Merge e2b34fff62ba7c2e642b07e5d00d7525aaab1f03 into 2466e65f43f61fa87fce0069cc06defe94f1e856

support multiple subjects in oidc ping (#4475 )
Resolves: #4466
2025-06-16 08:08:20 +00:00 · 2024-10-13 10:59:21 +03:00 · 2024-10-12 18:52:47 +08:00 · 2024-09-25 14:42:17 -04:00
6 changed files with 125 additions and 13 deletions
--- a/pkg/auth/auth.go
+++ b/pkg/auth/auth.go
@ -50,7 +50,8 @@ func NewAuthVerifier(cfg v1.AuthServerConfig) (authVerifier Verifier) {
 	case v1.AuthMethodToken:
 		authVerifier = NewTokenAuth(cfg.AdditionalScopes, cfg.Token)
 	case v1.AuthMethodOIDC:
-		authVerifier = NewOidcAuthVerifier(cfg.AdditionalScopes, cfg.OIDC)
+		tokenVerifier := NewTokenVerifier(cfg.OIDC)
 		authVerifier = NewOidcAuthVerifier(cfg.AdditionalScopes, tokenVerifier)
 	}
 	return authVerifier
 }
--- a/pkg/auth/oidc.go
+++ b/pkg/auth/oidc.go
@ -87,14 +87,18 @@ func (auth *OidcAuthProvider) SetNewWorkConn(newWorkConnMsg *msg.NewWorkConn) (e
 	return err
 }
 type TokenVerifier interface {
 	Verify(context.Context, string) (*oidc.IDToken, error)
 }
 type OidcAuthConsumer struct {
 	additionalAuthScopes []v1.AuthScope
-	verifier         *oidc.IDTokenVerifier
+	verifier          TokenVerifier
-	subjectFromLogin string
+	subjectsFromLogin []string
 }
-func NewOidcAuthVerifier(additionalAuthScopes []v1.AuthScope, cfg v1.AuthOIDCServerConfig) *OidcAuthConsumer {
+func NewTokenVerifier(cfg v1.AuthOIDCServerConfig) TokenVerifier {
 	provider, err := oidc.NewProvider(context.Background(), cfg.Issuer)
 	if err != nil {
 		panic(err)
@ -105,9 +109,14 @@ func NewOidcAuthVerifier(additionalAuthScopes []v1.AuthScope, cfg v1.AuthOIDCSer
 		SkipExpiryCheck:   cfg.SkipExpiryCheck,
 		SkipIssuerCheck:   cfg.SkipIssuerCheck,
 	}
 	return provider.Verifier(&verifierConf)
 }
 func NewOidcAuthVerifier(additionalAuthScopes []v1.AuthScope, verifier TokenVerifier) *OidcAuthConsumer {
 	return &OidcAuthConsumer{
 		additionalAuthScopes: additionalAuthScopes,
-		verifier:             provider.Verifier(&verifierConf),
+		verifier:             verifier,
 		subjectsFromLogin:    []string{},
 	}
 }
@ -116,7 +125,9 @@ func (auth *OidcAuthConsumer) VerifyLogin(loginMsg *msg.Login) (err error) {
 	if err != nil {
 		return fmt.Errorf("invalid OIDC token in login: %v", err)
 	}
-	auth.subjectFromLogin = token.Subject
+	if !slices.Contains(auth.subjectsFromLogin, token.Subject) {
 		auth.subjectsFromLogin = append(auth.subjectsFromLogin, token.Subject)
 	}
 	return nil
 }
@ -125,11 +136,11 @@ func (auth *OidcAuthConsumer) verifyPostLoginToken(privilegeKey string) (err err
 	if err != nil {
 		return fmt.Errorf("invalid OIDC token in ping: %v", err)
 	}
-	if token.Subject != auth.subjectFromLogin {
+	if !slices.Contains(auth.subjectsFromLogin, token.Subject) {
 		return fmt.Errorf("received different OIDC subject in login and ping. "+
-			"original subject: %s, "+
+			"original subjects: %s, "+
 			"new subject: %s",
-			auth.subjectFromLogin, token.Subject)
+			auth.subjectsFromLogin, token.Subject)
 	}
 	return nil
 }
--- a/pkg/auth/oidc_test.go
+++ b/pkg/auth/oidc_test.go
@ -0,0 +1,64 @@
 package auth_test
 import (
 	"context"
 	"testing"
 	"time"
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/stretchr/testify/require"
 	"github.com/fatedier/frp/pkg/auth"
 	v1 "github.com/fatedier/frp/pkg/config/v1"
 	"github.com/fatedier/frp/pkg/msg"
 )
 type mockTokenVerifier struct{}
 func (m *mockTokenVerifier) Verify(ctx context.Context, subject string) (*oidc.IDToken, error) {
 	return &oidc.IDToken{
 		Subject: subject,
 	}, nil
 }
 func TestPingWithEmptySubjectFromLoginFails(t *testing.T) {
 	r := require.New(t)
 	consumer := auth.NewOidcAuthVerifier([]v1.AuthScope{v1.AuthScopeHeartBeats}, &mockTokenVerifier{})
 	err := consumer.VerifyPing(&msg.Ping{
 		PrivilegeKey: "ping-without-login",
 		Timestamp:    time.Now().UnixMilli(),
 	})
 	r.Error(err)
 	r.Contains(err.Error(), "received different OIDC subject in login and ping")
 }
