spiffebundle

package
v2.3.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 17, 2024 License: Apache-2.0 Imports: 15 Imported by: 24

Documentation

Overview

Package spiffebundle provides SPIFFE bundle related functionality.

A bundle represents a SPIFFE bundle, a collection authorities for authenticating SVIDs.

You can create a new bundle for a specific trust domain:

td := spiffeid.RequireTrustDomain("example.org")
bundle := spiffebundle.New(td)

Or you can load it from disk:

td := spiffeid.RequireTrustDomain("example.org")
bundle := spiffebundle.Load(td, "bundle.json")

The bundle can be initialized with X.509 or JWT authorities:

td := spiffeid.RequireTrustDomain("example.org")

var x509Authorities []*x509.Certificate = ...
bundle := spiffebundle.FromX509Authorities(td, x509Authorities)
// ... or ...
var jwtAuthorities map[string]crypto.PublicKey = ...
bundle := spiffebundle.FromJWTAuthorities(td, jwtAuthorities)

In addition, you can add authorities to the bundle:

var x509CA *x509.Certificate = ...
bundle.AddX509Authority(x509CA)
var keyID string = ...
var publicKey crypto.PublicKey = ...
bundle.AddJWTAuthority(keyID, publicKey)

Bundles can be organized into a set, keyed by trust domain:

set := spiffebundle.NewSet()
set.Add(bundle)

A Source is source of bundles for a trust domain. Both the Bundle and Set types implement Source:

// Initialize the source from a bundle or set
var source spiffebundle.Source = bundle
// ... or ...
var source spiffebundle.Source = set

// Use the source to query for X.509 bundles by trust domain
bundle, err := source.GetBundleForTrustDomain(td)

Additionally the Bundle and Set types also implement the x509bundle.Source and jwtbundle.Source interfaces:

// As an x509bundle.Source...
var source x509bundle.Source = bundle // or set
x509Bundle, err := source.GetX509BundleForTrustDomain(td)

// As a jwtbundle.Source...
var source jwtbundle.Source = bundle // or set
jwtBundle, err := source.GetJWTBundleForTrustDomain(td)

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Bundle

type Bundle struct {
	// contains filtered or unexported fields
}

Bundle is a collection of trusted public key material for a trust domain, conforming to the SPIFFE Bundle Format as part of the SPIFFE Trust Domain and Bundle specification: https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md

func FromJWTAuthorities

func FromJWTAuthorities(trustDomain spiffeid.TrustDomain, jwtAuthorities map[string]crypto.PublicKey) *Bundle

FromJWTAuthorities creates a new bundle from JWT authorities.

func FromJWTBundle

func FromJWTBundle(jwtBundle *jwtbundle.Bundle) *Bundle

FromJWTBundle creates a bundle from a JWT bundle. The function panics in case of a nil JWT bundle.

func FromX509Authorities

func FromX509Authorities(trustDomain spiffeid.TrustDomain, x509Authorities []*x509.Certificate) *Bundle

FromX509Authorities creates a bundle from X.509 certificates.

func FromX509Bundle

func FromX509Bundle(x509Bundle *x509bundle.Bundle) *Bundle

FromX509Bundle creates a bundle from an X.509 bundle. The function panics in case of a nil X.509 bundle.

func Load

func Load(trustDomain spiffeid.TrustDomain, path string) (*Bundle, error)

Load loads a bundle from a file on disk. The file must contain a JWKS document following the SPIFFE Trust Domain and Bundle specification.

func New

func New(trustDomain spiffeid.TrustDomain) *Bundle

New creates a new bundle.

func Parse

func Parse(trustDomain spiffeid.TrustDomain, bundleBytes []byte) (*Bundle, error)

Parse parses a bundle from bytes. The data must be a JWKS document following the SPIFFE Trust Domain and Bundle specification.

func Read

func Read(trustDomain spiffeid.TrustDomain, r io.Reader) (*Bundle, error)

Read decodes a bundle from a reader. The contents must contain a JWKS document following the SPIFFE Trust Domain and Bundle specification.

