ziti

package
v0.20.6 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 4, 2023 License: Apache-2.0 Imports: 54 Imported by: 93

Documentation

Overview

Package ziti provides methods for loading ziti contexts from identity JSON files Identity files specifies in `ZITI_IDENTITIES` environment variable (semicolon separates) are loaded automatically at startup

Index

Constants

View Source 
const (
	PrecedenceDefault  Precedence = 0
	PrecedenceRequired Precedence = 1
	PrecedenceFailed   Precedence = 2

	PrecedenceDefaultLabel  = string(rest_model.TerminatorPrecedenceDefault)
	PrecedenceRequiredLabel = string(rest_model.TerminatorPrecedenceRequired)
	PrecedenceFailedLabel   = string(rest_model.TerminatorPrecedenceFailed)
)
View Source 
const (
	LatencyCheckInterval = 30 * time.Second
	LatencyCheckTimeout  = 10 * time.Second

	ClientConfigV1 = "ziti-tunneler-client.v1"
	InterceptV1    = "intercept.v1"

	SessionDial = rest_model.DialBindDial
	SessionBind = rest_model.DialBindBind
)

Variables

View Source 
var DefaultOptions = &Options{
	RefreshInterval: 5 * time.Minute,
	OnServiceUpdate: nil,
}
View Source 
var EnrollUrl, _ = url.Parse("/edge/client/v1/enroll")

Functions

func ForAllContexts added in v0.17.0 

func ForAllContexts(f func(ctx Context) bool)

ForAllContexts iterates over all Ziti contexts loaded from ZITI_IDENTITIES environment variable, or with LoadContext() call

func GetControllerWellKnownCaPool added in v0.20.0 

func GetControllerWellKnownCaPool(controllerAddr string) (*x509.CertPool, error)

GetControllerWellKnownCaPool will return a x509.CertPool. The target controller will not be verified via TLS and must be verified by some other means (i.e enrollment JWT token).

Types

type Config added in v0.20.0 

type Config struct {
	//ZtAPI should be in the form of https://<domain>[:<port>]/edge/client/v1
	ZtAPI string `json:"ztAPI"`

	//ConfigTypes is an array of string configuration types that will be requested from the controller
	//for services.
	ConfigTypes []string `json:"configTypes"`

	//The ID field allows configurations is maintained for backwards compatability with previous SDK versions.
	//If set, it will be used to set the Credentials field.
	ID identity.Config `json:"id"`

	//The Credentials field is used to authenticate with the Edge Client API. If the ID field is set, it will be used
	//to populate this field with credentials.
	Credentials apis.Credentials `json:"-"`
}

func NewConfig added in v0.20.0 

func NewConfig(ztApi string, idConfig identity.Config) *Config

func NewConfigFromFile added in v0.20.0 

func NewConfigFromFile(confFile string) (*Config, error)

type Context 

type Context interface {
	// Authenticate attempts to use credentials configured on the Context to perform authentication. The authentication
	// implementation used is configured via the Credentials field on an Option struct provided during Context
	// creation.
	Authenticate() error

	// SetCredentials sets the credentials used to authenticate against the Edge Client API.
	SetCredentials(authenticator apis.Credentials)

	// GetCredentials returns the currently set credentials used to authenticate against the Edge Client API.
	GetCredentials() apis.Credentials

	// GetCurrentIdentity returns the Edge API details of the currently authenticated identity.
	GetCurrentIdentity() (*rest_model.IdentityDetail, error)

	// Dial attempts to connect to a service using a given service name; authenticating as necessary in order to obtain
	// a service session, attach to Edge Routers, and connect to a service.
	Dial(serviceName string) (edge.Conn, error)

	// DialWithOptions performs the same logic as Dial but allows specification of DialOptions.
	DialWithOptions(serviceName string, options *DialOptions) (edge.Conn, error)

	// DialAddr finds the service for given address and performs a Dial for it.
	DialAddr(network string, addr string) (edge.Conn, error)

	// Listen attempts to host a service by the given service name;  authenticating as necessary in order to obtain
	// a service session, attach to Edge Routers, and bind (host) the service.
	Listen(serviceName string) (edge.Listener, error)

