diff --git a/controller/env/appenv.go b/controller/env/appenv.go index 04beb51ed..5345807de 100644 --- a/controller/env/appenv.go +++ b/controller/env/appenv.go @@ -602,7 +602,7 @@ func (ae *AppEnv) FillRequestContext(rc *response.RequestContext) error { func NewAuthQueryZitiMfa() *rest_model.AuthQueryDetail { provider := rest_model.MfaProvidersZiti return &rest_model.AuthQueryDetail{ - TypeID: "MFA", + TypeID: rest_model.AuthQueryTypeMFA, Format: rest_model.MfaFormatsAlphaNumeric, HTTPMethod: http.MethodPost, HTTPURL: "./authenticate/mfa", @@ -612,12 +612,23 @@ func NewAuthQueryZitiMfa() *rest_model.AuthQueryDetail { } } -func NewAuthQueryExtJwt(url string) *rest_model.AuthQueryDetail { +func NewAuthQueryExtJwt(signer *model.ExternalJwtSigner) *rest_model.AuthQueryDetail { provider := rest_model.MfaProvidersURL + + if signer == nil { + return &rest_model.AuthQueryDetail{ + TypeID: rest_model.AuthQueryTypeEXTDashJWT, + Provider: &provider, + } + } + return &rest_model.AuthQueryDetail{ - HTTPURL: url, - TypeID: "EXT-JWT", + HTTPURL: stringz.OrEmpty(signer.ExternalAuthUrl), + TypeID: rest_model.AuthQueryTypeEXTDashJWT, Provider: &provider, + Scopes: signer.Scopes, + ClientID: stringz.OrEmpty(signer.ClientId), + ID: signer.Id, } } @@ -642,12 +653,11 @@ func ProcessAuthQueries(ae *AppEnv, rc *response.RequestContext) { if err != nil || !authResult.IsSuccessful() { signer, err := ae.Managers.ExternalJwtSigner.Read(*rc.AuthPolicy.Secondary.RequiredExtJwtSigner) - authUrl := "" - if err == nil { - authUrl = stringz.OrEmpty(signer.ExternalAuthUrl) - } - rc.AuthQueries = append(rc.AuthQueries, NewAuthQueryExtJwt(authUrl)) + if err != nil { + pfxlog.Logger().Errorf("could not read required external jwt signer: %s: %s", *rc.AuthPolicy.Secondary.RequiredExtJwtSigner, err) + } + rc.AuthQueries = append(rc.AuthQueries, NewAuthQueryExtJwt(signer)) } } @@ -859,7 +869,7 @@ func (ae *AppEnv) getJwtTokenFromRequest(r *http.Request) *jwt.Token { parsedToken, err := jwt.ParseWithClaims(token, claims, ae.ControllersKeyFunc) if err != nil { - pfxlog.Logger().WithError(err).Error("error during JWT parsing during API request") + pfxlog.Logger().WithError(err).Debug("JWT provided that did not parse and verify against controller public keys, skipping") continue } if parsedToken.Valid { diff --git a/controller/model/authenticator_mod_updb.go b/controller/model/authenticator_mod_updb.go index 7868d7670..c90ac0a95 100644 --- a/controller/model/authenticator_mod_updb.go +++ b/controller/model/authenticator_mod_updb.go @@ -153,6 +153,7 @@ func (module *AuthModuleUpdb) Process(context AuthContext) (AuthResult, error) { authenticator: authenticator, authenticatorId: authenticator.Id, env: module.env, + authPolicy: authPolicy, }, nil } diff --git a/controller/oidc_auth/login.go b/controller/oidc_auth/login.go index 5c93a5474..5d7625592 100644 --- a/controller/oidc_auth/login.go +++ b/controller/oidc_auth/login.go @@ -5,6 +5,7 @@ import ( "embed" "encoding/json" "fmt" + "github.com/go-openapi/swag" "github.com/openziti/edge-api/rest_model" "github.com/openziti/foundation/v2/errorz" "github.com/openziti/ziti/controller/apierror" @@ -108,6 +109,7 @@ func newLogin(store