#![deny(missing_docs)]
#![warn(missing_debug_implementations)]
// #![warn(rust_2018_idioms)]

//! This library provides functions to interact with the [SPIFFE Workload API](https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Workload_API.md)
//! to fetch X.509 and JWT SVIDs and Bundles. It also provides types that comply with the [SPIFFE standards](https://github.com/spiffe/spiffe/tree/main/standards).
//!
//! # Examples
//!
//! ```no_run
//! use spiffe::bundle::jwt::{JwtAuthority, JwtBundle};
//! use spiffe::bundle::x509::{X509Bundle, X509BundleSet};
//! use spiffe::bundle::BundleSource;
//! use spiffe::cert::{Certificate, PrivateKey};
//! use spiffe::spiffe_id::{SpiffeId, TrustDomain};
//! use spiffe::svid::jwt::{JwtSvid, JwtSvidError};
//! use spiffe::svid::x509::X509Svid;
//! use spiffe::workload_api::client::WorkloadApiClient;
//! use spiffe::workload_api::x509_context::X509Context;
//! use std::convert::TryFrom;
//! use std::error::Error;
//!
//! # fn main() -> Result<(), Box< dyn Error>> {
//!
//! // create a new Workload API client connecting to the provided endpoint socket path
//! let client = WorkloadApiClient::new("unix:/tmp/spire-agent/api/public.sock")?;
//!
//! // fetch the default X.509 SVID
//! let x509_svid: X509Svid = client.fetch_x509_svid()?;
//!
//! // fetch a set of X.509 bundles (X.509 public key authorities)
//! let x509_bundles: X509BundleSet = client.fetch_x509_bundles()?;
//!
//! // fetch all the X.509 materials (SVIDs and bundles)
//! let x509_context: X509Context = client.fetch_x509_context()?;
//!
//! // get the X.509 chain of certificates from the SVID
//! let cert_chain: &Vec<Certificate> = x509_svid.cert_chain();
//!
//! // get the private key from the SVID
//! let private_key: &PrivateKey = x509_svid.private_key();
//!
//! // parse a SPIFFE trust domain
//! let trust_domain = TrustDomain::try_from("example.org")?;
//!
//! // get the X.509 bundle associated to the trust domain
//! let x509_bundle: &X509Bundle = x509_bundles.get_bundle(&trust_domain).unwrap();
//!
//! // get the X.509 authorities (public keys) in the bundle
//! let x509_authorities: &Vec<Certificate> = x509_bundle.authorities();
//!
//! // parse a SPIFFE ID
//! let spiffe_id = SpiffeId::try_from("spiffe://example.org/my-service")?;
//!
//! let target_audience = &["service1", "service2"];
//! // fetch a JWT token for the provided SPIFFE ID with the target audiences `service1` and `service2`
//! let jwt_token = client.fetch_jwt_token(target_audience, Some(&spiffe_id))?;
//!
//! // fetch the JWT token and parse it as a `JwtSvid`
//! let jwt_svid = client.fetch_jwt_svid(target_audience, Some(&spiffe_id))?;
//!
//! // fetch a set of JWT bundles (public keys for validating JWT tokens)
//! let jwt_bundles_set = client.fetch_jwt_bundles()?;
//!
//! // get the JWT bundle associated to the trust domain
//! let jwt_bundle: &JwtBundle = jwt_bundles_set.get_bundle(&trust_domain).unwrap();
//!
//! // get the JWT authorities (public keys) in the bundle
//! let jwt_authority: &JwtAuthority = jwt_bundle.find_jwt_authority("a_key_id").unwrap();
//!
//! // parse a `JwtSvid`, validating the token signature against a JWT bundle source and checking it against the expected audience
//! let validated_jwt_svid = JwtSvid::parse_and_validate(&jwt_token, &jwt_bundles_set, &["service1.com"])?;
//!
//! # Ok(())
//! # }
//! ```

/// Bundle types and sources (`bundle::jwt`, `bundle::x509`, `BundleSource`), as used in the crate example above.
pub mod bundle;
/// X.509 `Certificate` and `PrivateKey` types.
pub mod cert;
// Crate-private; presumably the generated Workload API protobuf/gRPC bindings — confirm against the module.
pub(crate) mod proto;
/// `SpiffeId` and `TrustDomain` types.
pub mod spiffe_id;
/// X.509 and JWT SVID types (`svid::x509`, `svid::jwt`).
pub mod svid;
/// `WorkloadApiClient` and `X509Context` for talking to the SPIFFE Workload API.
pub mod workload_api;