Merge pull request #4496 from fatedier/dev

fatedier · web-flow · commit 4bbec09d570a · 2024-10-17T17:28:10.000+08:00
bump version
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
@@ -17,13 +17,13 @@ jobs:
     - uses: actions/checkout@v4
     - uses: actions/setup-go@v5
       with:
-        go-version: '1.22'
+        go-version: '1.23'
         cache: false
     - name: golangci-lint
       uses: golangci/golangci-lint-action@v4
       with:
         # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
-        version: v1.57
+        version: v1.61
 
         # Optional: golangci-lint command line arguments.
         # args: --issues-exit-code=0
diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
@@ -15,7 +15,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.22'
+          go-version: '1.23'
           
       - name: Make All
         run: |
diff --git a/.golangci.yml b/.golangci.yml
@@ -1,5 +1,5 @@
 service:
-  golangci-lint-version: 1.57.x # use the fixed version to not introduce new linters unexpectedly
+  golangci-lint-version: 1.61.x # use the fixed version to not introduce new linters unexpectedly
 
 run:
   concurrency: 4
@@ -14,7 +14,7 @@ linters:
   enable:
   - unused
   - errcheck
-  - exportloopref
+  - copyloopvar
   - gocritic
   - gofumpt
   - goimports
@@ -90,6 +90,7 @@ linters-settings:
     - G402
     - G404
     - G501
+    - G115 # integer overflow conversion
 
 issues:
   # List of regexps of issue texts to exclude, empty list by default.
diff --git a/README_zh.md b/README_zh.md
@@ -95,7 +95,7 @@ frp 是一个免费且开源的项目，我们欢迎任何人为其开发和进
 
 您可以通过 [GitHub Sponsors](https://github.com/sponsors/fatedier) 赞助我们。
 
-国内用户可以通过 [爱发电](https://afdian.net/a/fatedier) 赞助我们。
+国内用户可以通过 [爱发电](https://afdian.com/a/fatedier) 赞助我们。
 
 企业赞助者可以将贵公司的 Logo 以及链接放置在项目 README 文件中。
 
diff --git a/Release.md b/Release.md
@@ -1,8 +1,4 @@
 ### Features
 
-* Added a new plugin `tls2raw`: Enables TLS termination and forwarding of decrypted raw traffic to local service.
-* Added a default timeout of 30 seconds for the frpc subcommands to prevent commands from being stuck for a long time due to network issues.
-
-### Fixes
-
-* Fixed the issue that when `loginFailExit = false`, the frpc stop command cannot be stopped correctly if the server is not successfully connected after startup.
+* The frpc visitor command-line parameter adds the `--server-user` option to specify the username of the server-side proxy to connect to.
+* Support multiple frpc instances with different subjects when using oidc authentication.
diff --git a/client/control.go b/client/control.go
@@ -230,7 +230,7 @@ func (ctl *Control) registerMsgHandlers() {
 	ctl.msgDispatcher.RegisterHandler(&msg.Pong{}, ctl.handlePong)
 }
 
-// headerWorker sends heartbeat to server and check heartbeat timeout.
+// heartbeatWorker sends heartbeat to server and check heartbeat timeout.
 func (ctl *Control) heartbeatWorker() {
 	xl := ctl.xl
 
diff --git a/client/proxy/proxy_wrapper.go b/client/proxy/proxy_wrapper.go
@@ -137,7 +137,7 @@ func (pw *Wrapper) SetRunningStatus(remoteAddr string, respErr string) error {
 		pw.Phase = ProxyPhaseStartErr
 		pw.Err = respErr
 		pw.lastStartErr = time.Now()
-		return fmt.Errorf(pw.Err)
+		return fmt.Errorf("%s", pw.Err)
 	}
 
 	if err := pw.pxy.Run(); err != nil {
diff --git a/conf/frpc_full_example.toml b/conf/frpc_full_example.toml
@@ -327,7 +327,7 @@ requestHeaders.set.x-from-where = "frp"
 
