Merge branch 'main' into fix.2354.auth.query.support.oidc

openziti · Oct 4, 2024 · c2a62c9 · c2a62c9
2 parents d0e0c60 + 7849e06
commit c2a62c9
Show file tree

Hide file tree

Showing 42 changed files with 328 additions and 160 deletions.
diff --git a/.github/workflows/release-quickstart.yml b/.github/workflows/release-quickstart.yml
@@ -12,22 +12,26 @@ on:
 jobs:
   release-quickstart:
     name: Release Quickstart Job
-    # this is only run on the official upstream repo when a PR is merged to the default branch "main" or a release tag
-    # is pushed; merges to main trigger a quickstart release with a commit SHA suffix featuring the previous ziti binary
-    # release version, whereas release tag pushes trigger a quickstart release with the same tag name and the same ziti
-    # binary release version
-    if: github.repository_owner == 'openziti' 
-      && (
-        startsWith(github.ref_name, 'v')
-        || (github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'quickstartrelease'))
+    # this is only run on the official upstream repo when a PR is merged to the
+    # default branch "main" or a release tag is pushed or for the same
+    # conditions in a repo fork that overrides the container image repo to push
+    # to; merges to main trigger a quickstart release with a commit SHA suffix
+    # featuring the previous ziti binary release version, whereas release tag
+    # pushes trigger a quickstart release with the same tag name and the same
+    # ziti binary release version
+    if: (github.repository_owner == 'openziti' || vars.ZITI_QUICKSTART_IMAGE != '') && (
+        startsWith(github.ref_name, 'v') || (
+          github.event.pull_request.merged == true 
+          && contains(github.event.pull_request.labels.*.name, 'quickstartrelease')
+        )
       )
     runs-on: ubuntu-latest
     env:
       ZITI_QUICKSTART_IMAGE: ${{ vars.ZITI_QUICKSTART_IMAGE || 'docker.io/openziti/quickstart' }}
       # use github.ref, not github.head_ref, because this workflow should only run on merged PRs in the target/base
       # branch context, not the PR source branch
       GITHUB_REF:            ${{ github.ref }}
-      # user github.sha, not github.pull_request.head.sha, because this workflow should only run on merged PRs in the
+      # use github.sha, not github.pull_request.head.sha, because this workflow should only run on merged PRs in the
       # target/base branch, not the PR source branch
       GITHUB_SHA:            ${{ github.sha }}
     steps:
@@ -89,32 +93,32 @@ jobs:
 
           if [[ "${GITHUB_REF_NAME}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
             # Set output parameters for release tags
-            echo QUICKSTART_VERSION="${GITHUB_REF_NAME}" | tee -a $GITHUB_OUTPUT
+            QUICKSTART_VERSION="${GITHUB_REF_NAME}"
 
           elif [[ "${GITHUB_REF_NAME}" =~ ^main$ ]]; then
             # compute the latest release version to install in the quickstart image
             QUICKSTART_VERSION="$($(go env GOPATH)/bin/ziti-ci -q get-current-version ${ZITI_BASE_VERSION:+--base-version $ZITI_BASE_VERSION})"
-
-            # drop the leading 'v', if any
-            QUICKSTART_VERSION=${QUICKSTART_VERSION#v}
-
             validateSemver "${QUICKSTART_VERSION}"
 
             # Append short SHA to identify quickstart docker images shipped on merge to main
             QUICKSTART_VERSION="${QUICKSTART_VERSION}-$(git rev-parse --short ${GITHUB_SHA})"
 
-            echo QUICKSTART_VERSION="${QUICKSTART_VERSION}" | tee -a $GITHUB_OUTPUT
-
           else
             echo "ERROR: Unexpected GITHUB_REF_NAME=${GITHUB_REF_NAME}" >&2
             exit 1
           fi
 
-          # configure the env var used by the quickstart's Dockerfile to download the correct version of ziti for the
-          # target architecture of each image build by trimming the hyphenated short sha suffix so that the preceding
-          # release version of the ziti executable is installed in the quickstart container image
-          ZITI_OVERRIDE_VERSION=${QUICKSTART_VERSION%-*}
-          echo ZITI_OVERRIDE_VERSION="${ZITI_OVERRIDE_VERSION}" | tee -a $GITHUB_OUTPUT
+          # configure the env var used by the quickstart's Dockerfile to
+          # download the correct version of ziti for the target architecture of
+          # each image build by trimming the hyphenated short sha suffix so that
+          # the preceding release version of the ziti executable is installed in
+          # the quickstart container image; ensure the QUICKSTART_VERSION
+          # (container image tag) does not have a leading 'v' and the
+          # ZITI_VERSION_OVERRIDE (GitHub tag ref) does have a leading 'v'
+
+          QUICKSTART_VERSION="${QUICKSTART_VERSION#v}"
+          echo QUICKSTART_VERSION="${QUICKSTART_VERSION}" | tee -a $GITHUB_OUTPUT
+          echo ZITI_VERSION_OVERRIDE=v${QUICKSTART_VERSION%-*} | tee -a $GITHUB_OUTPUT
 
