openziti
diff --git a/‎edge-apis/client_base.go‎
Lines changed: 48 additions & 22 deletions b/‎edge-apis/client_base.go‎
Lines changed: 48 additions & 22 deletions
diff --git a/‎edge-apis/client_edge_client.go‎
Lines changed: 23 additions & 9 deletions b/‎edge-apis/client_edge_client.go‎
Lines changed: 23 additions & 9 deletions
diff --git a/‎edge-apis/client_edge_management.go‎
Lines changed: 24 additions & 9 deletions b/‎edge-apis/client_edge_management.go‎
Lines changed: 24 additions & 9 deletions
@@ -18,22 +18,25 @@ const (
 	TotpRequiredHeader  = "totp-required"
 )
 
-// AuthEnabledApi is used as a sentinel interface to detect APIs that support authentication and to work around a golang
-// limitation dealing with accessing field of generically typed fields.
+// AuthEnabledApi is a sentinel interface that detects APIs supporting authentication.
+// It provides methods for authenticating, managing sessions, and discovering controllers for high-availability.
 type AuthEnabledApi interface {
-	//Authenticate will attempt to issue an authentication request using the provided credentials and http client.
-	//These functions act as abstraction around the underlying go-swagger generated client and will use the default
-	//http client if not provided.
+	// Authenticate authenticates using the provided credentials and returns an ApiSession for subsequent authenticated requests.
 	Authenticate(credentials Credentials, configTypes []string, httpClient *http.Client) (ApiSession, error)
+	// SetUseOidc forces OIDC mode (true) or legacy mode (false).
 	SetUseOidc(bool)
+	// ListControllers returns the list of available controllers for HA failover.
 	ListControllers() (*rest_model.ControllersList, error)
+	// GetClientTransportPool returns the transport pool managing multiple controller endpoints.
 	GetClientTransportPool() ClientTransportPool
+	// SetClientTransportPool sets the transport pool.
 	SetClientTransportPool(ClientTransportPool)
+	// RefreshApiSession refreshes an existing session.
 	RefreshApiSession(apiSession ApiSession, httpClient *http.Client) (ApiSession, error)
 }
 
-// BaseClient implements the Client interface specifically for the types specified in the ApiType constraint. It
-// provides shared functionality that all ApiType types require.
+// BaseClient provides shared authentication and session management for OpenZiti API clients.
+// It handles credential-based authentication, TLS configuration, session storage, and controller failover.
 type BaseClient[A ApiType] struct {
 	API            *A
 	AuthEnabledApi AuthEnabledApi
@@ -84,18 +87,19 @@ func (self *BaseClient[A]) SetAllowOidcDynamicallyEnabled(allow bool) {
 	apiType.SetAllowOidcDynamicallyEnabled(allow)
 }
 
-// Authenticate will attempt to use the provided credentials to authenticate via the underlying ApiType. On success
-// the API Session details will be returned and the current client will make authenticated requests on future
-// calls. On an error the API Session in use will be cleared and subsequent requests will become/continue to be
-// made in an unauthenticated fashion.
+// Authenticate authenticates using provided credentials, updating the TLS configuration based on the credential's CA pool.
+// On success, stores the session and processes controller endpoints for HA failover.
+// On failure, clears the session and credentials.
 func (self *BaseClient[A]) Authenticate(credentials Credentials, configTypesOverride []string) (ApiSession, error) {
 	self.Credentials = nil
 	self.ApiSession.Store(nil)
 
+	tlsClientConfig := self.TlsAwareTransport.GetTlsClientConfig()
+
 	if credCaPool := credentials.GetCaPool(); credCaPool != nil {
-		self.HttpTransport.TLSClientConfig.RootCAs = credCaPool
+		tlsClientConfig.RootCAs = credCaPool
 	} else {
-		self.HttpTransport.TLSClientConfig.RootCAs = self.CaPool
+		tlsClientConfig.RootCAs = self.CaPool
 	}
 
 	apiSession, err := self.AuthEnabledApi.Authenticate(credentials, configTypesOverride, self.HttpClient)
@@ -116,10 +120,11 @@ func (self *BaseClient[A]) AuthenticateWithPreviousSession(credentials Credentia
 	self.Credentials = nil
 	self.ApiSession.Store(nil)
 
