config: openvpn.bypass.common-names accepts regular expressions now (#602)

Author: jkroepke

docs/Configuration.md

@@ -117,7 +117,7 @@ Usage of openvpn-auth-oauth2:
   --openvpn.auth-token-user
     	Override the username of a session with the username from the token by using auth-token-user, if the client username is empty (env: CONFIG_OPENVPN_AUTH__TOKEN__USER) (default true)
   --openvpn.bypass.common-names value
-    	bypass oauth authentication for CNs. Comma separated list. (env: CONFIG_OPENVPN_BYPASS_COMMON__NAMES)
+    	Skip OAuth authentication for client certificate common names (CNs) matching any of the given regular expressions. Multiple expressions can be provided as a comma-separated list. Regular expressions are automatically anchored (^…$) by default, so "client" matches only "client". To allow partial matches, specify explicitly (e.g. "client.*"). (env: CONFIG_OPENVPN_BYPASS_COMMON__NAMES)
   --openvpn.client-config.enabled
     	If true, openvpn-auth-oauth2 will read the CCD directory for additional configuration. This function mimic the client-config-dir directive in OpenVPN. (env: CONFIG_OPENVPN_CLIENT__CONFIG_ENABLED)
   --openvpn.client-config.path value

internal/config/config_test.go

@@ -7,6 +7,7 @@ import (
 	"log/slog"
 	"net/url"
 	"os"
+	"regexp"
 	"slices"
 	"testing"
 	"time"
@@ -19,6 +20,7 @@ import (
 	"golang.org/x/oauth2"
 )
 
+//goland:noinspection RegExpUnnecessaryNonCapturingGroup
 func TestConfig(t *testing.T) {
 	t.Parallel()
 
@@ -177,7 +179,7 @@ http:
 						OmitHost: false,
 					}},
 					Bypass: config.OpenVPNBypass{
-						CommonNames: []string{"test", "test2"},
+						CommonNames: types.RegexpSlice{regexp.MustCompile(`^(?:test)$`), regexp.MustCompile(`^(?:test2)$`)},
 					},
 					ClientConfig: config.OpenVPNConfig{
 						Enabled:    true,
@@ -322,7 +324,8 @@ func TestConfigFlagSet(t *testing.T) {
 			[]string{"--openvpn.bypass.common-names=a,b"},
 			func() config.Config {
 				conf := config.Defaults
-				conf.OpenVPN.Bypass.CommonNames = []string{"a", "b"}
+				//goland:noinspection RegExpUnnecessaryNonCapturingGroup
+				conf.OpenVPN.Bypass.CommonNames = types.RegexpSlice{regexp.MustCompile("^(?:a)$"), regexp.MustCompile("^(?:b)$")}
 
 				return conf
 			}(),

internal/config/defaults.go

@@ -58,7 +58,7 @@ var Defaults = Config{
 		},
 		OverrideUsername: false,
 		Bypass: OpenVPNBypass{
-			CommonNames: make([]string, 0),
+			CommonNames: types.RegexpSlice{},
 		},
 		Passthrough: OpenVPNPassthrough{
 			Enabled: false,

internal/config/flags.go

@@ -138,7 +138,10 @@ func (c *Config) flagSetOpenVPN(flagSet *flag.FlagSet) {
 		&c.OpenVPN.Bypass.CommonNames,
 		"openvpn.bypass.common-names",
 		lookupEnvOrDefault("openvpn.bypass.common-names", c.OpenVPN.Bypass.CommonNames),
-		"bypass oauth authentication for CNs. Comma separated list.",
+		"Skip OAuth authentication for client certificate common names (CNs) matching any of the given regular expressions. "+
+			"Multiple expressions can be provided as a comma-separated list. "+
+			"Regular expressions are automatically anchored (^…$) by default, so \"client\" matches only \"client\". "+
+			"To allow partial matches, specify explicitly (e.g. \"client.*\").",
 	)
 	flagSet.BoolVar(
 		&c.OpenVPN.ClientConfig.Enabled,

internal/config/types.go

@@ -64,7 +64,7 @@ type OpenVPN struct {
 }
 
 type OpenVPNBypass struct {
-	CommonNames types.StringSlice `json:"common-names" yaml:"common-names"`
+	CommonNames types.RegexpSlice `json:"common-names" yaml:"common-names"`
 }
 type OpenVPNConfig struct {
 	Path       types.FS `json:"path"        yaml:"path"`

internal/config/types/slice.go

@@ -3,7 +3,11 @@ package types
 import (
 	"bytes"
 	"encoding/json"
+	"fmt"
+	"regexp"
 	"strings"
+
+	"go.yaml.in/yaml/v3"
 )
 
