chore: Additional CEL changes (#742)

Author: jkroepke

docs/Client token validation.md

@@ -4,7 +4,12 @@ openvpn-auth-oauth2 supports advanced token validation using the [Common Express
 
 ## Overview
 
-CEL validation provides a flexible way to enforce security policies by allowing you to write custom expressions that evaluate to `true` or `false`. This validation happens after the OAuth2 authentication flow completes but before the OpenVPN connection is established.
+CEL validation provides a flexible way to enforce security policies by allowing you to write custom expressions that evaluate to `true` or `false`. This validation happens:
+
+1. **During interactive authentication** - After the OAuth2 authentication flow completes but before the OpenVPN connection is established
+2. **During token refresh** - When an existing OpenVPN session is refreshed using a refresh token (non-interactive authentication)
+
+This ensures that access policies are continuously enforced throughout the lifecycle of the VPN connection, not just during initial authentication.
 
 ## Configuration
 
@@ -15,23 +20,28 @@ To enable CEL validation, configure the `oauth2.validate.cel` property in your c
 ```yaml
 oauth2:
   validate:
-    cel: 'openvpnUserCommonName == oauth2TokenClaims.preferred_username'
+    cel: 'openVPNUserCommonName == oauth2TokenClaims.preferred_username'
 ```
 
 ### Environment Variable
 
 ```bash
-CONFIG_OAUTH2_VALIDATE_VALIDATION__CEL='openvpnUserCommonName == oauth2TokenClaims.preferred_username'
+CONFIG_OAUTH2_VALIDATE_VALIDATION__CEL='openVPNUserCommonName == oauth2TokenClaims.preferred_username'
 ```
 
+> [!IMPORTANT]
+> CEL validation is performed **both during initial OAuth2 authentication and during token refresh**. This means your validation rules will be continuously enforced throughout the entire lifecycle of a VPN session. Make sure your expressions account for both scenarios using the `authMode` variable if needed.
+
 ## Available Variables
 
 The following variables are available in your CEL expressions:
 
 | Variable | Type | Description |
 |----------|------|-------------|
-| `openvpnUserCommonName` | `string` | The common name (CN) of the OpenVPN client certificate |
-| `openvpnUserIPAddr` | `string` | The IP address of the OpenVPN client |
+| `authMode` | `string` | The authentication mode: `"interactive"` (initial OAuth2 login) or `"non-interactive"` (token refresh) |
+| `openVPNSessionState` | `string` | The OpenVPN session state (e.g., `""`, `"Empty"`, `"Initial"`, `"Authenticated"`, `"Expired"`, `"Invalid"`, `"AuthenticatedEmptyUser"`, `"ExpiredEmptyUser"`) |
+| `openVPNUserCommonName` | `string` | The common name (CN) of the OpenVPN client certificate |
+| `openVPNUserIPAddr` | `string` | The IP address of the OpenVPN client |
 | `oauth2TokenClaims` | `map<string, dynamic>` | All claims from the OAuth2 ID token |
 
 ## Expression Requirements
@@ -53,7 +63,8 @@ oauth2:
       oauth2TokenClaims.department == 'engineering'
 ```
 
-**Important:** If you try to access a claim that doesn't exist without using `has()`, the expression evaluation will fail and the user will be denied access.
+> [!IMPORTANT]
+> If you try to access a claim that doesn't exist without using `has()`, the expression evaluation will fail, and the user will be denied access.
 
 ## Examples
 
@@ -64,7 +75,7 @@ Ensure the OpenVPN common name matches the OAuth2 username claim:
 ```yaml
 oauth2:
   validate:
-    cel: 'openvpnUserCommonName == oauth2TokenClaims.preferred_username'
+    cel: 'openVPNUserCommonName == oauth2TokenClaims.preferred_username'
 ```
 
 ### Email Domain Validation
@@ -87,7 +98,7 @@ Combine multiple conditions with logical operators:
 oauth2:
   validate:
     cel: |
-      openvpnUserCommonName == oauth2TokenClaims.preferred_username &&
+      openVPNUserCommonName == oauth2TokenClaims.preferred_username &&
       has(oauth2TokenClaims.email_verified) &&
       oauth2TokenClaims.email_verified == true
 ```
@@ -111,7 +122,7 @@ Validate that the VPN client IP is in an expected range:
 ```yaml
 oauth2:
   validate:
-    cel: 'openvpnUserIPAddr.startsWith("10.0.") || openvpnUserIPAddr.startsWith("192.168.")'
+    cel: 'openVPNUserIPAddr.startsWith("10.0.") || openVPNUserIPAddr.startsWith("192.168.")'
 ```
 
