
Releases: openziti/ziti

v0.20.5

03 Jun 18:17

Release 0.20.5

What's New

  • Bug fix: Fix panic on double chan close that can occur when edge routers disconnect/reconnect in rapid succession
  • Bug fix: Fix defaults for enrollment durations when not specified (would default near 0 values)

v0.20.4

26 May 22:18

Release 0.20.4

What's New

  • Bug fix: Fix a deadlock that can occur if Edge Routers disconnect during session synchronization or update processes
  • Bug fix: Fix URL for CAS create in Ziti CLI

v0.20.3

21 May 18:32

Release 0.20.3

What's New

  • Bug fix: Update of identity appData wasn't working
  • Bug fix: Terminator updates failed if cost wasn't specified
  • Bug fix: Control channel handler routines were exiting on error instead of just closing peer and continuing

v0.20.2

18 May 02:57
Release v0.20.2

v0.20.1

14 May 03:17

Release 0.20.1

What's New

  • Fixes a bug in the Go SDK which could cause a panic by returning a nil connection together with a nil error
  • ziti#170 Fixes the service poll refresh default for ziti-tunnel host mode
  • Fixes a deadlock in control channel reconnect logic triggerable when network path to controller is unreliable

v0.20.0

12 May 16:27

Release 0.20.0

What's New

  • Fix bug in router/tunneler where only first 10 services would get picked up for intercepting/hosting
  • Fix bug in router/tunneler where we'd process services multiple times on service add/remove/update
  • Historical Changelog Split
  • Edge Management REST API Transit Router Deprecation
  • Edge REST API Split & Configuration Changes

Historical Changelog Split

Changelogs for previous minor versions are now split into their own files
under /changelogs.

Edge Management REST API Transit Router Deprecation

The endpoint /transit-routers is now /routers. Use of the former name
is deprecated. This change only affects the new Edge Management API.

Edge REST API Split

The Edge REST API has now been split into two APIs: the Edge Client API and the Edge Management API.
There are now two OpenAPI 2.0 specifications present in the edge repository under /specs/client.yml
and /specs/management.yml. These two files are generated (see the scripts in /scripts/) from decomposed
YAML source files present in /specs/source.

The APIs are now hosted on separate URL paths:

  • Client API: /edge/client/v1
  • Management API: /edge/management/v1

Legacy path support is present for the Client API only. The Management API does not support legacy
URL paths. The Client API Legacy paths that are supported are as follows:

  • No Prefix: /*
  • Edge Prefix: /edge/v1/*

This support is only expected to last until all Ziti SDKs have moved to the new prefixed paths and the SDK
versions that still use the legacy paths have reached the end of their lifecycle. After that time, support will
be removed. It is highly suggested that URL path prefixes be updated, or looked up dynamically via the /version
endpoint (see below).
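The following Go program is an added example, not code from the openziti project, showing the two legacy Client API forms being rewritten onto the versioned prefix, the Management API refusing un-prefixed paths (it has no legacy support), and an API path being discovered from a /version response. The shape of the /version body (data.apiVersions.<api>.<version>.path) and the API names edge-client and edge-management are assumptions about the response, not taken from this page; check them against your controller before relying on them.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Path prefixes from the 0.20.0 release notes.
const (
	clientRoot     = "/edge/client/v1"
	managementRoot = "/edge/management/v1"
	legacyEdgeRoot = "/edge/v1"
)

// ClientPath maps a legacy Client API path onto the versioned prefix.
// Both legacy forms are handled: no prefix ("/sessions") and the edge
// prefix ("/edge/v1/sessions"). Paths already under /edge/client/v1 are
// returned unchanged, so the function is safe to apply to every request.
func ClientPath(p string) string {
	if !strings.HasPrefix(p, "/") {
		p = "/" + p
	}
	switch {
	case p == clientRoot || strings.HasPrefix(p, clientRoot+"/"):
		return p
	case p == legacyEdgeRoot:
		return clientRoot
	case strings.HasPrefix(p, legacyEdgeRoot+"/"):
		return clientRoot + strings.TrimPrefix(p, legacyEdgeRoot)
	default:
		return clientRoot + p
	}
}

// ManagementPath accepts only already-prefixed Management API paths: the
// release notes state the Management API has no legacy path support, so
// anything else is an error rather than a silent rewrite.
func ManagementPath(p string) (string, error) {
	if p == managementRoot || strings.HasPrefix(p, managementRoot+"/") {
		return p, nil
	}
	return "", fmt.Errorf("management API has no legacy paths: %q must start with %s", p, managementRoot)
}

// versionResponse is an ASSUMED shape for the /version body: a map of
// API name -> version -> {path}. Verify it against your controller's
// actual response before relying on it.
type versionResponse struct {
	Data struct {
		APIVersions map[string]map[string]struct {
			Path string `json:"path"`
		} `json:"apiVersions"`
	} `json:"data"`
}

// DiscoverAPIPath extracts the advertised path for one API version from a
// /version response body, so clients need not hard-code a prefix.
func DiscoverAPIPath(body []byte, api, version string) (string, error) {
	var vr versionResponse
	if err := json.Unmarshal(body, &vr); err != nil {
		return "", fmt.Errorf("parse /version: %w", err)
	}
	v, ok := vr.Data.APIVersions[api][version]
	if !ok || v.Path == "" {
		return "", fmt.Errorf("controller does not advertise %s %s", api, version)
	}
	return v.Path, nil
}

// SampleVersionBody is a constructed /version response in the assumed shape.
const SampleVersionBody = `{"data":{"apiVersions":{
  "edge-client":{"v1":{"path":"/edge/client/v1"}},
  "edge-management":{"v1":{"path":"/edge/management/v1"}}}}}`

func main() {
	for _, p := range []string{"/sessions", "/edge/v1/services/abc", "/edge/client/v1/version"} {
		fmt.Printf("%-28s -> %s\n", p, ClientPath(p))
	}
	if _, err := ManagementPath("/identities"); err != nil {
		fmt.Println("rejected:", err)
	}
	path, err := DiscoverAPIPath([]byte(SampleVersionBody), "edge-management", "v1")
	fmt.Println(path, err)
}
```

Rewriting on the client side is a stop-gap; the point of DiscoverAPIPath is that once the legacy paths are removed, an SDK or integration that reads the advertised path keeps working without a code change.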

Client and Management API Capabilities

The Client API represents only the functionality an endpoint needs in order to
connect to and use services. This API serves the Ziti SDKs.

The Management API represents all administrative configuration capabilities.
The Management API is meant to be used by the Ziti Admin Console (ZAC) or
other administrative integrations.

Client API Endpoints

  • /edge/client/v1/
  • /edge/client/v1/.well-known/est/cacerts
  • /edge/client/v1/authenticate
  • /edge/client/v1/authenticate/mfa
  • /edge/client/v1/current-api-session
  • /edge/client/v1/current-api-session/certificates
  • /edge/client/v1/current-api-session/certificates/{id}
  • /edge/client/v1/current-api-session/service-updates
  • /edge/client/v1/current-identity
  • /edge/client/v1/current-identity/authenticators
  • /edge/client/v1/current-identity/authenticators/{id}
  • /edge/client/v1/current-identity/edge-routers
  • /edge/client/v1/current-identity/mfa
  • /edge/client/v1/current-identity/mfa/qr-code
  • /edge/client/v1/current-identity/mfa/verify
  • /edge/client/v1/current-identity/mfa/recovery-codes
  • /edge/client/v1/enroll
  • /edge/client/v1/enroll/ca
  • /edge/client/v1/enroll/ott
  • /edge/client/v1/enroll/ottca
  • /edge/client/v1/enroll/updb
  • /edge/client/v1/enroll/erott
  • /edge/client/v1/enroll/extend/router
  • /edge/client/v1/posture-response
  • /edge/client/v1/posture-response-bulk
  • /edge/client/v1/protocols
  • /edge/client/v1/services
  • /edge/client/v1/services/{id}
  • /edge/client/v1/services/{id}/terminators
  • /edge/client/v1/sessions
  • /edge/client/v1/sessions/{id}
  • /edge/client/v1/specs
  • /edge/client/v1/specs/{id}
  • /edge/client/v1/specs/{id}/spec
  • /edge/client/v1/version

Management API Endpoints

  • /edge/management/v1/
  • /edge/management/v1/api-sessions
  • /edge/management/v1/api-sessions/{id}
  • /edge/management/v1/authenticate
  • /edge/management/v1/authenticate/mfa
  • /edge/management/v1/authenticators
  • /edge/management/v1/authenticators/{id}
  • /edge/management/v1/cas
  • /edge/management/v1/cas/{id}
  • /edge/management/v1/cas/{id}/jwt
  • /edge/management/v1/cas/{id}/verify
  • /edge/management/v1/config-types
  • /edge/management/v1/config-types/{id}
  • /edge/management/v1/config-types/{id}/configs
  • /edge/management/v1/configs
  • /edge/management/v1/configs/{id}
  • /edge/management/v1/current-api-session
  • /edge/management/v1/current-identity
  • /edge/management/v1/current-identity/authenticators
  • /edge/management/v1/current-identity/authenticators/{id}
  • /edge/management/v1/current-identity/mfa
  • /edge/management/v1/current-identity/mfa/qr-code
  • /edge/management/v1/current-identity/mfa/verify
  • /edge/management/v1/current-identity/mfa/recovery-codes
  • /edge/management/v1/database/snapshot
  • /edge/management/v1/database/check-data-integrity
  • /edge/management/v1/database/fix-data-integrity
  • /edge/management/v1/database/data-integrity-results
  • /edge/management/v1/edge-router-role-attributes
  • /edge/management/v1/edge-routers
  • /edge/management/v1/edge-routers/{id}
  • /edge/management/v1/edge-routers/{id}/edge-router-policies
  • /edge/management/v1/edge-routers/{id}/identities
  • /edge/management/v1/edge-routers/{id}/service-edge-router-policies
  • /edge/management/v1/edge-routers/{id}/services
  • /edge/management/v1/edge-router-policies
  • /edge/management/v1/edge-router-policies/{id}
  • /edge/management/v1/edge-router-policies/{id}/edge-routers
  • /edge/management/v1/edge-router-policies/{id}/identities
  • /edge/management/v1/enrollments
  • /edge/management/v1/enrollments/{id}
  • /edge/management/v1/identities
  • /edge/management/v1/identities/{id}
  • /edge/management/v1/identities/{id}/edge-router-policies
  • /edge/management/v1/identities/{id}/service-configs
  • /edge/management/v1/identities/{id}/service-policies
  • /edge/management/v1/identities/{id}/edge-routers
  • /edge/management/v1/identities/{id}/services
  • /edge/management/v1/identities/{id}/policy-advice/{serviceId}
  • /edge/management/v1/identities/{id}/posture-data
  • /edge/management/v1/identities/{id}/failed-service-requests
  • /edge/management/v1/identities/{id}/mfa
  • /edge/management/v1/identity-role-attributes
  • /edge/management/v1/identity-types
  • /edge/management/v1/identity-types/{id}
  • /edge/management/v1/posture-checks
  • /edge/management/v1/posture-checks/{id}
  • /edge/management/v1/posture-check-types
  • /edge/management/v1/posture-check-types/{id}
  • /edge/management/v1/service-edge-router-policies
  • /edge/management/v1/service-edge-router-policies/{id}
  • /edge/management/v1/service-edge-router-policies/{id}/edge-routers
  • /edge/management/v1/service-edge-router-policies/{id}/services
  • /edge/management/v1/service-role-attributes
  • /edge/management/v1/service-policies
  • /edge/management/v1/service-policies/{id}
  • /edge/management/v1/service-policies/{id}/identities
  • /edge/management/v1/service-policies/{id}/services
  • /edge/management/v1/service-policies/{id}/posture-checks
  • /edge/management/v1/services
  • /edge/management/v1/services/{id}
  • /edge/management/v1/services/{id}/configs
  • /edge/management/v1/services/{id}/service-edge-router-policies
  • /edge/management/v1/services/{id}/service-policies
  • /edge/management/v1/services/{id}/identities
  • /edge/management/v1/services/{id}/edge-routers
  • /edge/management/v1/services/{id}/terminators
  • /edge/management/v1/sessions
  • /edge/management/v1/sessions/{id}
  • /edge/management/v1/sessions/{id}/route-path
  • /edge/management/v1/specs
  • /edge/management/v1/specs/{id}
  • /edge/management/v1/specs/{id}/spec
  • /edge/management/v1/summary
  • /edge/management/v1/terminators
  • /edge/management/v1/terminators/{id}
  • /edge/management/v1/routers
  • /edge/management/v1/transit-routers
  • /edge/management/v1/routers/{id}
  • /edge/management/v1/transit-routers/{id}
  • /edge/management/v1/version

XWeb Support & Configuration Changes

The underlying framework used to host the Edge REST API has been moved into a new library
that can be found in the fabric repository under the module name xweb. XWeb allows arbitrary
APIs and website capabilities to be hosted on one or more http servers bound to any number of
network interfaces and ports.

The main result of this is that the Edge Client and Management APIs can be hosted on separate ports or
even on separate network interfaces if desired. This allows for configurations where the Edge Management
API is not accessible outside of localhost or is only presented to network interfaces that are inwardly facing.

The introduction of XWeb has necessitated changes to the controller configuration. For a full documented example
see the file /etc/ctrl.with.edge.yml in this repository.

Controller Configuration: Edge Section

The Ziti Controller configuration edge YAML section remains as a shared location for cross-API settings. It does not,
however, include HTTP settings, which are now configured in the web section.

Additionally, all duration configuration values must be specified as <integer><unit> durations. For example:

  • "5m" for five minutes
  • "100s" for one hundred seconds

# By having an 'edge' section defined, the ziti-controller will attempt to parse the edge configuration. Removing this
# section, commenting out, or altering the name of the section will cause the edge to not run.
edge:
  # This section represents the configuration of the Edge API that is served over HTTPS
  api:
    #(optional, default 90s) Alters how frequently heartbeat and last activity values are persisted
    # activityUpdateInterval: 90s
    #(optional, default 250) The number of API Sessions updated for last activity per transaction
    # activityUpdateBatchSize: 250
    # sessionTimeout - optional, default 10m
    # The number of minutes before an Edge API session will timeout. Timeouts ar...

v0.19.13

05 May 21:03

Release 0.19.13

What's New

  • Fix bug in tunneler source transparency when using UDP
  • Added guidance under /quickstart for quickly launching a simplified, local environment suitable for local dev testing and learning
  • Removed xtv framework from fabric and moved edge terminator identity validation to control channel handler. The terminator: section may be removed from the controller configuration file.
  • Listen for SIGINT for router shutdown
  • Implement dial and listen identity options in go tunneler
  • Edge REST API Deprecation Warnings
  • Posture Check Process Multi

Deprecation Warning Of Non-Prefixed Edge REST API

Upcoming changes will remove support for non-prefixed Edge REST API URLs. The correct API URL prefix has been edge/v1
for over a year, and not using it will become unsupported at a future date. Additionally, the Edge REST API will be split
into two separate APIs in the coming months:

  • /edge/management/v1
  • /edge/client/v1

These new prefixes are not currently live and will be released in a subsequent version.

Posture Check Process Multi

A new posture check type has been introduced: PROCESS_MULTI. This posture check
is meant to replace the posture check type PROCESS and PROCESS should be considered
deprecated. PROCESS_MULTI covers all the uses that its predecessor provided with
additional semantic configuration options.

Process Multi Fields:

  • semantic: Either AllOf or OneOf. Determines which processes specified in processes must pass
  • processes: An array of objects representing a process. Similar to PROCESS's fields but with the ability to specify multiple binary hashes
    • osType - Any of the standard posture check OS types (Android, iOS, macOS, Linux, Windows, WindowsServer)
    • path - The absolute file path the process is expected to run from
    • hashes - An array of sha512 hashes that are valid (optional; if omitted, any hash is accepted)
    • signerFingerprints - An array of sha1 signer fingerprints that are valid (optional; if omitted, any signer is accepted)

Because both lists are optional, a process entry with neither hashes nor signerFingerprints only verifies that some
process is running from path. Pin at least one of them wherever the identity of the binary matters to the policy.
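An added example in Go, not the controller's own implementation, of how a PROCESS_MULTI check can be evaluated against the posture data an endpoint reports. The ObservedProcess type is an assumption about what a client submits, OneOf is read as "at least one process passes" (an assumption; AllOf is unambiguous), and the paths and hashes in SampleCheck are constructed. Unknown semantics and empty process lists fail closed.

```go
package main

import (
	"crypto/sha512"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ProcessSpec mirrors one entry of a PROCESS_MULTI check's processes array.
type ProcessSpec struct {
	OSType             string
	Path               string
	Hashes             []string // sha512 hex digests; empty accepts any hash
	SignerFingerprints []string // sha1 signer fingerprints; empty accepts any signer
}

// ProcessMultiCheck is the check itself: semantic plus process list.
type ProcessMultiCheck struct {
	Semantic  string // "AllOf" or "OneOf"
	Processes []ProcessSpec
}

// ObservedProcess is the posture data an endpoint reports about one binary.
// Constructed for this example; the real payload is defined by the SDKs.
type ObservedProcess struct {
	OSType, Path      string
	Running           bool
	BinaryHash        string // sha512 hex of the binary on disk
	SignerFingerprint string // sha1 hex of the code-signing certificate
}

func containsFold(list []string, v string) bool {
	for _, s := range list {
		if strings.EqualFold(s, v) {
			return true
		}
	}
	return false
}

// Passes is true when some running process matches the spec on OS and path
// and, where the spec pins them, on hash and signer fingerprint.
func (s ProcessSpec) Passes(obs []ObservedProcess) bool {
	for _, o := range obs {
		if !o.Running || !strings.EqualFold(o.OSType, s.OSType) || o.Path != s.Path {
			continue
		}
		if len(s.Hashes) > 0 && !containsFold(s.Hashes, o.BinaryHash) {
			continue
		}
		if len(s.SignerFingerprints) > 0 && !containsFold(s.SignerFingerprints, o.SignerFingerprint) {
			continue
		}
		return true
	}
	return false
}

// Evaluate applies the semantic. OneOf is read as "at least one passes"
// (assumption). Unknown semantics and empty process lists fail closed.
func (c ProcessMultiCheck) Evaluate(obs []ObservedProcess) (bool, error) {
	if len(c.Processes) == 0 {
		return false, errors.New("PROCESS_MULTI check has no processes")
	}
	passed := 0
	for _, p := range c.Processes {
		if p.Passes(obs) {
			passed++
		}
	}
	switch c.Semantic {
	case "AllOf":
		return passed == len(c.Processes), nil
	case "OneOf":
		return passed >= 1, nil
	default:
		return false, fmt.Errorf("unknown semantic %q", c.Semantic)
	}
}

// Sha512Hex is how a client would derive the hash it reports.
func Sha512Hex(b []byte) string {
	sum := sha512.Sum512(b)
	return hex.EncodeToString(sum[:])
}

// SampleCheck (constructed): an EDR agent on Windows pinned to two approved
// builds, OR a daemon on macOS pinned by signer fingerprint only.
func SampleCheck() ProcessMultiCheck {
	return ProcessMultiCheck{Semantic: "OneOf", Processes: []ProcessSpec{
		{OSType: "Windows", Path: `C:\Program Files\EDR\agent.exe`,
			Hashes: []string{Sha512Hex([]byte("edr-build-1")), Sha512Hex([]byte("edr-build-2"))}},
		{OSType: "macOS", Path: "/usr/local/bin/hardend",
			SignerFingerprints: []string{"da39a3ee5e6b4b0d3255bfef95601890afd80709"}},
	}}
}
```

The macOS entry illustrates the "none allows any" rule: with no hashes listed, any binary at that path passes as long as its signer fingerprint matches, which is the trade-off between pinning builds and tolerating updates.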

v0.19.12

23 Apr 18:13

Release 0.19.12

What's New

  • Revert dial error messages to what SDKs are expecting. Add error codes so future SDKs don't have to parse error text
  • Add router events
  • Allow filters with no predicate if sort or paging clauses are provided
    • Ex: instead of "true limit 5" you could have just "limit 5". Or instead of "true sort by name" you could have "sort by name"
  • Corrected host.v1 configuration type schema to prevent empty port range objects

Router events

To enable:

events:
  jsonLogger:
    subscriptions:
      - type: fabric.routers

Example JSON output:

{
  "namespace": "fabric.routers",
  "event_type": "router-online",
  "timestamp": "2021-04-22T11:26:31.99299884-04:00",
  "router_id": "JAoyjafljO",
  "router_online": true
}
{
  "namespace": "fabric.routers",
  "event_type": "router-offline",
  "timestamp": "2021-04-22T11:26:41.335114358-04:00",
  "router_id": "JAoyjafljO",
  "router_online": false
}
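The events above are a natural input for a detection: a router that goes offline repeatedly in a short window is the rapid disconnect/reconnect condition that the 0.20.4 and 0.20.5 fixes above address. The following Go program is an added example, not part of the ziti project: it parses a jsonLogger stream of fabric.routers events (one JSON object after another, as shown, not an array) and reports routers whose router-offline count inside a sliding window reaches a threshold. The sample log, the second router ID and the window/threshold values are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"sort"
	"strings"
	"time"
)

// RouterEvent matches the fabric.routers JSON shown above.
type RouterEvent struct {
	Namespace    string    `json:"namespace"`
	EventType    string    `json:"event_type"`
	Timestamp    time.Time `json:"timestamp"`
	RouterID     string    `json:"router_id"`
	RouterOnline bool      `json:"router_online"`
}

// ParseRouterEvents reads a stream of concatenated JSON objects, skipping
// events from other namespaces that may share the same log.
func ParseRouterEvents(r io.Reader) ([]RouterEvent, error) {
	dec := json.NewDecoder(r)
	var out []RouterEvent
	for {
		var ev RouterEvent
		if err := dec.Decode(&ev); err == io.EOF {
			return out, nil
		} else if err != nil {
			return out, fmt.Errorf("event %d: %w", len(out)+1, err)
		}
		if ev.Namespace != "fabric.routers" {
			continue
		}
		out = append(out, ev)
	}
}

// FlappingRouters returns, for each router whose router-offline count within
// any span of `window` reaches `threshold`, the highest such count.
func FlappingRouters(events []RouterEvent, window time.Duration, threshold int) map[string]int {
	offline := map[string][]time.Time{}
	for _, ev := range events {
		if ev.EventType == "router-offline" {
			offline[ev.RouterID] = append(offline[ev.RouterID], ev.Timestamp)
		}
	}
	result := map[string]int{}
	for id, ts := range offline {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		best, start := 0, 0
		for end := range ts { // sliding window over sorted offline timestamps
			for ts[end].Sub(ts[start]) > window {
				start++
			}
			if n := end - start + 1; n > best {
				best = n
			}
		}
		if best >= threshold {
			result[id] = best
		}
	}
	return result
}

// SampleRouterLog is constructed: router JAoyjafljO drops four times in
// under two minutes, router kx9 drops once.
const SampleRouterLog = `
{"namespace":"fabric.routers","event_type":"router-offline","timestamp":"2021-04-22T11:26:41.335114358-04:00","router_id":"JAoyjafljO","router_online":false}
{"namespace":"fabric.routers","event_type":"router-online","timestamp":"2021-04-22T11:26:45.1-04:00","router_id":"JAoyjafljO","router_online":true}
{"namespace":"fabric.routers","event_type":"router-offline","timestamp":"2021-04-22T11:27:10.2-04:00","router_id":"JAoyjafljO","router_online":false}
{"namespace":"fabric.routers","event_type":"router-online","timestamp":"2021-04-22T11:27:12.0-04:00","router_id":"JAoyjafljO","router_online":true}
{"namespace":"fabric.routers","event_type":"router-offline","timestamp":"2021-04-22T11:27:50.0-04:00","router_id":"JAoyjafljO","router_online":false}
{"namespace":"fabric.routers","event_type":"router-offline","timestamp":"2021-04-22T11:28:30.0-04:00","router_id":"JAoyjafljO","router_online":false}
{"namespace":"fabric.routers","event_type":"router-offline","timestamp":"2021-04-22T11:40:00.0-04:00","router_id":"kx9","router_online":false}
`

func main() {
	events, err := ParseRouterEvents(strings.NewReader(SampleRouterLog))
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Println(FlappingRouters(events, 5*time.Minute, 3)) // map[JAoyjafljO:4]
}
```

The decoder stops on the first malformed object and reports its position; for a long-running log tail you would log and skip instead, but for a batch check failing loudly is the safer default.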

v0.19.11

15 Apr 19:19

Release 0.19.11

What's New

  • Add workaround for bbolt bug which caused some data to get left behind when deleting identities, seen when turning off tunneler capability on edge routers

  • Remove deprecated ziti-enroller command. Enrollment can be done using the ziti-tunnel, ziti-router and ziti commands

  • Fix UDP intercept handling

  • The host.v1 service configuration type has been changed as follows:

    • Rename dialIntercepted* properties to forwardProtocol, forwardAddress, forwardPort for better consistency with non-tunneler client applications.
    • Add allowedProtocols, allowedAddresses, and allowedPortRanges properties to whitelist destinations that are dialed via forward*. The allowed* properties are required for any corresponding forward* property that is true.
    • Add allowedSourceAddresses, which serves as a whitelist for source IPs/CIDRs and informs the hosting tunneler of the local routes to establish when hosting a service.
  • Ziti Controller will now report service posture query policy types (Dial/Bind)

  • Ziti Controller now supports enrollment extension for routers

  • Ziti Router now supports forcing enrollment extension via run -e

  • Ziti Routers will now automatically extend their enrollment before their certificates expire

  • ziti edge enroll with a UPDB JWT now confirms and properly sets the password supplied

Caveats:

  • Any existing host.v1 configurations that use the renamed dialIntercepted* properties will become invalid.
  • ziti-tunnel and the converged router/tunneler create local routes for allowedSourceAddresses, but the routes are not consistently cleaned up when ziti-tunnel exits. This issue will be addressed in a future release.
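An added example in Go, not code from ziti-tunnel or the router, of the whitelist semantics described for host.v1 above: each forward* flag that is true must have its allowed* list, and that list confines what the hosting side will dial on a client's behalf, while components that are not forwarded are taken from the config and the client's value is ignored. Protocol forwarding is omitted (it is the same membership check as the port case); the HostV1 and Dial types, the choice not to resolve hostnames, and the port-range validation (reflecting the empty-range schema fix noted under 0.19.12) are assumptions of this example, and the sample config is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// PortRange mirrors the {low, high} objects of host.v1 allowedPortRanges.
type PortRange struct{ Low, High int }

// HostV1 holds the host.v1 fields discussed in the release notes (the Go
// struct is constructed for this example; field names follow the config type).
type HostV1 struct {
	Protocol, Address string
	Port              int
	ForwardAddress    bool
	ForwardPort       bool
	AllowedAddresses  []string // IPs or CIDRs
	AllowedPortRanges []PortRange
}

// Dial is a destination, either fixed by the config or forwarded from the client.
type Dial struct {
	Protocol, Address string
	Port              int
}

// Validate enforces the rule that each forward* flag set to true requires its
// allowed* list, and rejects empty or inverted port ranges.
func (h HostV1) Validate() error {
	if h.ForwardAddress && len(h.AllowedAddresses) == 0 {
		return errors.New("forwardAddress requires allowedAddresses")
	}
	if h.ForwardPort && len(h.AllowedPortRanges) == 0 {
		return errors.New("forwardPort requires allowedPortRanges")
	}
	for _, r := range h.AllowedPortRanges {
		if r.Low < 1 || r.High > 65535 || r.Low > r.High {
			return fmt.Errorf("invalid port range %d-%d", r.Low, r.High)
		}
	}
	return nil
}

// Resolve computes the destination the hosting tunneler would dial for a
// client request: forwarded components are checked against the whitelist,
// non-forwarded components come from the config regardless of the request.
func (h HostV1) Resolve(req Dial) (Dial, error) {
	out := Dial{Protocol: h.Protocol, Address: h.Address, Port: h.Port}
	if h.ForwardAddress {
		if !addressAllowed(h.AllowedAddresses, req.Address) {
			return Dial{}, fmt.Errorf("address %q not in allowedAddresses", req.Address)
		}
		out.Address = req.Address
	}
	if h.ForwardPort {
		if !portAllowed(h.AllowedPortRanges, req.Port) {
			return Dial{}, fmt.Errorf("port %d not in allowedPortRanges", req.Port)
		}
		out.Port = req.Port
	}
	return out, nil
}

// addressAllowed matches an IP against CIDR and single-IP entries. Hostnames
// are deliberately not resolved here, so a name in the request never matches.
func addressAllowed(allowed []string, addr string) bool {
	ip := net.ParseIP(addr)
	if ip == nil {
		return false
	}
	for _, a := range allowed {
		if _, cidr, err := net.ParseCIDR(a); err == nil && cidr.Contains(ip) {
			return true
		}
		if aip := net.ParseIP(a); aip != nil && aip.Equal(ip) {
			return true
		}
	}
	return false
}

func portAllowed(ranges []PortRange, port int) bool {
	for _, r := range ranges {
		if port >= r.Low && port <= r.High {
			return true
		}
	}
	return false
}

// SampleHostConfig (constructed): protocol fixed to TCP, address and port
// forwarded from the client but confined to one subnet, one host and two ports.
func SampleHostConfig() HostV1 {
	return HostV1{Protocol: "tcp", ForwardAddress: true, ForwardPort: true,
		AllowedAddresses:  []string{"10.0.1.0/24", "10.0.9.10"},
		AllowedPortRanges: []PortRange{{443, 443}, {5432, 5432}}}
}
```

Validate runs once when the config is loaded and Resolve on every dial; keeping them separate means a config that would silently allow everything (forward set, list empty) is rejected up front rather than discovered in the dial path.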

v0.19.10

09 Apr 17:11

Release 0.19.10

What's New

  • Fixed issue where edge router renames didn't propagate to fabric
  • Fixed issue where gateway couldn't dial after router rename
  • Allowed parsing identities where values were not URIs
  • Allow updating which configs are used by services