Add API for controlling proxy use when connecting to controller

plorenz · plorenz · commit 4e2cb3aa4bbf · 2025-01-22T00:21:21.000-05:00
diff --git a/edge-apis/clients.go b/edge-apis/clients.go
@@ -123,10 +123,12 @@ func (self *BaseClient[A]) Authenticate(credentials Credentials, configTypesOver
 }
 
 // initializeComponents assembles the lower level components necessary for the go-swagger/openapi facilities.
-func (self *BaseClient[A]) initializeComponents(apiUrls []*url.URL, caPool *x509.CertPool) {
-	components := NewComponents()
-	components.HttpTransport.TLSClientConfig.RootCAs = caPool
-	components.CaPool = caPool
+func (self *BaseClient[A]) initializeComponents(config *ApiClientConfig) {
+	components := NewComponentsWithConfig(&ComponentsConfig{
+		Proxy: config.Proxy,
+	})
+	components.HttpTransport.TLSClientConfig.RootCAs = config.CaPool
+	components.CaPool = config.CaPool
 
 	self.Components = *components
 }
@@ -205,6 +207,13 @@ type ManagementApiClient struct {
 	BaseClient[ZitiEdgeManagement]
 }
 
+type ApiClientConfig struct {
+	ApiUrls      []*url.URL
+	CaPool       *x509.CertPool
+	TotpCallback func(chan string)
+	Proxy        func(r *http.Request) (*url.URL, error)
+}
+
 // NewManagementApiClient will assemble an ManagementApiClient. The apiUrl should be the full URL
 // to the Edge Management API (e.g. `https://example.com/edge/management/v1`).
 //
@@ -217,16 +226,25 @@ type ManagementApiClient struct {
 // to obtain and verify the target controllers CAs. Tools should allow users to verify and accept new controllers
 // that have not been verified from an outside secret (such as an enrollment token).
 func NewManagementApiClient(apiUrls []*url.URL, caPool *x509.CertPool, totpCallback func(chan string)) *ManagementApiClient {
+	return NewManagementApiClientWithConfig(&ApiClientConfig{
+		ApiUrls:      apiUrls,
+		CaPool:       caPool,
+		TotpCallback: totpCallback,
+		Proxy:        http.ProxyFromEnvironment,
+	})
+}
+
+func NewManagementApiClientWithConfig(config *ApiClientConfig) *ManagementApiClient {
 	ret := &ManagementApiClient{}
 	ret.Schemes = rest_management_api_client.DefaultSchemes
 	ret.ApiBinding = "edge-management"
 	ret.ApiVersion = "v1"
-	ret.ApiUrls = apiUrls
-	ret.initializeComponents(apiUrls, caPool)
+	ret.ApiUrls = config.ApiUrls
+	ret.initializeComponents(config)
 
 	transportPool := NewClientTransportPoolRandom()
 
-	for _, apiUrl := range apiUrls {
+	for _, apiUrl := range config.ApiUrls {
 		newRuntime := NewRuntime(apiUrl, ret.Schemes, ret.Components.HttpClient)
 		newRuntime.DefaultAuthentication = ret
 		transportPool.Add(apiUrl, newRuntime)
@@ -235,7 +253,7 @@ func NewManagementApiClient(apiUrls []*url.URL, caPool *x509.CertPool, totpCallb
 	newApi := rest_management_api_client.New(transportPool, nil)
 	api := ZitiEdgeManagement{
 		ZitiEdgeManagement:  newApi,
-		TotpCallback:        totpCallback,
+		TotpCallback:        config.TotpCallback,
 		ClientTransportPool: transportPool,
 	}
 
@@ -261,17 +279,26 @@ type ClientApiClient struct {
 // to obtain and verify the target controllers CAs. Tools should allow users to verify and accept new controllers
 // that have not been verified from an outside secret (such as an enrollment token).
 func NewClientApiClient(apiUrls []*url.URL, caPool *x509.CertPool, totpCallback func(chan string)) *ClientApiClient {
+	return NewClientApiClientWithConfig(&ApiClientConfig{
+		ApiUrls:      apiUrls,
+		CaPool:       caPool,
+		TotpCallback: totpCallback,
+		Proxy:        http.ProxyFromEnvironment,
+	})
+}
+
+func NewClientApiClientWithConfig(config *ApiClientConfig) *ClientApiClient {
 	ret := &ClientApiClient{}
 	ret.ApiBinding = "edge-client"
 	ret.ApiVersion = "v1"
 	ret.Schemes = rest_client_api_client.DefaultSchemes
-	ret.ApiUrls = apiUrls
+	ret.ApiUrls = config.ApiUrls
 
-	ret.initializeComponents(apiUrls, caPool)
+	ret.initializeComponents(config)
 
 	transportPool := NewClientTransportPoolRandom()
 
