fixes #699 allows UPDB enrollment via flags on generic Enroll func (#700)

* fixes #699 allows UPDB enrollment via flags on generic Enroll func

Author: andrewpmartinez

example/go.mod

@@ -115,15 +115,15 @@ require (
 	go.opentelemetry.io/otel/trace v1.29.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/crypto v0.36.0 // indirect
-	golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect
+	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
 	golang.org/x/image v0.18.0 // indirect
 	golang.org/x/net v0.37.0 // indirect
 	golang.org/x/oauth2 v0.28.0 // indirect
 	golang.org/x/sync v0.12.0 // indirect
 	golang.org/x/sys v0.31.0 // indirect
 	golang.org/x/term v0.30.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20231106174013-bbf56f31fb17 // indirect
-	google.golang.org/protobuf v1.36.5 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/go-jose/go-jose.v2 v2.6.3 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

example/go.sum

@@ -537,8 +537,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
-golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
+golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM=
+golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/image v0.0.0-20191009234506-e7c1f5e7dbb8/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
@@ -898,8 +898,8 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

example/influxdb-client-go/go.mod

@@ -52,7 +52,7 @@ require (
 	github.com/go-playground/validator/v10 v10.15.4 // indirect
 	github.com/go-resty/resty/v2 v2.16.5 // indirect
 	github.com/goccy/go-json v0.10.2 // indirect
-	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/gomarkdown/markdown v0.0.0-20230922112808-5421fefb8386 // indirect
 	github.com/google/uuid v1.6.0 // indirect
@@ -131,7 +131,7 @@ require (
 	go.opentelemetry.io/otel/trace v1.29.0 // indirect
 	golang.org/x/arch v0.5.0 // indirect
 	golang.org/x/crypto v0.36.0 // indirect
-	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
+	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
 	golang.org/x/net v0.37.0 // indirect
 	golang.org/x/oauth2 v0.28.0 // indirect
 	golang.org/x/sync v0.12.0 // indirect

example/influxdb-client-go/go.sum

@@ -175,6 +175,7 @@ github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5x
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
 github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -601,6 +602,7 @@ golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EH
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
 golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g=
 golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqRShND87VCbxmc6bL1Yd2oYrm6k=
+golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=

go.mod

@@ -32,10 +32,10 @@ require (
 	github.com/stretchr/testify v1.10.0
 	github.com/zitadel/oidc/v2 v2.12.2
 	go.mozilla.org/pkcs7 v0.9.0
-	golang.org/x/exp v0.0.0-20221031165847-c99f073a8326
+	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842
 	golang.org/x/oauth2 v0.28.0
 	golang.org/x/sys v0.31.0
-	google.golang.org/protobuf v1.36.5
+	google.golang.org/protobuf v1.36.6
 )
 
 require (

go.sum

@@ -430,8 +430,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/exp v0.0.0-20221031165847-c99f073a8326 h1:QfTh0HpN6hlw6D3vu8DAwC8pBIwikq0AI1evdm+FksE=
-golang.org/x/exp v0.0.0-20221031165847-c99f073a8326/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
+golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM=
+golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
@@ -768,8 +768,8 @@ google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGj
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
-google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

ziti/enroll/enroll.go

@@ -132,11 +132,13 @@ func ValidateToken(token *jwt.Token) (interface{}, error) {
 	return cert.PublicKey, nil
 }
 
-func EnrollUpdb(enFlags EnrollmentFlags) error {
+func EnrollUpdb(enFlags EnrollmentFlags) (string, error) {
 	caPool, allowedCerts := enFlags.GetCertPool()
 	ztApiRoot := enFlags.Token.Issuer
 
-	if err := enrollUpdb(enFlags.Username, enFlags.Password, enFlags.Token, caPool); err != nil {
+	resultUsername := ""
+	var err error
+	if resultUsername, err = enrollUpdb(enFlags.Username, enFlags.Password, enFlags.Token, caPool); err != nil {
 		pfxlog.Logger().Debug("fetching certificates from server")
 		rootCaPool := x509.NewCertPool()
 		rootCaPool.AddCert(enFlags.Token.SignatureCert)
@@ -146,14 +148,14 @@ func EnrollUpdb(enFlags EnrollmentFlags) error {
 			caPool.AddCert(xcert)
 		}
 
