Merge pull request #2476 from openziti/fix.2474.add.generic.network.w…

…ide.jwt Fix.2474.add.generic.network.wide.jwt
openziti · Oct 11, 2024 · c36b3b2 · c36b3b2
2 parents bd8b4da + 04faa9e
commit c36b3b2
Show file tree

Hide file tree

Showing 10 changed files with 347 additions and 107 deletions.
diff --git a/controller/env/appenv.go b/controller/env/appenv.go
@@ -78,6 +78,8 @@ var _ model.Env = &AppEnv{}
 const (
 	ZitiSession      = "zt-session"
 	ClientApiBinding = "edge-client"
+
+	JwtAudEnrollment = "openziti-enroller"
 )
 
 const (

diff --git a/controller/internal/routes/ca_router.go b/controller/internal/routes/ca_router.go
@@ -266,9 +266,10 @@ func (r *CaRouter) generateJwt(ae *env.AppEnv, rc *response.RequestContext) {
 	claims := &ziti.EnrollmentClaims{
 		EnrollmentMethod: method,
 		RegisteredClaims: jwt.RegisteredClaims{
-			Issuer:  fmt.Sprintf(`https://%s/`, ae.GetConfig().Edge.Api.Address),
-			Subject: ca.Id,
-			ID:      ca.Id,
+			Audience: jwt.ClaimStrings{env.JwtAudEnrollment},
+			Issuer:   fmt.Sprintf(`https://%s/`, ae.GetConfig().Edge.Api.Address),
+			Subject:  ca.Id,
+			ID:       ca.Id,
 		},
 	}
 

diff --git a/controller/internal/routes/network-jwt_router.go b/controller/internal/routes/network-jwt_router.go
@@ -0,0 +1,104 @@
+package routes
+
+import (
+	"errors"
+	"fmt"
+	"github.com/go-openapi/runtime/middleware"
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/google/uuid"
+	"github.com/michaelquigley/pfxlog"
+	enrollment_client "github.com/openziti/edge-api/rest_client_api_server/operations/enrollment"
+	enrollment_management "github.com/openziti/edge-api/rest_management_api_server/operations/enrollment"
+	"github.com/openziti/edge-api/rest_model"
+	"github.com/openziti/sdk-golang/ziti"
+	"github.com/openziti/ziti/controller/env"
+	"github.com/openziti/ziti/controller/internal/permissions"
+	"github.com/openziti/ziti/controller/response"
+	"net/http"
+)
+
+func init() {
+	r := NewNetworkJwtRouter()
+	env.AddRouter(r)
+}
+
+const (
+	EntityNameNetworkJwt = "network-jwts"
+
+	EnrollmentMethodNetwork = "network"
+
+	DefaultNetworkJwtName = "default"
+)
+
+type NetworkJwtRoute struct {
+	BasePath string
+}
+
+func NewNetworkJwtRouter() *NetworkJwtRoute {
+	return &NetworkJwtRoute{
+		BasePath: "/" + EntityNameNetworkJwt,
+	}
+}
+
+func (r *NetworkJwtRoute) Register(ae *env.AppEnv) {
+
+	ae.ManagementApi.EnrollmentListNetworkJWTsHandler = enrollment_management.ListNetworkJWTsHandlerFunc(func(params enrollment_management.ListNetworkJWTsParams) middleware.Responder {
+		return ae.IsAllowed(r.List, params.HTTPRequest, "", "", permissions.Always())
+	})
+
+	ae.ClientApi.EnrollmentListNetworkJWTsHandler = enrollment_client.ListNetworkJWTsHandlerFunc(func(params enrollment_client.ListNetworkJWTsParams) middleware.Responder {
+		return ae.IsAllowed(r.List, params.HTTPRequest, "", "", permissions.Always())
+	})
+
+}
+
+var networkJwt string
+
+func (r *NetworkJwtRoute) List(ae *env.AppEnv, rc *response.RequestContext) {
+
+	if networkJwt == "" {
+		issuer := fmt.Sprintf(`https://%s/`, ae.GetConfig().Edge.Api.Address)
+
+		claims := &ziti.EnrollmentClaims{
+			EnrollmentMethod: EnrollmentMethodNetwork,
+			RegisteredClaims: jwt.RegisteredClaims{
+				Audience: jwt.ClaimStrings{env.JwtAudEnrollment},
+				Issuer:   issuer,
+				Subject:  issuer,
+				ID:       uuid.NewString(),
+			},
+		}
+
+		signer, err := ae.GetEnrollmentJwtSigner()
+
+		if err != nil {
+			pfxlog.Logger().WithError(err).Error("could not get enrollment signer to generate a network JWT")
+			rc.RespondWithError(errors.New("could not determine signer"))
+			return
+		}
+
+		jwtStr, genErr := signer.Generate(claims)
+
+		if genErr != nil {
+			networkJwt = ""
+			pfxlog.Logger().WithError(genErr).Error("could not sign network JWT")
+			rc.RespondWithError(errors.New("could not generate claims"))
+			return
+		}
+
+		networkJwt = jwtStr
+	}
+
+	name := DefaultNetworkJwtName
+	resp := rest_model.ListNetworkJWTsEnvelope{
+		Data: rest_model.NetworkJWTList{
+			&rest_model.NetworkJWT{
+				Name:  &name,
+				Token: &networkJwt,
+			},
+		},
+		Meta: &rest_model.Meta{},
+	}
+
+	rc.Respond(resp, http.StatusOK)
+}
diff --git a/etc/ctrl.with.edge.yml b/etc/ctrl.with.edge.yml
@@ -268,11 +268,9 @@ web:
       - binding: edge-client
       - binding: edge-oidc
         options:
-          secret: 38de0de7fa283e8c8ef2a7823a6d3e727681ade50b9eb7bee2424197fb22bf18
           redirectURIs:
             - "http://localhost:*/auth/callback"
             - "http://127.0.0.1:*/auth/callback"
-            - "https://oauth.pstmn.io/v1/callback"
 