 func TestPingAfterLoginWithNewSubjectSucceeds(t *testing.T) {
 	r := require.New(t)
 	consumer := auth.NewOidcAuthVerifier([]v1.AuthScope{v1.AuthScopeHeartBeats}, &mockTokenVerifier{})
 	err := consumer.VerifyLogin(&msg.Login{
 		PrivilegeKey: "ping-after-login",
 	})
 	r.NoError(err)
 	err = consumer.VerifyPing(&msg.Ping{
 		PrivilegeKey: "ping-after-login",
 		Timestamp:    time.Now().UnixMilli(),
 	})
 	r.NoError(err)
 }
 func TestPingAfterLoginWithDifferentSubjectFails(t *testing.T) {
 	r := require.New(t)
 	consumer := auth.NewOidcAuthVerifier([]v1.AuthScope{v1.AuthScopeHeartBeats}, &mockTokenVerifier{})
 	err := consumer.VerifyLogin(&msg.Login{
 		PrivilegeKey: "login-with-first-subject",
 	})
 	r.NoError(err)
 	err = consumer.VerifyPing(&msg.Ping{
 		PrivilegeKey: "ping-with-different-subject",
 		Timestamp:    time.Now().UnixMilli(),
 	})
 	r.Error(err)
 	r.Contains(err.Error(), "received different OIDC subject in login and ping")
 }
--- a/pkg/config/v1/plugin.go
+++ b/pkg/config/v1/plugin.go
@ -103,6 +103,7 @@ type HTTP2HTTPSPluginOptions struct {
 	LocalAddr         string           `json:"localAddr,omitempty"`
 	HostHeaderRewrite string           `json:"hostHeaderRewrite,omitempty"`
 	RequestHeaders    HeaderOperations `json:"requestHeaders,omitempty"`
 	RootCA            string           `json:"rootCA,omitempty"`
 }
 func (o *HTTP2HTTPSPluginOptions) Complete() {}
@ -137,6 +138,7 @@ type HTTPS2HTTPSPluginOptions struct {
 	EnableHTTP2       *bool            `json:"enableHTTP2,omitempty"`
 	CrtPath           string           `json:"crtPath,omitempty"`
 	KeyPath           string           `json:"keyPath,omitempty"`
 	RootCA            string           `json:"rootCA,omitempty"`
 }
 func (o *HTTPS2HTTPSPluginOptions) Complete() {
--- a/pkg/plugin/client/http2https.go
+++ b/pkg/plugin/client/http2https.go
@ -19,11 +19,13 @@ package plugin
 import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"io"
 	stdlog "log"
 	"net"
 	"net/http"
 	"net/http/httputil"
 	"os"
 	"github.com/fatedier/golib/pool"
@ -53,8 +55,23 @@ func NewHTTP2HTTPSPlugin(options v1.ClientPluginOptions) (Plugin, error) {
 		l:    listener,
 	}
-	tr := &http.Transport{
+	tr := &http.Transport{}
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+
 	if opts.RootCA != "" {
 		caCert, err := os.ReadFile(opts.RootCA)
 		if err != nil {
 			return nil, err
 		}
 		caCertPool, err := x509.SystemCertPool()
 		if err != nil {
 			return nil, err
 		}
 		caCertPool.AppendCertsFromPEM(caCert)
 		tr.TLSClientConfig = &tls.Config{
 			RootCAs: caCertPool,
 		}
 	} else {
 		tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
 	}
 	rp := &httputil.ReverseProxy{
--- a/pkg/plugin/client/https2https.go
+++ b/pkg/plugin/client/https2https.go
@ -19,12 +19,14 @@ package plugin
 import (
 	"context"
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
 	"io"
 	stdlog "log"
 	"net"
 	"net/http"
 	"net/http/httputil"
 	"os"
 	"time"
 	"github.com/fatedier/golib/pool"
@ -58,8 +60,23 @@ func NewHTTPS2HTTPSPlugin(options v1.ClientPluginOptions) (Plugin, error) {
 		l:    listener,
 	}
-	tr := &http.Transport{
+	tr := &http.Transport{}
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+
 	if opts.RootCA != "" {
 		caCert, err := os.ReadFile(opts.RootCA)
 		if err != nil {
 			return nil, err
 		}
 		caCertPool, err := x509.SystemCertPool()
 		if err != nil {
 			return nil, err
 		}
 		caCertPool.AppendCertsFromPEM(caCert)
 		tr.TLSClientConfig = &tls.Config{
 			RootCAs: caCertPool,
 		}
 	} else {
 		tr.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
 	}
 	rp := &httputil.ReverseProxy{
Author	SHA1	Message	Date
adamwallred	51fb85ae3b	Merge e2b34fff62ba7c2e642b07e5d00d7525aaab1f03 into 2466e65f43f61fa87fce0069cc06defe94f1e856	2024-10-13 10:59:21 +03:00
RobKenis	2466e65f43	support multiple subjects in oidc ping (#4475 ) Resolves: #4466	2024-10-12 18:52:47 +08:00
Adam Allred	e2b34fff62	feat(plugin): add rootca and tls verify for client http plugins	2024-09-25 14:42:17 -04:00