Proto commits in openziti/ziti

These commits are when the Protocol Buffers files have changed: (only the last 100 relevant commits are shown)

Commit:7c19e44
Author:Andrew Martinez
Committer:Andrew Martinez

fixes openziti/ziti#3990 push service and posture state to subscribed SDKs - pushes indexed atomic ServiceChangeSet envelopes to subscribed SDK connections: a full snapshot on subscribe, incremental service changes per RDM scan pass, posture check definition changes as their own entries, and identity-resolved config bodies, all serialized so envelopes hit the wire in index order - pushes per-connection PostureStateChange state (monotonic seq, resync on request) for posture pass/fail, including flips caused by definition edits that mutate no posture data - registers pending RDM identity subscriptions for identities not yet synced to the router and sends an authoritative full sync plus full posture state when the identity arrives; an active push subscription pins the connection's RDM listener - advertises service subscriptions and router data model support on the control-channel capability bitmask; the controller persists each router's capabilities mask and version on the EdgeRouter entity via raft and renders them on the edge APIs, so SDKs can select capable routers before connecting - submits posture per router and corrects MFA posture semantics: pushed expiry is the earliest of timeout and pending wake/unlock grace deadlines, wake/unlock re-pass satisfies the re-prompt, api session tokens whose amr attests TOTP seed the MFA baseline from auth_time only (never iat), and token exchange carries the subject token's auth_time - sends structured denials on dial and bind refusals: posture failures carry the failing check ids, no-policy denials are access denied, unknown services are invalid service, and session token failures are invalid session; the denial's cause no longer rides the wire as an unserializable error - hard-closes accepted SDK connections on edge listener shutdown so clients observe a router going away immediately - adds integration coverage: subscription snapshots and change delivery, poll and push reconciliation as capable routers come and go, posture state and definition-change push, router views over the public SDK API, typed dial errors, MFA baseline seeding, and OIDC token-exchange auth_time preservation

Commit:9b9e560
Author:Andrew Martinez
Committer:Andrew Martinez

fixes openziti/ziti#3990 push service and posture changes to subscribed SDKs - routers push service change (ServiceChangeSet) and posture state (PostureStateChange) notifications directly to subscribed SDK connections, removing the controller from this path - adds RouterServiceSubscriptions and RouterDataModel capability bits and advertises them in the control-channel capabilities mask - persists each edge router's reported capabilities mask and version with a write-on-mismatch raft update, and renders them on the edge router APIs as a capability string list and version - normalizes a single PROCESS posture check to a one-element PROCESS_MULTI on the wire - closes accepted edge connections on router shutdown so SDKs detect a disconnect promptly rather than waiting for a heartbeat timeout - adds integration tests for capability reporting, service subscriptions, push/poll reconciliation, and posture-state push - resolves each subscribing identity's effective config set (service base configs merged with the identity's per-service overrides) and includes the config bodies on pushed service defs - adds GetIdentityServiceConfigs and refactors loadServiceConfigs to delegate to it - config edits ride the existing service-change path: a config change pushes a service-changed to every service that references it, carrying the new body - adds an integration test covering snapshot bodies, adding a config to a service, and editing a config shared by two services - asserts the resolved config body is returned by GetService, not just present on the service event, in the snapshot, config-added, and config-edited cases

Commit:d8ffdaf
Author:Paul Lorenz

Make identity revocation timestamps deterministic across controllers. Fixes #4088 - adds a mutation timestamp to the change context (both ChangeContext protos and the change.Context struct), stamped once when a command is dispatched so the replicated command carries the originating controller's time to every raft node, mirroring how raftIndex is threaded - has the identity revocation constraint derive the revocation's ExpiresAt and IssuedBefore from a cluster-consistent time instead of a per-node time.Now(): the disable transition uses the carried DisabledAt (also the correct cutoff), and delete uses the change-context timestamp; falls back to time.Now() only when no change context is present - adds change-context timestamp round-trip tests, including the zero-time mapping

Commit:102db69
Author:Paul Lorenz
Committer:Paul Lorenz

Auto-GC stale router links. Fixes #4005 - adds a structured xlink.LinkKey ({DialerBinding, Protocol, DestId, ListenerBinding}) used by all staleness and GC checks - adds the CheckStaleLinks ctrl message and the `ziti ops verify stale-links` CLI for operator-driven, two-sided staleness verification with optional --gc - implements auto-GC via the router.link.v1 gcMode (preserve/orphaned/changed): the router walks its xlinks after each Apply that mutates listeners, dialers, or gcMode and closes one-sided-stale entries under the configured mode For #3743.

Commit:af66c1f
Author:Paul Lorenz
Committer:Paul Lorenz

Manage router link configuration via the controller. Fixes #4004 - adds a link ConfigHandler (router/link FactoryRegistry) that applies router.link.v1 config: Apply rebuilds the listener/dialer set wholesale, and established Xlinks survive because Listener.Close() only closes the accept loop - translates local link: YAML into router.link.v1 JSON and pushes it through the managed-config registry at startup - adds the UpdateLinkListeners ctrl message so the router republishes its listener set to the controller on change; the controller re-fans via the existing PeerStateChange path - re-evaluates dialers on link group and listener changes via RescanForDialOpportunities For #3743.

