Implement client configs

Signed-off-by: Jan-Otto Kröpke <[email protected]>

Author: jkroepke

cmd/daemon/root.go

@@ -6,6 +6,7 @@ import (
 	"flag"
 	"fmt"
 	"io"
+	"io/fs"
 	"log/slog"
 	"net/http"
 	"net/http/pprof"
@@ -74,16 +75,21 @@ func Execute(args []string, logWriter io.Writer, version, commit, date string) i
 		return 1
 	}
 
-	openvpnClient := openvpn.New(logger, conf)
+	var ccdFS fs.FS
+	if conf.OpenVpn.CCD.Enabled {
+		ccdFS = os.DirFS(conf.OpenVpn.CCD.Path)
+	}
+
+	openVPNClient := openvpn.New(logger, conf, ccdFS)
 
-	oAuth2Client, err := oauth2.New(ctx, logger, conf, httpClient, tokenStorage, provider, openvpnClient)
+	oAuth2Client, err := oauth2.New(ctx, logger, conf, httpClient, tokenStorage, provider, openVPNClient)
 	if err != nil {
 		logger.Error(err.Error())
 
 		return 1
 	}
 
-	openvpnClient.SetOAuth2Client(oAuth2Client)
+	openVPNClient.SetOAuth2Client(oAuth2Client)
 
 	httpHandler, err := httphandler.New(conf, oAuth2Client)
 	if err != nil {
@@ -126,7 +132,7 @@ func Execute(args []string, logWriter io.Writer, version, commit, date string) i
 	go func() {
 		defer wg.Done()
 
-		if err := openvpnClient.Connect(context.Background()); err != nil {
+		if err := openVPNClient.Connect(context.Background()); err != nil {
 			cancel(fmt.Errorf("openvpn: %w", err))
 
 			return

docs/Client specific configuration.md

@@ -0,0 +1,9 @@
+# Client specific configuration
+
+## Introduction
+
+This document describes the client specific configuration options of openvpn-auth-oauth2.
+It mimics the client-config-dir functionality of OpenVPN, but instead the client username, a token claim is
+used as config identifier.
+
+## Configuration

docs/Configuration.md

@@ -78,6 +78,10 @@ openvpn:
   # common-names:
   # - "test"
   # - "test2"
+  ccd:
+    enabled: false
+    token-claim: ""
+    path: "/etc/openvpn-auth-oauth2/"
   common-name:
     environment-variable-name: common_name
     mode: plain
@@ -95,9 +99,10 @@ openvpn:
 
