edge_apis

Published: Mar 11, 2024 License: Apache-2.0 Imports: 43 Imported by: 9

Documentation

Overview

Package edge_apis_2 provides a wrapper around the generated Edge Client and Management APIs to improve ease of use.

Index

Constants

const (
	// AuthRequestIdHeader is the HTTP header that carries the id of an authentication request
	// (presumably one that still has outstanding auth queries; see ApiSession.GetAuthQueries).
	AuthRequestIdHeader = "auth-request-id"
	// TotpRequiredHeader is the HTTP header that signals a TOTP code is still required to complete
	// authentication (the TotpCallback on ZitiEdgeClient/ZitiEdgeManagement is the hook for supplying it).
	TotpRequiredHeader  = "totp-required"
)
const (
	// ClientApiPath is the URL path prefix of the Edge Client API (the path ClientUrl is expected to append).
	ClientApiPath     = "/edge/client/v1"
	// ManagementApiPath is the URL path prefix of the Edge Management API (the path ManagementUrl appends).
	ManagementApiPath = "/edge/management/v1"
)
// JwtTokenPrefix is the two leading characters of every compact-serialized JWT: the header JSON begins
// with `{"`, which base64url-encodes to "ey". Matching this prefix is only a cheap shape check for telling
// a JWT apart from other token formats; it says nothing about the token's validity or signature.
const JwtTokenPrefix = "ey"

Variables

This section is empty.

Functions

func ClientUrl added in v0.20.66

func ClientUrl(hostname string) string

ClientUrl returns a URL with the given hostname in the format of `https://<hostname>/edge/client/v1` (ClientApiPath). The hostname provided may include a port.

func ManagementUrl added in v0.20.66

func ManagementUrl(hostname string) string

ManagementUrl returns a URL with the given hostname in the format of `https://<hostname>/edge/management/v1`. The hostname provided may include a port.

Types

type ApiAccessClaims added in v0.23.0

// ApiAccessClaims are the JWT claims of an access token; ApiSessionOidc.GetAccessClaims parses them out of
// the OIDC tokens held by that session. The json tags give the claim names as they appear in the token.
type ApiAccessClaims struct {
	jwt.RegisteredClaims
	ApiSessionId     string   `json:"z_asid,omitempty"`
	ExternalId       string   `json:"z_eid,omitempty"`
	// IsAdmin is a claim asserted by the token issuer; like every other claim it is only meaningful after the
	// token's signature has been verified.
	IsAdmin          bool     `json:"z_ia,omitempty"`
	ConfigTypes      []string `json:"z_ct,omitempty"`
	ApplicationId    string   `json:"z_aid,omitempty"`
	Type             string   `json:"z_t"`
	// CertFingerprints has no omitempty tag, so it is always emitted (as null when nil).
	CertFingerprints []string `json:"z_cfs"`
	Scopes           []string `json:"scopes,omitempty"`
}

type ApiSession added in v0.22.6

// ApiSession is an authenticated session with the controller; implementations are ApiSessionLegacy and
// ApiSessionOidc.
type ApiSession interface {
	// GetAccessHeader returns the HTTP header name and value that represent this ApiSession on outgoing requests.
	GetAccessHeader() (string, string)

	// AuthenticateRequest fulfills the runtime.ClientAuthInfoWriter interface defined by the OpenAPI libraries
	// and is used to authenticate outgoing client HTTP requests. The strfmt.Registry argument is unused.
	AuthenticateRequest(request runtime.ClientRequest, _ strfmt.Registry) error

	// GetToken returns the ApiSession's raw token bytes. Treat the result as a bearer secret: anything that
	// holds it can act as this session until it expires.
	GetToken() []byte

	// GetExpiresAt returns the time when the ApiSession will expire; the pointer may be nil.
	GetExpiresAt() *time.Time

	// GetAuthQueries returns the list of authentication queries the ApiSession is still subject to
	// (presumably secondary/MFA factors; see Credentials.AddJWT).
	GetAuthQueries() rest_model.AuthQueryList

	// GetIdentityName returns the name of the authenticated identity.
	GetIdentityName() string

	// GetIdentityId returns the id of the authenticated identity.
	GetIdentityId() string

	// GetId returns the id of the ApiSession.
	GetId() string
}

type ApiSessionLegacy added in v0.23.0

// ApiSessionLegacy is the ApiSession implementation for the original `zt-session` header based authentication.
type ApiSessionLegacy struct {
	// Detail is the session detail returned by the controller; its token is what GetAccessHeader sends in
	// the `zt-session` header.
	Detail *rest_model.CurrentAPISessionDetail
}