 [[proxies]]
 name = "plugin_tls2raw"
-type = "https"
+type = "tcp"
 remotePort = 6008
 [proxies.plugin]
 type = "tls2raw"
diff --git a/dockerfiles/Dockerfile-for-frpc b/dockerfiles/Dockerfile-for-frpc
@@ -1,4 +1,4 @@
-FROM golang:1.22 AS building
+FROM golang:1.23 AS building
 
 COPY . /building
 WORKDIR /building
diff --git a/dockerfiles/Dockerfile-for-frps b/dockerfiles/Dockerfile-for-frps
@@ -1,4 +1,4 @@
-FROM golang:1.22 AS building
+FROM golang:1.23 AS building
 
 COPY . /building
 WORKDIR /building
diff --git a/pkg/auth/auth.go b/pkg/auth/auth.go
@@ -50,7 +50,8 @@ func NewAuthVerifier(cfg v1.AuthServerConfig) (authVerifier Verifier) {
 	case v1.AuthMethodToken:
 		authVerifier = NewTokenAuth(cfg.AdditionalScopes, cfg.Token)
 	case v1.AuthMethodOIDC:
-		authVerifier = NewOidcAuthVerifier(cfg.AdditionalScopes, cfg.OIDC)
+		tokenVerifier := NewTokenVerifier(cfg.OIDC)
+		authVerifier = NewOidcAuthVerifier(cfg.AdditionalScopes, tokenVerifier)
 	}
 	return authVerifier
 }
diff --git a/pkg/auth/oidc.go b/pkg/auth/oidc.go
@@ -87,14 +87,18 @@ func (auth *OidcAuthProvider) SetNewWorkConn(newWorkConnMsg *msg.NewWorkConn) (e
 	return err
 }
 
+type TokenVerifier interface {
+	Verify(context.Context, string) (*oidc.IDToken, error)
+}
+
 type OidcAuthConsumer struct {
 	additionalAuthScopes []v1.AuthScope
 
-	verifier         *oidc.IDTokenVerifier
-	subjectFromLogin string
+	verifier          TokenVerifier
+	subjectsFromLogin []string
 }
 
-func NewOidcAuthVerifier(additionalAuthScopes []v1.AuthScope, cfg v1.AuthOIDCServerConfig) *OidcAuthConsumer {
+func NewTokenVerifier(cfg v1.AuthOIDCServerConfig) TokenVerifier {
 	provider, err := oidc.NewProvider(context.Background(), cfg.Issuer)
 	if err != nil {
 		panic(err)
@@ -105,9 +109,14 @@ func NewOidcAuthVerifier(additionalAuthScopes []v1.AuthScope, cfg v1.AuthOIDCSer
 		SkipExpiryCheck:   cfg.SkipExpiryCheck,
 		SkipIssuerCheck:   cfg.SkipIssuerCheck,
 	}
+	return provider.Verifier(&verifierConf)
+}
+
+func NewOidcAuthVerifier(additionalAuthScopes []v1.AuthScope, verifier TokenVerifier) *OidcAuthConsumer {
 	return &OidcAuthConsumer{
 		additionalAuthScopes: additionalAuthScopes,
-		verifier:             provider.Verifier(&verifierConf),
+		verifier:             verifier,
+		subjectsFromLogin:    []string{},
 	}
 }
 
@@ -116,7 +125,9 @@ func (auth *OidcAuthConsumer) VerifyLogin(loginMsg *msg.Login) (err error) {
 	if err != nil {
 		return fmt.Errorf("invalid OIDC token in login: %v", err)
 	}
-	auth.subjectFromLogin = token.Subject
+	if !slices.Contains(auth.subjectsFromLogin, token.Subject) {
+		auth.subjectsFromLogin = append(auth.subjectsFromLogin, token.Subject)
+	}
 	return nil
 }
 
