back merge to python setup

.flake8

@@ -0,0 +1,2 @@
+[flake8]
+max-line-length = 120

.github/workflows/build-wheels.yml

@@ -35,6 +35,7 @@ jobs:
       - name: Build distro
         env:
           ZROK_VERSION: ${{ github.event.release.tag_name }}
+          ZROK_PY_NAME: ${{ vars.ZROK_PY_NAME || null }}
         run: |
           python setup.py sdist
 

.github/workflows/publish-docker-images.yml

@@ -72,11 +72,12 @@ jobs:
 
       - name: Set Up Container Image Tags for zrok CLI Container
         env:
-          RELEASE_REPO: openziti/zrok
-          ZROK_VERSION: ${{ steps.semver.outputs.zrok_semver }}
+          ZROK_CONTAINER_IMAGE_REPO: ${{ vars.ZROK_CONTAINER_IMAGE_REPO || 'openziti/zrok' }}
+          ZROK_CONTAINER_IMAGE_TAG: ${{ steps.semver.outputs.zrok_semver }}
         id: tagprep_cli
         run: |
-          echo DOCKER_TAGS="${RELEASE_REPO}:${ZROK_VERSION},${RELEASE_REPO}:latest" | tee -a $GITHUB_OUTPUT
+          echo DOCKER_TAGS="${ZROK_CONTAINER_IMAGE_REPO}:${ZROK_CONTAINER_IMAGE_TAG},${ZROK_CONTAINER_IMAGE_REPO}:latest" \
+          | tee -a $GITHUB_OUTPUT
 
       # this is the CLI image with the Linux binary for each
       # arch that was downloaded in ./dist/

CHANGELOG.md

@@ -1,11 +1,21 @@
 # CHANGELOG
 
+## v0.4.20
+
+CHANGE: OpenZiti SDK updated to `v0.21.2`. All `ziti.ListenOptions` listener options configured to use `WaitForNEstablishedListeners: 1`. When a `zrok share` client or an `sdk.Share` client are connected to an OpenZiti router that supports "listener established" events, then listen calls will not return until the listener is fully established on the OpenZiti network. Previously a `zrok share` client could report that it is fully operational and listening before the listener is fully established on the OpenZiti network; in practice this produced a very small window of time when the share would not be ready to accept requests. This change eliminates this window of time (https://github.com/openziti/zrok/issues/490)
+
+FIX: Require the JWT in a zrok OAuth cookie to have an audience claim that matches the public share hostname. This prevents a cookie from one share from being use to log in to another share.
+
 ## v0.4.19
 
 FEATURE: Reserved shares now support unique names ("vanity tokens"). This allows for the creation of reserved shares with identifiable names rather than generated share tokens. Includes basic support for profanity checking (https://github.com/openziti/zrok/issues/401)
 
+CHANGE: The `publicProxy` endpoint implementation used in the `zrok access public` frontend has been updated to use the new `RefreshService(serviceName)` call instead of `RefreshServices()`. This should greatly improve the performance of requests against missing or non-responsive zrok shares (https://github.com/openziti/zrok/issues/487)
+
 CHANGE: The Python SDK has been updated to properly support the "reserved" flag on the `ShareRequest` passed to `CreateShare`
 
+CHANGE: Dependency updates; `github.com/openziti/[email protected]`; `github.com/caddyserver/caddy/[email protected]`; indirect dependencies
+
 ## v0.4.18
 
 FEATURE: Python SDK added. Can be found on [pypi](https://test.pypi.org/project/zrok-sdk). `pastebin` example illustrates basic SDK usage (see `sdk/python/examples/README.md` for details) (https://github.com/openziti/zrok/issues/401)

cmd/zrok/testLoopPublic.go

@@ -149,16 +149,17 @@ func (l *looper) serviceListener() {
 		logrus.Errorf("error opening ziti config '%v': %v", l.zif, err)
 		return
 	}
-	opts := ziti.ListenOptions{
-		ConnectTimeout: 5 * time.Minute,
-		MaxConnections: 10,
+	options := ziti.ListenOptions{
+		ConnectTimeout:               5 * time.Minute,
+		MaxConnections:               64,
+		WaitForNEstablishedListeners: 1,
 	}
 	zctx, err := ziti.NewContext(zcfg)
 	if err != nil {
 		logrus.Errorf("error loading ziti context: %v", err)
 		return
 	}
-	if l.listener, err = zctx.ListenWithOptions(l.shrToken, &opts); err == nil {
+	if l.listener, err = zctx.ListenWithOptions(l.shrToken, &options); err == nil {
 		if err := http.Serve(l.listener, l); err != nil {
 			logrus.Errorf("looper #%d, error serving: %v", l.id, err)
 		}