       # container image tag :latest is published on merge to default branch "main" and on release tags
       - name: Configure Quickstart Container
@@ -137,6 +141,8 @@ jobs:
           tags: ${{ steps.tagprep_qs.outputs.DOCKER_TAGS }}
           build-args: |
             ZITI_VERSION_OVERRIDE=${{ steps.get_version.outputs.ZITI_VERSION_OVERRIDE }}
+            GITHUB_REPO_OWNER=${{ github.repository_owner }}
+            GITHUB_REPO_NAME=${{ github.event.repository.name }}
           push: true
 
       - name: Configure Python
@@ -146,6 +152,7 @@ jobs:
           python --version
         
       - name: Deploy the CloudFront Function for get.openziti.io
+        if: github.repository_owner == 'openziti'
         shell: bash
         run: python ./dist/cloudfront/get.openziti.io/deploy-cloudfront-function.py
         env:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -38,8 +38,8 @@ jobs:
         shell: bash
         run: |
           go install github.com/mitchellh/gox@latest
-          $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=darwin -arch=amd64 -output=$GOX_OUTPUT ./...
-          $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=darwin -arch=arm64 -output=$GOX_OUTPUT ./...
+          $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=darwin -arch=amd64 -output=$GOX_OUTPUT ./ziti/
+          $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=darwin -arch=arm64 -output=$GOX_OUTPUT ./ziti/
 
       - name: Upload artifacts
         uses: actions/upload-artifact@v4
@@ -71,7 +71,7 @@ jobs:
         shell: bash
         run: |
           go install github.com/mitchellh/gox@latest
-          $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=windows -arch=amd64 -output=$GOX_OUTPUT ./...
+          $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=windows -arch=amd64 -output=$GOX_OUTPUT ./ziti/
 
       - name: Upload artifacts
         uses: actions/upload-artifact@v4
@@ -105,11 +105,11 @@ jobs:
           $(go env GOPATH)/bin/ziti-ci configure-git
           go install github.com/mitchellh/gox@latest
           $(go env GOPATH)/bin/ziti-ci -t go-build-flags
-          $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=linux -arch=amd64 -output=$GOX_OUTPUT ./...
+          $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=linux -arch=amd64 -output=$GOX_OUTPUT ./ziti/
           CC=arm-linux-gnueabihf-gcc \
-          $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=linux -arch=arm -output=$GOX_OUTPUT ./...
+          $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=linux -arch=arm -output=$GOX_OUTPUT ./ziti/
           CC=aarch64-linux-gnu-gcc \
-          $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=linux -arch=arm64 -output=$GOX_OUTPUT ./...
+          $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -t go-build-flags)" -cgo -os=linux -arch=arm64 -output=$GOX_OUTPUT ./ziti/
 
       - name: Upload artifacts
         uses: actions/upload-artifact@v4
@@ -228,6 +228,10 @@ jobs:
         shell: bash
         run: |
           $(go env GOPATH)/bin/ziti-ci configure-git
+          $(go env GOPATH)/bin/ziti-ci publish-to-github -t --prerelease --archive-base "" --dry-run
+          mkdir tmp
+          tar xfzv ./release/ziti-linux-amd64-* -C ./tmp
+          $(go env GOPATH)/bin/ziti-ci verify-current-version -t $(./tmp/ziti version)
           $(go env GOPATH)/bin/ziti-ci publish-to-github -t --prerelease --archive-base ""
 
