generalized implementation of public/private share (#34)

cmd/zrok/reserve.go

@@ -3,7 +3,6 @@ package main
 import (
 	httptransport "github.com/go-openapi/runtime/client"
 	"github.com/openziti/zrok/environment"
-	"github.com/openziti/zrok/model"
 	"github.com/openziti/zrok/rest_client_zrok/share"
 	"github.com/openziti/zrok/rest_model_zrok"
 	"github.com/openziti/zrok/sdk"
@@ -87,7 +86,7 @@ func (cmd *reserveCommand) run(_ *cobra.Command, args []string) {
 		ShareMode:            string(shareMode),
 		BackendMode:          cmd.backendMode,
 		BackendProxyEndpoint: target,
-		AuthScheme:           string(model.None),
+		AuthScheme:           string(sdk.None),
 		Reserved:             true,
 	}
 	if shareMode == sdk.PublicShareMode {
@@ -95,7 +94,7 @@ func (cmd *reserveCommand) run(_ *cobra.Command, args []string) {
 	}
 	if len(cmd.basicAuth) > 0 {
 		logrus.Infof("configuring basic auth")
-		req.Body.AuthScheme = string(model.Basic)
+		req.Body.AuthScheme = string(sdk.Basic)
 		for _, pair := range cmd.basicAuth {
 			tokens := strings.Split(pair, ":")
 			if len(tokens) == 2 {

cmd/zrok/sharePrivate.go

@@ -10,7 +10,6 @@ import (
 	"github.com/openziti/zrok/endpoints/tcpTunnel"
 	"github.com/openziti/zrok/endpoints/udpTunnel"
 	"github.com/openziti/zrok/environment"
-	"github.com/openziti/zrok/model"
 	"github.com/openziti/zrok/rest_client_zrok"
 	"github.com/openziti/zrok/rest_client_zrok/share"
 	"github.com/openziti/zrok/rest_model_zrok"
@@ -114,11 +113,11 @@ func (cmd *sharePrivateCommand) run(_ *cobra.Command, args []string) {
 		ShareMode:            string(sdk.PrivateShareMode),
 		BackendMode:          cmd.backendMode,
 		BackendProxyEndpoint: target,
-		AuthScheme:           string(model.None),
+		AuthScheme:           string(sdk.None),
 	}
 	if len(cmd.basicAuth) > 0 {
 		logrus.Infof("configuring basic auth")
-		req.Body.AuthScheme = string(model.Basic)
+		req.Body.AuthScheme = string(sdk.Basic)
 		for _, pair := range cmd.basicAuth {
 			tokens := strings.Split(pair, ":")
 			if len(tokens) == 2 {

cmd/zrok/sharePublic.go

@@ -8,7 +8,6 @@ import (
 	"github.com/openziti/zrok/endpoints"
 	"github.com/openziti/zrok/endpoints/proxy"
 	"github.com/openziti/zrok/environment"
-	"github.com/openziti/zrok/model"
 	"github.com/openziti/zrok/rest_client_zrok"
 	"github.com/openziti/zrok/rest_client_zrok/share"
 	"github.com/openziti/zrok/rest_model_zrok"
@@ -109,11 +108,11 @@ func (cmd *sharePublicCommand) run(_ *cobra.Command, args []string) {
 		FrontendSelection:    cmd.frontendSelection,
 		BackendMode:          cmd.backendMode,
 		BackendProxyEndpoint: target,
-		AuthScheme:           string(model.None),
+		AuthScheme:           string(sdk.None),
 	}
 	if len(cmd.basicAuth) > 0 {
 		logrus.Infof("configuring basic auth")
-		req.Body.AuthScheme = string(model.Basic)
+		req.Body.AuthScheme = string(sdk.Basic)
 		for _, pair := range cmd.basicAuth {
 			tokens := strings.Split(pair, ":")
 			if len(tokens) == 2 {

cmd/zrok/testLoopPublic.go

@@ -10,7 +10,6 @@ import (
 	"github.com/openziti/sdk-golang/ziti/edge"
 	"github.com/openziti/zrok/environment"
 	"github.com/openziti/zrok/environment/env_core"
-	"github.com/openziti/zrok/model"
 	"github.com/openziti/zrok/rest_client_zrok"
 	"github.com/openziti/zrok/rest_client_zrok/share"
 	"github.com/openziti/zrok/rest_model_zrok"
@@ -203,7 +202,7 @@ func (l *looper) startup() {
 		FrontendSelection:    l.cmd.frontendSelection,
 		BackendMode:          string(sdk.ProxyBackendMode),
 		BackendProxyEndpoint: fmt.Sprintf("looper#%d", l.id),
-		AuthScheme:           string(model.None),
+		AuthScheme:           string(sdk.None),
 	}
 	tunnelReq.SetTimeout(60 * time.Second)
 	tunnelResp, err := l.zrok.Share.Share(tunnelReq, l.auth)

