Merge branch 'tag-based-releases' of github.com:openziti/ziti into ta…

…g-triggered-downstreams

.github/workflows/main.yml

@@ -56,9 +56,8 @@ jobs:
         shell: bash
         run: |
           go install github.com/mitchellh/gox@latest
-          $(go env GOPATH)/bin/ziti-ci generate-build-info common/version/info_generated.go version ${ZITI_BASE_VERSION:+--base-version $ZITI_BASE_VERSION}
-          $(go env GOPATH)/bin/gox -cgo -os=darwin -arch=amd64 -output=$GOX_OUTPUT ./...
-          $(go env GOPATH)/bin/gox -cgo -os=darwin -arch=arm64 -output=$GOX_OUTPUT ./...
+          $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -n go-build-flags)" -cgo -os=darwin -arch=amd64 -output=$GOX_OUTPUT ./...
+          $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -n go-build-flags)" -cgo -os=darwin -arch=arm64 -output=$GOX_OUTPUT ./...
 
       - name: Upload artifacts
         uses: actions/upload-artifact@v4
@@ -90,8 +89,7 @@ jobs:
         shell: bash
         run: |
           go install github.com/mitchellh/gox@latest
-          $(go env GOPATH)/bin/ziti-ci generate-build-info common/version/info_generated.go version ${ZITI_BASE_VERSION:+--base-version $ZITI_BASE_VERSION}
-          $(go env GOPATH)/bin/gox -cgo -os=windows -arch=amd64 -output=$GOX_OUTPUT ./...
+          $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -n go-build-flags)" -cgo -os=windows -arch=amd64 -output=$GOX_OUTPUT ./...
 
       - name: Upload artifacts
         uses: actions/upload-artifact@v4
@@ -125,9 +123,9 @@ jobs:
           $(go env GOPATH)/bin/ziti-ci configure-git
           $(go env GOPATH)/bin/ziti-ci generate-build-info common/version/info_generated.go version ${ZITI_BASE_VERSION:+--base-version $ZITI_BASE_VERSION}
           go install github.com/mitchellh/gox@latest
-          $(go env GOPATH)/bin/gox -cgo -os=linux -arch=amd64 -output=$GOX_OUTPUT ./...
-          CC=arm-linux-gnueabihf-gcc $(go env GOPATH)/bin/gox -cgo -os=linux -arch=arm -output=$GOX_OUTPUT ./...
-          CC=aarch64-linux-gnu-gcc   $(go env GOPATH)/bin/gox -cgo -os=linux -arch=arm64 -output=$GOX_OUTPUT ./...
+          $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -n go-build-flags)" -cgo -os=linux -arch=amd64 -output=$GOX_OUTPUT ./...
+          CC=arm-linux-gnueabihf-gcc $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -n go-build-flags)" -cgo -os=linux -arch=arm -output=$GOX_OUTPUT ./...
+          CC=aarch64-linux-gnu-gcc   $(go env GOPATH)/bin/gox -ldflags "$($(go env GOPATH)/bin/ziti-ci -q -n go-build-flags)" -cgo -os=linux -arch=arm64 -output=$GOX_OUTPUT ./...
 
       - name: Upload artifacts
         uses: actions/upload-artifact@v4

CHANGELOG.md

@@ -1,3 +1,25 @@
+# Release 1.1.4
+
+## What's New
+
+* Bug fixes
+
+## Component Updates and Bug Fixes 
+
+* github.com/openziti/channel/v2: [v2.0.130 -> v2.0.131](https://github.com/openziti/channel/compare/v2.0.130...v2.0.131)
+* github.com/openziti/edge-api: [v0.26.19 -> v0.26.20](https://github.com/openziti/edge-api/compare/v0.26.19...v0.26.20)
+    * [Issue #113](https://github.com/openziti/edge-api/issues/113) - RecoveryCodesEnvelope is wrong
+
+* github.com/openziti/foundation/v2: [v2.0.45 -> v2.0.46](https://github.com/openziti/foundation/compare/v2.0.45...v2.0.46)
+    * [Issue #407](https://github.com/openziti/foundation/issues/407) - Remove Branch from build info
+
+* github.com/openziti/identity: [v1.0.77 -> v1.0.78](https://github.com/openziti/identity/compare/v1.0.77...v1.0.78)
+* github.com/openziti/metrics: [v1.2.54 -> v1.2.55](https://github.com/openziti/metrics/compare/v1.2.54...v1.2.55)
+* github.com/openziti/runzmd: [v1.0.47 -> v1.0.48](https://github.com/openziti/runzmd/compare/v1.0.47...v1.0.48)
+* github.com/openziti/transport/v2: [v2.0.133 -> v2.0.134](https://github.com/openziti/transport/compare/v2.0.133...v2.0.134)
+* github.com/openziti/ziti: [v1.1.3 -> v1.1.4](https://github.com/openziti/ziti/compare/v1.1.3...v1.1.4)
+    * [Issue #2124](https://github.com/openziti/ziti/issues/2124) - api session certs should be deleted when related api sessions are deleted
+
 # Release 1.1.3
 