 ### Case-Insensitive Username Validation
@@ -122,7 +133,7 @@ Compare usernames in a case-insensitive manner using the `lowerAscii()` function
 oauth2:
   validate:
     cel: |
-      has(oauth2TokenClaims.preferred_username) && openvpnUserCommonName.lowerAscii() == string(oauth2TokenClaims.preferred_username).lowerAscii()
+      has(oauth2TokenClaims.preferred_username) && openVPNUserCommonName.lowerAscii() == string(oauth2TokenClaims.preferred_username).lowerAscii()
 ```
 
 > [!IMPORTANT]
@@ -136,7 +147,7 @@ Combine multiple conditions for sophisticated validation rules:
 oauth2:
   validate:
     cel: |
-      openvpnUserCommonName == oauth2TokenClaims.sub &&
+      openVPNUserCommonName == oauth2TokenClaims.sub &&
       (
         (has(oauth2TokenClaims.role) && oauth2TokenClaims.role == 'admin') ||
         (has(oauth2TokenClaims.vpn_access) && oauth2TokenClaims.vpn_access == true)
@@ -153,7 +164,7 @@ oauth2:
   validate:
     cel: |
       has(oauth2TokenClaims.email) &&
-      string(oauth2TokenClaims.email).split('@')[0] == openvpnUserCommonName
+      string(oauth2TokenClaims.email).split('@')[0] == openVPNUserCommonName
 ```
 
 ### Username Format Validation
@@ -176,7 +187,7 @@ Ensure usernames meet minimum length requirements:
 oauth2:
   validate:
     cel: |
-      openvpnUserCommonName.size() >= 3 &&
+      openVPNUserCommonName.size() >= 3 &&
       has(oauth2TokenClaims.preferred_username) &&
       string(oauth2TokenClaims.preferred_username).size() >= 3
 ```
@@ -192,12 +203,48 @@ oauth2:
       has(oauth2TokenClaims.email) &&
       (
         (string(oauth2TokenClaims.email).endsWith('@internal.company.com') &&
-         openvpnUserIPAddr.startsWith('10.0.')) ||
+         openVPNUserIPAddr.startsWith('10.0.')) ||
         (string(oauth2TokenClaims.email).endsWith('@company.com') &&
-         openvpnUserIPAddr.startsWith('192.168.'))
+         openVPNUserIPAddr.startsWith('192.168.'))
       )
 ```
 
+### Authentication Mode Based Validation
+
+Apply different validation rules based on whether this is an initial login or a token refresh:
+
+```yaml
+oauth2:
+  validate:
+    cel: |
+      authMode == 'interactive' ||
+      (authMode == 'non-interactive' && has(oauth2TokenClaims.refresh_allowed) && oauth2TokenClaims.refresh_allowed == true)
+```
+
+### Session State Validation
+
+Validate based on the current OpenVPN session state:
+
+```yaml
+oauth2:
+  validate:
+    cel: |
+      openVPNSessionState in ['Initial', 'Authenticated', 'AuthenticatedEmptyUser'] &&
+      openVPNUserCommonName == oauth2TokenClaims.preferred_username
+```
+
+### Combined Mode and State Validation
+
+Combine authentication mode and session state for fine-grained control:
+
+```yaml
+oauth2:
+  validate:
+    cel: |
+      (authMode == 'interactive' && openVPNSessionState == 'Initial') ||
+      (authMode == 'non-interactive' && openVPNSessionState == 'Authenticated')
+```
+
 ## CEL Language Features
 
