-
github.com/openziti/sdk-golang: v0.23.45 -> v0.24.0
- Issue #663 - Add API to allow controlling proxying connections to controllers and routers.
-
github.com/go-resty/resty/v2: v2.15.3 -> v2.16.4
-
github.com/openziti/channel/v3: v3.0.26 -> v3.0.27
-
github.com/openziti/edge-api: v0.26.36 -> v0.26.38
-
github.com/openziti/transport/v2: v2.0.159 -> v2.0.160
-
golang.org/x/oauth2: v0.23.0 -> v0.25.0
-
google.golang.org/protobuf: v1.36.2 -> v1.36.3
-
github.com/openziti/sdk-golang: v0.23.44 -> v0.23.45
- Issue #659 - E2E encryption can encounter ordering issues with high-volume concurrent writes
-
github.com/openziti/channel/v3: v3.0.4 -> v3.0.26
- Issue #146 - Transport options aren't being set in dialer
-
github.com/openziti/edge-api: v0.26.34 -> v0.26.36
- Issue #138 - management api deletes were generally not mapping 404 properly
-
github.com/openziti/foundation/v2: v2.0.49 -> v2.0.56
-
github.com/openziti/identity: v1.0.85 -> v1.0.94
-
github.com/openziti/metrics: v1.2.58 -> v1.2.65
-
github.com/openziti/secretstream: v0.1.25 -> v0.1.28
-
github.com/openziti/transport/v2: v2.0.146 -> v2.0.159
-
github.com/stretchr/testify: v1.9.0 -> v1.10.0
-
golang.org/x/sys: v0.25.0 -> v0.29.0
-
google.golang.org/protobuf: v1.34.2 -> v1.36.2
-
golang.org/x/crypto: v0.27.0 -> v0.32.0
-
golang.org/x/net: v0.29.0 -> v0.34.0
-
golang.org/x/sync: v0.8.0 -> v0.10.0
-
golang.org/x/term: v0.24.0 -> v0.28.0
-
golang.org/x/text: v0.18.0 -> v0.21.0
- github.com/openziti/sdk-golang: v0.23.43 -> v0.23.44
- github.com/openziti/edge-api: v0.26.32 -> v0.26.34
-
github.com/openziti/sdk-golang: v0.23.42 -> v0.23.43
- Issue #629 - JWT session refresh interprets expiration date incorrectly
-
github.com/go-resty/resty/v2: v2.13.1 -> v2.15.3
-
github.com/openziti/channel/v3: v3.0.2 -> v3.0.4
- Issue #144 - Add ReadAdapter utility
-
github.com/openziti/edge-api: v0.26.30 -> v0.26.32
-
github.com/openziti/secretstream: v0.1.21 -> v0.1.25
-
go.mozilla.org/pkcs7: v0.0.0-20200128120323-432b2356ecb1 -> v0.9.0
-
golang.org/x/oauth2: v0.21.0 -> v0.23.0
-
go.mongodb.org/mongo-driver: v1.16.1 -> v1.17.0
- github.com/openziti/sdk-golang: v0.23.41 -> v0.23.42
- Issue #625 - traffic optimization: implement support for receiving multi-part edge payloads
-
github.com/openziti/sdk-golang: v0.23.40 -> v0.23.41
-
github.com/openziti/channel/v3: v2.0.136 -> v3.0.2
- Issue #138 - Allow custom message serialization. Add support for a 'raw' message type.
