An SDK for accessing Ziti from macOS and iOS applications using the Swift programming language.
This SDK provides a Swift-friendly wrapper of the Ziti Tunnel C SDK, an implementation of URLProtocol for intercepting HTTP and HTTPS traffic, and examples of using the SDK in an application.
The Ziti class is the main entry point for accessing Ziti networks. An instance of Ziti requires a ZitiIdentity at time of initialization.
Use Ziti.createConnection() to create instances of ZitiConnection to ZitiConnection.dial(_:_:_:) services or ZitiConnection.listen(_:_:_:) for service connections.
Use ZitiUrlProtocol to intercept HTTP and HTTPS connections and route them over a Ziti network.
A ZitiIdentity is created as part of the enrollment process with a Ziti network. Ziti support enrollment using a one-time JWT supplied by your Ziti network administror.
The Ziti.enroll(_:_:) method validates the JWT is properly signed, creates a private key and stores it in the keychain, initiates a Certificate Signing Request (CSR) with the controller, and stores the resultant certificate in the keychain.
Swift
import CZiti
let jwtFile = <...>
let outFile = <...>
Ziti.enroll(jwtFile) { zid, zErr in
guard let zid = zid else {
fputs("Invalid enrollment response, \(String(describing: zErr))\n", stderr)
exit(-1)
}
guard zid.save(outFile) else {
fputs("Unable to save to file \(outFile)\n", stderr)
exit(-1)
}
print("Successfully enrolled id \"\(zid.id)\" with controller \"\(zid.ztAPI)\"")
}Objective-C
#import "CZiti-Swift.h"
NSString *jwtFile = <...>
NSString *outFile = <...>
[Ziti enroll:jwtFile : ^(ZitiIdentity *zid, ZitiError *zErr) {
if (zErr != NULL) {
// Handle error
return;
}
if (![zid save:outFile]) {
// Handle error
return;
}
}];The identity file saved to outfile in the example code above contains information for contacting the Ziti controller and locally accessing the private key and certificate in the keychain.
A typical application flow would:
- Check a well-known location for a stored identity file
- If not present, initiate an enrollment (e.g., prompt the user for location of a one-time JWT enrollment file, or scan in a QR code)
- When identity file is available, use it to create and run an instance of
Ziti
Ziti executes on a loop, similar to Foundation's Runloop. The Ziti.run(_:) method essentially enters an infinite loop processing Ziti events, and will only exit after Ziti is shut down.
The Ziti.runAsync(_:) method is provided as a convenience to spawn a new thread and call Ziti.run(_:).
Swift
let zidFile = <...>
guard let ziti = Ziti(fromFile: zidFile) else {
print("Unable to create Ziti identity from file \(zidFile)")
return
}
ziti.runAsync { zErr in
guard zErr == nil else {
print("Unable to run Ziti: \(String(describing: zErr!))")
return
}
print("Successfully initialized Ziti!")
}Objective-C
NSString *zidFile = <...>
Ziti *ziti = [[Ziti alloc] initFromFile:[self zidFile]];
if (ziti != NULL) {
[ziti runAsync: ^(ZitiError *zErr) {
if (zErr != NULL) {
// Handle error
return;
}
[ZitiUrlProtocol register:ziti :10000];
}];
}To execute code on the thread running Ziti use the perform(_:) method.
The SDK also includes ZitiUrlProtocol, which implements a URLProtocol that interceptes HTTP and HTTPS requests for Ziti services and routes them over a Ziti network.
ZitiUrlProtocol should be instantiated as part of the Ziti.InitCallback of Ziti.run(_:) to ensure Ziti is initialized before
starting to intercept services.
Swift
ziti.runAsync { zErr in
guard zErr == nil else {
// Handle error
return
}
ZitiUrlProtocol.register(ziti)
}Objective-C
[ziti runAsync: ^(ZitiError *zErr) {
if (zErr != NULL) {
// Handle error
return;
}
[ZitiUrlProtocol register:ziti :10000];
}];If using your own URLSession insteal of URLSession.shared, ZitiUrlProtocol will need to be configured in your URLSession's configuration:
let configuration = URLSessionConfiguration.default
configuration.protocolClasses?.insert(ZitiUrlProtocol.self, at: 0)
urlSession = URLSession(configuration:configuration)See also the documentation included in the CZiti module available in the Xcode Quick Help pane.
CZiti is built into an XCFramework (CZiti.xcframework) that includes a static library (libCZiti.a) for each platform and architecture.
Note that that CZiti is not built for Bitcode, and when building for a device the Build Settings - Build Options should set Enable Bitcode to No.
Note that CZiti depends on libresolv.9.tbd, and requires access to outbound network connections and the Apple Keychain.
See ziti-sdk-swift-dist for access to CZiti.xcframework built from this repository and made available as a .binaryTarget.
To exercise modifications to the CZiti framework in your application, first add the CZiti module as a dependency to your app as described above, then override the CZiti framework with a local package. See Editing a package dependency as a local package for an overview of this process.
I used the following steps to override CZiti with a local build in the ziti-tunnel-apple project:
-
Build the CZiti framework. You may want to build for debugging:
$ CONFIGURATION=Debug ./build_all.sh
When complete, the build will be located in ./dist/CZiti.xcframework.
