func loadNetworkExtensionConfig() async {

let tm = try await getTunnelManager()

neState = .disabled

serverAddress = tm.protocolConfiguration?.serverAddress

neState = .unconfigured

var serverAddress: String?

await loadNetworkExtensionConfig()

serverAddress = proto.serverAddress

Text(session.hasSession ? "Sign out" : "Sign in")

VPNState<VPN, S>()

if vpn.state == .failed(.systemExtensionError(.needsUserApproval)) {

Button {

openSystemExtensionSettings()

} label: {

ButtonRowView { Text("Approve in System Settings") }

}.buttonStyle(.plain)

} else {

AuthButton<VPN, S>()

}

vpn.state == .disconnecting ||

vpn.state == .failed(.systemExtensionError(.needsUserApproval))

func openSystemExtensionSettings() {

// Sourced from:

// https://gist.github.com/rmcdongit/f66ff91e0dad78d4d6346a75ded4b751?permalink_comment_id=5261757

// We'll need to ensure this continues to work in future macOS versions

// swiftlint:disable:next line_length

NSWorkspace.shared.open(URL(string: "x-apple.systempreferences:com.apple.ExtensionsPreferences?extensionPointIdentifier=com.apple.system_extension.network_extension.extension-point")!)

struct VPNState<VPN: VPNService, S: Session>: View {

@EnvironmentObject var session: S

switch (vpn.state, session.hasSession) {

case (.failed(.systemExtensionError(.needsUserApproval)), _):

Text("Awaiting System Extension approval")

.font(.body)

.foregroundStyle(.gray)

case (_, false):

Text("Sign in to use CoderVPN")

case (.disabled, _):

Text("Enable CoderVPN to see agents")

.font(.body)

.foregroundStyle(.gray)

case (.connecting, _), (.disconnecting, _):

case let (.failed(vpnErr), _):

// The NE has verified the dylib and knows better than Gatekeeper

func removeQuarantine(path: String, reply: @escaping (Bool) -> Void) {

let reply = CallbackWrapper(reply)

Task { @MainActor in

let prompt = """

\(svc.serverAddress ?? "the Coder deployment"). The code has been \

let source = """

do shell script "xattr -d com.apple.quarantine \(path)" \

with prompt "\(prompt)" \

let success = await withCheckedContinuation { continuation in

guard let script = NSAppleScript(source: source) else {

continuation.resume(returning: false)

return

}

// Run on a background thread

Task.detached {

var error: NSDictionary?

script.executeAndReturnError(&error)

if let error {

self.logger.error("AppleScript error: \(error)")

continuation.resume(returning: false)

} else {

continuation.resume(returning: true)

}

}

}

reply(success)

}

}

#expect(throws: Never.self) { try view.find(button: "Sign in") }

let session: MockSession

let sut: VPNState<MockVPNService, MockSession>

sut = VPNState<MockVPNService, MockSession>()

session = MockSession()

session.hasSession = true

view = sut.environmentObject(vpn).environmentObject(session)

// HACK: The downloaded dylib may be quarantined, but we've validated it's signature

// so it's safe to execute. However, this SE must be sandboxed, so we defer to the app.

try await removeQuarantine(dest)

ptp.cancelTunnelWithError(

makeNSError(suffix: "Manager", desc: "Tunnel read loop failed: \(error.localizedDescription)")

)

case noApp

case permissionDenied

case tunnelFail(any Error)

case .noApp:

"The VPN must be started with the app open during first-time setup."

case .permissionDenied:

"Permission was not granted to execute the CoderVPN dylib"

case let .tunnelFail(err):

"Failed to communicate with dylib over tunnel: \(err)"

private func removeQuarantine(_ dest: URL) async throws(ManagerError) {

var flag: AnyObject?

let file = NSURL(fileURLWithPath: dest.path)

try? file.getResourceValue(&flag, forKey: kCFURLQuarantinePropertiesKey as URLResourceKey)

if flag != nil {

guard let conn = globalXPCListenerDelegate.conn else {

throw .noApp

}

// Wait for unsandboxed app to accept our file

let success = await withCheckedContinuation { [dest] continuation in

conn.removeQuarantine(path: dest.path) { success in

continuation.resume(returning: success)

}

}

if !success {

throw .permissionDenied

}

}