Storage, callback func(context.Context, string) string, issu func (l *login) createRouter(issuerInterceptor *op.IssuerInterceptor) { l.router = mux.NewRouter() + l.router.Path("/auth-queries").Methods("GET").HandlerFunc(l.listAuthQueries) l.router.Path("/password").Methods("GET").HandlerFunc(l.loginHandler) l.router.Path("/password").Methods("POST").HandlerFunc(issuerInterceptor.HandlerFunc(l.authenticate)) @@ -150,14 +152,14 @@ func (l *login) loginHandler(w http.ResponseWriter, r *http.Request) { } func renderLogin(w http.ResponseWriter, id string, err error) { - renderPage(w, loginTemplate, id, err) + renderPage(w, loginTemplate, id, err, nil) } -func renderTotp(w http.ResponseWriter, id string, err error) { - renderPage(w, totpTemplate, id, err) +func renderTotp(w http.ResponseWriter, id string, err error, additionalData any) { + renderPage(w, totpTemplate, id, err, additionalData) } -func renderPage(w http.ResponseWriter, pageTemplate *template.Template, id string, err error) { +func renderPage(w http.ResponseWriter, pageTemplate *template.Template, id string, err error, additionalData any) { w.Header().Set("content-type", "text/html; charset=utf-8") var errMsg string errDisplay := "none" @@ -166,17 +168,19 @@ func renderPage(w http.ResponseWriter, pageTemplate *template.Template, id strin errDisplay = "block" } data := &struct { - ID string - Error string - ErrorDisplay string + ID string + Error string + ErrorDisplay string + AdditionalData any }{ - ID: id, - Error: errMsg, - ErrorDisplay: errDisplay, + ID: id, + Error: errMsg, + ErrorDisplay: errDisplay, + AdditionalData: additionalData, } - err = pageTemplate.Execute(w, data) - if err != nil { + templateErr := pageTemplate.Execute(w, data) + if templateErr != nil { http.Error(w, err.Error(), http.StatusInternalServerError) } } @@ -241,13 +245,13 @@ func (l *login) checkTotp(w http.ResponseWriter, r *http.Request) { }) return } else { - renderTotp(w, id, verifyErr) + renderTotp(w, id, verifyErr, nil) return } } if !authRequest.HasAmr(AuthMethodSecondaryTotp) { - renderTotp(w, id, errors.New("TOTP supplied but not enabled or required on identity")) + renderTotp(w, id, errors.New("TOTP supplied but not enabled or required on identity"), nil) } callbackUrl := l.callback(r.Context(), id) @@ -291,6 +295,7 @@ func (l *login) authenticate(w http.ResponseWriter, r *http.Request) { invalid := apierror.NewInvalidAuth() if method == AuthMethodPassword { renderLogin(w, credentials.AuthRequestId, invalid) + w.WriteHeader(invalid.Status) return } @@ -302,12 +307,25 @@ func (l *login) authenticate(w http.ResponseWriter, r *http.Request) { authRequest.EnvInfo = credentials.EnvInfo authRequest.AuthTime = time.Now() - if authRequest.SecondaryTotpRequired && !authRequest.HasAmr(AuthMethodSecondaryTotp) { + var authQueries []*rest_model.AuthQueryDetail + + if !authRequest.HasSecondaryAuth() { + authQueries = authRequest.GetAuthQueries() + } + + if authRequest.NeedsTotp() { w.Header().Set(TotpRequiredHeader, "true") + } + + if len(authQueries) > 0 { + if responseType == HtmlContentType { - renderTotp(w, credentials.AuthRequestId, err) + renderTotp(w, credentials.AuthRequestId, err, authQueries) } else if