 <!-- BEGIN USAGE -->
 ```
-Usage of openvpn-auth-oauth2:
 Documentation available at https://github.com/jkroepke/openvpn-auth-oauth2/wiki
 
+Usage of ./openvpn-auth-oauth2:
+
   --config string
     	path to one .yaml config file (env: CONFIG_CONFIG)
   --debug.listen string
@@ -186,6 +191,12 @@ Documentation available at https://github.com/jkroepke/openvpn-auth-oauth2/wiki
     	Override the username of a session with the username from the token by using auth-token-user, if the client username is empty (env: CONFIG_OPENVPN_AUTH__TOKEN__USER) (default true)
   --openvpn.bypass.common-names value
     	bypass oauth authentication for CNs. Comma separated list. (env: CONFIG_OPENVPN_BYPASS_COMMON__NAMES)
+  --openvpn.ccd.enabled
+    	If true, openvpn-auth-oauth2 will read the CCD directory for additional configuration. This function mimic the client-config-dir directive in OpenVPN. (env: CONFIG_OPENVPN_CCD_ENABLED)
+  --openvpn.ccd.path string
+    	Path to the CCD directory. openvpn-auth-oauth2 will look for an file with an .conf suffix and returns the content back. (env: CONFIG_OPENVPN_CCD_PATH) (default "/etc/openvpn-auth-oauth2/ccd/")
+  --openvpn.ccd.token-claim string
+    	If non-empty, the value of the token claim is used to lookup the configuration file in the CCD directory. If empty, the common name is used. (env: CONFIG_OPENVPN_CCD_TOKEN__CLAIM)
   --openvpn.common-name.environment-variable-name string
     	Name of the environment variable in the OpenVPN management interface which contains the common name. If username-as-common-name is enabled, this should be set to 'username' to use the username as common name. Other values like 'X509_0_emailAddress' are supported. See https://openvpn.net/community-resources/reference-manual-for-openvpn-2-6/#environmental-variables for more information. (env: CONFIG_OPENVPN_COMMON__NAME_ENVIRONMENT__VARIABLE__NAME) (default "common_name")
   --openvpn.common-name.mode value
@@ -317,3 +328,7 @@ See [Layout Customization](Layout%20Customization) for more information
 ## Non-interactive session refresh
 
 See [Non-interactive session refresh](Non-interactive%20session%20refresh) for more information.
+
+## Client specific configuration
+
+See [Client specific configuration](Client%20specific%20configuration) for more information.

internal/config/defaults.go

@@ -32,7 +32,7 @@ var Defaults = Config{
 		},
 		CallbackTemplate: template.Must(template.New("index.gohtml").ParseFS(ui.Template, "index.gohtml")),
 	},
-	OpenVpn: OpenVpn{
+	OpenVpn: OpenVPN{
 		Addr: &url.URL{
 			Scheme:   "unix",
 			Path:     "/run/openvpn/server.sock",
@@ -44,9 +44,13 @@ var Defaults = Config{
 			EnvironmentVariableName: "common_name",
 			Mode:                    CommonNameModePlain,
 		},
-		Bypass: OpenVpnBypass{
+		Bypass: OpenVPNBypass{
 			CommonNames: make([]string, 0),
 		},
+		CCD: OpenVPNCCD{
+			Enabled: false,
+			Path:    "/etc/openvpn-auth-oauth2/ccd/",
+		},
 		Passthrough: OpenVPNPassthrough{
 			Enabled: false,
 			Address: &url.URL{

internal/config/flags.go

@@ -16,7 +16,7 @@ const (
 func FlagSet(name string) *flag.FlagSet {
 	flagSet := flag.NewFlagSet(name, flag.ContinueOnError)
 	flagSet.Usage = func() {
-		_, _ = fmt.Fprint(flagSet.Output(), "Documentation available at https://github.com/jkroepke/openvpn-auth-oauth2/wiki\r\n\r\n", name)
+		_, _ = fmt.Fprint(flagSet.Output(), "Documentation available at https://github.com/jkroepke/openvpn-auth-oauth2/wiki\r\n\r\n")
 		_, _ = fmt.Fprintf(flagSet.Output(), "Usage of %s:\r\n\r\n", name)
 		// --help should display options with double dash
 		flagSet.VisitAll(func(flag *flag.Flag) {
@@ -169,6 +169,21 @@ func flagSetOpenVPN(flagSet *flag.FlagSet) {
 		Defaults.OpenVpn.Bypass.CommonNames,
 		"bypass oauth authentication for CNs. Comma separated list.",
 	)
+	flagSet.Bool(
+		"openvpn.ccd.enabled",
+		Defaults.OpenVpn.CCD.Enabled,
+		"If true, openvpn-auth-oauth2 will read the CCD directory for additional configuration. This function mimic the client-config-dir directive in OpenVPN.",
+	)
+	flagSet.String(
+		"openvpn.ccd.path",
+		Defaults.OpenVpn.CCD.Path,
+		"Path to the CCD directory. openvpn-auth-oauth2 will look for an file with an .conf suffix and returns the content back.",
+	)
+	flagSet.String(
+		"openvpn.ccd.token-claim",
+		Defaults.OpenVpn.CCD.TokenClaim,
+		"If non-empty, the value of the token claim is used to lookup the configuration file in the CCD directory. If empty, the common name is used.",
+	)
 	flagSet.String(
 		"openvpn.common-name.environment-variable-name",
 		Defaults.OpenVpn.CommonName.EnvironmentVariableName,

internal/config/flags_test.go

@@ -171,7 +171,7 @@ func TestValidate(t *testing.T) {
 					Client: config.OAuth2Client{ID: "ID", Secret: testutils.Secret},
 					Issuer: &url.URL{Scheme: "http", Host: "localhost"},
 				},