	// ListenWithOptions performs the same logic as Listen, but allows the specification of ListenOptions.
	ListenWithOptions(serviceName string, options *ListenOptions) (edge.Listener, error)

	// GetServiceId will return the id of a specific service by service name. If not found, false, will be returned
	// with an empty string.
	GetServiceId(serviceName string) (string, bool, error)

	// GetServices will return a slice of service details that the current authenticating identity can access for
	// dial (connect) or bind (host/listen).
	GetServices() ([]rest_model.ServiceDetail, error)

	// GetService will return the service details of a specific service by service name.
	GetService(serviceName string) (*rest_model.ServiceDetail, bool)

	// GetServiceForAddr finds the service with intercept that matches best to given address
	GetServiceForAddr(network, hostname string, port uint16) (*rest_model.ServiceDetail, int, error)

	// RefreshServices forces the context to refresh the list of services the current authenticating identity has access
	// to.
	RefreshServices() error

	// GetServiceTerminators will return a slice of rest_model.TerminatorClientDetail for a specific service name.
	// The offset and limit options can be used to page through excessive lists of items. A max of 500 is imposed on
	// limit.
	GetServiceTerminators(serviceName string, offset, limit int) ([]*rest_model.TerminatorClientDetail, int, error)

	// GetSession will return the session detail associated with a specific session id.
	GetSession(id string) (*rest_model.SessionDetail, error)

	// Metrics will return the current context's metrics Registry.
	Metrics() metrics.Registry

	// Close closes any connections open to edge routers
	Close()

	// AddZitiMfaHandler adds a Ziti MFA handler, invoked during authentication
	AddZitiMfaHandler(handler func(query *rest_model.AuthQueryDetail, resp func(code string) error) error)

	// EnrollZitiMfa will attempt to enable TOTP 2FA on the currently authenticating identity if not already enrolled.
	EnrollZitiMfa() (*rest_model.DetailMfa, error)

	// VerifyZitiMfa will attempt to complete enrollment of TOTP 2FA with the given code.
	VerifyZitiMfa(code string) error

	// RemoveZitiMfa will attempt to remove TOTP 2FA for the current identity
	RemoveZitiMfa(code string) error
}

Context is the main interface for SDK instances that may be used to authenticate, connect to services, or host services.

func LoadContext added in v0.17.0 

func LoadContext(configPath string) (Context, error)

LoadContext loads a configuration from the supplied path. The configuration specifies location of the controller's Edge Client API, the configuration types to request for services, and the identity configuration that specifies where the client certificate and private key are loaded from. See the [identity repository](https://githb.com/openziti/identity for more details.

Creating a Context using this function requires an identity configuration and only supports certificate based authentication. For other authentication flows see NewContext().

``` 

{
  "ztAPI": "https://ziti.controller.example.com/edge/client/v1",
  "configTypes": ["config1", "config2"],
  "id": { "cert": "...", "key": "..." },
}

```

func NewContext 

func NewContext(cfg *Config) (Context, error)

NewContext creates a Context from the supplied Config with the default options. See NewContextWithOpts().

func NewContextWithOpts added in v0.13.0 

func NewContextWithOpts(cfg *Config, options *Options) (Context, error)

NewContextWithOpts creates a Context from the supplied Config and Options. The configuration requires either the `ID` field or the `Credentials` field to be populated. If both are supplied the, the ID field is used.

type ContextDialer added in v0.17.0 

type ContextDialer interface {
	DialContext(ctx context.Context, network, address string) (net.Conn, error)
}

type ContextImpl added in v0.19.0 

type ContextImpl struct {
	CtrlClt *CtrlClient
	// contains filtered or unexported fields
}

func (*ContextImpl) AddZitiMfaHandler added in v0.19.0 

func (context *ContextImpl) AddZitiMfaHandler(handler func(query *rest_model.AuthQueryDetail, resp func(code string) error) error)

func (*ContextImpl) Authenticate added in v0.19.0 

func (context *ContextImpl) Authenticate() error

func (*ContextImpl) Close added in v0.19.0 

func (context *ContextImpl) Close()

