From 0e4ef2b176d7563408b4614d9aa28414d0aa58db Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Wed, 28 Feb 2024 10:47:51 -0500 Subject: [PATCH 1/7] respect service policies for admin identities. fixes #1781. --- controller/model/edge_service_manager.go | 36 +++++++++--------------- 1 file changed, 14 insertions(+), 22 deletions(-) diff --git a/controller/model/edge_service_manager.go b/controller/model/edge_service_manager.go index 5918b45c3..954f22f27 100644 --- a/controller/model/edge_service_manager.go +++ b/controller/model/edge_service_manager.go @@ -119,21 +119,11 @@ func (self *EdgeServiceManager) ReadForIdentity(id string, identityId string, co } func (self *EdgeServiceManager) ReadForIdentityInTx(tx *bbolt.Tx, id string, identityId string, configTypes map[string]struct{}) (*ServiceDetail, error) { - identity, err := self.GetEnv().GetManagers().Identity.readInTx(tx, identityId) - if err != nil { - return nil, err - } - + var err error var service *ServiceDetail - if identity.IsAdmin { - service, err = self.readInTx(tx, id) - if err == nil && service != nil { - service.Permissions = []string{db.PolicyTypeBindName, db.PolicyTypeDialName} - } - } else { - service, err = self.ReadForNonAdminIdentityInTx(tx, id, identityId) - } + // service permissions for admin & non-admin identities will be set according to policies + service, err = self.ReadForNonAdminIdentityInTx(tx, id, identityId) if err == nil && len(configTypes) > 0 { identityServiceConfigs := self.env.GetStores().Identity.LoadServiceConfigsByServiceAndType(tx, identityId, configTypes) self.mergeConfigs(tx, configTypes, service, identityServiceConfigs) @@ -143,10 +133,14 @@ func (self *EdgeServiceManager) ReadForIdentityInTx(tx *bbolt.Tx, id string, ide func (self *EdgeServiceManager) ReadForNonAdminIdentityInTx(tx *bbolt.Tx, id string, identityId string) (*ServiceDetail, error) { edgeServiceStore := self.env.GetStores().EdgeService + identity, err := self.GetEnv().GetManagers().Identity.readInTx(tx, identityId) + if err != nil { + return nil, err + } isBindable := edgeServiceStore.IsBindableByIdentity(tx, id, identityId) isDialable := edgeServiceStore.IsDialableByIdentity(tx, id, identityId) - if !isBindable && !isDialable { + if !isBindable && !isDialable && !identity.IsAdmin { // admin can view services even if policies don't permit bind/dial return nil, boltz.NewNotFoundError(self.GetStore().GetSingularEntityType(), "id", id) } @@ -163,6 +157,10 @@ func (self *EdgeServiceManager) ReadForNonAdminIdentityInTx(tx *bbolt.Tx, id str if isDialable { result.Permissions = append(result.Permissions, db.PolicyTypeDialName) } + if result.Permissions == nil { + // don't return results with no permissions, since some SDKs assume non-nil permissions + result.Permissions = []string{db.PolicyTypeInvalidName} + } return result, nil } @@ -259,14 +257,8 @@ func (result *ServiceListResult) collect(tx *bbolt.Tx, ids []string, queryMetaDa identityServiceConfigs := result.manager.env.GetStores().Identity.LoadServiceConfigsByServiceAndType(tx, result.identityId, result.configTypes) for _, key := range ids { - if !result.isAdmin && result.identityId != "" { - service, err = result.manager.ReadForNonAdminIdentityInTx(tx, key, result.identityId) - } else { - service, err = result.manager.readInTx(tx, key) - if service != nil && result.isAdmin { - service.Permissions = []string{db.PolicyTypeBindName, db.PolicyTypeDialName} - } - } + // service permissions for admin & non-admin identities will be set according to policies + service, err = result.manager.ReadForNonAdminIdentityInTx(tx, key, result.identityId) if err != nil { return err } From 512be085f7e1c3ceabff1c4b98feb1ffe9ab72dd Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Wed, 28 Feb 2024 12:43:12 -0500 Subject: [PATCH 2/7] fix service tests --- tests/service_test.go | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/tests/service_test.go b/tests/service_test.go index c7e5c84b8..5a0663190 100644 --- a/tests/service_test.go +++ b/tests/service_test.go @@ -20,9 +20,9 @@ package tests import ( "fmt" - "github.com/openziti/ziti/common/eid" "github.com/openziti/foundation/v2/errorz" "github.com/openziti/foundation/v2/stringz" + "github.com/openziti/ziti/common/eid" "net/url" "sort" "testing" @@ -50,7 +50,7 @@ func Test_Services(t *testing.T) { ctx.testContextChanged(t) now := time.Now() service := ctx.AdminManagementSession.requireNewService(nil, nil) - service.permissions = []string{"Dial", "Bind"} + service.permissions = []string{"Invalid"} entityJson := ctx.AdminManagementSession.validateEntityWithQuery(service) ctx.validateDateFieldsForCreate(now, entityJson) }) @@ -58,11 +58,11 @@ func Test_Services(t *testing.T) { t.Run("list as admin should return 3 services", func(t *testing.T) { ctx.testContextChanged(t) service1 := ctx.AdminManagementSession.requireNewService(nil, nil) - service1.permissions = []string{"Dial", "Bind"} + service1.permissions = []string{"Invalid"} service2 := ctx.AdminManagementSession.requireNewService(nil, nil) - service2.permissions = []string{"Dial", "Bind"} + service2.permissions = []string{"Invalid"} service3 := ctx.AdminManagementSession.requireNewService(nil, nil) - service3.permissions = []string{"Dial", "Bind"} + service3.permissions = []string{"Invalid"} ctx.AdminManagementSession.validateEntityWithLookup(service1) ctx.AdminManagementSession.validateEntityWithQuery(service1) @@ -108,7 +108,7 @@ func Test_Services(t *testing.T) { t.Run("lookup as admin should pass", func(t *testing.T) { ctx.testContextChanged(t) service := ctx.AdminManagementSession.requireNewService(nil, nil) - service.permissions = []string{"Dial", "Bind"} + service.permissions = []string{"Invalid"} ctx.AdminManagementSession.validateEntityWithLookup(service) }) @@ -163,7 +163,7 @@ func Test_Services(t *testing.T) { ctx.testContextChanged(t) now := time.Now() service := ctx.AdminManagementSession.requireNewService(nil, nil) - service.permissions = []string{"Bind", "Dial"} + service.permissions = []string{"Invalid"} entityJson := ctx.AdminManagementSession.validateEntityWithQuery(service) createdAt := ctx.validateDateFieldsForCreate(now, entityJson) From ba995a68c6ad2bcdc480e486e13e2b49479f0235 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Wed, 28 Feb 2024 15:27:05 -0500 Subject: [PATCH 3/7] combine ReadForNonAdminIdentityInTx into ReadForIdentityInTx --- controller/model/edge_service_manager.go | 23 ++++++++--------------- 1 file changed, 8 insertions(+), 15 deletions(-) diff --git a/controller/model/edge_service_manager.go b/controller/model/edge_service_manager.go index 954f22f27..d2f433b74 100644 --- a/controller/model/edge_service_manager.go +++ b/controller/model/edge_service_manager.go @@ -119,19 +119,6 @@ func (self *EdgeServiceManager) ReadForIdentity(id string, identityId string, co } func (self *EdgeServiceManager) ReadForIdentityInTx(tx *bbolt.Tx, id string, identityId string, configTypes map[string]struct{}) (*ServiceDetail, error) { - var err error - var service *ServiceDetail - - // service permissions for admin & non-admin identities will be set according to policies - service, err = self.ReadForNonAdminIdentityInTx(tx, id, identityId) - if err == nil && len(configTypes) > 0 { - identityServiceConfigs := self.env.GetStores().Identity.LoadServiceConfigsByServiceAndType(tx, identityId, configTypes) - self.mergeConfigs(tx, configTypes, service, identityServiceConfigs) - } - return service, err -} - -func (self *EdgeServiceManager) ReadForNonAdminIdentityInTx(tx *bbolt.Tx, id string, identityId string) (*ServiceDetail, error) { edgeServiceStore := self.env.GetStores().EdgeService identity, err := self.GetEnv().GetManagers().Identity.readInTx(tx, identityId) if err != nil { @@ -161,7 +148,13 @@ func (self *EdgeServiceManager) ReadForNonAdminIdentityInTx(tx *bbolt.Tx, id str // don't return results with no permissions, since some SDKs assume non-nil permissions result.Permissions = []string{db.PolicyTypeInvalidName} } - return result, nil + + if len(configTypes) > 0 { + identityServiceConfigs := self.env.GetStores().Identity.LoadServiceConfigsByServiceAndType(tx, identityId, configTypes) + self.mergeConfigs(tx, configTypes, result, identityServiceConfigs) + } + + return result, err } func (self *EdgeServiceManager) PublicQueryForIdentity(sessionIdentity *Identity, configTypes