 commandRateLimiter:
     enabled: true

diff --git a/go.mod b/go.mod
@@ -50,18 +50,18 @@ require (
 	github.com/mitchellh/mapstructure v1.5.0
 	github.com/natefinch/lumberjack v2.0.0+incompatible
 	github.com/openziti/agent v1.0.18
-	github.com/openziti/channel/v3 v3.0.5
+	github.com/openziti/channel/v3 v3.0.6
 	github.com/openziti/cobra-to-md v1.0.1
-	github.com/openziti/edge-api v0.26.33
+	github.com/openziti/edge-api v0.26.34
 	github.com/openziti/foundation/v2 v2.0.49
-	github.com/openziti/identity v1.0.85
+	github.com/openziti/identity v1.0.86
 	github.com/openziti/jwks v1.0.6
 	github.com/openziti/metrics v1.2.58
 	github.com/openziti/runzmd v1.0.51
-	github.com/openziti/sdk-golang v0.23.43
+	github.com/openziti/sdk-golang v0.23.44
 	github.com/openziti/secretstream v0.1.25
 	github.com/openziti/storage v0.3.2
-	github.com/openziti/transport/v2 v2.0.146
+	github.com/openziti/transport/v2 v2.0.147
 	github.com/openziti/x509-claims v1.0.3
 	github.com/openziti/xweb/v2 v2.1.3
 	github.com/openziti/ziti-db-explorer v1.1.3
@@ -82,13 +82,13 @@ require (
 	github.com/zitadel/oidc/v2 v2.12.2
 	go.etcd.io/bbolt v1.3.11
 	go4.org v0.0.0-20180809161055-417644f6feb5
-	golang.org/x/crypto v0.27.0
-	golang.org/x/net v0.29.0
+	golang.org/x/crypto v0.28.0
+	golang.org/x/net v0.30.0
 	golang.org/x/oauth2 v0.23.0
 	golang.org/x/sync v0.8.0
-	golang.org/x/sys v0.25.0
-	golang.org/x/text v0.18.0
-	google.golang.org/protobuf v1.34.2
+	golang.org/x/sys v0.26.0
+	golang.org/x/text v0.19.0
+	google.golang.org/protobuf v1.35.1
 	gopkg.in/AlecAivazis/survey.v1 v1.8.8
 	gopkg.in/go-jose/go-jose.v2 v2.6.3
 	gopkg.in/resty.v1 v1.12.0
@@ -141,7 +141,7 @@ require (
 	github.com/kr/pty v1.1.8 // indirect
 	github.com/kyokomi/emoji/v2 v2.2.12 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
-	github.com/lufia/plan9stats v0.0.0-20240513124658-fba389f38bae // indirect
+	github.com/lufia/plan9stats v0.0.0-20240909124753-873cd0166683 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
@@ -179,24 +179,24 @@ require (
 	github.com/spf13/cast v1.6.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/tklauser/go-sysconf v0.3.14 // indirect
-	github.com/tklauser/numcpus v0.8.0 // indirect
+	github.com/tklauser/numcpus v0.9.0 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/valyala/fasttemplate v1.2.2 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
-	go.mongodb.org/mongo-driver v1.17.0 // indirect
+	go.mongodb.org/mongo-driver v1.17.1 // indirect
 	go.mozilla.org/pkcs7 v0.9.0 // indirect
 	go.opentelemetry.io/otel v1.30.0 // indirect
 	go.opentelemetry.io/otel/metric v1.30.0 // indirect
 	go.opentelemetry.io/otel/trace v1.30.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.9.0 // indirect
-	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
+	golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c // indirect
 	golang.org/x/image v0.13.0 // indirect
-	golang.org/x/mod v0.19.0 // indirect
-	golang.org/x/term v0.24.0 // indirect
-	golang.org/x/tools v0.23.0 // indirect
+	golang.org/x/mod v0.21.0 // indirect
+	golang.org/x/term v0.25.0 // indirect
+	golang.org/x/tools v0.26.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0 // indirect
 	nhooyr.io/websocket v1.8.17 // indirect
-Original file line number
+Diff line change
@@ Expand Up / @@ -78,6 +78,8 @@ var _ model.Env = &AppEnv{} @@
     const (
     	ZitiSession      = "zt-session"
     	ClientApiBinding = "edge-client"
+    	JwtAudEnrollment = "openziti-enroller"
     )
     const (
@@ Expand Down @@