Implement client configs (#383)

Author: jkroepke

.golangci.yaml

@@ -133,7 +133,7 @@ linters:
         - l net.Listener
         - t reflect.Type
         - wg sync.WaitGroup
-        - k *koanf.Koanf
+        - sb strings.Builder
         - mu sync.Mutex
         - ts oauth2.TokenSource
         - ca *testcerts.CertificateAuthority

.goreleaser.yaml

@@ -70,6 +70,12 @@ nfpms:
           owner: root
           group: openvpn-auth-oauth2
           mode: 0750
+      - dst: /etc/openvpn-auth-oauth2/client-config/
+        type: dir
+        file_info:
+          owner: root
+          group: openvpn-auth-oauth2
+          mode: 0750
       - src: packaging/etc/openvpn-auth-oauth2/config.yaml
         dst: /etc/openvpn-auth-oauth2/config.yaml
         type: "config|noreplace"

docs/Client specific configuration.md

@@ -0,0 +1,15 @@
+# Client specific configuration
+
+## Introduction
+
+This document describes the client-specific configuration options of openvpn-auth-oauth2.
+It mimics the client-config-dir capability of OpenVPN.
+But instead the client username, a token claim is used as config identifier.
+
+## Configuration
+
+The feature must be enabled with `--openvpn.client-config.enabled`.
+`--openvpn.client-config.path` points to a directory where the client-specific configuration files are stored.
+
+openvpn-auth-oauth2 looks for a file
+named after the token claim or common name with `.conf` suffix in the client config directory.

docs/Configuration.md

@@ -11,7 +11,7 @@ Take a look at the [FAQ](./FAQ) section, for common questions, issues and soluti
 openvpn-auth-oauth2 supports configuration via a YAML file. The file can be passed via the `--config` flag.
 