func (*Bundle) AddJWTAuthority

func (b *Bundle) AddJWTAuthority(keyID string, jwtAuthority crypto.PublicKey) error

AddJWTAuthority adds a JWT authority to the bundle. If a JWT authority already exists under the given key ID, it is replaced. A key ID must be specified.

func (*Bundle) AddX509Authority

func (b *Bundle) AddX509Authority(x509Authority *x509.Certificate)

AddX509Authority adds an X.509 authority to the bundle. If the authority already exists in the bundle, the contents of the bundle will remain unchanged.

func (*Bundle) ClearRefreshHint

func (b *Bundle) ClearRefreshHint()

ClearRefreshHint clears the refresh hint.

func (*Bundle) ClearSequenceNumber

func (b *Bundle) ClearSequenceNumber()

ClearSequenceNumber clears the sequence number.

func (*Bundle) Clone

func (b *Bundle) Clone() *Bundle

Clone clones the bundle.

func (*Bundle) Empty

func (b *Bundle) Empty() bool

Empty returns true if the bundle has no X.509 and JWT authorities.

func (*Bundle) Equal

func (b *Bundle) Equal(other *Bundle) bool

Equal compares the bundle for equality against the given bundle.

func (*Bundle) FindJWTAuthority

func (b *Bundle) FindJWTAuthority(keyID string) (crypto.PublicKey, bool)

FindJWTAuthority finds the JWT authority with the given key ID from the bundle. If the authority is found, it is returned and the boolean is true. Otherwise, the returned value is nil and the boolean is false.

func (*Bundle) GetBundleForTrustDomain

func (b *Bundle) GetBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bundle, error)

GetBundleForTrustDomain returns the SPIFFE bundle for the given trust domain. It implements the Source interface. An error will be returned if the trust domain does not match that of the bundle.

func (*Bundle) GetJWTBundleForTrustDomain

func (b *Bundle) GetJWTBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*jwtbundle.Bundle, error)

GetJWTBundleForTrustDomain returns the JWT bundle of the given trust domain. It implements the jwtbundle.Source interface. An error will be returned if the trust domain does not match that of the bundle.

func (*Bundle) GetX509BundleForTrustDomain

func (b *Bundle) GetX509BundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*x509bundle.Bundle, error)

GetX509BundleForTrustDomain returns the X.509 bundle for the given trust domain. It implements the x509bundle.Source interface. An error will be returned if the trust domain does not match that of the bundle.

func (*Bundle) HasJWTAuthority

func (b *Bundle) HasJWTAuthority(keyID string) bool

HasJWTAuthority returns true if the bundle has a JWT authority with the given key ID.

func (*Bundle) HasX509Authority

func (b *Bundle) HasX509Authority(x509Authority *x509.Certificate) bool

HasX509Authority checks if the given X.509 authority exists in the bundle.

func (*Bundle) JWTAuthorities

func (b *Bundle) JWTAuthorities() map[string]crypto.PublicKey

JWTAuthorities returns the JWT authorities in the bundle, keyed by key ID.

func (*Bundle) JWTBundle

func (b *Bundle) JWTBundle() *jwtbundle.Bundle

JWTBundle returns a JWT bundle containing the JWT authorities in the SPIFFE bundle.

func (*Bundle) Marshal

func (b *Bundle) Marshal() ([]byte, error)

Marshal marshals the bundle according to the SPIFFE Trust Domain and Bundle specification. The trust domain is not marshaled as part of the bundle and must be conveyed separately. See the specification for details.

func (*Bundle) RefreshHint

func (b *Bundle) RefreshHint() (refreshHint time.Duration, ok bool)

RefreshHint returns the refresh hint. If the refresh hint is set in the bundle, it is returned and the boolean is true. Otherwise, the returned value is zero and the boolean is false.

func (*Bundle) RemoveJWTAuthority

func (b *Bundle) RemoveJWTAuthority(keyID string)

