ziti

package
v0.19.5 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 4, 2023 License: Apache-2.0 Imports: 54 Imported by: 86

Documentation

Overview

Package ziti provides methods for loading ziti contexts from identity JSON files Identity files specifies in `ZITI_IDENTITIES` environment variable (semicolon separates) are loaded automatically at startup

Index

Constants

View Source 
const (
	PrecedenceDefault  Precedence = 0
	PrecedenceRequired Precedence = 1
	PrecedenceFailed   Precedence = 2

	PrecedenceDefaultLabel  = string(rest_model.TerminatorPrecedenceDefault)
	PrecedenceRequiredLabel = string(rest_model.TerminatorPrecedenceRequired)
	PrecedenceFailedLabel   = string(rest_model.TerminatorPrecedenceFailed)
)
View Source 
const (
	LatencyCheckInterval = 30 * time.Second
	LatencyCheckTimeout  = 10 * time.Second

	ClientConfigV1 = "ziti-tunneler-client.v1"
	InterceptV1    = "intercept.v1"

	SessionDial = rest_model.DialBindDial
	SessionBind = rest_model.DialBindBind
)

Variables

View Source 
var DefaultOptions = &Options{
	RefreshInterval: 5 * time.Minute,
	OnServiceUpdate: nil,
}

Functions

func ForAllContexts added in v0.17.0 

func ForAllContexts(f func(ctx Context) bool)

ForAllContexts iterates over all Ziti contexts loaded from ZITI_IDENTITIES environment variable, or with LoadContext() call

Types

type Context 

type Context interface {
	// Authenticate attempts to use credentials configured on the Context to perform authentication. The authentication
	// implementation used is configured via the Authenticator field on an Option struct provided during Context
	// creation.
	Authenticate() error

	// SetAuthenticator sets the current Authenticator to use for subsequent authentication requests
	SetAuthenticator(authenticator rest_util.Authenticator)

	// GetAuthenticator returns the currently set Authenticator used to authenticate requests
	GetAuthenticator() rest_util.Authenticator

	// GetCurrentIdentity returns the Edge API details of the currently authenticated identity.
	GetCurrentIdentity() (*rest_model.IdentityDetail, error)

	// Dial attempts to connect to a service using a given service name; authenticating as necessary in order to obtain
	// a service session, attach to Edge Routers, and connect to a service.
	Dial(serviceName string) (edge.Conn, error)

	// DialWithOptions performs the same logic as Dial but allows specification of DialOptions.
	DialWithOptions(serviceName string, options *DialOptions) (edge.Conn, error)

	// DialAddr finds the service for given address and performs a Dial for it.
	DialAddr(network string, addr string) (edge.Conn, error)

	// Listen attempts to host a service by the given service name;  authenticating as necessary in order to obtain
	// a service session, attach to Edge Routers, and bind (host) the service.
	Listen(serviceName string) (edge.Listener, error)

	// ListenWithOptions performs the same logic as Listen, but allows the specification of ListenOptions.
	ListenWithOptions(serviceName string, options *ListenOptions) (edge.Listener, error)

	// GetServiceId will return the id of a specific service by service name. If not found, false, will be returned
	// with an empty string.
	GetServiceId(serviceName string) (string, bool, error)

	// GetServices will return a slice of service details that the current authenticating identity can access for
	// dial (connect) or bind (host/listen).
	GetServices() ([]rest_model.ServiceDetail, error)

	// GetService will return the service details of a specific service by service name.
	GetService(serviceName string) (*rest_model.ServiceDetail, bool)

	// GetServiceForAddr finds the service with intercept that matches best to given address
	GetServiceForAddr(network, hostname string, port uint16) (*rest_model.ServiceDetail, int, error)

	// RefreshServices forces the context to refresh the list of services the current authenticating identity has access
	// to.
	RefreshServices() error

	// GetServiceTerminators will return a slice of rest_model.TerminatorClientDetail for a specific service name.
	// The offset and limit options can be used to page through excessive lists of items. A max of 500 is imposed on
	// limit.
	GetServiceTerminators(serviceName string, offset, limit int) ([]*rest_model.TerminatorClientDetail, int, error)

	// GetSession will return the session detail associated with a specific session id.
	GetSession(id string) (*rest_model.SessionDetail, error)

	// Metrics will return the current context's metrics Registry.
	Metrics() metrics.Registry

	// Close closes any connections open to edge routers
	Close()

