
edge's Introduction

Status: Archived

The code from this repository has been merged into the main OpenZiti repository.

To report issues or work with current code, please refer to that project.


edge's People

Contributors

andrewpmartinez, camotts, dariuszski, dependabot-preview[bot], dependabot[bot], dovholuknf, ekoby, gberl002, michaelquigley, plorenz, potto007, rentallect, sabedevops, scareything, ziti-ci


edge's Issues

Authenticating w/ invalid username causes 500 internal server error

Run
ziti edge controller login localhost:1280 -u admin1 -p admin -c etc/ca/intermediate/certs/intermediate.cert.pem

Get:

error: unable to authenticate to https://localhost:1280. Status code: 500 Internal Server Error, Server returned: {"error":{"args":{"cause":{},"urlVars":{}},"cause":{},"causeMessage":"could not cast from \u003cnil\u003e to authenticator","code":"UNHANDLED","message":"An unhandled error occurred","requestId":"b1a87bc4-e1d5-4ae5-852e-9e16ba7e67af"},"meta":{"apiEnrolmentVersion":"0.0.1","apiVersion":"0.0.1"}}

Enrolling a transit router results in an error

  1. create tx router
  2. enroll tx router
  3. observe errors during list/connect
{"error":{"args":{"cause":{},"urlVars":{}},"cause":{},"causeMessage":"expected enrollment not found for unverified transit router ecffe062-50f4-4683-bba8-b870ae46b1a7","code":"UNHANDLED","message":"An unhandled error occurred","requestId":"9ec55d75-1268-4451-a9da-f097335c9e08"},"meta":{"apiEnrolmentVersion":"0.0.1","apiVersion":"0.0.1"}}
{u'meta': {u'apiEnrolmentVersion': u'0.0.1', u'apiVersion': u'0.0.1'}, u'error': {u'code': u'UNHANDLED', u'args': {u'cause': {}, u'urlVars': {}}, u'requestId': u'9ec55d75-1268-4451-a9da-f097335c9e08', u'causeMessage': u'expected enrollment not found for unverified transit router ecffe062-50f4-4683-bba8-b870ae46b1a7', u'cause': {}, u'message': u'An unhandled error occurred'}}

Verify router exists before creating service

Right now if you refer to a router that does not exist the service is created without complaint. This can lead to this error in the edge router:

authentication failure: (missing egress)

controller /version endpoint does not return useful info

HTTP/1.1 200 OK
Content-Type: application/json
Ziti-Version: 0.0.0/unknown/0.0.1
Date: Tue, 21 Jan 2020 17:45:16 GMT
Content-Length: 109

{"meta":{},"data":{"buildDate":"unknown","revision":"unknown","runtimeVersion":"go1.13.4","version":"0.0.0"}}

Support tracking sdkInfo/envInfo from SDKs

SDKs can optionally send anonymous sdk info and environment info (versions, OS, etc.). This information needs to be externally digestible/reportable.

  1. Support in REST API for UIs
  2. Support for external logging/reporting

Item 1 can be handled within the Edge. Item 2 will most likely require fabric support for a unified approach.

This was previously handled by the event_log construct which has fallen out of use.

Add policy advisor API

API should be able help diagnose policy problems.

  • iterate across all identities. See if they have access to services but no routers for those services.
  • Given a specific identity and service, show if they should be able to dial/bind it, and if not, why not.
  • Iterate across routers, and ensure that something is able to use them.
  • Given two entities that are linked, show via which policies they are linked

Edge Router reporting wrong version

During edge router hello to controller the following error message is output by the controller:

INFO github.com/netfoundry/ziti-edge/controller/env.(*Broker).sendHello: edge router connecting with version [unknown] to controller with version [v0.9.0]

The version "[unknown]" should be set to the build version.

Create edge-router-policy entity type to replace clusters for determining edge router access

Currently clusters dictate which edge routers may be used by which services.

Edge router policies will instead link identities and edge routers. Identities and edge routers may have role tags defined on them, and edge router policies can be tied to identities and edge routers by both role tags and ids.

Edge routers can still be limited by services by specifying an edge router ids/role tags on the service directly.

If a service doesn't specify edge routers, all edge routers accessible to the identity dialing/binding the service will be available; otherwise it will be the intersection of the edge routers available to the service and the edge routers available to the identity.
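The rule in the last two paragraphs (identity-side policy set, optionally intersected with a service-side restriction) as a small Go program. This is an added example and not code from the edge repository; the types, the selector convention ("@all" matches everything, "@<id>" matches by id, "#<tag>" matches a role tag) and the sample routers, policies and identities are all assumptions constructed for the illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Hypothetical types modelling the scheme described in the issue; these are
// not the project's own types.
type Identity struct {
	ID    string
	Roles []string
}

type EdgeRouter struct {
	ID    string
	Roles []string
}

// EdgeRouterPolicy links identities to edge routers; both sides are selectors.
type EdgeRouterPolicy struct {
	IdentityRoles   []string
	EdgeRouterRoles []string
}

// Service may optionally restrict which edge routers can carry it.
type Service struct {
	Name            string
	EdgeRouterRoles []string // empty means "no restriction"
}

// selected reports whether an entity with the given id and role tags is
// matched by any selector. Assumed convention: "@all", "@<id>", "#<tag>".
func selected(selectors []string, id string, roles []string) bool {
	for _, sel := range selectors {
		switch {
		case sel == "@all":
			return true
		case strings.HasPrefix(sel, "@"):
			if sel[1:] == id {
				return true
			}
		case strings.HasPrefix(sel, "#"):
			for _, r := range roles {
				if r == sel[1:] {
					return true
				}
			}
		}
	}
	return false
}

// RoutersForIdentity returns the ids of every edge router reachable through
// at least one policy that also selects the identity (union over policies).
func RoutersForIdentity(identity Identity, policies []EdgeRouterPolicy, routers []EdgeRouter) map[string]bool {
	out := map[string]bool{}
	for _, p := range policies {
		if !selected(p.IdentityRoles, identity.ID, identity.Roles) {
			continue
		}
		for _, r := range routers {
			if selected(p.EdgeRouterRoles, r.ID, r.Roles) {
				out[r.ID] = true
			}
		}
	}
	return out
}

// RoutersForDial implements the rule in the issue: with no restriction on the
// service, everything the identity can reach is usable; otherwise only the
// intersection of the identity's routers and the service's routers.
func RoutersForDial(identity Identity, svc Service, policies []EdgeRouterPolicy, routers []EdgeRouter) []string {
	allowed := RoutersForIdentity(identity, policies, routers)
	var ids []string
	for _, r := range routers {
		if !allowed[r.ID] {
			continue
		}
		if len(svc.EdgeRouterRoles) > 0 && !selected(svc.EdgeRouterRoles, r.ID, r.Roles) {
			continue
		}
		ids = append(ids, r.ID)
	}
	sort.Strings(ids)
	return ids
}

// Constructed sample data (not from the page).
var (
	sampleRouters = []EdgeRouter{
		{ID: "r1", Roles: []string{"us"}},
		{ID: "r2", Roles: []string{"us", "eu"}},
		{ID: "r3", Roles: []string{"eu"}},
	}
	samplePolicies = []EdgeRouterPolicy{
		{IdentityRoles: []string{"#sales"}, EdgeRouterRoles: []string{"#us"}},
		{IdentityRoles: []string{"@ops-1"}, EdgeRouterRoles: []string{"@all"}},
	}
	salesIdentity = Identity{ID: "alice", Roles: []string{"sales"}}
	opsIdentity   = Identity{ID: "ops-1"}
)

func main() {
	unrestricted := Service{Name: "ssh"}
	euOnly := Service{Name: "ssh-eu", EdgeRouterRoles: []string{"#eu"}}
	fmt.Println(RoutersForDial(salesIdentity, unrestricted, samplePolicies, sampleRouters)) // [r1 r2]
	fmt.Println(RoutersForDial(salesIdentity, euOnly, samplePolicies, sampleRouters))       // [r2]
	fmt.Println(RoutersForDial(opsIdentity, euOnly, samplePolicies, sampleRouters))         // [r2 r3]
}
```

The service-side restriction can only narrow the set an identity already has; it never grants a router the identity's policies do not reach, which is the least-privilege property the intersection rule gives you.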

Disconnecting a hosted service produces "send on closed channel"

Today using the sample-host I ran a host and a client:

ziti edge controller create service sdk-hosted-svc localhost 10000 --hosted
ziti edge controller create service-policy bind-all Bind --service-roles '@all' --identity-roles '@all'
sample-host.exe server identity.json sdk-hosted-svc
sample-host.exe client identity.json sdk-hosted-svc

Stop the server and observe:

[ 120.557]    INFO github.com/netfoundry/ziti-edge/gateway/xgress_edge.(*localMessageSink).close [ch{edge}->u{classic}->i{Ab4X}]: {connId=[0]} closing message sink, reason: underlying channel closing
[ 120.557] WARNING github.com/netfoundry/ziti-edge/gateway/xgress_edge.(*localMessageSink).close [ch{edge}->u{classic}->i{Ab4X}]: {connId=[0] error=[channel closed]} unable to send close msg to edge client

Start the server again and then disconnect the client.

Observe this in the logs over and over:

[ 165.371]   ERROR github.com/netfoundry/ziti-fabric/xgress.(*PayloadBuffer).ReceiveAcknowledgement.func1 [s/AbjA]: send on closed channel
[ 170.373]   ERROR github.com/netfoundry/ziti-fabric/xgress.(*PayloadBuffer).ReceiveAcknowledgement.func1 [s/AbjA]: send on closed channel
[ 175.373]   ERROR github.com/netfoundry/ziti-fabric/xgress.(*PayloadBuffer).ReceiveAcknowledgement.func1 [s/AbjA]: send on closed channel
...

Allow linking config to services by configurable type

  • Add new configurables field to identity, to indicate which configurables the identity should receive
  • Add configurable -> configId mapping on service

When an identity retrieves services they should receive the configuration data for mapped configurables.

So given

  • config entry with id = "1" and data { dnsHostname: "ssh", port: 22 }
  • identity A has configurables = ["ziti-tunneler"]
  • service ssh has configMappings { "ziti-tunneler" : 1 }

Then when identity A lists that service, it should have the following included in the S1 data

    "config" : {
        "ziti-tunneler" : {
            "dnsHostname" : "ssh",
            "port" : 22
        }
    }
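The config resolution described above, worked through in Go. This is an added example rather than the project's own code; the type names, the decision to report a mapping that points at a missing config id as an error (instead of dropping it silently), and the sample config, service and identities are assumptions constructed to mirror the scenario in the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical types for the scheme in the issue (not the project's own).
type Config struct {
	ID   string
	Data map[string]interface{}
}

type Identity struct {
	ID            string
	Configurables []string // configurable types this identity understands
}

type Service struct {
	Name           string
	ConfigMappings map[string]string // configurable type -> config id
}

// ResolveServiceConfig builds the "config" block an identity should see when it
// lists the service: one entry per configurable type that the identity declares
// AND the service maps. A mapping to an unknown config id is reported as an
// error (an assumption of this example) so a broken mapping is not hidden.
func ResolveServiceConfig(identity Identity, svc Service, configs map[string]Config) (map[string]map[string]interface{}, error) {
	out := map[string]map[string]interface{}{}
	for _, configurable := range identity.Configurables {
		configID, mapped := svc.ConfigMappings[configurable]
		if !mapped {
			continue // the service has nothing for this configurable type
		}
		cfg, ok := configs[configID]
		if !ok {
			return nil, fmt.Errorf("service %q maps %q to unknown config id %q", svc.Name, configurable, configID)
		}
		// Copy the data so a caller cannot mutate the stored config via the result.
		data := make(map[string]interface{}, len(cfg.Data))
		for k, v := range cfg.Data {
			data[k] = v
		}
		out[configurable] = data
	}
	return out, nil
}

// Constructed sample data matching the issue's scenario.
var (
	sampleConfigs = map[string]Config{
		"1": {ID: "1", Data: map[string]interface{}{"dnsHostname": "ssh", "port": 22}},
	}
	sshService = Service{Name: "ssh", ConfigMappings: map[string]string{"ziti-tunneler": "1"}}
	identityA  = Identity{ID: "A", Configurables: []string{"ziti-tunneler"}}
	identityB  = Identity{ID: "B", Configurables: []string{"other-client"}}
)

func main() {
	cfg, err := ResolveServiceConfig(identityA, sshService, sampleConfigs)
	if err != nil {
		panic(err)
	}
	js, _ := json.MarshalIndent(map[string]interface{}{"config": cfg}, "", "    ")
	fmt.Println(string(js))
}
```

Identity B, which only declares a configurable type the service does not map, gets an empty config block for the same service, which is the behaviour the issue asks for: configuration is only delivered to identities that declared they can consume it.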

Move identity specific /services to /current-identity/services

The /services endpoint serves two usages:

  1. admins see all services
  2. non-admins see services that policies allow

The second use case should be moved to /current-identity/services like all other "current identity" scoped endpoints (authenticators, sessions, etc.)

The first should be the admin use case only.

lookup router via id or name

Right now the router id must be used when creating services. It'd be more friendly to use the provided input as an id first and, if not found by id, then to look up a router with the same name. If only one router matches, use the id of the provided router and log output stating that it was found by name, not id.
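The lookup rule from this issue as a Go function, with the ambiguous case (several routers sharing a name) handled explicitly. This is an added example, not the project's own resolver; the Router type, the LookupError type and the sample router list are assumptions constructed for the illustration.

```go
package main

import (
	"fmt"
	"log"
)

// Router is a hypothetical minimal record; not the project's own type.
type Router struct {
	ID   string
	Name string
}

// LookupError distinguishes "nothing matched" from "the name is ambiguous".
type LookupError struct {
	Input   string
	Matches int
}

func (e *LookupError) Error() string {
	if e.Matches == 0 {
		return fmt.Sprintf("no router with id or name %q", e.Input)
	}
	return fmt.Sprintf("%d routers are named %q; specify an id instead", e.Matches, e.Input)
}

// ResolveRouterID applies the rule in the issue: treat the input as an id
// first; if nothing matches, fall back to an exact name match and accept it
// only when it is unique. The second return value reports whether the name
// fallback was used so the caller can log that fact.
func ResolveRouterID(input string, routers []Router) (string, bool, error) {
	for _, r := range routers {
		if r.ID == input {
			return r.ID, false, nil
		}
	}
	var matches []Router
	for _, r := range routers {
		if r.Name == input {
			matches = append(matches, r)
		}
	}
	if len(matches) != 1 {
		return "", false, &LookupError{Input: input, Matches: len(matches)}
	}
	return matches[0].ID, true, nil
}

// Constructed sample routers; "dup" is deliberately used twice.
var sampleRouters = []Router{
	{ID: "r-1", Name: "west"},
	{ID: "r-2", Name: "east"},
	{ID: "r-3", Name: "dup"},
	{ID: "r-4", Name: "dup"},
}

func main() {
	for _, in := range []string{"r-1", "east", "dup", "nope"} {
		id, byName, err := ResolveRouterID(in, sampleRouters)
		switch {
		case err != nil:
			log.Printf("create service: %v", err)
		case byName:
			log.Printf("router %q not found by id; resolved by name to id %s", in, id)
		default:
			log.Printf("router %s found by id", id)
		}
	}
}
```

Refusing an ambiguous name rather than picking the first match keeps the behaviour deterministic, and it also closes off the case where a later router with a duplicated name silently takes over a service that was created by name.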

Edge API consistency

In the new service model, services have permissions:
permissions: [Bind, Dial].
To request a new session we should use the same terminology, like this:
{ serviceId: 000-00-00, type: Dial }

instead of hosting: true

Server Generation From Open API 2.0

Generate server and client-side clients within ziti-edge for use within the ziti-edge code base.

Client: should be exportable for external use
Server: should be used to serve the API

Investigate why we're allowing session create with no edge routers

In session_model we check if we have access to any edge routers. If we don't we return an error.

In session_api_model, we get the list of online edge routers, but don't return an error if the list is empty.

So if you have access to at least one edge router, but they all happen to be offline, you'll get back an empty list. Is this the desired behavior?

Error when no edge routers can be found for new session isn't translated to api error

from session_model.go

	maxRows := 1
	result, err := handler.GetEnv().GetHandlers().EdgeRouter.ListForIdentityAndServiceWithTx(tx, apiSession.IdentityId, entity.ServiceId, &maxRows)
	if err != nil {
		return nil, err
	}
	if result.Count < 1 {
		return nil, errors.New("no edge routers available")
		// TODO: translate to model error
		//return nil, &response.ApiError{
		//	Code:           response.NoEdgeRoutersAvailableCode,
		//	Message:        response.NoEdgeRoutersAvailableMessage,
		//	HttpStatusCode: http.StatusConflict,
		//}
	}
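One way to carry out the TODO in the snippet, shown as an added Go example that is not the project's code: a typed model error that already knows the HTTP status it maps to, and a classifier that turns any untyped error into the generic 500/UNHANDLED response seen elsewhere on this page. The ApiError type, the constant names and messages, and the JSON envelope written by WriteError are assumptions; the real names live in the project's response package.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
)

// ApiError is a hypothetical model-level error carrying the HTTP status it
// should be rendered with; it stands in for the commented-out response.ApiError.
type ApiError struct {
	Code           string
	Message        string
	HttpStatusCode int
}

func (e *ApiError) Error() string { return e.Code + ": " + e.Message }

// Placeholder code and message (assumed, not the project's values).
const (
	NoEdgeRoutersAvailableCode    = "NO_EDGE_ROUTERS_AVAILABLE"
	NoEdgeRoutersAvailableMessage = "no edge routers are available for this service"
)

// CheckEdgeRouters mirrors the count check in the issue but returns the typed
// error instead of errors.New, so the API layer can translate it.
func CheckEdgeRouters(count int) error {
	if count < 1 {
		return &ApiError{
			Code:           NoEdgeRoutersAvailableCode,
			Message:        NoEdgeRoutersAvailableMessage,
			HttpStatusCode: http.StatusConflict,
		}
	}
	return nil
}

// Classify maps an error to (status, code). Typed errors keep their status and
// code; anything else becomes the 500/UNHANDLED pair the issue complains about.
func Classify(err error) (int, string) {
	var apiErr *ApiError
	if errors.As(err, &apiErr) {
		return apiErr.HttpStatusCode, apiErr.Code
	}
	return http.StatusInternalServerError, "UNHANDLED"
}

// WriteError renders the error envelope. Only the typed error's message is
// exposed; an untyped internal error is reported with a generic message so
// internal detail (like the "could not cast" text on this page) is not leaked.
func WriteError(w http.ResponseWriter, err error) {
	status, code := Classify(err)
	msg := "An unhandled error occurred"
	var apiErr *ApiError
	if errors.As(err, &apiErr) {
		msg = apiErr.Message
	}
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	_ = json.NewEncoder(w).Encode(map[string]interface{}{
		"error": map[string]string{"code": code, "message": msg},
		"meta":  map[string]string{},
	})
}

func main() {
	status, code := Classify(CheckEdgeRouters(0))
	fmt.Println(status, code) // 409 NO_EDGE_ROUTERS_AVAILABLE
	status, code = Classify(errors.New("no edge routers available"))
	fmt.Println(status, code) // 500 UNHANDLED
}
```

Using errors.As rather than a direct type assertion means the translation still works if a caller wraps the model error with additional context on the way up.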

Add policy related API which bridge entities

Currently we have entity -> policy and policy -> entity lists. We need to add entity -> entity list APIs.

So currently you can list services linked to service policies and service policies linked to service, but you can't list identities linked to services and vice versa. Need to fix that.

/network-sessions API inconsistency

POST returns the following

{
  "meta": {},
  "data": {
    "_links": {
      "self": {
        "href": "./network-sessions/3cb13415-e376-42ba-b7ea-8342bce05e2c"
      }
    },
    "gateways": [
      {
        "hostname": "demo.ziti.netfoundry.io:3022",
        "name": "azure1",
        "urls": {
          "tls": "tls://demo.ziti.netfoundry.io:3022"
        }
      }
    ],
    "hosting": false,
    "id": "3cb13415-e376-42ba-b7ea-8342bce05e2c",
    "token": "bc0d1565-bf17-4ea9-945c-25adc50dd447"
  }
}

GET /network-sessions/3cb13415-e376-42ba-b7ea-8342bce05e2c returns something like this:

{
    "data": {
        "_links": {
            "self": {
                "href": "./network-sessions/3cb13415-e376-42ba-b7ea-8342bce05e2c"
            }
        }, 
        "createdAt": "2019-12-26T18:25:02.929708Z", 
        "edgeRouters": [
            {
                "hostname": "demo.ziti.netfoundry.io:3022", 
                "name": "azure1", 
                "urls": {
                    "tls": "tls://demo.ziti.netfoundry.io:3022"
                }
            }
        ], 
        "hosting": false, 
        "id": "3cb13415-e376-42ba-b7ea-8342bce05e2c", 
        "service": {
            "_links": {
                "self": {
                    "href": "./services/7a2e510a-4946-41e3-a52e-b3b47cb3956b"
                }
            }, 
            "entity": "", 
            "id": "7a2e510a-4946-41e3-a52e-b3b47cb3956b", 
            "name": "wttr.in"
        }, 
        "session": {
            "_links": {
                "self": {
                    "href": "./sessions/0272b759-de53-4d65-85f4-da0867b8e11b"
                }
            }, 
            "entity": "", 
            "id": "0272b759-de53-4d65-85f4-da0867b8e11b", 
            "name": null
        }, 
        "tags": {}, 
        "updatedAt": "2019-12-26T18:25:02.929708Z"
    }, 
    "meta": {}
}

Failure returned when listing services for a user with no access to services, but with services in the system

error: error listing https://localhost:1280/services?asIdentity=all in Ziti Edge Controller. Status code: 500 Internal Server Error, Server returned: {"error":{"args":{"cause":{},"urlVars":{}},"cause":{},"causeMessage":"identity with all id or name not found","code":"UNHANDLED","message":"An unhandled error occurred","requestId":"3c04809a-6996-454f-b951-8dbb797bad92"},"meta":{"apiEnrolmentVersion":"0.0.1","apiVersion":"0.0.1"}}

in the tunneler