- Issue #82 - Remove transport.Configuration from UnderlayFactory.Create
- Issue #136 - Fix timeout on classic dialer
- Issue #134 - Support the dtls transport
-
github.com/openziti/edge-api: v0.26.23 -> v0.26.30
-
github.com/openziti/foundation/v2: v2.0.47 -> v2.0.49
-
github.com/openziti/identity: v1.0.81 -> v1.0.85
-
github.com/openziti/metrics: v1.2.56 -> v1.2.58
-
github.com/openziti/transport/v2: v2.0.138 -> v2.0.146
-
github.com/zitadel/oidc/v2: v2.12.0 -> v2.12.2
-
golang.org/x/sys: v0.22.0 -> v0.25.0
-
github.com/gorilla/schema: v1.2.0 -> v1.3.0
-
github.com/gorilla/securecookie: v1.1.1 -> v1.1.2
-
github.com/gorilla/websocket: v1.5.1 -> v1.5.3
-
go.mongodb.org/mongo-driver: v1.16.0 -> v1.16.1
-
go.opentelemetry.io/otel: v1.28.0 -> v1.29.0
-
go.opentelemetry.io/otel/metric: v1.28.0 -> v1.29.0
-
go.opentelemetry.io/otel/trace: v1.28.0 -> v1.29.0
-
golang.org/x/crypto: v0.25.0 -> v0.27.0
-
golang.org/x/net: v0.27.0 -> v0.29.0
-
golang.org/x/sync: v0.7.0 -> v0.8.0
-
golang.org/x/term: v0.22.0 -> v0.24.0
-
golang.org/x/text: v0.16.0 -> v0.18.0
-
gopkg.in/go-jose/go-jose.v2: v2.6.3 (new)
-
nhooyr.io/websocket: v1.8.11 -> v1.8.17
-
github.com/openziti/sdk-golang: v0.23.39 -> v0.23.40
- Issue #601 - Only send config types on service list if controller version supports it
- No Issue - Fixes a TOTP OIDC redirect
-
github.com/openziti/edge-api: v0.26.21 -> v0.26.23
- Issue #120 - Add API for retrieving services referencing a config
- Issue #121 - Add API for retrieving the set of attribute roles used by posture checks
-
github.com/openziti/sdk-golang: v0.23.38 -> v0.23.39
- Issue #596 - SDK should submit selected config types to auth and service list APIs
- Issue #593 - SDK Golang OIDC Get API Session Returns Wrong Value
-
github.com/openziti/channel/v2: v2.0.132 -> v2.0.136
- Issue #132 - reconnecting dialer doesn't take local binding into account when reconnecting
-
github.com/openziti/edge-api: v0.26.20 -> v0.26.21
-
github.com/openziti/foundation/v2: v2.0.46 -> v2.0.47
-
github.com/openziti/identity: v1.0.79 -> v1.0.81
-
github.com/openziti/metrics: v1.2.55 -> v1.2.56
-
github.com/openziti/secretstream: v0.1.20 -> v0.1.21
-
github.com/openziti/transport/v2: v2.0.135 -> v2.0.138
- Issue #83 - tls.Dial should use proxy configuration if provided
-
github.com/shirou/gopsutil/v3: v3.24.4 -> v3.24.5
-
golang.org/x/oauth2: v0.20.0 -> v0.21.0
-
golang.org/x/sys: v0.21.0 -> v0.22.0
-
google.golang.org/protobuf: v1.34.1 -> v1.34.2
-
go.mongodb.org/mongo-driver: v1.15.0 -> v1.16.0
-
go.opentelemetry.io/otel: v1.27.0 -> v1.28.0
-
go.opentelemetry.io/otel/metric: v1.27.0 -> v1.28.0
-
go.opentelemetry.io/otel/trace: v1.27.0 -> v1.28.0
-
golang.org/x/crypto: v0.24.0 -> v0.25.0
-
golang.org/x/net: v0.26.0 -> v0.27.0
-
golang.org/x/term: v0.21.0 -> v0.22.0
-
github.com/openziti/sdk-golang: v0.23.37 -> v0.23.38
- Issue #573 - api session refresh spins in a tight loop if there is no current api session
- Issue #562 - Support sticky dials
-
github.com/openziti/channel/v2: v2.0.130 -> v2.0.132
-
github.com/openziti/edge-api: v0.26.19 -> v0.26.20
- Issue #113 - RecoveryCodesEnvelope is wrong
-
github.com/openziti/foundation/v2: v2.0.45 -> v2.0.46
- Issue #407 - Remove Branch from build info
-
github.com/openziti/identity: v1.0.77 -> v1.0.79
-
github.com/openziti/metrics: v1.2.54 -> v1.2.55
-
github.com/openziti/transport/v2: v2.0.133 -> v2.0.135
-
golang.org/x/sys: v0.20.0 -> v0.21.0
-
github.com/go-logr/logr: v1.4.1 -> v1.4.2
-
go.opentelemetry.io/otel: v1.25.0 -> v1.27.0
