Initial implementation of the library #1
Conversation
…FE types: - Workload API client with one-shot call methods - Certificate and PrivateKey types - X.509 SVID and bundle types - JWT SVID and bundle types - TrustDomain and SpiffeId types Signed-off-by: Max Lambrecht <[email protected]>
Signed-off-by: Max Lambrecht <[email protected]>
Signed-off-by: Max Lambrecht <[email protected]>
Signed-off-by: Max Lambrecht <[email protected]>
…ode and enum variants closer to where they belong. Signed-off-by: Max Lambrecht <[email protected]>
Signed-off-by: Max Lambrecht <[email protected]>
There was a problem hiding this comment.
This is impressive work 👏 The amount of tests is really nice. I did not look at it in all details as I think this is pretty good for a first baseline release and provides the basis to use it correctly. Even more than that! We would be happy to try that with the Parsec project.
My knowledge of SPIFFE is also not too good for a thorough review but if you wanted I could take some time to analyse it properly.
| let spiffe_id = SpiffeId::try_from("spiffe://example.org/my-service")?; | ||
|
|
||
| // fetch a jwt token for the provided SPIFFE-ID and with the target audience `service1.com` | ||
| let jwt_token = client.fetch_jwt_token(&["audience1", "audience2"], Some(&spiffe_id))?; |
There was a problem hiding this comment.
Maybe my SPIFFE knowledge is a bit rusted by now but why is the SPIFFE ID needed as a parameter here? Could it be the case that the workload does not know its SPIFFE ID if its set by another entity during registration?
edit: ah I see, this is an Option in case you want the sub claim to be populated. In our case, we mainly use the fetch method for the workload to know which is its SPIFFE ID
There was a problem hiding this comment.
The usual case would be to just pass None in the SPIFFE ID parameter and the Workload API will return a JWT token with the 'sub' claim set with the SPIFFE ID corresponding to the default identity (the first one).
If the workload has multiple identities mapped to it, there is the possibility to select which SPIFFE ID to request the token for.
In case it's requested a token with a SPIFFE ID that the workload it's not mapped with, the Workload API will return an empty response.
Makes sense?
There was a problem hiding this comment.
That makes sense! Thank you for the explanation 👍
| @@ -0,0 +1,152 @@ | |||
| syntax = "proto3"; | |||
There was a problem hiding this comment.
Maybe instead of having a copy of the Workload API we could have spiffe/spiffe repo as a submodule and use spiffe/main/standards/workloadapi.proto directly!
There was a problem hiding this comment.
Not so sure about this, I'm not a big fan of git submodules 😁 I'd leave as it is and put more thinking on this later on.
src/proto/workload.rs
Outdated
| @@ -0,0 +1,2283 @@ | |||
| // This file is generated by rust-protobuf 2.23.0. Do not edit | |||
There was a problem hiding this comment.
Since we generate it here, maybe it's not needed to have a build file? Would save some compilation time. We can re-generate it manually when the Workload API gets updated.
There was a problem hiding this comment.
I removed the build file.
| /// assert_eq!("example.org", spiffe_id.trust_domain().to_string()); | ||
| /// assert_eq!("/path", spiffe_id.path()); | ||
| /// ``` | ||
| pub fn new(id: &str) -> Result<Self, SpiffeIdError> { |
There was a problem hiding this comment.
Thanks for adding the parsing and the validation of it as well 🙏
| None => Err(ClientError::EmptyResponse), | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
Would be very nice to have an abstraction for the ValidateJWTSVID call as well but I am happy to add it once this is merged 👌
Cargo.toml
Outdated
| @@ -0,0 +1,37 @@ | |||
| [package] | |||
| name = "rust-spiffe" | |||
There was a problem hiding this comment.
The spiffe name is free on crates.io so I guess this could just be "spiffe", when it will be used it will always be in a Rust context :)
There was a problem hiding this comment.
Good idea, it makes total sense!
Cargo.toml
Outdated
| description = "Rust client library implementation for SPIFFE" | ||
|
|
||
| [dependencies] | ||
| grpcio = { version = "0.6", default-features = false, features = ["protobuf-codec"] } |
There was a problem hiding this comment.
Do you want to bump that to at least 0.8 in order to include tikv/grpc-rs#499? That would boost compilation time and also help us in Parsec 👍
There was a problem hiding this comment.
Sure! Bumped it to 0.9. For some reason it needs grpcio-sys = "0.9.0" specified as build-dependency, otherwise the build throws an error.
Bump 'grpcio' dependency to 0.9. Signed-off-by: Max Lambrecht <[email protected]>
Signed-off-by: Max Lambrecht <[email protected]>
Great! Thanks for your review, I really appreciate it! I'll merge this and publish the first release. |
Initial commit defining and implementing the basic interface and SPIFFE types:
workload.protoand protobuf generated codeSigned-off-by: Max Lambrecht [email protected]