Overview ¶
Package edge_apis_2 provides a wrapper around the generated Edge Client and Management APIs to improve ease of use.
Constants ¶
const (
	// AuthRequestIdHeader is the name of the HTTP header that carries an
	// authentication request id. How and when the server populates it is not
	// visible here; see the authentication flow in the implementation.
	AuthRequestIdHeader = "auth-request-id"
	// TotpRequiredHeader is the name of the HTTP header used to signal that a
	// TOTP code is required to complete authentication (presumably read when
	// the TotpCallback on the API types is invoked — confirm in the implementation).
	TotpRequiredHeader = "totp-required"
)
const (
	// ClientApiPath is the URL path prefix of the Edge Client API,
	// e.g. `https://example.com/edge/client/v1`.
	ClientApiPath = "/edge/client/v1"
	// ManagementApiPath is the URL path prefix of the Edge Management API,
	// e.g. `https://example.com/edge/management/v1`.
	ManagementApiPath = "/edge/management/v1"
)
// JwtTokenPrefix holds the leading characters of a base64url-encoded JWT: the
// encoding of the `{"` that opens the JOSE header. Matching this prefix only
// sniffs the token's *format* so the caller can pick an authentication path;
// it says nothing about the token's signature, issuer or expiry and must never
// be treated as verification.
const JwtTokenPrefix = "ey"
Variables ¶
This section is empty.
Functions ¶
func ClientUrl ¶ added in v0.20.66
ClientUrl returns a URL with the given hostname in the format of `https://<hostname>/edge/client/v1`. The hostname provided may include a port.
func ManagementUrl ¶ added in v0.20.66
ManagementUrl returns a URL with the given hostname in the format of `https://<hostname>/edge/management/v1`. The hostname provided may include a port.
Types ¶
type ApiAccessClaims ¶ added in v0.23.0
// ApiAccessClaims is the claim set carried by the access token of an OIDC
// backed API session (see ApiSessionOidc.GetAccessClaims). It embeds the
// standard registered claims and adds OpenZiti-specific claims under the
// `z_*` JSON names. Like every claim, these values are only meaningful once
// the token's signature has been verified; the verification itself is not
// part of this type.
type ApiAccessClaims struct {
	jwt.RegisteredClaims
	// ApiSessionId is carried in the `z_asid` claim.
	ApiSessionId string `json:"z_asid,omitempty"`
	// ExternalId is carried in the `z_eid` claim.
	ExternalId string `json:"z_eid,omitempty"`
	// IsAdmin is carried in the `z_ia` claim. It is an authorization-bearing
	// value and must only be relied on after signature verification.
	IsAdmin bool `json:"z_ia,omitempty"`
	// ConfigTypes is carried in the `z_ct` claim.
	ConfigTypes []string `json:"z_ct,omitempty"`
	// ApplicationId is carried in the `z_aid` claim.
	ApplicationId string `json:"z_aid,omitempty"`
	// Type is carried in the `z_t` claim and is always emitted (no omitempty).
	// Its value set is not visible here — confirm against the token issuer.
	Type string `json:"z_t"`
	// CertFingerprints is carried in the `z_cfs` claim and is always emitted.
	CertFingerprints []string `json:"z_cfs"`
	// Scopes is carried in the standard `scopes` claim.
	Scopes []string `json:"scopes,omitempty"`
}
type ApiSession ¶ added in v0.22.6
// ApiSession is the common view over an authenticated API session, whether it
// is backed by the legacy `zt-session` detail (ApiSessionLegacy) or by OIDC
// tokens (ApiSessionOidc). The token material it exposes is bearer material:
// whoever holds it can act as the session, so callers should avoid logging it.
type ApiSession interface {
	// GetAccessHeader returns the HTTP header name and value that should be
	// used to represent this ApiSession on outgoing requests.
	GetAccessHeader() (string, string)
	// AuthenticateRequest fulfills the interface defined by the OpenAPI
	// libraries to authenticate client HTTP requests.
