adds method type, ApiSession interface JSON wrapper

andrewpmartinez · andrewpmartinez · commit 7f6abe0510bc · 2025-10-24T10:56:43.000-04:00
- adds string alias type AuthMethod
- adds AuthMethodEmpty as a sentinal type
- adds ApiSessionJsonWrapper to allow direct (un)marshalling of
  ApiSession via interface
diff --git a/edge-apis/api_session.go b/edge-apis/api_session.go
@@ -16,6 +16,31 @@ import (
 	"golang.org/x/oauth2"
 )
 
+var _ json.Marshaler = (*ApiSessionJsonWrapper)(nil)
+var _ json.Unmarshaler = (*ApiSessionJsonWrapper)(nil)
+
+// ApiSessionJsonWrapper provides JSON marshaling and unmarshaling capabilities for ApiSession
+// interface types. It allows polymorphic ApiSession implementations (ApiSessionLegacy and
+// ApiSessionOidc) to be correctly serialized and deserialized by delegating to the underlying
+// ApiSession's JSON methods.
+//
+// This wrapper enables ApiSession instances to be embedded in structs and marshaled to/from
+// JSON.
+type ApiSessionJsonWrapper struct {
+	ApiSession ApiSession
+}
+
+func (a *ApiSessionJsonWrapper) UnmarshalJSON(bytes []byte) error {
+	var err error
+	a.ApiSession, err = UnmarshalApiSession(bytes)
+
+	return err
+}
+
+func (a *ApiSessionJsonWrapper) MarshalJSON() ([]byte, error) {
+	return a.ApiSession.MarshalJSON()
+}
+
 type ApiSession interface {
 	//GetAccessHeader returns the HTTP header name and value that should be used to represent this ApiSession
 	GetAccessHeader() (string, string)
diff --git a/edge-apis/api_session_test.go b/edge-apis/api_session_test.go
@@ -0,0 +1,33 @@
+package edge_apis
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func Test_ApiSessionMarshalling(t *testing.T) {
+
+	t.Run("test marshalling", func(t *testing.T) {
+		req := require.New(t)
+		type testStruct struct {
+			ApiSession ApiSessionJsonWrapper `json:"apiSession"`
+		}
+
+		test := &testStruct{
+			ApiSession: ApiSessionJsonWrapper{
+				ApiSession: NewApiSessionOidc("access", "refresh"),
+			},
+		}
+
+		testJson, err := json.Marshal(test)
+		req.NoError(err)
+
+		testUnmarhsal := &testStruct{}
+
+		err = json.Unmarshal(testJson, testUnmarhsal)
+		req.NoError(err)
+		req.Equal(test.ApiSession.ApiSession.GetToken(), testUnmarhsal.ApiSession.ApiSession.GetToken())
+	})
+}
diff --git a/edge-apis/client_edge_client.go b/edge-apis/client_edge_client.go
@@ -3,6 +3,7 @@ package edge_apis
 import (
 	"crypto/x509"
 	"errors"
+	"fmt"
 	"net/http"
 	"net/url"
 	"sync"
@@ -143,9 +144,13 @@ func (self *ZitiEdgeClient) Authenticate(credentials Credentials, configTypesOve
 func (self *ZitiEdgeClient) legacyAuth(credentials Credentials, configTypes []string, httpClient *http.Client) (ApiSession, error) {
 	params := clientAuth.NewAuthenticateParams()
 	params.Auth = credentials.Payload()
-	params.Method = credentials.Method()
+	params.Method = string(credentials.Method())
 	params.Auth.ConfigTypes = append(params.Auth.ConfigTypes, configTypes...)
 