map[string]struct{}, query ast.Query) (*ServiceListResult, error) { @@ -258,7 +251,7 @@ func (result *ServiceListResult) collect(tx *bbolt.Tx, ids []string, queryMetaDa for _, key := range ids { // service permissions for admin & non-admin identities will be set according to policies - service, err = result.manager.ReadForNonAdminIdentityInTx(tx, key, result.identityId) + service, err = result.manager.ReadForIdentityInTx(tx, key, result.identityId, result.configTypes) if err != nil { return err } From ecce28c65e3784966d8dd46a864bd17961c280b3 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Wed, 28 Feb 2024 16:30:15 -0500 Subject: [PATCH 4/7] more tests fixes --- tests/service_test.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/service_test.go b/tests/service_test.go index 5a0663190..e84efdd5a 100644 --- a/tests/service_test.go +++ b/tests/service_test.go @@ -364,7 +364,7 @@ func Test_ServiceRoleAttributes(t *testing.T) { role1 := eid.New() role2 := eid.New() service := ctx.AdminManagementSession.requireNewService(s(role1, role2), nil) - service.permissions = []string{"Dial", "Bind"} + service.permissions = []string{"Invalid"} ctx.AdminManagementSession.validateEntityWithQuery(service) ctx.AdminManagementSession.validateEntityWithLookup(service) @@ -375,7 +375,7 @@ func Test_ServiceRoleAttributes(t *testing.T) { role1 := eid.New() role2 := eid.New() service := ctx.AdminManagementSession.requireNewService(s(role1, role2), nil) - service.permissions = []string{"Dial", "Bind"} + service.permissions = []string{"Invalid"} role3 := eid.New() service.roleAttributes = []string{role2, role3} @@ -423,7 +423,7 @@ func Test_ServiceRoleAttributes(t *testing.T) { now := time.Now() newService := ctx.AdminManagementSession.requireNewService(nil, nil) - newService.permissions = []string{"Dial", "Bind"} + newService.permissions = []string{"Invalid"} entityJson := ctx.AdminManagementSession.validateEntityWithQuery(newService) From 0c628ae52e1ec3a1612ed3f63f1607c6b2297c60 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Fri, 8 Mar 2024 10:59:11 -0500 Subject: [PATCH 5/7] update changelog --- CHANGELOG.md | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 358d48d86..f46a1271c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,23 @@ +# Release 0.32.3 + +## What's New + +* Bugfixes + +## Default Bind/Dial service permissions for Admin identities + +Admin identities were able to Dial and Bind all services regardless of the effective service policies +prior to this release. This could lead to a confusing situation where a tunneler that was assuming an Admin +identity would put itself into an infinite connect-loop when a service's host.v1 address overlapped with +any addresses in its intercept configuration. + +Please create service policies to grant Bind or Dial permissions to Admin identities as needed. + +## Component Updates and Bug Fixes + +* github.com/openziti/ziti: [v0.32.2 -> v0.32.3](https://github.com/openziti/ziti/compare/v0.32.2...v0.32.3) + * [Issue #1781](https://github.com/openziti/ziti/issues/1781) - Admin identities have bind and dial permissions to services + # Release 0.32.2 ## What's New From 4bd062bc17b3dbf8a08930609d8c34cc438e1b3d Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Tue, 9 Apr 2024 11:39:18 -0400 Subject: [PATCH 6/7] update versions in changelog --- CHANGELOG.md | 120 +++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 116 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f46a1271c..87d65d1a6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,23 +1,135 @@ -# Release 0.32.3 +# Release 1.0.0 ## What's New * Bugfixes -## Default Bind/Dial service permissions for Admin identities +## DEFAULT Bind/Dial SERVICE PERMISSIONS FOR Admin IDENTITIES HAVE CHANGED Admin identities were able to Dial and Bind all services regardless of the effective service policies prior to this release. This could lead to a confusing situation where a tunneler that was assuming an Admin identity would put itself into an infinite connect-loop when a service's host.v1 address overlapped with any addresses in its intercept configuration. -Please create service policies to grant