ApiSessionLegacy represents OpenZiti's original authentication API Session Detail, supplied in the `zt-session` header. It has been supplanted by OIDC authentication represented by ApiSessionOidc.

func (*ApiSessionLegacy) AuthenticateRequest added in v0.23.0

func (a *ApiSessionLegacy) AuthenticateRequest(request runtime.ClientRequest, _ strfmt.Registry) error

func (*ApiSessionLegacy) GetAccessHeader added in v0.23.0

func (a *ApiSessionLegacy) GetAccessHeader() (string, string)

GetAccessHeader returns the header name and token value that should be used to authenticate requests.

func (*ApiSessionLegacy) GetAuthQueries added in v0.23.0

func (a *ApiSessionLegacy) GetAuthQueries() rest_model.AuthQueryList

func (*ApiSessionLegacy) GetExpiresAt added in v0.23.0

func (a *ApiSessionLegacy) GetExpiresAt() *time.Time

func (*ApiSessionLegacy) GetId added in v0.23.0

func (a *ApiSessionLegacy) GetId() string

func (*ApiSessionLegacy) GetIdentityId added in v0.23.0

func (a *ApiSessionLegacy) GetIdentityId() string

func (*ApiSessionLegacy) GetIdentityName added in v0.23.0

func (a *ApiSessionLegacy) GetIdentityName() string

func (*ApiSessionLegacy) GetToken added in v0.23.0

func (a *ApiSessionLegacy) GetToken() []byte

type ApiSessionOidc added in v0.23.0

// ApiSessionOidc is the ApiSession implementation backed by OIDC tokens.
type ApiSessionOidc struct {
	// OidcTokens holds the OIDC token set (access, refresh and id tokens) for the session; GetAccessClaims
	// parses the access token's claims from it. These are bearer secrets and should not be logged.
	OidcTokens *oidc.Tokens[*oidc.IDTokenClaims]
}

ApiSessionOidc represents an authenticated session backed by OIDC tokens.

func (*ApiSessionOidc) AuthenticateRequest added in v0.23.0

func (a *ApiSessionOidc) AuthenticateRequest(request runtime.ClientRequest, _ strfmt.Registry) error

func (*ApiSessionOidc) GetAccessClaims added in v0.23.0

func (a *ApiSessionOidc) GetAccessClaims() (*ApiAccessClaims, error)

func (*ApiSessionOidc) GetAccessHeader added in v0.23.0

func (a *ApiSessionOidc) GetAccessHeader() (string, string)

GetAccessHeader returns the header name and token value that should be used to authenticate requests.

func (*ApiSessionOidc) GetAuthQueries added in v0.23.0

func (a *ApiSessionOidc) GetAuthQueries() rest_model.AuthQueryList

func (*ApiSessionOidc) GetExpiresAt added in v0.23.0

func (a *ApiSessionOidc) GetExpiresAt() *time.Time

func (*ApiSessionOidc) GetId added in v0.23.0

func (a *ApiSessionOidc) GetId() string

func (*ApiSessionOidc) GetIdentityId added in v0.23.0

func (a *ApiSessionOidc) GetIdentityId() string

func (*ApiSessionOidc) GetIdentityName added in v0.23.0

func (a *ApiSessionOidc) GetIdentityName() string

func (*ApiSessionOidc) GetToken added in v0.23.0

func (a *ApiSessionOidc) GetToken() []byte

type ApiType

type ApiType interface {
	ZitiEdgeManagement | ZitiEdgeClient
}

ApiType is an interface constraint for generics. The underlying go-swagger types only have fields, which is insufficient to build a generic type from. Instead, this constraint is used, pointing at the aliased types.

type AuthEnabledApi

// AuthEnabledApi marks an API that supports authentication; ZitiEdgeClient and ZitiEdgeManagement implement it.
type AuthEnabledApi interface {
	// Authenticate will attempt to issue an authentication request using the provided credentials and http client.
	// These functions act as abstractions around the underlying go-swagger generated client and will use the default
	// http client if httpClient is nil.
	Authenticate(credentials Credentials, configTypes []string, httpClient *http.Client) (ApiSession, error)
	// SetUseOidc selects whether authentication uses the OIDC flow (ApiSessionOidc) rather than the legacy
	// `zt-session` flow (ApiSessionLegacy) — presumably; confirm against the ZitiEdgeClient/ZitiEdgeManagement implementations.
	SetUseOidc(bool)
}