+	tlsClientConfig := self.TlsAwareTransport.GetTlsClientConfig()
 	if credCaPool := credentials.GetCaPool(); credCaPool != nil {
-		self.HttpTransport.TLSClientConfig.RootCAs = credCaPool
+		tlsClientConfig.RootCAs = credCaPool
 	} else {
-		self.HttpTransport.TLSClientConfig.RootCAs = self.CaPool
+		tlsClientConfig.RootCAs = self.CaPool
 	}
 
 	refreshedSession, refreshErr := self.AuthEnabledApi.RefreshApiSession(prevApiSession, self.HttpClient)
@@ -136,24 +141,46 @@ func (self *BaseClient[A]) AuthenticateWithPreviousSession(credentials Credentia
 	return refreshedSession, nil
 }
 
-// initializeComponents assembles the lower level components necessary for the go-swagger/openapi facilities.
+// initializeComponents assembles HTTP client infrastructure, either using provided Components or creating new ones.
+// If Components are provided with nil transport/client, they are initialized with warnings logged.
 func (self *BaseClient[A]) initializeComponents(config *ApiClientConfig) {
+	if config.Components != nil {
+
+		if config.Components.TlsAwareTransport == nil {
+			pfxlog.Logger().Warn("components were provided but the transport was nil, it is being initialized")
+			config.Components.TlsAwareTransport = NewTlsAwareHttpTransport(nil)
+		}
+
+		if config.Components.HttpClient == nil {
+			pfxlog.Logger().Warn("components were provided but the http client was nil, it is being initialized")
+			config.Components.HttpClient = NewHttpClient(config.Components.TlsAwareTransport)
+		}
+
+		self.Components = *config.Components
+		if config.Proxy != nil {
+			pfxlog.Logger().Warn("components were provided along with a proxy function on the ApiClientConfig, it is being ignored, if needed properly set on components")
+		}
+		return
+	}
+
 	components := NewComponentsWithConfig(&ComponentsConfig{
 		Proxy: config.Proxy,
 	})
-	components.HttpTransport.TLSClientConfig.RootCAs = config.CaPool
+
+	tlsClientConfig := components.TlsAwareTransport.GetTlsClientConfig()
+	tlsClientConfig.RootCAs = config.CaPool
 	components.CaPool = config.CaPool
 
 	self.Components = *components
 }
 
-// NewRuntime creates an OpenAPI runtime configured for the specified API endpoint.
+// NewRuntime creates an OpenAPI runtime for communicating with a controller endpoint. Used for HA failover to add multiple controller endpoints.
 func NewRuntime(apiUrl *url.URL, schemes []string, httpClient *http.Client) *openapiclient.Runtime {
 	return openapiclient.NewWithClient(apiUrl.Host, apiUrl.Path, schemes, httpClient)
 }
 
-// AuthenticateRequest implements the openapi runtime.ClientAuthInfoWriter interface from the OpenAPI libraries. It is used
-// to authenticate outgoing requests.
+// AuthenticateRequest authenticates outgoing API requests using the current session or credentials.
+// It implements the openapi runtime.ClientAuthInfoWriter interface.
 func (self *BaseClient[A]) AuthenticateRequest(request runtime.ClientRequest, registry strfmt.Registry) error {
 	if self.AuthInfoWriter != nil {
 		return self.AuthInfoWriter.AuthenticateRequest(request, registry)
@@ -184,8 +211,7 @@ func (self *BaseClient[A]) AuthenticateRequest(request runtime.ClientRequest, re
 	return nil
 }
 
-// ProcessControllers queries the authenticated controller for its list of peer controllers
-// and registers them for high-availability failover.
+// ProcessControllers discovers peer controllers and registers them for HA failover. Called after successful authentication.
 func (self *BaseClient[A]) ProcessControllers(authEnabledApi AuthEnabledApi) {
 	list, err := authEnabledApi.ListControllers()
 
 
@@ -37,10 +37,10 @@ type ClientApiClient struct {
 // that have not been verified from an outside secret (such as an enrollment token).
 func NewClientApiClient(apiUrls []*url.URL, caPool *x509.CertPool, totpCallback func(chan string)) *ClientApiClient {
 	return NewClientApiClientWithConfig(&ApiClientConfig{
-		ApiUrls:      apiUrls,
-		CaPool:       caPool,
-		TotpCallback: totpCallback,
-		Proxy:        http.ProxyFromEnvironment,
+		ApiUrls:          apiUrls,
+		CaPool:           caPool,
+		TotpCodeProvider: NewTotpCodeProviderFromChStringFunc(totpCallback),
+		Proxy:            http.ProxyFromEnvironment,
 	})
 }
 
