From edd7cf8967a95d9009dfa0bd82233f35fd6c0500 Mon Sep 17 00:00:00 2001 From: crystalstall Date: Fri, 6 Sep 2024 11:39:22 +0800 Subject: [PATCH 1/7] chore: fix function name (#4416) Signed-off-by: crystalstall --- client/control.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/client/control.go b/client/control.go index eeea1285ec7..3e20c312822 100644 --- a/client/control.go +++ b/client/control.go @@ -230,7 +230,7 @@ func (ctl *Control) registerMsgHandlers() { ctl.msgDispatcher.RegisterHandler(&msg.Pong{}, ctl.handlePong) } -// headerWorker sends heartbeat to server and check heartbeat timeout. +// heartbeatWorker sends heartbeat to server and check heartbeat timeout. func (ctl *Control) heartbeatWorker() { xl := ctl.xl From fe4ca1b54e9045ea91ffa4645ac8f39bb2e770ef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=8B=BE=E5=85=89=EF=BC=8C?= Date: Fri, 6 Sep 2024 11:41:11 +0800 Subject: [PATCH 2/7] Update README_zh.md (#4421) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 修复爱发电链接无法访问问题 --- README_zh.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README_zh.md b/README_zh.md index a07e840cc6c..63a49325df5 100644 --- a/README_zh.md +++ b/README_zh.md @@ -95,7 +95,7 @@ frp 是一个免费且开源的项目,我们欢迎任何人为其开发和进 您可以通过 [GitHub Sponsors](https://github.com/sponsors/fatedier) 赞助我们。 -国内用户可以通过 [爱发电](https://afdian.net/a/fatedier) 赞助我们。 +国内用户可以通过 [爱发电](https://afdian.com/a/fatedier) 赞助我们。 企业赞助者可以将贵公司的 Logo 以及链接放置在项目 README 文件中。 From 2855ac71e3fc3fb2859f4c75f97f97e99f131f1b Mon Sep 17 00:00:00 2001 From: fatedier Date: Wed, 9 Oct 2024 14:04:30 +0800 Subject: [PATCH 3/7] frpc visitor: add --server-user option to specify server proxy username (#4477) --- Release.md | 7 +------ pkg/config/flags.go | 1 + 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/Release.md b/Release.md index d0414efec04..fed36e2408a 100644 --- a/Release.md +++ b/Release.md @@ -1,8 +1,3 @@ ### Features -* Added a new plugin `tls2raw`: Enables TLS termination and forwarding of decrypted raw traffic to local service. -* Added a default timeout of 30 seconds for the frpc subcommands to prevent commands from being stuck for a long time due to network issues. - -### Fixes - -* Fixed the issue that when `loginFailExit = false`, the frpc stop command cannot be stopped correctly if the server is not successfully connected after startup. +* The frpc visitor command-line parameter adds the `--server-user` option to specify the username of the server-side proxy to connect to. diff --git a/pkg/config/flags.go b/pkg/config/flags.go index 98f617be481..ce2582dd84c 100644 --- a/pkg/config/flags.go +++ b/pkg/config/flags.go @@ -140,6 +140,7 @@ func registerVisitorBaseConfigFlags(cmd *cobra.Command, c *v1.VisitorBaseConfig, cmd.Flags().BoolVarP(&c.Transport.UseCompression, "uc", "", false, "use compression") cmd.Flags().StringVarP(&c.SecretKey, "sk", "", "", "secret key") cmd.Flags().StringVarP(&c.ServerName, "server_name", "", "", "server name") + cmd.Flags().StringVarP(&c.ServerUser, "server-user", "", "", "server user") cmd.Flags().StringVarP(&c.BindAddr, "bind_addr", "", "", "bind addr") cmd.Flags().IntVarP(&c.BindPort, "bind_port", "", 0, "bind port") } From 2466e65f43f61fa87fce0069cc06defe94f1e856 Mon Sep 17 00:00:00 2001 From: RobKenis Date: Sat, 12 Oct 2024 12:52:47 +0200 Subject: [PATCH 4/7] support multiple subjects in oidc ping (#4475) Resolves: #4466 --- pkg/auth/auth.go | 3 +- pkg/auth/oidc.go | 27 ++++++++++++------ pkg/auth/oidc_test.go | 64 +++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 85 insertions(+), 9 deletions(-) create mode 100644 pkg/auth/oidc_test.go diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go