AuthEnabledApi is used as a sentinel interface to detect APIs that support authentication and to work around a Go limitation on accessing the fields of generically typed values.

type BaseClient

// BaseClient implements the Client interface for the types in the ApiType constraint and holds the
// shared state those types require.
type BaseClient[A ApiType] struct {
	// API is the wrapped go-swagger generated client (ZitiEdgeClient or ZitiEdgeManagement).
	API *A
	Components
	// AuthInfoWriter authenticates outgoing requests for the openapi runtime.
	AuthInfoWriter runtime.ClientAuthInfoWriter
	// ApiSession is the session used to authenticate requests. It is an atomic pointer so Authenticate and
	// concurrent request authentication do not race; a nil pointer means requests are sent unauthenticated
	// (Authenticate clears it on error).
	ApiSession     atomic.Pointer[ApiSession]
	// Credentials are the credentials used for authentication — presumably those last passed to Authenticate; confirm there.
	Credentials    Credentials
}

BaseClient implements the Client interface specifically for the types specified in the ApiType constraint. It provides shared functionality that all ApiType types require.

func (*BaseClient[A]) Authenticate

func (self *BaseClient[A]) Authenticate(credentials Credentials, configTypes []string) (ApiSession, error)

Authenticate will attempt to use the provided credentials to authenticate via the underlying ApiType. On success the API Session details will be returned and the current client will make authenticated requests on future calls. On an error the API Session in use will be cleared and subsequent requests will become/continue to be made in an unauthenticated fashion.

func (*BaseClient[A]) AuthenticateRequest

func (self *BaseClient[A]) AuthenticateRequest(request runtime.ClientRequest, registry strfmt.Registry) error

AuthenticateRequest implements the openapi runtime.ClientAuthInfoWriter interface from the OpenAPI libraries. It is used to authenticate outgoing requests.

func (*BaseClient[A]) GetCurrentApiSession

func (self *BaseClient[A]) GetCurrentApiSession() ApiSession

GetCurrentApiSession returns the ApiSession that is being used to authenticate requests.

func (*BaseClient[A]) SetUseOidc added in v0.23.2

func (self *BaseClient[A]) SetUseOidc(use bool)

type BaseCredentials

// BaseCredentials is the shared set of information all Credentials implementations require; concrete
// credential types embed it.
type BaseCredentials struct {
	// ConfigTypes is used to set the configuration types for services during authentication.
	ConfigTypes []string

	// Headers is a map of strings to string arrays of headers to send with auth requests (AddHeader and
	// AddJWT add to it). Values added via AddJWT are secrets and should not be logged.
	Headers *http.Header

	// EnvInfo is provided during authentication to set environmental information about the client.
	EnvInfo *rest_model.EnvInfo

	// SdkInfo is provided during authentication to set SDK information about the client.
	SdkInfo *rest_model.SdkInfo

	// CaPool will override the client's default certificate pool if set to a non-nil value. Whoever controls
	// this pool controls which controller certificates the client trusts, so it should only be populated
	// from a verified source (see NewClientApiClient / NewManagementApiClient).
	CaPool *x509.CertPool
}

BaseCredentials is a shared struct of information all Credentials implementations require.

func (*BaseCredentials) AddHeader added in v0.20.20

func (c *BaseCredentials) AddHeader(key, value string)

AddHeader provides a base implementation to add a header to the request.

func (*BaseCredentials) AddJWT added in v0.20.50

func (c *BaseCredentials) AddJWT(token string)

AddJWT adds additional JWTs to the credentials. Used to satisfy secondary authentication/MFA requirements. The provided token should be the base64 encoded (compact serialized) form of the token. This is a convenience wrapper around AddHeader.

func (*BaseCredentials) AuthenticateRequest

func (c *BaseCredentials) AuthenticateRequest(request runtime.ClientRequest, _ strfmt.Registry) error

AuthenticateRequest provides a base implementation to authenticate an outgoing request. This is provided here for authentication methods such as `cert` which do not have to provide any more request level information.

func (*BaseCredentials) GetCaPool

func (c *BaseCredentials) GetCaPool() *x509.CertPool

GetCaPool provides a base implementation to return the certificate pool of a Credentials instance.

