HA OIDC auth mechanisms, start of white label support, new JSPI Origin Trial token

Author: rentallect

assets/template-zbr.ejs

@@ -9,7 +9,7 @@
             <div class="zbr-error">
                 <h3>
                     <span>
-                        BrowZer Runtime code: 
+                        {{ browzer_name }} Runtime code: 
                     </span>
                     <span style="color:#d9202e">
                         {{ code }}

index.js

@@ -366,16 +366,19 @@ ${thirdPartyHTML}
             }
             res.setEncoding('utf8');
             res.on('data', function (chunk) {
-                var jsonTargetArray = JSON.parse(chunk);
-                let controllerVersion = jsonTargetArray.data.version.replace('v','');
-                logger.info({message: 'attached controller version', controllerVersion: controllerVersion});
-                let compatibleControllerVersion = `${pjson.compatibleControllerVersion}`;
-                if (controllerVersion !== '0.0.0') {
-                    if (!satisfies(controllerVersion, compatibleControllerVersion)) {
-                        logger.error({message: 'incompatible controller version', controllerVersion: controllerVersion, compatibleControllerVersion: compatibleControllerVersion});
-                        process.exit(-1);
+                try {
+                    var jsonTargetArray = JSON.parse(chunk);
+                    let controllerVersion = jsonTargetArray.data.version.replace('v','');
+                    logger.info({message: 'attached controller version', controllerVersion: controllerVersion});
+                    let compatibleControllerVersion = `${pjson.compatibleControllerVersion}`;
+                    if (controllerVersion !== '0.0.0') {
+                        if (!satisfies(controllerVersion, compatibleControllerVersion)) {
+                            logger.error({message: 'incompatible controller version', controllerVersion: controllerVersion, compatibleControllerVersion: compatibleControllerVersion});
+                            process.exit(-1);
+                        }
                     }
                 }
+                catch (e) {}
             });
         }).end();
         request.on('timeout', () => {
@@ -642,6 +645,73 @@ ${thirdPartyHTML}
         return;
     });
 
+    /**
+     * 
+     */
+    app.use(express.json()); 
+    app.post('/controller-oidc-proxy', async (req, res) => {
+
+        let { 
+            urlWithParams,
+            method,
+            headers,
+            postData
+        } = req.body; // Extract the proxy variables from POST body
+
+        if (!urlWithParams) {
+            return res.status(400).json({ error: 'Missing urlWithParams parameter' });
+        }
+
+        const url = new URL(urlWithParams);
+
+        const options = {
+            hostname:   url.hostname,
+            port:       url.port || 443,
+            path:       url.pathname + url.search, 
+            method:     method,
+            headers:    headers,
+            redirect:   'manual' 
+        };
+
+        if (isEqual(method, 'POST')) {
+
+            postData = JSON.stringify(postData);              
+            options.headers['Content-Length'] = Buffer.byteLength(postData);
+
+            const req = https.request(options, (response) => {
+                let data = '';
+                response.on('data', (chunk) => {
+                  data += chunk;
+                });
+              
+                response.on('end', () => {
+                  if (response.statusCode >= 300 && response.statusCode < 400) {
+                      res.json({ redirectUrl: response.headers.location });
+                  } else {
+                      res.status(400).json({ error: 'expected redirect did not occur' });
+                  }
+                  res.end();
+                });
+              });
+                            
+              req.write(postData);
+              req.end();
+
+        } else {
+
+            https.request(options, async function(response) {
+
+                if (response.statusCode >= 300 && response.statusCode < 400) {
+                    res.json({ redirectUrl: response.headers.location });
+                } else {
+                    res.status(400).json({ error: 'expected redirect did not occur' });
+                }
+                res.end();
+
+            }).end();
+        }    
+    });    
+
     var proxy = httpProxy.createProxyServer(options);
 
     app.use(require('./lib/inject')(options, [], selects));
@@ -711,7 +781,9 @@ ${thirdPartyHTML}
         filter: function(data, req, res) {
             if (data.error && data.error.browzer_error_data) {
 
-                let footer = `<a href="https://openziti.io/docs/learn/quickstarts/browzer/"><strong>powered by OpenZiti BrowZer v${pjson.version}</strong><img src="https://ziti-logo.s3.amazonaws.com/ziti-browzer-logo.svg" style="width: 2%;position: fixed;bottom: 15px;margin-left: 10px;"></a>`;
+                let whitelabel = JSON.parse(env('ZITI_BROWZER_WHITELABEL'));
+
+                let footer = `<a href="https://openziti.io/docs/learn/quickstarts/browzer/"><strong>powered by ${whitelabel.branding.browZerName} v${pjson.version}</strong><img src="${whitelabel.branding.browZerButtonIconSvgUrl}" style="width: 2%;position: fixed;bottom: 15px;margin-left: 10px;"></a>`;
 
