Merge branch 'main' into zrok_copy_p1

This commit is contained in:
Michael Quigley 2023-12-15 13:19:24 -05:00
commit 62b3cfb911
No known key found for this signature in database
GPG Key ID: 9B60314A9DD20A62
10 changed files with 60 additions and 33 deletions

2
.flake8 Normal file
View File

@ -0,0 +1,2 @@
[flake8]
max-line-length = 120

View File

@ -35,6 +35,7 @@ jobs:
- name: Build distro
env:
ZROK_VERSION: ${{ github.event.release.tag_name }}
ZROK_PY_NAME: ${{ vars.ZROK_PY_NAME || null }}
run: |
python setup.py sdist

View File

@ -72,11 +72,12 @@ jobs:
- name: Set Up Container Image Tags for zrok CLI Container
env:
RELEASE_REPO: openziti/zrok
ZROK_VERSION: ${{ steps.semver.outputs.zrok_semver }}
ZROK_CONTAINER_IMAGE_REPO: ${{ vars.ZROK_CONTAINER_IMAGE_REPO || 'openziti/zrok' }}
ZROK_CONTAINER_IMAGE_TAG: ${{ steps.semver.outputs.zrok_semver }}
id: tagprep_cli
run: |
echo DOCKER_TAGS="${RELEASE_REPO}:${ZROK_VERSION},${RELEASE_REPO}:latest" | tee -a $GITHUB_OUTPUT
echo DOCKER_TAGS="${ZROK_CONTAINER_IMAGE_REPO}:${ZROK_CONTAINER_IMAGE_TAG},${ZROK_CONTAINER_IMAGE_REPO}:latest" \
| tee -a $GITHUB_OUTPUT
# this is the CLI image with the Linux binary for each
# arch that was downloaded in ./dist/

View File

@ -4,6 +4,8 @@
CHANGE: OpenZiti SDK updated to `v0.21.2`. All `ziti.ListenOptions` listener options configured to use `WaitForNEstablishedListeners: 1`. When a `zrok share` client or an `sdk.Share` client are connected to an OpenZiti router that supports "listener established" events, then listen calls will not return until the listener is fully established on the OpenZiti network. Previously a `zrok share` client could report that it is fully operational and listening before the listener is fully established on the OpenZiti network; in practice this produced a very small window of time when the share would not be ready to accept requests. This change eliminates this window of time (https://github.com/openziti/zrok/issues/490)
FIX: Require the JWT in a zrok OAuth cookie to have an audience claim that matches the public share hostname. This prevents a cookie from one share from being use to log in to another share.
## v0.4.19
FEATURE: Reserved shares now support unique names ("vanity tokens"). This allows for the creation of reserved shares with identifiable names rather than generated share tokens. Includes basic support for profanity checking (https://github.com/openziti/zrok/issues/401)

View File

@ -87,7 +87,7 @@ func (cmd *testWebsocketCommand) run(_ *cobra.Command, args []string) {
addr = cmd.serviceName
} else {
if len(args) == 0 {
logrus.Error("Address required if not using ziti")
logrus.Error("address required if not using ziti")
flag.Usage()
os.Exit(1)
}
@ -102,13 +102,13 @@ func (cmd *testWebsocketCommand) run(_ *cobra.Command, args []string) {
}
defer c.Close(websocket.StatusInternalError, "the sky is falling")
logrus.Info("Writing to server...")
logrus.Info("writing to server...")
err = wsjson.Write(ctx, c, "hi")
if err != nil {
logrus.Error(err)
return
}
logrus.Info("Reading response...")
logrus.Info("reading response...")
typ, dat, err := c.Read(ctx)
if err != nil {
logrus.Error(err)

View File

@ -1,5 +1,5 @@
# this builds docker.io/openziti/zrok
ARG ZITI_CLI_TAG="0.31.0"
ARG ZITI_CLI_TAG="0.31.2"
ARG ZITI_CLI_IMAGE="docker.io/openziti/ziti-cli"
# this builds docker.io/openziti/ziti-controller
FROM ${ZITI_CLI_IMAGE}:${ZITI_CLI_TAG}