Commit:187aa11
Author:Paul Lorenz
Committer:Paul Lorenz

Own the metrics wire format in ziti. Fixes #4036 - adds a common/servermetrics package that owns the metrics MetricsMessage wire format and the reporting/usage subsystem (message builder, usage registry, interval and usage counters), wrapping the openziti/metrics Registry for metric collection - moves the controllers metrics reporter into the router package and removes it from the shared metrics package, breaking a common -> router/env import cycle - repoints controller and router consumers to common/servermetrics; base metric collection stays on openziti/metrics - keeps the proto field numbers and the metrics content-type identical so the encoding is byte-compatible across the move, and uses a distinct proto package name so ziti's and the library's messages coexist without a global proto registry clash - adds a round-trip test asserting wire compatibility with the library's MetricsMessage - leaves openziti/metrics unchanged, so sdk-golang and the shared xgress data plane are unaffected

Commit:bb17872
Author:Andrew Martinez
Committer:Andrew Martinez

fixes openziti/ziti#3990 push service and posture changes to subscribed SDKs - routers push service change (ServiceChangeSet) and posture state (PostureStateChange) notifications directly to subscribed SDK connections, removing the controller from this path - adds RouterServiceSubscriptions and RouterDataModel capability bits and advertises them in the control-channel capabilities mask - persists each edge router's reported capabilities mask and version with a write-on-mismatch raft update, and renders them on the edge router APIs as a capability string list and version - normalizes a single PROCESS posture check to a one-element PROCESS_MULTI on the wire - closes accepted edge connections on router shutdown so SDKs detect a disconnect promptly rather than waiting for a heartbeat timeout - adds integration tests for capability reporting, service subscriptions, push/poll reconciliation, and posture-state push - resolves each subscribing identity's effective config set (service base configs merged with the identity's per-service overrides) and includes the config bodies on pushed service defs - adds GetIdentityServiceConfigs and refactors loadServiceConfigs to delegate to it - config edits ride the existing service-change path: a config change pushes a service-changed to every service that references it, carrying the new body - adds an integration test covering snapshot bodies, adding a config to a service, and editing a config shared by two services - asserts the resolved config body is returned by GetService, not just present on the service event, in the snapshot, config-added, and config-edited cases

Commit:b12d197
Author:Paul Lorenz
Committer:Paul Lorenz

Auto-GC stale router links. Fixes #4005 - adds a structured xlink.LinkKey ({DialerBinding, Protocol, DestId, ListenerBinding}) used by all staleness and GC checks - adds the CheckStaleLinks ctrl message and the `ziti ops verify stale-links` CLI for operator-driven, two-sided staleness verification with optional --gc - implements auto-GC via the router.link.v1 gcMode (preserve/orphaned/changed): the router walks its xlinks after each Apply that mutates listeners, dialers, or gcMode and closes one-sided-stale entries under the configured mode For #3743.

Commit:381e871
Author:Paul Lorenz
Committer:Paul Lorenz

Manage router link configuration via the controller. Fixes #4004 - adds a link ConfigHandler (router/link FactoryRegistry) that applies router.link.v1 config: Apply rebuilds the listener/dialer set wholesale, and established Xlinks survive because Listener.Close() only closes the accept loop - translates local link: YAML into router.link.v1 JSON and pushes it through the managed-config registry at startup - adds the UpdateLinkListeners ctrl message so the router republishes its listener set to the controller on change; the controller re-fans via the existing PeerStateChange path - re-evaluates dialers on link group and listener changes via RescanForDialOpportunities For #3743.

Commit:bfc8a9b
Author:Paul Lorenz
Committer:Paul Lorenz

Manage router link configuration via the controller. Fixes #4004 - adds a link ConfigHandler (router/link FactoryRegistry) that applies router.link.v1 config: Apply rebuilds the listener/dialer set wholesale, and established Xlinks survive because Listener.Close() only closes the accept loop - translates local link: YAML into router.link.v1 JSON and pushes it through the managed-config registry at startup - adds the UpdateLinkListeners ctrl message so the router republishes its listener set to the controller on change; the controller re-fans via the existing PeerStateChange path - re-evaluates dialers on link group and listener changes via RescanForDialOpportunities For #3743.

Commit:e12776b
Author:Paul Lorenz
Committer:Paul Lorenz

Auto-GC stale router links. Fixes #4005 - adds a structured xlink.LinkKey ({DialerBinding, Protocol, DestId, ListenerBinding}) used by all staleness and GC checks - adds the CheckStaleLinks ctrl message and the `ziti ops verify stale-links` CLI for operator-driven, two-sided staleness verification with optional --gc - implements auto-GC via the router.link.v1 gcMode (preserve/orphaned/changed): the router walks its xlinks after each Apply that mutates listeners, dialers, or gcMode and closes one-sided-stale entries under the configured mode For #3743.

Commit:cb68a9c
Author:Paul Lorenz

Add link metrics over gossip Replicates per-link latency across controllers via gossip so routing cost converges HA-wide, replacing per-controller derivation from the metrics firehose. - adds a link-metrics gossip store keyed by link id and owned by the reporting router, with a router publisher (threshold-based, force-publish on re-dial) and a controller listener (exact-iteration apply, both-end reconcile on link create) - adds a linkLatencyInGossip field to the servermetrics metrics message; the router sets it once every connected controller is gossip-capable, and the controller then stops deriving routing latency from that message while still relaying its histograms for observability - adds an inspect surface for the gossip link-metrics store

Commit:84b2026
Author:Paul Lorenz

Add link state replication over gossip. Fixes #3726 Replicates router-reported link state across HA controllers via a gossip store instead of per-controller fault forwarding, so every controller converges on the same view of links. - adds a versioned gossip store (Lamport clocks, deltas, acks, digests, anti-entropy, tombstones) and a generic per-state-type registration model - adds the link-state gossip type, controller listener, and router gossip client with reconcile and superseded-iteration tombstoning - adds a canary gossip type and controller/router canary handlers to detect divergence, plus inspect and `validate gossip` surfaces - advertises the ControllerLinkGossip capability and gates the router's link-state propagation on all controllers supporting it - ports the affected controller and router handlers from the channel v4 receive-handler API to v5 (AddReceiveHandlers / ContentTypeReceiver) - carries the gossip-stability work: bounded peer send timeouts, broadcast and digest on a separate I/O pool off the apply pool, digest debounce, and count-derivation, plus a per-peer broadcast message clone that fixes a concurrent-map-write crash - migrates the link subsystem to slog and adds observability (ctrl.is_leader gauge, messaging pool meters, slow-handler diagnostic) - adds a links-test fablab model and gossip chaos/validation for soak testing