controller/bootstrap.go

@@ -15,7 +15,7 @@ import (
 	"github.com/openziti/zrok/controller/store"
 	"github.com/openziti/zrok/controller/zrokEdgeSdk"
 	"github.com/openziti/zrok/environment"
-	"github.com/openziti/zrok/model"
+	"github.com/openziti/zrok/sdk"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"time"
@@ -85,7 +85,7 @@ func Bootstrap(skipFrontend bool, inCfg *config.Config) error {
 }
 
 func assertZrokProxyConfigType(edge *rest_management_api_client.ZitiEdgeManagement) error {
-	filter := fmt.Sprintf("name=\"%v\"", model.ZrokProxyConfig)
+	filter := fmt.Sprintf("name=\"%v\"", sdk.ZrokProxyConfig)
 	limit := int64(100)
 	offset := int64(0)
 	listReq := &restMgmtEdgeConfig.ListConfigTypesParams{
@@ -100,7 +100,7 @@ func assertZrokProxyConfigType(edge *rest_management_api_client.ZitiEdgeManageme
 		return err
 	}
 	if len(listResp.Payload.Data) < 1 {
-		name := model.ZrokProxyConfig
+		name := sdk.ZrokProxyConfig
 		ct := &restModelEdge.ConfigTypeCreate{Name: &name}
 		createReq := &restMgmtEdgeConfig.CreateConfigTypeParams{ConfigType: ct}
 		createReq.SetTimeout(30 * time.Second)
@@ -108,11 +108,11 @@ func assertZrokProxyConfigType(edge *rest_management_api_client.ZitiEdgeManageme
 		if err != nil {
 			return err
 		}
-		logrus.Infof("created '%v' config type with id '%v'", model.ZrokProxyConfig, createResp.Payload.Data.ID)
+		logrus.Infof("created '%v' config type with id '%v'", sdk.ZrokProxyConfig, createResp.Payload.Data.ID)
 	} else if len(listResp.Payload.Data) > 1 {
-		return errors.Errorf("found %d '%v' config types; expected 0 or 1", len(listResp.Payload.Data), model.ZrokProxyConfig)
+		return errors.Errorf("found %d '%v' config types; expected 0 or 1", len(listResp.Payload.Data), sdk.ZrokProxyConfig)
 	} else {
-		logrus.Infof("found '%v' config type with id '%v'", model.ZrokProxyConfig, *(listResp.Payload.Data[0].ID))
+		logrus.Infof("found '%v' config type with id '%v'", sdk.ZrokProxyConfig, *(listResp.Payload.Data[0].ID))
 	}
 	return nil
 }

controller/sharePrivate.go

@@ -3,8 +3,8 @@ package controller
 import (
 	"github.com/openziti/edge-api/rest_management_api_client"
 	"github.com/openziti/zrok/controller/zrokEdgeSdk"
-	"github.com/openziti/zrok/model"
 	"github.com/openziti/zrok/rest_server_zrok/operations/share"
+	"github.com/openziti/zrok/sdk"
 )
 
 type privateResourceAllocator struct{}
@@ -14,9 +14,9 @@ func newPrivateResourceAllocator() *privateResourceAllocator {
 }
 
 func (a *privateResourceAllocator) allocate(envZId, shrToken string, params share.ShareParams, edge *rest_management_api_client.ZitiEdgeManagement) (shrZId string, frontendEndpoints []string, err error) {
-	var authUsers []*model.AuthUser
+	var authUsers []*sdk.AuthUser
 	for _, authUser := range params.Body.AuthUsers {
-		authUsers = append(authUsers, &model.AuthUser{authUser.Username, authUser.Password})
+		authUsers = append(authUsers, &sdk.AuthUser{authUser.Username, authUser.Password})
 	}
 	cfgZId, err := zrokEdgeSdk.CreateConfig(zrokProxyConfigId, envZId, shrToken, params.Body.AuthScheme, authUsers, edge)
 	if err != nil {

