fixes #699 allows UPDB enrollment via flags on generic Enroll func

example/go.mod

@@ -115,7 +115,7 @@ require (
 	go.opentelemetry.io/otel/trace v1.29.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/crypto v0.36.0 // indirect
-	golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect
+	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
 	golang.org/x/image v0.18.0 // indirect
 	golang.org/x/net v0.37.0 // indirect
 	golang.org/x/oauth2 v0.28.0 // indirect

example/go.sum

@@ -539,6 +539,7 @@ golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EH
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
 golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
+golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/image v0.0.0-20191009234506-e7c1f5e7dbb8/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=

example/influxdb-client-go/go.mod

@@ -52,7 +52,7 @@ require (
 	github.com/go-playground/validator/v10 v10.15.4 // indirect
 	github.com/go-resty/resty/v2 v2.16.5 // indirect
 	github.com/goccy/go-json v0.10.2 // indirect
-	github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/gomarkdown/markdown v0.0.0-20230922112808-5421fefb8386 // indirect
 	github.com/google/uuid v1.6.0 // indirect
@@ -131,7 +131,7 @@ require (
 	go.opentelemetry.io/otel/trace v1.29.0 // indirect
 	golang.org/x/arch v0.5.0 // indirect
 	golang.org/x/crypto v0.36.0 // indirect
-	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
+	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
 	golang.org/x/net v0.37.0 // indirect
 	golang.org/x/oauth2 v0.28.0 // indirect
 	golang.org/x/sync v0.12.0 // indirect

example/influxdb-client-go/go.sum

@@ -175,6 +175,7 @@ github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5x
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
 github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -601,6 +602,7 @@ golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EH
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
 golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g=
 golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqRShND87VCbxmc6bL1Yd2oYrm6k=
+golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=

go.mod

@@ -17,13 +17,13 @@ require (
 	github.com/michaelquigley/pfxlog v0.6.10
 	github.com/mitchellh/go-ps v1.0.0
 	github.com/mitchellh/mapstructure v1.5.0
-	github.com/openziti/channel/v3 v3.0.39
+	github.com/openziti/channel/v3 v3.0.37
 	github.com/openziti/edge-api v0.26.42
 	github.com/openziti/foundation/v2 v2.0.59
 	github.com/openziti/identity v1.0.100
 	github.com/openziti/metrics v1.3.0
 	github.com/openziti/secretstream v0.1.32
-	github.com/openziti/transport/v2 v2.0.167
+	github.com/openziti/transport/v2 v2.0.165
 	github.com/orcaman/concurrent-map/v2 v2.0.1
 	github.com/pkg/errors v0.9.1
 	github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475
@@ -32,7 +32,7 @@ require (
 	github.com/stretchr/testify v1.10.0
 	github.com/zitadel/oidc/v2 v2.12.2
 	go.mozilla.org/pkcs7 v0.9.0
-	golang.org/x/exp v0.0.0-20221031165847-c99f073a8326
+	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842
 	golang.org/x/oauth2 v0.28.0
 	golang.org/x/sys v0.31.0
 	google.golang.org/protobuf v1.36.5