 ## What's New

controller/config/config.go

@@ -23,6 +23,7 @@ import (
 	"encoding/pem"
 	"fmt"
 	"github.com/michaelquigley/pfxlog"
+	nfpem "github.com/openziti/foundation/v2/pem"
 	"github.com/openziti/identity"
 	"github.com/openziti/ziti/controller/command"
 	"github.com/pkg/errors"
@@ -101,6 +102,7 @@ type Config struct {
 	caPemsOnce      sync.Once
 	Totp            Totp
 	AuthRateLimiter command.AdaptiveRateLimiterConfig
+	caCerts         []*x509.Certificate
 }
 
 type HttpTimeouts struct {
@@ -133,22 +135,31 @@ func (c *Config) SessionTimeoutDuration() time.Duration {
 
 func (c *Config) CaPems() []byte {
 	c.caPemsOnce.Do(func() {
-		c.RefreshCaPems()
+		c.RefreshCas()
 	})
 
 	return c.caPems.Bytes()
 }
 
+func (c *Config) CaCerts() []*x509.Certificate {
+	c.caPemsOnce.Do(func() {
+		c.RefreshCas()
+	})
+
+	return c.caCerts
+}
+
 // AddCaPems adds a byte array of certificates to the current buffered list of CAs. The certificates
-// should be in PEM format separated by new lines. RefreshCaPems should be called after all
+// should be in PEM format separated by new lines. RefreshCas should be called after all
 // calls to AddCaPems are completed.
 func (c *Config) AddCaPems(caPems []byte) {
 	c.caPems.WriteString("\n")
 	c.caPems.Write(caPems)
 }
 
-func (c *Config) RefreshCaPems() {
+func (c *Config) RefreshCas() {
 	c.caPems = CalculateCaPems(c.caPems)
+	c.caCerts = nfpem.PemBytesToCertificates(c.caPems.Bytes())
 }
 
 func (c *Config) loadTotpSection(edgeConfigMap map[any]any) error {

controller/db/api_session_certificate_store.go

@@ -68,11 +68,11 @@ func (store *ApiSessionCertificateStoreImpl) initializeLocal() {
 	store.AddSymbol(FieldApiSessionCertificateApiSession, ast.NodeTypeString)
 	store.AddSymbol(FieldApiSessionCertificateSubject, ast.NodeTypeString)
 	store.AddSymbol(FieldApiSessionCertificateFingerprint, ast.NodeTypeString)
-	store.symbolApiSession = store.AddFkSymbol(FieldApiSessionCertificateApiSession, store.stores.apiSession)
+	store.symbolApiSession = store.AddSymbol(FieldApiSessionCertificateApiSession, ast.NodeTypeString)
 }
 
 func (store *ApiSessionCertificateStoreImpl) initializeLinked() {
-	store.AddFkIndex(store.symbolApiSession, store.stores.apiSession.apiSessionCertsSymbol)
+	store.AddFkIndexCascadeDelete(store.symbolApiSession, store.stores.apiSession.apiSessionCertsSymbol)
 }
 
 func (store *ApiSessionCertificateStoreImpl) NewEntity() *ApiSessionCertificate {

controller/model/enrollment_manager.go

@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"github.com/michaelquigley/pfxlog"
 	"github.com/openziti/foundation/v2/errorz"
+	"github.com/openziti/identity"
 	"github.com/openziti/storage/boltz"
 	"github.com/openziti/ziti/common/cert"
 	"github.com/openziti/ziti/common/eid"
@@ -218,23 +219,26 @@ func (self *EnrollmentManager) ReplaceWithAuthenticator(enrollmentId string, aut
 // GetCertChainPem parses a given certificate in raw DER and attempt to provide string in PEM format of the
 // original certificate followed by each signing intermediate up to but not including the root CA.
 func (self *EnrollmentManager) GetCertChainPem(certRaw []byte) (string, error) {
-	clientCert, err := x509.ParseCertificate(certRaw)
+	targetCert, err := x509.ParseCertificate(certRaw)
 	if err != nil {
 		pfxlog.Logger().WithError(err).Error("error parsing cert raw during enrollment, attempting to assemble chain")
 		return "", err
 	}
 
-	var clientChainPem []byte
-	clientChain := self.env.GetHostController().Identity().CaPool().GetChainMinusRoot(clientCert)
-	for _, c := range clientChain {
+	var targetChainPem []byte
+
+	pool := identity.NewCaPool(self.env.GetConfig().CaCerts())
+	targetChain := pool.GetChainMinusRoot(targetCert)
+
+	for _, c := range targetChain {
 		pemData, err := cert.RawToPem(c.Raw)
 		if err != nil {
 			return "", err
 		}
-		clientChainPem = append(clientChainPem, pemData...)
+		targetChainPem = append(targetChainPem, pemData...)
 	}
 
