From ae917cc13664f528207eb60f476e6f8bc1b067e4 Mon Sep 17 00:00:00 2001 From: Dave Hart Date: Wed, 13 Jul 2022 16:44:56 -0400 Subject: [PATCH 1/7] Update to use new mattermost webhook --- .github/workflows/mattermost-ziti-webhook.yml | 23 ++++++++++++------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/.github/workflows/mattermost-ziti-webhook.yml b/.github/workflows/mattermost-ziti-webhook.yml index fb6d0802c..dee7cfd61 100644 --- a/.github/workflows/mattermost-ziti-webhook.yml +++ b/.github/workflows/mattermost-ziti-webhook.yml @@ -1,15 +1,16 @@ name: mattermost-ziti-webhook -on: - create: - delete: +on: issues: issue_comment: pull_request_review: + types: [submitted] pull_request_review_comment: pull_request: + types: [opened, reopened] push: fork: release: + types: [released] workflow_dispatch: jobs: @@ -17,9 +18,15 @@ jobs: runs-on: ubuntu-latest name: POST Webhook steps: - - uses: openziti/ziti-webhook-action@v2 - if: github.repository_owner == 'openziti' + - uses: openziti/ziti-mattermost-action-py@main + if: | + github.repository_owner == 'openziti' + && ((github.event_name != 'pull_request_review') + || (github.event_name == 'pull_request_review' && github.event.review.state == 'approved')) with: - ziti-id: ${{ secrets.ZITI_MATTERMOST_IDENTITY }} - webhook-url: ${{ secrets.ZITI_MATTERMOST_WEBHOOK_URL }} - webhook-secret: ${{ secrets.ZITI_MATTERMOSTI_WEBHOOK_SECRET }} + zitiId: ${{ secrets.ZITI_MATTERMOST_IDENTITY }} + webhookUrl: ${{ secrets.ZHOOK_URL }} + eventJson: ${{ toJson(github.event) }} + senderUsername: "GitHubZ" + destChannel: "dev-notifications" + From 832696e760385b956b826fdc2c4754c374b66956 Mon Sep 17 00:00:00 2001 From: Andrew Martinez Date: Wed, 13 Jul 2022 17:55:17 -0400 Subject: [PATCH 2/7] prettier formatting for posture checks from CLI --- go.mod | 1 + go.sum | 2 + ziti/cmd/ziti/cmd/edge/list.go | 363 ++++++++++++++++++++++----------- 3 files changed, 244 insertions(+), 122 deletions(-) 
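Review bot: The step in the second hunk runs `openziti/ziti-mattermost-action-py@main`, a mutable branch ref, while receiving `secrets.ZITI_MATTERMOST_IDENTITY` on every push, issue and PR event, so any later commit to that branch executes with the identity without a change here; pin it to a release tag or a full commit SHA, e.g. `uses: openziti/ziti-mattermost-action-py@<full-commit-sha>`. The secret name `ZHOOK_URL` breaks the `ZITI_MATTERMOST_*` naming of the neighbouring input and of the replaced `ZITI_MATTERMOST_WEBHOOK_URL`, so it reads like a truncated edit and should be confirmed against the repository's secrets before merging. The old `webhook-secret` input has no counterpart in the new `with:` block, and whether the receiving end still authenticates posts beyond the Ziti identity is not visible from this hunk and worth stating in a comment on the step. No `permissions:` block is visible in either hunk; if the job only needs to read the event, a job-level `permissions: contents: read` would keep the default token at least privilege.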
diff --git a/go.mod b/go.mod index b527e050f..4d57a49b3 100644 --- a/go.mod +++ b/go.mod @@ -103,6 +103,7 @@ require ( github.com/hashicorp/raft v1.3.9 // indirect github.com/hashicorp/raft-boltdb v0.0.0-20220329195025-15018e9b97e0 // indirect github.com/inconshreveable/mousetrap v1.0.0 // indirect + github.com/jedib0t/go-pretty v4.3.0+incompatible // indirect github.com/jessevdk/go-flags v1.5.0 // indirect github.com/jinzhu/copier v0.3.5 // indirect github.com/josharian/intern v1.0.0 // indirect diff --git a/go.sum b/go.sum index 6403f94e7..1ecd7b000 100644 --- a/go.sum +++ b/go.sum @@ -479,6 +479,8 @@ github.com/influxdata/influxdb-client-go/v2 v2.2.2/go.mod h1:fa/d1lAdUHxuc1jedx3 github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d h1:/WZQPMZNsjZ7IlCpsLGdQBINg5bxKQ1K1sh6awxLtkA= github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo= github.com/influxdata/line-protocol v0.0.0-20200327222509-2487e7298839/go.mod h1:xaLFMmpvUxqXtVkUJfg9QmT88cDaCJ3ZKgdZ78oO8Qo= +github.com/jedib0t/go-pretty v4.3.0+incompatible h1:CGs8AVhEKg/n9YbUenWmNStRW2PHJzaeDodcfvRAbIo= +github.com/jedib0t/go-pretty v4.3.0+incompatible/go.mod h1:XemHduiw8R651AF9Pt4FwCTKeG3oo7hrHJAoznj9nag= github.com/jedib0t/go-pretty/v6 v6.2.4 h1:wdaj2KHD2W+mz8JgJ/Q6L/T5dB7kyqEFI16eLq7GEmk= github.com/jedib0t/go-pretty/v6 v6.2.4/go.mod h1:+nE9fyyHGil+PuISTCrp7avEdo6bqoMwqZnuiK2r2a0= github.com/jellevandenhooff/dkim v0.0.0-20150330215556-f50fe3d243e1/go.mod h1:E0B/fFc00Y+Rasa88328GlI/XbtyysCtTHZS8h7IrBU= diff --git a/ziti/cmd/ziti/cmd/edge/list.go b/ziti/cmd/ziti/cmd/edge/list.go index a55d3149e..52014a502 100644 --- a/ziti/cmd/ziti/cmd/edge/list.go +++ b/ziti/cmd/ziti/cmd/edge/list.go 
@@ -17,12 +17,14 @@ package edge import ( + "bytes" "fmt" + "github.com/go-openapi/runtime" "github.com/jedib0t/go-pretty/v6/table" "github.com/jedib0t/go-pretty/v6/text" + "github.com/openziti/foundation/v2/stringz" "io" "net/url" - "reflect" "sort" "strconv" "strings" @@ -30,7 +32,6 @@ import ( "github.com/Jeffail/gabs" "github.com/openziti/edge/rest_management_api_client/certificate_authority" "github.com/openziti/edge/rest_model" - "github.com/openziti/foundation/v2/errorz" "github.com/openziti/ziti/ziti/cmd/ziti/cmd/api" "github.com/openziti/ziti/ziti/cmd/ziti/cmd/common" cmdhelper "github.com/openziti/ziti/ziti/cmd/ziti/cmd/helpers" @@ -291,7 +292,7 @@ func newSubListCmdForEntityType(entityType string, subType string, outputF outpu Run: func(cmd *cobra.Command, args []string) { options.Cmd = cmd options.Args = args - err := runListChilden(entityType, subType, options, outputF) + err := runListChildren(entityType, subType, options, outputF) cmdhelper.CheckErr(err) }, SuggestFor: []string{}, @@ -339,20 +340,6 @@ func ListEntitiesOfType(entityType string, params url.Values, logJSON bool, out return children, api.GetPaging(jsonParsed), err } -func toInt64(c *gabs.Container, path string, errorHolder errorz.ErrorHolder) int64 { - data := c.S(path).Data() - if data == nil { - errorHolder.SetError(errors.Errorf("%v not found", path)) - return 0 - } - val, ok := data.(float64) - if !ok { - errorHolder.SetError(errors.Errorf("%v not a number, it's a %v", path, reflect.TypeOf(data))) - return 0 - } - return int64(val) -} - // ListEntitiesOfType queries the Ziti Controller for entities of the given type func filterSubEntitiesOfType(entityType, subType, entityId, filter string, o *api.Options) ([]*gabs.Container, *api.Paging, error) { jsonParsed, err := util.EdgeControllerListSubEntities(entityType, subType, entityId, filter, o.OutputJSONResponse, o.Out, o.Timeout, o.Verbose) 
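Review bot: The import block in the first hunk interleaves third-party packages with the standard library: `"github.com/go-openapi/runtime"` and `"github.com/openziti/foundation/v2/stringz"` now sit between `"fmt"` and `"io"`, which goimports would not produce and which makes the next merge conflict in this list harder to resolve. Keep the stdlib group (`"bytes"`, `"fmt"`, `"io"`, `"net/url"`, ...) together and move the two new github.com imports down into the existing third-party group that starts with `"github.com/Jeffail/gabs"` in the second hunk. In the `-339,20` hunk the deletion of `toInt64` leaves the context comment `// ListEntitiesOfType queries the Ziti Controller for entities of the given type` directly above `filterSubEntitiesOfType`; the mismatch is pre-existing, but this is a cheap moment to rename it to `// filterSubEntitiesOfType ...`.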
@@ -802,118 +789,264 @@ func outputIdentities(o *api.Options, children []*gabs.Container, pagingInfo *ap return nil } -func outputPostureCheck(o *api.Options, entity *gabs.Container) error { - id, _ := entity.Path("id").Data().(string) - typeId, _ := entity.Path("typeId").Data().(string) - name, _ := entity.Path("name").Data().(string) - roleAttributes := entity.Path("roleAttributes").String() - - config := "" - - switch typeId { - case "MFA": - timeoutFloat, _ := entity.Path("timeoutSeconds").Data().(float64) - timeout := int64(timeoutFloat) - promptOnWake, _ := entity.Path("promptOnWake").Data().(bool) - promptOnUnlock, _ := entity.Path("promptOnUnlock").Data().(bool) - ignoreLegacyEndpoints, _ := entity.Path("ignoreLegacyEndpoints").Data().(bool) - config = fmt.Sprintf("timeout: %d, wake: %t, unlock: %t, ignore: %t", timeout, promptOnWake, promptOnUnlock, ignoreLegacyEndpoints) - case "MAC": - containers, _ := entity.Path("macAddresses").Children() - config = containerArrayToString(containers, 4) - case "DOMAIN": - containers, _ := entity.Path("domains").Children() - config = containerArrayToString(containers, 4) - case "OS": - operatingSystems, _ := entity.Path("operatingSystems").Children() - config = strings.Join(postureCheckOsToStrings(operatingSystems), ",") - case "PROCESS_MULTI": - postureCheck := rest_model.PostureCheckProcessMultiDetail{} - if err := postureCheck.UnmarshalJSON(entity.Bytes()); err != nil { - return err - } +func getEllipsesString(val string, lead, lag int) string { + total := lead + lag + 3 - baseConfig := fmt.Sprintf("(SEMANTIC: %s)", *postureCheck.Semantic) + if len(val) <= total { + return val + } - if _, err := fmt.Fprintf(o.Out, "id: %-10v type: %-10v name: %-15v role attributes: %-10s param: %v\n", id, typeId, name, roleAttributes, baseConfig); err != nil { - return err - } + return val[0:lead] + "..." 
+ val[len(val)-lag:] +} - for _, process := range postureCheck.Processes { - process.SignerFingerprints = getEllipsesStrings(process.SignerFingerprints, 4, 2) - process.Hashes = getEllipsesStrings(process.Hashes, 4, 2) - _, _ = fmt.Fprintf(o.Out, "\t(OS: %s, PATH: %s, HASHES: %s, SIGNER: %s)\n", *process.OsType, *process.Path, strings.Join(process.Hashes, ","), strings.Join(process.SignerFingerprints, ", ")) +func strSliceToStr(strs []string, width int) string { + builder := strings.Builder{} + for i, str := range strs { + if i != 0 { + if i%width == 0 { + //builder.WriteRune('\n') + } else { + builder.WriteRune(' ') + } } - return nil + builder.WriteString(str) + } - case "PROCESS": - process := entity.Path("process") + return builder.String() +} - os := process.Path("osType").Data().(string) - path := process.Path("path").Data().(string) +func strSliceToStrEllipses(strs []string, width, lead, lag int) string { + var ret []string + for _, str := range strs { + ret = append(ret, getEllipsesString(str, lead, lag)) + } + return strSliceToStr(ret, width) +} - var hashStrings []string - if val := process.Path("hashes").Data(); val != nil { - hashes := val.([]interface{}) +func WrapHardEllipses(str string, wrapLen int) string { + newStr := text.WrapHard(str, wrapLen) - for _, hash := range hashes { - hashStr := hash.(string) - hashStrings = append(hashStrings, getEllipsesString(hashStr, 4, 2)) - } - } - signerFingerprint := "N/A" - if val := process.Path("signerFingerprint").Data(); val != nil { - if valStr := val.(string); valStr != "" { - signerFingerprint = getEllipsesString(valStr, 4, 2) - } - } + if newStr != str { + newStr = newStr[:len(newStr)-3] + "..." 
+ } - if len(hashStrings) == 0 { - hashStrings = append(hashStrings, "N/A") - } + return newStr +} - config = fmt.Sprintf("\n\t(OS: %s, PATH: %s, HASHES: %s, SIGNER: %s)", os, path, strings.Join(hashStrings, ","), signerFingerprint) +func outputPostureChecks(options *api.Options, children []*gabs.Container, pagingInfo *api.Paging) error { + if options.OutputJSONResponse { + return nil } - if _, err := fmt.Fprintf(o.Out, "id: %-10v type: %-10v name: %-15v role attributes: %-10s param: %v\n", id, typeId, name, roleAttributes, config); err != nil { - return err - } + outTable := table.NewWriter() + outTable.SetStyle(table.StyleRounded) + outTable.Style().Options.SeparateRows = true - return nil -} + rowConfigAutoMerge := table.RowConfig{AutoMerge: true} -func getEllipsesString(val string, lead, lag int) string { - total := lead + lag + 3 + outTable.AppendHeader(table.Row{"ID", "Name", "Type", "Attributes", "Configuration", "Configuration", "Configuration"}, rowConfigAutoMerge) - if len(val) <= total { - return val - } + outTable.SetColumnConfigs([]table.ColumnConfig{ + {Number: 1, AutoMerge: true}, + {Number: 2, AutoMerge: true}, + {Number: 3, AutoMerge: true, WidthMax: 20, WidthMaxEnforcer: WrapHardEllipses}, + {Number: 4, AutoMerge: true, WidthMax: 20, WidthMaxEnforcer: WrapHardEllipses}, + {Number: 5, WidthMax: 20, WidthMaxEnforcer: WrapHardEllipses}, + {Number: 6, WidthMax: 50, WidthMaxEnforcer: WrapHardEllipses}, + {Number: 7, WidthMax: 50, WidthMaxEnforcer: WrapHardEllipses}, + }) - return val[0:lead] + "..." 
+ val[len(val)-lag:] -} + for i, entity := range children { + json := entity.EncodeJSON() + detail, err := rest_model.UnmarshalPostureCheckDetail(bytes.NewBuffer(json), runtime.JSONConsumer()) -func getEllipsesStrings(values []string, lead, lag int) []string { - var ret []string - for _, val := range values { - ret = append(ret, getEllipsesString(val, lead, lag)) - } + id := stringz.OrEmpty(detail.ID()) + name := stringz.OrEmpty(detail.Name()) + timeout := "never" - return ret -} + roleAttributes := strSliceToStr(*detail.RoleAttributes(), 1) -func outputPostureChecks(o *api.Options, children []*gabs.Container, pagingInfo *api.Paging) error { - if o.OutputJSONResponse { - return nil - } + if roleAttributes == "" { + roleAttributes = "" + } - for _, entity := range children { - if err := outputPostureCheck(o, entity); err != nil { - return err + typeStr := detail.TypeID() + + //defeat cell merging by adding a space every other row + if i%2 == 0 { + roleAttributes = roleAttributes + " " + typeStr = typeStr + " " } - } - pagingInfo.Output(o) + if err != nil { + msg := "Error unmarshalling index " + strconv.Itoa(i) + ": " + err.Error() + _, _ = options.ErrOutputWriter().Write([]byte(msg)) + } else { + switch detail.TypeID() { + case "MFA": + mfaDetail := detail.(*rest_model.PostureCheckMfaDetail) + + if mfaDetail.TimeoutSeconds > 0 { + timeout = fmt.Sprintf("%ds", mfaDetail.TimeoutSeconds) + } + + outTable.AppendRow(table.Row{ + id, + name, + typeStr, + roleAttributes, + "Timeout", + timeout, + timeout, + }, rowConfigAutoMerge) + + outTable.AppendRow(table.Row{ + id, + name, + typeStr, + roleAttributes, + "Prompt On Wake", + mfaDetail.PromptOnWake, + mfaDetail.PromptOnWake, + }, rowConfigAutoMerge) + + outTable.AppendRow(table.Row{ + id, + name, + typeStr, + roleAttributes, + "Prompt On Unlock", + mfaDetail.PromptOnUnlock, + mfaDetail.PromptOnUnlock, + }, rowConfigAutoMerge) + + case "MAC": + macDetail := detail.(*rest_model.PostureCheckMacAddressDetail) + + 
outTable.AppendRow(table.Row{ + id, + name, + typeStr, + roleAttributes, + "MAC Address", + strSliceToStrEllipses(macDetail.MacAddresses, 3, 3, 3), + strSliceToStrEllipses(macDetail.MacAddresses, 3, 3, 3), + }, rowConfigAutoMerge) + case "DOMAIN": + domainDetails := detail.(*rest_model.PostureCheckDomainDetail) + + outTable.AppendRow(table.Row{ + id, + name, + typeStr, + roleAttributes, + "Windows Domain", + strSliceToStr(domainDetails.Domains, 3), + strSliceToStr(domainDetails.Domains, 3), + }, rowConfigAutoMerge) + case "OS": + osDetails := detail.(*rest_model.PostureCheckOperatingSystemDetail) + + for _, os := range osDetails.OperatingSystems { + osType := string(*os.Type) + + for _, version := range os.Versions { + outTable.AppendRow(table.Row{ + id, + name, + typeStr, + roleAttributes, + osType, + version, + version, + }, rowConfigAutoMerge) + } + } + + case "PROCESS_MULTI": + procMultiDetail := detail.(*rest_model.PostureCheckProcessMultiDetail) + + outTable.AppendRow(table.Row{ + id, + name, + typeStr, + roleAttributes, + "Semantic", + string(*procMultiDetail.Semantic), + string(*procMultiDetail.Semantic), + }, rowConfigAutoMerge) + + for _, process := range procMultiDetail.Processes { + outTable.AppendRow(table.Row{ + id, + name, + typeStr, + roleAttributes, + "Path", + stringz.OrEmpty(process.Path), + stringz.OrEmpty(process.Path), + }, rowConfigAutoMerge) + + outTable.AppendRow(table.Row{ + id, + name, + typeStr, + roleAttributes, + " ", + "Hashes", + strSliceToStrEllipses(process.Hashes, 3, 4, 4), + }) + + outTable.AppendRow(table.Row{ + id, + name, + typeStr, + roleAttributes, + " ", + "Signers", + strSliceToStrEllipses(process.SignerFingerprints, 1, 4, 4), + }) + } + + case "PROCESS": + procDetail := detail.(*rest_model.PostureCheckProcessDetail) + + outTable.AppendRow(table.Row{ + id, + name, + typeStr, + roleAttributes, + "Path", + stringz.OrEmpty(procDetail.Process.Path), + stringz.OrEmpty(procDetail.Process.Path), + }, rowConfigAutoMerge) + + for 
_, hash := range procDetail.Process.Hashes { + outTable.AppendRow(table.Row{ + id, + name, + typeStr, + roleAttributes, + "Hash", + getEllipsesString(hash, 4, 4), + getEllipsesString(hash, 4, 4), + }, rowConfigAutoMerge) + } + + outTable.AppendRow(table.Row{ + id, + name, + typeStr, + roleAttributes, + "Signer", + getEllipsesString(procDetail.Process.SignerFingerprint, 4, 4), + getEllipsesString(procDetail.Process.SignerFingerprint, 4, 4), + }, rowConfigAutoMerge) + } + } + } + api.RenderTable(options, outTable, pagingInfo) return nil } @@ -1183,7 +1316,7 @@ func runListRoleAttributes(entityType string, o *api.Options) error { return nil } -func runListChilden(parentType, childType string, o *api.Options, outputF outputFunction) error { +func runListChildren(parentType, childType string, o *api.Options, outputF outputFunction) error { idOrName := o.Args[0] parentId, err := mapNameToID(parentType, idOrName, *o) if err != nil { @@ -1257,20 +1390,6 @@ func runListSummary(o *api.Options) error { return nil } -func containerArrayToString(containers []*gabs.Container, limit int) string { - var values []string - for _, container := range containers { - value := container.Data().(string) - values = append(values, value) - } - valuesLength := len(values) - if valuesLength > limit { - values = values[:limit-1] - values = append(values, fmt.Sprintf(" and %d more", valuesLength-limit)) - } - return strings.Join(values, ",") -} - func runListPostureCheckTypes(o *api.Options) error { children, pagingInfo, err := listEntitiesWithOptions("posture-check-types", o) @@ -1351,7 +1470,7 @@ func outputAuthPolicies(options *api.Options, children []*gabs.Container, info * err := detail.UnmarshalJSON(json) if err != nil { - msg := "Error unmarshaling index " + strconv.Itoa(i) + ": " + err.Error() + msg := "Error unmarshalling index " + strconv.Itoa(i) + ": " + err.Error() _, _ = options.ErrOutputWriter().Write([]byte(msg)) } else { secondarySigner := "" 
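Review bot: In `outputPostureChecks` the value returned by `rest_model.UnmarshalPostureCheckDetail` is used before `err` is checked: `detail.ID()`, `detail.Name()`, `*detail.RoleAttributes()` and `detail.TypeID()` run on the first lines of the loop body and only afterwards does the `if err != nil` branch write "Error unmarshalling index N", so a malformed or unknown posture check most likely panics on a nil `detail` instead of printing that message. Move the error check directly after the unmarshal call and `continue`, which also lets the large `else` block flatten out; `*detail.RoleAttributes()` should additionally be guarded, since it dereferences a pointer that a response without attributes may leave nil. The following `if roleAttributes == "" { roleAttributes = "" }` is a no-op and should be dropped or given the default it was meant to set. The unchecked assertions such as `detail.(*rest_model.PostureCheckMfaDetail)` rely on `TypeID()` agreeing with the concrete type, which appears to be the generated model's contract, but a `, ok` form would let the loop skip an unexpected payload rather than panic. `WrapHardEllipses` slices `newStr[:len(newStr)-3]` without a length check; with the configured widths of 20 and 50 that is safe, but a comment or `len(newStr) >= 3` guard would make the precondition explicit.
```go
	for i, entity := range children {
		json := entity.EncodeJSON()
		detail, err := rest_model.UnmarshalPostureCheckDetail(bytes.NewBuffer(json), runtime.JSONConsumer())
		if err != nil {
			msg := "Error unmarshalling index " + strconv.Itoa(i) + ": " + err.Error()
			_, _ = options.ErrOutputWriter().Write([]byte(msg))
			continue
		}

		id := stringz.OrEmpty(detail.ID())
		name := stringz.OrEmpty(detail.Name())
		timeout := "never"

		roleAttributes := ""
		if attrs := detail.RoleAttributes(); attrs != nil {
			roleAttributes = strSliceToStr(*attrs, 1)
		}
		// … unchanged: typeStr, the cell-merge spacer, and the TypeID() switch, now no longer wrapped in an else …
	}
```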
From c559542660f820ce848ade7108e0978a11d413df Mon Sep 17 00:00:00 2001 From: Andrew Martinez Date: Wed, 13 Jul 2022 18:02:36 -0400 Subject: [PATCH 3/7] re-enable new lines and comma between items --- ziti/cmd/ziti/cmd/edge/list.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ziti/cmd/ziti/cmd/edge/list.go b/ziti/cmd/ziti/cmd/edge/list.go index 52014a502..ea472832b 100644 --- a/ziti/cmd/ziti/cmd/edge/list.go +++ b/ziti/cmd/ziti/cmd/edge/list.go @@ -804,9 +804,9 @@ func strSliceToStr(strs []string, width int) string { for i, str := range strs { if i != 0 { if i%width == 0 { - //builder.WriteRune('\n') + builder.WriteRune('\n') } else { - builder.WriteRune(' ') + builder.WriteString(", ") } } From 6fc8db148120f5375527fd49ae18601a3913368e Mon Sep 17 00:00:00 2001 From: Andrew Martinez Date: Thu, 14 Jul 2022 10:37:13 -0400 Subject: [PATCH 4/7] updates change log --- CHANGELOG.md | 83 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 83 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index fbe9ee691..4bbd85ae5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,86 @@ +# Release 0.26.1 + +## What's New +- All + - Identity `alt_server_certs` +- Edge + - N/A +- Fabric + - N/A +- Ziti CLI + - N/A +- SDK Golang + - N/a + +## All +### Identity `alt_server_certs` + +The [identity library](https://github.com/openziti/identity) has been updated to support a new field: `alt_server_certs` +. This field is an array of objects with `server_cert` and `server_key` fields. `alt_server_certs` is not touched by +higher level Ziti automations to renew certificates and is intended for manual or externally automated use. It allows +additional server certificates to be used for the controller and routers with separate private keys. It is useful in +scenarios where routers or controllers are exposed using certificates signed by public CAs (i.e. Let's Encrypt). + +The `server_cert` and `server_key` work the same as the root identity properties of the same name. In any single +`server_cert` source that provides a chain, it assumed that all leaf-certificates are based on the private key in +`server_key`. If `server_key` is not defined, the default root `server_key` will be used. The identity library will use +the certificate chains and private key pairs specified in `alt_server_certs` when generating a TLS configuration via +`ServerTLSConfig()`. All identity sources are viable: `pem`, `file`, etc. 
+ +Go Identity Config Struct Definition: +```go +type Config struct { + Key string `json:"key" yaml:"key" mapstructure:"key"` + Cert string `json:"cert" yaml:"cert" mapstructure:"cert"` + ServerCert string `json:"server_cert,omitempty" yaml:"server_cert,omitempty" mapstructure:"server_cert,omitempty"` + ServerKey string `json:"server_key,omitempty" yaml:"server_key,omitempty" mapstructure:"server_key,omitempty"` + AltServerCerts []ServerPair `json:"alt_server_certs,omitempty" yaml:"alt_server_certs,omitempty" mapstructure:"alt_server_certs,omitempty"` + CA string `json:"ca,omitempty" yaml:"ca,omitempty" mapstructure:"ca"` +} + +type ServerPair struct { + ServerCert string `json:"server_cert,omitempty" yaml:"server_cert,omitempty" mapstructure:"server_cert,omitempty"` + ServerKey string `json:"server_key,omitempty" yaml:"server_key,omitempty" mapstructure:"server_key,omitempty"` +} +``` + +JSON Example: + +```json +{ + "cert": "./ziti/etc/ca/intermediate/certs/ctrl-client.cert.pem", + "key": "./ziti/etc/ca/intermediate/private/ctrl.key.pem", + "server_cert": "./ziti/etc/ca/intermediate/certs/ctrl-server.cert.pem", + "server_key": "./ziti/etc/ca/intermediate/certs/ctrl-server.key.pem", + "ca": "./ziti/etc/ca/intermediate/certs/ca-chain.cert.pem", + "alt_server_certs": [ + { + "server_cert": "./ziti/etc/ca/intermediate/certs/alt01-ctrl-server.cert.pem", + "server_key": "./ziti/etc/ca/intermediate/certs/alt01-ctrl-server.key.pem" + }, + { + "server_cert": "pem:-----BEGIN CERTIFICATE-----\nIIGBjCCA+6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZcxCzAJBgNVBAYTAlVT...", + "server_key": "pem:-----BEGIN CERTIFICATE-----\nMIIEuDCCAqCgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNVBAYTAlVT..." 
+ } + ] +} +``` + +YAML Example: + +```yaml +cert: "./ziti/etc/ca/intermediate/certs/ctrl-client.cert.pem" +key: "./ziti/etc/ca/intermediate/private/ctrl.key.pem" +server_cert: "./ziti/etc/ca/intermediate/certs/ctrl-server.cert.pem" +server_key: "./ziti/etc/ca/intermediate/certs/ctrl-server.key.pem" +ca: "./ziti/etc/ca/intermediate/certs/ca-chain.cert.pem" +alt_server_certs: + - server_cert: "./ziti/etc/ca/intermediate/certs/alt01-ctrl-server.cert.pem" + server_key: "./ziti/etc/ca/intermediate/certs/alt01-ctrl-server.key.pem" + - server_cert: "pem:-----BEGIN CERTIFICATE-----\nIIGBjCCA+6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZcxCzAJBgNVBAYTAlVT..." + server_key: "pem:-----BEGIN CERTIFICATE-----\nMIIEuDCCAqCgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNVBAYTAlVT..." +``` + # Release 0.26.0 ## Breaking Changes From 636eca05d6dd5ddadaa761539ae7a662280f78ac Mon Sep 17 00:00:00 2001 From: Andrew Martinez Date: Thu, 14 Jul 2022 15:22:24 -0400 Subject: [PATCH 5/7] update xweb/fabric/edge adds note about SNI dep missing --- CHANGELOG.md | 4 ++++ go.mod | 14 +++++++------- go.sum | 28 ++++++++++++++-------------- 3 files changed, 25 insertions(+), 21 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4bbd85ae5..0a69ee5bc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,8 +1,12 @@ # Release 0.26.1 +There was a missed dependency update for xweb in 0.26.0 that kept SNI from working in HTTP API components. This would +affect SNI support for all REST APIs. + ## What's New - All - Identity `alt_server_certs` + - Fixes missing identity update in xweb - Edge - N/A - Fabric diff --git a/go.mod b/go.mod index b527e050f..d08016035 100644 --- a/go.mod +++ b/go.mod 
@@ -23,16 +23,16 @@ require ( github.com/keybase/go-ps v0.0.0-20190827175125-91aafc93ba19 github.com/michaelquigley/pfxlog v0.6.9 github.com/openziti/agent v1.0.1 - github.com/openziti/channel v0.18.52 - github.com/openziti/edge v0.22.13 - github.com/openziti/fabric v0.19.16 + github.com/openziti/channel v0.18.53 + github.com/openziti/edge v0.22.17 + github.com/openziti/fabric v0.19.18 github.com/openziti/foundation/v2 v2.0.1 - github.com/openziti/identity v1.0.4 + github.com/openziti/identity v1.0.5 github.com/openziti/metrics v1.0.2 - github.com/openziti/sdk-golang v0.16.97 + github.com/openziti/sdk-golang v0.16.98 github.com/openziti/storage v0.1.14 - github.com/openziti/transport/v2 v2.0.15 - github.com/openziti/xweb/v2 v2.0.1 + github.com/openziti/transport/v2 v2.0.16 + github.com/openziti/xweb/v2 v2.0.2 github.com/openziti/ziti-db-explorer v1.1.1 github.com/pborman/uuid v1.2.0 github.com/pkg/errors v0.9.1 diff --git a/go.sum b/go.sum index 6403f94e7..c155981bc 100644 --- a/go.sum +++ b/go.sum 
@@ -667,32 +667,32 @@ github.com/openzipkin/zipkin-go v0.1.1/go.mod h1:NtoC/o8u3JlF1lSlyPNswIbeQH9bJTm github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw= github.com/openziti/agent v1.0.1 h1:mk3M6MOyK75Qc+lOdtKHywfaxnbSES9qi4NiLZQxOMU= github.com/openziti/agent v1.0.1/go.mod h1:ALOg74f4b4GpUOjDPusp6lezbQa/7rgo09HOrodDWAw= -github.com/openziti/channel v0.18.52 h1:i7pst/JGQRtuTnve59Ra2i2MiJZL7M0k3wanqD5W9j8= -github.com/openziti/channel v0.18.52/go.mod h1:bjclQL6meYD5Uiw8xuKw0CI24gyzPTd7WW0IsfRk2/k= +github.com/openziti/channel v0.18.53 h1:YEGsizInlHoEPITJye/HZqTMykRvuzIoa4wrFMcSMkc= +github.com/openziti/channel v0.18.53/go.mod h1:6vF4dSujAqDsmJU5+g82pXvZRiagqq972E0uNA4LG9o= github.com/openziti/dilithium v0.3.3 h1:PLgQ6PMNLSTzCFbX/h98cmudgz/cU6TmjdSv5NAPD8k= github.com/openziti/dilithium v0.3.3/go.mod h1:vsCjI2AU/hon9e+dLhUFbCNGesJDj2ASgkySOcpmvjo= -github.com/openziti/edge v0.22.13 h1:5w6cMPd19rMFoDPhsF8PbLE4qLfMVM5WcfSE15FtMSA= -github.com/openziti/edge v0.22.13/go.mod h1:d0LCgwrz/YGvqwy+vf5Uv589bYo1ZZHEfmnkuOZ2JL0= -github.com/openziti/fabric v0.19.16 h1:KqxhVjVklyURJir+rC95GPeu0t2ZthSp6lX2ppV9Mfk= -github.com/openziti/fabric v0.19.16/go.mod h1:8AlLbXYyOR0PpEB+yW9cUDx4duys9YwvF4pcskj4LLA= +github.com/openziti/edge v0.22.17 h1:2m/vDyAWBvc4UrdezsHi+U/cj5UiyXUk9HO2xTCSl8M= +github.com/openziti/edge v0.22.17/go.mod h1:47Gh0EtHBL1D0LLixrWg/XvStkJAtrY0EkYzOReeROw= +github.com/openziti/fabric v0.19.18 h1:2FkP3Vutn2eZLtVSQBV8XHx3sQ/H8fJl0WU7RNim5DA= +github.com/openziti/fabric v0.19.18/go.mod h1:SLFSzdEqkCwJoW7nmUdeo2bvfDObK6M1h+fBQ8oUiGk= github.com/openziti/foundation/v2 v2.0.1 h1:HKYwAyxlZ4zmlt0t9Y/v6SWso0qUaeWapkWOlQDKPEk= github.com/openziti/foundation/v2 v2.0.1/go.mod h1:L75kwCC5WTUPqxuAd3G+WMBompaElMb/nYlJjR1sJ9Q= -github.com/openziti/identity v1.0.4 h1:48OuTuvJLTv32Vahonga+wHhS3GL8aFUgSHK2pqbcDs= -github.com/openziti/identity v1.0.4/go.mod h1:Nxf0CPFPkvdtFGvvsP4I/eZ//flU0q+sJVnLZDzlFOE= +github.com/openziti/identity v1.0.5 
h1:PKW1tj0ctOWgscL3P4gKiVFfKrP6dYeP0U6R8Aw6DKM= +github.com/openziti/identity v1.0.5/go.mod h1:Nxf0CPFPkvdtFGvvsP4I/eZ//flU0q+sJVnLZDzlFOE= github.com/openziti/jwks v1.0.1 h1:+BtBzDWFVUlJfCbBhQR0BZI3YNtoBvfhfdCUSSB0G+0= github.com/openziti/jwks v1.0.1/go.mod h1:KwO0x9FBG0aoJS5f6nH5xeHoplyR1H143SMI9kF0mC8= github.com/openziti/metrics v1.0.2 h1:X3ip93aDDgVeyhqxBLVwCtdG7/kILktFxcpl5N2+4+E= github.com/openziti/metrics v1.0.2/go.mod h1:30EzUXm/VJfTVNoqPLx4x3mC/eslpCeh6wc4ejbZR/g= -github.com/openziti/sdk-golang v0.16.97 h1:FMdIQoSJl7iNrM0AhJMG8ChRZJ+2q1Y9jw6VzDuvPX4= -github.com/openziti/sdk-golang v0.16.97/go.mod h1:oHRuQCHv34DZG5XNHftBvjp5DR5tu6WtMnS52EHvWTQ= +github.com/openziti/sdk-golang v0.16.98 h1:djkdN8DHGuJehnGYTx5fD1gPqEhBy9v0rXj/eVXFtcc= +github.com/openziti/sdk-golang v0.16.98/go.mod h1:u/ft5kUJ2t4nxo0My33n0FNOc6MhBljmFJ4TpyfokEA= github.com/openziti/storage v0.1.14 h1:JZv9OP0O4d3Z5c+ebaVpNUDJWrRsqgpTPHIwdCgYud0= github.com/openziti/storage v0.1.14/go.mod h1:PXc1iYT8m+EmZf9EGyRTFwAToY1/jd5cAV2FFxL2D/g= -github.com/openziti/transport/v2 v2.0.15 h1:PsmNVsTeaav7/FHlczWlMhNW1wqdbVuC9ryAUzaywQw= -github.com/openziti/transport/v2 v2.0.15/go.mod h1:Dfd8ZORF/UHGrHL6FVaZka/58tFEKQK4tV0HSeqYBts= +github.com/openziti/transport/v2 v2.0.16 h1:dTo8TyJeYzLly04eadbN8o6m2tehzNNGadyL7abSMHk= +github.com/openziti/transport/v2 v2.0.16/go.mod h1:tkKEcr/NEjJ2NaYyn9ppAlXEidSOyusJGulfKLcqMws= github.com/openziti/x509-claims v1.0.2 h1:PSv/xRfejIAcPc16A902k08rSBs3R8bjtL4qq6WEwCI= github.com/openziti/x509-claims v1.0.2/go.mod h1:Z0WIpBm6c4ecrpRKrou6Gk2wrLWxJO/+tuUwKh8VewE= -github.com/openziti/xweb/v2 v2.0.1 h1:KF0bVCeiJ6TIJEsxdLZbnpdJKqZX095EiMTcoQynuz4= -github.com/openziti/xweb/v2 v2.0.1/go.mod h1:2+IpJFejJeJelA4QyAPluLS30hfyUP2eRTo9XD99W0Y= +github.com/openziti/xweb/v2 v2.0.2 h1:XYlVFriTq/U1wcUrc+XPnWJGhXh9NJPhtQ7+r3aC0cU= +github.com/openziti/xweb/v2 v2.0.2/go.mod h1:KQOOlnJk08EZT3TWkvDj/pbIUEVbgG0IrrNzl8gsi40= github.com/openziti/ziti-db-explorer v1.1.1 
h1:G0eoTby+aIjjt5TxEfR+FMI2CWd4RvZFjzaIMX2lEBw= github.com/openziti/ziti-db-explorer v1.1.1/go.mod h1:h76h7Tsb+khb0v+CqYKL6ifUfJbUMjGBFU2IvupfBE4= github.com/oracle/oci-go-sdk v24.2.0+incompatible/go.mod h1:VQb79nF8Z2cwLkLS35ukwStZIg5F66tcBccjip/j888= From ee7ed76e8f79535ed32b655e2e1564b108cb993e Mon Sep 17 00:00:00 2001 From: Andrew Martinez Date: Thu, 14 Jul 2022 15:27:47 -0400 Subject: [PATCH 6/7] remove 1.0.5 identity info --- CHANGELOG.md | 80 ++-------------------------------------------------- 1 file changed, 2 insertions(+), 78 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 0a69ee5bc..a7ebe51e9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,86 +4,10 @@ There was a missed dependency update for xweb in 0.26.0 that kept SNI from worki affect SNI support for all REST APIs. ## What's New -- All - - Identity `alt_server_certs` - - Fixes missing identity update in xweb - Edge - - N/A + - Fixes missing identity update in xweb - Fabric - - N/A -- Ziti CLI - - N/A -- SDK Golang - - N/a - -## All -### Identity `alt_server_certs` - -The [identity library](https://github.com/openziti/identity) has been updated to support a new field: `alt_server_certs` -. This field is an array of objects with `server_cert` and `server_key` fields. `alt_server_certs` is not touched by -higher level Ziti automations to renew certificates and is intended for manual or externally automated use. It allows -additional server certificates to be used for the controller and routers with separate private keys. It is useful in -scenarios where routers or controllers are exposed using certificates signed by public CAs (i.e. Let's Encrypt). - -The `server_cert` and `server_key` work the same as the root identity properties of the same name. In any single -`server_cert` source that provides a chain, it assumed that all leaf-certificates are based on the private key in -`server_key`. If `server_key` is not defined, the default root `server_key` will be used. The identity library will use -the certificate chains and private key pairs specified in `alt_server_certs` when generating a TLS configuration via -`ServerTLSConfig()`. All identity sources are viable: `pem`, `file`, etc. 
- -Go Identity Config Struct Definition: -```go -type Config struct { - Key string `json:"key" yaml:"key" mapstructure:"key"` - Cert string `json:"cert" yaml:"cert" mapstructure:"cert"` - ServerCert string `json:"server_cert,omitempty" yaml:"server_cert,omitempty" mapstructure:"server_cert,omitempty"` - ServerKey string `json:"server_key,omitempty" yaml:"server_key,omitempty" mapstructure:"server_key,omitempty"` - AltServerCerts []ServerPair `json:"alt_server_certs,omitempty" yaml:"alt_server_certs,omitempty" mapstructure:"alt_server_certs,omitempty"` - CA string `json:"ca,omitempty" yaml:"ca,omitempty" mapstructure:"ca"` -} - -type ServerPair struct { - ServerCert string `json:"server_cert,omitempty" yaml:"server_cert,omitempty" mapstructure:"server_cert,omitempty"` - ServerKey string `json:"server_key,omitempty" yaml:"server_key,omitempty" mapstructure:"server_key,omitempty"` -} -``` - -JSON Example: - -```json -{ - "cert": "./ziti/etc/ca/intermediate/certs/ctrl-client.cert.pem", - "key": "./ziti/etc/ca/intermediate/private/ctrl.key.pem", - "server_cert": "./ziti/etc/ca/intermediate/certs/ctrl-server.cert.pem", - "server_key": "./ziti/etc/ca/intermediate/certs/ctrl-server.key.pem", - "ca": "./ziti/etc/ca/intermediate/certs/ca-chain.cert.pem", - "alt_server_certs": [ - { - "server_cert": "./ziti/etc/ca/intermediate/certs/alt01-ctrl-server.cert.pem", - "server_key": "./ziti/etc/ca/intermediate/certs/alt01-ctrl-server.key.pem" - }, - { - "server_cert": "pem:-----BEGIN CERTIFICATE-----\nIIGBjCCA+6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZcxCzAJBgNVBAYTAlVT...", - "server_key": "pem:-----BEGIN CERTIFICATE-----\nMIIEuDCCAqCgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNVBAYTAlVT..." 
- } - ] -} -``` - -YAML Example: - -```yaml -cert: "./ziti/etc/ca/intermediate/certs/ctrl-client.cert.pem" -key: "./ziti/etc/ca/intermediate/private/ctrl.key.pem" -server_cert: "./ziti/etc/ca/intermediate/certs/ctrl-server.cert.pem" -server_key: "./ziti/etc/ca/intermediate/certs/ctrl-server.key.pem" -ca: "./ziti/etc/ca/intermediate/certs/ca-chain.cert.pem" -alt_server_certs: - - server_cert: "./ziti/etc/ca/intermediate/certs/alt01-ctrl-server.cert.pem" - server_key: "./ziti/etc/ca/intermediate/certs/alt01-ctrl-server.key.pem" - - server_cert: "pem:-----BEGIN CERTIFICATE-----\nIIGBjCCA+6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgZcxCzAJBgNVBAYTAlVT..." - server_key: "pem:-----BEGIN CERTIFICATE-----\nMIIEuDCCAqCgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgYsxCzAJBgNVBAYTAlVT..." -``` + - Fixes missing identity update in xweb # Release 0.26.0 From 1123d940974fea6dcd10b3c56ae40d682d9ad424 Mon Sep 17 00:00:00 2001 From: Paul Lorenz Date: Thu, 14 Jul 2022 15:58:01 -0400 Subject: [PATCH 7/7] Update deps and changelog --- CHANGELOG.md | 13 +++++++++++++ go.mod | 5 ++--- go.sum | 10 ++++------ 3 files changed, 19 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a7ebe51e9..8372cc62f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,19 @@ affect SNI support for all REST APIs. - Fixes missing identity update in xweb - Fabric - Fixes missing identity update in xweb + - Bug Fixes +- Ziti CLI + - N/A +- SDK Golang + - N/A + +## Edge +### Bug Fixes +* (Fix panic on remote resolve connections)[https://github.com/openziti/edge/pull/1088] + +## Fabric +### Bug Fixes +* (Logging erroneously indicates conflicting conditions returned from route attempt)[https://github.com/openziti/fabric/issues/446] # Release 0.26.0 diff --git a/go.mod b/go.mod index 78428dac3..c2b9a5d33 100644 --- a/go.mod +++ b/go.mod 
@@ -24,8 +24,8 @@ require (
 github.com/michaelquigley/pfxlog v0.6.9
 github.com/openziti/agent v1.0.1
 github.com/openziti/channel v0.18.53
- github.com/openziti/edge v0.22.17
- github.com/openziti/fabric v0.19.18
+ github.com/openziti/edge v0.22.21
+ github.com/openziti/fabric v0.19.20
 github.com/openziti/foundation/v2 v2.0.1
 github.com/openziti/identity v1.0.5
 github.com/openziti/metrics v1.0.2
@@ -103,7 +103,6 @@ require (
 github.com/hashicorp/raft v1.3.9 // indirect
 github.com/hashicorp/raft-boltdb v0.0.0-20220329195025-15018e9b97e0 // indirect
 github.com/inconshreveable/mousetrap v1.0.0 // indirect
- github.com/jedib0t/go-pretty v4.3.0+incompatible // indirect
 github.com/jessevdk/go-flags v1.5.0 // indirect
 github.com/jinzhu/copier v0.3.5 // indirect
 github.com/josharian/intern v1.0.0 // indirect
diff --git a/go.sum b/go.sum
index 17b115161..4931a9482 100644
--- a/go.sum
+++ b/go.sum
@@ -479,8 +479,6 @@ github.com/influxdata/influxdb-client-go/v2 v2.2.2/go.mod h1:fa/d1lAdUHxuc1jedx3
 github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d h1:/WZQPMZNsjZ7IlCpsLGdQBINg5bxKQ1K1sh6awxLtkA=
 github.com/influxdata/influxdb1-client v0.0.0-20191209144304-8bf82d3c094d/go.mod h1:qj24IKcXYK6Iy9ceXlo3Tc+vtHo9lIhSX5JddghvEPo=
 github.com/influxdata/line-protocol v0.0.0-20200327222509-2487e7298839/go.mod h1:xaLFMmpvUxqXtVkUJfg9QmT88cDaCJ3ZKgdZ78oO8Qo=
-github.com/jedib0t/go-pretty v4.3.0+incompatible h1:CGs8AVhEKg/n9YbUenWmNStRW2PHJzaeDodcfvRAbIo=
-github.com/jedib0t/go-pretty v4.3.0+incompatible/go.mod h1:XemHduiw8R651AF9Pt4FwCTKeG3oo7hrHJAoznj9nag=
 github.com/jedib0t/go-pretty/v6 v6.2.4 h1:wdaj2KHD2W+mz8JgJ/Q6L/T5dB7kyqEFI16eLq7GEmk=
 github.com/jedib0t/go-pretty/v6 v6.2.4/go.mod h1:+nE9fyyHGil+PuISTCrp7avEdo6bqoMwqZnuiK2r2a0=
 github.com/jellevandenhooff/dkim v0.0.0-20150330215556-f50fe3d243e1/go.mod h1:E0B/fFc00Y+Rasa88328GlI/XbtyysCtTHZS8h7IrBU=
@@ -673,10 +671,10 @@ github.com/openziti/channel v0.18.53 h1:YEGsizInlHoEPITJye/HZqTMykRvuzIoa4wrFMcS
 github.com/openziti/channel v0.18.53/go.mod h1:6vF4dSujAqDsmJU5+g82pXvZRiagqq972E0uNA4LG9o=
 github.com/openziti/dilithium v0.3.3 h1:PLgQ6PMNLSTzCFbX/h98cmudgz/cU6TmjdSv5NAPD8k=
 github.com/openziti/dilithium v0.3.3/go.mod h1:vsCjI2AU/hon9e+dLhUFbCNGesJDj2ASgkySOcpmvjo=
-github.com/openziti/edge v0.22.17 h1:2m/vDyAWBvc4UrdezsHi+U/cj5UiyXUk9HO2xTCSl8M=
-github.com/openziti/edge v0.22.17/go.mod h1:47Gh0EtHBL1D0LLixrWg/XvStkJAtrY0EkYzOReeROw=
-github.com/openziti/fabric v0.19.18 h1:2FkP3Vutn2eZLtVSQBV8XHx3sQ/H8fJl0WU7RNim5DA=
-github.com/openziti/fabric v0.19.18/go.mod h1:SLFSzdEqkCwJoW7nmUdeo2bvfDObK6M1h+fBQ8oUiGk=
+github.com/openziti/edge v0.22.21 h1:tPvj5CcdFGIEY6jSkM2dhbRht4n+X4J0ISa5qwgJ9Dg=
+github.com/openziti/edge v0.22.21/go.mod h1:viW34MBUDZnLGW2mpHTnR89LHXYbmi74Umt2C6v6sNg=
+github.com/openziti/fabric v0.19.20 h1:3hd6q2pCwGdGRySvoFAdBeyMQwMNHr5ZdIwsJLUzoDA=
+github.com/openziti/fabric v0.19.20/go.mod h1:SLFSzdEqkCwJoW7nmUdeo2bvfDObK6M1h+fBQ8oUiGk=
 github.com/openziti/foundation/v2 v2.0.1 h1:HKYwAyxlZ4zmlt0t9Y/v6SWso0qUaeWapkWOlQDKPEk=
 github.com/openziti/foundation/v2 v2.0.1/go.mod h1:L75kwCC5WTUPqxuAd3G+WMBompaElMb/nYlJjR1sJ9Q=
 github.com/openziti/identity v1.0.5 h1:PKW1tj0ctOWgscL3P4gKiVFfKrP6dYeP0U6R8Aw6DKM=
