Skip to content

Commit

Permalink
Merge pull request #2443 from openziti/auth-events
Browse files Browse the repository at this point in the history
auth events
  • Loading branch information
plorenz authored Sep 30, 2024
2 parents 76dbab8 + 694b9dc commit edcb40e
Show file tree
Hide file tree
Showing 13 changed files with 93 additions and 37 deletions.
11 changes: 11 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,17 @@

## Component Updates and Bug Fixes

* github.com/openziti/edge-api: [v0.26.30 -> v0.26.31](https://github.com/openziti/edge-api/compare/v0.26.30...v0.26.31)
* github.com/openziti/jwks: [v1.0.5 -> v1.0.6](https://github.com/openziti/jwks/compare/v1.0.5...v1.0.6)
* github.com/openziti/ziti: [v1.1.13 -> v1.1.14](https://github.com/openziti/ziti/compare/v1.1.13...v1.1.14)
* [Issue #2119](https://github.com/openziti/ziti/issues/2119) - Add authentication events
* [Issue #2424](https://github.com/openziti/ziti/issues/2424) - Enabling any health check causes WARNING to be logged
* [Issue #2454](https://github.com/openziti/ziti/issues/2454) - Fix release archive
* [Issue #1479](https://github.com/openziti/ziti/issues/1479) - ziti edge list ... show paginated output but no suggestions on how to go to next page
* [Issue #1420](https://github.com/openziti/ziti/issues/1420) - ziti-cli comma+space causes unhelpful error
* [Issue #2207](https://github.com/openziti/ziti/issues/2207) - ziti edge login --token -- gets "username and password fields are required"
* [Issue #2444](https://github.com/openziti/ziti/issues/2444) - Change default semantic for policies created from the CLI from AllOf to AnyOf

* github.com/openziti/xweb/v2: [v2.1.2 -> v2.1.3](https://github.com/openziti/xweb/compare/v2.1.2...v2.1.3)
* [Issue #2454](https://github.com/openziti/ziti/issues/2454) - Fix release archive
* [Issue #2429](https://github.com/openziti/ziti/issues/2429) - Controller configurations without default Edge API binding panics
Expand Down
4 changes: 4 additions & 0 deletions controller/env/appenv.go
Original file line number Diff line number Diff line change
Expand Up @@ -258,6 +258,10 @@ func (ae *AppEnv) GetManagers() *model.Managers {
return ae.Managers
}

func (ae *AppEnv) GetEventDispatcher() event.Dispatcher {
return ae.HostController.GetEventDispatcher()
}

func (ae *AppEnv) GetConfig() *config.Config {
return ae.HostController.GetConfig()
}
Expand Down
6 changes: 6 additions & 0 deletions controller/event/api_session.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,12 +23,18 @@ import (

const ApiSessionEventTypeCreated = "created"
const ApiSessionEventTypeDeleted = "deleted"
const ApiSessionEventTypeRefreshed = "refreshed"
const ApiSessionEventTypeExchanged = "exchanged"
const ApiSessionEventNS = "edge.apiSessions"

const ApiSessionTypeLegacy = "legacy"
const ApiSessionTypeJwt = "jwt"

type ApiSessionEvent struct {
Namespace string `json:"namespace"`
EventType string `json:"event_type"`
Id string `json:"id"`
Type string `json:"type"`
Timestamp time.Time `json:"timestamp"`
Token string `json:"token"`
IdentityId string `json:"identity_id"`
Expand Down
1 change: 1 addition & 0 deletions controller/event/dispatcher.go
Original file line number Diff line number Diff line change
Expand Up @@ -124,6 +124,7 @@ type Dispatcher interface {
AddEntityCountEventHandler(handler EntityCountEventHandler, interval time.Duration, onlyLeaderEvents bool)
RemoveEntityCountEventHandler(handler EntityCountEventHandler)