index 9d8db7b686b..ae706986708 100644 --- a/pkg/auth/auth.go +++ b/pkg/auth/auth.go @@ -50,7 +50,8 @@ func NewAuthVerifier(cfg v1.AuthServerConfig) (authVerifier Verifier) { case v1.AuthMethodToken: authVerifier = NewTokenAuth(cfg.AdditionalScopes, cfg.Token) case v1.AuthMethodOIDC: - authVerifier = NewOidcAuthVerifier(cfg.AdditionalScopes, cfg.OIDC) + tokenVerifier := NewTokenVerifier(cfg.OIDC) + authVerifier = NewOidcAuthVerifier(cfg.AdditionalScopes, tokenVerifier) } return authVerifier } diff --git a/pkg/auth/oidc.go b/pkg/auth/oidc.go index d87420ff764..40ce060faa9 100644 --- a/pkg/auth/oidc.go +++ b/pkg/auth/oidc.go @@ -87,14 +87,18 @@ func (auth *OidcAuthProvider) SetNewWorkConn(newWorkConnMsg *msg.NewWorkConn) (e return err } +type TokenVerifier interface { + Verify(context.Context, string) (*oidc.IDToken, error) +} + type OidcAuthConsumer struct { additionalAuthScopes []v1.AuthScope - verifier *oidc.IDTokenVerifier - subjectFromLogin string + verifier TokenVerifier + subjectsFromLogin []string } -func NewOidcAuthVerifier(additionalAuthScopes []v1.AuthScope, cfg v1.AuthOIDCServerConfig) *OidcAuthConsumer { +func NewTokenVerifier(cfg v1.AuthOIDCServerConfig) TokenVerifier { provider, err := oidc.NewProvider(context.Background(), cfg.Issuer) if err != nil { panic(err) @@ -105,9 +109,14 @@ func NewOidcAuthVerifier(additionalAuthScopes []v1.AuthScope, cfg v1.AuthOIDCSer SkipExpiryCheck: cfg.SkipExpiryCheck, SkipIssuerCheck: cfg.SkipIssuerCheck, } + return provider.Verifier(&verifierConf) +} + +func NewOidcAuthVerifier(additionalAuthScopes []v1.AuthScope, verifier TokenVerifier) *OidcAuthConsumer { return &OidcAuthConsumer{ additionalAuthScopes: additionalAuthScopes, - verifier: provider.Verifier(&verifierConf), + verifier: verifier, + subjectsFromLogin: []string{}, } } @@ -116,7 +125,9 @@ func (auth *OidcAuthConsumer) VerifyLogin(loginMsg *msg.Login) (err error) { if err != nil { return fmt.Errorf("invalid OIDC token in login: %v", err) } - auth.subjectFromLogin = token.Subject + if !slices.Contains(auth.subjectsFromLogin, token.Subject) { + auth.subjectsFromLogin = append(auth.subjectsFromLogin, token.Subject) + } return nil } @@ -125,11 +136,11 @@ func (auth *OidcAuthConsumer) verifyPostLoginToken(privilegeKey string) (err err if err != nil { return fmt.Errorf("invalid OIDC token in ping: %v", err) } - if token.Subject != auth.subjectFromLogin { + if !slices.Contains(auth.subjectsFromLogin, token.Subject) { return fmt.Errorf("received different OIDC subject in login and ping. "+ - "original subject: %s, "+ + "original subjects: %s, "+ "new subject: %s", - auth.subjectFromLogin, token.Subject) + auth.subjectsFromLogin, token.Subject) } return nil } diff --git a/pkg/auth/oidc_test.go b/pkg/auth/oidc_test.go new file mode 100644 index 00000000000..58054186e11 --- /dev/null +++ b/pkg/auth/oidc_test.go @@ -0,0 +1,64 @@ +package auth_test + +import ( + "context" + "testing" + "time" + + "github.com/coreos/go-oidc/v3/oidc" + "github.com/stretchr/testify/require" + + "github.com/fatedier/frp/pkg/auth" + v1 "github.com/fatedier/frp/pkg/config/v1" + "github.com/fatedier/frp/pkg/msg" +) + +type mockTokenVerifier struct{} + +func (m *mockTokenVerifier) Verify(ctx context.Context, subject string) (*oidc.IDToken, error) { + return &oidc.IDToken{ + Subject: subject, + }, nil +} + +func TestPingWithEmptySubjectFromLoginFails(t *testing.T) { + r := require.New(t) + consumer := auth.NewOidcAuthVerifier([]v1.AuthScope{v1.AuthScopeHeartBeats}, &mockTokenVerifier{}) + err := consumer.VerifyPing(&msg.Ping{ + PrivilegeKey: "ping-without-login", + Timestamp: time.Now().UnixMilli(), + }) + r.Error(err) + r.Contains(err.Error(), "received different OIDC subject in login and ping") +} + +func TestPingAfterLoginWithNewSubjectSucceeds(t *testing.T) { + r := require.New(t) + consumer := auth.NewOidcAuthVerifier([]v1.AuthScope{v1.AuthScopeHeartBeats}, &mockTokenVerifier{}) + err := consumer.VerifyLogin(&msg.Login{ + PrivilegeKey: "ping-after-login", + }) + r.NoError(err) + + err = consumer.VerifyPing(&msg.Ping{ + PrivilegeKey: "ping-after-login", + Timestamp: time.Now().UnixMilli(), + }) + r.NoError(err) +} + +func TestPingAfterLoginWithDifferentSubjectFails(t *testing.T) { + r := require.New(t) + consumer := auth.NewOidcAuthVerifier([]v1.AuthScope{v1.AuthScopeHeartBeats}, &mockTokenVerifier{}) + err := consumer.VerifyLogin(&msg.Login{ + PrivilegeKey: "login-with-first-subject", + }) + r.NoError(err) + + err = consumer.VerifyPing(&msg.Ping{ + PrivilegeKey: "ping-with-different-subject", + Timestamp: time.Now().UnixMilli(), + }) + r.Error(err) + r.Contains(err.Error(), "received different OIDC subject in login and ping") +} From b14192a8d3bb5b5a844977ea82de9a7d87dbdf06 Mon Sep 17 00:00:00 2001 From: 0x7fff <4812302+blizard863@users.noreply.github.com> Date: Tue, 15 Oct 2024 10:55:56 +0800 Subject: [PATCH 5/7] feat: bump (#4490) Co-authored-by: Coder123 --- Release.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Release.md b/Release.md index fed36e2408a..3661ea4de86 100644 --- a/Release.md +++ b/Release.md @@ -1,3 +1,5 @@ ### Features * The frpc visitor command-line parameter adds the `--server-user` option to specify the username of the server-side proxy to connect to. + +* Support multiple frpc instances with different subjects when using oidc authentication. \ No newline at end of file From 3a08c2aeb0fd5639e40c3f91d6c5ac98150ec194 Mon Sep 17 00:00:00 2001 From: fatedier Date: Thu, 17 Oct 2024 16:27:41 +0800 Subject: [PATCH 6/7] conf: fix example for tls2raw (#4494) --- conf/frpc_full_example.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/conf/frpc_full_example.toml b/conf/frpc_full_example.toml index 3bf868663b3..eb44739239d 100644 --- a/conf/frpc_full_example.toml +++ b/conf/frpc_full_example.toml @@ -327,7 +327,7 @@ requestHeaders.set.x-from-where = "frp" [[proxies]] name = "plugin_tls2raw" -type = "https" +type = "tcp" remotePort = 6008 [proxies.plugin] type = "tls2raw" From f7a06cbe61b0eb703a65b9ebabed036ed45fe8ca Mon Sep 17 00:00:00 2001 From: fatedier Date: Thu, 17 Oct 2024 17:22:41 +0800 Subject: [PATCH 7/7] use go1.23 (#4495) --- .github/workflows/golangci-lint.yml | 4 ++-- .github/workflows/goreleaser.yml | 2 +- .golangci.yml | 5 +++-- Release.md | 3 +-- client/proxy/proxy_wrapper.go | 2 +- dockerfiles/Dockerfile-for-frpc | 2 +- dockerfiles/Dockerfile-for-frps | 2 +- pkg/config/types/types.go | 8 ++++---- pkg/nathole/utils.go | 10 +++++----- pkg/util/util/util.go | 18 +++++++++--------- pkg/util/version/version.go | 2 +- server/proxy/proxy.go | 12 ++++++------ 12 files changed, 35 insertions(+), 35 deletions(-) diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index b3e2cb43c39..8058592853a 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml @@ -17,13 +17,13 @@ jobs: - uses: actions/checkout@v4 - uses: actions/setup-go@v5 with: - go-version: '1.22' + go-version: '1.23' cache: false - name: golangci-lint uses: golangci/golangci-lint-action@v4 with: # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version - version: v1.57 + version: v1.61 # Optional: golangci-lint command line arguments. # args: --issues-exit-code=0 diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml index 7c01f3764a0..d55913fda6c 100644 --- a/.github/workflows/goreleaser.yml +++ b/.github/workflows/goreleaser.yml @@ -15,7 +15,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v5 with: - go-version: '1.22' + go-version: '1.23' - name: Make All run: | diff --git a/.golangci.yml b/.golangci.yml index fb625c9b98c..f7456d65043 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -1,5 +1,5 @@ service: - golangci-lint-version: 1.57.x # use the fixed version to not introduce new linters unexpectedly + golangci-lint-version: 1.61.x # use the fixed version to not introduce new linters unexpectedly run: concurrency: 4 @@ -14,7 +14,7 @@ linters: enable: - unused - errcheck - - exportloopref + - copyloopvar - gocritic - gofumpt - goimports @@ -90,6 +90,7 @@ linters-settings: - G402 - G404 - G501 + - G115 # integer overflow conversion issues: # List of regexps of issue texts to exclude, empty list by default. diff --git a/Release.md b/Release.md index 3661ea4de86..ee388be1b1c 100644 --- a/Release.md +++ b/Release.md @@ -1,5 +1,4 @@ ### Features * The frpc visitor command-line parameter adds the `--server-user` option to specify the username of the server-side proxy to connect to. - -* Support multiple frpc instances with different subjects when using oidc authentication. \ No newline at end of file +* Support multiple frpc instances with different subjects when using oidc authentication. diff --git a/client/proxy/proxy_wrapper.go b/client/proxy/proxy_wrapper.go index 487e3702b9e..95048f29907 100644 --- a/client/proxy/proxy_wrapper.go +++ b/client/proxy/proxy_wrapper.go @@ -137,7 +137,7 @@ func (pw *Wrapper) SetRunningStatus(remoteAddr string, respErr string) error { pw.Phase = ProxyPhaseStartErr pw.Err = respErr pw.lastStartErr = time.Now() - return fmt.Errorf(pw.Err) + return fmt.Errorf("%s", pw.Err) } if err := pw.pxy.Run(); err != nil { diff --git a/dockerfiles/Dockerfile-for-frpc b/dockerfiles/Dockerfile-for-frpc index 99b3120778a..326c75b9ce7 100644 --- a/dockerfiles/Dockerfile-for-frpc +++ b/dockerfiles/Dockerfile-for-frpc @@ -1,4 +1,4 @@ -FROM golang:1.22 AS building +FROM golang:1.23 AS building COPY . /building WORKDIR /building diff --git a/dockerfiles/Dockerfile-for-frps b/dockerfiles/Dockerfile-for-frps index 3d2c387a431..0772686c333 100644 --- a/dockerfiles/Dockerfile-for-frps +++ b/dockerfiles/Dockerfile-for-frps @@ -1,4 +1,4 @@ -FROM golang:1.22 AS building +FROM golang:1.23 AS building COPY . /building WORKDIR /building diff --git a/pkg/config/types/types.go b/pkg/config/types/types.go index a6cd2e71b0e..8fa3105a5f3 100644 --- a/pkg/config/types/types.go +++ b/pkg/config/types/types.go @@ -159,18 +159,18 @@ func NewPortsRangeSliceFromString(str string) ([]PortsRange, error) { out = append(out, PortsRange{Single: int(singleNum)}) case 2: // range numbers - min, err := strconv.ParseInt(strings.TrimSpace(numArray[0]), 10, 64) + minNum, err := strconv.ParseInt(strings.TrimSpace(numArray[0]), 10, 64) if err != nil { return nil, fmt.Errorf("range number is invalid, %v", err) } - max, err := strconv.ParseInt(strings.TrimSpace(numArray[1]), 10, 64) + maxNum, err := strconv.ParseInt(strings.TrimSpace(numArray[1]), 10, 64) if err != nil { return nil, fmt.Errorf("range number is invalid, %v", err) } - if max < min { + if maxNum < minNum { return nil, fmt.Errorf("range number is invalid") } - out = append(out, PortsRange{Start: int(min), End: int(max)}) + out = append(out, PortsRange{Start: int(minNum), End: int(maxNum)}) default: return nil, fmt.Errorf("range number is invalid") } diff --git a/pkg/nathole/utils.go b/pkg/nathole/utils.go index 3896a2153f0..5f32142ec1b 100644 --- a/pkg/nathole/utils.go +++ b/pkg/nathole/utils.go @@ -78,9 +78,9 @@ func ListAllLocalIPs() ([]net.IP, error) { return ips, nil } -func ListLocalIPsForNatHole(max int) ([]string, error) { - if max <= 0 { - return nil, fmt.Errorf("max must be greater than 0") +func ListLocalIPsForNatHole(maxItems int) ([]string, error) { + if maxItems <= 0 { + return nil, fmt.Errorf("maxItems must be greater than 0") } ips, err := ListAllLocalIPs() @@ -88,9 +88,9 @@ func ListLocalIPsForNatHole(max int) ([]string, error) { return nil, err } - filtered := make([]string, 0, max) + filtered := make([]string, 0, maxItems) for _, ip := range ips { - if len(filtered) >= max { + if len(filtered) >= maxItems { break } diff --git a/pkg/util/util/util.go b/pkg/util/util/util.go index 7758054d948..774af2cfaa2 100644 --- a/pkg/util/util/util.go +++ b/pkg/util/util/util.go @@ -85,21 +85,21 @@ func ParseRangeNumbers(rangeStr string) (numbers []int64, err error) { numbers = append(numbers, singleNum) case 2: // range numbers - min, errRet := strconv.ParseInt(strings.TrimSpace(numArray[0]), 10, 64) + minValue, errRet := strconv.ParseInt(strings.TrimSpace(numArray[0]), 10, 64) if errRet != nil { err = fmt.Errorf("range number is invalid, %v", errRet) return } - max, errRet := strconv.ParseInt(strings.TrimSpace(numArray[1]), 10, 64) + maxValue, errRet := strconv.ParseInt(strings.TrimSpace(numArray[1]), 10, 64) if errRet != nil { err = fmt.Errorf("range number is invalid, %v", errRet) return } - if max < min { + if maxValue < minValue { err = fmt.Errorf("range number is invalid") return } - for i := min; i <= max; i++ { + for i := minValue; i <= maxValue; i++ { numbers = append(numbers, i) } default: @@ -118,13 +118,13 @@ func GenerateResponseErrorString(summary string, err error, detailed bool) strin } func RandomSleep(duration time.Duration, minRatio, maxRatio float64) time.Duration { - min := int64(minRatio * 1000.0) - max := int64(maxRatio * 1000.0) + minValue := int64(minRatio * 1000.0) + maxValue := int64(maxRatio * 1000.0) var n int64 - if max <= min { - n = min + if maxValue <= minValue { + n = minValue } else { - n = mathrand.Int64N(max-min) + min + n = mathrand.Int64N(maxValue-minValue) + minValue } d := duration * time.Duration(n) / time.Duration(1000) time.Sleep(d) diff --git a/pkg/util/version/version.go b/pkg/util/version/version.go index a60d71d2fa6..91b2ed98a2c 100644 --- a/pkg/util/version/version.go +++ b/pkg/util/version/version.go @@ -14,7 +14,7 @@ package version -var version = "0.60.0" +var version = "0.61.0" func Full() string { return version diff --git a/server/proxy/proxy.go b/server/proxy/proxy.go index d5ab0f13ae5..c7c18c32223 100644 --- a/server/proxy/proxy.go +++ b/server/proxy/proxy.go @@ -137,17 +137,17 @@ func (pxy *BaseProxy) GetWorkConnFromPool(src, dst net.Addr) (workConn net.Conn, dstAddr string srcPortStr string dstPortStr string - srcPort int - dstPort int + srcPort uint64 + dstPort uint64 ) if src != nil { srcAddr, srcPortStr, _ = net.SplitHostPort(src.String()) - srcPort, _ = strconv.Atoi(srcPortStr) + srcPort, _ = strconv.ParseUint(srcPortStr, 10, 16) } if dst != nil { dstAddr, dstPortStr, _ = net.SplitHostPort(dst.String()) - dstPort, _ = strconv.Atoi(dstPortStr) + dstPort, _ = strconv.ParseUint(dstPortStr, 10, 16) } err := msg.WriteMsg(workConn, &msg.StartWorkConn{ ProxyName: pxy.GetName(), @@ -190,8 +190,8 @@ func (pxy *BaseProxy) startCommonTCPListenersHandler() { } else { tempDelay *= 2 } - if max := 1 * time.Second; tempDelay > max { - tempDelay = max + if maxTime := 1 * time.Second; tempDelay > maxTime { + tempDelay = maxTime } xl.Infof("met temporary error: %s, sleep for %s ...", err, tempDelay) time.Sleep(tempDelay)