feat: add CLI flag to disable re-authentication (#491)

Author: jkroepke

cmd/daemon/full_test.go

@@ -189,10 +189,10 @@ func TestFull(t *testing.T) {
 					">CLIENT:ENV,END",
 				}, "\r\n")
 
-				testutils.SendMessage(t, managementInterfaceConn, msg+"\r\n")
+				testutils.SendMessagef(t, managementInterfaceConn, msg+"\r\n")
 
 				authURL := testutils.ReadLine(t, managementInterfaceConn, reader)
-				testutils.SendMessage(t, managementInterfaceConn, "SUCCESS: client-pending-auth command succeeded")
+				testutils.SendMessagef(t, managementInterfaceConn, "SUCCESS: client-pending-auth command succeeded")
 
 				_, authURL, _ = strings.Cut(authURL, `"`)
 				authURL, _, _ = strings.Cut(authURL, `"`)
@@ -207,7 +207,7 @@ func TestFull(t *testing.T) {
 					defer wg.Done()
 
 					testutils.ReadLine(t, managementInterfaceConn, reader)
-					testutils.SendMessage(t, managementInterfaceConn, "SUCCESS: client-auth command succeeded")
+					testutils.SendMessagef(t, managementInterfaceConn, "SUCCESS: client-auth command succeeded")
 				}()
 
 				resp, err := httpClient.Do(request)

docs/Configuration.md

@@ -93,6 +93,7 @@ openvpn:
     # password: ""
     # socket-group: ""
     # socket-mode: 660
+  reauthentication: true
 ```
 </details>
 
@@ -220,6 +221,8 @@ Usage of openvpn-auth-oauth2:
     	The unix file permission mode for the pass-through socket. Used only, if openvpn.pass-through.address starts with unix:// (env: CONFIG_OPENVPN_PASS__THROUGH_SOCKET__MODE) (default 660)
   --openvpn.password value
     	openvpn management interface password. If argument starts with file:// it reads the secret from a file. (env: CONFIG_OPENVPN_PASSWORD)
+  --openvpn.reauthentication
+    	If set to false, openvpn-auth-oauth2 rejects all re-authentication requests. (env: CONFIG_OPENVPN_REAUTHENTICATION) (default true)
   --version
     	show version
 ```

internal/config/config_test.go

@@ -123,6 +123,7 @@ openvpn:
         password: "password"
         socket-group: "group"
         socket-mode: 0666
+    reauthentication: false
 http:
     listen: ":9001"
     secret: "1jd93h5b6s82lf03jh5b2hf9"
@@ -204,7 +205,8 @@ http:
 						SocketMode:  0o666,
 						Password:    "password",
 					},
-					CommandTimeout: 10 * time.Second,
+					CommandTimeout:   10 * time.Second,
+					ReAuthentication: false,
 				},
 				OAuth2: config.OAuth2{
 					Issuer: types.URL{URL: &url.URL{

internal/config/flags.go

@@ -141,21 +141,21 @@ func (c *Config) flagSetOpenVPN(flagSet *flag.FlagSet) {
 		"bypass oauth authentication for CNs. Comma separated list.",
 	)
 	flagSet.BoolVar(
-		&c.OpenVpn.ClientConfig.Enabled,
+		&c.OpenVPN.ClientConfig.Enabled,
 		"openvpn.client-config.enabled",
-		lookupEnvOrDefault("openvpn.client-config.enabled", c.OpenVpn.ClientConfig.Enabled),
+		lookupEnvOrDefault("openvpn.client-config.enabled", c.OpenVPN.ClientConfig.Enabled),
 		"If true, openvpn-auth-oauth2 will read the CCD directory for additional configuration. This function mimic the client-config-dir directive in OpenVPN.",
 	)
 	flagSet.TextVar(
-		&c.OpenVpn.ClientConfig.Path,
+		&c.OpenVPN.ClientConfig.Path,
 		"openvpn.client-config.path",
-		lookupEnvOrDefault("openvpn.client-config.path", c.OpenVpn.ClientConfig.Path),
+		lookupEnvOrDefault("openvpn.client-config.path", c.OpenVPN.ClientConfig.Path),
 		"Path to the CCD directory. openvpn-auth-oauth2 will look for an file with an .conf suffix and returns the content back.",
 	)
 	flagSet.StringVar(
-		&c.OpenVpn.ClientConfig.TokenClaim,
+		&c.OpenVPN.ClientConfig.TokenClaim,
 		"openvpn.client-config.token-claim",
-		lookupEnvOrDefault("openvpn.client-config.token-claim", c.OpenVpn.ClientConfig.TokenClaim),
+		lookupEnvOrDefault("openvpn.client-config.token-claim", c.OpenVPN.ClientConfig.TokenClaim),
 		"If non-empty, the value of the token claim is used to lookup the configuration file in the CCD directory. If empty, the common name is used.",
 	)
 	flagSet.StringVar(