                 if (isUndefined(data.error.browzer_error_data.myvar)) {
                     data.error.browzer_error_data.myvar = {type: 'zbr'}
@@ -723,6 +795,7 @@ ${thirdPartyHTML}
                             code: data.error.browzer_error_data.code,
                             title: data.error.browzer_error_data.title,
                             message: data.error.browzer_error_data.message,
+                            browzer_name: whitelabel.branding.browZerName,
                             footer: footer,
                         });
                         data.body = he.decode(data.body);
@@ -742,6 +815,7 @@ ${thirdPartyHTML}
                             code: data.error.browzer_error_data.code,
                             title: data.error.browzer_error_data.title,
                             message: data.error.browzer_error_data.message,
+                            browzer_name: whitelabel.branding.browZerName,
                             footer: footer,
                         });
                         data.body = he.decode(data.body);
@@ -859,7 +933,7 @@ Hello, from OpenZiti BrowZer v${pjson.version} !
         });
 
         server.listen(browzer_bootstrapper_listen_port, () => {
-            console.log(`Server listening on port ${browzer_bootstrapper_listen_port}`);
+            logger.info({message: 'listening', port: browzer_bootstrapper_listen_port, scheme: browzer_bootstrapper_scheme});
         });          
 
     }

lib/env.js

@@ -15,11 +15,36 @@ limitations under the License.
 */
 
 var path    = require('path');
+var fs      = require('fs');
 var nconf   = require('nconf');
 const isEqual = require('lodash.isequal');
 var nval    = require('nconf-validator')(nconf);
+const Ajv   = require("ajv");
+const ajv   = new Ajv({ validateFormats: true });
+const addFormats = require("ajv-formats");
+addFormats(ajv); // Adds support for formats like "uri", "email", "date", etc.
 
-
+/**
+ *  Reach into teh ZBR dependency, and obtain the "hashed" name of the ZBR CSS file.
+ *  This will be the default used
+ */
+function getZBRCSSname() {
+    try {
+      let pathToZitiBrowzerRuntimeModule = require.resolve('@openziti/ziti-browzer-runtime');
+      pathToZitiBrowzerRuntimeModule = pathToZitiBrowzerRuntimeModule.substring(0, pathToZitiBrowzerRuntimeModule.lastIndexOf('/'));
+      let zbrCSSName;
+      fs.readdirSync(pathToZitiBrowzerRuntimeModule).forEach(file => {
+        if (file.startsWith('ziti-browzer-css-')) {
+          zbrCSSName = file;
+        }
+      });
+      return zbrCSSName;
+    }
+    catch (e) {
+      console.error(e);
+    }
+}
+  
 /** -----------------------------------------------------------------------------------------------
  *   Config value Order-of-precedence is:
  *      1) cmd line args
@@ -50,9 +75,24 @@ nconf
             ZITI_BROWZER_RUNTIME_HOTKEY:                'alt+f12',
 
             // This token is for *.browzer.cloudziti.io
-            ZITI_BROWZER_RUNTIME_ORIGIN_TRIAL_TOKEN:    `AqxdaPfKzgJ7G5+oEtS/w/eesei0cf9vBuiHZ8Tq+5mRKOArzxpKS3CarVqc31oAWMjUoOihM8UjpTJl8rxaxAQAAACAeyJvcmlnaW4iOiJodHRwczovL2Jyb3d6ZXIuY2xvdWR6aXRpLmlvOjQ0MyIsImZlYXR1cmUiOiJXZWJBc3NlbWJseUpTUHJvbWlzZUludGVncmF0aW9uIiwiZXhwaXJ5IjoxNzM5OTIzMTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0=`,
+            ZITI_BROWZER_RUNTIME_ORIGIN_TRIAL_TOKEN:    `Al07oTIxNYQaS0fbv5GmElf9VsYoCQe0DU2tF4ogqmQDEXIA48+0ulbKxrVIRqUZCY0xC9BKLHTvthU5wcMQJQUAAACAeyJvcmlnaW4iOiJodHRwczovL2Jyb3d6ZXIuY2xvdWR6aXRpLmlvOjQ0MyIsImZlYXR1cmUiOiJXZWJBc3NlbWJseUpTUHJvbWlzZUludGVncmF0aW9uIiwiZXhwaXJ5IjoxNzUzMTQyNDAwLCJpc1N1YmRvbWFpbiI6dHJ1ZX0=`,
 