Bind or Dial permissions to Admin identities as needed. +Please create service policies to grant Bind or Dial permissions to Admin identities as needed. ## Component Updates and Bug Fixes -* github.com/openziti/ziti: [v0.32.2 -> v0.32.3](https://github.com/openziti/ziti/compare/v0.32.2...v0.32.3) +* github.com/openziti/ziti: [v0.34.2 -> v1.0.0](https://github.com/openziti/ziti/compare/v0.34.2...v1.0.0) * [Issue #1781](https://github.com/openziti/ziti/issues/1781) - Admin identities have bind and dial permissions to services +# Release 0.34.2 + +## What's New + +* The circuit id is now available in the SDK on the client and hosting side + * Requires 0.34.2+ routers + * Requests SDK support. Currently supported in the Go SDK 0.23.11+ +* Bug fixes + +## Component Updates and Bug Fixes +* github.com/openziti/edge-api: [v0.26.13 -> v0.26.14](https://github.com/openziti/edge-api/compare/v0.26.13...v0.26.14) +* github.com/openziti/sdk-golang: [v0.23.14 -> v0.23.15](https://github.com/openziti/sdk-golang/compare/v0.23.14...v0.23.15) +* github.com/openziti/secretstream: [v0.1.17 -> v0.1.18](https://github.com/openziti/secretstream/compare/v0.1.17...v0.1.18) + * [Issue #24](https://github.com/openziti/secretstream/issues/24) - Potential side channel issue + * [Issue #25](https://github.com/openziti/secretstream/issues/25) - Reads from crypto/rand not checked for errors + +* github.com/openziti/ziti: [v0.34.1 -> v0.34.2](https://github.com/openziti/ziti/compare/v0.34.1...v0.34.2) + * [Issue #1831](https://github.com/openziti/ziti/issues/1831) - Circuit ID should be returned in the response to a Dial request + * [Issue #1873](https://github.com/openziti/ziti/issues/1873) - host.v1 health check time.Duration unconvertible + +# Release 0.34.1 + +## What's New + +* Updates version of go to 1.22.x + * As usual when updating the go version, this is the only change in this release + +# Release 0.34.0 + +## What's New + +* Bug fixes and performance enhancements +* Version number is bumped as a large chunk of HA was merged up. The next version bump is likely to bring HA to alpha status. + +## Component Updates and Bug Fixes + +* github.com/openziti/channel/v2: [v2.0.119 -> v2.0.122](https://github.com/openziti/channel/compare/v2.0.119...v2.0.122) +* github.com/openziti/edge-api: [v0.26.12 -> v0.26.14](https://github.com/openziti/edge-api/compare/v0.26.12...v0.26.14) +* github.com/openziti/foundation/v2: [v2.0.37 -> v2.0.40](https://github.com/openziti/foundation/compare/v2.0.37...v2.0.40) +* github.com/openziti/identity: [v1.0.70 -> v1.0.73](https://github.com/openziti/identity/compare/v1.0.70...v1.0.73) +* github.com/openziti/metrics: [v1.2.45 -> v1.2.48](https://github.com/openziti/metrics/compare/v1.2.45...v1.2.48) +* github.com/openziti/runzmd: [v1.0.38 -> v1.0.41](https://github.com/openziti/runzmd/compare/v1.0.38...v1.0.41) +* github.com/openziti/sdk-golang: [v0.22.28 -> v0.23.14](https://github.com/openziti/sdk-golang/compare/v0.22.28...v0.23.14) + * [Issue #524](https://github.com/openziti/sdk-golang/issues/524) - Add circuit id to edge.Conn, so sdk connections can be correlated with network traffic + * [Issue #515](https://github.com/openziti/sdk-golang/issues/515) - Service hosting improvements + * [Issue #501](https://github.com/openziti/sdk-golang/issues/501) - Improve hosting session management + +* github.com/openziti/secretstream: [v0.1.16 -> v0.1.17](https://github.com/openziti/secretstream/compare/v0.1.16...v0.1.17) +* github.com/openziti/storage: [v0.2.30 -> v0.2.33](https://github.com/openziti/storage/compare/v0.2.30...v0.2.33) +* github.com/openziti/transport/v2: [v2.0.122 -> v2.0.125](https://github.com/openziti/transport/compare/v2.0.122...v2.0.125) +* github.com/openziti/ziti: [v0.33.1 -> v0.34.0](https://github.com/openziti/ziti/compare/v0.33.1...v0.34.0) + * [Issue #1858](https://github.com/openziti/ziti/issues/1858) - add option to create a generic env file instead of a BASH script + * [Issue #1428](https://github.com/openziti/ziti/issues/1428) - Investigate policy integrity performance + * [Issue #1854](https://github.com/openziti/ziti/issues/1854) - Controller can try to send unroute to