-				OpenVpn: config.OpenVpn{
+				OpenVpn: config.OpenVPN{
 					Addr: &url.URL{Scheme: "tcp", Host: "127.0.0.1:9000"},
 				},
 			},
@@ -188,7 +188,7 @@ func TestValidate(t *testing.T) {
 					Client: config.OAuth2Client{ID: "ID", Secret: testutils.Secret},
 					Issuer: &url.URL{Scheme: "http", Host: "localhost"},
 				},
-				OpenVpn: config.OpenVpn{
+				OpenVpn: config.OpenVPN{
 					Addr: &url.URL{Scheme: "tcp", Host: "127.0.0.1:9000"},
 				},
 			},
@@ -205,7 +205,7 @@ func TestValidate(t *testing.T) {
 					Client: config.OAuth2Client{ID: "ID", Secret: testutils.Secret},
 					Issuer: &url.URL{Scheme: "http", Host: "localhost"},
 				},
-				OpenVpn: config.OpenVpn{
+				OpenVpn: config.OpenVPN{
 					Addr: &url.URL{Scheme: "quic", Host: "127.0.0.1:9000"},
 				},
 			},
@@ -225,7 +225,7 @@ func TestValidate(t *testing.T) {
 						Enabled: true,
 					},
 				},
-				OpenVpn: config.OpenVpn{
+				OpenVpn: config.OpenVPN{
 					Addr: &url.URL{Scheme: "tcp", Host: "127.0.0.1:9000"},
 				},
 			},
@@ -249,7 +249,7 @@ func TestValidate(t *testing.T) {
 						Discovery: &url.URL{Scheme: "http", Host: "localhost"},
 					},
 				},
-				OpenVpn: config.OpenVpn{
+				OpenVpn: config.OpenVPN{
 					Addr: &url.URL{Scheme: "tcp", Host: "127.0.0.1:9000"},
 				},
 			},

internal/config/load_test.go

@@ -105,9 +105,13 @@ openvpn:
         common-names:
         - "test"
         - "test2"
+    ccd:
+        enabled: true
+        token-claim: sub
+        path: "."
     common-name:
         environment-variable-name: X509_0_emailAddress
-        mode: omit
+        mode: plain
     password: "1jd93h5b6s82lf03jh5b2hf9"
     pass-through:
         address: "unix:///run/openvpn/pass-through.sock"
@@ -146,21 +150,26 @@ http:
 					},
 					AssetPath: ".",
 				},
-				OpenVpn: config.OpenVpn{
+				OpenVpn: config.OpenVPN{
 					Addr: &url.URL{
 						Scheme:   "unix",
 						Path:     "/run/openvpn/server2.sock",
 						OmitHost: false,
 					},
-					Bypass: config.OpenVpnBypass{
+					Bypass: config.OpenVPNBypass{
 						CommonNames: []string{"test", "test2"},
 					},
+					CCD: config.OpenVPNCCD{
+						Enabled:    true,
+						TokenClaim: "sub",
+						Path:       ".",
+					},
 					Password:           "1jd93h5b6s82lf03jh5b2hf9",
 					AuthTokenUser:      true,
 					AuthPendingTimeout: 2 * time.Minute,
 					CommonName: config.OpenVPNCommonName{
 						EnvironmentVariableName: "X509_0_emailAddress",
-						Mode:                    config.CommonNameModeOmit,
+						Mode:                    config.CommonNameModePlain,
 					},
 					Passthrough: config.OpenVPNPassthrough{
 						Enabled: true,

internal/config/types.go

@@ -16,7 +16,7 @@ type Config struct {
 	Debug      Debug   `koanf:"debug"`
 	Log        Log     `koanf:"log"`
 	HTTP       HTTP    `koanf:"http"`
-	OpenVpn    OpenVpn `koanf:"openvpn"`
+	OpenVpn    OpenVPN `koanf:"openvpn"`
 	OAuth2     OAuth2  `koanf:"oauth2"`
 }
 
@@ -43,20 +43,27 @@ type Log struct {
 	VPNClientIP bool       `koanf:"vpn-client-ip"`
 }
 
-type OpenVpn struct {
+type OpenVPN struct {
 	Addr               *url.URL           `koanf:"addr"`
 	Password           Secret             `koanf:"password"`
-	Bypass             OpenVpnBypass      `koanf:"bypass"`
+	Bypass             OpenVPNBypass      `koanf:"bypass"`
+	CCD                OpenVPNCCD         `koanf:"ccd"`
 	AuthTokenUser      bool               `koanf:"auth-token-user"`
 	AuthPendingTimeout time.Duration      `koanf:"auth-pending-timeout"`
 	CommonName         OpenVPNCommonName  `koanf:"common-name"`
 	Passthrough        OpenVPNPassthrough `koanf:"pass-through"`
 }
 
-type OpenVpnBypass struct {
+type OpenVPNBypass struct {
 	CommonNames StringSlice `koanf:"common-names"`
 }
 
+type OpenVPNCCD struct {
+	Enabled    bool   `koanf:"enabled"`
+	TokenClaim string `koanf:"token-claim"`
+	Path       string `koanf:"path"`
+}
+
 type OpenVPNCommonName struct {
 	EnvironmentVariableName string                `koanf:"environment-variable-name"`
 	Mode                    OpenVPNCommonNameMode `koanf:"mode"`

internal/config/validate.go

@@ -77,6 +77,20 @@ func Validate(mode int, conf Config) error {
 		if !slices.Contains([]string{"tcp", "unix"}, conf.OpenVpn.Addr.Scheme) {
 			return errors.New("openvpn.addr: invalid URL. only tcp://addr or unix://addr scheme supported")
 		}
+
+		if conf.OpenVpn.CCD.Enabled {
+			if conf.OpenVpn.CCD.Path == "" {
+				return fmt.Errorf("openvpn.ccd.path is %w, if openvpn.ccd.enabled=true", ErrRequired)
+			}
+
+			if conf.OpenVpn.CommonName.Mode == CommonNameModeOmit {
+				return errors.New("openvpn.common-name.mode: omit is not supported with openvpn.ccd.enabled")
+			}
+
+			if _, err := os.ReadDir(conf.OpenVpn.CCD.Path); err != nil {
+				return fmt.Errorf("openvpn.ccd.path: %w", err)
+			}
+		}
 	}
 
 	if conf.HTTP.AssetPath != "" {