-		if err := enrollUpdb(enFlags.Username, enFlags.Password, enFlags.Token, caPool); err != nil {
-			return fmt.Errorf("unable to enroll after fetching server certs: %v", err)
+		if resultUsername, err = enrollUpdb(enFlags.Username, enFlags.Password, enFlags.Token, caPool); err != nil {
+			return "", fmt.Errorf("unable to enroll after fetching server certs: %v", err)
 		} else {
-			return nil
+			return resultUsername, nil
 		}
 	}
 
-	return nil
+	return resultUsername, nil
 }
 
 func Enroll(enFlags EnrollmentFlags) (*ziti.Config, error) {
@@ -164,47 +166,49 @@ func Enroll(enFlags EnrollmentFlags) (*ziti.Config, error) {
 		ZtAPI: edge_apis.ClientUrl(enFlags.Token.Issuer),
 	}
 
-	if strings.TrimSpace(enFlags.KeyFile) != "" {
-		stat, err := os.Stat(enFlags.KeyFile)
+	if enFlags.Token.EnrollmentMethod != "updb" {
+		if strings.TrimSpace(enFlags.KeyFile) != "" {
+			stat, err := os.Stat(enFlags.KeyFile)
 
-		if stat != nil && !os.IsNotExist(err) {
-			if stat.IsDir() {
-				return nil, errors.Errorf("specified key is a directory (%s)", enFlags.KeyFile)
-			}
+			if stat != nil && !os.IsNotExist(err) {
+				if stat.IsDir() {
+					return nil, errors.Errorf("specified key is a directory (%s)", enFlags.KeyFile)
+				}
+
+				if absPath, fileErr := filepath.Abs(enFlags.KeyFile); fileErr != nil {
+					return nil, fileErr
+				} else {
+					cfg.ID.Key = "file://" + absPath
+				}
 
-			if absPath, fileErr := filepath.Abs(enFlags.KeyFile); fileErr != nil {
-				return nil, fileErr
 			} else {
-				cfg.ID.Key = "file://" + absPath
+				cfg.ID.Key = enFlags.KeyFile
+				pfxlog.Logger().Infof("using engine : %s\n", strings.Split(enFlags.KeyFile, ":")[0])
 			}
-
 		} else {
-			cfg.ID.Key = enFlags.KeyFile
-			pfxlog.Logger().Infof("using engine : %s\n", strings.Split(enFlags.KeyFile, ":")[0])
-		}
-	} else {
-		var asnBytes []byte
-		var keyPem []byte
-		if enFlags.KeyAlg.EC() {
-			key, err = generateECKey()
-			asnBytes, _ := x509.MarshalECPrivateKey(key.(*ecdsa.PrivateKey))
-			keyPem = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: asnBytes})
-		} else if enFlags.KeyAlg.RSA() {
-			key, err = generateRSAKey()
-			asnBytes = x509.MarshalPKCS1PrivateKey(key.(*rsa.PrivateKey))
-			keyPem = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: asnBytes})
-		} else {
-			panic(fmt.Sprintf("invalid KeyAlg specified: %s", enFlags.KeyAlg.Get()))
-		}
-		cfg.ID.Key = "pem:" + string(keyPem)
-		if err != nil {
-			return nil, err
+			var asnBytes []byte
+			var keyPem []byte
+			if enFlags.KeyAlg.EC() {
+				key, err = generateECKey()
+				asnBytes, _ := x509.MarshalECPrivateKey(key.(*ecdsa.PrivateKey))
+				keyPem = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: asnBytes})
+			} else if enFlags.KeyAlg.RSA() {
+				key, err = generateRSAKey()
+				asnBytes = x509.MarshalPKCS1PrivateKey(key.(*rsa.PrivateKey))
+				keyPem = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: asnBytes})
+			} else {
+				panic(fmt.Sprintf("invalid KeyAlg specified: %s", enFlags.KeyAlg.Get()))
+			}
+			cfg.ID.Key = "pem:" + string(keyPem)
+			if err != nil {
+				return nil, err
+			}
 		}
-	}
 