-
go.opentelemetry.io/otel/metric: v1.25.0 -> v1.27.0
-
go.opentelemetry.io/otel/trace: v1.25.0 -> v1.27.0
-
golang.org/x/crypto: v0.23.0 -> v0.24.0
-
golang.org/x/net: v0.25.0 -> v0.26.0
-
golang.org/x/term: v0.20.0 -> v0.21.0
-
golang.org/x/text: v0.15.0 -> v0.16.0
-
github.com/openziti/sdk-golang: v0.23.36 -> v0.23.37
- Issue #562 - Support sticky dials
-
github.com/openziti/edge-api: v0.26.18 -> v0.26.19
-
github.com/openziti/secretstream: v0.1.19 -> v0.1.20
- Fix DomainCheckRedirectPolicy for OIDC auth to controllers
- Update workflows
- Deps updates
- Add GetCircuitId to edge.Conn. Allows correlation with controller/router metrics. Requires support from controller.
- Adds
GetCurrentIdentityWithBackoff
so hosting doesn't fail on a single failure - Ensure that ER dial requests time-out in a reasonable time frame
- Further refine edge session refreshes based on session changes and if we have hit the requested terminator count
EnableHa
Feature Toggle
Configuration structs and files used to initialize SDK contexts now supports a boolean field named EnableHa
(struct)
and enableHa
(JSON configuration) that enables OIDC HA authentication models. Existing implementations should not
have to make any adjustments as it will default to false
/disabled. HA is experimental only and should not be used
unless one expects to test HA deployments.
ApiSession
interface abstraction for HA support
With the introduction of High Availability (HA) support, ApiSessions as a struct in zitContext.Events()
callbacks
is no longer supported. A new ApiSession
interface is provided in its place. This affects the following Events()
functions:
AddAuthenticationStatePartialListener
AddAuthenticationStateFullListener
AddAuthenticationStateUnauthenticatedListener
This change is meant to alleviate issues between ApiSession fidelity between legacy and HA modes. However, it is
possible that information that was available with the struct version of ApiSession
that is no longer available via
the interface value. As a short term work around, type casting the ApiSession
interface to ApiSessionLegacy
is
suggested. However, please provide feedback on scenarios where this is being done. It may be possible to enhance the
interface version if the data is available in both HA OIDC tokens and legacy ApiSession details.
The ApiSession
interface supports the following functions:
GetAccessHeader() (string, string)
- returns the HTTP header name and value that should be used to represent this ApiSessionAuthenticateRequest(request runtime.ClientRequest, _ strfmt.Registry) error
- AuthenticateRequest fulfills the interface defined by OpenAPI libraries to authenticate client HTTP requestsGetToken() []byte
- returns the ApiSessions' token bytesGetExpiresAt() *time.Time
- returns the time when the ApiSession will expire.GetAuthQueries() rest_model.AuthQueryList
- returns a list of authentication queries the ApiSession is subjected toGetIdentityName() string
- returns the name of the authenticating identityGetIdentityId() string
- returns the id of the authenticating identityGetId() string
- returns the id of the ApiSession
- Improve session refresh behavior.
- Limit refreshes of both api and sessions to at most every 30 seconds.
- Base faster refreshes not on number of available ERs but on usable ER endpoints, since some ERs may not have usable endpoints
- Only refresh API sessions if session is no longer valid, as opposed if an api session refresh fails, which can happen if the controller is down or busy.
