spiffe-rustls 0.6.1

SPIFFE-based mutual TLS integration for rustls
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311

//! Authorization abstractions for SPIFFE ID-based access control.

use crate::error::{AuthorizerConfigError, Result};
use spiffe::{SpiffeId, TrustDomain};
use std::collections::BTreeSet;
use std::sync::Arc;

/// Authorization policy for peer SPIFFE IDs.
///
/// Authorization runs **after** cryptographic verification succeeds.
/// Implementations must be thread-safe.
pub trait Authorizer: Send + Sync + 'static {
    /// Returns `true` if the peer SPIFFE ID is authorized.
    fn authorize(&self, peer: &SpiffeId) -> bool;
}

// ---- ergonomic blanket impl (closures / function pointers) ----

impl<F> Authorizer for F
where
    F: Fn(&SpiffeId) -> bool + Send + Sync + 'static,
{
    fn authorize(&self, peer: &SpiffeId) -> bool {
        self(peer)
    }
}

impl Authorizer for Arc<dyn Authorizer> {
    fn authorize(&self, peer: &SpiffeId) -> bool {
        (**self).authorize(peer)
    }
}

impl Authorizer for Box<dyn Authorizer> {
    fn authorize(&self, peer: &SpiffeId) -> bool {
        (**self).authorize(peer)
    }
}

/// Authorizes any authenticated SPIFFE ID under the active trust-domain policy.
///
/// By default (`TrustDomainPolicy::AnyInBundleSet`), every trust domain in the source
/// bundle set is accepted.
///
/// This is the default authorizer for client and server builders. Production
/// deployments should usually configure a more specific authorizer, such as
/// [`exact`] or [`trust_domains`].
#[must_use]
#[derive(Debug, Clone, Copy, Default)]
pub struct Any;

impl Authorizer for Any {
    fn authorize(&self, _peer: &SpiffeId) -> bool {
        true
    }
}

/// Authorizes only the exact SPIFFE IDs in the allow list.
#[must_use]
#[derive(Debug, Clone)]
pub struct Exact {
    allowed: BTreeSet<SpiffeId>,
}

impl Exact {
    /// Creates a new `Exact` authorizer.
    ///
    /// If the iterator is empty, the authorizer authorizes nothing.
    ///
    /// # Errors
    ///
    /// Returns `Error::AuthorizerConfig` if any ID cannot be parsed.
    pub fn new<I>(ids: I) -> Result<Self>
    where
        I: IntoIterator,
        I::Item: TryInto<SpiffeId>,
        <I::Item as TryInto<SpiffeId>>::Error: std::fmt::Display,
    {
        let mut allowed = BTreeSet::new();

        for id in ids {
            let spiffe_id = id
                .try_into()
                .map_err(|e| AuthorizerConfigError::InvalidSpiffeId(e.to_string()))?;
            allowed.insert(spiffe_id);
        }

        Ok(Self { allowed })
    }
}

impl Authorizer for Exact {
    fn authorize(&self, peer: &SpiffeId) -> bool {
        self.allowed.contains(peer)
    }
}

/// Authorizes any SPIFFE ID whose trust domain is in the allow-list.
#[must_use]
#[derive(Debug, Clone)]
pub struct TrustDomainAllowList {
    allowed: BTreeSet<TrustDomain>,
}

/// Compatibility alias for [`TrustDomainAllowList`].
///
/// This type was renamed for clarity. New code should use
/// [`TrustDomainAllowList`] directly.
#[deprecated(
    since = "0.4.1",
    note = "Renamed to TrustDomainAllowList; TrustDomains remains as a compatibility alias."
)]
pub type TrustDomains = TrustDomainAllowList;

impl TrustDomainAllowList {
    /// Creates a new `TrustDomainAllowList` authorizer.
    ///
    /// If the iterator is empty, the authorizer authorizes nothing.
    ///
    /// # Errors
    ///
    /// Returns `Error::AuthorizerConfig` if any trust domain cannot be parsed.
    pub fn new<I>(domains: I) -> Result<Self>
    where
        I: IntoIterator,
        I::Item: TryInto<TrustDomain>,
        <I::Item as TryInto<TrustDomain>>::Error: std::fmt::Display,
    {
        let mut allowed = BTreeSet::new();

        for domain in domains {
            let td = domain
                .try_into()
                .map_err(|e| AuthorizerConfigError::InvalidTrustDomain(e.to_string()))?;
            allowed.insert(td);
        }

        Ok(Self { allowed })
    }
}

impl Authorizer for TrustDomainAllowList {
    fn authorize(&self, peer: &SpiffeId) -> bool {
        self.allowed.contains(peer.trust_domain())
    }
}

/// Returns an authorizer that accepts any authenticated SPIFFE ID.
///
/// The peer's trust domain must be accepted by the configured trust-domain policy.
/// By default (`TrustDomainPolicy::AnyInBundleSet`), every trust domain in the source
/// bundle set is accepted.
///
/// This is useful when authorization is performed at another layer
/// (e.g., application-level RBAC). Authentication (certificate verification)
/// still applies.
///
/// This is the default authorizer for client and server builders. Production
/// deployments should usually configure a more specific authorizer.
///
/// Returns a zero-sized `Any` value that can be used directly.
///
/// # Examples
///
/// ```rust
/// use spiffe_rustls::authorizer;
///
/// let auth = authorizer::any();
/// ```
pub const fn any() -> Any {
    Any
}