internal/config/types.go

@@ -52,7 +52,7 @@ type OpenVPN struct {
 	Addr               types.URL          `json:"addr"                 yaml:"addr"`
 	AuthTokenUser      bool               `json:"auth-token-user"      yaml:"auth-token-user"`
 	AuthPendingTimeout time.Duration      `json:"auth-pending-timeout" yaml:"auth-pending-timeout"`
-	Bypass             OpenVpnBypass      `json:"bypass"               yaml:"bypass"`
+	Bypass             OpenVPNBypass      `json:"bypass"               yaml:"bypass"`
 	ClientConfig       OpenVPNConfig      `json:"client-config"        yaml:"client-config"`
 	CommonName         OpenVPNCommonName  `json:"common-name"          yaml:"common-name"`
 	CommandTimeout     time.Duration      `json:"command-timeout"      yaml:"command-timeout"`

internal/config/validate.go

@@ -107,12 +107,12 @@ func validateOAuth2Config(conf Config) error {
 		}
 	}
 
-	if conf.OpenVpn.ClientConfig.Enabled {
-		if conf.OpenVpn.CommonName.Mode == CommonNameModeOmit {
+	if conf.OpenVPN.ClientConfig.Enabled {
+		if conf.OpenVPN.CommonName.Mode == CommonNameModeOmit {
 			return errors.New("openvpn.common-name.mode: omit is not supported with openvpn.ccd.enabled")
 		}
 
-		file, err := conf.OpenVpn.ClientConfig.Path.Open(".")
+		file, err := conf.OpenVPN.ClientConfig.Path.Open(".")
 		if err != nil {
 			return fmt.Errorf("openvpn.ccd.path: %w", err)
 		}