go.sum

@@ -299,8 +299,8 @@ github.com/onsi/gomega v1.13.0 h1:7lLHu94wT9Ij0o6EWWclhu0aOh32VxhkwEJvzuWPeak=
 github.com/onsi/gomega v1.13.0/go.mod h1:lRk9szgn8TxENtWd0Tp4c3wjlRfMTMH27I+3Je41yGY=
 github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
-github.com/openziti/channel/v3 v3.0.39 h1:UM0iY0tbz4EbOVT3tX4mfN1wSAXxkkWIrKmQ7RhE/Hg=
-github.com/openziti/channel/v3 v3.0.39/go.mod h1:7k3mQhtWlgX0HaQBkllDTOH5WAf7DcyyMLqJXrL+/fI=
+github.com/openziti/channel/v3 v3.0.37 h1:PYZDODCM3daYyRB+p3/VOAZFYu7yXQ9ZosZDOAqzuvA=
+github.com/openziti/channel/v3 v3.0.37/go.mod h1:8Jkg4b+CO4WJifxy06SRkG5+dlpEiEJ+BUPA0rRk/To=
 github.com/openziti/edge-api v0.26.42 h1:Wi/BUttSUvedT9XGht7vi/zI/TNGc3ApvjkAviWhauA=
 github.com/openziti/edge-api v0.26.42/go.mod h1:sYHVpm26Jr1u7VooNJzTb2b2nGSlmCHMnbGC8XfWSng=
 github.com/openziti/foundation/v2 v2.0.59 h1:PJwrcTq62x+cONBeKMlnsuphsTlOvTz8j8prYnehm8o=
@@ -311,8 +311,8 @@ github.com/openziti/metrics v1.3.0 h1:oeythnUY2gs48MYM/HelAbJupfP/u81VYKMEwaGHeR
 github.com/openziti/metrics v1.3.0/go.mod h1:MOLcoTxhPNla6+NWUCMVTnl1PNqTU40qrbKVa/lVVgg=
 github.com/openziti/secretstream v0.1.32 h1:89/ZVcwIQjdVmWDfVRfMEChJJXTLXJ59AYBw5j646M4=
 github.com/openziti/secretstream v0.1.32/go.mod h1:8YaIbjyMwBeKQ7eOYcoVPKHT10u+4OVPXpnZAeDzC6o=
-github.com/openziti/transport/v2 v2.0.167 h1:KE2u04cPAO+Xx9eidcYMhAwoGccXZOVnqmhG7nWeuBo=
-github.com/openziti/transport/v2 v2.0.167/go.mod h1:RYom6Xjt8gZaCmL0t4FrIcM46RfvqDtoRSUixq8V+mI=
+github.com/openziti/transport/v2 v2.0.165 h1:/ks1HSN/+cN7gX1ajyK8TnqEKPvtOmAhOoM34FzA7h4=
+github.com/openziti/transport/v2 v2.0.165/go.mod h1:wgXqfcEeDKr+FIHhp4O4Q+FHT/2Q2WJK6ZsVWD8CY98=
 github.com/orcaman/concurrent-map/v2 v2.0.1 h1:jOJ5Pg2w1oeB6PeDurIYf6k9PQ+aTITr/6lP/L/zp6c=
 github.com/orcaman/concurrent-map/v2 v2.0.1/go.mod h1:9Eq3TG2oBe5FirmYWQfYO5iH1q0Jv47PLaNK++uCdOM=
 github.com/parallaxsecond/parsec-client-go v0.0.0-20221025095442-f0a77d263cf9 h1:mOvehYivJ4Aqu2CPe3D3lv8jhqOI9/1o0THxJHBE0qw=
@@ -430,8 +430,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0
 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
 golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
 golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
-golang.org/x/exp v0.0.0-20221031165847-c99f073a8326 h1:QfTh0HpN6hlw6D3vu8DAwC8pBIwikq0AI1evdm+FksE=
-golang.org/x/exp v0.0.0-20221031165847-c99f073a8326/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
+golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM=
+golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=

ziti/enroll/enroll.go

@@ -132,11 +132,13 @@ func ValidateToken(token *jwt.Token) (interface{}, error) {
 	return cert.PublicKey, nil
 }
 
-func EnrollUpdb(enFlags EnrollmentFlags) error {
+func EnrollUpdb(enFlags EnrollmentFlags) (string, error) {
 	caPool, allowedCerts := enFlags.GetCertPool()
 	ztApiRoot := enFlags.Token.Issuer
 
-	if err := enrollUpdb(enFlags.Username, enFlags.Password, enFlags.Token, caPool); err != nil {
+	resultUsername := ""
+	var err error
+	if resultUsername, err = enrollUpdb(enFlags.Username, enFlags.Password, enFlags.Token, caPool); err != nil {
 		pfxlog.Logger().Debug("fetching certificates from server")
 		rootCaPool := x509.NewCertPool()
 		rootCaPool.AddCert(enFlags.Token.SignatureCert)
@@ -146,14 +148,14 @@ func EnrollUpdb(enFlags EnrollmentFlags) error {
 			caPool.AddCert(xcert)
 		}
 