 CEL supports many standard operations:
@@ -310,10 +357,10 @@ The expression must evaluate to a boolean. If it evaluates to another type (stri
 
 ```yaml
 # ❌ Bad - evaluates to a string, not a boolean
-cel: 'openvpnUserCommonName'
+cel: 'openVPNUserCommonName'
 ---
 # ✅ Good - evaluates to a boolean
-cel: 'openvpnUserCommonName != ""'
+cel: 'openVPNUserCommonName != ""'
 ```
 
 ## Relationship with Other Validation Options

docs/Configuration.md

@@ -107,7 +107,7 @@ Usage of openvpn-auth-oauth2:
   --oauth2.validate.groups value
     	oauth2 required user groups. If multiple groups are configured, the user needs to be least in one group. Comma separated list. Example: group1,group2,group3 (env: CONFIG_OAUTH2_VALIDATE_GROUPS)
   --oauth2.validate.cel string
-    	CEL expression for custom token validation. The expression must evaluate to a boolean value. Available variables: openvpnUserCommonName (string), openvpnUserIPAddr (string), oauth2TokenClaims (map). Example: openvpnUserCommonName == oauth2TokenClaims.preferred_username (env: CONFIG_OAUTH2_VALIDATE_CEL)
+    	CEL expression for custom token validation. The expression must evaluate to a boolean value.
   --oauth2.validate.ipaddr
     	validate client ipaddr between VPN and oidc token (env: CONFIG_OAUTH2_VALIDATE_IPADDR)
   --oauth2.validate.issuer

internal/config/flags.go

@@ -407,13 +407,13 @@ func (c *Config) flagSetOAuth2(flagSet *flag.FlagSet) {
 		&c.OAuth2.Validate.IPAddr,
 		"oauth2.validate.ipaddr",
 		lookupEnvOrDefault("oauth2.validate.ipaddr", c.OAuth2.Validate.IPAddr),
-		"validate client ipaddr between VPN and oidc token",
+		"validate client ipaddr between VPN and OIDC token",
 	)
 	flagSet.BoolVar(
 		&c.OAuth2.Validate.Issuer,
 		"oauth2.validate.issuer",
 		lookupEnvOrDefault("oauth2.validate.issuer", c.OAuth2.Validate.Issuer),
-		"validate issuer from oidc discovery",
+		"validate issuer from OIDC discovery",
 	)
 	flagSet.StringVar(
 		&c.OAuth2.Validate.CommonName,
@@ -433,8 +433,7 @@ func (c *Config) flagSetOAuth2(flagSet *flag.FlagSet) {
 		lookupEnvOrDefault("oauth2.validate.cel", c.OAuth2.Validate.CEL),
 		"CEL expression for custom token validation. "+
 			"The expression must evaluate to a boolean value. "+
-			"Available variables: openvpnUserCommonName (string), openvpnUserIPAddr (string), oauth2TokenClaims (map). "+
-			"Example: openvpnUserCommonName == oauth2TokenClaims.preferred_username",
+			"Example: openVPNUserCommonName == oauth2TokenClaims.preferred_username",
 	)
 	flagSet.TextVar(
 		&c.OAuth2.Scopes,

internal/oauth2/cel.go

@@ -7,8 +7,15 @@ import (
 	"github.com/jkroepke/openvpn-auth-oauth2/internal/state"
 )
 
+type CELAuthMode string
+
+const (
+	CELAuthModeInteractive    CELAuthMode = "interactive"
+	CELAuthModeNonInteractive CELAuthMode = "non-interactive"
+)
+
 // CheckTokenCEL checks the provided ID token claims against the configured CEL expression.
-func (c *Client) CheckTokenCEL(session state.State, tokens idtoken.IDToken) error {
+func (c *Client) CheckTokenCEL(authMode CELAuthMode, session state.State, tokens idtoken.IDToken) error {
 	if c.celEvalPrg == nil {
 		return nil
 	}
@@ -18,8 +25,10 @@ func (c *Client) CheckTokenCEL(session state.State, tokens idtoken.IDToken) erro
 	}
 