ApiSessionEventHandler
CircuitEventHandler
EntityChangeEventHandler
LinkEventHandler
Expand Down
2 changes: 2 additions & 0 deletions controller/event/dispatcher_mock.go
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,8 @@ var _ Dispatcher = DispatcherMock{}

type DispatcherMock struct{}

func (d DispatcherMock) AcceptApiSessionEvent(event *ApiSessionEvent) {}

func (d DispatcherMock) AddApiSessionEventHandler(handler ApiSessionEventHandler) {}

func (d DispatcherMock) RemoveApiSessionEventHandler(handler ApiSessionEventHandler) {}
Expand Down
20 changes: 12 additions & 8 deletions controller/events/dispatcher_api_session.go
Original file line number Diff line number Diff line change
Expand Up @@ -48,36 +48,40 @@ func (self *Dispatcher) initApiSessionEvents(stores *db.Stores) {
stores.ApiSession.AddEntityEventListenerF(self.apiSessionDeleted, boltz.EntityDeleted)
}

func (self *Dispatcher) AcceptApiSessionEvent(evt *event.ApiSessionEvent) {
for _, handler := range self.apiSessionEventHandlers.Value() {
go handler.AcceptApiSessionEvent(evt)
}
}

func (self *Dispatcher) apiSessionCreated(apiSession *db.ApiSession) {
event := &event.ApiSessionEvent{
evt := &event.ApiSessionEvent{
Namespace: event.ApiSessionEventNS,
EventType: event.ApiSessionEventTypeCreated,
Id: apiSession.Id,
Type: event.ApiSessionTypeLegacy,
Timestamp: time.Now(),
Token: apiSession.Token,
IdentityId: apiSession.IdentityId,
IpAddress: apiSession.IPAddress,
}

for _, handler := range self.apiSessionEventHandlers.Value() {
go handler.AcceptApiSessionEvent(event)
}
self.AcceptApiSessionEvent(evt)
}

func (self *Dispatcher) apiSessionDeleted(apiSession *db.ApiSession) {
event := &event.ApiSessionEvent{
evt := &event.ApiSessionEvent{
Namespace: event.ApiSessionEventNS,
EventType: event.ApiSessionEventTypeDeleted,
Id: apiSession.Id,
Type: event.ApiSessionTypeLegacy,
Timestamp: time.Now(),
Token: apiSession.Token,
IdentityId: apiSession.IdentityId,
IpAddress: apiSession.IPAddress,
}

for _, handler := range self.apiSessionEventHandlers.Value() {
go handler.AcceptApiSessionEvent(event)
}
self.AcceptApiSessionEvent(evt)
}

func (self *Dispatcher) registerApiSessionEventHandler(val interface{}, config map[string]interface{}) error {
Expand Down
1 change: 1 addition & 0 deletions controller/model/env.go
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ import (
type Env interface {
GetCommandDispatcher() command.Dispatcher
GetManagers() *Managers
GetEventDispatcher() event.Dispatcher
GetConfig() *config.Config
GetDb() boltz.Db
GetStores() *db.Stores
Expand Down
4 changes: 4 additions & 0 deletions controller/model/testing.go
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,10 @@ type TestContext struct {
dispatcher command.Dispatcher
}

func (ctx *TestContext) GetEventDispatcher() event.Dispatcher {
panic("implement me")
}

func (self *TestContext) GetCloseNotifyChannel() <-chan struct{} {
return self.closeNotify
}
Expand Down
28 changes: 25 additions & 3 deletions controller/oidc_auth/storage.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ import (
"errors"
"fmt"
"github.com/openziti/foundation/v2/errorz"
"github.com/openziti/ziti/controller/event"
"gopkg.in/go-jose/go-jose.v2"
"net/http"
"strings"
Expand Down Expand Up @@ -393,7 +394,7 @@ func (s *HybridStorage) DeleteAuthRequest(_ context.Context, id string) error {

// CreateAccessToken implements the op.Storage interface
func (s *HybridStorage) CreateAccessToken(ctx context.Context, request op.TokenRequest) (string, time.Time, error) {
accessTokenId, accessClaims, err := s.createAccessToken(request)
accessTokenId, accessClaims, err := s.createAccessToken(ctx, request)

if err != nil {
return "", time.Time{}, err
Expand All @@ -411,7 +412,7 @@ func (s *HybridStorage) CreateAccessToken(ctx context.Context, request op.TokenR
}