controller/sharePublic.go

@@ -3,8 +3,8 @@ package controller
 import (
 	"github.com/openziti/edge-api/rest_management_api_client"
 	"github.com/openziti/zrok/controller/zrokEdgeSdk"
-	"github.com/openziti/zrok/model"
 	"github.com/openziti/zrok/rest_server_zrok/operations/share"
+	"github.com/openziti/zrok/sdk"
 )
 
 type publicResourceAllocator struct{}
@@ -14,9 +14,9 @@ func newPublicResourceAllocator() *publicResourceAllocator {
 }
 
 func (a *publicResourceAllocator) allocate(envZId, shrToken string, frontendZIds, frontendTemplates []string, params share.ShareParams, edge *rest_management_api_client.ZitiEdgeManagement) (shrZId string, frontendEndpoints []string, err error) {
-	var authUsers []*model.AuthUser
+	var authUsers []*sdk.AuthUser
 	for _, authUser := range params.Body.AuthUsers {
-		authUsers = append(authUsers, &model.AuthUser{authUser.Username, authUser.Password})
+		authUsers = append(authUsers, &sdk.AuthUser{authUser.Username, authUser.Password})
 	}
 	cfgId, err := zrokEdgeSdk.CreateConfig(zrokProxyConfigId, envZId, shrToken, params.Body.AuthScheme, authUsers, edge)
 	if err != nil {

controller/startup.go

@@ -6,7 +6,7 @@ import (
 	"github.com/openziti/edge-api/rest_management_api_client"
 	"github.com/openziti/edge-api/rest_management_api_client/config"
 	"github.com/openziti/zrok/controller/zrokEdgeSdk"
-	"github.com/openziti/zrok/model"
+	"github.com/openziti/zrok/sdk"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"time"
@@ -36,7 +36,7 @@ func inspectZiti() error {
 }
 
 func findZrokProxyConfigType(edge *rest_management_api_client.ZitiEdgeManagement) error {
-	filter := fmt.Sprintf("name=\"%v\"", model.ZrokProxyConfig)
+	filter := fmt.Sprintf("name=\"%v\"", sdk.ZrokProxyConfig)
 	limit := int64(100)
 	offset := int64(0)
 	listReq := &config.ListConfigTypesParams{
@@ -53,7 +53,7 @@ func findZrokProxyConfigType(edge *rest_management_api_client.ZitiEdgeManagement
 	if len(listResp.Payload.Data) != 1 {
 		return errors.Errorf("expected 1 zrok proxy config type, found %d", len(listResp.Payload.Data))
 	}
-	logrus.Infof("found '%v' config type with id '%v'", model.ZrokProxyConfig, *(listResp.Payload.Data[0].ID))
+	logrus.Infof("found '%v' config type with id '%v'", sdk.ZrokProxyConfig, *(listResp.Payload.Data[0].ID))
 	zrokProxyConfigId = *(listResp.Payload.Data[0].ID)
 
 	return nil

controller/zrokEdgeSdk/config.go

@@ -6,23 +6,23 @@ import (
 	"github.com/openziti/edge-api/rest_management_api_client"
 	"github.com/openziti/edge-api/rest_management_api_client/config"
 	"github.com/openziti/edge-api/rest_model"
-	"github.com/openziti/zrok/model"
+	"github.com/openziti/zrok/sdk"
 	"github.com/sirupsen/logrus"
 	"time"
 )
 
-func CreateConfig(cfgTypeZId, envZId, shrToken string, authSchemeStr string, authUsers []*model.AuthUser, edge *rest_management_api_client.ZitiEdgeManagement) (cfgZId string, err error) {
+func CreateConfig(cfgTypeZId, envZId, shrToken string, authSchemeStr string, authUsers []*sdk.AuthUser, edge *rest_management_api_client.ZitiEdgeManagement) (cfgZId string, err error) {
-	authScheme, err := model.ParseAuthScheme(authSchemeStr)
+	authScheme, err := sdk.ParseAuthScheme(authSchemeStr)
 	if err != nil {
 		return "", err
 	}
-	cfg := &model.ProxyConfig{
+	cfg := &sdk.ProxyConfig{
 		AuthScheme: authScheme,
 	}
-	if cfg.AuthScheme == model.Basic {
+	if cfg.AuthScheme == sdk.Basic {
-		cfg.BasicAuth = &model.BasicAuth{}
+		cfg.BasicAuth = &sdk.BasicAuth{}
 		for _, authUser := range authUsers {
-			cfg.BasicAuth.Users = append(cfg.BasicAuth.Users, &model.AuthUser{Username: authUser.Username, Password: authUser.Password})
+			cfg.BasicAuth.Users = append(cfg.BasicAuth.Users, &sdk.AuthUser{Username: authUser.Username, Password: authUser.Password})
 		}
 	}
 	cfgCrt := &rest_model.ConfigCreate{