@@ -125,11 +136,11 @@ func (auth *OidcAuthConsumer) verifyPostLoginToken(privilegeKey string) (err err
 	if err != nil {
 		return fmt.Errorf("invalid OIDC token in ping: %v", err)
 	}
-	if token.Subject != auth.subjectFromLogin {
+	if !slices.Contains(auth.subjectsFromLogin, token.Subject) {
 		return fmt.Errorf("received different OIDC subject in login and ping. "+
-			"original subject: %s, "+
+			"original subjects: %s, "+
 			"new subject: %s",
-			auth.subjectFromLogin, token.Subject)
+			auth.subjectsFromLogin, token.Subject)
 	}
 	return nil
 }
diff --git a/pkg/auth/oidc_test.go b/pkg/auth/oidc_test.go
@@ -0,0 +1,64 @@
+package auth_test
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/stretchr/testify/require"
+
+	"github.com/fatedier/frp/pkg/auth"
+	v1 "github.com/fatedier/frp/pkg/config/v1"
+	"github.com/fatedier/frp/pkg/msg"
+)
+
+type mockTokenVerifier struct{}
+
+func (m *mockTokenVerifier) Verify(ctx context.Context, subject string) (*oidc.IDToken, error) {
+	return &oidc.IDToken{
+		Subject: subject,
+	}, nil
+}
+
+func TestPingWithEmptySubjectFromLoginFails(t *testing.T) {
+	r := require.New(t)
+	consumer := auth.NewOidcAuthVerifier([]v1.AuthScope{v1.AuthScopeHeartBeats}, &mockTokenVerifier{})
+	err := consumer.VerifyPing(&msg.Ping{
+		PrivilegeKey: "ping-without-login",
+		Timestamp:    time.Now().UnixMilli(),
+	})
+	r.Error(err)
+	r.Contains(err.Error(), "received different OIDC subject in login and ping")
+}
+
+func TestPingAfterLoginWithNewSubjectSucceeds(t *testing.T) {
+	r := require.New(t)
+	consumer := auth.NewOidcAuthVerifier([]v1.AuthScope{v1.AuthScopeHeartBeats}, &mockTokenVerifier{})
+	err := consumer.VerifyLogin(&msg.Login{
+		PrivilegeKey: "ping-after-login",
+	})
+	r.NoError(err)
+
+	err = consumer.VerifyPing(&msg.Ping{
+		PrivilegeKey: "ping-after-login",
+		Timestamp:    time.Now().UnixMilli(),
+	})
+	r.NoError(err)
+}
+
+func TestPingAfterLoginWithDifferentSubjectFails(t *testing.T) {
+	r := require.New(t)
+	consumer := auth.NewOidcAuthVerifier([]v1.AuthScope{v1.AuthScopeHeartBeats}, &mockTokenVerifier{})
+	err := consumer.VerifyLogin(&msg.Login{
+		PrivilegeKey: "login-with-first-subject",
+	})
+	r.NoError(err)
+
+	err = consumer.VerifyPing(&msg.Ping{
+		PrivilegeKey: "ping-with-different-subject",
+		Timestamp:    time.Now().UnixMilli(),
+	})
+	r.Error(err)
+	r.Contains(err.Error(), "received different OIDC subject in login and ping")
+}
diff --git a/pkg/config/flags.go b/pkg/config/flags.go
@@ -140,6 +140,7 @@ func registerVisitorBaseConfigFlags(cmd *cobra.Command, c *v1.VisitorBaseConfig,
 	cmd.Flags().BoolVarP(&c.Transport.UseCompression, "uc", "", false, "use compression")
 	cmd.Flags().StringVarP(&c.SecretKey, "sk", "", "", "secret key")
 	cmd.Flags().StringVarP(&c.ServerName, "server_name", "", "", "server name")
+	cmd.Flags().StringVarP(&c.ServerUser, "server-user", "", "", "server user")
 	cmd.Flags().StringVarP(&c.BindAddr, "bind_addr", "", "", "bind addr")
 	cmd.Flags().IntVarP(&c.BindPort, "bind_port", "", 0, "bind port")
 }
diff --git a/pkg/config/types/types.go b/pkg/config/types/types.go
@@ -159,18 +159,18 @@ func NewPortsRangeSliceFromString(str string) ([]PortsRange, error) {
 			out = append(out, PortsRange{Single: int(singleNum)})
 		case 2:
 			// range numbers
-			min, err := strconv.ParseInt(strings.TrimSpace(numArray[0]), 10, 64)
+			minNum, err := strconv.ParseInt(strings.TrimSpace(numArray[0]), 10, 64)
 			if err != nil {
 				return nil, fmt.Errorf("range number is invalid, %v", err)
 			}
-			max, err := strconv.ParseInt(strings.TrimSpace(numArray[1]), 10, 64)
+			maxNum, err := strconv.ParseInt(strings.TrimSpace(numArray[1]), 10, 64)
 			if err != nil {
 				return nil, fmt.Errorf("range number is invalid, %v", err)
 			}
-			if max < min {
+			if maxNum < minNum {
 				return nil, fmt.Errorf("range number is invalid")
 			}
-			out = append(out, PortsRange{Start: int(min), End: int(max)})
+			out = append(out, PortsRange{Start: int(minNum), End: int(maxNum)})
 		default:
 			return nil, fmt.Errorf("range number is invalid")
 		}
diff --git a/pkg/nathole/utils.go b/pkg/nathole/utils.go
@@ -78,19 +78,19 @@ func ListAllLocalIPs() ([]net.IP, error) {
 	return ips, nil
 }
 