	AuthenticateRequest(request runtime.ClientRequest, _ strfmt.Registry) error
	// GetToken returns the ApiSession's raw token bytes.
	GetToken() []byte
	// GetExpiresAt returns the time when the ApiSession will expire.
	GetExpiresAt() *time.Time
	// GetAuthQueries returns the list of authentication queries (e.g. secondary
	// factors) the ApiSession is still subject to.
	GetAuthQueries() rest_model.AuthQueryList
	// GetIdentityName returns the name of the authenticating identity.
	GetIdentityName() string
	// GetIdentityId returns the id of the authenticating identity.
	GetIdentityId() string
	// GetId returns the id of the ApiSession.
	GetId() string
}
type ApiSessionLegacy ¶ added in v0.23.0
// ApiSessionLegacy represents OpenZiti's original authentication API Session
// Detail, supplied in the `zt-session` header. It has been supplanted by OIDC
// authentication represented by ApiSessionOidc.
type ApiSessionLegacy struct {
	// Detail is the session detail returned by the controller. The token it
	// carries is presented on every request via the `zt-session` header, so it
	// should be treated as a secret and not logged.
	Detail *rest_model.CurrentAPISessionDetail
}
ApiSessionLegacy represents OpenZiti's original authentication API Session Detail, supplied in the `zt-session` header. It has been supplanted by OIDC authentication represented by ApiSessionOidc.
func (*ApiSessionLegacy) AuthenticateRequest ¶ added in v0.23.0
func (a *ApiSessionLegacy) AuthenticateRequest(request runtime.ClientRequest, _ strfmt.Registry) error
func (*ApiSessionLegacy) GetAccessHeader ¶ added in v0.23.0
func (a *ApiSessionLegacy) GetAccessHeader() (string, string)
GetAccessHeader returns the header name and token value that should be used to authenticate requests.
func (*ApiSessionLegacy) GetAuthQueries ¶ added in v0.23.0
func (a *ApiSessionLegacy) GetAuthQueries() rest_model.AuthQueryList
func (*ApiSessionLegacy) GetExpiresAt ¶ added in v0.23.0
func (a *ApiSessionLegacy) GetExpiresAt() *time.Time
func (*ApiSessionLegacy) GetId ¶ added in v0.23.0
func (a *ApiSessionLegacy) GetId() string
func (*ApiSessionLegacy) GetIdentityId ¶ added in v0.23.0
func (a *ApiSessionLegacy) GetIdentityId() string
func (*ApiSessionLegacy) GetIdentityName ¶ added in v0.23.0
func (a *ApiSessionLegacy) GetIdentityName() string
func (*ApiSessionLegacy) GetToken ¶ added in v0.23.0
func (a *ApiSessionLegacy) GetToken() []byte
type ApiSessionOidc ¶ added in v0.23.0
// ApiSessionOidc represents an authenticated session backed by OIDC tokens.
type ApiSessionOidc struct {
	// OidcTokens holds the token set for the session. The access token is the
	// bearer credential used on requests and the source of GetAccessClaims;
	// the refresh token (if present) is long-lived and should be protected at
	// least as carefully.
	OidcTokens *oidc.Tokens[*oidc.IDTokenClaims]
}
ApiSessionOidc represents an authenticated session backed by OIDC tokens.
func (*ApiSessionOidc) AuthenticateRequest ¶ added in v0.23.0
func (a *ApiSessionOidc) AuthenticateRequest(request runtime.ClientRequest, _ strfmt.Registry) error
func (*ApiSessionOidc) GetAccessClaims ¶ added in v0.23.0
func (a *ApiSessionOidc) GetAccessClaims() (*ApiAccessClaims, error)
func (*ApiSessionOidc) GetAccessHeader ¶ added in v0.23.0
func (a *ApiSessionOidc) GetAccessHeader() (string, string)
GetAccessHeader returns the header name and token value that should be used to authenticate requests.