 type StringSlice []string
@@ -35,12 +39,108 @@ func (s *StringSlice) UnmarshalText(text []byte) error {
 //
 //goland:noinspection GoMixedReceiverTypes
 func (s *StringSlice) UnmarshalJSON(jsonBytes []byte) error {
-	var slice []string
+	var stringList []string
+
+	err := json.NewDecoder(bytes.NewReader(jsonBytes)).Decode(&stringList)
+	if err != nil {
+		//nolint:wrapcheck
+		return err
+	}
+
+	*s = stringList
+
+	return nil
+}
+
+// UnmarshalYAML implements the [yaml.Unmarshaler] interface.
+//
+//goland:noinspection GoMixedReceiverTypes
+func (s *StringSlice) UnmarshalYAML(data *yaml.Node) error {
+	var stringList []string
+
+	err := data.Decode(&stringList)
+	if err != nil {
+		//nolint:wrapcheck
+		return err
+	}
+
+	*s = stringList
+
+	return nil
+}
+
+type RegexpSlice []*regexp.Regexp
+
+// String returns the string representation of the [RegexpSlice].
+//
+//goland:noinspection GoMixedReceiverTypes
+func (s RegexpSlice) String() string {
+	stringList := make([]string, 0, len(s))
+	for _, r := range s {
+		stringList = append(stringList, r.String())
+	}
 
-	err := json.NewDecoder(bytes.NewReader(jsonBytes)).Decode(&slice)
+	return strings.Join(stringList, ",")
+}
 
-	*s = slice
+// MarshalText implements [encoding.TextMarshaler] interface.
+//
+//goland:noinspection GoMixedReceiverTypes
+func (s RegexpSlice) MarshalText() ([]byte, error) {
+	return []byte(s.String()), nil
+}
 
-	//nolint:wrapcheck
-	return err
+// UnmarshalText implements the [encoding.TextUnmarshaler] interface.
+//
+//goland:noinspection GoMixedReceiverTypes
+func (s *RegexpSlice) UnmarshalText(text []byte) error {
+	return s.fromSlice(strings.Split(string(text), ","))
+}
+
+// UnmarshalJSON implements the [json.Unmarshaler] interface.
+//
+//goland:noinspection GoMixedReceiverTypes
+func (s *RegexpSlice) UnmarshalJSON(jsonBytes []byte) error {
+	var stringList []string
+
+	err := json.NewDecoder(bytes.NewReader(jsonBytes)).Decode(&stringList)
+	if err != nil {
+		//nolint:wrapcheck
+		return err
+	}
+
+	return s.fromSlice(stringList)
+}
+
+// UnmarshalYAML implements the [yaml.Unmarshaler] interface.
+//
+//goland:noinspection GoMixedReceiverTypes
+func (s *RegexpSlice) UnmarshalYAML(data *yaml.Node) error {
+	var stringList []string
+
+	err := data.Decode(&stringList)
+	if err != nil {
+		//nolint:wrapcheck
+		return err
+	}
+
+	return s.fromSlice(stringList)
+}
+
+//goland:noinspection GoMixedReceiverTypes
+func (s *RegexpSlice) fromSlice(stringList []string) error {
+	regexList := make(RegexpSlice, 0, len(stringList))
+	for _, str := range stringList {
+		regexPattern, err := regexp.Compile(fmt.Sprintf("^(?:%s)$", str))
+		if err != nil {
+			//nolint:wrapcheck
+			return err
+		}
+
+		regexList = append(regexList, regexPattern)
+	}
+
+	*s = regexList
+
+	return nil
 }

internal/config/types/slice_test.go

@@ -2,6 +2,7 @@ package types_test
 
 import (
 	"encoding/json"
+	"regexp"
 	"strings"
 	"testing"
 