cmd/zrok/testWebsocket.go

@@ -87,7 +87,7 @@ func (cmd *testWebsocketCommand) run(_ *cobra.Command, args []string) {
 		addr = cmd.serviceName
 	} else {
 		if len(args) == 0 {
-			logrus.Error("Address required if not using ziti")
+			logrus.Error("address required if not using ziti")
 			flag.Usage()
 			os.Exit(1)
 		}
@@ -102,13 +102,13 @@ func (cmd *testWebsocketCommand) run(_ *cobra.Command, args []string) {
 	}
 	defer c.Close(websocket.StatusInternalError, "the sky is falling")
 
-	logrus.Info("Writing to server...")
+	logrus.Info("writing to server...")
 	err = wsjson.Write(ctx, c, "hi")
 	if err != nil {
 		logrus.Error(err)
 		return
 	}
-	logrus.Info("Reading response...")
+	logrus.Info("reading response...")
 	typ, dat, err := c.Read(ctx)
 	if err != nil {
 		logrus.Error(err)

docker/compose/zrok-public-reserved/compose.yml

@@ -43,7 +43,7 @@ services:
       ZROK_TARGET:          # backend target, is a path in container filesystem unless proxy mode
       ZROK_INSECURE:        # "--insecure" if proxy target has unverifiable TLS server certificate
       ZROK_OAUTH_PROVIDER:  # google, github
-      ZROK_OATH_EMAILS:     # allow space-separated list of OAuth email addresses or @domain.tld
+      ZROK_OAUTH_EMAILS:    # allow space-separated list of OAuth email addresses or @domain.tld
       ZROK_BASIC_AUTH:      # username:password, mutually-exclusive with ZROK_OAUTH_PROVIDER
 
       # least relevant options

docker/compose/zrok-public-share/compose.yml

@@ -44,7 +44,7 @@ services:
       ZROK_TARGET: http://zrok-test:9090  # backend target, is a path in container filesystem unless proxy mode
       ZROK_INSECURE:        # "--insecure" if proxy target has unverifiable TLS server certificate
       ZROK_OAUTH_PROVIDER:  # google, github
-      ZROK_OATH_EMAILS:     # space-separated list of OAuth email addresses or @domain.tld to allow
+      ZROK_OAUTH_EMAILS:    # space-separated list of OAuth email addresses or @domain.tld to allow
       ZROK_BASIC_AUTH:      # username:password, mutually-exclusive with ZROK_OAUTH_PROVIDER
 
       # least relevant options

docker/images/zrok/Dockerfile

@@ -1,5 +1,5 @@
 # this builds docker.io/openziti/zrok
-ARG ZITI_CLI_TAG="0.31.0"
+ARG ZITI_CLI_TAG="0.31.2"
 ARG ZITI_CLI_IMAGE="docker.io/openziti/ziti-cli"
 # this builds docker.io/openziti/ziti-controller
 FROM ${ZITI_CLI_IMAGE}:${ZITI_CLI_TAG}

endpoints/drive/backend.go

@@ -26,8 +26,9 @@ type Backend struct {
 
 func NewBackend(cfg *BackendConfig) (*Backend, error) {
 	options := ziti.ListenOptions{
-		ConnectTimeout: 5 * time.Minute,
-		MaxConnections: 64,
+		ConnectTimeout:               5 * time.Minute,
+		MaxConnections:               64,
+		WaitForNEstablishedListeners: 1,
 	}
 	zcfg, err := ziti.NewConfigFromFile(cfg.IdentityPath)
 	if err != nil {

endpoints/proxy/backend.go

@@ -31,8 +31,9 @@ type Backend struct {
 
 func NewBackend(cfg *BackendConfig) (*Backend, error) {
 	options := ziti.ListenOptions{
-		ConnectTimeout: 5 * time.Minute,
-		MaxConnections: 64,
+		ConnectTimeout:               5 * time.Minute,
+		MaxConnections:               64,
+		WaitForNEstablishedListeners: 1,
 	}
 	zcfg, err := ziti.NewConfigFromFile(cfg.IdentityPath)
 	if err != nil {