// createAccessToken converts an op.TokenRequest into an access token
func (s *HybridStorage) createAccessToken(request op.TokenRequest) (string, *common.AccessClaims, error) {
func (s *HybridStorage) createAccessToken(ctx context.Context, request op.TokenRequest) (string, *common.AccessClaims, error) {
now := time.Now()

claims := &common.AccessClaims{
Expand All @@ -430,8 +431,11 @@ func (s *HybridStorage) createAccessToken(request op.TokenRequest) (string, *com
CustomClaims: common.CustomClaims{},
}

var eventType = "unhandled"

switch req := request.(type) {
case *AuthRequest:
eventType = event.ApiSessionEventTypeCreated
claims.CustomClaims.ApiSessionId = req.ApiSessionId
claims.CustomClaims.ApplicationId = req.ClientID
claims.CustomClaims.ConfigTypes = req.ConfigTypes
Expand All @@ -445,11 +449,13 @@ func (s *HybridStorage) createAccessToken(request op.TokenRequest) (string, *com
claims.AccessTokenClaims.AuthenticationMethodsReferences = req.GetAMR()
claims.ClientID = req.ClientID
case *RefreshTokenRequest:
eventType = event.ApiSessionEventTypeRefreshed
claims.CustomClaims = req.CustomClaims
claims.AuthTime = req.AuthTime
claims.AccessTokenClaims.AuthenticationMethodsReferences = req.GetAMR()
claims.ClientID = req.ClientID
case op.TokenExchangeRequest:
eventType = event.ApiSessionEventTypeExchanged
mapClaims := req.GetExchangeSubjectTokenClaims()
subjectClaims := &common.AccessClaims{}
if mapClaims != nil {
Expand Down Expand Up @@ -501,12 +507,28 @@ func (s *HybridStorage) createAccessToken(request op.TokenRequest) (string, *com
claims.CustomClaims.IsAdmin = identity.IsAdmin
claims.CustomClaims.ExternalId = stringz.OrEmpty(identity.ExternalId)

ipAddr := ""
if httpRequest, _ := HttpRequestFromContext(ctx); httpRequest != nil {
ipAddr = httpRequest.RemoteAddr
}

evt := &event.ApiSessionEvent{
Namespace: event.ApiSessionEventNS,
EventType: eventType,
Id: claims.ApiSessionId,
Type: event.ApiSessionTypeJwt,
Timestamp: time.Now(),
IdentityId: identity.Id,
IpAddress: ipAddr,
}
s.env.GetEventDispatcher().AcceptApiSessionEvent(evt)

return claims.JWTID, claims, nil
}

// CreateAccessAndRefreshTokens implements the op.Storage interface
func (s *HybridStorage) CreateAccessAndRefreshTokens(ctx context.Context, request op.TokenRequest, currentRefreshToken string) (accessTokenID string, newRefreshToken string, expiration time.Time, err error) {
accessTokenId, accessClaims, err := s.createAccessToken(request)
accessTokenId, accessClaims, err := s.createAccessToken(ctx, request)

