From f8346be9cd9afba4b0a7672faefee7325e151bd3 Mon Sep 17 00:00:00 2001 From: Andrew Martinez Date: Mon, 23 Sep 2024 10:14:31 -0400 Subject: [PATCH 1/5] fixes #2354 adds oidc AuthhQuery support --- controller/env/appenv.go | 25 +++- controller/model/authenticator_mod_updb.go | 1 + controller/oidc_auth/login.go | 82 ++++++++-- controller/oidc_auth/requests.go | 65 ++++++-- controller/oidc_auth/storage.go | 10 +- ..._distributed_test.go => auth_oidc_test.go} | 141 +++++++++++++++++- 6 files changed, 288 insertions(+), 36 deletions(-) rename tests/{auth_distributed_test.go => auth_oidc_test.go} (55%) diff --git a/controller/env/appenv.go b/controller/env/appenv.go index ec94af460..52959b4ec 100644 --- a/controller/env/appenv.go +++ b/controller/env/appenv.go @@ -608,12 +608,22 @@ func NewAuthQueryZitiMfa() *rest_model.AuthQueryDetail { } } -func NewAuthQueryExtJwt(url string) *rest_model.AuthQueryDetail { +func NewAuthQueryExtJwt(signer *model.ExternalJwtSigner) *rest_model.AuthQueryDetail { provider := rest_model.MfaProvidersURL + + if signer == nil { + return &rest_model.AuthQueryDetail{ + TypeID: "EXT-JWT", + Provider: &provider, + } + } + return &rest_model.AuthQueryDetail{ - HTTPURL: url, + HTTPURL: stringz.OrEmpty(signer.ExternalAuthUrl), TypeID: "EXT-JWT", Provider: &provider, + Scopes: signer.Scopes, + ClientID: stringz.OrEmpty(signer.ClientId), } } @@ -638,12 +648,11 @@ func ProcessAuthQueries(ae *AppEnv, rc *response.RequestContext) { if err != nil || !authResult.IsSuccessful() { signer, err := ae.Managers.ExternalJwtSigner.Read(*rc.AuthPolicy.Secondary.RequiredExtJwtSigner) - authUrl := "" - if err == nil { - authUrl = stringz.OrEmpty(signer.ExternalAuthUrl) - } - rc.AuthQueries = append(rc.AuthQueries, NewAuthQueryExtJwt(authUrl)) + if err != nil { + pfxlog.Logger().Errorf("could not read required external jwt signer: %s: %s", *rc.AuthPolicy.Secondary.RequiredExtJwtSigner, err) + } + rc.AuthQueries = append(rc.AuthQueries, NewAuthQueryExtJwt(signer)) } } 
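Review bot: `NewAuthQueryExtJwt` is exported and now has two distinct outcomes but no doc comment; the nil-signer branch yields a query with only `TypeID` and `Provider`, which a client cannot tell apart from a signer that simply has no `ExternalAuthUrl`, `ClientId` or `Scopes` configured. Suggest `// NewAuthQueryExtJwt builds the EXT-JWT auth query for signer; a nil signer yields a provider-only query so the client still learns an external JWT is required, without a URL to obtain it.` `Scopes: signer.Scopes` also hands the model's slice to the response object by reference, so a caller that mutates the response would mutate the signer; copy it if that is a concern.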
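Review bot: When `Read` fails, `ProcessAuthQueries` logs and still appends `NewAuthQueryExtJwt(signer)` with a nil signer, so the identity stays partially authenticated and the client gets an EXT-JWT query with no URL (fail-open); the OIDC path in `HybridStorage.Authenticate` (storage.go hunk in this commit) returns the same read error and fails the authentication (fail-closed). The two flows should agree, or the difference should be stated, e.g. `// signer lookup failure is not fatal here: the client is still told an external JWT is required, just without a URL to obtain it`. Note also that `signer, err :=` shadows the outer `err`, which is why the outer check on the next line is unaffected — worth a short comment since it reads like a reuse of the same variable.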
@@ -855,7 +864,7 @@ func (ae *AppEnv) getJwtTokenFromRequest(r *http.Request) *jwt.Token { parsedToken, err := jwt.ParseWithClaims(token, claims, ae.ControllersKeyFunc) if err != nil { - pfxlog.Logger().WithError(err).Error("error during JWT parsing during API request") + pfxlog.Logger().WithError(err).Debug("JWT provided that did not parse and verify against controller public keys, skipping") continue } if parsedToken.Valid { diff --git a/controller/model/authenticator_mod_updb.go b/controller/model/authenticator_mod_updb.go index 7868d7670..c90ac0a95 100644 --- a/controller/model/authenticator_mod_updb.go +++ b/controller/model/authenticator_mod_updb.go @@ -153,6 +153,7 @@ func (module *AuthModuleUpdb) Process(context AuthContext) (AuthResult, error) { authenticator: authenticator, authenticatorId: authenticator.Id, env: module.env, + authPolicy: authPolicy, }, nil } diff --git a/controller/oidc_auth/login.go b/controller/oidc_auth/login.go index 5c93a5474..a35a53aa5 100644 --- a/controller/oidc_auth/login.go +++ b/controller/oidc_auth/login.go @@ -5,6 +5,7 @@ import ( "embed" "encoding/json" "fmt" + "github.com/go-openapi/swag" "github.com/openziti/edge-api/rest_model" "github.com/openziti/foundation/v2/errorz" "github.com/openziti/ziti/controller/apierror" 
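Review bot: Lowering the `ParseWithClaims` failure in `getJwtTokenFromRequest` from Error to Debug removes the only visible record of a bearer token that failed verification against the controller's keys, which is a signal incident responders usually want kept in default logs. If the goal is to stop noise from tokens that were never controller-issued (e.g. external JWTs handled by another module), consider Debug only when the failure is not a signature error and Warn otherwise — with jwt/v5 that is `errors.Is(err, jwt.ErrTokenSignatureInvalid)` if that sentinel is available in the version the controller imports. The loop body continues outside the hunk.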
@@ -150,14 +151,14 @@ func (l *login) loginHandler(w http.ResponseWriter, r *http.Request) { } func renderLogin(w http.ResponseWriter, id string, err error) { - renderPage(w, loginTemplate, id, err) + renderPage(w, loginTemplate, id, err, nil) } -func renderTotp(w http.ResponseWriter, id string, err error) { - renderPage(w, totpTemplate, id, err) +func renderTotp(w http.ResponseWriter, id string, err error, additionalData any) { + renderPage(w, totpTemplate, id, err, additionalData) } -func renderPage(w http.ResponseWriter, pageTemplate *template.Template, id string, err error) { +func renderPage(w http.ResponseWriter, pageTemplate *template.Template, id string, err error, additionalData any) { w.Header().Set("content-type", "text/html; charset=utf-8") var errMsg string errDisplay := "none" @@ -166,13 +167,15 @@ func renderPage(w http.ResponseWriter, pageTemplate *template.Template, id strin errDisplay = "block" } data := &struct { - ID string - Error string - ErrorDisplay string + ID string + Error string + ErrorDisplay string + AdditionalData any }{ - ID: id, - Error: errMsg, - ErrorDisplay: errDisplay, + ID: id, + Error: errMsg, + ErrorDisplay: errDisplay, + AdditionalData: additionalData, } err = pageTemplate.Execute(w, data) @@ -241,13 +244,13 @@ func (l *login) checkTotp(w http.ResponseWriter, r *http.Request) { }) return } else { - renderTotp(w, id, verifyErr) + renderTotp(w, id, verifyErr, nil) return } } if !authRequest.HasAmr(AuthMethodSecondaryTotp) { - renderTotp(w, id, errors.New("TOTP supplied but not enabled or required on identity")) + renderTotp(w, id, errors.New("TOTP supplied but not enabled or required on identity"), nil) } callbackUrl := l.callback(r.Context(), id) 
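Review bot: `renderPage` now pushes arbitrary `additionalData` into the page template, and the auth-query payload includes signer-configured strings (external auth URL, client id, scopes); whether `template` here is `html/template` or `text/template` is not visible in this hunk. With `text/template` those strings reach the HTML unescaped, so it is worth pinning the assumption with a comment above the `data` struct: `// AdditionalData is rendered by the page template; keep html/template so signer-provided strings are contextually escaped.`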
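Review bot: In `checkTotp` the `!authRequest.HasAmr(AuthMethodSecondaryTotp)` branch renders the TOTP error page but does not `return`, so the handler falls through to `callbackUrl := l.callback(r.Context(), id)` and whatever follows outside the hunk — a second response on an already-written writer at best, and, unless later code re-checks, a request that proceeds as though the step succeeded. The sibling `else { renderTotp(w, id, verifyErr, nil); return }` a few lines above has the `return`; add it here too: `renderTotp(w, id, errors.New("TOTP supplied but not enabled or required on identity"), nil)` followed by `return`. This is pre-existing, but the commit touches the line and it is the one unreturned error path in the function as visible here.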
@@ -302,12 +305,25 @@ func (l *login) authenticate(w http.ResponseWriter, r *http.Request) { authRequest.EnvInfo = credentials.EnvInfo authRequest.AuthTime = time.Now() - if authRequest.SecondaryTotpRequired && !authRequest.HasAmr(AuthMethodSecondaryTotp) { + var authQueries []*rest_model.AuthQueryDetail + + if !authRequest.HasSecondaryAuth() { + authQueries = authRequest.GetAuthQueries() + } + + if authRequest.NeedsTotp() { w.Header().Set(TotpRequiredHeader, "true") + } + + if len(authQueries) > 0 { + if responseType == HtmlContentType { - renderTotp(w, credentials.AuthRequestId, err) + renderTotp(w, credentials.AuthRequestId, err, authQueries) } else if responseType == JsonContentType { - renderJson(w, http.StatusOK, &rest_model.Empty{}) + respBody := JsonMap(map[string]interface{}{ + "authQueries": authQueries, + }) + renderJson(w, http.StatusOK, &respBody) } return @@ -317,6 +333,42 @@ func (l *login) authenticate(w http.ResponseWriter, r *http.Request) { http.Redirect(w, r, callbackUrl, http.StatusFound) } +func (l *login) listAuthQuueries(w http.ResponseWriter, r *http.Request) { + authRequestId := r.URL.Query().Get("id") + + authRequest, err := l.store.GetAuthRequest(authRequestId) + + if err != nil { + invalid := apierror.NewInvalidAuth() + http.Error(w, invalid.Message, invalid.Status) + return + } + + var authQueries []*rest_model.AuthQueryDetail + + if !authRequest.HasSecondaryAuth() { + authQueries = authRequest.GetAuthQueries() + } + + if authRequest.NeedsTotp() { + w.Header().Set(TotpRequiredHeader, "true") + } + + respBody := JsonMap(map[string]interface{}{ + "authQueries": authQueries, + }) + renderJson(w, http.StatusOK, &respBody) +} + +type JsonMap map[string]any + +func (m *JsonMap) MarshalBinary() ([]byte, error) { + if m == nil { + return nil, nil + } + return swag.WriteJSON(m) +} + func (l *login) startEnrollTotp(w http.ResponseWriter, r *http.Request) { changeCtx := NewHttpChangeCtx(r) 
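Review bot: The HTML branch calls `renderTotp(w, credentials.AuthRequestId, err, authQueries)` whenever any auth query is outstanding, so an identity whose only remaining step is the external JWT (`NeedsTotp()` false, `NeedsSecondaryExtJwt()` true) is shown the TOTP page; choosing the template from the queries, or rendering a generic secondary-auth page, would match what the JSON branch returns. The `err` passed to `renderTotp` is the function-scoped variable declared earlier in `authenticate`, outside this hunk — if it is nil here the page shows no error, which may be intended but deserves a comment. The enclosing function starts before the hunk.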
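Review bot: In `listAuthQuueries` `authQueries` stays a nil slice when nothing is outstanding, so the response body is `{"authQueries": null}` rather than `[]`; declare it as `authQueries := []*rest_model.AuthQueryDetail{}` (the same nil slice exists in `authenticate`, which only avoids emitting it via the `len > 0` guard). The block that computes the queries and sets `TotpRequiredHeader` is a verbatim copy of the one in `authenticate`; a small helper on `*login` would keep the two in step. `JsonMap` and `MarshalBinary` are exported without doc comments, e.g. `// JsonMap is a free-form JSON object; MarshalBinary is provided so it can be passed to renderJson like the generated rest_model types (presumably via encoding.BinaryMarshaler — confirm).`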
diff --git a/controller/oidc_auth/requests.go b/controller/oidc_auth/requests.go index 0e44d4cbd..9e7b1c464 100644 --- a/controller/oidc_auth/requests.go +++ b/controller/oidc_auth/requests.go @@ -5,7 +5,9 @@ import ( "crypto/x509" "fmt" "github.com/openziti/edge-api/rest_model" + "github.com/openziti/foundation/v2/stringz" "github.com/openziti/ziti/common" + "github.com/openziti/ziti/controller/model" "time" "github.com/zitadel/oidc/v2/pkg/oidc" @@ -14,16 +16,15 @@ import ( // AuthRequest represents an OIDC authentication request and implements op.AuthRequest type AuthRequest struct { oidc.AuthRequest - Id string - CreationDate time.Time - IdentityId string - AuthTime time.Time - ApiSessionId string - SecondaryTotpRequired bool - SecondaryExtJwtRequired bool - SecondaryExtJwtId string - ConfigTypes []string - Amr map[string]struct{} + Id string + CreationDate time.Time + IdentityId string + AuthTime time.Time + ApiSessionId string + SecondaryTotpRequired bool + SecondaryExtJwtSigner *model.ExternalJwtSigner + ConfigTypes []string + Amr map[string]struct{} PeerCerts []*x509.Certificate RequestedMethod string @@ -69,7 +70,7 @@ func (a *AuthRequest) HasPrimaryAuth() bool { // HasSecondaryAuth returns true if all applicable secondary authentications have been passed func (a *AuthRequest) HasSecondaryAuth() bool { return (!a.SecondaryTotpRequired || a.HasAmr(AuthMethodSecondaryTotp)) && - (!a.SecondaryExtJwtRequired || a.HasAmr(AuthMethodSecondaryExtJwt)) + (a.SecondaryExtJwtSigner == nil || a.HasAmrExtJwtId(a.SecondaryExtJwtSigner.Id)) } // HasAmr returns true if the supplied amr is present @@ -78,6 +79,10 @@ func (a *AuthRequest) HasAmr(amr string) bool { return found } +func (a *AuthRequest) HasAmrExtJwtId(id string) bool { + return a.HasAmr(AuthMethodSecondaryExtJwt + ":" + id) +} + // AddAmr adds the supplied amr func (a *AuthRequest) AddAmr(amr string) { if a.Amr == nil { 
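Review bot: `HasSecondaryAuth` now decides the ext-jwt requirement from `a.SecondaryExtJwtSigner`, a `*model.ExternalJwtSigner` snapshot stored on the `AuthRequest` at authentication time (storage.go hunk). If the signer is disabled or deleted while the auth request is pending, this copy still governs, and a later AMR for that id is accepted; whether that is acceptable depends on how long auth requests live, which is not visible here. A field comment would make the trade-off explicit: `// SecondaryExtJwtSigner is the signer required by the auth policy, captured when the request was authenticated; it is not re-read on later checks.`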
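Review bot: `HasAmrExtJwtId` is exported without a doc comment and fixes the AMR encoding that whoever calls `AddAmr` for the ext-jwt step must reproduce byte for byte. Suggest `// HasAmrExtJwtId reports whether the secondary ext-jwt amr for the given signer id is present; the amr value is AuthMethodSecondaryExtJwt + ":" + id.` and, since the format now lives in two places, a companion `extJwtAmr(id string) string` helper used by both the check and the `AddAmr` caller.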
@@ -159,6 +164,44 @@ func (a *AuthRequest) GetCertFingerprints() []string { return prints } +func (a *AuthRequest) NeedsTotp() bool { + return a.SecondaryTotpRequired && !a.HasAmr(AuthMethodSecondaryTotp) +} + +func (a *AuthRequest) NeedsSecondaryExtJwt() bool { + return a.SecondaryExtJwtSigner != nil && !a.HasAmrExtJwtId(a.SecondaryExtJwtSigner.Id) +} + +func (a *AuthRequest) GetAuthQueries() []*rest_model.AuthQueryDetail { + var authQueries []*rest_model.AuthQueryDetail + + if a.NeedsTotp() { + provider := rest_model.MfaProvidersZiti + authQueries = append(authQueries, &rest_model.AuthQueryDetail{ + Format: rest_model.MfaFormatsNumeric, + HTTPMethod: "POST", + HTTPURL: "./oidc/login/totp", + MaxLength: 8, + MinLength: 6, + Provider: &provider, + TypeID: "TOTP", + }) + } + + if a.NeedsSecondaryExtJwt() { + provider := rest_model.MfaProvidersURL + authQueries = append(authQueries, &rest_model.AuthQueryDetail{ + ClientID: stringz.OrEmpty(a.SecondaryExtJwtSigner.ClientId), + HTTPURL: stringz.OrEmpty(a.SecondaryExtJwtSigner.ExternalAuthUrl), + Scopes: a.SecondaryExtJwtSigner.Scopes, + Provider: &provider, + TypeID: a.SecondaryExtJwtSigner.Id, + }) + } + + return authQueries +} + // RefreshTokenRequest is a wrapper around RefreshClaims to avoid collisions between go-jwt interface requirements and // zitadel oidc interface names. Implements zitadel op.RefreshTokenRequest type RefreshTokenRequest struct { diff --git a/controller/oidc_auth/storage.go b/controller/oidc_auth/storage.go index 69993a500..c179e1bf1 100644 --- a/controller/oidc_auth/storage.go +++ b/controller/oidc_auth/storage.go 
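Review bot: The TOTP query in `GetAuthQueries` hard-codes `HTTPMethod: "POST"` while `NewAuthQueryZitiMfa` in appenv.go uses `http.MethodPost`; use the constant if `net/http` is in scope here. The same query uses `Format: rest_model.MfaFormatsNumeric` where appenv.go uses `MfaFormatsAlphaNumeric` — if the OIDC TOTP endpoint intentionally accepts a narrower input set than the legacy one, say so in a comment; otherwise unify them. `NeedsTotp`, `NeedsSecondaryExtJwt` and `GetAuthQueries` are exported without doc comments, e.g. `// GetAuthQueries returns one AuthQueryDetail per secondary authentication still outstanding for this request.`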
@@ -223,7 +223,15 @@ func (s *HybridStorage) Authenticate(authCtx model.AuthContext, id string, confi return nil, err } - authRequest.SecondaryTotpRequired = mfa != nil && mfa.IsVerified + authRequest.SecondaryTotpRequired = (mfa != nil && mfa.IsVerified) || result.AuthPolicy().Secondary.RequireTotp + + extJwtSignerId := stringz.OrEmpty(result.AuthPolicy().Secondary.RequiredExtJwtSigner) + + authRequest.SecondaryExtJwtSigner, err = s.env.GetManagers().ExternalJwtSigner.Read(extJwtSignerId) + + if err != nil { + return nil, err + } if authCtx.GetMethod() == AuthMethodCert { if len(authRequest.PeerCerts) == 0 { diff --git a/tests/auth_distributed_test.go b/tests/auth_oidc_test.go similarity index 55% rename from tests/auth_distributed_test.go rename to tests/auth_oidc_test.go index d8929348e..b9def6451 100644 --- a/tests/auth_distributed_test.go +++ b/tests/auth_oidc_test.go @@ -3,11 +3,21 @@ package tests import ( "context" "crypto/tls" + "encoding/json" "fmt" "github.com/go-resty/resty/v2" "github.com/golang-jwt/jwt/v5" "github.com/google/uuid" + "github.com/openziti/edge-api/rest_management_api_client/auth_policy" + authenticator2 "github.com/openziti/edge-api/rest_management_api_client/authenticator" + "github.com/openziti/edge-api/rest_management_api_client/external_jwt_signer" + identity2 "github.com/openziti/edge-api/rest_management_api_client/identity" + "github.com/openziti/edge-api/rest_model" + "github.com/openziti/edge-api/rest_util" + nfpem "github.com/openziti/foundation/v2/pem" + edge_apis "github.com/openziti/sdk-golang/edge-apis" "github.com/openziti/ziti/common" + "github.com/openziti/ziti/common/eid" "github.com/openziti/ziti/controller/oidc_auth" "github.com/zitadel/oidc/v2/pkg/client/rp" httphelper "github.com/zitadel/oidc/v2/pkg/http" @@ -15,6 +25,7 @@ import ( "net" "net/http" "net/http/cookiejar" + "net/url" "testing" "time" ) 
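Review bot: The error from `ExternalJwtSigner.Read` is returned unwrapped, so a caller of `HybridStorage.Authenticate` cannot tell a missing or misconfigured required signer from a store failure; wrap it, e.g. `return nil, fmt.Errorf("reading required external jwt signer %s: %w", extJwtSignerId, err)` if `fmt` is imported in storage.go. Patch 4 in this series rewrites the block but keeps the unwrapped return, so the same applies there. Failing the authentication here (fail-closed) is the safer choice, but it differs from `ProcessAuthQueries` in appenv.go, which logs and continues — worth stating in a comment which behaviour is intended.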
@@ -124,7 +135,7 @@ func newOidcTestRp(apiHost string) (*testRpServer, error) {
 return result, nil
 }
 
-func Test_Authenticate_Distributed_Auth(t *testing.T) {
+func Test_Authenticate_OIDC_Auth(t *testing.T) {
 ctx := NewTestContext(t)
 defer ctx.Teardown()
 ctx.StartServer()
@@ -228,4 +239,132 @@ func Test_Authenticate_Distributed_Auth(t *testing.T) { ctx.Req.True(accessClaims.IsCertExtendable, "expected isCertExtendable to be true for first party cert auth") }) }) + + t.Run("test cert auth totp ext-jwt", func(t *testing.T) { + ctx.testContextChanged(t) + + managementApiUrl, err := url.Parse("https://" + ctx.ApiHost + "/edge/management/v1") + ctx.Req.NoError(err) + + managementApiUrls := []*url.URL{managementApiUrl} + + managementClient := edge_apis.NewManagementApiClient(managementApiUrls, ctx.ControllerConfig.Id.CA(), func(resp chan string) { + resp <- "" + }) + + adminCreds := edge_apis.NewUpdbCredentials(ctx.AdminAuthenticator.Username, ctx.AdminAuthenticator.Password) + + apiSession, err := managementClient.Authenticate(adminCreds, nil) + ctx.Req.NoError(rest_util.WrapErr(err)) + ctx.NotNil(apiSession) + + ctx.testContextChanged(t) + jwtSignerCert, _ := newSelfSignedCert("Test Jwt Signer Cert - Auth Policy") + + createExtJwtParam := external_jwt_signer.NewCreateExternalJWTSignerParams() + createExtJwtParam.ExternalJWTSigner = &rest_model.ExternalJWTSignerCreate{ + CertPem: S(nfpem.EncodeToString(jwtSignerCert)), + Enabled: B(true), + Name: S("Test JWT Signer - Auth Policy"), + Kid: S(uuid.NewString()), + Issuer: S("test-issuer-99"), + Audience: S("test-audience-99"), + } + + extJwtCreateResp, err := managementClient.API.ExternalJWTSigner.CreateExternalJWTSigner(createExtJwtParam, nil) + ctx.Req.NoError(rest_util.WrapErr(err)) + ctx.Req.NotNil(extJwtCreateResp) + + createAuthPolicyParams := auth_policy.NewCreateAuthPolicyParams() + createAuthPolicyParams.AuthPolicy = &rest_model.AuthPolicyCreate{ + Name: ToPtr("auth_oidc_test-" + eid.New()), + Primary: &rest_model.AuthPolicyPrimary{ + Cert: &rest_model.AuthPolicyPrimaryCert{ + AllowExpiredCerts: ToPtr(true), + Allowed: ToPtr(true), + }, + ExtJWT: &rest_model.AuthPolicyPrimaryExtJWT{ + Allowed: ToPtr(false), + AllowedSigners: []string{}, + }, + Updb: 
&rest_model.AuthPolicyPrimaryUpdb{ + Allowed: ToPtr(true), + LockoutDurationMinutes: ToPtr(int64(0)), + MaxAttempts: ToPtr(int64(5)), + MinPasswordLength: ToPtr(int64(5)), + RequireMixedCase: ToPtr(false), + RequireNumberChar: ToPtr(false), + RequireSpecialChar: ToPtr(false), + }, + }, + Secondary: &rest_model.AuthPolicySecondary{ + RequireExtJWTSigner: ToPtr(extJwtCreateResp.Payload.Data.ID), + RequireTotp: ToPtr(true), + }, + } + + authPolicyCreateResp, err := managementClient.API.AuthPolicy.CreateAuthPolicy(createAuthPolicyParams, nil) + ctx.Req.NoError(rest_util.WrapErr(err)) + ctx.Req.NotNil(authPolicyCreateResp) + + identityName := eid.New() + identityExternalId := eid.New() + createIdentityParams := identity2.NewCreateIdentityParams() + createIdentityParams.Identity = &rest_model.IdentityCreate{ + AuthPolicyID: ToPtr(authPolicyCreateResp.Payload.Data.ID), + ExternalID: ToPtr(identityExternalId), + IsAdmin: ToPtr(false), + Name: ToPtr(identityName), + Type: ToPtr(rest_model.IdentityTypeDefault), + } + + createIdentityResp, err := managementClient.API.Identity.CreateIdentity(createIdentityParams, nil) + ctx.Req.NoError(rest_util.WrapErr(err)) + ctx.Req.NotNil(createIdentityResp) + + identityPassword := eid.New() + + createIdentityUpdbAuthenticator := authenticator2.NewCreateAuthenticatorParams() + createIdentityUpdbAuthenticator.Authenticator = &rest_model.AuthenticatorCreate{ + CertPem: "", + IdentityID: ToPtr(createIdentityResp.Payload.Data.ID), + Method: ToPtr("updb"), + Password: identityPassword, + Username: identityName, + } + + createIdentityUpdbAuthenticatorResp, err := managementClient.API.Authenticator.CreateAuthenticator(createIdentityUpdbAuthenticator, nil) + ctx.Req.NoError(rest_util.WrapErr(err)) + ctx.Req.NotNil(createIdentityUpdbAuthenticatorResp) + + t.Run("can authenticate via UPDB", func(t *testing.T) { + ctx.testContextChanged(t) + identityClient := resty.NewWithClient(ctx.NewHttpClient(ctx.NewTransport())) + 
identityClient.SetRedirectPolicy(resty.DomainCheckRedirectPolicy("127.0.0.1", "localhost")) + resp, err := identityClient.R().Get(rpServer.LoginUri) + + ctx.Req.NoError(err) + ctx.Req.Equal(http.StatusOK, resp.StatusCode()) + + authRequestId := resp.Header().Get(oidc_auth.AuthRequestIdHeader) + ctx.Req.NotEmpty(authRequestId) + + opLoginUri := "https://" + resp.RawResponse.Request.URL.Host + "/oidc/login/username" + + resp, err = identityClient.R().SetHeader("content-type", "application/json").SetBody(map[string]string{"id": authRequestId, "username": identityName, "password": identityPassword}).Post(opLoginUri) + + ctx.Req.NoError(err) + ctx.Req.Equal(http.StatusOK, resp.StatusCode()) + + parsedBody := map[string]any{ + "authQueries": []*rest_model.AuthQueryDetail{}, + } + + err = json.Unmarshal(resp.Body(), &parsedBody) + ctx.Req.NoError(err) + + ctx.Req.Len(parsedBody["authQueries"], 2) + }) + + }) } From e44cdec0bbcf319e5be782cd2231ecdb41677e69 Mon Sep 17 00:00:00 2001 From: Andrew Martinez Date: Mon, 23 Sep 2024 10:21:58 -0400 Subject: [PATCH 2/5] update edge-api dep --- go.mod | 10 +++++----- go.sum | 20 ++++++++++---------- zititest/go.mod | 10 +++++----- zititest/go.sum | 20 ++++++++++---------- 4 files changed, 30 insertions(+), 30 deletions(-) diff --git a/go.mod b/go.mod index 1cfbeef89..c5e17bfe1 100644 --- a/go.mod +++ b/go.mod @@ -52,7 +52,7 @@ require ( github.com/openziti/agent v1.0.18 github.com/openziti/channel/v3 v3.0.3 github.com/openziti/cobra-to-md v1.0.1 - github.com/openziti/edge-api v0.26.30 + github.com/openziti/edge-api v0.26.31 github.com/openziti/foundation/v2 v2.0.49 github.com/openziti/identity v1.0.85 github.com/openziti/jwks v1.0.5 
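Review bot: `ctx.Req.Len(parsedBody["authQueries"], 2)` only counts the queries; asserting the two `TypeID` values (TOTP and EXT-JWT) and the ext-jwt entry's `HTTPURL`/`ClientID` would catch a regression that returns two TOTP entries or drops the signer data. `jwtSignerCert, _ := newSelfSignedCert(...)` discards the error where every neighbouring call uses `ctx.Req.NoError(err)`. `ctx.NotNil(apiSession)` is the non-fatal form; with a nil session the next `managementClient.API` call fails noisily instead of the test stopping at the real cause, so `ctx.Req.NotNil` matches the rest of the block.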
@@ -185,11 +185,11 @@ require ( github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/yusufpapurcu/wmi v1.2.4 // indirect - go.mongodb.org/mongo-driver v1.16.1 // indirect + go.mongodb.org/mongo-driver v1.17.0 // indirect go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect - go.opentelemetry.io/otel v1.29.0 // indirect - go.opentelemetry.io/otel/metric v1.29.0 // indirect - go.opentelemetry.io/otel/trace v1.29.0 // indirect + go.opentelemetry.io/otel v1.30.0 // indirect + go.opentelemetry.io/otel/metric v1.30.0 // indirect + go.opentelemetry.io/otel/trace v1.30.0 // indirect go.uber.org/atomic v1.9.0 // indirect go.uber.org/multierr v1.9.0 // indirect golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect diff --git a/go.sum b/go.sum index 2755f6ef6..f14c79d28 100644 --- a/go.sum +++ b/go.sum @@ -576,8 +576,8 @@ github.com/openziti/cobra-to-md v1.0.1 h1:WRinNoIRmwWUSJm+pSNXMjOrtU48oxXDZgeCYQ github.com/openziti/cobra-to-md v1.0.1/go.mod h1:FjCpk/yzHF7/r28oSTNr5P57yN5VolpdAtS/g7KNi2c= github.com/openziti/dilithium v0.3.5 h1:+envGNzxc3OyVPiuvtxivQmCsOjdZjtOMLpQBeMz7eM= github.com/openziti/dilithium v0.3.5/go.mod h1:XONq1iK6te/WwNzkgZHfIDHordMPqb0hMwJ8bs9EfSk= -github.com/openziti/edge-api v0.26.30 h1:Zeit+UJbMhL8aJkcHKsq7XyRX2b7p/hBWL3nzo60gS8= -github.com/openziti/edge-api v0.26.30/go.mod h1:Ya4b6u+SmkqSU2HsWxahwhZ3g+aBqW8mzfm/OOSdCNM= +github.com/openziti/edge-api v0.26.31 h1:9XljIuZNhoPbiIicQYuxNyL7erpowZce3aOg1CkoxSo= +github.com/openziti/edge-api v0.26.31/go.mod h1:f5paewA+1G6JMZddYgXqA9Zp6BBXOJ1i4K42B+ET5ns= github.com/openziti/foundation/v2 v2.0.49 h1:aQ5I/lMhkHQ6urhRpLwrWP+7YtoeUitCfY/wub+nOqo= github.com/openziti/foundation/v2 v2.0.49/go.mod h1:tFk7wg5WE/nDDur5jSVQTROugKDXQkFvmqRSV4pvWp0= github.com/openziti/identity v1.0.85 h1:jphDHrUCXCJGdbVTMBqsdtS0Ei/vhDH337DMNMYzLro= 
@@ -817,8 +817,8 @@ go.etcd.io/bbolt v1.3.11/go.mod h1:dksAq7YMXoljX0xu6VF5DMZGbhYYoLUalEiSySYAS4I= go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs= go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ= -go.mongodb.org/mongo-driver v1.16.1 h1:rIVLL3q0IHM39dvE+z2ulZLp9ENZKThVfuvN/IiN4l8= -go.mongodb.org/mongo-driver v1.16.1/go.mod h1:oB6AhJQvFQL4LEHyXi6aJzQJtBiTQHiAd83l0GdFaiw= +go.mongodb.org/mongo-driver v1.17.0 h1:Hp4q2MCjvY19ViwimTs00wHi7G4yzxh4/2+nTx8r40k= +go.mongodb.org/mongo-driver v1.17.0/go.mod h1:wwWm/+BuOddhcq3n68LKRmgk2wXzmF6s0SFOa0GINL4= go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 h1:CCriYyAfq1Br1aIYettdHZTy8mBTIPo7We18TuO/bak= go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk= go.opencensus.io v0.18.0/go.mod h1:vKdFvxhtzZ9onBp9VKHK8z/sRpBMnKAsufL7wlDrCOA= 
@@ -829,14 +829,14 @@ go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= -go.opentelemetry.io/otel v1.29.0 h1:PdomN/Al4q/lN6iBJEN3AwPvUiHPMlt93c8bqTG5Llw= -go.opentelemetry.io/otel v1.29.0/go.mod h1:N/WtXPs1CNCUEx+Agz5uouwCba+i+bJGFicT8SR4NP8= -go.opentelemetry.io/otel/metric v1.29.0 h1:vPf/HFWTNkPu1aYeIsc98l4ktOQaL6LeSoeV2g+8YLc= -go.opentelemetry.io/otel/metric v1.29.0/go.mod h1:auu/QWieFVWx+DmQOUMgj0F8LHWdgalxXqvp7BII/W8= +go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts= +go.opentelemetry.io/otel v1.30.0/go.mod h1:tFw4Br9b7fOS+uEao81PJjVMjW/5fvNCbpsDIXqP0pc= +go.opentelemetry.io/otel/metric v1.30.0 h1:4xNulvn9gjzo4hjg+wzIKG7iNFEaBMX00Qd4QIZs7+w= +go.opentelemetry.io/otel/metric v1.30.0/go.mod h1:aXTfST94tswhWEb+5QjlSqG+cZlmyXy/u8jFpor3WqQ= go.opentelemetry.io/otel/sdk v1.24.0 h1:YMPPDNymmQN3ZgczicBY3B6sf9n62Dlj9pWD3ucgoDw= go.opentelemetry.io/otel/sdk v1.24.0/go.mod h1:KVrIYw6tEubO9E96HQpcmpTKDVn9gdv35HoYiQWGDFg= -go.opentelemetry.io/otel/trace v1.29.0 h1:J/8ZNK4XgR7a21DZUAsbF8pZ5Jcw1VhACmnYt39JTi4= -go.opentelemetry.io/otel/trace v1.29.0/go.mod h1:eHl3w0sp3paPkYstJOmAimxhiFXPg+MMTlEh3nsQgWQ= +go.opentelemetry.io/otel/trace v1.30.0 h1:7UBkkYzeg3C7kQX8VAidWh2biiQbtAKjyIML8dQ9wmc= +go.opentelemetry.io/otel/trace v1.30.0/go.mod h1:5EyKqTzzmyqB9bwtCCq6pDLktPK6fmGf/Dph+8VI02o= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE= diff --git a/zititest/go.mod b/zititest/go.mod index ac3b9f812..4ee96606e 100644 --- a/zititest/go.mod +++ b/zititest/go.mod 
@@ -12,7 +12,7 @@ require ( github.com/michaelquigley/pfxlog v0.6.10 github.com/openziti/agent v1.0.18 github.com/openziti/channel/v3 v3.0.3 - github.com/openziti/edge-api v0.26.30 + github.com/openziti/edge-api v0.26.31 github.com/openziti/fablab v0.5.60 github.com/openziti/foundation/v2 v2.0.49 github.com/openziti/identity v1.0.85 @@ -182,11 +182,11 @@ require ( github.com/xeipuuv/gojsonschema v1.2.0 // indirect github.com/yusufpapurcu/wmi v1.2.4 // indirect github.com/zitadel/oidc/v2 v2.12.2 // indirect - go.mongodb.org/mongo-driver v1.16.1 // indirect + go.mongodb.org/mongo-driver v1.17.0 // indirect go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect - go.opentelemetry.io/otel v1.29.0 // indirect - go.opentelemetry.io/otel/metric v1.29.0 // indirect - go.opentelemetry.io/otel/trace v1.29.0 // indirect + go.opentelemetry.io/otel v1.30.0 // indirect + go.opentelemetry.io/otel/metric v1.30.0 // indirect + go.opentelemetry.io/otel/trace v1.30.0 // indirect go.uber.org/atomic v1.9.0 // indirect go.uber.org/multierr v1.9.0 // indirect go4.org v0.0.0-20180809161055-417644f6feb5 // indirect diff --git a/zititest/go.sum b/zititest/go.sum index 701fed9c4..0d1db61f8 100644 --- a/zititest/go.sum +++ b/zititest/go.sum 
@@ -598,8 +598,8 @@ github.com/openziti/cobra-to-md v1.0.1 h1:WRinNoIRmwWUSJm+pSNXMjOrtU48oxXDZgeCYQ github.com/openziti/cobra-to-md v1.0.1/go.mod h1:FjCpk/yzHF7/r28oSTNr5P57yN5VolpdAtS/g7KNi2c= github.com/openziti/dilithium v0.3.5 h1:+envGNzxc3OyVPiuvtxivQmCsOjdZjtOMLpQBeMz7eM= github.com/openziti/dilithium v0.3.5/go.mod h1:XONq1iK6te/WwNzkgZHfIDHordMPqb0hMwJ8bs9EfSk= -github.com/openziti/edge-api v0.26.30 h1:Zeit+UJbMhL8aJkcHKsq7XyRX2b7p/hBWL3nzo60gS8= -github.com/openziti/edge-api v0.26.30/go.mod h1:Ya4b6u+SmkqSU2HsWxahwhZ3g+aBqW8mzfm/OOSdCNM= +github.com/openziti/edge-api v0.26.31 h1:9XljIuZNhoPbiIicQYuxNyL7erpowZce3aOg1CkoxSo= +github.com/openziti/edge-api v0.26.31/go.mod h1:f5paewA+1G6JMZddYgXqA9Zp6BBXOJ1i4K42B+ET5ns= github.com/openziti/fablab v0.5.60 h1:RsqrEb3LV6asK5N97uZKyNSDhcNOeDcAuT4OAD/hY9Y= github.com/openziti/fablab v0.5.60/go.mod h1:B/ib+GOtozEIytv2aXSFl9+dL7AiGfbpGS/VjnNduU8= github.com/openziti/foundation/v2 v2.0.49 h1:aQ5I/lMhkHQ6urhRpLwrWP+7YtoeUitCfY/wub+nOqo= 
@@ -838,8 +838,8 @@ go.etcd.io/bbolt v1.3.11/go.mod h1:dksAq7YMXoljX0xu6VF5DMZGbhYYoLUalEiSySYAS4I= go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs= go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ= -go.mongodb.org/mongo-driver v1.16.1 h1:rIVLL3q0IHM39dvE+z2ulZLp9ENZKThVfuvN/IiN4l8= -go.mongodb.org/mongo-driver v1.16.1/go.mod h1:oB6AhJQvFQL4LEHyXi6aJzQJtBiTQHiAd83l0GdFaiw= +go.mongodb.org/mongo-driver v1.17.0 h1:Hp4q2MCjvY19ViwimTs00wHi7G4yzxh4/2+nTx8r40k= +go.mongodb.org/mongo-driver v1.17.0/go.mod h1:wwWm/+BuOddhcq3n68LKRmgk2wXzmF6s0SFOa0GINL4= go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 h1:CCriYyAfq1Br1aIYettdHZTy8mBTIPo7We18TuO/bak= go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk= go.opencensus.io v0.18.0/go.mod h1:vKdFvxhtzZ9onBp9VKHK8z/sRpBMnKAsufL7wlDrCOA= 
@@ -850,14 +850,14 @@ go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= -go.opentelemetry.io/otel v1.29.0 h1:PdomN/Al4q/lN6iBJEN3AwPvUiHPMlt93c8bqTG5Llw= -go.opentelemetry.io/otel v1.29.0/go.mod h1:N/WtXPs1CNCUEx+Agz5uouwCba+i+bJGFicT8SR4NP8= -go.opentelemetry.io/otel/metric v1.29.0 h1:vPf/HFWTNkPu1aYeIsc98l4ktOQaL6LeSoeV2g+8YLc= -go.opentelemetry.io/otel/metric v1.29.0/go.mod h1:auu/QWieFVWx+DmQOUMgj0F8LHWdgalxXqvp7BII/W8= +go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts= +go.opentelemetry.io/otel v1.30.0/go.mod h1:tFw4Br9b7fOS+uEao81PJjVMjW/5fvNCbpsDIXqP0pc= +go.opentelemetry.io/otel/metric v1.30.0 h1:4xNulvn9gjzo4hjg+wzIKG7iNFEaBMX00Qd4QIZs7+w= +go.opentelemetry.io/otel/metric v1.30.0/go.mod h1:aXTfST94tswhWEb+5QjlSqG+cZlmyXy/u8jFpor3WqQ= go.opentelemetry.io/otel/sdk v1.24.0 h1:YMPPDNymmQN3ZgczicBY3B6sf9n62Dlj9pWD3ucgoDw= go.opentelemetry.io/otel/sdk v1.24.0/go.mod h1:KVrIYw6tEubO9E96HQpcmpTKDVn9gdv35HoYiQWGDFg= -go.opentelemetry.io/otel/trace v1.29.0 h1:J/8ZNK4XgR7a21DZUAsbF8pZ5Jcw1VhACmnYt39JTi4= -go.opentelemetry.io/otel/trace v1.29.0/go.mod h1:eHl3w0sp3paPkYstJOmAimxhiFXPg+MMTlEh3nsQgWQ= +go.opentelemetry.io/otel/trace v1.30.0 h1:7UBkkYzeg3C7kQX8VAidWh2biiQbtAKjyIML8dQ9wmc= +go.opentelemetry.io/otel/trace v1.30.0/go.mod h1:5EyKqTzzmyqB9bwtCCq6pDLktPK6fmGf/Dph+8VI02o= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE= From d2571413ad6620bfe65ce837d9560e66ed7a8e3f Mon Sep 17 00:00:00 2001 
From: Andrew Martinez Date: Mon, 23 Sep 2024 10:39:58 -0400 Subject: [PATCH 3/5] fix unused method --- controller/oidc_auth/login.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/controller/oidc_auth/login.go b/controller/oidc_auth/login.go index a35a53aa5..b637ad1dd 100644 --- a/controller/oidc_auth/login.go +++ b/controller/oidc_auth/login.go @@ -109,6 +109,7 @@ func newLogin(store Storage, callback func(context.Context, string) string, issu func (l *login) createRouter(issuerInterceptor *op.IssuerInterceptor) { l.router = mux.NewRouter() + l.router.Path("/auth-queries").Methods("GET").HandlerFunc(l.listAuthQueries) l.router.Path("/password").Methods("GET").HandlerFunc(l.loginHandler) l.router.Path("/password").Methods("POST").HandlerFunc(issuerInterceptor.HandlerFunc(l.authenticate)) @@ -333,7 +334,7 @@ func (l *login) authenticate(w http.ResponseWriter, r *http.Request) { http.Redirect(w, r, callbackUrl, http.StatusFound) } -func (l *login) listAuthQuueries(w http.ResponseWriter, r *http.Request) { +func (l *login) listAuthQueries(w http.ResponseWriter, r *http.Request) { authRequestId := r.URL.Query().Get("id") authRequest, err := l.store.GetAuthRequest(authRequestId) From d96913df7a62f5711c264da5c149450e9f5e74a2 Mon Sep 17 00:00:00 2001 From: Andrew Martinez Date: Mon, 30 Sep 2024 10:34:36 -0400 Subject: [PATCH 4/5] error with proper status code and do not read empty jwt signer ids --- controller/oidc_auth/login.go | 5 +++-- controller/oidc_auth/storage.go | 8 +++++--- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/controller/oidc_auth/login.go b/controller/oidc_auth/login.go index b637ad1dd..5d7625592 100644 --- a/controller/oidc_auth/login.go +++ b/controller/oidc_auth/login.go 
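Review bot: `/auth-queries` is registered outside `issuerInterceptor.HandlerFunc`, like the GET `/password` route, and `listAuthQueries` resolves the request solely from the `id` query parameter, so it is reachable before primary authentication completes and the auth request id travels in the URL — hence in access and proxy logs — whereas the login step posts it in the body. If the id is relied on as unguessable, make that explicit on the route: `// GET /auth-queries?id=<authRequestId>: pre-auth read of the outstanding secondary steps; relies on the auth request id being unguessable and short-lived`. `createRouter` continues past the hunk.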
@@ -179,8 +179,8 @@ func renderPage(w http.ResponseWriter, pageTemplate *template.Template, id strin AdditionalData: additionalData, } - err = pageTemplate.Execute(w, data) - if err != nil { + templateErr := pageTemplate.Execute(w, data) + if templateErr != nil { http.Error(w, err.Error(), http.StatusInternalServerError) } } @@ -295,6 +295,7 @@ func (l *login) authenticate(w http.ResponseWriter, r *http.Request) { invalid := apierror.NewInvalidAuth() if method == AuthMethodPassword { renderLogin(w, credentials.AuthRequestId, invalid) + w.WriteHeader(invalid.Status) return } diff --git a/controller/oidc_auth/storage.go b/controller/oidc_auth/storage.go index c179e1bf1..1e1f7bc0b 100644 --- a/controller/oidc_auth/storage.go +++ b/controller/oidc_auth/storage.go @@ -227,10 +227,12 @@ func (s *HybridStorage) Authenticate(authCtx model.AuthContext, id string, confi extJwtSignerId := stringz.OrEmpty(result.AuthPolicy().Secondary.RequiredExtJwtSigner) - authRequest.SecondaryExtJwtSigner, err = s.env.GetManagers().ExternalJwtSigner.Read(extJwtSignerId) + if extJwtSignerId != "" { + authRequest.SecondaryExtJwtSigner, err = s.env.GetManagers().ExternalJwtSigner.Read(extJwtSignerId) - if err != nil { - return nil, err + if err != nil { + return nil, err + } } if authCtx.GetMethod() == AuthMethodCert { From d0e0c6008aee96e19dfb455c2d8b368b132c3884 Mon Sep 17 00:00:00 2001 From: Andrew Martinez Date: Fri, 4 Oct 2024 11:14:39 -0400 Subject: [PATCH 5/5] use new edge-api constants --- controller/env/appenv.go | 7 ++++--- controller/oidc_auth/requests.go | 5 +++-- go.mod | 2 +- go.sum | 4 ++-- tests/auth_policy_test.go | 4 ++-- zititest/go.mod | 2 +- zititest/go.sum | 4 ++-- 7 files changed, 15 insertions(+), 13 deletions(-) diff --git a/controller/env/appenv.go b/controller/env/appenv.go index 52959b4ec..13d150078 100644 --- a/controller/env/appenv.go +++ b/controller/env/appenv.go 
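Review bot: The new `if templateErr != nil` branch still reports `err.Error()`, where `err` is `renderPage`'s error parameter: on the normal render path it is nil, so a template failure now panics with a nil dereference instead of returning 500, and when it is non-nil the wrong error is reported. Use `http.Error(w, templateErr.Error(), http.StatusInternalServerError)`, or better log `templateErr` server-side and send `http.StatusText(http.StatusInternalServerError)` so template internals are not echoed to the browser. Note that by this point `Execute` has usually already written part of the body, so the status code cannot actually change; rendering into a buffer first would make the 500 effective.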
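Review bot: `w.WriteHeader(invalid.Status)` runs after `renderLogin` has executed the template into `w`, so the 200 status is already committed and net/http ignores the call (and logs "superfluous response.WriteHeader"); the failed-password HTML response stays 200. Move the status ahead of the render, keeping the content type that `renderPage` would otherwise set too late: `w.Header().Set("content-type", "text/html; charset=utf-8")`, `w.WriteHeader(invalid.Status)`, then `renderLogin(w, credentials.AuthRequestId, invalid)` — or give `renderPage` a status parameter so all error pages set it consistently. `authenticate` starts and ends outside the hunk.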
@@ -598,7 +598,7 @@ func (ae *AppEnv) FillRequestContext(rc *response.RequestContext) error { func NewAuthQueryZitiMfa() *rest_model.AuthQueryDetail { provider := rest_model.MfaProvidersZiti return &rest_model.AuthQueryDetail{ - TypeID: "MFA", + TypeID: rest_model.AuthQueryTypeMFA, Format: rest_model.MfaFormatsAlphaNumeric, HTTPMethod: http.MethodPost, HTTPURL: "./authenticate/mfa", @@ -613,17 +613,18 @@ func NewAuthQueryExtJwt(signer *model.ExternalJwtSigner) *rest_model.AuthQueryDe if signer == nil { return &rest_model.AuthQueryDetail{ - TypeID: "EXT-JWT", + TypeID: rest_model.AuthQueryTypeEXTDashJWT, Provider: &provider, } } return &rest_model.AuthQueryDetail{ HTTPURL: stringz.OrEmpty(signer.ExternalAuthUrl), - TypeID: "EXT-JWT", + TypeID: rest_model.AuthQueryTypeEXTDashJWT, Provider: &provider, Scopes: signer.Scopes, ClientID: stringz.OrEmpty(signer.ClientId), + ID: signer.Id, } } diff --git a/controller/oidc_auth/requests.go b/controller/oidc_auth/requests.go index 9e7b1c464..e3e65d60b 100644 --- a/controller/oidc_auth/requests.go +++ b/controller/oidc_auth/requests.go @@ -184,7 +184,7 @@ func (a *AuthRequest) GetAuthQueries() []*rest_model.AuthQueryDetail { MaxLength: 8, MinLength: 6, Provider: &provider, - TypeID: "TOTP", + TypeID: rest_model.AuthQueryTypeTOTP, }) } @@ -195,7 +195,8 @@ func (a *AuthRequest) GetAuthQueries() []*rest_model.AuthQueryDetail { HTTPURL: stringz.OrEmpty(a.SecondaryExtJwtSigner.ExternalAuthUrl), Scopes: a.SecondaryExtJwtSigner.Scopes, Provider: &provider, - TypeID: a.SecondaryExtJwtSigner.Id, + ID: a.SecondaryExtJwtSigner.Id, + TypeID: rest_model.AuthQueryTypeEXTDashJWT, }) } diff --git a/go.mod b/go.mod index c5e17bfe1..d41680a32 100644 --- a/go.mod +++ b/go.mod 
@@ -52,7 +52,7 @@ require (
 github.com/openziti/agent v1.0.18
 github.com/openziti/channel/v3 v3.0.3
 github.com/openziti/cobra-to-md v1.0.1
- github.com/openziti/edge-api v0.26.31
+ github.com/openziti/edge-api v0.26.33
 github.com/openziti/foundation/v2 v2.0.49
 github.com/openziti/identity v1.0.85
 github.com/openziti/jwks v1.0.5
diff --git a/go.sum b/go.sum
index f14c79d28..bcdcdf28a 100644
--- a/go.sum
+++ b/go.sum
@@ -576,8 +576,8 @@ github.com/openziti/cobra-to-md v1.0.1 h1:WRinNoIRmwWUSJm+pSNXMjOrtU48oxXDZgeCYQ
 github.com/openziti/cobra-to-md v1.0.1/go.mod h1:FjCpk/yzHF7/r28oSTNr5P57yN5VolpdAtS/g7KNi2c=
 github.com/openziti/dilithium v0.3.5 h1:+envGNzxc3OyVPiuvtxivQmCsOjdZjtOMLpQBeMz7eM=
 github.com/openziti/dilithium v0.3.5/go.mod h1:XONq1iK6te/WwNzkgZHfIDHordMPqb0hMwJ8bs9EfSk=
-github.com/openziti/edge-api v0.26.31 h1:9XljIuZNhoPbiIicQYuxNyL7erpowZce3aOg1CkoxSo=
-github.com/openziti/edge-api v0.26.31/go.mod h1:f5paewA+1G6JMZddYgXqA9Zp6BBXOJ1i4K42B+ET5ns=
+github.com/openziti/edge-api v0.26.33 h1:EjR7D9O9zuZZqBYRD+X9iDkm5yIQ/G/tjIgnL8ioShE=
+github.com/openziti/edge-api v0.26.33/go.mod h1:sYHVpm26Jr1u7VooNJzTb2b2nGSlmCHMnbGC8XfWSng=
 github.com/openziti/foundation/v2 v2.0.49 h1:aQ5I/lMhkHQ6urhRpLwrWP+7YtoeUitCfY/wub+nOqo=
 github.com/openziti/foundation/v2 v2.0.49/go.mod h1:tFk7wg5WE/nDDur5jSVQTROugKDXQkFvmqRSV4pvWp0=
 github.com/openziti/identity v1.0.85 h1:jphDHrUCXCJGdbVTMBqsdtS0Ei/vhDH337DMNMYzLro=
diff --git a/tests/auth_policy_test.go b/tests/auth_policy_test.go
index 4418b8d0b..5442c4a7b 100644
--- a/tests/auth_policy_test.go
+++ b/tests/auth_policy_test.go
@@ -1422,11 +1422,11 @@ func Test_AuthPolicies(t *testing.T) {
 ctx.Req.NotEmpty(currentApiSessionEnv.Data.AuthQueries)
 //API Session from auth ahs the auth query
- ctx.Req.Equal("EXT-JWT", apiSession.AuthResponse.AuthQueries[0].TypeID)
+ ctx.Req.Equal(rest_model.AuthQueryTypeEXTDashJWT, apiSession.AuthResponse.AuthQueries[0].TypeID)
 ctx.Req.Equal(*extJwtSignerAllowed.ExternalAuthURL, apiSession.AuthResponse.AuthQueries[0].HTTPURL)
 //API Session from get current has auth query
- ctx.Req.Equal("EXT-JWT", currentApiSessionEnv.Data.AuthQueries[0].TypeID)
+ ctx.Req.Equal(rest_model.AuthQueryTypeEXTDashJWT, currentApiSessionEnv.Data.AuthQueries[0].TypeID)
 ctx.Req.Equal(*extJwtSignerAllowed.ExternalAuthURL, currentApiSessionEnv.Data.AuthQueries[0].HTTPURL)
 t.Run("without bearer token partially authenticated", func(t *testing.T) {
diff --git a/zititest/go.mod b/zititest/go.mod
index 4ee96606e..cb5f2bb23 100644
--- a/zititest/go.mod
+++ b/zititest/go.mod
@@ -12,7 +12,7 @@ require (
 github.com/michaelquigley/pfxlog v0.6.10
 github.com/openziti/agent v1.0.18
 github.com/openziti/channel/v3 v3.0.3
- github.com/openziti/edge-api v0.26.31
+ github.com/openziti/edge-api v0.26.33
 github.com/openziti/fablab v0.5.60
 github.com/openziti/foundation/v2 v2.0.49
 github.com/openziti/identity v1.0.85
diff --git a/zititest/go.sum b/zititest/go.sum
index 0d1db61f8..3f5b44afb 100644
--- a/zititest/go.sum
+++ b/zititest/go.sum
@@ -598,8 +598,8 @@ github.com/openziti/cobra-to-md v1.0.1 h1:WRinNoIRmwWUSJm+pSNXMjOrtU48oxXDZgeCYQ
 github.com/openziti/cobra-to-md v1.0.1/go.mod h1:FjCpk/yzHF7/r28oSTNr5P57yN5VolpdAtS/g7KNi2c=
 github.com/openziti/dilithium v0.3.5 h1:+envGNzxc3OyVPiuvtxivQmCsOjdZjtOMLpQBeMz7eM=
 github.com/openziti/dilithium v0.3.5/go.mod h1:XONq1iK6te/WwNzkgZHfIDHordMPqb0hMwJ8bs9EfSk=
-github.com/openziti/edge-api v0.26.31 h1:9XljIuZNhoPbiIicQYuxNyL7erpowZce3aOg1CkoxSo=
-github.com/openziti/edge-api v0.26.31/go.mod h1:f5paewA+1G6JMZddYgXqA9Zp6BBXOJ1i4K42B+ET5ns=
+github.com/openziti/edge-api v0.26.33 h1:EjR7D9O9zuZZqBYRD+X9iDkm5yIQ/G/tjIgnL8ioShE=
+github.com/openziti/edge-api v0.26.33/go.mod h1:sYHVpm26Jr1u7VooNJzTb2b2nGSlmCHMnbGC8XfWSng=
 github.com/openziti/fablab v0.5.60 h1:RsqrEb3LV6asK5N97uZKyNSDhcNOeDcAuT4OAD/hY9Y=
 github.com/openziti/fablab v0.5.60/go.mod h1:B/ib+GOtozEIytv2aXSFl9+dL7AiGfbpGS/VjnNduU8=
 github.com/openziti/foundation/v2 v2.0.49 h1:aQ5I/lMhkHQ6urhRpLwrWP+7YtoeUitCfY/wub+nOqo=