feat: initial implemention of openziti to go-mod-bootstrap

bootstrap/bootstrap.go

@@ -31,6 +31,7 @@ import (
 	"github.com/edgexfoundry/go-mod-bootstrap/v3/bootstrap/registration"
 	"github.com/edgexfoundry/go-mod-bootstrap/v3/bootstrap/secret"
 	"github.com/edgexfoundry/go-mod-bootstrap/v3/bootstrap/startup"
+	"github.com/edgexfoundry/go-mod-bootstrap/v3/bootstrap/utils"
 	"github.com/edgexfoundry/go-mod-bootstrap/v3/di"
 
 	"github.com/edgexfoundry/go-mod-registry/v3/registry"
@@ -107,6 +108,7 @@ func RunAndReturnWaitGroup(
 		})
 	}
 
+	utils.AdaptLogrusBasedLogging(lc)
 	translateInterruptToCancel(ctx, &wg, cancel)
 
 	envVars := environment.NewVariables(lc)

bootstrap/config/config.go

@@ -59,6 +59,9 @@ const (
 	allServicesKey    = "all-services"
 	appServicesKey    = "app-services"
 	deviceServicesKey = "device-services"
+
+	SecurityModeKey        = "Mode"
+	OpenZitiServiceNameKey = "OpenZitiServiceName"
 )
 
 var invalidRemoteHostsError = errors.New("-rsh/--remoteServiceHosts must contain 3 and only 3 comma seperated host names")

bootstrap/handlers/auth_middleware.go

@@ -28,6 +28,7 @@ import (
 	"github.com/edgexfoundry/go-mod-bootstrap/v3/bootstrap/secret"
 
 	"github.com/labstack/echo/v4"
+	"github.com/openziti/sdk-golang/ziti/edge"
 )
 
 // VaultAuthenticationHandlerFunc prefixes an existing HandlerFunc
@@ -53,7 +54,18 @@ func VaultAuthenticationHandlerFunc(secretProvider interfaces.SecretProviderExt,
 			r := c.Request()
 			w := c.Response()
 			authHeader := r.Header.Get("Authorization")
-			lc.Debugf("Authorizing incoming call to '%s' via JWT (Authorization len=%d)", r.URL.Path, len(authHeader))
+			lc.Debugf("Authorizing incoming call to '%s' via JWT (Authorization len=%d), %v", r.URL.Path, len(authHeader), secretProvider.IsZeroTrustEnabled())
+
+			if secretProvider.IsZeroTrustEnabled() {
+				zitiCtx := r.Context().Value(OpenZitiIdentityKey{})
+				if zitiCtx != nil {
+					zitiEdgeConn := zitiCtx.(edge.Conn)
+					lc.Debugf("Authorizing incoming connection via OpenZiti for %s", zitiEdgeConn.SourceIdentifier())
+					return inner(c)
+				}
+				lc.Debug("zero trust was enabled, but no marker was found. this is unexpected. falling back to token-based auth")
+			}
+
 			authParts := strings.Split(authHeader, " ")
 			if len(authParts) >= 2 && strings.EqualFold(authParts[0], "Bearer") {
 				token := authParts[1]

bootstrap/handlers/clients.go

@@ -32,6 +32,7 @@ import (
 	"github.com/edgexfoundry/go-mod-bootstrap/v3/bootstrap/container"
 	"github.com/edgexfoundry/go-mod-bootstrap/v3/bootstrap/secret"
 	"github.com/edgexfoundry/go-mod-bootstrap/v3/bootstrap/startup"
+	"github.com/edgexfoundry/go-mod-bootstrap/v3/bootstrap/zerotrust"
 	"github.com/edgexfoundry/go-mod-bootstrap/v3/di"
 )
 
@@ -58,13 +59,21 @@ func (cb *ClientsBootstrap) BootstrapHandler(
 	lc := container.LoggingClientFrom(dic.Get)
 	config := container.ConfigurationFrom(dic.Get)
 	cb.registry = container.RegistryFrom(dic.Get)
-	jwtSecretProvider := secret.NewJWTSecretProvider(container.SecretProviderExtFrom(dic.Get))
 
 	if config.GetBootstrap().Clients != nil {
 		for serviceKey, serviceInfo := range *config.GetBootstrap().Clients {
 			var url string
 			var err error
 