 			NODE_EXTRA_CA_CERTS:						'node_modules/node_extra_ca_certs_mozilla_bundle/ca_bundle/ca_intermediate_root_bundle.pem',
+
+            ZITI_BROWZER_WHITELABEL: JSON.stringify({
+                "enable": {
+                    "browZerButton":            true,
+                    "browZerToastMessages":     true,
+                    "browZerSplashScreen":      true,
+                    "browZerThroughputChart":   true
+                },
+                "branding": {
+                    "browZerName":              "OpenZiti BrowZer",
+                    "browZerSplashMessage":     "Stand by while OpenZiti BrowZer Bootstraps your private web app",
+                    "browZerButtonIconSvgUrl":  `https://${nconf.get('ZITI_BROWZER_BOOTSTRAPPER_HOST')}/ziti-browzer-logo.svg`,
+                    "browZerCSS":               `https://${nconf.get('ZITI_BROWZER_BOOTSTRAPPER_HOST')}/${getZBRCSSname()}`
+                }
+            }),
 	    }
     )
     .required(
@@ -63,6 +103,45 @@ nconf
         ]
     );
 
+const whitelabelSchema = {
+    type: "object",
+    properties: {
+        enable: {
+            type: "object",
+            properties: {
+                browZerButton:          { type: "boolean" },
+                browZerToastMessages:   { type: "boolean" },
+                browZerSplashScreen:    { type: "boolean" },
+                browZerThroughputChart: { type: "boolean" }
+            },
+            required: [
+                "browZerButton", 
+                "browZerToastMessages", 
+                "browZerSplashScreen", 
+                "browZerThroughputChart"
+            ],
+            additionalProperties: false     // Prevent misspelled keys 
+        },
+        branding: {
+            type: "object",
+            properties: {
+                browZerName:                { type: "string" },
+                browZerSplashMessage:       { type: "string" },
+                browZerButtonIconSvgUrl:    { type: "string", format: "uri"},
+                browZerCSS:                 { type: "string", format: "uri"},
+            },
+            required: [
+                "browZerName", 
+                "browZerSplashMessage", 
+                "browZerButtonIconSvgUrl",
+                "browZerCSS"
+            ],
+            additionalProperties: false     // Prevent misspelled keys 
+        }
+    },
+    additionalProperties: false             // Prevent misspelled keys
+};
+      
 /** -----------------------------------------------------------------------------------------------
  *  config validation rules
  *  -----------------------------------------------------------------------------------------------*/
@@ -71,6 +150,8 @@ if (nconf.get('ZITI_BROWZER_BOOTSTRAPPER_LOG_TAGS')) {
     nval.addRule('ZITI_BROWZER_BOOTSTRAPPER_LOG_TAGS',                      'json');
 }
 
+nval.addRule('ZITI_BROWZER_WHITELABEL',                                     'json');
+
 nval.addRule('ZITI_BROWZER_BOOTSTRAPPER_WILDCARD_VHOSTS',                   Boolean);
 
 nval.addRule('ZITI_BROWZER_BOOTSTRAPPER_SCHEME',                            ['http', 'https']);
@@ -145,8 +226,16 @@ if (nconf.get('ZITI_BROWZER_BOOTSTRAPPER_GITHUB_API_TOKEN')) {
  */
 nval.validate();
 
+const validateWhitelabel = ajv.compile(whitelabelSchema);
+const whitelabelConfigData = JSON.parse(nconf.get('ZITI_BROWZER_WHITELABEL'));
+const valid = validateWhitelabel(whitelabelConfigData);
+
+if (!valid) {
+    console.error("Whitelabel Configuration validation failed:", validateWhitelabel.errors);
+    throw new Error("Whitelabel Configuration validation failed")
+}
+
 function asBool (value) {
-    console.log('asBool: value: ', value);
     const val = value.toLowerCase()
 
     const allowedValues = [

lib/http-proxy/common.js

@@ -358,6 +358,7 @@ common.generateZitiConfigObject = function(url, req, options) {
           host: browzer_load_balancer ? `${browzer_load_balancer}` : undefined,
           port: browzer_load_balancer ? `${browzer_load_balancer_port}` : undefined
         },
+        whitelabel: JSON.parse( env('ZITI_BROWZER_WHITELABEL') ),
       },
       idp: {
         host: `${idp_issuer_url}`,

package.json

@@ -1,6 +1,6 @@
 {
   "name": "ziti-browzer-bootstrapper",
-  "version": "0.81.2",
+  "version": "0.82.0",
   "compatibleControllerVersion": ">=0.27.9",
   "description": "Ziti BrowZer Bootstrapper -- providing Ziti network access into Dark web server",
   "main": "index.js",
@@ -20,9 +20,11 @@
   "license": "Apache-2.0",
   "dependencies": {
     "@openziti/ziti-browzer-edge-client": "^0.6.2",
-    "@openziti/ziti-browzer-runtime": "0.97.6",
-    "@openziti/ziti-browzer-sw": "^0.73.1",
+    "@openziti/ziti-browzer-runtime": "^0.98.0",
+    "@openziti/ziti-browzer-sw": "^0.74.0",
     "acme-http-01-standalone": "^3.0.5",
+    "ajv": "^8.17.1",
+    "ajv-formats": "^3.0.1",
     "compare-versions": "^6.0.0-rc.1",
     "connect": "^3.7.0",
     "cookie": "^0.5.0",