- Only allow one api session refresh at a time
- Use exponential backoff for api session refresh retries
- Deprecate ListenOptions.MaxConnections in favor of ListenOptions.MaxTerminators
- Add SessionRefreshInterval to DialOptions, with a default of 1 hour.
- New
ListenOptions
field:WaitForNEstablishedListeners
. Allows specifying that you want at least N listeners to be established before theListen
method returns. Defaults to 0.
- New
Context
API method:RefreshService
, which allows refreshing a single service, when that's all that's needed.
- SDK context's will now use the properly prefixed Edge Client API Path for enrollment configurations. Previous versions relied upon legacy path support in scenarios where Ziti Context configurations were generated from an enrollment JWT.
- Added
edge_apis.ClientUrl(hostname string)
andedge_apis.ManagementUrl(hostname string)
to convert hostnames to fully prefixed API URls.
- minor bug fixes
- dependency updates
- Edge Router Filter Options - now possible to filter Edge Routers based on connection URL
When creating Ziti SDK Context instances, the options argument can now contain an EdgeRouterUrlFilter
function
that takes in a string URL and returns a boolean to determine if the context will use that connection string
to connect to the Edge Router. This is useful when operating in restricted environments, GoLang WASM, where
some connection methods are no allowed (i.e. tcp/tls vs ws/wss).
cfg := &ziti.Config{
ZtAPI: "https://localhost:1280/edge/client/v1",
Credentials: credentials,
}
ctx, err := ziti.NewContextWithOpts(cfg, &ziti.Options{
EdgeRouterUrlFilter: func(addr string) bool {
return strings.HasPrefix(addr,"wss")
},
})
ziti.Options
has a new field: EdgeRouterUrlFilter func(string) bool
. This allows filtering which edge router URLS you
want the SDK to try and connect to. In most cases, filtering will be done by protocol. If no filter is provided, all
URL will be used.
- Change log - This change log was added and is a reflection of all changes from
v0.20.0
tov0.20.23
- Flattened Config Name Space - Reduce collisions for implementors by removing
config
package - New Authentication Options - alters the configuration options used to instantiate Ziti SDK contexts. This impacts context instantiation signatures.
- New Internal Edge Client & Management clients using
edge-apis
edge-apis
- A new root level package,edge-apis
has been added which provides a thin wrapper around the go-swagger generated Edge Client and Management APIs.- Usage of the
edge-apis
package is not required to use the OpenZiti Golang SDK but is exposed for those who which to.
- API Session Certificates - API Session Certificates allow authentication mechanisms that are not inherently backed by a x509 certificate to obtain ephemeral x509 certificate and interact with an OpenZiti network.
- Event API - The GoLang SDK now supports an eventing interface that allows implementors to register listeners
- Browser WASM Compilation support - Compiling the GO SDK to run in WASM browser environments is now supported.
Previously, the GoLang SDK provided a package named config
which would collide when used in other projects that also
contained variables or packages named config. To reduce collisions, the config
package has been removed. This has
the following impact:
- The type
config.Config
is nowziti.Config
for importers - Configuration instantiation is no long
config.New*()
but ratherziti.NewConfig*()
- Context instantiation is no longer
ziti.New*()
but ratherziti.NewContext*()
It is now possible to create an OpenZiti GoLang SDK Context by using alternative authentication mechanisms such as
raw private/public keys, JWTs, and Username Passwords (UPDB) in addition to the original configuration file approach.
This capability is provided by the edge-apis
package. To make use of these new option, configure them on
a ziti.Config
creds := edge_apis.NewJwtCredentials(jwtToken)
creds.CaPool = caPool
cfg := &ziti.Config{
ZtAPI: "https://localhost:1280/edge/client/v1",
Credentials: creds,
}
ctx, err := ziti.NewContext(cfg)
Previous file based implementations may still use identity files:
ctx, err := NewContextFromFile("identity.json")
The packaged edge-apis
can be used as a standalone way of interacting with the OpenZiti Edge Client and Management
APIs. They core API functionality is maintained in openziti/edge-apis
and contains the raw GoSwagger generated API
clients. The clients in this repository have been wrapped with a thin layer to make authentication easier.
