Add --log.vpn-client-ip (#204)

docs/Configuration.md

@@ -46,6 +46,7 @@ http:
 log:
     format: console
     level: INFO
+    vpn-client-ip: true
 oauth2:
     authorize-params: "a=c"
     client:
@@ -138,6 +139,8 @@ Usage of openvpn-auth-oauth2:
     	log format. json or console (env: CONFIG_LOG_FORMAT) (default "console")
   --log.level value
     	log level (env: CONFIG_LOG_LEVEL) (default INFO)
+  --log.vpn-client-ip
+    	log IP of VPN client. Useful to have an identifier between OpenVPN and openvpn-auth-oauth2. (env: CONFIG_LOG_VPN__CLIENT__IP) (default true)
   --oauth2.auth-style value
     	Auth style represents how requests for tokens are authenticated to the server. Possible values: AuthStyleAutoDetect, AuthStyleInParams, AuthStyleInHeader. See https://pkg.go.dev/golang.org/x/oauth2#AuthStyle (env: CONFIG_OAUTH2_AUTH__STYLE) (default AuthStyleInParams)
   --oauth2.authorize-params string

internal/config/config.go

@@ -17,7 +17,7 @@ const (
 
 // FlagSet configure the command line parser using the [flag] library.
 //
-
+//nolint:maintidx
 func FlagSet(name string) *flag.FlagSet {
 	flagSet := flag.NewFlagSet(name, flag.ContinueOnError)
 	flagSet.Usage = func() {
@@ -44,6 +44,11 @@ func FlagSet(name string) *flag.FlagSet {
 		Defaults.Debug.Listen,
 		"listen address for go profiling endpoint",
 	)
+	flagSet.Bool(
+		"log.vpn-client-ip",
+		Defaults.Log.VPNClientIP,
+		"log IP of VPN client. Useful to have an identifier between OpenVPN and openvpn-auth-oauth2.",
+	)
 	flagSet.String(
 		"log.format",
 		Defaults.Log.Format,

internal/config/defaults.go

@@ -16,8 +16,9 @@ var Defaults = Config{
 		Listen: ":9001",
 	},
 	Log: Log{
-		Format: "console",
-		Level:  slog.LevelInfo,
+		Format:      "console",
+		Level:       slog.LevelInfo,
+		VPNClientIP: true,
 	},
 	HTTP: HTTP{
 		BaseURL: &url.URL{

internal/config/load_test.go

@@ -67,6 +67,7 @@ debug:
 log:
     format: json
     level: DEBUG
+    vpn-client-ip: false
 oauth2:
     issuer: "https://company.zitadel.cloud"
     client:
@@ -127,8 +128,9 @@ http:
 					Listen: ":9002",
 				},
 				Log: config.Log{
-					Format: "json",
-					Level:  slog.LevelDebug,
+					Format:      "json",
+					Level:       slog.LevelDebug,
+					VPNClientIP: false,
 				},
 				HTTP: config.HTTP{
 					Listen:             ":9001",

internal/config/types.go

@@ -37,8 +37,9 @@ type HTTPCheck struct {
 }
 
 type Log struct {
-	Format string     `koanf:"format"`
-	Level  slog.Level `koanf:"level"`
+	Format      string     `koanf:"format"`
+	Level       slog.Level `koanf:"level"`
+	VPNClientIP bool       `koanf:"vpn-client-ip"`
 }
 
 type OpenVpn struct {

internal/openvpn/client.go

@@ -79,7 +79,17 @@ func (c *Client) handleClientAuthentication(logger *slog.Logger, client connecti
 
 	commonName := utils.TransformCommonName(c.conf.OpenVpn.CommonName.Mode, client.CommonName)
 
-	session := state.New(ClientIdentifier, client.IPAddr, client.IPPort, commonName)
+	var (
+		ipAddr string
+		ipPort string
+	)
+
+	if c.conf.Log.VPNClientIP || c.conf.OAuth2.Validate.IPAddr {
+		ipAddr = client.IPAddr
+		ipPort = client.IPPort
+	}
+
+	session := state.New(ClientIdentifier, ipAddr, ipPort, commonName)
 	if err := session.Encode(c.conf.HTTP.Secret.String()); err != nil {
 		return fmt.Errorf("error encoding state: %w", err)
 	}
@@ -89,7 +99,8 @@ func (c *Client) handleClientAuthentication(logger *slog.Logger, client connecti
 	if len(startURL) >= 245 {
 		c.DenyClient(logger, ClientIdentifier, "internal error")
 
-		return fmt.Errorf("url %s (%d chars) too long! OpenVPN support up to 245 chars. Try --openvpn.common-name.mode to avoid this error",
+		return fmt.Errorf("url %s (%d chars) too long! OpenVPN support up to 245 chars. "+
+			"Try --openvpn.common-name.mode=omit or --log.vpn-client-ip=false to avoid this error",
 			startURL, len(startURL))
 	}
 

packaging/etc/openvpn-auth-oauth2/config.yaml

@@ -15,6 +15,7 @@
 #log:
 #    format: console
 #    level: INFO
+#    vpn-client-ip: true
 #oauth2:
 #    authorize-params: "a=c"
 #    client: