support external jwts and authentication

Author: scareything

lib/Ziti.swift

@@ -330,7 +330,7 @@ import CZitiPrivate
             }
 
             // Store certificates
-            let certs = dropFirst("pem:", resp.id.cert)
+            let certs = dropFirst("pem:", resp.id.cert!)
             _ = zkc.deleteCertificate(silent: true)
             // storeCertificate only stores the first (leaf) certificate in the pem. that's ok - the full chain of certs is stored in the .zid
             // file. only the leaf/pubkey needs to be in the keychain.
@@ -348,7 +348,28 @@ import CZitiPrivate
             }
 
             let zid = ZitiIdentity(id: subj, ztAPIs: resp.ztAPIs, certs: certs, ca: ca)
-            log.info("Enrolled id:\(subj) with controller: \(zid.ztAPI), cert: \(resp.id.cert)", function:"enroll()")
+            log.info("Enrolled id:\(subj) with controller: \(zid.ztAPI), cert: \(resp.id.cert!)", function:"enroll()")
+            
+            enrollCallback(zid, nil)
+        }
+    }
+    
+    @objc public static func enroll(controllerURL:String, _ enrollCallback: @escaping EnrollmentCallback) {
+        ZitiEnroller.enroll(url: controllerURL) { resp, _, zErr in
+            guard let resp = resp, zErr == nil else {
+                log.error(String(describing: zErr), function:"enroll()")
+                enrollCallback(nil, zErr)
+                return
+            }
+            
+            // Grab CA if specified
+            var ca = resp.id.ca
+            if let idCa = resp.id.ca {
+                ca = dropFirst("pem:", idCa)
+            }
+            
+            let zid = ZitiIdentity(id: controllerURL, ztAPIs: resp.ztAPIs, ca: ca)
+            log.info("Enrolled id:\(zid.id) with controller: \(zid.ztAPI)", function:"enroll()")
 
             enrollCallback(zid, nil)
         }
@@ -383,24 +404,35 @@ import CZitiPrivate
     /// - See also:
     ///     - `runAsync(_:)`
     @objc public func run(_ postureChecks:ZitiPostureChecks?, _ initCallback: @escaping InitCallback) {
-        // Get certificate
+        // Get certificates. There won't be any if this identity uses external authentication.
         let zkc = ZitiKeychain(tag: id.id)
-        guard let certPEM = id.getCertificates(zkc) else {
-            let errStr = "unable to retrieve certificates"
-            log.error(errStr)
-            initCallback(ZitiError(errStr))
-            return
+        var certPEMPtr:UnsafeMutablePointer<Int8>? = nil
+        let certPEM = id.getCertificates(zkc)
+        if (certPEM != nil) {
+            certPEMPtr = UnsafeMutablePointer<Int8>.allocate(capacity: certPEM!.count + 1)
+            certPEMPtr!.initialize(from: certPEM!, count: certPEM!.count + 1)
+        } else {
+            // is there any way to know at this point that ext auth is needed? maybe check ext auth signers? add "extAuthEnabled" field?
+            //let errStr = "unable to retrieve certificates"
+            //log.error(errStr)
+            //initCallback(ZitiError(errStr))
+            //return
         }
 
         // Get private key
-        guard let privKey = zkc.getPrivateKey() else {
-            let errStr = "unable to retrieve private key from keychain"
-            log.error(errStr)
-            initCallback(ZitiError(errStr))
-            return
+        var privKeyPEMPtr: UnsafeMutablePointer<Int8>? = nil
+        if let privKey = zkc.getPrivateKey() {
+            let privKeyPEM = zkc.getKeyPEM(privKey)
+            privKeyPEMPtr = UnsafeMutablePointer<Int8>.allocate(capacity: privKeyPEM.count + 1)
+            privKeyPEMPtr!.initialize(from: privKeyPEM, count: privKeyPEM.count + 1)
+        } else {
+            // check if we should have a key (same deal as with cert above)
+            //let errStr = "unable to retrieve private key from keychain"
+            //log.error(errStr)
+            //initCallback(ZitiError(errStr))
+            //return
         }
-        let privKeyPEM = zkc.getKeyPEM(privKey)
-        
+
         // init ziti
         self.initCallback = initCallback
         self.postureChecks = postureChecks
@@ -416,12 +448,6 @@ import CZitiPrivate
         let ctrlPtr = UnsafeMutablePointer<Int8>.allocate(capacity: id.ztAPI.count + 1)
         ctrlPtr.initialize(from: id.ztAPI, count: id.ztAPI.count + 1)
 
-        let certPEMPtr = UnsafeMutablePointer<Int8>.allocate(capacity: certPEM.count + 1)
-        certPEMPtr.initialize(from: certPEM, count: certPEM.count + 1)
-
-        let privKeyPEMPtr = UnsafeMutablePointer<Int8>.allocate(capacity: privKeyPEM.count + 1)
-        privKeyPEMPtr.initialize(from: privKeyPEM, count: privKeyPEM.count + 1)
-
         var caPEMPtr:UnsafeMutablePointer<Int8>? = nil // todo empty string
         if (id.ca != nil) {
             caPEMPtr = UnsafeMutablePointer<Int8>.allocate(capacity: id.ca!.count + 1)
@@ -451,8 +477,8 @@ import CZitiPrivate
         var zitiStatus = ziti_context_init(&self.ztx, &zitiCfg)
 
         ctrlPtr.deallocate()
-        certPEMPtr.deallocate()
-        privKeyPEMPtr.deallocate()
+        if let certPEMPtr = certPEMPtr { certPEMPtr.deallocate() }
+        if let privKeyPEMPtr = privKeyPEMPtr { privKeyPEMPtr.deallocate() }
         caPEMPtr?.deallocate()
 
         withUnsafeMutablePointer(to: &ctrls) { ctrlListPtr in
@@ -826,7 +852,18 @@ import CZitiPrivate
         mfaAuthResponseStatusCallback = cb
         ziti_mfa_auth(ztx, code.cString(using: .utf8), Ziti.onMfaAuthResponseStatus, self.toVoidPtr())
     }
-        
+    
+    /// Type definition of callback method for external authentication
+    public typealias ExtAuthCallback = (_ ziti:Ziti, _ url:String, _ ctx:UnsafeMutableRawPointer?) -> Void
+    private var extAuthStatusCallback:ExtAuthCallback?
+    public func extAuth(_ provider:String, _ cb: @escaping ExtAuthCallback) {
+        extAuthStatusCallback = cb
+        let cProvider = provider.cString(using: .utf8)
+        let cProviderCpy = copyString(cProvider) // grr
+        ziti_use_ext_jwt_signer(ztx, cProviderCpy)
+        ziti_ext_auth(ztx, Ziti.onExtAuthStatus, self.toVoidPtr())
+        freeString(cProviderCpy)
+    }
     // MARK: - Static C Callbacks
 
     static private let onMfaAuthResponseStatus:ziti_mfa_cb = { ztx, status, ctx in
@@ -1126,6 +1163,14 @@ import CZitiPrivate
         }
     }
 
+    static private let onExtAuthStatus:ziti_ext_auth_launch_cb = { ztx, url, ctx in
+        guard let mySelf = zitiUnretained(Ziti.self, ctx) else {
+            log.wtf("invalid context")
+            return
+        }
+        mySelf.extAuthStatusCallback?(mySelf, String(cString:url!), ctx)
+    }
+    
     // MARK: - Helpers
 
     private static func dropFirst(_ drop:String, _ str:String) -> String {

lib/ZitiEnroller.swift

@@ -37,16 +37,16 @@ import CZitiPrivate
     @objc public class EnrollmentResponse : NSObject, Codable {
         /// Identity portion of successful enrollment attempt
         public class Identity : Codable {
-            ///locally generated private key used for generating CSR as part of enrollmen
+            ///locally generated private key used for generating CSR as part of enrollment
             public var key:String?,
 
-            /// signed certificate created as part of CSR process
-            cert:String,
+            /// signed certificate created as part of CSR process. will be nill for url enrollments
+            cert:String?,
 
             /// root certificates for trusting the Ziti Controller
             ca:String?
 
-            init(cert:String, key:String?, ca:String?) {
+            init(cert:String?, key:String?, ca:String?) {
                 self.cert = cert
                 self.key = key
                 self.ca = ca
@@ -92,10 +92,12 @@ import CZitiPrivate
         var enrollmentCallback:EnrollmentCallback?
         var jwtFile_c:UnsafeMutablePointer<Int8>?
         var privatePem_c:UnsafeMutablePointer<Int8>?
+        var url_c:UnsafeMutablePointer<Int8>?
 
         deinit {
             jwtFile_c?.deallocate()
             privatePem_c?.deallocate()
+            url_c?.deallocate()
         }
     }
 
@@ -158,16 +160,48 @@ import CZitiPrivate
         }
     }
 
+    static func enroll(withLoop loop:UnsafeMutablePointer<uv_loop_t>?,
+                       controllerURL:String,
+                       cb:@escaping EnrollmentCallback) {
+        let enrollData = UnsafeMutablePointer<EnrollmentRequestData>.allocate(capacity: 1)
+        enrollData.initialize(to: EnrollmentRequestData())
+        enrollData.pointee.enrollmentCallback = cb
+        enrollData.pointee.url_c = UnsafeMutablePointer<Int8>.allocate(capacity: controllerURL.count + 1)
+        enrollData.pointee.url_c!.initialize(from: controllerURL.cString(using: .utf8)!, count: controllerURL.count + 1)
+        
+        var enroll_opts = ziti_enroll_opts(url: enrollData.pointee.url_c, token: nil, key: nil,
+                                           cert: nil, name: nil, use_keychain: false)
+        let status = ziti_enroll(&enroll_opts, loop, ZitiEnroller.on_enroll, enrollData)
+        guard status == ZITI_OK else {
+            let errStr = String(cString: ziti_errorstr(status))
+            log.error(errStr)
+            cb(nil, nil, ZitiError(errStr, errorCode: Int(status)))
+            return
+        }
+    }
+    
+    @objc public static func enroll(url:String, cb:@escaping EnrollmentCallback) {
+        self.enroll(withLoop: ZitiEnroller.loop, controllerURL: url, cb: cb)
+        
+        let runStatus = uv_run(ZitiEnroller.loop, UV_RUN_DEFAULT)
+        guard runStatus == 0 else {
+            let errStr = String(cString: uv_strerror(runStatus))
+            log.error(errStr)
+            cb(nil, nil, ZitiError(errStr, errorCode: Int(runStatus)))
+            return
+        }
+    }
+    
     /**
-     * Extract the sub (id) field from HWT file
+     * Extract the sub (id) field from JWT file
      */
     @objc public func getSubj() -> String? {
         return getClaims()?.sub
     }
 
     /**
      * Retreive the claims in the JWT file
-     * - returns: The claims in the file or nil if enable to decode
+     * - returns: The claims in the file or nil if unable to decode
      */
     public func getClaims() -> ZitiClaims? {
         do {
@@ -226,13 +260,14 @@ import CZitiPrivate
             log.wtf("invalid config", function:"on_enroll()")
             return
         }
-        guard let cert = String(cString: zc.id.cert, encoding: .utf8) else {
-            let errStr = "Unable to convert cert to string"
-            log.error(errStr, function:"on_enroll()")
-            let ze = ZitiError(errStr, errorCode: -1)
-            enrollData.pointee.enrollmentCallback?(nil, nil, ze)
-            return
-        }
+        // todo only do this if not using url.
+        //guard let cert = String(cString: zc.id.cert, encoding: .utf8) else {
+        //    let errStr = "Unable to convert cert to string"
+        //    log.error(errStr, function:"on_enroll()")
+        //    let ze = ZitiError(errStr, errorCode: -1)
+        //    enrollData.pointee.enrollmentCallback?(nil, nil, ze)
+        //    return
+        //}
 
         var controllers:[String] = []
         var ctrlList = zc.controllers
@@ -255,9 +290,14 @@ import CZitiPrivate
             return
         }
 
-        let id = EnrollmentResponse.Identity(cert: cert,
-                                             key: String(cString: zc.id.key, encoding: .utf8),
-                                             ca: String(cString: zc.id.ca, encoding: .utf8))
+        let cert:String? = zc.id.cert != nil ? String(cString: zc.id.cert, encoding: .utf8)! : nil
+        let key:String? = zc.id.key != nil ? String(cString: zc.id.key, encoding: .utf8)! : nil
+        let ca:String? = zc.id.ca != nil ? String(cString: zc.id.ca, encoding: .utf8)! : nil
+        
+        let id = EnrollmentResponse.Identity(cert: cert, key: key, ca: ca)
+        //let id = EnrollmentResponse.Identity(cert: cert,
+        //                                     key: String(cString: zc.id.key, encoding: .utf8),
+        //                                     ca: String(cString: zc.id.ca, encoding: .utf8))
         let enrollResp = EnrollmentResponse(ztAPIs: controllers, id: id)
         enrollData.pointee.enrollmentCallback?(enrollResp, enrollData.pointee.subj, nil)
     }

lib/ZitiEvent.swift

@@ -167,6 +167,9 @@ import CZitiPrivate
 
     /// Enumeration of possible authentication actions
     @objc public enum AuthAction : UInt32 {
+        /// Authentication flow is stuck, most likely due to (external auth) configuration
+        case CannotContinue
+        
         /// Request for MFA code
         case PromptTotp
 
@@ -180,21 +183,24 @@ import CZitiPrivate
 
         init(_ action:ziti_auth_action) {
             switch action {
-            case ziti_auth_prompt_totp:    self = .PromptTotp
-            case ziti_auth_prompt_pin:     self = .PromptPin
-            case ziti_auth_login_external: self = .LoginExternal
+            case ziti_auth_cannot_continue: self = .CannotContinue
+            case ziti_auth_prompt_totp:     self = .PromptTotp
+            case ziti_auth_prompt_pin:      self = .PromptPin
+            case ziti_auth_login_external:  self = .LoginExternal
+            case ziti_auth_select_external: self = .LoginExternal
             default: self = .Unknown
             }
         }
 
         /// Returns string representation of AuthAction
         public var debug: String {
             switch self {
-            case .PromptTotp:    return ".PromptTotp"
-            case .PromptPin:     return ".PromptPin"
-            case .LoginExternal: return ".LoginExternal"
-            case .Unknown:       return ".Unknown"
-            @unknown default:    return "unknown \(self.rawValue)"
+            case .CannotContinue: return ".CannotContinue"
+            case .PromptTotp:     return ".PromptTotp"
+            case .PromptPin:      return ".PromptPin"
+            case .LoginExternal:  return ".LoginExternal"
+            case .Unknown:        return ".Unknown"
+            @unknown default:     return "unknown \(self.rawValue)"
             }
         }
     }

lib/ZitiTunnel.swift

@@ -361,6 +361,9 @@ public class ZitiTunnel : NSObject, ZitiUnretained {
             }
             // pass event to application
             mySelf.tunnelProvider?.tunnelEventCallback(event)
+        case TunnelEvents.ExtJWTEvent.rawValue:
+            var cExtJWTEvent = UnsafeRawPointer(cEvent).bindMemory(to: ext_signer_event.self, capacity: 1)
+            mySelf.tunnelProvider?.tunnelEventCallback(ZitiTunnelExtJWTEvent(ziti, cExtJWTEvent))
         default:
             log.warn("Unrecognized event type \(cEvent.pointee.event_type.rawValue)")
             return

lib/ZitiTunnelEvent.swift

@@ -27,11 +27,6 @@ import CZitiPrivate
         self.ziti = ziti
     }
 
-    func toStr(_ cStr:UnsafePointer<CChar>?) -> String {
-        if let cStr = cStr { return String(cString: cStr) }
-        return ""
-    }
-    
     /// Provide a debug description of the event
     /// - returns: String containing the debug description
     public override var debugDescription: String {
@@ -263,3 +258,45 @@ import CZitiPrivate
             "   cert: \(certPEM)"
     }
 }
+
+@objc public class JWTProvider : NSObject, Codable {
+    public var name:String = ""
+    public var issuer:String = ""
+
+    init(provider_c: UnsafeMutablePointer<jwt_provider>) {
+        self.name = toStr(provider_c.pointee.name)
+        self.issuer = toStr(provider_c.pointee.issuer)
+    }
+}
+
+/// Class encapsulating Ziti Tunnel SDK C External JWT Event
+@objc public class ZitiTunnelExtJWTEvent : ZitiTunnelEvent {
+
+    /// Authentication status
+    public var status:String = ""
+
+    /// JWT providers
+    public var providers:[JWTProvider] = []
+
+    init(_ ziti:Ziti, _ evt:UnsafePointer<ext_signer_event>) {
+        super.init(ziti)
+        status = toStr(evt.pointee.status)
+        var providerList = evt.pointee.providers
+        withUnsafeMutablePointer(to: &providerList) { providerListPtr in
+            var i = model_list_iterator(providerListPtr)
+            while i != nil {
+                let providerPtr = model_list_it_element(i)
+                if let provider_c = UnsafeMutablePointer<jwt_provider>(OpaquePointer(providerPtr)) {
+                    let provider = JWTProvider(provider_c: provider_c)
+                    providers.append(provider)
+                }
+                i = model_list_it_next(i)
+            }
+        }
+    }
+}
+
+func toStr(_ cStr:UnsafePointer<CChar>?) -> String {
+    if let cStr = cStr { return String(cString: cStr) }
+    return ""
+}