fix: add zero trust flag to secret provider. regen mock. adapt code

Signed-off-by: dovholuknf <46322585+dovholuknf@users.noreply.github.com>

bootstrap/handlers/auth_middleware.go

@@ -28,7 +28,6 @@ import (
 	"github.com/edgexfoundry/go-mod-bootstrap/v3/bootstrap/secret"
 
 	"github.com/labstack/echo/v4"
-	"github.com/openziti/sdk-golang/ziti"
 	"github.com/openziti/sdk-golang/ziti/edge"
 )
 
@@ -57,24 +56,14 @@ func VaultAuthenticationHandlerFunc(secretProvider interfaces.SecretProviderExt,
 			authHeader := r.Header.Get("Authorization")
 			lc.Debugf("Authorizing incoming call to '%s' via JWT (Authorization len=%d)", r.URL.Path, len(authHeader))
 
-			zitiCtx := r.Context().Value("zitiContext")
-			if zitiCtx != nil {
-				zc := *zitiCtx.(*ziti.Context)
-				if zi, err := zc.GetCurrentIdentity(); err != nil {
-					lc.Warnf("Could not verify incoming connection via OpenZiti for %s", *zi.Name)
-					return echo.NewHTTPError(http.StatusUnauthorized, http.StatusText(http.StatusUnauthorized))
-				} else {
-					lc.Debugf("Authorizing incoming connection via OpenZiti for %s", *zi.Name)
-				}
-				return inner(c)
-			}
+			if secretProvider.ZeroTrustEnabled() {
+				zitiCtx := r.Context().Value("zero.trust.identityName")
+				if zitiCtx != nil {
+					zitiEdgeConn := zitiCtx.(edge.Conn)
 
-			zitiCtx = r.Context().Value("zero.trust.identityName")
-			if zitiCtx != nil {
-				zitiEdgeConn := zitiCtx.(edge.Conn)
-
-				lc.Debugf("Authorizing incoming connection via OpenZiti for %s", zitiEdgeConn.SourceIdentifier())
-				return inner(c)
+					lc.Debugf("Authorizing incoming connection via OpenZiti for %s", zitiEdgeConn.SourceIdentifier())
+					return inner(c)
+				}
 			}
 
 			authParts := strings.Split(authHeader, " ")

bootstrap/handlers/httpserver.go

@@ -177,6 +177,7 @@ func (b *HttpServer) BootstrapHandler(
 				err = errors.New("secret provider is nil. cannot proceed with zero trust configuration")
 				break
 			}
+			secretProvider.ZeroTrustEnabled() //mark the secret provider as zero trust enabled
 			var zitiCtx ziti.Context
 			var ctxErr error
 			jwt, jwtErr := secretProvider.GetSelfJWT()
@@ -291,13 +292,6 @@ func HandleOpenZiti(zitiCtx *ZitiContext) echo.MiddlewareFunc {
 
 	return func(next echo.HandlerFunc) echo.HandlerFunc {
 		return func(c echo.Context) error {
-			if zitiCtx != nil {
-				if zitiCtx != nil {
-					//newCtx := context.WithValue(r.Context(), "zitiContext", zitiCtx.c)
-					//r = r.WithContext(newCtx)
-				}
-			}
-
 			return next(c)
 		}
 	}

bootstrap/interfaces/secret.go

@@ -72,9 +72,15 @@ type SecretProviderExt interface {
 	// IsJWTValid evaluates a given JWT and returns a true/false if the JWT is valid (i.e. belongs to us and current) or not
 	IsJWTValid(jwt string) (bool, error)
 
-	// HttpTransport
+	// HttpTransport returns the http.RoundTripper to be used by http-based clients
 	HttpTransport() http.RoundTripper
 
-	// HttpTransport
+	// SetHttpTransport sets the http.RoundTripper to be used by http-based clients
 	SetHttpTransport(rt http.RoundTripper)
+
+	// ZeroTrustEnabled returns whether zero trust principles are enabled
+	ZeroTrustEnabled() bool
+
+	// EnableZeroTrust marks the provider as being zero trust enabled
+	EnableZeroTrust()
 }

bootstrap/secret/insecure.go

@@ -254,3 +254,11 @@ func (p *InsecureProvider) HttpTransport() http.RoundTripper {
 func (p *InsecureProvider) SetHttpTransport(_ http.RoundTripper) {
 	//empty on purpose
 }
+
+func (p *InsecureProvider) IsZeroTrustEnabled() bool {
+	return false
+}
+
+func (p *InsecureProvider) ZeroTrustEnabled() {
+	//empty on purpose
+}

bootstrap/secret/secure.go

@@ -67,6 +67,7 @@ type SecureProvider struct {
 	securityRuntimeSecretTokenDuration gometrics.Timer
 	securityGetSecretDuration          gometrics.Timer
 	httpRoundTripper                   http.RoundTripper
+	zeroTrustEnabled                   bool
 }
 
 // NewSecureProvider creates & initializes Provider instance for secure secrets.
@@ -487,3 +488,11 @@ func (p *SecureProvider) HttpTransport() http.RoundTripper {
 func (p *SecureProvider) SetHttpTransport(rt http.RoundTripper) {
 	p.httpRoundTripper = rt
 }
+
+func (p *SecureProvider) IsZeroTrustEnabled() bool {
+	return p.zeroTrustEnabled
+}
+
+func (p *SecureProvider) ZeroTrustEnabled() {
+	p.zeroTrustEnabled = true
+}

bootstrap/zerotrust/zerotrust.go

@@ -47,13 +47,9 @@ func AuthToOpenZiti(ozController, jwt string) (ziti.Context, error) {
 	return ctx, nil
 }
 
-func isZeroTrust(secOpts map[string]string) bool {
-	return secOpts != nil && secOpts["Mode"] == ConfigKey
-}
-
 func HttpTransportFromService(secretProvider interfaces.SecretProviderExt, serviceInfo config.ServiceInfo, lc logger.LoggingClient) (http.RoundTripper, error) {
 	roundTripper := http.DefaultTransport
-	if isZeroTrust(serviceInfo.SecurityOptions) {
+	if secretProvider.ZeroTrustEnabled() {
 		lc.Debugf("zero trust client detected for service: %s", serviceInfo.Host)
 		if rt, err := createZitifiedTransport(secretProvider, serviceInfo.SecurityOptions[OpenZitiControllerKey]); err != nil {
 			return nil, err
@@ -66,7 +62,7 @@ func HttpTransportFromService(secretProvider interfaces.SecretProviderExt, servi
 
 func HttpTransportFromClient(secretProvider interfaces.SecretProviderExt, clientInfo *config.ClientInfo, lc logger.LoggingClient) (http.RoundTripper, error) {
 	roundTripper := http.DefaultTransport
-	if isZeroTrust(clientInfo.SecurityOptions) {
+	if secretProvider.ZeroTrustEnabled() {
 		lc.Debugf("zero trust client detected for client: %s", clientInfo.Host)
 		if rt, err := createZitifiedTransport(secretProvider, clientInfo.SecurityOptions[OpenZitiControllerKey]); err != nil {
 			return nil, err