	// AddZitiMfaHandler adds a Ziti MFA handler, invoked during authentication
	AddZitiMfaHandler(handler func(query *rest_model.AuthQueryDetail, resp func(code string) error) error)

	// EnrollZitiMfa will attempt to enable TOTP 2FA on the currently authenticating identity if not already enrolled.
	EnrollZitiMfa() (*rest_model.DetailMfa, error)

	// VerifyZitiMfa will attempt to complete enrollment of TOTP 2FA with the given code.
	VerifyZitiMfa(code string) error

	// RemoveZitiMfa will attempt to remove TOTP 2FA for the current identity
	RemoveZitiMfa(code string) error
}

Context is the main interface for SDK instances that may be used to authenticate, connect to services, or host services.

func LoadContext added in v0.17.0 

func LoadContext(config_ string) (Context, error)

LoadContext returns Ziti context for the given identity file loading it if needed

func NewContext 

func NewContext() (Context, error)

func NewContextWithConfig 

func NewContextWithConfig(cfg *config.Config) (Context, error)

func NewContextWithOpts added in v0.13.0 

func NewContextWithOpts(cfg *config.Config, options *Options) (Context, error)

type ContextDialer added in v0.17.0 

type ContextDialer interface {
	DialContext(ctx context.Context, network, address string) (net.Conn, error)
}

type ContextImpl added in v0.19.0 

type ContextImpl struct {
	// contains filtered or unexported fields
}

func (*ContextImpl) AddZitiMfaHandler added in v0.19.0 

func (context *ContextImpl) AddZitiMfaHandler(handler func(query *rest_model.AuthQueryDetail, resp func(code string) error) error)

func (*ContextImpl) Authenticate added in v0.19.0 

func (context *ContextImpl) Authenticate() error

func (*ContextImpl) Close added in v0.19.0 

func (context *ContextImpl) Close()

func (*ContextImpl) Dial added in v0.19.0 

func (context *ContextImpl) Dial(serviceName string) (edge.Conn, error)

func (*ContextImpl) DialAddr added in v0.19.0 

func (context *ContextImpl) DialAddr(network string, addr string) (edge.Conn, error)

func (*ContextImpl) DialWithOptions added in v0.19.0 

func (context *ContextImpl) DialWithOptions(serviceName string, options *DialOptions) (edge.Conn, error)

func (*ContextImpl) EnrollZitiMfa added in v0.19.0 

func (context *ContextImpl) EnrollZitiMfa() (*rest_model.DetailMfa, error)

func (*ContextImpl) EnsureAuthenticated added in v0.19.0 

func (context *ContextImpl) EnsureAuthenticated(options edge.ConnOptions) error

func (*ContextImpl) GetAuthenticator added in v0.19.0 

func (context *ContextImpl) GetAuthenticator() rest_util.Authenticator

func (*ContextImpl) GetCurrentIdentity added in v0.19.0 

func (context *ContextImpl) GetCurrentIdentity() (*rest_model.IdentityDetail, error)

func (*ContextImpl) GetService added in v0.19.0 

func (context *ContextImpl) GetService(name string) (*rest_model.ServiceDetail, bool)

func (*ContextImpl) GetServiceForAddr added in v0.19.0 

func (context *ContextImpl) GetServiceForAddr(network, hostname string, port uint16) (*rest_model.ServiceDetail, int, error)

GetServiceForAddr finds the service with intercept that matches best to given address

func (*ContextImpl) GetServiceId added in v0.19.0 

func (context *ContextImpl) GetServiceId(name string) (string, bool, error)

func (*ContextImpl) GetServiceTerminators added in v0.19.0 

func (context *ContextImpl) GetServiceTerminators(serviceName string, offset, limit int) ([]*rest_model.TerminatorClientDetail, int, error)

func (*ContextImpl) GetServices added in v0.19.0 

func (context *ContextImpl) GetServices() ([]rest_model.ServiceDetail, error)

func (*ContextImpl) GetSession added in v0.19.0 

func (context *ContextImpl) GetSession(serviceId string) (*rest_model.SessionDetail, error)

func (*ContextImpl) Listen added in v0.19.0 

func (context *ContextImpl) Listen(serviceName string) (edge.Listener, error)

func (*ContextImpl) ListenWithOptions added in v0.19.0 

func (context *ContextImpl) ListenWithOptions(serviceName string, options *ListenOptions) (edge.Listener, error)