/// Returns an authorizer that only accepts the exact SPIFFE IDs.
///
/// # Arguments
///
/// * `ids` - An iterator of SPIFFE IDs (or types that can be converted to `SpiffeId`)
///
/// If the iterator is empty, the resulting authorizer will authorize no SPIFFE IDs
/// (all authorization checks will return `false`).
///
/// # Errors
///
/// Returns `Error::AuthorizerConfig` if any SPIFFE ID is invalid.
///
/// # Examples
///
/// ```rust
/// use spiffe_rustls::authorizer;
///
/// // Pass string literals directly - exact() will convert them
/// let auth = authorizer::exact([
///     "spiffe://example.org/payment",
///     "spiffe://example.org/checkout",
/// ])?;
/// # Ok::<(), spiffe_rustls::Error>(())
/// ```
pub fn exact<I>(ids: I) -> Result<Exact>
where
    I: IntoIterator,
    I::Item: TryInto<SpiffeId>,
    <I::Item as TryInto<SpiffeId>>::Error: std::fmt::Display,
{
    Exact::new(ids)
}

/// Returns an authorizer that accepts any SPIFFE ID from the given trust domains.
///
/// # Arguments
///
/// * `domains` - An iterator of trust domains (or types that can be converted to `TrustDomain`)
///
/// If the iterator is empty, the resulting authorizer will authorize no trust domains
/// (all authorization checks will return `false`).
///
/// # Errors
///
/// Returns `Error::AuthorizerConfig` if any trust domain is invalid.
///
/// # Examples
///
/// ```rust
/// use spiffe_rustls::authorizer;
///
/// // Pass string literals directly - trust_domains() will convert them
/// let auth = authorizer::trust_domains([
///     "broker.example",
///     "stockmarket.example",
/// ])?;
/// # Ok::<(), spiffe_rustls::Error>(())
/// ```
pub fn trust_domains<I>(domains: I) -> Result<TrustDomainAllowList>
where
    I: IntoIterator,
    I::Item: TryInto<TrustDomain>,
    <I::Item as TryInto<TrustDomain>>::Error: std::fmt::Display,
{
    TrustDomainAllowList::new(domains)
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_exact_authorizer() {
        let id1 = SpiffeId::new("spiffe://example.org/service1").unwrap();
        let id2 = SpiffeId::new("spiffe://example.org/service2").unwrap();
        let id3 = SpiffeId::new("spiffe://other.org/service1").unwrap();

        let auth = Exact::new([id1.clone(), id2.clone()]).unwrap();
        assert!(auth.authorize(&id1));
        assert!(auth.authorize(&id2));
        assert!(!auth.authorize(&id3));
    }

    #[test]
    fn test_exact_authorizer_rejects_invalid() {
        let result = Exact::new(["invalid-spiffe-id", "also-invalid"]);
        result.unwrap_err();
    }

    #[test]
    fn test_trust_domains_authorizer() {
        let td1 = TrustDomain::new("example.org").unwrap();
        let td2 = TrustDomain::new("other.org").unwrap();

        let id1 = SpiffeId::new("spiffe://example.org/service1").unwrap();
        let id2 = SpiffeId::new("spiffe://example.org/service2").unwrap();
        let id3 = SpiffeId::new("spiffe://other.org/service1").unwrap();
        let id4 = SpiffeId::new("spiffe://third.org/service1").unwrap();

        let auth = TrustDomainAllowList::new([td1, td2]).unwrap();
        assert!(auth.authorize(&id1));
        assert!(auth.authorize(&id2));
        assert!(auth.authorize(&id3));
        assert!(!auth.authorize(&id4));
    }

    #[test]
    fn test_trust_domains_authorizer_rejects_invalid() {
        // Use a string with invalid characters (uppercase and special chars not allowed)
        // TrustDomain::new explicitly validates the format, so this should fail
        let result = TrustDomainAllowList::new(["Invalid@Trust#Domain"]);
        result.unwrap_err();

        // Verify that valid trust domains are accepted
        let valid = TrustDomainAllowList::new(["example.org", "other.org"]).unwrap();
        let id1 = SpiffeId::new("spiffe://example.org/service").unwrap();
        let id2 = SpiffeId::new("spiffe://other.org/service").unwrap();
        let id3 = SpiffeId::new("spiffe://rejected.org/service").unwrap();
        assert!(valid.authorize(&id1));
        assert!(valid.authorize(&id2));
        assert!(!valid.authorize(&id3));
    }

    #[test]
    fn test_any_authorizer_always_authorizes() {
        // Verify that `Any` authorizer accepts all valid SPIFFE IDs regardless of trust domain
        let auth = any();
        let id1 = SpiffeId::new("spiffe://example.org/service").unwrap();
        let id2 = SpiffeId::new("spiffe://other.org/another").unwrap();
        let id3 = SpiffeId::new("spiffe://test.domain/path/to/resource").unwrap();

        // Any authorizer should accept all SPIFFE IDs
        assert!(auth.authorize(&id1));
        assert!(auth.authorize(&id2));
        assert!(auth.authorize(&id3));
    }
}