mirror of
https://github.com/fatedier/frp.git
synced 2026-01-11 22:23:12 +00:00
Add exec value source type (#5050)
* config: introduce ExecSource value source * auth: introduce OidcTokenSourceAuthProvider * auth: use OidcTokenSourceAuthProvider if tokenSource config is present on the client * cmd: allow exec token source only if CLI flag was passed
This commit is contained in:
Krzysztof Bogacki
committed by
GitHub
GitHub
parent
f736d171ac
commit
66973a03db
@@ -239,8 +239,16 @@ type AuthOIDCClientConfig struct {
|
||||
// Supports http, https, socks5, and socks5h proxy protocols.
|
||||
// If empty, no proxy is used for OIDC connections.
|
||||
ProxyURL string `json:"proxyURL,omitempty"`
|
||||
|
||||
// TokenSource specifies a custom dynamic source for the authorization token.
|
||||
// This is mutually exclusive with every other field of this structure.
|
||||
TokenSource *ValueSource `json:"tokenSource,omitempty"`
|
||||
}
|
||||
|
||||
type VirtualNetConfig struct {
|
||||
Address string `json:"address,omitempty"`
|
||||
}
|
||||
|
||||
type UnsafeFeatures struct {
|
||||
TokenSourceExec bool
|
||||
}
|
||||
|
||||
@@ -26,7 +26,7 @@ import (
|
||||
"github.com/fatedier/frp/pkg/featuregate"
|
||||
)
|
||||
|
||||
func ValidateClientCommonConfig(c *v1.ClientCommonConfig) (Warning, error) {
|
||||
func ValidateClientCommonConfig(c *v1.ClientCommonConfig, unsafeFeatures v1.UnsafeFeatures) (Warning, error) {
|
||||
var (
|
||||
warnings Warning
|
||||
errs error
|
||||
@@ -52,11 +52,24 @@ func ValidateClientCommonConfig(c *v1.ClientCommonConfig) (Warning, error) {
|
||||
|
||||
// Validate tokenSource if specified
|
||||
if c.Auth.TokenSource != nil {
|
||||
if c.Auth.TokenSource.Type == "exec" && !unsafeFeatures.TokenSourceExec {
|
||||
errs = AppendError(errs, fmt.Errorf("unsafe 'exec' not allowed for auth.tokenSource.type"))
|
||||
}
|
||||
if err := c.Auth.TokenSource.Validate(); err != nil {
|
||||
errs = AppendError(errs, fmt.Errorf("invalid auth.tokenSource: %v", err))
|
||||
}
|
||||
}
|
||||
|
||||
if c.Auth.OIDC.TokenSource != nil {
|
||||
// Validate oidc.tokenSource mutual exclusivity with other fields of oidc
|
||||
if c.Auth.OIDC.ClientID != "" || c.Auth.OIDC.ClientSecret != "" || c.Auth.OIDC.Audience != "" || c.Auth.OIDC.Scope != "" || c.Auth.OIDC.TokenEndpointURL != "" || len(c.Auth.OIDC.AdditionalEndpointParams) > 0 || c.Auth.OIDC.TrustedCaFile != "" || c.Auth.OIDC.InsecureSkipVerify || c.Auth.OIDC.ProxyURL != "" {
|
||||
errs = AppendError(errs, fmt.Errorf("cannot specify both auth.oidc.tokenSource and any other field of auth.oidc"))
|
||||
}
|
||||
if c.Auth.OIDC.TokenSource.Type == "exec" && !unsafeFeatures.TokenSourceExec {
|
||||
errs = AppendError(errs, fmt.Errorf("unsafe 'exec' not allowed for auth.oidc.tokenSource.type"))
|
||||
}
|
||||
}
|
||||
|
||||
if err := validateLogConfig(&c.Log); err != nil {
|
||||
errs = AppendError(errs, err)
|
||||
}
|
||||
@@ -101,10 +114,10 @@ func ValidateClientCommonConfig(c *v1.ClientCommonConfig) (Warning, error) {
|
||||
return warnings, errs
|
||||
}
|
||||
|
||||
func ValidateAllClientConfig(c *v1.ClientCommonConfig, proxyCfgs []v1.ProxyConfigurer, visitorCfgs []v1.VisitorConfigurer) (Warning, error) {
|
||||
func ValidateAllClientConfig(c *v1.ClientCommonConfig, proxyCfgs []v1.ProxyConfigurer, visitorCfgs []v1.VisitorConfigurer, unsafeFeatures v1.UnsafeFeatures) (Warning, error) {
|
||||
var warnings Warning
|
||||
if c != nil {
|
||||
warning, err := ValidateClientCommonConfig(c)
|
||||
warning, err := ValidateClientCommonConfig(c, unsafeFeatures)
|
||||
warnings = AppendError(warnings, warning)
|
||||
if err != nil {
|
||||
return warnings, err
|
||||
|
||||
@@ -19,6 +19,7 @@ import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"os"
|
||||
"os/exec"
|
||||
"strings"
|
||||
)
|
||||
|
||||
@@ -27,6 +28,7 @@ import (
|
||||
type ValueSource struct {
|
||||
Type string `json:"type"`
|
||||
File *FileSource `json:"file,omitempty"`
|
||||
Exec *ExecSource `json:"exec,omitempty"`
|
||||
}
|
||||
|
||||
// FileSource specifies how to load a value from a file.
|
||||
@@ -34,6 +36,18 @@ type FileSource struct {
|
||||
Path string `json:"path"`
|
||||
}
|
||||
|
||||
// ExecSource specifies how to get a value from another program launched as subprocess.
|
||||
type ExecSource struct {
|
||||
Command string `json:"command"`
|
||||
Args []string `json:"args,omitempty"`
|
||||
Env []ExecEnvVar `json:"env,omitempty"`
|
||||
}
|
||||
|
||||
type ExecEnvVar struct {
|
||||
Name string `json:"name"`
|
||||
Value string `json:"value"`
|
||||
}
|
||||
|
||||
// Validate validates the ValueSource configuration.
|
||||
func (v *ValueSource) Validate() error {
|
||||
if v == nil {
|
||||
@@ -46,8 +60,13 @@ func (v *ValueSource) Validate() error {
|
||||
return errors.New("file configuration is required when type is 'file'")
|
||||
}
|
||||
return v.File.Validate()
|
||||
case "exec":
|
||||
if v.Exec == nil {
|
||||
return errors.New("exec configuration is required when type is 'exec'")
|
||||
}
|
||||
return v.Exec.Validate()
|
||||
default:
|
||||
return fmt.Errorf("unsupported value source type: %s (only 'file' is supported)", v.Type)
|
||||
return fmt.Errorf("unsupported value source type: %s (only 'file' and 'exec' are supported)", v.Type)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -60,6 +79,8 @@ func (v *ValueSource) Resolve(ctx context.Context) (string, error) {
|
||||
switch v.Type {
|
||||
case "file":
|
||||
return v.File.Resolve(ctx)
|
||||
case "exec":
|
||||
return v.Exec.Resolve(ctx)
|
||||
default:
|
||||
return "", fmt.Errorf("unsupported value source type: %s", v.Type)
|
||||
}
|
||||
@@ -91,3 +112,47 @@ func (f *FileSource) Resolve(_ context.Context) (string, error) {
|
||||
// Trim whitespace, which is important for file-based tokens
|
||||
return strings.TrimSpace(string(content)), nil
|
||||
}
|
||||
|
||||
// Validate validates the ExecSource configuration.
|
||||
func (e *ExecSource) Validate() error {
|
||||
if e == nil {
|
||||
return errors.New("execSource cannot be nil")
|
||||
}
|
||||
|
||||
if e.Command == "" {
|
||||
return errors.New("exec command cannot be empty")
|
||||
}
|
||||
|
||||
for _, env := range e.Env {
|
||||
if env.Name == "" {
|
||||
return errors.New("exec env name cannot be empty")
|
||||
}
|
||||
if strings.Contains(env.Name, "=") {
|
||||
return errors.New("exec env name cannot contain '='")
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// Resolve reads and returns the content captured from stdout of launched subprocess.
|
||||
func (e *ExecSource) Resolve(ctx context.Context) (string, error) {
|
||||
if err := e.Validate(); err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
cmd := exec.CommandContext(ctx, e.Command, e.Args...)
|
||||
if len(e.Env) != 0 {
|
||||
cmd.Env = os.Environ()
|
||||
for _, env := range e.Env {
|
||||
cmd.Env = append(cmd.Env, env.Name+"="+env.Value)
|
||||
}
|
||||
}
|
||||
|
||||
content, err := cmd.Output()
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("failed to execute command %v: %v", e.Command, err)
|
||||
}
|
||||
|
||||
// Trim whitespace, which is important for exec-based tokens
|
||||
return strings.TrimSpace(string(content)), nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user