 	vars := map[string]any{
-		"openvpnUserCommonName": session.Client.CommonName,
-		"openvpnUserIPAddr":     session.IPAddr,
+		"authMode":              string(authMode),
+		"openVPNSessionState":   session.SessionState,
+		"openVPNUserCommonName": session.Client.CommonName,
+		"openVPNUserIPAddr":     session.IPAddr,
 		"oauth2TokenClaims":     tokens.IDTokenClaims.Claims,
 	}
 

internal/oauth2/cel_test.go

@@ -141,7 +141,7 @@ func TestCheckTokenCEL(t *testing.T) {
 				conf.OAuth2.Endpoints.Discovery = conf.OAuth2.Issuer
 				conf.OAuth2.Endpoints.Auth = conf.OAuth2.Issuer
 				conf.OAuth2.Endpoints.Token = conf.OAuth2.Issuer
-				conf.OAuth2.Validate.CEL = "openvpnUserCommonName == oauth2TokenClaims.preferred_username"
+				conf.OAuth2.Validate.CEL = "openVPNUserCommonName == oauth2TokenClaims.preferred_username"
 
 				return conf
 			}(),
@@ -167,7 +167,7 @@ func TestCheckTokenCEL(t *testing.T) {
 				conf.OAuth2.Endpoints.Discovery = conf.OAuth2.Issuer
 				conf.OAuth2.Endpoints.Auth = conf.OAuth2.Issuer
 				conf.OAuth2.Endpoints.Token = conf.OAuth2.Issuer
-				conf.OAuth2.Validate.CEL = "openvpnUserCommonName != oauth2TokenClaims.preferred_username"
+				conf.OAuth2.Validate.CEL = "openVPNUserCommonName != oauth2TokenClaims.preferred_username"
 
 				return conf
 			}(),
@@ -194,7 +194,7 @@ func TestCheckTokenCEL(t *testing.T) {
 				conf.OAuth2.Endpoints.Discovery = conf.OAuth2.Issuer
 				conf.OAuth2.Endpoints.Auth = conf.OAuth2.Issuer
 				conf.OAuth2.Endpoints.Token = conf.OAuth2.Issuer
-				conf.OAuth2.Validate.CEL = "openvpnUserCommonName"
+				conf.OAuth2.Validate.CEL = "openVPNUserCommonName"
 
 				return conf
 			}(),
@@ -221,7 +221,7 @@ func TestCheckTokenCEL(t *testing.T) {
 				conf.OAuth2.Endpoints.Discovery = conf.OAuth2.Issuer
 				conf.OAuth2.Endpoints.Auth = conf.OAuth2.Issuer
 				conf.OAuth2.Endpoints.Token = conf.OAuth2.Issuer
-				conf.OAuth2.Validate.CEL = "openvpnUserCommonName.lowerAscii() == string(oauth2TokenClaims.preferred_username).lowerAscii()"
+				conf.OAuth2.Validate.CEL = "openVPNUserCommonName.lowerAscii() == string(oauth2TokenClaims.preferred_username).lowerAscii()"
 
 				return conf
 			}(),
@@ -255,7 +255,7 @@ func TestCheckTokenCEL(t *testing.T) {
 
 			require.NoError(t, err)
 
-			err = oAuth2Client.CheckTokenCEL(tc.state, tc.token)
+			err = oAuth2Client.CheckTokenCEL(oauth2.CELAuthModeInteractive, tc.state, tc.token)
 			if tc.err != "" {
 				require.Error(t, err)
 				require.ErrorContains(t, err, tc.err)

internal/oauth2/handler.go

@@ -285,7 +285,7 @@ func (c *Client) postCodeExchangeHandler(
 			return
 		}
 
-		if err = c.CheckTokenCEL(session, tokens); err != nil {
+		if err = c.CheckTokenCEL(CELAuthModeInteractive, session, tokens); err != nil {
 			c.openvpn.DenyClient(ctx, logger, session.Client, "client rejected")
 			c.writeHTTPError(ctx, w, logger, http.StatusForbidden, "user validation", err.Error())
 

