spiffe-rs 0.1.0

Rust port of spiffe-go with SPIFFE IDs, bundles, SVIDs, Workload API client, federation helpers, and rustls-based SPIFFE TLS utilities.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160

use crate::bundle::{jwtbundle, spiffebundle, x509bundle};
use crate::spiffeid::TrustDomain;
use crate::workloadapi::option::{BundleSourceConfig, BundleSourceOption};
use crate::workloadapi::{Context, Result, Watcher, X509Context};
use std::collections::HashMap;
use std::sync::{Arc, RwLock};

pub struct BundleSource {
    watcher: Watcher,
    x509_authorities: Arc<RwLock<HashMap<TrustDomain, Vec<Vec<u8>>>>>,
    jwt_authorities: Arc<RwLock<HashMap<TrustDomain, HashMap<String, jwtbundle::JwtKey>>>>,
    closed: std::sync::atomic::AtomicBool,
}

impl BundleSource {
    pub async fn new<I>(ctx: &Context, options: I) -> Result<BundleSource>
    where
        I: IntoIterator<Item = Arc<dyn BundleSourceOption>>,
    {
        let mut config = BundleSourceConfig::default();
        for opt in options {
            opt.configure_bundle_source(&mut config);
        }

        let x509_authorities = Arc::new(RwLock::new(HashMap::new()));
        let jwt_authorities = Arc::new(RwLock::new(HashMap::new()));

        let x509_authorities_clone = x509_authorities.clone();
        let jwt_authorities_clone = jwt_authorities.clone();
        let x509_handler = Arc::new(move |context: X509Context| {
            let mut new_auth = HashMap::new();
            for bundle in context.bundles.bundles() {
                new_auth.insert(bundle.trust_domain(), bundle.x509_authorities());
            }
            if let Ok(mut guard) = x509_authorities_clone.write() {
                *guard = new_auth;
            }
        });

        let jwt_handler = Arc::new(move |bundles: jwtbundle::Set| {
            let mut new_auth = HashMap::new();
            for bundle in bundles.bundles() {
                new_auth.insert(bundle.trust_domain(), bundle.jwt_authorities());
            }
            if let Ok(mut guard) = jwt_authorities_clone.write() {
                *guard = new_auth;
            }
        });

        let watcher = Watcher::new(ctx, config.watcher, Some(x509_handler), Some(jwt_handler)).await?;
        Ok(BundleSource {
            watcher,
            x509_authorities,
            jwt_authorities,
            closed: std::sync::atomic::AtomicBool::new(false),
        })
    }

    pub async fn close(&self) -> Result<()> {
        self.closed.store(true, std::sync::atomic::Ordering::SeqCst);
        self.watcher.close().await
    }

    pub fn get_bundle_for_trust_domain(&self, trust_domain: TrustDomain) -> Result<spiffebundle::Bundle> {
        self.check_closed()?;
        let x509 = self
            .x509_authorities
            .read()
            .ok()
            .and_then(|guard| guard.get(&trust_domain).cloned());
        let jwt = self
            .jwt_authorities
            .read()
            .ok()
            .and_then(|guard| guard.get(&trust_domain).cloned());

        if x509.is_none() && jwt.is_none() {
            return Err(crate::workloadapi::Error::new(format!(
                "bundlesource: no SPIFFE bundle for trust domain {:?}",
                trust_domain
            )));
        }
        let bundle = spiffebundle::Bundle::new(trust_domain.clone());
        if let Some(x509) = x509 {
            bundle.set_x509_authorities(&x509);
        }
        if let Some(jwt) = jwt {
            bundle.set_jwt_authorities(&jwt);
        }
        Ok(bundle)
    }

    pub fn get_x509_bundle_for_trust_domain(&self, trust_domain: TrustDomain) -> Result<x509bundle::Bundle> {
        self.check_closed()?;
        let x509 = self
            .x509_authorities
            .read()
            .ok()
            .and_then(|guard| guard.get(&trust_domain).cloned())
            .ok_or_else(|| {
                crate::workloadapi::Error::new(format!(
                    "bundlesource: no X.509 bundle for trust domain {:?}",
                    trust_domain
                ))
            })?;
        Ok(x509bundle::Bundle::from_x509_authorities(trust_domain, &x509))
    }

    pub fn get_jwt_bundle_for_trust_domain(&self, trust_domain: TrustDomain) -> Result<jwtbundle::Bundle> {
        self.check_closed()?;
        let jwt = self
            .jwt_authorities
            .read()
            .ok()
            .and_then(|guard| guard.get(&trust_domain).cloned())
            .ok_or_else(|| {
                crate::workloadapi::Error::new(format!(
                    "bundlesource: no JWT bundle for trust domain {:?}",
                    trust_domain
                ))
            })?;
        Ok(jwtbundle::Bundle::from_jwt_authorities(trust_domain, &jwt))
    }

    pub async fn wait_until_updated(&self, ctx: &Context) -> Result<()> {
        self.watcher.wait_until_updated(ctx).await
    }

    pub fn updated(&self) -> tokio::sync::watch::Receiver<u64> {
        self.watcher.updated()
    }

    fn check_closed(&self) -> Result<()> {
        if self.closed.load(std::sync::atomic::Ordering::SeqCst) {
            return Err(crate::workloadapi::Error::new("bundlesource: source is closed"));
        }
        Ok(())
    }
}

impl spiffebundle::Source for BundleSource {
    fn get_bundle_for_trust_domain(&self, trust_domain: TrustDomain) -> spiffebundle::Result<spiffebundle::Bundle> {
        self.get_bundle_for_trust_domain(trust_domain)
            .map_err(|err| spiffebundle::Error::new(err.to_string()))
    }
}

impl x509bundle::Source for BundleSource {
    fn get_x509_bundle_for_trust_domain(&self, trust_domain: TrustDomain) -> x509bundle::Result<x509bundle::Bundle> {
        self.get_x509_bundle_for_trust_domain(trust_domain)
            .map_err(|err| x509bundle::Error::new(err.to_string()))
    }
}

impl jwtbundle::Source for BundleSource {
    fn get_jwt_bundle_for_trust_domain(&self, trust_domain: TrustDomain) -> jwtbundle::Result<jwtbundle::Bundle> {
        self.get_jwt_bundle_for_trust_domain(trust_domain)
            .map_err(|err| jwtbundle::Error::new(err.to_string()))
    }
}