Commit:c9e58f2
Author:Paul Lorenz

Own the metrics wire format in ziti. Fixes #4036 - adds a common/servermetrics package that owns the metrics MetricsMessage wire format and the reporting/usage subsystem (message builder, usage registry, interval and usage counters), wrapping the openziti/metrics Registry for metric collection - moves the controllers metrics reporter into the router package and removes it from the shared metrics package, breaking a common -> router/env import cycle - repoints controller and router consumers to common/servermetrics; base metric collection stays on openziti/metrics - keeps the proto field numbers and the metrics content-type identical so the encoding is byte-compatible across the move, and uses a distinct proto package name so ziti's and the library's messages coexist without a global proto registry clash - adds a round-trip test asserting wire compatibility with the library's MetricsMessage - leaves openziti/metrics unchanged, so sdk-golang and the shared xgress data plane are unaffected

Commit:30256b9
Author:Paul Lorenz
Committer:Paul Lorenz

Enforce api-session and identity revocations on the router. Fixes #3929 Backport to release-v2.0.x of #3927 (main-line fix in PR #3930). The router's CheckConnections reaper enforced only JWT expiry, so a revoked OIDC api-session, or a disabled/deleted identity, kept its live circuits and hosted terminators until the access token expired. The router now enforces the RouterDataModel revocations directly, tightening access-loss propagation to the reaper interval. - adds a Type field to DataState_Revocation and the raft Revocation command proto, mirroring rest_model.RevocationTypeEnum (API_SESSION/IDENTITY/JTI) so the management API, OIDC producers, sync, and router enforcement share one vocabulary; the common.RevocationType* constants are compile-time bound to the enum to prevent drift - adds an IssuedBefore cutoff so an identity revocation invalidates only sessions issued before it; a session re-authenticated after the cutoff survives the still-lingering revocation. Persists IssuedBefore on the db and model Revocation and carries it (plus the Type) through the single and batched raft marshalling - adds RouterDataModel.IsApiSessionRevoked and IsIdentityRevoked and enforces both in CheckConnections, closing a revoked session's connections - revokes a deleted or disabled identity's live OIDC sessions via an IdentityRevocationConstraint in the db package, run as a store pre-commit constraint so the revocation is written in the same transaction as the identity change and cannot be skipped (self-contained OIDC JWTs aren't otherwise reachable). NewIdentityManager installs it with the revocation type and lifetime - has the OIDC end-session (TerminateSessionFromRequest) revoke the specific api-session named by the z_asid claim, with an identity-scoped fallback; sets IssuedBefore on the identity fallback and the management revocation API; adds RevocationManager.CreateOrReplace, routed through by both the OIDC paths and the management revocation API, so a repeat logout/termination/revocation refreshes the cutoff rather than colliding on the reused id. Expiry derives from the longest configured token duration via a shared common.MaxTokenDuration helper - adds tests/revocation_enforcement_oidc_test.go covering api-session revocation (and a fresh session staying unaffected), identity disable and delete, and the identity cutoff (a post-cutoff session surviving the lingering revocation) - regenerates edge_cmd.pb.go (protoc-gen-go v1.31.0) and edge_ctrl.pb.go (v1.36.11) against the release-v2.0.x base, matching each file's existing generator version

Commit:fabd691
Author:Andrew Martinez
Committer:Andrew Martinez

fixes openziti/ziti#3990 push service and posture changes to subscribed SDKs - routers push service change (ServiceChangeSet) and posture state (PostureStateChange) notifications directly to subscribed SDK connections, removing the controller from this path - adds RouterServiceSubscriptions and RouterDataModel capability bits and advertises them in the control-channel capabilities mask - persists each edge router's reported capabilities mask and version with a write-on-mismatch raft update, and renders them on the edge router APIs as a capability string list and version - normalizes a single PROCESS posture check to a one-element PROCESS_MULTI on the wire - closes accepted edge connections on router shutdown so SDKs detect a disconnect promptly rather than waiting for a heartbeat timeout - adds integration tests for capability reporting, service subscriptions, push/poll reconciliation, and posture-state push

Commit:2fd62f9
Author:Paul Lorenz
Committer:Paul Lorenz

Auto-GC stale router links. Fixes #4005 - adds a structured xlink.LinkKey ({DialerBinding, Protocol, DestId, ListenerBinding}) used by all staleness and GC checks - adds the CheckStaleLinks ctrl message and the `ziti ops verify stale-links` CLI for operator-driven, two-sided staleness verification with optional --gc - implements auto-GC via the router.link.v1 gcMode (preserve/orphaned/changed): the router walks its xlinks after each Apply that mutates listeners, dialers, or gcMode and closes one-sided-stale entries under the configured mode For #3743.

Commit:bb236d1
Author:Paul Lorenz
Committer:Paul Lorenz

Manage router link configuration via the controller. Fixes #4004 - adds a link ConfigHandler (router/link FactoryRegistry) that applies router.link.v1 config: Apply rebuilds the listener/dialer set wholesale, and established Xlinks survive because Listener.Close() only closes the accept loop - translates local link: YAML into router.link.v1 JSON and pushes it through the managed-config registry at startup - adds the UpdateLinkListeners ctrl message so the router republishes its listener set to the controller on change; the controller re-fans via the existing PeerStateChange path - re-evaluates dialers on link group and listener changes via RescanForDialOpportunities For #3743.