router which has since disconnected, causing panic + * [Issue #1576](https://github.com/openziti/ziti/issues/1576) - Don't scan for posture checks if there are no posture checks + * [Issue #1849](https://github.com/openziti/ziti/issues/1849) - Session Sync shouldn't be able to block the control channel + * [Issue #1846](https://github.com/openziti/ziti/issues/1846) - Looking up api session certs for api sessions is inefficient + +# Release 0.33.1 + +## What's New + +* Backward compatibility router <-> controller fix to address metrics parsing panic + +## Component Updates and Bug Fixes +* github.com/openziti/ziti: [v0.33.0 -> v0.33.1](https://github.com/openziti/ziti/compare/v0.33.0...v0.33.1) + * [Issue #1826](https://github.com/openziti/ziti/issues/1826) - 0.33.+ routers can cause panic in pre-0.33 controller with new metric + +# Release 0.33.0 + +## What's New + +* SDK Terminator stability improvements +* Minor feature updates and bug fixes + +## SDK Terminator stability improvements + +This release was focused on creating a chaos test for SDK terminators, running it and fixing any issues found. +The test repeatedly and randomly restarts the controller, routers and tunnelers then verifies that terminators +end up in the correct state. + +The following tools were also used/added to aid in diagnosing and fixing issues: + +* `ziti fabric validate router-sdk-terminators` + * Compares the controller state with the router state +* `ziti fabric validate terminators` + * Checks each selected terminator to ensure it's still valid on the router and/or sdk +* `ziti fabric inspect sdk-terminators` + * Allows inspecting each routers terminator state +* `ziti fabric inspect router-messaging` + * Allows inspecting what the controller has queued for router state sync and terminator validations +* `ziti edge validate service-hosting` + * Shows how many terminators each identity which can host a service has + +Several changes were made to the terminator code to ensure that terminators are properly created and cleaned up. +The routers now use an adaptive rate limiter to control how fast they send terminator related requests to the +controller. For this to work properly, the rate limiting on the controller must be enabled, so it can report +back to the routers when it's got too much work. + +## Component Updates and Bug Fixes + +* github.com/openziti/edge-api: [v0.26.10 -> v0.26.12](https://github.com/openziti/edge-api/compare/v0.26.10...v0.26.12) +* github.com/openziti/ziti: [v0.32.2 -> v0.33.0](https://github.com/openziti/ziti/compare/v0.32.2...v0.33.0) + * [Issue #1815](https://github.com/openziti/ziti/issues/1815) - Panic if api session sync failed handler is called twice in the router + * [Issue #1794](https://github.com/openziti/ziti/issues/1794) - Add SDK terminator chaos test and fix any bugs found as part of chaos testing + * [Issue #1781](https://github.com/openziti/ziti/issues/1781) - Improve performance when adding intercepted services + * [Issue #1369](https://github.com/openziti/ziti/issues/1369) - Allow filtering by policy type when listing identities for service or services for identity + * [Issue #1791](https://github.com/openziti/ziti/issues/1791) - route dial isn't checking for network timeouts correctly + * [Issue #1204](https://github.com/openziti/ziti/issues/1204) - ziti cli identity tags related flags misbehaving + * [Issue #987](https://github.com/openziti/ziti/issues/987) - "ziti create config router edge" doesn't know about --tunnelerMode proxy + * [Issue #652](https://github.com/openziti/ziti/issues/652) - Update CLI script M1 Support when github actions allows + # Release 0.32.2 ## What's New From 797fd79b98b3a7cc2677a522c33fea0d77c8ffea Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Tue, 9 Apr 2024 11:39:18 -0400 Subject: [PATCH 7/7] update versions in changelog --- CHANGELOG.md | 120 +++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 116 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f46a1271c..259bb1709 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,23 +1,135 @@ -# Release 0.32.3 +# Release 1.0.0 ## What's New * Bugfixes -## Default Bind/Dial service permissions