_snxctl-chromium | 36 ++++++---------------- dot_local/share/snx-rs/bin/executable_xdg-open | 11 +++---- 3 files changed, 15 insertions(+), 42 deletions(-) delete mode 100644 dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf mode change 100644 => 100755 dot_local/bin/executable_snxctl-chromium diff --git a/dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf b/dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf deleted file mode 100644 index a5380e3..0000000 --- a/dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf +++ /dev/null 
@@ -1,10 +0,0 @@
-[Service]
-# Force snx-rs to use the flatpak ungoogled-chromium as its SAML browser.
-# snx-rs calls `xdg-open ` via the `opener` crate. Prepending a private
-# PATH dir that contains an `xdg-open` shim makes the daemon find our shim
-# first, without affecting xdg-open for any other user process.
-#
-# Why not the system default browser? LibreWolf force-upgrades loopback to
-# HTTPS and enables LNA blocking, both of which break snx-rs's plain-HTTP
-# 127.0.0.1:7779 SAML callback. See firefox/user-overrides.js comments.
-Environment=PATH=%h/.local/share/snx-rs/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
diff --git a/dot_local/bin/executable_snxctl-chromium b/dot_local/bin/executable_snxctl-chromium
old mode 100644
new mode 100755
index d52ddfb..c97b026
--- a/dot_local/bin/executable_snxctl-chromium
+++ b/dot_local/bin/executable_snxctl-chromium
@@ -1,37 +1,21 @@ #!/bin/sh # snxctl-chromium: `snxctl connect` with the flatpak ungoogled-chromium as # the SAML browser. Bypasses LibreWolf's loopback HTTPS-upgrade + LNA block -# that prevent snx-rs's 127.0.0.1:7779 SAML callback from completing. +# that stop snx-rs's 127.0.0.1:7779 SAML callback from completing. # -# How it works -# ------------ -# A tracked drop-in -# (~/.config/systemd/user/snx-rs.service.d/10-chromium-saml.conf) prepends -# ~/.local/share/snx-rs/bin to the daemon's PATH. That directory contains -# an `xdg-open` shim that flatpak-runs ungoogled-chromium. snx-rs uses the -# `opener` crate which spawns `xdg-open` — the shim wins. -# -# This script just makes sure the daemon picks up the override (it only -# loads Environment= at start time, so a freshly-edited drop-in needs a -# daemon-reload + service restart) and then runs `snxctl connect`. +# snxctl runs `opener::open(url)` in-process; opener on Linux execs +# `xdg-open` first. We prepend a private bin dir containing only an +# `xdg-open` shim that flatpak-runs ungoogled-chromium. No daemon +# tweaks needed — the override is scoped to this snxctl invocation. set -eu -SERVICE=snx-rs.service +SHIM_DIR="$HOME/.local/share/snx-rs/bin" -if ! systemctl --user cat "$SERVICE" >/dev/null 2>&1; then - printf '%s: %s is not a known user unit; aborting.\n' "${0##*/}" "$SERVICE" >&2 +if [ ! -x "$SHIM_DIR/xdg-open" ]; then + printf '%s: missing xdg-open shim at %s\n' "${0##*/}" "$SHIM_DIR/xdg-open" >&2 exit 1 fi -current_path=$(systemctl --user show -p Environment --value "$SERVICE") -case "$current_path" in - *"$HOME/.local/share/snx-rs/bin"*) ;; - *) - echo "${0##*/}: applying chromium SAML drop-in (daemon-reload + restart)…" >&2 - systemctl --user daemon-reload - systemctl --user restart "$SERVICE" - sleep 1 - ;; -esac - +PATH="$SHIM_DIR:$PATH" +export PATH exec snxctl connect "$@" 
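Review bot: The final `exec snxctl connect "$@"` is looked up after `$SHIM_DIR` has been placed at the front of PATH, so any file named `snxctl` in that directory would be run instead of the real client. The `flatpak` lookup inside the shim inherits the same search order. The header comment says the directory contains only the `xdg-open` shim, but the `-x` test checks that one file and nothing else enforces it. Resolving the client before changing PATH removes the dependency on the directory's contents: add `snxctl_bin=$(command -v snxctl)` above the `PATH=` assignment and end with `exec "$snxctl_bin" connect "$@"`. It would also help to say in the header that the shim directory must stay writable only by the owning user.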
diff --git a/dot_local/share/snx-rs/bin/executable_xdg-open b/dot_local/share/snx-rs/bin/executable_xdg-open
index 5577b10..f646200 100644
--- a/dot_local/share/snx-rs/bin/executable_xdg-open
+++ b/dot_local/share/snx-rs/bin/executable_xdg-open
@@ -1,11 +1,10 @@
 #!/bin/sh
 # xdg-open shim that hands every URL to the flatpak ungoogled-chromium.
 #
-# Used by snx-rs (which calls `xdg-open` via the `opener` crate) to land
-# the SAML callback inside a browser that won't HTTPS-upgrade or LNA-block
-# the loopback handoff to 127.0.0.1:7779. Wired up via a systemd --user
-# drop-in (dot_config/systemd/user/snx-rs.service.d/10-chromium-saml.conf)
-# that prepends this directory to the daemon's PATH — it does NOT shadow
+# Used by `snxctl connect` (via the snxctl-chromium wrapper) so the
+# Check Point SAML callback lands in a browser that won't HTTPS-upgrade
+# or LNA-block the loopback handoff to 127.0.0.1:7779. The wrapper
+# prepends this directory to snxctl's PATH — this file does NOT shadow
 # the system-wide xdg-open for any other process.
 exec flatpak run io.github.ungoogled_software.ungoogled_chromium \
- --new-window "$@"
+ "$@"
-- cgit v1.3.1
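Review bot: The shim forwards `"$@"` to the browser unchecked, and with `--new-window` removed the caller-supplied value is now the first argument on Chromium's command line, so a value starting with `-` would be read as a browser switch rather than a URL. The sign-in URL presumably reaches snxctl from the gateway's response, so it should be treated as untrusted input here. A scheme allowlist before the `exec` closes this: `case "${1-}" in http://*|https://*) ;; *) printf '%s: refusing non-http(s) argument\n' "${0##*/}" >&2; exit 2 ;; esac`, then pass only `"$1"` instead of `"$@"`. The header comment "hands every URL" would then read more accurately as "hands one http(s) URL".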