 <details>
-<summary>Example</summary>
+<summary>Example config.yaml</summary>
 
 ```yaml
 debug:
@@ -79,6 +79,10 @@ openvpn:
   # - "test"
   # - "test2"
   override-username: false
+  ccd:
+    enabled: false
+    token-claim: ""
+    path: "/etc/openvpn-auth-oauth2/client-config/"
   common-name:
     environment-variable-name: common_name
     mode: plain
@@ -106,30 +110,30 @@ Usage of openvpn-auth-oauth2:
     	listen address for go profiling endpoint (env: CONFIG_DEBUG_LISTEN) (default ":9001")
   --debug.pprof
     	Enables go profiling endpoint. This should be never exposed. (env: CONFIG_DEBUG_PPROF)
-  --http.assets-path string
+  --http.assets-path value
     	Custom path to the assets directory. Files in this directory will be served under /assets/ and having an higher priority than the embedded assets. (env: CONFIG_HTTP_ASSETS__PATH)
-  --http.baseurl string
-    	listen addr for client listener (env: CONFIG_HTTP_BASEURL) (default "http://localhost:9000")
+  --http.baseurl value
+    	listen addr for client listener (env: CONFIG_HTTP_BASEURL) (default http://localhost:9000)
   --http.cert string
-    	Path to tls server certificate (env: CONFIG_HTTP_CERT)
+    	Path to tls server certificate used for TLS listener. (env: CONFIG_HTTP_CERT)
   --http.check.ipaddr
     	Check if client IP in http and VPN is equal (env: CONFIG_HTTP_CHECK_IPADDR)
   --http.enable-proxy-headers
     	Use X-Forward-For http header for client ips (env: CONFIG_HTTP_ENABLE__PROXY__HEADERS)
   --http.key string
-    	Path to tls server key (env: CONFIG_HTTP_KEY)
+    	Path to tls server key used for TLS listener. (env: CONFIG_HTTP_KEY)
   --http.listen string
     	listen addr for client listener (env: CONFIG_HTTP_LISTEN) (default ":9000")
   --http.secret value
     	Random generated secret for cookie encryption. Must be 16, 24 or 32 characters. If argument starts with file:// it reads the secret from a file. (env: CONFIG_HTTP_SECRET)
-  --http.template string
+  --http.template value
     	Path to a HTML file which is displayed at the end of the screen. See https://github.com/jkroepke/openvpn-auth-oauth2/wiki/Layout-Customization for more information. (env: CONFIG_HTTP_TEMPLATE)
   --http.tls
     	enable TLS listener (env: CONFIG_HTTP_TLS)
   --log.format string
     	log format. json or console (env: CONFIG_LOG_FORMAT) (default "console")
   --log.level value
-    	log level (env: CONFIG_LOG_LEVEL) (default INFO)
+    	log level. Can be one of: debug, info, warn, error (env: CONFIG_LOG_LEVEL) (default INFO)
   --log.vpn-client-ip
     	log IP of VPN client. Useful to have an identifier between OpenVPN and openvpn-auth-oauth2. (env: CONFIG_LOG_VPN__CLIENT__IP) (default true)
   --oauth2.auth-style value
@@ -144,13 +148,13 @@ Usage of openvpn-auth-oauth2:
     	oauth2 client private key id. If specified, JWT assertions will be generated with the specific kid header. (env: CONFIG_OAUTH2_CLIENT_PRIVATE__KEY__ID)
   --oauth2.client.secret value
     	oauth2 client secret. If argument starts with file:// it reads the secret from a file. (env: CONFIG_OAUTH2_CLIENT_SECRET)
-  --oauth2.endpoint.auth string
+  --oauth2.endpoint.auth value
     	The flag is used to specify a custom OAuth2 authorization endpoint. (env: CONFIG_OAUTH2_ENDPOINT_AUTH)
-  --oauth2.endpoint.discovery string
+  --oauth2.endpoint.discovery value
     	The flag is used to set a custom OAuth2 discovery URL. This URL retrieves the provider's configuration details. (env: CONFIG_OAUTH2_ENDPOINT_DISCOVERY)
-  --oauth2.endpoint.token string
+  --oauth2.endpoint.token value
     	The flag is used to specify a custom OAuth2 token endpoint. (env: CONFIG_OAUTH2_ENDPOINT_TOKEN)
-  --oauth2.issuer string
+  --oauth2.issuer value
     	oauth2 issuer (env: CONFIG_OAUTH2_ISSUER)