if err != nil {
return "", "", time.Time{}, err
Expand Down
1 change: 1 addition & 0 deletions router/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -757,6 +757,7 @@ func LoadConfig(path string) (*Config, error) {
pfxlog.Logger().Warn("invalid [healthChecks.linkCheck] stanza")
}
}
} else {
pfxlog.Logger().Warn("invalid [healthChecks] stanza")
}
}
Expand Down
12 changes: 6 additions & 6 deletions zititest/go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ require (
github.com/michaelquigley/pfxlog v0.6.10
github.com/openziti/agent v1.0.18
github.com/openziti/channel/v3 v3.0.3
github.com/openziti/edge-api v0.26.30
github.com/openziti/edge-api v0.26.31
github.com/openziti/fablab v0.5.60
github.com/openziti/foundation/v2 v2.0.49
github.com/openziti/identity v1.0.85
Expand Down Expand Up @@ -80,7 +80,7 @@ require (
github.com/go-openapi/strfmt v0.23.0 // indirect
github.com/go-openapi/swag v0.23.0 // indirect
github.com/go-openapi/validate v0.24.0 // indirect
github.com/go-resty/resty/v2 v2.15.0 // indirect
github.com/go-resty/resty/v2 v2.15.3 // indirect
github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
github.com/golang/protobuf v1.5.4 // indirect
github.com/gomarkdown/markdown v0.0.0-20230922112808-5421fefb8386 // indirect
Expand Down Expand Up @@ -182,11 +182,11 @@ require (
github.com/xeipuuv/gojsonschema v1.2.0 // indirect
github.com/yusufpapurcu/wmi v1.2.4 // indirect
github.com/zitadel/oidc/v2 v2.12.2 // indirect
go.mongodb.org/mongo-driver v1.16.1 // indirect
go.mongodb.org/mongo-driver v1.17.0 // indirect
go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 // indirect
go.opentelemetry.io/otel v1.29.0 // indirect
go.opentelemetry.io/otel/metric v1.29.0 // indirect
go.opentelemetry.io/otel/trace v1.29.0 // indirect
go.opentelemetry.io/otel v1.30.0 // indirect
go.opentelemetry.io/otel/metric v1.30.0 // indirect
go.opentelemetry.io/otel/trace v1.30.0 // indirect
go.uber.org/atomic v1.9.0 // indirect
go.uber.org/multierr v1.9.0 // indirect
go4.org v0.0.0-20180809161055-417644f6feb5 // indirect
Expand Down
24 changes: 12 additions & 12 deletions zititest/go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -245,8 +245,8 @@ github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+Gr
github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
github.com/go-openapi/validate v0.24.0 h1:LdfDKwNbpB6Vn40xhTdNZAnfLECL81w+VX3BumrGD58=
github.com/go-openapi/validate v0.24.0/go.mod h1:iyeX1sEufmv3nPbBdX3ieNviWnOZaJ1+zquzJEf2BAQ=
github.com/go-resty/resty/v2 v2.15.0 h1:clPQLZ2x9h4yGY81IzpMPnty+xoGyFaDg0XMkCsHf90=
github.com/go-resty/resty/v2 v2.15.0/go.mod h1:0fHAoK7JoBy/Ch36N8VFeMsK7xQOHhvWaC3iOktwmIU=
github.com/go-resty/resty/v2 v2.15.3 h1:bqff+hcqAflpiF591hhJzNdkRsFhlB96CYfBwSFvql8=
github.com/go-resty/resty/v2 v2.15.3/go.mod h1:0fHAoK7JoBy/Ch36N8VFeMsK7xQOHhvWaC3iOktwmIU=
github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
Expand Down Expand Up @@ -598,8 +598,8 @@ github.com/openziti/cobra-to-md v1.0.1 h1:WRinNoIRmwWUSJm+pSNXMjOrtU48oxXDZgeCYQ
github.com/openziti/cobra-to-md v1.0.1/go.mod h1:FjCpk/yzHF7/r28oSTNr5P57yN5VolpdAtS/g7KNi2c=
github.com/openziti/dilithium v0.3.5 h1:+envGNzxc3OyVPiuvtxivQmCsOjdZjtOMLpQBeMz7eM=
github.com/openziti/dilithium v0.3.5/go.mod h1:XONq1iK6te/WwNzkgZHfIDHordMPqb0hMwJ8bs9EfSk=
github.com/openziti/edge-api v0.26.30 h1:Zeit+UJbMhL8aJkcHKsq7XyRX2b7p/hBWL3nzo60gS8=
github.com/openziti/edge-api v0.26.30/go.mod h1:Ya4b6u+SmkqSU2HsWxahwhZ3g+aBqW8mzfm/OOSdCNM=
github.com/openziti/edge-api v0.26.31 h1:9XljIuZNhoPbiIicQYuxNyL7erpowZce3aOg1CkoxSo=