responseType == JsonContentType { - renderJson(w, http.StatusOK, &rest_model.Empty{}) + respBody := JsonMap(map[string]interface{}{ + "authQueries": authQueries, + }) + renderJson(w, http.StatusOK, &respBody) } return @@ -317,6 +335,42 @@ func (l *login) authenticate(w http.ResponseWriter, r *http.Request) { http.Redirect(w, r, callbackUrl, http.StatusFound) } +func (l *login) listAuthQueries(w http.ResponseWriter, r *http.Request) { + authRequestId := r.URL.Query().Get("id") + + authRequest, err := l.store.GetAuthRequest(authRequestId) + + if err != nil { + invalid := apierror.NewInvalidAuth() + http.Error(w, invalid.Message, invalid.Status) + return + } + + var authQueries []*rest_model.AuthQueryDetail + + if !authRequest.HasSecondaryAuth() { + authQueries = authRequest.GetAuthQueries() + } + + if authRequest.NeedsTotp() { + w.Header().Set(TotpRequiredHeader, "true") + } + + respBody := JsonMap(map[string]interface{}{ + "authQueries": authQueries, + }) + renderJson(w, http.StatusOK, &respBody) +} + +type JsonMap map[string]any + +func (m *JsonMap) MarshalBinary() ([]byte, error) { + if m == nil { + return nil, nil + } + return swag.WriteJSON(m) +} + func (l *login) startEnrollTotp(w http.ResponseWriter, r *http.Request) { changeCtx := NewHttpChangeCtx(r) diff --git a/controller/oidc_auth/requests.go b/controller/oidc_auth/requests.go index 0e44d4cbd..e3e65d60b 100644 --- a/controller/oidc_auth/requests.go +++ b/controller/oidc_auth/requests.go @@ -5,7 +5,9 @@ import ( "crypto/x509" "fmt" "github.com/openziti/edge-api/rest_model" + "github.com/openziti/foundation/v2/stringz" "github.com/openziti/ziti/common" + "github.com/openziti/ziti/controller/model" "time" "github.com/zitadel/oidc/v2/pkg/oidc" @@ -14,16 +16,15 @@ import ( // AuthRequest represents an OIDC authentication request and implements op.AuthRequest type AuthRequest struct { oidc.AuthRequest - Id string - CreationDate time.Time - IdentityId string - AuthTime time.Time - ApiSessionId string - SecondaryTotpRequired bool - SecondaryExtJwtRequired bool - SecondaryExtJwtId string - ConfigTypes []string - Amr map[string]struct{} + Id string + CreationDate time.Time + IdentityId string + AuthTime time.Time + ApiSessionId string + SecondaryTotpRequired bool + SecondaryExtJwtSigner *model.ExternalJwtSigner + ConfigTypes []string + Amr map[string]struct{} PeerCerts []*x509.Certificate RequestedMethod string @@ -69,7 +70,7 @@ func (a *AuthRequest) HasPrimaryAuth() bool { // HasSecondaryAuth returns true if all applicable secondary authentications have been passed func (a *AuthRequest) HasSecondaryAuth() bool { return (!a.SecondaryTotpRequired || a.HasAmr(AuthMethodSecondaryTotp)) && - (!a.SecondaryExtJwtRequired || a.HasAmr(AuthMethodSecondaryExtJwt)) + (a.SecondaryExtJwtSigner == nil || a.HasAmrExtJwtId(a.SecondaryExtJwtSigner.Id)) } // HasAmr returns true if the supplied amr is present @@ -78,6 +79,10 @@ func (a *AuthRequest) HasAmr(amr string) bool { return found } +func (a *AuthRequest) HasAmrExtJwtId(id string) bool { + return a.HasAmr(AuthMethodSecondaryExtJwt + ":" + id) +} + // AddAmr adds the supplied amr func (a *AuthRequest) AddAmr(amr string) { if a.Amr == nil { @@ -159,6 +164,45 @@ func (a *AuthRequest) GetCertFingerprints() []string { return prints } +func (a *AuthRequest) NeedsTotp() bool { + return a.SecondaryTotpRequired && !a.HasAmr(AuthMethodSecondaryTotp) +} + +func (a *AuthRequest) NeedsSecondaryExtJwt() bool { + return a.SecondaryExtJwtSigner != nil && !a.HasAmrExtJwtId(a.SecondaryExtJwtSigner.Id) +} + +func (a *AuthRequest) GetAuthQueries() []*rest_model.AuthQueryDetail { + var authQueries []*rest_model.AuthQueryDetail + + if a.NeedsTotp() { + provider := rest_model.MfaProvidersZiti + authQueries = append(authQueries, &rest_model.AuthQueryDetail{ + Format: rest_model.MfaFormatsNumeric, + HTTPMethod: "POST", + HTTPURL: "./oidc/login/totp", + MaxLength: 8, + MinLength: 6, + Provider: &provider, + TypeID: rest_model.AuthQueryTypeTOTP, + }) + } + + if a.NeedsSecondaryExtJwt() { + provider := rest_model.MfaProvidersURL + authQueries = append(authQueries, &rest_model.AuthQueryDetail{ + ClientID: stringz.OrEmpty(a.SecondaryExtJwtSigner.ClientId), + HTTPURL: stringz.OrEmpty(a.SecondaryExtJwtSigner.ExternalAuthUrl), + Scopes: a.SecondaryExtJwtSigner.Scopes, + Provider: &provider, + ID: a.SecondaryExtJwtSigner.Id, + TypeID: rest_model.AuthQueryTypeEXTDashJWT, + }) + } + + return authQueries +} + // RefreshTokenRequest is a wrapper around RefreshClaims to avoid collisions between go-jwt interface requirements and // zitadel oidc interface names. Implements zitadel op.RefreshTokenRequest type RefreshTokenRequest struct { diff --git a/controller/oidc_auth/storage.go b/controller/oidc_auth/storage.go index b902a9ce6..de540cedf 100644 --- a/controller/oidc_auth/storage.go +++ b/controller/oidc_auth/storage.go @@ -224,7 +224,17 @@ func (s *HybridStorage) Authenticate(authCtx model.AuthContext, id string, confi return nil, err } - authRequest.SecondaryTotpRequired = mfa != nil && mfa.IsVerified + authRequest.SecondaryTotpRequired = (mfa != nil && mfa.IsVerified) || result.AuthPolicy().Secondary.RequireTotp + + extJwtSignerId := stringz.OrEmpty(result.AuthPolicy().Secondary.RequiredExtJwtSigner) + + if extJwtSignerId != "" { + authRequest.SecondaryExtJwtSigner, err = s.env.GetManagers().ExternalJwtSigner.Read(extJwtSignerId) + + if err != nil { + return nil, err + } + } if authCtx.GetMethod() == AuthMethodCert { if len(authRequest.PeerCerts) == 0 { diff --git a/go.mod b/go.mod index 6c2aaf822..e4a9e82a8 100644 --- a/go.mod +++ b/go.mod @@ -52,7 +52,7 @@ require ( github.com/openziti/agent v1.0.18 github.com/openziti/channel/v3 v3.0.5 github.com/openziti/cobra-to-md v1.0.1 - github.com/openziti/edge-api v0.26.32 + github.com/openziti/edge-api v0.26.33 github.com/openziti/foundation/v2 v2.0.49 github.com/openziti/identity v1.0.85 github.com/openziti/jwks v1.0.6 diff --git a/go.sum b/go.sum index ed429d83e..f9234781d 100644 --- a/go.sum +++ b/go.sum @@ -576,8 +576,8 @@ github.com/openziti/cobra-to-md v1.0.1 h1:WRinNoIRmwWUSJm+pSNXMjOrtU48oxXDZgeCYQ github.com/openziti/cobra-to-md v1.0.1/go.mod h1:FjCpk/yzHF7/r28oSTNr5P57yN5VolpdAtS/g7KNi2c= github.com/openziti/dilithium v0.3.5 h1:+envGNzxc3OyVPiuvtxivQmCsOjdZjtOMLpQBeMz7eM= github.com/openziti/dilithium v0.3.5/go.mod h1:XONq1iK6te/WwNzkgZHfIDHordMPqb0hMwJ8bs9EfSk= -github.com/openziti/edge-api