-func ListLocalIPsForNatHole(max int) ([]string, error) {
-	if max <= 0 {
-		return nil, fmt.Errorf("max must be greater than 0")
+func ListLocalIPsForNatHole(maxItems int) ([]string, error) {
+	if maxItems <= 0 {
+		return nil, fmt.Errorf("maxItems must be greater than 0")
 	}
 
 	ips, err := ListAllLocalIPs()
 	if err != nil {
 		return nil, err
 	}
 
-	filtered := make([]string, 0, max)
+	filtered := make([]string, 0, maxItems)
 	for _, ip := range ips {
-		if len(filtered) >= max {
+		if len(filtered) >= maxItems {
 			break
 		}
 
diff --git a/pkg/util/util/util.go b/pkg/util/util/util.go
@@ -85,21 +85,21 @@ func ParseRangeNumbers(rangeStr string) (numbers []int64, err error) {
 			numbers = append(numbers, singleNum)
 		case 2:
 			// range numbers
-			min, errRet := strconv.ParseInt(strings.TrimSpace(numArray[0]), 10, 64)
+			minValue, errRet := strconv.ParseInt(strings.TrimSpace(numArray[0]), 10, 64)
 			if errRet != nil {
 				err = fmt.Errorf("range number is invalid, %v", errRet)
 				return
 			}
-			max, errRet := strconv.ParseInt(strings.TrimSpace(numArray[1]), 10, 64)
+			maxValue, errRet := strconv.ParseInt(strings.TrimSpace(numArray[1]), 10, 64)
 			if errRet != nil {
 				err = fmt.Errorf("range number is invalid, %v", errRet)
 				return
 			}
-			if max < min {
+			if maxValue < minValue {
 				err = fmt.Errorf("range number is invalid")
 				return
 			}
-			for i := min; i <= max; i++ {
+			for i := minValue; i <= maxValue; i++ {
 				numbers = append(numbers, i)
 			}
 		default:
@@ -118,13 +118,13 @@ func GenerateResponseErrorString(summary string, err error, detailed bool) strin
 }
 
 func RandomSleep(duration time.Duration, minRatio, maxRatio float64) time.Duration {
-	min := int64(minRatio * 1000.0)
-	max := int64(maxRatio * 1000.0)
+	minValue := int64(minRatio * 1000.0)
+	maxValue := int64(maxRatio * 1000.0)
 	var n int64
-	if max <= min {
-		n = min
+	if maxValue <= minValue {
+		n = minValue
 	} else {
-		n = mathrand.Int64N(max-min) + min
+		n = mathrand.Int64N(maxValue-minValue) + minValue
 	}
 	d := duration * time.Duration(n) / time.Duration(1000)
 	time.Sleep(d)
diff --git a/pkg/util/version/version.go b/pkg/util/version/version.go
@@ -14,7 +14,7 @@
 