internal/internal_test.go

@@ -59,10 +59,10 @@ func BenchmarkFull(b *testing.B) {
 	wgc := sync.WaitGroup{}
 
 	for b.Loop() {
-		testutils.SendMessage(b, managementInterfaceConn, ">CLIENT:CONNECT,0,1\r\n>CLIENT:ENV,n_clients=0\r\n>CLIENT:ENV,password=\r\n>CLIENT:ENV,untrusted_port=17016\r\n>CLIENT:ENV,untrusted_ip=192.168.65.1\r\n>CLIENT:ENV,[email protected]\r\n>CLIENT:ENV,username=\r\n>CLIENT:ENV,IV_BS64DL=1\r\n>CLIENT:ENV,IV_SSO=webauth,openurl,crtext\r\n>CLIENT:ENV,IV_GUI_VER=OCmacOS_3.4.4-4629\r\n>CLIENT:ENV,IV_AUTO_SESS=1\r\n>CLIENT:ENV,IV_CIPHERS=AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305\r\n>CLIENT:ENV,IV_MTU=1600\r\n>CLIENT:ENV,IV_PROTO=990\r\n>CLIENT:ENV,IV_TCPNL=1\r\n>CLIENT:ENV,IV_NCP=2\r\n>CLIENT:ENV,IV_PLAT=mac\r\n>CLIENT:ENV,IV_VER=3.8.1\r\n>CLIENT:ENV,tls_serial_hex_0=51:b3:55:90:65:af:71:5c:d5:52:2b:0b:00:14:8d:ee\r\n>CLIENT:ENV,tls_serial_0=108598624241397715647038806614705737198\r\n>CLIENT:ENV,tls_digest_sha256_0=d3:6d:1d:96:f8:bd:7e:e8:db:c4:0f:53:a1:76:f0:ca:9e:78:63:bf:c6:4a:ac:b9:e6:ed:84:62:f5:ac:5d:b8\r\n>CLIENT:ENV,tls_digest_0=b7:73:bd:6c:31:31:49:63:0d:0c:11:6d:0c:13:d0:b4:8f:97:33:7d\r\n>CLIENT:ENV,[email protected]\r\n>CLIENT:ENV,[email protected]\r\n>CLIENT:ENV,tls_serial_hex_1=01:b3:95:f8:1a:9f:9f:fe:7c:27:ad:29:c1:93:23:ae:08:7f:ab:36\r\n>CLIENT:ENV,tls_serial_1=9713888317380397892476539918183380788698917686\r\n>CLIENT:ENV,tls_digest_sha256_1=75:1a:a1:63:bb:e9:c7:f3:e3:bf:e1:08:f1:36:b7:36:90:04:da:dd:b8:78:b1:cf:d5:ac:09:b6:36:31:a7:db\r\n>CLIENT:ENV,tls_digest_1=d4:bc:00:89:e5:01:0c:27:3d:ea:4a:b5:42:8b:f7:3d:19:7a:a2:25\r\n>CLIENT:ENV,tls_id_1=CN=Easy-RSA CA\r\n>CLIENT:ENV,X509_1_CN=Easy-RSA CA\r\n>CLIENT:ENV,remote_port_1=1194\r\n>CLIENT:ENV,local_port_1=1194\r\n>CLIENT:ENV,proto_1=udp\r\n>CLIENT:ENV,daemon_pid=7\r\n>CLIENT:ENV,daemon_start_time=1703401559\r\n>CLIENT:ENV,daemon_log_redirect=0\r\n>CLIENT:ENV,daemon=0\r\n>CLIENT:ENV,verb=3\r\n>CLIENT:ENV,config=/etc/openvpn/openvpn.conf\r\n>CLIENT:ENV,ifconfig_local=100.64.0.1\r\n>CLIENT:ENV,ifconfig_netmask=255.255.255.0\r\n>CLIENT:ENV,script_context=init\r\n>CLIENT:ENV,tun_mtu=1500\r\n>CLIENT:ENV,dev=tun0\r\n>CLIENT:ENV,dev_type=tun\r\n>CLIENT:ENV,redirect_gateway=0\r\n>CLIENT:ENV,END\r\n")