func (*ContextImpl) Dial added in v0.19.0 

func (context *ContextImpl) Dial(serviceName string) (edge.Conn, error)

func (*ContextImpl) DialAddr added in v0.19.0 

func (context *ContextImpl) DialAddr(network string, addr string) (edge.Conn, error)

func (*ContextImpl) DialWithOptions added in v0.19.0 

func (context *ContextImpl) DialWithOptions(serviceName string, options *DialOptions) (edge.Conn, error)

func (*ContextImpl) EnrollZitiMfa added in v0.19.0 

func (context *ContextImpl) EnrollZitiMfa() (*rest_model.DetailMfa, error)

func (*ContextImpl) EnsureAuthenticated added in v0.19.0 

func (context *ContextImpl) EnsureAuthenticated(options edge.ConnOptions) error

func (*ContextImpl) GetCredentials added in v0.20.0 

func (context *ContextImpl) GetCredentials() apis.Credentials

func (*ContextImpl) GetCurrentIdentity added in v0.19.0 

func (context *ContextImpl) GetCurrentIdentity() (*rest_model.IdentityDetail, error)

func (*ContextImpl) GetService added in v0.19.0 

func (context *ContextImpl) GetService(name string) (*rest_model.ServiceDetail, bool)

func (*ContextImpl) GetServiceForAddr added in v0.19.0 

func (context *ContextImpl) GetServiceForAddr(network, hostname string, port uint16) (*rest_model.ServiceDetail, int, error)

GetServiceForAddr finds the service with intercept that matches best to given address

func (*ContextImpl) GetServiceId added in v0.19.0 

func (context *ContextImpl) GetServiceId(name string) (string, bool, error)

func (*ContextImpl) GetServiceTerminators added in v0.19.0 

func (context *ContextImpl) GetServiceTerminators(serviceName string, offset, limit int) ([]*rest_model.TerminatorClientDetail, int, error)

func (*ContextImpl) GetServices added in v0.19.0 

func (context *ContextImpl) GetServices() ([]rest_model.ServiceDetail, error)

func (*ContextImpl) GetSession added in v0.19.0 

func (context *ContextImpl) GetSession(serviceId string) (*rest_model.SessionDetail, error)

func (*ContextImpl) Listen added in v0.19.0 

func (context *ContextImpl) Listen(serviceName string) (edge.Listener, error)

func (*ContextImpl) ListenWithOptions added in v0.19.0 

func (context *ContextImpl) ListenWithOptions(serviceName string, options *ListenOptions) (edge.Listener, error)

func (*ContextImpl) Metrics added in v0.19.0 

func (context *ContextImpl) Metrics() metrics.Registry

func (*ContextImpl) OnClose added in v0.19.0 

func (context *ContextImpl) OnClose(factory edge.RouterConn)

func (*ContextImpl) RefreshServices added in v0.19.0 

func (context *ContextImpl) RefreshServices() error

func (*ContextImpl) RemoveZitiMfa added in v0.19.0 

func (context *ContextImpl) RemoveZitiMfa(code string) error

func (*ContextImpl) Sessions added in v0.19.0 

func (context *ContextImpl) Sessions() ([]*rest_model.SessionDetail, error)

func (*ContextImpl) SetCredentials added in v0.20.0 

func (context *ContextImpl) SetCredentials(credentials apis.Credentials)

func (*ContextImpl) VerifyZitiMfa added in v0.19.0 

func (context *ContextImpl) VerifyZitiMfa(code string) error

type CtrlClient added in v0.19.0 

type CtrlClient struct {
	*apis.ClientApiClient
	Credentials apis.Credentials

	ApiSessionCertificateDetail rest_model.CurrentAPISessionCertificateDetail
	ApiSessionCsr               x509.CertificateRequest
	ApiSessionCertificate       *x509.Certificate
	ApiSessionPrivateKey        *ecdsa.PrivateKey
	ApiSessionCertInstance      string