-		if err := enrollUpdb(enFlags.Username, enFlags.Password, enFlags.Token, caPool); err != nil {
-			return fmt.Errorf("unable to enroll after fetching server certs: %v", err)
+		if resultUsername, err = enrollUpdb(enFlags.Username, enFlags.Password, enFlags.Token, caPool); err != nil {
+			return "", fmt.Errorf("unable to enroll after fetching server certs: %v", err)
 		} else {
-			return nil
+			return resultUsername, nil
 		}
 	}
 
-	return nil
+	return resultUsername, nil
 }
 
 func Enroll(enFlags EnrollmentFlags) (*ziti.Config, error) {
@@ -164,47 +166,49 @@ func Enroll(enFlags EnrollmentFlags) (*ziti.Config, error) {
 		ZtAPI: edge_apis.ClientUrl(enFlags.Token.Issuer),
 	}
 
-	if strings.TrimSpace(enFlags.KeyFile) != "" {
-		stat, err := os.Stat(enFlags.KeyFile)
+	if enFlags.Token.EnrollmentMethod != "updb" {
+		if strings.TrimSpace(enFlags.KeyFile) != "" {
+			stat, err := os.Stat(enFlags.KeyFile)
 
-		if stat != nil && !os.IsNotExist(err) {
-			if stat.IsDir() {
-				return nil, errors.Errorf("specified key is a directory (%s)", enFlags.KeyFile)
-			}
+			if stat != nil && !os.IsNotExist(err) {
+				if stat.IsDir() {
+					return nil, errors.Errorf("specified key is a directory (%s)", enFlags.KeyFile)
+				}
+
+				if absPath, fileErr := filepath.Abs(enFlags.KeyFile); fileErr != nil {
+					return nil, fileErr
+				} else {
+					cfg.ID.Key = "file://" + absPath
+				}
 
-			if absPath, fileErr := filepath.Abs(enFlags.KeyFile); fileErr != nil {
-				return nil, fileErr
 			} else {
-				cfg.ID.Key = "file://" + absPath
+				cfg.ID.Key = enFlags.KeyFile
+				pfxlog.Logger().Infof("using engine : %s\n", strings.Split(enFlags.KeyFile, ":")[0])
 			}
-
 		} else {
-			cfg.ID.Key = enFlags.KeyFile
-			pfxlog.Logger().Infof("using engine : %s\n", strings.Split(enFlags.KeyFile, ":")[0])
-		}
-	} else {
-		var asnBytes []byte
-		var keyPem []byte
-		if enFlags.KeyAlg.EC() {
-			key, err = generateECKey()
-			asnBytes, _ := x509.MarshalECPrivateKey(key.(*ecdsa.PrivateKey))
-			keyPem = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: asnBytes})
-		} else if enFlags.KeyAlg.RSA() {
-			key, err = generateRSAKey()
-			asnBytes = x509.MarshalPKCS1PrivateKey(key.(*rsa.PrivateKey))
-			keyPem = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: asnBytes})
-		} else {
-			panic(fmt.Sprintf("invalid KeyAlg specified: %s", enFlags.KeyAlg.Get()))
-		}
-		cfg.ID.Key = "pem:" + string(keyPem)
-		if err != nil {
-			return nil, err
+			var asnBytes []byte
+			var keyPem []byte
+			if enFlags.KeyAlg.EC() {
+				key, err = generateECKey()
+				asnBytes, _ := x509.MarshalECPrivateKey(key.(*ecdsa.PrivateKey))
+				keyPem = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: asnBytes})
+			} else if enFlags.KeyAlg.RSA() {
+				key, err = generateRSAKey()
+				asnBytes = x509.MarshalPKCS1PrivateKey(key.(*rsa.PrivateKey))
+				keyPem = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: asnBytes})
+			} else {
+				panic(fmt.Sprintf("invalid KeyAlg specified: %s", enFlags.KeyAlg.Get()))
+			}
+			cfg.ID.Key = "pem:" + string(keyPem)
+			if err != nil {
+				return nil, err
+			}
 		}
-	}
 
