Merge pull request #126 from ansibleguy/fix-openvpn-server-usercnstrict

api-fix for openvpn-server user-cn-strict (fix #125)
ansibleguy · Dec 24, 2024 · fe60973 · fe60973
2 parents 9b010ca + a2f23b1
commit fe60973
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 7 deletions.
diff --git a/docs/source/modules/openvpn.rst b/docs/source/modules/openvpn.rst
@@ -77,7 +77,7 @@ ansibleguy.opnsense.openvpn_server
     "register_dns","boolean","false","false","\-","Run ipconfig /flushdns and ipconfig /registerdns on connection initiation. This is known to kick Windows into recognizing pushed DNS servers."
     "ocsp","boolean","false","false","use_ocsp, verify_ocsp","When the CA used supplies an authorityInfoAccess OCSP URI extension, it will be used to validate the client certificate."
     "user_as_cn","boolean","false","false","username_as_cn","Use the authenticated username as the common-name, rather than the common-name from the client certificate."
-    "user_cn_strict","boolean","false","false","username_cn_strict","When authenticating users, enforce a match between the Common Name of the client certificate and the username given at login."
+    "user_cn_strict","string","false","no","username_cn_strict","One of: 'yes', 'no', 'case-insensitive', 'ci', 'true', 'false'. When authenticating users, enforce a match between the Common Name of the client certificate and the username given at login."
     "mss_fix","boolean","false","false","mss","Announce to TCP sessions running over the tunnel that they should limit their send packet sizes such that after OpenVPN has encapsulated them, the resulting UDP packet size that OpenVPN sends to its peer will not exceed the recommended size."
     "reload","boolean","false","true","\-", .. include:: ../_include/param_reload.rst
 
@@ -235,7 +235,7 @@ ansibleguy.opnsense.openvpn_server
             # ntp_servers: []
             # register_dns: false
             # user_as_cn: false
-            # user_cn_strict: false
+            # user_cn_strict: 'yes'
             # mss_fix: false
             # reload: true
             # enabled: true
@@ -265,7 +265,7 @@ ansibleguy.opnsense.openvpn_server
             data_ciphers: ['AES-256-GCM', 'CHACHA20-POLY1305']
             max_connections: 100
             user_as_cn: true
-            user_cn_strict: true
+            user_cn_strict: 'yes'
             push_options: ['block-outside-dns', 'register-dns']
             mtu: 1420
 
@@ -283,7 +283,7 @@ ansibleguy.opnsense.openvpn_server
             data_ciphers: ['AES-256-GCM', 'CHACHA20-POLY1305']
             max_connections: 100
             user_as_cn: true
-            user_cn_strict: true
+            user_cn_strict: 'yes'
             push_options: ['block-outside-dns', 'register-dns']
             mtu: 1420
             enabled: false

diff --git a/plugins/module_utils/main/openvpn_server.py b/plugins/module_utils/main/openvpn_server.py
@@ -64,7 +64,7 @@ class Server(BaseModule):
         'data_cipher_fallback': 'data-ciphers-fallback',
     }
     FIELDS_TYPING = {
-        'bool': ['enabled', 'mss_fix', 'ocsp', 'user_as_cn', 'user_cn_strict', 'register_dns'],
+        'bool': ['enabled', 'mss_fix', 'ocsp', 'user_as_cn', 'register_dns'],
         'list': [
             'network_local', 'network_remote', 'options', 'data_ciphers', 'auth_mode', 'push_options',
             'redirect_gateway', 'domain_list', 'dns_servers', 'ntp_servers',
@@ -74,7 +74,7 @@ class Server(BaseModule):
             'mode', 'protocol', 'role', 'topology', 'crl', 'verify_client_cert', 'cert_depth',
             'data_cipher_fallback', 'auth_group',
         ],
-        'select_opt_list_idx': ['log_level'],
+        'select_opt_list_idx': ['log_level', 'user_cn_strict'],
         'int': ['fragment_size', 'mtu', 'route_metric'],
     }
     INT_VALIDATIONS = {

diff --git a/plugins/modules/openvpn_server.py b/plugins/modules/openvpn_server.py
@@ -26,6 +26,16 @@
 # DOCUMENTATION = 'https://opnsense.ansibleguy.net/modules/openvpn.html'
 # EXAMPLES = 'https://opnsense.ansibleguy.net/modules/openvpn.html'
 
+USER_CN_STRICT_MAP = {
+    'no': 0,
+    'false': 0,
+    'False': 0,
+    'yes': 1,
+    'true': 1,
+    'True': 1,
+    'case-insensitive': 2,
+    'ci': 2,
+}
 
 def run_module():
     module_args = dict(
@@ -112,7 +122,8 @@ def run_module():
                         'from the client certificate.'
         ),
         user_cn_strict=dict(
-            type='bool', required=False, default=False, aliases=['username_cn_strict'],
+            type='str', required=False, default=False, aliases=['username_cn_strict'],
+            choices=list(USER_CN_STRICT_MAP.keys()),
             description='When authenticating users, enforce a match between the Common Name of the client '
                         'certificate and the username given at login.'
         ),
@@ -174,6 +185,7 @@ def run_module():
     )
 
 
+
     result = dict(
         changed=False,
         diff={
@@ -187,6 +199,8 @@ def run_module():
         supports_check_mode=True,
     )
 
+    module.params['user_cn_strict'] = USER_CN_STRICT_MAP[module.params['user_cn_strict']]
+
     module_wrapper(Server(module=module, result=result))
     module.exit_json(**result)