@@ -50,3 +51,48 @@ func TestSliceUnmarshalYAML(t *testing.T) {
 
 	assert.Equal(t, types.StringSlice{"a", "b", "c", "d"}, slice)
 }
+
+func TestRegexpSliceUnmarshalText(t *testing.T) {
+	t.Parallel()
+
+	slice := types.RegexpSlice{}
+
+	require.NoError(t, slice.UnmarshalText([]byte("a,b,c,d")))
+
+	//goland:noinspection RegExpUnnecessaryNonCapturingGroup
+	assert.Equal(t, types.RegexpSlice{regexp.MustCompile("^(?:a)$"), regexp.MustCompile("^(?:b)$"), regexp.MustCompile("^(?:c)$"), regexp.MustCompile("^(?:d)$")}, slice)
+}
+
+func TestRegexpSliceUnmarshalTextError(t *testing.T) {
+	t.Parallel()
+
+	slice := types.RegexpSlice{}
+
+	require.EqualError(t, slice.UnmarshalText([]byte("^(a,b,c,d")), "error parsing regexp: missing closing ): `^(?:^(a)$`")
+}
+
+func TestRegexpSliceMarshalText(t *testing.T) {
+	t.Parallel()
+
+	slice, err := types.RegexpSlice{regexp.MustCompile("a"), regexp.MustCompile("b"), regexp.MustCompile("c"), regexp.MustCompile("d")}.MarshalText()
+
+	require.NoError(t, err)
+
+	assert.Equal(t, []byte("a,b,c,d"), slice)
+}
+
+func TestRegexpSliceUnmarshalJSON(t *testing.T) {
+	t.Parallel()
+
+	slice := types.RegexpSlice{}
+
+	require.EqualError(t, json.NewDecoder(strings.NewReader(`["^(a","b","c","d"]`)).Decode(&slice), "error parsing regexp: missing closing ): `^(?:^(a)$`")
+}
+
+func TestRegexpSliceUnmarshalYAML(t *testing.T) {
+	t.Parallel()
+
+	slice := types.RegexpSlice{}
+
+	require.EqualError(t, yaml.NewDecoder(strings.NewReader("- \"^(a\"\n- b\n- c\n- d\n")).Decode(&slice), "error parsing regexp: missing closing ): `^(?:^(a)$`")
+}

internal/oauth2/handler_test.go

@@ -44,7 +44,7 @@ func TestHandler(t *testing.T) {
 				conf.OAuth2.Validate.Roles = make([]string, 0)
 				conf.OAuth2.Validate.Issuer = true
 				conf.OAuth2.Validate.IPAddr = false
-				conf.OpenVPN.Bypass.CommonNames = make([]string, 0)
+				conf.OpenVPN.Bypass.CommonNames = make(types.RegexpSlice, 0)
 				conf.OpenVPN.AuthTokenUser = true
 
 				return conf
@@ -68,7 +68,7 @@ func TestHandler(t *testing.T) {
 				conf.OAuth2.Validate.Roles = make([]string, 0)
 				conf.OAuth2.Validate.Issuer = true
 				conf.OAuth2.Validate.IPAddr = false
-				conf.OpenVPN.Bypass.CommonNames = make([]string, 0)
+				conf.OpenVPN.Bypass.CommonNames = make(types.RegexpSlice, 0)
 				conf.OpenVPN.AuthTokenUser = true
 
 				return conf
@@ -95,7 +95,7 @@ func TestHandler(t *testing.T) {
 				conf.OAuth2.Validate.IPAddr = false
 				conf.OAuth2.Nonce = true
 				conf.OAuth2.PKCE = true
-				conf.OpenVPN.Bypass.CommonNames = make([]string, 0)
+				conf.OpenVPN.Bypass.CommonNames = make(types.RegexpSlice, 0)
 				conf.OpenVPN.AuthTokenUser = true
 
 				return conf
@@ -123,7 +123,7 @@ func TestHandler(t *testing.T) {
 				conf.OAuth2.Validate.Roles = make([]string, 0)
 				conf.OAuth2.Validate.Issuer = true
 				conf.OAuth2.Validate.IPAddr = false
-				conf.OpenVPN.Bypass.CommonNames = make([]string, 0)
+				conf.OpenVPN.Bypass.CommonNames = make(types.RegexpSlice, 0)
 				conf.OpenVPN.AuthTokenUser = true
 
 				return conf
@@ -148,7 +148,7 @@ func TestHandler(t *testing.T) {
 				conf.OAuth2.Validate.Issuer = true
 				conf.OAuth2.Validate.IPAddr = false
 				conf.OAuth2.UserInfo = true
-				conf.OpenVPN.Bypass.CommonNames = make([]string, 0)
+				conf.OpenVPN.Bypass.CommonNames = make(types.RegexpSlice, 0)
 				conf.OpenVPN.AuthTokenUser = true
 
 				return conf
@@ -173,7 +173,7 @@ func TestHandler(t *testing.T) {
 				conf.OAuth2.Validate.Issuer = true
 				conf.OAuth2.Validate.IPAddr = false
 				conf.OAuth2.UserInfo = true
-				conf.OpenVPN.Bypass.CommonNames = make([]string, 0)
+				conf.OpenVPN.Bypass.CommonNames = make(types.RegexpSlice, 0)
 				conf.OpenVPN.AuthTokenUser = true
 