-	if enFlags.CertFile != "" {
-		enFlags.CertFile, _ = filepath.Abs(enFlags.CertFile)
-		cfg.ID.Cert = "file://" + enFlags.CertFile
+		if enFlags.CertFile != "" {
+			enFlags.CertFile, _ = filepath.Abs(enFlags.CertFile)
+			cfg.ID.Cert = "file://" + enFlags.CertFile
+		}
 	}
 
 	caPool, allowedCerts := enFlags.GetCertPool()
@@ -225,6 +229,8 @@ func Enroll(enFlags EnrollmentFlags) (*ziti.Config, error) {
 		caPool.AddCert(cert)
 	}
 
+	resultUsername := ""
+
 	var enrollErr error
 	switch enFlags.Token.EnrollmentMethod {
 	case "ott":
@@ -233,6 +239,8 @@ func Enroll(enFlags EnrollmentFlags) (*ziti.Config, error) {
 		enrollErr = enrollCA(enFlags.Token, cfg, caPool)
 	case "ca":
 		enrollErr = enrollCAAuto(enFlags, cfg, caPool)
+	case "updb":
+		resultUsername, enrollErr = enrollUpdb(enFlags.Username, enFlags.Password, enFlags.Token, caPool)
 	default:
 		enrollErr = errors.Errorf("enrollment method '%s' is not supported", enFlags.Token.EnrollmentMethod)
 	}
@@ -253,7 +261,17 @@ func Enroll(enFlags EnrollmentFlags) (*ziti.Config, error) {
 		cfg.ID.CA = "pem:" + buf.String()
 	}
 
-	cfg.Credentials = edge_apis.NewIdentityCredentialsFromConfig(cfg.ID)
+	if enFlags.Token.EnrollmentMethod == "updb" {
+		cfg.Credentials = &edge_apis.UpdbCredentials{
+			BaseCredentials: edge_apis.BaseCredentials{
+				CaPool: caPool,
+			},
+			Username: resultUsername,
+			Password: enFlags.Password,
+		}
+	} else {
+		cfg.Credentials = edge_apis.NewIdentityCredentialsFromConfig(cfg.ID)
+	}
 
 	return cfg, nil
 }
@@ -281,7 +299,7 @@ func useSystemCasIfEmpty(caPool *x509.CertPool) *x509.CertPool {
 	}
 }
 
-func enrollUpdb(username, password string, token *ziti.EnrollmentClaims, caPool *x509.CertPool) error {
+func enrollUpdb(username, password string, token *ziti.EnrollmentClaims, caPool *x509.CertPool) (string, error) {
 	caPool = useSystemCasIfEmpty(caPool)
 	client := http.Client{
 		Transport: &http.Transport{
@@ -301,21 +319,25 @@ func enrollUpdb(username, password string, token *ziti.EnrollmentClaims, caPool
 
 	resp, err := client.Post(token.EnrolmentUrl(), "application/json", bytes.NewBuffer(body.EncodeJSON()))
 	if err != nil {
-		return err
+		return "", err
 	}
 
 	if resp.StatusCode == http.StatusOK {
-		return nil
+		respBody, _ := io.ReadAll(resp.Body)
+		if respContainer, err := gabs.ParseJSON(respBody); err == nil {
+			username = respContainer.Path("data.username").Data().(string)
+		}
+		return username, nil
 	}
 
 	respBody, _ := io.ReadAll(resp.Body)
 
 	if respContainer, err := gabs.ParseJSON(respBody); err == nil {
 		code := respContainer.Path("error.code").Data().(string)
 		message := respContainer.Path("error.message").Data().(string)
-		return errors.Errorf("enroll error: %s: %s: %s", resp.Status, code, message)
+		return "", errors.Errorf("enroll error: %s: %s: %s", resp.Status, code, message)
 	} else {
-		return errors.Errorf("enroll error: %s: %s", resp.Status, body)
+		return "", errors.Errorf("enroll error: %s: %s", resp.Status, body)
 	}
 }