From 9f018e730fc1424c164158e63082d94c34419c2e Mon Sep 17 00:00:00 2001 From: Michael Quigley Date: Wed, 25 Oct 2023 11:32:08 -0400 Subject: [PATCH 1/9] support oauth flags for the 'zrok reserve' command (#421) --- cmd/zrok/reserve.go | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/cmd/zrok/reserve.go b/cmd/zrok/reserve.go index a5f0173c..5d87f9a0 100644 --- a/cmd/zrok/reserve.go +++ b/cmd/zrok/reserve.go @@ -7,6 +7,7 @@ import ( "github.com/openziti/zrok/tui" "github.com/sirupsen/logrus" "github.com/spf13/cobra" + "time" ) func init() { @@ -14,10 +15,13 @@ func init() { } type reserveCommand struct { - basicAuth []string - frontendSelection []string - backendMode string - cmd *cobra.Command + basicAuth []string + frontendSelection []string + backendMode string + oauthProvider string + oauthEmailDomains []string + oauthCheckInterval time.Duration + cmd *cobra.Command } func newReserveCommand() *reserveCommand { 
@@ -27,9 +31,15 @@ func newReserveCommand() *reserveCommand { Args: cobra.ExactArgs(2), } command := &reserveCommand{cmd: cmd} - cmd.Flags().StringArrayVar(&command.basicAuth, "basic-auth", []string{}, "Basic authentication users (,...)") cmd.Flags().StringArrayVar(&command.frontendSelection, "frontends", []string{"public"}, "Selected frontends to use for the share") cmd.Flags().StringVarP(&command.backendMode, "backend-mode", "b", "proxy", "The backend mode {proxy, web, , caddy}") + + cmd.Flags().StringArrayVar(&command.basicAuth, "basic-auth", []string{}, "Basic authentication users (,...)") + cmd.Flags().StringVar(&command.oauthProvider, "oauth-provider", "", "Enable OAuth provider [google, github]") + cmd.Flags().StringArrayVar(&command.oauthEmailDomains, "oauth-email-domains", []string{}, "Allow only these email domains to authenticate via OAuth") + cmd.Flags().DurationVar(&command.oauthCheckInterval, "oauth-check-interval", 3*time.Hour, "Maximum lifetime for OAuth authentication; reauthenticate after expiry") + cmd.MarkFlagsMutuallyExclusive("basic-auth", "oauth-provider") + cmd.Run = command.run return command } @@ -89,6 +99,11 @@ func (cmd *reserveCommand) run(_ *cobra.Command, args []string) { if shareMode == sdk.PublicShareMode { req.Frontends = cmd.frontendSelection } + if cmd.oauthProvider != "" { + req.OauthProvider = cmd.oauthProvider + req.OauthEmailDomains = cmd.oauthEmailDomains + req.OauthAuthorizationCheckInterval = cmd.oauthCheckInterval + } shr, err := sdk.CreateShare(env, req) if err != nil { if !panicInstead { From aba9f683488961e13e7e4d455c98d9c47b46ba22 Mon Sep 17 00:00:00 2001 From: Michael Quigley Date: Wed, 25 Oct 2023 11:36:26 -0400 Subject: [PATCH 2/9] only allow --oauth-provider for 'zrok reserve public'; changelog (#421) --- CHANGELOG.md | 4 ++++ cmd/zrok/reserve.go | 3 +++ 2 files changed, 7 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 217ff301..a24a0d79 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
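Review bot: `--oauth-check-interval` is registered with `DurationVar` and no bounds check, so `0s` or a negative duration parses cleanly and is forwarded unchanged as `OauthAuthorizationCheckInterval` by the later hunk of this patch. How the frontend treats a non-positive interval is not visible here, so I would reject it on the client in `run` before the request is built, e.g. `if cmd.oauthCheckInterval <= 0 { tui.Error("--oauth-check-interval must be positive", nil) }`. `--oauth-provider` is likewise free-form although its help text lists `[google, github]`; if validation is deliberately left to the controller, a one-line comment saying so would help. `newReserveCommand` begins above this hunk.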
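Review bot: `--oauth-email-domains` and `--oauth-check-interval` are silently dropped when `--oauth-provider` is empty, because all three fields are copied only inside `if cmd.oauthProvider != ""`. A user who passes only `--oauth-email-domains example.com` (constructed example) gets a share with no OAuth restriction at all, so the mistake fails open. I would reject that combination before building the request: `if cmd.oauthProvider == "" && len(cmd.oauthEmailDomains) > 0 { tui.Error("--oauth-email-domains requires --oauth-provider", nil) }`. `run` starts and ends outside this hunk.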
@@ -1,3 +1,7 @@ +# v0.4.11 + +FIX: Include `--oauth-provider` and associated flags for the `zrok reserve` command, allowing reserved shares to specify OAuth authentication (https://github.com/openziti/zrok/issues/421) + # v0.4.10 CHANGE: The public frontend configuration has been bumped from `v: 2` to `v: 3`. The `redirect_host`, `redirect_port` and `redirect_http_only` parameters have been removed. These three configuration options have been replaced with `bind_address`, `redirect_url` and `cookie_domain`. See the OAuth configuration guide at `docs/guides/self-hosting/oauth/configuring-oauth.md` for more details (https://github.com/openziti/zrok/issues/411) diff --git a/cmd/zrok/reserve.go b/cmd/zrok/reserve.go index 5d87f9a0..803d6d2e 100644 --- a/cmd/zrok/reserve.go +++ b/cmd/zrok/reserve.go @@ -100,6 +100,9 @@ func (cmd *reserveCommand) run(_ *cobra.Command, args []string) { req.Frontends = cmd.frontendSelection } if cmd.oauthProvider != "" { + if shareMode != sdk.PublicShareMode { + tui.Error("--oauth-provider only supported for public shares", nil) + } req.OauthProvider = cmd.oauthProvider req.OauthEmailDomains = cmd.oauthEmailDomains req.OauthAuthorizationCheckInterval = cmd.oauthCheckInterval From 870c1a083bdf7e846d5edaa2a3816a2762c6b6c6 Mon Sep 17 00:00:00 2001 From: Michael Quigley Date: Wed, 25 Oct 2023 11:44:21 -0400 Subject: [PATCH 3/9] incorporate '--json-output' flag to the 'zrok reserve' command (#422) --- CHANGELOG.md | 2 ++ cmd/zrok/reserve.go | 33 +++++++++++++++++---------------- sdk/model.go | 4 ++-- 3 files changed, 21 insertions(+), 18 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a24a0d79..be97ecdc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
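Review bot: The new public-share guard only protects anything if `tui.Error` never returns; nothing in the hunk stops the three `req.Oauth*` assignments that follow from running for a private share. `tui.Error` is not shown on this page, so if it can return, add `return` after the call; if it always exits, a short comment such as `// tui.Error terminates the process` makes the dependency explicit. The same assumption is taken on in PATCH 3/9, where the `panic(err)` fallbacks after `tui.Error` are removed ahead of `target = v` and the `shr.Token` / `json.Marshal(shr)` uses. `run` starts and ends outside this hunk.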
@@ -1,5 +1,7 @@ # v0.4.11 +FEATURE: The `zrok reserve` command now incorporates the `--json-output|-j` flag, which outputs the reservation details as JSON, rather than as human-consumable log messages. Other commands will produce similar output in the future (https://github.com/openziti/zrok/issues/422) + FIX: Include `--oauth-provider` and associated flags for the `zrok reserve` command, allowing reserved shares to specify OAuth authentication (https://github.com/openziti/zrok/issues/421) # v0.4.10 diff --git a/cmd/zrok/reserve.go b/cmd/zrok/reserve.go index 803d6d2e..69e6ecf5 100644 --- a/cmd/zrok/reserve.go +++ b/cmd/zrok/reserve.go @@ -1,6 +1,7 @@ package main import ( + "encoding/json" "fmt" "github.com/openziti/zrok/environment" "github.com/openziti/zrok/sdk" @@ -18,6 +19,7 @@ type reserveCommand struct { basicAuth []string frontendSelection []string backendMode string + jsonOutput bool oauthProvider string oauthEmailDomains []string oauthCheckInterval time.Duration @@ -33,7 +35,7 @@ func newReserveCommand() *reserveCommand { command := &reserveCommand{cmd: cmd} cmd.Flags().StringArrayVar(&command.frontendSelection, "frontends", []string{"public"}, "Selected frontends to use for the share") cmd.Flags().StringVarP(&command.backendMode, "backend-mode", "b", "proxy", "The backend mode {proxy, web, , caddy}") - + cmd.Flags().BoolVarP(&command.jsonOutput, "json-output", "j", false, "Emit JSON describing the created reserved share") cmd.Flags().StringArrayVar(&command.basicAuth, "basic-auth", []string{}, "Basic authentication users (,...)") cmd.Flags().StringVar(&command.oauthProvider, "oauth-provider", "", "Enable OAuth provider [google, github]") cmd.Flags().StringArrayVar(&command.oauthEmailDomains, "oauth-email-domains", []string{}, "Allow only these email domains to authenticate via OAuth") 
@@ -55,10 +57,7 @@ func (cmd *reserveCommand) run(_ *cobra.Command, args []string) { case "proxy": v, err := parseUrl(args[1]) if err != nil { - if !panicInstead { - tui.Error("invalid target endpoint URL", err) - } - panic(err) + tui.Error("invalid target endpoint URL", err) } target = v @@ -80,10 +79,7 @@ func (cmd *reserveCommand) run(_ *cobra.Command, args []string) { env, err := environment.LoadRoot() if err != nil { - if !panicInstead { - tui.Error("error loading environment", err) - } - panic(err) + tui.Error("error loading environment", err) } if !env.IsEnabled() { @@ -109,14 +105,19 @@ func (cmd *reserveCommand) run(_ *cobra.Command, args []string) { } shr, err := sdk.CreateShare(env, req) if err != nil { - if !panicInstead { - tui.Error("unable to create share", err) - } - panic(err) + tui.Error("unable to create share", err) } - logrus.Infof("your reserved share token is '%v'", shr.Token) - for _, fpe := range shr.FrontendEndpoints { - logrus.Infof("reserved frontend endpoint: %v", fpe) + if !cmd.jsonOutput { + logrus.Infof("your reserved share token is '%v'", shr.Token) + for _, fpe := range shr.FrontendEndpoints { + logrus.Infof("reserved frontend endpoint: %v", fpe) + } + } else { + out, err := json.Marshal(shr) + if err != nil { + tui.Error("error emitting JSON", err) + } + fmt.Println(string(out)) } } diff --git a/sdk/model.go b/sdk/model.go index fa0310eb..cefb1eb0 100644 --- a/sdk/model.go +++ b/sdk/model.go @@ -31,8 +31,8 @@ type ShareRequest struct { } type Share struct { - Token string - FrontendEndpoints []string + Token string `json:"token"` + FrontendEndpoints []string `json:"frontend_endpoints"` } type AccessRequest struct { From 818b4d8a3ec86d7cd0cc2d3a29784ca8fd8b9801 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Wed, 25 Oct 2023 12:59:57 -0400 Subject: [PATCH 4/9] bump ziti cli version and install jq --- docker/images/zrok/Dockerfile | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) 
diff --git a/docker/images/zrok/Dockerfile b/docker/images/zrok/Dockerfile index f9ff31fb..161b2df3 100644 --- a/docker/images/zrok/Dockerfile +++ b/docker/images/zrok/Dockerfile @@ -1,7 +1,8 @@ # this builds docker.io/openziti/zrok -FROM docker.io/openziti/ziti-cli:0.27.9 -# This build stage grabs artifacts that are copied into the final image. -# It uses the same base as the final image to maximize docker cache hits. +ARG ZITI_CLI_TAG="0.30.5" +ARG ZITI_CLI_IMAGE="docker.io/openziti/ziti-cli" +# this builds docker.io/openziti/ziti-controller +FROM ${ZITI_CLI_IMAGE}:${ZITI_CLI_TAG} ARG ARTIFACTS_DIR=./dist ARG DOCKER_BUILD_DIR=. @@ -19,6 +20,11 @@ LABEL name="openziti/zrok" \ USER root +### install packages (jq introduced in source image in next release 0.30.6) +RUN INSTALL_PKGS="jq" && \ + microdnf -y update --setopt=install_weak_deps=0 --setopt=tsflags=nodocs && \ + microdnf -y install --setopt=install_weak_deps=0 --setopt=tsflags=nodocs ${INSTALL_PKGS} + ### add licenses to this directory RUN mkdir -p -m0755 /licenses COPY ./LICENSE /licenses/apache.txt From 5934242c7bbdfa67fa9e2dd58197a93ef824aa6b Mon Sep 17 00:00:00 2001 From: Rui Chen Date: Wed, 25 Oct 2023 13:49:27 -0400 Subject: [PATCH 5/9] workflows(homebrew): bump action to v3.1 Signed-off-by: Rui Chen --- .github/workflows/homebrew.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/homebrew.yml b/.github/workflows/homebrew.yml index fee97d74..b41d0df5 100644 --- a/.github/workflows/homebrew.yml +++ b/.github/workflows/homebrew.yml @@ -12,7 +12,7 @@ jobs: id: extract-version run: | printf "::set-output name=%s::%s\n" tag-name "${GITHUB_REF#refs/tags/}" - - uses: mislav/bump-homebrew-formula-action@v2 + - uses: mislav/bump-homebrew-formula-action@v3.1 if: "!contains(github.ref, '-')" with: formula-name: zrok From 7167251f980bbcb43f6af8e868396049de05610d Mon Sep 17 00:00:00 2001 
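Review bot: The added comment `# this builds docker.io/openziti/ziti-controller` contradicts the first line of the file (`# this builds docker.io/openziti/zrok`) and looks copied from another Dockerfile; drop it or replace it with something like `# base image: ziti-cli at the tag given by ZITI_CLI_TAG`. Separately, the base is now resolved from two overridable build args and a mutable tag, so what the image is built on depends on registry state at build time. Pinning a digest, e.g. `FROM ${ZITI_CLI_IMAGE}:${ZITI_CLI_TAG}@sha256:<digest-placeholder>`, would make the base verifiable.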
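Review bot: `microdnf -y update` in the new RUN step upgrades every package in the base image at build time, so two builds of the same commit can ship different package sets, and the step leaves the package cache in the layer. If only jq is needed, drop the `update` line and end the step with `&& microdnf clean all`; if the update is there to pull security fixes, say so in the comment. The comment states jq arrives in the base image with 0.30.6, so a marker such as `# TODO: remove once ZITI_CLI_TAG >= 0.30.6` would keep the step from outliving its purpose. The step runs after `USER root`; whether a later `USER` drops privileges again is outside this hunk.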
From: Rui Chen Date: Wed, 25 Oct 2023 13:57:15 -0400 Subject: [PATCH 6/9] workflows(homebrew): update url format Signed-off-by: Rui Chen --- .github/workflows/homebrew.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/homebrew.yml b/.github/workflows/homebrew.yml index b41d0df5..87817243 100644 --- a/.github/workflows/homebrew.yml +++ b/.github/workflows/homebrew.yml @@ -16,6 +16,6 @@ jobs: if: "!contains(github.ref, '-')" with: formula-name: zrok - download-url: https://github.com/openziti/zrok/archive/${{ steps.extract-version.outputs.tag-name }}.tar.gz + download-url: https://github.com/openziti/zrok/archive/refs/tags/${{ steps.extract-version.outputs.tag-name }}.tar.gz env: COMMITTER_TOKEN: ${{ secrets.BREW_COMMITTER_TOKEN }} From 77964211b3ca7f445a3417ba768878dcd7a4971c Mon Sep 17 00:00:00 2001 From: Michael Quigley Date: Wed, 25 Oct 2023 14:16:18 -0400 Subject: [PATCH 7/9] sdk fixes to re-instate reserved share metadata (#427) --- cmd/zrok/reserve.go | 1 + sdk/model.go | 1 + sdk/share.go | 1 + 3 files changed, 3 insertions(+) diff --git a/cmd/zrok/reserve.go b/cmd/zrok/reserve.go index 69e6ecf5..b6be848d 100644 --- a/cmd/zrok/reserve.go +++ b/cmd/zrok/reserve.go @@ -87,6 +87,7 @@ func (cmd *reserveCommand) run(_ *cobra.Command, args []string) { } req := &sdk.ShareRequest{ + Reserved: true, BackendMode: sdk.BackendMode(cmd.backendMode), ShareMode: shareMode, BasicAuth: cmd.basicAuth, diff --git a/sdk/model.go b/sdk/model.go index cefb1eb0..4c27ecd9 100644 --- a/sdk/model.go +++ b/sdk/model.go @@ -20,6 +20,7 @@ const ( ) type ShareRequest struct { + Reserved bool BackendMode BackendMode ShareMode ShareMode Target string diff --git a/sdk/share.go b/sdk/share.go index 9a1838b8..45feb57f 100644 --- a/sdk/share.go +++ b/sdk/share.go 
@@ -25,6 +25,7 @@ func CreateShare(root env_core.Root, request *ShareRequest) (*Share, error) { default: return nil, errors.Errorf("unknown share mode '%v'", request.ShareMode) } + out.Body.Reserved = request.Reserved if len(request.BasicAuth) > 0 { out.Body.AuthScheme = string(Basic) From 64b9c68dae9cc322e65d977e2f0ca48f96bc4a2f Mon Sep 17 00:00:00 2001 From: Michael Quigley Date: Wed, 25 Oct 2023 14:33:00 -0400 Subject: [PATCH 8/9] changelog (#427) --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index be97ecdc..1cad89b7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,7 @@ +# v0.4.12 + +FIX: The `zrok reserve` command was not properly recording the reserved share status of the shares that it created, preventing the `zrok release` command from properly releasing them (https://github.com/openziti/zrok/issues/427) If a user encounters reserved shares that cannot be released with the `zrok release` command, they can be deleted through the web console. + # v0.4.11 FEATURE: The `zrok reserve` command now incorporates the `--json-output|-j` flag, which outputs the reservation details as JSON, rather than as human-consumable log messages. Other commands will produce similar output in the future (https://github.com/openziti/zrok/issues/422) From 0f930f70c5a20ca3a657f4d3a3482f4d6e199b38 Mon Sep 17 00:00:00 2001 From: Michael Quigley Date: Wed, 25 Oct 2023 14:40:03 -0400 Subject: [PATCH 9/9] changelog --- CHANGELOG.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1cad89b7..7c460360 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,7 @@ +# v0.4.13 + +FIX: Update to Homebrew automation to properly integrate with the latest version of the Homebrew release process. + # v0.4.12 FIX: The `zrok reserve` command was not properly recording the reserved share status of the shares that it created, preventing the `zrok release` command from properly releasing them (https://github.com/openziti/zrok/issues/427) If a user encounters reserved shares that cannot be released with the `zrok release` command, they can be deleted through the web console.