func (*ApiSessionOidc) GetAuthQueries ¶ added in v0.23.0
func (a *ApiSessionOidc) GetAuthQueries() rest_model.AuthQueryList
func (*ApiSessionOidc) GetExpiresAt ¶ added in v0.23.0
func (a *ApiSessionOidc) GetExpiresAt() *time.Time
func (*ApiSessionOidc) GetId ¶ added in v0.23.0
func (a *ApiSessionOidc) GetId() string
func (*ApiSessionOidc) GetIdentityId ¶ added in v0.23.0
func (a *ApiSessionOidc) GetIdentityId() string
func (*ApiSessionOidc) GetIdentityName ¶ added in v0.23.0
func (a *ApiSessionOidc) GetIdentityName() string
func (*ApiSessionOidc) GetToken ¶ added in v0.23.0
func (a *ApiSessionOidc) GetToken() []byte
type ApiType ¶
// ApiType is an interface constraint for generics. The underlying go-swagger
// types only have fields, which is insufficient to build a generic type from;
// instead this constraint points at the aliased types defined in this package.
type ApiType interface {
	ZitiEdgeManagement | ZitiEdgeClient
}
ApiType is an interface constraint for generics. The underlying go-swagger types only have fields, which are insufficient to attempt to make a generic type from. Instead, this constraint is used that points at the aliased types.
type AuthEnabledApi ¶
// AuthEnabledApi is used as a sentinel interface to detect APIs that support
// authentication and to work around a Go limitation dealing with accessing
// fields of generically typed values.
type AuthEnabledApi interface {
	// Authenticate will attempt to issue an authentication request using the
	// provided credentials and http client. These functions act as an
	// abstraction around the underlying go-swagger generated client and will
	// use the default http client if none is provided.
	Authenticate(credentials Credentials, configTypes []string, httpClient *http.Client) (ApiSession, error)
	// SetUseOidc selects whether OIDC authentication is used instead of the
	// legacy `zt-session` flow.
	SetUseOidc(bool)
}
AuthEnabledApi is used as a sentinel interface to detect APIs that support authentication and to work around a Go limitation dealing with accessing fields of generically typed values.
type BaseClient ¶
// BaseClient implements the Client interface specifically for the types
// specified in the ApiType constraint. It provides shared functionality that
// all ApiType types require.
type BaseClient[A ApiType] struct {
	// API is the wrapped go-swagger generated client.
	API *A
	// Components holds the shared runtime, HTTP client, transport and CA pool.
	Components
	// AuthInfoWriter authenticates outgoing requests on behalf of the client.
	AuthInfoWriter runtime.ClientAuthInfoWriter
	// ApiSession is the session currently used to authenticate requests. It is
	// held in an atomic pointer so it can be replaced after a successful
	// Authenticate, or cleared after a failed one, without a data race.
	ApiSession atomic.Pointer[ApiSession]
	// Credentials are the credentials supplied to Authenticate
	// (presumably retained for re-authentication — confirm in the implementation).
	Credentials Credentials
}
BaseClient implements the Client interface specifically for the types specified in the ApiType constraint. It provides shared functionality that all ApiType types require.
func (*BaseClient[A]) Authenticate ¶
func (self *BaseClient[A]) Authenticate(credentials Credentials, configTypes []string) (ApiSession, error)
Authenticate will attempt to use the provided credentials to authenticate via the underlying ApiType. On success the API Session details will be returned and the current client will make authenticated requests on future calls. On an error the API Session in use will be cleared and subsequent requests will become/continue to be made in an unauthenticated fashion.
func (*BaseClient[A]) AuthenticateRequest ¶
func (self *BaseClient[A]) AuthenticateRequest(request runtime.ClientRequest, registry strfmt.Registry) error
AuthenticateRequest implements the openapi runtime.ClientAuthInfoWriter interface from the OpenAPI libraries. It is used to authenticate outgoing requests.
func (*BaseClient[A]) GetCurrentApiSession ¶
func (self *BaseClient[A]) GetCurrentApiSession() ApiSession
GetCurrentApiSession returns the ApiSession that is being used to authenticate requests.
func (*BaseClient[A]) SetUseOidc ¶ added in v0.23.2
func (self *BaseClient[A]) SetUseOidc(use bool)
type BaseCredentials ¶
// BaseCredentials is a shared struct of information all Credentials
// implementations require.
type BaseCredentials struct {
	// ConfigTypes is used to set the configuration types for services during
	// authentication.