-	if enFlags.CertFile != "" {
-		enFlags.CertFile, _ = filepath.Abs(enFlags.CertFile)
-		cfg.ID.Cert = "file://" + enFlags.CertFile
+		if enFlags.CertFile != "" {
+			enFlags.CertFile, _ = filepath.Abs(enFlags.CertFile)
+			cfg.ID.Cert = "file://" + enFlags.CertFile
+		}
 	}
 
 	caPool, allowedCerts := enFlags.GetCertPool()
@@ -225,6 +229,8 @@ func Enroll(enFlags EnrollmentFlags) (*ziti.Config, error) {
 		caPool.AddCert(cert)
 	}
 
+	resultUsername := ""
+
 	var enrollErr error
 	switch enFlags.Token.EnrollmentMethod {
 	case "ott":
@@ -233,6 +239,8 @@ func Enroll(enFlags EnrollmentFlags) (*ziti.Config, error) {
 		enrollErr = enrollCA(enFlags.Token, cfg, caPool)
 	case "ca":
 		enrollErr = enrollCAAuto(enFlags, cfg, caPool)
+	case "updb":
+		resultUsername, enrollErr = enrollUpdb(enFlags.Username, enFlags.Password, enFlags.Token, caPool)
 	default:
 		enrollErr = errors.Errorf("enrollment method '%s' is not supported", enFlags.Token.EnrollmentMethod)
 	}
@@ -253,7 +261,17 @@ func Enroll(enFlags EnrollmentFlags) (*ziti.Config, error) {
 		cfg.ID.CA = "pem:" + buf.String()
 	}
 
-	cfg.Credentials = edge_apis.NewIdentityCredentialsFromConfig(cfg.ID)
+	if enFlags.Token.EnrollmentMethod == "updb" {
+		cfg.Credentials = &edge_apis.UpdbCredentials{
+			BaseCredentials: edge_apis.BaseCredentials{
+				CaPool: caPool,
+			},
+			Username: resultUsername,
+			Password: enFlags.Password,
+		}
+	} else {
+		cfg.Credentials = edge_apis.NewIdentityCredentialsFromConfig(cfg.ID)
+	}
 
 	return cfg, nil
 }
@@ -281,7 +299,7 @@ func useSystemCasIfEmpty(caPool *x509.CertPool) *x509.CertPool {
 	}
 }
 
-func enrollUpdb(username, password string, token *ziti.EnrollmentClaims, caPool *x509.CertPool) error {
+func enrollUpdb(username, password string, token *ziti.EnrollmentClaims, caPool *x509.CertPool) (string, error) {
 	caPool = useSystemCasIfEmpty(caPool)
 	client := http.Client{
 		Transport: &http.Transport{
@@ -301,21 +319,25 @@ func enrollUpdb(username, password string, token *ziti.EnrollmentClaims, caPool
 
 	resp, err := client.Post(token.EnrolmentUrl(), "application/json", bytes.NewBuffer(body.EncodeJSON()))
 	if err != nil {
-		return err
+		return "", err
 	}
 
 	if resp.StatusCode == http.StatusOK {
-		return nil
+		respBody, _ := io.ReadAll(resp.Body)
+		if respContainer, err := gabs.ParseJSON(respBody); err == nil {
+			username = respContainer.Path("data.username").Data().(string)
+		}
+		return username, nil
 	}
 
 	respBody, _ := io.ReadAll(resp.Body)
 
 	if respContainer, err := gabs.ParseJSON(respBody); err == nil {
 		code := respContainer.Path("error.code").Data().(string)
 		message := respContainer.Path("error.message").Data().(string)
-		return errors.Errorf("enroll error: %s: %s: %s", resp.Status, code, message)
+		return "", errors.Errorf("enroll error: %s: %s: %s", resp.Status, code, message)
 	} else {
-		return errors.Errorf("enroll error: %s: %s", resp.Status, body)
+		return "", errors.Errorf("enroll error: %s: %s", resp.Status, body)
 	}
 }