@@ -65,7 +65,7 @@ func NewClientApiClientWithConfig(config *ApiClientConfig) *ClientApiClient {
 	newApi := rest_client_api_client.New(transportPool, nil)
 	api := ZitiEdgeClient{
 		ZitiEdgeClient:      newApi,
-		TotpCallback:        config.TotpCallback,
+		TotpCodeProvider:    config.TotpCodeProvider,
 		ClientTransportPool: transportPool,
 	}
 	ret.API = &api
@@ -94,18 +94,21 @@ type ZitiEdgeClient struct {
 	versionInfo *rest_model.Version
 	versionOnce sync.Once
 
-	TotpCallback        func(chan string)
+	TotpCodeProvider    TotpCodeProvider
 	ClientTransportPool ClientTransportPool
 }
 
+// GetClientTransportPool returns the transport pool managing multiple controller endpoints for failover.
 func (self *ZitiEdgeClient) GetClientTransportPool() ClientTransportPool {
 	return self.ClientTransportPool
 }
 
+// SetClientTransportPool sets the transport pool.
 func (self *ZitiEdgeClient) SetClientTransportPool(transportPool ClientTransportPool) {
 	self.ClientTransportPool = transportPool
 }
 
+// ListControllers returns the list of available controllers for high-availability failover.
 func (self *ZitiEdgeClient) ListControllers() (*rest_model.ControllersList, error) {
 	params := clientControllers.NewListControllersParams()
 	resp, err := self.Controllers.ListControllers(params, nil)
@@ -133,6 +136,7 @@ func (self *ZitiEdgeClient) Authenticate(credentials Credentials, configTypesOve
 	return self.legacyAuth(credentials, configTypesOverrides, httpClient)
 }
 
+// legacyAuth performs zt-session token based authentication.
 func (self *ZitiEdgeClient) legacyAuth(credentials Credentials, configTypes []string, httpClient *http.Client) (ApiSession, error) {
 	params := clientAuth.NewAuthenticateParams()
 	params.Auth = credentials.Payload()
@@ -145,8 +149,9 @@ func (self *ZitiEdgeClient) legacyAuth(credentials Credentials, configTypes []st
 
 	certs := credentials.TlsCerts()
 	if len(certs) != 0 {
-		if transport, ok := httpClient.Transport.(*http.Transport); ok {
-			transport.TLSClientConfig.Certificates = certs
+		if transport, ok := httpClient.Transport.(TlsAwareTransport); ok {
+			tlsClientConf := transport.GetTlsClientConfig()
+			tlsClientConf.Certificates = certs
 			transport.CloseIdleConnections()
 		}
 	}
@@ -160,19 +165,23 @@ func (self *ZitiEdgeClient) legacyAuth(credentials Credentials, configTypes []st
 	return &ApiSessionLegacy{Detail: resp.GetPayload().Data, RequestHeaders: credentials.GetRequestHeaders()}, err
 }
 
+// oidcAuth performs OIDC OAuth flow based authentication.
 func (self *ZitiEdgeClient) oidcAuth(credentials Credentials, configTypeOverrides []string, httpClient *http.Client) (ApiSession, error) {
-	return oidcAuth(self.ClientTransportPool, credentials, configTypeOverrides, httpClient, self.TotpCallback)
+	return oidcAuth(self.ClientTransportPool, credentials, configTypeOverrides, httpClient, self.TotpCodeProvider)
 }
 
+// SetUseOidc forces OIDC mode (true) or legacy mode (false), overriding automatic detection.
 func (self *ZitiEdgeClient) SetUseOidc(use bool) {
 	self.useOidcExplicitlySet = true
 	self.useOidc = use
 }
 
+// SetAllowOidcDynamicallyEnabled enables automatic OIDC capability detection on the controller.
 func (self *ZitiEdgeClient) SetAllowOidcDynamicallyEnabled(allow bool) {
 	self.oidcDynamicallyEnabled = allow
 }
 