	ConfigTypes []string
	// Headers is a map of strings to string arrays of headers to send with
	// auth requests (AddHeader and AddJWT write into it).
	Headers *http.Header
	// EnvInfo is provided during authentication to set environmental
	// information about the client.
	EnvInfo *rest_model.EnvInfo
	// SdkInfo is provided during authentication to set SDK information about
	// the client.
	SdkInfo *rest_model.SdkInfo
	// CaPool will override the client's default certificate pool if set to a
	// non-nil value. Because it decides which CAs the controller's TLS
	// certificate is validated against, it should only be populated from a
	// trusted source (an identity file or a pool the user has verified).
	CaPool *x509.CertPool
}
BaseCredentials is a shared struct of information all Credentials implementations require.
func (*BaseCredentials) AddHeader ¶ added in v0.20.20
func (c *BaseCredentials) AddHeader(key, value string)
AddHeader provides a base implementation to add a header to the request.
func (*BaseCredentials) AddJWT ¶ added in v0.20.50
func (c *BaseCredentials) AddJWT(token string)
AddJWT adds additional JWTs to the credentials. Used to satisfy secondary authentication/MFA requirements. The provided token should be the base64 encoded version of the token. Convenience function for AddHeader.
func (*BaseCredentials) AuthenticateRequest ¶
func (c *BaseCredentials) AuthenticateRequest(request runtime.ClientRequest, _ strfmt.Registry) error
AuthenticateRequest provides a base implementation to authenticate an outgoing request. This is provided here for authentication methods such as `cert` which do not have to provide any more request level information.
func (*BaseCredentials) GetCaPool ¶
func (c *BaseCredentials) GetCaPool() *x509.CertPool
GetCaPool provides a base implementation to return the certificate pool of a Credentials instance.
func (*BaseCredentials) Payload ¶
func (c *BaseCredentials) Payload() *rest_model.Authenticate
Payload will produce the object used to construct the body of an authentication request. The base version sets shared information available in BaseCredentials.
func (*BaseCredentials) TlsCerts ¶
func (c *BaseCredentials) TlsCerts() []tls.Certificate
TlsCerts provides a base implementation of returning the tls.Certificate array that will be used to setup mTLS connections. This is provided here for authentication methods that do not initially require mTLS (e.g. JWTs).
type CertCredentials ¶
// CertCredentials represents authentication using certificates that are not
// from an Identity configuration file.
type CertCredentials struct {
	BaseCredentials
	// Certs is the certificate chain. The certificate at index zero is the
	// leaf client certificate that pairs with Key; the remaining entries are
	// the supporting chain.
	Certs []*x509.Certificate
	// Key is the private key matching Certs[0].
	Key crypto.PrivateKey
}
CertCredentials represents authentication using certificates that are not from an Identity configuration file.
func NewCertCredentials ¶
func NewCertCredentials(certs []*x509.Certificate, key crypto.PrivateKey) *CertCredentials
NewCertCredentials creates Credentials instance based upon an array of certificates. At least one certificate must be provided and the certificate at index zero is assumed to be the leaf client certificate that pairs with the provided private key. All other certificates are assumed to support the leaf client certificate as a chain.