+		testutils.SendMessagef(b, managementInterfaceConn, ">CLIENT:CONNECT,0,1\r\n>CLIENT:ENV,n_clients=0\r\n>CLIENT:ENV,password=\r\n>CLIENT:ENV,untrusted_port=17016\r\n>CLIENT:ENV,untrusted_ip=192.168.65.1\r\n>CLIENT:ENV,[email protected]\r\n>CLIENT:ENV,username=\r\n>CLIENT:ENV,IV_BS64DL=1\r\n>CLIENT:ENV,IV_SSO=webauth,openurl,crtext\r\n>CLIENT:ENV,IV_GUI_VER=OCmacOS_3.4.4-4629\r\n>CLIENT:ENV,IV_AUTO_SESS=1\r\n>CLIENT:ENV,IV_CIPHERS=AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305\r\n>CLIENT:ENV,IV_MTU=1600\r\n>CLIENT:ENV,IV_PROTO=990\r\n>CLIENT:ENV,IV_TCPNL=1\r\n>CLIENT:ENV,IV_NCP=2\r\n>CLIENT:ENV,IV_PLAT=mac\r\n>CLIENT:ENV,IV_VER=3.8.1\r\n>CLIENT:ENV,tls_serial_hex_0=51:b3:55:90:65:af:71:5c:d5:52:2b:0b:00:14:8d:ee\r\n>CLIENT:ENV,tls_serial_0=108598624241397715647038806614705737198\r\n>CLIENT:ENV,tls_digest_sha256_0=d3:6d:1d:96:f8:bd:7e:e8:db:c4:0f:53:a1:76:f0:ca:9e:78:63:bf:c6:4a:ac:b9:e6:ed:84:62:f5:ac:5d:b8\r\n>CLIENT:ENV,tls_digest_0=b7:73:bd:6c:31:31:49:63:0d:0c:11:6d:0c:13:d0:b4:8f:97:33:7d\r\n>CLIENT:ENV,[email protected]\r\n>CLIENT:ENV,[email protected]\r\n>CLIENT:ENV,tls_serial_hex_1=01:b3:95:f8:1a:9f:9f:fe:7c:27:ad:29:c1:93:23:ae:08:7f:ab:36\r\n>CLIENT:ENV,tls_serial_1=9713888317380397892476539918183380788698917686\r\n>CLIENT:ENV,tls_digest_sha256_1=75:1a:a1:63:bb:e9:c7:f3:e3:bf:e1:08:f1:36:b7:36:90:04:da:dd:b8:78:b1:cf:d5:ac:09:b6:36:31:a7:db\r\n>CLIENT:ENV,tls_digest_1=d4:bc:00:89:e5:01:0c:27:3d:ea:4a:b5:42:8b:f7:3d:19:7a:a2:25\r\n>CLIENT:ENV,tls_id_1=CN=Easy-RSA CA\r\n>CLIENT:ENV,X509_1_CN=Easy-RSA CA\r\n>CLIENT:ENV,remote_port_1=1194\r\n>CLIENT:ENV,local_port_1=1194\r\n>CLIENT:ENV,proto_1=udp\r\n>CLIENT:ENV,daemon_pid=7\r\n>CLIENT:ENV,daemon_start_time=1703401559\r\n>CLIENT:ENV,daemon_log_redirect=0\r\n>CLIENT:ENV,daemon=0\r\n>CLIENT:ENV,verb=3\r\n>CLIENT:ENV,config=/etc/openvpn/openvpn.conf\r\n>CLIENT:ENV,ifconfig_local=100.64.0.1\r\n>CLIENT:ENV,ifconfig_netmask=255.255.255.0\r\n>CLIENT:ENV,script_context=init\r\n>CLIENT:ENV,tun_mtu=1500\r\n>CLIENT:ENV,dev=tun0\r\n>CLIENT:ENV,dev_type=tun\r\n>CLIENT:ENV,redirect_gateway=0\r\n>CLIENT:ENV,END\r\n")
 