Commit:12d94b7
Author:Paul Lorenz
Committer:Paul Lorenz

Auto-GC stale router links. Fixes #4005 - adds a structured xlink.LinkKey ({DialerBinding, Protocol, DestId, ListenerBinding}) used by all staleness and GC checks - adds the CheckStaleLinks ctrl message and the `ziti ops verify stale-links` CLI for operator-driven, two-sided staleness verification with optional --gc - implements auto-GC via the router.link.v1 gcMode (preserve/orphaned/changed): the router walks its xlinks after each Apply that mutates listeners, dialers, or gcMode and closes one-sided-stale entries under the configured mode For #3743.

Commit:16ffe0b
Author:Paul Lorenz
Committer:Paul Lorenz

Manage router link configuration via the controller. Fixes #4004 - adds a link ConfigHandler (router/link FactoryRegistry) that applies router.link.v1 config: Apply rebuilds the listener/dialer set wholesale, and established Xlinks survive because Listener.Close() only closes the accept loop - translates local link: YAML into router.link.v1 JSON and pushes it through the managed-config registry at startup - adds the UpdateLinkListeners ctrl message so the router republishes its listener set to the controller on change; the controller re-fans via the existing PeerStateChange path - re-evaluates dialers on link group and listener changes via RescanForDialOpportunities For #3743.

Commit:5b9ba46
Author:Paul Lorenz

Use gossip to propagate link data between routers and controllers. Fixes #3726 Replaces the legacy link fault/refresh protocol with a gossip-based anti-entropy store so routers and controllers converge on link state. - adds the gossip store, anti-entropy, and link/canary gossip handlers on both controller and router - splits router connects into a separate pool from router gossip/canary events (routerEventsPool, peerEventsPool) so connect bursts can't starve the gossip hot path - tidies canary sender close handling - refactors gossip store data to be organized by owner - adds store metrics, host metrics, and drops router metrics on router delete - adds a per-owner FNV-64a hash digest to anti-entropy so matching owners short-circuit per-entry comparison, plus diagnostic instrumentation (slow-handler dumps, disk gauges, stale-send and iteration-mismatch logging) - fixes a cmap re-entry deadlock in the digest handler by collecting (owner, ownerData) pairs under iteration and hashing outside it - defers link registry side-effect events outside the registry lock (applyLinkLocked) to avoid piling dial/accept workers behind a back-pressured event channel

Commit:1081898
Author:Paul Lorenz
Committer:Paul Lorenz

Implement stale links checking

Commit:90e2848
Author:Paul Lorenz
Committer:Paul Lorenz

Handle changes to link groups and listeners by publishing listener changes and re-evaluating dialers

Commit:0ee288e
Author:Paul Lorenz
Committer:GitHub

Distribute routers and router-target configs through the RDM. Fixes #3976 (#3977) - adds a `DataState.Router` event variant (id, name, fingerprint, configs) to the RDM protobuf and the matching ConfigType.Target field flows - loads routers into `RouterDataModelSender` at startup and registers entity-change listeners so router create/update/delete and config reassignment emit RDM events - filters `Config` events per-router at `RouterSender`: each router sees the full `Router` set but only its own router-target Configs - receiver-side: parses and stores `Router` entities; GCs router-target Configs locally when they drop off the router's `Configs` list, so no synthetic remove events are needed on the wire - extends the `router-data-model-test` fablab model with router-config distribution scenarios (assignment, reassignment, controller restart, RDM cache miss) - updates `validate-router-data-model` to recognize the new event shape - refreshes the design doc to describe per-router filtering and the change-notification flow

Commit:5fc769c
Author:Paul Lorenz

Enforce api-session and identity revocations on the router. Fixes #3929 Backport to release-v2.0.x of #3927 (main-line fix in PR #3930). The router's CheckConnections reaper enforced only JWT expiry, so a revoked OIDC api-session, or a disabled/deleted identity, kept its live circuits and hosted terminators until the access token expired. The router now enforces the RouterDataModel revocations directly, tightening access-loss propagation to the reaper interval. - adds a Type field to DataState_Revocation and the raft Revocation command proto, mirroring rest_model.RevocationTypeEnum (API_SESSION/IDENTITY/JTI) so the management API, OIDC producers, sync, and router enforcement share one vocabulary; the common.RevocationType* constants are compile-time bound to the enum to prevent drift - adds an IssuedBefore cutoff so an identity revocation invalidates only sessions issued before it; a session re-authenticated after the cutoff survives the still-lingering revocation. Persists IssuedBefore on the db and model Revocation and carries it (plus the Type) through the single and batched raft marshalling - adds RouterDataModel.IsApiSessionRevoked and IsIdentityRevoked and enforces both in CheckConnections, closing a revoked session's connections - revokes a deleted or disabled identity's live OIDC sessions via an IdentityRevocationConstraint in the db package, run as a store pre-commit constraint so the revocation is written in the same transaction as the identity change and cannot be skipped (self-contained OIDC JWTs aren't otherwise reachable). NewIdentityManager installs it with the revocation type and lifetime - has the OIDC end-session (TerminateSessionFromRequest) revoke the specific api-session named by the z_asid claim, with an identity-scoped fallback; sets IssuedBefore on the identity fallback and the management revocation API; adds RevocationManager.CreateOrReplace, routed through by both the OIDC paths and the management revocation API, so a repeat logout/termination/revocation refreshes the cutoff rather than colliding on the reused id. Expiry derives from the longest configured token duration via a shared common.MaxTokenDuration helper - adds tests/revocation_enforcement_oidc_test.go covering api-session revocation (and a fresh session staying unaffected), identity disable and delete, and the identity cutoff (a post-cutoff session surviving the lingering revocation) - regenerates edge_cmd.pb.go (protoc-gen-go v1.31.0) and edge_ctrl.pb.go (v1.36.11) against the release-v2.0.x base, matching each file's existing generator version