To use the GoLang Ziti SDK one does not have to use this package directly. The Golang SDK uses this package under the hood.
To create an instance of either the Client or Management clients, a Credential instance is required. The following types are currently supported:
IdentityCredentials
- JSON configuration that embeds the controller URL, public/private keys and location. This was the previous only authentication mechanism supported by the Golang SDKJwtCredentials
- an externally integrating solution that uses controllerexternal-jwt-signers
to integrate with any JWT providing IdPCertCredentials
- Raw handling of public and private key GoLang typesUpdbCredentials
- A username/password combination
Creating new Credential instances is enabled through direct instantiation or via helper functions. Here are two examples:
creds := edge_apis.NewCertCredentials([]*x509.Certificate{testIdCerts.cert}, testIdCerts.key)
creds.CaPool = ziti.GetControllerWellKnownCaPool("https://example.com:1280")
creds := edge_apis.New([]*x509.Certificate{testIdCerts.cert}, testIdCerts.key)
creds.CaPool = ziti.GetControllerWellKnownCaPool("https://example.com:1280")
After a credentials instance is created, a client may be created that will authenticate and provide API access.
creds := edge_apis.New([]*x509.Certificate{testIdCerts.cert}, testIdCerts.key)
creds.CaPool = ziti.GetControllerWellKnownCaPool("https://example.com:1280")
client := edge_apis.NewClientApiClient(clientApiUrl, nil)
apiSession, err := client.Authenticate(creds, nil)
fmt.Printf("identity name: %s", apiSession.Identity.Name)
resp, err := client.API.Service.ListServices(service2.NewListServicesParams(), nil)
OpenZiti Controllers support the creation of ephemeral, API Session scoped, x509 Certificates for fully authenticated API Sessions. These certificates are created automatically by the GoLang SDK when the authentication mechanism provided to the context is not backed by a x509 Certificate.
OpenZiti Context's returned now support an Event()
function which exposes the following function calls:
// AddServiceAddedListener adds an event listener for the EventServiceAdded event and returns a function to remove
// the listener. It is emitted any time a new service definition is received. The service detail provided is the
// service that was added.
AddServiceAddedListener(func(Context, *rest_model.ServiceDetail)) func()
// AddServiceChangedListener adds an event listener for the EventServiceChanged event and returns a function to remove
// the listener. It is emitted any time a known service definition is updated with new values. The service detail
// provided is the service that was changed.
AddServiceChangedListener(func(Context, *rest_model.ServiceDetail)) func()
// AddServiceRemovedListener adds an event listener for the EventServiceRemoved event and returns a function to remove
// the listener. It is emitted any time known service definition is no longer accessible. The service detail
// provided is the service that was removed.
AddServiceRemovedListener(func(Context, *rest_model.ServiceDetail)) func()
// AddRouterConnectedListener adds an event listener for the EventRouterConnected event and returns a function to remove
// the listener. It is emitted any time a router connection is established. The strings provided are router name and connection address.
AddRouterConnectedListener(func(ztx Context, name string, addr string)) func()
// AddRouterDisconnectedListener adds an event listener for the EventRouterDisconnected event and returns a function to remove
// the listener. It is emitted any time a router connection is closed. The strings provided are router name and connection address.
AddRouterDisconnectedListener(func(ztx Context, name string, addr string)) func()
// AddMfaTotpCodeListener adds an event listener for the EventMfaTotpCode event and returns a function to remove
// the listener. It is emitted any time the currently authenticated API Session requires an MFA TOTP Code for
// authentication. The authentication query detail and an MfaCodeResponse function are provided. The MfaCodeResponse
// should be invoked to answer the MFA TOTP challenge.