func (*CertCredentials) GetIdentity ¶
func (c *CertCredentials) GetIdentity() identity.Identity
func (*CertCredentials) Method ¶
func (c *CertCredentials) Method() string
func (*CertCredentials) TlsCerts ¶
func (c *CertCredentials) TlsCerts() []tls.Certificate
type ClientApiClient ¶
// ClientApiClient provides the ability to authenticate and interact with the
// Edge Client API. Construct it with NewClientApiClient.
type ClientApiClient struct {
	BaseClient[ZitiEdgeClient]
}
func NewClientApiClient ¶
func NewClientApiClient(apiUrl *url.URL, caPool *x509.CertPool, totpCallback func(chan string)) *ClientApiClient
NewClientApiClient will assemble a ClientApiClient. The apiUrl should be the full URL to the Edge Client API (e.g. `https://example.com/edge/client/v1`).
The `caPool` argument should be a list of trusted root CAs. If provided as `nil` here unauthenticated requests will use the system certificate pool. If authentication occurs, and a certificate pool is set on the Credentials the certificate pool from the Credentials will be used from that point forward. Credentials implementations based on an identity.Identity are likely to provide a certificate pool.
For OpenZiti instances not using publicly signed certificates, `ziti.GetControllerWellKnownCaPool()` can be used to obtain and verify the target controller's CAs. Tools should allow users to verify and accept new controllers that have not been verified from an outside secret (such as an enrollment token).
type Components ¶
// Components provides the basic shared lower level pieces used to assemble
// go-swagger/openapi clients. These components are interconnected and have
// references to each other; this struct is used to set, move, and manage them
// as a set.
type Components struct {
	// Runtime is the openapi client runtime built on HttpClient.
	Runtime *openapiclient.Runtime
	// HttpClient is the HTTP client used for API calls.
	HttpClient *http.Client
	// HttpTransport is the transport behind HttpClient; its TLS configuration
	// is where CaPool and any client certificates take effect.
	HttpTransport *http.Transport
	// CaPool is the set of CAs trusted for the controller's TLS certificate.
	// When nil, the system pool is used (see NewClientApiClient).
	CaPool *x509.CertPool
}
Components provides the basic shared lower level pieces used to assemble go-swagger/openapi clients. These components are interconnected and have references to each other. This struct is used to set, move, and manage them as a set.
func NewComponents ¶
func NewComponents(api *url.URL, schemes []string) *Components
NewComponents assembles a new set of components with reasonable production defaults.
type Credentials ¶
// Credentials represents the minimal information needed across all
// authentication mechanisms to authenticate an identity to an OpenZiti network.
type Credentials interface {
	// Payload constructs the object that represents the JSON authentication
	// payload for this set of credentials.
	Payload() *rest_model.Authenticate
	// TlsCerts returns zero or more tls.Certificates used for client
	// (mTLS) authentication.
	TlsCerts() []tls.Certificate
	// GetCaPool returns the CA pool that this credential was configured to
	// trust for the controller's TLS certificate.
	GetCaPool() *x509.CertPool
	// Method returns the authentication method name used to complete an
	// authentication request.
	Method() string
	// AddHeader adds a header to the authentication request.
	AddHeader(key, value string)
	// AddJWT adds additional JWTs to the credentials. Used to satisfy
	// secondary authentication/MFA requirements. The provided token should be
	// the base64 encoded version of the token.
	AddJWT(string)
	// ClientAuthInfoWriter is used to pass a Credentials instance to the
	// openapi runtime to authenticate outgoing requests.
	runtime.ClientAuthInfoWriter
}
Credentials represents the minimal information needed across all authentication mechanisms to authenticate an identity to an OpenZiti network.
type IdentityCredentials ¶
// IdentityCredentials authenticates using an identity.Identity, which supplies
// the client certificate and private key for mTLS and, typically, the CA pool
// to trust (see GetCaPool and TlsCerts).
type IdentityCredentials struct {
	BaseCredentials
	// Identity is the loaded identity backing these credentials.