 		authURL = testutils.ReadLine(b, managementInterfaceConn, reader)
-		testutils.SendMessage(b, managementInterfaceConn, "SUCCESS: client-pending-auth command succeeded")
+		testutils.SendMessagef(b, managementInterfaceConn, "SUCCESS: client-pending-auth command succeeded")
 
 		_, authURL, _ = strings.Cut(authURL, `"`)
 		authURL, _, _ = strings.Cut(authURL, `"`)
@@ -76,7 +76,7 @@ func BenchmarkFull(b *testing.B) {
 			defer wgc.Done()
 
 			testutils.ReadLine(b, managementInterfaceConn, reader)
-			testutils.SendMessage(b, managementInterfaceConn, "SUCCESS: client-auth command succeeded")
+			testutils.SendMessagef(b, managementInterfaceConn, "SUCCESS: client-auth command succeeded")
 		}()
 
 		resp, _ = httpClient.Do(request)

internal/oauth2/handler_test.go

@@ -246,10 +246,10 @@ func TestHandler(t *testing.T) {
 				conf.OAuth2.Validate.Roles = make([]string, 0)
 				conf.OAuth2.Validate.Issuer = true
 				conf.OAuth2.Validate.IPAddr = false
-				conf.OpenVpn.Bypass.CommonNames = make([]string, 0)
-				conf.OpenVpn.AuthTokenUser = true
-				conf.OpenVpn.ClientConfig.Enabled = true
-				conf.OpenVpn.ClientConfig.Path = types.FS{
+				conf.OpenVPN.Bypass.CommonNames = make([]string, 0)
+				conf.OpenVPN.AuthTokenUser = true
+				conf.OpenVPN.ClientConfig.Enabled = true
+				conf.OpenVPN.ClientConfig.Path = types.FS{
 					FS: fstest.MapFS{
 						"name.conf": &fstest.MapFile{
 							Data: []byte("push \"ping 60\"\npush \"ping-restart 180\"\r\npush \"ping-timer-rem\" 0\r\n"),
@@ -279,10 +279,10 @@ func TestHandler(t *testing.T) {
 				conf.OAuth2.Validate.Roles = make([]string, 0)
 				conf.OAuth2.Validate.Issuer = true
 				conf.OAuth2.Validate.IPAddr = false
-				conf.OpenVpn.Bypass.CommonNames = make([]string, 0)
-				conf.OpenVpn.AuthTokenUser = true
-				conf.OpenVpn.ClientConfig.Enabled = true
-				conf.OpenVpn.ClientConfig.Path = types.FS{
+				conf.OpenVPN.Bypass.CommonNames = make([]string, 0)
+				conf.OpenVPN.AuthTokenUser = true
+				conf.OpenVPN.ClientConfig.Enabled = true
+				conf.OpenVPN.ClientConfig.Path = types.FS{
 					FS: fstest.MapFS{},
 				}
 
@@ -429,7 +429,7 @@ func TestHandler(t *testing.T) {
 
 			if !tc.preAllow {
 				testutils.ExpectMessage(t, managementInterfaceConn, reader, `client-deny 0 1 "client rejected: http client ip 127.0.0.1 and vpn ip 127.0.0.2 is different"`)
-				testutils.SendMessage(t, managementInterfaceConn, "SUCCESS: client-deny command succeeded")
+				testutils.SendMessagef(t, managementInterfaceConn, "SUCCESS: client-deny command succeeded")
 			}
 
 			select {
@@ -479,26 +479,26 @@ func TestHandler(t *testing.T) {
 			switch {
 			case !tc.postAllow:
 				testutils.ExpectMessage(t, managementInterfaceConn, reader, `client-deny 0 1 "client rejected"`)
-				testutils.SendMessage(t, managementInterfaceConn, "SUCCESS: client-deny command succeeded")
+				testutils.SendMessagef(t, managementInterfaceConn, "SUCCESS: client-deny command succeeded")
 			case tc.state.Client.UsernameIsDefined == 1:
 				testutils.ExpectMessage(t, managementInterfaceConn, reader, "client-auth-nt 0 1")
-				testutils.SendMessage(t, managementInterfaceConn, "SUCCESS: client-auth command succeeded")
-			case tc.conf.OpenVpn.ClientConfig.Enabled:
+				testutils.SendMessagef(t, managementInterfaceConn, "SUCCESS: client-auth command succeeded")
+			case tc.conf.OpenVPN.ClientConfig.Enabled:
 				if tc.state.Client.CommonName == "name" {
 					testutils.ExpectMessage(t, managementInterfaceConn, reader, "client-auth 0 1\r\n"+
 						"push \"ping 60\"\r\n"+
 						"push \"ping-restart 180\"\r\n"+
 						"push \"ping-timer-rem\" 0\r\n"+
 						"push \"auth-token-user bmFtZQ==\"\r\n"+
 						"END")
-					testutils.SendMessage(t, managementInterfaceConn, "SUCCESS: client-auth command succeeded")
+					testutils.SendMessagef(t, managementInterfaceConn, "SUCCESS: client-auth command succeeded")
 				} else {
 					testutils.ExpectMessage(t, managementInterfaceConn, reader, "client-auth 0 1\r\npush \"auth-token-user Y2xpZW50\"\r\nEND")
-					testutils.SendMessage(t, managementInterfaceConn, "SUCCESS: client-auth command succeeded")
+					testutils.SendMessagef(t, managementInterfaceConn, "SUCCESS: client-auth command succeeded")
 				}
 			default:
 				testutils.ExpectMessage(t, managementInterfaceConn, reader, "client-auth 0 1\r\npush \"auth-token-user bmFtZQ==\"\r\nEND")
-				testutils.SendMessage(t, managementInterfaceConn, "SUCCESS: client-auth command succeeded")
+				testutils.SendMessagef(t, managementInterfaceConn, "SUCCESS: client-auth command succeeded")
 			}
 
 			select {