+// RefreshApiSession refreshes an existing API session (both legacy and OIDC types).
 func (self *ZitiEdgeClient) RefreshApiSession(apiSession ApiSession, httpClient *http.Client) (ApiSession, error) {
 	switch s := apiSession.(type) {
 	case *ApiSessionLegacy:
@@ -205,10 +214,12 @@ func (self *ZitiEdgeClient) RefreshApiSession(apiSession ApiSession, httpClient
 	return nil, errors.New("api session is an unknown type")
 }
 
+// ExchangeTokens exchanges OIDC tokens for refreshed tokens.
 func (self *ZitiEdgeClient) ExchangeTokens(curTokens *oidc.Tokens[*oidc.IDTokenClaims], httpClient *http.Client) (*oidc.Tokens[*oidc.IDTokenClaims], error) {
 	return exchangeTokens(self.ClientTransportPool, curTokens, httpClient)
 }
 
+// ControllerSupportsHa checks if the controller supports high-availability by inspecting its capabilities.
 func (self *ZitiEdgeClient) ControllerSupportsHa() bool {
 	self.doOnceCacheVersionInfo()
 
@@ -219,6 +230,7 @@ func (self *ZitiEdgeClient) ControllerSupportsHa() bool {
 	return false
 }
 
+// ControllerSupportsOidc checks if the controller supports OIDC authentication by inspecting its capabilities.
 func (self *ZitiEdgeClient) ControllerSupportsOidc() bool {
 	self.doOnceCacheVersionInfo()
 
@@ -229,6 +241,8 @@ func (self *ZitiEdgeClient) ControllerSupportsOidc() bool {
 	return false
 }
 
+// doOnceCacheVersionInfo caches the controller version information including capabilities on first call.
+// Subsequent calls are no-ops due to sync.Once synchronization.
 func (self *ZitiEdgeClient) doOnceCacheVersionInfo() {
 	self.versionOnce.Do(func() {
 		versionParams := clientInfo.NewListVersionParams()
 
@@ -37,10 +37,10 @@ type ManagementApiClient struct {
 // that have not been verified from an outside secret (such as an enrollment token).
 func NewManagementApiClient(apiUrls []*url.URL, caPool *x509.CertPool, totpCallback func(chan string)) *ManagementApiClient {
 	return NewManagementApiClientWithConfig(&ApiClientConfig{
-		ApiUrls:      apiUrls,
-		CaPool:       caPool,
-		TotpCallback: totpCallback,
-		Proxy:        http.ProxyFromEnvironment,
+		ApiUrls:          apiUrls,
+		CaPool:           caPool,
+		TotpCodeProvider: NewTotpCodeProviderFromChStringFunc(totpCallback),
+		Proxy:            http.ProxyFromEnvironment,
 	})
 }
 
@@ -51,6 +51,7 @@ func NewManagementApiClientWithConfig(config *ApiClientConfig) *ManagementApiCli
 	ret.ApiBinding = "edge-management"
 	ret.ApiVersion = "v1"
 	ret.ApiUrls = config.ApiUrls
+
 	ret.initializeComponents(config)
 
 	transportPool := NewClientTransportPoolRandom()
@@ -64,7 +65,7 @@ func NewManagementApiClientWithConfig(config *ApiClientConfig) *ManagementApiCli
 	newApi := rest_management_api_client.New(transportPool, nil)
 	api := ZitiEdgeManagement{
 		ZitiEdgeManagement:  newApi,
-		TotpCallback:        config.TotpCallback,
+		TotpCodeProvider:    config.TotpCodeProvider,
 		ClientTransportPool: transportPool,
 	}
 
@@ -94,18 +95,21 @@ type ZitiEdgeManagement struct {
 	versionOnce sync.Once
 	versionInfo *rest_model.Version
 
-	TotpCallback        func(chan string)
+	TotpCodeProvider    TotpCodeProvider
 	ClientTransportPool ClientTransportPool
 }
 
+// SetClientTransportPool sets the transport pool.
 func (self *ZitiEdgeManagement) SetClientTransportPool(transportPool ClientTransportPool) {
 	self.ClientTransportPool = transportPool
 }
 
+// GetClientTransportPool returns the transport pool managing multiple controller endpoints for failover.
 func (self *ZitiEdgeManagement) GetClientTransportPool() ClientTransportPool {
 	return self.ClientTransportPool
 }
 
+// ListControllers returns the list of available controllers for high-availability failover.
 func (self *ZitiEdgeManagement) ListControllers() (*rest_model.ControllersList, error) {
 	params := manControllers.NewListControllersParams()
 	resp, err := self.Controllers.ListControllers(params, nil)
@@ -133,6 +137,7 @@ func (self *ZitiEdgeManagement) Authenticate(credentials Credentials, configType
 	return self.legacyAuth(credentials, configTypes, httpClient)
 }
 