Commit:ff61927
Author:Paul Lorenz
Committer:Paul Lorenz

Enforce api-session and identity revocations on the router. Fixes #3927 The router's CheckConnections reaper enforced only JWT expiry, so a revoked OIDC api-session, or a disabled/deleted identity, kept its live circuits and hosted terminators until the access token expired. The router now enforces the RouterDataModel revocations directly, tightening access-loss propagation to the reaper interval. - adds a Type field to DataState_Revocation and the raft Revocation command proto, mirroring rest_model.RevocationTypeEnum (API_SESSION/IDENTITY/JTI) so the management API, OIDC producers, sync, and router enforcement share one vocabulary; the common.RevocationType* constants are compile-time bound to the enum to prevent drift - adds an IssuedBefore cutoff so an identity revocation invalidates only sessions issued before it; a session re-authenticated after the cutoff survives the still-lingering revocation. Persists IssuedBefore on the db and model Revocation and carries it (plus the Type) through the single and batched raft marshalling - adds RouterDataModel.IsApiSessionRevoked and IsIdentityRevoked and enforces both in CheckConnections, closing a revoked session's connections - revokes a deleted or disabled identity's live OIDC sessions via an IdentityRevocationConstraint in the db package, run as a store pre-commit constraint so the revocation is written in the same transaction as the identity change and cannot be skipped (self-contained OIDC JWTs aren't otherwise reachable). NewIdentityManager installs it with the revocation type and lifetime - has the OIDC end-session (TerminateSessionFromRequest) revoke the specific api-session named by the z_asid claim, with an identity-scoped fallback; sets IssuedBefore on the identity fallback and the management revocation API; adds RevocationManager.CreateOrReplace, routed through by both the OIDC paths and the management revocation API, so a repeat logout/termination/revocation refreshes the cutoff rather than colliding on the reused id. Expiry derives from the longest configured token duration via a shared common.MaxTokenDuration helper - adds tests/revocation_enforcement_oidc_test.go covering api-session revocation (and a fresh session staying unaffected), identity disable and delete, and the identity cutoff (a post-cutoff session surviving the lingering revocation)

Commit:cdc5d89
Author:Paul Lorenz
Committer:Paul Lorenz

Add configs field to routers. Fixes #3780

Commit:2bf9808
Author:Paul Lorenz
Committer:Paul Lorenz

Add target field to config types. Fixes #3744

Commit:09db468
Author:Paul Lorenz
Committer:Paul Lorenz

Update circuit-perf-diff test to report more metrics. Allow deploying ziti-traffic-test from git ref - adds stageziti.StageZitiTrafficTest / StageZitiTrafficTestOnce, which clone openziti/ziti, check out the requested ref (tag, branch, or commit SHA), and build zititest/ziti-traffic-test from source for linux/amd64; output is cached in the kit bin dir as ziti-traffic-test-<version> - extends StageZiti to build the ziti multi-tool from source via the same git-clone path when version is not a release tag (commit hash, branch name, "main"); semver-tagged versions still download the prebuilt GitHub release - introduces gitBuildSpec / buildFromGit in stageziti so the git-build pipeline is shared by both binaries; supports overriding the source repo via ZITI_TRAFFIC_TEST_REPO_URL (a local filesystem path works, letting developers build from a working tree) - adds Loop4SimType.Version: when set, the fablab run builds ziti-traffic-test from that ref before staging; empty preserves the legacy local-path behavior - relaxes canonicalizeGoAppVersion so bare commit hashes and branch names pass through unchanged and can flow into the git-build path, while bare semver still gets the leading "v" prefix; covered by a new unit test - shifts loop4.proto ContentType values from 1-3 to 1000-1002 to avoid collision with channel/v4 reserved types (Ping/Result/Latency/etc.), matching the convention used by ctrl_pb / edge_client_pb - collects xgress-level meters (retransmissions, retx failures, dup acks, dropped payloads, dup payloads, blocked-by-local/remote-window) per data-plane host and emits a "Network health" block in the per-pair report so flow-control regressions are visible alongside service throughput/latency - tags loop-host-xg with sim-services-client and adds a metrics connector block to its config so the listener can push its SDK xgress metrics into fablab via the metrics service - adds tc_actions.go registering netem-based scenarios (tcClear, tcJitter, tcLowLoss, tcHighLatency, tcHighRtt, ...) that apply tc qdiscs to the default interface of every data-plane host; auto- detects the interface so it works across AWS AMI variants without severing ssh on a mgmt NIC - hardens runFullComparison with consecutive-failure tracking: a single failed pair is logged and skipped after a best-effort stopDataPlane recovery, but maxConsecutivePairFailures (5) in a row aborts the run; protects 8-hour comparisons from a transient ssh blip on a single pair - replaces the old GOPATH-bin copy in stageBaselineTrafficTest with a StageZitiTrafficTestOnce call against the new git-build path, so baseline binaries are produced reproducibly from a pinned commit rather than whatever happens to be in GOPATH/bin

Commit:6515e36
Author:Andrew Martinez
Committer:GitHub

fixes #3680 add revocation management API, CLI, and enforcement (#3789) * fixes #3680 add revocation management API, CLI, and enforcement - adds Management API endpoints for revocations (POST, GET, LIST) with type-aware validation (JTI/API_SESSION require UUID, IDENTITY requires existing identity) - adds CLI commands: ziti edge create revocation identity|api-session|jti - adds revocation checks to resolveOidcSession in security_ctx.go so the REST API returns 401 for revoked OIDC tokens. Previously only ValidateAccessToken (router ctrl channel path) checked revocations, so revoked tokens still received 200 OK from the management and client HTTP APIs - adds api-session revocation check to ValidateAccessToken, which only checked JTI and identity revocations - adds Type field to Revocation model, store, and protobuf message - adds integration tests covering CRUD, input validation, and token enforcement for all three revocation types - use release edge-api@v0.28.1

Commit:949adaf
Author:Paul Lorenz
Committer:Paul Lorenz

Coalesce OIDC JWT revocations to reduce controller write pressure. Fixes #3764 - adds DeleteRevocationsBatchCommand so expired-revocation cleanup goes through raft as a single log entry per batch - adds CreateRevocationsBatchCommand for batched revocation creation through raft - moves refresh-token revocations from synchronous inline creation to a background batcher that flushes on a configurable interval, removing the database and raft as a bottleneck on token refreshes - skips revocation creation for tokens expiring within a configurable threshold (revocationMinTokenLifetime), since they become invalid on their own - validates that revocationMinTokenLifetime is less than 50% of the configured refresh token lifetime - makes the revocation enforcer frequency configurable and restricts it to run only on the raft leader - adds tests for multi-batch delete, batched create with router RDM propagation, and skip-threshold behavior - adds new configuration tunables under edge.oidc: revocationBucketInterval, revocationMinTokenLifetime, revocationBucketMaxSize, revocationMaxQueued, revocationEnforcerFrequency

Commit:3a945e4
Author:Paul Lorenz

Add initial POC work on federated routers

Commit:7b4ae12
Author:Paul Lorenz
Committer:Paul Lorenz

Add CreateCircuitV3 for RDM-authorized circuit creation. Fixes #3721 - adds CreateCircuitV3 message type and handler for routers that have already authorized dials locally via RDM, bypassing service session tokens in favor of identity ID, service ID, and pre-assigned circuit ID - renames CreateCircuitRequest/Response to CreateCircuitV2Request/V2Response for clarity now that V3 exists - adds CircuitManager.Reserve to atomically claim circuit IDs before routing, preventing collisions on pre-assigned IDs - extends CreateCircuitParams with GetCircuitId so V3 can supply a pre-assigned circuit ID (falls back to UUID generation when empty) - fixes IsDialableByIdentity which was incorrectly calling IsBindableByIdentity - extracts V2 handler into its own file create_circuit_v2.go - adds CreateCircuitV3RequestType/ResponseType (20222/20223) to edge_ctrl protobuf - registers V3 handler in controller server

Commit:62e2916
Author:Paul Lorenz
Committer:Paul Lorenz

Coalesce OIDC JWT revocations to reduce controller write pressure. Fixes #3681 - adds DeleteRevocationsBatchCommand so expired-revocation cleanup goes through raft as a single log entry per batch - adds CreateRevocationsBatchCommand for batched revocation creation through raft - moves refresh-token revocations from synchronous inline creation to a background batcher that flushes on a configurable interval, removing the database and raft as a bottleneck on token refreshes - skips revocation creation for tokens expiring within a configurable threshold (revocationMinTokenLifetime), since they become invalid on their own - validates that revocationMinTokenLifetime is less than 50% of the configured refresh token lifetime - makes the revocation enforcer frequency configurable and restricts it to run only on the raft leader - adds tests for multi-batch delete, batched create with router RDM propagation, and skip-threshold behavior - adds new configuration tunables under edge.oidc: revocationBucketInterval, revocationMinTokenLifetime, revocationBucketMaxSize, revocationMaxQueued, revocationEnforcerFrequency

Commit:e163817
Author:Paul Lorenz
Committer:Paul Lorenz

Fixes for SDK terminator management. Add support for ziti sdk inspection. Fixes #3609 - removes legacy v1 terminator code path; all terminators now use v2 flow - refactors edgeTerminator.close() to decouple SDK notification from control plane notification - adds pending SDK close notification queue with retry when channel is busy - adds post-create inspect mechanism that verifies SDK still holds the bind after terminator creation - queues second post-create inspect when establishment takes >30s to catch SDK timeout races - detects and discards stale reordered binds on the same connection by comparing connIds - re-establishes replacement terminators when a delete/create race is detected - eliminates IsEntityPresent pre-filter in removeTerminatorsHandler to prevent raft ordering races - fixes ValidateTerminators to query identities from the correct manager with the correct filter field - adds postCreate flag to ValidateTerminatorsV2Request so routers skip redundant SDK inspect - returns retry-later (nil result) from router validation when inspect is temporarily unavailable - blocks SyncAllSubscribers until completion and guards RouterDataModel replacement with in-progress flag - fixes InheritLocalData to enable service access tracking for all subscribed identities - adds Services.Has check in GetServiceAccessPolicies to prevent false policy grants - validates policy-to-identity associations in ValidateServicePolicies - adds `ziti agent tunnel dump-sdk` command for SDK context inspection via IPC agent - adds `ziti fabric inspect sdk` command to query SDK context through routers - fixes --expected-per-host CLI flag binding in validate terminators command - changes bind-access-lost retry hint from NotRetriable to RetryStartOver - moves trace route response and xgress close handling off channel handler goroutine - fixes listTerminators test helper to URL-encode filter parameter - improves sdk-hosting-test validation resilience with login and query retries - adds terminator_create_flow.md documenting the full lifecycle across SDK, router, and controller - adds detailed logging for data model sync, service access tracking, and subscriber change detection

Commit:6b869ce
Author:Paul Lorenz
Committer:Paul Lorenz

Add support for ctrlChanListener on router to the model. Fixes #3635

Commit:d1300de
Author:Paul Lorenz
Committer:Paul Lorenz

Add preferredLeader flag to raft configuration. Fixes #3600

Commit:6e50523
Author:Paul Lorenz
Committer:Paul Lorenz

Expand on controller details send for controller endpoint updates

Commit:abaed96
Author:Paul Lorenz
Committer:Paul Lorenz

Add groups to ctrlChanListeners. Add router listener.