+			sp := container.SecretProviderExtFrom(dic.Get)
+			jwtSecretProvider := secret.NewJWTSecretProvider(sp)
+			if rt, transpErr := zerotrust.HttpTransportFromClient(sp, serviceInfo, lc); transpErr != nil {
+				lc.Errorf("could not obtain an http client for use with zero trust provider: %v", transpErr)
+				return false
+			} else {
+				sp.SetHttpTransport(rt) //only need to set the transport when using SecretProviderExt
+			}
+
 			if !serviceInfo.UseMessageBus {
 				url, err = cb.getClientUrl(serviceKey, serviceInfo.Url(), startupTimer, dic, lc)
 				if err != nil {

bootstrap/handlers/clients_test.go

@@ -209,6 +209,10 @@ func TestClientsBootstrapHandler(t *testing.T) {
 			messageClient := &messagingMocks.MessageClient{}
 			messageClient.On("Subscribe", mock.Anything, mock.Anything).Return(nil)
 
+			secProviderExt := &mocks.SecretProviderExt{}
+			secProviderExt.On("SetHttpTransport", mock.Anything, mock.Anything).Return(nil)
+			secProviderExt.On("IsZeroTrustEnabled", mock.Anything, mock.Anything).Return(false)
+
 			dic := di.NewContainer(di.ServiceConstructorMap{
 				container.LoggingClientInterfaceName: func(get di.Get) interface{} {
 					return lc
@@ -222,6 +226,9 @@ func TestClientsBootstrapHandler(t *testing.T) {
 				container.MessagingClientName: func(get di.Get) interface{} {
 					return messageClient
 				},
+				container.SecretProviderExtName: func(get di.Get) interface{} {
+					return secProviderExt
+				},
 			})
 
 			actualResult := NewClientsBootstrap().BootstrapHandler(context.Background(), &sync.WaitGroup{}, startupTimer, dic)
@@ -327,6 +334,10 @@ func TestCommandMessagingClientErrors(t *testing.T) {
 			configMock := &mocks.Configuration{}
 			configMock.On("GetBootstrap").Return(bootstrapConfig)
 
+			secProviderExt := &mocks.SecretProviderExt{}
+			secProviderExt.On("SetHttpTransport", mock.Anything, mock.Anything).Return(nil)
+			secProviderExt.On("IsZeroTrustEnabled", mock.Anything, mock.Anything).Return(false)
+
 			dic := di.NewContainer(di.ServiceConstructorMap{
 				container.LoggingClientInterfaceName: func(get di.Get) interface{} {
 					return mockLogger
@@ -341,6 +352,9 @@ func TestCommandMessagingClientErrors(t *testing.T) {
 						return nil
 					}
 				},
+				container.SecretProviderExtName: func(get di.Get) interface{} {
+					return secProviderExt
+				},
 			})
 
 			startupTimer := startup.NewTimer(1, 1)

bootstrap/handlers/httpserver.go

@@ -19,23 +19,31 @@ package handlers
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
+	"net"
 	"net/http"
 	"os"
 	"strconv"
+	"strings"
 	"sync"
 	"time"
 
 	"github.com/edgexfoundry/go-mod-core-contracts/v3/clients/logger"
 	"github.com/edgexfoundry/go-mod-core-contracts/v3/common"
 	commonDTO "github.com/edgexfoundry/go-mod-core-contracts/v3/dtos/common"
 
+	"github.com/edgexfoundry/go-mod-bootstrap/v3/bootstrap/config"
 	"github.com/edgexfoundry/go-mod-bootstrap/v3/bootstrap/container"
 	"github.com/edgexfoundry/go-mod-bootstrap/v3/bootstrap/startup"
 	"github.com/edgexfoundry/go-mod-bootstrap/v3/di"
 
+	"github.com/edgexfoundry/go-mod-bootstrap/v3/bootstrap/zerotrust"
 	"github.com/labstack/echo/v4"
 	"github.com/labstack/echo/v4/middleware"
+	edge_apis "github.com/openziti/sdk-golang/edge-apis"
+	"github.com/openziti/sdk-golang/ziti"
+	"github.com/openziti/sdk-golang/ziti/edge"
 )
 
 // HttpServer contains references to dependencies required by the http server implementation.
@@ -45,6 +53,11 @@ type HttpServer struct {
 	doListenAndServe bool
 }
 
