From b6305ce616705f86052f1bc5c904500e1558b828 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Fri, 4 Aug 2023 14:29:28 -0400 Subject: [PATCH 001/251] optionally send extra args to the cmake configure command --- scripts/ziti-builder.sh | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) diff --git a/scripts/ziti-builder.sh b/scripts/ziti-builder.sh index eb4f6bed..7db41841 100755 --- a/scripts/ziti-builder.sh +++ b/scripts/ziti-builder.sh @@ -6,7 +6,15 @@ set -euo pipefail BASENAME="$(basename "${0}")" -BASEDIR="$(cd "$(dirname "${0}")" && pwd)" +BASEDIR="$(cd "$(dirname "${0}")" && pwd)" # full path to scripts dir +SCRIPTSDIR="$(basename "${BASEDIR}")" # relative path to scripts dir, only works if executable is homed in a top-level dir of the project, .e.g. "/scripts" +REPODIR="$(dirname "${BASEDIR}")" # path to project root is parent of scripts dir + +[[ -x ${REPODIR}/${SCRIPTSDIR}/${BASENAME} ]] || { + echo "ERROR: ${REPODIR}/${SCRIPTSDIR}/${BASENAME} is not executable" >&2 + exit 1 +} + # set in ziti-builder image, but this default allows hacking the script to run # outside the ziti-builder container : "${GIT_CONFIG_GLOBAL:=/tmp/ziti-builder-gitconfig}" @@ -45,7 +53,7 @@ function set_workspace(){ fi # if project is mounted on WORKDIR then build, else restart in container - if [[ -x "${WORKDIR}/${BASENAME}" ]]; then + if [[ -x "${WORKDIR}/${SCRIPTSDIR}/${BASENAME}" ]]; then # container environment defines BUILD_ENVIRONMENT=ziti-builder-docker if [[ "${BUILD_ENVIRONMENT:-}" == "ziti-builder-docker" ]]; then echo "INFO: running in ziti-builder container" 
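Review bot: The comment on the new `SCRIPTSDIR` line in hunk `@@ -6,7 +6,15` has a stray dot in `.e.g.` and describes a layout assumption that the guard right below it is meant to enforce; suggest `# basename of the scripts dir; assumes this script lives one level below the repo root, e.g. "<repo>/scripts"`. The `[[ -x ${REPODIR}/${SCRIPTSDIR}/${BASENAME} ]]` test resolves to the running script's own path, so the error message would be more useful if it said why the bit matters: the same path is re-executed inside the ziti-builder container (see the `docker run` hunk further down) and must carry the execute bit there, e.g. `echo "ERROR: ${REPODIR}/${SCRIPTSDIR}/${BASENAME} must be executable (it is re-run inside the container)" >&2`.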
@@ -56,14 +64,14 @@ function set_workspace(){ fi else echo -e "INFO: project not mounted on ${WORKDIR}, re-running in container"\ - "\nINFO: 'docker run --user ${UID} --volume ${BASEDIR}:${WORKDIR} openziti/ziti-builder ${WORKDIR}/${BASENAME} ${*}'" + "\nINFO: 'docker run --user ${UID} --volume ${REPODIR}:${WORKDIR} openziti/ziti-builder ${WORKDIR}/${SCRIPTSDIR}/${BASENAME} ${*}'" exec docker run \ --rm \ --user "${UID}" \ - --volume "${BASEDIR}:${WORKDIR}" \ + --volume "${REPODIR}:${WORKDIR}" \ --platform "linux/amd64" \ openziti/ziti-builder \ - "${WORKDIR}/${BASENAME}" "${@}" + "${WORKDIR}/${SCRIPTSDIR}/${BASENAME}" "${@}" fi } @@ -76,11 +84,13 @@ function main() { # they're being ignored when an override command is sent at the same time : "${OPTS:=0}" - while getopts 'c::p:t:' OPT; do + while getopts 'c:e:p:t:' OPT; do case "${OPT}" in c) CMAKE_CONFIG="${OPTARG}" OPTS=1 ;; + e) CMAKE_EXTRA_ARGS="${OPTARG}" + ;; p) CMAKE_PRESET="${OPTARG}" OPTS=1 ;; @@ -101,6 +111,7 @@ function main() { if (( OPTS )); then echo "WARN: ignoring options because override command is present" >&2 fi + cd "${REPODIR}" exec "${@}" else [[ -d ./build ]] && rm -rf ./build @@ -113,7 +124,8 @@ function main() { -DBUILD_DIST_PACKAGES="${BUILD_DIST_PACKAGES:-OFF}" \ -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/ubuntu18" \ -S . \ - -B ./build + -B ./build \ + "${CMAKE_EXTRA_ARGS:-}" cmake \ --build ./build \ --config "${CMAKE_CONFIG:-Release}" \ From 689802201210cc57738624b28475c44bf7c869c8 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Fri, 18 Aug 2023 16:28:15 +0000 Subject: [PATCH 002/251] push packages to artifactory again (#710) * check release event for prerelease * ensure cmake version discovery works --- .github/workflows/cmake.yml | 13 +++++++++++++ .github/workflows/cpack.yml | 6 +++--- 2 files changed, 16 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml index c312c106..3b511786 100644 --- a/.github/workflows/cmake.yml 
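Review bot: `"${CMAKE_EXTRA_ARGS:-}"` at the end of the configure command (hunk `@@ -113,7 +124,8`) is quoted, so when `-e` is not given cmake receives a literal empty argument, and when it is given the whole value arrives as one argument, so `-e "-DA=1 -DB=2"` cannot pass two options. An array keeps both cases correct: initialise `CMAKE_EXTRA_ARGS=()` before the getopts loop, collect with `e) CMAKE_EXTRA_ARGS+=("${OPTARG}")` in hunk `@@ -76,11 +84,13`, and expand with `${CMAKE_EXTRA_ARGS[@]+"${CMAKE_EXTRA_ARGS[@]}"}` (the `[@]+` form stays safe under `set -u` on older bash). In the same getopts hunk the `e)` case does not set `OPTS=1` as `c)` and `p)` do, so `-e` is silently dropped when an override command is present instead of triggering the existing WARN. main() continues outside the hunk.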
+++ b/.github/workflows/cmake.yml @@ -54,6 +54,19 @@ jobs: preset: linux-arm64-static-libssl steps: + # only focal-20.04 has >= 2.18, which is required by actions/checkout to clone + # which enables cmake version discovery. remove this step when openziti:ziti-builder + # is upgraded to a version that contains git 2.18+ + - name: install contemporary Git if Ubuntu + if: ${{ matrix.distro.name == 'ubuntu' }} + run: | + apt -y update + apt-get -y install software-properties-common + add-apt-repository -y ppa:git-core/ppa + apt -y update + apt -y install git + git --version + - name: checkout workspace uses: actions/checkout@v3 with: diff --git a/.github/workflows/cpack.yml b/.github/workflows/cpack.yml index e6488a27..93c69ac6 100644 --- a/.github/workflows/cpack.yml +++ b/.github/workflows/cpack.yml @@ -180,13 +180,13 @@ jobs: if-no-files-found: error - name: Configure jFrog CLI - if: ${{ github.event.release.published && startsWith(github.ref, 'refs/tags/v') }} + if: ${{ !github.event.release.prerelease && startsWith(github.ref, 'refs/tags/v') }} uses: jfrog/setup-jfrog-cli@v3 env: JF_ENV_1: ${{ secrets.ZITI_ARTIFACTORY_CLI_CONFIG_PACKAGE_UPLOAD }} - name: Upload RPM to Artifactory with jFrog CLI - if: ${{ github.event.release.published && startsWith(github.ref, 'refs/tags/v') && matrix.distro.name == 'redhat' }} + if: ${{ !github.event.release.prerelease && startsWith(github.ref, 'refs/tags/v') && matrix.distro.name == 'redhat' }} run: > jf rt upload ./build/ziti-edge-tunnel-*.${{ matrix.distro.type }} @@ -195,7 +195,7 @@ jobs: --flat=true - name: Upload DEB to Artifactory with jFrog CLI - if: ${{ github.event.release.published && startsWith(github.ref, 'refs/tags/v') && matrix.distro.name == 'ubuntu' }} + if: ${{ !github.event.release.prerelease && startsWith(github.ref, 'refs/tags/v') && matrix.distro.name == 'ubuntu' }} run: > jf rt upload ./build/ziti-edge-tunnel-*.${{ matrix.distro.type }} From 790863c03c7a88cf1d87e287c71ca7662ecf156c Mon Sep 17 00:00:00 2001 
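Review bot: The new step mixes `apt -y update` with `apt-get -y install …`; `apt` warns that its CLI is not stable for scripts, so `apt-get` throughout is the safer choice in a workflow. The step also pulls git from a third-party PPA at build time with no pin, so the toolchain used to produce release artifacts can change underneath the build; the comment already marks the step as temporary, and naming the removal condition in the step itself, e.g. `name: install Git >= 2.18 (temporary until ziti-builder ships it)`, makes that visible in the run log. Using `apt-get install -y --no-install-recommends` would also keep the container delta small.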
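Review bot: `!github.event.release.prerelease` is true whenever the workflow is not triggered by a release event, because the `release` object is then absent, so with this condition a plain push of a `v*` tag satisfies the guard and runs the Artifactory upload with the `ZITI_ARTIFACTORY_CLI_CONFIG_PACKAGE_UPLOAD` secret. Guard on the event type as well, `if: ${{ github.event_name == 'release' && !github.event.release.prerelease && startsWith(github.ref, 'refs/tags/v') }}`, on this step and on the RPM and DEB upload steps in the following hunks (`@@ -180` and `@@ -195`). Patch 012 further down this series adds exactly that guard.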
From: Shawn Carey Date: Fri, 18 Aug 2023 17:55:08 +0000 Subject: [PATCH 003/251] ensure cmake version discovery works (#711) --- .github/workflows/cmake.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml index 3b511786..d0d01fe1 100644 --- a/.github/workflows/cmake.yml +++ b/.github/workflows/cmake.yml @@ -57,8 +57,8 @@ jobs: # only focal-20.04 has >= 2.18, which is required by actions/checkout to clone # which enables cmake version discovery. remove this step when openziti:ziti-builder # is upgraded to a version that contains git 2.18+ - - name: install contemporary Git if Ubuntu - if: ${{ matrix.distro.name == 'ubuntu' }} + - name: install contemporary Git if using ziti-builder + if: ${{ startsWith(matrix.container, 'openziti/ziti-builder') }} run: | apt -y update apt-get -y install software-properties-common From 77dcb27b7633a95b0de98499fdafd6a095a54b0a Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Mon, 21 Aug 2023 12:24:03 +0000 Subject: [PATCH 004/251] require semver verification for non-package builds too (#712) --- CMakeLists.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index f61e95b0..df570bea 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -54,8 +54,8 @@ endif() option(DISABLE_SEMVER_VERIFICATION "Toggle SEMVER verification for BUILD_DIST_PACKAGES" OFF) option(BUILD_DIST_PACKAGES "Build packages for distribution package managers" OFF) -# Require explicitly disabling SEMVER verification for building DIST packages. -if(NOT DISABLE_SEMVER_VERIFICATION AND BUILD_DIST_PACKAGES AND PROJECT_SEMVER VERSION_EQUAL "${DUMMY_SEMVER}") +# verify the semver unless DISABLE option is set +if((NOT DISABLE_SEMVER_VERIFICATION) AND PROJECT_SEMVER VERSION_EQUAL "${DUMMY_SEMVER}") unset(GIT_VERSION CACHE) unset(GIT_ERROR_CODE CACHE) unset(PROJECT_SEMVER CACHE) From 130e9cace156c54620298a0fa2c6559138f6c452 Mon Sep 17 00:00:00 2001 
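Review bot: With the condition no longer tied to `BUILD_DIST_PACKAGES`, the help text of `option(DISABLE_SEMVER_VERIFICATION "Toggle SEMVER verification for BUILD_DIST_PACKAGES" OFF)` two lines above the change is now misleading; suggest `"Skip verification that a real semver was discovered from git (applies to all builds)"`. The new comment `# verify the semver unless DISABLE option is set` could also say what verification means here — that configuration fails while `PROJECT_SEMVER` still equals `DUMMY_SEMVER` — since the block that acts on it continues outside the hunk.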
From: Kenneth Bingham Date: Mon, 21 Aug 2023 15:43:53 -0400 Subject: [PATCH 005/251] let others read the Linux package signing pubkey; resolves #714 --- scripts/install-ubuntu.bash | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts/install-ubuntu.bash b/scripts/install-ubuntu.bash index 4b4ae328..1e2d3f77 100755 --- a/scripts/install-ubuntu.bash +++ b/scripts/install-ubuntu.bash @@ -30,6 +30,8 @@ esac curl -sSLf https://get.openziti.io/tun/package-repos.gpg \ | sudo gpg --dearmor --output /usr/share/keyrings/openziti.gpg +sudo chmod +r /usr/share/keyrings/openziti.gpg + echo "deb [signed-by=/usr/share/keyrings/openziti.gpg] https://packages.openziti.org/zitipax-openziti-deb-stable ${UBUNTU_LTS} main" \ | sudo tee /etc/apt/sources.list.d/openziti.list >/dev/null From 3d7c67ebcf3b7cfafeb6c1098c1e361f1c5742ef Mon Sep 17 00:00:00 2001 From: "Steven A. Broderick Elias" Date: Wed, 23 Aug 2023 13:13:10 -0400 Subject: [PATCH 006/251] Fixes double free in buffer cleanup. Ensures buffer is freed correctly. --- .../netif_driver/linux/resolvers.c | 44 +++++++++---------- 1 file changed, 21 insertions(+), 23 deletions(-) diff --git a/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c b/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c index ff2be082..8e8ec923 100644 --- a/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c +++ b/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c 
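Review bot: `sudo chmod +r /usr/share/keyrings/openziti.gpg` sets only the read bits that the caller's umask permits, so under a restrictive umask (e.g. 077) the keyring stays unreadable to the apt user and the failure this commit addresses (#714 per the subject) recurs. Use an explicit who or mode: `sudo chmod a+r /usr/share/keyrings/openziti.gpg` or `sudo chmod 0644 /usr/share/keyrings/openziti.gpg`. Alternatively have `gpg --dearmor` write to a temp file and `sudo install -m 0644` it into place, which sets the mode in the same step that creates the file.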
@@ -420,25 +420,25 @@ void dns_update_resolvconf(const char *tun, unsigned int ifindex, const char *ad static bool make_copy(const char *src, const char *dst) { - uv_fs_t *req = (uv_fs_t *)malloc(sizeof(uv_fs_t)); + uv_fs_t req = {0}; ZITI_LOG(INFO, "attempting copy of: %s", src); - int ret = uv_fs_copyfile(uv_default_loop(), req, src, dst, UV_FS_COPYFILE_EXCL, NULL); + int ret = uv_fs_copyfile(uv_default_loop(), &req, src, dst, UV_FS_COPYFILE_EXCL, NULL); - if (req->result < 0) { - if (req->result == UV_EEXIST) { - ZITI_LOG(DEBUG, "%s has already been copied", req->path); + if (req.result < 0) { + if (req.result == UV_EEXIST) { + ZITI_LOG(DEBUG, "%s has already been copied", req.path); } else { - ZITI_LOG(WARN, "could not create copy[%s]: %s", req->new_path, uv_strerror(req->result)); - uv_fs_req_cleanup(req); + ZITI_LOG(WARN, "could not create copy[%s]: %s", req.new_path, uv_strerror(req.result)); + uv_fs_req_cleanup(&req); return false; } } - ZITI_LOG(INFO, "copy successful: %s", req->new_path); + ZITI_LOG(INFO, "copy successful: %s", req.new_path); - uv_fs_req_cleanup(req); + uv_fs_req_cleanup(&req); return true; } @@ -480,7 +480,7 @@ void dns_update_etc_resolv(const char *tun, unsigned int ifindex, const char *ad return; } - char *buffer = NULL; + _cleanup_(cleanup_bufferp) char *buffer = NULL; size_t buffer_size; ssize_t line_size; off_t match_start_offset = -1; @@ -488,7 +488,7 @@ void dns_update_etc_resolv(const char *tun, unsigned int ifindex, const char *ad while((line_size = getline(&buffer, &buffer_size, file)) != -1) { if(strstr(buffer, match) != NULL) { if(strstr(buffer, replace) != NULL) { - ZITI_LOG(TRACE, "ziti nameserver is already in %s", RESOLV_CONF_FILE); + ZITI_LOG(DEBUG, "ziti nameserver is already in %s", RESOLV_CONF_FILE); return; } match_start_offset = ftell(file) - line_size; 
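Review bot: In make_copy the synchronous `uv_fs_copyfile` result is stored in `ret` but never read; the function consults `req.result` instead, so `ret` is dead and will be flagged by `-Wunused-variable`. Either drop the variable, `uv_fs_copyfile(uv_default_loop(), &req, src, dst, UV_FS_COPYFILE_EXCL, NULL);`, or test `ret` and keep `req.result` only for the error text. Moving `req` to the stack removes the old heap allocation, but since `req.path`/`req.new_path` are released by `uv_fs_req_cleanup`, a short comment such as `// req is stack-owned; cleanup still required on every path` would keep the next editor from adding a `free(req)`. In hunk `@@ -480,7 +480,7` `size_t buffer_size;` is passed to `getline` uninitialised; that is accepted because `buffer` starts NULL, but `size_t buffer_size = 0;` removes the dependence on that rule.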
@@ -537,11 +537,8 @@ void dns_update_etc_resolv(const char *tun, unsigned int ifindex, const char *ad CLEANUP_ETC_RESOLV(); } - // Handle case in which realloc moves the memory block - // and calls free() - if (rptr != replace) { - replace = NULL; - } + // prevent double free() when cleanup_bufferp() is called + replace = NULL; strcat(rptr, remaining_content); @@ -560,16 +557,17 @@ void dns_update_etc_resolv(const char *tun, unsigned int ifindex, const char *ad CLEANUP_ETC_RESOLV(); } } - ZITI_LOG(DEBUG, "Added ziti DNS resolver to %s", RESOLV_CONF_FILE); - return; + } else { + // If no nameserver directives to prepend, just append to the file. + if (fputs(replace, file) == EOF) { + ZITI_LOG(ERROR, "EOF received while appending to: %s", RESOLV_CONF_FILE); + CLEANUP_ETC_RESOLV(); + } } - // If no nameserver directives to prepend, just append to the file. - if (fputs(replace, file) == EOF) { - ZITI_LOG(ERROR, "EOF received while appending to: %s", RESOLV_CONF_FILE); - CLEANUP_ETC_RESOLV(); - } + ZITI_LOG(DEBUG, "Added ziti DNS resolver to %s", RESOLV_CONF_FILE); + return; } From 1144c30b2734919b6f7d3c45769ea288e18764a5 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Wed, 23 Aug 2023 17:32:01 -0400 Subject: [PATCH 007/251] use openziti/hello-world container image --- docker/docker-compose.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index fa8da3ca..6a6f5a03 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml @@ -61,8 +61,8 @@ services: - ziti-host privileged: false # no privileges necessary for run-host mode - hello: # http://hello:8080 from bridge network "ziti-host" - image: netfoundry/hello-world-webpage + hello: # http://hello:8000 from bridge network "ziti-host" + image: openziti/hello-world networks: - ziti-host From 5e2c3629945e4a184e30ae54755f49f44c13e350 Mon Sep 17 00:00:00 2001 
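Review bot: The replacement comment `// prevent double free() when cleanup_bufferp() is called` says what is avoided but not why clearing unconditionally is right: after a successful `realloc`, `rptr` owns the block whether or not it moved, and the old `rptr != replace` test left `replace` and `rptr` aliased when the block did not move, which is the double free this commit fixes. Suggest `// rptr owns the (possibly moved) block from here on; clear replace so its _cleanup_ handler does not free it a second time`. This relies on `rptr` being freed elsewhere and on the realloc-failure path handling `replace` — both outside the hunk, so confirm there. In hunk `@@ -560,16 +557,17` the final `ZITI_LOG(DEBUG, "Added ziti DNS resolver…")` is now reached after the `fputs` error branch as well, which is only correct if `CLEANUP_ETC_RESOLV()` returns from the function; the macro is not visible here.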
From: Shawn Carey Date: Thu, 24 Aug 2023 16:16:32 +0000 Subject: [PATCH 008/251] use mbedtls (#719) --- CMakePresets.json | 2 +- vcpkg.json | 5 +---- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/CMakePresets.json b/CMakePresets.json index cde3bfab..58ec46ae 100644 --- a/CMakePresets.json +++ b/CMakePresets.json @@ -110,7 +110,7 @@ "hidden": true, "cacheVariables": { "CMAKE_BUILD_TYPE": "Release", - "TLSUV_TLSLIB": "openssl" + "TLSUV_TLSLIB": "mbedtls" } }, { diff --git a/vcpkg.json b/vcpkg.json index a2eb0efe..7ae9dfa6 100644 --- a/vcpkg.json +++ b/vcpkg.json @@ -7,10 +7,7 @@ "llhttp", "libsodium", "getopt", - { - "name": "openssl", - "$comment": "on linux we use system installed OpenSSL, as determined by vcpkg-overlays/linux-syslibs)" - } + "mbedtls" ], "features": { "test": { From cadbbc63b7dff0768692f9603cc0ff2f7b05bd1e Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Thu, 24 Aug 2023 17:11:00 +0000 Subject: [PATCH 009/251] don't use -static-libssl cmake presets when building with mbedtls (#720) --- .github/workflows/cmake.yml | 6 +++--- .github/workflows/release.yml | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml index d0d01fe1..ce059ed0 100644 --- a/.github/workflows/cmake.yml +++ b/.github/workflows/cmake.yml @@ -41,17 +41,17 @@ jobs: - os: ubuntu-20.04 container: openziti/ziti-builder:1.0.3 name: Linux x86_64 - preset: linux-x64-static-libssl + preset: linux-x64 - os: ubuntu-20.04 container: openziti/ziti-builder:1.0.3 name: Linux arm - preset: linux-arm-static-libssl + preset: linux-arm - os: ubuntu-20.04 container: openziti/ziti-builder:1.0.3 name: Linux arm64 - preset: linux-arm64-static-libssl + preset: linux-arm64 steps: # only focal-20.04 has >= 2.18, which is required by actions/checkout to clone diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5b5b9c65..85647262 100644 --- a/.github/workflows/release.yml 
+++ b/.github/workflows/release.yml @@ -33,8 +33,8 @@ jobs: prerelease: false fail_on_unmatched_files: true files: | - ${{ runner.workspace }}/downloads/linux-x64-static-libssl/ziti-edge-tunnel-Linux_x86_64.zip - ${{ runner.workspace }}/downloads/linux-arm-static-libssl/ziti-edge-tunnel-Linux_arm.zip + ${{ runner.workspace }}/downloads/linux-x64/ziti-edge-tunnel-Linux_x86_64.zip + ${{ runner.workspace }}/downloads/linux-arm/ziti-edge-tunnel-Linux_arm.zip ${{ runner.workspace }}/downloads/macOS-x64/ziti-edge-tunnel-Darwin_x86_64.zip ${{ runner.workspace }}/downloads/macOS-arm64/ziti-edge-tunnel-Darwin_arm64.zip @@ -48,7 +48,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ steps.get_release.outputs.upload_url }} - asset_path: ${{ runner.workspace }}/downloads/linux-arm64-static-libssl/ziti-edge-tunnel-Linux_aarch64.zip + asset_path: ${{ runner.workspace }}/downloads/linux-arm64/ziti-edge-tunnel-Linux_aarch64.zip asset_name: ziti-edge-tunnel-Linux_arm64.zip asset_content_type: application/octet-stream From 44b45ccdf53532ad9ad8c16c44fa2e089fc6b61b Mon Sep 17 00:00:00 2001 From: Ken Bingham Date: Tue, 29 Aug 2023 07:39:36 -0400 Subject: [PATCH 010/251] document verbose container args --- docker/README.md | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/docker/README.md b/docker/README.md index 1953d7ba..7ed1d3c4 100644 --- a/docker/README.md +++ b/docker/README.md 
@@ -120,6 +120,20 @@ This example uses [the included Docker Compose project](docker-compose.yml) to i 1. Access the demo server via your OpenZiti Network: [http://hello-docker.ziti](http://hello-docker.ziti) +#### Troubleshooting `openziti/ziti-host` + +You may pass additional args by supplying the `run-host` mode and args when the container is run. + +```bash +docker run \ + --name ziti-host \ + --rm \ + --network=my-docker-bridge \ + --env ZITI_IDENTITY_JSON="$(< /opt/openziti/etc/identities/my-ziti-identity.json)" \ + openziti/ziti-host \ + run-host --verbose=4 +``` + #### Docker Compose Examples for `openziti/ziti-host` Get a single, enrolled identity configuration from an environment variable. You could define the variable with an `.env` file in the same directory as `docker-compose.yml`. @@ -220,6 +234,23 @@ docker run \ openziti/ziti-edge-tunnel ``` +#### Troubleshooting `openziti/ziti-edge-tunnel` + +You may pass additional args by supplying the `run` mode followed by args when the container is run. + +```bash +docker run \ + --name ziti-tun \ + --network host \ + --privileged \ + --volume ${PWD}:/ziti-edge-tunnel/ \ + --volume "/var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket" \ + --device "/dev/net/tun:/dev/net/tun" \ + --env ZITI_IDENTITY_BASENAME=ziti_id \ + openziti/ziti-edge-tunnel \ + run --verbose=4 +``` + #### Docker Compose Examples for `openziti/ziti-edge-tunnel` This example uses [the Docker Compose project](docker-compose.yml) included in this repo. From a61b8065e1540abcc84d7184a46b34352279d0ce Mon Sep 17 00:00:00 2001 From: Ken Bingham Date: Tue, 29 Aug 2023 17:35:46 -0400 Subject: [PATCH 011/251] Update docker/README.md --- docker/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/README.md b/docker/README.md index 7ed1d3c4..a84166e6 100644 --- a/docker/README.md +++ b/docker/README.md 
@@ -240,7 +240,7 @@ You may pass additional args by supplying the `run` mode followed by args when t ```bash docker run \ - --name ziti-tun \ + --name ziti-edge-tunnel \ --network host \ --privileged \ --volume ${PWD}:/ziti-edge-tunnel/ \ From d170b1e604ecd3fd27579b45d92a443d56689b8d Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Wed, 30 Aug 2023 15:53:23 +0000 Subject: [PATCH 012/251] only upload packages to artifactory for release events (#724) --- .github/workflows/cpack.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/cpack.yml b/.github/workflows/cpack.yml index 93c69ac6..73f4446e 100644 --- a/.github/workflows/cpack.yml +++ b/.github/workflows/cpack.yml @@ -180,13 +180,13 @@ jobs: if-no-files-found: error - name: Configure jFrog CLI - if: ${{ !github.event.release.prerelease && startsWith(github.ref, 'refs/tags/v') }} + if: ${{ github.event_name == 'release' && !github.event.release.prerelease && startsWith(github.ref, 'refs/tags/v') }} uses: jfrog/setup-jfrog-cli@v3 env: JF_ENV_1: ${{ secrets.ZITI_ARTIFACTORY_CLI_CONFIG_PACKAGE_UPLOAD }} - name: Upload RPM to Artifactory with jFrog CLI - if: ${{ !github.event.release.prerelease && startsWith(github.ref, 'refs/tags/v') && matrix.distro.name == 'redhat' }} + if: ${{ github.event_name == 'release' && !github.event.release.prerelease && startsWith(github.ref, 'refs/tags/v') && matrix.distro.name == 'redhat' }} run: > jf rt upload ./build/ziti-edge-tunnel-*.${{ matrix.distro.type }} @@ -195,7 +195,7 @@ jobs: --flat=true - name: Upload DEB to Artifactory with jFrog CLI - if: ${{ !github.event.release.prerelease && startsWith(github.ref, 'refs/tags/v') && matrix.distro.name == 'ubuntu' }} + if: ${{ github.event_name == 'release' && !github.event.release.prerelease && startsWith(github.ref, 'refs/tags/v') && matrix.distro.name == 'ubuntu' }} run: > jf rt upload ./build/ziti-edge-tunnel-*.${{ matrix.distro.type }} 
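Review bot: The same three-term condition is now repeated on three steps (this hunk and the DEB step in `@@ -195`), and the three copies already drifted once between patch 002 and this one; a single job-level expression keeps them aligned. For example define `env: PUBLISH_TO_ARTIFACTORY: ${{ github.event_name == 'release' && !github.event.release.prerelease && startsWith(github.ref, 'refs/tags/v') }}` on the job and use `if: ${{ env.PUBLISH_TO_ARTIFACTORY == 'true' && matrix.distro.name == 'redhat' }}` on each upload step. Whether the job already carries an `env:` block is outside the hunk.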
From d6254bd5fca08c63a1c34515ee8040b834fc3026 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Tue, 5 Sep 2023 15:35:29 -0400 Subject: [PATCH 013/251] do not let the Linux package signing pubkey expire --- package-repos.gpg | 58 +++++++++++++++++++++++------------------------ 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/package-repos.gpg b/package-repos.gpg index 5cee3489..4476fd12 100644 --- a/package-repos.gpg +++ b/package-repos.gpg 
@@ -9,33 +9,33 @@ OpMJNxvaVNFScXSlkqYvlFcLe3B/UhYPds9UTndeI3THnHb3v1r57pkadfp2r45Z 8nQdwoS+XLdU8S/S22XjKNv06GmEQja3G/QVcSnFsbo9Y9DzYyB9hIjRXIZjZ2bt Mn8YXcgYqyW1NIZy0/1oyZoNmXbTiQsgTK74gRpXLSIT/rQEFUy3+s/n+ZggQcYt phs02DQI0wXoJN0AEQEAAbQtT3BlblppdGkgRGV2ZWxvcGVycyA8ZGV2ZWxvcGVy -c0BvcGVueml0aS5vcmc+iQHUBBMBCgA+FiEENMvPGEJ9iBS1vbsN3jYj7wjJluUF -AmLMgtICGwMFCQPCZwAFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AACgkQ3jYj7wjJ -luVbDgwAoSffOAZT35se4fxUNzlQkDWAN1rvopxgXPRubT5SFMRCzEfaF4YteQL4 -zI4ibNwNyVJ9PLDVEpxG8Voxlnc4gXQLxaKMVXCC2A/D+HvMyrbTwYj+dcWSZtSH -Qjs7pzefRji1B7do/szyPP3DaItOXsF709oAMyZuxq226BmRHa2BHNgUooj8Rrk+ -m4kW6PIyMCJ1gClFEjY32JGIAKvpP/riUMjFIEzOV0WlEYTV6xf97OE558V4AMaw -SW4MSnER7kBSWKWBVv9s6+BqHLRwFcnR5ZJvkuEmZT0tnJiW52hXJiP//A7KcCDd -e9ioU/tBx/uhdE2diZhpHv+PHzW62U+cT+6T/5EWadNPliIdIQt9y93gEIYVfyHB -Ly6fEMJZBf1mhBFvDAc/6tmZamEgD7N4vix6Z0o+5U5fRY9jWORxka5fDWX5HN+t -pmEf2F0qXN2oNobJE1RPhBBR99JojQaVoRpI6EthbhMVc7XsNNSMG6XglSE3p1K1 -tqf51dmMuQGNBGLMgtIBDADiUbMpm9jyARnA9gHbziEOfC89skWJvjT5nuMFoQSg -Gpu/Tpgrc42JHrJtFv6J+5gmkFunX1HOcymqdMLS99OLFx+/1D/1JiWYoffsNiWu -qxAOGC8MhvvLRsv4ahP8F/hHnl+zgUaPKglO1yUSdOE3EalV1H+nCE6iLHCF2iZc -9+voNdul9xIJfJAlykdpfgY5+3RN3l6tFrX6BxEzlZsH6eM/V/iFsQubOkM6JXge -4s5lySimblvr1HSfDr84+dvyF+QnJ8QOJDD7B9oXpoG4lG9a8GFK16wLUq3n+3w7 -x4zs515s5CjKPVZBsNLgIqmXitGSOFHSWYqZA+8oHl6XzpbVBik9wQZuzJwLnTiN -uvbx5ndXgvYUAVNwKUZpO5phEM6F166qb8MQmVTyTWUB1lC6/xbSlP83g4l2mwOb -YqsKCRyEqAqK0GdG2dO397JHPCibi/PmyjSaQRzeHh2LWnC8YM/hqwChdMooP73v -5gnxZ+3ltUeSR0sK+OyxR98AEQEAAYkBvAQYAQoAJhYhBDTLzxhCfYgUtb27Dd42 -I+8IyZblBQJizILSAhsMBQkDwmcAAAoJEN42I+8IyZblHBAL/0VrLlKDFoy91rPA -F44+RFdGoQ7wb+t7uR41821Q2C3wcz2R9+e1/0/SUsnu1KG9twUsiFbgxMyI8tj4 -1BlAKdmIHvjLVVdasx/tP/CjahUID0ecbd+g0HtfRVNN18Z1amPgQe8ztaHQhH0n -EmC7wLR4Z4VJjhJmSgyG19GEOmPrsHJxmSYtISyZ84eqkMauQpV+m2Ipmw5gCxvz -Hz+3yK53LRh7Yr9utRnyyssiCGyepYSeXwZ4teJg7CbZEqT7GIjj8A+Jpumqc1UJ -roX0wFHN9l5mjEIck8QCLBFNeysDfI+HAlqnCpsoMDBufdBTgYZtKDCv640FQS4l -VMyZVdLhJ2AYeq2dlcSpCi/qeKX+Ik23k9hq69wVyuwWhenGAeAj8Po8jhzq43Bn 
-FGJ0QVYloHa3CWUQVycWjkt7N3GYhVa9RPS3HHj/XwHYUWI0PpE2rUrCtHC62Ecq -JOr5kDFAFInkdZouGw09jHGc0rZV8qVeHUkiVxgvkZjalyw+qw== -=zftM +c0BvcGVueml0aS5vcmc+iQHOBBMBCgA4AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4B +AheAFiEENMvPGEJ9iBS1vbsN3jYj7wjJluUFAmT3gMYACgkQ3jYj7wjJluXxbwv9 +Ge1iagTLnM54a9oJZC5+4tODj0yKpxLvM6FOYR7lZlvKhxLLJdcObvlNDXutrqko +ujGDg3qPlAKVmCgLfceVhNPtjFKO0IH3AMxZmpjnowezqm4AlPCBXY6gDbxB58WO +trQKVHEL7C52ae0Q+pBvzOE19KU1ggQBJS3oPWjiM5S+vSy+PYrasCLM1NSD9ONj +tIekJ7LhUD2vdumr26felMZ7p147vpxiO1jBGxV5m/HYV39QOibTLMcxM2wzKNCC +vHnmx3t5LmVlNqiH1NaQH4qeZIQDjqHc21tRSR30OUKjClqiBtxOGIttRa2yaZWQ +Xj8/5+1WSBMyE6zL3106QYwu5yf+gjHwm0IO+qciM4BwhHq+wulLocPlyQOlV+Wn +LkZizml4UP+BlJ26E90pgvtN1sIF88PyCdpq0KlPUa38F7wK7ucu4y31p9SGQoWJ +XiA4gJ0z80NTHNm87BbicvuM/Gn1XARGkHLenlblJw0qNOaZ0JRoNlb83ds7ZWj/ +uQGNBGLMgtIBDADiUbMpm9jyARnA9gHbziEOfC89skWJvjT5nuMFoQSgGpu/Tpgr +c42JHrJtFv6J+5gmkFunX1HOcymqdMLS99OLFx+/1D/1JiWYoffsNiWuqxAOGC8M +hvvLRsv4ahP8F/hHnl+zgUaPKglO1yUSdOE3EalV1H+nCE6iLHCF2iZc9+voNdul +9xIJfJAlykdpfgY5+3RN3l6tFrX6BxEzlZsH6eM/V/iFsQubOkM6JXge4s5lySim +blvr1HSfDr84+dvyF+QnJ8QOJDD7B9oXpoG4lG9a8GFK16wLUq3n+3w7x4zs515s +5CjKPVZBsNLgIqmXitGSOFHSWYqZA+8oHl6XzpbVBik9wQZuzJwLnTiNuvbx5ndX +gvYUAVNwKUZpO5phEM6F166qb8MQmVTyTWUB1lC6/xbSlP83g4l2mwObYqsKCRyE +qAqK0GdG2dO397JHPCibi/PmyjSaQRzeHh2LWnC8YM/hqwChdMooP73v5gnxZ+3l +tUeSR0sK+OyxR98AEQEAAYkBtgQYAQoAIAIbDBYhBDTLzxhCfYgUtb27Dd42I+8I +yZblBQJk94EDAAoJEN42I+8IyZblQzoL/imuppfaVcMQ4Qe0c+JEV0NQKwLIgnUy +bky26yyQ8DCOZUYGNQJORLXrWthSWWz6TBldfwoYOlof2qgOYpV/EEOo8l8uuqqP +CPQQI47mKF0As49RsWssEaRTqRpzIUgU/W2vpcub3b+NSzO4N2hBFvTx+SfSCLTC +53x1hP7QPR5BMiWGJ0ti9YIhJAWn65DmA33MUh0DoNeQW2+k5g35sHLREWsG/qB4 +nai7HrkKPIrI/J4eAwYSS2pxyT1IJ00YnTkjziICeZqxVBeox6d3zrYOrR3RB/rq +29beypZMZLqV3N5O/lOk6Mf6aaVdC484TYiqD7RwGNNGRJgT/BOElYG+Pj3i3yDD +cAIW8uxIQRVvasqJNZfPfIiVYVFQotivFWEyElXCPFdq2RTBDZ87Lyb1m1lkxLQf +vGibIWaL0W7L7CmeWQLpw8eAUiPX9RZMYD8dTwt9LGcXy7jS3FgEKxvlsrRpB8hn +n805lmL41AqzItzehi/DGxwjZpC6lYxQBA== +=vK0d -----END PGP PUBLIC KEY BLOCK----- 
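Review bot: The commit replaces the self-signature portion of the repository's package-signing public key, but the message records neither the key fingerprint nor the new expiry, so a reviewer cannot tell from the armored diff that only the expiration changed and not the key itself. Suggest adding to the commit description the output of `gpg --show-keys --with-fingerprint package-repos.gpg` before and after (fingerprint, creation date, new expiry) and stating that the subkey packet further down appears unchanged apart from base64 re-wrapping. Since this file is what `scripts/install-ubuntu.bash` fetches from `get.openziti.io` and installs as the apt trust anchor, consumers who pinned the previous fingerprint should be able to confirm it from the commit rather than by decoding the block themselves.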
From 5dad8ebf2c5ac8a32ebcd43d9c320093b2a72af8 Mon Sep 17 00:00:00 2001 From: Eugene K Date: Tue, 12 Sep 2023 12:59:11 -0400 Subject: [PATCH 014/251] update ziti-sdk@0.34.1 --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index df570bea..31db4235 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20) set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout") -set(ZITI_SDK_VERSION "0.33.4" CACHE STRING "ziti-sdk-c version or branch to use") +set(ZITI_SDK_VERSION "0.34.1" CACHE STRING "ziti-sdk-c version or branch to use") # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF) From 97766f68a7433f004f1fc7277dc5a62343b16520 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Tue, 12 Sep 2023 18:25:16 +0000 Subject: [PATCH 015/251] install the service unit file instead of symlinking. (#727) --- programs/ziti-edge-tunnel/package/deb/postinst.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/programs/ziti-edge-tunnel/package/deb/postinst.in b/programs/ziti-edge-tunnel/package/deb/postinst.in index ce7e4822..1ff9f43c 100644 --- a/programs/ziti-edge-tunnel/package/deb/postinst.in +++ b/programs/ziti-edge-tunnel/package/deb/postinst.in @@ -1,5 +1,5 @@ ln -sf @CPACK_BIN_DIR@/@CPACK_PACKAGE_NAME@ /usr/bin/@CPACK_PACKAGE_NAME@ -ln -sf @CPACK_SHARE_DIR@/@SYSTEMD_UNIT_FILE_NAME@ @SYSTEMD_UNIT_DIR@/@SYSTEMD_UNIT_FILE_NAME@ +install -m 644 @CPACK_SHARE_DIR@/@SYSTEMD_UNIT_FILE_NAME@ @SYSTEMD_UNIT_DIR@/@SYSTEMD_UNIT_FILE_NAME@ # Source debconf library. . /usr/share/debconf/confmodule From 57e5571816dadd0e1347c22637db4fc9ef7a234e Mon Sep 17 00:00:00 2001 
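Review bot: `install -m 644 … @SYSTEMD_UNIT_DIR@/@SYSTEMD_UNIT_FILE_NAME@` copies the unit at install time, so the file in the unit directory is not tracked by dpkg: it is left behind on purge unless a `postrm` removes it, and that is not part of this patch. If the unit ships under `@CPACK_SHARE_DIR@` only to be copied, packaging it directly into `@SYSTEMD_UNIT_DIR@` would let dpkg own it and handle removal and upgrades. A `systemctl daemon-reload` is also needed for systemd to notice the copied file; whether the rest of postinst does that is outside the hunk.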
From: Eugene K Date: Wed, 13 Sep 2023 10:30:19 -0400 Subject: [PATCH 016/251] process CA bundle event - re-write config file or external CA bundle file --- .../include/ziti/ziti_tunnel_cbs.h | 3 +- lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c | 76 +++++++++++++++---- 2 files changed, 63 insertions(+), 16 deletions(-) diff --git a/lib/ziti-tunnel-cbs/include/ziti/ziti_tunnel_cbs.h b/lib/ziti-tunnel-cbs/include/ziti/ziti_tunnel_cbs.h index d537d9ac..7a412ce6 100644 --- a/lib/ziti-tunnel-cbs/include/ziti/ziti_tunnel_cbs.h +++ b/lib/ziti-tunnel-cbs/include/ziti/ziti_tunnel_cbs.h @@ -252,7 +252,8 @@ XX(code, int, none, code, __VA_ARGS__) #define ZTX_API_EVENT_MODEL(XX, ...) \ BASE_EVENT_MODEL(XX, __VA_ARGS__) \ -XX(new_ctrl_address, string, none, new_ctrl_address, __VA_ARGS__) +XX(new_ctrl_address, string, none, new_ctrl_address, __VA_ARGS__) \ +XX(new_ca_bundle, string, none, new_ca_bundle, __VA_ARGS__) DECLARE_MODEL(base_event, BASE_EVENT_MODEL) DECLARE_MODEL(ziti_ctx_event, ZTX_EVENT_MODEL) diff --git a/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c b/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c index 5c44f3f3..1ced8d7d 100644 --- a/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c +++ b/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c @@ -74,6 +74,7 @@ typedef struct api_update_req_s { uv_work_t wr; ziti_context ztx; char *new_url; + char *new_ca; int err; const char *errmsg; } api_update_req; 
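Review bot: The new `char *new_ca;` field in `api_update_req` is undocumented, like `new_url` beside it; both are heap strings duplicated from the API event and later moved into the config or freed by the worker, so ownership deserves a comment, e.g. `char *new_ca;  // PEM CA bundle from the API event, strdup'd in on_ziti_event; consumed (moved into cfg.id.ca or freed) by update_config`. Who frees either field when `update_config` bails out early through `CHECK_UV` is not visible in this patch (update_config_done is not shown), so confirm that path releases `new_ca` as well.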
@@ -830,12 +831,13 @@ static void on_ziti_event(ziti_context ztx, const ziti_event_t *event) { } case ZitiAPIEvent: { - if (event->event.api.new_ctrl_address) { + if (event->event.api.new_ctrl_address || event->event.api.new_ca_bundle) { if (instance->opts.config) { api_update_req *req = calloc(1, sizeof(api_update_req)); req->wr.data = req; req->ztx = ztx; - req->new_url = strdup(event->event.api.new_ctrl_address); + req->new_url = event->event.api.new_ctrl_address ? strdup(event->event.api.new_ctrl_address) : NULL; + req->new_ca = event->event.api.new_ca_bundle ? strdup(event->event.api.new_ca_bundle) : NULL; uv_queue_work(CMD_CTX.loop, &req->wr, update_config, update_config_done); } @@ -843,6 +845,7 @@ static void on_ziti_event(ziti_context ztx, const ziti_event_t *event) { ev.event_type = TunnelEvents.APIEvent; ev.identifier = instance->identifier; ev.new_ctrl_address = event->event.api.new_ctrl_address; + ev.new_ca_bundle = event->event.api.new_ca_bundle; CMD_CTX.on_event((const base_event *) &ev); } else { ZITI_LOG(WARN, "unexpected API event: new_ctrl_address is missing"); 
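Review bot: The `else` branch's message `"unexpected API event: new_ctrl_address is missing"` is now stale: the condition above it accepts either `new_ctrl_address` or `new_ca_bundle`, so it should read `ZITI_LOG(WARN, "unexpected API event: neither new_ctrl_address nor new_ca_bundle is present");`. The `calloc` of `req` and the two `strdup` calls are unchecked; a NULL from any of them sends the worker off with missing data, and since the CA bundle replaces the trust anchors used to reach the controller, failing loudly is preferable to a partial update — `if (!req || (event->event.api.new_ca_bundle && !req->new_ca)) { ZITI_LOG(ERROR, "out of memory handling API event"); /* free and return */ }`. The enclosing switch continues outside the hunk.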
@@ -1178,6 +1181,36 @@ static void on_sigdump(uv_signal_t *sig, int signum) { fclose(dumpfile); } + +static int update_file(const char *path, char *content, size_t content_len) { +#define CHECK_UV(desc, op) do{ \ + uv_fs_req_cleanup(&fs_req); \ + rc = op; \ + if (rc < 0) { \ + ZITI_LOG(ERROR, "op[" desc "] failed: %d(%s)", rc, uv_strerror(rc)); \ + goto DONE; \ + }} while(0) + + int rc = 0; + uv_fs_t fs_req = {0}; + CHECK_UV("check exiting config", uv_fs_stat(NULL, &fs_req, path, NULL)); + uint64_t mode = fs_req.statbuf.st_mode; + + char backup[FILENAME_MAX]; + snprintf(backup, sizeof(backup), "%s.bak", path); + CHECK_UV("create backup", uv_fs_rename(NULL, &fs_req, path, backup, NULL)); + + uv_os_fd_t f; + CHECK_UV("open new config", f = uv_fs_open(NULL, &fs_req, path, UV_FS_O_WRONLY | UV_FS_O_CREAT, (int) mode, NULL)); + uv_buf_t buf = uv_buf_init(content, content_len); + CHECK_UV("write new config", uv_fs_write(NULL, &fs_req, f, &buf, 1, 0, NULL)); + CHECK_UV("close new config", uv_fs_close(NULL, &fs_req, f, NULL)); + + DONE: + return rc; +#undef CHECK_UV +} + #define CHECK_UV(desc, op) do{ \ int rc = op; \ if (rc < 0) { \ @@ -1200,7 +1233,6 @@ static void update_config(uv_work_t *wr) { cfg_len = fs_req.statbuf.st_size; cfg_buf = malloc(cfg_len); - uint64_t cfg_mode = fs_req.statbuf.st_mode; CHECK_UV("open existing config", f = uv_fs_open(wr->loop, &fs_req, config_file, UV_FS_O_RDONLY, 0, NULL)); uv_buf_t buf = uv_buf_init(cfg_buf, cfg_len); CHECK_UV("read existing config", uv_fs_read(wr->loop, &fs_req, f, &buf, 1, 0, NULL)); 
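Review bot: `update_file` renames the live file to `.bak` before it has produced a replacement, then opens `path` with `O_CREAT` but without `O_EXCL` and never compares the `uv_fs_write` result with `content_len`; a failed open or a short write therefore leaves the identity config (or CA bundle) missing or truncated at `path` with the only copy in `.bak`, and the descriptor is leaked on the write/close error paths. Write the content to a sibling temp file first (create with `O_EXCL`, check the byte count, fsync, close) and only then move the original to `.bak` and rename the temp into place, so `path` always holds either the old or the complete new content. `(int) mode` passes the full `st_mode` including the file-type bits; `mode & 0777` states the intent. The `"check exiting config"` label has a typo (`existing`) and the backup `snprintf` is unchecked for truncation. The rewrite below leaves descriptor and temp-file cleanup on the fsync/close error paths to the reader; the function's `#undef` and the following `CHECK_UV` redefinition are also in this hunk.
```c
static int update_file(const char *path, char *content, size_t content_len) {
    // … unchanged: CHECK_UV macro, rc / fs_req declarations, uv_fs_stat of path …
    uint64_t mode = fs_req.statbuf.st_mode & 0777;   // permission bits only

    // Build the new content in a sibling temp file first: `path` must always hold
    // either the old or the complete new file, never a truncated one.
    char tmp[FILENAME_MAX];
    char backup[FILENAME_MAX];
    if (snprintf(tmp, sizeof(tmp), "%s.tmp", path) >= (int) sizeof(tmp) ||
        snprintf(backup, sizeof(backup), "%s.bak", path) >= (int) sizeof(backup)) {
        rc = UV_ENAMETOOLONG;
        goto DONE;
    }

    uv_fs_req_cleanup(&fs_req);
    uv_fs_unlink(NULL, &fs_req, tmp, NULL);          // leftover from an earlier crash; ENOENT is fine

    uv_os_fd_t f;
    CHECK_UV("open temp file", f = uv_fs_open(NULL, &fs_req, tmp,
                                              UV_FS_O_WRONLY | UV_FS_O_CREAT | UV_FS_O_EXCL, (int) mode, NULL));
    uv_buf_t buf = uv_buf_init(content, content_len);
    CHECK_UV("write temp file", uv_fs_write(NULL, &fs_req, f, &buf, 1, 0, NULL));
    if ((size_t) rc != content_len) {                // a short write is a failure, not success
        ZITI_LOG(ERROR, "short write to %s: %d of %zu bytes", tmp, rc, content_len);
        uv_fs_req_cleanup(&fs_req);
        uv_fs_close(NULL, &fs_req, f, NULL);
        uv_fs_req_cleanup(&fs_req);
        uv_fs_unlink(NULL, &fs_req, tmp, NULL);
        rc = UV_EIO;
        goto DONE;
    }
    CHECK_UV("sync temp file", uv_fs_fsync(NULL, &fs_req, f, NULL));
    CHECK_UV("close temp file", uv_fs_close(NULL, &fs_req, f, NULL));

    // Only now touch the original: keep it as .bak, then rename the temp into place.
    CHECK_UV("create backup", uv_fs_rename(NULL, &fs_req, path, backup, NULL));
    CHECK_UV("install new file", uv_fs_rename(NULL, &fs_req, tmp, path, NULL));

    DONE:
    return rc;
    // … unchanged: #undef CHECK_UV …
}
```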
@@ -1215,21 +1247,35 @@ static void update_config(uv_work_t *wr) { } FREE(cfg_buf); - free(cfg.controller_url); - cfg.controller_url = req->new_url; - req->new_url = NULL; - - char backup[FILENAME_MAX]; + // attempt to update CA bundle external to config file + if (req->new_ca && strncmp(cfg.id.ca, "file://", strlen("file://")) == 0) { + struct tlsuv_url_s path_uri; + char path[FILENAME_MAX]; + CHECK_UV("parse CA bundle path", tlsuv_parse_url(&path_uri, cfg.id.ca)); + strncpy(path, path_uri.path, path_uri.path_len); + CHECK_UV("update CA bundle file", update_file(path, req->new_ca, strlen(req->new_ca))); + FREE(req->new_ca); + } - snprintf(backup, sizeof(backup), "%s.bak", config_file); - CHECK_UV("create backup", uv_fs_rename(wr->loop, &fs_req, config_file, backup, NULL)); + bool write_new_cfg = false; + if (req->new_url) { + free(cfg.controller_url); + cfg.controller_url = req->new_url; + req->new_url = NULL; + write_new_cfg = true; + } - CHECK_UV("open new config", f = uv_fs_open(wr->loop, &fs_req, config_file, UV_FS_O_WRONLY | UV_FS_O_CREAT, (int)cfg_mode, NULL)); - cfg_buf = ziti_config_to_json(&cfg, 0, &cfg_len); - buf = uv_buf_init(cfg_buf, cfg_len); - CHECK_UV("write new config", uv_fs_write(wr->loop, &fs_req, f, &buf, 1, 0, NULL)); - CHECK_UV("close new config", uv_fs_close(wr->loop, &fs_req, f, NULL)); + if (req->new_ca) { + free(cfg.id.ca); + cfg.id.ca = req->new_ca; + req->new_ca = NULL; + write_new_cfg = true; + } + if (write_new_cfg) { + cfg_buf = ziti_config_to_json(&cfg, 0, &cfg_len); + CHECK_UV("update config", update_file(config_file, cfg_buf, cfg_len)); + } DONE: free_ziti_config(&cfg); FREE(cfg_buf); From c0c0559e9b3bca1419c05523f7bc277fd557933a Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 21 Aug 2023 17:28:45 -0400 Subject: [PATCH 017/251] use contemporary git from new builder image --- .github/workflows/cmake.yml | 19 +++---------------- 1 file changed, 3 insertions(+), 16 deletions(-) 
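Review bot: `strncpy(path, path_uri.path, path_uri.path_len)` neither NUL-terminates `path` (an uninitialised `char[FILENAME_MAX]`) nor bounds the copy to the array, so `update_file(path, …)` then reads an unterminated string; replace it with a bounded, terminated copy: `if (path_uri.path_len >= sizeof(path)) { ZITI_LOG(ERROR, "CA bundle path too long"); goto DONE; }` followed by `snprintf(path, sizeof(path), "%.*s", (int) path_uri.path_len, path_uri.path);`. The `strncmp` on `cfg.id.ca` presumably relies on the loaded config always carrying a `ca` entry; if that field can be absent, guard it with `cfg.id.ca &&`. A failed CA file update jumps to `DONE` and silently skips the `new_url` update that follows; whether `req->new_url` and `req->new_ca` are released on that path depends on `update_config_done`, which is outside the hunk. `update_config` begins outside this hunk.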
diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml index ce059ed0..e4441ba7 100644 --- a/.github/workflows/cmake.yml +++ b/.github/workflows/cmake.yml @@ -39,34 +39,21 @@ jobs: preset: windows-arm64 - os: ubuntu-20.04 - container: openziti/ziti-builder:1.0.3 + container: openziti/ziti-builder:1.0.7 name: Linux x86_64 preset: linux-x64 - os: ubuntu-20.04 - container: openziti/ziti-builder:1.0.3 + container: openziti/ziti-builder:1.0.7 name: Linux arm preset: linux-arm - os: ubuntu-20.04 - container: openziti/ziti-builder:1.0.3 + container: openziti/ziti-builder:1.0.7 name: Linux arm64 preset: linux-arm64 steps: - # only focal-20.04 has >= 2.18, which is required by actions/checkout to clone - # which enables cmake version discovery. remove this step when openziti:ziti-builder - # is upgraded to a version that contains git 2.18+ - - name: install contemporary Git if using ziti-builder - if: ${{ startsWith(matrix.container, 'openziti/ziti-builder') }} - run: | - apt -y update - apt-get -y install software-properties-common - add-apt-repository -y ppa:git-core/ppa - apt -y update - apt -y install git - git --version - - name: checkout workspace uses: actions/checkout@v3 with: From df1701f6933b7b5b0ec7f3b11d02ff36842f45bc Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Sun, 17 Sep 2023 18:24:02 +0000 Subject: [PATCH 018/251] use logical or when testing dial_protocol_str (#732) --- lib/ziti-tunnel-cbs/ziti_hosting.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/ziti-tunnel-cbs/ziti_hosting.c b/lib/ziti-tunnel-cbs/ziti_hosting.c index 798d3bfa..29ee9a10 100644 --- a/lib/ziti-tunnel-cbs/ziti_hosting.c +++ b/lib/ziti-tunnel-cbs/ziti_hosting.c 
@@ -259,7 +259,7 @@ static bool addrinfo_from_host_ctx(struct addrinfo_params_s *dial_params, const if (host_ctx->forward_protocol) { dial_protocol_str = app_data->dst_protocol; - if (dial_protocol_str == NULL | dial_protocol_str[0] == '\0') { + if (dial_protocol_str == NULL || dial_protocol_str[0] == '\0') { snprintf(dial_params->err, sizeof(dial_params->err), "hosted_service[%s] config specifies 'forwardProtocol', but client didn't send %s", host_ctx->service_name, DST_PROTO_KEY); From ef4ccf0ec1a0862955a8ec29b0c97a1baa893139 Mon Sep 17 00:00:00 2001 From: Eugene K Date: Mon, 18 Sep 2023 14:55:52 -0400 Subject: [PATCH 019/251] avoid crash if -l or --loglevel option is not specified. output error for user --- programs/ziti-edge-tunnel/ziti-edge-tunnel.c | 27 ++++++++++++-------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c index cfda1cd4..3099c332 100644 --- a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c +++ b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c @@ -382,7 +382,9 @@ static bool process_tunnel_commands(const tunnel_command *tnl_cmd, command_cb cb cmd_accepted = true; tunnel_set_log_level tunnel_set_log_level_cmd = {0}; - if (tnl_cmd->data == NULL || parse_tunnel_set_log_level(&tunnel_set_log_level_cmd, tnl_cmd->data, strlen(tnl_cmd->data)) < 0) { + if (tnl_cmd->data == NULL || + parse_tunnel_set_log_level(&tunnel_set_log_level_cmd, tnl_cmd->data, strlen(tnl_cmd->data)) < 0 || + tunnel_set_log_level_cmd.loglevel == NULL) { result.error = "invalid command"; result.success = false; break; 
@@ -391,8 +393,9 @@ static bool process_tunnel_commands(const tunnel_command *tnl_cmd, command_cb cb if (strcasecmp(ziti_log_level_label(), tunnel_set_log_level_cmd.loglevel) != 0) { ziti_log_set_level_by_label(tunnel_set_log_level_cmd.loglevel); ziti_tunnel_set_log_level(get_log_level(tunnel_set_log_level_cmd.loglevel)); - set_log_level(ziti_log_level_label()); - ZITI_LOG(INFO, "Log level is set to %s", tunnel_set_log_level_cmd.loglevel); + const char *level = ziti_log_level_label(); + set_log_level(level); + ZITI_LOG(INFO, "Log level is set to %s", level); } else { ZITI_LOG(INFO, "Log level is already set to %s", tunnel_set_log_level_cmd.loglevel); } @@ -2665,15 +2668,12 @@ static int set_log_level_opts(int argc, char *argv[]) { int c, option_index, errors = 0; optind = 0; - tunnel_set_log_level *log_level_options = calloc(1, sizeof(tunnel_set_log_level)); - cmd = calloc(1, sizeof(tunnel_command)); - cmd->command = TunnelCommand_SetLogLevel; - + tunnel_set_log_level log_level_options = {0}; while ((c = getopt_long(argc, argv, "l:", opts, &option_index)) != -1) { switch (c) { case 'l': - log_level_options->loglevel = optarg; + log_level_options.loglevel = optarg; break; default: { fprintf(stderr, "Unknown option '%c'\n", c); @@ -2683,11 +2683,18 @@ static int set_log_level_opts(int argc, char *argv[]) { } } + if (log_level_options.loglevel == NULL) { + fprintf(stderr, "level option(-l|--loglevel) is not specified\n"); + errors++; + } + CHECK_COMMAND_ERRORS(errors); + cmd = calloc(1, sizeof(tunnel_command)); + cmd->command = TunnelCommand_SetLogLevel; + size_t json_len; - cmd->data = tunnel_set_log_level_to_json(log_level_options, MODEL_JSON_COMPACT, &json_len); - free(log_level_options); + cmd->data = tunnel_set_log_level_to_json(&log_level_options, MODEL_JSON_COMPACT, &json_len); return optind; } From 4d60176e0438abc6823177718263639cb2ba992b Mon Sep 17 00:00:00 2001 
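Review bot: The new presence check in `set_log_level_opts` accepts an empty value (`-l ''`) because only NULL is rejected; mirror the test this series uses for `dial_protocol_str`: `if (log_level_options.loglevel == NULL || log_level_options.loglevel[0] == '\0') {`. The same applies to the IPC path in the first hunk, where `tunnel_set_log_level_cmd.loglevel` is checked only for NULL before `ziti_log_set_level_by_label` is called with it. `cmd = calloc(1, sizeof(tunnel_command));` is still dereferenced without a NULL check, consistent with the surrounding code but worth a guard now that the allocation sits after the error check. Both functions begin outside these hunks.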
From: Kenneth Bingham Date: Mon, 18 Sep 2023 15:49:53 -0400 Subject: [PATCH 020/251] clarify log level usage hint --- programs/ziti-edge-tunnel/ziti-edge-tunnel.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c index 3099c332..e0335ab1 100644 --- a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c +++ b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c @@ -2684,7 +2684,7 @@ static int set_log_level_opts(int argc, char *argv[]) { } if (log_level_options.loglevel == NULL) { - fprintf(stderr, "level option(-l|--loglevel) is not specified\n"); + fprintf(stderr, "symbolic level option(-l|--loglevel) is not specified, e.g., INFO, DEBUG\n"); errors++; } From 7ce4f0aa1ef3eeb6e6486445a55d48b32b3310b0 Mon Sep 17 00:00:00 2001 From: ekoby <7406535+ekoby@users.noreply.github.com> Date: Fri, 22 Sep 2023 06:08:14 -0400 Subject: [PATCH 021/251] update ziti-sdk@0.34.3 (#737) --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 31db4235..1a85f15e 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20) set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout") -set(ZITI_SDK_VERSION "0.34.1" CACHE STRING "ziti-sdk-c version or branch to use") +set(ZITI_SDK_VERSION "0.34.3" CACHE STRING "ziti-sdk-c version or branch to use") # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF) From c4858461e612d39bba42096bc073c5e60246c4e4 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Tue, 3 Oct 2023 16:05:30 +0000 Subject: [PATCH 022/251] get ziti-sdk-c-0.35.0 (#740) get ziti-sdk-c-0.35.0 --- CMakeLists.txt | 2 +- lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/CMakeLists.txt b/CMakeLists.txt index 1a85f15e..f6021ce1 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20) set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout") -set(ZITI_SDK_VERSION "0.34.3" CACHE STRING "ziti-sdk-c version or branch to use") +set(ZITI_SDK_VERSION "0.35.0" CACHE STRING "ziti-sdk-c version or branch to use") # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF) diff --git a/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c b/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c index 1ced8d7d..3be72f35 100644 --- a/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c +++ b/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c @@ -727,7 +727,7 @@ static void on_ziti_event(ziti_context ztx, const ziti_event_t *event) { if (event->event.ctx.ctrl_status == ZITI_OK) { ev.name = ziti_get_identity(ztx)->name; ev.version = ziti_get_controller_version(ztx)->version; - ev.controller = instance->opts.controller; + ev.controller = (char *) ziti_get_controller(ztx); ZITI_LOG(INFO, "ziti_ctx[%s] connected to controller", ziti_get_identity(ztx)->name); ev.status = "OK"; const char *ctrl = ziti_get_controller(ztx); From ddfa0fb956dbc6f8db0d24a114da9201b528e7dc Mon Sep 17 00:00:00 2001 From: Eugene K Date: Wed, 4 Oct 2023 09:49:36 -0400 Subject: [PATCH 023/251] simplify ziti_instance initialization --- .../include/ziti/ziti_tunnel_cbs.h | 5 +- lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c | 70 +++++++++++-------- 2 files changed, 42 insertions(+), 33 deletions(-) diff --git a/lib/ziti-tunnel-cbs/include/ziti/ziti_tunnel_cbs.h b/lib/ziti-tunnel-cbs/include/ziti/ziti_tunnel_cbs.h index 7a412ce6..1db0eb26 100644 --- a/lib/ziti-tunnel-cbs/include/ziti/ziti_tunnel_cbs.h +++ b/lib/ziti-tunnel-cbs/include/ziti/ziti_tunnel_cbs.h 
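Review bot: `ev.controller = (char *) ziti_get_controller(ztx);` casts away the const of a string the SDK owns, and the same call is repeated two lines down into `const char *ctrl`; hoisting that declaration above the assignment and writing `ev.controller = (char *) ctrl;` removes the duplicate call and keeps the cast in one place. If the event's `controller` field can be made `const char *` the cast goes away entirely; otherwise a comment such as `// owned by the SDK; event consumers must not free or modify it` on the assignment documents the contract the cast hides. `on_ziti_event` begins and ends outside the hunk.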
@@ -323,7 +323,7 @@ struct add_identity_request_s { struct ziti_instance_s { char *identifier; - ziti_options opts; + char *config_path; command_cb load_cb; void *load_ctx; @@ -335,7 +335,8 @@ struct ziti_instance_s { void ziti_set_refresh_interval(unsigned long seconds); -struct ziti_instance_s *new_ziti_instance_ex(const char *identifier); +struct ziti_instance_s *new_ziti_instance(const char *identifier); +int init_ziti_instance(struct ziti_instance_s *inst, const ziti_config *cfg, const ziti_options *opts); void set_ziti_instance(const char *identifier, struct ziti_instance_s *inst); void remove_ziti_instance(const char *identifier); diff --git a/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c b/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c index 3be72f35..d299367b 100644 --- a/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c +++ b/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c @@ -44,12 +44,11 @@ static void on_ziti_event(ziti_context ztx, const ziti_event_t *event); static const char * cfg_types[] = { "ziti-tunneler-client.v1", "intercept.v1", "ziti-tunneler-server.v1", "host.v1", NULL }; -static unsigned long refresh_interval = 10; +static long refresh_interval = 10; static int process_cmd(const tunnel_command *cmd, void (*cb)(const tunnel_result *, void *ctx), void *ctx); static int load_identity(const char *identifier, const char *path, int api_page_size, command_cb cb, void *ctx); static void get_transfer_rates(const char *identifier, command_cb cb, void *ctx); -static struct ziti_instance_s *new_ziti_instance(const char *identifier, const char *path); static void load_ziti_async(uv_loop_t *loop, void *arg); static void on_sigdump(uv_signal_t *sig, int signum); static void enable_mfa(ziti_context ztx, void *ctx); 
@@ -612,17 +611,33 @@ static int process_cmd(const tunnel_command *cmd, command_cb cb, void *ctx) { } static int load_identity(const char *identifier, const char *path, int api_page_size, command_cb cb, void *ctx) { + ziti_config cfg = {0}; + int rc = ziti_load_config(&cfg, path); + if (rc != ZITI_OK) { + goto on_error; + } - struct ziti_instance_s *inst = new_ziti_instance(identifier, path); + struct ziti_instance_s *inst = new_ziti_instance(identifier ? identifier : path); + ziti_options opts = { + .config_types = cfg_types, + .events = -1, + .event_cb = on_ziti_event, + .api_page_size = api_page_size > 0 ? api_page_size : 0, + .refresh_interval = refresh_interval, + .app_ctx = inst, + }; + rc = init_ziti_instance(inst, &cfg, &opts); + if (rc != ZITI_OK) { + goto on_error; + } inst->load_cb = cb; inst->load_ctx = ctx; - inst->opts.config = strdup(path); - if (api_page_size > 0) { - inst->opts.api_page_size = api_page_size; - } load_ziti_async(CMD_CTX.loop, inst); - return 0; + + on_error: + free_ziti_config(&cfg); + return rc; } static void get_transfer_rates(const char *identifier, command_cb cb, void *ctx) { 
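Review bot: When `init_ziti_instance` fails, `goto on_error` frees only `cfg`, so the `inst` returned by `new_ziti_instance` (and the `identifier` it `strdup`s) leaks; the error path should release it before returning. In the hunks shown nothing assigns the new `config_path` member that replaced `opts.config`, while `on_ziti_event` (hunk at @@ -832) and `update_config` (hunk at @@ -1223) now read it, so controller-address and CA-bundle updates would be skipped unless it is set somewhere outside this view; the code being removed set `opts.config = strdup(path)` right here. Suggested error path and assignment below; `load_identity` is fully contained in this hunk.
```c
static int load_identity(const char *identifier, const char *path, int api_page_size, command_cb cb, void *ctx) {
    /* … unchanged: ziti_load_config, new_ziti_instance, opts initialiser … */
    rc = init_ziti_instance(inst, &cfg, &opts);
    if (rc != ZITI_OK) {
        // inst is not yet registered anywhere; release it with its identifier
        free(inst->identifier);
        free(inst);
        goto on_error;
    }
    inst->config_path = strdup(path);   // read by on_ziti_event()/update_config() for config rewrites
    inst->load_cb = cb;
    inst->load_ctx = ctx;
    /* … unchanged: load_ziti_async, on_error … */
}
```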
@@ -655,25 +670,22 @@ static void get_transfer_rates(const char *identifier, command_cb cb, void *ctx) free(result.data); } -static struct ziti_instance_s *new_ziti_instance(const char *identifier, const char *path) { +struct ziti_instance_s *new_ziti_instance(const char *identifier) { struct ziti_instance_s *inst = calloc(1, sizeof(struct ziti_instance_s)); + inst->identifier = strdup(identifier); + return inst; +} - inst->identifier = strdup(identifier ? identifier : path); - if (path) { - inst->opts.config = realpath(path, NULL); +int init_ziti_instance(struct ziti_instance_s *inst, const ziti_config *cfg, const ziti_options *opts) { + int rc = ziti_context_init(&inst->ztx, cfg); + if (rc != ZITI_OK) { + return rc; } - inst->opts.config_types = cfg_types; - inst->opts.events = -1; - inst->opts.event_cb = on_ziti_event; - inst->opts.refresh_interval = refresh_interval; /* default refresh */ - inst->opts.app_ctx = inst; - return inst; + rc = ziti_context_set_options(inst->ztx, opts); + return rc; } -struct ziti_instance_s *new_ziti_instance_ex(const char *identifier) { - return new_ziti_instance(identifier, NULL); -} void set_ziti_instance(const char *identifier, struct ziti_instance_s *inst) { model_map_set(&instances, identifier, inst); @@ -832,7 +844,7 @@ static void on_ziti_event(ziti_context ztx, const ziti_event_t *event) { case ZitiAPIEvent: { if (event->event.api.new_ctrl_address || event->event.api.new_ca_bundle) { - if (instance->opts.config) { + if (instance->config_path) { api_update_req *req = calloc(1, sizeof(api_update_req)); req->wr.data = req; req->ztx = ztx; 
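Review bot: `new_ziti_instance` is now part of the public header but dereferences `identifier` unconditionally via `strdup` and does not check the `calloc` result; guards such as `if (identifier == NULL) return NULL;` and `if (inst == NULL) return NULL;` would make the exported contract safe for callers other than `load_identity`, which currently supplies the fallback itself. `init_ziti_instance` returns the error from `ziti_context_set_options` with `inst->ztx` already created by `ziti_context_init`, and nothing here tears it down; whether that is the caller's job should be stated in the header, e.g. `/* creates inst->ztx from cfg and applies opts; returns a ZITI_* code, and on failure inst->ztx may already exist */` — confirm against the SDK before committing to that wording. The unchecked `calloc` predates this change.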
@@ -868,17 +880,15 @@ static void load_ziti_async(uv_loop_t *loop, void *arg) { .code = IPC_SUCCESS, }; - char *config_path = realpath(inst->opts.config, NULL); - ZITI_LOG(INFO, "attempting to load ziti instance from file[%s]", inst->opts.config); + ZITI_LOG(INFO, "attempting to load ziti instance[%s]", inst->identifier); if (model_map_get(&instances, inst->identifier) != NULL) { - ZITI_LOG(WARN, "ziti context already loaded for %s", inst->opts.config); + ZITI_LOG(WARN, "ziti context already loaded for %s", inst->identifier); result.success = false; result.error = "context already loaded"; result.code = IPC_ERROR; } else { - ZITI_LOG(INFO, "loading ziti instance from %s", config_path); - inst->opts.app_ctx = inst; - if (ziti_init_opts(&inst->opts, loop) == ZITI_OK) { + ZITI_LOG(INFO, "loading ziti instance[%s]", inst->identifier); + if (ziti_context_run(inst->ztx, loop) == ZITI_OK) { model_map_set(&instances, inst->identifier, inst); } else { result.success = false; @@ -894,8 +904,6 @@ static void load_ziti_async(uv_loop_t *loop, void *arg) { if (!result.success) { free(inst); } - - free(config_path); } /* @@ -1223,7 +1231,7 @@ goto DONE; \ static void update_config(uv_work_t *wr) { api_update_req *req = wr->data; struct ziti_instance_s *inst = ziti_app_ctx(req->ztx); - const char *config_file = inst->opts.config; + const char *config_file = inst->config_path; size_t cfg_len; char *cfg_buf = NULL; uv_file f; From facfd88a88d041799828febcaec09430a2c0a700 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Sat, 7 Oct 2023 12:34:28 -0400 Subject: [PATCH 024/251] tweak local build script --- scripts/ziti-builder.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/scripts/ziti-builder.sh b/scripts/ziti-builder.sh index 7db41841..fbd1b86f 100755 --- a/scripts/ziti-builder.sh +++ b/scripts/ziti-builder.sh 
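Review bot: `free(inst)` on the failure path of `load_ziti_async` leaks `inst->identifier` (allocated by `strdup` in `new_ziti_instance`) and, now that `load_identity` calls `ziti_context_init` before this duplicate check, also abandons the initialised `inst->ztx` when a context is already loaded for the identifier; previously a duplicate load failed before any ziti context existed. At minimum change it to `free(inst->identifier); free(inst);`, and release `inst->ztx` through whatever the SDK provides for a context that was initialised but never run (not visible here); if `config_path` is ever assigned it needs freeing on this path too. `load_ziti_async` begins outside the hunk.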
@@ -64,12 +64,14 @@ function set_workspace(){ fi else echo -e "INFO: project not mounted on ${WORKDIR}, re-running in container"\ - "\nINFO: 'docker run --user ${UID} --volume ${REPODIR}:${WORKDIR} openziti/ziti-builder ${WORKDIR}/${SCRIPTSDIR}/${BASENAME} ${*}'" + "\nINFO: re-running in ziti-builder container" + set -x exec docker run \ --rm \ --user "${UID}" \ --volume "${REPODIR}:${WORKDIR}" \ --platform "linux/amd64" \ + --env "VCPKG_DEFAULT_BINARY_CACHE=${WORKDIR}/.cache" \ openziti/ziti-builder \ "${WORKDIR}/${SCRIPTSDIR}/${BASENAME}" "${@}" fi @@ -115,6 +117,7 @@ function main() { exec "${@}" else [[ -d ./build ]] && rm -rf ./build + [[ -d ./.cache ]] || mkdir -v ./.cache cmake \ -E make_directory \ ./build @@ -132,6 +135,7 @@ function main() { --target "${CMAKE_TARGET:-bundle}" \ --verbose fi + ls -lAh ./build/programs/ziti-edge-tunnel/Release/ziti-edge-tunnel } # set global WORKDIR From a2f9d1a37ee347a03aa82b2557e005eb876fe67b Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Sat, 7 Oct 2023 12:34:44 -0400 Subject: [PATCH 025/251] add workflow to promote downstreams --- .github/cpack-matrix.yml | 67 +++++++++++ .github/workflows/cmake.yml | 6 +- .github/workflows/cpack.yml | 139 +++++++++------------- .github/workflows/draft-release.yml | 5 +- .github/workflows/promote-downstreams.yml | 121 +++++++++++++++++++ .github/workflows/publish-containers.yml | 30 ++--- .github/workflows/release.yml | 7 +- docker/Dockerfile.ziti-host | 6 +- 8 files changed, 275 insertions(+), 106 deletions(-) create mode 100644 .github/cpack-matrix.yml create mode 100644 .github/workflows/promote-downstreams.yml diff --git a/.github/cpack-matrix.yml b/.github/cpack-matrix.yml new file mode 100644 index 00000000..8f0f7f2e --- /dev/null +++ b/.github/cpack-matrix.yml 
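Review bot: The final `ls -lAh ./build/programs/ziti-edge-tunnel/Release/ziti-edge-tunnel` hard-codes `Release` while the build a few lines up uses `--config "${CMAKE_CONFIG:-Release}"`; under `set -euo pipefail` a Debug build, or a `CMAKE_TARGET` that does not produce that binary, makes the script exit non-zero after a successful build. Use the same variable, `ls -lAh "./build/programs/ziti-edge-tunnel/${CMAKE_CONFIG:-Release}/ziti-edge-tunnel"`, or drop the listing. `mkdir -v ./.cache` is relative to the current directory while the container is told to use `${WORKDIR}/.cache`; these line up only if `main` runs from the repository root, which is not visible in this hunk. `set_workspace` and `main` begin outside these hunks.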
@@ -0,0 +1,67 @@ +cpack_matrix: + arch: + - cmake: ci-linux-x64 # selects cmake preset + rpm: x86_64 # yum $basearch + deb: amd64 # dpkg --print-architecture + - cmake: ci-linux-arm + rpm: armhfp + deb: armhf + - cmake: ci-linux-arm64 + rpm: aarch64 + deb: arm64 + distro: + - name: ubuntu + version: "22.04" + release_name: jammy + type: deb + - name: ubuntu + version: "20.04" + release_name: focal + type: deb + - name: ubuntu + version: "18.04" + release_name: bionic + type: deb + - name: ubuntu + version: "16.04" + release_name: xenial + type: deb + - name: redhat + version: "7" + release_name: ${{ null }} + type: rpm + container: docker.io/library/centos:7 + - name: redhat + version: "8" + release_name: ${{ null }} + type: rpm + container: docker.io/library/rockylinux:8 + - name: redhat + version: "9" + release_name: ${{ null }} + type: rpm + container: docker.io/library/rockylinux:9 + exclude: + - distro: + name: ubuntu + release_name: xenial + arch: + cmake: ci-linux-arm + - distro: + name: ubuntu + release_name: xenial + arch: + cmake: ci-linux-arm64 + - distro: + name: ubuntu + release_name: bionic + arch: + cmake: ci-linux-arm + - distro: + name: redhat + arch: + cmake: ci-linux-arm + - distro: + name: redhat + arch: + cmake: ci-linux-arm64 diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml index e4441ba7..c6fa5202 100644 --- a/.github/workflows/cmake.yml +++ b/.github/workflows/cmake.yml @@ -54,6 +54,9 @@ jobs: preset: linux-arm64 steps: + - name: Debug action + uses: hmarr/debug-action@v2.1.0 + - name: checkout workspace uses: actions/checkout@v3 with: @@ -77,6 +80,5 @@ jobs: uses: actions/upload-artifact@v3 with: name: ${{ matrix.preset }} - path: | - ./build/bundle/ziti-edge-tunnel-*.zip + path: ./build/bundle/ziti-edge-tunnel-*.zip if-no-files-found: error diff --git a/.github/workflows/cpack.yml b/.github/workflows/cpack.yml index 73f4446e..d469939e 100644 --- a/.github/workflows/cpack.yml +++ b/.github/workflows/cpack.yml 
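Review bot: `hmarr/debug-action@v2.1.0` is a third-party action referenced by a mutable tag, and it dumps the job's full context and environment into the build log; the same step is added in cpack.yml, promote-downstreams.yml, publish-containers.yml and release.yml in this commit. Pin it to a full commit SHA (`uses: hmarr/debug-action@<commit-sha>  # v2.1.0`) and gate it so it runs only when debug logging is requested, e.g. `if: ${{ runner.debug == '1' }}`, particularly in the jobs that configure registry and Artifactory credentials. The same tag-pinning note applies to `jfrog/setup-jfrog-cli@v3` and `docker/login-action@v2` in the later files.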
@@ -3,6 +3,8 @@ name: CI package on: workflow_dispatch: push: + branches: # ignore push to tags + - '**' paths: - programs/ziti-edge-tunnel/package/* - .github/actions/openziti-tunnel-build-action/* 
@@ -11,88 +13,52 @@ on: types: - published +# cancel older, redundant runs of same workflow on same branch +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }} + cancel-in-progress: true + jobs: + set_matrix: + name: Set CPack Config Matrix + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.set_matrix.outputs.matrix }} + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + fetch-depth: 0 + - name: Set Matrix + id: set_matrix + shell: bash + run: | + matrix="$( + yq --output-format json .github/cpack-matrix.yml \ + | jq --compact-output '.cpack_matrix' + )" + echo "matrix=$matrix" | tee -a $GITHUB_OUTPUT package: + needs: set_matrix + name: ${{ matrix.arch.rpm }} ${{ matrix.distro.name }} ${{ matrix.distro.version }} runs-on: ubuntu-20.04 - # optionally override entire container image:tag string + # build image name it from matrix values name:version unless override container is specified container: ${{ matrix.distro.container || format('{0}:{1}', matrix.distro.name, matrix.distro.version) }} - # only override container image name and tag is distro version - #container: ${{ matrix.distro.container || matrix.distro.name }}:${{ matrix.distro.version }} strategy: fail-fast: false - matrix: - arch: - - cmake: ci-linux-x64 # selects cmake preset - rpm: x86_64 # yum $basearch - deb: amd64 # dpkg --print-architecture - - cmake: ci-linux-arm - rpm: armhfp - deb: armhf - - cmake: ci-linux-arm64 - rpm: aarch64 - deb: arm64 - distro: - - name: ubuntu - version: "22.04" - release_name: jammy - type: deb - - name: ubuntu - version: "20.04" - release_name: focal - type: deb - - name: ubuntu - version: "18.04" - release_name: bionic - type: deb - - name: ubuntu - version: "16.04" - release_name: xenial - type: deb - - name: redhat - version: "7" - release_name: ${{ null }} - type: rpm - container: docker.io/library/centos:7 - - name: redhat - version: "8" - release_name: ${{ null }} - type: rpm - container: 
docker.io/library/rockylinux:8 - - name: redhat - version: "9" - release_name: ${{ null }} - type: rpm - container: docker.io/library/rockylinux:9 - exclude: - - distro: - name: ubuntu - release_name: xenial - arch: - cmake: ci-linux-arm - - distro: - name: ubuntu - release_name: xenial - arch: - cmake: ci-linux-arm64 - - distro: - name: ubuntu - release_name: bionic - arch: - cmake: ci-linux-arm - - distro: - name: redhat - arch: - cmake: ci-linux-arm - - distro: - name: redhat - arch: - cmake: ci-linux-arm64 - + matrix: ${{ fromJSON(needs.set_matrix.outputs.matrix) }} + env: + ZITI_DEB_TEST_REPO: ${{ vars.ZITI_DEB_TEST_REPO || 'zitipax-openziti-deb-test' }} + ZITI_RPM_TEST_REPO: ${{ vars.ZITI_RPM_TEST_REPO || 'zitipax-openziti-rpm-test' }} steps: + - name: Debug action + uses: hmarr/debug-action@v2.1.0 + # only focal-20.04 has >= 2.18, which is required by actions/checkout to clone # which enables cmake version discovery - name: install contemporary Git in runner container if Ubuntu if: ${{ matrix.distro.name == 'ubuntu' }} + shell: bash run: | apt -y update apt-get -y install software-properties-common @@ -103,6 +69,7 @@ jobs: - name: install contemporary Git in runner container if RedHat 8 or 9 if: ${{ matrix.distro.name == 'redhat' && (matrix.distro.version == '8' || matrix.distro.version == '9') }} + shell: bash run: | dnf -y update dnf -y install git @@ -110,6 +77,7 @@ jobs: - name: install contemporary Git in runner container if RedHat 7 if: ${{ matrix.distro.name == 'redhat' && matrix.distro.version == '7' }} + shell: bash run: | yum -y update yum -y install centos-release-scl 
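Review bot: The new `set_matrix` job checks out with `fetch-depth: 0`, pulling the full history to read a single YAML file; the default shallow checkout is enough and cheaper, and the same job is duplicated verbatim in promote-downstreams.yml, where a reusable workflow or composite action would avoid maintaining two copies. In the `Set Matrix` step `$GITHUB_OUTPUT` is unquoted; write `tee -a "$GITHUB_OUTPUT"` for consistency with the quoting elsewhere. The `package` job starts in this hunk but its steps continue past it.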
@@ -141,38 +109,39 @@ jobs: arch: ${{ matrix.arch.cmake }} config: Release - - name: list build artifacts - run: | - cat /etc/*-release - ls -horAS ./build/ - - - name: list program artifacts + - name: list artifacts + shell: bash run: | + set -x cat /etc/*-release - ls -horAS ./build/programs/ziti-edge-tunnel/ + ls -horAS ./build/*.${{ matrix.distro.type }} + ls -horAS ./build/programs/ziti-edge-tunnel/Release/ziti-edge-tunnel - name: install package artifact in runner container if Ubuntu x86_64 if: ${{ matrix.arch.cmake == 'ci-linux-x64' && matrix.distro.name == 'ubuntu' }} env: DEBIAN_FRONTEND: noninteractive + shell: bash run: | apt -y install ./build/ziti-edge-tunnel-*.deb - name: install package artifact in runner container if RedHat if: ${{ matrix.arch.cmake == 'ci-linux-x64' && matrix.distro.name == 'redhat' }} + shell: bash run: | set -x yum -y install ./build/ziti-edge-tunnel-*.rpm - name: run binary artifact if: ${{ matrix.arch.cmake == 'ci-linux-x64' }} + shell: bash run: | set -x cat /etc/*-release ldd ./build/programs/ziti-edge-tunnel/Release/ziti-edge-tunnel ./build/programs/ziti-edge-tunnel/Release/ziti-edge-tunnel version --verbose - - name: upload package artifact + - name: Upload Package to Workflow Summary Page uses: actions/upload-artifact@v3 with: name: ${{ matrix.distro.name }}-${{ matrix.distro.version }}-${{ matrix.arch.rpm }}-${{ matrix.distro.type }} 
@@ -180,26 +149,28 @@ jobs: if-no-files-found: error - name: Configure jFrog CLI - if: ${{ github.event_name == 'release' && !github.event.release.prerelease && startsWith(github.ref, 'refs/tags/v') }} + if: ${{ github.event_name == 'release' && startsWith(github.ref, 'refs/tags/v') }} uses: jfrog/setup-jfrog-cli@v3 env: JF_ENV_1: ${{ secrets.ZITI_ARTIFACTORY_CLI_CONFIG_PACKAGE_UPLOAD }} - name: Upload RPM to Artifactory with jFrog CLI - if: ${{ github.event_name == 'release' && !github.event.release.prerelease && startsWith(github.ref, 'refs/tags/v') && matrix.distro.name == 'redhat' }} + if: ${{ github.event_name == 'release' && startsWith(github.ref, 'refs/tags/v') && matrix.distro.name == 'redhat' }} + shell: bash run: > jf rt upload ./build/ziti-edge-tunnel-*.${{ matrix.distro.type }} - /zitipax-openziti-rpm-stable/redhat${{ matrix.distro.version }}/${{ matrix.arch.rpm }}/ + ${{ env.ZITI_RPM_TEST_REPO }}/redhat${{ matrix.distro.version }}/${{ matrix.arch.rpm }}/ --recursive=false --flat=true - name: Upload DEB to Artifactory with jFrog CLI - if: ${{ github.event_name == 'release' && !github.event.release.prerelease && startsWith(github.ref, 'refs/tags/v') && matrix.distro.name == 'ubuntu' }} + if: ${{ github.event_name == 'release' && startsWith(github.ref, 'refs/tags/v') && matrix.distro.name == 'ubuntu' }} + shell: bash run: > jf rt upload ./build/ziti-edge-tunnel-*.${{ matrix.distro.type }} - /zitipax-openziti-deb-stable/pool/ziti-edge-tunnel/${{ matrix.distro.release_name }}/${{ matrix.arch.deb }}/ + ${{ env.ZITI_DEB_TEST_REPO }}/pool/ziti-edge-tunnel/${{ matrix.distro.release_name }}/${{ matrix.arch.deb }}/ --deb=${{ matrix.distro.release_name }}/main/${{ matrix.arch.deb }} --recursive=false --flat=true diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml index 50787535..b0408f12 100644 --- a/.github/workflows/draft-release.yml +++ b/.github/workflows/draft-release.yml 
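Review bot: The `jf rt upload` steps succeed even when `./build/ziti-edge-tunnel-*.${{ matrix.distro.type }}` matches nothing, so a packaging regression would surface only at promotion time; if the CLI version in use supports it, add `--fail-no-op=true` to both uploads (and to the `jf rt copy` steps in promote-downstreams.yml). Dropping `!github.event.release.prerelease` from the conditions is consistent with uploading to the `*-test` repositories, but the step names still say only "Upload … to Artifactory"; naming the test repository in them, e.g. `Upload RPM to Artifactory test repo`, would make the summary page show where packages went.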
@@ -10,6 +10,7 @@ jobs: runs-on: ubuntu-latest steps: # Drafts your next Release notes as Pull Requests are merged into "master" - - uses: release-drafter/release-drafter@v5 + - name: Draft Release + uses: release-drafter/release-drafter@v5 env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/promote-downstreams.yml b/.github/workflows/promote-downstreams.yml new file mode 100644 index 00000000..c94320cb --- /dev/null +++ b/.github/workflows/promote-downstreams.yml 
@@ -0,0 +1,121 @@ +name: Promote Downstream Releases + +on: + workflow_dispatch: + +# cancel older, redundant runs of same workflow on same branch +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }} + cancel-in-progress: true + +jobs: + parse_version: + name: Parse Release Version + runs-on: ubuntu-latest + env: + RELEASE_REF: ${{ github.ref}} + outputs: + version: ${{ steps.parse.outputs.version }} + steps: + - name: Parse Release Version + id: parse + shell: bash + run: | + if [[ "${RELEASE_REF}" =~ ^refs\/tags\/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then + echo "RELEASE_REF=${RELEASE_REF} is a semver release ref" + echo "version=${RELEASE_REF#refs/tags/v}" | tee -a $GITHUB_OUTPUT + else + echo "RELEASE_REF=${RELEASE_REF} is not a semver release ref" >&2 + exit 1 + fi + + set_matrix: + name: Set CPack Config Matrix + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.set_matrix.outputs.matrix }} + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + fetch-depth: 0 + - name: Set Matrix + id: set_matrix + shell: bash + run: | + matrix="$( + yq --output-format json .github/cpack-matrix.yml \ + | jq --compact-output '.cpack_matrix' + )" + echo "matrix=$matrix" | tee -a $GITHUB_OUTPUT + + promote_docker: + needs: parse_version + name: Promote Docker Hub to Latest + runs-on: ubuntu-latest + env: + ZITI_EDGE_TUNNEL_IMAGE: ${{ vars.ZITI_EDGE_TUNNEL_IMAGE || 'docker.io/openziti/ziti-edge-tunnel' }} + ZITI_HOST_IMAGE: ${{ vars.ZITI_HOST_IMAGE || 'docker.io/openziti/ziti-host' }} + steps: + - name: Login to Docker Hub + uses: docker/login-action@v2 + with: + username: ${{ vars.DOCKER_HUB_API_USER || secrets.DOCKER_HUB_API_USER }} + password: ${{ secrets.DOCKER_HUB_API_TOKEN }} + + - name: Tag Latest zti-edge-tunnel + shell: bash + run: > + docker buildx imagetools create --tag + ${{ env.ZITI_EDGE_TUNNEL_IMAGE }}:latest + ${{ env.ZITI_EDGE_TUNNEL_IMAGE }}:${{ needs.parse_version.outputs.version }} + + - name: Tag Latest zti-host + 
shell: bash + run: > + docker buildx imagetools create --tag + ${{ env.ZITI_HOST_IMAGE }}:latest + ${{ env.ZITI_HOST_IMAGE }}:${{ needs.parse_version.outputs.version }} + + promote_artifactory: + needs: + - set_matrix + - parse_version + name: ${{ matrix.arch.rpm }} ${{ matrix.distro.name }} ${{ matrix.distro.version }} + runs-on: ubuntu-latest + env: + ZITI_DEB_TEST_REPO: ${{ vars.ZITI_DEB_TEST_REPO || 'zitipax-openziti-deb-test' }} + ZITI_RPM_TEST_REPO: ${{ vars.ZITI_RPM_TEST_REPO || 'zitipax-openziti-rpm-test' }} + ZITI_DEB_PROD_REPO: ${{ vars.ZITI_DEB_PROD_REPO || 'zitipax-openziti-deb-stable' }} + ZITI_RPM_PROD_REPO: ${{ vars.ZITI_RPM_PROD_REPO || 'zitipax-openziti-rpm-stable' }} + strategy: + fail-fast: true + matrix: ${{ fromJSON(needs.set_matrix.outputs.matrix) }} + steps: + - name: Debug action + uses: hmarr/debug-action@v2.1.0 + + - name: Configure jFrog CLI + uses: jfrog/setup-jfrog-cli@v3 + env: + JF_ENV_1: ${{ secrets.ZITI_ARTIFACTORY_CLI_CONFIG_PACKAGE_UPLOAD }} + + - name: Copy RPM from testing to release Artifactory repo with jFrog CLI + if: matrix.distro.type == 'rpm' + shell: bash + run: > + jf rt copy + --recursive=false + --flat=true + ${{ env.ZITI_RPM_TEST_REPO }}/redhat${{ matrix.distro.version }}/${{ matrix.arch.rpm }}/ziti-edge-tunnel-${{ needs.parse_version.outputs.version }}-*.${{ matrix.arch.rpm }}.rpm + ${{ env.ZITI_RPM_PROD_REPO }}/redhat${{ matrix.distro.version }}/${{ matrix.arch.rpm }}/ + + - name: Copy DEB from testing to release Artifactory repo with jFrog CLI + if: matrix.distro.type == 'deb' + shell: bash + run: > + jf rt copy + --recursive=false + --flat=true + ${{ env.ZITI_DEB_TEST_REPO }}/pool/ziti-edge-tunnel/${{ matrix.distro.release_name }}/${{ matrix.arch.deb }}/ziti-edge-tunnel-${{ needs.parse_version.outputs.version }}-*.deb + ${{ env.ZITI_DEB_PROD_REPO }}/pool/ziti-edge-tunnel/${{ matrix.distro.release_name }}/${{ matrix.arch.deb }}/ 
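Review bot: `promote_artifactory` uses `fail-fast: true` with one copy per matrix leg, so a single failing leg cancels the others after some packages have already been copied into the `*-stable` repositories, leaving a partially promoted release with no rollback; either make the legs independent (`fail-fast: false`) so the outcome is visible per package, or copy into a staging path and move once every leg has succeeded. The `jf rt copy` globs succeed when nothing matches, so a leg can "promote" zero files; `--fail-no-op=true`, where the CLI supports it, would catch that. The step names `Tag Latest zti-edge-tunnel` and `Tag Latest zti-host` are missing the `i` in `ziti`, and `RELEASE_REF: ${{ github.ref}}` lacks the closing space, which is harmless but inconsistent.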
diff --git a/.github/workflows/publish-containers.yml b/.github/workflows/publish-containers.yml index 5f994e79..e2a9e916 100644 --- a/.github/workflows/publish-containers.yml +++ b/.github/workflows/publish-containers.yml @@ -14,12 +14,19 @@ on: type: string required: true +# no need for concurrency group in callable workflows + jobs: publish-containers: runs-on: ubuntu-latest env: ZITI_VERSION: ${{ inputs.ziti-version || github.event.inputs.ziti-version }} + ZITI_EDGE_TUNNEL_IMAGE: ${{ vars.ZITI_EDGE_TUNNEL_IMAGE || 'docker.io/openziti/ziti-edge-tunnel' }} + ZITI_HOST_IMAGE: ${{ vars.ZITI_HOST_IMAGE || 'docker.io/openziti/ziti-host' }} steps: + - name: Debug action + uses: hmarr/debug-action@v2.1.0 + - name: Checkout Workspace uses: actions/checkout@v3 @@ -35,18 +42,14 @@ jobs: - name: Login to Docker Hub uses: docker/login-action@v2 with: - username: ${{ secrets.DOCKER_HUB_API_USER }} + username: ${{ vars.DOCKER_HUB_API_USER || secrets.DOCKER_HUB_API_USER }} password: ${{ secrets.DOCKER_HUB_API_TOKEN }} - name: Set up Docker image tags for "run" container env: - RELEASE_REPO: openziti/ziti-edge-tunnel + IMAGE_REPO: ${{ env.ZITI_EDGE_TUNNEL_IMAGE }} id: tagprep_run - run: | - DOCKER_TAGS="" - DOCKER_TAGS="${RELEASE_REPO}:${ZITI_VERSION},${RELEASE_REPO}:latest" - echo "DEBUG: DOCKER_TAGS=${DOCKER_TAGS}" - echo DOCKER_TAGS="${DOCKER_TAGS}" >> $GITHUB_OUTPUT + run: echo DOCKER_TAGS="${IMAGE_REPO}:${ZITI_VERSION}" | tee -a $GITHUB_OUTPUT - name: Build & Push Multi-Platform Container Image to Hub uses: docker/build-push-action@v3 
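Review bot: `ZITI_VERSION` comes straight from the workflow input and is interpolated into the image tag and written to `$GITHUB_OUTPUT` without validation, whereas promote-downstreams.yml in this same commit refuses refs that are not `vX.Y.Z`; add the same check here before the tag steps, e.g. a step running `[[ "${ZITI_VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "invalid ziti-version" >&2; exit 1; }`. Removing the `:latest` tag from the push is consistent with the new promotion workflow, but a comment next to the `DOCKER_TAGS` line stating that `latest` is now applied by `promote-downstreams.yml` would save the next reader a search.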
@@ -63,13 +66,10 @@ jobs: - name: Set up Docker image tags for "run-host" container env: - RELEASE_REPO: openziti/ziti-host + IMAGE_REPO: ${{ env.ZITI_HOST_IMAGE }} id: tagprep_run_host - run: | - DOCKER_TAGS="" - DOCKER_TAGS="${RELEASE_REPO}:${ZITI_VERSION},${RELEASE_REPO}:latest" - echo "DEBUG: DOCKER_TAGS=${DOCKER_TAGS}" - echo DOCKER_TAGS="${DOCKER_TAGS}" >> $GITHUB_OUTPUT + run: echo DOCKER_TAGS="${IMAGE_REPO}:${ZITI_VERSION}" | tee -a $GITHUB_OUTPUT + - name: Build & Push Multi-Platform Container Image to Hub uses: docker/build-push-action@v3 @@ -80,6 +80,6 @@ jobs: platforms: linux/amd64,linux/arm64 tags: ${{ steps.tagprep_run_host.outputs.DOCKER_TAGS }} build-args: | - ZITI_VERSION=${{ env.ZITI_VERSION }} - GITHUB_REPO=${{ github.repository }} + ZITI_EDGE_TUNNEL_TAG=${{ env.ZITI_VERSION }} + ZITI_EDGE_TUNNEL_IMAGE=${{ env.ZITI_EDGE_TUNNEL_IMAGE }} push: true diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 85647262..63b7dd18 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -14,6 +14,9 @@ jobs: outputs: ZITI_VERSION: ${{ steps.get_version.outputs.ZITI_VERSION }} steps: + - name: Debug action + uses: hmarr/debug-action@v2.1.0 + - name: download uses: actions/download-artifact@v3 with: @@ -22,6 +25,8 @@ jobs: - name: List Release Artifacts run: ls -horRAS ${{runner.workspace}}/downloads/ + # the purpose of this step is to identify the release that was created for the current tag and upload the + # artifacts that do not need to be renamed - name: Release id: get_release uses: softprops/action-gh-release@v1 @@ -29,8 +34,6 @@ jobs: # name: defaults to tag name # tag_name: defaults to github.ref # token: defaults to github.token - draft: false - prerelease: false fail_on_unmatched_files: true files: | ${{ runner.workspace }}/downloads/linux-x64/ziti-edge-tunnel-Linux_x86_64.zip diff --git a/docker/Dockerfile.ziti-host b/docker/Dockerfile.ziti-host index 22641e31..826a5d6a 100644 
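Review bot: The replacement `run:` line of the tagprep_run_host step leaves `$GITHUB_OUTPUT` unquoted and is followed by an added blank line, so the step now ends with two blank lines while the otherwise identical tagprep_run step in the preceding hunk ends with one. Suggest `run: echo DOCKER_TAGS="${IMAGE_REPO}:${ZITI_VERSION}" | tee -a "$GITHUB_OUTPUT"` in both steps and dropping the extra blank line, so the two steps stay textually parallel and the output file path survives an unusual runner path.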
--- a/docker/Dockerfile.ziti-host +++ b/docker/Dockerfile.ziti-host @@ -1,5 +1,9 @@ # this builds docker.io/openziti/ziti-host -FROM docker.io/openziti/ziti-edge-tunnel +ARG ZITI_EDGE_TUNNEL_TAG="latest" +ARG ZITI_EDGE_TUNNEL_IMAGE="docker.io/openziti/ziti-edge-tunnel" +# this builds docker.io/openziti/ziti-host +FROM ${ZITI_EDGE_TUNNEL_IMAGE}:${ZITI_EDGE_TUNNEL_TAG} + ### Required OpenShift Labels From e8553cf4baab3eea5f2833bed4136dd083fb9175 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Wed, 11 Oct 2023 09:38:32 -0400 Subject: [PATCH 026/251] add releaser procedure --- RELEASING.md | 52 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 RELEASING.md diff --git a/RELEASING.md b/RELEASING.md new file mode 100644 index 00000000..f3d614fb --- /dev/null +++ b/RELEASING.md 
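Review bot: The comment `# this builds docker.io/openziti/ziti-host` now appears twice, once as the kept first line and again as an added line directly above the new `FROM`; keep one of them. Separately, `ARG ZITI_EDGE_TUNNEL_TAG="latest"` defaults the base image to a mutable tag, so a build that omits the build-arg picks up whichever ziti-edge-tunnel image was pushed most recently; the publish-containers hunk in this series passes `ZITI_VERSION` explicitly, so release builds are pinned, but a comment on the ARG such as `# default is for ad-hoc local builds only; release builds pass the exact tag` would make that expectation visible to the next person editing the Dockerfile.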
@@ -0,0 +1,52 @@ + +# Release Process for ziti-edge-tunnel + +## Releaser Steps + +1. [Create a release in GitHub](https://github.com/openziti/ziti-tunnel-sdk-c/releases). +1. Run ["Promote Downstream Releases"](https://github.com/openziti/ziti-tunnel-sdk-c/actions/workflows/promote-downstreams.yml) + on the release tag you created in the first step. + +The rest of this document describes these two steps in greater detail. + +## Release Artifacts + +A release produces these artifacts. + +* binary executables attached to [the GitHub Release](https://github.com/openziti/ziti-tunnel-sdk-c/releases/latest) +* Linux packages in Artifactory + * DEBs for Debian distros ([doc](https://openziti.io/docs/reference/tunnelers/linux/#installing-the-deb)) + * RPMs for RedHat distros ([doc](https://openziti.io/docs/reference/tunnelers/linux/#installing-the-rpm)) +* Docker images in Docker Hub + * `openziti/ziti-edge-tunnel` for `run` proxy mode in a container ([doc](https://openziti.io/docs/reference/tunnelers/linux/container/#use-case-intercepting-proxy-and-nameserver)) + * `openziti/ziti-host` for `run-host` reverse-proxy mode in a container ([doc](https://openziti.io/docs/reference/tunnelers/linux/container/#use-case-hosting-openziti-services)) + +## Create a Release + +Creating a release in GitHub triggers these workflows. + +1. Build release artifacts (CMake): binary executables are uploaded to the GitHub Release. +1. CI package (CPack): Linux packages are uploaded to testing repos in Artifactory. + 1. [the testing repo for RPMs](https://netfoundry.jfrog.io/ui/repos/tree/General/zitipax-openziti-rpm-test?projectKey=zitipax) + 1. [the testing repo for DEBs](https://netfoundry.jfrog.io/ui/repos/tree/General/zitipax-openziti-deb-test?projectKey=zitipax) +1. Docker images are uploaded to Docker Hub. + 1. [ziti-edge-tunnel](https://hub.docker.com/r/openziti/ziti-edge-tunnel/tags) + 1. 
[ziti-host](https://hub.docker.com/r/openziti/ziti-host/tags) + +## Promote Downstream Releases + +Running the "Promote Downstream Releases" workflow has these effects in downstream repositories. + +1. Linux packages in Artifactory are promoted to the release repositories in Artifactory. + 1. [the release repo for RPMs](https://netfoundry.jfrog.io/ui/repos/tree/General/zitipax-openziti-rpm-stable?projectKey=zitipax) + 1. [the release repo for DEBs](https://netfoundry.jfrog.io/ui/repos/tree/General/zitipax-openziti-deb-stable?projectKey=zitipax) +1. Previously-uploaded Docker images in Docker Hub are tagged `:latest`. +1. There are no effects for the executable binaries that were previously uploaded to the GitHub Release. + +## GitHub Pre-Release vs. Latest Release + +Newly-created GitHub Releases set as the "latest" release in GitHub by default. The Releaser may override the latest +label by marking any release as "latest" in the GitHub UI or Releases API. The Releaser may mark a release as +"prerelease" instead of "latest" when creating the release in the GitHub UI or Releases API. This has no effect on +downstream builds for Artifactory or Docker Hub and only running the "Promote Downstream Releases" workflow will +cause those downstreams to advertise a new release as "latest". From 739b13d6f691566a0957f2e97482f7ec942c2e24 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Wed, 11 Oct 2023 11:03:29 -0400 Subject: [PATCH 027/251] wait for release builds before promoting --- .github/workflows/promote-downstreams.yml | 27 ++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/.github/workflows/promote-downstreams.yml b/.github/workflows/promote-downstreams.yml index c94320cb..97c1936b 100644 --- a/.github/workflows/promote-downstreams.yml +++ b/.github/workflows/promote-downstreams.yml 
@@ -8,12 +8,31 @@ concurrency: group: ${{ github.workflow }}-${{ github.head_ref || github.ref_name }} cancel-in-progress: true +env: + RELEASE_REF: ${{ github.ref}} + jobs: + wait_for_release: + name: Wait for Release Builds to Succeed + runs-on: ubuntu-latest + steps: + - name: Debug action + uses: hmarr/debug-action@v2.1.0 + + - name: Wait for all checks on this ref + uses: lewagon/wait-on-check-action@v1.3.1 + with: + ref: ${{ env.RELEASE_REF }} + repo-token: ${{ secrets.GITHUB_TOKEN }} + # seconds between polling the checks api for job statuses + wait-interval: 20 + # confusingly, this means "pause this step until all jobs from all workflows in same run have completed" + running-workflow-name: Wait for Release Builds to Succeed + parse_version: + needs: wait_for_release name: Parse Release Version runs-on: ubuntu-latest - env: - RELEASE_REF: ${{ github.ref}} outputs: version: ${{ steps.parse.outputs.version }} steps: @@ -30,6 +49,7 @@ jobs: fi set_matrix: + needs: wait_for_release name: Set CPack Config Matrix runs-on: ubuntu-latest outputs: @@ -92,9 +112,6 @@ jobs: fail-fast: true matrix: ${{ fromJSON(needs.set_matrix.outputs.matrix) }} steps: - - name: Debug action - uses: hmarr/debug-action@v2.1.0 - - name: Configure jFrog CLI uses: jfrog/setup-jfrog-cli@v3 env: From fcdefad92765d13b561a7310126031ef1e2796a5 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Thu, 12 Oct 2023 17:28:30 +0000 Subject: [PATCH 028/251] set required options in init_ziti_instance (#745) provide setter for required ziti_options on existing ziti_instances --- .../include/ziti/ziti_tunnel_cbs.h | 2 ++ lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c | 34 ++++++++++++++++--- 2 files changed, 31 insertions(+), 5 deletions(-) diff --git a/lib/ziti-tunnel-cbs/include/ziti/ziti_tunnel_cbs.h b/lib/ziti-tunnel-cbs/include/ziti/ziti_tunnel_cbs.h index 1db0eb26..2b1fd367 100644 --- a/lib/ziti-tunnel-cbs/include/ziti/ziti_tunnel_cbs.h +++ b/lib/ziti-tunnel-cbs/include/ziti/ziti_tunnel_cbs.h 
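Review bot: The new wait_for_release job sets `wait-interval: 20` but no overall bound, so if a check on the release ref never reports (a workflow that was cancelled or never triggered for that tag) the step keeps polling until the runner's default job limit, and the jobs that `needs: wait_for_release` are held for the same time. A `timeout-minutes:` on the job, sized to the longest release build, turns that into a visible failure; whether the action itself offers a timeout input is not visible here. The comment above `running-workflow-name` explains a non-obvious input well and should stay.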
@@ -337,6 +337,8 @@ void ziti_set_refresh_interval(unsigned long seconds); struct ziti_instance_s *new_ziti_instance(const char *identifier); int init_ziti_instance(struct ziti_instance_s *inst, const ziti_config *cfg, const ziti_options *opts); +/** set options for tsdk usage on a ziti_instance's ziti_context */ +int set_tnlr_options(struct ziti_instance_s *inst); void set_ziti_instance(const char *identifier, struct ziti_instance_s *inst); void remove_ziti_instance(const char *identifier); diff --git a/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c b/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c index d299367b..87262d91 100644 --- a/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c +++ b/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c @@ -619,12 +619,7 @@ static int load_identity(const char *identifier, const char *path, int api_page_ struct ziti_instance_s *inst = new_ziti_instance(identifier ? identifier : path); ziti_options opts = { - .config_types = cfg_types, - .events = -1, - .event_cb = on_ziti_event, .api_page_size = api_page_size > 0 ? api_page_size : 0, - .refresh_interval = refresh_interval, - .app_ctx = inst, }; rc = init_ziti_instance(inst, &cfg, &opts); if (rc != ZITI_OK) { 
@@ -677,15 +672,44 @@ struct ziti_instance_s *new_ziti_instance(const char *identifier) { } int init_ziti_instance(struct ziti_instance_s *inst, const ziti_config *cfg, const ziti_options *opts) { + FREE(inst->ztx); int rc = ziti_context_init(&inst->ztx, cfg); if (rc != ZITI_OK) { + ZITI_LOG(ERROR, "ziti_context_init failed: %s", ziti_errorstr(rc)); return rc; } rc = ziti_context_set_options(inst->ztx, opts); + if (rc != ZITI_OK) { + ZITI_LOG(ERROR, "ziti_context_set_options failed: %s", ziti_errorstr(rc)); + FREE(inst->ztx); + return rc; + } + + rc = set_tnlr_options(inst); + if (rc != ZITI_OK) { + FREE(inst->ztx); + } + return rc; } +int set_tnlr_options(struct ziti_instance_s *inst) { + ziti_options tunneler_ziti_options = { + .config_types = cfg_types, + .event_cb = on_ziti_event, // ensure ziti events are propagated (as tunnel events) via the command interface + .events = -1, + .refresh_interval = refresh_interval, + .app_ctx = inst + }; + int rc = ziti_context_set_options(inst->ztx, &tunneler_ziti_options); + if (rc != ZITI_OK) { + ZITI_LOG(ERROR, "ziti_context_set_options failed: %s", ziti_errorstr(rc)); + FREE(inst->ztx); + } + + return rc; +} void set_ziti_instance(const char *identifier, struct ziti_instance_s *inst) { model_map_set(&instances, identifier, inst); From b6ca3f8a2e74bdd9eb71fecab2746fe6ad8be49d Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Thu, 12 Oct 2023 18:19:29 +0000 Subject: [PATCH 029/251] get ziti-sdk-c 0.35.2 (#746) --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index f6021ce1..7fc452d0 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
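Review bot: On the failure path of set_tnlr_options the context is released twice: set_tnlr_options calls `FREE(inst->ztx)` itself before returning, and init_ziti_instance calls `FREE(inst->ztx)` again when that return is not ZITI_OK. Whether this is a double free or merely redundant depends on whether the FREE macro nulls the pointer, which is not visible in this patch; either way release it in one place only, for instance by dropping the FREE from set_tnlr_options and letting init_ziti_instance (and any other caller) decide. It is also not visible whether FREE on a context produced by ziti_context_init releases what the SDK attached to it; if the SDK has a shutdown or context-free routine, that is the one to call here. Because set_tnlr_options is exported in the ziti_tunnel_cbs.h hunk of this patch, the one-line comment there should state the failure contract, e.g. `/** set options for tsdk usage on a ziti_instance's ziti_context; on failure inst->ztx is released and rc is returned */`, whichever behaviour is kept.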
@@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20) set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout") -set(ZITI_SDK_VERSION "0.35.0" CACHE STRING "ziti-sdk-c version or branch to use") +set(ZITI_SDK_VERSION "0.35.2" CACHE STRING "ziti-sdk-c version or branch to use") # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF) From af5b506d16e6bb4a0c0e31c9ce67bbba796b4a22 Mon Sep 17 00:00:00 2001 From: ekoby <7406535+ekoby@users.noreply.github.com> Date: Thu, 19 Oct 2023 12:07:09 -0400 Subject: [PATCH 030/251] Update ziti-sdk@0.35.4 --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 7fc452d0..f4c8739b 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20) set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout") -set(ZITI_SDK_VERSION "0.35.2" CACHE STRING "ziti-sdk-c version or branch to use") +set(ZITI_SDK_VERSION "0.35.4" CACHE STRING "ziti-sdk-c version or branch to use") # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF) From b2c0271bab4419ea99eeb477f3928d72c30104f9 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Tue, 31 Oct 2023 09:02:15 -0400 Subject: [PATCH 031/251] add an unstable container image tag to unpromoted releases --- .github/workflows/publish-containers.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish-containers.yml b/.github/workflows/publish-containers.yml index e2a9e916..eda22605 100644 --- a/.github/workflows/publish-containers.yml +++ b/.github/workflows/publish-containers.yml 
@@ -49,7 +49,7 @@ jobs: env: IMAGE_REPO: ${{ env.ZITI_EDGE_TUNNEL_IMAGE }} id: tagprep_run - run: echo DOCKER_TAGS="${IMAGE_REPO}:${ZITI_VERSION}" | tee -a $GITHUB_OUTPUT + run: echo DOCKER_TAGS="${IMAGE_REPO}:unstable,${IMAGE_REPO}:${ZITI_VERSION}" | tee -a $GITHUB_OUTPUT - name: Build & Push Multi-Platform Container Image to Hub uses: docker/build-push-action@v3 @@ -68,7 +68,7 @@ jobs: env: IMAGE_REPO: ${{ env.ZITI_HOST_IMAGE }} id: tagprep_run_host - run: echo DOCKER_TAGS="${IMAGE_REPO}:${ZITI_VERSION}" | tee -a $GITHUB_OUTPUT + run: echo DOCKER_TAGS="${IMAGE_REPO}:unstable,${IMAGE_REPO}:${ZITI_VERSION}" | tee -a $GITHUB_OUTPUT - name: Build & Push Multi-Platform Container Image to Hub From e222b519b79f53092ddd598829dffa04195b2001 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Thu, 2 Nov 2023 08:43:13 -0400 Subject: [PATCH 032/251] assume latest Ubuntu LTS if release name not recognized --- scripts/install-ubuntu.bash | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/install-ubuntu.bash b/scripts/install-ubuntu.bash index 1e2d3f77..1bc3190f 100755 --- a/scripts/install-ubuntu.bash +++ b/scripts/install-ubuntu.bash @@ -12,7 +12,7 @@ case ${UBUNTU_CODENAME} in jammy|focal|bionic) UBUNTU_LTS=${UBUNTU_CODENAME} ;; - lunar|kinetic) + lunar|kinetic|mantic) UBUNTU_LTS=jammy ;; impish|hirsute|groovy) @@ -22,8 +22,8 @@ case ${UBUNTU_CODENAME} in UBUNTU_LTS=bionic ;; *) - echo "Unsupported Ubuntu version: ${UBUNTU_CODENAME}" >&2 - exit 1 + echo "WARN: Ubuntu version: ${UBUNTU_CODENAME} not recognized, assuming latest" >&2 + UBUNTU_LTS=jammy ;; esac From cf0edb320ad0485412d88fcabcf5debf099ae7a8 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 13 Nov 2023 11:45:20 -0500 Subject: [PATCH 033/251] continue if not a C-SDK log line --- scripts/timestamp.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/timestamp.sh b/scripts/timestamp.sh index 105c76a1..6aeaf29b 100755 --- a/scripts/timestamp.sh +++ b/scripts/timestamp.sh 
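Review bot: The `*)` arm of install-ubuntu.bash now assumes jammy for any value, including an empty or unset `UBUNTU_CODENAME`, so a host where the codename could not be detected at all (where the variable is set is outside this hunk) silently receives the jammy repository instead of an error. Keeping the hard failure for the empty case, `"") echo "ERROR: UBUNTU_CODENAME is empty" >&2; exit 1 ;;`, placed ahead of the `*)` arm, limits the new fallback to the case the commit describes: a non-empty codename that is newer than the list. A comment on the fallback naming the LTS it assumes would also save the next reader from having to read the `lunar|kinetic|mantic` arm to work out why jammy was chosen.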
@@ -29,6 +29,7 @@ STARTSTAMP=$(grep -Po 'starting at \(\K[0-9-]+T[0-9:.]+' <<< "${STARTSTAMP_LINE} REALSTARTSTAMP=$(date --utc --date "${STARTSTAMP} -${STARTOFFSET} seconds" +%Y-%m-%dT%H:%M:%S.%3NZ) while read -r; do + grep -qP '^\([0-9]+\)\[(\s+)?\K[0-9.]+' <<< "${REPLY}" || continue OFFSET=$(grep -Po '^\([0-9]+\)\[(\s+)?\K[0-9.]+' <<< "${REPLY}") MESSAGE=$(grep -Po '^\([0-9]+\)\[(\s+)?[0-9.]+(\s+)?\]\K.*' <<< "${REPLY}") UTCSTAMP=$(date --utc --date "${REALSTARTSTAMP} +${OFFSET} seconds" +%Y-%m-%dT%H:%M:%S.%3NZ) From fafabeb93ae1eed7182eaa4392c8cffb332b25b9 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Tue, 14 Nov 2023 20:03:53 +0000 Subject: [PATCH 034/251] Resolve hostnames in uv worker threads (#754) * resolve hosted server address off-loop * increase default uv worker threads (4 -> 8) * don't re-parse app data (and leak previous app_data strings) * pin lukka/run-cmake to avoid glibc mismatch --- .github/actions/build/action.yml | 4 +- .../include/ziti/ziti_tunnel_cbs.h | 6 - lib/ziti-tunnel-cbs/ziti_hosting.c | 614 ++++++++++-------- lib/ziti-tunnel-cbs/ziti_tunnel_cbs.c | 58 +- programs/ziti-edge-tunnel/ziti-edge-tunnel.c | 1 + 5 files changed, 379 insertions(+), 304 deletions(-) diff --git a/.github/actions/build/action.yml b/.github/actions/build/action.yml index 07932bba..55556536 100644 --- a/.github/actions/build/action.yml +++ b/.github/actions/build/action.yml @@ -25,7 +25,7 @@ runs: shell: bash - name: install contemporary cmake - uses: lukka/get-cmake@latest + uses: lukka/get-cmake@v3.27.7 # pin version to avoid failed glibc dependency on ubuntu 20 runners. go back to @latest when ubuntu 22+ is adopted for runner os. - uses: lukka/run-vcpkg@v10 with: 
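Review bot: The added guard runs the same regex that the next line runs again on the same input; combining them, `OFFSET=$(grep -Po '^\([0-9]+\)\[(\s+)?\K[0-9.]+' <<< "${REPLY}") || continue`, skips non-matching lines with a single grep and removes the separate `-q` line. The `\K` in the guard's pattern has no effect under `-q` and can be dropped if the guard is kept as is. Whether the script runs under `set -e` is outside this hunk; if it does, the combined form gives the same protection against aborting on the first non-C-SDK line.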
@@ -33,7 +33,7 @@ runs: # see https://learn.microsoft.com/en-us/vcpkg/users/examples/versioning.getting-started#builtin-baseline vcpkgGitCommitId: 'a7b6122f6b6504d16d96117336a0562693579933' - - uses: lukka/run-cmake@v10 + - uses: lukka/run-cmake@v10.6 # pin version to avoid failed glibc dependency on ubuntu 20 runners. go back to @latest when ubuntu 22+ is adopted for runner os. name: Configure CMake with: configurePreset: ci-${{ inputs.preset }} diff --git a/lib/ziti-tunnel-cbs/include/ziti/ziti_tunnel_cbs.h b/lib/ziti-tunnel-cbs/include/ziti/ziti_tunnel_cbs.h index 2b1fd367..8ce9c1ad 100644 --- a/lib/ziti-tunnel-cbs/include/ziti/ziti_tunnel_cbs.h +++ b/lib/ziti-tunnel-cbs/include/ziti/ziti_tunnel_cbs.h @@ -35,12 +35,6 @@ extern "C" { XX(data, __VA_ARGS__) \ XX(resolver, __VA_ARGS__) - -enum tunnel_conn_type { - data_conn_type, - resolve_conn_type -}; - #define TUNNELER_APP_DATA_MODEL(XX, ...) \ XX(conn_type, TunnelConnectionType, none, connType, __VA_ARGS__) \ XX(dst_protocol, string, none, dst_protocol, __VA_ARGS__)\ diff --git a/lib/ziti-tunnel-cbs/ziti_hosting.c b/lib/ziti-tunnel-cbs/ziti_hosting.c index 29ee9a10..ab96921d 100644 --- a/lib/ziti-tunnel-cbs/ziti_hosting.c +++ b/lib/ziti-tunnel-cbs/ziti_hosting.c 
@@ -41,20 +41,33 @@ static void on_bridge_close(uv_handle_t *handle); struct hosted_io_ctx_s { struct hosted_service_ctx_s *service; ziti_connection client; - char server_dial_str[64]; + tunneler_app_data *app_data; + char client_identity[80]; + const char *computed_dst_protocol; + const char *computed_dst_ip_or_hn; + const char *computed_dst_port; + char resolved_dst[80]; union { uv_tcp_t tcp; uv_udp_t udp; } server; }; +static void hosted_io_context_free(hosted_io_context io) { + if (io) { + if (io->app_data) { + free_tunneler_app_data_ptr(io->app_data); + } + free(io); + } +} static void ziti_conn_close_cb(ziti_connection zc) { struct hosted_io_ctx_s *io_ctx = ziti_conn_data(zc); if (io_ctx) { - ZITI_LOG(TRACE, "hosted_service[%s] client[%s] ziti_conn[%p] closed", - io_ctx->service->service_name, ziti_conn_source_identity(zc), zc); - free(io_ctx); + ZITI_LOG(TRACE, "hosted_service[%s] client[%s] ziti_conn[%p] io[%p] closed", + io_ctx->service->service_name, io_ctx->client_identity, zc, io_ctx); + hosted_io_context_free(io_ctx); ziti_conn_set_data(zc, NULL); } else { ZITI_LOG(TRACE, "ziti_conn[%p] is closed", zc); @@ -115,7 +128,7 @@ static void hosted_server_close_cb(uv_handle_t *handle) { if (io_ctx->client) { ziti_close(io_ctx->client, ziti_conn_close_cb); ZITI_LOG(TRACE, "hosted_service[%s] client[%s] server_conn[%p] closed", - io_ctx->service->service_name, ziti_conn_source_identity(io_ctx->client), handle); + io_ctx->service->service_name, io_ctx->client_identity, handle); } else { ZITI_LOG(TRACE, "server_conn[%p] closed", handle); handle->data = NULL; 
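Review bot: The new `char client_identity[80]` field is filled later in this patch (in hosted_io_context_new) with `strncpy(io->client_identity, ziti_conn_source_identity(client), sizeof(io->client_identity))`, which does not NUL-terminate when the identity is 80 bytes or longer, and ziti_conn_close_cb in this hunk then prints the field with `%s`. Using `snprintf(io->client_identity, sizeof(io->client_identity), "%s", ziti_conn_source_identity(client));` there guarantees termination with the same truncation the other branch of that function already gets from its snprintf. A comment on the field, `// log label only; may be truncated`, would document that the 80-byte size is a display limit and not an identity limit.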
@@ -159,7 +172,7 @@ void *local_addr(uv_handle_t *h, struct sockaddr *name, int *len) { static void on_hosted_client_connect_complete(ziti_connection clt, int err) { struct hosted_io_ctx_s *io_ctx = ziti_conn_data(clt); if (err == ZITI_OK) { - uv_handle_t *server = (uv_handle_t *) &io_ctx->server; + uv_handle_t *server = (uv_handle_t *) &io_ctx->server.tcp; struct sockaddr_storage name_storage; struct sockaddr *name = (struct sockaddr *) &name_storage; int len = sizeof(name_storage); @@ -167,17 +180,17 @@ static void on_hosted_client_connect_complete(ziti_connection clt, int err) { uv_getnameinfo_t req = {0}; uv_getnameinfo(io_ctx->service->loop, &req, NULL, name, NI_NUMERICHOST|NI_NUMERICSERV); uv_os_fd_t fd; - int e = uv_fileno((uv_handle_t *) &io_ctx->server, &fd); + uv_fileno((uv_handle_t *) &io_ctx->server, &fd); ZITI_LOG(DEBUG, "hosted_service[%s] client[%s] local_addr[%s:%s] fd[%d] server[%s] connected %d", io_ctx->service->service_name, - ziti_conn_source_identity(clt), req.host, req.service, fd, io_ctx->server_dial_str, len); + io_ctx->client_identity, req.host, req.service, fd, io_ctx->resolved_dst, len); int rc = ziti_conn_bridge(clt, (uv_handle_t *) &io_ctx->server, on_bridge_close); if (rc != 0) { - ZITI_LOG(ERROR, "failed to bridge client[%s] with hosted_service[%s]", ziti_conn_source_identity(clt), io_ctx->service->service_name); + ZITI_LOG(ERROR, "failed to bridge client[%s] with hosted_service[%s]", io_ctx->client_identity, io_ctx->service->service_name); hosted_server_close(io_ctx); } } else { ZITI_LOG(ERROR, "hosted_service[%s] client[%s] failed to connect: %s", io_ctx->service->service_name, - ziti_conn_source_identity(clt), ziti_errorstr(err)); + io_ctx->client_identity, ziti_errorstr(err)); } } 
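Review bot: Dropping `int e =` leaves the result of uv_fileno unchecked, so when it fails `fd` is read uninitialized by the ZITI_LOG on the following line; keep the status, initialize `fd` before the call, and leave it at its initial value (or skip it in the message) when uv_fileno reports an error. The cast `(uv_handle_t *) &io_ctx->server` on that line, and again in the ziti_conn_bridge call below it, is the form the previous hunk just changed to `&io_ctx->server.tcp` a few lines up; use the same member form in all three places so the handle type is explicit rather than relying on the union's first member.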
@@ -190,6 +203,7 @@ static void on_hosted_client_connect_complete(ziti_connection clt, int err) { static void on_hosted_tcp_server_connect_complete(uv_connect_t *c, int status) { if (c == NULL || c->handle == NULL || c->handle->data == NULL) { ZITI_LOG(ERROR, "null handle or io_ctx"); + // todo get out } struct hosted_io_ctx_s *io_ctx = c->handle->data; if (io_ctx->client == NULL) { @@ -201,25 +215,17 @@ static void on_hosted_tcp_server_connect_complete(uv_connect_t *c, int status) { if (status < 0) { ZITI_LOG(ERROR, "hosted_service[%s], client[%s]: connect to %s failed: %s", io_ctx->service->service_name, - ziti_conn_source_identity(io_ctx->client), io_ctx->server_dial_str, uv_strerror(status)); + io_ctx->client_identity, io_ctx->resolved_dst, uv_strerror(status)); hosted_server_close(io_ctx); free(c); return; } ZITI_LOG(DEBUG, "hosted_service[%s], client[%s]: connected to server %s", io_ctx->service->service_name, - ziti_conn_source_identity(io_ctx->client), io_ctx->server_dial_str); + io_ctx->client_identity, io_ctx->resolved_dst); ziti_accept(io_ctx->client, on_hosted_client_connect_complete, NULL); free(c); } -struct addrinfo_params_s { - const char * address; - const char * port; - char _port_str[12]; // buffer used when config type uses int for port - struct addrinfo hints; - char err[128]; -}; - static int get_protocol_id(const char *protocol) { if (strcasecmp(protocol, "tcp") == 0) { return IPPROTO_TCP; 
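Review bot: The null check at the top of on_hosted_tcp_server_connect_complete still only logs, the added `// todo get out` marks the missing return, and the next line `struct hosted_io_ctx_s *io_ctx = c->handle->data;` dereferences the null it just detected. Return after the log, releasing the request the way the other paths in this function do: `free(c); return;` (free of a null pointer is a no-op, so no guard is needed). The function's body continues past this hunk.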
@@ -254,322 +260,404 @@ static bool allowed_hostname_match(const char *hostname, const allowed_hostnames return false; } -static bool addrinfo_from_host_ctx(struct addrinfo_params_s *dial_params, const host_ctx_t *host_ctx, tunneler_app_data *app_data) { - const char *dial_protocol_str = NULL; - - if (host_ctx->forward_protocol) { - dial_protocol_str = app_data->dst_protocol; - if (dial_protocol_str == NULL || dial_protocol_str[0] == '\0') { - snprintf(dial_params->err, sizeof(dial_params->err), - "hosted_service[%s] config specifies 'forwardProtocol', but client didn't send %s", - host_ctx->service_name, DST_PROTO_KEY); - return false; +static const char *compute_dst_protocol(const host_ctx_t *service, const tunneler_app_data *app_data, + int *protocol_number, char *err, size_t err_sz) { + const char *dst_proto; + if (service->forward_protocol) { + if (app_data == NULL || app_data->dst_protocol == NULL || app_data->dst_protocol[0] == '\0') { + snprintf(err, err_sz, "config specifies 'forwardProtocol', but client didn't send %s in app_data", + DST_PROTO_KEY); + return NULL; } - if (!protocol_match(app_data->dst_protocol, &host_ctx->proto_u.allowed_protocols)) { - snprintf(dial_params->err, sizeof(dial_params->err), - "hosted_service[%s] client requested protocol '%s' is not allowed", host_ctx->service_name, - app_data->dst_protocol); - return false; + if (!protocol_match(app_data->dst_protocol, &service->proto_u.allowed_protocols)) { + snprintf(err, err_sz, "requested protocol '%s' is not in 'allowedProtocols", app_data->dst_protocol); + return NULL; } - dial_protocol_str = app_data->dst_protocol; + dst_proto = app_data->dst_protocol; } else { - dial_protocol_str = host_ctx->proto_u.protocol; + dst_proto = service->proto_u.protocol; } - dial_params->hints.ai_protocol = get_protocol_id(dial_protocol_str); - if (dial_params->hints.ai_protocol < 0) { - snprintf(dial_params->err, sizeof(dial_params->err), "unsupported %s '%s'", DST_PROTO_KEY, dial_protocol_str); - 
return false; + if ((*protocol_number = get_protocol_id(app_data->dst_protocol)) < 0) { + snprintf(err, err_sz, "requested protocol '%s' is not supported", app_data->dst_protocol); + return NULL; } - if (host_ctx->forward_address) { - if (app_data->dst_hostname != NULL && app_data->dst_hostname[0] != 0) { - if (!allowed_hostname_match(app_data->dst_hostname, &host_ctx->addr_u.allowed_hostnames)) { - snprintf(dial_params->err, sizeof(dial_params->err), - "hosted_service[%s] client requested address '%s' is not allowed", host_ctx->service_name, - app_data->dst_hostname); - return false; - } + return dst_proto; +} - dial_params->address = app_data->dst_hostname; - dial_params->hints.ai_flags = AI_ADDRCONFIG; - } else if (app_data->dst_ip != NULL && app_data->dst_ip[0] != 0) { - uv_getaddrinfo_t gai_req = {0}; - int s; - if((s = uv_getaddrinfo(host_ctx->loop, &gai_req, NULL, app_data->dst_ip, - app_data->dst_port, &dial_params->hints)) != 0) { - ZITI_LOG(ERROR, "hosted_service[%s],getaddrinfo(%s,%s) failed: %s", - host_ctx->service_name, app_data->dst_ip, app_data->dst_port, gai_strerror(s)); - if (gai_req.addrinfo != NULL) { - uv_freeaddrinfo(gai_req.addrinfo); - } - return false; - } - ziti_address dst; - ziti_address_from_sockaddr(&dst, gai_req.addrinfo->ai_addr); - if (!address_match(&dst, &host_ctx->addr_u.allowed_addresses)) { - ZITI_LOG(ERROR, "hosted_service[%s] client requested address '%s' is not allowed", - host_ctx->service_name,app_data->dst_ip); - if (gai_req.addrinfo != NULL) { - uv_freeaddrinfo(gai_req.addrinfo); - } - return false; - } - if (gai_req.addrinfo != NULL) { - uv_freeaddrinfo(gai_req.addrinfo); +static const char *compute_dst_ip_or_hn(const host_ctx_t *service, const tunneler_app_data *app_data, + bool *is_ip, char *err, size_t err_sz) { + const char *ip_or_hn; + bool ip_expected = false; + bool hn_expected = false; + if (service->forward_address) { + if (app_data != NULL) { + if (app_data->dst_hostname != NULL) { + ZITI_LOG(VERBOSE, "using 
address from dst_hostname"); + ip_or_hn = app_data->dst_hostname; + hn_expected = true; + } else if (app_data->dst_ip != NULL) { + ZITI_LOG(VERBOSE, "using address from dst_ip"); + ip_or_hn = app_data->dst_ip; + ip_expected = true; + } else { + snprintf(err, err_sz, "config specifies 'forwardAddress', but client didn't send %s or %s in app_data", + DST_IP_KEY, DST_HOST_KEY); + return NULL; } - dial_params->address = app_data->dst_ip; - dial_params->hints.ai_flags = AI_ADDRCONFIG | AI_NUMERICSERV; - } else { - snprintf(dial_params->err, sizeof(dial_params->err), - "hosted_service[%s] config specifies 'forwardAddress' but client didn't send %s or %s", - host_ctx->service_name, DST_HOST_KEY, DST_IP_KEY); - return false; } } else { - dial_params->address = host_ctx->addr_u.address; + ZITI_LOG(VERBOSE, "using address from config"); + ip_or_hn = service->addr_u.address; + } + + ziti_address dst; + if (!ziti_address_from_string(&dst, ip_or_hn)) { + snprintf(err, sizeof(err), "failed to parse %s", ip_or_hn); + return NULL; } + *is_ip = (dst.type == ziti_address_cidr); - if (host_ctx->forward_port) { - if (app_data->dst_port == NULL) { - snprintf(dial_params->err, sizeof(dial_params->err), - "hosted_service[%s] config specifies 'forwardPort' but client didn't send %s", - host_ctx->service_name, DST_PORT_KEY); - return false; + if (ip_expected && *is_ip == false) { + ZITI_LOG(DEBUG, "client forwarded non-IP %s in dst_ip", ip_or_hn); + } + if (hn_expected && *is_ip == true) { + ZITI_LOG(DEBUG, "client forwarded IP %s in dst_hostname", ip_or_hn); + } + + // authorize address if forwarding + if (service->forward_address) { + if (dst.type == ziti_address_hostname) { + if (!allowed_hostname_match(ip_or_hn, &service->addr_u.allowed_hostnames)) { + snprintf(err, err_sz, "requested address '%s' is not in allowedAddresses", + app_data->dst_hostname); + return NULL; + } + } else if (dst.type == ziti_address_cidr) { + if (!address_match(&dst, &service->addr_u.allowed_addresses)) { + 
snprintf(err, err_sz, "requested address '%s' is not in allowedAddresses", app_data->dst_ip); + return NULL; + } } + } + return ip_or_hn; +} + +static const char *compute_dst_port(const host_ctx_t *service, const tunneler_app_data *app_data, char *err, size_t err_sz) { + if (service->forward_port) { + if (app_data == NULL || app_data->dst_port == NULL || app_data->dst_port[0] == '\0') { + snprintf(err, err_sz, "config specifies 'forwardPort' but client didn't send %s in app_data", DST_PORT_KEY); + return NULL; + } errno = 0; int port = (int) strtol(app_data->dst_port, NULL, 10); if (errno != 0) { - snprintf(dial_params->err, sizeof(dial_params->err), - "hosted_service[%s] client sent invalid %s '%s'", host_ctx->service_name, - DST_PORT_KEY, app_data->dst_port); - return false; + snprintf(err, err_sz, "invalid %s '%s' in app_data", DST_PORT_KEY, app_data->dst_port); + return NULL; } - - if (!port_match(port, &host_ctx->port_u.allowed_port_ranges)) { - snprintf(dial_params->err, sizeof(dial_params->err), - "hosted_service[%s] client requested port '%s' is not allowed", host_ctx->service_name, - app_data->dst_port); - return false; + if (!port_match(port, &service->port_u.allowed_port_ranges)) { + snprintf(err, err_sz, "requested port '%s' is not in allowedPortRanges", app_data->dst_port); + return NULL; } - dial_params->port = app_data->dst_port; + return app_data->dst_port; + } + + static char port_from_config[12]; + snprintf(port_from_config, sizeof(port_from_config), "%d", service->port_u.port); + return port_from_config; +} + +static int do_bind(hosted_io_context io, const char *addr, int socktype) { + // split out the ip and port if port was specified + char *src_ip = strdup(io->app_data->source_addr); + char *port = strchr(src_ip, ':'); + if (port != NULL) { + *port = '\0'; + port++; + } + + uv_getaddrinfo_t ai_req = {0}; + struct addrinfo hints = {0}; + hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV; + hints.ai_protocol = 
get_protocol_id(io->computed_dst_protocol); + hints.ai_socktype = socktype; + + int uv_err = uv_getaddrinfo(io->service->loop, &ai_req, NULL, src_ip, port, &hints); + free(src_ip); + + if (uv_err != 0) { + ZITI_LOG(ERROR, "hosted_service[%s], client[%s]: getaddrinfo(%s) failed: %s", + io->service->service_name, io->client_identity, io->app_data->source_addr, uv_strerror(uv_err)); + return -1; + } + + if (ai_req.addrinfo->ai_next != NULL) { + ZITI_LOG(DEBUG, "hosted_service[%s], client[%s]: getaddrinfo(%s) returned multiple results; using first", + io->service->service_name, io->client_identity, io->app_data->source_addr); + } + + ziti_address src_za; + ziti_address_from_sockaddr(&src_za, ai_req.addrinfo->ai_addr); // convert for easy validation + uv_freeaddrinfo(ai_req.addrinfo); + + if (!address_match(&src_za, &io->service->allowed_source_addresses)) { + ZITI_LOG(ERROR, "hosted_service[%s], client[%s] client requested source IP %s is not allowed", + io->service->service_name, io->client_identity, io->app_data->source_addr); + return -1; + } + + switch (hints.ai_protocol) { + case IPPROTO_TCP: + uv_err = uv_tcp_bind(&io->server.tcp, ai_req.addrinfo->ai_addr, 0); + break; + case IPPROTO_UDP: + uv_err = uv_udp_bind(&io->server.udp, ai_req.addrinfo->ai_addr, 0); + break; + default: + ZITI_LOG(ERROR, "hosted_service[%s] client[%s] unsupported protocol %d when binding source address", + io->service->service_name, io->client_identity, hints.ai_protocol); + return -1; + } + + if (uv_err != 0) { + ZITI_LOG(ERROR, "hosted_service[%s] client[%s]: bind failed: %s", io->service->service_name, + io->client_identity, uv_strerror(uv_err)); + return -1; + } + + return 0; +} + +static hosted_io_context hosted_io_context_new(struct hosted_service_ctx_s *service_ctx, ziti_connection client, + tunneler_app_data *app_data, const char *dst_protocol, const char *dst_ip_or_hn, const char *dst_port) { + hosted_io_context io = calloc(1, sizeof(struct hosted_io_ctx_s)); + io->service = 
service_ctx; + + // include underlay details in client identity if available + if (app_data && app_data->src_protocol && app_data->src_ip && app_data->src_port) { + snprintf(io->client_identity, sizeof(io->client_identity), "%s] client_src_addr[%s:%s:%s", ziti_conn_source_identity(client), + app_data->src_protocol, app_data->src_ip, app_data->src_port); } else { - snprintf(dial_params->_port_str, sizeof(dial_params->_port_str), "%d", host_ctx->port_u.port); - dial_params->port = dial_params->_port_str; + strncpy(io->client_identity, ziti_conn_source_identity(client), sizeof(io->client_identity)); } + io->computed_dst_protocol = dst_protocol; + io->computed_dst_ip_or_hn = dst_ip_or_hn; + io->computed_dst_port = dst_port; - return true; + int socktype, uv_err = -1; + int protocol_number = get_protocol_id(dst_protocol); + switch (protocol_number) { + case IPPROTO_TCP: + uv_err = uv_tcp_init(service_ctx->loop, &io->server.tcp); + socktype = SOCK_STREAM; + io->server.tcp.data = io; + break; + case IPPROTO_UDP: + uv_err = uv_udp_init(service_ctx->loop, &io->server.udp); + socktype = SOCK_DGRAM; + io->server.udp.data = io; + break; + default: + ZITI_LOG(ERROR, "hosted_service[%s] client[%s] unsupported protocol '%s''", service_ctx->service_name, + io->client_identity, dst_protocol); + free(io); + return NULL; + } + if (uv_err != 0) { + ZITI_LOG(ERROR, "hosted_service[%s] client[%s] dst[%s:%s:%s] failed to initialize underlay handle: %s", + service_ctx->service_name, io->client_identity, dst_protocol, dst_ip_or_hn, dst_port, uv_strerror(uv_err)); + free(io); + return NULL; + } + // uv handle has been initialized and must be closed before freeing `io` now. + + // if app_data includes source ip[:port], verify that it is allowed before attempting to bind + if (app_data && app_data->source_addr && app_data->source_addr[0] != '\0') { + if (do_bind(io, app_data->source_addr, socktype) != 0) { + hosted_server_close(io); + return NULL; + } + } + + // success. 
now set references to ziti connection and app_data so cleanup happens in ziti_conn_close_cb + io->client = client; + io->app_data = app_data; + + return io; } -/** called by ziti sdk when a ziti endpoint (client) initiates connection to a hosted service */ +static void on_hosted_client_connect_resolved(uv_getaddrinfo_t* req, int status, struct addrinfo* res); + +/** called by ziti sdk when a ziti endpoint (client) initiates connection to a hosted service + * - compute dial address (from appdata if forwarding, or from dial address in config) + * - if forwarding, validate address is allowed + * - validate src address if specified + * - initiate async dns resolution of dial address (if computed address is hostname?) + */ static void on_hosted_client_connect(ziti_connection serv, ziti_connection clt, int status, ziti_client_ctx *clt_ctx) { struct hosted_service_ctx_s *service_ctx = ziti_conn_data(serv); if (service_ctx == NULL) { ZITI_LOG(ERROR, "null service_ctx"); - ziti_close(clt, ziti_conn_close_cb); + ziti_close(clt, NULL); return; } if (status != ZITI_OK) { - ZITI_LOG(ERROR, "incoming connection to service[%s] failed: %s", service_ctx->service_name, ziti_errorstr(status)); - ziti_close(clt, ziti_conn_close_cb); + ZITI_LOG(ERROR, "hosted_service[%s] incoming connection failed: %s", service_ctx->service_name, ziti_errorstr(status)); + ziti_close(clt, NULL); return; } - const char *client_identity = clt_ctx->caller_id; - if (client_identity == NULL) client_identity = ""; - - uv_getaddrinfo_t dial_ai_req = {0}; - uv_getaddrinfo_t source_ai_req = {0}; - struct hosted_io_ctx_s *io_ctx = NULL; - bool err = false; - - tunneler_app_data app_data; - memset(&app_data, 0, sizeof(app_data)); + tunneler_app_data *app_data = NULL; if (clt_ctx->app_data != NULL) { - ZITI_LOG(DEBUG, "hosted_service[%s], client[%s]: received app_data_json='%.*s'", service_ctx->service_name, - client_identity, (int)clt_ctx->app_data_sz, clt_ctx->app_data); - if (parse_tunneler_app_data(&app_data, 
(char *)clt_ctx->app_data, clt_ctx->app_data_sz) < 0) { - ZITI_LOG(ERROR, "hosted_service[%s], client[%s]: failed to parse app_data_json '%.*s'", - service_ctx->service_name, - client_identity, (int)clt_ctx->app_data_sz, clt_ctx->app_data); - err = true; - goto done; + ZITI_LOG(DEBUG, "hosted_service[%s] client[%s]: received app_data_json='%.*s'", service_ctx->service_name, + clt_ctx->caller_id, (int) clt_ctx->app_data_sz, clt_ctx->app_data); + if (parse_tunneler_app_data_ptr(&app_data, (char *) clt_ctx->app_data, clt_ctx->app_data_sz) < 0) { + ZITI_LOG(ERROR, "hosted_service[%s] client[%s]: failed to parse app_data_json '%.*s'", + service_ctx->service_name, clt_ctx->caller_id, (int) clt_ctx->app_data_sz, clt_ctx->app_data); + ziti_close(clt, NULL); + return; } } - if (app_data.conn_type == TunnelConnectionTypes.resolver) { + if (app_data != NULL && app_data->conn_type == TunnelConnectionTypes.resolver) { accept_resolver_conn(clt, &service_ctx->addr_u.allowed_hostnames); - free_tunneler_app_data(&app_data); + free_tunneler_app_data_ptr(app_data); return; } - struct addrinfo_params_s dial_ai_params; - memset(&dial_ai_params, 0, sizeof(dial_ai_params)); - int s = addrinfo_from_host_ctx(&dial_ai_params, service_ctx, &app_data); - if (!s) { - ZITI_LOG(ERROR, "hosted_service[%s], client[%s]: failed to create dial addrinfo params: %s", - service_ctx->service_name, client_identity, dial_ai_params.err); - err = true; - goto done; + char err[80]; + int protocol_number; + const char *protocol = compute_dst_protocol(service_ctx, app_data, &protocol_number, err, sizeof(err)); + if (protocol == NULL) { + ZITI_LOG(ERROR, "hosted_service[%s] client[%s] failed to compute destination protocol: %s", + service_ctx->service_name, clt_ctx->caller_id, err); + free_tunneler_app_data_ptr(app_data); + ziti_close(clt, NULL); + return; } - switch (dial_ai_params.hints.ai_protocol) { - case IPPROTO_TCP: - dial_ai_params.hints.ai_socktype = SOCK_STREAM; - break; - case IPPROTO_UDP: - 
dial_ai_params.hints.ai_socktype = SOCK_DGRAM; - break; + bool is_ip; + const char *ip_or_hn = compute_dst_ip_or_hn(service_ctx, app_data, &is_ip, err, sizeof(err)); + if (ip_or_hn == NULL) { + ZITI_LOG(ERROR, "hosted_service[%s] client[%s] failed to compute destination address: %s", + service_ctx->service_name, clt_ctx->caller_id, err); + free_tunneler_app_data_ptr(app_data); + ziti_close(clt, NULL); + return; } - if ((s = uv_getaddrinfo(service_ctx->loop, &dial_ai_req, NULL, dial_ai_params.address, dial_ai_params.port, &dial_ai_params.hints)) != 0) { - ZITI_LOG(ERROR, "hosted_service[%s], client[%s]: getaddrinfo(%s,%s) failed: %s", - service_ctx->service_name, client_identity, dial_ai_params.address, dial_ai_params.port, gai_strerror(s)); - err = true; - goto done; + const char *port = compute_dst_port(service_ctx, app_data, err, sizeof(err)); + if (port == NULL) { + ZITI_LOG(ERROR, "hosted_service[%s] client[%s] failed to compute destination port: %s", + service_ctx->service_name, clt_ctx->caller_id, err); + free_tunneler_app_data_ptr(app_data); + ziti_close(clt, NULL); + return; } - if (dial_ai_req.addrinfo->ai_next != NULL) { - ZITI_LOG(DEBUG, "hosted_service[%s], client[%s]: getaddrinfo(%s,%s) returned multiple results; using first", - service_ctx->service_name, client_identity, dial_ai_params.address, dial_ai_params.port); + + hosted_io_context io = hosted_io_context_new(service_ctx, clt, app_data, protocol, ip_or_hn, port); + if (io == NULL) { + ZITI_LOG(ERROR, "hosted_service[%s] client[%s] failed to create io context", service_ctx->service_name, + clt_ctx->caller_id); + free_tunneler_app_data_ptr(app_data); + ziti_close(clt, NULL); + return; } - const char *dst_proto = app_data.dst_protocol; - const char *dst_ip = app_data.dst_hostname ? 
app_data.dst_hostname : app_data.dst_ip; - const char *dst_port = app_data.dst_port; - if (dst_proto != NULL && dst_ip != NULL && dst_port != NULL) { - ZITI_LOG(INFO, "hosted_service[%s], client[%s] dst_addr[%s:%s:%s]: incoming connection", - service_ctx->service_name, client_identity, dst_proto, dst_ip, dst_port); - } else { - ZITI_LOG(INFO, "hosted_service[%s], client[%s] incoming connection", - service_ctx->service_name, client_identity); - } - - const char *source_addr = app_data.source_addr; - if (source_addr != NULL && *source_addr != 0) { - struct addrinfo source_hints = {0}; - const char *port_sep = strchr(source_addr, ':'); - const char *source_port = NULL; - char source_ip_cp[64]; - if (port_sep != NULL) { - source_port = port_sep + 1; - strncpy(source_ip_cp, source_addr, port_sep - source_addr); - source_ip_cp[port_sep - source_addr] = '\0'; - source_addr = source_ip_cp; - } - source_hints.ai_flags = AI_ADDRCONFIG | AI_NUMERICHOST | AI_NUMERICSERV; - source_hints.ai_protocol = dial_ai_params.hints.ai_protocol; - source_hints.ai_socktype = dial_ai_params.hints.ai_socktype; - if ((s = uv_getaddrinfo(service_ctx->loop, &source_ai_req, NULL, source_addr, source_port, &source_hints)) != 0) { - ZITI_LOG(ERROR, "hosted_service[%s], client[%s]: getaddrinfo(%s,%s) failed: %s", - service_ctx->service_name, client_identity, source_addr, source_port, gai_strerror(s)); - err = true; - goto done; - } - if (source_ai_req.addrinfo->ai_next != NULL) { - ZITI_LOG(DEBUG, "hosted_service[%s], client[%s]: getaddrinfo(%s,%s) returned multiple results; using first", - service_ctx->service_name, client_identity, source_addr, source_port); - } - ziti_address src_za; - ziti_address_from_sockaddr(&src_za, source_ai_req.addrinfo->ai_addr); - if (!address_match(&src_za, &service_ctx->allowed_source_addresses)) { - ZITI_LOG(ERROR, "hosted_service[%s], client[%s] client requested source IP %s is not allowed", - service_ctx->service_name, client_identity, source_addr); - err = true; - 
goto done; - } + ZITI_LOG(INFO, "hosted_service[%s] client[%s] dst_addr[%s:%s:%s]: incoming connection", + service_ctx->service_name, io->client_identity, protocol, ip_or_hn, port); + + struct addrinfo hints = {0}; + hints.ai_protocol = protocol_number; + hints.ai_socktype = protocol_number == IPPROTO_UDP ? SOCK_DGRAM : SOCK_STREAM; + hints.ai_flags = AI_NUMERICSERV; + if (is_ip) hints.ai_flags |= AI_NUMERICHOST; + + uv_getaddrinfo_t *ai_req = calloc(1, sizeof(uv_getaddrinfo_t)); + ai_req->data = io; + ziti_conn_set_data(clt, io); + + int s = uv_getaddrinfo(service_ctx->loop, ai_req, on_hosted_client_connect_resolved, ip_or_hn, port, &hints); + if (s != 0) { + ZITI_LOG(ERROR, "hosted_service[%s] client[%s]: getaddrinfo(%s:%s:%s) failed: %s", + service_ctx->service_name, io->client_identity, protocol, ip_or_hn, port, uv_strerror(s)); + free(ai_req); + hosted_server_close(io); + return; + } +} + +static void on_hosted_client_connect_resolved(uv_getaddrinfo_t* ai_req, int status, struct addrinfo* res) { + hosted_io_context io = ai_req->data; + if (io == NULL) { + ZITI_LOG(ERROR, "null io"); + if (status >= 0) uv_freeaddrinfo(res); + free(ai_req); + return; + } + + if (status < 0) { + ZITI_LOG(ERROR, "hosted_service[%s] client[%s] getaddrinfo(%s:%s:%s) failed: %s", io->service->service_name, + io->client_identity, io->computed_dst_protocol, io->computed_dst_ip_or_hn, io->computed_dst_port, + uv_strerror(status)); + free(ai_req); + ZITI_LOG(DEBUG, "closing c[%p] io[%p]", io->client, ziti_conn_data(io->client)); + hosted_server_close(io); + return; } - io_ctx = calloc(1, sizeof(struct hosted_io_ctx_s)); - io_ctx->service = service_ctx; - io_ctx->client = clt; - ziti_conn_set_data(clt, io_ctx); + if (res->ai_next != NULL) { + ZITI_LOG(DEBUG, "hosted_service[%s], client[%s]: getaddrinfo(%s:%s:%s) returned multiple results; using first", + io->service->service_name, io->client_identity, io->computed_dst_protocol, + io->computed_dst_ip_or_hn, io->computed_dst_port); + } - 
char host[48]; - char port[12]; - s = getnameinfo(dial_ai_req.addrinfo->ai_addr, dial_ai_req.addrinfo->ai_addrlen, host, sizeof(host), port, sizeof(port), - NI_NUMERICHOST | NI_NUMERICSERV); - if (s == 0) { - snprintf(io_ctx->server_dial_str, sizeof(io_ctx->server_dial_str), "%s:%s:%s", - get_protocol_str(dial_ai_req.addrinfo->ai_protocol), host, port); + uv_getnameinfo_t ni_req = {0}; + int uv_err = uv_getnameinfo(io->service->loop, &ni_req, NULL, res->ai_addr, NI_NUMERICHOST | NI_NUMERICSERV); + if (uv_err == 0) { + snprintf(io->resolved_dst, sizeof(io->resolved_dst), "%s:%s:%s", + get_protocol_str(res->ai_protocol), ni_req.host, ni_req.service); } else { - ZITI_LOG(WARN, "hosted_service[%s] client[%s] getnameinfo failed: %s", io_ctx->service->service_name, - ziti_conn_source_identity(io_ctx->client), gai_strerror(s)); - strncpy(io_ctx->server_dial_str, "", sizeof(io_ctx->server_dial_str)); + ZITI_LOG(WARN, "hosted_service[%s] client[%s] getnameinfo failed: %s", io->service->service_name, + io->client_identity, uv_strerror(uv_err)); + strncpy(io->resolved_dst, "", sizeof(io->resolved_dst)); } - int uv_err; - switch (dial_ai_req.addrinfo->ai_protocol) { + ZITI_LOG(DEBUG, "hosted_service[%s] client[%s] initiating connection to %s", + io->service->service_name, io->client_identity, io->resolved_dst); + + switch (res->ai_protocol) { case IPPROTO_TCP: - uv_tcp_init(service_ctx->loop, &io_ctx->server.tcp); - io_ctx->server.tcp.data = io_ctx; - if (source_ai_req.addrinfo != NULL) { - uv_err = uv_tcp_bind(&io_ctx->server.tcp, source_ai_req.addrinfo->ai_addr, 0); - if (uv_err != 0) { - ZITI_LOG(ERROR, "hosted_service[%s], client[%s]: uv_tcp_bind failed: %s", - service_ctx->service_name, client_identity, uv_err_name(uv_err)); - err = true; - goto done; - } - } { uv_connect_t *c = malloc(sizeof(uv_connect_t)); - uv_err = uv_tcp_connect(c, &io_ctx->server.tcp, dial_ai_req.addrinfo->ai_addr, on_hosted_tcp_server_connect_complete); + uv_err = uv_tcp_connect(c, &io->server.tcp, 
res->ai_addr, on_hosted_tcp_server_connect_complete); if (uv_err != 0) { ZITI_LOG(ERROR, "hosted_service[%s], client[%s]: uv_tcp_connect failed: %s", - service_ctx->service_name, client_identity, uv_err_name(uv_err)); - err = true; - goto done; + io->service->service_name, io->client_identity, uv_strerror(uv_err)); + hosted_server_close(io); } } break; case IPPROTO_UDP: - uv_udp_init(service_ctx->loop, &io_ctx->server.udp); - io_ctx->server.udp.data = io_ctx; - if (source_ai_req.addrinfo != NULL) { - uv_err = uv_udp_bind(&io_ctx->server.udp, source_ai_req.addrinfo->ai_addr, 0); - if (uv_err != 0) { - ZITI_LOG(ERROR, "hosted_service[%s] client[%s]: uv_udp_bind failed: %s", - service_ctx->service_name, client_identity, uv_err_name(uv_err)); - err = true; - goto done; - } - } - uv_err = uv_udp_connect(&io_ctx->server.udp, dial_ai_req.addrinfo->ai_addr); + uv_err = uv_udp_connect(&io->server.udp, res->ai_addr); if (uv_err != 0) { ZITI_LOG(ERROR, "hosted_service[%s], client[%s]: uv_udp_connect failed: %s", - service_ctx->service_name, client_identity, uv_err_name(uv_err)); - err = true; - goto done; + io->service->service_name, io->client_identity, uv_strerror(uv_err)); + hosted_server_close(io); } - if (ziti_accept(clt, on_hosted_client_connect_complete, NULL) != ZITI_OK) { + if (ziti_accept(io->client, on_hosted_client_connect_complete, NULL) != ZITI_OK) { ZITI_LOG(ERROR, "ziti_accept failed"); - err = true; - goto done; + hosted_server_close(io); } break; } - done: - if (err) { - if (io_ctx == NULL) { - // if we get an error before creating io_ctx, just close incoming connection - ziti_close(clt, ziti_conn_close_cb); - } else { - hosted_server_close(io_ctx); - } - } - if (clt_ctx->app_data != NULL) { - free_tunneler_app_data(&app_data); - } - if (dial_ai_req.addrinfo != NULL) { - uv_freeaddrinfo(dial_ai_req.addrinfo); - } - if (source_ai_req.addrinfo != NULL) { - uv_freeaddrinfo(source_ai_req.addrinfo); - } + uv_freeaddrinfo(res); + free(ai_req); } /** called by ziti 
SDK when a hosted service listener is ready */ @@ -583,7 +671,7 @@ static void hosted_listen_cb(ziti_connection serv, int status) { if (status != ZITI_OK) { ZITI_LOG(ERROR, "unable to host service %s: %s", host_ctx->service_name, ziti_errorstr(status)); ziti_conn_set_data(serv, NULL); - ziti_close(serv, ziti_conn_close_cb); + ziti_close(serv, NULL); free_hosted_service_ctx(host_ctx); } } @@ -778,7 +866,7 @@ host_ctx_t *ziti_sdk_c_host(void *ziti_ctx, uv_loop_t *loop, const char *service static void on_uv_close(uv_handle_t *handle) { struct hosted_io_ctx_s *io_ctx = handle->data; - free(io_ctx); + hosted_io_context_free(io_ctx); } static void on_bridge_close(uv_handle_t *handle) { diff --git a/lib/ziti-tunnel-cbs/ziti_tunnel_cbs.c b/lib/ziti-tunnel-cbs/ziti_tunnel_cbs.c index e1670c01..884482e8 100644 --- a/lib/ziti-tunnel-cbs/ziti_tunnel_cbs.c +++ b/lib/ziti-tunnel-cbs/ziti_tunnel_cbs.c @@ -219,11 +219,10 @@ static void parse_socket_address(const char *address, char **proto, char **ip, c } } -/** render app_data as string (json) */ -static ssize_t get_app_data_json(char *buf, size_t bufsz, tunneler_io_context io, ziti_context ziti_ctx, const char *source_ip, tunneler_app_data *app_data) { +/** initialize app_data and render json for a dial request. */ +static ssize_t get_app_data(char *buf, size_t bufsz, tunneler_io_context io, ziti_context ziti_ctx, const char *source_ip, tunneler_app_data *app_data) { const char *intercepted = get_intercepted_address(io); const char *client = get_client_address(io); - char source_addr[64]; if (intercepted != NULL) { parse_socket_address(intercepted, &app_data->dst_protocol, &app_data->dst_ip, &app_data->dst_port); 
@@ -239,18 +238,17 @@ static ssize_t get_app_data_json(char *buf, size_t bufsz, tunneler_io_context io } if (source_ip != NULL && *source_ip != 0) { const ziti_identity *zid = ziti_get_identity(ziti_ctx); - strncpy(source_addr, source_ip, sizeof(source_addr)); - string_replace(source_addr, sizeof(source_addr), "$tunneler_id.name", zid->name); - string_replace(source_addr, sizeof(source_addr), "$dst_ip", app_data->dst_ip); - string_replace(source_addr, sizeof(source_addr), "$dst_port", app_data->dst_port); - string_replace(source_addr, sizeof(source_addr), "$src_ip", app_data->src_ip); - string_replace(source_addr, sizeof(source_addr), "$src_port", app_data->src_port); - app_data->source_addr = source_addr; + size_t source_addr_maxlen = 64; + size_t source_addr_sz = source_addr_maxlen * sizeof(char); + app_data->source_addr = calloc(source_addr_maxlen, sizeof(char)); + strncpy(app_data->source_addr, source_ip, source_addr_sz); + string_replace(app_data->source_addr, source_addr_sz, "$tunneler_id.name", zid->name); + string_replace(app_data->source_addr, source_addr_sz, "$dst_ip", app_data->dst_ip); + string_replace(app_data->source_addr, source_addr_sz, "$dst_port", app_data->dst_port); + string_replace(app_data->source_addr, source_addr_sz, "$src_ip", app_data->src_ip); + string_replace(app_data->source_addr, source_addr_sz, "$src_port", app_data->src_port); } ssize_t json_len = tunneler_app_data_to_json_r(app_data, MODEL_JSON_COMPACT, buf, bufsz); - - // value points to stack buffer - app_data->source_addr = NULL; return json_len; } @@ -302,8 +300,7 @@ void * ziti_sdk_c_dial(const void *intercept_ctx, struct io_ctx_s *io) { return NULL; } - ziti_dial_opts dial_opts; - memset(&dial_opts, 0, sizeof(dial_opts)); + ziti_dial_opts dial_opts = {0}; char app_data_json[256]; const char *source_ip = NULL; 
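Review bot: The `strncpy(app_data->source_addr, source_ip, source_addr_sz);` into the new 64-byte heap buffer is not guaranteed to NUL-terminate: a source_ip of 64 or more characters fills the buffer completely and the string_replace calls that follow receive an unterminated string. `snprintf(app_data->source_addr, source_addr_sz, "%s", source_ip);` performs the same bounded copy with guaranteed termination. The calloc result is also used unchecked, so an allocation failure dereferences NULL on the next line. Note that source_addr is now heap memory rather than the stack buffer the removed lines cleared, so whatever releases app_data after the dial (ziti_sdk_c_dial, outside this hunk) must free it — confirm free_tunneler_app_data does, or this leaks on every dial.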
@@ -320,7 +317,7 @@ void * ziti_sdk_c_dial(const void *intercept_ctx, struct io_ctx_s *io) { } tunneler_app_data app_data = {0}; - ssize_t json_len = get_app_data_json(app_data_json, sizeof(app_data_json), io->tnlr_io, ziti_ctx, source_ip, &app_data); + ssize_t json_len = get_app_data(app_data_json, sizeof(app_data_json), io->tnlr_io, ziti_ctx, source_ip, &app_data); if (json_len < 0) { ZITI_LOG(ERROR, "service[%s] failed to encode app_data", zi_ctx->service_name); free(ziti_io_ctx); 
@@ -329,23 +326,18 @@ void * ziti_sdk_c_dial(const void *intercept_ctx, struct io_ctx_s *io) { char resolved_dial_identity[128]; if (dial_opts.identity != NULL && dial_opts.identity[0] != '\0') { - const char *dst_addr = get_intercepted_address(io->tnlr_io); - if (dst_addr != NULL) { - strncpy(resolved_dial_identity, dial_opts.identity, sizeof(resolved_dial_identity)); - if (parse_tunneler_app_data(&app_data, (char *)app_data_json, json_len) >= 0){ - if (app_data.dst_protocol != NULL) { - string_replace(resolved_dial_identity, sizeof(resolved_dial_identity), "$dst_protocol", app_data.dst_protocol); - } - if (app_data.dst_ip != NULL) { - string_replace(resolved_dial_identity, sizeof(resolved_dial_identity), "$dst_ip", app_data.dst_ip); - } - if (app_data.dst_port != NULL) { - string_replace(resolved_dial_identity, sizeof(resolved_dial_identity), "$dst_port", app_data.dst_port); - } - if (app_data.dst_hostname != NULL){ - string_replace(resolved_dial_identity, sizeof(resolved_dial_identity), "$dst_hostname", app_data.dst_hostname); - } - } + strncpy(resolved_dial_identity, dial_opts.identity, sizeof(resolved_dial_identity)); + if (app_data.dst_protocol != NULL) { + string_replace(resolved_dial_identity, sizeof(resolved_dial_identity), "$dst_protocol", app_data.dst_protocol); + } + if (app_data.dst_ip != NULL) { + string_replace(resolved_dial_identity, sizeof(resolved_dial_identity), "$dst_ip", app_data.dst_ip); + } + if (app_data.dst_port != NULL) { + string_replace(resolved_dial_identity, sizeof(resolved_dial_identity), "$dst_port", app_data.dst_port); + } + if (app_data.dst_hostname != NULL) { + string_replace(resolved_dial_identity, sizeof(resolved_dial_identity), "$dst_hostname", app_data.dst_hostname); } dial_opts.identity = resolved_dial_identity; } diff --git a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c index e0335ab1..daace82e 100644 --- a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c 
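Review bot: `strncpy(resolved_dial_identity, dial_opts.identity, sizeof(resolved_dial_identity));` leaves resolved_dial_identity unterminated when the configured identity is 128 characters or longer, and the string_replace calls and the later use as dial_opts.identity then read past the 128-byte array. The line is inherited from the removed block, but the hunk keeps it on the new side; `snprintf(resolved_dial_identity, sizeof(resolved_dial_identity), "%s", dial_opts.identity);` gives the same copy with guaranteed termination. A truncated identity is probably worth a log line rather than a silent dial, since a shortened identity will not match the one the operator configured. ziti_sdk_c_dial begins and ends outside this hunk.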
+++ b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c @@ -1918,6 +1918,7 @@ static void interrupt_handler(int sig) { #endif static void run(int argc, char *argv[]) { + setenv("UV_THREADPOOL_SIZE", "8", 0); uv_loop_t *ziti_loop = uv_default_loop(); main_ziti_loop = ziti_loop; uv_cond_init(&stop_cond); From 9438976b72d8e0f9afa42f77a4e8e62a0625f8b4 Mon Sep 17 00:00:00 2001 From: eugene Date: Wed, 15 Nov 2023 12:38:03 -0500 Subject: [PATCH 035/251] use ziti-sdk fix branch --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index f4c8739b..a1dfb1ed 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20) set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout") -set(ZITI_SDK_VERSION "0.35.4" CACHE STRING "ziti-sdk-c version or branch to use") +set(ZITI_SDK_VERSION "more-resilient-rebinding" CACHE STRING "ziti-sdk-c version or branch to use") # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF) From ed16e17ff11a6f09e6a989777f00b379359a82de Mon Sep 17 00:00:00 2001 From: eugene Date: Fri, 17 Nov 2023 16:37:57 -0500 Subject: [PATCH 036/251] update ziti-sdk@0.35.5 --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index a1dfb1ed..6cf83036 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20) set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout") -set(ZITI_SDK_VERSION "more-resilient-rebinding" CACHE STRING "ziti-sdk-c version or branch to use") +set(ZITI_SDK_VERSION "0.35.5" CACHE STRING "ziti-sdk-c version or branch to use") # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF) 
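Review bot: The new `setenv("UV_THREADPOOL_SIZE", "8", 0);` is a magic number with no rationale; a comment such as `// widen libuv's worker pool (overwrite=0 keeps an operator-supplied value); must run before the loop first touches the pool` would tell the next reader why it exists and why it sits before uv_default_loop(). Its return value is ignored, which is fine for a best-effort tuning but worth saying in that comment. If this file is also built with MSVC, confirm a setenv shim is available there, since that CRT does not provide one; the #endif just above suggests platform-conditional code is already the convention in this file. run() continues outside the hunk.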
From fbb434ced7c6c36992c7f839dd1a3aac65c585e8 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Mon, 20 Nov 2023 22:04:04 +0000 Subject: [PATCH 037/251] avoid invalid memory access when processing queries with zero-length name (#757) * avoid invalid reads/writes when processing queries with zero-length name * use vcpkg baseline 2023.06.20 to avoid invalid/missing libwinpthread dependency on getopt-win32 --- .github/actions/build/action.yml | 4 ++-- lib/ziti-tunnel-cbs/dns_msg.c | 2 +- vcpkg.json | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/actions/build/action.yml b/.github/actions/build/action.yml index 55556536..25707e8b 100644 --- a/.github/actions/build/action.yml +++ b/.github/actions/build/action.yml @@ -29,9 +29,9 @@ runs: - uses: lukka/run-vcpkg@v10 with: - # use 2023.02.24 vcpkg baseline, + # use 2023.06.20 vcpkg baseline, # see https://learn.microsoft.com/en-us/vcpkg/users/examples/versioning.getting-started#builtin-baseline - vcpkgGitCommitId: 'a7b6122f6b6504d16d96117336a0562693579933' + vcpkgGitCommitId: 'f6a5d4e8eb7476b8d7fc12a56dff300c1c986131' - uses: lukka/run-cmake@v10.6 # pin version to avoid failed glibc dependency on ubuntu 20 runners. go back to @latest when ubuntu 22+ is adopted for runner os. name: Configure CMake diff --git a/lib/ziti-tunnel-cbs/dns_msg.c b/lib/ziti-tunnel-cbs/dns_msg.c index 4bffe65d..7a267e20 100644 --- a/lib/ziti-tunnel-cbs/dns_msg.c +++ b/lib/ziti-tunnel-cbs/dns_msg.c @@ -19,7 +19,7 @@ static int parse_dns_q(dns_question *q, const unsigned char *buf, size_t buflen) { const uint8_t *p = buf; - size_t namelen = 0; + size_t namelen = 1; // ensure there's room for a nul byte if name is empty while(*p != 0) { namelen += (*p + 1); diff --git a/vcpkg.json b/vcpkg.json index 7ae9dfa6..5167a2e0 100644 --- a/vcpkg.json +++ b/vcpkg.json @@ -20,5 +20,5 @@ ] } }, - "builtin-baseline": "f14984af3738e69f197bf0e647a8dca12de92996" + "builtin-baseline": "f6a5d4e8eb7476b8d7fc12a56dff300c1c986131" } 
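Review bot: The `while(*p != 0)` walk that follows the new `size_t namelen = 1;` still reads label bytes without any visible comparison against `buflen`, so a truncated query whose name lacks the terminating zero byte is read past the end of buf; a bounded condition such as `while (p < buf + buflen && *p != 0) {` would make the length pass safe for that input too. The namelen change covers the empty-name case the commit describes, but not this one. The loop body and the rest of parse_dns_q are outside the hunk, so a bound check may exist further down — worth confirming before relying on this function for untrusted packets.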
From 4f994918a0bd378ce8c5ad8d744650649de9fd25 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Tue, 21 Nov 2023 16:34:45 +0000 Subject: [PATCH 038/251] update vcpkg baseline used in CI package workflow (#759) * update vcpkg baseline in Dockerfiles --- .../actions/openziti-tunnel-build-action/redhat-7/Dockerfile | 2 +- .../actions/openziti-tunnel-build-action/redhat-8/Dockerfile | 2 +- .../actions/openziti-tunnel-build-action/redhat-9/Dockerfile | 2 +- .../openziti-tunnel-build-action/ubuntu-16.04/Dockerfile | 2 +- .../openziti-tunnel-build-action/ubuntu-18.04/Dockerfile | 2 +- .../openziti-tunnel-build-action/ubuntu-20.04/Dockerfile | 2 +- .../openziti-tunnel-build-action/ubuntu-22.04/Dockerfile | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/actions/openziti-tunnel-build-action/redhat-7/Dockerfile b/.github/actions/openziti-tunnel-build-action/redhat-7/Dockerfile index 5e9b788c..cae01f04 100644 --- a/.github/actions/openziti-tunnel-build-action/redhat-7/Dockerfile +++ b/.github/actions/openziti-tunnel-build-action/redhat-7/Dockerfile @@ -39,7 +39,7 @@ ENV VCPKG_ROOT=/usr/local/vcpkg ENV VCPKG_FORCE_SYSTEM_BINARIES=yes RUN cd /usr/local \ - && git clone --branch 2023.04.15 https://github.com/microsoft/vcpkg \ + && git clone --branch 2023.06.20 https://github.com/microsoft/vcpkg \ && ./vcpkg/bootstrap-vcpkg.sh -disableMetrics COPY ./entrypoint.sh /root/ diff --git a/.github/actions/openziti-tunnel-build-action/redhat-8/Dockerfile b/.github/actions/openziti-tunnel-build-action/redhat-8/Dockerfile index 3866ce0c..b1f5695a 100644 --- a/.github/actions/openziti-tunnel-build-action/redhat-8/Dockerfile +++ b/.github/actions/openziti-tunnel-build-action/redhat-8/Dockerfile 
@@ -42,7 +42,7 @@ ENV VCPKG_ROOT=/usr/local/vcpkg ENV VCPKG_FORCE_SYSTEM_BINARIES=yes RUN cd /usr/local \ - && git clone --branch 2023.04.15 https://github.com/microsoft/vcpkg \ + && git clone --branch 2023.06.20 https://github.com/microsoft/vcpkg \ && ./vcpkg/bootstrap-vcpkg.sh -disableMetrics WORKDIR /github/workspace diff --git a/.github/actions/openziti-tunnel-build-action/redhat-9/Dockerfile b/.github/actions/openziti-tunnel-build-action/redhat-9/Dockerfile index bb42556f..c089216e 100644 --- a/.github/actions/openziti-tunnel-build-action/redhat-9/Dockerfile +++ b/.github/actions/openziti-tunnel-build-action/redhat-9/Dockerfile @@ -43,7 +43,7 @@ ENV VCPKG_ROOT=/usr/local/vcpkg ENV VCPKG_FORCE_SYSTEM_BINARIES=yes RUN cd /usr/local \ - && git clone --branch 2023.04.15 https://github.com/microsoft/vcpkg \ + && git clone --branch 2023.06.20 https://github.com/microsoft/vcpkg \ && ./vcpkg/bootstrap-vcpkg.sh -disableMetrics \ && chmod -R ugo+rwX /usr/local/vcpkg diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-16.04/Dockerfile b/.github/actions/openziti-tunnel-build-action/ubuntu-16.04/Dockerfile index 50f9e826..43201d0e 100644 --- a/.github/actions/openziti-tunnel-build-action/ubuntu-16.04/Dockerfile +++ b/.github/actions/openziti-tunnel-build-action/ubuntu-16.04/Dockerfile @@ -41,7 +41,7 @@ ENV VCPKG_FORCE_SYSTEM_BINARIES=yes RUN cd /usr/local \ && git config --global advice.detachedHead false \ - && git clone --branch 2023.04.15 https://github.com/microsoft/vcpkg \ + && git clone --branch 2023.06.20 https://github.com/microsoft/vcpkg \ && ./vcpkg/bootstrap-vcpkg.sh -disableMetrics WORKDIR /github/workspace diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-18.04/Dockerfile b/.github/actions/openziti-tunnel-build-action/ubuntu-18.04/Dockerfile index 7295d8f4..fbd91f9f 100644 --- a/.github/actions/openziti-tunnel-build-action/ubuntu-18.04/Dockerfile +++ b/.github/actions/openziti-tunnel-build-action/ubuntu-18.04/Dockerfile 
@@ -54,7 +54,7 @@ ENV VCPKG_FORCE_SYSTEM_BINARIES=yes RUN cd /usr/local \ && git config --global advice.detachedHead false \ - && git clone --branch 2023.04.15 https://github.com/microsoft/vcpkg \ + && git clone --branch 2023.06.20 https://github.com/microsoft/vcpkg \ && ./vcpkg/bootstrap-vcpkg.sh -disableMetrics WORKDIR /github/workspace diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/Dockerfile b/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/Dockerfile index 28629145..bf2a65c2 100644 --- a/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/Dockerfile +++ b/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/Dockerfile @@ -55,7 +55,7 @@ ENV VCPKG_FORCE_SYSTEM_BINARIES=yes RUN cd /usr/local \ && git config --global advice.detachedHead false \ - && git clone --branch 2023.04.15 https://github.com/microsoft/vcpkg \ + && git clone --branch 2023.06.20 https://github.com/microsoft/vcpkg \ && ./vcpkg/bootstrap-vcpkg.sh -disableMetrics COPY ./entrypoint.sh /root/ diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/Dockerfile b/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/Dockerfile index bd8bd863..8ce82c68 100644 --- a/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/Dockerfile +++ b/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/Dockerfile @@ -55,7 +55,7 @@ ENV VCPKG_FORCE_SYSTEM_BINARIES=yes RUN cd /usr/local \ && git config --global advice.detachedHead false \ - && git clone --branch 2023.04.15 https://github.com/microsoft/vcpkg \ + && git clone --branch 2023.06.20 https://github.com/microsoft/vcpkg \ && ./vcpkg/bootstrap-vcpkg.sh -disableMetrics COPY ./entrypoint.sh /root/ From 77358cb5b635850a08d259f244a35b5634caa0e1 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Tue, 28 Nov 2023 19:58:12 +0000 Subject: [PATCH 039/251] get ziti-sdk-c 0.35.6 (#760) --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/CMakeLists.txt b/CMakeLists.txt index 6cf83036..53ece8a1 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20) set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout") -set(ZITI_SDK_VERSION "0.35.5" CACHE STRING "ziti-sdk-c version or branch to use") +set(ZITI_SDK_VERSION "0.35.6" CACHE STRING "ziti-sdk-c version or branch to use") # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF) From 9eb9e10e8562eff37f02660a43a52b5bef46b561 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Wed, 29 Nov 2023 22:11:27 +0000 Subject: [PATCH 040/251] always check app_data before dereferencing (#761) --- lib/ziti-tunnel-cbs/ziti_hosting.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/lib/ziti-tunnel-cbs/ziti_hosting.c b/lib/ziti-tunnel-cbs/ziti_hosting.c index ab96921d..9b148381 100644 --- a/lib/ziti-tunnel-cbs/ziti_hosting.c +++ b/lib/ziti-tunnel-cbs/ziti_hosting.c @@ -278,8 +278,8 @@ static const char *compute_dst_protocol(const host_ctx_t *service, const tunnele dst_proto = service->proto_u.protocol; } - if ((*protocol_number = get_protocol_id(app_data->dst_protocol)) < 0) { - snprintf(err, err_sz, "requested protocol '%s' is not supported", app_data->dst_protocol); + if ((*protocol_number = get_protocol_id(dst_proto)) < 0) { + snprintf(err, err_sz, "requested protocol '%s' is not supported", dst_proto); return NULL; } @@ -306,6 +306,9 @@ static const char *compute_dst_ip_or_hn(const host_ctx_t *service, const tunnele DST_IP_KEY, DST_HOST_KEY); return NULL; } + } else { + snprintf(err, sizeof(err), "config specifies 'forwardAddress', but client didn't send app_data"); + return NULL; } } else { ZITI_LOG(VERBOSE, "using address from config"); From 431e375f3322f2d50d56c1d18a5b7ebd91001129 Mon Sep 17 00:00:00 2001 
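Review bot: The new else-branch in compute_dst_ip_or_hn passes `sizeof(err)` to snprintf, but `err` is a pointer parameter here (compute_dst_protocol in the other hunk of this commit takes `err, err_sz`), so the message is cut to the size of a pointer; it should read `snprintf(err, err_sz, "config specifies 'forwardAddress', but client didn't send app_data");`. Patch 044 further down this page makes exactly that change, so the fix could be folded into this commit instead. Both functions' bodies extend outside the hunks.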
From: Shawn Carey Date: Wed, 6 Dec 2023 13:36:40 +0000 Subject: [PATCH 041/251] update ziti-sdk-c from 0.35.6 to 0.35.8 (#763) * update ziti-sdk-c from 0.35.6 to 0.35.8 --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 53ece8a1..fe62cef3 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20) set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout") -set(ZITI_SDK_VERSION "0.35.6" CACHE STRING "ziti-sdk-c version or branch to use") +set(ZITI_SDK_VERSION "0.35.8" CACHE STRING "ziti-sdk-c version or branch to use") # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF) From 1ad72ee7195cf4788622f605a1a0cab8cf58851f Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Sat, 9 Dec 2023 18:16:55 +0000 Subject: [PATCH 042/251] update ziti-sdk-c from 0.35.8 to 0.35.11 (#764) * update ziti-sdk-c to 0.35.11 --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index fe62cef3..6dd66d58 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20) set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout") -set(ZITI_SDK_VERSION "0.35.8" CACHE STRING "ziti-sdk-c version or branch to use") +set(ZITI_SDK_VERSION "0.35.11" CACHE STRING "ziti-sdk-c version or branch to use") # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF) From 8b04d36d876cec4741043e8649876b17f1eda3aa Mon Sep 17 00:00:00 2001 From: Eugene K Date: Tue, 12 Dec 2023 16:30:07 -0500 Subject: [PATCH 043/251] set TCP keepalive and nodelay on backend connections --- lib/ziti-tunnel-cbs/ziti_hosting.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) 
diff --git a/lib/ziti-tunnel-cbs/ziti_hosting.c b/lib/ziti-tunnel-cbs/ziti_hosting.c index 9b148381..79ecf15c 100644 --- a/lib/ziti-tunnel-cbs/ziti_hosting.c +++ b/lib/ziti-tunnel-cbs/ziti_hosting.c @@ -35,6 +35,8 @@ #endif #endif +#define KEEPALIVE_DELAY 60 + /********** hosting **********/ static void on_bridge_close(uv_handle_t *handle); @@ -185,7 +187,9 @@ static void on_hosted_client_connect_complete(ziti_connection clt, int err) { io_ctx->client_identity, req.host, req.service, fd, io_ctx->resolved_dst, len); int rc = ziti_conn_bridge(clt, (uv_handle_t *) &io_ctx->server, on_bridge_close); if (rc != 0) { - ZITI_LOG(ERROR, "failed to bridge client[%s] with hosted_service[%s]", io_ctx->client_identity, io_ctx->service->service_name); + ZITI_LOG(ERROR, "failed to bridge client[%s] with hosted_service[%s] laddr[%s:%s] fd[%d]: %s", + io_ctx->client_identity, io_ctx->service->service_name, + req.host, req.service, fd, uv_strerror(rc)); hosted_server_close(io_ctx); } } else { @@ -222,6 +226,18 @@ static void on_hosted_tcp_server_connect_complete(uv_connect_t *c, int status) { } ZITI_LOG(DEBUG, "hosted_service[%s], client[%s]: connected to server %s", io_ctx->service->service_name, io_ctx->client_identity, io_ctx->resolved_dst); + + uv_tcp_t *tcp = &io_ctx->server.tcp; + + if (uv_tcp_keepalive(tcp, 1, KEEPALIVE_DELAY) != 0) { + ZITI_LOG(WARN, "hosted_service[%s], client[%s]: failed to set TCP keepalive", + io_ctx->service->service_name, io_ctx->client_identity); + } + if (uv_tcp_nodelay(tcp, 1) != 0) { + ZITI_LOG(WARN, "hosted_service[%s], client[%s]: failed to set TCP nodelay", + io_ctx->service->service_name, io_ctx->client_identity); + } + ziti_accept(io_ctx->client, on_hosted_client_connect_complete, NULL); free(c); } From 7e74ad73607da8fb2a7a1168e293c555c9899bf6 Mon Sep 17 00:00:00 2001 
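Review bot: The two new warnings in on_hosted_tcp_server_connect_complete discard the libuv error code from `uv_tcp_keepalive`/`uv_tcp_nodelay`, while the other hunk in this same commit adds `uv_strerror(rc)` to the bridge-failure log; capture it the same way, e.g. `int rc = uv_tcp_keepalive(tcp, 1, KEEPALIVE_DELAY); if (rc != 0) { ZITI_LOG(WARN, "...: failed to set TCP keepalive: %s", ..., uv_strerror(rc)); }`. `KEEPALIVE_DELAY` is introduced without a unit; uv_tcp_keepalive's delay argument is in seconds, so `#define KEEPALIVE_DELAY 60 // seconds of idle time before the first keepalive probe` would spare the next reader a lookup. The function continues outside the hunk.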
From: Shawn Carey Date: Tue, 12 Dec 2023 21:53:44 +0000 Subject: [PATCH 044/251] use buffer size when calling snprintf (#766) --- lib/ziti-tunnel-cbs/ziti_hosting.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/ziti-tunnel-cbs/ziti_hosting.c b/lib/ziti-tunnel-cbs/ziti_hosting.c index 79ecf15c..b0e33a2b 100644 --- a/lib/ziti-tunnel-cbs/ziti_hosting.c +++ b/lib/ziti-tunnel-cbs/ziti_hosting.c @@ -323,7 +323,7 @@ static const char *compute_dst_ip_or_hn(const host_ctx_t *service, const tunnele return NULL; } } else { - snprintf(err, sizeof(err), "config specifies 'forwardAddress', but client didn't send app_data"); + snprintf(err, err_sz, "config specifies 'forwardAddress', but client didn't send app_data"); return NULL; } } else { @@ -333,7 +333,7 @@ static const char *compute_dst_ip_or_hn(const host_ctx_t *service, const tunnele ziti_address dst; if (!ziti_address_from_string(&dst, ip_or_hn)) { - snprintf(err, sizeof(err), "failed to parse %s", ip_or_hn); + snprintf(err, err_sz, "failed to parse %s", ip_or_hn); return NULL; } *is_ip = (dst.type == ziti_address_cidr); From 11af7b29bba6bc9a7e22994db3c29bfc4a5d68d6 Mon Sep 17 00:00:00 2001 From: dovholuknf <46322585+dovholuknf@users.noreply.github.com> Date: Wed, 13 Dec 2023 16:02:48 -0500 Subject: [PATCH 045/251] x86-windows-build --- .github/workflows/cmake.yml | 4 ++++ CMakePresets.json | 22 ++++++++++++++++++++++ programs/ziti-edge-tunnel/wintun.cmake | 3 +-- 3 files changed, 27 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml index c6fa5202..40476211 100644 --- a/.github/workflows/cmake.yml +++ b/.github/workflows/cmake.yml @@ -34,6 +34,10 @@ jobs: name: Windows x86_64 preset: windows-x64 + - os: windows-latest + name: Windows x86 + preset: windows-x86 + - os: windows-latest name: Windows arm64 preset: windows-arm64 diff --git a/CMakePresets.json b/CMakePresets.json index 58ec46ae..1c2cd55d 100644 --- a/CMakePresets.json 
+++ b/CMakePresets.json @@ -94,6 +94,16 @@ }, "hidden": true }, + { + "name": "ci-win86", + "inherits": [ + "flags-windows", + "ci-std", + "vs-2022" + ], + "architecture": "Win32", + "hidden": true + }, { "name": "ci-win-arm64", "inherits": [ @@ -194,6 +204,18 @@ "vcpkg-win64-static" ] }, + { + "name": "ci-windows-x86", + "inherits": [ + "ci-build", + "ci-win86", + "dev-mode", + "vcpkg" + ], + "cacheVariables": { + "VCPKG_TARGET_TRIPLET": "x86-windows-static-md" + } + }, { "name": "ci-windows-arm64", "inherits": [ diff --git a/programs/ziti-edge-tunnel/wintun.cmake b/programs/ziti-edge-tunnel/wintun.cmake index 48651951..dd66e7f5 100644 --- a/programs/ziti-edge-tunnel/wintun.cmake +++ b/programs/ziti-edge-tunnel/wintun.cmake @@ -1,8 +1,7 @@ FetchContent_Declare(wintun - URL https://www.wintun.net/builds/wintun-0.10.3.zip - URL_HASH SHA256=97de836805006c39c3c6ddf57bac0707d096cc88a9ca0b552cb95f1de08da060 + URL https://www.wintun.net/builds/wintun-0.13.zip ) FetchContent_GetProperties(wintun) From bbad250b40f8306d577ec17c7314a3ed1b4c9555 Mon Sep 17 00:00:00 2001 From: dovholuknf <46322585+dovholuknf@users.noreply.github.com> Date: Wed, 13 Dec 2023 16:04:39 -0500 Subject: [PATCH 046/251] undo push to main by... pushing to main :/ --- .github/workflows/cmake.yml | 4 ++++ CMakePresets.json | 22 ++++++++++++++++++++++ programs/ziti-edge-tunnel/wintun.cmake | 3 +-- 3 files changed, 27 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml index c6fa5202..40476211 100644 --- a/.github/workflows/cmake.yml +++ b/.github/workflows/cmake.yml @@ -34,6 +34,10 @@ jobs: name: Windows x86_64 preset: windows-x64 + - os: windows-latest + name: Windows x86 + preset: windows-x86 + - os: windows-latest name: Windows arm64 preset: windows-arm64 diff --git a/CMakePresets.json b/CMakePresets.json index 58ec46ae..1c2cd55d 100644 --- a/CMakePresets.json +++ b/CMakePresets.json 
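Review bot: Bumping wintun to 0.13 in wintun.cmake also drops the `URL_HASH SHA256=...` line, so FetchContent will download and unpack the archive with no integrity check, losing the pin the previous version had. Keep a hash for the new archive, e.g. `URL_HASH SHA256=<sha256 of wintun-0.13.zip, to be computed from the published file>`. The identical hunk is repeated in patch 046 below and needs the same treatment.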
@@ -94,6 +94,16 @@ }, "hidden": true }, + { + "name": "ci-win86", + "inherits": [ + "flags-windows", + "ci-std", + "vs-2022" + ], + "architecture": "Win32", + "hidden": true + }, { "name": "ci-win-arm64", "inherits": [ @@ -194,6 +204,18 @@ "vcpkg-win64-static" ] }, + { + "name": "ci-windows-x86", + "inherits": [ + "ci-build", + "ci-win86", + "dev-mode", + "vcpkg" + ], + "cacheVariables": { + "VCPKG_TARGET_TRIPLET": "x86-windows-static-md" + } + }, { "name": "ci-windows-arm64", "inherits": [ diff --git a/programs/ziti-edge-tunnel/wintun.cmake b/programs/ziti-edge-tunnel/wintun.cmake index 48651951..dd66e7f5 100644 --- a/programs/ziti-edge-tunnel/wintun.cmake +++ b/programs/ziti-edge-tunnel/wintun.cmake @@ -1,8 +1,7 @@ FetchContent_Declare(wintun - URL https://www.wintun.net/builds/wintun-0.10.3.zip - URL_HASH SHA256=97de836805006c39c3c6ddf57bac0707d096cc88a9ca0b552cb95f1de08da060 + URL https://www.wintun.net/builds/wintun-0.13.zip ) FetchContent_GetProperties(wintun) From dd7475e998aea8905a3ffe2340d5d83f9d39cb15 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Mon, 18 Dec 2023 14:39:47 +0000 Subject: [PATCH 047/251] get ziti-sdk-c 0.35.12 (#767) * use sdk tag 0.35.12 --- .github/workflows/cmake.yml | 6 +++--- CMakeLists.txt | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml index 40476211..94d0d784 100644 --- a/.github/workflows/cmake.yml +++ b/.github/workflows/cmake.yml @@ -34,9 +34,9 @@ jobs: name: Windows x86_64 preset: windows-x64 - - os: windows-latest - name: Windows x86 - preset: windows-x86 +# - os: windows-latest +# name: Windows x86 +# preset: windows-x86 - os: windows-latest name: Windows arm64 diff --git a/CMakeLists.txt b/CMakeLists.txt index 6dd66d58..1289d1f2 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20) set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout") -set(ZITI_SDK_VERSION "0.35.11" CACHE STRING "ziti-sdk-c version or branch to use") +set(ZITI_SDK_VERSION "0.35.12" CACHE STRING "ziti-sdk-c version or branch to use") # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF) From 48107a57ffdfc59c41f920558274b6190c0b7747 Mon Sep 17 00:00:00 2001 From: Mario Trangoni Date: Mon, 18 Dec 2023 15:57:30 +0100 Subject: [PATCH 048/251] codespell: Add spelling check and fix all issues (#768) Signed-off-by: Mario Trangoni --- .github/workflows/linters.yml | 17 +++++++++++++++++ BUILD.md | 2 +- README.md | 2 +- programs/ziti-edge-tunnel/package/deb/postrm.in | 2 +- scripts/openwrt-build.sh | 2 +- 5 files changed, 21 insertions(+), 4 deletions(-) create mode 100644 .github/workflows/linters.yml diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml new file mode 100644 index 00000000..ffb7c605 --- /dev/null +++ b/.github/workflows/linters.yml @@ -0,0 +1,17 @@ +name: Linters + +on: pull_request + +jobs: + codespell: + runs-on: ubuntu-latest + steps: + - name: Checkout Code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: Run code spelling check + uses: codespell-project/actions-codespell@v2 + with: + ignore_words_list: ans,nd,precendence,seh,uknown diff --git a/BUILD.md b/BUILD.md index 4d31abcf..fc7f9aaa 100644 --- a/BUILD.md +++ b/BUILD.md 
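Review bot: The new linters.yml references `actions/checkout@v4` and `codespell-project/actions-codespell@v2` by mutable major-version tags; pinning each `uses:` to a full commit SHA with the tag in a trailing comment makes the job reproducible and immune to a moved tag. The `ignore_words_list` entry `precendence` exempts a genuine misspelling — if it lives in an identifier that cannot change, a short comment saying so would stop someone from "fixing" the list later. `fetch-depth: 0` pulls full history, which a spelling check does not need.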
@@ -6,7 +6,7 @@ tool chain used. These steps should work properly for you but if your OS has var ## Prerequisites This repository expects the user to have at least a basic understanding of what a Ziti Network -is. To use this library it is also required to have a functioning Ziti Network availalbe to use. +is. To use this library it is also required to have a functioning Ziti Network available to use. To learn more about what Ziti is or how to learn how to setup a Ziti Network head over to [the official documentation site](https://openziti.github.io/ziti/overview.html). diff --git a/README.md b/README.md index 6f7d185c..68a0d6da 100644 --- a/README.md +++ b/README.md @@ -76,7 +76,7 @@ int main(int argc, char *argv[]) { ``` Once the Ziti Tunneler SDK is initialized with a network device and ziti-sdk -callbacks, a tunneler application only needs to indiciate which service(s) +callbacks, a tunneler application only needs to indicate which service(s) that should be ## Run with Docker diff --git a/programs/ziti-edge-tunnel/package/deb/postrm.in b/programs/ziti-edge-tunnel/package/deb/postrm.in index 7de6cd2c..755f1f5f 100644 --- a/programs/ziti-edge-tunnel/package/deb/postrm.in +++ b/programs/ziti-edge-tunnel/package/deb/postrm.in @@ -11,7 +11,7 @@ if [ "$1" = "purge" ]; then deb-systemd-helper unmask @SYSTEMD_UNIT_FILE_NAME@ >/dev/null || true fi fi -# End copied seciton +# End copied section if [ -L @SYSTEMD_UNIT_DIR@/@SYSTEMD_UNIT_FILE_NAME@ ]; then unlink @SYSTEMD_UNIT_DIR@/@SYSTEMD_UNIT_FILE_NAME@ diff --git a/scripts/openwrt-build.sh b/scripts/openwrt-build.sh index 511fd49d..0e185acf 100755 --- a/scripts/openwrt-build.sh +++ b/scripts/openwrt-build.sh @@ -112,7 +112,7 @@ cmake $CMAKE_OPTS "${ziti_src}" #echo echo -echo Starting the buid +echo Starting the build echo cmake --build . --target bundle From 9237bb5162841d0db46ea4e6f4cb73051edc735e Mon Sep 17 00:00:00 2001 
From: Shawn Carey Date: Wed, 20 Dec 2023 02:59:41 +0000 Subject: [PATCH 049/251] don't access source_addr through io->app_data. keep addrinfo for source address until bind is attempted (#770) --- lib/ziti-tunnel-cbs/ziti_hosting.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/ziti-tunnel-cbs/ziti_hosting.c b/lib/ziti-tunnel-cbs/ziti_hosting.c index b0e33a2b..3ce7215f 100644 --- a/lib/ziti-tunnel-cbs/ziti_hosting.c +++ b/lib/ziti-tunnel-cbs/ziti_hosting.c @@ -390,7 +390,7 @@ static const char *compute_dst_port(const host_ctx_t *service, const tunneler_ap static int do_bind(hosted_io_context io, const char *addr, int socktype) { // split out the ip and port if port was specified - char *src_ip = strdup(io->app_data->source_addr); + char *src_ip = strdup(addr); char *port = strchr(src_ip, ':'); if (port != NULL) { *port = '\0'; @@ -419,8 +419,6 @@ static int do_bind(hosted_io_context io, const char *addr, int socktype) { ziti_address src_za; ziti_address_from_sockaddr(&src_za, ai_req.addrinfo->ai_addr); // convert for easy validation - uv_freeaddrinfo(ai_req.addrinfo); - if (!address_match(&src_za, &io->service->allowed_source_addresses)) { ZITI_LOG(ERROR, "hosted_service[%s], client[%s] client requested source IP %s is not allowed", io->service->service_name, io->client_identity, io->app_data->source_addr); @@ -437,9 +435,11 @@ static int do_bind(hosted_io_context io, const char *addr, int socktype) { default: ZITI_LOG(ERROR, "hosted_service[%s] client[%s] unsupported protocol %d when binding source address", io->service->service_name, io->client_identity, hints.ai_protocol); - return -1; + uv_err = UV_EINVAL; } + uv_freeaddrinfo(ai_req.addrinfo); + if (uv_err != 0) { ZITI_LOG(ERROR, "hosted_service[%s] client[%s]: bind failed: %s", io->service->service_name, io->client_identity, uv_strerror(uv_err)); From 68dafb84aa03cb584937bbe609dfa949307192aa Mon Sep 17 00:00:00 2001 
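Review bot: Moving `uv_freeaddrinfo(ai_req.addrinfo)` below the `address_match` check means the branch that logs "client requested source IP ... is not allowed" no longer frees the result if it returns early (its body continues outside the hunk); if it does return, that branch needs the free, or should set `uv_err = UV_EINVAL;` and fall through like the new `default:` case does. That same log line still reads `io->app_data->source_addr` although the commit's point is to stop going through app_data, so it should print `addr`. In the first hunk `strdup(addr)` is not checked for NULL before `strchr` runs on it.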
From: Shawn Carey Date: Thu, 21 Dec 2023 16:26:23 +0000 Subject: [PATCH 050/251] log tcp src and dst in LOG_STATE. also log tcp flags of incoming segments (#772) * log tcp src and dst in LOG_STATE. also log tcp flags of incoming segments. * change format string for incoming segments to be consistent with other messages. * add src/dst/service to udp log messages where possible. * log udp timeout --- lib/ziti-tunnel/tunnel_tcp.c | 46 ++++++++++++++++++++++++++---------- lib/ziti-tunnel/tunnel_udp.c | 30 +++++++++++++++-------- 2 files changed, 53 insertions(+), 23 deletions(-) diff --git a/lib/ziti-tunnel/tunnel_tcp.c b/lib/ziti-tunnel/tunnel_tcp.c index 716b7ed9..339858a5 100644 --- a/lib/ziti-tunnel/tunnel_tcp.c +++ b/lib/ziti-tunnel/tunnel_tcp.c @@ -25,8 +25,15 @@ #define MIN(a,b) ((a)<(b) ? (a) : (b)) #endif -#define LOG_STATE(level, op, pcb, ...) \ -TNL_LOG(level, op " %p, state=%d(%s) flags=%#0x", ##__VA_ARGS__, pcb, pcb->state, tcp_state_str(pcb->state), pcb->flags) +#define LOG_STATE(level, op, pcb, ...) do { \ + io_ctx_t *io = ((io_ctx_t *)(pcb)->callback_arg); \ + tunneler_io_context tnlr_io = io ? io->tnlr_io : NULL; \ + const char *service_name = tnlr_io ? tnlr_io->service_name : ""; \ + TNL_LOG(level, op " src[%s] dst[%s] state[%d/%s] flags[%#0x] service[%s]", ##__VA_ARGS__, \ + tnlr_io ? tnlr_io->client : "", \ + tnlr_io ? tnlr_io->intercepted : "", \ + pcb->state, tcp_state_str(pcb->state), pcb->flags, service_name); \ +} while (0) #define tcp_states(XX)\ XX(CLOSED)\ @@ -197,7 +204,7 @@ ssize_t tunneler_tcp_write(struct tcp_pcb *pcb, const void *data, size_t len) { } // avoid ERR_MEM. size_t sendlen = MIN(len, tcp_sndbuf(pcb)); - TNL_LOG(TRACE, "pcb[%p] sendlen=%zd", pcb, sendlen); + LOG_STATE(TRACE, "sendlen=%zd", pcb, sendlen); if (sendlen > 0) { err_t w_err = tcp_write(pcb, data, (u16_t) sendlen, TCP_WRITE_FLAG_COPY); // TODO hold data until client acks... via on_client_ack maybe? then we wouldn't need to copy here. 
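Review bot: The rewritten `LOG_STATE` macro declares a local named `io` inside its do/while block, so any `__VA_ARGS__` a caller passes that mention `io` now bind to the macro's local rather than the caller's variable (functions in this file take an `io` parameter, e.g. tunneler_tcp_dial_completed in the next hunk); use names unlikely to collide, such as `_ls_io` and `_ls_tnlr`. `pcb` is written as `(pcb)->callback_arg` on the first line but unparenthesized in `pcb->state` and `pcb->flags` later; be consistent. The macro also assumes `callback_arg` always points at an `io_ctx_t`, which nothing here shows — confirm that holds for every pcb state LOG_STATE is invoked with.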
@@ -287,7 +294,7 @@ void tunneler_tcp_dial_completed(struct io_ctx_s *io, bool ok) { tcp_output(io->tnlr_io->tcp); } -static tunneler_io_context new_tunneler_io_context(tunneler_context tnlr_ctx, const char *service_name, struct tcp_pcb *pcb) { +static tunneler_io_context new_tunneler_io_context(tunneler_context tnlr_ctx, const char *service_name, const char *src, const char *dst, struct tcp_pcb *pcb) { struct tunneler_io_ctx_s *ctx = calloc(1, sizeof(struct tunneler_io_ctx_s)); if (ctx == NULL) { TNL_LOG(ERR, "failed to allocate tunneler_io_ctx"); @@ -295,8 +302,8 @@ static tunneler_io_context new_tunneler_io_context(tunneler_context tnlr_ctx, co } ctx->tnlr_ctx = tnlr_ctx; ctx->service_name = strdup(service_name); - snprintf(ctx->client, sizeof(ctx->client), "tcp:%s:%d", ipaddr_ntoa(&pcb->remote_ip), pcb->remote_port); - snprintf(ctx->intercepted, sizeof(ctx->intercepted), "tcp:%s:%d", ipaddr_ntoa(&pcb->local_ip), pcb->local_port); + snprintf(ctx->client, sizeof(ctx->client), "tcp:%s:%d", src, pcb->remote_port); + snprintf(ctx->intercepted, sizeof(ctx->intercepted), "tcp:%s:%d", dst, pcb->local_port); ctx->proto = tun_tcp; ctx->tcp = pcb; return ctx; 
@@ -339,12 +346,26 @@ u8_t recv_tcp(void *tnlr_ctx_arg, struct raw_pcb *pcb, struct pbuf *p, const ip_ struct tcp_hdr *tcphdr = (struct tcp_hdr *)((char*)p->payload + iphdr_hlen); u16_t src_p = lwip_ntohs(tcphdr->src); u16_t dst_p = lwip_ntohs(tcphdr->dest); + char src_str[IPADDR_STRLEN_MAX]; char dst_str[IPADDR_STRLEN_MAX]; + ipaddr_ntoa_r(&src, src_str, sizeof(src_str)); ipaddr_ntoa_r(&dst, dst_str, sizeof(dst_str)); - TNL_LOG(TRACE, "received segment %s:%d->%s:%d", - ipaddr_ntoa(&src), src_p, dst_str, dst_p); - u8_t flags = TCPH_FLAGS(tcphdr); + + if (tunnel_log_level >= TRACE) { + char flags_str[40] = {0}; + if (flags & TCP_FIN) strcat(flags_str, "FIN,"); + if (flags & TCP_SYN) strcat(flags_str, "SYN,"); + if (flags & TCP_RST) strcat(flags_str, "RST,"); + if (flags & TCP_PSH) strcat(flags_str, "PSH,"); + if (flags & TCP_ACK) strcat(flags_str, "ACK,"); + if (flags & TCP_URG) strcat(flags_str, "URG,"); + if (flags & TCP_ECE) strcat(flags_str, "ECE,"); + if (flags & TCP_CWR) strcat(flags_str, "CWR,"); + if (strlen(flags_str) > 0) flags_str[strlen(flags_str) - 1] = '\0'; // remove trailing comma + TNL_LOG(TRACE, "received segment src[tcp:%s:%d] dst[tcp:%s:%d] flags[%s]", src_str, src_p, dst_str, dst_p, flags_str); + } + if (!(flags & TCP_SYN)) { /* this isn't a SYN segment, so let lwip process it */ return 0; @@ -353,7 +374,7 @@ u8_t recv_tcp(void *tnlr_ctx_arg, struct raw_pcb *pcb, struct pbuf *p, const ip_ intercept_ctx_t *intercept_ctx = lookup_intercept_by_address(tnlr_ctx, "tcp", &dst, dst_p); if (intercept_ctx == NULL) { /* dst address is not being intercepted. don't consume */ - TNL_LOG(TRACE, "no intercepted addresses match tcp:%s:%d", ipaddr_ntoa(&dst), dst_p); + TNL_LOG(TRACE, "no intercepted addresses match tcp:%s:%d", dst_str, dst_p); return 0; } 
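Review bot: `char flags_str[40]` in recv_tcp is sized by an unstated calculation; a comment such as `// 8 flags x strlen("XXX,") + NUL = 33, rounded up` would let whoever adds a flag later see the bound. Guarding the strcat chain with `tunnel_log_level >= TRACE` is the right call since it keeps the formatting off the hot path. recv_tcp's body continues outside the hunk.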
@@ -363,7 +384,7 @@ u8_t recv_tcp(void *tnlr_ctx_arg, struct raw_pcb *pcb, struct pbuf *p, const ip_ tpcb->local_port == dst_p && ip_addr_cmp(&tpcb->remote_ip, &src) && ip_addr_cmp(&tpcb->local_ip, &dst)) { - TNL_LOG(VERBOSE, "received SYN on active connection: client=tcp:%s:%d, service=%s", ipaddr_ntoa(&src), src_p, intercept_ctx->service_name); + TNL_LOG(VERBOSE, "received SYN on active connection: client=tcp:%s:%d, service=%s", src_str, src_p, intercept_ctx->service_name); /* Move this PCB to the front of the list so that subsequent lookups will be faster (we exploit locality in TCP segment arrivals). */ @@ -395,7 +416,7 @@ u8_t recv_tcp(void *tnlr_ctx_arg, struct raw_pcb *pcb, struct pbuf *p, const ip_ TNL_LOG(ERR, "failed to allocate io_context"); goto done; } - io->tnlr_io = new_tunneler_io_context(tnlr_ctx, intercept_ctx->service_name, npcb); + io->tnlr_io = new_tunneler_io_context(tnlr_ctx, intercept_ctx->service_name, src_str, dst_str, npcb); if (io->tnlr_io == NULL) { TNL_LOG(ERR, "failed to allocate tunneler io context"); goto done; @@ -405,7 +426,6 @@ u8_t recv_tcp(void *tnlr_ctx_arg, struct raw_pcb *pcb, struct pbuf *p, const ip_ io->close_write_fn = intercept_ctx->close_write_fn ? intercept_ctx->close_write_fn : tnlr_ctx->opts.ziti_close_write; io->close_fn = intercept_ctx->close_fn ? intercept_ctx->close_fn : tnlr_ctx->opts.ziti_close; - snprintf(io->tnlr_io->intercepted, sizeof(io->tnlr_io->intercepted), "tcp:%s:%d", ipaddr_ntoa(&dst), dst_p); TNL_LOG(DEBUG, "intercepted address[%s] client[%s] service[%s]", io->tnlr_io->intercepted, io->tnlr_io->client, intercept_ctx->service_name); void *ziti_io_ctx = zdial(intercept_ctx->app_intercept_ctx, io); diff --git a/lib/ziti-tunnel/tunnel_udp.c b/lib/ziti-tunnel/tunnel_udp.c index 9ac32f86..5ddabd03 100644 --- a/lib/ziti-tunnel/tunnel_udp.c +++ b/lib/ziti-tunnel/tunnel_udp.c 
@@ -24,6 +24,11 @@ // initiate orderly shutdown static void udp_timeout_cb(uv_timer_t *t) { struct io_ctx_s *io = t->data; + tunneler_io_context tnlr_io = io->tnlr_io; + if (tnlr_io) { + TNL_LOG(TRACE, "initiating close idle_timeout[%d] src[%s] dst[%s] service[%s]", tnlr_io->idle_timeout, + tnlr_io->client, tnlr_io->intercepted, tnlr_io->service_name); + } io->close_fn(io->ziti_io); } @@ -55,7 +60,8 @@ static void to_ziti(struct io_ctx_s *io, struct pbuf *p) { uv_timer_start(io->tnlr_io->conn_timer, udp_timeout_cb, UDP_TIMEOUT, 0); do { - TNL_LOG(TRACE, "writing %d bytes to ziti", recv_data->len); + TNL_LOG(TRACE, "writing %d bytes to ziti src[%s] dst[%s] service[%s]", recv_data->len, + io->tnlr_io->client, io->tnlr_io->intercepted, io->tnlr_io->service_name); struct write_ctx_s *wr_ctx = calloc(1, sizeof(struct write_ctx_s)); wr_ctx->pbuf = recv_data; wr_ctx->udp = io->tnlr_io->udp.pcb; @@ -95,7 +101,8 @@ void on_udp_client_data_enqueue(void *io_context, struct udp_pcb *pcb, struct pb } else { pbuf_chain(tnlr_io_ctx->udp.queued, p); } - TNL_LOG(VERBOSE, "queued %d bytes", tnlr_io_ctx->udp.queued->len); + TNL_LOG(VERBOSE, "queued %d bytes src[%s] dst[%s] service[%s]", tnlr_io_ctx->udp.queued->len, + tnlr_io_ctx->client, tnlr_io_ctx->intercepted, tnlr_io_ctx->service_name); } /** called by lwip when a packet arrives from a connected client and the ziti service is connected */ @@ -116,7 +123,8 @@ void tunneler_udp_ack(struct write_ctx_s *write_ctx) { int tunneler_udp_close(struct udp_pcb *pcb) { struct io_ctx_s *io_ctx = pcb->recv_arg; tunneler_io_context tnlr_io_ctx = io_ctx->tnlr_io; - TNL_LOG(DEBUG, "closing %s session", tnlr_io_ctx->service_name); + TNL_LOG(DEBUG, "closing src[%s] dst[%s] service[%s]", + tnlr_io_ctx->client, tnlr_io_ctx->intercepted, tnlr_io_ctx->service_name); udp_remove(pcb); if (tnlr_io_ctx->udp.queued != NULL) { pbuf_free(tnlr_io_ctx->udp.queued); 
@@ -179,9 +187,11 @@ u8_t recv_udp(void *tnlr_ctx_arg, struct raw_pcb *pcb, struct pbuf *p, const ip_ struct udp_hdr *udphdr = (struct udp_hdr *)((char*)p->payload + iphdr_hlen); u16_t src_p = lwip_ntohs(udphdr->src); u16_t dst_p = lwip_ntohs(udphdr->dest); - - TNL_LOG(TRACE, "received datagram %s:%d->%s:%d", - ipaddr_ntoa(&src), src_p, ipaddr_ntoa(&dst), dst_p); + char src_str[IPADDR_STRLEN_MAX]; + char dst_str[IPADDR_STRLEN_MAX]; + ipaddr_ntoa_r(&src, src_str, sizeof(src_str)); + ipaddr_ntoa_r(&dst, dst_str, sizeof(dst_str)); + TNL_LOG(TRACE, "received datagram src[%s:%d] dst[%s:%d]", src_str, src_p, dst_str, dst_p); /* first see if this datagram belongs to an active connection */ for (struct udp_pcb *con_pcb = udp_pcbs, *prev = NULL; con_pcb != NULL; con_pcb = con_pcb->next) { @@ -205,7 +215,7 @@ u8_t recv_udp(void *tnlr_ctx_arg, struct raw_pcb *pcb, struct pbuf *p, const ip_ /* is the dest address being intercepted? */ intercept_ctx_t * intercept_ctx = lookup_intercept_by_address(tnlr_ctx, "udp", &dst, dst_p); if (intercept_ctx == NULL) { - TNL_LOG(TRACE, "no intercepted addresses match udp:%s:%d", ipaddr_ntoa(&dst), dst_p); + TNL_LOG(TRACE, "no intercepted addresses match udp:%s:%d", dst_str, dst_p); return 0; } @@ -222,7 +232,7 @@ u8_t recv_udp(void *tnlr_ctx_arg, struct raw_pcb *pcb, struct pbuf *p, const ip_ npcb->local_port = dst_p; err_t err = udp_connect(npcb, &src, src_p); if (err != ERR_OK) { - TNL_LOG(ERR, "failed to udp_connect %s:%d: err: %d", ipaddr_ntoa(&src), src_p, err); + TNL_LOG(ERR, "failed to udp_connect %s:%d: err: %d", src_str, src_p, err); udp_remove(npcb); pbuf_free(p); return 1; 
@@ -247,8 +257,8 @@ u8_t recv_udp(void *tnlr_ctx_arg, struct raw_pcb *pcb, struct pbuf *p, const ip_ io->tnlr_io->tnlr_ctx = tnlr_ctx; io->tnlr_io->proto = tun_udp; io->tnlr_io->service_name = strdup(intercept_ctx->service_name); - snprintf(io->tnlr_io->client, sizeof(io->tnlr_io->client), "udp:%s:%d", ipaddr_ntoa(&src), src_p); - snprintf(io->tnlr_io->intercepted, sizeof(io->tnlr_io->intercepted), "udp:%s:%d", ipaddr_ntoa(&dst), dst_p); + snprintf(io->tnlr_io->client, sizeof(io->tnlr_io->client), "udp:%s:%d", src_str, src_p); + snprintf(io->tnlr_io->intercepted, sizeof(io->tnlr_io->intercepted), "udp:%s:%d", dst_str, dst_p); io->tnlr_io->udp.pcb = npcb; io->tnlr_io->udp.queued = NULL; io->ziti_ctx = intercept_ctx->app_intercept_ctx; From 58caf2d83950bb88c2caae143beeee2916e8a1b5 Mon Sep 17 00:00:00 2001 From: Eugene K Date: Thu, 21 Dec 2023 17:56:04 -0500 Subject: [PATCH 051/251] handle failures on proxy resolve connections --- lib/ziti-tunnel-cbs/include/ziti/ziti_dns.h | 1 + lib/ziti-tunnel-cbs/ziti_dns.c | 36 +++++++++++++++------ lib/ziti-tunnel-cbs/ziti_tunnel_cbs.c | 8 ++++- 3 files changed, 34 insertions(+), 11 deletions(-) diff --git a/lib/ziti-tunnel-cbs/include/ziti/ziti_dns.h b/lib/ziti-tunnel-cbs/include/ziti/ziti_dns.h index 27dad6d2..42213690 100644 --- a/lib/ziti-tunnel-cbs/include/ziti/ziti_dns.h +++ b/lib/ziti-tunnel-cbs/include/ziti/ziti_dns.h @@ -20,6 +20,7 @@ #include #define DNS_NO_ERROR 0 +#define DNS_SERVFAIL 2 #define DNS_NXDOMAIN 3 #define DNS_NOT_IMPL 4 #define DNS_REFUSE 5 diff --git a/lib/ziti-tunnel-cbs/ziti_dns.c b/lib/ziti-tunnel-cbs/ziti_dns.c index 30061d07..e93f0e91 100644 --- a/lib/ziti-tunnel-cbs/ziti_dns.c +++ b/lib/ziti-tunnel-cbs/ziti_dns.c @@ -17,7 +17,6 @@ #include #include #include -#include #include "ziti_instance.h" #include "dns_host.h" 
@@ -56,7 +55,7 @@ struct dns_req { static void* on_dns_client(const void *app_intercept_ctx, io_ctx_t *io); static int on_dns_close(void *dns_io_ctx); -static ssize_t on_dns_req(void *ziti_io_ctx, void *write_ctx, const void *q_packet, size_t len); +static ssize_t on_dns_req(const void *ziti_io_ctx, void *write_ctx, const void *q_packet, size_t len); static int query_upstream(struct dns_req *req); static void udp_alloc(uv_handle_t *h, unsigned long reqlen, uv_buf_t *b); static void on_upstream_packet(uv_udp_t *h, ssize_t rc, const uv_buf_t *buf, const struct sockaddr* addr, unsigned int flags); @@ -588,6 +587,7 @@ static void on_proxy_connect(ziti_connection conn, int status) { dns_domain_t *domain = ziti_conn_data(conn); if (status == ZITI_OK) { ZITI_LOG(INFO, "proxy resolve connection established for domain[%s]", domain->name); + domain->resolv_proxy = conn; } else { ZITI_LOG(ERROR, "failed to establish proxy resolve connection for domain[%s]", domain->name); domain->resolv_proxy = NULL; @@ -595,9 +595,9 @@ static void on_proxy_connect(ziti_connection conn, int status) { } } -static ssize_t on_proxy_data(ziti_connection conn, uint8_t* data, ssize_t status) { +static ssize_t on_proxy_data(ziti_connection conn, const uint8_t* data, ssize_t status) { if (status >= 0) { - ZITI_LOG(INFO, "proxy resolve: %.*s", (int)status, data); + ZITI_LOG(DEBUG, "proxy resolve: %.*s", (int)status, data); dns_message msg = {0}; int rc = parse_dns_message(&msg, data, status); if (rc < 0) { @@ -624,7 +624,7 @@ static ssize_t on_proxy_data(ziti_connection conn, uint8_t* data, ssize_t status } static void on_proxy_write(ziti_connection conn, ssize_t status, void *ctx) { - ZITI_LOG(INFO, "proxy resolve write: %d", (int)status); + ZITI_LOG(DEBUG, "proxy resolve write: %d", (int)status); free(ctx); } 
@@ -632,18 +632,34 @@ static void proxy_domain_req(struct dns_req *req, dns_domain_t *domain) { if (domain->resolv_proxy == NULL) { model_map_iter it = model_map_iterator(&domain->intercepts); void *intercept = model_map_it_value(it); - domain->resolv_proxy = intercept_resolve_connect(intercept, domain, on_proxy_connect, on_proxy_data); } + char *json = NULL; size_t jsonlen; - char *json = dns_message_to_json(&req->msg, 0, &jsonlen); - ZITI_LOG(INFO, "writing proxy resolve [%s]", json); - ziti_write(domain->resolv_proxy, json, jsonlen, on_proxy_write, json); + + if (domain->resolv_proxy != NULL) { + json = dns_message_to_json(&req->msg, 0, &jsonlen); + ZITI_LOG(DEBUG, "writing proxy resolve [%s]", json); + + // intercept_resolve_connect above can quick-fail if context does not have a valid API session + // in that case resolve_proxy connection will be in Closed state and write will fail + if (ziti_write(domain->resolv_proxy, json, jsonlen, on_proxy_write, json) == ZITI_OK) { + return; + } + + ziti_close(domain->resolv_proxy, NULL); + domain->resolv_proxy = NULL; + } + + free(json); + req->msg.status = DNS_SERVFAIL; + format_resp(req); + complete_dns_req(req); } -ssize_t on_dns_req(void *ziti_io_ctx, void *write_ctx, const void *q_packet, size_t q_len) { +ssize_t on_dns_req(const void *ziti_io_ctx, void *write_ctx, const void *q_packet, size_t q_len) { ziti_dns_client_t *clt = ziti_io_ctx; const uint8_t *dns_packet = q_packet; size_t dns_packet_len = q_len; diff --git a/lib/ziti-tunnel-cbs/ziti_tunnel_cbs.c b/lib/ziti-tunnel-cbs/ziti_tunnel_cbs.c index 884482e8..7bc02e42 100644 --- a/lib/ziti-tunnel-cbs/ziti_tunnel_cbs.c +++ b/lib/ziti-tunnel-cbs/ziti_tunnel_cbs.c 
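Review bot: The result of `dns_message_to_json(&req->msg, 0, &jsonlen)` is used without a NULL check, so a serialization failure logs `%s` with a NULL pointer and passes a NULL buffer and an uninitialized `jsonlen` to ziti_write; a guard placed before the ZITI_LOG, `if (json == NULL) { req->msg.status = DNS_SERVFAIL; format_resp(req); complete_dns_req(req); return; }`, keeps the proxy connection open and answers the client. `model_map_it_value(it)` on the first iterator also assumes the intercepts map is non-empty; the visible caller in a later patch checks `model_map_size(&domain->intercepts) > 0`, so this is only a note to keep that invariant documented. As rendered, this hunk appears to remove the `intercept_resolve_connect` assignment while later patches still show it as context, so the reading above treats that line as retained. proxy_domain_req's signature is outside the hunk.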
@@ -615,6 +615,12 @@ ziti_connection intercept_resolve_connect(ziti_intercept_t *intercept, void *ctx
 .app_data_sz = strlen(RESOLVE_APP_DATA)
 };
 
- ziti_dial_with_options(conn, intercept->service_name, &opts, conn_cb, data_cb);
+ int rc = ziti_dial_with_options(conn, intercept->service_name, &opts, conn_cb, data_cb);
+ if (rc != ZITI_OK) {
+ ZITI_LOG(WARN, "failed to establish proxy resolver connection: %s", ziti_errorstr(rc));
+ ziti_close(conn, NULL);
+ return NULL;
+ }
+ return conn;
 }
\ No newline at end of file
From 1c031214c5973da2bfd81a6e814fd9a2b9574631 Mon Sep 17 00:00:00 2001
From: Eugene K
Date: Fri, 22 Dec 2023 08:20:12 -0500
Subject: [PATCH 052/251] add more error logging

---
 lib/ziti-tunnel-cbs/ziti_dns.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/lib/ziti-tunnel-cbs/ziti_dns.c b/lib/ziti-tunnel-cbs/ziti_dns.c
index e93f0e91..6c28d21c 100644
--- a/lib/ziti-tunnel-cbs/ziti_dns.c
+++ b/lib/ziti-tunnel-cbs/ziti_dns.c
@@ -639,15 +639,17 @@ static void proxy_domain_req(struct dns_req *req, dns_domain_t *domain) {
 size_t jsonlen;
 
 if (domain->resolv_proxy != NULL) {
- json = dns_message_to_json(&req->msg, 0, &jsonlen);
- ZITI_LOG(DEBUG, "writing proxy resolve [%s]", json);
+ json = dns_message_to_json(&req->msg, MODEL_JSON_COMPACT, &jsonlen);
+ ZITI_LOG(DEBUG, "writing proxy resolve req[%04x]: %s", req->id, json);
 
 // intercept_resolve_connect above can quick-fail if context does not have a valid API session
 // in that case resolve_proxy connection will be in Closed state and write will fail
- if (ziti_write(domain->resolv_proxy, json, jsonlen, on_proxy_write, json) == ZITI_OK) {
+ int rc = ziti_write(domain->resolv_proxy, json, jsonlen, on_proxy_write, json);
+ if (rc == ZITI_OK) {
 return;
 }
 
+ ZITI_LOG(WARN, "failed to write proxy resolve request[%04x]: %s", req->id, ziti_errorstr(rc));
 ziti_close(domain->resolv_proxy, NULL);
 domain->resolv_proxy = NULL;
 }
From 0a23b9475b52c7d37ddba0dd3b6796f979587973 Mon Sep 17 00:00:00 2001
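Review bot: Returning NULL after a failed ziti_dial_with_options changes intercept_resolve_connect's contract, but nothing in the hunk states whether `conn_cb` (on_proxy_connect in the caller) can still fire after the synchronous failure; if it can, the callback's else branch and the caller's own reset of `domain->resolv_proxy` become two cleanup paths for one connection, and `ziti_close(conn, NULL)` here is assumed safe on a connection whose dial never started. A comment on the declaration such as `/* returns NULL (and closes conn) when the dial fails synchronously; conn_cb is assumed not to be invoked in that case — confirm against ziti_dial_with_options */` pins the contract for callers. The function's body begins outside the hunk.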
From: dovholuknf <46322585+dovholuknf@users.noreply.github.com> Date: Fri, 22 Dec 2023 10:58:51 -0500 Subject: [PATCH 053/251] X86 windows build (#771) * conform to win32 api for x86 builds * add windows-x86 toolchain file to set CMAKE_SYSTEM_PROCESSOR * copy wintun.dll to correct build directory when using the visual studio (multi-config) generator. Co-authored-by: Shawn Carey --- .github/workflows/cmake.yml | 4 ---- CMakeLists.txt | 6 +++--- CMakePresets.json | 3 ++- programs/ziti-edge-tunnel/CMakeLists.txt | 14 ++++++++++++-- .../include/windows/windows-service.h | 2 +- .../ziti-edge-tunnel/netif_driver/windows/tun.c | 8 ++++---- programs/ziti-edge-tunnel/windows-service.c | 4 ++-- programs/ziti-edge-tunnel/wintun.cmake | 1 + toolchains/Windows-x86.cmake | 5 +++++ 9 files changed, 30 insertions(+), 17 deletions(-) create mode 100644 toolchains/Windows-x86.cmake diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml index 94d0d784..c6fa5202 100644 --- a/.github/workflows/cmake.yml +++ b/.github/workflows/cmake.yml @@ -34,10 +34,6 @@ jobs: name: Windows x86_64 preset: windows-x64 -# - os: windows-latest -# name: Windows x86 -# preset: windows-x86 - - os: windows-latest name: Windows arm64 preset: windows-arm64 diff --git a/CMakeLists.txt b/CMakeLists.txt index 1289d1f2..169b8034 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -103,12 +103,12 @@ add_custom_target(bundle file(MAKE_DIRECTORY ${CMAKE_BINARY_DIR}/bundle) macro(BUNDLE_COMP comp) - message("adding target to bundle ${comp} for ${CMAKE_SYSTEM_NAME}:${CMAKE_SYSTEM_PROCESSOR}") add_custom_target(${comp}-bundle BYPRODUCTS ${CMAKE_BINARY_DIR}/bundle/${comp}-${CMAKE_SYSTEM_NAME}_${CMAKE_SYSTEM_PROCESSOR}.zip DEPENDS ${comp} - # copy target file when linker output directory isn't "." (e.g. visual studio) - COMMAND ${CMAKE_COMMAND} -E copy_if_different $ $ + # use generator expression to set working directory to the target's build directory. this works for multi-config generators, e.g. when "--config" is specified at build time. + WORKING_DIRECTORY "$" + COMMENT "adding components to bundle ${comp} for ${CMAKE_SYSTEM_NAME}:${CMAKE_SYSTEM_PROCESSOR}: $ ${${comp}_BUNDLE_COMPS}" COMMAND ${CMAKE_COMMAND} -E tar "cf" "${CMAKE_BINARY_DIR}/bundle/${comp}-${CMAKE_SYSTEM_NAME}_${CMAKE_SYSTEM_PROCESSOR}.zip" --format=zip -- $ ${${comp}_BUNDLE_COMPS}) add_dependencies(bundle ${comp}-bundle) endmacro() diff --git a/CMakePresets.json b/CMakePresets.json index 1c2cd55d..3d732704 100644 --- a/CMakePresets.json +++ b/CMakePresets.json @@ -213,7 +213,8 @@ "vcpkg" ], "cacheVariables": { - "VCPKG_TARGET_TRIPLET": "x86-windows-static-md" + "VCPKG_TARGET_TRIPLET": "x86-windows-static-md", + "VCPKG_CHAINLOAD_TOOLCHAIN_FILE": "${sourceDir}/toolchains/Windows-x86.cmake" } }, { diff --git a/programs/ziti-edge-tunnel/CMakeLists.txt b/programs/ziti-edge-tunnel/CMakeLists.txt index 9ac8c05e..37da1ea4 100644 --- a/programs/ziti-edge-tunnel/CMakeLists.txt +++ b/programs/ziti-edge-tunnel/CMakeLists.txt 
@@ -10,8 +10,7 @@ endif() if(CMAKE_SYSTEM_NAME STREQUAL Windows) include(wintun.cmake) set(tun_lib wintun) - configure_file(${wintun_SOURCE_DIR}/bin/${CMAKE_SYSTEM_PROCESSOR}/wintun.dll ${CMAKE_CURRENT_BINARY_DIR}/wintun.dll COPYONLY) - set(ziti-edge-tunnel_BUNDLE_COMPS ${CMAKE_CURRENT_BINARY_DIR}/wintun.dll) + set(wintun_dll "${wintun_SOURCE_DIR}/bin/${CMAKE_SYSTEM_PROCESSOR}/wintun.dll") set(NETIF_DRIVER_SOURCE netif_driver/windows/tun.c netif_driver/windows/tun.h) endif() @@ -33,6 +32,17 @@ endif () add_executable(ziti-edge-tunnel ziti-edge-tunnel.c ${NETIF_DRIVER_SOURCE} ${ZITI_INSTANCE_COMMON} ${ZITI_INSTANCE_OS}) set_property(TARGET ziti-edge-tunnel PROPERTY C_STANDARD 11) +if(CMAKE_SYSTEM_NAME STREQUAL Windows) + # copy wintun.dll to the directory that contains ziti-edge-tunnel.exe + add_custom_command( + TARGET ziti-edge-tunnel POST_BUILD + COMMAND "${CMAKE_COMMAND}" -E copy_if_different "${wintun_dll}" "$" + COMMENT "Copying ${wintun_dll} to $" + ) + # bundle components are relative to the target's build directory. no directory is needed here since we copied the dll to the build directory. + set(ziti-edge-tunnel_BUNDLE_COMPS wintun.dll) +endif() + if(CMAKE_SYSTEM_NAME STREQUAL "Linux") option(DISABLE_LIBSYSTEMD_FEATURE "libsystemd library integration toggle" OFF) message("DISABLE_LIBSYSTEMD_FEATURE: ${DISABLE_LIBSYSTEMD_FEATURE}") diff --git a/programs/ziti-edge-tunnel/include/windows/windows-service.h b/programs/ziti-edge-tunnel/include/windows/windows-service.h index 6a3d4996..0b6bdcfc 100644 --- a/programs/ziti-edge-tunnel/include/windows/windows-service.h +++ b/programs/ziti-edge-tunnel/include/windows/windows-service.h @@ -23,7 +23,7 @@ VOID SvcInit( DWORD, LPTSTR * ); VOID SvcReportEvent( LPTSTR, DWORD ); VOID SvcDelete(void); DWORD WINAPI ServiceWorkerThread (LPVOID lpParam); -DWORD LphandlerFunctionEx( +DWORD WINAPI LphandlerFunctionEx( DWORD dwControl, DWORD dwEventType, LPVOID lpEventData, 
diff --git a/programs/ziti-edge-tunnel/netif_driver/windows/tun.c b/programs/ziti-edge-tunnel/netif_driver/windows/tun.c index 2fa3ed6a..1bb999e8 100644 --- a/programs/ziti-edge-tunnel/netif_driver/windows/tun.c +++ b/programs/ziti-edge-tunnel/netif_driver/windows/tun.c @@ -68,7 +68,7 @@ static int tun_add_route(netif_handle tun, const char *dest); static int tun_del_route(netif_handle tun, const char *dest); int set_dns(netif_handle tun, uint32_t dns_ip); static int tun_exclude_rt(netif_handle dev, uv_loop_t *loop, const char *dest); -static void if_change_cb(PVOID CallerContext, PMIB_IPINTERFACE_ROW Row, MIB_NOTIFICATION_TYPE NotificationType); +static void WINAPI if_change_cb(PVOID CallerContext, PMIB_IPINTERFACE_ROW Row, MIB_NOTIFICATION_TYPE NotificationType); static void refresh_routes(uv_timer_t *timer); static void cleanup_adapters(wchar_t *tun_name); static HANDLE if_change_handle; @@ -393,7 +393,7 @@ int tun_del_route(netif_handle tun, const char *dest) { return 0; } -static void if_change_cb(PVOID CallerContext, PMIB_IPINTERFACE_ROW Row, MIB_NOTIFICATION_TYPE NotificationType) { +static void WINAPI if_change_cb(PVOID CallerContext, PMIB_IPINTERFACE_ROW Row, MIB_NOTIFICATION_TYPE NotificationType) { struct netif_handle_s *tun = CallerContext; MIB_IPFORWARD_ROW2 rt = {0}; @@ -507,7 +507,7 @@ static BOOL CALLBACK tun_delete_cb(_In_ WINTUN_ADAPTER_HANDLE adapter, _In_ LPARAM param) { wchar_t name[32]; WintunGetAdapterName(adapter, name); - wchar_t *tun_name = param; + wchar_t *tun_name = (wchar_t *) param; if (wcsncmp(name, tun_name, wcslen(tun_name)) == 0) { WintunDeleteAdapter(adapter, true, NULL); ZITI_LOG(INFO, "Deleted wintun adapter %ls", name); 
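Review bot: The new `(wchar_t *) param` cast in tun_delete_cb is correct for an LPARAM carrying a pointer, but the adjacent context `wchar_t name[32]; WintunGetAdapterName(adapter, name);` hands wintun a 32-element buffer, and wintun's API documents the name buffer in terms of its MAX_ADAPTER_NAME constant, which I recall is larger than 32 — worth confirming against the wintun.h shipped in the fetched 0.13 build, since an undersized buffer is a stack overflow fed by an adapter name. If the size is right, a comment `// MAX_ADAPTER_NAME wide chars per wintun API — confirm against wintun.h` next to the declaration would stop the next reader from asking. The WINAPI calling-convention fixes in the earlier hunks are the right change for x86.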
@@ -520,5 +520,5 @@ tun_delete_cb(_In_ WINTUN_ADAPTER_HANDLE adapter, _In_ LPARAM param) { static void cleanup_adapters(wchar_t *tun_name) { ZITI_LOG(INFO, "Cleaning up orphan wintun adapters"); - WintunEnumAdapters(L"Ziti", tun_delete_cb, tun_name); + WintunEnumAdapters(L"Ziti", tun_delete_cb, (LPARAM) tun_name); } diff --git a/programs/ziti-edge-tunnel/windows-service.c b/programs/ziti-edge-tunnel/windows-service.c index 0b702fa0..6546e980 100644 --- a/programs/ziti-edge-tunnel/windows-service.c +++ b/programs/ziti-edge-tunnel/windows-service.c @@ -437,7 +437,7 @@ DWORD get_process_path(LPTSTR lpBuffer, DWORD nBufferLength) { // Return value: // None // -DWORD LphandlerFunctionEx( +DWORD WINAPI LphandlerFunctionEx( DWORD dwControl, DWORD dwEventType, LPVOID lpEventData, @@ -489,7 +489,7 @@ BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege) // // Enable the privilege or disable all privileges. // - if (AdjustTokenPrivileges(hToken, FALSE, &tp, NULL, (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL)) + if (AdjustTokenPrivileges(hToken, FALSE, &tp, 0, (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL)) { // // Check to see if you have proper access. diff --git a/programs/ziti-edge-tunnel/wintun.cmake b/programs/ziti-edge-tunnel/wintun.cmake index dd66e7f5..bcd25438 100644 --- a/programs/ziti-edge-tunnel/wintun.cmake +++ b/programs/ziti-edge-tunnel/wintun.cmake @@ -2,6 +2,7 @@ FetchContent_Declare(wintun URL https://www.wintun.net/builds/wintun-0.13.zip + DOWNLOAD_EXTRACT_TIMESTAMP TRUE ) FetchContent_GetProperties(wintun) diff --git a/toolchains/Windows-x86.cmake b/toolchains/Windows-x86.cmake new file mode 100644 index 00000000..f82f2c2b --- /dev/null +++ b/toolchains/Windows-x86.cmake @@ -0,0 +1,5 @@ +# cross-compile for windows/x86 on windows host with visual studio +set(CMAKE_SYSTEM_NAME Windows) +set(CMAKE_SYSTEM_PROCESSOR X86) +#set(CMAKE_GENERATOR_PLATFORM X86) +set(CMAKE_C_COMPILER cl.exe) \ No newline at end of file 
From eb658a71dc22cda342ffb2ec17779b1b7395ddc2 Mon Sep 17 00:00:00 2001
From: Shawn Carey
Date: Fri, 22 Dec 2023 20:53:54 +0000
Subject: [PATCH 054/251] only proxy dns queries for supported query types (#774)

* only proxy dns queries for supported query types

* respect recursive flag on dns queries

* avoid potential invalid free
---
 lib/ziti-tunnel-cbs/ziti_dns.c | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)

diff --git a/lib/ziti-tunnel-cbs/ziti_dns.c b/lib/ziti-tunnel-cbs/ziti_dns.c
index 6c28d21c..5306ff0e 100644
--- a/lib/ziti-tunnel-cbs/ziti_dns.c
+++ b/lib/ziti-tunnel-cbs/ziti_dns.c
@@ -339,7 +339,9 @@ static dns_entry_t *ziti_dns_lookup(const char *hostname) {
 if (domain && model_map_size(&domain->intercepts) > 0) {
 ZITI_LOG(DEBUG, "matching domain[%s] found for %s", domain->name, hostname);
 entry = new_ipv4_entry(clean);
- entry->domain = domain;
+ if (entry) {
+ entry->domain = domain;
+ }
 }
 }
 
@@ -634,12 +636,10 @@ static void proxy_domain_req(struct dns_req *req, dns_domain_t *domain) {
 void *intercept = model_map_it_value(it);
 domain->resolv_proxy = intercept_resolve_connect(intercept, domain, on_proxy_connect, on_proxy_data);
 }
-
- char *json = NULL;
- size_t jsonlen;
-
- if (domain->resolv_proxy != NULL) {
- json = dns_message_to_json(&req->msg, MODEL_JSON_COMPACT, &jsonlen);
+ dns_question *q = req->msg.question[0];
+ if (domain->resolv_proxy != NULL && (q->type == NS_T_MX || q->type == NS_T_SRV || q->type == NS_T_TXT)) {
+ size_t jsonlen;
+ char *json = dns_message_to_json(&req->msg, MODEL_JSON_COMPACT, &jsonlen);
 ZITI_LOG(DEBUG, "writing proxy resolve req[%04x]: %s", req->id, json);
 
 // intercept_resolve_connect above can quick-fail if context does not have a valid API session
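Review bot: `dns_question *q = req->msg.question[0];` dereferences the first question without checking that the client's packet carried one; on_dns_req in the next hunk does the same, so if parse_dns_message accepts a zero-question message — not visible here — `q->type` is a NULL dereference reachable from an untrusted DNS packet. A guard at the on_dns_req site, which is the entry point, e.g. `if (req->msg.question[0] == NULL) { req->msg.status = DNS_REFUSE; format_resp(req); complete_dns_req(req); /* return as the existing error paths do */ }`, covers both uses; if the parser already rejects an empty question section, a one-line comment saying so at the first dereference would settle it. The `if (entry)` check after new_ipv4_entry in the first hunk is the right fix for the NULL-return case.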
@@ -652,15 +652,14 @@ static void proxy_domain_req(struct dns_req *req, dns_domain_t *domain) {
 ZITI_LOG(WARN, "failed to write proxy resolve request[%04x]: %s", req->id, ziti_errorstr(rc));
 ziti_close(domain->resolv_proxy, NULL);
 domain->resolv_proxy = NULL;
+ free(json);
 }
 
- free(json);
- req->msg.status = DNS_SERVFAIL;
+ req->msg.status = domain->resolv_proxy == NULL ? DNS_SERVFAIL : DNS_NOT_IMPL;
 format_resp(req);
 complete_dns_req(req);
 }
 
-
 ssize_t on_dns_req(const void *ziti_io_ctx, void *write_ctx, const void *q_packet, size_t q_len) {
 ziti_dns_client_t *clt = ziti_io_ctx;
 const uint8_t *dns_packet = q_packet;
@@ -702,7 +701,7 @@ ssize_t on_dns_req(const void *ziti_io_ctx, void *write_ctx, const void *q_packe
 dns_question *q = req->msg.question[0];
 if (q->type == NS_T_A || q->type == NS_T_AAAA) {
- process_host_req(req);
+ process_host_req(req); // will send upstream if no local answer and req is recursive
 } else {
 // find domain requires normalized name
 char reqname[MAX_DNS_NAME];
@@ -737,7 +736,7 @@ int query_upstream(struct dns_req *req) {
 int rc = -1;
 uv_udp_send_t *sr = NULL;
 
- if (avail) {
+ if (avail && req->msg.recursive) {
 sr = calloc(1, sizeof(uv_udp_send_t));
 sr->data = req;
 uv_buf_t buf = uv_buf_init((char *) req->req, req->req_len);
From e6b878d19680d9721ef22748fae59e446b587afa Mon Sep 17 00:00:00 2001
From: Shawn Carey
Date: Wed, 27 Dec 2023 18:14:20 +0000
Subject: [PATCH 055/251] complete proxy dns request when ziti_write fails (#777)

---
 lib/ziti-tunnel-cbs/ziti_dns.c | 29 ++++++++++++++++++++++++-----
 1 file changed, 24 insertions(+), 5 deletions(-)

diff --git a/lib/ziti-tunnel-cbs/ziti_dns.c b/lib/ziti-tunnel-cbs/ziti_dns.c
index 5306ff0e..e02e6d97 100644
--- a/lib/ziti-tunnel-cbs/ziti_dns.c
+++ b/lib/ziti-tunnel-cbs/ziti_dns.c
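Review bot: In query_upstream the new `if (avail && req->msg.recursive)` leaves `rc = -1` for a query with RD clear, and the hunk does not show what the caller turns that into; a non-recursive client should still receive a response (an empty answer or a refusal) rather than a request that is silently dropped, so the path outside the hunk is worth checking. On the line directly below the change, `sr = calloc(1, sizeof(uv_udp_send_t));` is still dereferenced without a NULL check; `if (sr == NULL) return -1;` keeps it consistent with the `!avail` outcome. query_upstream's body continues past the hunk.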
@@ -625,9 +625,25 @@ static ssize_t on_proxy_data(ziti_connection conn, const uint8_t* data, ssize_t
 return status;
 }
 
+struct proxy_dns_req_wr_s {
+ struct dns_req *req;
+ char *json;
+};
+
 static void on_proxy_write(ziti_connection conn, ssize_t status, void *ctx) {
 ZITI_LOG(DEBUG, "proxy resolve write: %d", (int)status);
- free(ctx);
+ if (ctx) {
+ struct proxy_dns_req_wr_s *wr = ctx;
+ if (status != ZITI_OK) {
+ ZITI_LOG(WARN, "proxy resolve write failed: %s/%zd", ziti_errorstr(status), status);
+ wr->req->msg.status = DNS_SERVFAIL;
+ format_resp(wr->req);
+ complete_dns_req(wr->req);
+
+ }
+ free(wr->json);
+ free(ctx);
+ }
 }
 
 static void proxy_domain_req(struct dns_req *req, dns_domain_t *domain) {
@@ -639,12 +655,14 @@ static void proxy_domain_req(struct dns_req *req, dns_domain_t *domain) {
 dns_question *q = req->msg.question[0];
 if (domain->resolv_proxy != NULL && (q->type == NS_T_MX || q->type == NS_T_SRV || q->type == NS_T_TXT)) {
 size_t jsonlen;
- char *json = dns_message_to_json(&req->msg, MODEL_JSON_COMPACT, &jsonlen);
- ZITI_LOG(DEBUG, "writing proxy resolve req[%04x]: %s", req->id, json);
+ struct proxy_dns_req_wr_s *wr = calloc(1, sizeof(struct proxy_dns_req_wr_s));
+ wr->req = req;
+ wr->json = dns_message_to_json(&req->msg, MODEL_JSON_COMPACT, &jsonlen);
+ ZITI_LOG(DEBUG, "writing proxy resolve req[%04x]: %s", req->id, wr->json);
 
 // intercept_resolve_connect above can quick-fail if context does not have a valid API session
 // in that case resolve_proxy connection will be in Closed state and write will fail
- int rc = ziti_write(domain->resolv_proxy, json, jsonlen, on_proxy_write, json);
+ int rc = ziti_write(domain->resolv_proxy, wr->json, jsonlen, on_proxy_write, wr);
 if (rc == ZITI_OK) {
 return;
 }
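Review bot: `calloc` for the new write context is dereferenced on the next line without a NULL check, and `wr->json` from dns_message_to_json is likewise passed to ZITI_LOG and ziti_write unchecked, so either failure dereferences or writes NULL; both should answer the client with SERVFAIL and leave the proxy connection alone, since neither is a transport error. The `%zd`/ssize_t pairing in on_proxy_write is correct, and completing the request from the failed-write callback closes the gap the commit targets; whether `wr->req` can already have been completed by on_proxy_data before the write callback fires is not visible here and would be worth a comment on the struct. proxy_domain_req's tail continues in the next hunk.
```c
        struct proxy_dns_req_wr_s *wr = calloc(1, sizeof(struct proxy_dns_req_wr_s));
        if (wr != NULL) {
            wr->req = req;
            wr->json = dns_message_to_json(&req->msg, MODEL_JSON_COMPACT, &jsonlen);
        }
        if (wr == NULL || wr->json == NULL) {
            // allocation or serialization failed: answer the client, keep the proxy connection
            ZITI_LOG(WARN, "failed to prepare proxy resolve request[%04x]", req->id);
            free(wr);
            req->msg.status = DNS_SERVFAIL;
            format_resp(req);
            complete_dns_req(req);
            return;
        }
        ZITI_LOG(DEBUG, "writing proxy resolve req[%04x]: %s", req->id, wr->json);
        // … unchanged: ziti_write and the synchronous-failure cleanup …
```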
@@ -652,7 +670,8 @@ static void proxy_domain_req(struct dns_req *req, dns_domain_t *domain) {
 ZITI_LOG(WARN, "failed to write proxy resolve request[%04x]: %s", req->id, ziti_errorstr(rc));
 ziti_close(domain->resolv_proxy, NULL);
 domain->resolv_proxy = NULL;
- free(json);
+ free(wr->json);
+ free(wr);
 }
 
 req->msg.status = domain->resolv_proxy == NULL ? DNS_SERVFAIL : DNS_NOT_IMPL;
From 739cee61104b9ef9d6572122d5e3e57803ae3976 Mon Sep 17 00:00:00 2001
From: Kenneth Bingham
Date: Thu, 4 Jan 2024 16:29:28 -0500
Subject: [PATCH 056/251] add a script to create a debug tarball

---
 programs/ziti-edge-tunnel/instance-config.c | 2 +-
 scripts/debug.bash | 88 +++++++++++++++++++++
 2 files changed, 89 insertions(+), 1 deletion(-)
 create mode 100644 scripts/debug.bash

diff --git a/programs/ziti-edge-tunnel/instance-config.c b/programs/ziti-edge-tunnel/instance-config.c
index c4d738de..b9758c7d 100644
--- a/programs/ziti-edge-tunnel/instance-config.c
+++ b/programs/ziti-edge-tunnel/instance-config.c
@@ -162,7 +162,7 @@ bool save_tunnel_status_to_file() {
 free(config_file_name);
 free(bkp_config_file_name);
 free(config_path);
- }
+ }
 free(tunnel_status);
 return saved;
 }
diff --git a/scripts/debug.bash b/scripts/debug.bash
new file mode 100644
index 00000000..6cf147ec
--- /dev/null
+++ b/scripts/debug.bash
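Review bot: The synchronous-failure path now frees `wr` and falls through to complete the request with SERVFAIL, while on_proxy_write in the previous hunk also completes the request and frees `wr` when it is invoked with a non-OK status; the two paths are only safe together if ziti_write never invokes the write callback after returning an error, and nothing in the patch establishes that. A comment at `free(wr);` such as `// ziti_write failed synchronously: the SDK must not also invoke on_proxy_write for this write, otherwise req is completed and wr freed twice — confirm against the SDK contract` records the assumption for whoever next touches the SDK version. proxy_domain_req's body begins outside the hunk.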
@@ -0,0 +1,88 @@ +#!/usr/bin/env bash +# +# this script creates a debug bundle for systemd service unit ziti-edge-tunnel.service +# + +set -euo pipefail + +cd "$(mktemp -d)" +mkdir ./dumps +chgrp -R ziti "${PWD}" +chmod -R g+rwX "${PWD}" + +NOW="$(date -u +'%Y-%m-%dT%H:%MZ')" +ZITI_VERSION=$(/opt/openziti/bin/ziti-edge-tunnel version) +LOG_FILE=ziti-edge-tunnel-${ZITI_VERSION#v}-${NOW}.log +BACKTRACE_FILE=ziti-edge-tunnel-${ZITI_VERSION#v}-${NOW}.backtrace +STRACE_FILE=ziti-edge-tunnel-${ZITI_VERSION#v}-${NOW}.strace +TUNNEL_STATUS_FILE=ziti-edge-tunnel-${ZITI_VERSION#v}-${NOW}.tunnel_status.json +SYSTEMD_RESOLVED_FILE=ziti-edge-tunnel-${ZITI_VERSION#v}-${NOW}.systemd-resolved +TARBALL=ziti-edge-tunnel-${ZITI_VERSION#v}-${NOW}.tgz + +# get the PID from systemd +ZET_PID="$(systemctl show -p MainPID --value ziti-edge-tunnel.service)" +if [[ -z "${ZET_PID}" ]] || [[ "${ZET_PID}" == "0" ]]; +then + echo "ERROR: failed to get ziti-edge-tunnel.service PID" >&2 + exit 1 +fi + +# save the systemd-resolved state +( + set +e + set -x + systemctl status systemd-resolved.service + resolvectl status + resolvectl dns ziti0 + resolvectl domain ziti0 + ls -l /etc/resolv.conf + cat /etc/resolv.conf +) &> "${SYSTEMD_RESOLVED_FILE}" + +# save the current service unit invocation's log messages +journalctl _SYSTEMD_INVOCATION_ID="$(systemctl show -p InvocationID --value ziti-edge-tunnel.service)" -l --no-pager \ +&> "${LOG_FILE}" + +# save the threads and backtrace +timeout --signal=SIGKILL 3s \ + gdb /opt/openziti/bin/ziti-edge-tunnel \ + --pid "${ZET_PID}" \ + --batch \ + --ex "set verbose on" \ + --ex "set pagination off" \ + --ex "info threads" \ + --ex "backtrace" \ + --ex "quit" \ + &> "${BACKTRACE_FILE}" \ + || echo "WARN: gdb backtrace timed out" >&2 + +# save 10s of strace calls +timeout --signal=SIGKILL 10s \ + strace --attach "${ZET_PID}" \ + --follow-forks \ + --absolute-timestamps=format:unix,precision:us \ + --syscall-times \ + --string-limit 4096 \ + --trace=%network \ + 
--trace=%process \ + --trace=%signal \ + --trace=%ipc \ + --trace=%desc \ + --trace=%memory \ + &> "${STRACE_FILE}" \ + || true # catch the expected timeout exit code + +# save the identity status dumps +timeout --signal=SIGKILL 3s \ + ziti-edge-tunnel dump -p ./dumps >/dev/null \ + || echo "WARN: failed to create dumps" >&2 + +# save the tunnel_status JSON +timeout --signal=SIGKILL 3s \ + ziti-edge-tunnel tunnel_status \ + | sed -E "s/(^received\sresponse\s<|>$)//g" > "${TUNNEL_STATUS_FILE}" \ + || echo "WARN: failed to get tunnel_status" >&2 + +tar -czf "/tmp/${TARBALL}" . + +echo "INFO: debug bundle created at /tmp/${TARBALL} from files in ${PWD}" From ef891387f901329920035ce0906bf730e182fcbb Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Thu, 4 Jan 2024 16:40:45 -0500 Subject: [PATCH 057/251] stop filtering syscalls --- scripts/debug.bash | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/scripts/debug.bash b/scripts/debug.bash index 6cf147ec..b4b3ee95 100644 --- a/scripts/debug.bash +++ b/scripts/debug.bash @@ -63,14 +63,14 @@ timeout --signal=SIGKILL 10s \ --absolute-timestamps=format:unix,precision:us \ --syscall-times \ --string-limit 4096 \ - --trace=%network \ - --trace=%process \ - --trace=%signal \ - --trace=%ipc \ - --trace=%desc \ - --trace=%memory \ &> "${STRACE_FILE}" \ || true # catch the expected timeout exit code + # --trace=%network \ + # --trace=%process \ + # --trace=%signal \ + # --trace=%ipc \ + # --trace=%desc \ + # --trace=%memory \ # save the identity status dumps timeout --signal=SIGKILL 3s \ From 5c96405f6b4e0f725bc866ae847a565172010b3b Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Thu, 4 Jan 2024 16:50:59 -0500 Subject: [PATCH 058/251] dry filenames --- scripts/debug.bash | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/scripts/debug.bash b/scripts/debug.bash index b4b3ee95..ecb09ac0 100644 --- a/scripts/debug.bash +++ b/scripts/debug.bash 
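Review bot: The script resolves the binary by absolute path for `ZITI_VERSION=$(/opt/openziti/bin/ziti-edge-tunnel version)` but then runs bare `ziti-edge-tunnel dump -p ./dumps` and `ziti-edge-tunnel tunnel_status`, so on a root shell whose PATH lacks /opt/openziti/bin the dumps and status capture fail with only a WARN while the rest of the bundle is built; the same bare invocations survive the refactor in patch 060 (the `@@ -1,99 +1,141 @@` hunk), which even checks the absolute path in its required-commands list. Separately, `tar -czf "/tmp/${TARBALL}" .` has root write to a predictable name in the shared /tmp directory, where a pre-existing file or link of that name is followed; creating the archive path with mktemp avoids that, and since gdb and strace attach to the tunneler, journal output and identity dumps are included, the header comment should say the bundle holds sensitive material, e.g. `# NOTE: the bundle contains identity dumps, 10s of syscall traces and service logs — share it only over a trusted channel`. A single variable for the binary keeps the invocations consistent.
```bash
ZET_BIN=/opt/openziti/bin/ziti-edge-tunnel
ZITI_VERSION=$("${ZET_BIN}" version)
# … unchanged: file name variables, PID lookup, resolved/host/journal/gdb/strace capture …
timeout --signal=SIGKILL 3s \
    "${ZET_BIN}" dump -p ./dumps >/dev/null \
    || echo "WARN: failed to create dumps" >&2
timeout --signal=SIGKILL 3s \
    "${ZET_BIN}" tunnel_status \
    | sed -E "s/(^received\sresponse\s<|>$)//g" > "${TUNNEL_STATUS_FILE}" \
    || echo "WARN: failed to get tunnel_status" >&2
# create the archive through mktemp so root never writes to a predictable path in /tmp
TARBALL_PATH=$(mktemp --tmpdir --suffix=.tgz "${TARBALL%.tgz}.XXXXXX")
tar -czf "${TARBALL_PATH}" .
echo "INFO: debug bundle created at ${TARBALL_PATH} from files in ${PWD}"
```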
@@ -10,14 +10,15 @@ mkdir ./dumps chgrp -R ziti "${PWD}" chmod -R g+rwX "${PWD}" -NOW="$(date -u +'%Y-%m-%dT%H:%MZ')" +NOW=$(date -u +'%Y-%m-%dT%H:%MZ') ZITI_VERSION=$(/opt/openziti/bin/ziti-edge-tunnel version) -LOG_FILE=ziti-edge-tunnel-${ZITI_VERSION#v}-${NOW}.log -BACKTRACE_FILE=ziti-edge-tunnel-${ZITI_VERSION#v}-${NOW}.backtrace -STRACE_FILE=ziti-edge-tunnel-${ZITI_VERSION#v}-${NOW}.strace -TUNNEL_STATUS_FILE=ziti-edge-tunnel-${ZITI_VERSION#v}-${NOW}.tunnel_status.json -SYSTEMD_RESOLVED_FILE=ziti-edge-tunnel-${ZITI_VERSION#v}-${NOW}.systemd-resolved -TARBALL=ziti-edge-tunnel-${ZITI_VERSION#v}-${NOW}.tgz +PREFIX=ziti-edge-tunnel-${ZITI_VERSION#v}-${NOW} +LOG_FILE=${PREFIX}.log +BACKTRACE_FILE=${PREFIX}.backtrace +STRACE_FILE=${PREFIX}.strace +TUNNEL_STATUS_FILE=${PREFIX}.tunnel_status.json +SYSTEMD_RESOLVED_FILE=${PREFIX}.systemd-resolved +TARBALL=${PREFIX}.tgz # get the PID from systemd ZET_PID="$(systemctl show -p MainPID --value ziti-edge-tunnel.service)" From b8fcf2753e8b8c3cec33992973a746c105d9fb9b Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Thu, 4 Jan 2024 17:11:42 -0500 Subject: [PATCH 059/251] save some info about the host --- scripts/debug.bash | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/scripts/debug.bash b/scripts/debug.bash index ecb09ac0..1262b004 100644 --- a/scripts/debug.bash +++ b/scripts/debug.bash @@ -18,6 +18,7 @@ BACKTRACE_FILE=${PREFIX}.backtrace STRACE_FILE=${PREFIX}.strace TUNNEL_STATUS_FILE=${PREFIX}.tunnel_status.json SYSTEMD_RESOLVED_FILE=${PREFIX}.systemd-resolved +HOST_INFO_FILE=${PREFIX}.host TARBALL=${PREFIX}.tgz # get the PID from systemd 
@@ -40,12 +41,21 @@ fi cat /etc/resolv.conf ) &> "${SYSTEMD_RESOLVED_FILE}" +# save host info +( + set +e + set -x + hostnamectl + hostname + cat /etc/hosts /etc/*-release +) &> "${HOST_INFO_FILE}" + # save the current service unit invocation's log messages journalctl _SYSTEMD_INVOCATION_ID="$(systemctl show -p InvocationID --value ziti-edge-tunnel.service)" -l --no-pager \ &> "${LOG_FILE}" # save the threads and backtrace -timeout --signal=SIGKILL 3s \ +timeout --kill-after=1s 3s \ gdb /opt/openziti/bin/ziti-edge-tunnel \ --pid "${ZET_PID}" \ --batch \ @@ -58,7 +68,7 @@ timeout --signal=SIGKILL 3s \ || echo "WARN: gdb backtrace timed out" >&2 # save 10s of strace calls -timeout --signal=SIGKILL 10s \ +timeout --kill-after=1s 10s \ strace --attach "${ZET_PID}" \ --follow-forks \ --absolute-timestamps=format:unix,precision:us \ @@ -74,12 +84,12 @@ timeout --signal=SIGKILL 10s \ # --trace=%memory \ # save the identity status dumps -timeout --signal=SIGKILL 3s \ +timeout --kill-after=1s 3s \ ziti-edge-tunnel dump -p ./dumps >/dev/null \ || echo "WARN: failed to create dumps" >&2 # save the tunnel_status JSON -timeout --signal=SIGKILL 3s \ +timeout --kill-after=1s 3s \ ziti-edge-tunnel tunnel_status \ | sed -E "s/(^received\sresponse\s<|>$)//g" > "${TUNNEL_STATUS_FILE}" \ || echo "WARN: failed to get tunnel_status" >&2 From b746f478fcae572dd13ec9614aa22d4a006dcdfc Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Thu, 4 Jan 2024 17:50:00 -0500 Subject: [PATCH 060/251] check for required commands; print progress meter --- scripts/debug.bash | 224 +++++++++++++++++++++++++++------------------ 1 file changed, 133 insertions(+), 91 deletions(-) diff --git a/scripts/debug.bash b/scripts/debug.bash index 1262b004..a55c119c 100644 --- a/scripts/debug.bash +++ b/scripts/debug.bash 
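Review bot: `|| echo "WARN: gdb backtrace timed out" >&2` after the `timeout --kill-after=1s 3s` change still fires on any non-zero exit — gdb missing ptrace permission, a wrong binary path, or the PID having exited — not only on the timeout's exit status 124, so the message can misdirect whoever reads the bundle. Reporting the status, `|| echo "WARN: gdb backtrace failed or timed out (exit status $?)" >&2`, costs nothing and distinguishes the cases; the same pattern applies to the dump and tunnel_status captures later in this hunk. Switching from `--signal=SIGKILL` to `--kill-after=1s` is the right change, since it gives gdb and strace a chance to detach cleanly before the hard kill.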
@@ -1,99 +1,141 @@ #!/usr/bin/env bash # -# this script creates a debug bundle for systemd service unit ziti-edge-tunnel.service +# create a debug bundle for systemd service unit ziti-edge-tunnel.service # -set -euo pipefail +set -o errexit +set -o nounset +set -o pipefail -cd "$(mktemp -d)" -mkdir ./dumps -chgrp -R ziti "${PWD}" -chmod -R g+rwX "${PWD}" +checkCommand() { + if ! command -v "$1" &>/dev/null; then + echo "ERROR: this script requires command '$1'. Please install on the search PATH and try again." >&2 + $1 + fi +} -NOW=$(date -u +'%Y-%m-%dT%H:%MZ') -ZITI_VERSION=$(/opt/openziti/bin/ziti-edge-tunnel version) -PREFIX=ziti-edge-tunnel-${ZITI_VERSION#v}-${NOW} -LOG_FILE=${PREFIX}.log -BACKTRACE_FILE=${PREFIX}.backtrace -STRACE_FILE=${PREFIX}.strace -TUNNEL_STATUS_FILE=${PREFIX}.tunnel_status.json -SYSTEMD_RESOLVED_FILE=${PREFIX}.systemd-resolved -HOST_INFO_FILE=${PREFIX}.host -TARBALL=${PREFIX}.tgz +main() { + # require commands + declare -a BINS=(sed gdb strace tar timeout /opt/openziti/bin/ziti-edge-tunnel systemctl journalctl resolvectl) + for BIN in "${BINS[@]}"; do + checkCommand "$BIN" + done -# get the PID from systemd -ZET_PID="$(systemctl show -p MainPID --value ziti-edge-tunnel.service)" -if [[ -z "${ZET_PID}" ]] || [[ "${ZET_PID}" == "0" ]]; -then - echo "ERROR: failed to get ziti-edge-tunnel.service PID" >&2 - exit 1 -fi + cd "$(mktemp -d)" + mkdir ./dump ./stack + chgrp -R ziti "${PWD}" + chmod -R g+rwX "${PWD}" + + echo -n "(estimated runtime 60s) [." 
+ + NOW=$(date -u +'%Y-%m-%dT%H:%MZ') + ZITI_VERSION=$(/opt/openziti/bin/ziti-edge-tunnel version) + PREFIX=ziti-edge-tunnel-${ZITI_VERSION#v}-${NOW} + LOG_FILE=${PREFIX}.log + BACKTRACE_FILE=${PREFIX}.backtrace + STRACE_FILE=${PREFIX}.strace + TUNNEL_STATUS_FILE=${PREFIX}.tunnel_status.json + SYSTEMD_RESOLVED_FILE=${PREFIX}.systemd-resolved + HOST_INFO_FILE=${PREFIX}.host + TARBALL=${PREFIX}.tgz + + # get the PID from systemd + ZET_PID="$(systemctl show -p MainPID --value ziti-edge-tunnel.service)" + if [[ -z "${ZET_PID}" ]] || [[ "${ZET_PID}" == "0" ]]; + then + echo "ERROR: failed to get ziti-edge-tunnel.service PID" >&2 + exit 1 + fi + + # save the systemd-resolved state + ( + set +e + set -x + systemctl status systemd-resolved.service + resolvectl status + resolvectl dns ziti0 + resolvectl domain ziti0 + ls -l /etc/resolv.conf + cat /etc/resolv.conf + ) &> "${SYSTEMD_RESOLVED_FILE}" + echo -n "." + + # save host info + ( + set +e + set -x + hostnamectl + hostname + cat /etc/hosts /etc/*-release + ) &> "${HOST_INFO_FILE}" + echo -n "." + + # save the current service unit invocation's log messages + journalctl _SYSTEMD_INVOCATION_ID="$(systemctl show -p InvocationID --value ziti-edge-tunnel.service)" -l --no-pager \ + &> "${LOG_FILE}" + echo -n "." + + # save the threads and backtrace + timeout --kill-after=1s 3s \ + gdb /opt/openziti/bin/ziti-edge-tunnel \ + --pid "${ZET_PID}" \ + --batch \ + --ex "set verbose on" \ + --ex "set pagination off" \ + --ex "info threads" \ + --ex "backtrace" \ + --ex "quit" \ + &> "${BACKTRACE_FILE}" \ + || echo "WARN: gdb backtrace timed out" >&2 + echo -n "." 
+ + # save 10s of strace calls + timeout --kill-after=1s 10s \ + strace --attach "${ZET_PID}" \ + --follow-forks \ + --absolute-timestamps=format:unix,precision:us \ + --syscall-times \ + --string-limit 4096 \ + &> "${STRACE_FILE}" \ + || true # catch the expected timeout exit code + # --trace=%network \ + # --trace=%process \ + # --trace=%signal \ + # --trace=%ipc \ + # --trace=%desc \ + # --trace=%memory \ + echo -n "." + + # save the call stack at intervals + STACK_COUNT=1 + STACK_MAX=3 + until [[ "${STACK_COUNT}" -gt "${STACK_MAX}" ]] + do + cat "/proc/${ZET_PID}/stack" \ + &> "./stack/${STACK_COUNT}_of_${STACK_MAX}-$(date -u +'%Y-%m-%dT%H:%M:%SZ').stack" + echo -n "." + # shellcheck disable=SC2034 # iterator is unused + for i in {1..10}; do sleep 1; echo -n "."; done + (( STACK_COUNT++ )) + done + + # save the identity status dumps + timeout --kill-after=1s 3s \ + ziti-edge-tunnel dump -p ./dump >/dev/null \ + || echo "WARN: failed to create dumps" >&2 + echo -n "." + + # save the tunnel_status JSON + timeout --kill-after=1s 3s \ + ziti-edge-tunnel tunnel_status \ + | sed -E "s/(^received\sresponse\s<|>$)//g" > "${TUNNEL_STATUS_FILE}" \ + || echo "WARN: failed to get tunnel_status" >&2 + echo -n "." + + tar -czf "/tmp/${TARBALL}" . 
+ echo -en ".]\n" + + echo "INFO: debug bundle created at /tmp/${TARBALL} from files in ${PWD}" +} -# save the systemd-resolved state -( - set +e - set -x - systemctl status systemd-resolved.service - resolvectl status - resolvectl dns ziti0 - resolvectl domain ziti0 - ls -l /etc/resolv.conf - cat /etc/resolv.conf -) &> "${SYSTEMD_RESOLVED_FILE}" - -# save host info -( - set +e - set -x - hostnamectl - hostname - cat /etc/hosts /etc/*-release -) &> "${HOST_INFO_FILE}" - -# save the current service unit invocation's log messages -journalctl _SYSTEMD_INVOCATION_ID="$(systemctl show -p InvocationID --value ziti-edge-tunnel.service)" -l --no-pager \ -&> "${LOG_FILE}" - -# save the threads and backtrace -timeout --kill-after=1s 3s \ - gdb /opt/openziti/bin/ziti-edge-tunnel \ - --pid "${ZET_PID}" \ - --batch \ - --ex "set verbose on" \ - --ex "set pagination off" \ - --ex "info threads" \ - --ex "backtrace" \ - --ex "quit" \ - &> "${BACKTRACE_FILE}" \ - || echo "WARN: gdb backtrace timed out" >&2 - -# save 10s of strace calls -timeout --kill-after=1s 10s \ - strace --attach "${ZET_PID}" \ - --follow-forks \ - --absolute-timestamps=format:unix,precision:us \ - --syscall-times \ - --string-limit 4096 \ - &> "${STRACE_FILE}" \ - || true # catch the expected timeout exit code - # --trace=%network \ - # --trace=%process \ - # --trace=%signal \ - # --trace=%ipc \ - # --trace=%desc \ - # --trace=%memory \ - -# save the identity status dumps -timeout --kill-after=1s 3s \ - ziti-edge-tunnel dump -p ./dumps >/dev/null \ - || echo "WARN: failed to create dumps" >&2 - -# save the tunnel_status JSON -timeout --kill-after=1s 3s \ - ziti-edge-tunnel tunnel_status \ - | sed -E "s/(^received\sresponse\s<|>$)//g" > "${TUNNEL_STATUS_FILE}" \ - || echo "WARN: failed to get tunnel_status" >&2 - -tar -czf "/tmp/${TARBALL}" . - -echo "INFO: debug bundle created at /tmp/${TARBALL} from files in ${PWD}" +main "$@" From 25d78f675913128737f41823fa633f7bcc1da94b Mon Sep 17 00:00:00 2001 
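Review bot: In `checkCommand`, after printing the ERROR line the function runs `$1` — the command it just established is not on the PATH — and relies on the resulting 127 status plus errexit to stop the script; that works but reads like a typo, and if `$1` is an absolute path to something that exists but is not executable the behaviour differs. `exit 1` in its place makes the intent explicit. The `cat "/proc/${ZET_PID}/stack"` loop needs root to read another process's kernel stack, which the later usage line (patch 062) documents with sudo, so a short comment on the loop, `# requires root: /proc/PID/stack is readable only by privileged users`, would save a confused run; the `for i in {1..10}` sleep loop is fine as written.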
From: Kenneth Bingham
Date: Thu, 4 Jan 2024 18:04:54 -0500
Subject: [PATCH 061/251] add debug.bash to RPM, DEB; set debug.bash execute filemode;

---
 programs/ziti-edge-tunnel/package/CPackPackage.cmake | 6 ++++++
 scripts/debug.bash | 0
 2 files changed, 6 insertions(+)
 mode change 100644 => 100755 scripts/debug.bash

diff --git a/programs/ziti-edge-tunnel/package/CPackPackage.cmake b/programs/ziti-edge-tunnel/package/CPackPackage.cmake
index f9a748dd..5f1dc7b0 100644
--- a/programs/ziti-edge-tunnel/package/CPackPackage.cmake
+++ b/programs/ziti-edge-tunnel/package/CPackPackage.cmake
@@ -124,6 +124,12 @@ install(FILES "${INSTALL_OUT_DIR}/${ZITI_POLKIT_RULES_FILE}.sample"
 COMPONENT "${COMPONENT_NAME}"
 RENAME "${ZITI_POLKIT_RULES_FILE}")
 
+install(FILES "${CMAKE_SOURCE_DIR}/scripts/debug.bash"
+ COMPONENT "${COMPONENT_NAME}"
+ DESTINATION "${CPACK_BIN_DIR}"
+ PERMISSIONS OWNER_EXECUTE OWNER_WRITE OWNER_READ
+ GROUP_EXECUTE GROUP_READ)
+
 if("RPM" IN_LIST CPACK_GENERATOR)
 set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION "/usr/share/polkit-1/rules.d")
 
diff --git a/scripts/debug.bash b/scripts/debug.bash
old mode 100644
new mode 100755
From d167666ebeea4f636c71349415576e1a8296db5c Mon Sep 17 00:00:00 2001
From: Kenneth Bingham
Date: Thu, 4 Jan 2024 18:48:14 -0500
Subject: [PATCH 062/251] upload to webdav server if url

---
 scripts/debug.bash | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/scripts/debug.bash b/scripts/debug.bash
index a55c119c..8f663d7b 100755
--- a/scripts/debug.bash
+++ b/scripts/debug.bash
@@ -2,6 +2,7 @@
 #
 # create a debug bundle for systemd service unit ziti-edge-tunnel.service
 #
+# usage: sudo /opt/openziti/bin/debug.bash [UPLOAD_URL]
 
 set -o errexit
 set -o nounset
@@ -136,6 +137,12 @@ main() {
 echo -en ".]\n"
 
 echo "INFO: debug bundle created at /tmp/${TARBALL} from files in ${PWD}"
+
+ if [[ -n "${1:-}" ]]
+ then
+ echo "INFO: uploading debug bundle to ${1}"
+ curl -sSf -T "/tmp/${TARBALL}" "${1}"
+ fi
 }
 
 main "$@"
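Review bot: `curl -sSf -T "/tmp/${TARBALL}" "${1}"` sends a bundle that holds identity dumps, syscall traces and service logs to whatever URL the operator typed, over any scheme curl accepts, so a mistyped `http://` destination ships that material in the clear; restricting the transfer to TLS, `curl -sSf --proto '=https' -T "/tmp/${TARBALL}" "${1}"`, and extending the new usage line to `# usage: sudo /opt/openziti/bin/debug.bash [UPLOAD_URL]   # UPLOAD_URL must be https; the bundle contains identity and traffic details` makes the expectation explicit. Under errexit a failed upload ends the script after the local path has already been printed, which is the right order since the operator can retry by hand. The CPack install hunk in patch 061 is packaging only; main's body begins outside the hunk.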
From 0b08e3cd20325eb05d60e395519abc29454832a8 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Thu, 4 Jan 2024 23:10:00 -0500 Subject: [PATCH 063/251] refactor docker entrypoint to deprecate legacy vars and fix the no-start problem with getting identity from a var --- docker/BUILD.md | 109 +++++++++++++++++---------- docker/Dockerfile.ziti-host | 2 - docker/docker-entrypoint.sh | 146 +++++++++++++++++++----------------- 3 files changed, 149 insertions(+), 108 deletions(-) diff --git a/docker/BUILD.md b/docker/BUILD.md index e18ef489..38778efe 100644 --- a/docker/BUILD.md +++ b/docker/BUILD.md @@ -1,4 +1,7 @@ -The Dockerfile and scripts in this directory build a `ziti-edge-tunnel` (tunneler from C-SDK) Docker image. This procedure is highly similar to that of the `ziti-tunnel` (Go tunneler) Docker image [documented here](https://github.com/openziti/ziti/blob/main/ziti-tunnel/docker/BUILD.md). + +# Building the ziti-edge-tunnel Docker Images + +The Dockerfile and scripts in this directory build a `ziti-edge-tunnel` (tunneler from C-SDK) Docker image. Ziti binaries are downloaded from https://github.com/openziti/ziti-tunnel-sdk-c/ by default. The following build arguments are supported: 
@@ -24,46 +27,56 @@ the image to a public registry. 1. Enable Docker Experimental Features - See https://docs.docker.com/engine/reference/commandline/cli/#experimental-features + See https://docs.docker.com/engine/reference/commandline/cli/#experimental-features 2. Install & Enable qemu Emulation for Arm (Docker CE / Linux only) - This is taken care of by Docker Desktop if you're building on macOS or Windows, - but you'll need to install qemu emulation support and register Arm binaries to - run on your (presumably) x86_64 build host if you are running Docker CE on Linux: + This is taken care of by Docker Desktop if you're building on macOS or Windows, + but you'll need to install qemu emulation support and register Arm binaries to + run on your (presumably) x86_64 build host if you are running Docker CE on Linux: - $ sudo dnf install -y qemu-system-arm - $ docker run --rm --privileged docker/binfmt:66f9012c56a8316f9244ffd7622d7c21c1f6f28d + ```bash + sudo dnf install -y qemu-system-arm + docker run --rm --privileged docker/binfmt:66f9012c56a8316f9244ffd7622d7c21c1f6f28d + ``` 3. Verify that the Arm qemu handler is registered. The first line of the file is "enabled". 
- $ cat /proc/sys/fs/binfmt_misc/qemu-arm - enabled - interpreter /usr/bin/qemu-arm - -Optionally, run an ARM arch container and print system information to test qemu-arm + ```bash + $ cat /proc/sys/fs/binfmt_misc/qemu-arm + enabled + interpreter /usr/bin/qemu-arm + ``` - $ docker run --rm arm64v8/alpine uname -a - Linux 00eea7912eb1 5.11.0-7612-generic #13~1617215757~20.10~97a8d1a-Ubuntu SMP Thu Apr 1 21:09:17 UTC 2 aarch64 Linux + Optionally, run an ARM arch container and print system information to test qemu-arm - $ docker run --rm arm32v7/alpine uname -a - Linux 6fcaad6c8b37 5.11.0-7612-generic #13~1617215757~20.10~97a8d1a-Ubuntu SMP Thu Apr 1 21:09:17 UTC 2 armv7l Linux + ```bash + $ docker run --rm arm64v8/alpine uname -a + Linux 00eea7912eb1 5.11.0-7612-generic #13~1617215757~20.10~97a8d1a-Ubuntu SMP Thu Apr 1 21:09:17 UTC 2 aarch64 Linux + + $ docker run --rm arm32v7/alpine uname -a + Linux 6fcaad6c8b37 5.11.0-7612-generic #13~1617215757~20.10~97a8d1a-Ubuntu SMP Thu Apr 1 21:09:17 UTC 2 armv7l Linux + ``` 4. Create a Builder Instance - $ docker buildx create --use --name=ziti-builder + ```bash + docker buildx create --use --name=ziti-builder + ``` ## Building Run `docker buildx` like this: - $ git fetch --tags && git tag -l | sort -Vr | head -1 - v0.16.1 - $ ZITI_VERSION="0.16.1" - $ docker buildx build \ - --platform linux/amd64,linux/arm/v7,linux/aarch64 \ - --build-arg ZITI_VERSION="${ZITI_VERSION}" \ - -t "netfoundry/ziti-edge-tunnel:${ZITI_VERSION}" . +```bash +$ git fetch --tags && git tag -l | sort -Vr | head -1 +v0.16.1 +$ ZITI_VERSION="0.16.1" +$ docker buildx build \ + --platform linux/amd64,linux/arm/v7,linux/aarch64 \ + --build-arg ZITI_VERSION="${ZITI_VERSION}" \ + -t "netfoundry/ziti-edge-tunnel:${ZITI_VERSION}" . +``` Notes: 
@@ -93,24 +106,44 @@ This build method produces an image for the CPU that is running the build host (typically amd64), and places the resulting image into your local Docker image cache. - $ ZITI_VERSION="0.16.1" \ - $ docker build \ - --build-arg ZITI_VERSION="${ZITI_VERSION}" \ - -t "netfoundry/ziti-edge-tunnel:${ZITI_VERSION}" . +```bash +ZITI_VERSION=$( + curl -sSf https://api.github.com/repos/openziti/ziti-tunnel-sdk-c/releases/latest \ + | jq -r '.tag_name' \ + | sed -E 's/^v//' +); + +docker buildx build \ + --tag ziti-edge-tunnel:${ZITI_VERSION} \ + --build-arg ZITI_VERSION=${ZITI_VERSION} \ + --file ./docker/Dockerfile.base \ + --load \ + ./docker + +docker buildx build \ + --tag ziti-host:${ZITI_VERSION} \ + --build-arg ZITI_EDGE_TUNNEL_IMAGE=ziti-edge-tunnel \ + --build-arg ZITI_EDGE_TUNNEL_TAG=${ZITI_VERSION} \ + --file ./docker/Dockerfile.ziti-host \ + --load \ + ./docker +``` ## Shell Script for Linux - $ ./buildx.sh -h - Usage: VARIABLES ./buildx.sh [OPTION]... +```bash +$ ./buildx.sh -h +Usage: VARIABLES ./buildx.sh [OPTION]... - Build multi-platform Docker container image on Linux. +Build multi-platform Docker container image on Linux. - VARIABLES - ZITI_VERSION e.g. "0.16.1" corresponding to Git tag "v0.16.1" +VARIABLES + ZITI_VERSION e.g. "0.16.1" corresponding to Git tag "v0.16.1" - OPTIONS - -r REPO container image repository e.g. netfoundry/ziti-edge-tunnel - -c don't check out v${ZITI_VERSION} (use Git working copy) +OPTIONS + -r REPO container image repository e.g. netfoundry/ziti-edge-tunnel + -c don't check out v${ZITI_VERSION} (use Git working copy) - EXAMPLES - ZITI_VERSION=0.16.1 ./buildx.sh -r netfoundry/ziti-edge-tunnel +EXAMPLES + ZITI_VERSION=0.16.1 ./buildx.sh -r netfoundry/ziti-edge-tunnel +``` diff --git a/docker/Dockerfile.ziti-host b/docker/Dockerfile.ziti-host index 826a5d6a..9742bef4 100644 --- a/docker/Dockerfile.ziti-host +++ b/docker/Dockerfile.ziti-host 
@@ -4,8 +4,6 @@ ARG ZITI_EDGE_TUNNEL_IMAGE="docker.io/openziti/ziti-edge-tunnel" # this builds docker.io/openziti/ziti-host FROM ${ZITI_EDGE_TUNNEL_IMAGE}:${ZITI_EDGE_TUNNEL_TAG} - - ### Required OpenShift Labels LABEL name="openziti/ziti-host" \ maintainer="developers@openziti.org" \ diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh index 756f756b..bd4cdb47 100755 --- a/docker/docker-entrypoint.sh +++ b/docker/docker-entrypoint.sh 
@@ -16,103 +16,108 @@ # limitations under the License. # -set -e -u -o pipefail +set -o errexit -o nounset -o pipefail function alldone() { - # if successfully sent to background then send SIGTERM to trigger a cleanup - # of resolver config, tun devices and associated routes + # if successfully sent to background then send SIGTERM because ZET does not respond to SIGINT [[ "${ZITI_EDGE_TUNNEL_PID:-}" =~ ^[0-9]+$ ]] && { - kill -TERM "$ZITI_EDGE_TUNNEL_PID" - # let entrypoint script exit after ziti-edge-tunnel PID - kill -0 "$ZITI_EDGE_TUNNEL_PID" && wait "$ZITI_EDGE_TUNNEL_PID" + kill -0 "$ZITI_EDGE_TUNNEL_PID" &>/dev/null && { + kill -TERM "$ZITI_EDGE_TUNNEL_PID" + # let entrypoint script exit after ziti-edge-tunnel PID + wait "$ZITI_EDGE_TUNNEL_PID" + } } } trap alldone SIGTERM SIGINT EXIT -IDENTITIES_DIR="/ziti-edge-tunnel" -if ! [[ -d "${IDENTITIES_DIR}" ]]; then - echo "ERROR: need directory ${IDENTITIES_DIR} to find tokens and identities" >&2 - exit 1 -fi +unset \ + IDENTITIES_DIR \ + IDENTITY_FILE \ + JSON_FILES \ + JWT_CANDIDATE \ + JWT_FILE \ + TUNNEL_OPTS \ + TUNNEL_RUN_MODE -if ! mountpoint "${IDENTITIES_DIR}" &>/dev/null; then - echo "WARN: the identities directory is only available inside this container because ${IDENTITIES_DIR} is not a mounted volume. Be careful to not publish this image with identity inside or lose access to the identity by removing the image prematurely." >&2 -else - if [[ -n "${ZITI_IDENTITY_JSON:-}" ]]; then - echo "WARNING: you supplied the Ziti identity as an env var and you mounted a volume on the identities dir. You may avoid this warning and future errors by not mounting a volume on ${IDENTITIES_DIR} when ZITI_IDENTITY_JSON is defined." 
>&2 +# adapt deprecated NF_REG_* env vars to undefined ZITI_* env vars +if [[ -z "${ZITI_IDENTITY_BASENAME:-}" ]]; then + if [[ -n "${NF_REG_NAME:-}" ]]; then + echo "WARN: replacing deprecated NF_REG_NAME with ZITI_IDENTITY_BASENAME=${NF_REG_NAME}" + ZITI_IDENTITY_BASENAME="${NF_REG_NAME}" + elif [[ -n "${IOTEDGE_DEVICEID:-}" ]]; then + echo "WARN: replacing deprecated IOTEDGE_DEVICEID with ZITI_IDENTITY_BASENAME=${IOTEDGE_DEVICEID}" + ZITI_IDENTITY_BASENAME="${IOTEDGE_DEVICEID}" fi fi - -# -## Map the preferred, Ziti var names to legacy NF names. This allows us to begin using the preferred vars right away -## while minimizing immediate differences to the main control structure. This eases code review. Later, the legacy -## names can be retired and replaced. -# -if [[ -n "${ZITI_IDENTITY_BASENAME:-}" ]]; then - echo "INFO: setting NF_REG_NAME to \${ZITI_IDENTITY_BASENAME} (${ZITI_IDENTITY_BASENAME})" - NF_REG_NAME="${ZITI_IDENTITY_BASENAME}" -fi -if [[ -n "${ZITI_ENROLL_TOKEN:-}" ]]; then - echo "INFO: setting NF_REG_TOKEN to \${ZITI_ENROLL_TOKEN} (${ZITI_ENROLL_TOKEN})" - NF_REG_TOKEN="${ZITI_ENROLL_TOKEN}" +if [[ -z "${ZITI_ENROLL_TOKEN:-}" && -n "${NF_REG_TOKEN:-}" ]]; then + echo "WARN: replacing deprecated NF_REG_TOKEN with ZITI_ENROLL_TOKEN=${NF_REG_TOKEN}" + ZITI_ENROLL_TOKEN="${NF_REG_TOKEN}" fi -if [[ -n "${ZITI_IDENTITY_WAIT:-}" ]]; then - echo "INFO: setting NF_REG_WAIT to \${ZITI_IDENTITY_WAIT} (${ZITI_IDENTITY_WAIT})" - NF_REG_WAIT="${ZITI_IDENTITY_WAIT}" +if [[ -z "${ZITI_IDENTITY_WAIT:-}" && -n "${NF_REG_WAIT:-}" ]]; then + echo "WARN: replacing deprecated var NF_REG_WAIT with ZITI_IDENTITY_WAIT=${NF_REG_WAIT}" + ZITI_IDENTITY_WAIT="${NF_REG_WAIT}" fi -# treat IOTEDGE_DEVICEID, a standard var assigned by Azure IoT, as an alias for NF_REG_NAME -if [[ -z "${NF_REG_NAME:-}" ]]; then - if [[ -n "${IOTEDGE_DEVICEID:-}" ]]; then - echo "INFO: setting NF_REG_NAME to \${IOTEDGE_DEVICEID} (${IOTEDGE_DEVICEID})" - NF_REG_NAME="${IOTEDGE_DEVICEID}" - fi -fi - 
-# if identity JSON var is defined then write to a file +# if identity env var is defined then do not look for mounted identities if [[ -n "${ZITI_IDENTITY_JSON:-}" ]]; then - # if the basename is not defined then use a default basename to write JSON to a file - if [[ -z "${NF_REG_NAME:-}" ]]; then - NF_REG_NAME="ziti_id" + IDENTITIES_DIR="/tmp/openziti" + mkdir -m0700 "${IDENTITIES_DIR}" + if [[ -z "${ZITI_IDENTITY_BASENAME:-}" ]]; then + ZITI_IDENTITY_BASENAME="ziti_id" fi - if [[ -s "${IDENTITIES_DIR}/${NF_REG_NAME}.json" ]]; then - echo "ERROR: refusing to clobber non-empty Ziti identity file ${NF_REG_NAME}.json with contents of env var ZITI_IDENTITY_JSON!" >&2 + IDENTITY_FILE="${IDENTITIES_DIR}/${ZITI_IDENTITY_BASENAME}.json" + if [[ -s "${IDENTITY_FILE}" ]]; then + echo "ERROR: refusing to clobber non-empty Ziti identity file ${IDENTITY_FILE} with contents of env var ZITI_IDENTITY_JSON!" >&2 exit 1 else - echo "${ZITI_IDENTITY_JSON}" > "${IDENTITIES_DIR}/${NF_REG_NAME}.json" + echo "${ZITI_IDENTITY_JSON}" > "${IDENTITIES_DIR}/${ZITI_IDENTITY_BASENAME}.json" + fi +else + # presumed to be a mountpoint for one or more identities + IDENTITIES_DIR="/ziti-edge-tunnel" + if ! 
[[ -d "${IDENTITIES_DIR}" ]]; then + echo "ERROR: need directory ${IDENTITIES_DIR} to find tokens and identities" >&2 + exit 1 fi fi typeset -a TUNNEL_OPTS -# if identity file, else multiple identities dir -if [[ -n "${NF_REG_NAME:-}" ]]; then - IDENTITY_FILE="${IDENTITIES_DIR}/${NF_REG_NAME}.json" +# if identity basename is specified then look for an identity file with that name, else load all identities in the +# identities dir mountpoint +if [[ -n "${ZITI_IDENTITY_BASENAME:-}" ]]; then + : "${IDENTITY_FILE:=${IDENTITIES_DIR}/${ZITI_IDENTITY_BASENAME}.json}" TUNNEL_OPTS=("--identity" "${IDENTITY_FILE}") - : ${NF_REG_WAIT:=1} - if [[ "${NF_REG_WAIT}" =~ ^[0-9]+$ ]]; then - echo "DEBUG: waiting ${NF_REG_WAIT}s for ${IDENTITY_FILE} (or token) to appear" - elif (( "${NF_REG_WAIT}" < 0 )); then + + # if wait is specified then wait for the identity file or token to appear + : "${ZITI_IDENTITY_WAIT:=3}" + # if a positive integer then wait that many seconds for the identity file or token to appear + if [[ "${ZITI_IDENTITY_WAIT}" =~ ^[0-9]+$ ]]; then + echo "DEBUG: waiting ${ZITI_IDENTITY_WAIT}s for ${IDENTITY_FILE} (or token) to appear" + # if a negative integer then wait forever for the identity file or token to appear + elif (( ZITI_IDENTITY_WAIT < 0 )); then echo "DEBUG: waiting forever for ${IDENTITY_FILE} (or token) to appear" + # error if not an integer else - echo "ERROR: need integer for NF_REG_WAIT" >&2 + echo "ERROR: ZITI_IDENTITY_WAIT must be an integer (seconds to wait)" >&2 exit 1 fi - while (( $NF_REG_WAIT > 0 || $NF_REG_WAIT < 0)); do + while (( ZITI_IDENTITY_WAIT > 0 || ZITI_IDENTITY_WAIT < 0)); do # if non-empty identity file if [[ -s "${IDENTITY_FILE}" ]]; then echo "INFO: found identity file ${IDENTITY_FILE}" break 1 # look for enrollment token else - echo "INFO: identity file ${IDENTITY_FILE} does not exist" + echo "DEBUG: identity file ${IDENTITY_FILE} not found" for dir in "/var/run/secrets/netfoundry.io/enrollment-token" \ "/enrollment-token" \ 
"${IDENTITIES_DIR}"; do - JWT_CANDIDATE="${dir}/${NF_REG_NAME}.jwt" - echo "INFO: looking for ${JWT_CANDIDATE}" + JWT_CANDIDATE="${dir}/${ZITI_IDENTITY_BASENAME}.jwt" if [[ -s "${JWT_CANDIDATE}" ]]; then JWT_FILE="${JWT_CANDIDATE}" break 1 + else + echo "DEBUG: ${JWT_CANDIDATE} not found" fi done if [[ -n "${JWT_FILE:-}" ]]; then @@ -121,12 +126,14 @@ if [[ -n "${NF_REG_NAME:-}" ]]; then echo "ERROR: failed to enroll with token from ${JWT_FILE} ($(wc -c < "${JWT_FILE}")B)" >&2 exit 1 } - elif [[ -n "${NF_REG_TOKEN:-}" ]]; then - echo "INFO: attempting enrollment with NF_REG_TOKEN" - ziti-edge-tunnel enroll --jwt - --identity "${IDENTITY_FILE}" <<< "${NF_REG_TOKEN}" || { - echo "ERROR: failed to enroll with token from NF_REG_TOKEN ($(wc -c <<<"${NF_REG_TOKEN}")B)" >&2 + elif [[ -n "${ZITI_ENROLL_TOKEN:-}" ]]; then + echo "INFO: attempting enrollment with ZITI_ENROLL_TOKEN" + ziti-edge-tunnel enroll --jwt - --identity "${IDENTITY_FILE}" <<< "${ZITI_ENROLL_TOKEN}" || { + echo "ERROR: failed to enroll with token from ZITI_ENROLL_TOKEN ($(wc -c <<<"${ZITI_ENROLL_TOKEN}")B)" >&2 exit 1 } + # this works but the legacy var name was never deprecated because of doubts about the utility of this + # feature elif [[ -n "${NF_REG_STDIN:-}" ]]; then echo "INFO: trying to get token from stdin" >&2 ziti-edge-tunnel enroll --jwt - --identity "${IDENTITY_FILE}" || { 
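Review bot: The deprecated-variable shim still prints the enrollment token: `echo "WARN: replacing deprecated NF_REG_TOKEN with ZITI_ENROLL_TOKEN=${NF_REG_TOKEN}"` writes a one-time credential to stdout, which the container logging driver normally retains. The message only needs the variable name, `echo "WARN: replacing deprecated NF_REG_TOKEN with ZITI_ENROLL_TOKEN"`; the ZITI_IDENTITY_JSON branch further down already avoids echoing the identity contents. In the same hunk, `mkdir -m0700 "${IDENTITIES_DIR}"` with IDENTITIES_DIR fixed at /tmp/openziti aborts the script under the new `set -o errexit` whenever the directory already exists (presumably a restart with a persisted /tmp), and the identity file written right after it by `echo "${ZITI_IDENTITY_JSON}" > …` gets the default umask rather than an owner-only mode. `mkdir -p -m0700 "${IDENTITIES_DIR}"` plus `umask 077` before the write covers both.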
@@ -136,22 +143,24 @@ if [[ -n "${NF_REG_NAME:-}" ]]; then fi fi # decrement the wait seconds until zero or forever if negative - (( NF_REG_WAIT-- )) + (( ZITI_IDENTITY_WAIT-- )) sleep 1 done +# if no identity basename is specified then load all *.json files in the identities dir mountpoint, ignoring enrollment +# tokens else typeset -a JSON_FILES mapfile -t JSON_FILES < <(ls -1 "${IDENTITIES_DIR}"/*.json) if [[ ${#JSON_FILES[*]} -gt 0 ]]; then - echo "INFO: NF_REG_NAME not set, loading ${#JSON_FILES[*]} identities from ${IDENTITIES_DIR}" + echo "INFO: loading ${#JSON_FILES[*]} identities from ${IDENTITIES_DIR}" TUNNEL_OPTS=("--identity-dir" "${IDENTITIES_DIR}") else - echo "ERROR: NF_REG_NAME not set and zero identities found in ${IDENTITIES_DIR}" >&2 + echo "ERROR: ZITI_IDENTITY_BASENAME not set and zero identities found in ${IDENTITIES_DIR}" >&2 exit 1 fi fi -echo "DEBUG: evaluating positionals: $*" +echo "DEBUG: checking for run mode as first positional in: $*" if (( ${#} )) && [[ ${1:0:3} == run ]]; then TUNNEL_RUN_MODE=${1} shift @@ -159,7 +168,8 @@ else TUNNEL_RUN_MODE=run fi -echo "INFO: running ziti-edge-tunnel" +echo "INFO: running: ziti-edge-tunnel ${TUNNEL_RUN_MODE} ${TUNNEL_OPTS[*]} ${*}" ziti-edge-tunnel "${TUNNEL_RUN_MODE}" "${TUNNEL_OPTS[@]}" "${@}" & ZITI_EDGE_TUNNEL_PID=$! +echo "DEBUG: waiting for ziti-edge-tunnel PID: ${ZITI_EDGE_TUNNEL_PID}" wait $ZITI_EDGE_TUNNEL_PID From b19de247d3327f3dffd451c842711b97b13f349c Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Fri, 5 Jan 2024 14:47:12 -0500 Subject: [PATCH 064/251] backtrace all threads; report all devices, not just ziti0 --- scripts/debug.bash | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/scripts/debug.bash b/scripts/debug.bash index 8f663d7b..d4df6ae7 100755 --- a/scripts/debug.bash +++ b/scripts/debug.bash 
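Review bot: The new INFO line `echo "INFO: running: ziti-edge-tunnel ${TUNNEL_RUN_MODE} ${TUNNEL_OPTS[*]} ${*}"`, like the DEBUG line before it, copies every positional argument into the container log; the hunk gives no indication whether callers ever pass anything sensitive there, but once logged it is retained. Logging only `${TUNNEL_RUN_MODE}` and `${TUNNEL_OPTS[*]}`, which the script builds itself, keeps the diagnostic value. The unchanged `wait $ZITI_EDGE_TUNNEL_PID` on the last line is the one expansion left unquoted; `wait "${ZITI_EDGE_TUNNEL_PID}"` matches the quoting used in alldone.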
@@ -54,8 +54,8 @@ main() {
 set -x
 systemctl status systemd-resolved.service
 resolvectl status
- resolvectl dns ziti0
- resolvectl domain ziti0
+ resolvectl dns
+ resolvectl domain
 ls -l /etc/resolv.conf
 cat /etc/resolv.conf
 ) &> "${SYSTEMD_RESOLVED_FILE}"
@@ -65,8 +65,8 @@ main() {
 (
 set +e
 set -x
- hostnamectl
- hostname
+ hostnamectl; hostname
+ ip link show; ip addr show; ip route show
 cat /etc/hosts /etc/*-release
 ) &> "${HOST_INFO_FILE}"
 echo -n "."
@@ -84,7 +84,7 @@ main() {
 --ex "set verbose on" \
 --ex "set pagination off" \
 --ex "info threads" \
- --ex "backtrace" \
+ --ex "thread apply all backtrace" \
 --ex "quit" \
 &> "${BACKTRACE_FILE}" \
 || echo "WARN: gdb backtrace timed out" >&2
From 35046459380fee764bb6bf7b14e763cdef11e126 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Fri, 5 Jan 2024 16:30:35 -0500 Subject: [PATCH 065/251] refine parsing policykit and systemd versions with sed --- programs/ziti-edge-tunnel/package/deb/postinst.in | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/programs/ziti-edge-tunnel/package/deb/postinst.in b/programs/ziti-edge-tunnel/package/deb/postinst.in
index 1ff9f43c..2cadf9fa 100644
--- a/programs/ziti-edge-tunnel/package/deb/postinst.in
+++ b/programs/ziti-edge-tunnel/package/deb/postinst.in
@@ -30,8 +30,10 @@ if [ "$1" = "configure" ]; then chmod 0770 "@ZITI_IDENTITY_DIR@" find "@ZITI_IDENTITY_DIR@" -maxdepth 1 -name "*.json" -type f -exec chown ziti:ziti "{}" + -exec chmod 0400 "{}" + - policykit_version=$(dpkg-query -Wf '${Version;5}' policykit-1 | cut -d . -f 2) - systemd_version=$(dpkg-query -Wf '${Version;3}' systemd) + # use minor version as major version, ignoring the magic zero major version + policykit_version=$(dpkg-query -Wf '${Version}' policykit-1 | sed -E 's/^([0-9]+\.)?([0-9]+).*/\2/') + # use major version + systemd_version=$(dpkg-query -Wf '${Version}' systemd | sed -E 's/^([0-9]+)\..*/\1/') # install PolicyKit policy if using policykit < 0.106 (https://askubuntu.com/questions/1287924/whats-going-on-with-policykit) if [ ${policykit_version} -lt 106 ]; then From 9fbe7a6e8f641875583edbbebae6e2761b421ec6 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Fri, 5 Jan 2024 18:36:56 -0500 Subject: [PATCH 066/251] let sort -V parse version strings so we can avoid regexp assumptions about version string format --- .../ziti-edge-tunnel/package/deb/postinst.in | 23 ++++++++++++------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/programs/ziti-edge-tunnel/package/deb/postinst.in b/programs/ziti-edge-tunnel/package/deb/postinst.in index 2cadf9fa..cc805e32 100644 --- a/programs/ziti-edge-tunnel/package/deb/postinst.in +++ b/programs/ziti-edge-tunnel/package/deb/postinst.in 
@@ -30,15 +30,22 @@ if [ "$1" = "configure" ]; then chmod 0770 "@ZITI_IDENTITY_DIR@" find "@ZITI_IDENTITY_DIR@" -maxdepth 1 -name "*.json" -type f -exec chown ziti:ziti "{}" + -exec chmod 0400 "{}" + - # use minor version as major version, ignoring the magic zero major version - policykit_version=$(dpkg-query -Wf '${Version}' policykit-1 | sed -E 's/^([0-9]+\.)?([0-9]+).*/\2/') - # use major version - systemd_version=$(dpkg-query -Wf '${Version}' systemd | sed -E 's/^([0-9]+)\..*/\1/') + # sort ascending the installed and max policykit versions, saving the highest version, so we + # can ensure the installed version is less than the max version + policykit_version="$(dpkg-query -Wf '${Version}' policykit-1)" + max_policykit_version="0.106" + highest_policykit_version="$(printf '%s\n' ${policykit_version} ${max_policykit_version} | sort -V | tail -n1)" - # install PolicyKit policy if using policykit < 0.106 (https://askubuntu.com/questions/1287924/whats-going-on-with-policykit) - if [ ${policykit_version} -lt 106 ]; then - # ... 
the set-llmnr action was exposed with v243 (https://github.com/systemd/systemd/commit/52aaef0f5dc81b9a08d720f551eac53ac88aa596) - if [ ${systemd_version} -ge 243 ]; then + # sort ascending the installed and min systemd versions, saving the lowest version, so we can ensure the installed + # version is greater than or equal to the min version + systemd_version=$(dpkg-query -Wf '${Version}' systemd) + min_systemd_version="243" + lowest_systemd_version="$(printf '%s\n' ${systemd_version} ${min_systemd_version} | sort -V | head -n1)" + + # install PolicyKit policy if < v0.106 (https://askubuntu.com/questions/1287924/whats-going-on-with-policykit) + if [ ${policykit_version} != ${max_policykit_version} ] && [ ${max_policykit_version} = ${highest_policykit_version} ]; then + # run as root unless systemd > v242 (required set-llmnr introduced v243 https://github.com/systemd/systemd/commit/52aaef0f5dc81b9a08d720f551eac53ac88aa596) + if [ ${systemd_version} = ${min_systemd_version} ] || [ ${min_systemd_version} = ${lowest_systemd_version} ]; then cp "@CPACK_SHARE_DIR@/@ZITI_POLKIT_PKLA_FILE@.sample" "/var/lib/polkit-1/localauthority/10-vendor.d/@ZITI_POLKIT_PKLA_FILE@" db_set ziti_edge_tunnel/install_pkla true else From 3ce7bc065c4823c020d4a533e21c1a605fb66adb Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Fri, 5 Jan 2024 18:38:13 -0500 Subject: [PATCH 067/251] fix min systemd version comment --- programs/ziti-edge-tunnel/package/deb/postinst.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/programs/ziti-edge-tunnel/package/deb/postinst.in b/programs/ziti-edge-tunnel/package/deb/postinst.in index cc805e32..f2c465b1 100644 --- a/programs/ziti-edge-tunnel/package/deb/postinst.in +++ b/programs/ziti-edge-tunnel/package/deb/postinst.in 
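Review bot: The new version tests are unquoted, `if [ ${policykit_version} != ${max_policykit_version} ] && [ ${max_policykit_version} = ${highest_policykit_version} ]; then`, so an empty `policykit_version` — `dpkg-query` printing nothing because policykit-1 is not installed — turns the test into `[ != 0.106 ]`, a syntax error in the maintainer script rather than a decision; the systemd test two lines down has the same shape. Quoting the expansions and checking `[ -n "${policykit_version}" ]` first makes the absent-package case explicit. The sort/head/tail construction can also give way to the comparison dpkg already provides for maintainer scripts, `dpkg --compare-versions "${policykit_version}" lt "${max_policykit_version}"` and `dpkg --compare-versions "${systemd_version}" ge "${min_systemd_version}"`, which follows Debian version ordering (epochs, `~` pre-release suffixes) and removes the six helper lines. The enclosing `if [ "$1" = "configure" ]` block starts outside the hunk.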
@@ -44,7 +44,7 @@ if [ "$1" = "configure" ]; then # install PolicyKit policy if < v0.106 (https://askubuntu.com/questions/1287924/whats-going-on-with-policykit) if [ ${policykit_version} != ${max_policykit_version} ] && [ ${max_policykit_version} = ${highest_policykit_version} ]; then - # run as root unless systemd > v242 (required set-llmnr introduced v243 https://github.com/systemd/systemd/commit/52aaef0f5dc81b9a08d720f551eac53ac88aa596) + # run as root unless systemd >= v243 (required set-llmnr introduced v243 https://github.com/systemd/systemd/commit/52aaef0f5dc81b9a08d720f551eac53ac88aa596) if [ ${systemd_version} = ${min_systemd_version} ] || [ ${min_systemd_version} = ${lowest_systemd_version} ]; then cp "@CPACK_SHARE_DIR@/@ZITI_POLKIT_PKLA_FILE@.sample" "/var/lib/polkit-1/localauthority/10-vendor.d/@ZITI_POLKIT_PKLA_FILE@" db_set ziti_edge_tunnel/install_pkla true From a65c1d2ebed33ef9abb0660530220b84459dc399 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Fri, 5 Jan 2024 18:58:54 -0500 Subject: [PATCH 068/251] use apt-get for scripts because apt is interactive --- .github/workflows/cpack.yml | 12 ++++++------ scripts/install-ubuntu.bash | 4 ++-- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/cpack.yml b/.github/workflows/cpack.yml index d469939e..85d52eb1 100644 --- a/.github/workflows/cpack.yml +++ b/.github/workflows/cpack.yml @@ -60,11 +60,11 @@ jobs: if: ${{ matrix.distro.name == 'ubuntu' }} shell: bash run: | - apt -y update - apt-get -y install software-properties-common - add-apt-repository -y ppa:git-core/ppa - apt -y update - apt -y install git + apt-get update + apt-get install --yes software-properties-common + add-apt-repository --yes ppa:git-core/ppa + apt-get update + apt-get install --yes git git --version - name: install contemporary Git in runner container if RedHat 8 or 9 
@@ -123,7 +123,7 @@ jobs: DEBIAN_FRONTEND: noninteractive shell: bash run: | - apt -y install ./build/ziti-edge-tunnel-*.deb + apt-get -y install ./build/ziti-edge-tunnel-*.deb - name: install package artifact in runner container if RedHat if: ${{ matrix.arch.cmake == 'ci-linux-x64' && matrix.distro.name == 'redhat' }} diff --git a/scripts/install-ubuntu.bash b/scripts/install-ubuntu.bash index 1bc3190f..b5b87bad 100755 --- a/scripts/install-ubuntu.bash +++ b/scripts/install-ubuntu.bash @@ -35,5 +35,5 @@ sudo chmod +r /usr/share/keyrings/openziti.gpg echo "deb [signed-by=/usr/share/keyrings/openziti.gpg] https://packages.openziti.org/zitipax-openziti-deb-stable ${UBUNTU_LTS} main" \ | sudo tee /etc/apt/sources.list.d/openziti.list >/dev/null -sudo apt update -sudo apt install -y ziti-edge-tunnel +sudo apt-get update +sudo apt-get install --yes ziti-edge-tunnel From 227eb40f44db81c1576b9d507bc65c96428245cf Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 22 Jan 2024 12:44:30 -0500 Subject: [PATCH 069/251] capture 10 consecutive backtraces --- scripts/debug.bash | 41 ++++++++++++++++++++++++----------------- 1 file changed, 24 insertions(+), 17 deletions(-) diff --git a/scripts/debug.bash b/scripts/debug.bash index d4df6ae7..707ef366 100755 --- a/scripts/debug.bash +++ b/scripts/debug.bash @@ -23,7 +23,7 @@ main() { done cd "$(mktemp -d)" - mkdir ./dump ./stack + mkdir ./dump ./stack ./backtrace chgrp -R ziti "${PWD}" chmod -R g+rwX "${PWD}" @@ -33,7 +33,6 @@ main() { ZITI_VERSION=$(/opt/openziti/bin/ziti-edge-tunnel version) PREFIX=ziti-edge-tunnel-${ZITI_VERSION#v}-${NOW} LOG_FILE=${PREFIX}.log - BACKTRACE_FILE=${PREFIX}.backtrace STRACE_FILE=${PREFIX}.strace TUNNEL_STATUS_FILE=${PREFIX}.tunnel_status.json SYSTEMD_RESOLVED_FILE=${PREFIX}.systemd-resolved 
@@ -75,21 +74,29 @@ main() { journalctl _SYSTEMD_INVOCATION_ID="$(systemctl show -p InvocationID --value ziti-edge-tunnel.service)" -l --no-pager \ &> "${LOG_FILE}" echo -n "." - - # save the threads and backtrace - timeout --kill-after=1s 3s \ - gdb /opt/openziti/bin/ziti-edge-tunnel \ - --pid "${ZET_PID}" \ - --batch \ - --ex "set verbose on" \ - --ex "set pagination off" \ - --ex "info threads" \ - --ex "thread apply all backtrace" \ - --ex "quit" \ - &> "${BACKTRACE_FILE}" \ - || echo "WARN: gdb backtrace timed out" >&2 - echo -n "." - + + # save the call stack at intervals + BTRACE_COUNT=1 + BTRACE_MAX=10 + until [[ "${BTRACE_COUNT}" -gt "${BTRACE_MAX}" ]] + do + # save the threads and backtrace + timeout --kill-after=1s 3s \ + gdb /opt/openziti/bin/ziti-edge-tunnel \ + --pid "${ZET_PID}" \ + --batch \ + --ex "set verbose on" \ + --ex "set pagination off" \ + --ex "info threads" \ + --ex "thread apply all backtrace" \ + --ex "quit" \ + &> "./backtrace/${BTRACE_COUNT}_of_${BTRACE_MAX}-$(date -u +'%Y-%m-%dT%H:%M:%SZ').backtrace" \ + || echo "WARN: gdb backtrace timed out" >&2 + echo -n "." + sleep 1 + (( BTRACE_COUNT++ )) + done + # save 10s of strace calls timeout --kill-after=1s 10s \ strace --attach "${ZET_PID}" \ From 17874b678225a19b30db45fc4a71ca4d5cd3d437 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 22 Jan 2024 14:15:39 -0500 Subject: [PATCH 070/251] stop requiring resolvectl because it's unavailable on bionic --- scripts/debug.bash | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/debug.bash b/scripts/debug.bash index 707ef366..9351293d 100755 --- a/scripts/debug.bash +++ b/scripts/debug.bash 
@@ -17,7 +17,7 @@ checkCommand() {
 
 main() {
 # require commands
- declare -a BINS=(sed gdb strace tar timeout /opt/openziti/bin/ziti-edge-tunnel systemctl journalctl resolvectl)
+ declare -a BINS=(sed gdb strace tar timeout /opt/openziti/bin/ziti-edge-tunnel systemctl journalctl)
 for BIN in "${BINS[@]}"; do
 checkCommand "$BIN"
 done
From d1200acee601349850ad932b4a4d87457c367d55 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 22 Jan 2024 14:16:31 -0500 Subject: [PATCH 071/251] stop redirecting stderr when attempting to print the call stack because permission denied is a legitimate error when running this debug.bash in certain environments, like lxc --- scripts/debug.bash | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/debug.bash b/scripts/debug.bash
index 9351293d..449e5e92 100755
--- a/scripts/debug.bash
+++ b/scripts/debug.bash
@@ -120,7 +120,7 @@ main() {
 until [[ "${STACK_COUNT}" -gt "${STACK_MAX}" ]]
 do
 cat "/proc/${ZET_PID}/stack" \
- &> "./stack/${STACK_COUNT}_of_${STACK_MAX}-$(date -u +'%Y-%m-%dT%H:%M:%SZ').stack"
+ > "./stack/${STACK_COUNT}_of_${STACK_MAX}-$(date -u +'%Y-%m-%dT%H:%M:%SZ').stack"
 echo -n "."
 # shellcheck disable=SC2034 # iterator is unused
 for i in {1..10}; do sleep 1; echo -n "."; done
From 009fce5ceceedd9dbadf01f985993c95cadaf267 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 22 Jan 2024 14:49:27 -0500 Subject: [PATCH 072/251] improve filenames and error handling --- scripts/debug.bash | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-)
diff --git a/scripts/debug.bash b/scripts/debug.bash
index 449e5e92..43588f39 100755
--- a/scripts/debug.bash
+++ b/scripts/debug.bash
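Review bot: With stderr no longer swallowed, `cat "/proc/${ZET_PID}/stack" > …` still runs under the script's `set -o errexit` (visible in the 062 hunk), so the permission-denied case the commit message calls legitimate now terminates debug.bash inside the loop, before the tarball and upload steps, instead of merely showing the error. The gdb step earlier in main() already handles its own failure with `|| echo "WARN: gdb backtrace timed out" >&2`; the same shape fits here: `cat "/proc/${ZET_PID}/stack" > "./stack/…" || echo "WARN: cannot read /proc/${ZET_PID}/stack" >&2`. If this loop sits inside a `set +e` subshell like the resolved and host-info blocks, the point does not apply; main() starts outside the hunk.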
@@ -77,8 +77,11 @@ main() { # save the call stack at intervals BTRACE_COUNT=1 - BTRACE_MAX=10 - until [[ "${BTRACE_COUNT}" -gt "${BTRACE_MAX}" ]] + # allow parent env to override max count + : "${BTRACE_MAX:=10}" + BTRACE_MAX_LEN=$(( $(wc -c <<< "${BTRACE_MAX}") - 1 )) + # compare decimal form of iterator to decimal max + until [[ "10#${BTRACE_COUNT}" -gt "${BTRACE_MAX}" ]] do # save the threads and backtrace timeout --kill-after=1s 3s \ @@ -90,11 +93,14 @@ main() { --ex "info threads" \ --ex "thread apply all backtrace" \ --ex "quit" \ - &> "./backtrace/${BTRACE_COUNT}_of_${BTRACE_MAX}-$(date -u +'%Y-%m-%dT%H:%M:%SZ').backtrace" \ + > "./backtrace/${BTRACE_COUNT}_of_${BTRACE_MAX}-$(date -u +'%Y-%m-%dT%H:%M:%SZ').backtrace" \ || echo "WARN: gdb backtrace timed out" >&2 echo -n "." sleep 1 - (( BTRACE_COUNT++ )) + # increment decimal form of iterator + BTRACE_COUNT=$((10#${BTRACE_COUNT} + 1)) + # pad the decimal form of iterator for filename sorting + BTRACE_COUNT=$(printf "%0${BTRACE_MAX_LEN}d" "${BTRACE_COUNT}") done # save 10s of strace calls @@ -116,15 +122,22 @@ main() { # save the call stack at intervals STACK_COUNT=1 - STACK_MAX=3 - until [[ "${STACK_COUNT}" -gt "${STACK_MAX}" ]] + # allow parent env to override max count + : "${STACK_MAX:=3}" + # find width of decimal max + STACK_MAX_LEN=$(( $(wc -c <<< "${STACK_MAX}") - 1 )) + # compare decimal form of iterator to decimal max + until [[ "10#${STACK_COUNT}" -gt "${STACK_MAX}" ]] do cat "/proc/${ZET_PID}/stack" \ > "./stack/${STACK_COUNT}_of_${STACK_MAX}-$(date -u +'%Y-%m-%dT%H:%M:%SZ').stack" echo -n "." # shellcheck disable=SC2034 # iterator is unused for i in {1..10}; do sleep 1; echo -n "."; done - (( STACK_COUNT++ )) + # increment decimal form of iterator + STACK_COUNT=$((10#${STACK_COUNT} + 1)) + # pad the decimal form of iterator for filename sorting + STACK_COUNT=$(printf "%0${STACK_MAX_LEN}d" "${STACK_COUNT}") done # save the identity status dumps 
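Review bot: `: "${BTRACE_MAX:=10}"` and `: "${STACK_MAX:=3}"` take the loop bounds from the caller's environment but never check that they are integers; a value such as `abc` makes `[[ "10#${BTRACE_COUNT}" -gt "${BTRACE_MAX}" ]]` evaluate `abc` as an arithmetic expression rather than a count, and `printf "%0${BTRACE_MAX_LEN}d"` gets a width derived from the string's length, so the bundle silently ends up with fewer captures than intended. One check after each default covers it: `[[ "${BTRACE_MAX}" =~ ^[1-9][0-9]*$ ]] || { echo "ERROR: BTRACE_MAX must be a positive integer" >&2; exit 1; }`, and the same for STACK_MAX in the third hunk. Since the usage line documents running under sudo, a comment that these overrides only reach the script when sudo preserves them would save a confused user. main() starts outside the hunks.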
From ad61167d083875cc5bc780fdce3e850da0901225 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 22 Jan 2024 14:56:56 -0500 Subject: [PATCH 073/251] set sysroot / to prevent gdb from attempting to resolve the source code location of kernel calls --- scripts/debug.bash | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/scripts/debug.bash b/scripts/debug.bash
index 43588f39..25a05203 100755
--- a/scripts/debug.bash
+++ b/scripts/debug.bash
@@ -88,12 +88,13 @@ main() {
 gdb /opt/openziti/bin/ziti-edge-tunnel \
 --pid "${ZET_PID}" \
 --batch \
+ --ex "set sysroot /" \
 --ex "set verbose on" \
 --ex "set pagination off" \
 --ex "info threads" \
 --ex "thread apply all backtrace" \
 --ex "quit" \
- > "./backtrace/${BTRACE_COUNT}_of_${BTRACE_MAX}-$(date -u +'%Y-%m-%dT%H:%M:%SZ').backtrace" \
+ &> "./backtrace/${BTRACE_COUNT}_of_${BTRACE_MAX}-$(date -u +'%Y-%m-%dT%H:%M:%SZ').backtrace" \
 || echo "WARN: gdb backtrace timed out" >&2
 echo -n "."
 sleep 1
From 9213b2c4ba20c401596811439c0a99bb4cf90735 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 22 Jan 2024 16:13:52 -0500 Subject: [PATCH 074/251] notify and direct the user to install undeclared dependencies instead of informing them about an error --- scripts/debug.bash | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/debug.bash b/scripts/debug.bash
index 25a05203..0cc77f2e 100755
--- a/scripts/debug.bash
+++ b/scripts/debug.bash
@@ -10,7 +10,7 @@ set -o pipefail
 
 checkCommand() {
 if ! command -v "$1" &>/dev/null; then
- echo "ERROR: this script requires command '$1'. Please install on the search PATH and try again." >&2
+ echo "NOTICE: install '$1' and try again." >&2
 $1
 fi
 }
From 52e5244a12141eca3e7cabb1c59f1c424de43b1f Mon Sep 17 00:00:00 2001
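Review bot: The rewritten checkCommand still stops the script by executing the missing command, the bare `$1` after the echo, and relies on the resulting status plus `set -o errexit` to end the run; that reads as an accident rather than a design, and a reader has to know both facts to see why the function never returns. An explicit `exit 127` in place of `$1` states the intent in one token, and a short comment on the NOTICE line, `# fail fast: the caller cannot continue without this tool`, would spare the next maintainer the same question.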
From: Kenneth Bingham Date: Mon, 22 Jan 2024 18:37:04 -0500 Subject: [PATCH 075/251] clean up the installed service unit file to avoid confusion --- .../package/CPackPackage.cmake | 78 +++++++++---------- .../ziti-edge-tunnel/package/deb/postinst.in | 20 ++++- .../ziti-edge-tunnel/package/deb/postrm.in | 14 ++-- .../ziti-edge-tunnel/package/rpm/post.sh.in | 16 +++- .../ziti-edge-tunnel/package/rpm/postun.sh.in | 6 +- .../package/systemd/ziti-edge-tunnel.env.in | 6 ++ 6 files changed, 88 insertions(+), 52 deletions(-) diff --git a/programs/ziti-edge-tunnel/package/CPackPackage.cmake b/programs/ziti-edge-tunnel/package/CPackPackage.cmake index 5f1dc7b0..7a3274e1 100644 --- a/programs/ziti-edge-tunnel/package/CPackPackage.cmake +++ b/programs/ziti-edge-tunnel/package/CPackPackage.cmake @@ -103,7 +103,6 @@ install(FILES "${INSTALL_OUT_DIR}/${SYSTEMD_UNIT_FILE_NAME}" DESTINATION "${CPACK_SHARE_DIR}" COMPONENT "${COMPONENT_NAME}") - install(FILES "${INSTALL_OUT_DIR}/${SYSTEMD_EXECSTARTPRE}" DESTINATION "${CPACK_BIN_DIR}" PERMISSIONS 
@@ -131,46 +130,45 @@ install(FILES "${CMAKE_SOURCE_DIR}/scripts/debug.bash" GROUP_EXECUTE GROUP_READ) if("RPM" IN_LIST CPACK_GENERATOR) - set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION "/usr/share/polkit-1/rules.d") - - set(RPM_IN_DIR "${PACKAGING_BASE}/rpm") - set(RPM_PRE_INSTALL_IN "${RPM_IN_DIR}/pre.sh.in") - set(RPM_POST_INSTALL_IN "${RPM_IN_DIR}/post.sh.in") - set(RPM_PRE_UNINSTALL_IN "${RPM_IN_DIR}/preun.sh.in") - set(RPM_POST_UNINSTALL_IN "${RPM_IN_DIR}/postun.sh.in") - - set(CPACK_RPM_PRE_INSTALL "${INSTALL_OUT_DIR}/pre.sh") - set(CPACK_RPM_POST_INSTALL "${INSTALL_OUT_DIR}/post.sh") - set(CPACK_RPM_PRE_UNINSTALL "${INSTALL_OUT_DIR}/preun.sh") - set(CPACK_RPM_POST_UNINSTALL "${INSTALL_OUT_DIR}/postun.sh") - - configure_file("${RPM_PRE_INSTALL_IN}" "${CPACK_RPM_PRE_INSTALL}" @ONLY) - configure_file("${RPM_POST_INSTALL_IN}" "${CPACK_RPM_POST_INSTALL}" @ONLY) - configure_file("${RPM_PRE_UNINSTALL_IN}" "${CPACK_RPM_PRE_UNINSTALL}" @ONLY) - configure_file("${RPM_POST_UNINSTALL_IN}" "${CPACK_RPM_POST_UNINSTALL}" @ONLY) + set(CPACK_RPM_EXCLUDE_FROM_AUTO_FILELIST_ADDITION "/usr/share/polkit-1/rules.d") + + set(RPM_IN_DIR "${PACKAGING_BASE}/rpm") + set(RPM_PRE_INSTALL_IN "${RPM_IN_DIR}/pre.sh.in") + set(RPM_POST_INSTALL_IN "${RPM_IN_DIR}/post.sh.in") + set(RPM_PRE_UNINSTALL_IN "${RPM_IN_DIR}/preun.sh.in") + set(RPM_POST_UNINSTALL_IN "${RPM_IN_DIR}/postun.sh.in") + + set(CPACK_RPM_PRE_INSTALL "${INSTALL_OUT_DIR}/pre.sh") + set(CPACK_RPM_POST_INSTALL "${INSTALL_OUT_DIR}/post.sh") + set(CPACK_RPM_PRE_UNINSTALL "${INSTALL_OUT_DIR}/preun.sh") + set(CPACK_RPM_POST_UNINSTALL "${INSTALL_OUT_DIR}/postun.sh") + + configure_file("${RPM_PRE_INSTALL_IN}" "${CPACK_RPM_PRE_INSTALL}" @ONLY) + configure_file("${RPM_POST_INSTALL_IN}" "${CPACK_RPM_POST_INSTALL}" @ONLY) + configure_file("${RPM_PRE_UNINSTALL_IN}" "${CPACK_RPM_PRE_UNINSTALL}" @ONLY) + configure_file("${RPM_POST_UNINSTALL_IN}" "${CPACK_RPM_POST_UNINSTALL}" @ONLY) endif() if("DEB" IN_LIST CPACK_GENERATOR) - - 
set(DEB_IN_DIR "${PACKAGING_BASE}/deb") - set(DEB_CONFFILES_IN "${DEB_IN_DIR}/conffiles.in") - set(DEB_PRE_INSTALL_IN "${DEB_IN_DIR}/preinst.in") - set(DEB_POST_INSTALL_IN "${DEB_IN_DIR}/postinst.in") - set(DEB_PRE_UNINSTALL_IN "${DEB_IN_DIR}/prerm.in") - set(DEB_POST_UNINSTALL_IN "${DEB_IN_DIR}/postrm.in") - set(DEB_TEMPLATES_IN "${DEB_IN_DIR}/templates.in") - - set(CPACK_DEB_CONFFILES "${INSTALL_OUT_DIR}/conffiles") - set(CPACK_DEB_PRE_INSTALL "${INSTALL_OUT_DIR}/preinst") - set(CPACK_DEB_POST_INSTALL "${INSTALL_OUT_DIR}/postinst") - set(CPACK_DEB_PRE_UNINSTALL "${INSTALL_OUT_DIR}/prerm") - set(CPACK_DEB_POST_UNINSTALL "${INSTALL_OUT_DIR}/postrm") - set(CPACK_DEB_TEMPLATES "${INSTALL_OUT_DIR}/templates") - - configure_file("${DEB_CONFFILES_IN}" "${CPACK_DEB_CONFFILES}" @ONLY) - configure_file("${DEB_PRE_INSTALL_IN}" "${CPACK_DEB_PRE_INSTALL}" @ONLY) - configure_file("${DEB_POST_INSTALL_IN}" "${CPACK_DEB_POST_INSTALL}" @ONLY) - configure_file("${DEB_PRE_UNINSTALL_IN}" "${CPACK_DEB_PRE_UNINSTALL}" @ONLY) - configure_file("${DEB_POST_UNINSTALL_IN}" "${CPACK_DEB_POST_UNINSTALL}" @ONLY) - configure_file("${DEB_TEMPLATES_IN}" "${CPACK_DEB_TEMPLATES}" @ONLY) + set(DEB_IN_DIR "${PACKAGING_BASE}/deb") + set(DEB_CONFFILES_IN "${DEB_IN_DIR}/conffiles.in") + set(DEB_PRE_INSTALL_IN "${DEB_IN_DIR}/preinst.in") + set(DEB_POST_INSTALL_IN "${DEB_IN_DIR}/postinst.in") + set(DEB_PRE_UNINSTALL_IN "${DEB_IN_DIR}/prerm.in") + set(DEB_POST_UNINSTALL_IN "${DEB_IN_DIR}/postrm.in") + set(DEB_TEMPLATES_IN "${DEB_IN_DIR}/templates.in") + + set(CPACK_DEB_CONFFILES "${INSTALL_OUT_DIR}/conffiles") + set(CPACK_DEB_PRE_INSTALL "${INSTALL_OUT_DIR}/preinst") + set(CPACK_DEB_POST_INSTALL "${INSTALL_OUT_DIR}/postinst") + set(CPACK_DEB_PRE_UNINSTALL "${INSTALL_OUT_DIR}/prerm") + set(CPACK_DEB_POST_UNINSTALL "${INSTALL_OUT_DIR}/postrm") + set(CPACK_DEB_TEMPLATES "${INSTALL_OUT_DIR}/templates") + + configure_file("${DEB_CONFFILES_IN}" "${CPACK_DEB_CONFFILES}" @ONLY) + 
configure_file("${DEB_PRE_INSTALL_IN}" "${CPACK_DEB_PRE_INSTALL}" @ONLY) + configure_file("${DEB_POST_INSTALL_IN}" "${CPACK_DEB_POST_INSTALL}" @ONLY) + configure_file("${DEB_PRE_UNINSTALL_IN}" "${CPACK_DEB_PRE_UNINSTALL}" @ONLY) + configure_file("${DEB_POST_UNINSTALL_IN}" "${CPACK_DEB_POST_UNINSTALL}" @ONLY) + configure_file("${DEB_TEMPLATES_IN}" "${CPACK_DEB_TEMPLATES}" @ONLY) endif() diff --git a/programs/ziti-edge-tunnel/package/deb/postinst.in b/programs/ziti-edge-tunnel/package/deb/postinst.in index f2c465b1..7705ab26 100644 --- a/programs/ziti-edge-tunnel/package/deb/postinst.in +++ b/programs/ziti-edge-tunnel/package/deb/postinst.in 
@@ -1,10 +1,24 @@ -ln -sf @CPACK_BIN_DIR@/@CPACK_PACKAGE_NAME@ /usr/bin/@CPACK_PACKAGE_NAME@ -install -m 644 @CPACK_SHARE_DIR@/@SYSTEMD_UNIT_FILE_NAME@ @SYSTEMD_UNIT_DIR@/@SYSTEMD_UNIT_FILE_NAME@ +# always place a symlink to the installed executable in /usr/bin +ln -sfn @CPACK_BIN_DIR@/@CPACK_PACKAGE_NAME@ /usr/bin/@CPACK_PACKAGE_NAME@ + +# copy the unit file to the systemd unit directory as a regular file; buffer stderr together with stdout to avoid +# confusing output line order where stderr appears after subsequent command's stdout; this also seems to influence order +# of operations in an important way because, when stdout and stderr are buffered independently, the install command +# always reports an error as if the subsequent ln command had already succeeded: "install: +# '/opt/openziti/share/ziti-edge-tunnel.service' and '/lib/systemd/system/ziti-edge-tunnel.service' are the same file" +install -m 644 @CPACK_SHARE_DIR@/@SYSTEMD_UNIT_FILE_NAME@ @SYSTEMD_UNIT_DIR@/@SYSTEMD_UNIT_FILE_NAME@ 2>&1 + +# delete the old copy of the unit file to reduce confusion; this has the downside of an error during dpkg remove +# operation because this file was specified to be installed with this package and no longer exists; modifying the file +# with an explanation or warning or link is an alternative to removing it, but it would only work for this deb, not the +# rpm, artifact of this build because rpm creates unwanted *.rpmsave backups of files that were modified after the +# specified version was installed +unlink @CPACK_SHARE_DIR@/@SYSTEMD_UNIT_FILE_NAME@ # Source debconf library. . /usr/share/debconf/confmodule -# Add user `ziti' +# ensure user `ziti' exists if install or upgrade if [ "$1" = "configure" ]; then # create user / group # systemd-sysusers isn't on xenial, possibly others? test and fall back to useradd as a last ditch diff --git a/programs/ziti-edge-tunnel/package/deb/postrm.in b/programs/ziti-edge-tunnel/package/deb/postrm.in index 755f1f5f..2e1eaba1 100644 
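Review bot: The `install -m 644 ... 2>&1` line still fails with "are the same file" whenever `@SYSTEMD_UNIT_DIR@/@SYSTEMD_UNIT_FILE_NAME@` is a symlink back to the share copy, which the `-L` test being removed from postrm in the next file shows earlier packages created; redirecting stderr changes where the message goes, not the outcome, so the comment's theory about buffering and operation order should go, and the stale link should be removed before the copy: `if [ -L @SYSTEMD_UNIT_DIR@/@SYSTEMD_UNIT_FILE_NAME@ ]; then unlink @SYSTEMD_UNIT_DIR@/@SYSTEMD_UNIT_FILE_NAME@; fi`. Separately, `unlink @CPACK_SHARE_DIR@/@SYSTEMD_UNIT_FILE_NAME@` has no existence guard, so a second run of postinst configure (dpkg-reconfigure, or a retried failed configure) fails on the already-removed file if the script runs with `-e`; `rm -f` is the idempotent form. The rest of postinst continues outside the hunk.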
--- a/programs/ziti-edge-tunnel/package/deb/postrm.in +++ b/programs/ziti-edge-tunnel/package/deb/postrm.in @@ -13,7 +13,13 @@ if [ "$1" = "purge" ]; then fi # End copied section -if [ -L @SYSTEMD_UNIT_DIR@/@SYSTEMD_UNIT_FILE_NAME@ ]; then +# delete the symlink to the executable that was created by the postinst scriptlet +if [ -L /usr/bin/@CPACK_PACKAGE_NAME@ ]; then + unlink /usr/bin/@CPACK_PACKAGE_NAME@ +fi + +# delete the regular file of the service unit that was copied by the postinst scriptlet +if [ -e @SYSTEMD_UNIT_DIR@/@SYSTEMD_UNIT_FILE_NAME@ ]; then unlink @SYSTEMD_UNIT_DIR@/@SYSTEMD_UNIT_FILE_NAME@ fi @@ -23,10 +29,6 @@ if [ -d /run/systemd/system ]; then fi # End copied section -if [ -L /usr/bin/@CPACK_PACKAGE_NAME@ ]; then - unlink /usr/bin/@CPACK_PACKAGE_NAME@ -fi - if [ -e /usr/share/debconf/confmodule ]; then # Source debconf library. . /usr/share/debconf/confmodule @@ -46,7 +48,7 @@ fi ### ### Unlikely all files and directories were removed. ### Some of the unremoved files and directories are likely owned by `ziti' user or group. -### Conseequently, don't remove 'ziti` user and group as it will strand the files +### Consequently, don't remove 'ziti` user and group as it will strand the files ### #if [ "$1" = "purge" ]; then # if command -v deluser >/dev/null; then diff --git a/programs/ziti-edge-tunnel/package/rpm/post.sh.in b/programs/ziti-edge-tunnel/package/rpm/post.sh.in index 6f7819a5..280ec458 100644 --- a/programs/ziti-edge-tunnel/package/rpm/post.sh.in +++ b/programs/ziti-edge-tunnel/package/rpm/post.sh.in 
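Review bot: The new deletions of `/usr/bin/@CPACK_PACKAGE_NAME@` and `@SYSTEMD_UNIT_DIR@/@SYSTEMD_UNIT_FILE_NAME@` in the first hunk sit outside any test of `$1`, so they run for every postrm action dpkg invokes, including `upgrade`, where the old version's postrm executes before the new version's postinst re-creates both files; neither is shipped in the package, so during that window the running service's unit file and the command symlink are absent (how the `daemon-reload` in the copied section interacts with that window is not visible here). Limiting the deletions to real removal, `if [ "$1" = "remove" ] || [ "$1" = "purge" ]; then` around both blocks, keeps upgrades from touching a live unit.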
@@ -1,8 +1,20 @@ SYSTEMD_SERVICE_NAME=@SYSTEMD_SERVICE_NAME@ SYSTEMD_UNIT_FILE_NAME=@SYSTEMD_UNIT_FILE_NAME@ -if [ $1 -eq 1 ]; then + +# if not 0 (uninstall) then 1 or 2 (initial or upgrade) +if [ $1 -ne 0 ]; then [ -d @CPACK_ETC_DIR@ ] || %{__mkdir} @CPACK_ETC_DIR@ - %{__install} -m 644 @CPACK_SHARE_DIR@/$SYSTEMD_UNIT_FILE_NAME %{_unitdir}/$SYSTEMD_UNIT_FILE_NAME + + # place a symlink in /usr/bin targeting the installed binary + ln -sfn @CPACK_BIN_DIR@/@CPACK_PACKAGE_NAME@ /usr/bin/@CPACK_PACKAGE_NAME@ + + # copy the unit file to the systemd unit directory as a regular file + %{__install} -m 644 @CPACK_SHARE_DIR@/$SYSTEMD_UNIT_FILE_NAME %{_unitdir}/$SYSTEMD_UNIT_FILE_NAME 2>&1 + + # delete the old copy of the unit file to reduce confusion; modifying the file with an explanation or warning or + # link is an alternative to removing it, but that causes unwanted *.rpmsave backups since it is then presumed to be + # a user modification + unlink @CPACK_SHARE_DIR@/$SYSTEMD_UNIT_FILE_NAME fi %systemd_post $SYSTEMD_SERVICE_NAME diff --git a/programs/ziti-edge-tunnel/package/rpm/postun.sh.in b/programs/ziti-edge-tunnel/package/rpm/postun.sh.in index 6f7f90be..81a9b103 100644 --- a/programs/ziti-edge-tunnel/package/rpm/postun.sh.in +++ b/programs/ziti-edge-tunnel/package/rpm/postun.sh.in @@ -5,5 +5,9 @@ systemctl daemon-reload >/dev/null 2>&1 || : %systemd_postun_with_restart ${SYSTEMD_SERVICE_NAME} if [ $1 -eq 0 ]; then - rm %{_unitdir}/${SYSTEMD_UNIT_FILE_NAME} + # delete the symlink to the executable that was created by the post scriptlet + unlink /usr/bin/$SYSTEMD_SERVICE_NAME + + # delete the regular file of the service unit that was copied by the post scriptlet + unlink %{_unitdir}/${SYSTEMD_UNIT_FILE_NAME} fi diff --git a/programs/ziti-edge-tunnel/package/systemd/ziti-edge-tunnel.env.in b/programs/ziti-edge-tunnel/package/systemd/ziti-edge-tunnel.env.in index 5ff6e32d..b4abce72 100644 --- a/programs/ziti-edge-tunnel/package/systemd/ziti-edge-tunnel.env.in 
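Review bot: The new `ln -sfn`, `%{__install}` and `unlink` lines in %post carry no failure handling, unlike the `chown`/`chmod` lines elsewhere in this file that end in `|| :` (visible in the patch 076 hunk below), so any failure — `/usr/bin/@CPACK_PACKAGE_NAME@` existing as a directory, or the share copy already gone on a re-run — aborts the scriptlet before `%systemd_post` is reached. Either append `|| :` consistently or make the steps idempotent (`rm -f` instead of `unlink`). Note also that `unlink` removes a file the rpm manifest still lists (it is installed via `install(FILES ...)` in CPackPackage.cmake above), so `rpm -V` will report it missing; the comment explains the trade-off but a packager-facing note such as `# NOTE: rpm -V reports this file as missing by design` would save the next reader a search.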
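Review bot: In postun.sh.in the added `unlink /usr/bin/$SYSTEMD_SERVICE_NAME` removes a different path than post.sh.in creates (`/usr/bin/@CPACK_PACKAGE_NAME@`); unless the two tokens always expand to the same name the symlink is orphaned and the failing `unlink`, being the last command in the block, ends the scriptlet with a non-zero status. Use the same token, `unlink /usr/bin/@CPACK_PACKAGE_NAME@`, and guard both deletions the way the deb postrm does, `[ -L /usr/bin/@CPACK_PACKAGE_NAME@ ] && unlink ... || :`, so an uninstall never fails on cleanup.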
+++ b/programs/ziti-edge-tunnel/package/systemd/ziti-edge-tunnel.env.in @@ -1,3 +1,9 @@ +# all enrollment tokens named *.jwt are consumed and replaced with identity JSON files to be loaded at startup ZITI_IDENTITY_DIR='@ZITI_IDENTITY_DIR@' + +# reserved dynamic IP range for proxied services ZITI_DNS_IP_RANGE='100.64.0.1/10' + +# the log level specified in @ZITI_STATE_DIR@/config.json has higher precedence than this env var; delete or modify that +# file or set via IPC "ziti-edge-tunnel set_log_level --loglevel DEBUG" ZITI_VERBOSE=2 From 999db2e85ff3a4ee66e3d5c34d9987883608b918 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Tue, 23 Jan 2024 19:50:27 -0500 Subject: [PATCH 076/251] grant read perm on ziti identities to members of group 'ziti' --- programs/ziti-edge-tunnel/package/deb/postinst.in | 2 +- programs/ziti-edge-tunnel/package/rpm/post.sh.in | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/programs/ziti-edge-tunnel/package/deb/postinst.in b/programs/ziti-edge-tunnel/package/deb/postinst.in index f2c465b1..504258de 100644 --- a/programs/ziti-edge-tunnel/package/deb/postinst.in +++ b/programs/ziti-edge-tunnel/package/deb/postinst.in @@ -28,7 +28,7 @@ if [ "$1" = "configure" ]; then chown root:ziti "@ZITI_IDENTITY_DIR@" chmod 0770 "@ZITI_IDENTITY_DIR@" - find "@ZITI_IDENTITY_DIR@" -maxdepth 1 -name "*.json" -type f -exec chown ziti:ziti "{}" + -exec chmod 0400 "{}" + + find "@ZITI_IDENTITY_DIR@" -maxdepth 1 -name "*.json" -type f -exec chown ziti:ziti "{}" + -exec chmod 0440 "{}" + # sort ascending the installed and max policykit versions, saving the highest version, so we # can ensure the installed version is less than the max version diff --git a/programs/ziti-edge-tunnel/package/rpm/post.sh.in b/programs/ziti-edge-tunnel/package/rpm/post.sh.in index 6f7819a5..315d2cea 100644 --- a/programs/ziti-edge-tunnel/package/rpm/post.sh.in +++ b/programs/ziti-edge-tunnel/package/rpm/post.sh.in 
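Review bot: Changing the identity files from 0400 to 0440 — here and in the rpm hunk that follows — extends read access on the identity JSON to every member of group `ziti`, and the directory is already `0770` for that group; the env-file comment above says these files replace consumed enrollment tokens, so they are credential material for the enrolled identity (whether they embed a private key is not visible here, but it is the usual case). That is a deliberate widening, so the commit should state who is expected to be in `ziti` and the maintainer scripts should never add users to it implicitly; a comment above the `find` such as `# 0440: members of group 'ziti' may read identities; keep that group's membership minimal` records the intent for the next maintainer.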
@@ -13,7 +13,7 @@ chmod -R u=rwX,g=rwX,o= "@ZITI_STATE_DIR@" || : chown root:ziti "@ZITI_IDENTITY_DIR@" || : chmod 0770 "@ZITI_IDENTITY_DIR@" || : -find "@ZITI_IDENTITY_DIR@" -maxdepth 1 -name "*.json" -type f -exec chown ziti:ziti "{}" + -exec chmod 0400 "{}" + || : +find "@ZITI_IDENTITY_DIR@" -maxdepth 1 -name "*.json" -type f -exec chown ziti:ziti "{}" + -exec chmod 0440 "{}" + || : # remove socket files that were created by older ziti-edge-tunnel versions rm -f /tmp/ziti-edge-tunnel.sock /tmp/ziti-edge-tunnel-event.sock From 71094db7d54469bfd70c0b7990df1de030b3b722 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Tue, 23 Jan 2024 19:52:47 -0500 Subject: [PATCH 077/251] update stale docs links --- BUILD.md | 17 +++++++++++------ CODE_OF_CONDUCT.md | 2 +- CONTRIBUTING.md | 2 +- README.md | 2 +- docker/README.md | 8 ++++---- .../package/CPackGenConfig.cmake | 2 +- 6 files changed, 19 insertions(+), 14 deletions(-) diff --git a/BUILD.md b/BUILD.md index fc7f9aaa..ffdcc08a 100644 --- a/BUILD.md +++ b/BUILD.md @@ -8,7 +8,7 @@ tool chain used. These steps should work properly for you but if your OS has var This repository expects the user to have at least a basic understanding of what a Ziti Network is. To use this library it is also required to have a functioning Ziti Network available to use. To learn more about what Ziti is or how to learn how to setup a Ziti Network head over to [the official documentation -site](https://openziti.github.io/ziti/overview.html). +site](https://openziti.io/). ### Building Requirements 
@@ -22,14 +22,15 @@ To setup vcpkg you'll need to clone the actual vcpkg repository. The first step It should be set to somewhere durable, such as wherever you check your projects into. The example commands below use $HOME/%USERPROFILE% but you should probably change this to your liking. -Linux/MacOS: +#### Linux or macOS * set/export an environment variable named `VCPKG_ROOT`. for example (use an appropriate location): `export VCPKG_ROOT=${HOME}/vcpkg` * create the directory: `mkdir -p ${VCPKG_ROOT}` * clone the vcpkg project: `git clone git@github.com:microsoft/vcpkg.git ${VCPKG_ROOT}` * run the bootstrap-vcpkg for your platform: `${VCPKG_ROOT}/bootstrap-vcpkg.sh` -Windows: +#### Windows + * set/export an environment variable named `VCPKG_ROOT`. for example (use an appropriate location): `SET VCPKG_ROOT=%USERPROFILE%\vcpkg` * create the directory: `mkdir %VCPKG_ROOT%` * clone the vcpkg project: `git clone git@github.com:microsoft/vcpkg.git %VCPKG_ROOT%` @@ -37,7 +38,7 @@ Windows: ## Building -Make sure you have setup vcpkg (see above). Building the SDK is accomplished with the following commands from the +Make sure you have set up vcpkg (see above). Building the SDK is accomplished with the following commands from the checkout root. Replace the `--preset` value with the one that matches your needs or create your own preset. You can run `cmake` from the checkout root with an `unknown` param passed to `--preset` to see the list of presets: `cmake --preset unknown ${ZITI_TUNNELER_SDK_C_ROOT}/.` 
@@ -147,9 +148,13 @@ threads your CPU has. You may also want to add that to your preset using the ## Docker Crossbuilder Image -The CI job which also runs the included `ziti-builder.sh` builds this project inside a Docker container. The script will run the necessary container image if needed. The container image has the tools to cross-compile for target architectures arm, arm64. This script works for Linux, macOS, and WSL2 on Windows. Arm architecture hosts will experience slower build times due to emulation of this x86_64 container image. +The CI job which also runs the included `ziti-builder.sh` builds the `ziti-edge-tunnel` binary inside a Docker +container. The script will run the necessary container image if needed. The container image has the tools to +cross-compile for target architectures arm, arm64. This script works for Linux, macOS, and WSL2 on Windows. Arm +architecture hosts will experience slower build times due to emulation of this x86_64 container image. -Without any arguments, the `ziti-builder.sh` script will build the `bundle` target with the `ci-linux-x64` (amd64) preset, placing the resulting ZIP archive in `./build/bundle`. +Without any arguments, the `ziti-builder.sh` script will build the `bundle` target with the `ci-linux-x64` (amd64) +preset, placing the resulting ZIP archive in `./build/bundle`. ```bash ./ziti-builder.sh diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md index 86c6a7c1..8c4b4228 100644 --- a/CODE_OF_CONDUCT.md +++ b/CODE_OF_CONDUCT.md @@ -1,4 +1,4 @@ # Code of Conduct -All open source projects managed by OpenZiti share a common [code of conduct](https://docs.openziti.io/policies/CODE_OF_CONDUCT.html) +All open source projects managed by OpenZiti share a common [code of conduct](https://openziti.io/policies/CODE_OF_CONDUCT.html) which all contributors are expected to follow. Please be sure you read, understand and adhere to the guidelines expressed therein. 
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 4862e51e..683885bf 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,6 +1,6 @@ # Contributing NetFoundry welcomes all and any contributions. All open source projects managed by NetFoundry share a common -[guide for contributions](https://docs.openziti.io/policies/CONTRIBUTING.html). +[guide for contributions](https://openziti.io/policies/CONTRIBUTING.html). If you are eager to contribute to a NetFoundry-managed open source project please read and act accordingly. diff --git a/README.md b/README.md index 68a0d6da..077b8070 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ that are useful to Ziti Tunnelers. ## What's a Ziti Tunneler? -[The main article about tunnellers is here](https://docs.openziti.io/docs/reference/tunnelers/linux/). Editors may follow the +[The main article about tunnellers is here](https://openziti.io/docs/reference/tunnelers/linux/). Editors may follow the "Edit this page" link on every page. ## What is the Ziti Tunneler SDK? diff --git a/docker/README.md b/docker/README.md index a84166e6..0d39bcd4 100644 --- a/docker/README.md +++ b/docker/README.md 
@@ -27,7 +27,7 @@ You may bind a host directory to the container filesystem in `/ziti-edge-tunnel` ## Use Case: Hosting OpenZiti Services -This use case involves deploying the OpenZiti tunneler as a reverse proxy to publish regular network servers to your OpenZiti Network. You may locate the published servers in a Docker bridge network (use network mode `bridge`) or the Docker host's network (use network mode `host`). See [the Linux tunneler doc](https://docs.openziti.io/docs/reference/tunnelers/linux/) for general info about the OpenZiti tunneler. Use the `openziti/ziti-host` container image for this case. +This use case involves deploying the OpenZiti tunneler as a reverse proxy to publish regular network servers to your OpenZiti Network. You may locate the published servers in a Docker bridge network (use network mode `bridge`) or the Docker host's network (use network mode `host`). See [the Linux tunneler doc](https://openziti.io/docs/reference/tunnelers/linux/) for general info about the OpenZiti tunneler. Use the `openziti/ziti-host` container image for this case. ### Container Image `openziti/ziti-host` @@ -195,7 +195,7 @@ volumes: #### Kubernetes Deployments for `openziti/ziti-host` -Refer to [the workload tunneling guides for Kubernetes](https://docs.openziti.io/docs/guides/kubernetes/workload-tunneling/). +Refer to [the workload tunneling guides for Kubernetes](https://openziti.io/docs/guides/kubernetes/workload-tunneling/). ## Use Case: Intercepting Proxy and Nameserver 
@@ -207,7 +207,7 @@ The "run" mode requires elevated privileges to configure the OS with a DNS resol This image runs `ziti-edge-tunnel run`, the intercepting proxy mode of the tunneler. The Red Hat 8 Universal Base Image (UBI) is the base image of this container. -See [the Linux tunneler doc](https://docs.openziti.io/docs/reference/tunnelers/linux/) for general info about the OpenZiti tunneler. +See [the Linux tunneler doc](https://openziti.io/docs/reference/tunnelers/linux/) for general info about the OpenZiti tunneler. #### Tags for `openziti/ziti-edge-tunnel` @@ -281,4 +281,4 @@ services: #### Kubernetes Deployments for `openziti/ziti-edge-tunnel` -Refer to [the workload tunneling guides for Kubernetes](https://docs.openziti.io/docs/guides/kubernetes/workload-tunneling/). +Refer to [the workload tunneling guides for Kubernetes](https://openziti.io/docs/guides/kubernetes/workload-tunneling/). diff --git a/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake b/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake index 8087ede2..77497067 100644 --- a/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake +++ b/programs/ziti-edge-tunnel/package/CPackGenConfig.cmake @@ -14,7 +14,7 @@ if(CPACK_GENERATOR MATCHES "RPM") set(CPACK_RPM_PACKAGE_LICENSE "Apache-2.0") set(CPACK_RPM_PACKAGE_RELEASE_DIST "OFF") set(CPACK_RPM_PACKAGE_SUMMARY "OpenZiti Edge Tunneling Software Client") - set(CPACK_RPM_PACKAGE_URL "https://openziti.github.io/") + set(CPACK_RPM_PACKAGE_URL "https://openziti.io/") set(CPACK_RPM_PRE_INSTALL_SCRIPT_FILE "${CPACK_RPM_PRE_INSTALL}") set(CPACK_RPM_POST_INSTALL_SCRIPT_FILE "${CPACK_RPM_POST_INSTALL}") From e9c1a8ef30e65e58acc015f1f27bea0aa9dc9d19 Mon Sep 17 00:00:00 2001 
From: Kenneth Bingham Date: Tue, 23 Jan 2024 19:54:36 -0500 Subject: [PATCH 078/251] stop emitting an error about stdin not being a tty when installing the package non-interactively --- programs/ziti-edge-tunnel/package/deb/postinst.in | 7 ++++++- programs/ziti-edge-tunnel/package/rpm/post.sh.in | 10 ++++++++-- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/programs/ziti-edge-tunnel/package/deb/postinst.in b/programs/ziti-edge-tunnel/package/deb/postinst.in index f2c465b1..b15015b8 100644 --- a/programs/ziti-edge-tunnel/package/deb/postinst.in +++ b/programs/ziti-edge-tunnel/package/deb/postinst.in @@ -91,7 +91,12 @@ fi # End copied section if [ "$1" = "configure" ]; then - ssize=$(tput cols) + # if interactive and stdin is a tty + if [ $DEBIAN_FRONTEND != "noninteractive" -a -t 0 ]; then + ssize=$(tput cols) + else + ssize=80 + fi printf '\n' printf %"$ssize"s | tr " " "-" echo "@SYSTEMD_SERVICE_NAME@ was installed..." diff --git a/programs/ziti-edge-tunnel/package/rpm/post.sh.in b/programs/ziti-edge-tunnel/package/rpm/post.sh.in index 6f7819a5..db028b2a 100644 --- a/programs/ziti-edge-tunnel/package/rpm/post.sh.in +++ b/programs/ziti-edge-tunnel/package/rpm/post.sh.in @@ -18,8 +18,14 @@ find "@ZITI_IDENTITY_DIR@" -maxdepth 1 -name "*.json" -type f -exec chown ziti:z # remove socket files that were created by older ziti-edge-tunnel versions rm -f /tmp/ziti-edge-tunnel.sock /tmp/ziti-edge-tunnel-event.sock -if [ $1 -eq 1 ]; then - ssize=$(tput cols) +# if not 0 (uninstall) then 1 or 2 (initial or upgrade) +if [ $1 -ne 0 ]; then + # if stdin is a tty + if [ -t 0 ]; then + ssize=$(tput cols) + else + ssize=80 + fi printf '\n' printf %"$ssize"s | tr " " "-" echo "$SYSTEMD_SERVICE_NAME was installed..." From edbe8a9188b388a84f15bfd4e5419301d6c679b6 Mon Sep 17 00:00:00 2001 
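Review bot: `[ $DEBIAN_FRONTEND != "noninteractive" -a -t 0 ]` misbehaves when DEBIAN_FRONTEND is unset, which is the ordinary interactive case: the unquoted expansion leaves `[ != "noninteractive" -a -t 0 ]`, which `test` rejects with a syntax error and evaluates as false, so the tty branch is never taken and an error line is printed during install. Quote and default the variable and drop the obsolescent `-a`: `if [ "${DEBIAN_FRONTEND:-}" != "noninteractive" ] && [ -t 0 ]; then`. In both this hunk and the rpm one, `ssize=$(tput cols)` can still fail on a tty with TERM unset, so `ssize=$(tput cols 2>/dev/null || echo 80)` preserves the fallback in that case too.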
From: Kenneth Bingham Date: Mon, 29 Jan 2024 10:08:12 -0500 Subject: [PATCH 079/251] identity JSON from env var has highest precedence > tmp identity from prior run if container paused and resumed, not stopped --- docker/docker-entrypoint.sh | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh index bd4cdb47..52cc663c 100755 --- a/docker/docker-entrypoint.sh +++ b/docker/docker-entrypoint.sh @@ -67,11 +67,9 @@ if [[ -n "${ZITI_IDENTITY_JSON:-}" ]]; then fi IDENTITY_FILE="${IDENTITIES_DIR}/${ZITI_IDENTITY_BASENAME}.json" if [[ -s "${IDENTITY_FILE}" ]]; then - echo "ERROR: refusing to clobber non-empty Ziti identity file ${IDENTITY_FILE} with contents of env var ZITI_IDENTITY_JSON!" >&2 - exit 1 - else - echo "${ZITI_IDENTITY_JSON}" > "${IDENTITIES_DIR}/${ZITI_IDENTITY_BASENAME}.json" + echo "WARN: clobbering non-empty Ziti identity file ${IDENTITY_FILE} with contents of env var ZITI_IDENTITY_JSON!" >&2 fi + echo "${ZITI_IDENTITY_JSON}" > "${IDENTITIES_DIR}/${ZITI_IDENTITY_BASENAME}.json" else # presumed to be a mountpoint for one or more identities IDENTITIES_DIR="/ziti-edge-tunnel" From 6d97cc93d94f23a88629c49b17213f10cc8dc7d2 Mon Sep 17 00:00:00 2001 From: ekoby <7406535+ekoby@users.noreply.github.com> Date: Tue, 13 Feb 2024 15:56:46 -0500 Subject: [PATCH 080/251] update ziti-sdk to v0.36.5 (#797) * update vcpkg baseline to 2023.12.12 * update ziti-sdk-c@0.36.5 --------- Co-authored-by: Shawn Carey --- .github/actions/build/action.yml | 4 ++-- .../redhat-7/Dockerfile | 2 +- .../redhat-8/Dockerfile | 2 +- .../redhat-9/Dockerfile | 2 +- .../ubuntu-16.04/Dockerfile | 2 +- .../ubuntu-18.04/Dockerfile | 2 +- .../ubuntu-20.04/Dockerfile | 2 +- .../ubuntu-22.04/Dockerfile | 2 +- CMakeLists.txt | 15 +-------------- lib/ziti-tunnel/CMakeLists.txt | 1 - programs/tests/CMakeLists.txt | 18 +++++++++++++++++- vcpkg.json | 2 +- 12 files changed, 28 insertions(+), 26 deletions(-) 
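Review bot: The write on the last added line uses `echo` on the raw JSON and rebuilds the path instead of reusing `IDENTITY_FILE`, defined two lines above from the same components; `echo` may interpret backslash sequences depending on shell options, so `printf '%s\n' "${ZITI_IDENTITY_JSON}" > "${IDENTITY_FILE}"` is the faithful form. Since this now deliberately overwrites an existing identity, the file also deserves an explicit mode: it is created with the process umask, and if the JSON carries private key material (likely for an identity file, not visible here) a world-readable copy in a shared mount is avoidable with `(umask 077; printf '%s\n' "${ZITI_IDENTITY_JSON}" > "${IDENTITY_FILE}")`. The enclosing if/else continues outside the hunk.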
diff --git a/.github/actions/build/action.yml b/.github/actions/build/action.yml index 25707e8b..a2151976 100644 --- a/.github/actions/build/action.yml +++ b/.github/actions/build/action.yml @@ -29,9 +29,9 @@ runs: - uses: lukka/run-vcpkg@v10 with: - # use 2023.06.20 vcpkg baseline, + # use 2023.12.12 vcpkg baseline, # see https://learn.microsoft.com/en-us/vcpkg/users/examples/versioning.getting-started#builtin-baseline - vcpkgGitCommitId: 'f6a5d4e8eb7476b8d7fc12a56dff300c1c986131' + vcpkgGitCommitId: 'c8696863d371ab7f46e213d8f5ca923c4aef2a00' - uses: lukka/run-cmake@v10.6 # pin version to avoid failed glibc dependency on ubuntu 20 runners. go back to @latest when ubuntu 22+ is adopted for runner os. name: Configure CMake diff --git a/.github/actions/openziti-tunnel-build-action/redhat-7/Dockerfile b/.github/actions/openziti-tunnel-build-action/redhat-7/Dockerfile index cae01f04..ec3719cd 100644 --- a/.github/actions/openziti-tunnel-build-action/redhat-7/Dockerfile +++ b/.github/actions/openziti-tunnel-build-action/redhat-7/Dockerfile @@ -39,7 +39,7 @@ ENV VCPKG_ROOT=/usr/local/vcpkg ENV VCPKG_FORCE_SYSTEM_BINARIES=yes RUN cd /usr/local \ - && git clone --branch 2023.06.20 https://github.com/microsoft/vcpkg \ + && git clone --branch 2023.12.12 https://github.com/microsoft/vcpkg \ && ./vcpkg/bootstrap-vcpkg.sh -disableMetrics COPY ./entrypoint.sh /root/ diff --git a/.github/actions/openziti-tunnel-build-action/redhat-8/Dockerfile b/.github/actions/openziti-tunnel-build-action/redhat-8/Dockerfile index b1f5695a..03adcc9b 100644 --- a/.github/actions/openziti-tunnel-build-action/redhat-8/Dockerfile +++ b/.github/actions/openziti-tunnel-build-action/redhat-8/Dockerfile 
@@ -42,7 +42,7 @@ ENV VCPKG_ROOT=/usr/local/vcpkg ENV VCPKG_FORCE_SYSTEM_BINARIES=yes RUN cd /usr/local \ - && git clone --branch 2023.06.20 https://github.com/microsoft/vcpkg \ + && git clone --branch 2023.12.12 https://github.com/microsoft/vcpkg \ && ./vcpkg/bootstrap-vcpkg.sh -disableMetrics WORKDIR /github/workspace diff --git a/.github/actions/openziti-tunnel-build-action/redhat-9/Dockerfile b/.github/actions/openziti-tunnel-build-action/redhat-9/Dockerfile index c089216e..4dcc19f8 100644 --- a/.github/actions/openziti-tunnel-build-action/redhat-9/Dockerfile +++ b/.github/actions/openziti-tunnel-build-action/redhat-9/Dockerfile @@ -43,7 +43,7 @@ ENV VCPKG_ROOT=/usr/local/vcpkg ENV VCPKG_FORCE_SYSTEM_BINARIES=yes RUN cd /usr/local \ - && git clone --branch 2023.06.20 https://github.com/microsoft/vcpkg \ + && git clone --branch 2023.12.12 https://github.com/microsoft/vcpkg \ && ./vcpkg/bootstrap-vcpkg.sh -disableMetrics \ && chmod -R ugo+rwX /usr/local/vcpkg diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-16.04/Dockerfile b/.github/actions/openziti-tunnel-build-action/ubuntu-16.04/Dockerfile index 43201d0e..1734cc1a 100644 --- a/.github/actions/openziti-tunnel-build-action/ubuntu-16.04/Dockerfile +++ b/.github/actions/openziti-tunnel-build-action/ubuntu-16.04/Dockerfile @@ -41,7 +41,7 @@ ENV VCPKG_FORCE_SYSTEM_BINARIES=yes RUN cd /usr/local \ && git config --global advice.detachedHead false \ - && git clone --branch 2023.06.20 https://github.com/microsoft/vcpkg \ + && git clone --branch 2023.12.12 https://github.com/microsoft/vcpkg \ && ./vcpkg/bootstrap-vcpkg.sh -disableMetrics WORKDIR /github/workspace diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-18.04/Dockerfile b/.github/actions/openziti-tunnel-build-action/ubuntu-18.04/Dockerfile index fbd91f9f..738004c6 100644 --- a/.github/actions/openziti-tunnel-build-action/ubuntu-18.04/Dockerfile +++ b/.github/actions/openziti-tunnel-build-action/ubuntu-18.04/Dockerfile 
@@ -54,7 +54,7 @@ ENV VCPKG_FORCE_SYSTEM_BINARIES=yes RUN cd /usr/local \ && git config --global advice.detachedHead false \ - && git clone --branch 2023.06.20 https://github.com/microsoft/vcpkg \ + && git clone --branch 2023.12.12 https://github.com/microsoft/vcpkg \ && ./vcpkg/bootstrap-vcpkg.sh -disableMetrics WORKDIR /github/workspace diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/Dockerfile b/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/Dockerfile index bf2a65c2..bd0f95ed 100644 --- a/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/Dockerfile +++ b/.github/actions/openziti-tunnel-build-action/ubuntu-20.04/Dockerfile @@ -55,7 +55,7 @@ ENV VCPKG_FORCE_SYSTEM_BINARIES=yes RUN cd /usr/local \ && git config --global advice.detachedHead false \ - && git clone --branch 2023.06.20 https://github.com/microsoft/vcpkg \ + && git clone --branch 2023.12.12 https://github.com/microsoft/vcpkg \ && ./vcpkg/bootstrap-vcpkg.sh -disableMetrics COPY ./entrypoint.sh /root/ diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/Dockerfile b/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/Dockerfile index 8ce82c68..d057fd9a 100644 --- a/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/Dockerfile +++ b/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/Dockerfile @@ -55,7 +55,7 @@ ENV VCPKG_FORCE_SYSTEM_BINARIES=yes RUN cd /usr/local \ && git config --global advice.detachedHead false \ - && git clone --branch 2023.06.20 https://github.com/microsoft/vcpkg \ + && git clone --branch 2023.12.12 https://github.com/microsoft/vcpkg \ && ./vcpkg/bootstrap-vcpkg.sh -disableMetrics COPY ./entrypoint.sh /root/ diff --git a/CMakeLists.txt b/CMakeLists.txt index 169b8034..dad349a5 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20) set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout") -set(ZITI_SDK_VERSION "0.35.12" CACHE STRING "ziti-sdk-c version or branch to use") +set(ZITI_SDK_VERSION "0.36.5" CACHE STRING "ziti-sdk-c version or branch to use") # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF) @@ -119,19 +119,6 @@ message("cross-compiling: ${CMAKE_CROSSCOMPILING}") link_directories(${CMAKE_BINARY_DIR}/lib) add_subdirectory(deps) - -find_package(libuv CONFIG QUIET) -if (libuv_FOUND) - if (TARGET uv_a) - set(tunnel_libuv_lib uv_a) - else() - set(tunnel_libuv_lib uv) - endif() -else() - find_path(tunnel_libuv_include_dir NAMES uv.h) - find_library(tunnel_libuv_lib uv_a NAMES uv) -endif() - add_subdirectory(lib/ziti-tunnel) if(NOT TUNNEL_SDK_ONLY) diff --git a/lib/ziti-tunnel/CMakeLists.txt b/lib/ziti-tunnel/CMakeLists.txt index c2a99bbc..6b8f4d45 100644 --- a/lib/ziti-tunnel/CMakeLists.txt +++ b/lib/ziti-tunnel/CMakeLists.txt @@ -46,7 +46,6 @@ target_include_directories(ziti-tunnel-sdk-c target_link_libraries(ziti-tunnel-sdk-c PUBLIC ziti PUBLIC lwipcore - PUBLIC ${tunnel_libuv_lib} ) #copy relevant .h files to the include folder diff --git a/programs/tests/CMakeLists.txt b/programs/tests/CMakeLists.txt index 77ec37c0..9a2d6679 100644 --- a/programs/tests/CMakeLists.txt +++ b/programs/tests/CMakeLists.txt 
@@ -3,8 +3,24 @@ project(tests) add_executable(ziti-edge-tunnel-test ziti-edge-tunnel-test.c) set_property(TARGET ziti-edge-tunnel-test PROPERTY C_STANDARD 11) +find_package(libuv CONFIG QUIET) +if (libuv_FOUND) + # newer libuv versions have proper namespacing + if (TARGET libuv::uv_a) + set(libuv_lib libuv::uv_a) + elseif (TARGET uv_a) + set(libuv_lib uv_a) + elseif (TARGET libuv::uv) + set(libuv_lib libuv::uv) + else() + set(libuv_lib uv) + endif() +else() + find_library(libuv_lib uv_a NAMES uv) +endif() + target_link_libraries(ziti-edge-tunnel-test - PUBLIC ${tunnel_libuv_lib} + PUBLIC ${libuv_lib} ) install(TARGETS ziti-edge-tunnel-test diff --git a/vcpkg.json b/vcpkg.json index 5167a2e0..9c9b00be 100644 --- a/vcpkg.json +++ b/vcpkg.json @@ -20,5 +20,5 @@ ] } }, - "builtin-baseline": "f6a5d4e8eb7476b8d7fc12a56dff300c1c986131" + "builtin-baseline": "c8696863d371ab7f46e213d8f5ca923c4aef2a00" } From 6cde40d9d029b1dcd188d7080c1df862dac48d71 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Wed, 14 Feb 2024 17:29:36 -0500 Subject: [PATCH 081/251] override jammy-builder tls lib --- .../openziti-tunnel-build-action/ubuntu-22.04/Dockerfile | 6 ++++-- .../openziti-tunnel-build-action/ubuntu-22.04/entrypoint.sh | 1 + 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/Dockerfile b/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/Dockerfile index d057fd9a..f003b5b9 100644 --- a/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/Dockerfile +++ b/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/Dockerfile @@ -1,9 +1,11 @@ ARG CMAKE_VERSION="3.26.3" +ARG VCPKG_VERSION="2024.01.12" # Ubuntu Jammy 22.04 LTS FROM ubuntu:jammy ARG CMAKE_VERSION +ARG VCPKG_VERSION LABEL org.opencontainers.image.authors="support@netfoundry.io" 
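Review bot: The fallback branch `find_library(libuv_lib uv_a NAMES uv)` leaves `libuv_lib` as `libuv_lib-NOTFOUND` when no library is present, and the failure then surfaces only from the later `target_link_libraries` call rather than at the point of detection. A guard right after the `find_library` call, `if(NOT libuv_lib)` / `message(FATAL_ERROR "libuv not found for ziti-edge-tunnel-test")` / `endif()`, gives a direct error. As a point of style, mixing the short form with the `NAMES` keyword reads oddly; `find_library(libuv_lib NAMES uv_a uv)` says the same thing.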
@@ -45,7 +47,7 @@ RUN apt-get update \ zlib1g-dev:armhf \ && rm -rf /var/lib/apt/lists/* -RUN curl -sSfL https://cmake.org/files/v${CMAKE_VERSION%.*}/cmake-${CMAKE_VERSION}-linux-$(uname -m).sh -o cmake.sh \ +RUN curl -sSfL "https://cmake.org/files/v${CMAKE_VERSION%.*}/cmake-${CMAKE_VERSION}-linux-$(uname -m).sh" -o cmake.sh \ && (bash cmake.sh --skip-license --prefix=/usr/local) \ && rm cmake.sh @@ -55,7 +57,7 @@ ENV VCPKG_FORCE_SYSTEM_BINARIES=yes RUN cd /usr/local \ && git config --global advice.detachedHead false \ - && git clone --branch 2023.12.12 https://github.com/microsoft/vcpkg \ + && git clone --branch "${VCPKG_VERSION}" https://github.com/microsoft/vcpkg \ && ./vcpkg/bootstrap-vcpkg.sh -disableMetrics COPY ./entrypoint.sh /root/ diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/entrypoint.sh b/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/entrypoint.sh index d82561ae..fb163abd 100755 --- a/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/entrypoint.sh +++ b/.github/actions/openziti-tunnel-build-action/ubuntu-22.04/entrypoint.sh @@ -44,6 +44,7 @@ cmake \ --preset "${cmake_preset}" \ -DCMAKE_BUILD_TYPE="${cmake_config}" \ -DBUILD_DIST_PACKAGES=ON \ + "${TLSUV_TLSLIB:+-DTLSUV_TLSLIB=${TLSUV_TLSLIB}}" \ -S "${PWD}/" \ -B ./build cmake \ From 5d0d39bb29ff9915c6ea77db5b22d4e280d9d50b Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Wed, 14 Feb 2024 17:35:47 -0500 Subject: [PATCH 082/251] document cross-compiling --- BUILD.md | 61 ++++++++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 48 insertions(+), 13 deletions(-) diff --git a/BUILD.md b/BUILD.md index ffdcc08a..cd9aa810 100644 --- a/BUILD.md +++ b/BUILD.md 
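Review bot: `git clone --branch "${VCPKG_VERSION}" https://github.com/microsoft/vcpkg` checks out vcpkg by a tag name, which is a mutable reference, so the builder image is not reproducible from its build args alone; the same pattern is in the redhat-9 Dockerfile hunk further down. `vcpkg.json` already pins `builtin-baseline` to a commit hash, and the clone can drift from that baseline. Pinning the clone as well, e.g. `git -C /usr/local/vcpkg checkout "<PINNED_VCPKG_COMMIT placeholder>"` after the clone, would let the image and the manifest agree on one immutable revision.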
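Review bot: `"${TLSUV_TLSLIB:+-DTLSUV_TLSLIB=${TLSUV_TLSLIB}}"` is a quoted expansion, so when TLSUV_TLSLIB is unset or empty it still produces one empty-string positional argument for cmake, which cmake may treat as a path or reject; the same line is added in the redhat-9 entrypoint.sh and in ziti-builder.sh main() later in this series. Moving the quotes inside the word, `${TLSUV_TLSLIB:+"-DTLSUV_TLSLIB=${TLSUV_TLSLIB}"} \`, expands to exactly one argument when set and to nothing when unset. The neighbouring `"${CMAKE_EXTRA_ARGS:-}"` in ziti-builder.sh has the same shape and additionally cannot carry more than one extra argument; an array would serve both cases. The cmake invocation starts outside this hunk.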
@@ -143,29 +143,64 @@ the number of jobs to use, which should ideally be specified to the number of threads your CPU has. You may also want to add that to your preset using the `jobs` property, see the [presets documentation][1] for more details. -[1]: https://cmake.org/cmake/help/latest/manual/cmake-presets.7.html -[2]: https://cmake.org/download/ +## Cross-compile with Docker -## Docker Crossbuilder Image +The default build architecture is x86_64. You can also cross-compile the distribution-specific Linux package or the +generic binary with Docker. Both approaches use an x86 (x86_64, amd64) container image to build the artifacts for arm64 +and arm architectures. -The CI job which also runs the included `ziti-builder.sh` builds the `ziti-edge-tunnel` binary inside a Docker -container. The script will run the necessary container image if needed. The container image has the tools to -cross-compile for target architectures arm, arm64. This script works for Linux, macOS, and WSL2 on Windows. Arm -architecture hosts will experience slower build times due to emulation of this x86_64 container image. +### Build the Linux Package with Docker -Without any arguments, the `ziti-builder.sh` script will build the `bundle` target with the `ci-linux-x64` (amd64) -preset, placing the resulting ZIP archive in `./build/bundle`. +The Debian and RedHat packages are built in GitHub and uploaded to DEB and RPM repositories. The Debian package may be +cross-compiled for arm64 or arm with [a few exceptions](.github/cpack-matrix.yml). Cross-compiling the RPM is not yet +supported. + +1. build the x64 package builder image +1. run the x64 builder image to build the package for the target architecture + +The `ziti-edge-tunnel` binary is also built for the target architecture and included in the package with appropriate +parameters for the target distribution. + +#### Build the Package Builder Image + +Build the x64 package builder image for Ubuntu Bionic 18.04. 
There are builder images for several Ubuntu and RedHat +vintages that will work with a wide variety of Debian and RPM family distros. ```bash -./ziti-builder.sh +cd ./.github/actions/openziti-tunnel-build-action/ubuntu-22.04/ +docker buildx build --platform linux/amd64 --tag jammy-builder . --load ``` -To build for a specific target architecture, use the `-p` argument to specify the vcpkg preset. +#### Run the Package Builder Container + +Cross-build the Debian package for arm64 in the x64 builder container. The `ci-linux-arm64` in this example is an +architecture-specific CMake [preset][1], and the optional TLS library variable overrides the default library, MBed-TLS. ```bash -./ziti-builder.sh -p ci-linux-arm64 +docker run \ + --rm \ + --volume "${PWD}:/github/workspace" \ + --workdir "/github/workspace" \ + --env "TLSUV_TLSLIB=openssl" \ + bionic-builder \ + ci-linux-arm64 ``` +### Build the Binary with Docker + +All of the Ziti projects that leverage Ziti's C-SDK are built with a shared builder image: `openziti/ziti-builder`. This +project provides a wrapper script for cross-building the generic `ziti-edge-tunnel` binary using this builder image +optimized for compatibility, i.e., libc 2.27 and static TLS library. + +Without any arguments, the `ziti-builder.sh` script will build the `bundle` target with the `ci-linux-x64` (amd64) +preset, placing the resulting ZIP archive in `./build/bundle/`, and the bare executable in +`./build/programs/ziti-edge-tunnel/Release/`. + +Build the generic binary for arm64 with the `ci-linux-arm64` preset. + ```bash -./cmake help +./scripts/ziti-builder.sh -p ci-linux-arm64 ``` + +[1]: https://cmake.org/cmake/help/latest/manual/cmake-presets.7.html +[2]: https://cmake.org/download/ From 775412a7260aa9afa8f0386411e987f9ab75caf9 Mon Sep 17 00:00:00 2001 
From: Kenneth Bingham Date: Wed, 14 Feb 2024 18:31:52 -0500 Subject: [PATCH 083/251] document how to use the generic builder image to produce a binary for old libc w/ old static libssl --- BUILD.md | 7 +++++-- scripts/ziti-builder.sh | 4 +++- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/BUILD.md b/BUILD.md index cd9aa810..9cf9f584 100644 --- a/BUILD.md +++ b/BUILD.md @@ -182,7 +182,7 @@ docker run \ --volume "${PWD}:/github/workspace" \ --workdir "/github/workspace" \ --env "TLSUV_TLSLIB=openssl" \ - bionic-builder \ + jammy-builder \ ci-linux-arm64 ``` @@ -190,7 +190,7 @@ docker run \ All of the Ziti projects that leverage Ziti's C-SDK are built with a shared builder image: `openziti/ziti-builder`. This project provides a wrapper script for cross-building the generic `ziti-edge-tunnel` binary using this builder image -optimized for compatibility, i.e., libc 2.27 and static TLS library. +optimized for compatibility, i.e., libc 2.27 and static Mbed-TLS library. Without any arguments, the `ziti-builder.sh` script will build the `bundle` target with the `ci-linux-x64` (amd64) preset, placing the resulting ZIP archive in `./build/bundle/`, and the bare executable in @@ -202,5 +202,8 @@ Build the generic binary for arm64 with the `ci-linux-arm64` preset. ./scripts/ziti-builder.sh -p ci-linux-arm64 ``` +To build with OpenSSL on this Ubuntu Bionic-based (glibc 2.27) builder image, `export TLSUV_TLSLIB=openssl` and change +`vcpkg.json` to statically compile "openssl" instead of "mbedtls." + [1]: https://cmake.org/cmake/help/latest/manual/cmake-presets.7.html [2]: https://cmake.org/download/ diff --git a/scripts/ziti-builder.sh b/scripts/ziti-builder.sh index fbd1b86f..83c5ac31 100755 --- a/scripts/ziti-builder.sh +++ b/scripts/ziti-builder.sh 
@@ -72,7 +72,8 @@ function set_workspace(){ --volume "${REPODIR}:${WORKDIR}" \ --platform "linux/amd64" \ --env "VCPKG_DEFAULT_BINARY_CACHE=${WORKDIR}/.cache" \ - openziti/ziti-builder \ + --env "TLSUV_TLSLIB" \ + "openziti/ziti-builder:${ZITI_BUILDER_TAG:-latest}" \ "${WORKDIR}/${SCRIPTSDIR}/${BASENAME}" "${@}" fi } @@ -126,6 +127,7 @@ function main() { -DCMAKE_BUILD_TYPE="${CMAKE_CONFIG:-Release}" \ -DBUILD_DIST_PACKAGES="${BUILD_DIST_PACKAGES:-OFF}" \ -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/ubuntu18" \ + "${TLSUV_TLSLIB:+-DTLSUV_TLSLIB=${TLSUV_TLSLIB}}" \ -S . \ -B ./build \ "${CMAKE_EXTRA_ARGS:-}" From 07e367671ce7eabfcf7d6413525c4066a3245ca2 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Wed, 14 Feb 2024 18:36:48 -0500 Subject: [PATCH 084/251] switch builder script default target from bundle to binary --- scripts/ziti-builder.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/ziti-builder.sh b/scripts/ziti-builder.sh index 83c5ac31..ecddbc99 100755 --- a/scripts/ziti-builder.sh +++ b/scripts/ziti-builder.sh @@ -25,7 +25,7 @@ REPODIR="$(dirname "${BASEDIR}")" # path to project root is parent of "\ndefault target if no CMD is specified\n"\ "\n -c [Release|Debug] set CMAKE_BUILD_TYPE (default: Release)"\ "\n -p CMAKE_PRESET set CMAKE_TOOLCHAIN_FILE preset (default: ci-linux-x64)"\ - "\n -t [bundle|package] set CMAKE_TARGET (default: bundle)" + "\n -t [bundle|package] set CMAKE_TARGET (default: ziti-edge-tunnel)" exit 0 } @@ -134,7 +134,7 @@ function main() { cmake \ --build ./build \ --config "${CMAKE_CONFIG:-Release}" \ - --target "${CMAKE_TARGET:-bundle}" \ + --target "${CMAKE_TARGET:-ziti-edge-tunnel}" \ --verbose fi ls -lAh ./build/programs/ziti-edge-tunnel/Release/ziti-edge-tunnel From e72fb71b122a785d1c535e92516b57a61465fa1a Mon Sep 17 00:00:00 2001 
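Review bot: `"openziti/ziti-builder:${ZITI_BUILDER_TAG:-latest}"` defaults the builder to the mutable `latest` tag, so two runs of the script on different days can build the same commit with different toolchains, and the pulled image is not attested by anything in the repository. Defaulting ZITI_BUILDER_TAG to a specific release tag, or allowing a digest form such as `openziti/ziti-builder@sha256:<DIGEST placeholder>`, keeps the build reproducible; a comment on the line stating which tag CI uses would help either way. `--env "TLSUV_TLSLIB"` forwards the host value only when it is set, which is the intended behaviour.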
From: Kenneth Bingham Date: Thu, 15 Feb 2024 18:19:21 -0500 Subject: [PATCH 085/251] enable building rh9 rpm with shared openssl --- .../actions/openziti-tunnel-build-action/redhat-9/Dockerfile | 4 +++- .../openziti-tunnel-build-action/redhat-9/entrypoint.sh | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/actions/openziti-tunnel-build-action/redhat-9/Dockerfile b/.github/actions/openziti-tunnel-build-action/redhat-9/Dockerfile index 4dcc19f8..e3a0f173 100644 --- a/.github/actions/openziti-tunnel-build-action/redhat-9/Dockerfile +++ b/.github/actions/openziti-tunnel-build-action/redhat-9/Dockerfile @@ -1,8 +1,10 @@ ARG CMAKE_VERSION="3.26.3" +ARG VCPKG_VERSION="2024.01.12" FROM rockylinux:9 ARG CMAKE_VERSION +ARG VCPKG_VERSION LABEL org.opencontainers.image.authors="support@netfoundry.io" @@ -43,7 +45,7 @@ ENV VCPKG_ROOT=/usr/local/vcpkg ENV VCPKG_FORCE_SYSTEM_BINARIES=yes RUN cd /usr/local \ - && git clone --branch 2023.12.12 https://github.com/microsoft/vcpkg \ + && git clone --branch "${VCPKG_VERSION}" https://github.com/microsoft/vcpkg \ && ./vcpkg/bootstrap-vcpkg.sh -disableMetrics \ && chmod -R ugo+rwX /usr/local/vcpkg diff --git a/.github/actions/openziti-tunnel-build-action/redhat-9/entrypoint.sh b/.github/actions/openziti-tunnel-build-action/redhat-9/entrypoint.sh index e435407f..d9f5982c 100755 --- a/.github/actions/openziti-tunnel-build-action/redhat-9/entrypoint.sh +++ b/.github/actions/openziti-tunnel-build-action/redhat-9/entrypoint.sh @@ -45,6 +45,7 @@ done --preset "${cmake_preset}" \ -DCMAKE_BUILD_TYPE="${cmake_config}" \ -DBUILD_DIST_PACKAGES=ON \ + "${TLSUV_TLSLIB:+-DTLSUV_TLSLIB=${TLSUV_TLSLIB}}" \ -S . \ -B ./build cmake \ From 39fb20c0a2e97d29444cbe525a397776bbecc557 Mon Sep 17 00:00:00 2001 
From: Kenneth Bingham Date: Mon, 19 Feb 2024 13:38:30 -0500 Subject: [PATCH 086/251] fix mkdir command that enables clobbering tmp identity in container --- docker/docker-entrypoint.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh index 52cc663c..3985dae5 100755 --- a/docker/docker-entrypoint.sh +++ b/docker/docker-entrypoint.sh @@ -61,7 +61,8 @@ fi # if identity env var is defined then do not look for mounted identities if [[ -n "${ZITI_IDENTITY_JSON:-}" ]]; then IDENTITIES_DIR="/tmp/openziti" - mkdir -m0700 "${IDENTITIES_DIR}" + # shellcheck disable=SC2174 + mkdir -pm0700 "${IDENTITIES_DIR}" if [[ -z "${ZITI_IDENTITY_BASENAME:-}" ]]; then ZITI_IDENTITY_BASENAME="ziti_id" fi From e37f58ebc52ead03effd1cc563d7a34965ac088f Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Tue, 20 Feb 2024 12:24:07 -0500 Subject: [PATCH 087/251] add group ziti to container images --- docker/Dockerfile.base | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docker/Dockerfile.base b/docker/Dockerfile.base index dae58ea6..b064406e 100644 --- a/docker/Dockerfile.base +++ b/docker/Dockerfile.base @@ -40,7 +40,7 @@ RUN mkdir -m0755 /licenses COPY ./LICENSE-Apache /licenses/apache.txt ### Add necessary Red Hat repos and packages -RUN INSTALL_PKGS="iproute procps" && \ +RUN INSTALL_PKGS="iproute procps shadow-utils" && \ microdnf -y update --setopt=install_weak_deps=0 --setopt=tsflags=nodocs && \ microdnf -y install --setopt=install_weak_deps=0 --setopt=tsflags=nodocs ${INSTALL_PKGS} @@ -49,6 +49,7 @@ COPY --from=fetch-ziti-artifacts /tmp/ziti-edge-tunnel /usr/local/bin COPY ./docker-entrypoint.sh / RUN chmod +x /docker-entrypoint.sh RUN mkdir -m0777 /ziti-edge-tunnel +RUN groupadd --system --gid 2171 ziti ENTRYPOINT [ "/docker-entrypoint.sh" ] CMD [ "run" ] From cde47853a45f660ab71f9c5587ceec08596a7f22 Mon Sep 17 00:00:00 2001 
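Review bot: `mkdir -pm0700 "${IDENTITIES_DIR}"` applies the mode only when it creates the leaf directory, which is exactly what SC2174 warns about; a pre-existing `/tmp/openziti` keeps whatever mode and owner it already has, and the identity JSON written a few lines later lands there. Since the path is fixed and lives under a shared `/tmp`, a follow-up `chmod 0700 "${IDENTITIES_DIR}"` (or a check that the directory is owned by the current user before writing) closes that gap. The enclosing `if` block continues past this hunk.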
From: Kenneth Bingham Date: Tue, 20 Feb 2024 13:48:04 -0500 Subject: [PATCH 088/251] uninstall shadow-utils --- docker/Dockerfile.base | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docker/Dockerfile.base b/docker/Dockerfile.base index b064406e..70138051 100644 --- a/docker/Dockerfile.base +++ b/docker/Dockerfile.base @@ -51,5 +51,8 @@ RUN chmod +x /docker-entrypoint.sh RUN mkdir -m0777 /ziti-edge-tunnel RUN groupadd --system --gid 2171 ziti +RUN UNINSTALL_PKGS="shadow-utils" && \ + microdnf -y remove ${UNINSTALL_PKGS} + ENTRYPOINT [ "/docker-entrypoint.sh" ] CMD [ "run" ] From e1e2de89ae66d94b51059244180bfcafb4532d13 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Tue, 20 Feb 2024 19:44:37 +0000 Subject: [PATCH 089/251] get dns flags with bitmasks. (#803) --- lib/ziti-tunnel-cbs/dns_host.h | 17 ++--------------- lib/ziti-tunnel-cbs/dns_msg.c | 7 +++---- 2 files changed, 5 insertions(+), 19 deletions(-) diff --git a/lib/ziti-tunnel-cbs/dns_host.h b/lib/ziti-tunnel-cbs/dns_host.h index 51814de3..1d3bfa68 100644 --- a/lib/ziti-tunnel-cbs/dns_host.h +++ b/lib/ziti-tunnel-cbs/dns_host.h @@ -77,21 +77,8 @@ XX(comment, string, none, comment, __VA_ARGS__) extern "C" { #endif -typedef struct dns_flags_s { - union { - uint16_t raw; - struct { - uint8_t is_response: 1; - uint8_t opcode: 4; - uint8_t aa: 1; - uint8_t tc: 1; - uint8_t rd: 1; - uint8_t ra: 1; - uint8_t z: 3; - uint8_t rcode: 4; - }; - }; -} dns_flags_t; +#define DNS_FLAG_QR(f) (((f) & 0x8000U) != 0) +#define DNS_FLAG_RD(f) (((f) & 0x0100U) != 0) DECLARE_MODEL(dns_question, DNS_Q_MODEL) diff --git a/lib/ziti-tunnel-cbs/dns_msg.c b/lib/ziti-tunnel-cbs/dns_msg.c index 7a267e20..07dcb599 100644 --- a/lib/ziti-tunnel-cbs/dns_msg.c +++ b/lib/ziti-tunnel-cbs/dns_msg.c 
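Review bot: The two new macros in dns_host.h carry no comment, and their correctness depends on the caller having already converted the flags word to host byte order; 0x8000 is QR (bit 15) and 0x0100 is RD (bit 8) only after `ntohs`. A one-line comment above them, `/* DNS header flags; f must be in host byte order (after ntohs): QR = bit 15, RD = bit 8 */`, makes that contract visible at the definition rather than only in dns_msg.c.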
@@ -51,15 +51,14 @@ static int parse_dns_q(dns_question *q, const unsigned char *buf, size_t buflen) int parse_dns_req(dns_message *msg, const unsigned char* buf, size_t buflen) { msg->id = ntohs(*((uint16_t*)buf)); - dns_flags_t flags; - flags.raw = ntohs(*((uint16_t*)buf + 1)); + uint16_t flags = ntohs(*((uint16_t*)buf + 1)); - if (flags.is_response) return -1; + if (DNS_FLAG_QR(flags)) return -1; int qcount = ntohs(*((uint16_t*)buf + 2)); if (qcount != 1) return -1; - msg->recursive = flags.rd; + msg->recursive = DNS_FLAG_RD(flags); msg->question = calloc(2, sizeof(dns_question*)); msg->question[0] = calloc(1, sizeof(dns_question)); parse_dns_q(msg->question[0], buf + 12, buflen - 12); From ff12270bc69d2cf56ed862e81606f0f2e54976e4 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Tue, 20 Feb 2024 16:12:11 -0500 Subject: [PATCH 090/251] correct the deb and rpm hooks --- programs/ziti-edge-tunnel/package/deb/postinst.in | 7 +++++-- programs/ziti-edge-tunnel/package/rpm/post.sh.in | 4 +++- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/programs/ziti-edge-tunnel/package/deb/postinst.in b/programs/ziti-edge-tunnel/package/deb/postinst.in index 516fc1e5..311c4b6f 100644 --- a/programs/ziti-edge-tunnel/package/deb/postinst.in +++ b/programs/ziti-edge-tunnel/package/deb/postinst.in @@ -13,7 +13,10 @@ install -m 644 @CPACK_SHARE_DIR@/@SYSTEMD_UNIT_FILE_NAME@ @SYSTEMD_UNIT_DIR@/@SY # with an explanation or warning or link is an alternative to removing it, but it would only work for this deb, not the # rpm, artifact of this build because rpm creates unwanted *.rpmsave backups of files that were modified after the # specified version was installed -unlink @CPACK_SHARE_DIR@/@SYSTEMD_UNIT_FILE_NAME@ +if [ -e @CPACK_SHARE_DIR@/@SYSTEMD_UNIT_FILE_NAME@ ]; then + unlink @CPACK_SHARE_DIR@/@SYSTEMD_UNIT_FILE_NAME@ +fi + # Source debconf library. . /usr/share/debconf/confmodule 
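Review bot: The new `uint16_t flags = ntohs(*((uint16_t*)buf + 1));` still reads the header without any check that `buflen` covers the 12-byte DNS header, and `buflen - 12` on the last line wraps to a huge `size_t` when the packet is shorter; an early `if (buflen < 12) return -1;` at the top of parse_dns_req closes both. Reading the fields with `memcpy(&flags, buf + 2, sizeof flags)` instead of a cast would also avoid the unaligned/aliasing access on what is a `const unsigned char *`. The `calloc` results on the following lines are still used unchecked, which predates this change. parse_dns_req continues outside the hunk.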
@@ -106,7 +109,7 @@ fi if [ "$1" = "configure" ]; then # if interactive and stdin is a tty - if [ $DEBIAN_FRONTEND != "noninteractive" -a -t 0 ]; then + if [ "$DEBIAN_FRONTEND" != "noninteractive" -a -t 0 ]; then ssize=$(tput cols) else ssize=80 diff --git a/programs/ziti-edge-tunnel/package/rpm/post.sh.in b/programs/ziti-edge-tunnel/package/rpm/post.sh.in index 984e24c8..e147017f 100644 --- a/programs/ziti-edge-tunnel/package/rpm/post.sh.in +++ b/programs/ziti-edge-tunnel/package/rpm/post.sh.in @@ -14,7 +14,9 @@ if [ $1 -ne 0 ]; then # delete the old copy of the unit file to reduce confusion; modifying the file with an explanation or warning or # link is an alternative to removing it, but that causes unwanted *.rpmsave backups since it is then presumed to be # a user modification - unlink @CPACK_SHARE_DIR@/$SYSTEMD_UNIT_FILE_NAME + if [ -e @CPACK_SHARE_DIR@/$SYSTEMD_UNIT_FILE_NAME ]; then + unlink @CPACK_SHARE_DIR@/$SYSTEMD_UNIT_FILE_NAME + fi fi %systemd_post $SYSTEMD_SERVICE_NAME From 5e22ebad7fd07019e6b429bdd523f6ecfbdd4d46 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Thu, 22 Feb 2024 10:45:50 -0500 Subject: [PATCH 091/251] correct build doc --- BUILD.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/BUILD.md b/BUILD.md index 9cf9f584..39d543fb 100644 --- a/BUILD.md +++ b/BUILD.md @@ -163,8 +163,9 @@ parameters for the target distribution. #### Build the Package Builder Image -Build the x64 package builder image for Ubuntu Bionic 18.04. There are builder images for several Ubuntu and RedHat -vintages that will work with a wide variety of Debian and RPM family distros. +Build the x64 package builder image for Ubuntu Jammy 22.04. There are builder images for several Ubuntu and RedHat +vintages that will work with a wide variety of Debian and RPM family distros. Use an older builder image if your target +distribution is older to ensure LIBC compatibility. ```bash cd ./.github/actions/openziti-tunnel-build-action/ubuntu-22.04/ 
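Review bot: Quoting `"$DEBIAN_FRONTEND"` is the right fix for the unset case, but the test still uses the obsolescent `-a` operator inside `[ ]`, which POSIX marks as unspecified with more than four arguments and some shells parse differently. Writing it as two tests, `if [ "$DEBIAN_FRONTEND" != "noninteractive" ] && [ -t 0 ]; then`, is portable across the `sh` implementations a maintainer script may run under. The enclosing `if [ "$1" = "configure" ]` block continues past this hunk.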
@@ -179,6 +180,7 @@ architecture-specific CMake [preset][1], and the optional TLS library variable o ```bash docker run \ --rm \ + --platform linux/amd64 \ --volume "${PWD}:/github/workspace" \ --workdir "/github/workspace" \ --env "TLSUV_TLSLIB=openssl" \ From 04c0901b2b6cbb1e49be1d3b147e1edeeba3f339 Mon Sep 17 00:00:00 2001 From: Mario Trangoni Date: Fri, 23 Feb 2024 16:11:52 +0100 Subject: [PATCH 092/251] ci: Add dependabot for github-actions (#806) Signed-off-by: Mario Trangoni --- .github/dependabot.yml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..7b500f39 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,7 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: "/" + schedule: + interval: weekly + open-pull-requests-limit: 10 From 0c4887a8366b67cb49babb65b0aefe9f1712353a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 23 Feb 2024 15:12:42 +0000 Subject: [PATCH 093/251] Bump actions/download-artifact from 3 to 4 Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 3 to 4. - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/download-artifact dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 63b7dd18..3903b132 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -18,7 +18,7 @@ jobs: uses: hmarr/debug-action@v2.1.0 - name: download - uses: actions/download-artifact@v3 + uses: actions/download-artifact@v4 with: path: ${{ runner.workspace }}/downloads/ From e151d999aeed7cb7a88366258beb69798f1ef7a5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 23 Feb 2024 10:41:24 -0500 Subject: [PATCH 094/251] Bump release-drafter/release-drafter from 5 to 6 (#815) Bumps [release-drafter/release-drafter](https://github.com/release-drafter/release-drafter) from 5 to 6. - [Release notes](https://github.com/release-drafter/release-drafter/releases) - [Commits](https://github.com/release-drafter/release-drafter/compare/v5...v6) --- updated-dependencies: - dependency-name: release-drafter/release-drafter dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/draft-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml index b0408f12..a095d8f7 100644 --- a/.github/workflows/draft-release.yml +++ b/.github/workflows/draft-release.yml @@ -11,6 +11,6 @@ jobs: steps: # Drafts your next Release notes as Pull Requests are merged into "master" - name: Draft Release - uses: release-drafter/release-drafter@v5 + uses: release-drafter/release-drafter@v6 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 73141337ca91880c82fcf9bf9748cfe65a1178aa Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Mon, 26 Feb 2024 14:39:40 +0000 Subject: [PATCH 095/251] get ziti-sdk-c 0.36.6 for metrics fixes (#817) * get ziti-sdk-c 0.36.6 for metrics fixes * get dependencies needed for new ziti-sdk-c --- CMakeLists.txt | 2 +- vcpkg.json | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) 
diff --git a/CMakeLists.txt b/CMakeLists.txt index dad349a5..8a0876ce 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20) set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout") -set(ZITI_SDK_VERSION "0.36.5" CACHE STRING "ziti-sdk-c version or branch to use") +set(ZITI_SDK_VERSION "0.36.6" CACHE STRING "ziti-sdk-c version or branch to use") # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF) diff --git a/vcpkg.json b/vcpkg.json index 9c9b00be..44899b49 100644 --- a/vcpkg.json +++ b/vcpkg.json @@ -7,7 +7,9 @@ "llhttp", "libsodium", "getopt", - "mbedtls" + "mbedtls", + "json-c", + "protobuf-c" ], "features": { "test": { From 010abc71f969199327f5854ec8c372e7212ef2e9 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Mon, 26 Feb 2024 11:18:19 -0500 Subject: [PATCH 096/251] install jq in container image --- docker/Dockerfile.base | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/Dockerfile.base b/docker/Dockerfile.base index 70138051..c127d077 100644 --- a/docker/Dockerfile.base +++ b/docker/Dockerfile.base @@ -40,7 +40,7 @@ RUN mkdir -m0755 /licenses COPY ./LICENSE-Apache /licenses/apache.txt ### Add necessary Red Hat repos and packages -RUN INSTALL_PKGS="iproute procps shadow-utils" && \ +RUN INSTALL_PKGS="iproute procps shadow-utils jq" && \ microdnf -y update --setopt=install_weak_deps=0 --setopt=tsflags=nodocs && \ microdnf -y install --setopt=install_weak_deps=0 --setopt=tsflags=nodocs ${INSTALL_PKGS} From 4bb73697a0b3e6921fc0c37d8ad9008e4c53c941 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Thu, 29 Feb 2024 20:49:13 +0000 Subject: [PATCH 097/251] get ziti-sdk-c 0.36.7 / tlsuv 0.28.3 (#820) --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 8a0876ce..e14455be 100644 --- a/CMakeLists.txt 
+++ b/CMakeLists.txt @@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20) set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout") -set(ZITI_SDK_VERSION "0.36.6" CACHE STRING "ziti-sdk-c version or branch to use") +set(ZITI_SDK_VERSION "0.36.7" CACHE STRING "ziti-sdk-c version or branch to use") # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF) From 3ae6fb1bfdf60d6e2ed23b65126da2db5dbc1849 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Wed, 6 Mar 2024 18:53:08 +0000 Subject: [PATCH 098/251] avoid segvs when processing add command. (#821) --- programs/ziti-edge-tunnel/ziti-edge-tunnel.c | 24 +++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c index daace82e..b4198ace 100644 --- a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c +++ b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c @@ -494,6 +494,24 @@ static bool process_tunnel_commands(const tunnel_command *tnl_cmd, command_cb cb break; } + if (tunnel_add_identity_cmd.jwtFileName == NULL) { + result.error = "identity filename not provided"; + result.success = false; + break; + } + + if (tunnel_add_identity_cmd.jwtContent == NULL) { + result.error = "jwt content not provided"; + result.success = false; + break; + } + + if (config_dir == NULL) { + result.error = "config directory not set"; + result.success = false; + break; + } + char* extension = strstr(tunnel_add_identity_cmd.jwtFileName, ".jwt"); size_t length; if (extension != NULL) { 
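Review bot: The three new NULL checks stop the segfaults, but `tunnel_add_identity_cmd.jwtFileName` is still accepted without any content validation before `strstr` and the code that follows; the help text changed in the next hunk describes it as a path relative to the `-I` config directory, so if it is joined with `config_dir` a name containing `/` or `..` would write the identity outside that directory. Rejecting names that contain a path separator with the same `result.error`/`result.success = false`/`break` shape as the added checks, e.g. guarded by `if (strchr(tunnel_add_identity_cmd.jwtFileName, '/') != NULL)`, keeps the command within its configured directory. The join itself is not visible here, so this is inferred from the help text. process_tunnel_commands starts and ends outside the hunk.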
@@ -2983,9 +3001,9 @@ static CommandLine get_mfa_codes_cmd = make_command("get_mfa_codes", "Get MFA co static CommandLine get_status_cmd = make_command("tunnel_status", "Get Tunnel Status", "", "", get_status_opts, send_message_to_tunnel_fn); static CommandLine delete_id_cmd = make_command("delete", "delete the identities information", "[-i ]", "\t-i|--identity\tidentity info that needs to be deleted\n", delete_identity_opts, send_message_to_tunnel_fn); -static CommandLine add_id_cmd = make_command("add", "enroll and load the identities information", "[-i ]", - "\t-i|--identity\tfile name for the identity file that will be generated\n" - "\t-j|--jwt\tjwt content that needs to be enrolled\n", add_identity_opts, send_message_to_tunnel_fn); +static CommandLine add_id_cmd = make_command("add", "enroll and load the identity", "-j -i ", + "\t-j|--jwt\tenrollment token content\n" + "\t-i|--identity\toutput identity .json file (relative to \"-I\" config directory)\n", add_identity_opts, send_message_to_tunnel_fn); static CommandLine set_log_level_cmd = make_command("set_log_level", "Set log level of the tunneler", "-l ", "\t-l|--loglevel\tlog level of the tunneler\n", set_log_level_opts, send_message_to_tunnel_fn); static CommandLine update_tun_ip_cmd = make_command("update_tun_ip", "Update tun ip of the tunneler", "[-t ] [-p ] [-d ]", From fda6af5a8a75f68912322a98ceffd2d0cf8f22f8 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Wed, 6 Mar 2024 19:36:19 +0000 Subject: [PATCH 099/251] advance map iterators with model_map_it_remove when removing items from iterated map (#822) --- lib/ziti-tunnel-cbs/ziti_dns.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/lib/ziti-tunnel-cbs/ziti_dns.c b/lib/ziti-tunnel-cbs/ziti_dns.c index e02e6d97..c9b86d72 100644 --- a/lib/ziti-tunnel-cbs/ziti_dns.c +++ b/lib/ziti-tunnel-cbs/ziti_dns.c 
@@ -370,22 +370,24 @@ void ziti_dns_deregister_intercept(void *intercept) { dns_entry_t *e = model_map_it_value(it); model_map_remove_key(&e->intercepts, &intercept, sizeof(intercept)); if (model_map_size(&e->intercepts) == 0 && (e->domain == NULL || model_map_size(&e->domain->intercepts) == 0)) { - model_map_remove(&ziti_dns.hostnames, e->name); + it = model_map_it_remove(it); model_map_removel(&ziti_dns.ip_addresses, ip_2_ip4(&e->addr)->addr); ZITI_LOG(DEBUG, "%zu active hostnames mapped to %zu IPs", model_map_size(&ziti_dns.hostnames), model_map_size(&ziti_dns.ip_addresses)); ZITI_LOG(INFO, "DNS mapping %s -> %s is now inactive", e->name, e->ip); + } else { + it = model_map_it_next(it); } - it = model_map_it_next(it); } it = model_map_iterator(&ziti_dns.domains); while (it != NULL) { dns_domain_t *domain = model_map_it_value(it); if (model_map_size(&domain->intercepts) == 0) { - model_map_remove(&ziti_dns.domains, domain->name); + it = model_map_it_remove(it); ZITI_LOG(INFO, "wildcard domain[*%s] is now inactive", domain->name); + } else { + it = model_map_it_next(it); } - it = model_map_it_next(it); } } From aedde16b12cf81ce39bcd4e9bb5022292d3f50a2 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Thu, 7 Mar 2024 19:22:15 -0500 Subject: [PATCH 100/251] enable setting only the enroll token var in default run state --- docker/docker-entrypoint.sh | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh index 3985dae5..36f382e5 100755 --- a/docker/docker-entrypoint.sh +++ b/docker/docker-entrypoint.sh @@ -58,7 +58,7 @@ if [[ -z "${ZITI_IDENTITY_WAIT:-}" && -n "${NF_REG_WAIT:-}" ]]; then ZITI_IDENTITY_WAIT="${NF_REG_WAIT}" fi -# if identity env var is defined then do not look for mounted identities +# if identity env vars are defined then do not look for mounted identities if [[ -n "${ZITI_IDENTITY_JSON:-}" ]]; then IDENTITIES_DIR="/tmp/openziti" # shellcheck disable=SC2174 
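Review bot: After `it = model_map_it_remove(it);` the code keeps dereferencing `e` (`e->addr`, `e->name`, `e->ip`) and, in the second loop, `domain->name`, which is only safe if model_map_it_remove detaches the entry without freeing the stored value; nothing in this hunk frees the `dns_entry_t` or `dns_domain_t` either, so ownership after removal is not evident from the code. A comment on each removal line, such as `// entry is detached, not freed; e stays valid for the log below`, plus a note on where the object is eventually released, would make that contract reviewable. The iterator-advance fix itself, moving `model_map_it_next` into the `else` branch, is correct.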
@@ -68,9 +68,21 @@ if [[ -n "${ZITI_IDENTITY_JSON:-}" ]]; then fi IDENTITY_FILE="${IDENTITIES_DIR}/${ZITI_IDENTITY_BASENAME}.json" if [[ -s "${IDENTITY_FILE}" ]]; then - echo "WARN: clobbering non-empty Ziti identity file ${IDENTITY_FILE} with contents of env var ZITI_IDENTITY_JSON!" >&2 + echo "WARN: clobbering non-empty Ziti identity file ${IDENTITY_FILE} with contents of env var ZITI_IDENTITY_JSON" >&2 fi - echo "${ZITI_IDENTITY_JSON}" > "${IDENTITIES_DIR}/${ZITI_IDENTITY_BASENAME}.json" + echo "${ZITI_IDENTITY_JSON}" > "${IDENTITY_FILE}" +elif [[ -n "${ZITI_ENROLL_TOKEN:-}" ]]; then + IDENTITIES_DIR="/tmp/openziti" + # shellcheck disable=SC2174 + mkdir -pm0700 "${IDENTITIES_DIR}" + if [[ -z "${ZITI_IDENTITY_BASENAME:-}" ]]; then + ZITI_IDENTITY_BASENAME="ziti_id" + fi + JWT_FILE="${IDENTITIES_DIR}/${ZITI_IDENTITY_BASENAME}.jwt" + if [[ -s "${JWT_FILE}" ]]; then + echo "WARN: clobbering non-empty Ziti enrollment token file ${JWT_FILE} with contents of env var ZITI_ENROLL_TOKEN" >&2 + fi + echo "${ZITI_ENROLL_TOKEN}" > "${JWT_FILE}" else # presumed to be a mountpoint for one or more identities IDENTITIES_DIR="/ziti-edge-tunnel" From 2b4336e153b3f0dc52e5c80f91d9e681d3b20ee4 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Mon, 11 Mar 2024 16:43:57 +0000 Subject: [PATCH 101/251] declare data pointer as const (#825) --- lib/ziti-tunnel-cbs/dns_host.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/ziti-tunnel-cbs/dns_host.c b/lib/ziti-tunnel-cbs/dns_host.c index 36b539a3..81ec7ef9 100644 --- a/lib/ziti-tunnel-cbs/dns_host.c +++ b/lib/ziti-tunnel-cbs/dns_host.c @@ -204,7 +204,7 @@ static int fmt_txt(const ns_msg *msg, const ns_rr* rr, dns_answer *ans, size_t m #endif -static ssize_t on_dns_req(ziti_connection conn, uint8_t *data, ssize_t datalen) { +static ssize_t on_dns_req(ziti_connection conn, const uint8_t *data, ssize_t datalen) { if (datalen < 0) { ziti_close(conn, on_close); return 0; 
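Review bot: The enrollment token is a bearer credential, and `echo "${ZITI_ENROLL_TOKEN}" > "${JWT_FILE}"` creates the file with the process umask, so only the 0700 directory protects it; the identity JSON written a few lines up has the same issue. `mkdir -pm0700` also succeeds silently when /tmp/openziti already exists with different ownership or looser permissions (the shared-/tmp pattern), so the secret can land in a directory the script does not control; in a single-user container this is usually moot, but the script does not check. Writing with a restrictive umask and printf, `(umask 077; printf '%s\n' "${ZITI_ENROLL_TOKEN}" > "${JWT_FILE}")`, closes the file-permission gap and avoids echo interpreting a token that begins with `-`; a post-mkdir ownership check covers the other case. The enclosing if/elif chain continues past the end of this hunk.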
From f3adeff69c13407d1888db3a56c3521f48e8f88a Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Mon, 25 Mar 2024 15:49:47 +0000 Subject: [PATCH 102/251] Handle proxy dns responses correctly (#827) * get ziti-sdk-c 0.36.9 for queuing fix * don't misinterpret length argument as status in data callback for proxy domain requests --- CMakeLists.txt | 2 +- lib/ziti-tunnel-cbs/include/ziti/ziti_dns.h | 1 + lib/ziti-tunnel-cbs/ziti_dns.c | 86 +++++++++++---------- 3 files changed, 49 insertions(+), 40 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index e14455be..1e61a586 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20) set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout") -set(ZITI_SDK_VERSION "0.36.7" CACHE STRING "ziti-sdk-c version or branch to use") +set(ZITI_SDK_VERSION "0.36.9" CACHE STRING "ziti-sdk-c version or branch to use") # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF) diff --git a/lib/ziti-tunnel-cbs/include/ziti/ziti_dns.h b/lib/ziti-tunnel-cbs/include/ziti/ziti_dns.h index 42213690..b3102153 100644 --- a/lib/ziti-tunnel-cbs/include/ziti/ziti_dns.h +++ b/lib/ziti-tunnel-cbs/include/ziti/ziti_dns.h @@ -20,6 +20,7 @@ #include #define DNS_NO_ERROR 0 +#define DNS_FORMERR 1 #define DNS_SERVFAIL 2 #define DNS_NXDOMAIN 3 #define DNS_NOT_IMPL 4 diff --git a/lib/ziti-tunnel-cbs/ziti_dns.c b/lib/ziti-tunnel-cbs/ziti_dns.c index c9b86d72..db0ff137 100644 --- a/lib/ziti-tunnel-cbs/ziti_dns.c +++ b/lib/ziti-tunnel-cbs/ziti_dns.c @@ -71,9 +71,6 @@ typedef struct dns_domain_s { } dns_domain_t; -static void free_domain(dns_domain_t *domain); - - // hostname or domain typedef struct dns_entry_s { char name[MAX_DNS_NAME]; 
@@ -586,6 +583,12 @@ static void process_host_req(struct dns_req *req) { } } +static void proxy_domain_close_cb(ziti_connection c) { + dns_domain_t *domain = ziti_conn_data(c); + if (domain) { + domain->resolv_proxy = NULL; + } +} static void on_proxy_connect(ziti_connection conn, int status) { dns_domain_t *domain = ziti_conn_data(conn); @@ -594,8 +597,7 @@ static void on_proxy_connect(ziti_connection conn, int status) { domain->resolv_proxy = conn; } else { ZITI_LOG(ERROR, "failed to establish proxy resolve connection for domain[%s]", domain->name); - domain->resolv_proxy = NULL; - ziti_close(conn, NULL); + ziti_close(conn, proxy_domain_close_cb); } } @@ -603,9 +605,9 @@ static ssize_t on_proxy_data(ziti_connection conn, const uint8_t* data, ssize_t if (status >= 0) { ZITI_LOG(DEBUG, "proxy resolve: %.*s", (int)status, data); dns_message msg = {0}; - int rc = parse_dns_message(&msg, data, status); + int rc = parse_dns_message(&msg, (const char *) data, status); if (rc < 0) { - + // the original DNS client's request won't be completed because we can't get the msg ID. return rc; } uint16_t id = msg.id; @@ -619,10 +621,7 @@ static ssize_t on_proxy_data(ziti_connection conn, const uint8_t* data, ssize_t free_dns_message(&msg); } else { ZITI_LOG(ERROR, "proxy resolve connection failed: %d(%s)", (int)status, ziti_errorstr(status)); - - dns_domain_t *domain = ziti_conn_data(conn); - domain->resolv_proxy = NULL; - ziti_close(conn, NULL); + ziti_close(conn, proxy_domain_close_cb); } return status; } 
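Review bot: In on_proxy_connect's failure branch `domain->resolv_proxy` now stays set until proxy_domain_close_cb runs, whereas the removed line cleared it immediately; in that window proxy_domain_req (outside this hunk) sees a non-NULL resolv_proxy, skips the reconnect and issues a ziti_write against a connection that is already closing, and its write-failure path then calls ziti_close on the same connection a second time. proxy_domain_close_cb is also unconditional, so a late callback from an old connection would null out a resolv_proxy that a reconnect has since replaced. Clearing the field before closing in both error paths and guarding the callback, `if (domain && domain->resolv_proxy == c) domain->resolv_proxy = NULL;`, keeps the pointer consistent regardless of callback timing. Whether ziti_close tolerates a second call on the same connection is not visible here.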
@@ -632,51 +631,65 @@ struct proxy_dns_req_wr_s { char *json; }; -static void on_proxy_write(ziti_connection conn, ssize_t status, void *ctx) { - ZITI_LOG(DEBUG, "proxy resolve write: %d", (int)status); +static void free_proxy_dns_wr(struct proxy_dns_req_wr_s *wr) { + if (wr->json) { + free(wr->json); + wr->json = NULL; + } + free(wr); +} + +static void on_proxy_write(ziti_connection conn, ssize_t len, void *ctx) { + ZITI_LOG(DEBUG, "proxy resolve write: %d", (int)len); if (ctx) { struct proxy_dns_req_wr_s *wr = ctx; - if (status != ZITI_OK) { - ZITI_LOG(WARN, "proxy resolve write failed: %s/%zd", ziti_errorstr(status), status); + if (len < 0) { + ZITI_LOG(WARN, "proxy resolve write failed: %s/%zd", ziti_errorstr(len), len); wr->req->msg.status = DNS_SERVFAIL; format_resp(wr->req); complete_dns_req(wr->req); - + ziti_close(conn, proxy_domain_close_cb); } - free(wr->json); - free(ctx); + free_proxy_dns_wr(wr); } } static void proxy_domain_req(struct dns_req *req, dns_domain_t *domain) { if (domain->resolv_proxy == NULL) { + // initiate connection to hosting endpoint for this domain model_map_iter it = model_map_iterator(&domain->intercepts); void *intercept = model_map_it_value(it); domain->resolv_proxy = intercept_resolve_connect(intercept, domain, on_proxy_connect, on_proxy_data); } dns_question *q = req->msg.question[0]; - if (domain->resolv_proxy != NULL && (q->type == NS_T_MX || q->type == NS_T_SRV || q->type == NS_T_TXT)) { + if (domain->resolv_proxy == NULL) { + req->msg.status = DNS_SERVFAIL; + } else if (q->type == NS_T_MX || q->type == NS_T_SRV || q->type == NS_T_TXT) { size_t jsonlen; struct proxy_dns_req_wr_s *wr = calloc(1, sizeof(struct proxy_dns_req_wr_s)); wr->req = req; wr->json = dns_message_to_json(&req->msg, MODEL_JSON_COMPACT, &jsonlen); - ZITI_LOG(DEBUG, "writing proxy resolve req[%04x]: %s", req->id, wr->json); - - // intercept_resolve_connect above can quick-fail if context does not have a valid API session - // in that case resolve_proxy 
connection will be in Closed state and write will fail - int rc = ziti_write(domain->resolv_proxy, wr->json, jsonlen, on_proxy_write, wr); - if (rc == ZITI_OK) { - return; + if (wr->json) { + ZITI_LOG(DEBUG, "writing proxy resolve req[%04x]: %s", req->id, wr->json); + + // intercept_resolve_connect above can quick-fail if context does not have a valid API session + // in that case resolve_proxy connection will be in Closed state and write will fail. + // ziti_write will queue the message if the connection state is Connecting (as it will be the first time through) + int rc = ziti_write(domain->resolv_proxy, (uint8_t *) wr->json, jsonlen, on_proxy_write, wr); + if (rc == ZITI_OK) { + // completion with client will happen in on_proxy_write if write fails, or on_proxy_data when response arrives + return; + } + ZITI_LOG(WARN, "failed to write proxy resolve request[%04x]: %s", req->id, ziti_errorstr(rc)); + ziti_close(domain->resolv_proxy, proxy_domain_close_cb); + } else { + req->msg.status = DNS_FORMERR; } - - ZITI_LOG(WARN, "failed to write proxy resolve request[%04x]: %s", req->id, ziti_errorstr(rc)); - ziti_close(domain->resolv_proxy, NULL); - domain->resolv_proxy = NULL; - free(wr->json); - free(wr); + free_proxy_dns_wr(wr); + } else { + req->msg.status = DNS_NOT_IMPL; } - req->msg.status = domain->resolv_proxy == NULL ? DNS_SERVFAIL : DNS_NOT_IMPL; format_resp(req); complete_dns_req(req); } @@ -804,6 +817,7 @@ static void on_upstream_packet(uv_udp_t *h, ssize_t rc, const uv_buf_t *buf, con } free(buf->base); } + static void free_dns_req(struct dns_req *req) { free_dns_message(&req->msg); free(req); @@ -822,10 +836,4 @@ static void complete_dns_req(struct dns_req *req) { ZITI_LOG(WARN, "query[%04x] is stale", req->id); } free_dns_req(req); -} - -static void free_domain(dns_domain_t *domain) { -// model_map_clear(&domain->resolv_cache, NULL); -// ziti_close(domain->resolv_proxy, NULL); - free(domain); } \ No newline at end of file 
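Review bot: When ziti_write fails synchronously, the new code closes the connection and falls through to `free_proxy_dns_wr(wr)`, but `req->msg.status` is never set on that path, so the client receives whatever status the parsed request carried (NOERROR with no answers if it was zero-initialised) instead of the SERVFAIL the removed ternary produced; an empty NOERROR answer can be negatively cached by the client resolver. Adding `req->msg.status = DNS_SERVFAIL;` directly after `ziti_close(domain->resolv_proxy, proxy_domain_close_cb);` restores the previous behaviour. The `calloc` result is also dereferenced (`wr->req = req;`) without a NULL check; failing the request with SERVFAIL there is cheap.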
From 5942b6485270164a0a61f10c0425dd3ad74eeb02 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Tue, 2 Apr 2024 13:01:50 +0000 Subject: [PATCH 103/251] Use mingw to build windows-x64 binaries (#826) * create mingw cmake preset * use mingw preset when building windows/x64 * get ziti-sdk-c 0.36.9 for queuing fix --- .github/workflows/cmake.yml | 4 +- CMakePresets.json | 71 ++++++++++++++++--- lib/ziti-tunnel-cbs/CMakeLists.txt | 9 ++- .../netif_driver/windows/tun.c | 4 ++ 4 files changed, 75 insertions(+), 13 deletions(-) diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml index c6fa5202..d7f1a39a 100644 --- a/.github/workflows/cmake.yml +++ b/.github/workflows/cmake.yml @@ -32,11 +32,11 @@ jobs: - os: windows-latest name: Windows x86_64 - preset: windows-x64 + preset: windows-x64-mingw - os: windows-latest name: Windows arm64 - preset: windows-arm64 + preset: windows-arm64-vs2022 - os: ubuntu-20.04 container: openziti/ziti-builder:1.0.7 diff --git a/CMakePresets.json b/CMakePresets.json index 3d732704..766acc6e 100644 --- a/CMakePresets.json +++ b/CMakePresets.json @@ -27,6 +27,13 @@ "VCPKG_TARGET_TRIPLET": "x64-windows-static-md" } }, + { + "name": "vcpkg-win64-mingw-static", + "hidden": true, + "cacheVariables": { + "VCPKG_TARGET_TRIPLET": "x64-mingw-static" + } + }, { "name": "ninja", "hidden": true, @@ -64,7 +71,7 @@ } }, { - "name": "flags-windows", + "name": "flags-windows-vs2022", "description": "Note that all the flags after /W4 are required for MSVC to conform to the language standard", "hidden": true, "cacheVariables": { @@ -72,6 +79,15 @@ "CMAKE_CXX_FLAGS": "/utf-8 /W4 /permissive- /volatile:iso /Zc:preprocessor /Zc:__cplusplus /Zc:externConstexpr /Zc:throwingNew /EHsc" } }, + { + "name": "flags-windows-mingw", + "hidden": true, + "cacheVariables": { + "CMAKE_C_COMPILER": "gcc", + "CMAKE_CXX_COMPILER": "g++" + } + }, + { "name": "ci-unix", "hidden": true, 
@@ -82,9 +98,9 @@ ] }, { - "name": "ci-win64", + "name": "ci-win64-vs2022", "inherits": [ - "flags-windows", + "flags-windows-vs2022", "ci-std", "vs-2022" ], @@ -95,9 +111,9 @@ "hidden": true }, { - "name": "ci-win86", + "name": "ci-win86-vs2022", "inherits": [ - "flags-windows", + "flags-windows-vs2022", "ci-std", "vs-2022" ], @@ -105,15 +121,28 @@ "hidden": true }, { - "name": "ci-win-arm64", + "name": "ci-win-arm64-vs2022", "inherits": [ - "flags-windows", + "flags-windows-vs2022", "ci-std", "vs-2022" ], "architecture": "ARM64", "hidden": true }, + { + "name": "ci-win64-mingw", + "inherits": [ + "flags-windows-mingw", + "ci-std", + "ninja" + ], + "architecture": { + "value": "x64", + "strategy": "external" + }, + "hidden": true + }, { "name": "ci-build", "binaryDir": "${sourceDir}/build", @@ -196,9 +225,13 @@ }, { "name": "ci-windows-x64", + "inherits": "ci-windows-x64-vs2022" + }, + { + "name": "ci-windows-x64-vs2022", "inherits": [ "ci-build", - "ci-win64", + "ci-win64-vs2022", "dev-mode", "vcpkg", "vcpkg-win64-static" @@ -206,9 +239,13 @@ }, { "name": "ci-windows-x86", + "inherits": "ci-windows-x86-vs2022" + }, + { + "name": "ci-windows-x86-vs2022", "inherits": [ "ci-build", - "ci-win86", + "ci-win86-vs2022", "dev-mode", "vcpkg" ], @@ -219,9 +256,13 @@ }, { "name": "ci-windows-arm64", + "inherits": [ "ci-windows-arm64-vs2022" ] + }, + { + "name": "ci-windows-arm64-vs2022", "inherits": [ "ci-build", - "ci-win-arm64", + "ci-win-arm64-vs2022", "dev-mode", "vcpkg" ], @@ -229,6 +270,16 @@ "VCPKG_TARGET_TRIPLET": "arm64-windows-static-md", "VCPKG_CHAINLOAD_TOOLCHAIN_FILE": "${sourceDir}/toolchains/Windows-arm64.cmake" } + }, + { + "name": "ci-windows-x64-mingw", + "inherits": [ + "ci-build", + "ci-win64-mingw", + "dev-mode", + "vcpkg", + "vcpkg-win64-mingw-static" + ] } ] } diff --git a/lib/ziti-tunnel-cbs/CMakeLists.txt b/lib/ziti-tunnel-cbs/CMakeLists.txt index 0b593b1e..cf689329 100644 --- a/lib/ziti-tunnel-cbs/CMakeLists.txt 
+++ b/lib/ziti-tunnel-cbs/CMakeLists.txt @@ -23,6 +23,13 @@ target_include_directories(ziti-tunnel-cbs-c PUBLIC include ) +if(MINGW) + # mingw's linker is single-pass, and we get undefined symbols from libmbedtls for symbols in winsock2 without this + # doing this here this is a bit of a hack, but I couldn't figure out how to influence cmake to get this right when + # we get mbledtls from vcpkg. + SET(socket_lib ws2_32) +endif() + if(CMAKE_SYSTEM_NAME STREQUAL Windows) SET(resolve_lib dnsapi) else() @@ -32,7 +39,7 @@ endif() target_link_libraries(ziti-tunnel-cbs-c PUBLIC ziti PUBLIC ziti-tunnel-sdk-c - PUBLIC ${resolve_lib} + PUBLIC ${resolve_lib} ${socket_lib} ) install(DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/include/ diff --git a/programs/ziti-edge-tunnel/netif_driver/windows/tun.c b/programs/ziti-edge-tunnel/netif_driver/windows/tun.c index 1bb999e8..01d2fd72 100644 --- a/programs/ziti-edge-tunnel/netif_driver/windows/tun.c +++ b/programs/ziti-edge-tunnel/netif_driver/windows/tun.c @@ -27,6 +27,10 @@ #define _Ret_bytecount_(n) #endif +#ifndef _Post_maybenull_ +#define _Post_maybenull_ +#endif + #include #include #include From 964e6abd7319975408a06f33724d747e33a413ef Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Tue, 2 Apr 2024 14:11:27 +0000 Subject: [PATCH 104/251] upload windows package from correct path (#829) --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 63b7dd18..e5be2034 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -61,7 +61,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ steps.get_release.outputs.upload_url }} - asset_path: ${{ runner.workspace }}/downloads/windows-x64/ziti-edge-tunnel-Windows_AMD64.zip + asset_path: ${{ runner.workspace }}/downloads/windows-x64-mingw/ziti-edge-tunnel-Windows_AMD64.zip asset_name: ziti-edge-tunnel-Windows_x86_64.zip asset_content_type: application/octet-stream From c6df1d3403d1cc46220a8b6d4d0e0244b1af7ab6 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Apr 2024 22:19:11 +0000 Subject: [PATCH 105/251] Bump lewagon/wait-on-check-action from 1.3.1 to 1.3.4 Bumps [lewagon/wait-on-check-action](https://github.com/lewagon/wait-on-check-action) from 1.3.1 to 1.3.4. - [Release notes](https://github.com/lewagon/wait-on-check-action/releases) - [Commits](https://github.com/lewagon/wait-on-check-action/compare/v1.3.1...v1.3.4) --- updated-dependencies: - dependency-name: lewagon/wait-on-check-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/promote-downstreams.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/promote-downstreams.yml b/.github/workflows/promote-downstreams.yml index 97c1936b..4d620e53 100644 --- a/.github/workflows/promote-downstreams.yml +++ b/.github/workflows/promote-downstreams.yml @@ -20,7 +20,7 @@ jobs: uses: hmarr/debug-action@v2.1.0 - name: Wait for all checks on this ref - uses: lewagon/wait-on-check-action@v1.3.1 + uses: lewagon/wait-on-check-action@v1.3.4 with: ref: ${{ env.RELEASE_REF }} repo-token: ${{ secrets.GITHUB_TOKEN }} From 91102842f9f3aada074f30754c8980d3be6c4d29 Mon Sep 17 00:00:00 2001 
From: Shawn Carey Date: Fri, 12 Apr 2024 17:12:44 +0000 Subject: [PATCH 106/251] check dns response buffer as it is filled, and set truncate flag accordingly (#831) check dns response buffer as it is filled, and set truncate flag accordingly --- lib/ziti-tunnel-cbs/dns_host.c | 47 ++++++++++++++++++++++++++++++---- lib/ziti-tunnel-cbs/ziti_dns.c | 46 ++++++++++++++++++++++++++++----- 2 files changed, 81 insertions(+), 12 deletions(-) diff --git a/lib/ziti-tunnel-cbs/dns_host.c b/lib/ziti-tunnel-cbs/dns_host.c index 81ec7ef9..aeb16d5b 100644 --- a/lib/ziti-tunnel-cbs/dns_host.c +++ b/lib/ziti-tunnel-cbs/dns_host.c 
@@ -145,14 +145,50 @@ static int fmt_txt(const ns_msg *msg, const ns_rr* rr, dns_answer *ans, size_t m #else -void do_query(const dns_question *q, dns_message *resp, resolver_t *resolver) { - uint8_t resp_msg[PACKETSZ]; - int rc = res_nquery(resolver, q->name, ns_c_in, q->type, resp_msg, PACKETSZ); +static uint8_t *send_and_parse_query(const dns_question *q, int class, ns_msg *ans, resolver_t *resolver) { + int buf_sz = PACKETSZ; + uint8_t *resp_msg = NULL; + int rc; + + for (int attempt = 0; attempt < 2; attempt++) { // retry the query with a larger buffer if first attempt was truncated + resp_msg = calloc(buf_sz, sizeof(uint8_t)); + memset(ans, 0, sizeof(dns_question)); + rc = res_nquery(resolver, q->name, class, q->type, resp_msg, buf_sz); + if (rc < 0) { + ZITI_LOG(DEBUG, "res_query for %s failed", q->name); + break; + } + ns_initparse(resp_msg, rc, ans); + bool trunc = ns_msg_getflag(*ans, ns_f_tc); + if (!trunc) { + break; + } else { + if (attempt == 0) { + ZITI_LOG(DEBUG, "dns response truncated, repeating query with %d byte buffer", rc); + free(resp_msg); + resp_msg = NULL; + buf_sz = rc; // try again with large enough buffer + } else { + rc = -1; + } + } + } + if (rc < 0) { + free(resp_msg); + resp_msg = NULL; + } + + return resp_msg; +} + +void do_query(const dns_question *q, dns_message *resp, resolver_t *resolver) { + ns_msg ans = {0}; + uint8_t *resp_msg = send_and_parse_query(q, ns_c_in, &ans, resolver); + if (resp_msg == NULL) { resp->status = ns_r_servfail; + return; } else { - ns_msg ans = {0}; - ns_initparse(resp_msg, rc, &ans); resp->status = ns_msg_getflag(ans, ns_f_rcode); int rr_count = ns_msg_count(ans, ns_s_an); if (rr_count > 0) { @@ -172,6 +208,7 @@ void do_query(const dns_question *q, dns_message *resp, resolver_t *resolver) { } } } + free(resp_msg); } } diff --git a/lib/ziti-tunnel-cbs/ziti_dns.c b/lib/ziti-tunnel-cbs/ziti_dns.c index db0ff137..11d39218 100644 --- a/lib/ziti-tunnel-cbs/ziti_dns.c +++ b/lib/ziti-tunnel-cbs/ziti_dns.c 
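Review bot: `memset(ans, 0, sizeof(dns_question));` zeroes the wrong type: `ans` is an `ns_msg *`, so this either under-initialises it or, if dns_question is the larger struct, writes past it; it should be `memset(ans, 0, sizeof(*ans));`. `ns_initparse` is then run on a response from the upstream resolver without checking its return value, and with `rc` as the length even though the retry path assumes res_nquery reports the untruncated length on a truncated first attempt (`buf_sz = rc; // try again with large enough buffer`), in which case `rc` exceeds the buffer and the parser reads past it; `if (ns_initparse(resp_msg, rc < buf_sz ? rc : buf_sz, ans) < 0) { rc = -1; break; }` addresses both. The calloc result is also passed to res_nquery unchecked.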
@@ -40,9 +40,9 @@ typedef struct ziti_dns_client_s { struct dns_req { uint16_t id; size_t req_len; - uint8_t req[512]; + uint8_t req[4096]; size_t resp_len; - uint8_t resp[512]; + uint8_t resp[4096]; dns_message msg; @@ -426,7 +426,7 @@ const ip_addr_t *ziti_dns_register_hostname(const ziti_address *addr, void *inte } } -static const char DNS_OPT[] = { 0x0, 0x0, 0x29, 0x02, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }; +static const char DNS_OPT[] = { 0x0, 0x0, 0x29, 0x10, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0 }; #define DNS_HEADER_LEN 12 #define DNS_ID(p) ((uint8_t)(p)[0] << 8 | (uint8_t)(p)[1]) @@ -436,6 +436,7 @@ static const char DNS_OPT[] = { 0x0, 0x0, 0x29, 0x02, 0x0, 0x0, 0x0, 0x0, 0x0, 0 #define DNS_RD(p) ((p)[2] & 0x1) #define DNS_SET_RA(p) ((p)[3] = (p)[3] | 0x80) +#define DNS_SET_TC(p) ((p)[2] = (p)[2] | 0x2) #define DNS_SET_CODE(p,c) ((p)[3] = (p)[3] | ((c) & 0xf)) #define DNS_SET_ANS(p) ((p)[2] = (p)[2] | 0x80) #define DNS_SET_ARS(p,n) do{ (p)[6] = (n) >> 8; (p)[7] = (n) & 0xff; } while(0) @@ -487,12 +488,20 @@ static void format_resp(struct dns_req *req) { memcpy(req->resp + DNS_HEADER_LEN, req->req + DNS_HEADER_LEN, query_section_len); uint8_t *rp = req->resp + DNS_HEADER_LEN + query_section_len; + uint8_t *resp_end = req->resp + sizeof(req->resp); + bool truncated = false; if (req->msg.status == DNS_NO_ERROR && req->msg.answer != NULL) { int ans_count = 0; for (int i = 0; req->msg.answer[i] != NULL; i++) { ans_count++; dns_answer *a = req->msg.answer[i]; + + if (resp_end - rp < 10) { // 2 bytes for name ref, 2 for type, 2 for class, and 4 for ttl + truncated = true; + goto done; + } + // name ref *rp++ = 0xc0; *rp++ = 0x0c; @@ -505,6 +514,10 @@ static void format_resp(struct dns_req *req) { switch (a->type) { case NS_T_A: { + if (resp_end - rp < (2 + sizeof(req->addr.s_addr))) { + truncated = true; + goto done; + } SET_U16(rp, sizeof(req->addr.s_addr)); memcpy(rp, &req->addr.s_addr, sizeof(req->addr.s_addr)); rp += sizeof(req->addr.s_addr); 
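Review bot: `ans_count++` runs before any of the new size checks, and the per-type checks (in the next hunks) bail out after the 10-byte RR header has already been written without rewinding `rp`, so a truncated response carries an ANCOUNT that includes a partial record plus the partial bytes themselves; a client will reject that as malformed instead of retrying over TCP as the TC bit is meant to trigger. Remembering the start of the current RR and discarding it at `done:` keeps ANCOUNT and the wire bytes consistent; the `done:` block and the rest of format_resp are outside this hunk.
```c
    int ans_count = 0;
    uint8_t *rr_start = rp;   // start of the RR being written; rewound if it does not fit
    for (int i = 0; req->msg.answer[i] != NULL; i++) {
        ans_count++;
        dns_answer *a = req->msg.answer[i];
        rr_start = rp;
        // … unchanged: 10-byte header check, name ref/type/class/ttl, per-type RDATA checks …
    }
    done:
    if (truncated) {
        ZITI_LOG(DEBUG, "dns response truncated");
        rp = rr_start;   // drop the partially written RR
        ans_count--;     // and do not count it in ANCOUNT
        DNS_SET_TC(req->resp);
    }
    DNS_SET_ARS(req->resp, ans_count);
```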
@@ -514,6 +527,10 @@ static void format_resp(struct dns_req *req) { case NS_T_TXT: { uint16_t txtlen = strlen(a->data); uint16_t datalen = 1 + txtlen; + if (resp_end - rp < (3 + txtlen)) { + truncated = true; + goto done; + } SET_U16(rp, datalen); SET_U8(rp, txtlen); memcpy(rp, a->data, txtlen); @@ -523,8 +540,11 @@ static void format_resp(struct dns_req *req) { case NS_T_MX: { uint8_t *hold = rp; rp += 2; -// uint16_t datalen = strlen(a->data) + 1 + 2; -// SET_U16(rp, datalen); + uint16_t datalen_est = strlen(a->data) + 1; + if (resp_end - hold < (4 + datalen_est)) { + truncated = true; + goto done; + } SET_U16(rp, a->priority); rp = format_name(rp, a->data); uint16_t datalen = rp - hold - 2; @@ -534,6 +554,11 @@ static void format_resp(struct dns_req *req) { case NS_T_SRV: { uint8_t *hold = rp; rp += 2; + uint16_t datalen_est = strlen(a->data) + 1; + if (resp_end - hold < (8 + datalen_est)) { + truncated = true; + goto done; + } SET_U16(rp, a->priority); SET_U16(rp, a->weight); SET_U16(rp, a->port); @@ -546,12 +571,19 @@ static void format_resp(struct dns_req *req) { ZITI_LOG(WARN, "unhandled response type[%d]", a->type); } } + done: + if (truncated) { + ZITI_LOG(DEBUG, "dns response truncated"); + DNS_SET_TC(req->resp); + } DNS_SET_ARS(req->resp, ans_count); } DNS_SET_AARS(req->resp, 1); - memcpy(rp, DNS_OPT, sizeof(DNS_OPT)); - rp += sizeof(DNS_OPT); + if (resp_end - rp > 11) { + memcpy(rp, DNS_OPT, sizeof(DNS_OPT)); + rp += sizeof(DNS_OPT); + } req->resp_len = rp - req->resp; } From e9f655b14b2bd7c25f23ce3f60a2ea1f797bd36a Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Fri, 12 Apr 2024 17:28:43 +0000 Subject: [PATCH 107/251] get ziti-sdk-c 0.36.10 (#832) --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 1e61a586..32cb86c6 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
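Review bot: The MX and SRV size checks are one byte short if format_name emits the usual wire form (a length byte per label plus the root terminator), because a name without a trailing dot then occupies strlen+2 bytes while `datalen_est` assumes strlen+1: MX consumes 2+2+strlen+2 bytes from `hold` against a check of `4 + datalen_est` (strlen+5), and SRV consumes strlen+10 against strlen+9, so a one-byte overrun of `req->resp` is possible when the buffer is nearly full; `5 + datalen_est` and `9 + datalen_est` match the real usage. Separately, `DNS_SET_AARS(req->resp, 1)` is unconditional while the OPT record is only appended when more than 11 bytes remain, so with exactly `sizeof(DNS_OPT)` bytes left the response advertises ARCOUNT=1 with no record; use `>= (ptrdiff_t) sizeof(DNS_OPT)` and set ARCOUNT only when the record is actually written. format_resp's start is outside this hunk.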
@@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20) set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout") -set(ZITI_SDK_VERSION "0.36.9" CACHE STRING "ziti-sdk-c version or branch to use") +set(ZITI_SDK_VERSION "0.36.10" CACHE STRING "ziti-sdk-c version or branch to use") # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF) From 90b416d02392e00bd36055c5f83b486ef33cef94 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Fri, 26 Apr 2024 15:30:36 +0000 Subject: [PATCH 108/251] get ziti-sdk-c 0.36.11 / tlsuv 0.28.5 (#836) --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 32cb86c6..c3f5cacb 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20) set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout") -set(ZITI_SDK_VERSION "0.36.10" CACHE STRING "ziti-sdk-c version or branch to use") +set(ZITI_SDK_VERSION "0.36.11" CACHE STRING "ziti-sdk-c version or branch to use") # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF) From 94b479fb3fae32c99668354ad3d84af8663fd8fb Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Mon, 29 Apr 2024 20:20:00 +0000 Subject: [PATCH 109/251] wait for systemd tun device unit to be active before configuring dns (#837) --- .../netif_driver/linux/resolvers.c | 55 +++++++++++++++++-- .../netif_driver/linux/resolvers.h | 2 +- .../ziti-edge-tunnel/netif_driver/linux/tun.c | 2 +- 3 files changed, 52 insertions(+), 7 deletions(-) diff --git a/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c b/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c index 8e8ec923..031f055f 100644 --- a/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c 
+++ b/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.c @@ -328,7 +328,53 @@ static bool set_systemd_resolved_link_setting(sd_bus *bus, const char *tun, cons return true; } -bool try_libsystemd_resolver(void) { +// wait for systemd to recognize the tun device before configuring, lest the configuration get overwritten +static bool wait_for_tun(const char *name, sd_bus *bus, unsigned int timeout_ms) { + const unsigned int delay_ms = 250; + char systemd_path[128]; + unsigned int iterations = timeout_ms / delay_ms; + bool active = false; + snprintf(systemd_path, sizeof(systemd_path), "/org/freedesktop/systemd1/unit/sys_2dsubsystem_2dnet_2ddevices_2d%s_2edevice", name); + + ZITI_LOG(DEBUG, "waiting %d ms for systemd path '%s' to become active", timeout_ms, systemd_path); + + for (int count = 0; count < iterations && active == false; count++, uv_sleep(delay_ms)) { + sd_bus_message *message = NULL; + + int r = sd_bus_get_property_f( + bus, + "org.freedesktop.systemd1", + systemd_path, + "org.freedesktop.systemd1.Unit", + "ActiveState", + NULL, + &message, + "s" + ); + if (r < 0) { + ZITI_LOG(VERBOSE, "failed to get ActiveState property: %s", strerror(-r)); + continue; + } + + const char *state = NULL; + r = sd_bus_message_read_f(message, "s", &state); + if (r < 0) { + ZITI_LOG(VERBOSE, "failed to read property: %s", strerror(-r)); + } else { + if (state) { + ZITI_LOG(DEBUG, "device state (c=%d): %s", count, state); + if (strcmp(state, "active") == 0) { + active = true; + } + } + } + sd_bus_message_unref_f(message); + } + + return false; +} + +bool try_libsystemd_resolver(const char *tun_name) { uv_once(&guard, init_libsystemd); if (!libsystemd_dl_success) { return false; 
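Review bot: wait_for_tun always ends with `return false;`, even after `active` has been set to true, so its result can never tell the caller whether the device became active; it should be `return active;` (the call in the next hunk discards the value anyway, so today the only effect is the delay). The object path is built with `snprintf` from the raw device name, but systemd encodes every byte outside [A-Za-z0-9] as `_XX` (the literal already does this for `-` and `.`), so a tun name containing such a character yields a path that never resolves and the wait silently burns the full 3 s timeout; unless tun names are restricted elsewhere, the name needs the same escaping. Minor: `timeout_ms` is unsigned but logged with `%d`, and the signed `count` is compared with the unsigned `iterations`.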
@@ -347,15 +393,14 @@ bool try_libsystemd_resolver(void) { r = sd_bus_open_system_f(&bus); if ((r >= 0) && (sd_bus_is_bus_client_f(bus) > 0)) { ZITI_LOG(DEBUG, "Connected to system DBus"); + wait_for_tun(tun_name, bus, 3000); r = sd_bus_is_acquired_name(bus, RESOLVED_DBUS_NAME); if (r != 0) { ZITI_LOG(WARN, "libsystemd resolver unsuccessful. Falling back to legacy resolvers"); return false; } - if (r == 0) { - ZITI_LOG(INFO, "systemd-resolved selected as DNS resolver manager"); - return true; - } + ZITI_LOG(INFO, "systemd-resolved selected as DNS resolver manager"); + return true; } else { ZITI_LOG(DEBUG, "Could not create system DBus client"); } diff --git a/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.h b/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.h index b4c5dec7..b5a35d78 100644 --- a/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.h +++ b/programs/ziti-edge-tunnel/netif_driver/linux/resolvers.h @@ -46,7 +46,7 @@ #endif #ifndef EXCLUDE_LIBSYSTEMD_RESOLVER -bool try_libsystemd_resolver(void); +bool try_libsystemd_resolver(const char *tun_name); #endif bool is_systemd_resolved_primary_resolver(void); bool is_resolvconf_systemd_resolved(void); diff --git a/programs/ziti-edge-tunnel/netif_driver/linux/tun.c b/programs/ziti-edge-tunnel/netif_driver/linux/tun.c index c7ce5e14..b0f290e7 100644 --- a/programs/ziti-edge-tunnel/netif_driver/linux/tun.c +++ b/programs/ziti-edge-tunnel/netif_driver/linux/tun.c @@ -245,7 +245,7 @@ static void dns_update_systemd_resolve(const char* tun, unsigned int ifindex, co static void find_dns_updater() { #ifndef EXCLUDE_LIBSYSTEMD_RESOLVER - if(try_libsystemd_resolver()) { + if(try_libsystemd_resolver(dns_maintainer.tun_name)) { dns_updater = dns_update_systemd_resolved; return; } From 364e9c80b228ed2ab953de772e278ca972a92a24 Mon Sep 17 00:00:00 2001 
From: Kenneth Bingham Date: Mon, 29 Apr 2024 16:27:32 -0400 Subject: [PATCH 110/251] say 'tunneler' consistently --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 077b8070..5d75dd2a 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ that are useful to Ziti Tunnelers. ## What's a Ziti Tunneler? -[The main article about tunnellers is here](https://openziti.io/docs/reference/tunnelers/linux/). Editors may follow the +[The main article about tunnelers is here](https://openziti.io/docs/reference/tunnelers/linux/). Editors may follow the "Edit this page" link on every page. ## What is the Ziti Tunneler SDK? From 2c115c6b36c02dab9a31aacbbdbc3169508044e6 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Mon, 29 Apr 2024 20:33:04 +0000 Subject: [PATCH 111/251] build with gcc 14 (#838) * build with gcc 14 * get ziti-sdk-c 0.36.12 for gcc 14 compatibility --- CMakeLists.txt | 2 +- lib/ziti-tunnel/ziti_tunnel.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index c3f5cacb..6e6fce9f 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20) set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout") -set(ZITI_SDK_VERSION "0.36.11" CACHE STRING "ziti-sdk-c version or branch to use") +set(ZITI_SDK_VERSION "0.36.12" CACHE STRING "ziti-sdk-c version or branch to use") # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF) diff --git a/lib/ziti-tunnel/ziti_tunnel.c b/lib/ziti-tunnel/ziti_tunnel.c index d0963165..dcb02f9f 100644 --- a/lib/ziti-tunnel/ziti_tunnel.c +++ b/lib/ziti-tunnel/ziti_tunnel.c 
@@ -557,7 +557,7 @@ static void run_packet_loop(uv_loop_t *loop, tunneler_context tnlr_ctx) { } uv_timer_init(loop, &tnlr_ctx->lwip_timer_req); - uv_unref(&tnlr_ctx->lwip_timer_req); + uv_unref((uv_handle_t *) &tnlr_ctx->lwip_timer_req); uv_timer_start(&tnlr_ctx->lwip_timer_req, check_lwip_timeouts, 0, 10); } From fe59c8fc3c61ac5062c012674f28d89cd1edd15c Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Wed, 15 May 2024 17:04:12 -0400 Subject: [PATCH 112/251] expose ZITI_IDENTITY_DIR as a new configurable representing the persistence mountpoint --- docker/Dockerfile.ziti-host | 3 ++- docker/docker-entrypoint.sh | 38 ++++++++++++++++++------------------- 2 files changed, 20 insertions(+), 21 deletions(-) diff --git a/docker/Dockerfile.ziti-host b/docker/Dockerfile.ziti-host index 9742bef4..85995e85 100644 --- a/docker/Dockerfile.ziti-host +++ b/docker/Dockerfile.ziti-host @@ -1,6 +1,7 @@ # this builds docker.io/openziti/ziti-host -ARG ZITI_EDGE_TUNNEL_TAG="latest" ARG ZITI_EDGE_TUNNEL_IMAGE="docker.io/openziti/ziti-edge-tunnel" +ARG ZITI_EDGE_TUNNEL_TAG="latest" + # this builds docker.io/openziti/ziti-host FROM ${ZITI_EDGE_TUNNEL_IMAGE}:${ZITI_EDGE_TUNNEL_TAG} diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh index 36f382e5..8b9f8667 100755 --- a/docker/docker-entrypoint.sh +++ b/docker/docker-entrypoint.sh @@ -31,7 +31,7 @@ function alldone() { trap alldone SIGTERM SIGINT EXIT unset \ - IDENTITIES_DIR \ + ZITI_IDENTITY_DIR \ IDENTITY_FILE \ JSON_FILES \ JWT_CANDIDATE \ 
@@ -58,36 +58,34 @@ if [[ -z "${ZITI_IDENTITY_WAIT:-}" && -n "${NF_REG_WAIT:-}" ]]; then ZITI_IDENTITY_WAIT="${NF_REG_WAIT}" fi -# if identity env vars are defined then do not look for mounted identities +# assign default identities dir if not set; this is a writeable path within the container image +: "${ZITI_IDENTITY_DIR:="/ziti-edge-tunnel"}" + +# if enrolled identity JSON is provided then write it to a file in the identities dir if [[ -n "${ZITI_IDENTITY_JSON:-}" ]]; then - IDENTITIES_DIR="/tmp/openziti" - # shellcheck disable=SC2174 - mkdir -pm0700 "${IDENTITIES_DIR}" if [[ -z "${ZITI_IDENTITY_BASENAME:-}" ]]; then ZITI_IDENTITY_BASENAME="ziti_id" fi - IDENTITY_FILE="${IDENTITIES_DIR}/${ZITI_IDENTITY_BASENAME}.json" + IDENTITY_FILE="${ZITI_IDENTITY_DIR}/${ZITI_IDENTITY_BASENAME}.json" if [[ -s "${IDENTITY_FILE}" ]]; then echo "WARN: clobbering non-empty Ziti identity file ${IDENTITY_FILE} with contents of env var ZITI_IDENTITY_JSON" >&2 fi echo "${ZITI_IDENTITY_JSON}" > "${IDENTITY_FILE}" +# if an enrollment token is provided then write it to a file in the identities dir so it will be found in the next step +# and used to enroll elif [[ -n "${ZITI_ENROLL_TOKEN:-}" ]]; then - IDENTITIES_DIR="/tmp/openziti" - # shellcheck disable=SC2174 - mkdir -pm0700 "${IDENTITIES_DIR}" if [[ -z "${ZITI_IDENTITY_BASENAME:-}" ]]; then ZITI_IDENTITY_BASENAME="ziti_id" fi - JWT_FILE="${IDENTITIES_DIR}/${ZITI_IDENTITY_BASENAME}.jwt" + JWT_FILE="${ZITI_IDENTITY_DIR}/${ZITI_IDENTITY_BASENAME}.jwt" if [[ -s "${JWT_FILE}" ]]; then echo "WARN: clobbering non-empty Ziti enrollment token file ${JWT_FILE} with contents of env var ZITI_ENROLL_TOKEN" >&2 fi echo "${ZITI_ENROLL_TOKEN}" > "${JWT_FILE}" +# otherwise, assume the identities dir is a mounted volume with identity files or tokens else - # presumed to be a mountpoint for one or more identities - IDENTITIES_DIR="/ziti-edge-tunnel" - if ! 
[[ -d "${IDENTITIES_DIR}" ]]; then - echo "ERROR: need directory ${IDENTITIES_DIR} to find tokens and identities" >&2 + if ! [[ -d "${ZITI_IDENTITY_DIR}" ]]; then + echo "ERROR: need directory ${ZITI_IDENTITY_DIR} to find tokens and identities" >&2 exit 1 fi fi @@ -96,7 +94,7 @@ typeset -a TUNNEL_OPTS # if identity basename is specified then look for an identity file with that name, else load all identities in the # identities dir mountpoint if [[ -n "${ZITI_IDENTITY_BASENAME:-}" ]]; then - : "${IDENTITY_FILE:=${IDENTITIES_DIR}/${ZITI_IDENTITY_BASENAME}.json}" + : "${IDENTITY_FILE:=${ZITI_IDENTITY_DIR}/${ZITI_IDENTITY_BASENAME}.json}" TUNNEL_OPTS=("--identity" "${IDENTITY_FILE}") # if wait is specified then wait for the identity file or token to appear @@ -122,7 +120,7 @@ if [[ -n "${ZITI_IDENTITY_BASENAME:-}" ]]; then echo "DEBUG: identity file ${IDENTITY_FILE} not found" for dir in "/var/run/secrets/netfoundry.io/enrollment-token" \ "/enrollment-token" \ - "${IDENTITIES_DIR}"; do + "${ZITI_IDENTITY_DIR}"; do JWT_CANDIDATE="${dir}/${ZITI_IDENTITY_BASENAME}.jwt" if [[ -s "${JWT_CANDIDATE}" ]]; then JWT_FILE="${JWT_CANDIDATE}" @@ -161,12 +159,12 @@ if [[ -n "${ZITI_IDENTITY_BASENAME:-}" ]]; then # tokens else typeset -a JSON_FILES - mapfile -t JSON_FILES < <(ls -1 "${IDENTITIES_DIR}"/*.json) + mapfile -t JSON_FILES < <(ls -1 "${ZITI_IDENTITY_DIR}"/*.json) if [[ ${#JSON_FILES[*]} -gt 0 ]]; then - echo "INFO: loading ${#JSON_FILES[*]} identities from ${IDENTITIES_DIR}" - TUNNEL_OPTS=("--identity-dir" "${IDENTITIES_DIR}") + echo "INFO: loading ${#JSON_FILES[*]} identities from ${ZITI_IDENTITY_DIR}" + TUNNEL_OPTS=("--identity-dir" "${ZITI_IDENTITY_DIR}") else - echo "ERROR: ZITI_IDENTITY_BASENAME not set and zero identities found in ${IDENTITIES_DIR}" >&2 + echo "ERROR: ZITI_IDENTITY_BASENAME not set and zero identities found in ${ZITI_IDENTITY_DIR}" >&2 exit 1 fi fi From 23a588d8be5d44245d29a19f4054ae03fa127136 Mon Sep 17 00:00:00 2001 
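Review bot: In the `ZITI_IDENTITY_JSON` and `ZITI_ENROLL_TOKEN` branches the removed `mkdir -pm0700 "${IDENTITIES_DIR}"` has no replacement, so `echo "${ZITI_IDENTITY_JSON}" > "${IDENTITY_FILE}"` and `echo "${ZITI_ENROLL_TOKEN}" > "${JWT_FILE}"` now fail with a bare redirect error when a caller overrides `ZITI_IDENTITY_DIR` with a directory that does not yet exist, while the `need directory ...` check only runs in the final `else`. The file written here is an enrolled identity (which typically embeds the client's private key) or an enrollment token, so the mode-restricted directory the old code guaranteed is worth keeping: follow `: "${ZITI_IDENTITY_DIR:="/ziti-edge-tunnel"}"` with `mkdir -pm0700 "${ZITI_IDENTITY_DIR}"` (with the `shellcheck disable=SC2174` line that accompanied it). Whether `set -e` is active for this script is not visible in the hunk, so the failure mode without the directory may be a later confusing error rather than an immediate exit. The identity file's own mode still follows the umask, as it did before the change.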
From: Kenneth Bingham Date: Wed, 15 May 2024 17:09:49 -0400 Subject: [PATCH 113/251] fix defect where IDENTITY_FILE could be inherited from parent env --- docker/docker-entrypoint.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh index 8b9f8667..5137dccc 100755 --- a/docker/docker-entrypoint.sh +++ b/docker/docker-entrypoint.sh @@ -58,7 +58,7 @@ if [[ -z "${ZITI_IDENTITY_WAIT:-}" && -n "${NF_REG_WAIT:-}" ]]; then ZITI_IDENTITY_WAIT="${NF_REG_WAIT}" fi -# assign default identities dir if not set; this is a writeable path within the container image +# assign default identity dir if not set in parent env; this is a writeable path within the container image : "${ZITI_IDENTITY_DIR:="/ziti-edge-tunnel"}" # if enrolled identity JSON is provided then write it to a file in the identities dir @@ -94,7 +94,7 @@ typeset -a TUNNEL_OPTS # if identity basename is specified then look for an identity file with that name, else load all identities in the # identities dir mountpoint if [[ -n "${ZITI_IDENTITY_BASENAME:-}" ]]; then - : "${IDENTITY_FILE:=${ZITI_IDENTITY_DIR}/${ZITI_IDENTITY_BASENAME}.json}" + IDENTITY_FILE="${ZITI_IDENTITY_DIR}/${ZITI_IDENTITY_BASENAME}.json}" TUNNEL_OPTS=("--identity" "${IDENTITY_FILE}") # if wait is specified then wait for the identity file or token to appear From 1f34dcb97b01230c73b0aa69101ff37faee7f70c Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Thu, 23 May 2024 11:04:53 -0400 Subject: [PATCH 114/251] remove stray closing brace --- docker/docker-entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh index 5137dccc..2c3c3155 100755 --- a/docker/docker-entrypoint.sh +++ b/docker/docker-entrypoint.sh 
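Review bot: The new assignment `IDENTITY_FILE="${ZITI_IDENTITY_DIR}/${ZITI_IDENTITY_BASENAME}.json}"` carries a stray `}` left over from the old `${...:=...}` form, so the path now ends in `.json}` and the `--identity` option built from it points at a file that does not exist. It should read `IDENTITY_FILE="${ZITI_IDENTITY_DIR}/${ZITI_IDENTITY_BASENAME}.json"`. The following patch in this series makes exactly that correction, so the defect only affects this intermediate commit.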
@@ -94,7 +94,7 @@ typeset -a TUNNEL_OPTS # if identity basename is specified then look for an identity file with that name, else load all identities in the # identities dir mountpoint if [[ -n "${ZITI_IDENTITY_BASENAME:-}" ]]; then - IDENTITY_FILE="${ZITI_IDENTITY_DIR}/${ZITI_IDENTITY_BASENAME}.json}" + IDENTITY_FILE="${ZITI_IDENTITY_DIR}/${ZITI_IDENTITY_BASENAME}.json" TUNNEL_OPTS=("--identity" "${IDENTITY_FILE}") # if wait is specified then wait for the identity file or token to appear From c339a15b217fdcd7d18bc76bdfc23251c37a02ee Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Thu, 23 May 2024 11:05:36 -0400 Subject: [PATCH 115/251] move log format documentation to ziti-doc --- docker/README.md | 1 - docker/docker-compose.yml | 1 - 2 files changed, 2 deletions(-) diff --git a/docker/README.md b/docker/README.md index 0d39bcd4..b5efa523 100644 --- a/docker/README.md +++ b/docker/README.md @@ -274,7 +274,6 @@ services: - /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket environment: - ZITI_IDENTITY_BASENAME=ziti_id - - PFXLOG_NO_JSON=true # suppress JSON logging network_mode: host privileged: true ``` diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index 6a6f5a03..0f4fb2b4 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml @@ -10,7 +10,6 @@ x-base-service: &base-service environment: - ZITI_IDENTITY_BASENAME # inherit when run like this: ZITI_IDENTITY_BASENAME=AcmeIdentity docker-compose up ziti-tun - ZITI_ENROLL_TOKEN # ZITI_IDENTITY_BASENAME=AcmeIdentity ZITI_ENROLL_TOKEN={JWT} docker-compose up ziti-tun - - PFXLOG_NO_JSON=true # suppress JSON logging network_mode: host # use the Docker host's network, not the Docker bridge privileged: true From ee8c959effc6f939c6c08918b737a2a319c92ce7 Mon Sep 17 00:00:00 2001 
From: Shawn Carey Date: Wed, 5 Jun 2024 14:07:01 +0000 Subject: [PATCH 116/251] support using http proxy for outbound connections (#845) * support http proxy for controller and ER connections * support http proxy for host.v1 configurations --- CMakeLists.txt | 2 +- lib/ziti-tunnel-cbs/ziti_hosting.c | 98 ++++++++++++++++---- lib/ziti-tunnel-cbs/ziti_hosting.h | 3 + programs/ziti-edge-tunnel/ziti-edge-tunnel.c | 81 ++++++++++++++-- 4 files changed, 156 insertions(+), 28 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 6e6fce9f..ad360941 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20) set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout") -set(ZITI_SDK_VERSION "0.36.12" CACHE STRING "ziti-sdk-c version or branch to use") +set(ZITI_SDK_VERSION "1.0.2" CACHE STRING "ziti-sdk-c version or branch to use") # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF) diff --git a/lib/ziti-tunnel-cbs/ziti_hosting.c b/lib/ziti-tunnel-cbs/ziti_hosting.c index 3ce7215f..9747399a 100644 --- a/lib/ziti-tunnel-cbs/ziti_hosting.c +++ b/lib/ziti-tunnel-cbs/ziti_hosting.c @@ -28,6 +28,7 @@ #include #include #include "ziti_hosting.h" +#include "tlsuv/tlsuv.h" #if _WIN32 #ifndef strcasecmp 
@@ -182,10 +183,10 @@ static void on_hosted_client_connect_complete(ziti_connection clt, int err) { uv_getnameinfo_t req = {0}; uv_getnameinfo(io_ctx->service->loop, &req, NULL, name, NI_NUMERICHOST|NI_NUMERICSERV); uv_os_fd_t fd; - uv_fileno((uv_handle_t *) &io_ctx->server, &fd); + uv_fileno(server, &fd); ZITI_LOG(DEBUG, "hosted_service[%s] client[%s] local_addr[%s:%s] fd[%d] server[%s] connected %d", io_ctx->service->service_name, io_ctx->client_identity, req.host, req.service, fd, io_ctx->resolved_dst, len); - int rc = ziti_conn_bridge(clt, (uv_handle_t *) &io_ctx->server, on_bridge_close); + int rc = ziti_conn_bridge(clt, server, on_bridge_close); if (rc != 0) { ZITI_LOG(ERROR, "failed to bridge client[%s] with hosted_service[%s] laddr[%s:%s] fd[%d]: %s", io_ctx->client_identity, io_ctx->service->service_name, @@ -198,6 +199,25 @@ static void on_hosted_client_connect_complete(ziti_connection clt, int err) { } } + +static void complete_hosted_tcp_connection(hosted_io_context io_ctx) { + ZITI_LOG(DEBUG, "hosted_service[%s], client[%s]: connected to server %s", io_ctx->service->service_name, + io_ctx->client_identity, io_ctx->resolved_dst); + + uv_tcp_t *tcp = &io_ctx->server.tcp; + + if (uv_tcp_keepalive(tcp, 1, KEEPALIVE_DELAY) != 0) { + ZITI_LOG(WARN, "hosted_service[%s], client[%s]: failed to set TCP keepalive", + io_ctx->service->service_name, io_ctx->client_identity); + } + if (uv_tcp_nodelay(tcp, 1) != 0) { + ZITI_LOG(WARN, "hosted_service[%s], client[%s]: failed to set TCP nodelay", + io_ctx->service->service_name, io_ctx->client_identity); + } + + ziti_accept(io_ctx->client, on_hosted_client_connect_complete, NULL); +} + /** * called by libuv when a connection is established (or failed) with a TCP server * 
@@ -207,7 +227,8 @@ static void on_hosted_client_connect_complete(ziti_connection clt, int err) { static void on_hosted_tcp_server_connect_complete(uv_connect_t *c, int status) { if (c == NULL || c->handle == NULL || c->handle->data == NULL) { ZITI_LOG(ERROR, "null handle or io_ctx"); - // todo get out + if (c) free(c); + return; } struct hosted_io_ctx_s *io_ctx = c->handle->data; if (io_ctx->client == NULL) { @@ -224,24 +245,33 @@ static void on_hosted_tcp_server_connect_complete(uv_connect_t *c, int status) { free(c); return; } - ZITI_LOG(DEBUG, "hosted_service[%s], client[%s]: connected to server %s", io_ctx->service->service_name, - io_ctx->client_identity, io_ctx->resolved_dst); + complete_hosted_tcp_connection(io_ctx); + free(c); +} - uv_tcp_t *tcp = &io_ctx->server.tcp; - - if (uv_tcp_keepalive(tcp, 1, KEEPALIVE_DELAY) != 0) { - ZITI_LOG(WARN, "hosted_service[%s], client[%s]: failed to set TCP keepalive", - io_ctx->service->service_name, io_ctx->client_identity); +/** + * called by tlsuv when a proxy connection to a hosted tcp server is established (or failed) + */ +static void on_proxy_connect(uv_os_sock_t sock, int status, void *ctx) { + hosted_io_context io = ctx; + + if (status != 0) { + ZITI_LOG(ERROR, "proxy connect failed: %s (e=%d)", uv_strerror(status), status); + hosted_server_close(io); + return; } - if (uv_tcp_nodelay(tcp, 1) != 0) { - ZITI_LOG(WARN, "hosted_service[%s], client[%s]: failed to set TCP nodelay", - io_ctx->service->service_name, io_ctx->client_identity); + + int uv_err = uv_tcp_open(&io->server.tcp, sock); + if (uv_err != 0) { + ZITI_LOG(ERROR, "uv_tcp_open failed: %s (e=%d)", uv_strerror(uv_err), uv_err); + hosted_server_close(io); + return; } - - ziti_accept(io_ctx->client, on_hosted_client_connect_complete, NULL); - free(c); + + complete_hosted_tcp_connection(io); } + static int get_protocol_id(const char *protocol) { if (strcasecmp(protocol, "tcp") == 0) { return IPPROTO_TCP; 
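Review bot: In `on_proxy_connect`, when `uv_tcp_open(&io->server.tcp, sock)` fails the descriptor `sock` handed over by the connector is neither adopted by libuv nor closed, so it leaks on that path unless tlsuv keeps ownership after the callback (worth confirming against the connector contract). Closing it before `hosted_server_close(io)`, using the `#if _WIN32` split this file already has for `closesocket` versus `close`, would fix that. It is also not visible in this hunk whether `io->server.tcp` has been through `uv_tcp_init` on the proxy path before `uv_tcp_open` and `hosted_server_close` touch it — the non-proxy path presumably initializes it in the resolve callback — so a comment at the `uv_tcp_open` call naming where the init happens would help the next reader.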
@@ -595,11 +625,24 @@ static void on_hosted_client_connect(ziti_connection serv, ziti_connection clt, hints.ai_socktype = protocol_number == IPPROTO_UDP ? SOCK_DGRAM : SOCK_STREAM; hints.ai_flags = AI_NUMERICSERV; if (is_ip) hints.ai_flags |= AI_NUMERICHOST; + ziti_conn_set_data(clt, io); + + if (service_ctx->proxy_connector) { + if (protocol_number == IPPROTO_TCP) { + ZITI_LOG(DEBUG, "hosted_service[%s] client[%s] dst_addr[%s:%s:%s] connecting through proxy %s", + service_ctx->service_name, io->client_identity, protocol, ip_or_hn, port, service_ctx->proxy_addr); + service_ctx->proxy_connector->connect(service_ctx->loop, service_ctx->proxy_connector, ip_or_hn, port, + on_proxy_connect, io); + } else { + ZITI_LOG(WARN, "hosted_service[%s] client[%s] cannot use proxy for udp. dropping connection", + service_ctx->service_name, io->client_identity); + hosted_server_close(io); + } + return; + } uv_getaddrinfo_t *ai_req = calloc(1, sizeof(uv_getaddrinfo_t)); ai_req->data = io; - ziti_conn_set_data(clt, io); - int s = uv_getaddrinfo(service_ctx->loop, ai_req, on_hosted_client_connect_resolved, ip_or_hn, port, &hints); if (s != 0) { ZITI_LOG(ERROR, "hosted_service[%s] client[%s]: getaddrinfo(%s:%s:%s) failed: %s", 
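Review bot: The proxy branch in `on_hosted_client_connect` discards the result of `service_ctx->proxy_connector->connect(...)`; if the connector can report a synchronous failure through its return value (its signature is not visible here), the client connection `clt` is left neither accepted nor closed and `io` is never released. Checking the return and calling `hosted_server_close(io)` on failure, as the UDP branch already does, would close that gap. `hints` is also fully populated before the early `return`, which is harmless but reads as if the proxy path still resolves the address; moving the proxy check above the `hints` setup would make the two paths clearer. The function starts and ends outside this hunk.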
@@ -841,6 +884,25 @@ host_ctx_t *ziti_sdk_c_host(void *ziti_ctx, uv_loop_t *loop, const char *service memcpy(&a->za, allowed_src_addrs[i], sizeof(a->za)); STAILQ_INSERT_TAIL(&host_ctx->allowed_source_addresses, a, entries); } + + if (host_v1_cfg->proxy.type == ziti_proxy_server_type_http) { + const char *addr = host_v1_cfg->proxy.address; + if (addr != NULL && addr[0] != '\0') { + struct tlsuv_url_s url = {0}; + if (tlsuv_parse_url(&url, addr) == 0) { + host_ctx->proxy_addr = host_v1_cfg->proxy.address; + char host[128], port[6]; + snprintf(host, sizeof(host), "%.*s", (int) url.hostname_len, url.hostname); + snprintf(port, sizeof(port), "%d", url.port); + host_ctx->proxy_connector = tlsuv_new_proxy_connector(tlsuv_PROXY_HTTP, host, port); + } else { + ZITI_LOG(ERROR, "hosted_service[%s] could not parse host.v1 proxy address '%s' as ':'", + host_ctx->service_name, host_v1_cfg->proxy.address); + free_hosted_service_ctx(host_ctx); + return NULL; + } + } + } } break; case SERVER_CFG_V1: { diff --git a/lib/ziti-tunnel-cbs/ziti_hosting.h b/lib/ziti-tunnel-cbs/ziti_hosting.h index c9deb10d..eef80175 100644 --- a/lib/ziti-tunnel-cbs/ziti_hosting.h +++ b/lib/ziti-tunnel-cbs/ziti_hosting.h @@ -21,6 +21,7 @@ #ifndef ZITI_TUNNEL_SDK_C_ZITI_HOSTING_H #define ZITI_TUNNEL_SDK_C_ZITI_HOSTING_H #include +#include "tlsuv/http.h" // allowed address is one of: // - ip subnet address // - DNS name or wildcard @@ -58,6 +59,8 @@ struct hosted_service_ctx_s { uint16_t port; } port_u; address_list_t allowed_source_addresses; + char *proxy_addr; + tlsuv_connector_t *proxy_connector; }; struct tunneled_service_s { diff --git a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c index b4198ace..405b8c7e 100644 --- a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c +++ b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c 
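Review bot: In the host.v1 proxy setup, `snprintf(host, sizeof(host), "%.*s", ...)` and `snprintf(port, sizeof(port), "%d", url.port)` silently truncate a hostname longer than 127 bytes or an out-of-range port, so an over-long proxy hostname yields a connector aimed at a different host with no error; compare each `snprintf` return value against the buffer size and take the existing `ZITI_LOG(ERROR, ...)`/`free_hosted_service_ctx(host_ctx); return NULL;` path when it does not fit. `host_ctx->proxy_addr = host_v1_cfg->proxy.address;` stores the config's pointer rather than a copy — if `host_v1_cfg` is released before `host_ctx` (not visible here), the DEBUG log in `on_hosted_client_connect` reads a dangling pointer; `strdup` plus a matching `free` in `free_hosted_service_ctx` (which should also release `proxy_connector` through whatever tlsuv provides for that) avoids the question. The return of `tlsuv_new_proxy_connector` is stored without a NULL check, and the header hunk adding `proxy_addr`/`proxy_connector` to `hosted_service_ctx_s` does not show a corresponding cleanup.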
@@ -133,7 +133,6 @@ static LIST_HEAD(ipc_list, ipc_conn_s) ipc_clients_list = LIST_HEAD_INITIALIZER( static long refresh_metrics = 5000; static long metrics_latency = 5000; static char* configured_cidr; - static char *config_dir = NULL; static uv_pipe_t cmd_server; @@ -1807,6 +1806,7 @@ static struct option run_options[] = { { "refresh", required_argument, NULL, 'r'}, { "dns-ip-range", required_argument, NULL, 'd'}, { "dns-upstream", required_argument, NULL, 'u'}, + { "proxy", required_argument, NULL, 'x' }, }; static struct option run_host_options[] = { @@ -1814,6 +1814,7 @@ static struct option run_host_options[] = { { "identity-dir", required_argument, NULL, 'I'}, { "verbose", required_argument, NULL, 'v'}, { "refresh", required_argument, NULL, 'r'}, + { "proxy", required_argument, NULL, 'x' }, }; #ifndef DEFAULT_DNS_CIDR 
@@ -1822,12 +1823,53 @@ static struct option run_host_options[] = { static const char* dns_upstream = NULL; static bool host_only = false; +#include "tlsuv/http.h" + +static int init_proxy_connector(const char *url) { + if (url == NULL) url = getenv("HTTP_PROXY"); + if (url == NULL) url = getenv("http_proxy"); + if (url == NULL) { + ZITI_LOG(DEBUG, "proxy_url not set"); + return 0; + } + + struct tlsuv_url_s proxy_url; + int r = tlsuv_parse_url(&proxy_url, url); + if (r == 0 && proxy_url.scheme != NULL) { + } else { + ZITI_LOG(ERROR, "failed to parse '%s' as 'type://[username[:password]@]hostname:port'", url); + return -1; + } + + if (strncmp(proxy_url.scheme, "http", proxy_url.scheme_len) != 0) { + ZITI_LOG(ERROR, "proxy type '%.*s' is not supported. 'http' is currently the only supported type", + (int)proxy_url.scheme_len, proxy_url.scheme); + return -1; + } + + char host[128], port[6]; + snprintf(host, sizeof(host), "%.*s", (int)proxy_url.hostname_len, proxy_url.hostname); + snprintf(port, sizeof(port), "%d", proxy_url.port); + tlsuv_connector_t *proxy = tlsuv_new_proxy_connector(tlsuv_PROXY_HTTP, host, port); + if (proxy_url.username) { + char user[128], passwd[128]; + snprintf(user, sizeof(user), "%.*s", (int)proxy_url.username_len, proxy_url.username); + snprintf(passwd, sizeof(passwd), "%.*s", (int)proxy_url.password_len, proxy_url.password); + proxy->set_auth(proxy, tlsuv_PROXY_BASIC, user, passwd); + } + ZITI_LOG(INFO, "connecting to OpenZiti controller and edge routers through proxy '%s:%s'", host, port); + tlsuv_set_global_connector(proxy); + + return 0; +} + static int run_opts(int argc, char *argv[]) { int c, option_index, errors = 0; optind = 0; bool identity_provided = false; + const char *proxy_arg = NULL; - while ((c = getopt_long(argc, argv, "i:I:v:r:d:u:", + while ((c = getopt_long(argc, argv, "i:I:v:r:d:u:x:", run_options, &option_index)) != -1) { switch (c) { case 'i': { 
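Review bot: The scheme check `strncmp(proxy_url.scheme, "http", proxy_url.scheme_len) != 0` compares only `scheme_len` characters, so a scheme of `h`, `ht` or `htt` is accepted as http; `if (proxy_url.scheme_len != 4 || strncmp(proxy_url.scheme, "http", 4) != 0)` pins the full token (the same line survives unchanged in the "assume http" hunk of patch 117 later on this page). When a URL carries a username but no password, `proxy_url.password` is presumably NULL given the `[username[:password]@]` format, and `snprintf(passwd, ..., "%.*s", (int)proxy_url.password_len, proxy_url.password)` then passes a null pointer to `%s`, which is undefined behaviour even with a zero precision; guard it with `proxy_url.password ? proxy_url.password : ""`. `tlsuv_new_proxy_connector` is dereferenced at `proxy->set_auth` with no NULL check, and the `host[128]`/`port[6]` truncation from `snprintf` goes unchecked as in the hosting code. A credential supplied through `-x` is visible to every local user in the process list for the life of the process; the `HTTP_PROXY` fallback added here is the better channel for that case and the help text could say so. The `#include "tlsuv/http.h"` placed between static definitions belongs with the other includes at the top of the file.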
@@ -1855,6 +1897,9 @@ static int run_opts(int argc, char *argv[]) { case 'u': dns_upstream = optarg; break; + case 'x': + proxy_arg = optarg; + break; default: { ZITI_LOG(ERROR, "Unknown option '%c'", c); errors++; @@ -1863,6 +1908,10 @@ static int run_opts(int argc, char *argv[]) { } } + if (init_proxy_connector(proxy_arg) != 0) { + errors++; + } + CHECK_COMMAND_ERRORS(errors); printf("About to run tunnel service... %s", main_cmd.name); @@ -1876,7 +1925,7 @@ static int run_host_opts(int argc, char *argv[]) { optind = 0; bool identity_provided = false; - while ((c = getopt_long(argc, argv, "i:I:v:r:", + while ((c = getopt_long(argc, argv, "i:I:v:r:x:", run_host_options, &option_index)) != -1) { switch (c) { case 'i': { @@ -2102,16 +2151,18 @@ static char* config_file; static int parse_enroll_opts(int argc, char *argv[]) { static struct option opts[] = { - {"jwt", required_argument, NULL, 'j'}, - {"identity", required_argument, NULL, 'i'}, - {"key", required_argument, NULL, 'k'}, - {"cert", required_argument, NULL, 'c'}, - { "name", required_argument, NULL, 'n'} + { "jwt", required_argument, NULL, 'j'}, + { "identity", required_argument, NULL, 'i'}, + { "key", required_argument, NULL, 'k'}, + { "cert", required_argument, NULL, 'c'}, + { "name", required_argument, NULL, 'n'}, + { "proxy", required_argument, NULL, 'x' }, }; int c, option_index, errors = 0; + const char *proxy_arg = NULL; optind = 0; - while ((c = getopt_long(argc, argv, "j:i:k:c:n:", + while ((c = getopt_long(argc, argv, "j:i:k:c:n:x:", opts, &option_index)) != -1) { switch (c) { case 'j': @@ -2133,6 +2184,9 @@ static int parse_enroll_opts(int argc, char *argv[]) { case 'i': config_file = optarg; break; + case 'x': + proxy_arg = optarg; + break; default: { fprintf(stderr, "Unknown option '%c'\n", c); errors++; 
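Review bot: `run_host_opts` now accepts `x:` in its `getopt_long` string, but no hunk between this one and `parse_enroll_opts` adds a `case 'x'` to its switch or a call to `init_proxy_connector`, so `run-host --proxy URL` would presumably land in the `default:` "Unknown option" branch and count as an error while the `run_host_cmd` help text advertises the flag. Mirroring the `run_opts` changes — `case 'x': proxy_arg = optarg; break;` in the switch and `if (init_proxy_connector(proxy_arg) != 0) errors++;` before `CHECK_COMMAND_ERRORS` — would make the two commands consistent. The body of `run_host_opts` is largely outside this hunk, so confirm against the full function.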
@@ -2141,6 +2195,10 @@ static int parse_enroll_opts(int argc, char *argv[]) { } } + if (init_proxy_connector(proxy_arg) != 0) { + errors++; + } + if (enroll_opts.jwt == NULL || config_file == NULL) { errors++; } @@ -2952,6 +3010,7 @@ static int add_identity_opts(int argc, char *argv[]) { static CommandLine enroll_cmd = make_command("enroll", "enroll Ziti identity", "-j|--jwt -i|--identity [-k|--key [-c|--cert ]] [-n|--name ]", "\t-j|--jwt\tenrollment token file\n" + "\t-x|--proxy type://[username[:password]@]hostname_or_ip:port\tproxy to use when connecting to OpenZiti controller. 'http' is currently the only supported type." "\t-i|--identity\toutput identity file\n" "\t-k|--key\tprivate key for enrollment\n" "\t-c|--cert\tcertificate for enrollment\n" @@ -2961,6 +3020,8 @@ static CommandLine run_cmd = make_command("run", "run Ziti tunnel (required supe "-i [-r N] [-v N] [-d|--dns-ip-range N.N.N.N/n]", "\t-i|--identity \trun with provided identity file (required)\n" "\t-I|--identity-dir \tload identities from provided directory\n" + "\t-x|--proxy type://[username[:password]@]hostname_or_ip:port\tproxy to use when" + " connecting to OpenZiti controller and edge routers. 'http' is currently the only supported type." "\t-v|--verbose N\tset log level, higher level -- more verbose (default 3)\n" "\t-r|--refresh N\tset service polling interval in seconds (default 10)\n" "\t-d|--dns-ip-range \tspecify CIDR block in which service DNS names" 
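Review bot: The new `-x|--proxy` help lines in `enroll_cmd` and `run_cmd` end without `\n`, unlike every neighbouring line, so the proxy description is concatenated with the following `\t-i|--identity` / `\t-v|--verbose` entry when the help is printed; the same is true of the `run_host_cmd` string in the next hunk. Terminate each with a newline, e.g. `"\t-x|--proxy type://[username[:password]@]hostname_or_ip:port\tproxy to use when connecting to OpenZiti controller. 'http' is currently the only supported type.\n"`. The usage summary strings (`"-j|--jwt -i|--identity ..."`, `"-i [-r N] [-v N] ..."`) were not extended with the new option either.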
@@ -2970,6 +3031,8 @@ static CommandLine run_host_cmd = make_command("run-host", "run Ziti tunnel to h "-i [-r N] [-v N]", "\t-i|--identity \trun with provided identity file (required)\n" "\t-I|--identity-dir \tload identities from provided directory\n" + "\t-x|--proxy [username[:password]@]hostname_or_ip:port\tproxy to use when" + " connecting to OpenZiti controller and edge routers" "\t-v|--verbose N\tset log level, higher level -- more verbose (default 3)\n" "\t-r|--refresh N\tset service polling interval in seconds (default 10)\n", run_host_opts, run); From 33b8af72e7367e14ca94ae201e8dc415ce130866 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Wed, 5 Jun 2024 20:35:13 +0000 Subject: [PATCH 117/251] Assume http proxy if type is not specified (#847) * assume proxy type is "http" if not specified * get tlsuv 0.29.4 for errcode fixes --- CMakeLists.txt | 2 +- programs/ziti-edge-tunnel/ziti-edge-tunnel.c | 9 +++++++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index ad360941..e3e9878d 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20) set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout") -set(ZITI_SDK_VERSION "1.0.2" CACHE STRING "ziti-sdk-c version or branch to use") +set(ZITI_SDK_VERSION "1.0.3" CACHE STRING "ziti-sdk-c version or branch to use") # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF) diff --git a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c index 405b8c7e..8c51d6d1 100644 --- a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c +++ b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c 
@@ -1835,12 +1835,17 @@ static int init_proxy_connector(const char *url) { struct tlsuv_url_s proxy_url; int r = tlsuv_parse_url(&proxy_url, url); - if (r == 0 && proxy_url.scheme != NULL) { - } else { + if (r != 0) { ZITI_LOG(ERROR, "failed to parse '%s' as 'type://[username[:password]@]hostname:port'", url); return -1; } + // assume http if no protocol was specified + if (proxy_url.scheme == NULL) { + proxy_url.scheme = "http"; + proxy_url.scheme_len = strlen(proxy_url.scheme); + } + if (strncmp(proxy_url.scheme, "http", proxy_url.scheme_len) != 0) { ZITI_LOG(ERROR, "proxy type '%.*s' is not supported. 'http' is currently the only supported type", (int)proxy_url.scheme_len, proxy_url.scheme); From d59812aa7997589b627e8bc19149f908431f822e Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Wed, 5 Jun 2024 21:02:15 +0000 Subject: [PATCH 118/251] initialize ziti logger before command line parsing (#846) * initalize ziti logger before command line parsing --- programs/ziti-edge-tunnel/instance.c | 3 + programs/ziti-edge-tunnel/ziti-edge-tunnel.c | 60 ++++++++++---------- 2 files changed, 34 insertions(+), 29 deletions(-) diff --git a/programs/ziti-edge-tunnel/instance.c b/programs/ziti-edge-tunnel/instance.c index 58d1a063..2f55b1d1 100644 --- a/programs/ziti-edge-tunnel/instance.c +++ b/programs/ziti-edge-tunnel/instance.c @@ -772,6 +772,9 @@ int get_log_level(const char* log_level) { return (int) strtol(loglvl, NULL, 10); } } + if (isdigit(log_level[0])) { + return (int) strtol(log_level, NULL, 10); + } int lvl = 0; int num_levels = sizeof(level_labels) / sizeof(const char *); for (int i = 0;i < num_levels; i++) { diff --git a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c index 8c51d6d1..1c9595c7 100644 --- a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c +++ b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c 
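Review bot: In `get_log_level`, `isdigit(log_level[0])` passes a plain `char`; where `char` is signed, a non-ASCII first byte becomes a negative argument, which is undefined behaviour for the `<ctype.h>` functions (CERT STR37-C). Write it as `if (isdigit((unsigned char) log_level[0]))`. The start of the function is outside this hunk, so whether `log_level` can still be NULL at this point — the preceding branch appears to handle the `loglvl` environment fallback — is worth confirming before indexing it; `strtol(log_level, NULL, 10)` also accepts trailing garbage such as `3x` silently, consistent with the existing `loglvl` branch but worth a comment if intended.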
@@ -132,7 +132,8 @@ static LIST_HEAD(ipc_list, ipc_conn_s) ipc_clients_list = LIST_HEAD_INITIALIZER( static long refresh_metrics = 5000; static long metrics_latency = 5000; -static char* configured_cidr; +static char *configured_cidr = NULL; +static char *configured_log_level = NULL; static char *config_dir = NULL; static uv_pipe_t cmd_server; @@ -147,7 +148,7 @@ static const ziti_tunnel_ctrl *CMD_CTRL; static bool started_by_scm = false; static bool tunnel_interrupted = false; -uv_loop_t *main_ziti_loop; +uv_loop_t *ziti_loop = NULL; tunneler_context tunneler; static uv_mutex_t stop_mutex; static uv_cond_t stop_cond; @@ -256,7 +257,7 @@ static void on_command_resp(const tunnel_result* result, void *ctx) { } if (model_map_size(&hostnamesToRemove) > 0) { - remove_nrpt_rules(main_ziti_loop, &hostnamesToRemove); + remove_nrpt_rules(ziti_loop, &hostnamesToRemove); } } @@ -546,7 +547,7 @@ static bool process_tunnel_commands(const tunnel_command *tnl_cmd, command_cb cb add_id_req->identifier_file_name = strdup(new_identifier_name); add_id_req->jwt_content = strdup(tunnel_add_identity_cmd.jwtContent); - enroll_ziti_async(main_ziti_loop, add_id_req); + enroll_ziti_async(ziti_loop, add_id_req); free_tunnel_add_identity(&tunnel_add_identity_cmd); return true; } @@ -568,7 +569,7 @@ static bool process_tunnel_commands(const tunnel_command *tnl_cmd, command_cb cb if (!stop_windows_service()) { ZITI_LOG(INFO, "Could not send stop signal to scm, Tunnel must not be started as service"); stop_tunnel_and_cleanup(); - uv_stop(main_ziti_loop); + uv_stop(ziti_loop); } } free_tunnel_service_control(&tunnel_service_control_opts); 
@@ -1319,13 +1320,13 @@ static void on_event(const base_event *ev) { } } if (model_map_size(&hostnamesToEdit) > 0 && !is_host_only()) { - remove_and_add_nrpt_rules(main_ziti_loop, &hostnamesToEdit, get_dns_ip()); + remove_and_add_nrpt_rules(ziti_loop, &hostnamesToEdit, get_dns_ip()); } if (model_map_size(&hostnamesToAdd) > 0 && !is_host_only()) { - add_nrpt_rules(main_ziti_loop, &hostnamesToAdd, get_dns_ip()); + add_nrpt_rules(ziti_loop, &hostnamesToAdd, get_dns_ip()); } if (model_map_size(&hostnamesToRemove) > 0 && !is_host_only()) { - remove_nrpt_rules(main_ziti_loop, &hostnamesToRemove); + remove_nrpt_rules(ziti_loop, &hostnamesToRemove); } #endif @@ -1889,7 +1890,8 @@ static int run_opts(int argc, char *argv[]) { identity_provided = true; break; case 'v': - setenv("ZITI_LOG", optarg, true); + configured_log_level = optarg; + ziti_log_set_level(get_log_level(optarg), NULL); break; case 'r': { unsigned long interval = strtoul(optarg, NULL, 10); @@ -1945,7 +1947,8 @@ static int run_host_opts(int argc, char *argv[]) { identity_provided = true; break; case 'v': - setenv("ZITI_LOG", optarg, true); + configured_log_level = optarg; + ziti_log_set_level(get_log_level(optarg), NULL); break; case 'r': { unsigned long interval = strtoul(optarg, NULL, 10); @@ -1990,9 +1993,6 @@ static void interrupt_handler(int sig) { #endif static void run(int argc, char *argv[]) { - setenv("UV_THREADPOOL_SIZE", "8", 0); - uv_loop_t *ziti_loop = uv_default_loop(); - main_ziti_loop = ziti_loop; uv_cond_init(&stop_cond); uv_mutex_init(&stop_mutex); 
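Review bot: The removed `setenv("UV_THREADPOOL_SIZE", "8", 0);` in `run()` is not re-added in the new `main()` initialization later in this commit, where `uv_default_loop()` now lives; unless it is set elsewhere, the libuv thread pool used by `uv_getaddrinfo` and file work falls back to the library default from this commit on. If the drop is intentional, a comment at the new `ziti_loop = uv_default_loop();` should record it; if not, restore the `setenv` before the first `uv_default_loop()` call, since libuv reads the variable when the pool is first initialized. The `case 'v'` handling (`configured_log_level = optarg; ziti_log_set_level(get_log_level(optarg), NULL);`) is now duplicated verbatim in `run_opts` and `run_host_opts`; a small static helper would keep the two in step.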
@@ -2001,15 +2001,13 @@ static void run(int argc, char *argv[]) { //set log level in precedence: command line flag (-v/--verbose) -> env var (ZITI_LOG) -> config file int log_level = get_log_level(NULL); - //initialize logger to INFO here. logger will be set further down #if _WIN32 + // initialize log function here. level will be set further down log_init(ziti_loop); - ziti_log_init(ziti_loop, INFO, ziti_log_writer); + ziti_log_set_logger(ziti_log_writer); remove_all_nrpt_rules(); signal(SIGINT, interrupt_handler); -#else - ziti_log_init(ziti_loop, log_level, NULL); #endif // generate tunnel status instance and save active state and start time @@ -2086,20 +2084,17 @@ static void run(int argc, char *argv[]) { } #endif - // set log level from instance/config, if NULL is returned, the default log level will be used - const char* log_lvl = get_log_level_label(); - if (log_lvl != NULL) { - ziti_log_set_level_by_label(log_lvl); + if (configured_log_level == NULL) { + // set log level from instance/config, if NULL is returned, the default log level will be used + const char *log_lvl = get_log_level_label(); + if (log_lvl != NULL) { + ziti_log_set_level_by_label(log_lvl); + } } - ziti_tunnel_set_log_level(get_log_level(log_lvl)); + ziti_tunnel_set_log_level(ziti_log_level(NULL, NULL)); set_log_level(ziti_log_level_label()); ziti_tunnel_set_logger(ziti_logger); - if (ziti_loop == NULL) { - ZITI_LOG(ERROR, "failed to initialize default uv loop"); - exit(EXIT_FAILURE); - } - int rc; if (is_host_only()) { rc = run_tunnel_host_mode(ziti_loop); @@ -2259,7 +2254,7 @@ static int write_close(FILE *fp, const uv_buf_t *data) static void enroll(int argc, char *argv[]) { uv_loop_t *l = uv_loop_new(); int log_level = get_log_level(NULL); - ziti_log_init(l, log_level, NULL); + ziti_log_set_level(log_level, NULL); if (config_file == 0) { ZITI_LOG(ERROR, "output file option(-i|--identity) is required"); 
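Review bot: After dropping the `#else ziti_log_init(ziti_loop, log_level, NULL);` branch, the `int log_level = get_log_level(NULL);` that remains as context in `run()` has no consumer visible in this hunk on either platform; if nothing later in the function reads it, it is now dead (and a `-Wunused-variable` warning) and should go, with the precedence comment above it updated to say the level is applied in `main()` and by `-v`. In `enroll()`, `ziti_log_set_level(log_level, NULL)` now relies on the logger having been initialized in `main()`; a one-line comment there saying so would spare the next reader the search.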
@@ -3036,7 +3031,7 @@ static CommandLine run_host_cmd = make_command("run-host", "run Ziti tunnel to h "-i [-r N] [-v N]", "\t-i|--identity \trun with provided identity file (required)\n" "\t-I|--identity-dir \tload identities from provided directory\n" - "\t-x|--proxy [username[:password]@]hostname_or_ip:port\tproxy to use when" + "\t-x|--proxy type://[username[:password]@]hostname_or_ip:port\tproxy to use when" " connecting to OpenZiti controller and edge routers" "\t-v|--verbose N\tset log level, higher level -- more verbose (default 3)\n" "\t-r|--refresh N\tset service polling interval in seconds (default 10)\n", @@ -3296,6 +3291,13 @@ int main(int argc, char *argv[]) { } #endif + ziti_loop = uv_default_loop(); + if (ziti_loop == NULL) { + ZITI_LOG(ERROR, "failed to initialize default uv loop"); + exit(EXIT_FAILURE); + } + + ziti_log_init(ziti_loop, get_log_level(NULL), NULL); commandline_run(&main_cmd, argc, argv); return 0; } From afe442f4f015cb5a91097347b7b0e87270901bec Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Fri, 7 Jun 2024 10:28:08 +0000 Subject: [PATCH 119/251] get ziti-sdk-c 1.0.4 (#848) --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index e3e9878d..4f4ee62b 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20) set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout") -set(ZITI_SDK_VERSION "1.0.3" CACHE STRING "ziti-sdk-c version or branch to use") +set(ZITI_SDK_VERSION "1.0.4" CACHE STRING "ziti-sdk-c version or branch to use") # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF) From 03905e1abe48dea773c816cc11bea3eb4d78c2b9 Mon Sep 17 00:00:00 2001 
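Review bot: The `-x|--proxy` help line still has no terminating `\n`: the literal `" connecting to OpenZiti controller and edge routers"` is immediately followed by `"\t-v|--verbose N..."`, so the proxy and verbose descriptions print as one line; change it to `" connecting to OpenZiti controller and edge routers\n"`. Since the new syntax documents `[username[:password]@]`, the help text should also say that credentials given as a command-line argument are visible to other local users in the process list, so operators know the exposure before choosing that form.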
From: eugene Date: Fri, 7 Jun 2024 17:03:01 -0400 Subject: [PATCH 120/251] allow builds with any tags --- .github/workflows/cmake.yml | 4 +++- .github/workflows/draft-release.yml | 1 + CMakeLists.txt | 28 +++++++++++++++++++++++++--- 3 files changed, 29 insertions(+), 4 deletions(-) diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml index d7f1a39a..cd9106ab 100644 --- a/.github/workflows/cmake.yml +++ b/.github/workflows/cmake.yml @@ -2,7 +2,9 @@ name: CI build on: pull_request: - branches: [ main ] + branches: + - main + - release-* workflow_dispatch: workflow_call: diff --git a/.github/workflows/draft-release.yml b/.github/workflows/draft-release.yml index a095d8f7..806fa856 100644 --- a/.github/workflows/draft-release.yml +++ b/.github/workflows/draft-release.yml @@ -4,6 +4,7 @@ on: push: branches: - main + - release-1.x jobs: update_release_draft: diff --git a/CMakeLists.txt b/CMakeLists.txt index 4f4ee62b..ca906f62 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -19,7 +19,7 @@ if(NOT GIT_VERSION AND GIT_FOUND) message("Found Git executable \"${GIT_EXECUTABLE}\".") # Generate a git-describe version string from Git repository tags execute_process( - COMMAND ${GIT_EXECUTABLE} describe --tags --dirty=-local --match "v*" + COMMAND ${GIT_EXECUTABLE} describe --long --tags WORKING_DIRECTORY ${CMAKE_BINARY_DIR} OUTPUT_VARIABLE GIT_VERSION RESULT_VARIABLE GIT_ERROR_CODE 
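Review bot: Dropping `--dirty=-local` from the `git describe` command means a build from a modified working tree now yields the same `GIT_VERSION` as a clean checkout of that commit, so the version string no longer tells you whether a binary matches the tagged source; if matching arbitrary tags is the goal, `COMMAND ${GIT_EXECUTABLE} describe --long --tags --dirty=-local` keeps both properties. Removing `--match "v*"` is presumably intentional per the subject, but any non-version tag (for example one created for CI) will now become `PROJECT_TAG` and feed the semver parsing in the `@@ -42` hunk below.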
@@ -42,7 +42,17 @@ if(NOT GIT_VERSION) set(PROJECT_SEMVER "${DUMMY_SEMVER}") message(WARNING "GIT_VERSION not set. Using dummy PROJECT_SEMVER: \"${PROJECT_SEMVER}\", GIT_VERSION: \"${GIT_VERSION}\".") else() - string(REGEX MATCH "([0-9]+\\.[0-9]+\\.[0-9]+)" PROJECT_SEMVER "${GIT_VERSION}") + # tag-tweak-slug + string(REGEX REPLACE "(.*)-([0-9]+)-(.*)" "\\1" PROJECT_TAG "${GIT_VERSION}") + string(REGEX REPLACE "(.*)-([0-9]+)-(.*)" "\\2" PROJECT_TWEAK "${GIT_VERSION}") + string(REGEX REPLACE "(.*)-([0-9]+)-(.*)" "\\3" PROJECT_SLUG "${GIT_VERSION}") + + # extract semver from pre-release tags like 2.0.0-alpha + string(REGEX MATCH "([0-9]+.[0-9]+.[0-9]+)" PROJECT_SEMVER ${PROJECT_TAG}) + + message(NOTICE "tag = ${PROJECT_TAG}") + message(NOTICE "tweak = ${PROJECT_TWEAK}") + message(NOTICE "slug = ${PROJECT_SLUG}") if(NOT PROJECT_SEMVER) set(PROJECT_SEMVER "${DUMMY_SEMVER}") message(WARNING "SEMVER could not be parsed from GIT_VERSION: ${GIT_VERSION}. Setting to PROJECT_SEMVER: ${PROJECT_SEMVER}") @@ -64,10 +74,22 @@ if((NOT DISABLE_SEMVER_VERIFICATION) AND PROJECT_SEMVER VERSION_EQUAL "${DUMMY_S message(FATAL_ERROR "SEMVER Verification failed. A valid SEMVER is required for correct package version composition. To override, set DISABLE_SEMVER_VERIFICATION=ON.") endif() +unset(GIT_VERSION CACHE) +if (PROJECT_TWEAK STREQUAL "0") + set(GIT_VERSION ${PROJECT_TAG}) +else () + set(GIT_VERSION "${PROJECT_TAG}.${PROJECT_TWEAK}") +endif () + project(ziti-tunnel-sdk-c - VERSION "${PROJECT_SEMVER}" + DESCRIPTION "OpenZiti tunneler SDK" + HOMEPAGE_URL "https://github.com/openziti/ziti-tunneler-sdk-c" LANGUAGES C CXX) +set(PROJECT_VERSION ${version}) +message(NOTICE "ver = ${PROJECT_VERSION}" +) + if(NOT BUILD_DIST_PACKAGES) include(CPack) set(CPACK_PACKAGE_VENDOR "NetFoundry") From 1095fa9a40f7a91d9c2ee12d0ba5b744ff1abaa9 Mon Sep 17 00:00:00 2001 
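Review bot: The replacement semver pattern `"([0-9]+.[0-9]+.[0-9]+)"` leaves the dots unescaped, so `.` matches any character and a tag like `1-2-3` or `1x2y3` is accepted, unlike the removed `\\.` form; use `"([0-9]+\\.[0-9]+\\.[0-9]+)"`. The three `REGEX REPLACE` calls also assume the `tag-N-gHASH` shape produced by `--long`; when the pattern does not match, CMake leaves the input unchanged, so `PROJECT_TAG`, `PROJECT_TWEAK` and `PROJECT_SLUG` all become the full string and `PROJECT_TWEAK STREQUAL "0"` in the `@@ -64` hunk is never true. Guarding with `if(GIT_VERSION MATCHES "^(.*)-([0-9]+)-(.*)$")` and reading `CMAKE_MATCH_1..3` makes both cases explicit. `${PROJECT_TAG}` is also unquoted in the `string(REGEX MATCH ...)` call, so an empty value would drop an argument and turn into a CMake error instead of the intended fallback to `DUMMY_SEMVER`.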
From: eugene Date: Fri, 7 Jun 2024 17:21:53 -0400 Subject: [PATCH 121/251] cleanup --- CMakeLists.txt | 5 ----- 1 file changed, 5 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index ca906f62..17f64cc9 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -50,9 +50,6 @@ else() # extract semver from pre-release tags like 2.0.0-alpha string(REGEX MATCH "([0-9]+.[0-9]+.[0-9]+)" PROJECT_SEMVER ${PROJECT_TAG}) - message(NOTICE "tag = ${PROJECT_TAG}") - message(NOTICE "tweak = ${PROJECT_TWEAK}") - message(NOTICE "slug = ${PROJECT_SLUG}") if(NOT PROJECT_SEMVER) set(PROJECT_SEMVER "${DUMMY_SEMVER}") message(WARNING "SEMVER could not be parsed from GIT_VERSION: ${GIT_VERSION}. Setting to PROJECT_SEMVER: ${PROJECT_SEMVER}") @@ -87,8 +84,6 @@ project(ziti-tunnel-sdk-c LANGUAGES C CXX) set(PROJECT_VERSION ${version}) -message(NOTICE "ver = ${PROJECT_VERSION}" -) if(NOT BUILD_DIST_PACKAGES) include(CPack) From 1971efc551cf9ae959194681f96247d7ce6edcc0 Mon Sep 17 00:00:00 2001 From: eugene Date: Fri, 7 Jun 2024 17:23:19 -0400 Subject: [PATCH 122/251] set project_version --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 17f64cc9..69cec7a6 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -83,7 +83,7 @@ project(ziti-tunnel-sdk-c HOMEPAGE_URL "https://github.com/openziti/ziti-tunneler-sdk-c" LANGUAGES C CXX) -set(PROJECT_VERSION ${version}) +set(PROJECT_VERSION ${GIT_VERSION}) if(NOT BUILD_DIST_PACKAGES) include(CPack) From 1416e2a6917b070e49fe38e23aa425216d6197e4 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Tue, 11 Jun 2024 20:44:26 +0000 Subject: [PATCH 123/251] initialize logger after command line parsing; use fprintf before then (#850) * initialize logger after command line parsing. use fprintf before then --- programs/ziti-edge-tunnel/ziti-edge-tunnel.c | 44 +++++++++++--------- 1 file changed, 25 insertions(+), 19 deletions(-) 
diff --git a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c index 1c9595c7..8defe199 100644 --- a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c +++ b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c @@ -134,6 +134,7 @@ static long refresh_metrics = 5000; static long metrics_latency = 5000; static char *configured_cidr = NULL; static char *configured_log_level = NULL; +static char *configured_proxy = NULL; static char *config_dir = NULL; static uv_pipe_t cmd_server; @@ -1873,7 +1874,6 @@ static int run_opts(int argc, char *argv[]) { int c, option_index, errors = 0; optind = 0; bool identity_provided = false; - const char *proxy_arg = NULL; while ((c = getopt_long(argc, argv, "i:I:v:r:d:u:x:", run_options, &option_index)) != -1) { @@ -1891,7 +1891,6 @@ static int run_opts(int argc, char *argv[]) { break; case 'v': configured_log_level = optarg; - ziti_log_set_level(get_log_level(optarg), NULL); break; case 'r': { unsigned long interval = strtoul(optarg, NULL, 10); @@ -1905,23 +1904,19 @@ static int run_opts(int argc, char *argv[]) { dns_upstream = optarg; break; case 'x': - proxy_arg = optarg; + configured_proxy = optarg; break; default: { - ZITI_LOG(ERROR, "Unknown option '%c'", c); + fprintf(stderr, "Unknown option '%c'\n", c); errors++; break; } } } - if (init_proxy_connector(proxy_arg) != 0) { - errors++; - } - CHECK_COMMAND_ERRORS(errors); - printf("About to run tunnel service... %s", main_cmd.name); + fprintf(stderr, "About to run tunnel service... %s\n", main_cmd.name); ziti_set_app_info(main_cmd.name, ziti_tunneler_version()); return optind; 
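Review bot: `fprintf(stderr, "Unknown option '%c'\n", c);` in the `default:` branch of `run_opts` prints `c`, which for an unrecognized option is the `'?'` that `getopt_long` returns rather than the offending character; `optopt` carries the actual short option (`fprintf(stderr, "Unknown option '%c'\n", optopt);`), and for unknown long options getopt_long has already printed its own diagnostic unless `opterr` is cleared. The same line appears in `run_host_opts` in the next hunk. Moving `init_proxy_connector` out of this function is fine, but the `-x` value now sits in the file-level `configured_proxy` until `run()`/`enroll()` consume it; since it may carry `username:password`, it should stay out of any status or log output.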
@@ -1948,15 +1943,17 @@ static int run_host_opts(int argc, char *argv[]) { break; case 'v': configured_log_level = optarg; - ziti_log_set_level(get_log_level(optarg), NULL); break; case 'r': { unsigned long interval = strtoul(optarg, NULL, 10); ziti_set_refresh_interval(interval); break; } + case 'x': + configured_proxy = optarg; + break; default: { - ZITI_LOG(ERROR, "Unknown option '%c'", c); + fprintf(stderr, "Unknown option '%c'\n", c); errors++; break; } @@ -1969,7 +1966,7 @@ static int run_host_opts(int argc, char *argv[]) { CHECK_COMMAND_ERRORS(errors); - printf("About to run tunnel service that hosts services... %s", main_cmd.name); + fprintf(stderr, "About to run tunnel service that hosts services... %s\n", main_cmd.name); ziti_set_app_info(main_cmd.name, ziti_tunneler_version()); host_only = true; @@ -1999,17 +1996,20 @@ static void run(int argc, char *argv[]) { initialize_instance_config(); //set log level in precedence: command line flag (-v/--verbose) -> env var (ZITI_LOG) -> config file - int log_level = get_log_level(NULL); + int log_level = get_log_level(configured_log_level); + log_writer log_fn = NULL; #if _WIN32 // initialize log function here. level will be set further down log_init(ziti_loop); - ziti_log_set_logger(ziti_log_writer); + log_fn = ziti_log_writer; remove_all_nrpt_rules(); signal(SIGINT, interrupt_handler); #endif + ziti_log_init(ziti_loop, log_level, log_fn); + // generate tunnel status instance and save active state and start time if (config_dir != NULL) { set_identifier_path(config_dir); @@ -2095,6 +2095,10 @@ static void run(int argc, char *argv[]) { set_log_level(ziti_log_level_label()); ziti_tunnel_set_logger(ziti_logger); + if (init_proxy_connector(configured_proxy) != 0) { + exit(1); + } + int rc; if (is_host_only()) { rc = run_tunnel_host_mode(ziti_loop); 
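Review bot: The new `case 'x':` in `run_host_opts` is only reachable if the `getopt_long` option string for this function contains `x:` and the long-option table has a matching `proxy` entry; that call is above the hunk and not visible here, while the `run_opts` string in the earlier hunk is `"i:I:v:r:d:u:x:"`. If it was not updated, `-x` still lands in `default:` and `configured_proxy` stays NULL in host mode even though the `run-host` usage text already advertises `-x|--proxy`.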
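Review bot: `exit(1);` after a failed `init_proxy_connector(configured_proxy)` in `run()` uses a bare constant while the equivalent check added to `enroll()` in the next hunk uses `exit(EXIT_FAILURE)`; use `EXIT_FAILURE` in both. It is also not visible whether `init_proxy_connector` reports why it failed; if it does not, emit a `ZITI_LOG(ERROR, "failed to initialize proxy connector")` before exiting, since the logger is initialized by this point in `run()`. `run()` continues outside the hunk.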
@@ -2253,8 +2257,11 @@ static int write_close(FILE *fp, const uv_buf_t *data) static void enroll(int argc, char *argv[]) { uv_loop_t *l = uv_loop_new(); - int log_level = get_log_level(NULL); - ziti_log_set_level(log_level, NULL); + int log_level = get_log_level(configured_log_level); + ziti_log_init(ziti_loop, log_level, NULL); + if (init_proxy_connector(configured_proxy) != 0) { + exit(EXIT_FAILURE); + } if (config_file == 0) { ZITI_LOG(ERROR, "output file option(-i|--identity) is required"); @@ -2383,7 +2390,7 @@ void send_message_to_pipe(uv_stream_t *pipe, char *msg) { void on_connect(uv_connect_t* connect, int status){ if (status < 0) { - fprintf(stderr, "failed to connect: %d/%s", status, uv_strerror(status)); + fprintf(stderr, "failed to connect: %d/%s\n", status, uv_strerror(status)); free(connect->data); } else { int res = uv_read_start((uv_stream_t *) connect->handle, cmd_alloc, on_response); @@ -2417,7 +2424,7 @@ static void send_message_to_tunnel(char* message) { uv_loop_t* loop = connect_and_send_cmd(sockfile, connect, &client_handle); if (loop == NULL) { - fprintf(stderr, "Cannot run UV loop, loop is null"); + fprintf(stderr, "Cannot run UV loop, loop is null\n"); return; } @@ -3297,7 +3304,6 @@ int main(int argc, char *argv[]) { exit(EXIT_FAILURE); } - ziti_log_init(ziti_loop, get_log_level(NULL), NULL); commandline_run(&main_cmd, argc, argv); return 0; } From 7a351296df3799f7487b2136404239ebddf64dc2 Mon Sep 17 00:00:00 2001 From: eugene Date: Tue, 4 Jun 2024 17:02:49 -0400 Subject: [PATCH 124/251] pull ziti-sdk-c@2.0.0-alpha --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 69cec7a6..0b3f3c78 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
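Review bot: `ziti_log_init(ziti_loop, log_level, NULL);` in `enroll()` binds the logger to the global default loop while the function creates its own `uv_loop_t *l = uv_loop_new();` on the line above, which is what the removed call received; if `enroll` only runs `l` (the rest of the function is outside the hunk), any loop-driven work the logger registers on `ziti_loop` never executes, and if `l` has no remaining use it is now a leaked loop. Either pass `l` as before or drop `l`. With `ziti_log_init` removed from `main()` in the last hunk, any subcommand other than `run`/`run-host`/`enroll` that calls `ZITI_LOG` now does so before the logger is initialized, which is worth confirming the SDK tolerates.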
@@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20) set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout") -set(ZITI_SDK_VERSION "1.0.4" CACHE STRING "ziti-sdk-c version or branch to use") +set(ZITI_SDK_VERSION "2.0.0-alpha" CACHE STRING "ziti-sdk-c version or branch to use") # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF) From c02c5d70d8770b09cfdf8ea85576ba3cc18d53ee Mon Sep 17 00:00:00 2001 From: eugene Date: Fri, 7 Jun 2024 14:56:37 -0400 Subject: [PATCH 125/251] ziti-sdk-c@2.0.0-alpha1 --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 0b3f3c78..f060d811 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20) set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout") -set(ZITI_SDK_VERSION "2.0.0-alpha" CACHE STRING "ziti-sdk-c version or branch to use") +set(ZITI_SDK_VERSION "2.0.0-alpha1" CACHE STRING "ziti-sdk-c version or branch to use") # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF) From 3cc8a19a5d2219a7a09853e39cefd79318c08bae Mon Sep 17 00:00:00 2001 From: eugene Date: Wed, 12 Jun 2024 11:08:43 -0400 Subject: [PATCH 126/251] update to ziti-sdk-c@2.0.0-alpha2 --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index f060d811..cb6f5b51 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20) set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout") -set(ZITI_SDK_VERSION "2.0.0-alpha1" CACHE STRING "ziti-sdk-c version or branch to use") +set(ZITI_SDK_VERSION "2.0.0-alpha2" CACHE STRING "ziti-sdk-c version or branch to use") # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF) From 9ff737c39c241a84c6888e20c923ffd17290ebe5 Mon Sep 17 00:00:00 2001 From: eugene Date: Thu, 13 Jun 2024 10:30:41 -0400 Subject: [PATCH 127/251] ztx.identity might not be set at the time of MFA event --- lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c b/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c index 87262d91..274abf98 100644 --- a/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c +++ b/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c @@ -856,8 +856,9 @@ static void on_ziti_event(ziti_context ztx, const ziti_event_t *event) { } case ZitiMfaAuthEvent : { - const char *ctx_name = ziti_get_identity(ztx)->name; - ZITI_LOG(INFO, "ztx[%s] Mfa event received", ctx_name); + const ziti_identity *zid = ziti_get_identity(ztx); + const char *ctx_name = zid ? zid->name : ""; + ZITI_LOG(INFO, "ztx[%s/%s] Mfa event received", instance->identifier, ctx_name); mfa_event ev = {0}; ev.event_type = TunnelEvents.MFAEvent; ev.identifier = instance->identifier; From d0bdb78a3e826f177c497205979382cc6571ebe3 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Thu, 13 Jun 2024 13:23:48 -0400 Subject: [PATCH 128/251] add option to build T-SDK with C-SDK branch --- scripts/ziti-builder.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/scripts/ziti-builder.sh b/scripts/ziti-builder.sh index ecddbc99..be52b59d 100755 --- a/scripts/ziti-builder.sh +++ b/scripts/ziti-builder.sh 
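Review bot: The NULL guard on `ziti_get_identity(ztx)` added for `ZitiMfaAuthEvent` is not applied to the other `ziti_get_identity(ztx)->name` dereferences in the same `on_ziti_event` switch (the `ZitiContextEvent` and `ZitiRouterEvent` cases, visible as context in patch 136 below); if the identity can be unset when an MFA event arrives, it is worth confirming the same cannot happen for a router event that precedes authentication. A small `static const char *ctx_name(ziti_context ztx)` helper returning `""` for a missing identity would keep the check in one place. `zid->name` itself being NULL is not handled, but whether the SDK allows that is not visible here.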
@@ -70,9 +70,11 @@ function set_workspace(){ --rm \ --user "${UID}" \ --volume "${REPODIR}:${WORKDIR}" \ + "${ZITI_SDK_DIR:+--volume=${ZITI_SDK_DIR}:${ZITI_SDK_DIR}}" \ --platform "linux/amd64" \ --env "VCPKG_DEFAULT_BINARY_CACHE=${WORKDIR}/.cache" \ --env "TLSUV_TLSLIB" \ + --env "ZITI_SDK_DIR" \ "openziti/ziti-builder:${ZITI_BUILDER_TAG:-latest}" \ "${WORKDIR}/${SCRIPTSDIR}/${BASENAME}" "${@}" fi @@ -128,6 +130,7 @@ function main() { -DBUILD_DIST_PACKAGES="${BUILD_DIST_PACKAGES:-OFF}" \ -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/ubuntu18" \ "${TLSUV_TLSLIB:+-DTLSUV_TLSLIB=${TLSUV_TLSLIB}}" \ + "${ZITI_SDK_DIR:+-DZITI_SDK_DIR=${ZITI_SDK_DIR}}" \ -S . \ -B ./build \ "${CMAKE_EXTRA_ARGS:-}" From 35e298d0b707ecda86e7a93e0d6e078aa55d4bf5 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Thu, 13 Jun 2024 20:57:03 +0000 Subject: [PATCH 129/251] use addr arg instead of io->app_data->source_addr in do_bind (#867) --- lib/ziti-tunnel-cbs/ziti_hosting.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/ziti-tunnel-cbs/ziti_hosting.c b/lib/ziti-tunnel-cbs/ziti_hosting.c index 9747399a..18f841c2 100644 --- a/lib/ziti-tunnel-cbs/ziti_hosting.c +++ b/lib/ziti-tunnel-cbs/ziti_hosting.c 
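Review bot: `"${ZITI_SDK_DIR:+--volume=${ZITI_SDK_DIR}:${ZITI_SDK_DIR}}"` is double-quoted, so when `ZITI_SDK_DIR` is unset or empty it expands to an empty-string argument rather than to nothing, and `docker run` will most likely take that `""` as its first positional argument (the image name) and fail with an invalid-reference error; the `-DZITI_SDK_DIR` and `-DTLSUV_TLSLIB` expansions passed to `cmake` in the next hunk have the same shape. Collect the optional arguments in an array instead: `extra=(); [[ -n "${ZITI_SDK_DIR:-}" ]] && extra+=(--volume "${ZITI_SDK_DIR}:${ZITI_SDK_DIR}")` and splice `"${extra[@]}"` into the command (an empty array expands to nothing under `set -u` on bash 4.4 and later). The checkout is bind-mounted read-write at its host path inside the container; `:ro` would be safer if the build only reads it, though vcpkg or cmake may need to write there.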
@@ -438,20 +438,20 @@ static int do_bind(hosted_io_context io, const char *addr, int socktype) { if (uv_err != 0) { ZITI_LOG(ERROR, "hosted_service[%s], client[%s]: getaddrinfo(%s) failed: %s", - io->service->service_name, io->client_identity, io->app_data->source_addr, uv_strerror(uv_err)); + io->service->service_name, io->client_identity, addr, uv_strerror(uv_err)); return -1; } if (ai_req.addrinfo->ai_next != NULL) { ZITI_LOG(DEBUG, "hosted_service[%s], client[%s]: getaddrinfo(%s) returned multiple results; using first", - io->service->service_name, io->client_identity, io->app_data->source_addr); + io->service->service_name, io->client_identity, addr); } ziti_address src_za; ziti_address_from_sockaddr(&src_za, ai_req.addrinfo->ai_addr); // convert for easy validation if (!address_match(&src_za, &io->service->allowed_source_addresses)) { ZITI_LOG(ERROR, "hosted_service[%s], client[%s] client requested source IP %s is not allowed", - io->service->service_name, io->client_identity, io->app_data->source_addr); + io->service->service_name, io->client_identity, addr); return -1; } From 6c5c95da322c55f7685f793ec876176594db5f6e Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Fri, 14 Jun 2024 13:33:37 +0000 Subject: [PATCH 130/251] use addr arg instead of io->app_data->source_addr in do_bind (#867) (#868) --- lib/ziti-tunnel-cbs/ziti_hosting.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/ziti-tunnel-cbs/ziti_hosting.c b/lib/ziti-tunnel-cbs/ziti_hosting.c index 9747399a..18f841c2 100644 --- a/lib/ziti-tunnel-cbs/ziti_hosting.c +++ b/lib/ziti-tunnel-cbs/ziti_hosting.c 
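Review bot: The `return -1;` on the `address_match` failure path runs after `uv_getaddrinfo` has filled `ai_req.addrinfo`, and no `uv_freeaddrinfo(ai_req.addrinfo)` is visible before it; unless the result is released elsewhere (the function continues outside the hunk) that rejection path leaks the addrinfo list, whereas the `uv_err != 0` return is fine because nothing was allocated. Switching the three log arguments to `addr` is the right fix, since that is the value actually resolved. The identical hunk appears again in the cherry-pick below (#868).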
@@ -438,20 +438,20 @@ static int do_bind(hosted_io_context io, const char *addr, int socktype) { if (uv_err != 0) { ZITI_LOG(ERROR, "hosted_service[%s], client[%s]: getaddrinfo(%s) failed: %s", - io->service->service_name, io->client_identity, io->app_data->source_addr, uv_strerror(uv_err)); + io->service->service_name, io->client_identity, addr, uv_strerror(uv_err)); return -1; } if (ai_req.addrinfo->ai_next != NULL) { ZITI_LOG(DEBUG, "hosted_service[%s], client[%s]: getaddrinfo(%s) returned multiple results; using first", - io->service->service_name, io->client_identity, io->app_data->source_addr); + io->service->service_name, io->client_identity, addr); } ziti_address src_za; ziti_address_from_sockaddr(&src_za, ai_req.addrinfo->ai_addr); // convert for easy validation if (!address_match(&src_za, &io->service->allowed_source_addresses)) { ZITI_LOG(ERROR, "hosted_service[%s], client[%s] client requested source IP %s is not allowed", - io->service->service_name, io->client_identity, io->app_data->source_addr); + io->service->service_name, io->client_identity, addr); return -1; } From 2cab71f7af62c9b76ee70c5b212447c7a2d40221 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Fri, 14 Jun 2024 22:54:41 +0000 Subject: [PATCH 131/251] reach into address bytes when converting struct in6_addr to ziti_address. (#869) --- lib/ziti-tunnel/intercept.c | 2 +- lib/ziti-tunnel/tests/address_test.cpp | 16 ++++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/lib/ziti-tunnel/intercept.c b/lib/ziti-tunnel/intercept.c index c681253e..e409bfe7 100644 --- a/lib/ziti-tunnel/intercept.c +++ b/lib/ziti-tunnel/intercept.c 
@@ -53,7 +53,7 @@ void ziti_address_from_in6_addr(ziti_address *za, const struct in6_addr *a) { za->type = ziti_address_cidr; za->addr.cidr.af = AF_INET6; za->addr.cidr.bits = 128; - memcpy(&za->addr.cidr.ip, &a, sizeof(struct in6_addr)); + memcpy(&za->addr.cidr.ip, &a->s6_addr, sizeof(struct in6_addr)); } void ziti_address_from_sockaddr_in(ziti_address *za, const struct sockaddr_in *sin) { diff --git a/lib/ziti-tunnel/tests/address_test.cpp b/lib/ziti-tunnel/tests/address_test.cpp index 1e972e0b..965fc48c 100644 --- a/lib/ziti-tunnel/tests/address_test.cpp +++ b/lib/ziti-tunnel/tests/address_test.cpp @@ -88,4 +88,20 @@ TEST_CASE("address_match", "[address]") { REQUIRE(model_map_get(&tctx.intercepts_cache, "tcp:192.168.0.10:81") == intercept_s3); // todo hostname and wildcard dns matching +} + +TEST_CASE("address_conversion", "[address]") { + const char *ip6_str = "2768:8631:c02:ffc9::1308"; + ip_addr_t ip6; + ipaddr_aton(ip6_str, &ip6); + ziti_address za_from_ip6; + ziti_address_from_ip_addr(&za_from_ip6, &ip6); + + ziti_address za_from_str; + ziti_address_from_string(&za_from_str, ip6_str); + + char za_str[128]; + ziti_address_print(za_str, sizeof(za_str), &za_from_ip6); + fprintf(stderr, "%s converted to %s\n", ip6_str, za_str); + REQUIRE(ziti_address_match(&za_from_ip6, &za_from_str) == 0); } \ No newline at end of file From 21d0f3d8725fbc0886c7cd4a681c20e52f8bd03f Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Wed, 19 Jun 2024 13:10:55 +0000 Subject: [PATCH 132/251] set output function for ipv6 packets (#870) --- lib/ziti-tunnel/lwip/netif_shim.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/lib/ziti-tunnel/lwip/netif_shim.c b/lib/ziti-tunnel/lwip/netif_shim.c index 96124af7..28a89415 100644 --- a/lib/ziti-tunnel/lwip/netif_shim.c +++ b/lib/ziti-tunnel/lwip/netif_shim.c 
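Review bot: The new `address_conversion` test ignores the return value of `ipaddr_aton(ip6_str, &ip6)`, so a parse failure would leave `ip6` uninitialized and the comparison would run on garbage; add `REQUIRE(ipaddr_aton(ip6_str, &ip6));` and check `ziti_address_from_string`'s result as well if it reports one. The test reaches the fixed `ziti_address_from_in6_addr` only indirectly through `ziti_address_from_ip_addr`, so whether it exercises the `s6_addr` change depends on that function's implementation, which is not in the hunk; a direct call with a `struct in6_addr` built from the same string would pin it. The `fprintf(stderr, ...)` line is debugging output that could be dropped or turned into a Catch `INFO(...)`. The same two hunks recur in the sync commit (#871).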
@@ -36,6 +36,13 @@ static err_t netif_shim_output(struct netif *netif, struct pbuf *p, const ip4_ad return ERR_OK; } +/** + * This function is called by the TCP/IP stack when an IP6 packet should be sent. + */ +static err_t netif_shim_output_ip6(struct netif *netif, struct pbuf *p, const ip6_addr_t *ipaddr) { + return netif_shim_output(netif, p, NULL); +} + /** * This function should be called when a packet is ready to be read * from the interface. It uses the function low_level_input() that @@ -93,6 +100,7 @@ err_t netif_shim_init(struct netif *netif) { netif->name[0] = IFNAME0; netif->name[1] = IFNAME1; netif->output = netif_shim_output; + netif->output_ip6 = netif_shim_output_ip6; return ERR_OK; } \ No newline at end of file From 5e20cb49f74ef3d8e9ef02eb6cc5525e6d4c4343 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Mon, 24 Jun 2024 20:33:59 +0000 Subject: [PATCH 133/251] sync release-1.x (#871) * use addr arg instead of io->app_data->source_addr in do_bind (#867) * reach into address bytes when converting struct in6_addr to ziti_address. (#869) * set output function for ipv6 packets (#870) --- lib/ziti-tunnel/intercept.c | 2 +- lib/ziti-tunnel/lwip/netif_shim.c | 8 ++++++++ lib/ziti-tunnel/tests/address_test.cpp | 16 ++++++++++++++++ 3 files changed, 25 insertions(+), 1 deletion(-) diff --git a/lib/ziti-tunnel/intercept.c b/lib/ziti-tunnel/intercept.c index c681253e..e409bfe7 100644 --- a/lib/ziti-tunnel/intercept.c +++ b/lib/ziti-tunnel/intercept.c @@ -53,7 +53,7 @@ void ziti_address_from_in6_addr(ziti_address *za, const struct in6_addr *a) { za->type = ziti_address_cidr; za->addr.cidr.af = AF_INET6; za->addr.cidr.bits = 128; - memcpy(&za->addr.cidr.ip, &a, sizeof(struct in6_addr)); + memcpy(&za->addr.cidr.ip, &a->s6_addr, sizeof(struct in6_addr)); } void ziti_address_from_sockaddr_in(ziti_address *za, const struct sockaddr_in *sin) { diff --git a/lib/ziti-tunnel/lwip/netif_shim.c b/lib/ziti-tunnel/lwip/netif_shim.c index 96124af7..28a89415 100644 
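Review bot: `netif_shim_output_ip6` forwards to `netif_shim_output(netif, p, NULL)`, so it is only safe if that function never dereferences its `ipaddr` argument; its body starts above the hunk and only the trailing `return ERR_OK;` is visible, so that needs confirming. The `ipaddr` parameter of the new function is unused; add `LWIP_UNUSED_ARG(ipaddr);` (lwIP's own idiom) to keep `-Wunused-parameter` quiet, and the doc comment could say that IPv6 packets are handed to the same writer as IPv4 because the shim ignores the next-hop address. The identical hunk recurs in the sync commit (#871).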
--- a/lib/ziti-tunnel/lwip/netif_shim.c +++ b/lib/ziti-tunnel/lwip/netif_shim.c @@ -36,6 +36,13 @@ static err_t netif_shim_output(struct netif *netif, struct pbuf *p, const ip4_ad return ERR_OK; } +/** + * This function is called by the TCP/IP stack when an IP6 packet should be sent. + */ +static err_t netif_shim_output_ip6(struct netif *netif, struct pbuf *p, const ip6_addr_t *ipaddr) { + return netif_shim_output(netif, p, NULL); +} + /** * This function should be called when a packet is ready to be read * from the interface. It uses the function low_level_input() that @@ -93,6 +100,7 @@ err_t netif_shim_init(struct netif *netif) { netif->name[0] = IFNAME0; netif->name[1] = IFNAME1; netif->output = netif_shim_output; + netif->output_ip6 = netif_shim_output_ip6; return ERR_OK; } \ No newline at end of file diff --git a/lib/ziti-tunnel/tests/address_test.cpp b/lib/ziti-tunnel/tests/address_test.cpp index 1e972e0b..965fc48c 100644 --- a/lib/ziti-tunnel/tests/address_test.cpp +++ b/lib/ziti-tunnel/tests/address_test.cpp @@ -88,4 +88,20 @@ TEST_CASE("address_match", "[address]") { REQUIRE(model_map_get(&tctx.intercepts_cache, "tcp:192.168.0.10:81") == intercept_s3); // todo hostname and wildcard dns matching +} + +TEST_CASE("address_conversion", "[address]") { + const char *ip6_str = "2768:8631:c02:ffc9::1308"; + ip_addr_t ip6; + ipaddr_aton(ip6_str, &ip6); + ziti_address za_from_ip6; + ziti_address_from_ip_addr(&za_from_ip6, &ip6); + + ziti_address za_from_str; + ziti_address_from_string(&za_from_str, ip6_str); + + char za_str[128]; + ziti_address_print(za_str, sizeof(za_str), &za_from_ip6); + fprintf(stderr, "%s converted to %s\n", ip6_str, za_str); + REQUIRE(ziti_address_match(&za_from_ip6, &za_from_str) == 0); } \ No newline at end of file From a5cf86bc4c2e55b9b92e7e1ae44fb9329899f56d Mon Sep 17 00:00:00 2001 
From: Shawn Carey Date: Mon, 24 Jun 2024 21:01:05 +0000 Subject: [PATCH 134/251] get latest alpha ziti-sdk-c (#873) --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index cb6f5b51..0c50e42f 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20) set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout") -set(ZITI_SDK_VERSION "2.0.0-alpha2" CACHE STRING "ziti-sdk-c version or branch to use") +set(ZITI_SDK_VERSION "2.0.0-alpha3" CACHE STRING "ziti-sdk-c version or branch to use") # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF) From 1da9da61b0a87de24b286291d9e4df08afdfdfe1 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Tue, 25 Jun 2024 10:49:33 +0000 Subject: [PATCH 135/251] update macos version (#874) --- .github/workflows/cmake.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml index cd9106ab..91ce8aaa 100644 --- a/.github/workflows/cmake.yml +++ b/.github/workflows/cmake.yml @@ -24,11 +24,11 @@ jobs: fail-fast: false matrix: include: - - os: macOS-11 + - os: macOS-12 name: macOS x86_64 preset: macOS-x64 - - os: macOS-11 + - os: macOS-12 name: macOS arm64 preset: macOS-arm64 From 484a53e2ebcbc618324ac7dfbe085ddd79192754 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Tue, 25 Jun 2024 18:50:44 +0000 Subject: [PATCH 136/251] access event fields through anonymous union (#876) --- lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c | 40 +++++++++++++------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c b/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c index 274abf98..3a5f2d97 100644 --- a/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c +++ b/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c 
@@ -759,8 +759,8 @@ static void on_ziti_event(ziti_context ztx, const ziti_event_t *event) { ziti_ctx_event ev = {0}; ev.event_type = TunnelEvents.ContextEvent; ev.identifier = instance->identifier; - ev.code = event->event.ctx.ctrl_status; - if (event->event.ctx.ctrl_status == ZITI_OK) { + ev.code = event->ctx.ctrl_status; + if (event->ctx.ctrl_status == ZITI_OK) { ev.name = ziti_get_identity(ztx)->name; ev.version = ziti_get_controller_version(ztx)->version; ev.controller = (char *) ziti_get_controller(ztx); @@ -778,8 +778,8 @@ static void on_ziti_event(ziti_context ztx, const ziti_event_t *event) { } } else { - ZITI_LOG(WARN, "ziti_ctx controller connections failed: %s", ziti_errorstr(event->event.ctx.ctrl_status)); - ev.status = (char*)ziti_errorstr(event->event.ctx.ctrl_status); + ZITI_LOG(WARN, "ziti_ctx controller connections failed: %s", ziti_errorstr(event->ctx.ctrl_status)); + ev.status = (char*)ziti_errorstr(event->ctx.ctrl_status); } CMD_CTX.on_event((const base_event *) &ev); break; @@ -793,17 +793,17 @@ static void on_ziti_event(ziti_context ztx, const ziti_event_t *event) { }; bool send_event = false; - if (event->event.service.removed != NULL) { - ev.removed_services = event->event.service.removed; - for (zs = event->event.service.removed; *zs != NULL; zs++) { + if (event->service.removed != NULL) { + ev.removed_services = event->service.removed; + for (zs = event->service.removed; *zs != NULL; zs++) { send_event = true; on_service(ztx, *zs, ZITI_SERVICE_UNAVAILABLE, CMD_CTX.tunnel_ctx); } } - if (event->event.service.added != NULL) { - ev.added_services = event->event.service.added; - for (zs = event->event.service.added; *zs != NULL; zs++) { + if (event->service.added != NULL) { + ev.added_services = event->service.added; + for (zs = event->service.added; *zs != NULL; zs++) { send_event = true; on_service(ztx, *zs, ZITI_OK, CMD_CTX.tunnel_ctx); } 
@@ -814,11 +814,11 @@ static void on_ziti_event(ziti_context ztx, const ziti_event_t *event) { CMD_CTX.on_event((const base_event *) &ev); } - if (event->event.service.changed != NULL) { - ev.added_services = event->event.service.changed; - ev.removed_services = event->event.service.changed; + if (event->service.changed != NULL) { + ev.added_services = event->service.changed; + ev.removed_services = event->service.changed; send_event = false; - for (zs = event->event.service.changed; *zs != NULL; zs++) { + for (zs = event->service.changed; *zs != NULL; zs++) { send_event = true; on_service(ztx, *zs, ZITI_OK, CMD_CTX.tunnel_ctx); } @@ -832,7 +832,7 @@ static void on_ziti_event(ziti_context ztx, const ziti_event_t *event) { } case ZitiRouterEvent: { - const struct ziti_router_event *rt_event = &event->event.router; + const struct ziti_router_event *rt_event = &event->router; const char *ctx_name = ziti_get_identity(ztx)->name; switch (rt_event->status) { case EdgeRouterAdded: 
@@ -868,21 +868,21 @@ static void on_ziti_event(ziti_context ztx, const ziti_event_t *event) { } case ZitiAPIEvent: { - if (event->event.api.new_ctrl_address || event->event.api.new_ca_bundle) { + if (event->api.new_ctrl_address || event->api.new_ca_bundle) { if (instance->config_path) { api_update_req *req = calloc(1, sizeof(api_update_req)); req->wr.data = req; req->ztx = ztx; - req->new_url = event->event.api.new_ctrl_address ? strdup(event->event.api.new_ctrl_address) : NULL; - req->new_ca = event->event.api.new_ca_bundle ? strdup(event->event.api.new_ca_bundle) : NULL; + req->new_url = event->api.new_ctrl_address ? strdup(event->api.new_ctrl_address) : NULL; + req->new_ca = event->api.new_ca_bundle ? strdup(event->api.new_ca_bundle) : NULL; uv_queue_work(CMD_CTX.loop, &req->wr, update_config, update_config_done); } api_event ev = {0}; ev.event_type = TunnelEvents.APIEvent; ev.identifier = instance->identifier; - ev.new_ctrl_address = event->event.api.new_ctrl_address; - ev.new_ca_bundle = event->event.api.new_ca_bundle; + ev.new_ctrl_address = event->api.new_ctrl_address; + ev.new_ca_bundle = event->api.new_ca_bundle; CMD_CTX.on_event((const base_event *) &ev); } else { ZITI_LOG(WARN, "unexpected API event: new_ctrl_address is missing"); From 0817c6c1272bd12a20534c385113f4989eb46be8 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Tue, 25 Jun 2024 17:24:12 -0400 Subject: [PATCH 137/251] don't fail release builds that contain a label in the version --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e5be2034..fbed4385 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -71,7 +71,7 @@ jobs: GITHUB_REF: ${{ github.ref }} run: | ZITI_VERSION="${GITHUB_REF#refs/*/v}" - if [[ "${ZITI_VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then + if [[ "${ZITI_VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-.+)?$ ]]; then echo "DEBUG: ZITI_VERSION=${ZITI_VERSION}" echo ZITI_VERSION="${ZITI_VERSION}" >> $GITHUB_OUTPUT else From 66013a44bb5c00b0d6acd68ed7366a739bbbbee3 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Thu, 27 Jun 2024 10:48:12 -0400 Subject: [PATCH 138/251] use openssl tlsuv engine --- .github/workflows/cmake.yml | 6 +++--- CMakePresets.json | 2 +- vcpkg.json | 5 ++++- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml index 91ce8aaa..c1f64d12 100644 --- a/.github/workflows/cmake.yml +++ b/.github/workflows/cmake.yml @@ -43,17 +43,17 @@ jobs: - os: ubuntu-20.04 container: openziti/ziti-builder:1.0.7 name: Linux x86_64 - preset: linux-x64 + preset: linux-x64-static-libssl - os: ubuntu-20.04 container: openziti/ziti-builder:1.0.7 name: Linux arm - preset: linux-arm + preset: linux-arm-static-libssl - os: ubuntu-20.04 container: openziti/ziti-builder:1.0.7 name: Linux arm64 - preset: linux-arm64 + preset: linux-arm64-static-libssl steps: - name: Debug action diff --git a/CMakePresets.json b/CMakePresets.json index 766acc6e..0c5ddad8 100644 --- a/CMakePresets.json +++ b/CMakePresets.json @@ -149,7 +149,7 @@ "hidden": true, "cacheVariables": { "CMAKE_BUILD_TYPE": "Release", - "TLSUV_TLSLIB": "mbedtls" + "TLSUV_TLSLIB": "openssl" } }, { diff --git a/vcpkg.json b/vcpkg.json index 44899b49..38ea83ab 100644 --- a/vcpkg.json +++ b/vcpkg.json @@ -7,7 +7,10 @@ "llhttp", "libsodium", "getopt", - "mbedtls", + { + "name": "openssl", + "$comment": "on linux we use system installed OpenSSL, as determined by vcpkg-overlays/linux-syslibs)" + }, "json-c", "protobuf-c" ], From 2d6d1f1eec3ec6f87f1c66e4952b0f732edbf4b4 Mon Sep 17 00:00:00 2001 
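Review bot: `(-.+)?` accepts any character after the hyphen, including `$`, `(`, `)`, `;`, backticks and quotes, all of which git allows in a tag name; the value is then written to `$GITHUB_OUTPUT`, and if a later step interpolates `${{ steps.*.outputs.ZITI_VERSION }}` into a `run:` script that is the standard workflow-expression injection path. The pre-release label only needs the semver identifier charset, so tighten the check to `if [[ "${ZITI_VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$ ]]; then`, which still admits labels like `-rc1` or `-alpha.2`. Tag pushes are presumably restricted to maintainers, so this is hardening rather than an open hole, but it is a one-character-class change.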
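Review bot: The `$comment` has an unbalanced `)` and is the only place the manifest records that the `openssl` vcpkg dependency is bypassed on Linux; reword it as `"$comment": "on Linux the system OpenSSL is used instead of the vcpkg port (selected via vcpkg-overlays/linux-syslibs)"`. Because the TLS backend on Linux now comes from whatever the builder image's distro ships, the OpenSSL patch level of a Linux release is pinned by the `openziti/ziti-builder` image tag rather than by this manifest, and if the `-static-libssl` presets link it statically as the name suggests, shipped binaries will not pick up host OpenSSL updates either; BUILD.md or the commit message should say where an OpenSSL CVE fix has to be applied (builder-image bump plus rebuild).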
From: Shawn Carey Date: Thu, 27 Jun 2024 21:21:05 -0400 Subject: [PATCH 139/251] adjust download paths to match cmake preset names --- .github/workflows/release.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fbed4385..beeeb7ae 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -36,8 +36,8 @@ jobs: # token: defaults to github.token fail_on_unmatched_files: true files: | - ${{ runner.workspace }}/downloads/linux-x64/ziti-edge-tunnel-Linux_x86_64.zip - ${{ runner.workspace }}/downloads/linux-arm/ziti-edge-tunnel-Linux_arm.zip + ${{ runner.workspace }}/downloads/linux-x64-static-libssl/ziti-edge-tunnel-Linux_x86_64.zip + ${{ runner.workspace }}/downloads/linux-arm-static-libssl/ziti-edge-tunnel-Linux_arm.zip ${{ runner.workspace }}/downloads/macOS-x64/ziti-edge-tunnel-Darwin_x86_64.zip ${{ runner.workspace }}/downloads/macOS-arm64/ziti-edge-tunnel-Darwin_arm64.zip @@ -51,7 +51,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: upload_url: ${{ steps.get_release.outputs.upload_url }} - asset_path: ${{ runner.workspace }}/downloads/linux-arm64/ziti-edge-tunnel-Linux_aarch64.zip + asset_path: ${{ runner.workspace }}/downloads/linux-arm64-static-libssl/ziti-edge-tunnel-Linux_aarch64.zip asset_name: ziti-edge-tunnel-Linux_arm64.zip asset_content_type: application/octet-stream From 53a41ea72bdbd3d9c7aa3c56d9cda12aa785cffa Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Fri, 28 Jun 2024 13:24:01 -0400 Subject: [PATCH 140/251] get ziti-sdk-c 2.0.0-alpha4 --- CMakeLists.txt | 2 +- lib/ziti-tunnel-cbs/ziti_hosting.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 0c50e42f..522c3bfb 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
@@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20) set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout") -set(ZITI_SDK_VERSION "2.0.0-alpha3" CACHE STRING "ziti-sdk-c version or branch to use") +set(ZITI_SDK_VERSION "2.0.0-alpha4" CACHE STRING "ziti-sdk-c version or branch to use") # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF) diff --git a/lib/ziti-tunnel-cbs/ziti_hosting.c b/lib/ziti-tunnel-cbs/ziti_hosting.c index 18f841c2..c265011c 100644 --- a/lib/ziti-tunnel-cbs/ziti_hosting.c +++ b/lib/ziti-tunnel-cbs/ziti_hosting.c @@ -545,7 +545,7 @@ static void on_hosted_client_connect_resolved(uv_getaddrinfo_t* req, int status, * - validate src address if specified * - initiate async dns resolution of dial address (if computed address is hostname?) */ -static void on_hosted_client_connect(ziti_connection serv, ziti_connection clt, int status, ziti_client_ctx *clt_ctx) { +static void on_hosted_client_connect(ziti_connection serv, ziti_connection clt, int status, const ziti_client_ctx *clt_ctx) { struct hosted_service_ctx_s *service_ctx = ziti_conn_data(serv); if (service_ctx == NULL) { From be5666d6c03262187d46917794b923a7d9ae0c1c Mon Sep 17 00:00:00 2001 From: dovholuknf <46322585+dovholuknf@users.noreply.github.com> Date: Sat, 29 Jun 2024 22:00:49 -0400 Subject: [PATCH 141/251] random warning cleanups. fix enrollment for networks requiring mfa for auth (secondary auth) --- lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c | 10 ++-- programs/ziti-edge-tunnel/instance.c | 12 +--- programs/ziti-edge-tunnel/ziti-edge-tunnel.c | 59 +++++++++++--------- 3 files changed, 42 insertions(+), 39 deletions(-) diff --git a/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c b/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c index 87262d91..df92d99b 100644 --- a/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c +++ b/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c 
@@ -1022,14 +1022,16 @@ static void on_enable_mfa(ziti_context ztx, int status, ziti_mfa_enrollment *enr ev->provisioning_url = strdup(enrollment->provisioning_url); char **rc = enrollment->recovery_codes; int size = 0; - while (*rc != NULL) { + while (rc != NULL && *rc != NULL) { rc++; size++; } ev->recovery_codes = calloc((size + 1), sizeof(char *)); - int idx; - for (idx=0; enrollment->recovery_codes[idx] !=0; idx++) { - ev->recovery_codes[idx] = strdup(enrollment->recovery_codes[idx]); + if(enrollment->recovery_codes != NULL) { + int idx; + for (idx = 0; enrollment->recovery_codes[idx] != 0; idx++) { + ev->recovery_codes[idx] = strdup(enrollment->recovery_codes[idx]); + } } } diff --git a/programs/ziti-edge-tunnel/instance.c b/programs/ziti-edge-tunnel/instance.c index 2f55b1d1..fd482c5c 100644 --- a/programs/ziti-edge-tunnel/instance.c +++ b/programs/ziti-edge-tunnel/instance.c @@ -76,7 +76,7 @@ tunnel_identity *create_or_get_tunnel_identity(const char* identifier, char* fil snprintf(tnl_id->Name, length+1, "%s", fingerprint); tnl_id->IdFileStatus = true; - + tnl_id->Active = true; } model_map_set(&tnl_identity_map, identifier, tnl_id); return tnl_id; @@ -555,7 +555,6 @@ void set_identifier_from_identities() { } //on startup - set mfa needed to false to correctly reflect tunnel status. After the identity is loaded these //are set to true __if necessary__ - tnl_id->MfaEnabled = false; tnl_id->MfaNeeded = false; } } @@ -565,14 +564,9 @@ void initialize_tunnel_status() { tnl_status.Duration = 0; uv_timeval64_t now; uv_gettimeofday(&now); - tnl_status.StartTime.tv_sec = now.tv_sec; + tnl_status.StartTime.tv_sec = (long)now.tv_sec; tnl_status.StartTime.tv_usec = now.tv_usec; - if (tnl_status.ApiPageSize < MIN_API_PAGESIZE) { - tnl_status.ApiPageSize = DEFAULT_API_PAGESIZE; - } - if (tnl_status.LogLevel == NULL) { - tnl_status.LogLevel = "info"; - } + tnl_status.ApiPageSize = DEFAULT_API_PAGESIZE; } 
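Review bot: `ev->recovery_codes = calloc(...)` is written through in the new loop without a NULL check, and each `strdup` result is stored unchecked, so an allocation failure mid-copy yields a silently short or NULL-holed list; the recovery codes are the one-time MFA bypass secrets for this identity, so truncating the list the user is shown is a real failure, not cosmetic. The hunk also guards `enrollment->recovery_codes` against NULL while the line above still calls `strdup(enrollment->provisioning_url)` unguarded; if `provisioning_url` can be absent in the same failure modes it needs the same treatment. At minimum fold the allocation check into the new guard, `if (ev->recovery_codes != NULL && enrollment->recovery_codes != NULL) {`, and log when it fails. on_enable_mfa starts and ends outside this hunk.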
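Review bot: With `tnl_id->MfaEnabled = false;` removed, the comment above the remaining line is now misleading: it still says "these are set to true" in the plural, but only `MfaNeeded` is reset here and `MfaEnabled` is now carried over from the persisted status file. Update it to `//on startup - reset MfaNeeded only; MfaEnabled is persisted in the status file and must survive a restart so the MFA prompt is shown for enrolled identities`, which also records the reason for the behaviour change the commit message hints at ("fix enrollment for networks requiring mfa"). set_identifier_from_identities starts and ends outside this hunk.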
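Review bot: Dropping the `LogLevel == NULL` default leaves `tnl_status.LogLevel` NULL on a fresh install, and anything that later formats or compares it (the status JSON sent to event clients, for instance) will dereference NULL unless a default is now applied elsewhere; I could not find one in this patch. `ApiPageSize` is also now unconditionally overwritten with `DEFAULT_API_PAGESIZE`, which discards any value read from the saved status file if `load_tunnel_status_from_file` runs before this function. If both are intentional, document it above the assignment, e.g. `// LogLevel and ApiPageSize defaults are applied when the status file is loaded, not here`; otherwise keep the old NULL guard for `LogLevel`.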
diff --git a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c index 8defe199..b66ca1ed 100644 --- a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c +++ b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c @@ -149,7 +149,7 @@ static const ziti_tunnel_ctrl *CMD_CTRL; static bool started_by_scm = false; static bool tunnel_interrupted = false; -uv_loop_t *ziti_loop = NULL; +uv_loop_t *global_loop_ref = NULL; tunneler_context tunneler; static uv_mutex_t stop_mutex; static uv_cond_t stop_cond; @@ -214,6 +214,15 @@ static void cmd_alloc(uv_handle_t *s, size_t sugg, uv_buf_t *b) { b->len = sugg; } +static void send_tunnel_status() { + tunnel_status_event tnl_sts_evt = {0}; + tnl_sts_evt.Op = strdup("status"); + tnl_sts_evt.Status = get_tunnel_status(); + send_events_message(&tnl_sts_evt, (to_json_fn) tunnel_status_event_to_json, true); + tnl_sts_evt.Status = NULL; //don't free + free_tunnel_status_event(&tnl_sts_evt); +} + static void on_cmd_write(uv_write_t *wr, int len) { if (wr->data) { free(wr->data); @@ -258,7 +267,7 @@ static void on_command_resp(const tunnel_result* result, void *ctx) { } if (model_map_size(&hostnamesToRemove) > 0) { - remove_nrpt_rules(ziti_loop, &hostnamesToRemove); + remove_nrpt_rules(global_loop_ref, &hostnamesToRemove); } } @@ -358,6 +367,7 @@ void tunnel_enroll_cb(const ziti_config *cfg, int status, const char *err, void send_tunnel_command(&tnl_cmd, add_id_req->cmd_ctx); free_tunnel_command(&tnl_cmd); free(add_id_req); + save_tunnel_status_to_file(); } static void enroll_ziti_async(uv_loop_t *loop, void *arg) { @@ -548,7 +558,7 @@ static bool process_tunnel_commands(const tunnel_command *tnl_cmd, command_cb cb add_id_req->identifier_file_name = strdup(new_identifier_name); add_id_req->jwt_content = strdup(tunnel_add_identity_cmd.jwtContent); - enroll_ziti_async(ziti_loop, add_id_req); + enroll_ziti_async(global_loop_ref, add_id_req); free_tunnel_add_identity(&tunnel_add_identity_cmd); return true; } 
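Review bot: `static void send_tunnel_status()` declares a function with an unspecified parameter list; in C11 it should be `static void send_tunnel_status(void) {` so that a call passing arguments is rejected at compile time rather than silently accepted. The `//don't free` comment should say why, since ownership is the whole point: `tnl_sts_evt.Status = NULL; // Status is owned by get_tunnel_status(), not by this event`. `strdup("status")` is unchecked, as it was in the code this was extracted from; that is tolerable only if `tunnel_status_event_to_json` handles a NULL `Op`, which is not visible here.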
@@ -570,7 +580,7 @@ static bool process_tunnel_commands(const tunnel_command *tnl_cmd, command_cb cb if (!stop_windows_service()) { ZITI_LOG(INFO, "Could not send stop signal to scm, Tunnel must not be started as service"); stop_tunnel_and_cleanup(); - uv_stop(ziti_loop); + uv_stop(global_loop_ref); } } free_tunnel_service_control(&tunnel_service_control_opts); @@ -734,13 +744,7 @@ static void on_events_client(uv_stream_t *s, int status) { ZITI_LOG(DEBUG,"Received events client connection request, count: %d", ++current_events_channels); // send status message immediately - tunnel_status_event tnl_sts_evt = {0}; - tnl_sts_evt.Op = strdup("status"); - tnl_sts_evt.Status = get_tunnel_status(); - send_events_message(&tnl_sts_evt, (to_json_fn) tunnel_status_event_to_json, true); - tnl_sts_evt.Status = NULL; - free_tunnel_status_event(&tnl_sts_evt); - + send_tunnel_status(); } @@ -750,7 +754,7 @@ void on_write_event(uv_write_t* req, int status) { if (status == UV_EPIPE) { struct event_conn_s *event_client; LIST_FOREACH(event_client, &event_clients_list, _next_event) { - if (event_client->event_client_conn == req->handle) { + if (event_client->event_client_conn == (uv_pipe_t*) req->handle) { break; } } @@ -1321,13 +1325,13 @@ static void on_event(const base_event *ev) { } } if (model_map_size(&hostnamesToEdit) > 0 && !is_host_only()) { - remove_and_add_nrpt_rules(ziti_loop, &hostnamesToEdit, get_dns_ip()); + remove_and_add_nrpt_rules(global_loop_ref, &hostnamesToEdit, get_dns_ip()); } if (model_map_size(&hostnamesToAdd) > 0 && !is_host_only()) { - add_nrpt_rules(ziti_loop, &hostnamesToAdd, get_dns_ip()); + add_nrpt_rules(global_loop_ref, &hostnamesToAdd, get_dns_ip()); } if (model_map_size(&hostnamesToRemove) > 0 && !is_host_only()) { - remove_nrpt_rules(ziti_loop, &hostnamesToRemove); + remove_nrpt_rules(global_loop_ref, &hostnamesToRemove); } #endif 
@@ -1361,12 +1365,13 @@ static void on_event(const base_event *ev) { case TunnelEvent_MFAEvent: { const mfa_event *mfa_ev = (mfa_event *) ev; - ZITI_LOG(INFO, "ztx[%s] is requesting MFA code", ev->identifier); + ZITI_LOG(INFO, "ztx[%s] is requesting MFA code. Identity needs MFA", ev->identifier); tunnel_identity *id = find_tunnel_identity(ev->identifier); if (id == NULL) { break; } - set_mfa_status(ev->identifier, true, true); + set_mfa_status(ev->identifier, id->MfaEnabled, true); + send_tunnel_status(); mfa_status_event mfa_sts_event = { .Op = strdup("mfa"), .Action = strdup(mfa_ev->operation), @@ -1411,9 +1416,11 @@ static void on_event(const base_event *ev) { send_events_message(&id_event, (to_json_fn) identity_event_to_json, true); id_event.Id = NULL; free_identity_event(&id_event); + save_tunnel_status_to_file(); // persist the mfa change break; case mfa_status_enrollment_remove: set_mfa_status(ev->identifier, false, false); + save_tunnel_status_to_file(); // persist the mfa change break; case mfa_status_enrollment_challenge: mfa_sts_event.RecoveryCodes = mfa_ev->recovery_codes; @@ -2001,19 +2008,19 @@ static void run(int argc, char *argv[]) { #if _WIN32 // initialize log function here. level will be set further down - log_init(ziti_loop); + log_init(global_loop_ref); log_fn = ziti_log_writer; remove_all_nrpt_rules(); signal(SIGINT, interrupt_handler); #endif - ziti_log_init(ziti_loop, log_level, log_fn); + ziti_log_init(global_loop_ref, log_level, log_fn); // generate tunnel status instance and save active state and start time if (config_dir != NULL) { set_identifier_path(config_dir); - load_tunnel_status_from_file(ziti_loop); + load_tunnel_status_from_file(global_loop_ref); } uint32_t tun_ip; 
@@ -2075,7 +2082,7 @@ static void run(int argc, char *argv[]) { ZITI_LOG(INFO," - initialized at : %s (local time), %s (UTC)", time_val, time_str); ZITI_LOG(INFO," - log file location: %s", get_log_file_name()); ZITI_LOG(INFO,"============================================================================"); - move_config_from_previous_windows_backup(ziti_loop); + move_config_from_previous_windows_backup(global_loop_ref); ZITI_LOG(DEBUG, "granting se_debug privilege to current process to allow access to privileged processes during posture checks"); //ensure this process has the necessary access token to get the full path of privileged processes @@ -2101,9 +2108,9 @@ static void run(int argc, char *argv[]) { int rc; if (is_host_only()) { - rc = run_tunnel_host_mode(ziti_loop); + rc = run_tunnel_host_mode(global_loop_ref); } else { - rc = run_tunnel(ziti_loop, tun_ip, dns_ip, configured_cidr, dns_upstream); + rc = run_tunnel(global_loop_ref, tun_ip, dns_ip, configured_cidr, dns_upstream); } exit(rc); } @@ -2258,7 +2265,7 @@ static int write_close(FILE *fp, const uv_buf_t *data) static void enroll(int argc, char *argv[]) { uv_loop_t *l = uv_loop_new(); int log_level = get_log_level(configured_log_level); - ziti_log_init(ziti_loop, log_level, NULL); + ziti_log_init(global_loop_ref, log_level, NULL); if (init_proxy_connector(configured_proxy) != 0) { exit(EXIT_FAILURE); } @@ -3298,8 +3305,8 @@ int main(int argc, char *argv[]) { } #endif - ziti_loop = uv_default_loop(); - if (ziti_loop == NULL) { + global_loop_ref = uv_default_loop(); + if (global_loop_ref == NULL) { ZITI_LOG(ERROR, "failed to initialize default uv loop"); exit(EXIT_FAILURE); } From f4164dc7a3f15e29a3260934f1b3429071310a3c Mon Sep 17 00:00:00 2001 
From: dovholuknf <46322585+dovholuknf@users.noreply.github.com> Date: Sat, 29 Jun 2024 22:00:49 -0400 Subject: [PATCH 142/251] random warning cleanups. fix enrollment for networks requiring mfa for auth (secondary auth) --- lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c | 10 ++-- programs/ziti-edge-tunnel/instance.c | 12 +--- programs/ziti-edge-tunnel/ziti-edge-tunnel.c | 59 +++++++++++--------- 3 files changed, 42 insertions(+), 39 deletions(-) diff --git a/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c b/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c index 87262d91..df92d99b 100644 --- a/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c +++ b/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c @@ -1022,14 +1022,16 @@ static void on_enable_mfa(ziti_context ztx, int status, ziti_mfa_enrollment *enr ev->provisioning_url = strdup(enrollment->provisioning_url); char **rc = enrollment->recovery_codes; int size = 0; - while (*rc != NULL) { + while (rc != NULL && *rc != NULL) { rc++; size++; } ev->recovery_codes = calloc((size + 1), sizeof(char *)); - int idx; - for (idx=0; enrollment->recovery_codes[idx] !=0; idx++) { - ev->recovery_codes[idx] = strdup(enrollment->recovery_codes[idx]); + if(enrollment->recovery_codes != NULL) { + int idx; + for (idx = 0; enrollment->recovery_codes[idx] != 0; idx++) { + ev->recovery_codes[idx] = strdup(enrollment->recovery_codes[idx]); + } } } diff --git a/programs/ziti-edge-tunnel/instance.c b/programs/ziti-edge-tunnel/instance.c index 2f55b1d1..fd482c5c 100644 --- a/programs/ziti-edge-tunnel/instance.c +++ b/programs/ziti-edge-tunnel/instance.c @@ -76,7 +76,7 @@ tunnel_identity *create_or_get_tunnel_identity(const char* identifier, char* fil snprintf(tnl_id->Name, length+1, "%s", fingerprint); tnl_id->IdFileStatus = true; - + tnl_id->Active = true; } model_map_set(&tnl_identity_map, identifier, tnl_id); return tnl_id; 
@@ -555,7 +555,6 @@ void set_identifier_from_identities() { } //on startup - set mfa needed to false to correctly reflect tunnel status. After the identity is loaded these //are set to true __if necessary__ - tnl_id->MfaEnabled = false; tnl_id->MfaNeeded = false; } } @@ -565,14 +564,9 @@ void initialize_tunnel_status() { tnl_status.Duration = 0; uv_timeval64_t now; uv_gettimeofday(&now); - tnl_status.StartTime.tv_sec = now.tv_sec; + tnl_status.StartTime.tv_sec = (long)now.tv_sec; tnl_status.StartTime.tv_usec = now.tv_usec; - if (tnl_status.ApiPageSize < MIN_API_PAGESIZE) { - tnl_status.ApiPageSize = DEFAULT_API_PAGESIZE; - } - if (tnl_status.LogLevel == NULL) { - tnl_status.LogLevel = "info"; - } + tnl_status.ApiPageSize = DEFAULT_API_PAGESIZE; } diff --git a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c index 8defe199..b66ca1ed 100644 --- a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c +++ b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c @@ -149,7 +149,7 @@ static const ziti_tunnel_ctrl *CMD_CTRL; static bool started_by_scm = false; static bool tunnel_interrupted = false; -uv_loop_t *ziti_loop = NULL; +uv_loop_t *global_loop_ref = NULL; tunneler_context tunneler; static uv_mutex_t stop_mutex; static uv_cond_t stop_cond; @@ -214,6 +214,15 @@ static void cmd_alloc(uv_handle_t *s, size_t sugg, uv_buf_t *b) { b->len = sugg; } +static void send_tunnel_status() { + tunnel_status_event tnl_sts_evt = {0}; + tnl_sts_evt.Op = strdup("status"); + tnl_sts_evt.Status = get_tunnel_status(); + send_events_message(&tnl_sts_evt, (to_json_fn) tunnel_status_event_to_json, true); + tnl_sts_evt.Status = NULL; //don't free + free_tunnel_status_event(&tnl_sts_evt); +} + static void on_cmd_write(uv_write_t *wr, int len) { if (wr->data) { free(wr->data); 
@@ -258,7 +267,7 @@ static void on_command_resp(const tunnel_result* result, void *ctx) { } if (model_map_size(&hostnamesToRemove) > 0) { - remove_nrpt_rules(ziti_loop, &hostnamesToRemove); + remove_nrpt_rules(global_loop_ref, &hostnamesToRemove); } } @@ -358,6 +367,7 @@ void tunnel_enroll_cb(const ziti_config *cfg, int status, const char *err, void send_tunnel_command(&tnl_cmd, add_id_req->cmd_ctx); free_tunnel_command(&tnl_cmd); free(add_id_req); + save_tunnel_status_to_file(); } static void enroll_ziti_async(uv_loop_t *loop, void *arg) { @@ -548,7 +558,7 @@ static bool process_tunnel_commands(const tunnel_command *tnl_cmd, command_cb cb add_id_req->identifier_file_name = strdup(new_identifier_name); add_id_req->jwt_content = strdup(tunnel_add_identity_cmd.jwtContent); - enroll_ziti_async(ziti_loop, add_id_req); + enroll_ziti_async(global_loop_ref, add_id_req); free_tunnel_add_identity(&tunnel_add_identity_cmd); return true; } @@ -570,7 +580,7 @@ static bool process_tunnel_commands(const tunnel_command *tnl_cmd, command_cb cb if (!stop_windows_service()) { ZITI_LOG(INFO, "Could not send stop signal to scm, Tunnel must not be started as service"); stop_tunnel_and_cleanup(); - uv_stop(ziti_loop); + uv_stop(global_loop_ref); } } free_tunnel_service_control(&tunnel_service_control_opts); @@ -734,13 +744,7 @@ static void on_events_client(uv_stream_t *s, int status) { ZITI_LOG(DEBUG,"Received events client connection request, count: %d", ++current_events_channels); // send status message immediately - tunnel_status_event tnl_sts_evt = {0}; - tnl_sts_evt.Op = strdup("status"); - tnl_sts_evt.Status = get_tunnel_status(); - send_events_message(&tnl_sts_evt, (to_json_fn) tunnel_status_event_to_json, true); - tnl_sts_evt.Status = NULL; - free_tunnel_status_event(&tnl_sts_evt); - + send_tunnel_status(); } 
@@ -750,7 +754,7 @@ void on_write_event(uv_write_t* req, int status) { if (status == UV_EPIPE) { struct event_conn_s *event_client; LIST_FOREACH(event_client, &event_clients_list, _next_event) { - if (event_client->event_client_conn == req->handle) { + if (event_client->event_client_conn == (uv_pipe_t*) req->handle) { break; } } @@ -1321,13 +1325,13 @@ static void on_event(const base_event *ev) { } } if (model_map_size(&hostnamesToEdit) > 0 && !is_host_only()) { - remove_and_add_nrpt_rules(ziti_loop, &hostnamesToEdit, get_dns_ip()); + remove_and_add_nrpt_rules(global_loop_ref, &hostnamesToEdit, get_dns_ip()); } if (model_map_size(&hostnamesToAdd) > 0 && !is_host_only()) { - add_nrpt_rules(ziti_loop, &hostnamesToAdd, get_dns_ip()); + add_nrpt_rules(global_loop_ref, &hostnamesToAdd, get_dns_ip()); } if (model_map_size(&hostnamesToRemove) > 0 && !is_host_only()) { - remove_nrpt_rules(ziti_loop, &hostnamesToRemove); + remove_nrpt_rules(global_loop_ref, &hostnamesToRemove); } #endif @@ -1361,12 +1365,13 @@ static void on_event(const base_event *ev) { case TunnelEvent_MFAEvent: { const mfa_event *mfa_ev = (mfa_event *) ev; - ZITI_LOG(INFO, "ztx[%s] is requesting MFA code", ev->identifier); + ZITI_LOG(INFO, "ztx[%s] is requesting MFA code. Identity needs MFA", ev->identifier); tunnel_identity *id = find_tunnel_identity(ev->identifier); if (id == NULL) { break; } - set_mfa_status(ev->identifier, true, true); + set_mfa_status(ev->identifier, id->MfaEnabled, true); + send_tunnel_status(); mfa_status_event mfa_sts_event = { .Op = strdup("mfa"), .Action = strdup(mfa_ev->operation), 
@@ -1411,9 +1416,11 @@ static void on_event(const base_event *ev) { send_events_message(&id_event, (to_json_fn) identity_event_to_json, true); id_event.Id = NULL; free_identity_event(&id_event); + save_tunnel_status_to_file(); // persist the mfa change break; case mfa_status_enrollment_remove: set_mfa_status(ev->identifier, false, false); + save_tunnel_status_to_file(); // persist the mfa change break; case mfa_status_enrollment_challenge: mfa_sts_event.RecoveryCodes = mfa_ev->recovery_codes; @@ -2001,19 +2008,19 @@ static void run(int argc, char *argv[]) { #if _WIN32 // initialize log function here. level will be set further down - log_init(ziti_loop); + log_init(global_loop_ref); log_fn = ziti_log_writer; remove_all_nrpt_rules(); signal(SIGINT, interrupt_handler); #endif - ziti_log_init(ziti_loop, log_level, log_fn); + ziti_log_init(global_loop_ref, log_level, log_fn); // generate tunnel status instance and save active state and start time if (config_dir != NULL) { set_identifier_path(config_dir); - load_tunnel_status_from_file(ziti_loop); + load_tunnel_status_from_file(global_loop_ref); } uint32_t tun_ip; @@ -2075,7 +2082,7 @@ static void run(int argc, char *argv[]) { ZITI_LOG(INFO," - initialized at : %s (local time), %s (UTC)", time_val, time_str); ZITI_LOG(INFO," - log file location: %s", get_log_file_name()); ZITI_LOG(INFO,"============================================================================"); - move_config_from_previous_windows_backup(ziti_loop); + move_config_from_previous_windows_backup(global_loop_ref); ZITI_LOG(DEBUG, "granting se_debug privilege to current process to allow access to privileged processes during posture checks"); //ensure this process has the necessary access token to get the full path of privileged processes 
@@ -2101,9 +2108,9 @@ static void run(int argc, char *argv[]) { int rc; if (is_host_only()) { - rc = run_tunnel_host_mode(ziti_loop); + rc = run_tunnel_host_mode(global_loop_ref); } else { - rc = run_tunnel(ziti_loop, tun_ip, dns_ip, configured_cidr, dns_upstream); + rc = run_tunnel(global_loop_ref, tun_ip, dns_ip, configured_cidr, dns_upstream); } exit(rc); } @@ -2258,7 +2265,7 @@ static int write_close(FILE *fp, const uv_buf_t *data) static void enroll(int argc, char *argv[]) { uv_loop_t *l = uv_loop_new(); int log_level = get_log_level(configured_log_level); - ziti_log_init(ziti_loop, log_level, NULL); + ziti_log_init(global_loop_ref, log_level, NULL); if (init_proxy_connector(configured_proxy) != 0) { exit(EXIT_FAILURE); } @@ -3298,8 +3305,8 @@ int main(int argc, char *argv[]) { } #endif - ziti_loop = uv_default_loop(); - if (ziti_loop == NULL) { + global_loop_ref = uv_default_loop(); + if (global_loop_ref == NULL) { ZITI_LOG(ERROR, "failed to initialize default uv loop"); exit(EXIT_FAILURE); } From 6aff67ee4543e632688d6ffb501dc7b0e5da0b36 Mon Sep 17 00:00:00 2001 From: dovholuknf <46322585+dovholuknf@users.noreply.github.com> Date: Mon, 1 Jul 2024 13:59:30 -0400 Subject: [PATCH 143/251] move to 1.0.5 of csdk --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 69cec7a6..aa96a0d6 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20) set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout") -set(ZITI_SDK_VERSION "1.0.4" CACHE STRING "ziti-sdk-c version or branch to use") +set(ZITI_SDK_VERSION "1.0.5" CACHE STRING "ziti-sdk-c version or branch to use") # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF) From e13f87a14fffa85adcb88bd391c3602d3a9a5adc Mon Sep 17 00:00:00 2001 
From: dovholuknf <46322585+dovholuknf@users.noreply.github.com> Date: Mon, 1 Jul 2024 16:09:04 -0400 Subject: [PATCH 144/251] assign loop immediately --- programs/ziti-edge-tunnel/ziti-edge-tunnel.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c index b66ca1ed..03e6773b 100644 --- a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c +++ b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c @@ -3289,6 +3289,8 @@ int main(int argc, char *argv[]) { } else { name = name + 1; } + + global_loop_ref = uv_default_loop(); main_cmd.name = name; #if _WIN32 @@ -3305,7 +3307,6 @@ int main(int argc, char *argv[]) { } #endif - global_loop_ref = uv_default_loop(); if (global_loop_ref == NULL) { ZITI_LOG(ERROR, "failed to initialize default uv loop"); exit(EXIT_FAILURE); From 82608f3284d11ca1261b3e720849dd5b6df24d8f Mon Sep 17 00:00:00 2001 From: dovholuknf <46322585+dovholuknf@users.noreply.github.com> Date: Mon, 1 Jul 2024 16:12:17 -0400 Subject: [PATCH 145/251] move the check logic too --- programs/ziti-edge-tunnel/ziti-edge-tunnel.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c index 03e6773b..dc2783d7 100644 --- a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c +++ b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c @@ -3289,8 +3289,12 @@ int main(int argc, char *argv[]) { } else { name = name + 1; } - + global_loop_ref = uv_default_loop(); + if (global_loop_ref == NULL) { + ZITI_LOG(ERROR, "failed to initialize default uv loop"); + exit(EXIT_FAILURE); + } main_cmd.name = name; #if _WIN32 @@ -3307,11 +3311,6 @@ int main(int argc, char *argv[]) { } #endif - if (global_loop_ref == NULL) { - ZITI_LOG(ERROR, "failed to initialize default uv loop"); - exit(EXIT_FAILURE); - } - commandline_run(&main_cmd, argc, argv); return 0; } 
From fe276f719eb63171570834329f445c4cd4c6669c Mon Sep 17 00:00:00 2001
From: dovholuknf <46322585+dovholuknf@users.noreply.github.com>
Date: Mon, 1 Jul 2024 16:12:53 -0400
Subject: [PATCH 146/251] can't use ziti_log at this point
---
 programs/ziti-edge-tunnel/ziti-edge-tunnel.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c
index dc2783d7..3eb2a646 100644
--- a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c
+++ b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c
@@ -3292,7 +3292,7 @@ int main(int argc, char *argv[]) {
 global_loop_ref = uv_default_loop();
 if (global_loop_ref == NULL) {
- ZITI_LOG(ERROR, "failed to initialize default uv loop");
+ printf("failed to initialize default uv loop"); //can't use ZITI_LOG here
 exit(EXIT_FAILURE);
 }
From 11c431d0d7e036fe5fda9a915adea28a2de07abe Mon Sep 17 00:00:00 2001
From: dovholuknf <46322585+dovholuknf@users.noreply.github.com>
Date: Tue, 2 Jul 2024 16:36:48 -0400
Subject: [PATCH 147/251] bump to 1.0.6
---
 CMakeLists.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index aa96a0d6..2161f726 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20)
 set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout")
-set(ZITI_SDK_VERSION "1.0.5" CACHE STRING "ziti-sdk-c version or branch to use")
+set(ZITI_SDK_VERSION "1.0.6" CACHE STRING "ziti-sdk-c version or branch to use")
 # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel
 option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF)
From ad4cf9820426752628677f10b16970c44d56c5c7 Mon Sep 17 00:00:00 2001
From: Shawn Carey
Date: Mon, 8 Jul 2024 11:50:51 -0400
Subject: [PATCH 148/251] get ziti-sdk-c 2.0.0-a5 (tlsuv 0.30.1)
---
 CMakeLists.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
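Review bot: The replacement writes the fatal startup message to stdout with no trailing newline, so when `exit()` runs on the next line the text can end up glued to the caller's prompt or, if stdout is a pipe, interleaved with whatever the parent expected; a failure to create the event loop belongs on stderr. Use `fprintf(stderr, "failed to initialize default uv loop\n"); // logging is not initialized yet, so ZITI_LOG cannot be used here`, which also turns the terse `//can't use ZITI_LOG here` into a reason. main continues outside this hunk.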
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 522c3bfb..7ac600bb 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20)
 set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout")
-set(ZITI_SDK_VERSION "2.0.0-alpha4" CACHE STRING "ziti-sdk-c version or branch to use")
+set(ZITI_SDK_VERSION "2.0.0-alpha5" CACHE STRING "ziti-sdk-c version or branch to use")
 # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel
 option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF)
From 05f3a7ff33b6465ff477e53324f44240e0c4e345 Mon Sep 17 00:00:00 2001
From: Kenneth Bingham Date: Fri, 5 Jul 2024 14:49:12 -0400 Subject: [PATCH 149/251] adopt focal builder; drop redhat7 and ubuntu bionic cpack builds; --- .../openziti-tunnel-build-action/README.md | 7 -- .../redhat-7/Dockerfile | 46 ------------- .../redhat-7/entrypoint.sh | 60 ----------------- .../ubuntu-16.04/Dockerfile | 49 -------------- .../ubuntu-16.04/entrypoint.sh | 55 --------------- .../ubuntu-18.04/Dockerfile | 62 ----------------- .../ubuntu-18.04/crossbuild.list | 7 -- .../ubuntu-18.04/entrypoint.sh | 67 ------------------- .github/cpack-matrix.yml | 28 -------- .github/workflows/cmake.yml | 12 ++-- .github/workflows/cpack.yml | 25 ++----- .github/workflows/promote-downstreams.yml | 6 +- .github/workflows/publish-containers.yml | 4 +- .github/workflows/release.yml | 2 +- BUILD.md | 3 - 15 files changed, 17 insertions(+), 416 deletions(-) delete mode 100644 .github/actions/openziti-tunnel-build-action/redhat-7/Dockerfile delete mode 100755 .github/actions/openziti-tunnel-build-action/redhat-7/entrypoint.sh delete mode 100644 .github/actions/openziti-tunnel-build-action/ubuntu-16.04/Dockerfile delete mode 100755 .github/actions/openziti-tunnel-build-action/ubuntu-16.04/entrypoint.sh delete mode 100644 .github/actions/openziti-tunnel-build-action/ubuntu-18.04/Dockerfile delete mode 100644 .github/actions/openziti-tunnel-build-action/ubuntu-18.04/crossbuild.list delete mode 100755 .github/actions/openziti-tunnel-build-action/ubuntu-18.04/entrypoint.sh diff --git a/.github/actions/openziti-tunnel-build-action/README.md b/.github/actions/openziti-tunnel-build-action/README.md index e6c41ac3..7ef0c3c7 100644 --- a/.github/actions/openziti-tunnel-build-action/README.md +++ b/.github/actions/openziti-tunnel-build-action/README.md @@ -15,13 +15,6 @@ - name: ubuntu version: "20.04" type: deb - - name: ubuntu - version: "18.04" - type: deb - - name: redhat - version: "7" - type: rpm - container: docker.io/library/centos:7 - name: redhat version: "8" type: rpm 
diff --git a/.github/actions/openziti-tunnel-build-action/redhat-7/Dockerfile b/.github/actions/openziti-tunnel-build-action/redhat-7/Dockerfile deleted file mode 100644 index ec3719cd..00000000 --- a/.github/actions/openziti-tunnel-build-action/redhat-7/Dockerfile +++ /dev/null @@ -1,46 +0,0 @@ -ARG CMAKE_VERSION="3.26.3" - -FROM docker.io/library/centos:7 - -ARG CMAKE_VERSION - -LABEL org.opencontainers.image.authors="support@netfoundry.io" - -USER root -WORKDIR /root/ - -ENV PATH="/usr/local/:${PATH}" -ENV GIT_DISCOVERY_ACROSS_FILESYSTEM=1 -ENV TZ=UTC - -RUN yum -y install \ - "@Development Tools" \ - centos-release-scl \ - doxygen \ - graphviz \ - python3 \ - zlib-devel \ - epel-release \ - && yum -y install \ - devtoolset-11 \ - devtoolset-11-libatomic-devel \ - ninja-build \ - && yum clean all - -# needed only to build openssl. we can't use openssl from rocky's repos because it is too old. -RUN yum install -y perl-IPC-Cmd - -RUN curl -sSfL https://cmake.org/files/v${CMAKE_VERSION%.*}/cmake-${CMAKE_VERSION}-linux-$(uname -m).sh -o cmake.sh \ - && (bash cmake.sh --skip-license --prefix=/usr/local) \ - && rm cmake.sh - -ENV VCPKG_ROOT=/usr/local/vcpkg -# this must be set on arm. see https://learn.microsoft.com/en-us/vcpkg/users/config-environment#vcpkg_force_system_binaries -ENV VCPKG_FORCE_SYSTEM_BINARIES=yes - -RUN cd /usr/local \ - && git clone --branch 2023.12.12 https://github.com/microsoft/vcpkg \ - && ./vcpkg/bootstrap-vcpkg.sh -disableMetrics - -COPY ./entrypoint.sh /root/ -ENTRYPOINT [ "/root/entrypoint.sh" ] diff --git a/.github/actions/openziti-tunnel-build-action/redhat-7/entrypoint.sh b/.github/actions/openziti-tunnel-build-action/redhat-7/entrypoint.sh deleted file mode 100755 index cad61ac7..00000000 --- a/.github/actions/openziti-tunnel-build-action/redhat-7/entrypoint.sh +++ /dev/null 
@@ -1,60 +0,0 @@ -#!/usr/bin/env bash -# -# RedHat 7 -# - -set -euo pipefail - -# these commands must be in the entrypoint so they are run after workspace is mounted on Docker workdir -echo "INFO: GIT_DISCOVERY_ACROSS_FILESYSTEM=${GIT_DISCOVERY_ACROSS_FILESYSTEM}" -echo "INFO: WORKDIR=${PWD}" -echo "INFO: $(git --version)" - -# if first positional is an expected arch string then set cmake preset, -# else use ci-linux-x64 (which actually just uses native/host tools - e.g. not cross compile) -if [ ${#} -ge 1 ]; then - cmake_preset="${1}" -else - cmake_preset="ci-linux-x64" -fi - -if [ ${#} -ge 2 ]; then - cmake_config="${2}" -else - cmake_config="Release" -fi - -# workspace dir for each build env is added to "safe" dirs in global config e.g. -# ~/.gitconfig so both runner and builder containers trust these dirs -# owned by different UIDs from that of Git's EUID. This is made necessary -# by newly-enforced directory boundaries in Git v2.35.2 -# ref: https://lore.kernel.org/git/xmqqv8veb5i6.fsf@gitster.g/ -for SAFE in \ - /github/workspace \ - /__w/ziti-tunnel-sdk-c/ziti-tunnel-sdk-c \ - /mnt ; do - git config --global --add safe.directory ${SAFE} -done - -cmake -E make_directory ./build -( - [[ -d ./build ]] && rm -r ./build - cmake -E make_directory ./build - # allow unset for scl_source scripts - set +u - source scl_source enable devtoolset-11 \ - && cmake \ - --preset "${cmake_preset}" \ - -DCMAKE_BUILD_TYPE="${cmake_config}" \ - -DBUILD_DIST_PACKAGES=ON \ - -DDISABLE_LIBSYSTEMD_FEATURE=ON \ - -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/redhat7" \ - -S . \ - -B ./build - source scl_source enable devtoolset-11 \ - && cmake \ - --build ./build \ - --config "${cmake_config}" \ - --target package \ - --verbose -) diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-16.04/Dockerfile b/.github/actions/openziti-tunnel-build-action/ubuntu-16.04/Dockerfile deleted file mode 100644 index 1734cc1a..00000000 
--- a/.github/actions/openziti-tunnel-build-action/ubuntu-16.04/Dockerfile +++ /dev/null @@ -1,49 +0,0 @@ -ARG CMAKE_VERSION="3.26.3" - -FROM ubuntu:xenial - -ARG CMAKE_VERSION - -LABEL org.opencontainers.image.authors="support@netfoundry.io" - -ENV DEBIAN_FRONTEND=noninteractive -ENV GIT_DISCOVERY_ACROSS_FILESYSTEM=1 -ENV TZ=UTC - -USER root -WORKDIR /root/ - -ENV PATH="/usr/local/:${PATH}" - -RUN apt-get -y update \ - && apt-get -y install \ - build-essential \ - curl \ - zip \ - unzip \ - tar \ - doxygen \ - git \ - graphviz \ - pkg-config \ - python3 \ - zlib1g-dev \ - ninja-build \ - && rm -rf /var/lib/apt/lists/* - -RUN curl -sSfL https://cmake.org/files/v${CMAKE_VERSION%.*}/cmake-${CMAKE_VERSION}-linux-$(uname -m).sh -o cmake.sh \ - && (bash cmake.sh --skip-license --prefix=/usr/local) \ - && rm cmake.sh - -ENV VCPKG_ROOT=/usr/local/vcpkg -# this must be set on arm. see https://learn.microsoft.com/en-us/vcpkg/users/config-environment#vcpkg_force_system_binaries -ENV VCPKG_FORCE_SYSTEM_BINARIES=yes - -RUN cd /usr/local \ - && git config --global advice.detachedHead false \ - && git clone --branch 2023.12.12 https://github.com/microsoft/vcpkg \ - && ./vcpkg/bootstrap-vcpkg.sh -disableMetrics - -WORKDIR /github/workspace -COPY ./entrypoint.sh /root/ -ENTRYPOINT [ "/root/entrypoint.sh" ] diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-16.04/entrypoint.sh b/.github/actions/openziti-tunnel-build-action/ubuntu-16.04/entrypoint.sh deleted file mode 100755 index ad3e167d..00000000 --- a/.github/actions/openziti-tunnel-build-action/ubuntu-16.04/entrypoint.sh +++ /dev/null 
@@ -1,55 +0,0 @@ -#!/usr/bin/env bash -# -# Ubuntu Xenial 16.04 -# - -set -euo pipefail - -# these commands must be in the entrypoint so they are run after workspace is mounted on Docker workdir -echo "INFO: GIT_DISCOVERY_ACROSS_FILESYSTEM=${GIT_DISCOVERY_ACROSS_FILESYSTEM}" -echo "INFO: WORKDIR=${PWD}" -echo "INFO: $(git --version)" - -# if first positional is an expected arch string then set cmake preset, -# else use ci-linux-x64 (which actually just uses native/host tools - e.g. not cross compile) -if [ ${#} -ge 1 ]; then - cmake_preset="${1}" -else - cmake_preset="ci-linux-x64" -fi - -if [ ${#} -ge 2 ]; then - cmake_config="${2}" -else - cmake_config="Release" -fi - -# workspace dir for each build env is added to "safe" dirs in global config e.g. -# ~/.gitconfig so both runner and builder containers trust these dirs -# owned by different UIDs from that of Git's EUID. This is made necessary -# by newly-enforced directory boundaries in Git v2.35.2 -# ref: https://lore.kernel.org/git/xmqqv8veb5i6.fsf@gitster.g/ -for SAFE in \ - /github/workspace \ - /__w/ziti-tunnel-sdk-c/ziti-tunnel-sdk-c \ - /mnt ; do - git config --global --add safe.directory ${SAFE} -done - -[[ -d ./build ]] && rm -r ./build -cmake \ - -E make_directory \ - ./build -cmake \ - --preset "${cmake_preset}" \ - -DCMAKE_BUILD_TYPE="${cmake_config}" \ - -DBUILD_DIST_PACKAGES=ON \ - -DDISABLE_LIBSYSTEMD_FEATURE=ON \ - -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/ubuntu16" \ - -S . \ - -B ./build -cmake \ - --build ./build \ - --config "${cmake_config}" \ - --target package \ - --verbose diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-18.04/Dockerfile b/.github/actions/openziti-tunnel-build-action/ubuntu-18.04/Dockerfile deleted file mode 100644 index 738004c6..00000000 --- a/.github/actions/openziti-tunnel-build-action/ubuntu-18.04/Dockerfile +++ /dev/null 
@@ -1,62 +0,0 @@ -ARG CMAKE_VERSION="3.26.3" - -# Ubuntu Bionic 18.04 LTS -FROM ubuntu:bionic - -ARG CMAKE_VERSION - -LABEL org.opencontainers.image.authors="support@netfoundry.io" - -ENV DEBIAN_FRONTEND=noninteractive -ENV GIT_DISCOVERY_ACROSS_FILESYSTEM=1 -ENV TZ=UTC - -USER root -WORKDIR /root/ - -ENV PATH="/usr/local/:${PATH}" - -RUN apt-get update \ - && apt-get -y install \ - build-essential \ - crossbuild-essential-armhf \ - crossbuild-essential-arm64 \ - curl zip unzip tar \ - doxygen \ - git \ - graphviz \ - libsystemd-dev \ - pkg-config \ - python3 \ - zlib1g-dev \ - libssl-dev \ - ninja-build \ - && rm -rf /var/lib/apt/lists/* - -RUN curl -sSfL https://cmake.org/files/v${CMAKE_VERSION%.*}/cmake-${CMAKE_VERSION}-linux-$(uname -m).sh -o cmake.sh \ - && (bash cmake.sh --skip-license --prefix=/usr/local) \ - && rm cmake.sh - -RUN dpkg --add-architecture armhf -RUN dpkg --add-architecture arm64 -COPY ./crossbuild.list /etc/apt/sources.list.d/crossbuild.list -RUN sed -Ei 's/^deb/deb [arch=amd64]/g' /etc/apt/sources.list -RUN apt-get update -RUN apt-get -y install \ - zlib1g-dev:armhf \ - zlib1g-dev:arm64 \ - libssl-dev:armhf \ - libssl-dev:arm64 - -ENV VCPKG_ROOT=/usr/local/vcpkg -# this must be set on arm. see https://learn.microsoft.com/en-us/vcpkg/users/config-environment#vcpkg_force_system_binaries -ENV VCPKG_FORCE_SYSTEM_BINARIES=yes - -RUN cd /usr/local \ - && git config --global advice.detachedHead false \ - && git clone --branch 2023.12.12 https://github.com/microsoft/vcpkg \ - && ./vcpkg/bootstrap-vcpkg.sh -disableMetrics - -WORKDIR /github/workspace -COPY ./entrypoint.sh /root/ -ENTRYPOINT [ "/root/entrypoint.sh" ] \ No newline at end of file diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-18.04/crossbuild.list b/.github/actions/openziti-tunnel-build-action/ubuntu-18.04/crossbuild.list deleted file mode 100644 index f4fb8ab6..00000000 --- a/.github/actions/openziti-tunnel-build-action/ubuntu-18.04/crossbuild.list +++ /dev/null 
@@ -1,7 +0,0 @@ -deb [arch=armhf,arm64] http://ports.ubuntu.com/ bionic main restricted -deb [arch=armhf,arm64] http://ports.ubuntu.com/ bionic-updates main restricted -deb [arch=armhf,arm64] http://ports.ubuntu.com/ bionic universe -deb [arch=armhf,arm64] http://ports.ubuntu.com/ bionic-updates universe -deb [arch=armhf,arm64] http://ports.ubuntu.com/ bionic multiverse -deb [arch=armhf,arm64] http://ports.ubuntu.com/ bionic-updates multiverse -deb [arch=armhf,arm64] http://ports.ubuntu.com/ bionic-backports main restricted universe multiverse diff --git a/.github/actions/openziti-tunnel-build-action/ubuntu-18.04/entrypoint.sh b/.github/actions/openziti-tunnel-build-action/ubuntu-18.04/entrypoint.sh deleted file mode 100755 index 01acd19f..00000000 --- a/.github/actions/openziti-tunnel-build-action/ubuntu-18.04/entrypoint.sh +++ /dev/null 
@@ -1,67 +0,0 @@ -#!/usr/bin/env bash -# -# Ubuntu Bionic 18.04 -# - -set -euo pipefail - -# these commands must be in the entrypoint so they are run after workspace is mounted on Docker workdir -echo "INFO: GIT_DISCOVERY_ACROSS_FILESYSTEM=${GIT_DISCOVERY_ACROSS_FILESYSTEM}" -echo "INFO: WORKDIR=${PWD}" -echo "INFO: $(git --version)" - -# if first positional is an expected arch string then set cmake preset, -# else use ci-linux-x64 (which actually just uses native/host tools - e.g. not cross compile) -if [ ${#} -ge 1 ]; then - cmake_preset="${1}" -else - cmake_preset="ci-linux-x64" -fi - -if [ ${#} -ge 2 ]; then - cmake_config="${2}" -else - cmake_config="Release" -fi - -# workspace dir for each build env is added to "safe" dirs in global config e.g. -# ~/.gitconfig so both runner and builder containers trust these dirs -# owned by different UIDs from that of Git's EUID. This is made necessary -# by newly-enforced directory boundaries in Git v2.35.2 -# ref: https://lore.kernel.org/git/xmqqv8veb5i6.fsf@gitster.g/ -for SAFE in \ - /github/workspace \ - /__w/ziti-tunnel-sdk-c/ziti-tunnel-sdk-c \ - /mnt ; do - git config --global --add safe.directory ${SAFE} -done - -[[ -d ./build ]] && rm -r ./build -cmake \ - -E make_directory \ - ./build -cmake \ - --preset "${cmake_preset}" \ - -DCMAKE_BUILD_TYPE="${cmake_config}" \ - -DBUILD_DIST_PACKAGES=ON \ - -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/ubuntu18" \ - -S . \ - -B ./build -cmake \ - --build ./build \ - --config "${cmake_config}" \ - --target package \ - --verbose - -# The original idea behind that was to crudely test the built artifact inside -# the container image with the correct architecture before returning to allow -# the build job to succeed. Basically a smoke test to see if it would execute as -# built at all. I don't recall why I/we abandoned that idea in favor of only -# running the x86 artifact in the job container. 
So, we're not getting any value -# from those lines of the entrypoint scripts right now, and I agree we'd have to -# embellish the option parsing a bit to get that working. -# if (( ${#} )); then -# echo "INFO: running ziti-edge-tunnel" -# set -x -# "./build/programs/ziti-edge-tunnel/${cmake_config}/ziti-edge-tunnel" ${@} -# fi diff --git a/.github/cpack-matrix.yml b/.github/cpack-matrix.yml index 8f0f7f2e..73a24efa 100644 --- a/.github/cpack-matrix.yml +++ b/.github/cpack-matrix.yml @@ -18,19 +18,6 @@ cpack_matrix: version: "20.04" release_name: focal type: deb - - name: ubuntu - version: "18.04" - release_name: bionic - type: deb - - name: ubuntu - version: "16.04" - release_name: xenial - type: deb - - name: redhat - version: "7" - release_name: ${{ null }} - type: rpm - container: docker.io/library/centos:7 - name: redhat version: "8" release_name: ${{ null }} @@ -42,21 +29,6 @@ cpack_matrix: type: rpm container: docker.io/library/rockylinux:9 exclude: - - distro: - name: ubuntu - release_name: xenial - arch: - cmake: ci-linux-arm - - distro: - name: ubuntu - release_name: xenial - arch: - cmake: ci-linux-arm64 - - distro: - name: ubuntu - release_name: bionic - arch: - cmake: ci-linux-arm - distro: name: redhat arch: diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml index 91ce8aaa..04fa4536 100644 --- a/.github/workflows/cmake.yml +++ b/.github/workflows/cmake.yml 
@@ -41,26 +41,26 @@ jobs: preset: windows-arm64-vs2022 - os: ubuntu-20.04 - container: openziti/ziti-builder:1.0.7 + container: openziti/ziti-builder:2.0.0 name: Linux x86_64 preset: linux-x64 - os: ubuntu-20.04 - container: openziti/ziti-builder:1.0.7 + container: openziti/ziti-builder:2.0.0 name: Linux arm preset: linux-arm - os: ubuntu-20.04 - container: openziti/ziti-builder:1.0.7 + container: openziti/ziti-builder:2.0.0 name: Linux arm64 preset: linux-arm64 steps: - name: Debug action - uses: hmarr/debug-action@v2.1.0 + uses: hmarr/debug-action@v3 - name: checkout workspace - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 @@ -79,7 +79,7 @@ jobs: working-directory: ./build/programs/ziti-edge-tunnel/ - name: upload bundle artifacts - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: ${{ matrix.preset }} path: ./build/bundle/ziti-edge-tunnel-*.zip diff --git a/.github/workflows/cpack.yml b/.github/workflows/cpack.yml index 85d52eb1..83895c1c 100644 --- a/.github/workflows/cpack.yml +++ b/.github/workflows/cpack.yml @@ -26,7 +26,7 @@ jobs: matrix: ${{ steps.set_matrix.outputs.matrix }} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set Matrix @@ -52,7 +52,7 @@ jobs: ZITI_RPM_TEST_REPO: ${{ vars.ZITI_RPM_TEST_REPO || 'zitipax-openziti-rpm-test' }} steps: - name: Debug action - uses: hmarr/debug-action@v2.1.0 + uses: hmarr/debug-action@v3 # only focal-20.04 has >= 2.18, which is required by actions/checkout to clone # which enables cmake version discovery 
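Review bot: `actions/upload-artifact@v4` writes artifacts that `actions/download-artifact@v3` cannot retrieve, and the release.yml hunk later in this commit still shows `uses: actions/download-artifact@v3` as unchanged context; if that workflow consumes the `${{ matrix.preset }}` bundles uploaded here, the release job will no longer find them. Bump it to `actions/download-artifact@v4` in the same change. Note also that v4 refuses a second upload to an existing artifact name, so the `name: ${{ matrix.preset }}` values must stay unique across the whole matrix, of which only part is visible in this hunk. The same v3→v4 upload bump in cpack.yml carries the same downstream consideration.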
@@ -75,23 +75,8 @@ jobs: dnf -y install git git --version - - name: install contemporary Git in runner container if RedHat 7 - if: ${{ matrix.distro.name == 'redhat' && matrix.distro.version == '7' }} - shell: bash - run: | - yum -y update - yum -y install centos-release-scl - yum -y install rh-git218 - source scl_source enable rh-git218 && git --version - cat << 'EOF' >| /root/git.sh - #!/bin/bash - source scl_source enable rh-git218 && git "${@}" - EOF - chmod +x /root/git.sh - update-alternatives --install /usr/bin/git git /root/git.sh 50 - - name: checkout workspace - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 @@ -142,7 +127,7 @@ jobs: ./build/programs/ziti-edge-tunnel/Release/ziti-edge-tunnel version --verbose - name: Upload Package to Workflow Summary Page - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 with: name: ${{ matrix.distro.name }}-${{ matrix.distro.version }}-${{ matrix.arch.rpm }}-${{ matrix.distro.type }} path: ./build/ziti-edge-tunnel-*.${{ matrix.distro.type }} @@ -150,7 +135,7 @@ jobs: - name: Configure jFrog CLI if: ${{ github.event_name == 'release' && startsWith(github.ref, 'refs/tags/v') }} - uses: jfrog/setup-jfrog-cli@v3 + uses: jfrog/setup-jfrog-cli@v4 env: JF_ENV_1: ${{ secrets.ZITI_ARTIFACTORY_CLI_CONFIG_PACKAGE_UPLOAD }} diff --git a/.github/workflows/promote-downstreams.yml b/.github/workflows/promote-downstreams.yml index 97c1936b..fbbb1d9d 100644 --- a/.github/workflows/promote-downstreams.yml +++ b/.github/workflows/promote-downstreams.yml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Debug action - uses: hmarr/debug-action@v2.1.0 + uses: hmarr/debug-action@v3 - name: Wait for all checks on this ref uses: lewagon/wait-on-check-action@v1.3.1 @@ -56,7 +56,7 @@ jobs: matrix: ${{ steps.set_matrix.outputs.matrix }} steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set Matrix 
@@ -113,7 +113,7 @@ jobs: matrix: ${{ fromJSON(needs.set_matrix.outputs.matrix) }} steps: - name: Configure jFrog CLI - uses: jfrog/setup-jfrog-cli@v3 + uses: jfrog/setup-jfrog-cli@v4 env: JF_ENV_1: ${{ secrets.ZITI_ARTIFACTORY_CLI_CONFIG_PACKAGE_UPLOAD }} diff --git a/.github/workflows/publish-containers.yml b/.github/workflows/publish-containers.yml index eda22605..9d7ff466 100644 --- a/.github/workflows/publish-containers.yml +++ b/.github/workflows/publish-containers.yml @@ -25,10 +25,10 @@ jobs: ZITI_HOST_IMAGE: ${{ vars.ZITI_HOST_IMAGE || 'docker.io/openziti/ziti-host' }} steps: - name: Debug action - uses: hmarr/debug-action@v2.1.0 + uses: hmarr/debug-action@v3 - name: Checkout Workspace - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Set up QEMU uses: docker/setup-qemu-action@v2 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e5be2034..f3e6ab9e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -15,7 +15,7 @@ jobs: ZITI_VERSION: ${{ steps.get_version.outputs.ZITI_VERSION }} steps: - name: Debug action - uses: hmarr/debug-action@v2.1.0 + uses: hmarr/debug-action@v3 - name: download uses: actions/download-artifact@v3 diff --git a/BUILD.md b/BUILD.md index 39d543fb..afa8fc5e 100644 --- a/BUILD.md +++ b/BUILD.md @@ -204,8 +204,5 @@ Build the generic binary for arm64 with the `ci-linux-arm64` preset. ./scripts/ziti-builder.sh -p ci-linux-arm64 ``` -To build with OpenSSL on this Ubuntu Bionic-based (glibc 2.27) builder image, `export TLSUV_TLSLIB=openssl` and change -`vcpkg.json` to statically compile "openssl" instead of "mbedtls." - [1]: https://cmake.org/cmake/help/latest/manual/cmake-presets.7.html [2]: https://cmake.org/download/ From 027aab926b4cf03810f993509dc08c5ecdb6b278 Mon Sep 17 00:00:00 2001 
From: Kenneth Bingham Date: Fri, 5 Jul 2024 18:48:38 -0400 Subject: [PATCH 150/251] stop using bionic overlay --- .github/workflows/cmake.yml | 9 ++++++--- scripts/ziti-builder.sh | 15 ++++++++------- .../linux-syslibs/ubuntu20/zlib/portfile.cmake | 1 + .../linux-syslibs/ubuntu20/zlib/vcpkg.json | 4 ++++ 4 files changed, 19 insertions(+), 10 deletions(-) create mode 100644 vcpkg-overlays/linux-syslibs/ubuntu20/zlib/portfile.cmake create mode 100644 vcpkg-overlays/linux-syslibs/ubuntu20/zlib/vcpkg.json diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml index 04fa4536..734a3a41 100644 --- a/.github/workflows/cmake.yml +++ b/.github/workflows/cmake.yml @@ -41,17 +41,20 @@ jobs: preset: windows-arm64-vs2022 - os: ubuntu-20.04 - container: openziti/ziti-builder:2.0.0 + # container: openziti/ziti-builder:2.0.1 + container: kbinghamnetfoundry/ziti-builder:focaltest name: Linux x86_64 preset: linux-x64 - os: ubuntu-20.04 - container: openziti/ziti-builder:2.0.0 + # container: openziti/ziti-builder:2.0.1 + container: kbinghamnetfoundry/ziti-builder:focaltest name: Linux arm preset: linux-arm - os: ubuntu-20.04 - container: openziti/ziti-builder:2.0.0 + # container: openziti/ziti-builder:2.0.1 + container: kbinghamnetfoundry/ziti-builder:focaltest name: Linux arm64 preset: linux-arm64 diff --git a/scripts/ziti-builder.sh b/scripts/ziti-builder.sh index ecddbc99..15c00f1d 100755 --- a/scripts/ziti-builder.sh +++ b/scripts/ziti-builder.sh @@ -3,7 +3,8 @@ # build this project in the ziti-builder container # -set -euo pipefail +set -o errexit -o nounset -o pipefail +# set -o xtrace BASENAME="$(basename "${0}")" BASEDIR="$(cd "$(dirname "${0}")" && pwd)" # full path to scripts dir 
@@ -38,7 +39,7 @@ function set_git_safe_dirs() { local -a SAFE_DIRS=( "/github/workspace" ) - # the container environment defines GIT_CONFIG_GLOBAL=/tmp/gitconfig + # the container environment defines GIT_CONFIG_GLOBAL=/tmp/ziti-builder-gitconfig for SAFE in "${SAFE_DIRS[@]}" "${@}"; do git config --file "$GIT_CONFIG_GLOBAL" --add safe.directory "${SAFE}" done @@ -63,10 +64,10 @@ function set_workspace(){ exit 1 fi else - echo -e "INFO: project not mounted on ${WORKDIR}, re-running in container"\ - "\nINFO: re-running in ziti-builder container" + echo -e "INFO: project not mounted on ${WORKDIR}"\ + "\nINFO: re-running in ziti-builder container" set -x - exec docker run \ + eval exec docker run \ --rm \ --user "${UID}" \ --volume "${REPODIR}:${WORKDIR}" \ @@ -123,10 +124,10 @@ function main() { -E make_directory \ ./build cmake \ - --preset "${CMAKE_PRESET:-ci-linux-x64}" \ + --preset "${CMAKE_PRESET:-ci-linux-x64-static-libssl}" \ -DCMAKE_BUILD_TYPE="${CMAKE_CONFIG:-Release}" \ -DBUILD_DIST_PACKAGES="${BUILD_DIST_PACKAGES:-OFF}" \ - -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/ubuntu18" \ + -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/ubuntu20" \ "${TLSUV_TLSLIB:+-DTLSUV_TLSLIB=${TLSUV_TLSLIB}}" \ -S . \ -B ./build \ diff --git a/vcpkg-overlays/linux-syslibs/ubuntu20/zlib/portfile.cmake b/vcpkg-overlays/linux-syslibs/ubuntu20/zlib/portfile.cmake new file mode 100644 index 00000000..0015715f --- /dev/null +++ b/vcpkg-overlays/linux-syslibs/ubuntu20/zlib/portfile.cmake @@ -0,0 +1 @@ +set(VCPKG_POLICY_EMPTY_PACKAGE enabled) \ No newline at end of file diff --git a/vcpkg-overlays/linux-syslibs/ubuntu20/zlib/vcpkg.json b/vcpkg-overlays/linux-syslibs/ubuntu20/zlib/vcpkg.json new file mode 100644 index 00000000..03a0aca6 --- /dev/null +++ b/vcpkg-overlays/linux-syslibs/ubuntu20/zlib/vcpkg.json @@ -0,0 +1,4 @@ +{ + "name": "zlib", + "version": "0" +} \ No newline at end of file From 0f48bb769432f8423bc965858ff63ef0b5905190 Mon Sep 17 00:00:00 2001 
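Review bot: `eval exec docker run \` re-parses the already-expanded words of the command, so the quoting on `--volume "${REPODIR}:${WORKDIR}"` (and on whatever the invocation passes through further down, outside the hunk) stops protecting them: a checkout path or caller argument containing spaces, quotes, `;` or `$(…)` is word-split and, in the last case, executed by this script's shell before docker ever sees it. The reason for adding `eval` is not visible in the diff; if it is to let a variable carry extra docker options, split that variable into an array and drop `eval`, e.g. `read -ra EXTRA_DOCKER_OPTS <<< "${EXTRA_DOCKER_OPTS_VAR:-}"` (constructed names) followed by `exec docker run "${EXTRA_DOCKER_OPTS[@]}" \`. If `eval` is needed for some other reason, a comment above it stating what must be re-evaluated and why would at least make the risk explicit.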
From: Kenneth Bingham Date: Fri, 5 Jul 2024 19:08:24 -0400 Subject: [PATCH 151/251] use future builder image 2.0.1 --- .github/workflows/cmake.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml index 734a3a41..fae97332 100644 --- a/.github/workflows/cmake.yml +++ b/.github/workflows/cmake.yml @@ -41,20 +41,17 @@ jobs: preset: windows-arm64-vs2022 - os: ubuntu-20.04 - # container: openziti/ziti-builder:2.0.1 - container: kbinghamnetfoundry/ziti-builder:focaltest + container: openziti/ziti-builder:2.0.1 name: Linux x86_64 preset: linux-x64 - os: ubuntu-20.04 - # container: openziti/ziti-builder:2.0.1 - container: kbinghamnetfoundry/ziti-builder:focaltest + container: openziti/ziti-builder:2.0.1 name: Linux arm preset: linux-arm - os: ubuntu-20.04 - # container: openziti/ziti-builder:2.0.1 - container: kbinghamnetfoundry/ziti-builder:focaltest + container: openziti/ziti-builder:2.0.1 name: Linux arm64 preset: linux-arm64 From e61fce7345bd5eff4db6f4383f4dac0bc743f8e6 Mon Sep 17 00:00:00 2001 From: Kenneth Bingham Date: Fri, 5 Jul 2024 14:49:12 -0400 Subject: [PATCH 152/251] adopt focal builder; drop redhat7 and ubuntu bionic cpack builds; --- .github/workflows/cmake.yml | 6 +++--- .github/workflows/promote-downstreams.yml | 2 +- .github/workflows/publish-containers.yml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/cmake.yml b/.github/workflows/cmake.yml index fae97332..0c288489 100644 --- a/.github/workflows/cmake.yml +++ b/.github/workflows/cmake.yml 
@@ -41,17 +41,17 @@ jobs: preset: windows-arm64-vs2022 - os: ubuntu-20.04 - container: openziti/ziti-builder:2.0.1 + container: openziti/ziti-builder:v2 name: Linux x86_64 preset: linux-x64 - os: ubuntu-20.04 - container: openziti/ziti-builder:2.0.1 + container: openziti/ziti-builder:v2 name: Linux arm preset: linux-arm - os: ubuntu-20.04 - container: openziti/ziti-builder:2.0.1 + container: openziti/ziti-builder:v2 name: Linux arm64 preset: linux-arm64 diff --git a/.github/workflows/promote-downstreams.yml b/.github/workflows/promote-downstreams.yml index fbbb1d9d..9b216389 100644 --- a/.github/workflows/promote-downstreams.yml +++ b/.github/workflows/promote-downstreams.yml @@ -78,7 +78,7 @@ jobs: ZITI_HOST_IMAGE: ${{ vars.ZITI_HOST_IMAGE || 'docker.io/openziti/ziti-host' }} steps: - name: Login to Docker Hub - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: username: ${{ vars.DOCKER_HUB_API_USER || secrets.DOCKER_HUB_API_USER }} password: ${{ secrets.DOCKER_HUB_API_TOKEN }} diff --git a/.github/workflows/publish-containers.yml b/.github/workflows/publish-containers.yml index 9d7ff466..b92797e4 100644 --- a/.github/workflows/publish-containers.yml +++ b/.github/workflows/publish-containers.yml @@ -37,10 +37,10 @@ jobs: - name: Set up Docker BuildKit id: buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 - name: Login to Docker Hub - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: username: ${{ vars.DOCKER_HUB_API_USER || secrets.DOCKER_HUB_API_USER }} password: ${{ secrets.DOCKER_HUB_API_TOKEN }} From 1a4c63ab9bb1d261caf8ea38c8f4ca66ffe1daca Mon Sep 17 00:00:00 2001 
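Review bot: `openziti/ziti-builder:v2` is a floating tag, so the three Linux build jobs now pick up whatever the tag points to at run time instead of the exact `2.0.1` this replaces; the resulting binaries are no longer reproducible from the workflow file alone, and a retagged image changes the toolchain without any commit to this repository. If the intent is to track patch releases automatically, pin by digest, `container: openziti/ziti-builder:v2@sha256:<digest placeholder>`, and let dependabot or a scheduled job move the digest; otherwise keep the exact version tag.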
From: Kenneth Bingham Date: Mon, 8 Jul 2024 18:31:55 -0400 Subject: [PATCH 153/251] stop using an overlay for focal, and stop using the static-libssl preset as a local build default --- scripts/ziti-builder.sh | 3 +-- vcpkg-overlays/linux-syslibs/ubuntu20/zlib/portfile.cmake | 1 - vcpkg-overlays/linux-syslibs/ubuntu20/zlib/vcpkg.json | 4 ---- 3 files changed, 1 insertion(+), 7 deletions(-) delete mode 100644 vcpkg-overlays/linux-syslibs/ubuntu20/zlib/portfile.cmake delete mode 100644 vcpkg-overlays/linux-syslibs/ubuntu20/zlib/vcpkg.json diff --git a/scripts/ziti-builder.sh b/scripts/ziti-builder.sh index 15c00f1d..400d8ee2 100755 --- a/scripts/ziti-builder.sh +++ b/scripts/ziti-builder.sh @@ -124,10 +124,9 @@ function main() { -E make_directory \ ./build cmake \ - --preset "${CMAKE_PRESET:-ci-linux-x64-static-libssl}" \ + --preset "${CMAKE_PRESET:-ci-linux-x64}" \ -DCMAKE_BUILD_TYPE="${CMAKE_CONFIG:-Release}" \ -DBUILD_DIST_PACKAGES="${BUILD_DIST_PACKAGES:-OFF}" \ - -DVCPKG_OVERLAY_PORTS="./vcpkg-overlays/linux-syslibs/ubuntu20" \ "${TLSUV_TLSLIB:+-DTLSUV_TLSLIB=${TLSUV_TLSLIB}}" \ -S . \ -B ./build \ diff --git a/vcpkg-overlays/linux-syslibs/ubuntu20/zlib/portfile.cmake b/vcpkg-overlays/linux-syslibs/ubuntu20/zlib/portfile.cmake deleted file mode 100644 index 0015715f..00000000 --- a/vcpkg-overlays/linux-syslibs/ubuntu20/zlib/portfile.cmake +++ /dev/null @@ -1 +0,0 @@ -set(VCPKG_POLICY_EMPTY_PACKAGE enabled) \ No newline at end of file diff --git a/vcpkg-overlays/linux-syslibs/ubuntu20/zlib/vcpkg.json b/vcpkg-overlays/linux-syslibs/ubuntu20/zlib/vcpkg.json deleted file mode 100644 index 03a0aca6..00000000 --- a/vcpkg-overlays/linux-syslibs/ubuntu20/zlib/vcpkg.json +++ /dev/null @@ -1,4 +0,0 @@ -{ - "name": "zlib", - "version": "0" -} \ No newline at end of file From d04c832f007afe06d1048fa19b339104827c45aa Mon Sep 17 00:00:00 2001 
From: Shawn Carey Date: Wed, 10 Jul 2024 16:57:13 -0400 Subject: [PATCH 154/251] prevent dependency on libwinpthread-1.dll when building with mingw --- CMakePresets.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CMakePresets.json b/CMakePresets.json index 766acc6e..18a06a8a 100644 --- a/CMakePresets.json +++ b/CMakePresets.json @@ -84,7 +84,8 @@ "hidden": true, "cacheVariables": { "CMAKE_C_COMPILER": "gcc", - "CMAKE_CXX_COMPILER": "g++" + "CMAKE_CXX_COMPILER": "g++", + "CMAKE_EXE_LINKER_FLAGS": "-Wl,-Bstatic -lpthread" } }, From 1e6962ed423ff1bedec375253b2b4466c0bccdae Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Thu, 11 Jul 2024 12:06:28 -0400 Subject: [PATCH 155/251] get ziti-sdk-c v2.0.0-alpha6 --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 7ac600bb..b401a79a 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20) set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout") -set(ZITI_SDK_VERSION "2.0.0-alpha5" CACHE STRING "ziti-sdk-c version or branch to use") +set(ZITI_SDK_VERSION "2.0.0-alpha6" CACHE STRING "ziti-sdk-c version or branch to use") # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF) From a816f152a6e561276b6951649b042dacc15b7c86 Mon Sep 17 00:00:00 2001 From: eugene Date: Thu, 11 Jul 2024 14:49:25 -0400 Subject: [PATCH 156/251] attempt to cleanup exclusion routes on exit --- .../netif_driver/darwin/utun.c | 34 ++++++++++++++++--- programs/ziti-edge-tunnel/ziti-edge-tunnel.c | 22 ++++++++++++ 2 files changed, 52 insertions(+), 4 deletions(-) diff --git a/programs/ziti-edge-tunnel/netif_driver/darwin/utun.c b/programs/ziti-edge-tunnel/netif_driver/darwin/utun.c index 2fe13c04..5b9ecff7 100644 --- a/programs/ziti-edge-tunnel/netif_driver/darwin/utun.c 
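Review bot: `-Wl,-Bstatic -lpthread` placed in `CMAKE_EXE_LINKER_FLAGS` lands before the object files on the link line, where an explicit `-lpthread` cannot yet satisfy any undefined symbols; what makes the DLL dependency go away, as far as I can tell, is that `-Bstatic` stays in effect for everything linked afterwards, including whatever the toolchain driver appends itself. That side effect also turns every later `-l` into a static link, so a preset or target that adds its own libraries after this one may fail to link or silently change how it is linked. A sentence in BUILD.md next to the mingw instructions, stating that the trailing `-Bstatic` is intentional and must not be followed by `-Wl,-Bdynamic`, would keep the next maintainer from "fixing" it.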
+++ b/programs/ziti-edge-tunnel/netif_driver/darwin/utun.c @@ -14,6 +14,7 @@ limitations under the License. */ +#include #include #include #include @@ -30,6 +31,7 @@ #include #include "utun.h" +#include "ziti/model_collections.h" int utun_close(struct netif_handle_s *tun) { int r = 0; @@ -100,19 +102,41 @@ int utun_uv_poll_init(netif_handle tun, uv_loop_t *loop, uv_poll_t *tun_poll_req */ int utun_add_route(netif_handle tun, const char *dest) { char cmd[1024]; - snprintf(cmd, sizeof(cmd), "route add %s -interface %s", dest, tun->name); + snprintf(cmd, sizeof(cmd), "route -n add %s -interface %s", dest, tun->name); int s = system(cmd); return s; } int utun_delete_route(netif_handle tun, const char *dest) { char cmd[1024]; - snprintf(cmd, sizeof(cmd), "route delete %s -interface %s", dest, tun->name); + snprintf(cmd, sizeof(cmd), "route -n delete %s -interface %s", dest, tun->name); int s = system(cmd); return s; } +static model_map excluded; +static uv_once_t delete_once; + +static void delete_excluded() { + char cmd[1024]; + const char *rt; + void *dummy; + MODEL_MAP_FOREACH(rt, dummy, &excluded) { + snprintf(cmd, sizeof(cmd), "route -q -n delete %s", rt); + system(cmd); + } + model_map_clear(&excluded, free); +} +static void delete_init() { + int rc = atexit(delete_excluded); + if (rc) { + ZITI_LOG(WARN, "failed to register route cleanup: %s", strerror(errno)); + } +} + static int utun_exclude_rt(netif_handle dev, uv_loop_t *l, const char *addr) { + uv_once(&delete_once, delete_init); + char gw[128] = {0}; const char *get_gw_cmd = "route -n get default | awk '/gateway: / { printf \"%s\", $2 }'"; ZITI_LOG(DEBUG, "executing '%s'", get_gw_cmd); 
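Review bot: `delete_excluded` formats each stored address into `route -q -n delete %s` and hands it to `system()`, so the cleanup inherits the shell-interpolation exposure of the existing `route -n add`/`delete` calls: anything in `addr` that is not a plain IP or CIDR is interpreted by `/bin/sh`. Since `utun_exclude_rt` now also retains `addr` in `excluded` for the life of the process, it is the natural place to validate it once (e.g. `inet_pton` on the address part) before `model_map_set`, or to move these calls to `posix_spawn` with an explicit argv so no shell is involved. Two smaller points in the same hunk: `static uv_once_t delete_once;` relies on zero-initialization where libuv documents `static uv_once_t delete_once = UV_ONCE_INIT;`, and `atexit()` does not set `errno`, so `strerror(errno)` in `delete_init` reports an unrelated value — log the failure without it. The `system()` result in `delete_excluded` is also discarded, which hides a failed cleanup; at least log it at DEBUG.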
@@ -133,8 +157,10 @@ static int utun_exclude_rt(netif_handle dev, uv_loop_t *l, const char *addr) { } ZITI_LOG(DEBUG, "default route gw is '%s'", gw); + model_map_set(&excluded, addr, NULL); + char cmd[1024]; - snprintf(cmd, sizeof(cmd), "route add %s %s", addr, gw); + snprintf(cmd, sizeof(cmd), "route -n add %s %s", addr, gw); ZITI_LOG(DEBUG, "executing '%s'", cmd); s = system(cmd); return s; @@ -252,7 +278,7 @@ netif_driver utun_open(char *error, size_t error_len, const char *cidr) { // add a route for the subnet if one was specified if (prefix_sep != NULL) { - snprintf(cmd, sizeof(cmd), "route add -net %s -interface %s", cidr, tun->name); + snprintf(cmd, sizeof(cmd), "route -n add -net %s -interface %s", cidr, tun->name); system(cmd); } } diff --git a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c index 3eb2a646..5a032e5f 100644 --- a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c +++ b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c @@ -1711,11 +1711,33 @@ static int make_socket_path(uv_loop_t *loop) { return 0; } +static void on_exit_signal(uv_signal_t *s, int sig) { + ZITI_LOG(WARN, "received signal: %s", sys_signame[sig]); + exit(1); +} + static void run_tunneler_loop(uv_loop_t* ziti_loop) { #if _WIN32 // set the service to running state scm_running_event(); +#endif + +#if __linux__ || __APPLE__ +#define handle_sig(n, f) \ + uv_signal_t sig_##n; \ + uv_signal_init(ziti_loop, &sig_##n); \ + uv_signal_start(&sig_##n, f, n); \ + uv_unref((uv_handle_t *) &sig_##n); + + handle_sig(SIGINT, on_exit_signal); + handle_sig(SIGTERM, on_exit_signal); + handle_sig(SIGABRT, on_exit_signal); + handle_sig(SIGSEGV, on_exit_signal); + handle_sig(SIGQUIT, on_exit_signal); + +#undef handle_sig + #endif CMD_CTRL = ziti_tunnel_init_cmd(ziti_loop, tunneler, on_event); From d72012adc73577fc4f49c95f0fcbff7ecd6691c3 Mon Sep 17 00:00:00 2001 
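Review bot: Routing `SIGSEGV` and `SIGABRT` through `uv_signal_start` is unlikely to produce the cleanup this aims at: as far as I can tell libuv's low-level handler only records the signal for dispatch on the loop, so after it returns a faulting instruction re-executes and raises `SIGSEGV` again, and `abort()` re-raises `SIGABRT` with the default disposition — `on_exit_signal`, and with it the `atexit` route cleanup from the utun.c hunk, never runs for those two. Keep the libuv handlers for `SIGINT`/`SIGTERM`/`SIGQUIT` and, if fault cleanup is really wanted, install a `sigaction` handler that does only async-signal-safe work. `sig_SIGINT` and the other handles are automatic variables of `run_tunneler_loop`, which is fine only if the loop runs and finishes inside this function — the body continues outside the hunk, so please confirm. Finally, `exit(1)` discards which signal arrived; `exit(128 + sig)` would keep it visible to the supervisor.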
From: eugene Date: Thu, 11 Jul 2024 15:11:18 -0400 Subject: [PATCH 157/251] fix --- programs/ziti-edge-tunnel/ziti-edge-tunnel.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c index 5a032e5f..8690b0d6 100644 --- a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c +++ b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c @@ -1711,10 +1711,12 @@ static int make_socket_path(uv_loop_t *loop) { return 0; } +#if __linux__ || __APPLE__ static void on_exit_signal(uv_signal_t *s, int sig) { - ZITI_LOG(WARN, "received signal: %s", sys_signame[sig]); + ZITI_LOG(WARN, "received signal: %s", strsignal(sig)); exit(1); } +#endif static void run_tunneler_loop(uv_loop_t* ziti_loop) { From 24f612b8aa005e1e5fe21112ce9b43aac9c3c72d Mon Sep 17 00:00:00 2001 From: eugene Date: Thu, 11 Jul 2024 15:49:56 -0400 Subject: [PATCH 158/251] fix crash during initial load -- `ztx.identity` may not be available yet --- lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c | 32 ++++---------------------- 1 file changed, 5 insertions(+), 27 deletions(-) diff --git a/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c b/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c index 844bd92d..28e0b33c 100644 --- a/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c +++ b/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c @@ -754,6 +754,9 @@ static void on_ziti_event(ziti_context ztx, const ziti_event_t *event) { ZITI_LOG(ERROR, "something bad had happened: incorrect context"); } + const ziti_identity *identity = ziti_get_identity(ztx); + const char *ctx_name = identity ? identity->name : instance->identifier; + switch (event->type) { case ZitiContextEvent: { ziti_ctx_event ev = {0}; 
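Review bot: The new fallback `identity ? identity->name : instance->identifier` dereferences `instance` immediately after the preceding lines log "something bad had happened: incorrect context" and fall through rather than returning; where `instance` comes from is outside the hunk, so I cannot tell whether it can be NULL or stale at this point. If that error branch is reachable, return after the log, or guard the fallback with `identity ? identity->name : (instance ? instance->identifier : "")`; otherwise a comment stating that `instance` is guaranteed non-NULL here would settle it. `on_ziti_event` continues well beyond this hunk.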
@@ -761,10 +764,10 @@ static void on_ziti_event(ziti_context ztx, const ziti_event_t *event) { ev.identifier = instance->identifier; ev.code = event->ctx.ctrl_status; if (event->ctx.ctrl_status == ZITI_OK) { - ev.name = ziti_get_identity(ztx)->name; + ev.name = (char*)ctx_name; ev.version = ziti_get_controller_version(ztx)->version; ev.controller = (char *) ziti_get_controller(ztx); - ZITI_LOG(INFO, "ziti_ctx[%s] connected to controller", ziti_get_identity(ztx)->name); + ZITI_LOG(INFO, "ziti_ctx[%s] connected to controller", ctx_name); ev.status = "OK"; const char *ctrl = ziti_get_controller(ztx); @@ -833,7 +836,6 @@ static void on_ziti_event(ziti_context ztx, const ziti_event_t *event) { case ZitiRouterEvent: { const struct ziti_router_event *rt_event = &event->router; - const char *ctx_name = ziti_get_identity(ztx)->name; switch (rt_event->status) { case EdgeRouterAdded: ZITI_LOG(INFO, "ztx[%s] added edge router %s@%s", ctx_name, rt_event->name, rt_event->address); @@ -856,8 +858,6 @@ static void on_ziti_event(ziti_context ztx, const ziti_event_t *event) { } case ZitiMfaAuthEvent : { - const ziti_identity *zid = ziti_get_identity(ztx); - const char *ctx_name = zid ? zid->name : ""; ZITI_LOG(INFO, "ztx[%s/%s] Mfa event received", instance->identifier, ctx_name); mfa_event ev = {0}; ev.event_type = TunnelEvents.MFAEvent; 
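Review bot: `ev.name = (char*)ctx_name;` casts away const to store a pointer that is owned either by the SDK context or by `instance`, and nothing in the hunk records whether whoever consumes `ziti_ctx_event` is allowed to free `name`. A comment on the assignment, `// borrowed from ztx/instance; ev does not own this string`, or making the field `const char *` if the model allows it, would settle the ownership at the point where the cast now hides it. The same value is used for the log line two lines down, which is fine. on_ziti_event starts and ends outside the hunk.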
@@ -931,28 +931,6 @@ static void load_ziti_async(uv_loop_t *loop, void *arg) { } } -/* -static void on_mfa_query(ziti_context ztx, void* mfa_ctx, ziti_auth_query_mfa *aq_mfa, ziti_ar_mfa_cb response_cb) { - struct ziti_instance_s *inst = ziti_app_ctx(ztx); - - struct mfa_request_s *mfar = calloc(1, sizeof(struct mfa_request_s)); - mfar->ztx = ztx; - mfar->submit_f = response_cb; - mfar->submit_ctx = mfa_ctx; - - inst->mfa_req = mfar; - - mfa_event ev = {0}; - ev.event_type = TunnelEvents.MFAEvent; - ev.provider = strdup(aq_mfa->provider); - ev.identifier = strdup(inst->identifier); - - CMD_CTX.on_event((const base_event *) &ev); - - free_mfa_event(&ev); -} - */ - static void on_submit_mfa(ziti_context ztx, int status, void *ctx) { struct tunnel_cb_s *req = ctx; tunnel_result result = {0}; From e1dd21818fd725a03ce56c097237ab1db7ae4161 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 15 Jul 2024 22:22:47 +0000 Subject: [PATCH 159/251] Bump docker/build-push-action from 3 to 6 Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 3 to 6. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/v3...v6) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/publish-containers.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish-containers.yml b/.github/workflows/publish-containers.yml index b92797e4..42cbb2ad 100644 --- a/.github/workflows/publish-containers.yml +++ b/.github/workflows/publish-containers.yml 
@@ -52,7 +52,7 @@ jobs: run: echo DOCKER_TAGS="${IMAGE_REPO}:unstable,${IMAGE_REPO}:${ZITI_VERSION}" | tee -a $GITHUB_OUTPUT - name: Build & Push Multi-Platform Container Image to Hub - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v6 with: builder: ${{ steps.buildx.outputs.name }} context: ${{ github.workspace }}/docker @@ -72,7 +72,7 @@ jobs: - name: Build & Push Multi-Platform Container Image to Hub - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v6 with: builder: ${{ steps.buildx.outputs.name }} context: ${{ github.workspace }}/docker From 632944c417dd9550c7ca9c7702b17fcc49e29a98 Mon Sep 17 00:00:00 2001 From: Shawn Carey Date: Fri, 19 Jul 2024 11:25:37 -0400 Subject: [PATCH 160/251] get ziti-sdk-c v2.0.0-alpha8 --- CMakeLists.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index b401a79a..b6ae70ea 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -2,7 +2,7 @@ cmake_minimum_required(VERSION 3.20) set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout") -set(ZITI_SDK_VERSION "2.0.0-alpha6" CACHE STRING "ziti-sdk-c version or branch to use") +set(ZITI_SDK_VERSION "2.0.0-alpha8" CACHE STRING "ziti-sdk-c version or branch to use") # if TUNNEL_SDK_ONLY then don't descend into programs/ziti-edge-tunnel option(TUNNEL_SDK_ONLY "build only ziti-tunnel-sdk (without ziti)" OFF) From f4d4787eb7102081d44c8440f3febf888c96f740 Mon Sep 17 00:00:00 2001 
From: eugene Date: Fri, 19 Jul 2024 11:05:23 -0400 Subject: [PATCH 161/251] simplify IPC client more robust incoming command parsing get getopt via vcpkg --- .../include/ziti/ziti_tunnel_cbs.h | 3 +- programs/CMakeLists.txt | 1 - programs/tests/CMakeLists.txt | 28 -- programs/tests/ziti-edge-tunnel-test.c | 88 ----- programs/ziti-edge-tunnel/CMakeLists.txt | 11 +- programs/ziti-edge-tunnel/ziti-edge-tunnel.c | 309 +++++++++--------- vcpkg.json | 5 +- 7 files changed, 161 insertions(+), 284 deletions(-) delete mode 100644 programs/tests/CMakeLists.txt delete mode 100644 programs/tests/ziti-edge-tunnel-test.c diff --git a/lib/ziti-tunnel-cbs/include/ziti/ziti_tunnel_cbs.h b/lib/ziti-tunnel-cbs/include/ziti/ziti_tunnel_cbs.h index 8ce9c1ad..aceb7327 100644 --- a/lib/ziti-tunnel-cbs/include/ziti/ziti_tunnel_cbs.h +++ b/lib/ziti-tunnel-cbs/include/ziti/ziti_tunnel_cbs.h @@ -74,7 +74,8 @@ DECLARE_ENUM(TunnelCommand, TUNNEL_COMMANDS) #define TUNNEL_CMD(XX, ...) \ XX(command, TunnelCommand, none, Command, __VA_ARGS__) \ -XX(data, json, none, Data, __VA_ARGS__) +XX(data, json, none, Data, __VA_ARGS__) \ +XX(show_result, bool, none, , __VA_ARGS__) #define TUNNEL_CMD_RES(XX, ...) \ XX(success, bool, none, Success, __VA_ARGS__) \ diff --git a/programs/CMakeLists.txt b/programs/CMakeLists.txt index cb62d5e2..da92e82a 100644 --- a/programs/CMakeLists.txt +++ b/programs/CMakeLists.txt @@ -1,2 +1 @@ add_subdirectory(ziti-edge-tunnel) -add_subdirectory(tests) \ No newline at end of file diff --git a/programs/tests/CMakeLists.txt b/programs/tests/CMakeLists.txt deleted file mode 100644 index 9a2d6679..00000000 --- a/programs/tests/CMakeLists.txt +++ /dev/null 
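Review bot: `XX(show_result, bool, none, , __VA_ARGS__)` leaves the fourth column empty where `command` and `data` carry their JSON key names (`Command`, `Data`); I cannot see from the hunk what the model generator does with an empty key, so confirm whether `show_result` is skipped during serialization or emitted under an empty or default key, because the field is a client-side display flag and should not travel on the IPC wire. A comment on that line, `// client-side only: whether the CLI prints the daemon's response`, would record the intent either way. The only reader in this patch is send_message_to_tunnel_fn, which consults `cmd.show_result` before sending.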
@@ -1,28 +0,0 @@ -project(tests) - -add_executable(ziti-edge-tunnel-test ziti-edge-tunnel-test.c) -set_property(TARGET ziti-edge-tunnel-test PROPERTY C_STANDARD 11) - -find_package(libuv CONFIG QUIET) -if (libuv_FOUND) - # newer libuv versions have proper namespacing - if (TARGET libuv::uv_a) - set(libuv_lib libuv::uv_a) - elseif (TARGET uv_a) - set(libuv_lib uv_a) - elseif (TARGET libuv::uv) - set(libuv_lib libuv::uv) - else() - set(libuv_lib uv) - endif() -else() - find_library(libuv_lib uv_a NAMES uv) -endif() - -target_link_libraries(ziti-edge-tunnel-test - PUBLIC ${libuv_lib} - ) - -install(TARGETS ziti-edge-tunnel-test - DESTINATION ${CMAKE_INSTALL_BINDIR} - ) \ No newline at end of file diff --git a/programs/tests/ziti-edge-tunnel-test.c b/programs/tests/ziti-edge-tunnel-test.c deleted file mode 100644 index cf27c3c8..00000000 --- a/programs/tests/ziti-edge-tunnel-test.c +++ /dev/null 
@@ -1,88 +0,0 @@ -/* - Copyright 2019-2021 NetFoundry Inc. - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - https://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - */ - -#include -#include -#include -#include "uv.h" - -#if _WIN32 -static char eventsockfile[] = "\\\\.\\pipe\\ziti-edge-tunnel-event.sock"; -#elif __unix__ || unix || ( __APPLE__ && __MACH__ ) -static char eventsockfile[] = "/tmp/ziti-edge-tunnel-event.sock"; -#endif - - -static void cmd_alloc(uv_handle_t *s, size_t sugg, uv_buf_t *b) { - b->base = malloc(sugg); - b->len = sugg; -} - -static void on_response(uv_stream_t *s, ssize_t len, const uv_buf_t *b) { - if (len > 0) { - printf("received response <%.*s>\n", (int) len, b->base); - } else { - fprintf(stderr,"Read Response error %s\n", uv_err_name(len)); - } -} - -void on_connect(uv_connect_t* connect, int status){ - if (status < 0) { - puts("failed to connect!"); - } else { - puts("connected!"); - int res = uv_read_start((uv_stream_t *) connect->handle, cmd_alloc, on_response); - if (res != 0) { - printf("UV read error %s\n", uv_err_name(res)); - } - } -} - -static uv_loop_t* connect_and_read_message(char sockfile[],uv_connect_t* connect, uv_pipe_t* client_handle) { - uv_loop_t* loop = uv_default_loop(); - - int res = uv_pipe_init(loop, client_handle, 0); - if (res != 0) { - printf("UV client handle init failed %s\n", uv_err_name(res)); - return NULL; - } - - uv_pipe_connect(connect, client_handle, sockfile, on_connect); - - return loop; -} - -int main(int argc, char *argv[]) { - uv_pipe_t client_handle; - 
uv_connect_t* connect = (uv_connect_t*)malloc(sizeof(uv_connect_t)); - - uv_loop_t* loop = connect_and_read_message(eventsockfile, connect, &client_handle); - - if (loop == NULL) { - printf("Cannot run UV loop, loop is null"); - return 1; - } - - int res = uv_run(loop, UV_RUN_DEFAULT); - if (res != 0) { - printf("UV run error %s\n", uv_err_name(res)); - return 1; - } - uv_close((uv_handle_t *)&client_handle, NULL); - return 0; -} - - diff --git a/programs/ziti-edge-tunnel/CMakeLists.txt b/programs/ziti-edge-tunnel/CMakeLists.txt index 37da1ea4..a7a81c7e 100644 --- a/programs/ziti-edge-tunnel/CMakeLists.txt +++ b/programs/ziti-edge-tunnel/CMakeLists.txt @@ -12,17 +12,10 @@ if(CMAKE_SYSTEM_NAME STREQUAL Windows) set(tun_lib wintun) set(wintun_dll "${wintun_SOURCE_DIR}/bin/${CMAKE_SYSTEM_PROCESSOR}/wintun.dll") set(NETIF_DRIVER_SOURCE netif_driver/windows/tun.c netif_driver/windows/tun.h) + find_package(unofficial-getopt-win32 REQUIRED) + set(getopt unofficial::getopt-win32::getopt) endif() -if (MSVC) - message("using visual studio") - FetchContent_Declare(win-c - GIT_REPOSITORY https://github.com/netfoundry/win-c.git - GIT_TAG master - ) - FetchContent_MakeAvailable(win-c) - set(getopt libwinc) -endif() set(ZITI_INSTANCE_COMMON include/model/events.h include/model/dtos.h instance.c include/identity-utils.h config-utils.c include/config-utils.h instance-config.c include/instance-config.h) if (WIN32) diff --git a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c index 8690b0d6..12ca0ad7 100644 --- a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c +++ b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c @@ -36,6 +36,7 @@ #include "netif_driver/linux/tun.h" #elif _WIN32 #include +#include #include "netif_driver/windows/tun.h" #include "windows/windows-service.h" #include "windows/windows-scripts.h" 
@@ -124,7 +125,7 @@ struct event_conn_s { static LIST_HEAD(events_list, event_conn_s) event_clients_list = LIST_HEAD_INITIALIZER(event_clients_list); struct ipc_conn_s { - uv_pipe_t *ipc_client_conn; + uv_pipe_t ipc; LIST_ENTRY(ipc_conn_s) _next_ipc_cmd; }; // list to store the ipc connections @@ -160,6 +161,7 @@ static char sockfile[] = "\\\\.\\pipe\\ziti-edge-tunnel.sock"; static char eventsockfile[] = "\\\\.\\pipe\\ziti-edge-tunnel-event.sock"; #elif __unix__ || unix || ( __APPLE__ && __MACH__ ) #include +#include #define SOCKET_PATH "/tmp/.ziti" static char sockfile[] = SOCKET_PATH "/ziti-edge-tunnel.sock"; static char eventsockfile[] = SOCKET_PATH "/ziti-edge-tunnel-event.sock"; @@ -431,7 +433,7 @@ static bool process_tunnel_commands(const tunnel_command *tnl_cmd, command_cb cb break; } char* tun_ip_str = strdup(tunnel_tun_ip_v4_cmd.tunIP); - // make a copy so we can free it later - validating ip address input + // make a copy, so we can free it later - validating ip address input char* tun_ip_cpy = tun_ip_str; char* ip_ptr = strtok(tun_ip_str, "."); //cut the string using dot delimiter if (ip_ptr == NULL) { @@ -629,9 +631,9 @@ static void queue_ipc_command(ipc_cmd_ctx_t *ipc_command_ctx, ssize_t len, char* uv_mutex_unlock(&ipc_command_ctx->cmd_lock); } -static void process_ipc_command(uv_stream_t *s, ssize_t len, char* base) { +static void process_ipc_command(uv_stream_t *s, json_object *json) { tunnel_command tnl_cmd = {0}; - if (parse_tunnel_command(&tnl_cmd, base, len) >= 0) { + if (tunnel_command_from_json(&tnl_cmd, json) >= 0) { // process_tunnel_commands is used to update the log level and the tun ip information in the config file through IPC command. // So when the user restarts the tunnel, the new values will be taken. // The config file can be modified only from ziti-edge-tunnel.c file. 
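Review bot: `uv_pipe_t ipc` is now embedded as the first member, and on_cmd later in this patch depends on that by casting the `uv_stream_t *` straight back to `struct ipc_conn_s *` and passing `&ipc_client->ipc` to uv_close with `free` as the close callback; nothing on the declaration says the layout is load-bearing. Add `uv_pipe_t ipc; // must stay the first member: on_cmd casts uv_stream_t* to struct ipc_conn_s* and uv_close(..., free) releases the whole struct through it` so a later reordering does not silently turn into freeing the wrong pointer.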
@@ -654,35 +656,42 @@ static void process_ipc_command(uv_stream_t *s, ssize_t len, char* base) { static void on_cmd(uv_stream_t *s, ssize_t len, const uv_buf_t *b) { + struct ipc_conn_s *ipc_client = (struct ipc_conn_s*)s; if (len < 0) { - ZITI_LOG(WARN, "received from client - %s. Closing connection.", uv_err_name(len)); - struct ipc_conn_s *del_ipc_client = NULL; - LIST_FOREACH(del_ipc_client, &ipc_clients_list, _next_ipc_cmd) { - if((uv_stream_t *)del_ipc_client->ipc_client_conn == s) { - break; - } + if (len != UV_EOF) { + ZITI_LOG(WARN, "received from client - %s. Closing connection.", uv_err_name(len)); } - if (del_ipc_client) { - LIST_REMOVE(del_ipc_client, _next_ipc_cmd); - free(del_ipc_client); - } - uv_close((uv_handle_t *) s, (uv_close_cb) free); - ZITI_LOG(WARN,"IPC client connection closed, count: %d", sizeof_ipc_clients_list()); + + LIST_REMOVE(ipc_client, _next_ipc_cmd); + + json_tokener *tokener = s->data; + if (tokener) json_tokener_free(tokener); + uv_close((uv_handle_t *) &ipc_client->ipc, (uv_close_cb) free); + ZITI_LOG(DEBUG, "IPC client connection closed, count: %d", sizeof_ipc_clients_list()); } else { - ZITI_LOG(INFO, "received cmd <%.*s>", (int) len, b->base); + ZITI_LOG(DEBUG, "received cmd <%.*s>", (int) len, b->base); -#if LAST_CHAR_IPC_CMD == '\0' - process_ipc_command(s, len, b->base); -#else - queue_ipc_command(ipc_cmd_ctx, len, b->base); - if (b->base[len-1] == LAST_CHAR_IPC_CMD) { - char* new_buff = ipc_cmd_buffered(ipc_cmd_ctx); - ZITI_LOG(TRACE, "buffered cmd <%.*s>", (int) (strlen(new_buff) + 1), new_buff); - process_ipc_command(s, strlen(new_buff) + 1, new_buff); - free(new_buff); + json_tokener *parser = s->data; + + size_t processed = 0; + while (processed < len) { + json_object *json = json_tokener_parse_ex(parser, b->base + processed, (int) (len - processed)); + size_t end = json_tokener_get_parse_end(parser); + processed += end; + if (json) { + process_ipc_command(s, json); + json_object_put(json); + } else if 
(json_tokener_get_error(parser) != json_tokener_continue) { + ZITI_LOG(ERROR, "failed to parse json command: %s, received[%.*s]", + json_tokener_error_desc(json_tokener_get_error(parser)), + (int) len, b->base); + json_tokener_free(parser); + LIST_REMOVE(ipc_client, _next_ipc_cmd); + uv_close((uv_handle_t *) &ipc_client->ipc, (uv_close_cb) free); + break; + } } -#endif } free(b->base); @@ -690,13 +699,12 @@ static void on_cmd(uv_stream_t *s, ssize_t len, const uv_buf_t *b) { static void on_cmd_client(uv_stream_t *s, int status) { int current_ipc_channels = sizeof_ipc_clients_list(); - uv_pipe_t *cmd_conn = malloc(sizeof(uv_pipe_t)); - uv_pipe_init(s->loop, cmd_conn, 0); - uv_accept(s, (uv_stream_t *) cmd_conn); - uv_read_start((uv_stream_t *) cmd_conn, cmd_alloc, on_cmd); - struct ipc_conn_s *ipc_conn = calloc(1, sizeof(struct ipc_conn_s)); - ipc_conn->ipc_client_conn = cmd_conn; - LIST_INSERT_HEAD(&ipc_clients_list, ipc_conn, _next_ipc_cmd); + struct ipc_conn_s *cmd_conn = calloc(1, sizeof(struct ipc_conn_s)); + cmd_conn->ipc.data = json_tokener_new(); + uv_pipe_init(s->loop, &cmd_conn->ipc, 0); + uv_accept(s, (uv_stream_t *) &cmd_conn->ipc); + uv_read_start((uv_stream_t *) &cmd_conn->ipc, cmd_alloc, on_cmd); + LIST_INSERT_HEAD(&ipc_clients_list, cmd_conn, _next_ipc_cmd); ZITI_LOG(DEBUG,"Received IPC client connection request, count: %d", ++current_ipc_channels); } @@ -732,7 +740,6 @@ static int start_cmd_socket(uv_loop_t *l) { return -1; } - static void on_events_client(uv_stream_t *s, int status) { int current_events_channels = sizeof_event_clients_list(); uv_pipe_t* event_conn = malloc(sizeof(uv_pipe_t)); @@ -1730,7 +1737,7 @@ static void run_tunneler_loop(uv_loop_t* ziti_loop) { uv_signal_t sig_##n; \ uv_signal_init(ziti_loop, &sig_##n); \ uv_signal_start(&sig_##n, f, n); \ - uv_unref((uv_handle_t *) &sig_##n); + uv_unref((uv_handle_t *) &sig_##n) handle_sig(SIGINT, on_exit_signal); handle_sig(SIGTERM, on_exit_signal); 
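Review bot: In the parse-error branch `json_tokener_free(parser)` leaves `s->data` pointing at freed memory, and the `len < 0` branch frees `s->data` again whenever it is non-NULL; uv_close should prevent another read callback on this stream, but the pairing is fragile, so set `s->data = NULL;` immediately after the free in both branches (or release the tokener in a dedicated close callback instead). The tokener also has no byte cap: a client that sends an ever-growing, never-terminated JSON document makes `json_tokener_parse_ex` buffer it indefinitely, which on this local IPC socket is a memory-exhaustion path for anyone who can reach `sockfile`, so consider closing the connection once the tokener has consumed more than a bounded number of bytes without yielding an object. `received cmd <%.*s>` logs the raw command at DEBUG, and if the AddIdentity payload (`-j` in add_identity_opts) carries the enrollment token, debug logs would capture that secret; a redacted or length-only log line is safer. `while (processed < len)` compares size_t with ssize_t, which is safe only because this branch runs with `len >= 0` — a cast to size_t makes that explicit.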
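Review bot: `uv_accept` and `uv_read_start` return values are still ignored in on_cmd_client, and `calloc`/`json_tokener_new` are not checked either; on an accept failure the half-initialised `cmd_conn` is inserted into `ipc_clients_list` anyway and `current_ipc_channels` is incremented, so the list and the count drift from the real set of connections. Guard the accept, e.g. `if (uv_accept(s, (uv_stream_t *) &cmd_conn->ipc) != 0) { json_tokener_free(cmd_conn->ipc.data); uv_close((uv_handle_t *) &cmd_conn->ipc, (uv_close_cb) free); return; }`, and only insert into the list after both accept and read_start succeed. As far as the hunk shows, the `status` argument is never examined, and libuv passes a negative status to the listen callback on error.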
@@ -2343,7 +2350,9 @@ static void enroll(int argc, char *argv[]) { } } -static tunnel_command *cmd; +static tunnel_command cmd = { + .show_result = true, // consistent with old behaviour +}; static int dump_opts(int argc, char *argv[]) { static struct option opts[] = { @@ -2354,8 +2363,7 @@ static int dump_opts(int argc, char *argv[]) { optind = 0; tunnel_ziti_dump *dump_options = calloc(1, sizeof(tunnel_ziti_dump)); - cmd = calloc(1, sizeof(tunnel_command)); - cmd->command = TunnelCommand_ZitiDump; + cmd.command = TunnelCommand_ZitiDump; while ((c = getopt_long(argc, argv, "i:p:", opts, &option_index)) != -1) { @@ -2377,7 +2385,7 @@ static int dump_opts(int argc, char *argv[]) { CHECK_COMMAND_ERRORS(errors); size_t json_len; - cmd->data = tunnel_ziti_dump_to_json(dump_options, MODEL_JSON_COMPACT, &json_len); + cmd.data = tunnel_ziti_dump_to_json(dump_options, MODEL_JSON_COMPACT, &json_len); if (dump_options != NULL) { free_tunnel_ziti_dump(dump_options); free(dump_options); 
@@ -2386,92 +2394,96 @@ static int dump_opts(int argc, char *argv[]) { return optind; } -static void on_response(uv_stream_t *s, ssize_t len, const uv_buf_t *b) { - if (len > 0) { - printf("received response <%.*s>\n", (int) len, b->base); - } else { - fprintf(stderr,"Read Response error %s\n", uv_err_name(len)); - } - uv_read_stop(s); - free(b->base); - uv_close((uv_handle_t *)s, NULL); -} - -void on_write(uv_write_t* req, int status) { - if (status < 0) { - fprintf(stderr,"Could not sent message to the tunnel. Write error %s\n", uv_err_name(status)); +static int send_message_to_tunnel(char* message, bool show_result) { +#if _WIN32 + HANDLE cmd_soc = CreateFileA(sockfile, + GENERIC_READ | GENERIC_WRITE, + 0, NULL, + OPEN_EXISTING, + FILE_FLAG_OVERLAPPED, NULL); + if (cmd_soc == INVALID_HANDLE_VALUE) { + DWORD err = GetLastError(); + fprintf(stderr, "failed to connect to pipe: %lu", err); + exit(1); } - free(req); -} - -void send_message_to_pipe(uv_stream_t *pipe, char *msg) { - ZITI_LOG(VERBOSE, "Message...%s\n", msg); - uv_write_t *req = (uv_write_t*) malloc(sizeof(uv_write_t)); - req->data = msg; - - uv_buf_t bufs[2]; - bufs[0] = uv_buf_init(msg, strlen(msg)); - bufs[1] = uv_buf_init("\n", 1); +#else + uv_os_sock_t cmd_soc = socket(AF_UNIX, SOCK_STREAM, 0); + struct sockaddr_un addr = { + .sun_family = AF_UNIX, + .sun_len = sizeof(addr), + }; + strncpy(addr.sun_path, sockfile, sizeof(addr.sun_path)); - int rc = uv_write(req, pipe, bufs, 2, on_write); - if (rc != 0) { - on_write(req, rc); + if (connect(cmd_soc, (const struct sockaddr *) &addr, sizeof(addr))) { + perror("cmd socket connect"); } -} -void on_connect(uv_connect_t* connect, int status){ - if (status < 0) { - fprintf(stderr, "failed to connect: %d/%s\n", status, uv_strerror(status)); - free(connect->data); - } else { - int res = uv_read_start((uv_stream_t *) connect->handle, cmd_alloc, on_response); - if (res != 0) { - fprintf(stderr, "UV read error %d/%s\n", res, uv_strerror(res)); +#endif + size_t 
msg_size = strlen(message); + size_t count = 0; + while (count < strlen(message)) { +#if _WIN32 + DWORD c; + if (!WriteFile(cmd_soc, message + count, msg_size - count, &c, NULL)) { + fprintf(stderr, "failed to write to pipe: %lu", GetLastError()); + exit(1); + } +#else + ssize_t c; + c = write(cmd_soc, message + count, msg_size - count); +#endif + if (c < 0) { + perror("write command"); + exit(1); } - send_message_to_pipe(connect->handle, connect->data); + count += c; } - free(connect); -} - -static uv_loop_t* connect_and_send_cmd(char pipesockfile[],uv_connect_t* connect, uv_pipe_t* client_handle) { - uv_loop_t* loop = uv_default_loop(); - int res = uv_pipe_init(loop, client_handle, 0); - if (res != 0) { - fprintf(stderr, "UV client handle init failed %d/%s\n", res, uv_strerror(res)); - return NULL; + struct json_tokener *parser = json_tokener_new(); + char buf[8*1024]; + struct json_object *json = NULL; + while(json == NULL) { +#if _WIN32 + DWORD c; + if (!ReadFile(cmd_soc, buf, sizeof(buf), &c, NULL)) { + fprintf(stderr, "failed to read from pipe: %lu", GetLastError()); + exit(1); + } +#else + ssize_t c = read(cmd_soc, buf, sizeof(buf)); +#endif + if (c < 0) { + perror("read resp"); + exit(1); + } + json = json_tokener_parse_ex(parser, buf, (int) c); + if (json == NULL) { + enum json_tokener_error e = json_tokener_get_error(parser); + if (e != json_tokener_continue) { + fprintf(stderr, "JSON parsing error: %s\n in payload: %.*s", + json_tokener_error_desc(e), (int)c, buf); + exit(1); + } + } } - uv_pipe_connect(connect, client_handle, pipesockfile, on_connect); - - return loop; -} - -static void send_message_to_tunnel(char* message) { - uv_pipe_t client_handle; - uv_connect_t* connect = (uv_connect_t*)malloc(sizeof(uv_connect_t)); - connect->data = strdup(message); - - uv_loop_t* loop = connect_and_send_cmd(sockfile, connect, &client_handle); - - if (loop == NULL) { - fprintf(stderr, "Cannot run UV loop, loop is null\n"); - return; + if (show_result) { + 
printf("%s", json_object_to_json_string_ext(json, JSON_C_TO_STRING_PRETTY)); } + int code = json_object_get_boolean(json_object_object_get(json, "Success")) ? + 0 : json_object_get_int(json_object_object_get(json, "Code")); + json_object_put(json); + json_tokener_free(parser); - int res = uv_run(loop, UV_RUN_DEFAULT); - if (res != 0) { - fprintf(stderr, "UV run error %s\n", uv_err_name(res)); - } + return code; } static void send_message_to_tunnel_fn(int argc, char *argv[]) { - char* json = tunnel_command_to_json(cmd, MODEL_JSON_COMPACT, NULL); - send_message_to_tunnel(json); - free_tunnel_command(cmd); - free(cmd); - cmd = NULL; + char* json = tunnel_command_to_json(&cmd, MODEL_JSON_COMPACT, NULL); + int result = send_message_to_tunnel(json, cmd.show_result); + free_tunnel_command(&cmd); free(json); + exit(result); } static int on_off_identity_opts(int argc, char *argv[]) { @@ -2483,8 +2495,7 @@ static int on_off_identity_opts(int argc, char *argv[]) { optind = 0; tunnel_on_off_identity on_off_identity_options = {0}; - cmd = calloc(1, sizeof(tunnel_command)); - cmd->command = TunnelCommand_IdentityOnOff; + cmd.command = TunnelCommand_IdentityOnOff; while ((c = getopt_long(argc, argv, "i:o:", opts, &option_index)) != -1) { @@ -2511,7 +2522,7 @@ static int on_off_identity_opts(int argc, char *argv[]) { CHECK_COMMAND_ERRORS(errors); size_t json_len; - cmd->data = tunnel_on_off_identity_to_json(&on_off_identity_options, MODEL_JSON_COMPACT, &json_len); + cmd.data = tunnel_on_off_identity_to_json(&on_off_identity_options, MODEL_JSON_COMPACT, &json_len); on_off_identity_options.identifier = NULL; // don't try to free static memory (`optarg`) free_tunnel_on_off_identity(&on_off_identity_options); 
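Review bot: The response loop spins forever if the daemon closes the socket before a complete JSON object has arrived: on POSIX `read()` then returns 0, `json_tokener_parse_ex` with zero bytes reports `json_tokener_continue`, and the loop calls `read()` again; add `if (c == 0) { fprintf(stderr, "connection closed before a response was received\n"); exit(1); }` before the parse call (the Windows branch has the same gap when ReadFile reports 0 bytes at end of pipe). The `socket()` result is never checked and a failed `connect()` only prints and carries on, so a missing daemon surfaces as a misleading `write command` error — an `exit(1);` after `perror("cmd socket connect");` is enough. `.sun_len = sizeof(addr)` is a BSD member as far as I know and glibc's `struct sockaddr_un` has no `sun_len`, so confirm the Linux build; and `strncpy` into `sun_path` does not guarantee termination should `sockfile` ever grow past `sizeof(addr.sun_path)`, where `snprintf(addr.sun_path, sizeof(addr.sun_path), "%s", sockfile)` is the safer idiom. Lastly, a reply without a `Success` key falls through to `json_object_get_int(NULL)` and yields exit code 0, so a malformed response is reported as success; default `code` to a non-zero value when the key is absent.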
@@ -2526,8 +2537,7 @@ static int enable_identity_opts(int argc, char *argv[]) { optind = 0; tunnel_load_identity load_identity_options = {0}; - cmd = calloc(1, sizeof(tunnel_command)); - cmd->command = TunnelCommand_LoadIdentity; + cmd.command = TunnelCommand_LoadIdentity; while ((c = getopt_long(argc, argv, "i:", opts, &option_index)) != -1) { @@ -2546,7 +2556,7 @@ static int enable_identity_opts(int argc, char *argv[]) { CHECK_COMMAND_ERRORS(errors); size_t json_len; - cmd->data = tunnel_load_identity_to_json(&load_identity_options, MODEL_JSON_COMPACT, &json_len); + cmd.data = tunnel_load_identity_to_json(&load_identity_options, MODEL_JSON_COMPACT, &json_len); free_tunnel_load_identity(&load_identity_options); return optind; @@ -2560,8 +2570,7 @@ static int enable_mfa_opts(int argc, char *argv[]) { optind = 0; tunnel_enable_mfa *enable_mfa_options = calloc(1, sizeof(tunnel_enable_mfa)); - cmd = calloc(1, sizeof(tunnel_command)); - cmd->command = TunnelCommand_EnableMFA; + cmd.command = TunnelCommand_EnableMFA; while ((c = getopt_long(argc, argv, "i:", opts, &option_index)) != -1) { @@ -2580,7 +2589,7 @@ static int enable_mfa_opts(int argc, char *argv[]) { CHECK_COMMAND_ERRORS(errors); size_t json_len; - cmd->data = tunnel_enable_mfa_to_json(enable_mfa_options, MODEL_JSON_COMPACT, &json_len); + cmd.data = tunnel_enable_mfa_to_json(enable_mfa_options, MODEL_JSON_COMPACT, &json_len); free(enable_mfa_options); return optind; @@ -2595,8 +2604,7 @@ static int verify_mfa_opts(int argc, char *argv[]) { optind = 0; tunnel_verify_mfa *verify_mfa_options = calloc(1, sizeof(tunnel_verify_mfa)); - cmd = calloc(1, sizeof(tunnel_command)); - cmd->command = TunnelCommand_VerifyMFA; + cmd.command = TunnelCommand_VerifyMFA; while ((c = getopt_long(argc, argv, "i:c:", opts, &option_index)) != -1) { 
@@ -2618,7 +2626,7 @@ static int verify_mfa_opts(int argc, char *argv[]) { CHECK_COMMAND_ERRORS(errors); size_t json_len; - cmd->data = tunnel_verify_mfa_to_json(verify_mfa_options, MODEL_JSON_COMPACT, &json_len); + cmd.data = tunnel_verify_mfa_to_json(verify_mfa_options, MODEL_JSON_COMPACT, &json_len); free(verify_mfa_options); return optind; @@ -2633,8 +2641,7 @@ static int remove_mfa_opts(int argc, char *argv[]) { optind = 0; tunnel_remove_mfa *remove_mfa_options = calloc(1, sizeof(tunnel_remove_mfa)); - cmd = calloc(1, sizeof(tunnel_command)); - cmd->command = TunnelCommand_RemoveMFA; + cmd.command = TunnelCommand_RemoveMFA; while ((c = getopt_long(argc, argv, "i:c:", opts, &option_index)) != -1) { @@ -2656,7 +2663,7 @@ static int remove_mfa_opts(int argc, char *argv[]) { CHECK_COMMAND_ERRORS(errors); size_t json_len; - cmd->data = tunnel_remove_mfa_to_json(remove_mfa_options, MODEL_JSON_COMPACT, &json_len); + cmd.data = tunnel_remove_mfa_to_json(remove_mfa_options, MODEL_JSON_COMPACT, &json_len); free(remove_mfa_options); return optind; @@ -2671,8 +2678,7 @@ static int submit_mfa_opts(int argc, char *argv[]) { optind = 0; tunnel_submit_mfa *submit_mfa_options = calloc(1, sizeof(tunnel_submit_mfa)); - cmd = calloc(1, sizeof(tunnel_command)); - cmd->command = TunnelCommand_SubmitMFA; + cmd.command = TunnelCommand_SubmitMFA; while ((c = getopt_long(argc, argv, "i:c:", opts, &option_index)) != -1) { @@ -2694,7 +2700,7 @@ static int submit_mfa_opts(int argc, char *argv[]) { CHECK_COMMAND_ERRORS(errors); size_t json_len; - cmd->data = tunnel_submit_mfa_to_json(submit_mfa_options, MODEL_JSON_COMPACT, &json_len); + cmd.data = tunnel_submit_mfa_to_json(submit_mfa_options, MODEL_JSON_COMPACT, &json_len); free(submit_mfa_options); return optind; 
@@ -2709,8 +2715,7 @@ static int generate_mfa_codes_opts(int argc, char *argv[]) { optind = 0; tunnel_generate_mfa_codes *mfa_codes_options = calloc(1, sizeof(tunnel_generate_mfa_codes)); - cmd = calloc(1, sizeof(tunnel_command)); - cmd->command = TunnelCommand_GenerateMFACodes; + cmd.command = TunnelCommand_GenerateMFACodes; while ((c = getopt_long(argc, argv, "i:c:", opts, &option_index)) != -1) { @@ -2732,7 +2737,7 @@ static int generate_mfa_codes_opts(int argc, char *argv[]) { CHECK_COMMAND_ERRORS(errors); size_t json_len; - cmd->data = tunnel_generate_mfa_codes_to_json(mfa_codes_options, MODEL_JSON_COMPACT, &json_len); + cmd.data = tunnel_generate_mfa_codes_to_json(mfa_codes_options, MODEL_JSON_COMPACT, &json_len); free(mfa_codes_options); return optind; @@ -2747,8 +2752,7 @@ static int get_mfa_codes_opts(int argc, char *argv[]) { optind = 0; tunnel_get_mfa_codes *get_mfa_codes_options = calloc(1, sizeof(tunnel_get_mfa_codes)); - cmd = calloc(1, sizeof(tunnel_command)); - cmd->command = TunnelCommand_GetMFACodes; + cmd.command = TunnelCommand_GetMFACodes; while ((c = getopt_long(argc, argv, "i:c:", opts, &option_index)) != -1) { @@ -2770,7 +2774,7 @@ static int get_mfa_codes_opts(int argc, char *argv[]) { CHECK_COMMAND_ERRORS(errors); size_t json_len; - cmd->data = tunnel_get_mfa_codes_to_json(get_mfa_codes_options, MODEL_JSON_COMPACT, &json_len); + cmd.data = tunnel_get_mfa_codes_to_json(get_mfa_codes_options, MODEL_JSON_COMPACT, &json_len); free(get_mfa_codes_options); return optind; @@ -2805,11 +2809,10 @@ static int set_log_level_opts(int argc, char *argv[]) { CHECK_COMMAND_ERRORS(errors); - cmd = calloc(1, sizeof(tunnel_command)); - cmd->command = TunnelCommand_SetLogLevel; + cmd.command = TunnelCommand_SetLogLevel; size_t json_len; - cmd->data = tunnel_set_log_level_to_json(&log_level_options, MODEL_JSON_COMPACT, &json_len); + cmd.data = tunnel_set_log_level_to_json(&log_level_options, MODEL_JSON_COMPACT, &json_len); return optind; } 
@@ -2824,8 +2827,7 @@ static int update_tun_ip_opts(int argc, char *argv[]) { optind = 0; tunnel_tun_ip_v4 *tun_ip_v4_options = calloc(1, sizeof(tunnel_tun_ip_v4)); - cmd = calloc(1, sizeof(tunnel_command)); - cmd->command = TunnelCommand_UpdateTunIpv4; + cmd.command = TunnelCommand_UpdateTunIpv4; while ((c = getopt_long(argc, argv, "t:p:d:", opts, &option_index)) != -1) { @@ -2854,7 +2856,7 @@ static int update_tun_ip_opts(int argc, char *argv[]) { CHECK_COMMAND_ERRORS(errors); size_t json_len; - cmd->data = tunnel_tun_ip_v4_to_json(tun_ip_v4_options, MODEL_JSON_COMPACT, &json_len); + cmd.data = tunnel_tun_ip_v4_to_json(tun_ip_v4_options, MODEL_JSON_COMPACT, &json_len); free(tun_ip_v4_options); return optind; @@ -2869,8 +2871,7 @@ static int endpoint_status_change_opts(int argc, char *argv[]) { optind = 0; tunnel_status_change *tunnel_status_change_opts = calloc(1, sizeof(tunnel_status_change)); - cmd = calloc(1, sizeof(tunnel_command)); - cmd->command = TunnelCommand_StatusChange; + cmd.command = TunnelCommand_StatusChange; while ((c = getopt_long(argc, argv, "w:u:", opts, &option_index)) != -1) { @@ -2900,7 +2901,7 @@ static int endpoint_status_change_opts(int argc, char *argv[]) { CHECK_COMMAND_ERRORS(errors); size_t json_len; - cmd->data = tunnel_status_change_to_json(tunnel_status_change_opts, MODEL_JSON_COMPACT, &json_len); + cmd.data = tunnel_status_change_to_json(tunnel_status_change_opts, MODEL_JSON_COMPACT, &json_len); free(tunnel_status_change_opts); return optind; 
@@ -2910,7 +2911,7 @@ static int endpoint_status_change_opts(int argc, char *argv[]) { static void service_control(int argc, char *argv[]) { tunnel_service_control *tunnel_service_control_opt = calloc(1, sizeof(tunnel_service_control)); - if (parse_tunnel_service_control(tunnel_service_control_opt, cmd->data, strlen(cmd->data)) < 0) { + if (parse_tunnel_service_control(tunnel_service_control_opt, cmd.data, strlen(cmd.data)) < 0) { fprintf(stderr, "Could not fetch service control data"); return; } @@ -2932,8 +2933,7 @@ static int svc_opts(int argc, char *argv[]) { }; tunnel_service_control *tunnel_service_control_options = calloc(1, sizeof(tunnel_service_control)); - cmd = calloc(1, sizeof(tunnel_command)); - cmd->command = TunnelCommand_ServiceControl; + cmd.command = TunnelCommand_ServiceControl; int c, option_index, errors = 0; optind = 0; @@ -2956,7 +2956,7 @@ static int svc_opts(int argc, char *argv[]) { CHECK_COMMAND_ERRORS(errors); size_t json_len; - cmd->data = tunnel_service_control_to_json(tunnel_service_control_options, MODEL_JSON_COMPACT, &json_len); + cmd.data = tunnel_service_control_to_json(tunnel_service_control_options, MODEL_JSON_COMPACT, &json_len); return optind; } @@ -2965,8 +2965,7 @@ static int svc_opts(int argc, char *argv[]) { static int get_status_opts(int argc, char *argv[]) { optind = 0; - cmd = calloc(1, sizeof(tunnel_command)); - cmd->command = TunnelCommand_Status; + cmd.command = TunnelCommand_Status; return optind; } @@ -2979,8 +2978,7 @@ static int delete_identity_opts(int argc, char *argv[]) { optind = 0; tunnel_delete_identity *delete_identity_options = calloc(1, sizeof(tunnel_delete_identity)); - cmd = calloc(1, sizeof(tunnel_command)); - cmd->command = TunnelCommand_RemoveIdentity; + cmd.command = TunnelCommand_RemoveIdentity; while ((c = getopt_long(argc, argv, "i:", opts, &option_index)) != -1) { 
@@ -2999,7 +2997,7 @@ static int delete_identity_opts(int argc, char *argv[]) { CHECK_COMMAND_ERRORS(errors); size_t json_len; - cmd->data = tunnel_delete_identity_to_json(delete_identity_options, MODEL_JSON_COMPACT, &json_len); + cmd.data = tunnel_delete_identity_to_json(delete_identity_options, MODEL_JSON_COMPACT, &json_len); free(delete_identity_options); return optind; @@ -3015,8 +3013,7 @@ static int add_identity_opts(int argc, char *argv[]) { optind = 0; tunnel_add_identity *tunnel_add_identity_opt = calloc(1, sizeof(tunnel_add_identity)); - cmd = calloc(1, sizeof(tunnel_command)); - cmd->command = TunnelCommand_AddIdentity; + cmd.command = TunnelCommand_AddIdentity; while ((c = getopt_long(argc, argv, "i:j:", opts, &option_index)) != -1) { @@ -3038,7 +3035,7 @@ static int add_identity_opts(int argc, char *argv[]) { CHECK_COMMAND_ERRORS(errors); size_t json_len; - cmd->data = tunnel_add_identity_to_json(tunnel_add_identity_opt, MODEL_JSON_COMPACT, &json_len); + cmd.data = tunnel_add_identity_to_json(tunnel_add_identity_opt, MODEL_JSON_COMPACT, &json_len); free(tunnel_add_identity_opt); return optind; diff --git a/vcpkg.json b/vcpkg.json index 38ea83ab..8f2268bd 100644 --- a/vcpkg.json +++ b/vcpkg.json @@ -6,7 +6,10 @@ "zlib", "llhttp", "libsodium", - "getopt", + { + "name": "getopt-win32", + "platform": "windows" + }, { "name": "openssl", "$comment": "on linux we use system installed OpenSSL, as determined by vcpkg-overlays/linux-syslibs)" From 30cee5f65d9a91425bdbbe1bd2b83af5e1366a10 Mon Sep 17 00:00:00 2001 From: eugene Date: Fri, 19 Jul 2024 16:06:27 -0400 Subject: [PATCH 162/251] cleanup --- programs/ziti-edge-tunnel/ziti-edge-tunnel.c | 52 +------------------- 1 file changed, 1 insertion(+), 51 deletions(-) diff --git a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c index 12ca0ad7..ff696ff9 100644 --- a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c +++ b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c 
@@ -107,8 +107,6 @@ struct enroll_cb_params { uv_buf_t config; /* out */ }; -static char* ipc_cmd_buffered(ipc_cmd_ctx_t *ipc_cmd_ctx_new); - struct cfg_instance_s { char *cfg; LIST_ENTRY(cfg_instance_s) _next; @@ -622,15 +620,6 @@ static bool process_tunnel_commands(const tunnel_command *tnl_cmd, command_cb cb } } -static void queue_ipc_command(ipc_cmd_ctx_t *ipc_command_ctx, ssize_t len, char* base) { - struct ipc_cmd_s *cmd_new = calloc(1, sizeof(struct ipc_cmd_s)); - cmd_new->cmd_data = strdup(base); - cmd_new->len = len; - uv_mutex_trylock(&ipc_command_ctx->cmd_lock); - STAILQ_INSERT_TAIL(&ipc_command_ctx->ipc_cmd_queue, cmd_new, _next); - uv_mutex_unlock(&ipc_command_ctx->cmd_lock); -} - static void process_ipc_command(uv_stream_t *s, json_object *json) { tunnel_command tnl_cmd = {0}; if (tunnel_command_from_json(&tnl_cmd, json) >= 0) { @@ -1121,7 +1110,7 @@ static void load_identities(uv_work_t *wr) { continue; } - char* ext = get_filename_ext(file.name); + const char* ext = get_filename_ext(file.name); // ignore back up files if (strcasecmp(ext, ".bak") == 0 || strcasecmp(ext, ".original") == 0 || strcasecmp(ext, "json") != 0) { 
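Review bot: The extension filter around the new `const char* ext = get_filename_ext(file.name);` is internally inconsistent: `strcasecmp(ext, ".bak")` and `strcasecmp(ext, ".original")` assume the helper returns the leading dot, while `strcasecmp(ext, "json") != 0` assumes it does not, so one side is dead code and, if the dot is included, every file is skipped. Pick one convention and make all three comparisons follow it, e.g. `strcasecmp(ext, ".json") != 0`. It is also worth confirming that `get_filename_ext` cannot return NULL for a name without a dot, since `strcasecmp` on NULL is undefined; `load_identities` begins and ends outside this hunk.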
@@ -1513,45 +1502,6 @@ static char* normalize_host(char* hostname) { return hostname_new; } -static char* ipc_cmd_buffered(ipc_cmd_ctx_t *ipc_cmd_ctx_new) { - - ipc_cmd_q cmd_q; - STAILQ_INIT(&cmd_q); - - uv_mutex_trylock(&ipc_cmd_ctx_new->cmd_lock); - cmd_q = ipc_cmd_ctx_new->ipc_cmd_queue; - uv_mutex_unlock(&ipc_cmd_ctx_new->cmd_lock); - - STAILQ_INIT(&ipc_cmd_ctx_new->ipc_cmd_queue); - struct ipc_cmd_s *ipc_cmd; - - char buff[MAXIPCCOMMANDLEN] = {0}; - ssize_t buff_len = 0; - while (!STAILQ_EMPTY(&cmd_q)) { - ipc_cmd = STAILQ_FIRST(&cmd_q); - STAILQ_REMOVE_HEAD(&cmd_q, _next); - - if (ipc_cmd->cmd_data != NULL) { - strncat(buff, ipc_cmd->cmd_data, ipc_cmd->len); - buff_len += ipc_cmd->len; - } - - free(ipc_cmd->cmd_data); - free(ipc_cmd); - - char lastChar = buff[buff_len - 1]; - if (lastChar == LAST_CHAR_IPC_CMD) { - // end of the ipc command - break; - } - } - - char* buf_new = calloc(buff_len + 1, sizeof(char)); - snprintf(buf_new, buff_len, buff); - return buf_new; - -} - static int run_tunnel(uv_loop_t *ziti_loop, uint32_t tun_ip, uint32_t dns_ip, const char *ip_range, const char *dns_upstream) { netif_driver tun; char tun_error[64]; From b2ffe4be2971175c4cb87b9f01e54d4094fc869b Mon Sep 17 00:00:00 2001 From: ekoby Date: Fri, 19 Jul 2024 17:30:20 -0400 Subject: [PATCH 163/251] sockaddr_un.sun_len is only on darwin --- programs/ziti-edge-tunnel/ziti-edge-tunnel.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c index ff696ff9..9261bfcb 100644 --- a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c +++ b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c @@ -2360,7 +2360,9 @@ static int send_message_to_tunnel(char* message, bool show_result) { uv_os_sock_t cmd_soc = socket(AF_UNIX, SOCK_STREAM, 0); struct sockaddr_un addr = { .sun_family = AF_UNIX, +#if __APPLE__ .sun_len = sizeof(addr), +#endif }; strncpy(addr.sun_path, sockfile, sizeof(addr.sun_path)); 
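Review bot: The `strncpy(addr.sun_path, sockfile, sizeof(addr.sun_path));` right under the new `sun_len` initializer silently truncates and leaves `sun_path` unterminated when `sockfile` is `sizeof(addr.sun_path)` bytes or longer, so an over-long socket path is quietly cut rather than rejected; check it first with `if (strlen(sockfile) >= sizeof(addr.sun_path)) { fprintf(stderr, "socket path too long: %s\n", sockfile); return -1; }` (using whatever error convention `send_message_to_tunnel` follows) and copy with `snprintf`. `sun_len` exists on the other BSDs as well, not only Darwin, so if those are ever targets a feature test would be a better guard than `#if __APPLE__`. The `socket()` result in `cmd_soc` is also unchecked here; the function body starts and continues outside the hunk.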
From e2fbd3b19e81c39d17fa74bc6b9c3039488f9228 Mon Sep 17 00:00:00 2001 From: ekoby Date: Fri, 19 Jul 2024 17:34:06 -0400 Subject: [PATCH 164/251] no need for getopt-win32 on mingw --- vcpkg.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vcpkg.json b/vcpkg.json index 8f2268bd..f4d7a77a 100644 --- a/vcpkg.json +++ b/vcpkg.json @@ -8,7 +8,7 @@ "libsodium", { "name": "getopt-win32", - "platform": "windows" + "platform": "windows & !mingw" }, { "name": "openssl", From fcd1c6ee99c26ea5380a63fc5264f497fbdf8a83 Mon Sep 17 00:00:00 2001 From: ekoby Date: Fri, 19 Jul 2024 19:11:50 -0400 Subject: [PATCH 165/251] mingw build --- programs/ziti-edge-tunnel/CMakeLists.txt | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/programs/ziti-edge-tunnel/CMakeLists.txt b/programs/ziti-edge-tunnel/CMakeLists.txt index a7a81c7e..df93bd9b 100644 --- a/programs/ziti-edge-tunnel/CMakeLists.txt +++ b/programs/ziti-edge-tunnel/CMakeLists.txt @@ -12,10 +12,12 @@ if(CMAKE_SYSTEM_NAME STREQUAL Windows) set(tun_lib wintun) set(wintun_dll "${wintun_SOURCE_DIR}/bin/${CMAKE_SYSTEM_PROCESSOR}/wintun.dll") set(NETIF_DRIVER_SOURCE netif_driver/windows/tun.c netif_driver/windows/tun.h) - find_package(unofficial-getopt-win32 REQUIRED) - set(getopt unofficial::getopt-win32::getopt) endif() +if (MSVC) + find_package(unofficial-getopt-win32 REQUIRED) + set(getopt unofficial::getopt-win32::getopt) +endif () set(ZITI_INSTANCE_COMMON include/model/events.h include/model/dtos.h instance.c include/identity-utils.h config-utils.c include/config-utils.h instance-config.c include/instance-config.h) if (WIN32) From e0c5f2d42fa6bda3d91c02601021a7ab68dce08d Mon Sep 17 00:00:00 2001 
From: eugene Date: Mon, 22 Jul 2024 08:56:55 -0400 Subject: [PATCH 166/251] allow loading/starting ziti identity with provided config instead of a file --- .../include/ziti/ziti_tunnel_cbs.h | 3 +- lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c | 46 +++++++++++++++---- 2 files changed, 39 insertions(+), 10 deletions(-) diff --git a/lib/ziti-tunnel-cbs/include/ziti/ziti_tunnel_cbs.h b/lib/ziti-tunnel-cbs/include/ziti/ziti_tunnel_cbs.h index 8ce9c1ad..1c557750 100644 --- a/lib/ziti-tunnel-cbs/include/ziti/ziti_tunnel_cbs.h +++ b/lib/ziti-tunnel-cbs/include/ziti/ziti_tunnel_cbs.h @@ -84,7 +84,8 @@ XX(code, int, none, Code, __VA_ARGS__) #define TNL_LOAD_IDENTITY(XX, ...) \ XX(identifier, string, none, Identifier, __VA_ARGS__)\ -XX(path, string, none, Path, __VA_ARGS__) \ +XX(path, string, none, Path, __VA_ARGS__) \ +XX(config, ziti_config, ptr, Config, __VA_ARGS__) \ XX(apiPageSize, int, none, ApiPageSize, __VA_ARGS__) #define TNL_ON_OFF_IDENTITY(XX, ...) \ diff --git a/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c b/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c index 28e0b33c..6ab9e1f6 100644 --- a/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c +++ b/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c @@ -47,6 +47,8 @@ static const char * cfg_types[] = { "ziti-tunneler-client.v1", "intercept.v1", " static long refresh_interval = 10; static int process_cmd(const tunnel_command *cmd, void (*cb)(const tunnel_result *, void *ctx), void *ctx); +static int load_identity_cfg(const char *identifier, const ziti_config *cfg, + int api_page_size, command_cb cb, void *ctx); static int load_identity(const char *identifier, const char *path, int api_page_size, command_cb cb, void *ctx); static void get_transfer_rates(const char *identifier, command_cb cb, void *ctx); static void load_ziti_async(uv_loop_t *loop, void *arg); 
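Review bot: The new `XX(config, ziti_config, ptr, Config, __VA_ARGS__)` member changes the IPC contract for `LoadIdentity` without saying how it interacts with `path`: in `process_cmd` the inline `config` takes precedence over `path` and makes `identifier` mandatory, and a `ziti_config` supplied this way presumably carries the identity's key and certificate material, so any client with access to the IPC socket can now inject an identity without touching the filesystem. Document this on the macro, e.g. `/* config: inline identity config; when set it overrides path and identifier is required */`, so IPC clients and the authorization model around the socket account for it.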
@@ -202,15 +204,34 @@ static int process_cmd(const tunnel_command *cmd, command_cb cb, void *ctx) { ZITI_LOG(TRACE, "processing command[%s] with data[%s]", TunnelCommands.name(cmd->command), cmd->data); switch (cmd->command) { case TunnelCommand_LoadIdentity: { - tunnel_load_identity load; + tunnel_load_identity load = {0}; if (cmd->data == NULL || parse_tunnel_load_identity(&load, cmd->data, strlen(cmd->data)) < 0) { result.success = false; result.error = "invalid command"; break; } - const char *id = load.identifier ? load.identifier : load.path; - load_identity(id, load.path, load.apiPageSize, cb, ctx); - return 0; + + int rc = ZITI_INVALID_CONFIG; + if (load.config != NULL) { + if (load.identifier == NULL) { + result.success = false; + result.code = rc; + result.error = "identifier is required when loading with config"; + break; + } + rc = load_identity_cfg(load.identifier, load.config, load.apiPageSize, cb, ctx); + } else if (load.path != NULL) { + const char *id = load.identifier ? load.identifier : load.path; + rc = load_identity(id, load.path, load.apiPageSize, cb, ctx); + } + + if (rc == ZITI_OK) { + return 0; + } + result.success = false; + result.error = (char*)ziti_errorstr(rc); + result.code = rc; + break; } case TunnelCommand_ListIdentities: { 
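Review bot: Now that `LoadIdentity` accepts an inline `config`, the `ZITI_LOG(TRACE, "processing command[%s] with data[%s]", ..., cmd->data)` at the top of this hunk will write the whole identity config — which in ziti presumably includes the private key and certificate — into the log whenever TRACE is enabled; log only the identifier/path for `TunnelCommand_LoadIdentity`, or redact `data` for that command. Separately, the parsed `tunnel_load_identity load` is not released on any of the new exits (the early `break`s, the `return 0`, or the error `break`), unlike the other cases which call their matching `free_tunnel_*`; add `free_tunnel_load_identity(&load);` before each exit, which is safe because `load_identity_cfg` only borrows the config (`load_identity` frees its own `ziti_config` immediately after calling it). The `(char*)ziti_errorstr(rc)` cast discards const and is only acceptable if `result.error` is never freed. `process_cmd` begins and ends outside this hunk.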
@@ -613,15 +634,23 @@ static int process_cmd(const tunnel_command *cmd, command_cb cb, void *ctx) { static int load_identity(const char *identifier, const char *path, int api_page_size, command_cb cb, void *ctx) { ziti_config cfg = {0}; int rc = ziti_load_config(&cfg, path); - if (rc != ZITI_OK) { - goto on_error; + if (rc == ZITI_OK) { + if (identifier == NULL) { + identifier = path; + } + rc = load_identity_cfg(identifier, &cfg, api_page_size, cb, ctx); } - struct ziti_instance_s *inst = new_ziti_instance(identifier ? identifier : path); + free_ziti_config(&cfg); + return rc; +} + +static int load_identity_cfg(const char *identifier, const ziti_config *cfg, int api_page_size, command_cb cb, void *ctx) { + struct ziti_instance_s *inst = new_ziti_instance(identifier ? identifier : cfg->cfg_source); ziti_options opts = { .api_page_size = api_page_size > 0 ? api_page_size : 0, }; - rc = init_ziti_instance(inst, &cfg, &opts); + int rc = init_ziti_instance(inst, cfg, &opts); if (rc != ZITI_OK) { goto on_error; } @@ -631,7 +660,6 @@ static int load_identity(const char *identifier, const char *path, int api_page_ load_ziti_async(CMD_CTX.loop, inst); on_error: - free_ziti_config(&cfg); return rc; } From fd3cfedb68fedd8978fb27dddf19e077c2db3a88 Mon Sep 17 00:00:00 2001 From: eugene Date: Mon, 22 Jul 2024 12:04:30 -0400 Subject: [PATCH 167/251] fix wintun.cmake --- programs/ziti-edge-tunnel/wintun.cmake | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/programs/ziti-edge-tunnel/wintun.cmake b/programs/ziti-edge-tunnel/wintun.cmake index bcd25438..e0fc368d 100644 --- a/programs/ziti-edge-tunnel/wintun.cmake +++ b/programs/ziti-edge-tunnel/wintun.cmake @@ -11,4 +11,4 @@ if(NOT wintun_POPULATED) endif() add_library(wintun INTERFACE) -target_include_directories(subcommand INTERFACE ${wintun_SOURCE_DIR}/include) +target_include_directories(wintun INTERFACE ${wintun_SOURCE_DIR}/include) From 19e7e4038f860b381430643def8d6bcafb2da634 Mon Sep 17 00:00:00 2001 
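Review bot: In `load_identity_cfg`, when `init_ziti_instance(inst, cfg, &opts)` fails the `goto on_error` now just returns `rc`, and the `inst` obtained from `new_ziti_instance(...)` is neither freed nor, as far as this hunk shows, withdrawn from wherever `new_ziti_instance` registers it, so every failed load with a bad config leaks or leaves a half-initialised instance behind. If `new_ziti_instance` does not register the instance, release it with the matching destructor before `return rc` on the error path; if it does, remove it from the map there. Add a contract comment above `load_identity_cfg` stating that `cfg` is only borrowed for the duration of the call — `load_identity` calls `free_ziti_config(&cfg)` right after — so `init_ziti_instance` must copy whatever it keeps. `load_identity_cfg` ends in the following hunk.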
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Jul 2024 22:42:58 +0000 Subject: [PATCH 168/251] Bump softprops/action-gh-release from 1 to 2 Bumps [softprops/action-gh-release](https://github.com/softprops/action-gh-release) from 1 to 2. - [Release notes](https://github.com/softprops/action-gh-release/releases) - [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md) - [Commits](https://github.com/softprops/action-gh-release/compare/v1...v2) --- updated-dependencies: - dependency-name: softprops/action-gh-release dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8764a157..eda395f1 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -29,7 +29,7 @@ jobs: # artifacts that do not need to be renamed - name: Release id: get_release - uses: softprops/action-gh-release@v1 + uses: softprops/action-gh-release@v2 with: # name: defaults to tag name # tag_name: defaults to github.ref From 94c03f3c9fdff4287c14abe0c6bbeb16ad841b4b Mon Sep 17 00:00:00 2001 From: ekoby Date: Tue, 23 Jul 2024 15:54:56 -0400 Subject: [PATCH 169/251] make build adjustments for Android --- lib/ziti-tunnel-cbs/CMakeLists.txt | 1 + lib/ziti-tunnel-cbs/ziti_dns.c | 4 +- lib/ziti-tunnel/CMakeLists.txt | 4 + lib/ziti-tunnel/lwip/ports/android/arch/cc.h | 91 ++++++++++++++++++++ 4 files changed, 98 insertions(+), 2 deletions(-) create mode 100644 lib/ziti-tunnel/lwip/ports/android/arch/cc.h diff --git a/lib/ziti-tunnel-cbs/CMakeLists.txt b/lib/ziti-tunnel-cbs/CMakeLists.txt index cf689329..c817bd4c 100644 --- a/lib/ziti-tunnel-cbs/CMakeLists.txt +++ b/lib/ziti-tunnel-cbs/CMakeLists.txt 
@@ -32,6 +32,7 @@ endif() if(CMAKE_SYSTEM_NAME STREQUAL Windows) SET(resolve_lib dnsapi) +elseif(CMAKE_SYSTEM_NAME STREQUAL Android) else() SET(resolve_lib resolv) endif() diff --git a/lib/ziti-tunnel-cbs/ziti_dns.c b/lib/ziti-tunnel-cbs/ziti_dns.c index 11d39218..e35a629b 100644 --- a/lib/ziti-tunnel-cbs/ziti_dns.c +++ b/lib/ziti-tunnel-cbs/ziti_dns.c @@ -57,7 +57,7 @@ static void* on_dns_client(const void *app_intercept_ctx, io_ctx_t *io); static int on_dns_close(void *dns_io_ctx); static ssize_t on_dns_req(const void *ziti_io_ctx, void *write_ctx, const void *q_packet, size_t len); static int query_upstream(struct dns_req *req); -static void udp_alloc(uv_handle_t *h, unsigned long reqlen, uv_buf_t *b); +static void udp_alloc(uv_handle_t *h, size_t reqlen, uv_buf_t *b); static void on_upstream_packet(uv_udp_t *h, ssize_t rc, const uv_buf_t *buf, const struct sockaddr* addr, unsigned int flags); static void complete_dns_req(struct dns_req *req); static void free_dns_req(struct dns_req *req); @@ -825,7 +825,7 @@ int query_upstream(struct dns_req *req) { return rc == 0 ? DNS_NO_ERROR : DNS_REFUSE; } -static void udp_alloc(uv_handle_t *h, unsigned long reqlen, uv_buf_t *b) { +static void udp_alloc(uv_handle_t *h, size_t reqlen, uv_buf_t *b) { b->base = malloc(1024); b->len = 1024; } diff --git a/lib/ziti-tunnel/CMakeLists.txt b/lib/ziti-tunnel/CMakeLists.txt index 6b8f4d45..c6d79e67 100644 --- a/lib/ziti-tunnel/CMakeLists.txt +++ b/lib/ziti-tunnel/CMakeLists.txt @@ -26,7 +26,11 @@ else() set(lwip_sys_srcs ${LWIP_CONTRIB_DIR}/ports/unix/port/sys_arch.c) endif() +if (ANDROID) + set(platform_lwip_include ${CMAKE_CURRENT_SOURCE_DIR}/lwip/ports/android) +endif () set (LWIP_INCLUDE_DIRS + "${platform_lwip_include}" "${LWIP_DIR}/src/include" "${LWIP_CONTRIB_INCLUDE}" "${CMAKE_CURRENT_SOURCE_DIR}/lwip" diff --git a/lib/ziti-tunnel/lwip/ports/android/arch/cc.h b/lib/ziti-tunnel/lwip/ports/android/arch/cc.h new file mode 100644 index 00000000..11183225 --- /dev/null 
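Review bot: In lib/ziti-tunnel/CMakeLists.txt the new `"${platform_lwip_include}"` entry is added to `LWIP_INCLUDE_DIRS` unconditionally, so on every non-Android build the list gains an empty element; keep the entry inside the `if (ANDROID)` block instead, e.g. `list(APPEND LWIP_INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/lwip/ports/android)`, since an empty include path is at best ignored and at worst rejected depending on how the list is consumed. The deliberately empty `elseif(CMAKE_SYSTEM_NAME STREQUAL Android)` branch in lib/ziti-tunnel-cbs also deserves a one-line comment such as `# Bionic has no separate resolver library; leave resolve_lib unset` so nobody "fixes" it later.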
+++ b/lib/ziti-tunnel/lwip/ports/android/arch/cc.h 
@@ -0,0 +1,91 @@ +/* + * Copyright (c) 2001-2003 Swedish Institute of Computer Science. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without modification, + * are permitted provided that the following conditions are met: + * + * 1. Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation + * and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT + * SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT + * OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING + * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY + * OF SUCH DAMAGE. + * + * This file is part of the lwIP TCP/IP stack. 
+ * + * Author: Adam Dunkels + * + */ + +// openziti: tweaked for Android build + +#ifndef LWIP_ARCH_CC_H +#define LWIP_ARCH_CC_H + +/* see https://sourceforge.net/p/predef/wiki/OperatingSystems/ */ +#if defined __ANDROID__ +#define LWIP_UNIX_ANDROID +#elif defined __linux__ +#define LWIP_UNIX_LINUX +#elif defined __APPLE__ +#define LWIP_UNIX_MACH +#elif defined __OpenBSD__ +#define LWIP_UNIX_OPENBSD +#elif defined __CYGWIN__ +#define LWIP_UNIX_CYGWIN +#elif defined __GNU__ +#define LWIP_UNIX_HURD +#endif + +#define LWIP_TIMEVAL_PRIVATE 0 +#include + +#define LWIP_ERRNO_INCLUDE + +#if defined(LWIP_UNIX_LINUX) || defined(LWIP_UNIX_HURD) +#define LWIP_ERRNO_STDINCLUDE 1 +#endif + +#define LWIP_RAND() ((u32_t)rand()) + +/* different handling for unit test, normally not needed */ +#ifdef LWIP_NOASSERT_ON_ERROR +#define LWIP_ERROR(message, expression, handler) do { if (!(expression)) { \ + handler;}} while(0) +#endif + +#if defined(LWIP_UNIX_ANDROID) && !defined(FD_SET) +typedef __kernel_fd_set fd_set; +#endif + +#if defined(LWIP_UNIX_MACH) +/* sys/types.h and signal.h bring in Darwin byte order macros. pull the + header here and disable LwIP's version so that apps still can get + the macros via LwIP headers and use system headers */ +#include +#define LWIP_DONT_PROVIDE_BYTEORDER_FUNCTIONS +#endif + +struct sio_status_s; +typedef struct sio_status_s sio_status_t; +#define sio_fd_t sio_status_t* +#define __sio_fd_t_defined + +typedef unsigned int sys_prot_t; + +struct __res_state{}; + +#endif /* LWIP_ARCH_CC_H */ From 2ea801d1a5b71765b04a7ef8443b247d9f560bea Mon Sep 17 00:00:00 2001 From: eugene Date: Wed, 24 Jul 2024 09:21:01 -0400 Subject: [PATCH 170/251] refactor simple identity subcommands --- CMakeLists.txt | 5 +- .../include/ziti/ziti_tunnel_cbs.h | 15 +- lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c | 47 +++--- programs/ziti-edge-tunnel/ziti-edge-tunnel.c | 135 ++++++++---------- 4 files changed, 90 insertions(+), 112 deletions(-) 
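Review bot: `#define LWIP_RAND() ((u32_t)rand())` makes libc `rand()` lwIP's only randomness source on Android; it is not seeded anywhere in this header and is predictable, which matters if the lwIP options in this build route DNS transaction ids or initial local port selection through `LWIP_RAND` (both are configurable uses in lwIP). This is inherited from the upstream unix port, but for a tunneler that terminates application TCP/UDP a CSPRNG-backed definition (e.g. `arc4random()`, which Bionic provides) would be the safer choice; if the weak source is accepted deliberately, say so in a comment beside the macro. `struct __res_state{};` is an empty struct definition — a GCC/Clang extension, not ISO C, and the name sits in the implementation-reserved namespace — so a one-line comment explaining that it stubs out the missing libresolv type on Android would help the next reader.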
diff --git a/CMakeLists.txt b/CMakeLists.txt index b6ae70ea..e1f677a2 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1,4 +1,4 @@ -cmake_minimum_required(VERSION 3.20) +cmake_minimum_required(VERSION 3.21) set(ZITI_SDK_DIR "" CACHE FILEPATH "developer option: use local ziti-sdk-c checkout") @@ -12,7 +12,6 @@ message("tunnel only = ${TUNNEL_SDK_ONLY}") option(EXCLUDE_PROGRAMS "exclude building the programs directory" OFF) message("exclude programs = ${EXCLUDE_PROGRAMS}") -option(ZITI_TUNNEL_BUILD_TESTS "Build tests." ON) find_package(Git) if(NOT GIT_VERSION AND GIT_FOUND) @@ -83,6 +82,8 @@ project(ziti-tunnel-sdk-c HOMEPAGE_URL "https://github.com/openziti/ziti-tunneler-sdk-c" LANGUAGES C CXX) +option(ZITI_TUNNEL_BUILD_TESTS "Build tests." "${${PROJECT_NAME}_IS_TOP_LEVEL}") + set(PROJECT_VERSION ${GIT_VERSION}) if(NOT BUILD_DIST_PACKAGES) diff --git a/lib/ziti-tunnel-cbs/include/ziti/ziti_tunnel_cbs.h b/lib/ziti-tunnel-cbs/include/ziti/ziti_tunnel_cbs.h index dfff1b58..bd73aa7c 100644 --- a/lib/ziti-tunnel-cbs/include/ziti/ziti_tunnel_cbs.h +++ b/lib/ziti-tunnel-cbs/include/ziti/ziti_tunnel_cbs.h @@ -68,7 +68,8 @@ XX(ServiceControl, __VA_ARGS__) \ XX(Status, __VA_ARGS__) \ XX(RemoveIdentity, __VA_ARGS__) \ XX(StatusChange, __VA_ARGS__) \ -XX(AddIdentity, __VA_ARGS__) +XX(AddIdentity, __VA_ARGS__) \ +XX(ExternalAuth, __VA_ARGS__) DECLARE_ENUM(TunnelCommand, TUNNEL_COMMANDS) @@ -106,7 +107,7 @@ XX(identities, tunnel_identity_info, array, Identities, __VA_ARGS__) XX(identifier, string, none, Identifier, __VA_ARGS__) \ XX(dump_path, string, none, DumpPath, __VA_ARGS__) -#define TNL_ENABLE_MFA(XX, ...) \ +#define TNL_IDENTITY_ID(XX, ...) \ XX(identifier, string, none, Identifier, __VA_ARGS__) #define TNL_MFA_ENROL_RES(XX,...) \ 
@@ -141,9 +142,6 @@ XX(recovery_codes, string, array, RecoveryCodes, __VA_ARGS__) XX(identifier, string, none, Identifier, __VA_ARGS__) \ XX(code, string, none, Code, __VA_ARGS__) -#define TNL_GET_IDENTITY_METRICS(XX, ...) \ -XX(identifier, string, none, Identifier, __VA_ARGS__) - #define TNL_IDENTITY_METRICS(XX, ...) \ XX(identifier, string, none, Identifier, __VA_ARGS__) \ XX(up, string, none, Up, __VA_ARGS__) \ @@ -153,9 +151,6 @@ XX(down, string, none, Down, __VA_ARGS__) XX(identifier, string, none, Identifier, __VA_ARGS__) \ XX(command, TunnelCommand, none, Command, __VA_ARGS__) -#define TNL_DELETE_IDENTITY(XX, ...) \ -XX(identifier, string, none, Identifier, __VA_ARGS__) - #define TUNNEL_SET_LOG_LEVEL(XX, ...) \ XX(loglevel, string, none, Level, __VA_ARGS__) @@ -182,7 +177,7 @@ DECLARE_MODEL(tunnel_identity_info, TNL_IDENTITY_INFO) DECLARE_MODEL(tunnel_identity_lst, TNL_IDENTITY_LIST) DECLARE_MODEL(tunnel_ziti_dump, TNL_ZITI_DUMP) DECLARE_MODEL(tunnel_on_off_identity, TNL_ON_OFF_IDENTITY) -DECLARE_MODEL(tunnel_enable_mfa, TNL_ENABLE_MFA) +DECLARE_MODEL(tunnel_identity_id, TNL_IDENTITY_ID) DECLARE_MODEL(tunnel_mfa_enrol_res, TNL_MFA_ENROL_RES) DECLARE_MODEL(tunnel_submit_mfa, TNL_SUBMIT_MFA) DECLARE_MODEL(tunnel_verify_mfa, TNL_VERIFY_MFA) 
@@ -190,13 +185,11 @@ DECLARE_MODEL(tunnel_remove_mfa, TNL_REMOVE_MFA) DECLARE_MODEL(tunnel_generate_mfa_codes, TNL_GENERATE_MFA_CODES) DECLARE_MODEL(tunnel_mfa_recovery_codes, TNL_MFA_RECOVERY_CODES) DECLARE_MODEL(tunnel_get_mfa_codes, TNL_GET_MFA_CODES) -DECLARE_MODEL(tunnel_get_identity_metrics, TNL_GET_IDENTITY_METRICS) DECLARE_MODEL(tunnel_identity_metrics, TNL_IDENTITY_METRICS) DECLARE_MODEL(tunnel_command_inline, TUNNEL_CMD_INLINE) DECLARE_MODEL(tunnel_set_log_level, TUNNEL_SET_LOG_LEVEL) DECLARE_MODEL(tunnel_tun_ip_v4, TUNNEL_TUN_IP_V4) DECLARE_MODEL(tunnel_service_control, TUNNEL_SERVICE_CONTROL) -DECLARE_MODEL(tunnel_delete_identity, TNL_DELETE_IDENTITY) DECLARE_MODEL(tunnel_status_change, TUNNEL_STATUS_CHANGE) DECLARE_MODEL(tunnel_add_identity, TUNNEL_ADD_IDENTITY) diff --git a/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c b/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c index 6ab9e1f6..ecb17e15 100644 --- a/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c +++ b/lib/ziti-tunnel-cbs/ziti_tunnel_ctrl.c 
@@ -353,21 +353,21 @@ static int process_cmd(const tunnel_command *cmd, command_cb cb, void *ctx) { } case TunnelCommand_EnableMFA: { - tunnel_enable_mfa enable_mfa_cmd = {0}; - if (cmd->data != NULL && parse_tunnel_enable_mfa(&enable_mfa_cmd, cmd->data, strlen(cmd->data)) < 0) { + tunnel_identity_id id = {0}; + if (cmd->data != NULL && parse_tunnel_identity_id(&id, cmd->data, strlen(cmd->data)) < 0) { result.success = false; result.error = "invalid command"; - free_tunnel_enable_mfa(&enable_mfa_cmd); + free_tunnel_identity_id(&id); break; } - if (is_null(enable_mfa_cmd.identifier, "Identifier info is not found in the request", &result)) { - free_tunnel_enable_mfa(&enable_mfa_cmd); + if (is_null(id.identifier, "Identifier info is not found in the request", &result)) { + free_tunnel_identity_id(&id); break; } - struct ziti_instance_s *inst = model_map_get(&instances, enable_mfa_cmd.identifier); + struct ziti_instance_s *inst = model_map_get(&instances, id.identifier); if (is_null(inst, "ziti context not found", &result) || is_null(inst->ztx, "ziti context is not loaded", &result)) { - free_tunnel_enable_mfa(&enable_mfa_cmd); + free_tunnel_identity_id(&id); break; } if (inst->ztx == NULL) { @@ -377,13 +377,14 @@ static int process_cmd(const tunnel_command *cmd, command_cb cb, void *ctx) { } struct tunnel_cb_s *req = malloc(sizeof(struct tunnel_cb_s)); - req->ctx = strdup(enable_mfa_cmd.identifier); + req->ctx = id.identifier; + id.identifier = NULL; req->cmd_cb = cb; req->cmd_ctx = ctx; enable_mfa(inst->ztx, req); - free_tunnel_enable_mfa(&enable_mfa_cmd); + free_tunnel_identity_id(&id); return 0; } 
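Review bot: The ownership hand-off `req->ctx = id.identifier; id.identifier = NULL;` is correct but fragile, because the `free_tunnel_identity_id(&id)` a few lines below would free a string `enable_mfa` still holds if the NULL-ing is ever dropped; annotate it with `// req takes ownership of id.identifier; cleared so free_tunnel_identity_id() below does not release it`. The `malloc(sizeof(struct tunnel_cb_s))` result is used without a NULL check, and the `if (inst->ztx == NULL) {` that follows is unreachable after the `is_null(inst->ztx, ...)` guard just above and can be removed. `process_cmd` begins and ends outside this hunk.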
@@ -541,47 +542,47 @@ static int process_cmd(const tunnel_command *cmd, command_cb cb, void *ctx) { } case TunnelCommand_GetMetrics: { - tunnel_get_identity_metrics get_identity_metrics_cmd = {0}; - if (cmd->data == NULL || parse_tunnel_get_identity_metrics(&get_identity_metrics_cmd, cmd->data, strlen(cmd->data)) < 0) { + tunnel_identity_id get_identity_metrics_cmd = {0}; + if (cmd->data == NULL || parse_tunnel_identity_id(&get_identity_metrics_cmd, cmd->data, strlen(cmd->data)) < 0) { result.error = "invalid command"; result.success = false; - free_tunnel_get_identity_metrics(&get_identity_metrics_cmd); + free_tunnel_identity_id(&get_identity_metrics_cmd); break; } if (is_null(get_identity_metrics_cmd.identifier, "Identifier info is not found in the request", &result)) { - free_tunnel_get_identity_metrics(&get_identity_metrics_cmd); + free_tunnel_identity_id(&get_identity_metrics_cmd); break; } struct ziti_instance_s *inst = model_map_get(&instances, get_identity_metrics_cmd.identifier); if (is_null(inst, "ziti context not found", &result) || is_null(inst->ztx, "ziti context is not loaded", &result)) { - free_tunnel_get_identity_metrics(&get_identity_metrics_cmd); + free_tunnel_identity_id(&get_identity_metrics_cmd); break; } get_transfer_rates(get_identity_metrics_cmd.identifier, (command_cb) cb, ctx); - free_tunnel_get_identity_metrics(&get_identity_metrics_cmd); + free_tunnel_identity_id(&get_identity_metrics_cmd); return 0; } case TunnelCommand_RemoveIdentity: { - tunnel_delete_identity delete_id = {0}; - if (cmd->data == NULL || parse_tunnel_delete_identity(&delete_id, cmd->data, strlen(cmd->data)) < 0) { + tunnel_identity_id delete_id = {0}; + if (cmd->data == NULL || parse_tunnel_identity_id(&delete_id, cmd->data, strlen(cmd->data)) < 0) { result.success = false; result.error = "invalid command"; - free_tunnel_delete_identity(&delete_id); + free_tunnel_identity_id(&delete_id); break; } result.data = tunnel_command_to_json(cmd, MODEL_JSON_COMPACT, NULL); if 
(is_null(delete_id.identifier, "Identifier info is not found in the remove identity request", &result)) { - free_tunnel_delete_identity(&delete_id); + free_tunnel_identity_id(&delete_id); break; } struct ziti_instance_s *inst = model_map_get(&instances, delete_id.identifier); if (is_null(inst, "ziti context not found", &result) || is_null(inst->ztx, "ziti context is not loaded", &result)) { - free_tunnel_delete_identity(&delete_id); + free_tunnel_identity_id(&delete_id); break; } @@ -592,7 +593,7 @@ static int process_cmd(const tunnel_command *cmd, command_cb cb, void *ctx) { result.success = true; result.code = IPC_SUCCESS; - free_tunnel_delete_identity(&delete_id); + free_tunnel_identity_id(&delete_id); break; } @@ -1342,7 +1343,7 @@ IMPL_MODEL(tunnel_identity_info, TNL_IDENTITY_INFO) IMPL_MODEL(tunnel_identity_lst, TNL_IDENTITY_LIST) IMPL_MODEL(tunnel_on_off_identity, TNL_ON_OFF_IDENTITY) IMPL_MODEL(tunnel_ziti_dump, TNL_ZITI_DUMP) -IMPL_MODEL(tunnel_enable_mfa, TNL_ENABLE_MFA) +IMPL_MODEL(tunnel_identity_id, TNL_IDENTITY_ID) IMPL_MODEL(tunnel_mfa_enrol_res, TNL_MFA_ENROL_RES) IMPL_MODEL(tunnel_submit_mfa, TNL_SUBMIT_MFA) IMPL_MODEL(tunnel_verify_mfa, TNL_VERIFY_MFA) @@ -1350,9 +1351,7 @@ IMPL_MODEL(tunnel_remove_mfa, TNL_REMOVE_MFA) IMPL_MODEL(tunnel_generate_mfa_codes, TNL_GENERATE_MFA_CODES) IMPL_MODEL(tunnel_mfa_recovery_codes, TNL_MFA_RECOVERY_CODES) IMPL_MODEL(tunnel_get_mfa_codes, TNL_GET_MFA_CODES) -IMPL_MODEL(tunnel_get_identity_metrics, TNL_GET_IDENTITY_METRICS) IMPL_MODEL(tunnel_identity_metrics, TNL_IDENTITY_METRICS) -IMPL_MODEL(tunnel_delete_identity, TNL_DELETE_IDENTITY) IMPL_MODEL(tunnel_status_change, TUNNEL_STATUS_CHANGE) // ************** TUNNEL Events diff --git a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c index 9261bfcb..542dcd1f 100644 --- a/programs/ziti-edge-tunnel/ziti-edge-tunnel.c +++ b/programs/ziti-edge-tunnel/ziti-edge-tunnel.c 
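Review bot: In the `TunnelCommand_GetMetrics` case, `get_transfer_rates(get_identity_metrics_cmd.identifier, (command_cb) cb, ctx)` is handed a pointer that `free_tunnel_identity_id(&get_identity_metrics_cmd)` releases on the very next line; that is only safe if `get_transfer_rates` completes synchronously and does not retain the identifier, which this hunk cannot show — the `EnableMFA` case in the same commit transfers ownership of `id.identifier` precisely to avoid this, so either confirm and document `get_transfer_rates` as synchronous or hand the string over the same way. The `(command_cb) cb` cast is redundant since `process_cmd` already declares `cb` as `command_cb`. In `TunnelCommand_RemoveIdentity`, `result.data = tunnel_command_to_json(cmd, ...)` is allocated before the identifier and instance checks that `break` out early, so the code after the switch must free `result.data` on those paths as well. This switch begins and ends outside the hunk.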
@@ -241,8 +241,8 @@ static void on_command_resp(const tunnel_result* result, void *ctx) { if (parse_tunnel_command(&tnl_res_cmd, result->data, strlen(result->data)) >= 0) { switch (tnl_res_cmd.command) { case TunnelCommand_RemoveIdentity: { - tunnel_delete_identity tnl_delete_id; - if (tnl_res_cmd.data != NULL && parse_tunnel_delete_identity(&tnl_delete_id, tnl_res_cmd.data, strlen(tnl_res_cmd.data)) >= 0) { + tunnel_identity_id tnl_delete_id; + if (tnl_res_cmd.data != NULL && parse_tunnel_identity_id(&tnl_delete_id, tnl_res_cmd.data, strlen(tnl_res_cmd.data)) >= 0) { if (tnl_delete_id.identifier == NULL) { ZITI_LOG(ERROR, "Identity filename is not found in the remove identity request, not deleting the identity file"); break; @@ -273,7 +273,7 @@ static void on_command_resp(const tunnel_result* result, void *ctx) { #endif delete_identity_from_instance(tnl_delete_id.identifier); - free_tunnel_delete_identity(&tnl_delete_id); + free_tunnel_identity_id(&tnl_delete_id); // should be the last line in this function as it calls the mutex/lock save_tunnel_status_to_file(); } @@ -1011,13 +1011,13 @@ static void broadcast_metrics(uv_timer_t *timer) { if (tnl_id->Active && tnl_id->Loaded && tnl_id->IdFileStatus) { active_identities = true; - tunnel_get_identity_metrics get_metrics = { + tunnel_identity_id get_metrics = { .identifier = tnl_id->Identifier, }; size_t json_len; tunnel_command tnl_cmd = { .command = TunnelCommand_GetMetrics, - .data = tunnel_get_identity_metrics_to_json(&get_metrics, MODEL_JSON_COMPACT, &json_len), + .data = tunnel_identity_id_to_json(&get_metrics, MODEL_JSON_COMPACT, &json_len), }; tunnel_command_inline *tnl_cmd_inline = alloc_tunnel_command_inline(); 
@@ -2438,6 +2438,46 @@ static void send_message_to_tunnel_fn(int argc, char *argv[]) { exit(result); } +// reusable parsing of a single required `-i` option +static char* get_identity_opt(int argc, char *argv[]) { + static struct option opts[] = { + {"identity", required_argument, NULL, 'i'}, + }; + int c, option_index, errors = 0; + optind = 0; + char *id = NULL; + while ((c = getopt_long(argc, argv, "i:", + opts, &option_index)) != -1) { + switch (c) { + case 'i': + id = optarg; + break; + default: { + fprintf(stderr, "Unknown option '%c'\n", c); + errors++; + break; + } + } + } + + if (id == NULL) { + fprintf(stderr, "-i option is required"); + errors++; + } + CHECK_COMMAND_ERRORS(errors); + return id; +} + +static int ext_auth_opts(int argc, char *argv[]) { + tunnel_identity_id id = { + .identifier = (char*)get_identity_opt(argc, argv), + }; + + cmd.command = TunnelCommands.ExternalAuth; + cmd.data = tunnel_identity_id_to_json(&id, MODEL_JSON_COMPACT, NULL); + return optind; +} + static int on_off_identity_opts(int argc, char *argv[]) { static struct option opts[] = { {"identity", required_argument, NULL, 'i'}, 
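Review bot: `fprintf(stderr, "-i option is required");` in the new `get_identity_opt` has no trailing newline, unlike the `"Unknown option '%c'\n"` message beside it, so the diagnostic runs into whatever `CHECK_COMMAND_ERRORS` prints next; use `fprintf(stderr, "-i option is required\n");`. `ext_auth_opts` selects its command with `TunnelCommands.ExternalAuth` while every sibling parser in this file uses the enum constant form (`TunnelCommand_EnableMFA`, `TunnelCommand_LoadIdentity`); `cmd.command = TunnelCommand_ExternalAuth;` keeps it consistent, and the `(char*)` cast on `get_identity_opt`'s result is a no-op since it already returns `char*`. A short comment on `get_identity_opt` noting that the returned pointer aliases `argv` (it is `optarg`, not a copy) and that the function resets `optind` would spare callers a surprise.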
@@ -2482,31 +2522,12 @@ static int on_off_identity_opts(int argc, char *argv[]) { } static int enable_identity_opts(int argc, char *argv[]) { - static struct option opts[] = { - {"identity", required_argument, NULL, 'i'}, - }; - int c, option_index, errors = 0; - optind = 0; - tunnel_load_identity load_identity_options = {0}; + tunnel_load_identity load_identity_options = { + .path = realpath(get_identity_opt(argc, argv), NULL), + }; cmd.command = TunnelCommand_LoadIdentity; - while ((c = getopt_long(argc, argv, "i:", - opts, &option_index)) != -1) { - switch (c) { - case 'i': - load_identity_options.path = realpath(optarg, NULL); - break; - default: { - fprintf(stderr, "Unknown option '%c'\n", c); - errors++; - break; - } - } - } - - CHECK_COMMAND_ERRORS(errors); - size_t json_len; cmd.data = tunnel_load_identity_to_json(&load_identity_options, MODEL_JSON_COMPACT, &json_len); free_tunnel_load_identity(&load_identity_options); @@ -2515,34 +2536,13 @@ static int enable_identity_opts(int argc, char *argv[]) { } static int enable_mfa_opts(int argc, char *argv[]) { - static struct option opts[] = { - {"identity", required_argument, NULL, 'i'}, + tunnel_identity_id id = { + .identifier = get_identity_opt(argc, argv), }; - int c, option_index, errors = 0; - optind = 0; - - tunnel_enable_mfa *enable_mfa_options = calloc(1, sizeof(tunnel_enable_mfa)); cmd.command = TunnelCommand_EnableMFA; - while ((c = getopt_long(argc, argv, "i:", - opts, &option_index)) != -1) { - switch (c) { - case 'i': - enable_mfa_options->identifier = optarg; - break; - default: { - fprintf(stderr, "Unknown option '%c'\n", c); - errors++; - break; - } - } - } - - CHECK_COMMAND_ERRORS(errors); - size_t json_len; - cmd.data = tunnel_enable_mfa_to_json(enable_mfa_options, MODEL_JSON_COMPACT, &json_len); - free(enable_mfa_options); + cmd.data = tunnel_identity_id_to_json(&id, MODEL_JSON_COMPACT, &json_len); return optind; } 
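Review bot: `.path = realpath(get_identity_opt(argc, argv), NULL)` in `enable_identity_opts` is NULL when the file does not exist or cannot be resolved, and the command is then sent with no path, so the user sees the daemon's generic invalid-config error instead of the local reason; check it before serializing, e.g. `if (load_identity_options.path == NULL) { fprintf(stderr, "cannot resolve identity path: %s\n", strerror(errno)); CHECK_COMMAND_ERRORS(1); }`, assuming `CHECK_COMMAND_ERRORS` aborts on a non-zero count as the other parsers rely on. This was already the behaviour before the refactor, but the new one-liner makes the unchecked result easier to miss. A comment noting that `free_tunnel_load_identity` releases the `realpath` allocation would also clarify ownership.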
@@ -2923,34 +2923,13 @@ static int get_status_opts(int argc, char *argv[]) { } static int delete_identity_opts(int argc, char *argv[]) { - static struct option opts[] = { - {"identity", required_argument, NULL, 'i'}, + tunnel_identity_id id = { + .identifier = get_identity_opt(argc, argv), }; - int c, option_index, errors = 0; - optind = 0; - - tunnel_delete_identity *delete_identity_options = calloc(1, sizeof(tunnel_delete_identity)); cmd.command = TunnelCommand_RemoveIdentity; - while ((c = getopt_long(argc, argv, "i:", - opts, &option_index)) != -1) { - switch (c) { - case 'i': - delete_identity_options->identifier = optarg; - break; - default: { - fprintf(stderr, "Unknown option '%c'\n", c); - errors++; - break; - } - } - } - - CHECK_COMMAND_ERRORS(errors); - size_t json_len; - cmd.data = tunnel_delete_identity_to_json(delete_identity_options, MODEL_JSON_COMPACT, &json_len); - free(delete_identity_options); + cmd.data = tunnel_identity_id_to_json(&id, MODEL_JSON_COMPACT, &json_len); return optind; } @@ -3063,6 +3042,12 @@ static CommandLine update_tun_ip_cmd = make_command("update_tun_ip", "Update tun static CommandLine ep_status_change_cmd = make_command("endpoint_sts_change", "send endpoint status change message to the tunneler", "[-w ] [-u ]", "\t-w|--wake\twake the tunneler\n" "\t-u|--unlock\tunlock the tunneler\n", endpoint_status_change_opts, send_message_to_tunnel_fn); +static CommandLine ext_auth_login = make_command( + "ext-jwt-login", + "login with ext JWT signer", "-i ", + "\t-i|--identity\tidentity to authenticate\n", + ext_auth_opts, send_message_to_tunnel_fn); + #if _WIN32 static CommandLine service_control_cmd = make_command("service_control", "execute service control functions for Ziti tunnel (required superuser access)", "-o|--operation