Commit:3b345b8
Author:Paul Lorenz
Committer:Paul Lorenz

Add support for ctrlChanListener on router to the model

Commit:8f84dad
Author:Paul Lorenz
Committer:Paul Lorenz

Add gap detectino and handling to router data model. Fixes #3599

Commit:ab51fa8
Author:Paul Lorenz
Committer:Paul Lorenz

Fix the control channel header conflicts with channel headers. Use single strategy for sharing capabilities with bit mask.

Commit:45bf527
Author:Paul Lorenz
Committer:Paul Lorenz

Provide more error context to SDKs for terminator errors. Fixes #3524

Commit:2ffc6e1
Author:Paul Lorenz
Committer:Paul Lorenz

Update ziti version to 2.0

Commit:284a08b
Author:Paul Lorenz
Committer:Paul Lorenz

Remove support for create terminator v1. Fixes #3516

Commit:08359a9
Author:Paul Lorenz
Committer:Paul Lorenz

Remove legacy link management code from the controller. Fixes #3512

Commit:c18a594
Author:Paul Lorenz
Committer:Paul Lorenz

Clustering coordination fixes * Allow routers to request current cluster membership information. Fixes #3503 * Get cluster membership information from raft directly, rather than trying to cache it in the DB. Fixes #3501 * Set a router data model timeline when initializing a new HA setup, rather than letting it stay blank. Fixes #3500 * Reduce router data model full state updates. Fixes #3504

Commit:3cfc8b5
Author:Paul Lorenz
Committer:Paul Lorenz

Controller should clear links not in full link sync from router. Fixes #3492

Commit:ae83069
Author:Paul Lorenz
Committer:Paul Lorenz

Add permissions list to identity. Fixes #3430. Add read-only permission. Fixes #2109. Add CRUD permissions by entity type. Fixes #3435

Commit:ffe6e16
Author:Paul Lorenz
Committer:Paul Lorenz

Separate raft command submission limiting from in-flight limiting. Fix some create terminator error handling. Fixes #3318

Commit:d37c721
Author:Paul Lorenz
Committer:Paul Lorenz

Optimize router data model subscription code. Add additional events. Fixes #3359

Commit:ce83c0f
Author:Andrew Martinez
Committer:GitHub

fixes openziti/ziti#2324 add token based enrollment (#3342) * fixes openziti/ziti#2324 add token based enrollment - allows enrollment to certificate auth - allows enrollment to ext jwt token auth - alters ext jwt claimsProperty (maps identity id) to support JSON pointers, defaults to `/sub` - adds ext jwt enrollToCert, enrollToToken to controller valid enrollment end-authenticator state - adds ext jwt enrollAuthPolicyId to map end identity auth policy to, defaults to `default` - adds ext jwt enrollAttributeSelector, supports single field name or JSON pointer to point to a single string or array of string attributes to give the identity, defaults to no selector - adds ext jwt enrollNameSelector, supports single field name or JSON pointer to a string field to use as the name, defaults to `/sub` - add enrollment errors to determine if enrollment has occurred - adds CLI support for ext jwt signer enroll flags

Commit:928c5ec
Author:Andrew Martinez
Committer:Andrew Martinez

fixes openziti/ziti#2324 add token based enrollment - allows enrollment to certificate auth - allows enrollment to ext jwt token auth - alters ext jwt claimsProperty (maps identity id) to support JSON pointers, defaults to `/sub` - adds ext jwt enrollToCert, enrollToToken to controller valid enrollment end-authenticator state - adds ext jwt enrollAuthPolicyId to map end identity auth policy to, defaults to `default` - adds ext jwt enrollAttributeSelector, supports single field name or JSON pointer to point to a single string or array of string attributes to give the identity, defaults to no selector - adds ext jwt enrollNameSelector, supports single field name or JSON pointer to a string field to use as the name, defaults to `/sub` - add enrollment errors to determine if enrollment has occurred - adds CLI support for ext jwt signer enroll flags

Commit:6530637
Author:Paul Lorenz
Committer:Paul Lorenz

Add alert events. Fixes #3264

The documentation is generated from this commit.

Commit:a8220b4
Author:Paul Lorenz
Committer:Paul Lorenz

Add alert events. Fixes #3264

The documentation is generated from this commit.

Commit:19883df
Author:Paul Lorenz
Committer:Paul Lorenz

Add alert events. Fixes #3264

The documentation is generated from this commit.

Commit:e78595e
Author:Paul Lorenz
Committer:Paul Lorenz

Add alert events. Fixes #3264

The documentation is generated from this commit.

Commit:be49f22
Author:Paul Lorenz
Committer:Paul Lorenz

Add alert events. Fixes #3264

The documentation is generated from this commit.

Commit:e2e18b0
Author:Paul Lorenz
Committer:Paul Lorenz

Add alert events. Fixes #3264

The documentation is generated from this commit.

Commit:88d1026
Author:Paul Lorenz
Committer:Paul Lorenz

Add alert events. Fixes #3264

The documentation is generated from this commit.

Commit:d496df8
Author:Paul Lorenz

Add event types. Fixes #3264

The documentation is generated from this commit.