-	return string(clientChainPem), nil
+	return string(targetChainPem), nil
 }
 
 func (self *EnrollmentManager) ApplyReplaceEncoderWithAuthenticatorCommand(cmd *ReplaceEnrollmentWithAuthenticatorCmd, ctx boltz.MutateContext) error {

controller/server/client-api.go

@@ -68,7 +68,7 @@ func (factory ClientApiFactory) Validate(config *xweb.InstanceConfig) error {
 		}
 	}
 
-	factory.appEnv.Config.RefreshCaPems()
+	factory.appEnv.Config.RefreshCas()
 
 	if !clientApiFound {
 		return errors.Errorf("could not find [edge.api.address] value [%s] as a bind point any instance of ApiConfig [%s]", factory.appEnv.Config.Api.Address, controller.ClientApiBinding)

controller/sync_strats/sync_instant.go

@@ -890,7 +890,16 @@ func (strategy *InstantStrategy) BuildServicePolicies(tx *bbolt.Tx, rdm *common.
 	return nil
 }
 
-func (strategy *InstantStrategy) BuildPublicKeys(tx *bbolt.Tx, rdm *common.RouterDataModel) error {
+func (strategy *InstantStrategy) BuildPublicKeys(tx *bbolt.Tx) error {
+	serverTls := strategy.ae.HostController.Identity().ServerCert()
+
+	newModel := &edge_ctrl_pb.DataState_Event_PublicKey{PublicKey: newPublicKey(serverTls[0].Certificate[0], edge_ctrl_pb.DataState_PublicKey_X509CertDer, []edge_ctrl_pb.DataState_PublicKey_Usage{edge_ctrl_pb.DataState_PublicKey_JWTValidation, edge_ctrl_pb.DataState_PublicKey_ClientX509CertValidation})}
+	newEvent := &edge_ctrl_pb.DataState_Event{
+		Action: edge_ctrl_pb.DataState_Create,
+		Model:  newModel,
+	}
+	strategy.HandlePublicKeyEvent(newEvent, newModel)
+
 	for cursor := strategy.ae.GetStores().Controller.IterateIds(tx, ast.BoolNodeTrue); cursor.IsValid(); cursor.Next() {
 		currentBytes := cursor.Current()
 		currentId := string(currentBytes)

go.mod

@@ -49,15 +49,15 @@ require (
 	github.com/natefinch/lumberjack v2.0.0+incompatible
 	github.com/openziti/agent v1.0.16
 	github.com/openziti/channel/v2 v2.0.131
-	github.com/openziti/edge-api v0.26.19
+	github.com/openziti/edge-api v0.26.20
 	github.com/openziti/foundation/v2 v2.0.46
 	github.com/openziti/identity v1.0.78
 	github.com/openziti/jwks v1.0.3
 	github.com/openziti/metrics v1.2.55
 	github.com/openziti/runzmd v1.0.48
 	github.com/openziti/sdk-golang v0.23.37
 	github.com/openziti/secretstream v0.1.20
-	github.com/openziti/storage v0.2.41
+	github.com/openziti/storage v0.2.42
 	github.com/openziti/transport/v2 v2.0.134
 	github.com/openziti/x509-claims v1.0.3
 	github.com/openziti/xweb/v2 v2.1.0
@@ -79,11 +79,11 @@ require (
 	github.com/zitadel/oidc/v2 v2.12.0
 	go.etcd.io/bbolt v1.3.10
 	go4.org v0.0.0-20180809161055-417644f6feb5
-	golang.org/x/crypto v0.23.0
-	golang.org/x/net v0.25.0
+	golang.org/x/crypto v0.24.0
+	golang.org/x/net v0.26.0
 	golang.org/x/sync v0.7.0
-	golang.org/x/sys v0.20.0
-	golang.org/x/text v0.15.0
+	golang.org/x/sys v0.21.0
+	golang.org/x/text v0.16.0
 	google.golang.org/protobuf v1.34.1
 	gopkg.in/AlecAivazis/survey.v1 v1.8.8
 	gopkg.in/resty.v1 v1.12.0
@@ -113,7 +113,7 @@ require (
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-jose/go-jose/v4 v4.0.1 // indirect
-	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
 	github.com/go-openapi/analysis v0.23.0 // indirect
@@ -176,17 +176,17 @@ require (
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go.mongodb.org/mongo-driver v1.15.0 // indirect
 	go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect
-	go.opentelemetry.io/otel v1.26.0 // indirect
-	go.opentelemetry.io/otel/metric v1.26.0 // indirect
-	go.opentelemetry.io/otel/trace v1.26.0 // indirect
+	go.opentelemetry.io/otel v1.27.0 // indirect
+	go.opentelemetry.io/otel/metric v1.27.0 // indirect
+	go.opentelemetry.io/otel/trace v1.27.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.9.0 // indirect
 	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
 	golang.org/x/image v0.13.0 // indirect
 	golang.org/x/mod v0.17.0 // indirect
 	golang.org/x/oauth2 v0.20.0 // indirect
-	golang.org/x/term v0.20.0 // indirect
-	golang.org/x/tools v0.21.0 // indirect
+	golang.org/x/term v0.21.0 // indirect
+	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
 	nhooyr.io/websocket v1.8.11 // indirect