View File

@ -80,7 +80,7 @@ func configureGithubOauth(cfg *OauthConfig, tls bool) error {
return func(w http.ResponseWriter, r *http.Request) {
host, err := url.QueryUnescape(r.URL.Query().Get("targethost"))
if err != nil {
logrus.Errorf("Unable to unescape target host: %v", err)
logrus.Errorf("unable to unescape target host: %v", err)
}
rp.AuthURLHandler(func() string {
id := uuid.New().String()
@ -99,7 +99,7 @@ func configureGithubOauth(cfg *OauthConfig, tls bool) error {
})
s, err := t.SignedString(key)
if err != nil {
logrus.Errorf("Unable to sign intermediate JWT: %v", err)
logrus.Errorf("unable to sign intermediate JWT: %v", err)
}
return s
}, party, rp.WithURLParam("access_type", "offline"))(w, r)
@ -121,7 +121,7 @@ func configureGithubOauth(cfg *OauthConfig, tls bool) error {
req.Header.Add("Authorization", fmt.Sprintf("Bearer %s", tokens.AccessToken))
resp, err := http.DefaultClient.Do(req)
if err != nil {
logrus.Error("Error getting user info from github: " + err.Error() + "\n")
logrus.Errorf("error getting user info from github: %v", err)
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
@ -130,14 +130,14 @@ func configureGithubOauth(cfg *OauthConfig, tls bool) error {
}()
response, err := io.ReadAll(resp.Body)
if err != nil {
logrus.Errorf("Error reading response body: %v", err)
logrus.Errorf("error reading response body: %v", err)
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
var rDat []githubUserResp
err = json.Unmarshal(response, &rDat)
if err != nil {
logrus.Errorf("Error unmarshalling google oauth response: %v", err)
logrus.Errorf("error unmarshalling google oauth response: %v", err)
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
@ -165,8 +165,7 @@ func configureGithubOauth(cfg *OauthConfig, tls bool) error {
} else {
authCheckInterval = i
}
SetZrokCookie(w, cfg.CookieDomain, primaryEmail, tokens.AccessToken, "github", authCheckInterval, key)
SetZrokCookie(w, cfg.CookieDomain, primaryEmail, tokens.AccessToken, "github", authCheckInterval, key, token.Claims.(*IntermediateJWT).Host)
http.Redirect(w, r, fmt.Sprintf("%s://%s", scheme, token.Claims.(*IntermediateJWT).Host), http.StatusFound)
}

View File

@ -78,7 +78,7 @@ func configureGoogleOauth(cfg *OauthConfig, tls bool) error {
return func(w http.ResponseWriter, r *http.Request) {
host, err := url.QueryUnescape(r.URL.Query().Get("targethost"))
if err != nil {
logrus.Errorf("Unable to unescape target host: %v", err)
logrus.Errorf("unable to unescape target host: %v", err)
}
rp.AuthURLHandler(func() string {
id := uuid.New().String()
@ -97,7 +97,7 @@ func configureGoogleOauth(cfg *OauthConfig, tls bool) error {
})
s, err := t.SignedString(key)
if err != nil {
logrus.Errorf("Unable to sign intermediate JWT: %v", err)
logrus.Errorf("unable to sign intermediate JWT: %v", err)
}
return s
}, party, rp.WithURLParam("access_type", "offline"))(w, r)
@ -108,7 +108,7 @@ func configureGoogleOauth(cfg *OauthConfig, tls bool) error {
getEmail := func(w http.ResponseWriter, r *http.Request, tokens *oidc.Tokens[*oidc.IDTokenClaims], state string, rp rp.RelyingParty) {
resp, err := http.Get("https://www.googleapis.com/oauth2/v2/userinfo?access_token=" + url.QueryEscape(tokens.AccessToken))
if err != nil {
logrus.Error("Error getting user info from google: " + err.Error() + "\n")
logrus.Errorf("error getting user info from google: %v", err)
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
@ -117,15 +117,15 @@ func configureGoogleOauth(cfg *OauthConfig, tls bool) error {
}()
response, err := io.ReadAll(resp.Body)
if err != nil {
logrus.Errorf("Error reading response body: %v", err)
logrus.Errorf("error reading response body: %v", err)
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
logrus.Infof("Response from google userinfo endpoint: %s", string(response))
logrus.Infof("response from google userinfo endpoint: %s", string(response))
rDat := googleOauthEmailResp{}
err = json.Unmarshal(response, &rDat)
if err != nil {
logrus.Errorf("Error unmarshalling google oauth response: %v", err)
logrus.Errorf("error unmarshalling google oauth response: %v", err)
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
@ -145,8 +145,7 @@ func configureGoogleOauth(cfg *OauthConfig, tls bool) error {
} else {
authCheckInterval = i
}
SetZrokCookie(w, cfg.CookieDomain, rDat.Email, tokens.AccessToken, "google", authCheckInterval, key)
SetZrokCookie(w, cfg.CookieDomain, rDat.Email, tokens.AccessToken, "google", authCheckInterval, key, token.Claims.(*IntermediateJWT).Host)
http.Redirect(w, r, fmt.Sprintf("%s://%s", scheme, token.Claims.(*IntermediateJWT).Host), http.StatusFound)
}