Commit:e5fb699
Author:Paul Lorenz
Committer:Paul Lorenz

Support multi-underlay links. Fixes #3134

Commit:ce4dcdc
Author:Paul Lorenz
Committer:Paul Lorenz

Support multi-underlay links. Fixes #3134

Commit:403a45b
Author:Paul Lorenz
Committer:Paul Lorenz

Support multi-underlay links. Fixes #3134

Commit:26e886f
Author:Paul Lorenz
Committer:Paul Lorenz

Support multi-underlay links. Fixes #3134

Commit:11dd4df
Author:Paul Lorenz
Committer:Paul Lorenz

Support multi-underlay links. Fixes #3134

Commit:ba85c21
Author:Paul Lorenz
Committer:Paul Lorenz

Update circuit test and ziti traffic test

Commit:80b6202
Author:Paul Lorenz
Committer:Paul Lorenz

Start on circuit scale test

Commit:0054443
Author:Paul Lorenz

Support multi-underlay links. Fixes #3134

Commit:ca65434
Author:Paul Lorenz
Committer:Paul Lorenz

Start on circuit scale test

Commit:96a5568
Author:Paul Lorenz
Committer:Paul Lorenz

Start on circuit scale test

Commit:cc7eefa
Author:Paul Lorenz
Committer:Paul Lorenz

Add support for tracking network interfaces on routers and identities. Fixes #3082. Add network discover to router. Fixes #3083

Commit:28ef633
Author:Paul Lorenz
Committer:Paul Lorenz

Start on circuit scale test

Commit:cea45ba
Author:Paul Lorenz
Committer:Paul Lorenz

Implement remote control for ziti-traffic-test/loop4. Fixes #3102

Commit:b21db0f
Author:Paul Lorenz
Committer:Paul Lorenz

Implement circuit validation API and CLI. Fixes #3098

Commit:98d4299
Author:Paul Lorenz

Implement circuit validation API and CLI. Fixes #3098

Commit:1b419ea
Author:Paul Lorenz
Committer:Paul Lorenz

Add support for tracking network interfaces on routers and identities. Fixes #3082. Add network discover to router. Fixes #3083

Commit:0015627
Author:Paul Lorenz
Committer:Paul Lorenz

Add support for tracking network interfaces on routers and identities. Fixes #3082. Add network discover to router. Fixes #3083

Commit:3995091
Author:Andrew Martinez
Committer:GitHub

fixes #3068 adds event dispatching for auto ca enrollment (#3069)

Commit:b4874ca
Author:Paul Lorenz
Committer:Paul Lorenz

test updates

Commit:6dd1e30
Author:Paul Lorenz
Committer:Paul Lorenz

test updates

Commit:48add70
Author:Paul Lorenz
Committer:Paul Lorenz

Start on circuit scale test

Commit:de125f2
Author:Paul Lorenz
Committer:Paul Lorenz

test updates

Commit:545e813
Author:Paul Lorenz
Committer:Paul Lorenz

test updates

Commit:f07640d
Author:Paul Lorenz
Committer:Paul Lorenz

Start on circuit scale test

Commit:0506ef2
Author:Andrew Martinez
Committer:GitHub

fix.3048.auth.events.impropert.chain.flag (#3050) fixes #3084 adds events and improper chain flag - splits cert resolution into root, legacy root + intermediate, and third-party pool. Allowing the detection of client authentication with incomplete chains if root + intermediate succeeds after root only fails - adds `improperClientCertChain` to API Sessions and Current API Session. Added for OIDC and legacy auth. Set to true when a client certificate is used that was issued by the network and did not pass the root-only pool.

Commit:4cd2532
Author:Paul Lorenz

test updates

Commit:1c68b74
Author:Paul Lorenz
Committer:Paul Lorenz

test updates

Commit:206c673
Author:Paul Lorenz
Committer:Paul Lorenz

Start on circuit scale test

Commit:0ca8920
Author:Andrew Martinez
Committer:GitHub

fix #2996 add ability to flag cert authenticators for extension/key roll (#3025) * fix #2996 add ability to flag cert authenticators for extension/key roll

Commit:76125c5
Author:Paul Lorenz
Committer:Paul Lorenz

Initial pass at loop4 sim. Fixes #2978

Commit:30da593
Author:Paul Lorenz
Committer:GitHub

Cache ER/T terminator ids for faster restarts. Fixes #2807 (#2815)

Commit:ec57c80
Author:Paul Lorenz
Committer:GitHub

ER/T Hosting HA chaos test and fixes (#2806) * Add ERT hosting chaos test. Also add ert terminator validation utility. Fixes #2288 * Rework ER/T terminator management based on SDK terminator management code * Update deps * Make sdk/ert-terminators into a constant

Commit:fccc075
Author:Andrew Martinez
Committer:GitHub

fixes #2681 adds targetToken support for ext jwt signers (#2686) * fixes #2681 adds targetToken support for ext jwt signers - adds targetToken of values ACCESS, ID for management API CRUD - adds targetToken to client API reads - adds --target-token to external jwt signers CLI - updates/adds tests - update client test

Commit:0387076
Author:Paul Lorenz
Committer:Paul Lorenz

Ensure restores and migrations work properly with RDM. Add restore from db for HA Clusters. Fixes #2549. Fixes #2649. Fixes #2707

Commit:f20fb67
Author:Paul Lorenz
Committer:Paul Lorenz

Experimental support for accessing ziti components over the mgmt/ctrl channels. Fixes #2439

Commit:5429ce5
Author:Paul Lorenz

Separate leader updates from controller cluster member updates

Commit:a4d66f8
Author:Paul Lorenz
Committer:Paul Lorenz

Switch router storage to serialized protobuf, rather than json

Commit:6517a7c
Author:Paul Lorenz
Committer:Paul Lorenz

Move routers to a subscription model where they subcribe to model data from one controller for a limited time. Fixes #2599

Commit:29a199c
Author:Paul Lorenz
Committer:Paul Lorenz

Add router data model chaos test. Fixes #2550