       # only ziti-ci computed version for release branches and {version}-{run_id} for non-release branches

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,56 @@
+# Release 1.1.15
+
+## What's New
+
+* Bug fixes, enhancements and continuing progress on controller HA
+
+## Component Updates and Bug Fixes
+
+* github.com/openziti/channel/v3: [v3.0.3 -> v3.0.5](https://github.com/openziti/channel/compare/v3.0.3...v3.0.5)
+    * [Issue #146](https://github.com/openziti/channel/issues/146) - Transport options aren't being set in dialer
+    * [Issue #144](https://github.com/openziti/channel/issues/144) - Add ReadAdapter utility
+
+* github.com/openziti/edge-api: [v0.26.31 -> v0.26.32](https://github.com/openziti/edge-api/compare/v0.26.31...v0.26.32)
+* github.com/openziti/sdk-golang: [v0.23.42 -> v0.23.43](https://github.com/openziti/sdk-golang/compare/v0.23.42...v0.23.43)
+    * [Issue #629](https://github.com/openziti/sdk-golang/issues/629) - JWT session refresh interprets expiration date incorrectly
+
+* github.com/openziti/secretstream: [v0.1.24 -> v0.1.25](https://github.com/openziti/secretstream/compare/v0.1.24...v0.1.25)
+* github.com/openziti/ziti: [v1.1.14 -> v1.1.15](https://github.com/openziti/ziti/compare/v1.1.14...v1.1.15)
+    * [Issue #2460](https://github.com/openziti/ziti/issues/2460) - Panic on JWT token refresh
+
+# Release 1.1.14
+
+## What's New
+
+* Bug fixes, enhancements and continuing progress on controller HA
+
+## Component Updates and Bug Fixes
+
+* github.com/openziti/edge-api: [v0.26.30 -> v0.26.31](https://github.com/openziti/edge-api/compare/v0.26.30...v0.26.31)
+* github.com/openziti/jwks: [v1.0.5 -> v1.0.6](https://github.com/openziti/jwks/compare/v1.0.5...v1.0.6)
+* github.com/openziti/ziti: [v1.1.13 -> v1.1.14](https://github.com/openziti/ziti/compare/v1.1.13...v1.1.14)
+    * [Issue #2119](https://github.com/openziti/ziti/issues/2119) - Add authentication events
+    * [Issue #2424](https://github.com/openziti/ziti/issues/2424) - Enabling any health check causes WARNING to be logged
+    * [Issue #2454](https://github.com/openziti/ziti/issues/2454) - Fix release archive
+    * [Issue #1479](https://github.com/openziti/ziti/issues/1479) - ziti edge list ... show paginated output but no suggestions on how to go to next page
+    * [Issue #1420](https://github.com/openziti/ziti/issues/1420) - ziti-cli comma+space causes unhelpful error
+    * [Issue #2207](https://github.com/openziti/ziti/issues/2207) - ziti edge login --token -- gets "username and password fields are required"
+    * [Issue #2444](https://github.com/openziti/ziti/issues/2444) - Change default semantic for policies created from the CLI from AllOf to AnyOf
+
+* github.com/openziti/xweb/v2: [v2.1.2 -> v2.1.3](https://github.com/openziti/xweb/compare/v2.1.2...v2.1.3)
+  * [Issue #2454](https://github.com/openziti/ziti/issues/2454) - Fix release archive
+  * [Issue #2429](https://github.com/openziti/ziti/issues/2429) - Controller configurations without default Edge API binding panics 
+* github.com/openziti/ziti: [v1.1.12 -> v1.1.13](https://github.com/openziti/ziti/compare/v1.1.12...v1.1.13)
+  * [Issue #2427](https://github.com/openziti/ziti/issues/2427) - Add low overhead xgress protocol for DTLS links
+  * [Issue #2422](https://github.com/openziti/ziti/issues/2422) - Busy first hop links should backpressure to xgress senders
+  * support using "\*" in host.v1/host.v2 allowedAddresses
+
+
+# Release 1.1.13
+
+This release will not be promoted, as a test binary was unintentionally released in the release archives.
+
+
 # Release 1.1.12
 
 ## What's New

diff --git a/controller/env/appenv.go b/controller/env/appenv.go
@@ -258,6 +258,10 @@ func (ae *AppEnv) GetManagers() *model.Managers {
 	return ae.Managers
 }
 
+func (ae *AppEnv) GetEventDispatcher() event.Dispatcher {
+	return ae.HostController.GetEventDispatcher()
+}
+
 func (ae *AppEnv) GetConfig() *config.Config {
 	return ae.HostController.GetConfig()
 }

diff --git a/controller/event/api_session.go b/controller/event/api_session.go
@@ -23,12 +23,18 @@ import (
 
 const ApiSessionEventTypeCreated = "created"
 const ApiSessionEventTypeDeleted = "deleted"
+const ApiSessionEventTypeRefreshed = "refreshed"
+const ApiSessionEventTypeExchanged = "exchanged"
 const ApiSessionEventNS = "edge.apiSessions"
 
+const ApiSessionTypeLegacy = "legacy"
+const ApiSessionTypeJwt = "jwt"
+
 type ApiSessionEvent struct {
 	Namespace  string    `json:"namespace"`
 	EventType  string    `json:"event_type"`
 	Id         string    `json:"id"`
+	Type       string    `json:"type"`
 	Timestamp  time.Time `json:"timestamp"`
 	Token      string    `json:"token"`
 	IdentityId string    `json:"identity_id"`

diff --git a/controller/event/dispatcher.go b/controller/event/dispatcher.go
@@ -124,6 +124,7 @@ type Dispatcher interface {
 	AddEntityCountEventHandler(handler EntityCountEventHandler, interval time.Duration, onlyLeaderEvents bool)
 	RemoveEntityCountEventHandler(handler EntityCountEventHandler)
 