endpoints/proxy/frontend.go

@@ -7,7 +7,7 @@ import (
 	"github.com/openziti/zrok/endpoints"
 	"github.com/openziti/zrok/endpoints/publicProxy/notFoundUi"
 	"github.com/openziti/zrok/environment"
-	"github.com/openziti/zrok/model"
+	"github.com/openziti/zrok/sdk"
 	"github.com/openziti/zrok/util"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -52,7 +52,7 @@ func NewFrontend(cfg *FrontendConfig) (*Frontend, error) {
 	if err != nil {
 		return nil, errors.Wrap(err, "error loading config")
 	}
-	zCfg.ConfigTypes = []string{model.ZrokProxyConfig}
+	zCfg.ConfigTypes = []string{sdk.ZrokProxyConfig}
 	zCtx, err := ziti.NewContext(zCfg)
 	if err != nil {
 		return nil, errors.Wrap(err, "error loading ziti context")
@@ -121,7 +121,7 @@ func serviceTargetProxy(cfg *FrontendConfig, ctx ziti.Context) *httputil.Reverse
 	director := func(req *http.Request) {
 		targetShrToken := cfg.ShrToken
 		if svc, found := endpoints.GetRefreshedService(targetShrToken, ctx); found {
-			if cfg, found := svc.Config[model.ZrokProxyConfig]; found {
+			if cfg, found := svc.Config[sdk.ZrokProxyConfig]; found {
 				logrus.Debugf("auth model: %v", cfg)
 			} else {
 				logrus.Warn("no config!")
@@ -153,15 +153,15 @@ func serviceTargetProxy(cfg *FrontendConfig, ctx ziti.Context) *httputil.Reverse
 func authHandler(shrToken string, handler http.Handler, realm string, cfg *FrontendConfig, ctx ziti.Context) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		if svc, found := endpoints.GetRefreshedService(shrToken, ctx); found {
-			if cfg, found := svc.Config[model.ZrokProxyConfig]; found {
+			if cfg, found := svc.Config[sdk.ZrokProxyConfig]; found {
 				if scheme, found := cfg["auth_scheme"]; found {
 					switch scheme {
-					case string(model.None):
+					case string(sdk.None):
 						logrus.Debugf("auth scheme none '%v'", shrToken)
 						handler.ServeHTTP(w, r)
 						return
 
-					case string(model.Basic):
+					case string(sdk.Basic):
 						logrus.Debugf("auth scheme basic '%v", shrToken)
 						inUser, inPass, ok := r.BasicAuth()
 						if !ok {

endpoints/publicProxy/http.go

@@ -8,7 +8,7 @@ import (
 	"github.com/openziti/zrok/endpoints/publicProxy/healthUi"
 	"github.com/openziti/zrok/endpoints/publicProxy/notFoundUi"
 	"github.com/openziti/zrok/environment"
-	"github.com/openziti/zrok/model"
+	"github.com/openziti/zrok/sdk"
 	"github.com/openziti/zrok/util"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
@@ -38,7 +38,7 @@ func NewHTTP(cfg *Config) (*httpFrontend, error) {
 	if err != nil {
 		return nil, errors.Wrap(err, "error loading config")
 	}
-	zCfg.ConfigTypes = []string{model.ZrokProxyConfig}
+	zCfg.ConfigTypes = []string{sdk.ZrokProxyConfig}
 	zCtx, err := ziti.NewContext(zCfg)
 	if err != nil {
 		return nil, errors.Wrap(err, "error loading ziti context")
@@ -99,7 +99,7 @@ func hostTargetReverseProxy(cfg *Config, ctx ziti.Context) *httputil.ReverseProx
 	director := func(req *http.Request) {
 		targetShrToken := resolveService(cfg.HostMatch, req.Host)
 		if svc, found := endpoints.GetRefreshedService(targetShrToken, ctx); found {
-			if cfg, found := svc.Config[model.ZrokProxyConfig]; found {
+			if cfg, found := svc.Config[sdk.ZrokProxyConfig]; found {
 				logrus.Debugf("auth model: %v", cfg)
 			} else {
 				logrus.Warn("no config!")
@@ -133,15 +133,15 @@ func authHandler(handler http.Handler, realm string, cfg *Config, ctx ziti.Conte
 		shrToken := resolveService(cfg.HostMatch, r.Host)
 		if shrToken != "" {
 			if svc, found := endpoints.GetRefreshedService(shrToken, ctx); found {
-				if cfg, found := svc.Config[model.ZrokProxyConfig]; found {
+				if cfg, found := svc.Config[sdk.ZrokProxyConfig]; found {
 					if scheme, found := cfg["auth_scheme"]; found {
 						switch scheme {
-						case string(model.None):
+						case string(sdk.None):
 							logrus.Debugf("auth scheme none '%v'", shrToken)
 							handler.ServeHTTP(w, r)
 							return
 