//
// Authentication challenges for MFA are modeled as authentication queries, and is provided to listeners for
// informational purposes. This event handler is a specific authentication query that responds to the internal Ziti
// MFA TOTP challenge only. All authentication queries, including MFA TOTP ones, are also available through
// AddAuthQueryListener, but does not provide typed response callbacks.
AddMfaTotpCodeListener(func(Context, *rest_model.AuthQueryDetail, MfaCodeResponse)) func()
// AddAuthQueryListener adds an event listener for the EventAuthQuery event and returns a function to remove
// the listener. The event is emitted any time the current API Session is required to pass additional authentication
// challenges - which enabled MFA functionality.
AddAuthQueryListener(func(Context, *rest_model.AuthQueryDetail)) func()
// AddAuthenticationStatePartialListener adds an event listener for the EventAuthenticationStatePartial event and
// returns a function to remove the listener. Partial authentication occurs when there are unmet authentication
// queries - which are defined by the authentication policy associated with the identity. The
// EventAuthQuery or EventMfaTotpCode events will also coincide with this event. Additionally, the authentication
// queries that triggered this event are available on the API Session detail in the `AuthQueries` field.
//
// In the partially authenticated state, a context will have reduced capabilities. It will not be able to
// update/list services, create service sessions, etc. It will be able to enroll in TOTP MFA and answer
// authentication queries.
//
// One all authentication queries are answered, the EventAuthenticationStateFull event will be emitted. For
// identities that do not have secondary authentication challenges associated with them, this even will never
// be emitted.
AddAuthenticationStatePartialListener(func(Context, *rest_model.CurrentAPISessionDetail)) func()
// AddAuthenticationStateFullListener adds an event listener for the EventAuthenticationStateFull event and
// returns a function to remove the listener. Full authentication occurs when there are no unmet authentication
// queries - which are defined by the authentication policy associated with the identity. In a fully authenticated
// state, the context will be able to perform all client actions.
AddAuthenticationStateFullListener(func(Context, *rest_model.CurrentAPISessionDetail)) func()
// AddAuthenticationStateUnauthenticatedListener adds an event listener for the EventAuthenticationStateUnauthenticated
// event and returns a function to remove the listener. The unauthenticated state occurs when the API session
// currently being used is no longer valid. API Sessions may become invalid due to prolonged inactivity due to
// network disconnection, the host machine entering a power saving/sleep mode, etc. It may also occur due to
// administrative action such as removing specific API Sessions or removing entire identities.
//
// The API Session detail provided to the listener may be nil. If it is not nil, the API Session detail is the
// now expired API Session.
AddAuthenticationStateUnauthenticatedListener(func(Context, *rest_model.CurrentAPISessionDetail)) func()
The above functions allow for the addition of strongly typed event handlers and removal of those listeners with the
returned func()
. These functions do not require knowing the event names or handling type assertions as the events are
emitted.
The underlying event functionality is provided by github.com/kataras/go-events
which uses a weakly typed arguments
for events. The go-events
interface for event emitters is available for use and will require usage of the documented
event names in ziti/events.go
.
All events, either through the strongly typed or weakly typed interface, are called synchronously. Performing operations that take longer than a few milliseconds is not suggested. If necessary, when your event handler is called spawn a goroutine to offload any extended processing.
Synchronous Event:
ctx, err := ziti.NewContext(cfg)
ctx.Events().AddServiceAddedListener(func(detail *rest_model.ServiceDetail) {
fmt.Printf("New service %s", *detail.Name)
})
Asynchronous Event:
ctx, err := ziti.NewContext(cfg)
ctx.Events().AddServiceAddedListener(func(detail *rest_model.ServiceDetail) {
go func(){
fmt.Printf("New service %s", *detail.Name
}()
})
Compiling projects that use the GO SDK with js
tag will now alter internal components to deal with running in a
browser environment. This includes enabling WebSocket Secure (WSS) connections to Edge Routers.
go build ./my-project -tags=js