 package version
 
-var version = "0.60.0"
+var version = "0.61.0"
 
 func Full() string {
 	return version
diff --git a/server/proxy/proxy.go b/server/proxy/proxy.go
@@ -137,17 +137,17 @@ func (pxy *BaseProxy) GetWorkConnFromPool(src, dst net.Addr) (workConn net.Conn,
 			dstAddr    string
 			srcPortStr string
 			dstPortStr string
-			srcPort    int
-			dstPort    int
+			srcPort    uint64
+			dstPort    uint64
 		)
 
 		if src != nil {
 			srcAddr, srcPortStr, _ = net.SplitHostPort(src.String())
-			srcPort, _ = strconv.Atoi(srcPortStr)
+			srcPort, _ = strconv.ParseUint(srcPortStr, 10, 16)
 		}
 		if dst != nil {
 			dstAddr, dstPortStr, _ = net.SplitHostPort(dst.String())
-			dstPort, _ = strconv.Atoi(dstPortStr)
+			dstPort, _ = strconv.ParseUint(dstPortStr, 10, 16)
 		}
 		err := msg.WriteMsg(workConn, &msg.StartWorkConn{
 			ProxyName: pxy.GetName(),
@@ -190,8 +190,8 @@ func (pxy *BaseProxy) startCommonTCPListenersHandler() {
 						} else {
 							tempDelay *= 2
 						}
-						if max := 1 * time.Second; tempDelay > max {
-							tempDelay = max
+						if maxTime := 1 * time.Second; tempDelay > maxTime {
+							tempDelay = maxTime
 						}
 						xl.Infof("met temporary error: %s, sleep for %s ...", err, tempDelay)
 						time.Sleep(tempDelay)