-						case string(model.Basic):
+						case string(sdk.Basic):
 							logrus.Debugf("auth scheme basic '%v", shrToken)
 							inUser, inPass, ok := r.BasicAuth()
 							if !ok {

endpoints/tcpTunnel/frontend.go

@@ -4,7 +4,7 @@ import (
 	"github.com/openziti/sdk-golang/ziti"
 	"github.com/openziti/zrok/endpoints"
 	"github.com/openziti/zrok/environment"
-	"github.com/openziti/zrok/model"
+	"github.com/openziti/zrok/sdk"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"net"
@@ -41,7 +41,7 @@ func NewFrontend(cfg *FrontendConfig) (*Frontend, error) {
 	if err != nil {
 		return nil, errors.Wrap(err, "error loading config")
 	}
-	zCfg.ConfigTypes = []string{model.ZrokProxyConfig}
+	zCfg.ConfigTypes = []string{sdk.ZrokProxyConfig}
 	zCtx, err := ziti.NewContext(zCfg)
 	if err != nil {
 		return nil, errors.Wrap(err, "error loading ziti context")

endpoints/udpTunnel/frontend.go

@@ -4,7 +4,7 @@ import (
 	"github.com/openziti/sdk-golang/ziti"
 	"github.com/openziti/zrok/endpoints"
 	"github.com/openziti/zrok/environment"
-	"github.com/openziti/zrok/model"
+	"github.com/openziti/zrok/sdk"
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
 	"net"
@@ -111,7 +111,7 @@ func NewFrontend(cfg *FrontendConfig) (*Frontend, error) {
 	if err != nil {
 		return nil, errors.Wrap(err, "error loading config")
 	}
-	zCfg.ConfigTypes = []string{model.ZrokProxyConfig}
+	zCfg.ConfigTypes = []string{sdk.ZrokProxyConfig}
 	zCtx, err := ziti.NewContext(zCfg)
 	if err != nil {
 		return nil, errors.Wrap(err, "error loading ziti context")

model/metrics.go

@@ -1,12 +0,0 @@
-package model
-
-type Metrics struct {
-	Namespace string
-	Sessions  map[string]SessionMetrics
-}
-
-type SessionMetrics struct {
-	BytesRead    int64
-	BytesWritten int64
-	LastUpdate   int64
-}

sdk/config.go

@@ -1,16 +1,9 @@
-package model
+package sdk
 
 import "github.com/pkg/errors"
 
 const ZrokProxyConfig = "zrok.proxy.v1"
 
-type AuthScheme string
-
-const (
-	None  AuthScheme = "none"
-	Basic AuthScheme = "basic"
-)
-
 type ProxyConfig struct {
 	AuthScheme AuthScheme `json:"auth_scheme"`
 	BasicAuth  *BasicAuth `json:"basic_auth"`

sdk/model.go

@@ -19,5 +19,25 @@ const (
 type ShareRequest struct {
 	BackendMode BackendMode
 	ShareMode   ShareMode
+	Frontends   []string
+	Auth        []string
 	Target      string
 }
+
+type Metrics struct {
+	Namespace string
+	Sessions  map[string]SessionMetrics
+}
+
+type SessionMetrics struct {
+	BytesRead    int64
+	BytesWritten int64
+	LastUpdate   int64
+}
+
+type AuthScheme string
+
+const (
+	None  AuthScheme = "none"
+	Basic AuthScheme = "basic"
+)

sdk/share.go

@@ -1,28 +1,108 @@
 package sdk
 
 import (
+	httptransport "github.com/go-openapi/runtime/client"
+	"github.com/openziti/zrok/environment/env_core"
+	"github.com/openziti/zrok/rest_client_zrok/share"
+	"github.com/openziti/zrok/rest_model_zrok"
 	"github.com/pkg/errors"
+	"strings"
 )
 
 type Share struct {
 	Token string
 }
 
-func NewShare(request *ShareRequest) (*Share, error) {
+func CreateShare(root env_core.Root, request *ShareRequest) (*Share, error) {
 	switch request.ShareMode {
 	case PrivateShareMode:
-		return newPrivateShare(request)
+		return newPrivateShare(root, request)
 	case PublicShareMode:
-		return newPublicShare(request)
+		return newPublicShare(root, request)
 	default:
 		return nil, errors.Errorf("unknown share mode '%v'", request.ShareMode)
 	}
 }
 