	PostureCache *posture.Cache
	// contains filtered or unexported fields
}

CtrlClient is a stateful version of ZitiEdgeClient that simplifies operations

func (*CtrlClient) Authenticate added in v0.19.0 

func (self *CtrlClient) Authenticate() (*rest_model.CurrentAPISessionDetail, error)

Authenticate attempts to use authenticate, overwriting any existing ApiSession.

func (*CtrlClient) AuthenticateMFA added in v0.19.0 

func (self *CtrlClient) AuthenticateMFA(code string) error

AuthenticateMFA handles MFA authentication queries may be provided. AuthenticateMFA allows the current identity for their current api session to attempt to pass MFA authentication.

func (*CtrlClient) CreateSession added in v0.19.0 

func (self *CtrlClient) CreateSession(id string, sessionType SessionType) (*rest_model.SessionDetail, error)

CreateSession will attempt to obtain a session token for a specific service id and type.

func (*CtrlClient) EnrollMfa added in v0.19.0 

func (self *CtrlClient) EnrollMfa() (*rest_model.DetailMfa, error)

EnrollMfa will attempt to start TOTP MFA enrollment for the currently authenticated identity.

func (*CtrlClient) EnsureApiSessionCertificate added in v0.19.0 

func (self *CtrlClient) EnsureApiSessionCertificate() error

EnsureApiSessionCertificate will create an ApiSessionCertificate if one does not already exist.

func (*CtrlClient) GetCurrentApiSession added in v0.19.0 

func (self *CtrlClient) GetCurrentApiSession() *rest_model.CurrentAPISessionDetail

GetCurrentApiSession returns the current cached ApiSession or nil

func (*CtrlClient) GetCurrentIdentity added in v0.19.0 

func (self *CtrlClient) GetCurrentIdentity() (*rest_model.IdentityDetail, error)

GetCurrentIdentity returns the rest_model.IdentityDetail for the currently authenticated ApiSession.

func (*CtrlClient) GetIdentity added in v0.19.0 

func (self *CtrlClient) GetIdentity() (identity.Identity, error)

GetIdentity returns the identity.Identity used to facilitate authentication. Each identity.Identity instance may provide authentication material in the form of x509 certificates and private keys and/or trusted CA pools.

func (*CtrlClient) GetServiceTerminators added in v0.19.0 

func (self *CtrlClient) GetServiceTerminators(svc *rest_model.ServiceDetail, offset int, limit int) ([]*rest_model.TerminatorClientDetail, int, error)

GetServiceTerminators returns the client terminator details for a specific service.

func (*CtrlClient) GetServices added in v0.19.0 

func (self *CtrlClient) GetServices() ([]*rest_model.ServiceDetail, error)

GetServices will fetch the list of services that the identity of the current ApiSession has access to for dialing or binding.

func (*CtrlClient) GetSession added in v0.19.0 

func (self *CtrlClient) GetSession(id string) (*rest_model.SessionDetail, error)

GetSession returns the full rest_model.SessionDetail for a specific id

func (*CtrlClient) IsServiceListUpdateAvailable added in v0.19.0 

func (self *CtrlClient) IsServiceListUpdateAvailable() (bool, error)

IsServiceListUpdateAvailable will contact the controller to determine if a new set of services are available. Service updates could entail gaining/losing services access via policy or runtime authorization revocation due to posture checks.

func (*CtrlClient) NewApiSessionCertificate added in v0.19.0 

func (self *CtrlClient) NewApiSessionCertificate() error

NewApiSessionCertificate will create a new ephemeral private key used to generate an ephemeral certificate that may be used with the current ApiSession. The generated certificate and private key are scoped to the ApiSession used to create it.

func (*CtrlClient) Refresh added in v0.19.0 

func (self *CtrlClient) Refresh() (*time.Time, error)

Refresh will contact the controller extending the current ApiSession

func (*CtrlClient) RemoveMfa added in v0.19.0 

func (self *CtrlClient) RemoveMfa(code string) error

RemoveMfa will remove the currently enrolled TOTP MFA added by EnrollMfa() and verified by VerifyMfa()

func (*CtrlClient) SendPostureResponse added in v0.19.0 

func (self *CtrlClient) SendPostureResponse(response rest_model.PostureResponseCreate) error

SendPostureResponse creates a posture response (some state data the controller has requested) for services. This information is used to determine runtime authorization access to services via posture checks.

func (*CtrlClient) SendPostureResponseBulk added in v0.19.0 

func (self *CtrlClient) SendPostureResponseBulk(responses []rest_model.PostureResponseCreate) error

SendPostureResponseBulk provides the same functionality as SendPostureResponse but allows multiple responses to be sent in a single request.

func (*CtrlClient) VerifyMfa added in v0.19.0 

func (self *CtrlClient) VerifyMfa(code string) error

VerifyMfa will complete a TOTP MFA enrollment created via EnrollMfa.

type DialOptions added in v0.13.47 

type DialOptions struct {
	ConnectTimeout time.Duration
	Identity       string
	AppData        []byte
}

func (DialOptions) GetConnectTimeout added in v0.13.47 

func (d DialOptions) GetConnectTimeout() time.Duration

type Dialer added in v0.17.0 

type Dialer interface {
	Dial(network, address string) (net.Conn, error)
}

func NewDialer added in v0.17.0 

func NewDialer() Dialer

func NewDialerWithFallback added in v0.17.0 

func NewDialerWithFallback(ctx context.Context, fallback Dialer) Dialer

type EnrollmentClaims added in v0.20.0 

type EnrollmentClaims struct {
	EnrollmentMethod string            `json:"em"`
	SignatureCert    *x509.Certificate `json:"-"`
	jwt.StandardClaims
}

func (*EnrollmentClaims) EnrolmentUrl added in v0.20.0 

func (t *EnrollmentClaims) EnrolmentUrl() string

func (*EnrollmentClaims) ToMapClaims added in v0.20.0 

func (t *EnrollmentClaims) ToMapClaims() (jwt.MapClaims, error)

func (*EnrollmentClaims) Valid added in v0.20.0 

func (t *EnrollmentClaims) Valid() error

type KeyAlgVar added in v0.20.0 

type KeyAlgVar string

func (*KeyAlgVar) EC added in v0.20.0 

func (f *KeyAlgVar) EC() bool

func (*KeyAlgVar) Get added in v0.20.0 

func (f *KeyAlgVar) Get() string

func (*KeyAlgVar) RSA added in v0.20.0 

func (f *KeyAlgVar) RSA() bool

func (*KeyAlgVar) Set added in v0.20.0 

func (f *KeyAlgVar) Set(value string) error

func (*KeyAlgVar) String added in v0.20.0 

func (f *KeyAlgVar) String() string

func (*KeyAlgVar) Type added in v0.20.0 

func (f *KeyAlgVar) Type() string

type ListenOptions added in v0.13.47 

type ListenOptions struct {
	Cost                  uint16
	Precedence            Precedence
	ConnectTimeout        time.Duration
	MaxConnections        int
	Identity              string
	BindUsingEdgeIdentity bool
	ManualStart           bool
}

func DefaultListenOptions added in v0.13.47 

func DefaultListenOptions() *ListenOptions

type Options added in v0.15.17 

type Options struct {
	RefreshInterval time.Duration
	OnContextReady  func(ctx Context)
	OnServiceUpdate serviceCB
}

type Precedence added in v0.13.47 

type Precedence byte

func GetPrecedenceForLabel added in v0.15.3 

func GetPrecedenceForLabel(p string) Precedence

func (Precedence) String added in v0.15.3 

func (p Precedence) String() string

type ServiceEventType added in v0.15.17 

type ServiceEventType string
const (
	ServiceAdded   ServiceEventType = "Added"
	ServiceRemoved ServiceEventType = "Removed"
	ServiceChanged ServiceEventType = "Changed"
)

type SessionType added in v0.19.0 

type SessionType rest_model.DialBind

type Versions added in v0.20.0 

type Versions struct {
	Api           string `json:"api"`
	EnrollmentApi string `json:"enrollmentApi"`
}

Source Files

View all Source files

Directories

Path Synopsis
network
posture

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.