func (*BaseCredentials) Payload

func (c *BaseCredentials) Payload() *rest_model.Authenticate

Payload will produce the object used to construct the body of an authentication request. The base version sets the shared information available in BaseCredentials.

func (*BaseCredentials) TlsCerts

func (c *BaseCredentials) TlsCerts() []tls.Certificate

TlsCerts provides a base implementation of returning the tls.Certificate array that will be used to setup mTLS connections. This is provided here for authentication methods that do not initially require mTLS (e.g. JWTs).

type CertCredentials

// CertCredentials authenticates with certificates that do not come from an Identity configuration file.
type CertCredentials struct {
	BaseCredentials
	// Certs is the client certificate chain: index zero is the leaf client certificate that pairs with Key and
	// the remaining certificates are its supporting chain (see NewCertCredentials).
	Certs []*x509.Certificate
	// Key is the private key paired with Certs[0].
	Key   crypto.PrivateKey
}

CertCredentials represents authentication using certificates that are not from an Identity configuration file.

func NewCertCredentials

func NewCertCredentials(certs []*x509.Certificate, key crypto.PrivateKey) *CertCredentials

NewCertCredentials creates Credentials instance based upon an array of certificates. At least one certificate must be provided and the certificate at index zero is assumed to be the leaf client certificate that pairs with the provided private key. All other certificates are assumed to support the leaf client certificate as a chain.

func (*CertCredentials) GetIdentity

func (c *CertCredentials) GetIdentity() identity.Identity

func (*CertCredentials) Method

func (c *CertCredentials) Method() string

func (*CertCredentials) TlsCerts

func (c *CertCredentials) TlsCerts() []tls.Certificate

type ClientApiClient

type ClientApiClient struct {
	BaseClient[ZitiEdgeClient]
}

func NewClientApiClient

func NewClientApiClient(apiUrl *url.URL, caPool *x509.CertPool, totpCallback func(chan string)) *ClientApiClient

NewClientApiClient will assemble a ClientApiClient. The apiUrl should be the full URL to the Edge Client API (e.g. `https://example.com/edge/client/v1`).

The `caPool` argument should be a pool of trusted root CAs. If `nil` is provided, unauthenticated requests will use the system certificate pool. Once authentication occurs, if a certificate pool is set on the Credentials, that pool will be used from that point forward. Credentials implementations based on an identity.Identity are likely to provide a certificate pool.

For OpenZiti instances not using publicly signed certificates, `ziti.GetControllerWellKnownCaPool()` can be used to obtain and verify the target controller's CAs. Tools should allow users to verify and accept new controllers whose CAs have not been verified against an outside secret (such as an enrollment token).

type Components

// Components groups the lower level pieces used to assemble go-swagger/openapi clients. They reference each
// other, so they are set, moved and managed as a set (NewComponents builds a fresh set).
type Components struct {
	// Runtime is the openapi client runtime; presumably built on HttpClient.
	Runtime       *openapiclient.Runtime
	// HttpClient is the http.Client used for requests; presumably configured with HttpTransport.
	HttpClient    *http.Client
	// HttpTransport is the transport for HttpClient; its TLS trust is presumably derived from CaPool.
	HttpTransport *http.Transport
	// CaPool is the set of CAs trusted when verifying the controller's certificate.
	CaPool        *x509.CertPool
}

Components provides the basic shared lower level pieces used to assemble go-swagger/openapi clients. These components are interconnected and have references to each other. This struct is used to set, move, and manage them as a set.

func NewComponents

func NewComponents(api *url.URL, schemes []string) *Components

NewComponents assembles a new set of components with reasonable production defaults.

type Credentials

// Credentials is the minimal information needed, across all authentication mechanisms, to authenticate an
// identity to an OpenZiti network.
type Credentials interface {
	// Payload constructs the object that represents the JSON authentication payload for this set of credentials.
	Payload() *rest_model.Authenticate

	// TlsCerts returns zero or more tls.Certificates used for client (mTLS) authentication; an empty result
	// means no client certificate is presented (e.g. JWT based credentials).
	TlsCerts() []tls.Certificate

	// GetCaPool returns the CA pool that this credential was configured to trust, or nil to leave the client's
	// current pool in place.
	GetCaPool() *x509.CertPool

	// Method returns the name of the authentication method (e.g. `cert`) used to complete an authentication request.
	Method() string

	// AddHeader adds a header to authentication requests.
	AddHeader(key, value string)