	Identity identity.Identity
}
func NewIdentityCredentials ¶
func NewIdentityCredentials(identity identity.Identity) *IdentityCredentials
NewIdentityCredentials creates a Credentials instance based upon an Identity.
func NewIdentityCredentialsFromConfig ¶
func NewIdentityCredentialsFromConfig(config identity.Config) *IdentityCredentials
NewIdentityCredentialsFromConfig creates a Credentials instance based upon an Identity configuration.
func (*IdentityCredentials) AuthenticateRequest ¶ added in v0.20.20
func (c *IdentityCredentials) AuthenticateRequest(request runtime.ClientRequest, reg strfmt.Registry) error
func (*IdentityCredentials) GetCaPool ¶
func (c *IdentityCredentials) GetCaPool() *x509.CertPool
func (*IdentityCredentials) GetIdentity ¶
func (c *IdentityCredentials) GetIdentity() identity.Identity
func (*IdentityCredentials) Method ¶
func (c *IdentityCredentials) Method() string
func (*IdentityCredentials) TlsCerts ¶
func (c *IdentityCredentials) TlsCerts() []tls.Certificate
type IdentityProvider ¶
IdentityProvider is a sentinel interface used to determine whether the backing Credentials instance can provide an Identity that can provide a certificate and private key used to initiate mTLS connections.
type JwtCredentials ¶
// JwtCredentials authenticates with a JWT obtained from an outside system
// (see NewJwtCredentials). JWT authentication does not initially require
// mTLS, so the inherited TlsCerts returns no certificates.
type JwtCredentials struct {
	BaseCredentials
	// JWT is the bearer token presented for authentication. It is a secret
	// and should not be logged.
	JWT string
	// SendOnEveryRequest — the name suggests the JWT is attached to every
	// outgoing request rather than only the authentication request when set;
	// confirm against AuthenticateRequest.
	SendOnEveryRequest bool
}
func NewJwtCredentials ¶
func NewJwtCredentials(jwt string) *JwtCredentials
NewJwtCredentials creates a Credentials instance based on a JWT obtained from an outside system.
func (*JwtCredentials) AuthenticateRequest ¶
func (c *JwtCredentials) AuthenticateRequest(request runtime.ClientRequest, reg strfmt.Registry) error
func (*JwtCredentials) Method ¶
func (c *JwtCredentials) Method() string
type ManagementApiClient ¶
// ManagementApiClient provides the ability to authenticate and interact with
// the Edge Management API. Construct it with NewManagementApiClient.
type ManagementApiClient struct {
	BaseClient[ZitiEdgeManagement]
}
ManagementApiClient provides the ability to authenticate and interact with the Edge Management API.
func NewManagementApiClient ¶
func NewManagementApiClient(apiUrl *url.URL, caPool *x509.CertPool, totpCallback func(chan string)) *ManagementApiClient
NewManagementApiClient will assemble a ManagementApiClient. The apiUrl should be the full URL to the Edge Management API (e.g. `https://example.com/edge/management/v1`).
The `caPool` argument should be a list of trusted root CAs. If provided as `nil` here unauthenticated requests will use the system certificate pool. If authentication occurs, and a certificate pool is set on the Credentials the certificate pool from the Credentials will be used from that point forward. Credentials implementations based on an identity.Identity are likely to provide a certificate pool.
For OpenZiti instances not using publicly signed certificates, `ziti.GetControllerWellKnownCaPool()` can be used to obtain and verify the target controller's CAs. Tools should allow users to verify and accept new controllers that have not been verified from an outside secret (such as an enrollment token).
type OidcEnabledApi ¶ added in v0.23.2
// OidcEnabledApi is implemented by API types that can switch between the
// legacy `zt-session` authentication flow and OIDC token based authentication.
type OidcEnabledApi interface {
	// SetUseOidc enables OIDC authentication when use is true.
	SetUseOidc(use bool)
}
type ServiceAccessClaims ¶ added in v0.22.6
type UpdbCredentials ¶
// UpdbCredentials authenticates with a username/password combination
// (see NewUpdbCredentials).
type UpdbCredentials struct {
	BaseCredentials
	// Username is the account name sent in the authentication payload.