internal/oauth2/handler_test.go

@@ -339,6 +339,32 @@ func TestHandler(t *testing.T) {
 			true,
 			true,
 		},
+		{
+			"with cel validation result false",
+			func() config.Config {
+				conf := config.Defaults
+				conf.HTTP.Secret = testutils.Secret
+				conf.HTTP.Check.IPAddr = true
+				conf.HTTP.EnableProxyHeaders = true
+				conf.OAuth2.Provider = generic.Name
+				conf.OAuth2.Endpoints = config.OAuth2Endpoints{}
+				conf.OAuth2.Scopes = []string{oauth2types.ScopeOpenID, oauth2types.ScopeProfile}
+				conf.OAuth2.Validate.Groups = make([]string, 0)
+				conf.OAuth2.Validate.Roles = make([]string, 0)
+				conf.OAuth2.Validate.Issuer = true
+				conf.OAuth2.Validate.IPAddr = false
+				conf.OAuth2.Validate.CEL = "false"
+				conf.OpenVPN.Bypass.CommonNames = make(types.RegexpSlice, 0)
+				conf.OpenVPN.AuthTokenUser = true
+
+				return conf
+			}(),
+			state.New(state.ClientIdentifier{CID: 0, KID: 1, CommonName: "name"}, "127.0.0.2", "12345", ""),
+			false,
+			"127.0.0.2, 8.8.8.8",
+			true,
+			false,
+		},
 		{
 			"with client config found",
 			func() config.Config {

internal/oauth2/provider.go

@@ -84,8 +84,11 @@ func (c *Client) initializeCELValidation() error {
 	}
 
 	env, err := cel.NewEnv(
-		cel.VariableWithDoc("openvpnUserCommonName", cel.StringType, "The common name of the OpenVPN user"),
-		cel.VariableWithDoc("openvpnUserIPAddr", cel.StringType, "The IP address of the OpenVPN user"),
+		cel.VariableWithDoc("authMode", cel.StringType, "The authentication mode used (e.g., 'interactive', 'non-interactive')"),
+		cel.VariableWithDoc("openVPNSessionState", cel.StringType, "The OpenVPN session state "+
+			"(e.g., '', 'Empty', 'Initial', 'Authenticated', 'Expired', 'Invalid', 'AuthenticatedEmptyUser', 'ExpiredEmptyUser')"),
+		cel.VariableWithDoc("openVPNUserCommonName", cel.StringType, "The common name of the OpenVPN user"),
+		cel.VariableWithDoc("openVPNUserIPAddr", cel.StringType, "The IP address of the OpenVPN user"),
 		cel.VariableWithDoc("oauth2TokenClaims", cel.MapType(cel.StringType, cel.DynType), "The claims of the OAuth2 ID token"),
 		ext.Strings(ext.StringsVersion(4)),
 	)

internal/oauth2/refresh.go

@@ -78,6 +78,10 @@ func (c *Client) RefreshClientAuth(ctx context.Context, logger *slog.Logger, cli
 		return false, fmt.Errorf("error check user data: %w", err)
 	}
 
+	if err = c.CheckTokenCEL(CELAuthModeNonInteractive, session, tokens); err != nil {
+		return false, fmt.Errorf("error cel validation: %w", err)
+	}
+
 	logger.LogAttrs(ctx, slog.LevelInfo, "successful authenticate via refresh token")
 
 	refreshToken, err = c.provider.GetRefreshToken(tokens)

internal/oauth2/refresh_test.go

@@ -310,6 +310,23 @@ func TestRefreshReAuth(t *testing.T) {
 				return res.Result(), nil
 			}),
 		},
+		{
+			name:                     "refresh with CEL denying non-interactive auth",
+			clientCommonName:         "test",
+			nonInteractiveShouldWork: false,
+			conf: func() config.Config {
+				conf := config.Defaults
+				conf.OpenVPN.AuthTokenUser = false
+				conf.OAuth2.Provider = generic.Name
+				conf.OAuth2.Refresh.Enabled = true
+				conf.OAuth2.Refresh.ValidateUser = true
+				conf.OAuth2.Refresh.UseSessionID = false
+				conf.OAuth2.Validate.CEL = "authMode == 'interactive'"
+
+				return conf
+			}(),
+			rt: http.DefaultTransport,
+		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()