-	for _, apiUrl := range apiUrls {
+	for _, apiUrl := range config.ApiUrls {
 		newRuntime := NewRuntime(apiUrl, ret.Schemes, ret.Components.HttpClient)
 		newRuntime.DefaultAuthentication = ret
 		transportPool.Add(apiUrl, newRuntime)
@@ -280,7 +307,7 @@ func NewClientApiClient(apiUrls []*url.URL, caPool *x509.CertPool, totpCallback
 	newApi := rest_client_api_client.New(transportPool, nil)
 	api := ZitiEdgeClient{
 		ZitiEdgeClient:      newApi,
-		TotpCallback:        totpCallback,
+		TotpCallback:        config.TotpCallback,
 		ClientTransportPool: transportPool,
 	}
 	ret.API = &api
diff --git a/edge-apis/component.go b/edge-apis/component.go
@@ -5,6 +5,7 @@ import (
 	"github.com/openziti/edge-api/rest_util"
 	"net/http"
 	"net/http/cookiejar"
+	"net/url"
 	"time"
 )
 
@@ -17,12 +18,22 @@ type Components struct {
 	CaPool        *x509.CertPool
 }
 
+type ComponentsConfig struct {
+	Proxy func(*http.Request) (*url.URL, error)
+}
+
 // NewComponents assembles a new set of components with reasonable production defaults.
 func NewComponents() *Components {
+	return NewComponentsWithConfig(&ComponentsConfig{
+		Proxy: http.ProxyFromEnvironment,
+	})
+}
+
+// NewComponentsWithConfig assembles a new set of components with reasonable production defaults.
+func NewComponentsWithConfig(cfg *ComponentsConfig) *Components {
 	tlsClientConfig, _ := rest_util.NewTlsConfig()
 
 	httpTransport := &http.Transport{
-		Proxy:                 http.ProxyFromEnvironment,
 		TLSClientConfig:       tlsClientConfig,
 		ForceAttemptHTTP2:     true,
 		MaxIdleConns:          10,
@@ -31,6 +42,10 @@ func NewComponents() *Components {
 		ExpectContinueTimeout: 1 * time.Second,
 	}
 
+	if cfg != nil && cfg.Proxy != nil {
+		httpTransport.Proxy = cfg.Proxy
+	}
+
 	jar, _ := cookiejar.New(nil)
 
 	httpClient := &http.Client{
diff --git a/version b/version
@@ -1 +1 @@
-0.23
+0.24
diff --git a/ziti/config.go b/ziti/config.go
@@ -23,6 +23,8 @@ import (
 	"github.com/openziti/identity"
 	apis "github.com/openziti/sdk-golang/edge-apis"
 	"github.com/pkg/errors"
+	"net/http"
+	"net/url"
 	"os"
 )
 
@@ -48,6 +50,10 @@ type Config struct {
 	//EnableHa will signal to the SDK to query and use OIDC authentication which is required for HA controller setups.
 	//This is a temporary feature flag that will be removed and "default to true" at a later date.
 	EnableHa bool `json:"enableHa"`
+
+	//Allows providing a function which controls how/where requests are proxied. See [http.Transport.Proxy] for
+	//more information
+	CtrlProxy func(*http.Request) (*url.URL, error)
 }
 
 // NewConfig will create a new Config object from a provided Ziti Edge Client API URL and identity configuration.
diff --git a/ziti/contexts.go b/ziti/contexts.go
@@ -115,8 +115,10 @@ func NewContextWithOpts(cfg *Config, options *Options) (Context, error) {
 		apiUrls = append(apiUrls, apiUrl)
 	}
 
-	newContext.CtrlClt = &CtrlClient{
-		ClientApiClient: edge_apis.NewClientApiClient(apiUrls, cfg.Credentials.GetCaPool(), func(codeCh chan string) {
+	apiClientConfig := &edge_apis.ApiClientConfig{
+		ApiUrls: apiUrls,
+		CaPool:  cfg.Credentials.GetCaPool(),
+		TotpCallback: func(codeCh chan string) {
 			provider := rest_model.MfaProvidersZiti
 
 			authQuery := &rest_model.AuthQueryDetail{
@@ -140,9 +142,14 @@ func NewContextWithOpts(cfg *Config, options *Options) (Context, error) {
 					return nil
 				})
 			}
-		}),
-		Credentials: cfg.Credentials,
-		ConfigTypes: cfg.ConfigTypes,
+		},
+		Proxy: cfg.CtrlProxy,
+	}
+
+	newContext.CtrlClt = &CtrlClient{
+		ClientApiClient: edge_apis.NewClientApiClientWithConfig(apiClientConfig),
+		Credentials:     cfg.Credentials,
+		ConfigTypes:     cfg.ConfigTypes,
 	}
 
 	newContext.CtrlClt.ClientApiClient.SetAllowOidcDynamicallyEnabled(cfg.EnableHa)
