Documentation
Overview
Package jwtbundle provides JWT bundle-related functionality.
A bundle represents a collection of JWT authorities, i.e., those that are used to authenticate SPIFFE JWT-SVIDs.
You can create a new bundle for a specific trust domain:

    td := spiffeid.RequireTrustDomain("example.org")
    bundle := jwtbundle.New(td)
Or you can load it from disk:

    td := spiffeid.RequireTrustDomain("example.org")
    // Load returns (*Bundle, error): the file must be a standard RFC 7517 JWKS document
    bundle, err := jwtbundle.Load(td, "bundle.jwks")
The bundle can be initialized with JWT authorities:

    td := spiffeid.RequireTrustDomain("example.org")
    var jwtAuthorities map[string]crypto.PublicKey = ...
    bundle := jwtbundle.FromJWTAuthorities(td, jwtAuthorities)
In addition, you can add JWT authorities to the bundle:

    var keyID string = ...
    var publicKey crypto.PublicKey = ...
    // AddJWTAuthority returns an error if keyID is empty
    err := bundle.AddJWTAuthority(keyID, publicKey)
Bundles can be organized into a set, keyed by trust domain:

    set := jwtbundle.NewSet()
    set.Add(bundle)
A Source is a source of JWT bundles for a trust domain. Both the Bundle and Set types implement Source:

    // Initialize the source from a bundle or set
    var source jwtbundle.Source = bundle
    // ... or ...
    var source jwtbundle.Source = set

    // Use the source to query for bundles by trust domain
    bundle, err := source.GetJWTBundleForTrustDomain(td)
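The bundle format behind Load, Parse and Marshal is a plain RFC 7517 JWKS document, and AddJWTAuthority insists on a key ID. The following stand-alone illustration, added here and not code from go-spiffe, shows what such a document looks like for a P-256 authority and the checks a parser of it should make; jwkFromECDSA and parseJWKS are hypothetical names, and only EC P-256 keys are handled.

```go
package main

import (
	"crypto"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
)
// jwks is an RFC 7517 key set; entries stay generic so non-string JWK members (x5c, key_ops) are ignored, not fatal.
type jwks struct {
	Keys []map[string]any `json:"keys"`
}
// jwkFromECDSA builds a plain JWK entry for a P-256 authority under the given key ID: standard members only,
// no SPIFFE-specific ones, as the package's Marshal is documented to emit. RFC 7518 wants 32-byte coordinates.
func jwkFromECDSA(kid string, pub *ecdsa.PublicKey) map[string]any {
	return map[string]any{"kty": "EC", "crv": "P-256", "kid": kid,
		"x": base64.RawURLEncoding.EncodeToString(pub.X.FillBytes(make([]byte, 32))),
		"y": base64.RawURLEncoding.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))}
}
// parseJWKS decodes a JWKS document into authorities keyed by key ID. Like jwtbundle.Parse it
// rejects entries without a key ID; it additionally refuses coordinates that are not on P-256.
func parseJWKS(doc []byte) (map[string]crypto.PublicKey, error) {
	var set jwks
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	str := func(k map[string]any, name string) string { s, _ := k[name].(string); return s }
	out := make(map[string]crypto.PublicKey, len(set.Keys))
	for _, k := range set.Keys {
		kid := str(k, "kid")
		if kid == "" || str(k, "kty") != "EC" || str(k, "crv") != "P-256" {
			return nil, errors.New("jwks: every entry needs a key ID and must be an EC P-256 key")
		}
		x, errX := base64.RawURLEncoding.DecodeString(str(k, "x"))
		y, errY := base64.RawURLEncoding.DecodeString(str(k, "y"))
		if errX != nil || errY != nil || len(x) != 32 || len(y) != 32 {
			return nil, errors.New("jwks: malformed EC coordinates for kid " + kid)
		}
		// crypto/ecdh validates the uncompressed SEC 1 encoding, so an off-curve point is refused here.
		if _, err := ecdh.P256().NewPublicKey(append(append([]byte{4}, x...), y...)); err != nil {
			return nil, err
		}
		out[kid] = &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	}
	return out, nil
}
```

A bundle whose JWKS carries a key with an empty kid, or a point that is not on the named curve, is rejected whole rather than partially loaded, which is the behaviour a verifier should want from its trust source.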
Index
- type Bundle
- func FromJWTAuthorities(trustDomain spiffeid.TrustDomain, jwtAuthorities map[string]crypto.PublicKey) *Bundle
- func Load(trustDomain spiffeid.TrustDomain, path string) (*Bundle, error)
- func New(trustDomain spiffeid.TrustDomain) *Bundle
- func Parse(trustDomain spiffeid.TrustDomain, bundleBytes []byte) (*Bundle, error)
- func Read(trustDomain spiffeid.TrustDomain, r io.Reader) (*Bundle, error)
- func (b *Bundle) AddJWTAuthority(keyID string, jwtAuthority crypto.PublicKey) error
- func (b *Bundle) Clone() *Bundle
- func (b *Bundle) Empty() bool
- func (b *Bundle) Equal(other *Bundle) bool
- func (b *Bundle) FindJWTAuthority(keyID string) (crypto.PublicKey, bool)
- func (b *Bundle) GetJWTBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bundle, error)
- func (b *Bundle) HasJWTAuthority(keyID string) bool
- func (b *Bundle) JWTAuthorities() map[string]crypto.PublicKey
- func (b *Bundle) Marshal() ([]byte, error)
- func (b *Bundle) RemoveJWTAuthority(keyID string)
- func (b *Bundle) SetJWTAuthorities(jwtAuthorities map[string]crypto.PublicKey)
- func (b *Bundle) TrustDomain() spiffeid.TrustDomain
- type Set
- func (s *Set) Add(bundle *Bundle)
- func (s *Set) Bundles() []*Bundle
- func (s *Set) Get(trustDomain spiffeid.TrustDomain) (*Bundle, bool)
- func (s *Set) GetJWTBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bundle, error)
- func (s *Set) Has(trustDomain spiffeid.TrustDomain) bool
- func (s *Set) Len() int
- func (s *Set) Remove(trustDomain spiffeid.TrustDomain)
- type Source
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Bundle
type Bundle struct {
// contains filtered or unexported fields
}
Bundle is a collection of trusted JWT authorities for a trust domain.
func FromJWTAuthorities
func FromJWTAuthorities(trustDomain spiffeid.TrustDomain, jwtAuthorities map[string]crypto.PublicKey) *Bundle
FromJWTAuthorities creates a new bundle from JWT authorities.
func Load
func Load(trustDomain spiffeid.TrustDomain, path string) (*Bundle, error)
Load loads a bundle from a file on disk. The file must contain a standard RFC 7517 JWKS document.
func Parse
func Parse(trustDomain spiffeid.TrustDomain, bundleBytes []byte) (*Bundle, error)
Parse parses a bundle from bytes. The data must be a standard RFC 7517 JWKS document.
func Read
func Read(trustDomain spiffeid.TrustDomain, r io.Reader) (*Bundle, error)
Read decodes a bundle from a reader. The contents must contain a standard RFC 7517 JWKS document.
func (*Bundle) AddJWTAuthority
func (b *Bundle) AddJWTAuthority(keyID string, jwtAuthority crypto.PublicKey) error
AddJWTAuthority adds a JWT authority to the bundle. If a JWT authority already exists under the given key ID, it is replaced. A key ID must be specified.
func (*Bundle) FindJWTAuthority
func (b *Bundle) FindJWTAuthority(keyID string) (crypto.PublicKey, bool)
FindJWTAuthority finds the JWT authority with the given key ID from the bundle. If the authority is found, it is returned and the boolean is true. Otherwise, the returned value is nil and the boolean is false.
func (*Bundle) GetJWTBundleForTrustDomain
func (b *Bundle) GetJWTBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bundle, error)
GetJWTBundleForTrustDomain returns the JWT bundle for the given trust domain. It implements the Source interface. An error will be returned if the trust domain does not match that of the bundle.
func (*Bundle) HasJWTAuthority
func (b *Bundle) HasJWTAuthority(keyID string) bool
HasJWTAuthority returns true if the bundle has a JWT authority with the given key ID.
func (*Bundle) JWTAuthorities
func (b *Bundle) JWTAuthorities() map[string]crypto.PublicKey
JWTAuthorities returns the JWT authorities in the bundle, keyed by key ID.
func (*Bundle) Marshal
func (b *Bundle) Marshal() ([]byte, error)
Marshal marshals the JWT bundle into a standard RFC 7517 JWKS document. The JWKS does not contain any SPIFFE-specific parameters.
func (*Bundle) RemoveJWTAuthority
func (b *Bundle) RemoveJWTAuthority(keyID string)
RemoveJWTAuthority removes the JWT authority identified by the key ID from the bundle.
func (*Bundle) SetJWTAuthorities
func (b *Bundle) SetJWTAuthorities(jwtAuthorities map[string]crypto.PublicKey)
SetJWTAuthorities sets the JWT authorities in the bundle, replacing any existing ones.
func (*Bundle) TrustDomain
func (b *Bundle) TrustDomain() spiffeid.TrustDomain
TrustDomain returns the trust domain that the bundle belongs to.
type Set
type Set struct {
// contains filtered or unexported fields
}
Set is a set of bundles, keyed by trust domain.
func (*Set) Add
func (s *Set) Add(bundle *Bundle)
Add adds a new bundle into the set. If a bundle already exists for the trust domain, the existing bundle is replaced.
func (*Set) Get
func (s *Set) Get(trustDomain spiffeid.TrustDomain) (*Bundle, bool)
Get returns a bundle for the given trust domain. If the bundle is in the set it is returned and the boolean is true. Otherwise, the returned value is nil and the boolean is false.
func (*Set) GetJWTBundleForTrustDomain
func (s *Set) GetJWTBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bundle, error)
GetJWTBundleForTrustDomain returns the JWT bundle for the given trust domain. It implements the Source interface.
func (*Set) Has
func (s *Set) Has(trustDomain spiffeid.TrustDomain) bool
Has returns true if there is a bundle for the given trust domain.
func (*Set) Remove
func (s *Set) Remove(trustDomain spiffeid.TrustDomain)
Remove removes the bundle for the given trust domain.