allow application to create ziti context without credentials and then query for external providers

Author: ekoby

ziti/client.go

@@ -25,6 +25,9 @@ import (
 	"crypto/x509/pkix"
 	"encoding/pem"
 	"fmt"
+	"strings"
+	"sync/atomic"
+
 	"github.com/go-openapi/strfmt"
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/google/uuid"
@@ -46,8 +49,6 @@ import (
 	"github.com/openziti/sdk-golang/ziti/edge/posture"
 	"github.com/openziti/transport/v2"
 	"github.com/pkg/errors"
-	"strings"
-	"sync/atomic"
 )
 
 // CtrlClient is a stateful version of ZitiEdgeClient that simplifies operations
@@ -69,6 +70,15 @@ type CtrlClient struct {
 	capabilitiesLoaded               atomic.Bool
 }
 
+func (self *CtrlClient) GetExternalSigners() (rest_model.ClientExternalJWTSignerList, error) {
+	response, err := self.API.ExternalJWTSigner.ListExternalJWTSigners(nil)
+	if err != nil {
+		return nil, err
+	}
+
+	return response.Payload.Data, nil
+}
+
 // GetCurrentApiSession returns the current cached ApiSession or nil
 func (self *CtrlClient) GetCurrentApiSession() apis.ApiSession {
 	return self.ClientApiClient.GetCurrentApiSession()
@@ -92,7 +102,7 @@ func (self *CtrlClient) Refresh() (apis.ApiSession, error) {
 }
 
 // IsServiceListUpdateAvailable will contact the controller to determine if a new set of services are available. Service
-// updates could entail gaining/losing services access via policy or runtime authorization revocation due to posture
+// updates could entail gaining/losing service access via policy or runtime authorization revocation due to posture
 // checks.
 func (self *CtrlClient) IsServiceListUpdateAvailable() (bool, *strfmt.DateTime, error) {
 	resp, err := self.API.CurrentAPISession.ListServiceUpdates(current_api_session.NewListServiceUpdatesParams(), self.GetCurrentApiSession())
@@ -104,7 +114,7 @@ func (self *CtrlClient) IsServiceListUpdateAvailable() (bool, *strfmt.DateTime,
 	return self.lastServiceUpdate == nil || !resp.Payload.Data.LastChangeAt.Equal(*self.lastServiceUpdate), resp.Payload.Data.LastChangeAt, nil
 }
 
-// Authenticate attempts to use authenticate, overwriting any existing ApiSession.
+// Authenticate attempts to authenticate, overwriting any existing ApiSession.
 func (self *CtrlClient) Authenticate() (apis.ApiSession, error) {
 	var err error
 

ziti/contexts.go

@@ -98,13 +98,9 @@ func NewContextWithOpts(cfg *Config, options *Options) (Context, error) {
 		newContext.maxDefaultConnections = 1
 	}
 
-	if cfg.ID.Cert != "" && cfg.ID.Key != "" {
-		idCredentials := edge_apis.NewIdentityCredentialsFromConfig(cfg.ID)
-		idCredentials.ConfigTypes = cfg.ConfigTypes
-		cfg.Credentials = idCredentials
-	} else if cfg.Credentials == nil {
-		return nil, errors.New("either cfg.ID or cfg.Credentials must be provided")
-	}
+	idCredentials := edge_apis.NewIdentityCredentialsFromConfig(cfg.ID)
+	idCredentials.ConfigTypes = cfg.ConfigTypes
+	cfg.Credentials = idCredentials
 
 	var apiStrs []string
 	if len(cfg.ZtAPIs) > 0 {

ziti/ziti.go

@@ -88,6 +88,10 @@ type Context interface {
 	// creation.
 	Authenticate() error
 
+	// GetExternalSigners retrieves a list of external JWT signers with their details.
+	// Returns an error if the operation fails.
+	GetExternalSigners() ([]*rest_model.ClientExternalJWTSignerDetail, error)
+
 	// SetCredentials sets the credentials used to authenticate against the Edge Client API.
 	SetCredentials(authenticator apis.Credentials)
 
@@ -107,17 +111,17 @@ type Context interface {
 	// DialWithOptions performs the same logic as Dial but allows specification of DialOptions.
 	DialWithOptions(serviceName string, options *DialOptions) (edge.Conn, error)
 
-	// DialAddr finds the service for given address and performs a Dial for it.
+	// DialAddr finds the service for a given address and performs a Dial for it.
 	DialAddr(network string, addr string) (edge.Conn, error)
 
 	// Listen attempts to host a service by the given service name;  authenticating as necessary in order to obtain
 	// a service session, attach to Edge Routers, and bind (host) the service.
 	Listen(serviceName string) (edge.Listener, error)
 
-	// ListenWithOptions performs the same logic as Listen, but allows the specification of ListenOptions.
+	// ListenWithOptions performs the same logic as Listen but allows the specification of ListenOptions.
 	ListenWithOptions(serviceName string, options *ListenOptions) (edge.Listener, error)
 
-	// GetServiceId will return the id of a specific service by service name. If not found, false, will be returned
+	// GetServiceId will return the id of a specific service by service name. If not found, false will be returned
 	// with an empty string.
 	GetServiceId(serviceName string) (string, bool, error)
 
@@ -128,15 +132,15 @@ type Context interface {
 	// GetService will return the service details of a specific service by service name.
 	GetService(serviceName string) (*rest_model.ServiceDetail, bool)
 
-	// GetServiceForAddr finds the service with intercept that matches best to given address
+	// GetServiceForAddr finds the service with intercept that matches best to the given address
 	GetServiceForAddr(network, hostname string, port uint16) (*rest_model.ServiceDetail, int, error)
 
 	// RefreshServices forces the context to refresh the list of services the current authenticating identity has access
 	// to.
 	RefreshServices() error
 
 	// RefreshService forces the context to refresh just the service with the given name. If the given service isn't
-	// found, a nil will be returned
+	// found, nil will be returned
 	RefreshService(serviceName string) (*rest_model.ServiceDetail, error)
 
 	// GetServiceTerminators will return a slice of rest_model.TerminatorClientDetail for a specific service name.
@@ -668,6 +672,11 @@ func (context *ContextImpl) refreshSessions() {
 	}
 }
 
+func (context *ContextImpl) GetExternalSigners() ([]*rest_model.ClientExternalJWTSignerDetail, error) {
+	result, err := context.CtrlClt.GetExternalSigners()
+	return result, err
+}
+
 func (context *ContextImpl) RefreshServices() error {
 	return context.refreshServices(true, false)
 }