ServerConfigBuilder

spiffe_rustls

Struct ServerConfigBuilder 

Source 
pub struct ServerConfigBuilder { /* private fields */ }
Expand description

Builds a rustls::ServerConfig backed by a live SPIFFE X509Source.

The resulting server configuration:

  • presents the current SPIFFE X.509 SVID as the server certificate
  • requires and validates client certificates (mTLS)
  • authorizes the client by SPIFFE ID (URI SAN)

§Trust Domain Selection

The builder uses the bundle set from X509Source, which may contain bundles for multiple trust domains (when SPIFFE federation is configured). The verifier automatically selects the correct bundle based on the peer’s SPIFFE ID—no manual configuration is required. You can optionally restrict which trust domains are accepted using Self::trust_domain_policy.

§Authorization

Client authorization is performed by invoking the provided Authorizer with the client’s SPIFFE ID extracted from the certificate’s URI SAN.

Use [authorizer::any] to disable authorization while retaining full TLS authentication.

§Examples

use spiffe::{TrustDomain, X509Source};
use spiffe_rustls::{authorizer, mtls_server, LocalOnly};

let source = X509Source::new().await?;

// Pass string literals directly - trust_domains() will convert them
let allowed_trust_domains = ["example.org"];

let local_trust_domain: TrustDomain = "example.org".try_into()?;

let server_config = mtls_server(source)
    .authorize(authorizer::trust_domains(allowed_trust_domains)?)
    .trust_domain_policy(LocalOnly(local_trust_domain))
    .build()?;

Implementations§

Source§

impl ServerConfigBuilder

Source

pub fn new(source: X509Source) -> Self

Creates a new builder from an X509Source.

Defaults:

  • Authorization: accepts any SPIFFE ID (authentication only)
  • Trust domain policy: AnyInBundleSet (uses all bundles from the Workload API)
  • ALPN protocols: empty (no ALPN)
Source

pub fn authorize<A: Authorizer>(self, authorizer: A) -> Self

Sets the authorization policy for client SPIFFE IDs.

Accepts any type that implements Authorizer, including closures.

§Examples
use spiffe_rustls::{authorizer, mtls_server};

let source = spiffe::X509Source::new().await?;

// Pass string literals directly
let config = mtls_server(source.clone())
    .authorize(authorizer::trust_domains([
        "example.org",
    ])?)
    .build()?;

// Using a closure
let config = mtls_server(source.clone())
    .authorize(|id: &spiffe::SpiffeId| id.path().starts_with("/api/"))
    .build()?;

// Using the Any authorizer (default)
let config = mtls_server(source)
    .authorize(authorizer::any())
    .build()?;
Source

pub fn trust_domain_policy(self, policy: TrustDomainPolicy) -> Self

Sets the trust domain policy.

Defaults to AnyInBundleSet (uses all bundles from the Workload API).

Source

pub fn with_alpn_protocols<I, P>(self, protocols: I) -> Self
where I: IntoIterator<Item = P>, P: AsRef<[u8]>,

Sets the ALPN (Application-Layer Protocol Negotiation) protocols.

The protocols are advertised during the TLS handshake. Common values:

  • b"h2" for HTTP/2 (required for gRPC)
  • b"http/1.1" for HTTP/1.1

Protocols should be specified in order of preference (most preferred first).

§Examples
use spiffe_rustls::mtls_server;

let source = spiffe::X509Source::new().await?;
let config = mtls_server(source)
    .with_alpn_protocols([b"h2"])
    .build()?;
Source

pub fn with_config_customizer<F>(self, customizer: F) -> Self
where F: FnOnce(&mut ServerConfig) + Send + 'static,

Applies a customizer function to the ServerConfig after it’s built.

This is an advanced API for configuration not directly exposed by the builder. The customizer is called last, after all other builder settings (including ALPN) have been applied, allowing you to override any configuration.

Warning: Do not modify or replace the verifier or server certificate resolver, as they are required for SPIFFE authentication and authorization. Safe to modify: ALPN, cipher suites, protocol versions, and other non-security-critical settings.

§Examples
use spiffe_rustls::mtls_server;

let source = spiffe::X509Source::new().await?;
let config = mtls_server(source)
    .with_config_customizer(|cfg| {
        // Example: adjust cipher suite preferences
    })
    .build()?;
Source

pub fn build(self) -> Result<ServerConfig>

Builds the rustls::ServerConfig.

§Errors

Returns an error if:

  • the SPIFFE X509Source does not currently have an SVID,
  • rustls crypto providers are not installed,
  • or the material watcher cannot be initialized.

Trait Implementations§

Source§

impl Debug for ServerConfigBuilder

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<'a, T, E> AsTaggedExplicit<'a, E> for T
where T: 'a,

Source§

fn explicit(self, class: Class, tag: u32) -> TaggedParser<'a, Explicit, Self, E>

Source§

impl<'a, T, E> AsTaggedImplicit<'a, E> for T
where T: 'a,

Source§

fn implicit( self, class: Class, constructed: bool, tag: u32, ) -> TaggedParser<'a, Implicit, Self, E>

Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T> Instrument for T

Source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
Source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> IntoRequest<T> for T

Source§

fn into_request(self) -> Request<T>

Wrap the input message T in a tonic::Request
Source§

impl<L> LayerExt<L> for L

Source§

fn named_layer<S>(&self, service: S) -> Layered<<L as Layer<S>>::Service, S>
where L: Layer<S>,

Applies the layer to a service and wraps it in Layered.
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<T> WithSubscriber for T

Source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more