RemoveJWTAuthority removes the JWT authority identified by the key ID from the bundle.

func (*Bundle) RemoveX509Authority

func (b *Bundle) RemoveX509Authority(x509Authority *x509.Certificate)

RemoveX509Authority removes an X.509 authority from the bundle.

func (*Bundle) SequenceNumber

func (b *Bundle) SequenceNumber() (uint64, bool)

SequenceNumber returns the sequence number. If the sequence number is set in the bundle, it is returned and the boolean is true. Otherwise, the returned value is zero and the boolean is false.

func (*Bundle) SetJWTAuthorities

func (b *Bundle) SetJWTAuthorities(jwtAuthorities map[string]crypto.PublicKey)

SetJWTAuthorities sets the JWT authorities in the bundle.

func (*Bundle) SetRefreshHint

func (b *Bundle) SetRefreshHint(refreshHint time.Duration)

SetRefreshHint sets the refresh hint. The refresh hint value will be truncated to time.Second.

func (*Bundle) SetSequenceNumber

func (b *Bundle) SetSequenceNumber(sequenceNumber uint64)

SetSequenceNumber sets the sequence number.

func (*Bundle) SetX509Authorities

func (b *Bundle) SetX509Authorities(authorities []*x509.Certificate)

SetX509Authorities sets the X.509 authorities in the bundle.

func (*Bundle) TrustDomain

func (b *Bundle) TrustDomain() spiffeid.TrustDomain

TrustDomain returns the trust domain that the bundle belongs to.

func (*Bundle) X509Authorities

func (b *Bundle) X509Authorities() []*x509.Certificate

X509Authorities returns the X.509 authorities in the bundle.

func (*Bundle) X509Bundle

func (b *Bundle) X509Bundle() *x509bundle.Bundle

X509Bundle returns an X.509 bundle containing the X.509 authorities in the SPIFFE bundle.

type Set

type Set struct {
	// contains filtered or unexported fields
}

Set is a set of bundles, keyed by trust domain.

func NewSet

func NewSet(bundles ...*Bundle) *Set

NewSet creates a new set initialized with the given bundles.

func (*Set) Add

func (s *Set) Add(bundle *Bundle)

Add adds a new bundle into the set. If a bundle already exists for the trust domain, the existing bundle is replaced.

func (*Set) Bundles

func (s *Set) Bundles() []*Bundle

Bundles returns the bundles in the set sorted by trust domain.

func (*Set) Get

func (s *Set) Get(trustDomain spiffeid.TrustDomain) (*Bundle, bool)

Get returns a bundle for the given trust domain. If the bundle is in the set it is returned and the boolean is true. Otherwise, the returned value is nil and the boolean is false.

func (*Set) GetBundleForTrustDomain

func (s *Set) GetBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bundle, error)

GetBundleForTrustDomain returns the SPIFFE bundle for the given trust domain. It implements the Source interface.

func (*Set) GetJWTBundleForTrustDomain

func (s *Set) GetJWTBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*jwtbundle.Bundle, error)

GetJWTBundleForTrustDomain returns the JWT bundle for the given trust domain. It implements the jwtbundle.Source interface.

func (*Set) GetX509BundleForTrustDomain

func (s *Set) GetX509BundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*x509bundle.Bundle, error)

GetX509BundleForTrustDomain returns the X.509 bundle for the given trust domain. It implements the x509bundle.Source interface.

func (*Set) Has

func (s *Set) Has(trustDomain spiffeid.TrustDomain) bool

Has returns true if there is a bundle for the given trust domain.

func (*Set) Len

func (s *Set) Len() int

Len returns the number of bundles in the set.

func (*Set) Remove

func (s *Set) Remove(trustDomain spiffeid.TrustDomain)

Remove removes the bundle for the given trust domain.

type Source

type Source interface {
	// GetBundleForTrustDomain returns the SPIFFE bundle for the given trust
	// domain.
	GetBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bundle, error)
}

Source represents a source of SPIFFE bundles keyed by trust domain.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL