config: add some validations (#3610)

2025-07-29 01:07:38 +00:00 · 2023-09-13 18:59:51 +08:00
parent 7cd02f5bd8
commit 74255f711e
9 changed files with 144 additions and 20 deletions
--- a/pkg/config/v1/validation/client.go
+++ b/pkg/config/v1/validation/client.go
@@ -29,6 +29,21 @@ func ValidateClientCommonConfig(c *v1.ClientCommonConfig) (Warning, error) {
 		warnings Warning
 		errs     error
 	)
+	if !lo.Contains(supportedAuthMethods, c.Auth.Method) {
+		errs = AppendError(errs, fmt.Errorf("invalid auth method, optional values are %v", supportedAuthMethods))
+	}
+	if !lo.Every(supportedAuthAdditionalScopes, c.Auth.AdditionalScopes) {
+		errs = AppendError(errs, fmt.Errorf("invalid auth additional scopes, optional values are %v", supportedAuthAdditionalScopes))
+	}
+
+	if err := validateLogConfig(&c.Log); err != nil {
+		errs = AppendError(errs, err)
+	}
+
+	if err := validateWebServerConfig(&c.WebServer); err != nil {
+		errs = AppendError(errs, err)
+	}
+
 	if c.Transport.HeartbeatTimeout > 0 && c.Transport.HeartbeatInterval > 0 {
 		if c.Transport.HeartbeatTimeout < c.Transport.HeartbeatInterval {
 			errs = AppendError(errs, fmt.Errorf("invalid transport.heartbeatTimeout, heartbeat timeout should not less than heartbeat interval"))
@@ -48,8 +63,8 @@ func ValidateClientCommonConfig(c *v1.ClientCommonConfig) (Warning, error) {
 		warnings = AppendError(warnings, checkTLSConfig("transport.tls.trustedCaFile", c.Transport.TLS.TrustedCaFile))
 	}

-	if !lo.Contains([]string{"tcp", "kcp", "quic", "websocket", "wss"}, c.Transport.Protocol) {
-		errs = AppendError(errs, fmt.Errorf("invalid transport.protocol, only support tcp, kcp, quic, websocket, wss"))
+	if !lo.Contains(supportedTransportProtocols, c.Transport.Protocol) {
+		errs = AppendError(errs, fmt.Errorf("invalid transport.protocol, optional values are %v", supportedTransportProtocols))
 	}

 	for _, f := range c.IncludeConfigFiles {
--- a/pkg/config/v1/validation/common.go
+++ b/pkg/config/v1/validation/common.go
@@ -17,6 +17,8 @@ package validation
 import (
 	"fmt"

+	"github.com/samber/lo"
+
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 )

@@ -29,13 +31,21 @@ func validateWebServerConfig(c *v1.WebServerConfig) error {
 			return fmt.Errorf("tls.keyFile must be specified when tls is enabled")
 		}
 	}
-	return nil
+
+	return ValidatePort(c.Port, "webServer.port")
 }

 // ValidatePort checks that the network port is in range
-func ValidatePort(port int) error {
+func ValidatePort(port int, fieldPath string) error {
 	if 0 <= port && port <= 65535 {
 		return nil
 	}
-	return fmt.Errorf("port number %d must be in the range 0..65535", port)
+	return fmt.Errorf("%s: port number %d must be in the range 0..65535", fieldPath, port)
+}
+
+func validateLogConfig(c *v1.LogConfig) error {
+	if !lo.Contains(supportedLogLevels, c.Level) {
+		return fmt.Errorf("invalid log level, optional values are %v", supportedLogLevels)
+	}
+	return nil
 }
--- a/pkg/config/v1/validation/proxy.go
+++ b/pkg/config/v1/validation/proxy.go
@@ -39,7 +39,7 @@ func validateProxyBaseConfigForClient(c *v1.ProxyBaseConfig) error {
 	}

 	if c.Plugin.Type == "" {
-		if err := ValidatePort(c.LocalPort); err != nil {
+		if err := ValidatePort(c.LocalPort, "localPort"); err != nil {
 			return fmt.Errorf("localPort: %v", err)
 		}
 	}
--- a/pkg/config/v1/validation/server.go
+++ b/pkg/config/v1/validation/server.go
@@ -15,6 +15,10 @@
 package validation

 import (
+	"fmt"
+
+	"github.com/samber/lo"
+
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 )

@@ -23,15 +27,32 @@ func ValidateServerConfig(c *v1.ServerConfig) (Warning, error) {
 		warnings Warning
 		errs     error
 	)
+	if !lo.Contains(supportedAuthMethods, c.Auth.Method) {
+		errs = AppendError(errs, fmt.Errorf("invalid auth method, optional values are %v", supportedAuthMethods))
+	}
+	if !lo.Every(supportedAuthAdditionalScopes, c.Auth.AdditionalScopes) {
+		errs = AppendError(errs, fmt.Errorf("invalid auth additional scopes, optional values are %v", supportedAuthAdditionalScopes))
+	}
+
+	if err := validateLogConfig(&c.Log); err != nil {
+		errs = AppendError(errs, err)
+	}
+
 	if err := validateWebServerConfig(&c.WebServer); err != nil {
 		errs = AppendError(errs, err)
 	}

-	errs = AppendError(errs, ValidatePort(c.BindPort))
-	errs = AppendError(errs, ValidatePort(c.KCPBindPort))
-	errs = AppendError(errs, ValidatePort(c.QUICBindPort))
-	errs = AppendError(errs, ValidatePort(c.VhostHTTPPort))
-	errs = AppendError(errs, ValidatePort(c.VhostHTTPSPort))
-	errs = AppendError(errs, ValidatePort(c.TCPMuxHTTPConnectPort))
+	errs = AppendError(errs, ValidatePort(c.BindPort, "bindPort"))
+	errs = AppendError(errs, ValidatePort(c.KCPBindPort, "kcpBindPort"))
+	errs = AppendError(errs, ValidatePort(c.QUICBindPort, "quicBindPort"))
+	errs = AppendError(errs, ValidatePort(c.VhostHTTPPort, "vhostHTTPPort"))
+	errs = AppendError(errs, ValidatePort(c.VhostHTTPSPort, "vhostHTTPSPort"))
+	errs = AppendError(errs, ValidatePort(c.TCPMuxHTTPConnectPort, "tcpMuxHTTPConnectPort"))
+
+	for _, p := range c.HTTPPlugins {
+		if !lo.Every(supportedHTTPPluginOps, p.Ops) {
+			errs = AppendError(errs, fmt.Errorf("invalid http plugin ops, optional values are %v", supportedHTTPPluginOps))
+		}
+	}
 	return warnings, errs
 }
--- a/pkg/config/v1/validation/validation.go
+++ b/pkg/config/v1/validation/validation.go
@@ -16,6 +16,46 @@ package validation

 import (
 	"errors"
+
+	v1 "github.com/fatedier/frp/pkg/config/v1"
+	splugin "github.com/fatedier/frp/pkg/plugin/server"
+)
+
+var (
+	supportedTransportProtocols = []string{
+		"tcp",
+		"kcp",
+		"quic",
+		"websocket",
+		"wss",
+	}
+
+	supportedAuthMethods = []string{
+		"token",
+		"oidc",
+	}
+
+	supportedAuthAdditionalScopes = []v1.AuthScope{
+		"HeartBeats",
+		"NewWorkConns",
+	}
+
+	supportedLogLevels = []string{
+		"trace",
+		"debug",
+		"info",
+		"warn",
+		"error",
+	}
+
+	supportedHTTPPluginOps = []string{
+		splugin.OpLogin,
+		splugin.OpNewProxy,
+		splugin.OpCloseProxy,
+		splugin.OpPing,
+		splugin.OpNewWorkConn,
+		splugin.OpNewUserConn,
+	}
 )

 type Warning error