From 090c6afacc06bf86898f682a86ab5ac729b6d12b Mon Sep 17 00:00:00 2001
From: Eugene K
Date: Tue, 19 Sep 2023 09:42:05 -0400
Subject: [PATCH 1/4] avoid launching concurrent /current-api-session requests

---
 inc_internal/zt_internal.h | 1 +
 library/ziti.c | 10 ++++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/inc_internal/zt_internal.h b/inc_internal/zt_internal.h
index f0d47047..e0829a2c 100644
--- a/inc_internal/zt_internal.h
+++ b/inc_internal/zt_internal.h
@@ -252,6 +252,7 @@ struct ziti_ctx {
 bool enabled;
 int ctrl_status;
+ bool active_session_request;
 ziti_api_session *api_session;
 uv_timeval64_t api_session_expires_at;
 ziti_api_session_state api_session_state;
diff --git a/library/ziti.c b/library/ziti.c
index f72ecdd4..4f88e9f8 100644
--- a/library/ziti.c
+++ b/library/ziti.c
@@ -866,8 +866,13 @@ static void api_session_refresh(uv_timer_t *t) {
 if (ztx->api_session_state == ZitiApiSessionStatePartiallyAuthenticated ||
 ztx->api_session_state == ZitiApiSessionStateFullyAuthenticated) {
 struct ziti_init_req *req = calloc(1, sizeof(struct ziti_init_req));
 req->ztx = ztx;
- ZTX_LOG(DEBUG, "api_session_refresh refreshing api session by querying controller");
- ziti_ctrl_current_api_session(&ztx->controller, api_session_cb, req);
+ if (ztx->active_session_request) {
+ ZTX_LOG(WARN, "active refresh request: skipping");
+ } else {
+ ztx->active_session_request = true;
+ ZTX_LOG(DEBUG, "api_session_refresh refreshing api session by querying controller");
+ ziti_ctrl_current_api_session(&ztx->controller, api_session_cb, req);
+ }
 } else {
 ZTX_LOG(DEBUG, "api_session_refresh refreshing api session skipped, waiting for api session state change");
 }
@@ -1541,6 +1546,7 @@ static void api_session_cb(ziti_api_session *session, const ziti_error *err, voi
 struct ziti_init_req *init_req = ctx;
 ziti_context ztx = init_req->ztx;
 ztx->loop_thread = uv_thread_self();
+ ztx->active_session_request = false;
 int errCode = err ? err->err : ZITI_OK;
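Review bot: The new `active_session_request` field in struct ziti_ctx carries no comment, so a reader of the header cannot tell that it is an in-flight guard rather than a state flag, nor who is responsible for clearing it. I would write `bool active_session_request; // true while a /current-api-session refresh launched by api_session_refresh is outstanding; cleared in api_session_cb`. Whether other callers of ziti_ctrl_current_api_session are expected to honour it is not decidable from this header. struct ziti_ctx starts and ends outside the hunk.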
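Review bot: In api_session_refresh `req` is calloc'd and filled before the `active_session_request` check, so on the skip branch the allocation is leaked on every timer tick while a refresh is outstanding. Move the two lines `struct ziti_init_req *req = calloc(1, sizeof(struct ziti_init_req));` and `req->ztx = ztx;` into the else branch, after `ztx->active_session_request = true;`, so nothing is allocated when the request is skipped. The flag only guards this timer path: the `ziti_ctrl_current_api_session(&ztx->controller, update_session_data, ztx)` call visible in session_post_auth_query_cb in patch 3 neither checks nor sets it, so concurrent /current-api-session requests remain possible from there. If ziti_ctrl_current_api_session can fail without ever invoking api_session_cb (not visible here), the flag would stay set and all further refreshes would be skipped, which is worth confirming. api_session_refresh begins and ends outside the hunk.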
From aa7fef7cdec43632cbe6f10a1fb461ee91c833fc Mon Sep 17 00:00:00 2001
From: Eugene K
Date: Tue, 19 Sep 2023 09:50:13 -0400
Subject: [PATCH 2/4] clear session key/cert when clearing api-session

---
 library/ziti.c | 42 ++++++++++++++++++++++++++++++++----------
 1 file changed, 32 insertions(+), 10 deletions(-)

diff --git a/library/ziti.c b/library/ziti.c
index 4f88e9f8..79f1ccfe 100644
--- a/library/ziti.c
+++ b/library/ziti.c
@@ -129,20 +129,15 @@ static int parse_getopt(const char *q, const char *opt, char *out, size_t maxout
 return ZITI_INVALID_CONFIG;
 }
-int load_tls(ziti_config *cfg, tls_context **ctx) {
+static int init_tls_from_config(tls_context *tls, ziti_config *cfg) {
 PREP(ziti);
- // load ca from ziti config if present
- const char *ca;
- size_t ca_len = parse_ref(cfg->id.ca, &ca);
- tls_context *tls = default_tls_context(ca, ca_len);
 tlsuv_private_key_t pk;
- if (cfg->id.key == NULL) {
- TRY(ziti, ("TLS key should be provided", ZITI_INVALID_CONFIG));
- }
+ TRY(ziti, cfg->id.key == NULL ? ZITI_INVALID_CONFIG : ZITI_OK);
 TRY(ziti, load_key_internal(tls, &pk, cfg->id.key));
+
 tls_cert c = NULL;
 if (cfg->id.cert) {
 const char *cert;
@@ -154,11 +149,27 @@ int load_tls(ziti_config *cfg, tls_context **ctx) {
 CATCH(ziti) {
 return ERR(ziti);
 }
-
- *ctx = tls;
 return ZITI_OK;
 }
+int load_tls(ziti_config *cfg, tls_context **ctx) {
+
+ // load ca from ziti config if present
+ const char *ca;
+ size_t ca_len = parse_ref(cfg->id.ca, &ca);
+ tls_context *tls = default_tls_context(ca, ca_len);
+
+ int rc = init_tls_from_config(tls, cfg);
+
+ if (rc == ZITI_OK) {
+ *ctx = tls;
+ } else {
+ tls->free_ctx(tls);
+ *ctx = NULL;
+ }
+ return rc;
+}
+
 int ziti_set_client_cert(ziti_context ztx, const char *cert_buf, size_t cert_len, const char *key_buf, size_t key_len) {
 tlsuv_private_key_t pk;
 tls_cert c;
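Review bot: The rewritten key check `TRY(ziti, cfg->id.key == NULL ? ZITI_INVALID_CONFIG : ZITI_OK);` drops the "TLS key should be provided" message that the removed `TRY(ziti, ("TLS key should be provided", ZITI_INVALID_CONFIG));` carried, so an identity file without a key now fails with a bare ZITI_INVALID_CONFIG and no hint which field is missing. I would keep the old three-line if-block, or log the reason before the TRY. The new static helper also deserves a header comment since it is now called from two places: `// load the identity key and cert from cfg into an existing tls context; used by load_tls and by ziti_set_unauthenticated to restore the config identity`. Whether load_key_internal tolerates a NULL tls argument is not visible here, so callers should not pass one. init_tls_from_config continues past the end of the hunk.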
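Review bot: The new load_tls passes the result of `default_tls_context(ca, ca_len)` straight into `init_tls_from_config(tls, cfg)` and, on the error path, into `tls->free_ctx(tls)` without checking it for NULL, so an allocation failure (if default_tls_context can report one; not visible here) becomes a NULL dereference inside the cleanup that this commit adds. A guard such as `if (tls == NULL) { *ctx = NULL; return ZITI_INVALID_CONFIG; }` before the init call closes that, with the error code chosen to match whatever the library uses for allocation failures. The function now also writes `*ctx = NULL` on failure where the old code left it untouched, which is a reasonable contract but should be stated: `// on failure the partially built context is released and *ctx is set to NULL`.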
@@ -264,6 +275,17 @@ void ziti_set_unauthenticated(ziti_context ztx) {
 FREE(ztx->api_session);
 ztx->api_session_state = ZitiApiSessionStateUnauthenticated;
+ if (ztx->sessionKey) {
+ init_tls_from_config(ztx->tlsCtx, &ztx->config);
+ if (ztx->sessonCert) {
+ ztx->tlsCtx->free_cert(&ztx->sessonCert);
+ ztx->sessonCert = NULL;
+ }
+
+ ztx->sessionKey->free(ztx->sessionKey);
+ ztx->sessionKey = NULL;
+ }
+
 ziti_ctrl_clear_api_session(&ztx->controller);
 }
From b799dab60cf281f8168714f614dfa816597eb2fa Mon Sep 17 00:00:00 2001
From: Eugene K
Date: Tue, 19 Sep 2023 09:51:02 -0400
Subject: [PATCH 3/4] disable using api-session certificates (for now)

---
 library/ziti.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/library/ziti.c b/library/ziti.c
index 79f1ccfe..3dba5ec7 100644
--- a/library/ziti.c
+++ b/library/ziti.c
@@ -1470,6 +1470,8 @@ static void session_post_auth_query_cb(ziti_context ztx, int status, void *ctx)
 ziti_ctrl_current_api_session(&ztx->controller, update_session_data, ztx);
 }
+ // disable this until we figure out expiration and rolling requirements
+#if ENABLE_SESSION_CERTIFICATES
 if (ztx->sessionKey == NULL) {
 char common_name[128];
 snprintf(common_name, sizeof(common_name), "%s-%u-%" PRIu64,
@@ -1487,6 +1489,7 @@ static void session_post_auth_query_cb(ziti_context ztx, int status, void *ctx)
 ziti_ctrl_create_api_certificate(&ztx->controller, ztx->sessionCsr, on_create_cert, ztx);
 }
+#endif
 ziti_services_refresh(ztx, true);

From 8897e18ab84253fd4790d38f67008d38db464418 Mon Sep 17 00:00:00 2001
From: Eugene K
Date: Tue, 19 Sep 2023 13:36:24 -0400
Subject: [PATCH 4/4] log level

---
 library/ziti.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/library/ziti.c b/library/ziti.c
index 3dba5ec7..30d9cf31 100644
--- a/library/ziti.c
+++ b/library/ziti.c
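Review bot: In ziti_set_unauthenticated the return value of `init_tls_from_config(ztx->tlsCtx, &ztx->config)` is discarded, so if restoring the identity key/cert from config fails the session key and cert are still freed, the TLS context is left in whatever state the failed reload produced, and nothing is logged; the next controller connection would then present an identity nobody checked. Capture and report it: `int rc = init_tls_from_config(ztx->tlsCtx, &ztx->config);` followed by `if (rc != ZITI_OK) { ZTX_LOG(WARN, "failed to restore identity key/cert from config: %d", rc); }` before the frees. The field spelling `sessonCert` next to `sessionKey` looks like a pre-existing typo in the struct; it is used consistently here so renaming is out of scope for this commit but worth a follow-up. Whether `sessionKey->free` scrubs the private key material before releasing it is not visible here and matters for a per-session key. ziti_set_unauthenticated begins outside the hunk.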
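Review bot: `#if ENABLE_SESSION_CERTIFICATES` relies on an undefined macro evaluating to 0 in the preprocessor; that does compile the block out, but it trips `-Wundef`, and a build that defines the macro with an empty value turns the `#if` into a preprocessor error rather than enabling the feature. `#ifdef ENABLE_SESSION_CERTIFICATES` (or `#if defined(ENABLE_SESSION_CERTIFICATES)`) expresses the toggle without those edges. With the block compiled out `ztx->sessionKey` is never set on this path, so the reset logic in ziti_set_unauthenticated from patch 2 only runs if something else sets it, which the comment could say: `// compiled out: no session key is created here, so ziti_set_unauthenticated's session-key reset is inert in this build`. The guarded block and session_post_auth_query_cb continue past the end of the hunk.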
@@ -889,7 +889,7 @@ static void api_session_refresh(uv_timer_t *t) {
 struct ziti_init_req *req = calloc(1, sizeof(struct ziti_init_req));
 req->ztx = ztx;
 if (ztx->active_session_request) {
- ZTX_LOG(WARN, "active refresh request: skipping");
+ ZTX_LOG(DEBUG, "active refresh request: skipping");
 } else {
 ztx->active_session_request = true;
 ZTX_LOG(DEBUG, "api_session_refresh refreshing api session by querying controller");