func (*ContextImpl) Metrics added in v0.19.0 

func (context *ContextImpl) Metrics() metrics.Registry

func (*ContextImpl) OnClose added in v0.19.0 

func (context *ContextImpl) OnClose(factory edge.RouterConn)

func (*ContextImpl) RefreshServices added in v0.19.0 

func (context *ContextImpl) RefreshServices() error

func (*ContextImpl) RemoveZitiMfa added in v0.19.0 

func (context *ContextImpl) RemoveZitiMfa(code string) error

func (*ContextImpl) Sessions added in v0.19.0 

func (context *ContextImpl) Sessions() ([]*rest_model.SessionDetail, error)

func (*ContextImpl) SetAuthenticator added in v0.19.0 

func (context *ContextImpl) SetAuthenticator(authenticator rest_util.Authenticator)

func (*ContextImpl) VerifyZitiMfa added in v0.19.0 

func (context *ContextImpl) VerifyZitiMfa(code string) error

type CtrlClient added in v0.19.0 

type CtrlClient struct {
	*rest_client_api_client.ZitiEdgeClient
	Authenticator rest_util.Authenticator

	ApiSession *rest_model.CurrentAPISessionDetail

	EdgeClientApiUrl *url.URL

	ApiSessionIdentity          identity.Identity
	ApiSessionCertificateDetail rest_model.CurrentAPISessionCertificateDetail
	ApiSessionCsr               x509.CertificateRequest
	ApiSessionCertificate       *x509.Certificate
	ApiSessionPrivateKey        *ecdsa.PrivateKey
	CaPool                      *x509.CertPool
	ApiSessionCertInstance      string

	PostureCache *posture.Cache
	// contains filtered or unexported fields
}

CtrlClient is a stateful version of ZitiEdgeClient that simplifies operations

func (*CtrlClient) Authenticate added in v0.19.0 

func (client *CtrlClient) Authenticate() (*rest_model.CurrentAPISessionDetail, error)

Authenticate attempts to use authenticate, overwriting any existing ApiSession.

func (*CtrlClient) AuthenticateMFA added in v0.19.0 

func (client *CtrlClient) AuthenticateMFA(code string) error

AuthenticateMFA handles MFA authentication queries may be provided. AuthenticateMFA allows the current identity for their current api session to attempt to pass MFA authentication.

func (*CtrlClient) AuthenticateRequest added in v0.19.0 

func (client *CtrlClient) AuthenticateRequest(request runtime.ClientRequest, registry strfmt.Registry) error

AuthenticateRequest allows a CtrlClient to act as a ClientAuthInfoWriter, authenticating go-swagger generated client requests.

func (*CtrlClient) CreateSession added in v0.19.0 

func (client *CtrlClient) CreateSession(id string, sessionType SessionType) (*rest_model.SessionDetail, error)

CreateSession will attempt to obtain a session token for a specific service id and type.

func (*CtrlClient) EnrollMfa added in v0.19.0 

func (client *CtrlClient) EnrollMfa() (*rest_model.DetailMfa, error)

EnrollMfa will attempt to start TOTP MFA enrollment for the currently authenticated identity.

func (*CtrlClient) EnsureApiSessionCertificate added in v0.19.0 

func (client *CtrlClient) EnsureApiSessionCertificate() error

EnsureApiSessionCertificate will create an ApiSessionCertificate if one does not already exist.

func (*CtrlClient) GetCurrentApiSession added in v0.19.0 

func (client *CtrlClient) GetCurrentApiSession() *rest_model.CurrentAPISessionDetail

GetCurrentApiSession returns the current cached ApiSession or nil

func (*CtrlClient) GetCurrentIdentity added in v0.19.0 

func (client *CtrlClient) GetCurrentIdentity() (*rest_model.IdentityDetail, error)

GetCurrentIdentity returns the rest_model.IdentityDetail for the currently authenticated ApiSession.

func (*CtrlClient) GetIdentity added in v0.19.0 

func (client *CtrlClient) GetIdentity() (identity.Identity, error)

GetIdentity returns the identity.Identity used to facilitate authentication. Each identity.Identity instance may provide authentication material in the form of x509 certificates and private keys and/or trusted CA pools.

func (*CtrlClient) GetServiceTerminators added in v0.19.0 

func (client *CtrlClient) GetServiceTerminators(svc *rest_model.ServiceDetail, offset int, limit int) ([]*rest_model.TerminatorClientDetail, int, error)

GetServiceTerminators returns the client terminator details for a specific service.