+type ZitiContext struct {
+	c *ziti.Context
+}
+type OpenZitiIdentityKey struct{}
+
 // NewHttpServer is a factory method that returns an initialized HttpServer receiver struct.
 func NewHttpServer(router *echo.Echo, doListenAndServe bool) *HttpServer {
 	return &HttpServer{
@@ -124,6 +137,8 @@ func (b *HttpServer) BootstrapHandler(
 		Timeout: timeout,
 	}))
 
+	zc := &ZitiContext{}
+
 	b.router.Use(RequestLimitMiddleware(bootstrapConfig.Service.MaxRequestSize, lc))
 
 	b.router.Use(ProcessCORS(bootstrapConfig.Service.CORSConfiguration))
@@ -136,6 +151,7 @@ func (b *HttpServer) BootstrapHandler(
 		Handler:           b.router,
 		ReadHeaderTimeout: 5 * time.Second, // G112: A configured ReadHeaderTimeout in the http.Server averts a potential Slowloris Attack
 	}
+	server.ConnContext = mutator
 
 	wg.Add(1)
 	go func() {
@@ -156,7 +172,70 @@ func (b *HttpServer) BootstrapHandler(
 		}()
 
 		b.isRunning = true
-		err := server.ListenAndServe()
+		listenMode := strings.ToLower(bootstrapConfig.Service.SecurityOptions[config.SecurityModeKey])
+		switch listenMode {
+		case zerotrust.ConfigKey:
+			secretProvider := container.SecretProviderExtFrom(dic.Get)
+			if secretProvider == nil {
+				err = errors.New("secret provider is nil. cannot proceed with zero trust configuration")
+				break
+			}
+			secretProvider.EnableZeroTrust() //mark the secret provider as zero trust enabled
+			var zitiCtx ziti.Context
+			var ctxErr error
+			jwt, jwtErr := secretProvider.GetSelfJWT()
+			if jwtErr != nil {
+				lc.Errorf("could not load jwt: %v", jwtErr)
+				err = jwtErr
+				break
+			}
+			ozUrl := bootstrapConfig.Service.SecurityOptions["OpenZitiController"]
+			if !strings.Contains(ozUrl, "://") {
+				ozUrl = "https://" + ozUrl
+			}
+			caPool, caErr := ziti.GetControllerWellKnownCaPool(ozUrl)
+			if caErr != nil {
+				err = caErr
+				break
+			}
+
+			credentials := edge_apis.NewJwtCredentials(jwt)
+			credentials.CaPool = caPool
+
+			cfg := &ziti.Config{
+				ZtAPI:       ozUrl + "/edge/client/v1",
+				Credentials: credentials,
+			}
+			cfg.ConfigTypes = append(cfg.ConfigTypes, "all")
+
+			zitiCtx, ctxErr = ziti.NewContext(cfg)
+			if ctxErr != nil {
+				err = ctxErr
+				break
+			}
+
+			serviceName := bootstrapConfig.Service.SecurityOptions[config.OpenZitiServiceNameKey]
+			ln, listenErr := zitiCtx.Listen(serviceName)
+			if listenErr != nil {
+				err = fmt.Errorf("could not bind service " + serviceName + ": " + listenErr.Error())
+				break
+			}
+
+			zc.c = &zitiCtx
+			lc.Infof("listening on overlay network. ListenMode '%s' at %s", listenMode, addr)
+			err = server.Serve(ln)
+		case "http":
+			fallthrough
+		default:
+			lc.Infof("listening on underlay network. ListenMode '%s' at %s", listenMode, addr)
+			ln, listenErr := net.Listen("tcp", addr)
+			if listenErr != nil {
+				err = listenErr
+				break
+			}
+			err = server.Serve(ln)
+		}
+
 		// "Server closed" error occurs when Shutdown above is called in the Done processing, so it can be ignored
 		if err != nil && err != http.ErrServerClosed {
 			// Other errors occur during bootstrapping, like port bind fails, are considered fatal
@@ -204,3 +283,11 @@ func RequestLimitMiddleware(sizeLimit int64, lc logger.LoggingClient) echo.Middl
 		}
 	}
 }
+
+func mutator(srcCtx context.Context, c net.Conn) context.Context {
+	if zitiConn, ok := c.(edge.Conn); ok {
+		return context.WithValue(srcCtx, OpenZitiIdentityKey{}, zitiConn)
+	}
+
+	return srcCtx
+}