	// AddJWT adds additional JWTs to the credentials. Used to satisfy secondary authentication/MFA requirements. The
	// provided token should be the base64 encoded (compact serialized) version of the token.
	AddJWT(string)

	// ClientAuthInfoWriter is used to pass a Credentials instance to the openapi runtime to authenticate outgoing
	// requests.
	runtime.ClientAuthInfoWriter
}

Credentials represents the minimal information needed across all authentication mechanisms to authenticate an identity to an OpenZiti network.

type IdentityCredentials

type IdentityCredentials struct {
	BaseCredentials
	Identity identity.Identity
}

func NewIdentityCredentials

func NewIdentityCredentials(identity identity.Identity) *IdentityCredentials

NewIdentityCredentials creates a Credentials instance based upon an Identity.

func NewIdentityCredentialsFromConfig

func NewIdentityCredentialsFromConfig(config identity.Config) *IdentityCredentials

NewIdentityCredentialsFromConfig creates a Credentials instance based upon an Identity configuration.

func (*IdentityCredentials) AuthenticateRequest added in v0.20.20

func (c *IdentityCredentials) AuthenticateRequest(request runtime.ClientRequest, reg strfmt.Registry) error

func (*IdentityCredentials) GetCaPool

func (c *IdentityCredentials) GetCaPool() *x509.CertPool

func (*IdentityCredentials) GetIdentity

func (c *IdentityCredentials) GetIdentity() identity.Identity

func (*IdentityCredentials) Method

func (c *IdentityCredentials) Method() string

func (*IdentityCredentials) TlsCerts

func (c *IdentityCredentials) TlsCerts() []tls.Certificate

type IdentityProvider

// IdentityProvider is a sentinel interface used to detect Credentials that are backed by an Identity.
type IdentityProvider interface {
	// GetIdentity returns the identity.Identity backing the Credentials; it supplies the certificate and
	// private key used to initiate mTLS connections.
	GetIdentity() identity.Identity
}

IdentityProvider is a sentinel interface used to determine whether the backing Credentials instance can provide an Identity that can provide a certificate and private key used to initiate mTLS connections.

type JwtCredentials

// JwtCredentials authenticates with a JWT obtained from an outside system (see NewJwtCredentials).
type JwtCredentials struct {
	BaseCredentials
	// JWT is the externally issued token. It is a bearer secret: do not log it or include it in error messages.
	JWT                string
	// SendOnEveryRequest presumably controls whether the JWT is attached to every outgoing request rather
	// than only the authentication request — inferred from the name; confirm against AuthenticateRequest.
	SendOnEveryRequest bool
}

func NewJwtCredentials

func NewJwtCredentials(jwt string) *JwtCredentials

NewJwtCredentials creates a Credentials instance based on a JWT obtained from an outside system.

func (*JwtCredentials) AuthenticateRequest

func (c *JwtCredentials) AuthenticateRequest(request runtime.ClientRequest, reg strfmt.Registry) error

func (*JwtCredentials) Method

func (c *JwtCredentials) Method() string

type ManagementApiClient

type ManagementApiClient struct {
	BaseClient[ZitiEdgeManagement]
}

ManagementApiClient provides the ability to authenticate and interact with the Edge Management API.

func NewManagementApiClient

func NewManagementApiClient(apiUrl *url.URL, caPool *x509.CertPool, totpCallback func(chan string)) *ManagementApiClient

NewManagementApiClient will assemble a ManagementApiClient. The apiUrl should be the full URL to the Edge Management API (e.g. `https://example.com/edge/management/v1`).

The `caPool` argument should be a pool of trusted root CAs. If `nil` is provided, unauthenticated requests will use the system certificate pool. Once authentication occurs, if a certificate pool is set on the Credentials, that pool will be used from that point forward. Credentials implementations based on an identity.Identity are likely to provide a certificate pool.

For OpenZiti instances not using publicly signed certificates, `ziti.GetControllerWellKnownCaPool()` can be used to obtain and verify the target controller's CAs. Tools should allow users to verify and accept new controllers whose CAs have not been verified against an outside secret (such as an enrollment token).

type OidcEnabledApi added in v0.23.2

// OidcEnabledApi is a sentinel interface for APIs whose authentication mode can be switched to OIDC.
type OidcEnabledApi interface {
	// SetUseOidc selects the OIDC authentication flow when use is true — presumably the legacy `zt-session`
	// flow otherwise; confirm against BaseClient.SetUseOidc.
	SetUseOidc(use bool)
}

type ServiceAccessClaims added in v0.22.6

// ServiceAccessClaims are JWT claims; nothing on this page references the type, so they are presumably the
// claims of a service access token — confirm against the consumer. The json tags give the claim names.
type ServiceAccessClaims struct {
	jwt.RegisteredClaims
	ApiSessionId string `json:"z_asid"`
	IdentityId   string `json:"z_iid"`
	TokenType    string `json:"z_t"`
	Type         string `json:"z_st"`
}

type UpdbCredentials

// UpdbCredentials authenticates with a username/password combination (see NewUpdbCredentials).
type UpdbCredentials struct {
	BaseCredentials
	// Username is the user name sent in the authentication payload (see Payload).
	Username string
	// Password is held in memory as a plain string for the lifetime of the credentials and is sent in the
	// authentication payload (see Payload). Do not log or serialize this struct.
	Password string
}

func NewUpdbCredentials

func NewUpdbCredentials(username string, password string) *UpdbCredentials

NewUpdbCredentials creates a Credentials instance based on a username/password combination.

func (*UpdbCredentials) AuthenticateRequest added in v0.20.20

func (c *UpdbCredentials) AuthenticateRequest(request runtime.ClientRequest, reg strfmt.Registry) error

func (*UpdbCredentials) Method

func (c *UpdbCredentials) Method() string

func (*UpdbCredentials) Payload

func (c *UpdbCredentials) Payload() *rest_model.Authenticate

type ZitiEdgeClient

// ZitiEdgeClient wraps the go-swagger generated Edge Client API client so this package can add the
// behaviour needed to implement AuthEnabledApi.
type ZitiEdgeClient struct {
	*rest_client_api_client.ZitiEdgeClient

	// TotpCallback is presumably invoked when authentication signals that a TOTP code is required (see
	// TotpRequiredHeader); it is supplied via the totpCallback argument of NewClientApiClient — confirm in Authenticate.
	TotpCallback func(chan string)
	// contains filtered or unexported fields
}

ZitiEdgeClient wraps the go-swagger generated client so that this package can add functionality to the wrapper type and implement the AuthEnabledApi interface.

func (*ZitiEdgeClient) Authenticate

func (self *ZitiEdgeClient) Authenticate(credentials Credentials, configTypes []string, httpClient *http.Client) (ApiSession, error)

func (*ZitiEdgeClient) ExchangeTokens added in v0.22.6

func (self *ZitiEdgeClient) ExchangeTokens(curTokens *oidc.Tokens[*oidc.IDTokenClaims]) (*oidc.Tokens[*oidc.IDTokenClaims], error)

func (*ZitiEdgeClient) RefreshApiSession added in v0.22.6

func (self *ZitiEdgeClient) RefreshApiSession(apiSession ApiSession) (ApiSession, error)

func (*ZitiEdgeClient) SetUseOidc added in v0.22.6

func (self *ZitiEdgeClient) SetUseOidc(use bool)

type ZitiEdgeManagement

// ZitiEdgeManagement wraps the go-swagger generated Edge Management API client so this package can add
// the behaviour needed to implement AuthEnabledApi.
type ZitiEdgeManagement struct {
	*rest_management_api_client.ZitiEdgeManagement

	// TotpCallback is presumably invoked when authentication signals that a TOTP code is required (see
	// TotpRequiredHeader); it is supplied via the totpCallback argument of NewManagementApiClient — confirm in Authenticate.
	TotpCallback func(chan string)
	// contains filtered or unexported fields
}

ZitiEdgeManagement wraps the go-swagger generated client so that this package can add functionality to the wrapper type and implement the AuthEnabledApi interface.

func (*ZitiEdgeManagement) Authenticate

func (self *ZitiEdgeManagement) Authenticate(credentials Credentials, configTypes []string, httpClient *http.Client) (ApiSession, error)

func (*ZitiEdgeManagement) ExchangeTokens added in v0.22.6

func (self *ZitiEdgeManagement) ExchangeTokens(curTokens *oidc.Tokens[*oidc.IDTokenClaims]) (*oidc.Tokens[*oidc.IDTokenClaims], error)

func (*ZitiEdgeManagement) RefreshApiSession added in v0.22.6

func (self *ZitiEdgeManagement) RefreshApiSession(apiSession ApiSession) (ApiSession, error)

func (*ZitiEdgeManagement) SetUseOidc added in v0.22.6

func (self *ZitiEdgeManagement) SetUseOidc(use bool)