   --oauth2.nonce
     	If true, a nonce will be defined on the auth URL which is expected inside the token. (env: CONFIG_OAUTH2_NONCE) (default true)
@@ -184,22 +188,28 @@ Usage of openvpn-auth-oauth2:
     	validate issuer from oidc discovery (env: CONFIG_OAUTH2_VALIDATE_ISSUER) (default true)
   --oauth2.validate.roles value
     	oauth2 required user roles. If multiple role are configured, the user needs to be least in one role. Comma separated list. Example: role1,role2,role3 (env: CONFIG_OAUTH2_VALIDATE_ROLES)
-  --openvpn.addr string
-    	openvpn management interface addr. Must start with unix:// or tcp:// (env: CONFIG_OPENVPN_ADDR) (default "unix:/run/openvpn/server.sock")
+  --openvpn.addr value
+    	openvpn management interface addr. Must start with unix:// or tcp:// (env: CONFIG_OPENVPN_ADDR) (default unix:/run/openvpn/server.sock)
   --openvpn.auth-pending-timeout duration
     	How long OpenVPN server wait until user is authenticated (env: CONFIG_OPENVPN_AUTH__PENDING__TIMEOUT) (default 3m0s)
   --openvpn.auth-token-user
     	Override the username of a session with the username from the token by using auth-token-user, if the client username is empty (env: CONFIG_OPENVPN_AUTH__TOKEN__USER) (default true)
   --openvpn.bypass.common-names value
     	bypass oauth authentication for CNs. Comma separated list. (env: CONFIG_OPENVPN_BYPASS_COMMON__NAMES)
+  --openvpn.client-config.enabled
+    	If true, openvpn-auth-oauth2 will read the CCD directory for additional configuration. This function mimic the client-config-dir directive in OpenVPN. (env: CONFIG_OPENVPN_CLIENT__CONFIG_ENABLED)
+  --openvpn.client-config.path value
+    	Path to the CCD directory. openvpn-auth-oauth2 will look for an file with an .conf suffix and returns the content back. (env: CONFIG_OPENVPN_CLIENT__CONFIG_PATH)
+  --openvpn.client-config.token-claim string
+    	If non-empty, the value of the token claim is used to lookup the configuration file in the CCD directory. If empty, the common name is used. (env: CONFIG_OPENVPN_CLIENT__CONFIG_TOKEN__CLAIM)
   --openvpn.common-name.environment-variable-name string
     	Name of the environment variable in the OpenVPN management interface which contains the common name. If username-as-common-name is enabled, this should be set to 'username' to use the username as common name. Other values like 'X509_0_emailAddress' are supported. See https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/#environmental-variables for more information. (env: CONFIG_OPENVPN_COMMON__NAME_ENVIRONMENT__VARIABLE__NAME) (default "common_name")
   --openvpn.common-name.mode value
     	If common names are too long, use md5/sha1 to hash them or omit to skip them. If omit, oauth2.validate.common-name does not work anymore. Values: [plain,omit] (env: CONFIG_OPENVPN_COMMON__NAME_MODE) (default plain)
   --openvpn.override-username
     	Requires OpenVPN Server 2.7! If true, openvpn-auth-oauth2 use the override-username command to set the username in OpenVPN connection. This is useful to use real usernames in OpenVPN statistics. The username will be set after client configs are read. Read openvpn man page for limitations of the override-username. (env: CONFIG_OPENVPN_OVERRIDE__USERNAME)
-  --openvpn.pass-through.address string
-    	The address of the pass-through socket. Must start with unix:// or tcp:// (env: CONFIG_OPENVPN_PASS__THROUGH_ADDRESS) (default "unix:/run/openvpn-auth-oauth2/server.sock")
+  --openvpn.pass-through.address value
+    	The address of the pass-through socket. Must start with unix:// or tcp:// (env: CONFIG_OPENVPN_PASS__THROUGH_ADDRESS) (default unix:/run/openvpn-auth-oauth2/server.sock)
   --openvpn.pass-through.enabled