github.com/openziti/edge-api v0.26.31/go.mod h1:f5paewA+1G6JMZddYgXqA9Zp6BBXOJ1i4K42B+ET5ns=
github.com/openziti/fablab v0.5.60 h1:RsqrEb3LV6asK5N97uZKyNSDhcNOeDcAuT4OAD/hY9Y=
github.com/openziti/fablab v0.5.60/go.mod h1:B/ib+GOtozEIytv2aXSFl9+dL7AiGfbpGS/VjnNduU8=
github.com/openziti/foundation/v2 v2.0.49 h1:aQ5I/lMhkHQ6urhRpLwrWP+7YtoeUitCfY/wub+nOqo=
Expand Down Expand Up @@ -838,8 +838,8 @@ go.etcd.io/bbolt v1.3.11/go.mod h1:dksAq7YMXoljX0xu6VF5DMZGbhYYoLUalEiSySYAS4I=
go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs=
go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g=
go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ=
go.mongodb.org/mongo-driver v1.16.1 h1:rIVLL3q0IHM39dvE+z2ulZLp9ENZKThVfuvN/IiN4l8=
go.mongodb.org/mongo-driver v1.16.1/go.mod h1:oB6AhJQvFQL4LEHyXi6aJzQJtBiTQHiAd83l0GdFaiw=
go.mongodb.org/mongo-driver v1.17.0 h1:Hp4q2MCjvY19ViwimTs00wHi7G4yzxh4/2+nTx8r40k=
go.mongodb.org/mongo-driver v1.17.0/go.mod h1:wwWm/+BuOddhcq3n68LKRmgk2wXzmF6s0SFOa0GINL4=
go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352 h1:CCriYyAfq1Br1aIYettdHZTy8mBTIPo7We18TuO/bak=
go.mozilla.org/pkcs7 v0.0.0-20210826202110-33d05740a352/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk=
go.opencensus.io v0.18.0/go.mod h1:vKdFvxhtzZ9onBp9VKHK8z/sRpBMnKAsufL7wlDrCOA=
Expand All @@ -850,14 +850,14 @@ go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
go.opentelemetry.io/otel v1.29.0 h1:PdomN/Al4q/lN6iBJEN3AwPvUiHPMlt93c8bqTG5Llw=
go.opentelemetry.io/otel v1.29.0/go.mod h1:N/WtXPs1CNCUEx+Agz5uouwCba+i+bJGFicT8SR4NP8=
go.opentelemetry.io/otel/metric v1.29.0 h1:vPf/HFWTNkPu1aYeIsc98l4ktOQaL6LeSoeV2g+8YLc=
go.opentelemetry.io/otel/metric v1.29.0/go.mod h1:auu/QWieFVWx+DmQOUMgj0F8LHWdgalxXqvp7BII/W8=
go.opentelemetry.io/otel v1.30.0 h1:F2t8sK4qf1fAmY9ua4ohFS/K+FUuOPemHUIXHtktrts=
go.opentelemetry.io/otel v1.30.0/go.mod h1:tFw4Br9b7fOS+uEao81PJjVMjW/5fvNCbpsDIXqP0pc=
go.opentelemetry.io/otel/metric v1.30.0 h1:4xNulvn9gjzo4hjg+wzIKG7iNFEaBMX00Qd4QIZs7+w=
go.opentelemetry.io/otel/metric v1.30.0/go.mod h1:aXTfST94tswhWEb+5QjlSqG+cZlmyXy/u8jFpor3WqQ=
go.opentelemetry.io/otel/sdk v1.24.0 h1:YMPPDNymmQN3ZgczicBY3B6sf9n62Dlj9pWD3ucgoDw=
go.opentelemetry.io/otel/sdk v1.24.0/go.mod h1:KVrIYw6tEubO9E96HQpcmpTKDVn9gdv35HoYiQWGDFg=
go.opentelemetry.io/otel/trace v1.29.0 h1:J/8ZNK4XgR7a21DZUAsbF8pZ5Jcw1VhACmnYt39JTi4=
go.opentelemetry.io/otel/trace v1.29.0/go.mod h1:eHl3w0sp3paPkYstJOmAimxhiFXPg+MMTlEh3nsQgWQ=
go.opentelemetry.io/otel/trace v1.30.0 h1:7UBkkYzeg3C7kQX8VAidWh2biiQbtAKjyIML8dQ9wmc=
go.opentelemetry.io/otel/trace v1.30.0/go.mod h1:5EyKqTzzmyqB9bwtCCq6pDLktPK6fmGf/Dph+8VI02o=
go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
Expand Down
16 changes: 8 additions & 8 deletions zititest/models/smoke/configs/ctrl.yml.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -38,9 +38,9 @@ ctrl:
# connections. The value of newListener must be resolvable both via DNS and validate via certificates
#newListener: tls:localhost:6262

#events:
# jsonLogger:
# subscriptions:
events:
jsonLogger:
subscriptions:
# - type: fabric.routers
# - type: fabric.terminators
# - type: metrics
Expand All @@ -52,16 +52,16 @@ ctrl:
# - type: edge.sessions
# include:
# - created
# - type: edge.apiSessions
- type: edge.apiSessions
# - type: fabric.usage
# - type: services
# - type: fabric.usage
# - type: edge.entityCounts
# interval: 5s
# handler:
# type: file
# format: json
# path: /tmp/ziti-events.log
handler:
type: file
format: json
path: /home/{{ .Model.MustVariable "credentials.ssh.username" }}/logs/events.json

healthChecks:
boltCheck:
Expand Down

0 comments on commit edcb40e

Please sign in to comment.