+// legacyAuth performs zt-session token based authentication.
 func (self *ZitiEdgeManagement) legacyAuth(credentials Credentials, configTypes []string, httpClient *http.Client) (ApiSession, error) {
 	params := manAuth.NewAuthenticateParams()
 	params.Auth = credentials.Payload()
@@ -145,8 +150,9 @@ func (self *ZitiEdgeManagement) legacyAuth(credentials Credentials, configTypes
 
 	certs := credentials.TlsCerts()
 	if len(certs) != 0 {
-		if transport, ok := httpClient.Transport.(*http.Transport); ok {
-			transport.TLSClientConfig.Certificates = certs
+		if transport, ok := httpClient.Transport.(TlsAwareTransport); ok {
+			tlsClientConf := transport.GetTlsClientConfig()
+			tlsClientConf.Certificates = certs
 			transport.CloseIdleConnections()
 		}
 	}
@@ -162,19 +168,23 @@ func (self *ZitiEdgeManagement) legacyAuth(credentials Credentials, configTypes
 		RequestHeaders: credentials.GetRequestHeaders()}, err
 }
 
+// oidcAuth performs OIDC OAuth flow based authentication.
 func (self *ZitiEdgeManagement) oidcAuth(credentials Credentials, configTypeOverrides []string, httpClient *http.Client) (ApiSession, error) {
-	return oidcAuth(self.ClientTransportPool, credentials, configTypeOverrides, httpClient, self.TotpCallback)
+	return oidcAuth(self.ClientTransportPool, credentials, configTypeOverrides, httpClient, self.TotpCodeProvider)
 }
 
+// SetUseOidc forces OIDC mode (true) or legacy mode (false), overriding automatic detection.
 func (self *ZitiEdgeManagement) SetUseOidc(use bool) {
 	self.useOidcExplicitlySet = true
 	self.useOidc = use
 }
 
+// SetAllowOidcDynamicallyEnabled enables automatic OIDC capability detection on the controller.
 func (self *ZitiEdgeManagement) SetAllowOidcDynamicallyEnabled(allow bool) {
 	self.oidcDynamicallyEnabled = allow
 }
 
+// RefreshApiSession refreshes an existing API session (both legacy and OIDC types).
 func (self *ZitiEdgeManagement) RefreshApiSession(apiSession ApiSession, httpClient *http.Client) (ApiSession, error) {
 	switch s := apiSession.(type) {
 	case *ApiSessionLegacy:
@@ -207,10 +217,12 @@ func (self *ZitiEdgeManagement) RefreshApiSession(apiSession ApiSession, httpCli
 	return nil, errors.New("api session is an unknown type")
 }
 
+// ExchangeTokens exchanges OIDC tokens for refreshed tokens.
 func (self *ZitiEdgeManagement) ExchangeTokens(curTokens *oidc.Tokens[*oidc.IDTokenClaims], httpClient *http.Client) (*oidc.Tokens[*oidc.IDTokenClaims], error) {
 	return exchangeTokens(self.ClientTransportPool, curTokens, httpClient)
 }
 
+// ControllerSupportsHa checks if the controller supports high-availability by inspecting its capabilities.
 func (self *ZitiEdgeManagement) ControllerSupportsHa() bool {
 	self.doOnceCacheVersionInfo()
 
@@ -221,6 +233,7 @@ func (self *ZitiEdgeManagement) ControllerSupportsHa() bool {
 	return false
 }
 
+// ControllerSupportsOidc checks if the controller supports OIDC authentication by inspecting its capabilities.
 func (self *ZitiEdgeManagement) ControllerSupportsOidc() bool {
 	self.doOnceCacheVersionInfo()
 
@@ -231,6 +244,8 @@ func (self *ZitiEdgeManagement) ControllerSupportsOidc() bool {
 	return false
 }
 
+// doOnceCacheVersionInfo caches the controller version information including capabilities on first call.
+// Subsequent calls are no-ops due to sync.Once synchronization.
 func (self *ZitiEdgeManagement) doOnceCacheVersionInfo() {
 	self.versionOnce.Do(func() {
 		versionParams := manInfo.NewListVersionParams()