     	If true, openvpn-auth-oauth2 will setup a pass-through socket for the OpenVPN management interface. (env: CONFIG_OPENVPN_PASS__THROUGH_ENABLED)
   --openvpn.pass-through.password value
@@ -325,3 +335,7 @@ See [Layout Customization](Layout%20Customization) for more information
 ## Non-interactive session refresh
 
 See [Non-interactive session refresh](Non-interactive%20session%20refresh) for more information.
+
+## Client specific configuration
+
+See [Client specific configuration](Client%20specific%20configuration) for more information.

internal/config/config_test.go

@@ -109,6 +109,10 @@ openvpn:
         common-names:
         - "test"
         - "test2"
+    client-config:
+        enabled: true
+        token-claim: sub
+        path: "."
     common-name:
         environment-variable-name: X509_0_emailAddress
         mode: omit
@@ -168,9 +172,19 @@ http:
 						Path:     "/run/openvpn/server2.sock",
 						OmitHost: false,
 					}},
-					Bypass: config.OpenVpnBypass{
+					Bypass: config.OpenVPNBypass{
 						CommonNames: []string{"test", "test2"},
 					},
+					ClientConfig: config.OpenVPNConfig{
+						Enabled:    true,
+						TokenClaim: "sub",
+						Path: func() types.FS {
+							dirFS, err := types.NewFS(".")
+							require.NoError(t, err)
+
+							return dirFS
+						}(),
+					},
 					Password:           "1jd93h5b6s82lf03jh5b2hf9",
 					AuthTokenUser:      true,
 					AuthPendingTimeout: 2 * time.Minute,

internal/config/defaults.go

@@ -3,6 +3,7 @@ package config
 import (
 	"log/slog"
 	"net/url"
+	"os"
 	"text/template"
 	"time"
 
@@ -47,12 +48,16 @@ var Defaults = Config{
 		}},
 		AuthTokenUser:      true,
 		AuthPendingTimeout: 3 * time.Minute,
+		ClientConfig: OpenVPNConfig{
+			Enabled: false,
+			Path:    types.FS{FS: os.DirFS("/etc/openvpn-auth-oauth2/client-config-dir/")},
+		},
 		CommonName: OpenVPNCommonName{
 			EnvironmentVariableName: "common_name",
 			Mode:                    CommonNameModePlain,
 		},
 		OverrideUsername: false,
-		Bypass: OpenVpnBypass{
+		Bypass: OpenVPNBypass{
 			CommonNames: make([]string, 0),
 		},
 		Passthrough: OpenVPNPassthrough{

internal/config/flags.go

@@ -140,6 +140,24 @@ func (c *Config) flagSetOpenVPN(flagSet *flag.FlagSet) {
 		lookupEnvOrDefault("openvpn.bypass.common-names", c.OpenVpn.Bypass.CommonNames),
 		"bypass oauth authentication for CNs. Comma separated list.",
 	)
+	flagSet.BoolVar(
+		&c.OpenVpn.ClientConfig.Enabled,
+		"openvpn.client-config.enabled",
+		lookupEnvOrDefault("openvpn.client-config.enabled", c.OpenVpn.ClientConfig.Enabled),
+		"If true, openvpn-auth-oauth2 will read the CCD directory for additional configuration. This function mimic the client-config-dir directive in OpenVPN.",
+	)
+	flagSet.TextVar(
+		&c.OpenVpn.ClientConfig.Path,
+		"openvpn.client-config.path",
+		lookupEnvOrDefault("openvpn.client-config.path", c.OpenVpn.ClientConfig.Path),
+		"Path to the CCD directory. openvpn-auth-oauth2 will look for an file with an .conf suffix and returns the content back.",
+	)
+	flagSet.StringVar(
+		&c.OpenVpn.ClientConfig.TokenClaim,
+		"openvpn.client-config.token-claim",
+		lookupEnvOrDefault("openvpn.client-config.token-claim", c.OpenVpn.ClientConfig.TokenClaim),
+		"If non-empty, the value of the token claim is used to lookup the configuration file in the CCD directory. If empty, the common name is used.",
+	)
 	flagSet.StringVar(
 		&c.OpenVpn.CommonName.EnvironmentVariableName,
 		"openvpn.common-name.environment-variable-name",

internal/config/types.go

@@ -51,7 +51,8 @@ type Log struct {
 type OpenVpn struct {
 	Addr               types.URL          `json:"addr"                 yaml:"addr"`
 	Password           types.Secret       `json:"password"             yaml:"password"`
-	Bypass             OpenVpnBypass      `json:"bypass"               yaml:"bypass"`