+	if credentials.Method() == AuthMethodEmpty {
+		return nil, fmt.Errorf("auth method %s cannot be used for authentication, please provide alternate credentials", AuthMethodEmpty)
+	}
+
 	certs := credentials.TlsCerts()
 	if len(certs) != 0 {
 		if transport, ok := httpClient.Transport.(*http.Transport); ok {
diff --git a/edge-apis/client_edge_management.go b/edge-apis/client_edge_management.go
@@ -3,6 +3,7 @@ package edge_apis
 import (
 	"crypto/x509"
 	"errors"
+	"fmt"
 	"net/http"
 	"net/url"
 	"sync"
@@ -143,9 +144,13 @@ func (self *ZitiEdgeManagement) Authenticate(credentials Credentials, configType
 func (self *ZitiEdgeManagement) legacyAuth(credentials Credentials, configTypes []string, httpClient *http.Client) (ApiSession, error) {
 	params := manAuth.NewAuthenticateParams()
 	params.Auth = credentials.Payload()
-	params.Method = credentials.Method()
+	params.Method = string(credentials.Method())
 	params.Auth.ConfigTypes = append(params.Auth.ConfigTypes, configTypes...)
 
+	if credentials.Method() == AuthMethodEmpty {
+		return nil, fmt.Errorf("auth method %s cannot be used for authentication, please provide alternate credentials", AuthMethodEmpty)
+	}
+
 	certs := credentials.TlsCerts()
 	if len(certs) != 0 {
 		if transport, ok := httpClient.Transport.(*http.Transport); ok {
diff --git a/edge-apis/clients_shared.go b/edge-apis/clients_shared.go
@@ -217,6 +217,10 @@ func oidcAuth(clientTransportPool ClientTransportPool, credentials Credentials,
 	}
 	method := credentials.Method()
 
+	if method == AuthMethodEmpty {
+		return nil, fmt.Errorf("auth method %s cannot be used for authentication, please provide alternate credentials", AuthMethodEmpty)
+	}
+
 	if configTypeOverrides != nil {
 		payload.ConfigTypes = configTypeOverrides
 	}
@@ -261,7 +265,7 @@ func oidcAuth(clientTransportPool ClientTransportPool, credentials Credentials,
 			return nil, errors.New("could not find auth request id header")
 		}
 
-		opLoginUri := "https://" + resp.RawResponse.Request.URL.Host + "/oidc/login/" + method
+		opLoginUri := "https://" + resp.RawResponse.Request.URL.Host + "/oidc/login/" + string(method)
 		totpUri := "https://" + resp.RawResponse.Request.URL.Host + "/oidc/login/totp"
 
 		formData := payload.toValues()
diff --git a/edge-apis/credentials.go b/edge-apis/credentials.go
@@ -4,13 +4,23 @@ import (
 	"crypto"
 	"crypto/tls"
 	"crypto/x509"
+	"net/http"
+
 	"github.com/go-openapi/runtime"
 	"github.com/go-openapi/strfmt"
 	"github.com/openziti/edge-api/rest_model"
 	"github.com/openziti/identity"
 	"github.com/openziti/sdk-golang/ziti/edge/network"
 	"github.com/openziti/sdk-golang/ziti/sdkinfo"
-	"net/http"
+)
+
+type AuthMethod string
+
+const (
+	AuthMethodCert   AuthMethod = "cert"
+	AuthMethodUpdb   AuthMethod = "password"
+	AuthMethodEmpty  AuthMethod = "empty"
+	AuthMethodJwtExt AuthMethod = "ext-jwt"
 )
 
 // Credentials represents the minimal information needed across all authentication mechanisms to authenticate an identity
@@ -26,7 +36,7 @@ type Credentials interface {
 	GetCaPool() *x509.CertPool
 
 	// Method returns the authentication necessary to complete an authentication request.
-	Method() string
+	Method() AuthMethod
 
 	// AddAuthHeader adds a header for all authentication requests.
 	AddAuthHeader(key, value string)
@@ -225,8 +235,8 @@ func NewCertCredentials(certs []*x509.Certificate, key crypto.PrivateKey) *CertC
 	}
 }
 
-func (c *CertCredentials) Method() string {
-	return "cert"
+func (c *CertCredentials) Method() AuthMethod {
+	return AuthMethodCert
 }
 
 func (c *CertCredentials) TlsCerts() []tls.Certificate {
@@ -264,8 +274,8 @@ func (c *IdentityCredentials) GetIdentity() identity.Identity {
 	return c.Identity
 }
 
-func (c *IdentityCredentials) Method() string {
-	return "cert"
+func (c *IdentityCredentials) Method() AuthMethod {
+	return AuthMethodCert
 }
 
 func (c *IdentityCredentials) GetCaPool() *x509.CertPool {
@@ -301,8 +311,8 @@ func NewJwtCredentials(jwt string) *JwtCredentials {
 	}
 }
 