func (*CtrlClient) GetServices added in v0.19.0 

func (client *CtrlClient) GetServices() ([]*rest_model.ServiceDetail, error)

GetServices will fetch the list of services that the identity of the current ApiSession has access to for dialing or binding.

func (*CtrlClient) GetSession added in v0.19.0 

func (client *CtrlClient) GetSession(id string) (*rest_model.SessionDetail, error)

GetSession returns the full rest_model.SessionDetail for a specific id

func (*CtrlClient) IsServiceListUpdateAvailable added in v0.19.0 

func (client *CtrlClient) IsServiceListUpdateAvailable() (bool, error)

IsServiceListUpdateAvailable will contact the controller to determine if a new set of services are available. Service updates could entail gaining/losing services access via policy or runtime authorization revocation due to posture checks.

func (*CtrlClient) NewApiSessionCertificate added in v0.19.0 

func (client *CtrlClient) NewApiSessionCertificate() error

NewApiSessionCertificate will create a new ephemeral private key used to generate an ephemeral certificate that may be used with the current ApiSession. The generated certificate and private key are scoped to the ApiSession used to create it.

func (*CtrlClient) Refresh added in v0.19.0 

func (client *CtrlClient) Refresh() (*time.Time, error)

Refresh will contact the controller extending the current ApiSession

func (*CtrlClient) RemoveMfa added in v0.19.0 

func (client *CtrlClient) RemoveMfa(code string) error

RemoveMfa will remove the currently enrolled TOTP MFA added by EnrollMfa() and verified by VerifyMfa()

func (*CtrlClient) SendPostureResponse added in v0.19.0 

func (client *CtrlClient) SendPostureResponse(response rest_model.PostureResponseCreate) error

SendPostureResponse creates a posture response (some state data the controller has requested) for services. This information is used to determine runtime authorization access to services via posture checks.

func (*CtrlClient) SendPostureResponseBulk added in v0.19.0 

func (client *CtrlClient) SendPostureResponseBulk(responses []rest_model.PostureResponseCreate) error

SendPostureResponseBulk provides the same functionality as SendPostureResponse but allows multiple responses to be sent in a single request.

func (*CtrlClient) SetInfo added in v0.19.0 

func (client *CtrlClient) SetInfo(envInfo *rest_model.EnvInfo, sdkInfo *rest_model.SdkInfo)

SetInfo is used to set the environment and SDK information that is submitted during authentication requests. Environment information includes OS level information while SDK information includes application and build information.

func (*CtrlClient) VerifyMfa added in v0.19.0 

func (client *CtrlClient) VerifyMfa(code string) error

VerifyMfa will complete a TOTP MFA enrollment created via EnrollMfa.

type DialOptions added in v0.13.47 

type DialOptions struct {
	ConnectTimeout time.Duration
	Identity       string
	AppData        []byte
}

func (DialOptions) GetConnectTimeout added in v0.13.47 

func (d DialOptions) GetConnectTimeout() time.Duration

type Dialer added in v0.17.0 

type Dialer interface {
	Dial(network, address string) (net.Conn, error)
}

func NewDialer added in v0.17.0 

func NewDialer() Dialer

func NewDialerWithFallback added in v0.17.0 

func NewDialerWithFallback(ctx context.Context, fallback Dialer) Dialer

type ListenOptions added in v0.13.47 

type ListenOptions struct {
	Cost                  uint16
	Precedence            Precedence
	ConnectTimeout        time.Duration
	MaxConnections        int
	Identity              string
	BindUsingEdgeIdentity bool
	ManualStart           bool
}

func DefaultListenOptions added in v0.13.47 

func DefaultListenOptions() *ListenOptions

type Options added in v0.15.17 

type Options struct {
	RefreshInterval time.Duration
	OnContextReady  func(ctx Context)
	OnServiceUpdate serviceCB
}

type Precedence added in v0.13.47 

type Precedence byte

func GetPrecedenceForLabel added in v0.15.3 

func GetPrecedenceForLabel(p string) Precedence

func (Precedence) String added in v0.15.3 

func (p Precedence) String() string

type ServiceEventType added in v0.15.17 

type ServiceEventType string
const (
	ServiceAdded   ServiceEventType = "Added"
	ServiceRemoved ServiceEventType = "Removed"
	ServiceChanged ServiceEventType = "Changed"
)

type SessionType added in v0.19.0 

type SessionType rest_model.DialBind

Source Files

View all Source files

Directories

Path Synopsis
network
posture

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.