v0.26.32 h1:32oJI97cuM/kRJPEOwH2pe9dqwj56IYdQgTjTJaaHaU= -github.com/openziti/edge-api v0.26.32/go.mod h1:sYHVpm26Jr1u7VooNJzTb2b2nGSlmCHMnbGC8XfWSng= +github.com/openziti/edge-api v0.26.33 h1:EjR7D9O9zuZZqBYRD+X9iDkm5yIQ/G/tjIgnL8ioShE= +github.com/openziti/edge-api v0.26.33/go.mod h1:sYHVpm26Jr1u7VooNJzTb2b2nGSlmCHMnbGC8XfWSng= github.com/openziti/foundation/v2 v2.0.49 h1:aQ5I/lMhkHQ6urhRpLwrWP+7YtoeUitCfY/wub+nOqo= github.com/openziti/foundation/v2 v2.0.49/go.mod h1:tFk7wg5WE/nDDur5jSVQTROugKDXQkFvmqRSV4pvWp0= github.com/openziti/identity v1.0.85 h1:jphDHrUCXCJGdbVTMBqsdtS0Ei/vhDH337DMNMYzLro= diff --git a/tests/auth_distributed_test.go b/tests/auth_oidc_test.go similarity index 55% rename from tests/auth_distributed_test.go rename to tests/auth_oidc_test.go index d8929348e..b9def6451 100644 --- a/tests/auth_distributed_test.go +++ b/tests/auth_oidc_test.go @@ -3,11 +3,21 @@ package tests import ( "context" "crypto/tls" + "encoding/json" "fmt" "github.com/go-resty/resty/v2" "github.com/golang-jwt/jwt/v5" "github.com/google/uuid" + "github.com/openziti/edge-api/rest_management_api_client/auth_policy" + authenticator2 "github.com/openziti/edge-api/rest_management_api_client/authenticator" + "github.com/openziti/edge-api/rest_management_api_client/external_jwt_signer" + identity2 "github.com/openziti/edge-api/rest_management_api_client/identity" + "github.com/openziti/edge-api/rest_model" + "github.com/openziti/edge-api/rest_util" + nfpem "github.com/openziti/foundation/v2/pem" + edge_apis "github.com/openziti/sdk-golang/edge-apis" "github.com/openziti/ziti/common" + "github.com/openziti/ziti/common/eid" "github.com/openziti/ziti/controller/oidc_auth" "github.com/zitadel/oidc/v2/pkg/client/rp" httphelper "github.com/zitadel/oidc/v2/pkg/http" @@ -15,6 +25,7 @@ import ( "net" "net/http" "net/http/cookiejar" + "net/url" "testing" "time" ) @@ -124,7 +135,7 @@ func newOidcTestRp(apiHost string) (*testRpServer, error) { return result, nil } -func Test_Authenticate_Distributed_Auth(t *testing.T) { +func Test_Authenticate_OIDC_Auth(t *testing.T) { ctx := NewTestContext(t) defer ctx.Teardown() ctx.StartServer() @@ -228,4 +239,132 @@ func Test_Authenticate_Distributed_Auth(t *testing.T) { ctx.Req.True(accessClaims.IsCertExtendable, "expected isCertExtendable to be true for first party cert auth") }) }) + + t.Run("test cert auth totp ext-jwt", func(t *testing.T) { + ctx.testContextChanged(t) + + managementApiUrl, err := url.Parse("https://" + ctx.ApiHost + "/edge/management/v1") + ctx.Req.NoError(err) + + managementApiUrls := []*url.URL{managementApiUrl} + + managementClient := edge_apis.NewManagementApiClient(managementApiUrls, ctx.ControllerConfig.Id.CA(), func(resp chan string) { + resp <- "" + }) + + adminCreds := edge_apis.NewUpdbCredentials(ctx.AdminAuthenticator.Username, ctx.AdminAuthenticator.Password) + + apiSession, err := managementClient.Authenticate(adminCreds, nil) + ctx.Req.NoError(rest_util.WrapErr(err)) + ctx.NotNil(apiSession) + + ctx.testContextChanged(t) + jwtSignerCert, _ := newSelfSignedCert("Test Jwt Signer Cert - Auth Policy") + + createExtJwtParam := external_jwt_signer.NewCreateExternalJWTSignerParams() + createExtJwtParam.ExternalJWTSigner = &rest_model.ExternalJWTSignerCreate{ + CertPem: S(nfpem.EncodeToString(jwtSignerCert)), + Enabled: B(true), + Name: S("Test JWT Signer - Auth Policy"), + Kid: S(uuid.NewString()), + Issuer: S("test-issuer-99"), + Audience: S("test-audience-99"), + } + + extJwtCreateResp, err := managementClient.API.ExternalJWTSigner.CreateExternalJWTSigner(createExtJwtParam, nil) + ctx.Req.NoError(rest_util.WrapErr(err)) + ctx.Req.NotNil(extJwtCreateResp) + + createAuthPolicyParams := auth_policy.NewCreateAuthPolicyParams() + createAuthPolicyParams.AuthPolicy = &rest_model.AuthPolicyCreate{ + Name: ToPtr("auth_oidc_test-" + eid.New()), + Primary: &rest_model.AuthPolicyPrimary{ + Cert: &rest_model.AuthPolicyPrimaryCert{ + AllowExpiredCerts: ToPtr(true), + Allowed: ToPtr(true), + }, + ExtJWT: &rest_model.AuthPolicyPrimaryExtJWT{ + Allowed: ToPtr(false), + AllowedSigners: []string{}, + }, + Updb: &rest_model.AuthPolicyPrimaryUpdb{ + Allowed: ToPtr(true), + LockoutDurationMinutes: ToPtr(int64(0)), + MaxAttempts: ToPtr(int64(5)), + MinPasswordLength: ToPtr(int64(5)), + RequireMixedCase: ToPtr(false), + RequireNumberChar: ToPtr(false), + RequireSpecialChar: ToPtr(false), + }, + }, + Secondary: &rest_model.AuthPolicySecondary{ + RequireExtJWTSigner: ToPtr(extJwtCreateResp.Payload.Data.ID), + RequireTotp: ToPtr(true), + }, + } + + authPolicyCreateResp, err := managementClient.API.AuthPolicy.CreateAuthPolicy(createAuthPolicyParams, nil) + ctx.Req.NoError(rest_util.WrapErr(err)) + ctx.Req.NotNil(authPolicyCreateResp) + + identityName := eid.New() + identityExternalId := eid.New() + createIdentityParams := identity2.NewCreateIdentityParams() + createIdentityParams.Identity = &rest_model.IdentityCreate{ + AuthPolicyID: ToPtr(authPolicyCreateResp.Payload.Data.ID), + ExternalID: ToPtr(identityExternalId), + IsAdmin: ToPtr(false), + Name: ToPtr(identityName), + Type: ToPtr(rest_model.IdentityTypeDefault), + } + + createIdentityResp, err := managementClient.API.Identity.CreateIdentity(createIdentityParams, nil) + ctx.Req.NoError(rest_util.WrapErr(err)) + ctx.Req.NotNil(createIdentityResp) + + identityPassword := eid.New() + + createIdentityUpdbAuthenticator := authenticator2.NewCreateAuthenticatorParams() + createIdentityUpdbAuthenticator.Authenticator = &rest_model.AuthenticatorCreate{ + CertPem: "", + IdentityID: ToPtr(createIdentityResp.Payload.Data.ID), + Method: ToPtr("updb"), + Password: identityPassword, + Username: identityName, + } + + createIdentityUpdbAuthenticatorResp, err := managementClient.API.Authenticator.CreateAuthenticator(createIdentityUpdbAuthenticator, nil) + ctx.Req.NoError(rest_util.WrapErr(err)) + ctx.Req.NotNil(createIdentityUpdbAuthenticatorResp) + + t.Run("can authenticate via UPDB", func(t *testing.T) { + ctx.testContextChanged(t) + identityClient := resty.NewWithClient(ctx.NewHttpClient(ctx.NewTransport())) + identityClient.SetRedirectPolicy(resty.DomainCheckRedirectPolicy("127.0.0.1", "localhost")) + resp, err := identityClient.R().Get(rpServer.LoginUri) + + ctx.Req.NoError(err) + ctx.Req.Equal(http.StatusOK, resp.StatusCode()) + + authRequestId := resp.Header().Get(oidc_auth.AuthRequestIdHeader) + ctx.Req.NotEmpty(authRequestId) + + opLoginUri := "https://" + resp.RawResponse.Request.URL.Host + "/oidc/login/username" + + resp, err = identityClient.R().SetHeader("content-type", "application/json").SetBody(map[string]string{"id": authRequestId, "username": identityName, "password": identityPassword}).Post(opLoginUri) + + ctx.Req.NoError(err) + ctx.Req.Equal(http.StatusOK, resp.StatusCode()) + + parsedBody := map[string]any{ + "authQueries": []*rest_model.AuthQueryDetail{}, + } + + err = json.Unmarshal(resp.Body(), &parsedBody) + ctx.Req.NoError(err) + + ctx.Req.Len(parsedBody["authQueries"], 2) + }) + + }) } diff --git a/tests/auth_policy_test.go b/tests/auth_policy_test.go index 4418b8d0b..5442c4a7b 100644 --- a/tests/auth_policy_test.go +++ b/tests/auth_policy_test.go @@ -1422,11 +1422,11 @@ func Test_AuthPolicies(t *testing.T) { ctx.Req.NotEmpty(currentApiSessionEnv.Data.AuthQueries) //API Session from auth ahs the auth query - ctx.Req.Equal("EXT-JWT", apiSession.AuthResponse.AuthQueries[0].TypeID) + ctx.Req.Equal(rest_model.AuthQueryTypeEXTDashJWT, apiSession.AuthResponse.AuthQueries[0].TypeID) ctx.Req.Equal(*extJwtSignerAllowed.ExternalAuthURL, apiSession.AuthResponse.AuthQueries[0].HTTPURL) //API Session from get current has auth query - ctx.Req.Equal("EXT-JWT", currentApiSessionEnv.Data.AuthQueries[0].TypeID) + ctx.Req.Equal(rest_model.AuthQueryTypeEXTDashJWT, currentApiSessionEnv.Data.AuthQueries[0].TypeID) ctx.Req.Equal(*extJwtSignerAllowed.ExternalAuthURL, currentApiSessionEnv.Data.AuthQueries[0].HTTPURL) t.Run("without bearer token partially authenticated", func(t *testing.T) { diff --git a/zititest/go.mod b/zititest/go.mod index 121ea16d3..aedfba7eb 100644 --- a/zititest/go.mod +++ b/zititest/go.mod @@ -12,7 +12,7 @@ require ( github.com/michaelquigley/pfxlog v0.6.10 github.com/openziti/agent v1.0.18 github.com/openziti/channel/v3 v3.0.5 - github.com/openziti/edge-api v0.26.32 + github.com/openziti/edge-api v0.26.33 github.com/openziti/fablab v0.5.60 github.com/openziti/foundation/v2 v2.0.49 github.com/openziti/identity v1.0.85 diff --git a/zititest/go.sum b/zititest/go.sum index 70d705772..7726bb602 100644 --- a/zititest/go.sum +++ b/zititest/go.sum @@ -598,8 +598,8 @@ github.com/openziti/cobra-to-md v1.0.1 h1:WRinNoIRmwWUSJm+pSNXMjOrtU48oxXDZgeCYQ github.com/openziti/cobra-to-md v1.0.1/go.mod h1:FjCpk/yzHF7/r28oSTNr5P57yN5VolpdAtS/g7KNi2c= github.com/openziti/dilithium v0.3.5 h1:+envGNzxc3OyVPiuvtxivQmCsOjdZjtOMLpQBeMz7eM= github.com/openziti/dilithium v0.3.5/go.mod h1:XONq1iK6te/WwNzkgZHfIDHordMPqb0hMwJ8bs9EfSk= -github.com/openziti/edge-api v0.26.32 h1:32oJI97cuM/kRJPEOwH2pe9dqwj56IYdQgTjTJaaHaU= -github.com/openziti/edge-api v0.26.32/go.mod h1:sYHVpm26Jr1u7VooNJzTb2b2nGSlmCHMnbGC8XfWSng= +github.com/openziti/edge-api v0.26.33 h1:EjR7D9O9zuZZqBYRD+X9iDkm5yIQ/G/tjIgnL8ioShE= +github.com/openziti/edge-api v0.26.33/go.mod h1:sYHVpm26Jr1u7VooNJzTb2b2nGSlmCHMnbGC8XfWSng= github.com/openziti/fablab v0.5.60 h1:RsqrEb3LV6asK5N97uZKyNSDhcNOeDcAuT4OAD/hY9Y= github.com/openziti/fablab v0.5.60/go.mod h1:B/ib+GOtozEIytv2aXSFl9+dL7AiGfbpGS/VjnNduU8= github.com/openziti/foundation/v2 v2.0.49 h1:aQ5I/lMhkHQ6urhRpLwrWP+7YtoeUitCfY/wub+nOqo=