Original file line number	Diff line number	Diff line change
`@@ -230,7 +230,7 @@ func (ctl *Control) registerMsgHandlers() {`
`230`	`230`	`ctl.msgDispatcher.RegisterHandler(&msg.Pong{}, ctl.handlePong)`
`231`	`231`	`}`
`232`	`232`
`233`		`-// headerWorker sends heartbeat to server and check heartbeat timeout.`
	`233`	`+// heartbeatWorker sends heartbeat to server and check heartbeat timeout.`
`234`	`234`	`func (ctl *Control) heartbeatWorker() {`
`235`	`235`	`xl := ctl.xl`
`236`	`236`
Original file line number	Diff line number	Diff line change
`@@ -137,7 +137,7 @@ func (pw *Wrapper) SetRunningStatus(remoteAddr string, respErr string) error {`
`137`	`137`	`pw.Phase = ProxyPhaseStartErr`
`138`	`138`	`pw.Err = respErr`
`139`	`139`	`pw.lastStartErr = time.Now()`
`140`		`- return fmt.Errorf(pw.Err)`
	`140`	`+ return fmt.Errorf("%s", pw.Err)`
`141`	`141`	`}`
`142`	`142`
`143`	`143`	`if err := pw.pxy.Run(); err != nil {`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-FROM golang:1.22 AS building`
	`1`	`+FROM golang:1.23 AS building`
`2`	`2`
`3`	`3`	`COPY . /building`
`4`	`4`	`WORKDIR /building`
Original file line number	Diff line number	Diff line change
`@@ -50,7 +50,8 @@ func NewAuthVerifier(cfg v1.AuthServerConfig) (authVerifier Verifier) {`
`50`	`50`	`case v1.AuthMethodToken:`
`51`	`51`	`authVerifier = NewTokenAuth(cfg.AdditionalScopes, cfg.Token)`
`52`	`52`	`case v1.AuthMethodOIDC:`
`53`		`- authVerifier = NewOidcAuthVerifier(cfg.AdditionalScopes, cfg.OIDC)`
	`53`	`+ tokenVerifier := NewTokenVerifier(cfg.OIDC)`
	`54`	`+ authVerifier = NewOidcAuthVerifier(cfg.AdditionalScopes, tokenVerifier)`
`54`	`55`	`}`
`55`	`56`	`return authVerifier`
`56`	`57`	`}`
Original file line number	Diff line number	Diff line change
`@@ -140,6 +140,7 @@ func registerVisitorBaseConfigFlags(cmd cobra.Command, c v1.VisitorBaseConfig,`
`140`	`140`	`cmd.Flags().BoolVarP(&c.Transport.UseCompression, "uc", "", false, "use compression")`
`141`	`141`	`cmd.Flags().StringVarP(&c.SecretKey, "sk", "", "", "secret key")`
`142`	`142`	`cmd.Flags().StringVarP(&c.ServerName, "server_name", "", "", "server name")`
	`143`	`+ cmd.Flags().StringVarP(&c.ServerUser, "server-user", "", "", "server user")`
`143`	`144`	`cmd.Flags().StringVarP(&c.BindAddr, "bind_addr", "", "", "bind addr")`
`144`	`145`	`cmd.Flags().IntVarP(&c.BindPort, "bind_port", "", 0, "bind port")`
`145`	`146`	`}`
Original file line number	Diff line number	Diff line change
`@@ -159,18 +159,18 @@ func NewPortsRangeSliceFromString(str string) ([]PortsRange, error) {`
`159`	`159`	`out = append(out, PortsRange{Single: int(singleNum)})`
`160`	`160`	`case 2:`
`161`	`161`	`// range numbers`
`162`		`- min, err := strconv.ParseInt(strings.TrimSpace(numArray[0]), 10, 64)`
	`162`	`+ minNum, err := strconv.ParseInt(strings.TrimSpace(numArray[0]), 10, 64)`
`163`	`163`	`if err != nil {`
`164`	`164`	`return nil, fmt.Errorf("range number is invalid, %v", err)`
`165`	`165`	`}`
`166`		`- max, err := strconv.ParseInt(strings.TrimSpace(numArray[1]), 10, 64)`
	`166`	`+ maxNum, err := strconv.ParseInt(strings.TrimSpace(numArray[1]), 10, 64)`
`167`	`167`	`if err != nil {`
`168`	`168`	`return nil, fmt.Errorf("range number is invalid, %v", err)`
`169`	`169`	`}`
`170`		`- if max < min {`
	`170`	`+ if maxNum < minNum {`
`171`	`171`	`return nil, fmt.Errorf("range number is invalid")`
`172`	`172`	`}`
`173`		`- out = append(out, PortsRange{Start: int(min), End: int(max)})`
	`173`	`+ out = append(out, PortsRange{Start: int(minNum), End: int(maxNum)})`
`174`	`174`	`default:`
`175`	`175`	`return nil, fmt.Errorf("range number is invalid")`
`176`	`176`	`}`
Original file line number	Diff line number	Diff line change
`@@ -78,19 +78,19 @@ func ListAllLocalIPs() ([]net.IP, error) {`
`78`	`78`	`return ips, nil`
`79`	`79`	`}`
`80`	`80`
`81`		`-func ListLocalIPsForNatHole(max int) ([]string, error) {`
`82`		`- if max <= 0 {`
`83`		`- return nil, fmt.Errorf("max must be greater than 0")`
	`81`	`+func ListLocalIPsForNatHole(maxItems int) ([]string, error) {`
	`82`	`+ if maxItems <= 0 {`
	`83`	`+ return nil, fmt.Errorf("maxItems must be greater than 0")`
`84`	`84`	`}`
`85`	`85`
`86`	`86`	`ips, err := ListAllLocalIPs()`
`87`	`87`	`if err != nil {`
`88`	`88`	`return nil, err`
`89`	`89`	`}`
`90`	`90`
`91`		`- filtered := make([]string, 0, max)`
	`91`	`+ filtered := make([]string, 0, maxItems)`
`92`	`92`	`for _, ip := range ips {`
`93`		`- if len(filtered) >= max {`
	`93`	`+ if len(filtered) >= maxItems {`
`94`	`94`	`break`
`95`	`95`	`}`
`96`	`96`