	Username string
	// Password is held in clear text for the lifetime of the struct; callers
	// should keep instances short-lived and avoid logging them.
	Password string
}
func NewUpdbCredentials ¶
func NewUpdbCredentials(username string, password string) *UpdbCredentials
NewUpdbCredentials creates a Credentials instance based on a username/password combination.
func (*UpdbCredentials) AuthenticateRequest ¶ added in v0.20.20
func (c *UpdbCredentials) AuthenticateRequest(request runtime.ClientRequest, reg strfmt.Registry) error
func (*UpdbCredentials) Method ¶
func (c *UpdbCredentials) Method() string
func (*UpdbCredentials) Payload ¶
func (c *UpdbCredentials) Payload() *rest_model.Authenticate
type ZitiEdgeClient ¶
// ZitiEdgeClient is an alias of the go-swagger generated client that allows
// this package to add additional functionality to the alias type to implement
// the AuthEnabledApi interface.
type ZitiEdgeClient struct {
	*rest_client_api_client.ZitiEdgeClient
	// TotpCallback is invoked when authentication requires a TOTP code; the
	// supplied channel presumably receives the code from the caller — confirm
	// in Authenticate.
	TotpCallback func(chan string)
	// contains filtered or unexported fields
}
ZitiEdgeClient is an alias of the go-swagger generated client that allows this package to add additional functionality to the alias type to implement the AuthEnabledApi interface.
func (*ZitiEdgeClient) Authenticate ¶
func (self *ZitiEdgeClient) Authenticate(credentials Credentials, configTypes []string, httpClient *http.Client) (ApiSession, error)
func (*ZitiEdgeClient) ExchangeTokens ¶ added in v0.22.6
func (self *ZitiEdgeClient) ExchangeTokens(curTokens *oidc.Tokens[*oidc.IDTokenClaims]) (*oidc.Tokens[*oidc.IDTokenClaims], error)
func (*ZitiEdgeClient) RefreshApiSession ¶ added in v0.22.6
func (self *ZitiEdgeClient) RefreshApiSession(apiSession ApiSession) (ApiSession, error)
func (*ZitiEdgeClient) SetUseOidc ¶ added in v0.22.6
func (self *ZitiEdgeClient) SetUseOidc(use bool)
type ZitiEdgeManagement ¶
// ZitiEdgeManagement is an alias of the go-swagger generated client that allows
// this package to add additional functionality to the alias type to implement
// the AuthEnabledApi interface.
type ZitiEdgeManagement struct {
	*rest_management_api_client.ZitiEdgeManagement
	// TotpCallback is invoked when authentication requires a TOTP code; the
	// supplied channel presumably receives the code from the caller — confirm
	// in Authenticate.
	TotpCallback func(chan string)
	// contains filtered or unexported fields
}
ZitiEdgeManagement is an alias of the go-swagger generated client that allows this package to add additional functionality to the alias type to implement the AuthEnabledApi interface.
func (*ZitiEdgeManagement) Authenticate ¶
func (self *ZitiEdgeManagement) Authenticate(credentials Credentials, configTypes []string, httpClient *http.Client) (ApiSession, error)
func (*ZitiEdgeManagement) ExchangeTokens ¶ added in v0.22.6
func (self *ZitiEdgeManagement) ExchangeTokens(curTokens *oidc.Tokens[*oidc.IDTokenClaims]) (*oidc.Tokens[*oidc.IDTokenClaims], error)
func (*ZitiEdgeManagement) RefreshApiSession ¶ added in v0.22.6
func (self *ZitiEdgeManagement) RefreshApiSession(apiSession ApiSession) (ApiSession, error)
func (*ZitiEdgeManagement) SetUseOidc ¶ added in v0.22.6
func (self *ZitiEdgeManagement) SetUseOidc(use bool)