From f83e6cfc59c392a03c3617a2db39f874439a64be Mon Sep 17 00:00:00 2001
From: Fabio Prina
Date: Sat, 22 Sep 2018 19:42:48 +0200
Subject: [PATCH 1/2] openvpn, option to match CSO against common_name or login
---
 src/etc/inc/plugins.inc.d/openvpn/auth-user.php | 17 ++++++++++++++---
 src/www/vpn_openvpn_server.php | 17 ++++++++++++++---
 2 files changed, 28 insertions(+), 6 deletions(-)
diff --git a/src/etc/inc/plugins.inc.d/openvpn/auth-user.php b/src/etc/inc/plugins.inc.d/openvpn/auth-user.php
index af94fd90f..1275ef480 100644
--- a/src/etc/inc/plugins.inc.d/openvpn/auth-user.php
+++ b/src/etc/inc/plugins.inc.d/openvpn/auth-user.php
@@ -115,12 +115,23 @@ if (count($argv) > 6) {
 if ($authenticator) {
 if ($authenticator->authenticate($username, $password)) {
 $vpnid = filter_var($a_server['vpnid'], FILTER_SANITIZE_NUMBER_INT);
+ $cso_login_matching = $a_server['cso_login_matching'];
 // fetch or create client specif override
 $all_cso = openvpn_fetch_csc_list();
- if (!empty($all_cso[$vpnid][$common_name])) {
- $cso = $all_cso[$vpnid][$common_name];
+ if (empty($cso_login_matching)){
+ syslog(LOG_NOTICE, "CSO Login - CN" );
+ if (!empty($all_cso[$vpnid][$common_name])) {
+ $cso = $all_cso[$vpnid][$common_name];
+ } else {
+ $cso = array("common_name" => $common_name);
+ }
 } else {
- $cso = array("common_name" => $common_name);
+ syslog(LOG_NOTICE, "CSO Login - USER" );
+ if (!empty($all_cso[$vpnid][$username])) {
+ $cso = $all_cso[$vpnid][$username];
+ } else {
+ $cso = array("common_name" => $username);
+ }
 }
 $cso = array_merge($cso, parse_auth_properties($authenticator->getLastAuthProperties()));
 $cso_filename = openvpn_csc_conf_write($cso, $a_server);
diff --git a/src/www/vpn_openvpn_server.php b/src/www/vpn_openvpn_server.php
index 852808345..a2fd7e95f 100644
--- a/src/www/vpn_openvpn_server.php
+++ b/src/www/vpn_openvpn_server.php
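Review bot: In the new `else` branch the override handed to `openvpn_csc_conf_write` carries `common_name => $username`, so with the option set the CSO is keyed by the login name the client supplied rather than by the CN the CA vouched for, and nothing in the hunk ties those two identities together. Unless the server is also run with `strictusercn` or `use-common-name` (both appear in the field lists of this same patch), any holder of a valid certificate who knows another account's password picks up that account's override; if that is the intent it should be spelled out next to the branch, e.g. `// CSO keyed by login name: only meaningful together with strictusercn / username-as-common-name`. I also cannot see how `openvpn_csc_conf_write` derives its file name; if it is built from `common_name`, please confirm that a username containing path characters is rejected, since usernames are not subject to the CA's CN constraints. The enclosing `if (count($argv) > 6)` block starts and ends outside the hunk.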
@@ -69,7 +69,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 ,ntp_server2,netbios_enable,netbios_ntype,netbios_scope,wins_server1
 ,wins_server2,no_tun_ipv6,push_register_dns,dns_domain,local_group
 ,client_mgmt_port,verbosity_level,caref,crlref,certref,dh_length
- ,cert_depth,strictusercn,digest,disable,duplicate_cn,vpnid,reneg-sec,use-common-name";
+ ,cert_depth,strictusercn,digest,disable,duplicate_cn,vpnid,reneg-sec,use-common-name,cso_login_matching";
 
 foreach (explode(",", $copy_fields) as $fieldname) {
 $fieldname = trim($fieldname);
@@ -117,7 +117,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 ,ntp_server2,netbios_enable,netbios_ntype,netbios_scope,wins_server1
 ,wins_server2,no_tun_ipv6,push_register_dns,dns_domain
 ,client_mgmt_port,verbosity_level,caref,crlref,certref,dh_length
- ,cert_depth,strictusercn,digest,disable,duplicate_cn,vpnid,shared_key,tls,reneg-sec,use-common-name";
+ ,cert_depth,strictusercn,digest,disable,duplicate_cn,vpnid,shared_key,tls,reneg-sec,use-common-name,cso_login_matching";
 foreach (explode(",", $init_fields) as $fieldname) {
 $fieldname = trim($fieldname);
 if (!isset($pconfig[$fieldname])) {
@@ -347,7 +347,7 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 ,serverbridge_dhcp_end,dns_domain,dns_server1,dns_server2,dns_server3
 ,dns_server4,push_register_dns,ntp_server1,ntp_server2,netbios_enable
 ,netbios_ntype,netbios_scope,no_tun_ipv6,verbosity_level,wins_server1
- ,wins_server2,client_mgmt_port,strictusercn,reneg-sec,use-common-name";
+ ,wins_server2,client_mgmt_port,strictusercn,reneg-sec,use-common-name,cso_login_matching";
 
 foreach (explode(",", $copy_fields) as $fieldname) {
 $fieldname = trim($fieldname);
@@ -1585,6 +1585,17 @@ endif; ?> + + + + /> + +  
From c314ac09e457f9ae48ae2dfa7d666fde6715a351 Mon Sep 17 00:00:00 2001
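Review bot: The new `cso_login_matching` field is added only to the GET-side `copy_fields`/`init_fields` lists in the `@@ -69`, `@@ -117` and `@@ -347` hunks; the POST handler that validates and persists the form is not part of this diff, so I cannot tell whether the checkbox ever reaches the `$a_server['cso_login_matching']` that auth-user.php reads — please confirm it is on the save path, otherwise the option silently does nothing. Because the flag changes which identity a client override is bound to (login name instead of certificate CN), the save path should probably warn or refuse when `strictusercn`/`use-common-name` is off, or at least the help text of the `@@ -1585` checkbox (whose markup is garbled in this copy) should state that dependency, e.g. "Match overrides on the login name; only safe with Strict User/CN Matching or Username as Common Name enabled". The surrounding GET handler starts and ends outside these hunks.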
From: Ad Schellevis
Date: Mon, 1 Oct 2018 21:45:41 +0200
Subject: [PATCH 2/2] small cleanups for https://github.com/opnsense/core/pull/2748
---
 .../inc/plugins.inc.d/openvpn/auth-user.php | 23 +++++++------------
 src/www/vpn_openvpn_server.php | 5 ++--
 2 files changed, 11 insertions(+), 17 deletions(-)
diff --git a/src/etc/inc/plugins.inc.d/openvpn/auth-user.php b/src/etc/inc/plugins.inc.d/openvpn/auth-user.php
index 1275ef480..df9537783 100644
--- a/src/etc/inc/plugins.inc.d/openvpn/auth-user.php
+++ b/src/etc/inc/plugins.inc.d/openvpn/auth-user.php
@@ -115,28 +115,21 @@ if (count($argv) > 6) {
 if ($authenticator) {
 if ($authenticator->authenticate($username, $password)) {
 $vpnid = filter_var($a_server['vpnid'], FILTER_SANITIZE_NUMBER_INT);
- $cso_login_matching = $a_server['cso_login_matching'];
 // fetch or create client specif override
 $all_cso = openvpn_fetch_csc_list();
- if (empty($cso_login_matching)){
- syslog(LOG_NOTICE, "CSO Login - CN" );
- if (!empty($all_cso[$vpnid][$common_name])) {
- $cso = $all_cso[$vpnid][$common_name];
- } else {
- $cso = array("common_name" => $common_name);
- }
+ $common_name = empty($a_server['cso_login_matching']) ? $common_name : $username;
+ $login_type = empty($a_server['cso_login_matching']) ? "CN" : "USER";
+ if (!empty($all_cso[$vpnid][$common_name])) {
+ $cso = $all_cso[$vpnid][$common_name];
 } else {
- syslog(LOG_NOTICE, "CSO Login - USER" );
- if (!empty($all_cso[$vpnid][$username])) {
- $cso = $all_cso[$vpnid][$username];
- } else {
- $cso = array("common_name" => $username);
- }
+ $cso = array("common_name" => $common_name);
 }
+
 $cso = array_merge($cso, parse_auth_properties($authenticator->getLastAuthProperties()));
 $cso_filename = openvpn_csc_conf_write($cso, $a_server);
 if (!empty($cso_filename)) {
- syslog(LOG_NOTICE, "user '{$username}' authenticated using '{$authName}' cso :{$cso_filename}");
+ $tmp = empty($a_server['cso_login_matching']) ? "CSO [CN]" : "CSO [USER]";
+ syslog(LOG_NOTICE, "user '{$username}' authenticated using '{$authName}' {$tmp}:{$cso_filename}");
 } else {
 syslog(LOG_NOTICE, "user '{$username}' authenticated using '{$authName}'");
 }
diff --git a/src/www/vpn_openvpn_server.php b/src/www/vpn_openvpn_server.php
index a2fd7e95f..e43e64559 100644
--- a/src/www/vpn_openvpn_server.php
+++ b/src/www/vpn_openvpn_server.php
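Review bot: The first added line overwrites `$common_name` with the login name, so anything after this hunk in the enclosing `if (count($argv) > 6)` block (which continues past the hunk) that still expects the certificate CN would silently see `$username` instead, and the second added line assigns `$login_type` that is never read — the later `$tmp` ternary recomputes the same choice a third time. I would look the override up through a separate `$cso_key`, keep `$common_name` untouched for the rest of the script, and reuse `$login_type` in the log line so the audit trail keeps saying which identity the override was bound to; the log text stays identical. The rewrite below touches only those lines.
```php
            $cso_key = empty($a_server['cso_login_matching']) ? $common_name : $username;
            $login_type = empty($a_server['cso_login_matching']) ? "CN" : "USER";
            if (!empty($all_cso[$vpnid][$cso_key])) {
                $cso = $all_cso[$vpnid][$cso_key];
            } else {
                $cso = array("common_name" => $cso_key);
            }
            // … unchanged: array_merge of auth properties, openvpn_csc_conf_write …
            if (!empty($cso_filename)) {
                syslog(LOG_NOTICE, "user '{$username}' authenticated using '{$authName}' CSO [{$login_type}]:{$cso_filename}");
```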
@@ -117,7 +117,8 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
 ,ntp_server2,netbios_enable,netbios_ntype,netbios_scope,wins_server1
 ,wins_server2,no_tun_ipv6,push_register_dns,dns_domain
 ,client_mgmt_port,verbosity_level,caref,crlref,certref,dh_length
- ,cert_depth,strictusercn,digest,disable,duplicate_cn,vpnid,shared_key,tls,reneg-sec,use-common-name,cso_login_matching";
+ ,cert_depth,strictusercn,digest,disable,duplicate_cn,vpnid,shared_key,tls,reneg-sec,use-common-name
+ ,cso_login_matching";
 foreach (explode(",", $init_fields) as $fieldname) {
 $fieldname = trim($fieldname);
 if (!isset($pconfig[$fieldname])) {
@@ -1591,7 +1592,7 @@ endif; ?> />