 				return conf
@@ -198,7 +198,7 @@ func TestHandler(t *testing.T) {
 				conf.OAuth2.Validate.Issuer = true
 				conf.OAuth2.Validate.IPAddr = false
 				conf.OAuth2.UserInfo = true
-				conf.OpenVPN.Bypass.CommonNames = make([]string, 0)
+				conf.OpenVPN.Bypass.CommonNames = make(types.RegexpSlice, 0)
 				conf.OpenVPN.AuthTokenUser = true
 
 				return conf
@@ -222,7 +222,7 @@ func TestHandler(t *testing.T) {
 				conf.OAuth2.Validate.Roles = make([]string, 0)
 				conf.OAuth2.Validate.Issuer = true
 				conf.OAuth2.Validate.IPAddr = false
-				conf.OpenVPN.Bypass.CommonNames = make([]string, 0)
+				conf.OpenVPN.Bypass.CommonNames = make(types.RegexpSlice, 0)
 				conf.OpenVPN.AuthTokenUser = true
 
 				return conf
@@ -247,7 +247,7 @@ func TestHandler(t *testing.T) {
 				conf.OAuth2.Validate.Roles = make([]string, 0)
 				conf.OAuth2.Validate.Issuer = true
 				conf.OAuth2.Validate.IPAddr = false
-				conf.OpenVPN.Bypass.CommonNames = make([]string, 0)
+				conf.OpenVPN.Bypass.CommonNames = make(types.RegexpSlice, 0)
 				conf.OpenVPN.AuthTokenUser = true
 
 				return conf
@@ -272,7 +272,7 @@ func TestHandler(t *testing.T) {
 				conf.OAuth2.Validate.Roles = make([]string, 0)
 				conf.OAuth2.Validate.Issuer = true
 				conf.OAuth2.Validate.IPAddr = false
-				conf.OpenVPN.Bypass.CommonNames = make([]string, 0)
+				conf.OpenVPN.Bypass.CommonNames = make(types.RegexpSlice, 0)
 				conf.OpenVPN.AuthTokenUser = true
 
 				return conf
@@ -297,7 +297,7 @@ func TestHandler(t *testing.T) {
 				conf.OAuth2.Validate.Roles = make([]string, 0)
 				conf.OAuth2.Validate.Issuer = true
 				conf.OAuth2.Validate.IPAddr = false
-				conf.OpenVPN.Bypass.CommonNames = make([]string, 0)
+				conf.OpenVPN.Bypass.CommonNames = make(types.RegexpSlice, 0)
 				conf.OpenVPN.AuthTokenUser = true
 
 				return conf
@@ -322,7 +322,7 @@ func TestHandler(t *testing.T) {
 				conf.OAuth2.Validate.Roles = make([]string, 0)
 				conf.OAuth2.Validate.Issuer = true
 				conf.OAuth2.Validate.IPAddr = false
-				conf.OpenVPN.Bypass.CommonNames = make([]string, 0)
+				conf.OpenVPN.Bypass.CommonNames = make(types.RegexpSlice, 0)
 				conf.OpenVPN.AuthTokenUser = true
 				conf.OpenVPN.ClientConfig.Enabled = true
 				conf.OpenVPN.ClientConfig.Path = types.FS{
@@ -355,7 +355,7 @@ func TestHandler(t *testing.T) {
 				conf.OAuth2.Validate.Roles = make([]string, 0)
 				conf.OAuth2.Validate.Issuer = true
 				conf.OAuth2.Validate.IPAddr = false
-				conf.OpenVPN.Bypass.CommonNames = make([]string, 0)
+				conf.OpenVPN.Bypass.CommonNames = make(types.RegexpSlice, 0)
 				conf.OpenVPN.AuthTokenUser = true
 				conf.OpenVPN.ClientConfig.Enabled = true
 				conf.OpenVPN.ClientConfig.Path = types.FS{
@@ -384,7 +384,7 @@ func TestHandler(t *testing.T) {
 				conf.OAuth2.Validate.Roles = make([]string, 0)
 				conf.OAuth2.Validate.Issuer = true
 				conf.OAuth2.Validate.IPAddr = false
-				conf.OpenVPN.Bypass.CommonNames = make([]string, 0)
+				conf.OpenVPN.Bypass.CommonNames = make(types.RegexpSlice, 0)
 				conf.OpenVPN.AuthTokenUser = true
 
 				return conf
@@ -409,7 +409,7 @@ func TestHandler(t *testing.T) {
 				conf.OAuth2.Validate.Roles = make([]string, 0)
 				conf.OAuth2.Validate.Issuer = true
 				conf.OAuth2.Validate.IPAddr = false
-				conf.OpenVPN.Bypass.CommonNames = make([]string, 0)
+				conf.OpenVPN.Bypass.CommonNames = make(types.RegexpSlice, 0)
 				conf.OpenVPN.AuthTokenUser = true
 
 				return conf