for Admin identities +## DEFAULT Bind/Dial SERVICE PERMISSIONS FOR Admin IDENTITIES HAVE CHANGED Admin identities were able to Dial and Bind all services regardless of the effective service policies prior to this release. This could lead to a confusing situation where a tunneler that was assuming an Admin identity would put itself into an infinite connect-loop when a service's host.v1 address overlapped with any addresses in its intercept configuration. -Please create service policies to grant Bind or Dial permissions to Admin identities as needed. +Please create service policies to grant Bind or Dial permissions to Admin identities as needed. ## Component Updates and Bug Fixes -* github.com/openziti/ziti: [v0.32.2 -> v0.32.3](https://github.com/openziti/ziti/compare/v0.32.2...v0.32.3) +* github.com/openziti/ziti: [v0.34.2 -> v1.0.0](https://github.com/openziti/ziti/compare/v0.34.2...v1.0.0) * [Issue #1781](https://github.com/openziti/ziti/issues/1781) - Admin identities have bind and dial permissions to services +# Release 0.34.2 + +## What's New + +* The circuit id is now available in the SDK on the client and hosting side + * Requires 0.34.2+ routers + * Requests SDK support. Currently supported in the Go SDK 0.23.11+ +* Bug fixes + +## Component Updates and Bug Fixes +* github.com/openziti/edge-api: [v0.26.13 -> v0.26.14](https://github.com/openziti/edge-api/compare/v0.26.13...v0.26.14) +* github.com/openziti/sdk-golang: [v0.23.14 -> v0.23.15](https://github.com/openziti/sdk-golang/compare/v0.23.14...v0.23.15) +* github.com/openziti/secretstream: [v0.1.17 -> v0.1.18](https://github.com/openziti/secretstream/compare/v0.1.17...v0.1.18) + * [Issue #24](https://github.com/openziti/secretstream/issues/24) - Potential side channel issue + * [Issue #25](https://github.com/openziti/secretstream/issues/25) - Reads from crypto/rand not checked for errors + +* github.com/openziti/ziti: [v0.34.1 -> v0.34.2](https://github.com/openziti/ziti/compare/v0.34.1...v0.34.2) + * [Issue #1831](https://github.com/openziti/ziti/issues/1831) - Circuit ID should be returned in the response to a Dial request + * [Issue #1873](https://github.com/openziti/ziti/issues/1873) - host.v1 health check time.Duration unconvertible + +# Release 0.34.1 + +## What's New + +* Updates version of go to 1.22.x + * As usual when updating the go version, this is the only change in this release + +# Release 0.34.0 + +## What's New + +* Bug fixes and performance enhancements +* Version number is bumped as a large chunk of HA was merged up. The next version bump is likely to bring HA to alpha status. + +## Component Updates and Bug Fixes + +* github.com/openziti/channel/v2: [v2.0.119 -> v2.0.122](https://github.com/openziti/channel/compare/v2.0.119...v2.0.122) +* github.com/openziti/edge-api: [v0.26.12 -> v0.26.14](https://github.com/openziti/edge-api/compare/v0.26.12...v0.26.14) +* github.com/openziti/foundation/v2: [v2.0.37 -> v2.0.40](https://github.com/openziti/foundation/compare/v2.0.37...v2.0.40) +* github.com/openziti/identity: [v1.0.70 -> v1.0.73](https://github.com/openziti/identity/compare/v1.0.70...v1.0.73) +* github.com/openziti/metrics: [v1.2.45 -> v1.2.48](https://github.com/openziti/metrics/compare/v1.2.45...v1.2.48) +* github.com/openziti/runzmd: [v1.0.38 -> v1.0.41](https://github.com/openziti/runzmd/compare/v1.0.38...v1.0.41) +* github.com/openziti/sdk-golang: [v0.22.28 -> v0.23.14](https://github.com/openziti/sdk-golang/compare/v0.22.28...v0.23.14) + * [Issue #524](https://github.com/openziti/sdk-golang/issues/524) - Add circuit id to edge.Conn, so sdk connections can be correlated with network traffic + * [Issue #515](https://github.com/openziti/sdk-golang/issues/515) - Service hosting improvements + * [Issue #501](https://github.com/openziti/sdk-golang/issues/501) - Improve hosting session management + +* github.com/openziti/secretstream: [v0.1.16 -> v0.1.17](https://github.com/openziti/secretstream/compare/v0.1.16...v0.1.17) +* github.com/openziti/storage: [v0.2.30 -> v0.2.33](https://github.com/openziti/storage/compare/v0.2.30...v0.2.33) +* github.com/openziti/transport/v2: [v2.0.122 -> v2.0.125](https://github.com/openziti/transport/compare/v2.0.122...v2.0.125) +* github.com/openziti/ziti: [v0.33.1 -> v0.34.0](https://github.com/openziti/ziti/compare/v0.33.1...v0.34.0) + * [Issue #1858](https://github.com/openziti/ziti/issues/1858) - add option to create a generic env file instead of a BASH script + * [Issue #1428](https://github.com/openziti/ziti/issues/1428) - Investigate policy integrity performance + * [Issue #1854](https://github.com/openziti/ziti/issues/1854) - Controller can try to send unroute to router which has since disconnected, causing panic + * [Issue #1576](https://github.com/openziti/ziti/issues/1576) - Don't scan for posture checks if there are no posture checks + * [Issue #1849](https://github.com/openziti/ziti/issues/1849) - Session Sync shouldn't be able to block the control channel + * [Issue #1846](https://github.com/openziti/ziti/issues/1846) - Looking up api session certs for api sessions is inefficient + +# Release 0.33.1 + +## What's New + +* Backward compatibility router <-> controller fix to address metrics parsing panic + +## Component Updates and Bug Fixes +* github.com/openziti/ziti: [v0.33.0 -> v0.33.1](https://github.com/openziti/ziti/compare/v0.33.0...v0.33.1) + * [Issue #1826](https://github.com/openziti/ziti/issues/1826) - 0.33.+ routers can cause panic in pre-0.33 controller with new metric + +# Release 0.33.0 + +## What's New + +* SDK Terminator stability improvements +* Minor feature updates and bug fixes + +## SDK Terminator stability improvements + +This release was focused on creating a chaos test for SDK terminators, running it and fixing any issues found. +The test repeatedly and randomly restarts the controller, routers and tunnelers then verifies that terminators +end up in the correct state. + +The following tools were also used/added to aid in diagnosing and fixing issues: + +* `ziti fabric validate router-sdk-terminators` + * Compares the controller state with the router state +* `ziti fabric validate terminators` + * Checks each selected terminator to ensure it's still valid on the router and/or sdk +* `ziti fabric inspect sdk-terminators` + * Allows inspecting each routers terminator state +* `ziti fabric inspect router-messaging` + * Allows inspecting what the controller has queued for router state sync and terminator validations +* `ziti edge validate service-hosting` + * Shows how many terminators each identity which can host a service has + +Several changes were made to the terminator code to ensure that terminators are properly created and cleaned up. +The routers now use an adaptive rate limiter to control how fast they send terminator related requests to the +controller. For this to work properly, the rate limiting on the controller must be enabled, so it can report +back to the routers when it's got too much work. + +## Component Updates and Bug Fixes + +* github.com/openziti/edge-api: [v0.26.10 -> v0.26.12](https://github.com/openziti/edge-api/compare/v0.26.10...v0.26.12) +* github.com/openziti/ziti: [v0.32.2 -> v0.33.0](https://github.com/openziti/ziti/compare/v0.32.2...v0.33.0) + * [Issue #1815](https://github.com/openziti/ziti/issues/1815) - Panic if api session sync failed handler is called twice in the router + * [Issue #1794](https://github.com/openziti/ziti/issues/1794) - Add SDK terminator chaos test and fix any bugs found as part of chaos testing + * [Issue #1781](https://github.com/openziti/ziti/issues/1781) - Improve performance when adding intercepted services + * [Issue #1369](https://github.com/openziti/ziti/issues/1369) - Allow filtering by policy type when listing identities for service or services for identity + * [Issue #1791](https://github.com/openziti/ziti/issues/1791) - route dial isn't checking for network timeouts correctly + * [Issue #1204](https://github.com/openziti/ziti/issues/1204) - ziti cli identity tags related flags misbehaving + * [Issue #987](https://github.com/openziti/ziti/issues/987) - "ziti create config router edge" doesn't know about --tunnelerMode proxy + * [Issue #652](https://github.com/openziti/ziti/issues/652) - Update CLI script M1 Support when github actions allows + # Release 0.32.2 ## What's New