From f3b5c6c32810e3c632471eee4c8092c0b105d245 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?=
Date: Wed, 28 Feb 2024 23:19:57 +0100
Subject: [PATCH] Add --log.vpn-client-ip (#204)
---
 docs/Configuration.md | 3 +++
 internal/config/config.go | 7 ++++++-
 internal/config/defaults.go | 5 +++--
 internal/config/load_test.go | 6 ++++--
 internal/config/types.go | 5 +++--
 internal/openvpn/client.go | 15 +++++++++++++--
 packaging/etc/openvpn-auth-oauth2/config.yaml | 1 +
 7 files changed, 33 insertions(+), 9 deletions(-)
diff --git a/docs/Configuration.md b/docs/Configuration.md
index 576b3048..0d3e09f5 100644
--- a/docs/Configuration.md
+++ b/docs/Configuration.md
@@ -46,6 +46,7 @@ http:
 log:
 format: console
 level: INFO
+ vpn-client-ip: true
 oauth2:
 authorize-params: "a=c"
 client:
@@ -138,6 +139,8 @@ Usage of openvpn-auth-oauth2:
 log format. json or console (env: CONFIG_LOG_FORMAT) (default "console")
 --log.level value
 log level (env: CONFIG_LOG_LEVEL) (default INFO)
+ --log.vpn-client-ip
+ log IP of VPN client. Useful to have an identifier between OpenVPN and openvpn-auth-oauth2. (env: CONFIG_LOG_VPN__CLIENT__IP) (default true)
 --oauth2.auth-style value
 Auth style represents how requests for tokens are authenticated to the server. Possible values: AuthStyleAutoDetect, AuthStyleInParams, AuthStyleInHeader. See https://pkg.go.dev/golang.org/x/oauth2#AuthStyle (env: CONFIG_OAUTH2_AUTH__STYLE) (default AuthStyleInParams)
 --oauth2.authorize-params string
diff --git a/internal/config/config.go b/internal/config/config.go
index fa6b0d3b..66049ca7 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -17,7 +17,7 @@ const (
 // FlagSet configure the command line parser using the [flag] library.
 //
-
+//nolint:maintidx
 func FlagSet(name string) *flag.FlagSet {
 flagSet := flag.NewFlagSet(name, flag.ContinueOnError)
 flagSet.Usage = func() {
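Review bot: The added `//nolint:maintidx` on FlagSet carries no justification, and because the blank line between the `//` doc line and `func FlagSet` is removed in the same hunk, the comment block above it now becomes FlagSet's doc comment; gofmt/godoc recognise a line of that shape as a directive and keep it out of the rendered documentation, but a reader of the source still has no idea why the maintainability-index check is waived. Prefer `//nolint:maintidx // flag registration is one long, linear list by design`, which also satisfies nolintlint if it is ever enabled. While touching the doc comment, `// FlagSet configures the command line parser using the [flag] library.` reads as a proper godoc sentence. FlagSet's body continues outside the hunk.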
@@ -44,6 +44,11 @@ func FlagSet(name string) *flag.FlagSet {
 Defaults.Debug.Listen,
 "listen address for go profiling endpoint",
 )
+ flagSet.Bool(
+ "log.vpn-client-ip",
+ Defaults.Log.VPNClientIP,
+ "log IP of VPN client. Useful to have an identifier between OpenVPN and openvpn-auth-oauth2.",
+ )
 flagSet.String(
 "log.format",
 Defaults.Log.Format,
diff --git a/internal/config/defaults.go b/internal/config/defaults.go
index d306ce08..91fe3d4d 100644
--- a/internal/config/defaults.go
+++ b/internal/config/defaults.go
@@ -16,8 +16,9 @@ var Defaults = Config{
 Listen: ":9001",
 },
 Log: Log{
- Format: "console",
- Level: slog.LevelInfo,
+ Format: "console",
+ Level: slog.LevelInfo,
+ VPNClientIP: true,
 },
 HTTP: HTTP{
 BaseURL: &url.URL{
diff --git a/internal/config/load_test.go b/internal/config/load_test.go
index 49f36e94..55f31e5b 100644
--- a/internal/config/load_test.go
+++ b/internal/config/load_test.go
@@ -67,6 +67,7 @@ debug:
 log:
 format: json
 level: DEBUG
+ vpn-client-ip: false
 oauth2:
 issuer: "https://company.zitadel.cloud"
 client:
@@ -127,8 +128,9 @@ http:
 Listen: ":9002",
 },
 Log: config.Log{
- Format: "json",
- Level: slog.LevelDebug,
+ Format: "json",
+ Level: slog.LevelDebug,
+ VPNClientIP: false,
 },
 HTTP: config.HTTP{
 Listen: ":9001",
diff --git a/internal/config/types.go b/internal/config/types.go
index b5a58e50..1bbbace3 100644
--- a/internal/config/types.go
+++ b/internal/config/types.go
@@ -37,8 +37,9 @@ type HTTPCheck struct {
 }
 type Log struct {
- Format string `koanf:"format"`
- Level slog.Level `koanf:"level"`
+ Format string `koanf:"format"`
+ Level slog.Level `koanf:"level"`
+ VPNClientIP bool `koanf:"vpn-client-ip"`
 }
 type OpenVpn struct {
diff --git a/internal/openvpn/client.go b/internal/openvpn/client.go
index 168690cb..498f3cc1 100644
--- a/internal/openvpn/client.go
+++ b/internal/openvpn/client.go
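Review bot: The help text registered for `log.vpn-client-ip` presents it purely as a logging aid, but the only consumer visible in this commit (the `c.conf.Log.VPNClientIP || c.conf.OAuth2.Validate.IPAddr` guard in internal/openvpn/client.go) uses it to decide whether the client's address and port are embedded in the signed session state that is then encoded into the start URL, which is exactly why the new error message in that file recommends switching it off. Operators can only weigh that trade-off if the flag tells them, so suggest `"log IP of VPN client. Useful to have an identifier between OpenVPN and openvpn-auth-oauth2. The address is also embedded in the OAuth2 state and lengthens the start URL."`, and mirror the wording in docs/Configuration.md. The same applies to the undocumented `VPNClientIP` field added in internal/config/types.go, which could carry `// VPNClientIP controls whether the client's IP address and port are carried in the session state (for correlating OpenVPN and openvpn-auth-oauth2 logs).`. FlagSet starts and ends outside the hunk.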
@@ -79,7 +79,17 @@ func (c *Client) handleClientAuthentication(logger *slog.Logger, client connecti
 commonName := utils.TransformCommonName(c.conf.OpenVpn.CommonName.Mode, client.CommonName)
- session := state.New(ClientIdentifier, client.IPAddr, client.IPPort, commonName)
+ var (
+ ipAddr string
+ ipPort string
+ )
+
+ if c.conf.Log.VPNClientIP || c.conf.OAuth2.Validate.IPAddr {
+ ipAddr = client.IPAddr
+ ipPort = client.IPPort
+ }
+
+ session := state.New(ClientIdentifier, ipAddr, ipPort, commonName)
 if err := session.Encode(c.conf.HTTP.Secret.String()); err != nil {
 return fmt.Errorf("error encoding state: %w", err)
 }
@@ -89,7 +99,8 @@ func (c *Client) handleClientAuthentication(logger *slog.Logger, client connecti
 if len(startURL) >= 245 {
 c.DenyClient(logger, ClientIdentifier, "internal error")
- return fmt.Errorf("url %s (%d chars) too long! OpenVPN support up to 245 chars. Try --openvpn.common-name.mode to avoid this error",
+ return fmt.Errorf("url %s (%d chars) too long! OpenVPN support up to 245 chars. "+
+ "Try --openvpn.common-name.mode=omit or --log.vpn-client-ip=false to avoid this error",
 startURL, len(startURL))
 }
diff --git a/packaging/etc/openvpn-auth-oauth2/config.yaml b/packaging/etc/openvpn-auth-oauth2/config.yaml
index 1ea3c23b..535b16dd 100644
--- a/packaging/etc/openvpn-auth-oauth2/config.yaml
+++ b/packaging/etc/openvpn-auth-oauth2/config.yaml
@@ -15,6 +15,7 @@
 #log:
 # format: console
 # level: INFO
+# vpn-client-ip: true
 #oauth2:
 # authorize-params: "a=c"
 # client:
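Review bot: The rewritten error message in the second hunk (`@@ -89,7 +99,8 @@`) advises `--log.vpn-client-ip=false` to shorten the URL, but the guard added in the first hunk is `c.conf.Log.VPNClientIP || c.conf.OAuth2.Validate.IPAddr`, so with OAuth2 IP validation enabled the address stays in the state and that advice has no effect; the message should say so, e.g. `"Try --openvpn.common-name.mode=omit or --log.vpn-client-ip=false (no effect while OAuth2 IP validation is enabled) to avoid this error"`. The OR itself looks like the right call, since the IP check presumably relies on the address carried in the signed state and dropping it would silently weaken that check, but that reasoning is invisible at the `if`; a comment such as `// Keep the address in the state whenever IP validation is on, independent of the log setting.` would stop a later edit from decoupling them. Nothing in the commit exercises this branch (load_test.go only checks that `vpn-client-ip: false` parses), so a test of handleClientAuthentication with VPNClientIP=false and Validate.IPAddr=true asserting the state still carries the address would pin the security-relevant half of the condition. handleClientAuthentication starts and ends outside both hunks.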