+	Bypass             OpenVPNBypass      `json:"bypass"               yaml:"bypass"`
+	ClientConfig       OpenVPNConfig      `json:"client-config"        yaml:"client-config"`
 	AuthTokenUser      bool               `json:"auth-token-user"      yaml:"auth-token-user"`
 	AuthPendingTimeout time.Duration      `json:"auth-pending-timeout" yaml:"auth-pending-timeout"`
 	OverrideUsername   bool               `json:"override-username"    yaml:"override-username"`
@@ -60,9 +61,14 @@ type OpenVpn struct {
 	CommandTimeout     time.Duration      `json:"command-timeout"      yaml:"command-timeout"`
 }
 
-type OpenVpnBypass struct {
+type OpenVPNBypass struct {
 	CommonNames types.StringSlice `json:"common-names" yaml:"common-names"`
 }
+type OpenVPNConfig struct {
+	Enabled    bool     `json:"enabled"     yaml:"enabled"`
+	TokenClaim string   `json:"token-claim" yaml:"token-claim"`
+	Path       types.FS `json:"path"        yaml:"path"`
+}
 
 type OpenVPNCommonName struct {
 	EnvironmentVariableName string                `json:"environment-variable-name" yaml:"environment-variable-name"`

internal/config/validate.go

@@ -107,6 +107,19 @@ func validateOAuth2Config(conf Config) error {
 		}
 	}
 
+	if conf.OpenVpn.ClientConfig.Enabled {
+		if conf.OpenVpn.CommonName.Mode == CommonNameModeOmit {
+			return errors.New("openvpn.common-name.mode: omit is not supported with openvpn.ccd.enabled")
+		}
+
+		file, err := conf.OpenVpn.ClientConfig.Path.Open(".")
+		if err != nil {
+			return fmt.Errorf("openvpn.ccd.path: %w", err)
+		}
+
+		_ = file.Close()
+	}
+
 	return nil
 }
 

internal/oauth2/handler.go

@@ -21,7 +21,7 @@ import (
 )
 
 type openvpnManagementClient interface {
-	AcceptClient(logger *slog.Logger, client state.ClientIdentifier, username string)
+	AcceptClient(logger *slog.Logger, client state.ClientIdentifier, reAuth bool, username string)
 	DenyClient(logger *slog.Logger, client state.ClientIdentifier, reason string)
 }
 
@@ -52,7 +52,7 @@ func (c Client) OAuth2Start() http.Handler {
 			slog.String("ip", fmt.Sprintf("%s:%s", session.IPAddr, session.IPPort)),
 			slog.Uint64("cid", session.Client.CID),
 			slog.Uint64("kid", session.Client.KID),
-			slog.String("common_name", session.CommonName),
+			slog.String("common_name", session.Client.CommonName),
 		)
 
 		if c.conf.HTTP.Check.IPAddr {
@@ -116,7 +116,7 @@ func (c Client) OAuth2Callback() http.Handler {
 			slog.String("ip", fmt.Sprintf("%s:%s", session.IPAddr, session.IPPort)),
 			slog.Uint64("cid", session.Client.CID),
 			slog.Uint64("kid", session.Client.KID),
-			slog.String("common_name", session.CommonName),
+			slog.String("common_name", session.Client.CommonName),
 			slog.String("session_id", session.Client.SessionID),
 			slog.String("session_state", session.SessionState),
 		)
@@ -181,10 +181,10 @@ func (c Client) postCodeExchangeHandler(logger *slog.Logger, session state.State
 
 		username := user.PreferredUsername
 		if username == "" {
-			username = session.CommonName
+			username = session.Client.CommonName
 		}
 
-		c.openvpn.AcceptClient(logger, session.Client, username)
+		c.openvpn.AcceptClient(logger, session.Client, false, username)
 		c.postCodeExchangeHandlerStoreRefreshToken(ctx, logger, session, clientID, tokens)
 		c.writeHTTPSuccess(w, logger)
 	}
@@ -240,7 +240,7 @@ func (c Client) httpErrorHandler(w http.ResponseWriter, httpStatus int, errorTyp
 			slog.String("ip", fmt.Sprintf("%s:%s", session.IPAddr, session.IPPort)),
 			slog.Uint64("cid", session.Client.CID),
 			slog.Uint64("kid", session.Client.KID),
-			slog.String("common_name", session.CommonName),
+			slog.String("common_name", session.Client.CommonName),
 		)
 
 		c.openvpn.DenyClient(logger, session.Client, "client rejected")