-
Create a Package.swift for the local CZiti framework:
cat > ./dist/Package.swift <<EOF // swift-tools-version: 5.7 import PackageDescription let package = Package( name: "CZiti", platforms: [ .macOS(.v10_14), .iOS(.v13) ], products: [ .library( name: "CZiti", targets: ["CZiti"]) ], targets: [ .binaryTarget( name: "CZiti", path: "./CZiti.xcframework") ] ) EOF
-
Move or copy the ./dist directory into your application's top-level source directory, renaming it to 'ziti-sdk-swift-dist'. The final directory structure should look like this:
- YourApplication/ - ziti-sdk-swift-dist/ - Package.swift - CZiti.xcframework/The apple documentation doesn't mention this, but I was unable to get Xcode to recognize that the local package overrides the released CZiti framework unless the parent directory of the local CZiti framework was named 'ziti-sdk-swift-dist' (to match the github repo the CZiti releases come from), and local CZiti framework was in the application's directory.
-
Add the local package to your application. This can be done by clicking "Add Local..." while adding a package dependency to your application. Select the 'ziti-sdk-swift-dist` directory in the dialog.
You should see the CZiti entry disappear from your project's Package Dependencies in the project navigator when the local CZiti package is referenced.
DEPECATED AS OF v0.30.11, please convert to use of Swift Package Manager
If you are using Cocoapods, update your Podfile:
target 'Some-macOS-Target'
use_frameworks!
platform :macos, '10.15'
pod 'CZiti-macOS', '~> 0.1'
end
target 'SomeTarget-iOS-Target'
use_frameworks!
platform :ios, '13.4'
pod 'CZiti-iOS', '~> 0.1'
endFor further information on Cocoapods, check their official documentation.
- Follow the build steps below to create
libCZiti.a - Add
libCZiti.alibrary to your project's Frameworks and Libraries, and ensure it is listed in your project's Build Phases under Link Binary with Libraries. - Your Library Search Path and Swift Compiler Seatch Paths - Import Paths should include the directory containing
libCZiti.aandCZiti.swiftmodule/ - When this project is built from
Xcode, theCZiti-Swift.hfile is copied to$(PROJECT_ROOT)/include/$(PLATFORM)(e.g.,./include/iphoneos).CZiti-Swift.hcan also be found the theDerivedSourcesdirectory under./DerivedDatafollowing a build from eitherXcodeor viabuild_all.sh. This file is needed to useCZitifrom Objective-C. Your Search Paths - Header Search Paths must include the directory containingCZiti-Swift.h. - Inspect the sample apps' configurations in this repository for relevant build settings for libraries and paths
This repository includes a few examples of using the library:
ziti-mac-enrolleris a utility that will enroll an identity using a supplied one-time JWT token. It can optionally update the keychain to trust for the CA pool used by the Ziti controllersample-mac-hostis a command-line utility that can operate as either a client or a server for a specified Ziti serversample-iosexercisesZitiUrlProtocolto interceptURLSessonrequests, route them over Ziti, and display the resultssample-ios-objcdemonstrates using Objective-C to exerciseZitiUrlProtocol
Create a file called Configs/workspace-settings-overrides.xcconfig and populate with appropriate values. See Configs/workplace-settings.xcconfig for all possible values.
DEVELOPMENT_TEAM = XXXXXXXXXX
ORGANIZATION_PREFIX = ...
The project depends on the Ziti Tunnel C SDK, which is built directly into the library. It is maintained as a submodule at ./deps/ziti-tunnel-sdk-c. Be sure to follow the vcpkg setup steps in deps/ziti-tunnel-sdk-c/BUILD.md. This project expects builds to be built in ./deps/ziti-tunnel-sdk-c/build-macosx-x86_64 and ./deps/ziti-tunnel-sdk-c/build-macosx-arm64 for macOS and ./deps/ziti-sdk-c/build-iphoneos-arm64 for iOS (or build-iphonesimulator-x86_64or build-iphonesimulator-arm64 for the simulator).
This project contains the buid_all.sh script that will build the project from the command-line for macosx, iphoneos, and iphonesimulator platforms.
Once the static libraries are built, the build_all.sh script executes make_dist.sh, creating an XCFramework called CZiti.xcframework, under the project's ./dist directory.
The scripts require the following executables to be on the caller's path:
xcodebuildused to buildCZiti-*schemes inCZiti.xcodeproj, avaialble as part of yourXcodeinstallationxcprettyalso used to buildCZiti-*schemes inCZiti.xcodeproj. (Can be installed viagem install xcpretty)cmakeused for building the Ziti Tunnel C SDK dependency. (Can be installed viabrew install cmake)
$ git clone --recurse-submodules https://github.com/openziti/ziti-sdk-swift.git
$ cd ziti-sdk-swift
$ /bin/sh build_all.shBy default, the scripts build for Release configuration. To build for Debug, execute
$ CONFIGURATION=Debug /bin/sh build_all.shThe resultant libCZiti.a and CZiti.swiftmodule are available in the appropriate sub-directory of ./DerivedData.
Please use these community resources for getting help.
- Read the docs
- Participate in discussion on Discourse
- Use GitHub issues for tracking bugs and feature requests.
Copyright NetFoundry Inc.