View File

@ -211,7 +211,7 @@ func authHandler(handler http.Handler, pcfg *Config, key []byte, ctx ziti.Contex
if provider, found := oauthCfg.(map[string]interface{})["provider"]; found {
var authCheckInterval time.Duration
if checkInterval, found := oauthCfg.(map[string]interface{})["authorization_check_interval"]; !found {
logrus.Errorf("Missing authorization check interval in share config. Defaulting to 3 hours")
logrus.Errorf("missing authorization check interval in share config. Defaulting to 3 hours")
authCheckInterval = 3 * time.Hour
} else {
i, err := time.ParseDuration(checkInterval.(string))
@ -253,6 +253,12 @@ func authHandler(handler http.Handler, pcfg *Config, key []byte, ctx ziti.Contex
oauthLoginRequired(w, r, pcfg.Oauth, provider.(string), target, authCheckInterval)
return
}
if claims.Audience != r.Host {
logrus.Errorf("audience claim '%s' does not match requested host '%s'; restarting auth flow", claims.Audience, r.Host)
oauthLoginRequired(w, r, pcfg.Oauth, provider.(string), target, authCheckInterval)
return
}
if validDomains, found := oauthCfg.(map[string]interface{})["email_domains"]; found {
if castedDomains, ok := validDomains.([]interface{}); !ok {
logrus.Error("invalid email domain format")
@ -313,15 +319,26 @@ type ZrokClaims struct {
Email string `json:"email"`
AccessToken string `json:"accessToken"`
Provider string `json:"provider"`
Audience string `json:"aud"`
AuthorizationCheckInterval time.Duration `json:"authorizationCheckInterval"`
jwt.RegisteredClaims
}
func SetZrokCookie(w http.ResponseWriter, domain, email, accessToken, provider string, checkInterval time.Duration, key []byte) {
func SetZrokCookie(w http.ResponseWriter, cookieDomain, email, accessToken, provider string, checkInterval time.Duration, key []byte, targetHost string) {
targetHost = strings.TrimSpace(targetHost)
if targetHost == "" {
logrus.Error("host claim must not be empty")
http.Error(w, "host claim must not be empty", http.StatusBadRequest)
return
}
targetHost = strings.Split(targetHost, "/")[0]
logrus.Debugf("setting zrok-access cookie JWT audience '%s'", targetHost)
tkn := jwt.NewWithClaims(jwt.SigningMethodHS256, ZrokClaims{
Email: email,
AccessToken: accessToken,
Provider: provider,
Audience: targetHost,
AuthorizationCheckInterval: checkInterval,
})
sTkn, err := tkn.SignedString(key)
@ -334,10 +351,12 @@ func SetZrokCookie(w http.ResponseWriter, domain, email, accessToken, provider s
Name: "zrok-access",
Value: sTkn,
MaxAge: int(checkInterval.Seconds()),
Domain: domain,
Domain: cookieDomain,
Path: "/",
Expires: time.Now().Add(checkInterval),
//Secure: true, //When tls gets added have this be configured on if tls
// Secure: true, // pending server tls feature https://github.com/openziti/zrok/issues/24
HttpOnly: true, // enabled because zrok frontend is the only intended consumer of this cookie, not client-side scripts
SameSite: http.SameSiteLaxMode, // explicitly set to the default Lax mode which allows the zrok share to be navigated to from another site and receive the cookie
})
}

View File

@ -1,16 +1,20 @@
from setuptools import setup, find_packages # noqa: H301
import os
NAME = "zrok_sdk"
VERSION = "0.4.0.dev"
try:
VERSION = os.environ['ZROK_VERSION']
except KeyError:
pass
from setuptools import find_packages, setup # noqa: H301
# optionally upload to TestPyPi with alternative name in testing repo
NAME = os.getenv('ZROK_PY_NAME', "zrok_sdk")
# inherit zrok version from environment or default to dev version
VERSION = os.getenv('ZROK_VERSION', "0.4.0.dev")
# To install the library, run the following
#
# python setup.py install
#
# or
#
# pip install --editable .
#
# prerequisite: setuptools
# http://pypi.python.org/pypi/setuptools