-func (c *JwtCredentials) Method() string {
-	return "ext-jwt"
+func (c *JwtCredentials) Method() AuthMethod {
+	return AuthMethodJwtExt
 }
 
 func (c *JwtCredentials) AuthenticateRequest(request runtime.ClientRequest, reg strfmt.Registry) error {
@@ -330,8 +340,8 @@ type UpdbCredentials struct {
 	Password string
 }
 
-func (c *UpdbCredentials) Method() string {
-	return "password"
+func (c *UpdbCredentials) Method() AuthMethod {
+	return AuthMethodUpdb
 }
 
 // NewUpdbCredentials creates a Credentials instance based on a username/passwords combination.
@@ -354,3 +364,13 @@ func (c *UpdbCredentials) Payload() *rest_model.Authenticate {
 func (c *UpdbCredentials) AuthenticateRequest(request runtime.ClientRequest, reg strfmt.Registry) error {
 	return c.BaseCredentials.AuthenticateRequest(request, reg)
 }
+
+var _ Credentials = (*EmptyCredentials)(nil)
+
+type EmptyCredentials struct {
+	BaseCredentials
+}
+
+func (e EmptyCredentials) Method() AuthMethod {
+	return AuthMethodEmpty
+}
diff --git a/edge-apis/oidc.go b/edge-apis/oidc.go
@@ -131,7 +131,7 @@ func (t *localRpServer) Start() {
 
 // newLocalRpServer creates and configures a local HTTP server for handling OpenID Connect
 // authentication flows, including callback processing and token exchange.
-func newLocalRpServer(apiHost string, authMethod string) (*localRpServer, error) {
+func newLocalRpServer(apiHost string, authMethod AuthMethod) (*localRpServer, error) {
 	tokenOutChan := make(chan *oidc.Tokens[*oidc.IDTokenClaims], 1)
 	result := &localRpServer{
 		CallbackPath: "/auth/callback",
@@ -198,7 +198,7 @@ func newLocalRpServer(apiHost string, authMethod string) (*localRpServer, error)
 	}
 	serverMux := http.NewServeMux()
 
-	authHandler := rp.AuthURLHandler(state, provider, rp.WithPromptURLParam("Welcome back!"), rp.WithURLParam("method", authMethod))
+	authHandler := rp.AuthURLHandler(state, provider, rp.WithPromptURLParam("Welcome back!"), rp.WithURLParam("method", string(authMethod)))
 	loginHandler := http.HandlerFunc(func(writer http.ResponseWriter, request *http.Request) {
 		authHandler.ServeHTTP(writer, request)
 	})

Original file line number	Diff line number	Diff line change
`@@ -217,6 +217,10 @@ func oidcAuth(clientTransportPool ClientTransportPool, credentials Credentials,`
`217`	`217`	`}`
`218`	`218`	`method := credentials.Method()`
`219`	`219`
	`220`	`+ if method == AuthMethodEmpty {`
	`221`	`+ return nil, fmt.Errorf("auth method %s cannot be used for authentication, please provide alternate credentials", AuthMethodEmpty)`
	`222`	`+ }`
	`223`	`+`
`220`	`224`	`if configTypeOverrides != nil {`
`221`	`225`	`payload.ConfigTypes = configTypeOverrides`
`222`	`226`	`}`
`@@ -261,7 +265,7 @@ func oidcAuth(clientTransportPool ClientTransportPool, credentials Credentials,`
`261`	`265`	`return nil, errors.New("could not find auth request id header")`
`262`	`266`	`}`
`263`	`267`
`264`		`- opLoginUri := "https://" + resp.RawResponse.Request.URL.Host + "/oidc/login/" + method`
	`268`	`+ opLoginUri := "https://" + resp.RawResponse.Request.URL.Host + "/oidc/login/" + string(method)`
`265`	`269`	`totpUri := "https://" + resp.RawResponse.Request.URL.Host + "/oidc/login/totp"`
`266`	`270`
`267`	`271`	`formData := payload.toValues()`