+	ApiSessionEventHandler
 	CircuitEventHandler
 	EntityChangeEventHandler
 	LinkEventHandler

diff --git a/controller/event/dispatcher_mock.go b/controller/event/dispatcher_mock.go
@@ -27,6 +27,8 @@ var _ Dispatcher = DispatcherMock{}
 
 type DispatcherMock struct{}
 
+func (d DispatcherMock) AcceptApiSessionEvent(event *ApiSessionEvent) {}
+
 func (d DispatcherMock) AddApiSessionEventHandler(handler ApiSessionEventHandler) {}
 
 func (d DispatcherMock) RemoveApiSessionEventHandler(handler ApiSessionEventHandler) {}

diff --git a/controller/events/dispatcher_api_session.go b/controller/events/dispatcher_api_session.go
@@ -48,36 +48,40 @@ func (self *Dispatcher) initApiSessionEvents(stores *db.Stores) {
 	stores.ApiSession.AddEntityEventListenerF(self.apiSessionDeleted, boltz.EntityDeleted)
 }
 
+func (self *Dispatcher) AcceptApiSessionEvent(evt *event.ApiSessionEvent) {
+	for _, handler := range self.apiSessionEventHandlers.Value() {
+		go handler.AcceptApiSessionEvent(evt)
+	}
+}
+
 func (self *Dispatcher) apiSessionCreated(apiSession *db.ApiSession) {
-	event := &event.ApiSessionEvent{
+	evt := &event.ApiSessionEvent{
 		Namespace:  event.ApiSessionEventNS,
 		EventType:  event.ApiSessionEventTypeCreated,
 		Id:         apiSession.Id,
+		Type:       event.ApiSessionTypeLegacy,
 		Timestamp:  time.Now(),
 		Token:      apiSession.Token,
 		IdentityId: apiSession.IdentityId,
 		IpAddress:  apiSession.IPAddress,
 	}
 
-	for _, handler := range self.apiSessionEventHandlers.Value() {
-		go handler.AcceptApiSessionEvent(event)
-	}
+	self.AcceptApiSessionEvent(evt)
 }
 
 func (self *Dispatcher) apiSessionDeleted(apiSession *db.ApiSession) {
-	event := &event.ApiSessionEvent{
+	evt := &event.ApiSessionEvent{
 		Namespace:  event.ApiSessionEventNS,
 		EventType:  event.ApiSessionEventTypeDeleted,
 		Id:         apiSession.Id,
+		Type:       event.ApiSessionTypeLegacy,
 		Timestamp:  time.Now(),
 		Token:      apiSession.Token,
 		IdentityId: apiSession.IdentityId,
 		IpAddress:  apiSession.IPAddress,
 	}
 
-	for _, handler := range self.apiSessionEventHandlers.Value() {
-		go handler.AcceptApiSessionEvent(event)
-	}
+	self.AcceptApiSessionEvent(evt)
 }
 
 func (self *Dispatcher) registerApiSessionEventHandler(val interface{}, config map[string]interface{}) error {

diff --git a/controller/model/authenticator_mod_ext_jwt.go b/controller/model/authenticator_mod_ext_jwt.go
@@ -185,7 +185,9 @@ func (r *signerRecord) Resolve(force bool) error {
 		for _, key := range jwksResponse.Keys {
 			//if we have an x509chain the first must be the signing key
 			if len(key.X509Chain) != 0 {
-				x509Der, err := base64.RawURLEncoding.DecodeString(key.X509Chain[0])
+				// x5c is the only attribute with padding according to
+				// RFC 7517 Section-4.7 "x5c" (X.509 Certificate Chain) Parameter
+				x509Der, err := base64.StdEncoding.DecodeString(key.X509Chain[0])
 
 				if err != nil {
 					return fmt.Errorf("could not parse JWKS keys: %v", err)

diff --git a/controller/model/env.go b/controller/model/env.go
@@ -34,6 +34,7 @@ import (
 type Env interface {
 	GetCommandDispatcher() command.Dispatcher
 	GetManagers() *Managers
+	GetEventDispatcher() event.Dispatcher
 	GetConfig() *config.Config
 	GetDb() boltz.Db
 	GetStores() *db.Stores

diff --git a/controller/model/testing.go b/controller/model/testing.go
@@ -51,6 +51,10 @@ type TestContext struct {
 	dispatcher      command.Dispatcher
 }
 
+func (ctx *TestContext) GetEventDispatcher() event.Dispatcher {
+	panic("implement me")
+}
+
 func (self *TestContext) GetCloseNotifyChannel() <-chan struct{} {
 	return self.closeNotify
 }