fix: implement openvpn.client-config.token-claim (#681)

Author: jkroepke

internal/oauth2/handler.go

@@ -19,7 +19,7 @@ import (
 )
 
 type openvpnManagementClient interface {
-	AcceptClient(ctx context.Context, logger *slog.Logger, client state.ClientIdentifier, reAuth bool, username string)
+	AcceptClient(ctx context.Context, logger *slog.Logger, client state.ClientIdentifier, reAuth bool, username string, clientConfigName string)
 	DenyClient(ctx context.Context, logger *slog.Logger, client state.ClientIdentifier, reason string)
 }
 
@@ -197,7 +197,17 @@ func (c Client) postCodeExchangeHandler(
 			username = session.Client.CommonName
 		}
 
-		c.openvpn.AcceptClient(ctx, logger, session.Client, false, username)
+		clientConfigName := username
+
+		if clientConfigClaim := c.conf.OpenVPN.ClientConfig.TokenClaim; clientConfigClaim != "" && tokens.IDTokenClaims != nil {
+			if claimValue, ok := tokens.IDTokenClaims.Claims[clientConfigClaim]; ok {
+				if clientConfigTokenValue, ok := claimValue.(string); ok && clientConfigName != "" {
+					clientConfigName = clientConfigTokenValue
+				}
+			}
+		}
+
+		c.openvpn.AcceptClient(ctx, logger, session.Client, false, username, clientConfigName)
 		c.postCodeExchangeHandlerStoreRefreshToken(ctx, logger, session, clientID, tokens)
 		c.writeHTTPSuccess(ctx, w, logger)
 	}

internal/oauth2/handler_test.go

@@ -365,6 +365,40 @@ func TestHandler(t *testing.T) {
 			true,
 			true,
 		},
+		{
+			"with client config and custom claim",
+			func() config.Config {
+				conf := config.Defaults
+				conf.HTTP.Secret = testutils.Secret
+				conf.HTTP.Check.IPAddr = true
+				conf.HTTP.EnableProxyHeaders = true
+				conf.OAuth2.Provider = generic.Name
+				conf.OAuth2.Endpoints = config.OAuth2Endpoints{}
+				conf.OAuth2.Scopes = []string{oauth2types.ScopeOpenID, oauth2types.ScopeProfile}
+				conf.OAuth2.Validate.Groups = make([]string, 0)
+				conf.OAuth2.Validate.Roles = make([]string, 0)
+				conf.OAuth2.Validate.Issuer = true
+				conf.OAuth2.Validate.IPAddr = false
+				conf.OpenVPN.Bypass.CommonNames = make(types.RegexpSlice, 0)
+				conf.OpenVPN.AuthTokenUser = true
+				conf.OpenVPN.ClientConfig.Enabled = true
+				conf.OpenVPN.ClientConfig.TokenClaim = "sub"
+				conf.OpenVPN.ClientConfig.Path = types.FS{
+					FS: fstest.MapFS{
+						"id1.conf": &fstest.MapFile{
+							Data: []byte("push \"ping 60\"\npush \"ping-restart 180\"\r\npush \"ping-timer-rem\" 0\r\n"),
+						},
+					},
+				}
+
+				return conf
+			}(),
+			state.New(state.ClientIdentifier{CID: 0, KID: 1, CommonName: "name"}, "127.0.0.2", "12345", ""),
+			false,
+			"127.0.0.2, 8.8.8.8",
+			true,
+			true,
+		},
 		{
 			"with client config not found",
 			func() config.Config {

internal/openvpn/callbacks.go

@@ -13,7 +13,7 @@ import (
 
 // AcceptClient accepts an OpenVPN client connection.
 // It reads the client configuration from the CCD path if enabled.
-func (c *Client) AcceptClient(ctx context.Context, logger *slog.Logger, client state.ClientIdentifier, reAuth bool, username string) {
+func (c *Client) AcceptClient(ctx context.Context, logger *slog.Logger, client state.ClientIdentifier, reAuth bool, username, clientConfigName string) {
 	if reAuth {
 		logger.LogAttrs(ctx, slog.LevelInfo, "client re-authentication")
 
@@ -26,22 +26,22 @@ func (c *Client) AcceptClient(ctx context.Context, logger *slog.Logger, client s
 		return
 	}
 
-	c.acceptClientAuth(ctx, logger, client, username)
+	c.acceptClientAuth(ctx, logger, client, username, clientConfigName)
 }
 
 //nolint:cyclop
-func (c *Client) acceptClientAuth(ctx context.Context, logger *slog.Logger, client state.ClientIdentifier, username string) {
+func (c *Client) acceptClientAuth(ctx context.Context, logger *slog.Logger, client state.ClientIdentifier, username, clientConfigName string) {
 	var (
 		err           error
 		tokenUsername string
 	)
 
 	logger.LogAttrs(ctx, slog.LevelInfo, "client authentication")
 
-	clientConfig, err := c.readClientConfig(username)
+	clientConfig, err := c.readClientConfig(clientConfigName)
 	if err != nil {
 		logger.LogAttrs(ctx, slog.LevelDebug, "failed to read client config",
-			slog.String("username", username),
+			slog.String("config", clientConfigName),
 			slog.Any("error", err),
 		)
 	}

internal/openvpn/client.go

@@ -58,7 +58,7 @@ func (c *Client) handleClientAuthentication(ctx context.Context, logger *slog.Lo
 	// Check if the client is allowed to bypass authentication. If so, accept the client.
 	if c.checkAuthBypass(client) {
 		logger.LogAttrs(ctx, slog.LevelInfo, "client bypass authentication")
-		c.AcceptClient(ctx, logger, state.ClientIdentifier{CID: client.CID, KID: client.KID}, true, client.CommonName)
+		c.AcceptClient(ctx, logger, state.ClientIdentifier{CID: client.CID, KID: client.KID}, true, client.CommonName, "")
 
 		return
 	}
@@ -83,7 +83,7 @@ func (c *Client) handleClientAuthentication(ctx context.Context, logger *slog.Lo
 
 		return
 	} else if ok {
-		c.AcceptClient(ctx, logger, state.ClientIdentifier{CID: client.CID, KID: client.KID}, true, client.CommonName)
+		c.AcceptClient(ctx, logger, state.ClientIdentifier{CID: client.CID, KID: client.KID}, true, client.CommonName, "")
 
 		return
 	}

internal/utils/testutils/openvpn.go

@@ -17,7 +17,7 @@ func NewFakeOpenVPNClient() FakeOpenVPNClient {
 }
 
 // AcceptClient is a no-op implementation of the real method.
-func (FakeOpenVPNClient) AcceptClient(_ context.Context, _ *slog.Logger, _ state.ClientIdentifier, _ bool, _ string) {
+func (FakeOpenVPNClient) AcceptClient(_ context.Context, _ *slog.Logger, _ state.ClientIdentifier, _ bool, _, _ string) {
 }
 
 // DenyClient is a no-op implementation of the real method.