-func newPrivateShare(request *ShareRequest) (*Share, error) {
+func newPrivateShare(root env_core.Root, request *ShareRequest) (*Share, error) {
-	return nil, nil
+	req := share.NewShareParams()
+	req.Body = &rest_model_zrok.ShareRequest{
+		EnvZID:               root.Environment().ZitiIdentity,
+		ShareMode:            string(request.ShareMode),
+		BackendMode:          string(request.BackendMode),
+		BackendProxyEndpoint: request.Target,
+		AuthScheme:           string(None),
+	}
+	if len(request.Auth) > 0 {
+		req.Body.AuthScheme = string(Basic)
+		for _, pair := range request.Auth {
+			tokens := strings.Split(pair, ":")
+			if len(tokens) == 2 {
+				req.Body.AuthUsers = append(req.Body.AuthUsers, &rest_model_zrok.AuthUser{Username: strings.TrimSpace(tokens[0]), Password: strings.TrimSpace(tokens[1])})
+			} else {
+				return nil, errors.Errorf("invalid username:password pair '%v'", pair)
+			}
+		}
+	}
+	zrok, err := root.Client()
+	if err != nil {
+		return nil, errors.Wrap(err, "error getting zrok client")
+	}
+	auth := httptransport.APIKeyAuth("X-TOKEN", "header", root.Environment().Token)
+	resp, err := zrok.Share.Share(req, auth)
+	if err != nil {
+		return nil, errors.Wrap(err, "unable to create share")
+	}
+	return &Share{Token: resp.Payload.ShrToken}, nil
 }
 
-func newPublicShare(request *ShareRequest) (*Share, error) {
+func newPublicShare(root env_core.Root, request *ShareRequest) (*Share, error) {
-	return nil, nil
+	req := share.NewShareParams()
+	req.Body = &rest_model_zrok.ShareRequest{
+		EnvZID:               root.Environment().ZitiIdentity,
+		ShareMode:            string(request.ShareMode),
+		FrontendSelection:    request.Frontends,
+		BackendMode:          string(request.BackendMode),
+		BackendProxyEndpoint: request.Target,
+		AuthScheme:           string(None),
+	}
+	if len(request.Auth) > 0 {
+		req.Body.AuthScheme = string(Basic)
+		for _, pair := range request.Auth {
+			tokens := strings.Split(pair, ":")
+			if len(tokens) == 2 {
+				req.Body.AuthUsers = append(req.Body.AuthUsers, &rest_model_zrok.AuthUser{Username: strings.TrimSpace(tokens[0]), Password: strings.TrimSpace(tokens[1])})
+			} else {
+				return nil, errors.Errorf("invalid username:password pair '%v'", pair)
+			}
+		}
+	}
+	zrok, err := root.Client()
+	if err != nil {
+		return nil, errors.Wrap(err, "error getting zrok client")
+	}
+	auth := httptransport.APIKeyAuth("X-TOKEN", "header", root.Environment().Token)
+	resp, err := zrok.Share.Share(req, auth)
+	if err != nil {
+		return nil, errors.Wrap(err, "unable to create share")
+	}
+	return &Share{Token: resp.Payload.ShrToken}, nil
+}
+
+func DeleteShare(root env_core.Root, shrToken string) error {
+	req := share.NewUnshareParams()
+	req.Body = &rest_model_zrok.UnshareRequest{
+		EnvZID:   root.Environment().ZitiIdentity,
+		ShrToken: shrToken,
+	}
+	zrok, err := root.Client()
+	if err != nil {
+		return errors.Wrap(err, "error getting zrok client")
+	}
+	auth := httptransport.APIKeyAuth("X-TOKEN", "header", root.Environment().Token)
+	_, err = zrok.Share.Unshare(req, auth)
+	if err != nil {
+		return errors.Wrap(err, "error deleting share")
+	}
+	return nil
 }