// This file is @generated by prost-build.
/// The X509SVIDRequest message conveys parameters for requesting an X.509-SVID.
/// There are currently no request parameters.
///
/// Because the message has no fields, a caller cannot name an identity in the
/// request; which SVIDs are returned is decided on the server side.
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct X509svidRequest {}
/// The X509SVIDResponse message carries X.509-SVIDs and related information,
/// including a set of global CRLs and a list of bundles the workload may use
/// for federating with foreign trust domains.
///
/// Every entry in `svids` includes an unencrypted private key, and the
/// `::prost::Message` derive also implements `Debug` for this type, so
/// formatting a response with `{:?}` writes that key material out. Keep whole
/// responses out of logs and error messages.
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct X509svidResponse {
    /// Required. A list of X509SVID messages, each of which includes a single
    /// X.509-SVID, its private key, and the bundle for the trust domain.
    #[prost(message, repeated, tag = "1")]
    pub svids: ::prost::alloc::vec::Vec<X509svid>,
    /// Optional. ASN.1 DER encoded certificate revocation lists.
    ///
    /// Stored as raw bytes; this type neither parses the CRLs nor applies them
    /// to chain validation, so that is left to the consumer.
    #[prost(bytes = "bytes", repeated, tag = "2")]
    pub crl: ::prost::alloc::vec::Vec<::prost::bytes::Bytes>,
    /// Optional. CA certificate bundles belonging to foreign trust domains that
    /// the workload should trust, keyed by the SPIFFE ID of the foreign trust
    /// domain. Bundles are ASN.1 DER encoded.
    ///
    /// The key is an unparsed string and the value is unparsed DER.
    /// NOTE(review): consumers presumably parse the key as a trust domain ID
    /// and use each bundle only for that trust domain - confirm at the call site.
    #[prost(map = "string, bytes", tag = "3")]
    pub federated_bundles:
        ::std::collections::HashMap<::prost::alloc::string::String, ::prost::bytes::Bytes>,
}
/// The X509SVID message carries a single SVID and all associated information,
/// including the X.509 bundle for the trust domain.
///
/// This struct holds a private key in the clear (`x509_svid_key`). The
/// `::prost::Message` derive also implements `Debug`, so `{:?}` on a value of
/// this type prints the key bytes; avoid logging it. The derived `PartialEq`
/// and `Hash` cover the key field as well and are ordinary, not constant-time,
/// operations.
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct X509svid {
    /// Required. The SPIFFE ID of the SVID in this entry
    ///
    /// NOTE(review): a plain string as sent by the server; nothing here checks
    /// it against the URI SAN of the leaf certificate in `x509_svid`.
    #[prost(string, tag = "1")]
    pub spiffe_id: ::prost::alloc::string::String,
    /// Required. ASN.1 DER encoded certificate chain. MAY include
    /// intermediates, the leaf certificate (or SVID itself) MUST come first.
    #[prost(bytes = "bytes", tag = "2")]
    pub x509_svid: ::prost::bytes::Bytes,
    /// Required. ASN.1 DER encoded PKCS#8 private key. MUST be unencrypted.
    ///
    /// Secret material. `Bytes` does not zeroize its buffer on drop, and
    /// cloning this struct yields another handle to the same key bytes, so
    /// limit how long and how widely values of this type are kept.
    #[prost(bytes = "bytes", tag = "3")]
    pub x509_svid_key: ::prost::bytes::Bytes,
    /// Required. ASN.1 DER encoded X.509 bundle for the trust domain.
    #[prost(bytes = "bytes", tag = "4")]
    pub bundle: ::prost::bytes::Bytes,
    /// Optional. An operator-specified string used to provide guidance on how this
    /// identity should be used by a workload when more than one SVID is returned.
    /// For example, `internal` and `external` to indicate an SVID for internal or
    /// external use, respectively.
    #[prost(string, tag = "5")]
    pub hint: ::prost::alloc::string::String,
}
/// The X509BundlesRequest message conveys parameters for requesting X.509
/// bundles. There are currently no such parameters.
///
/// The message is empty on the wire: it declares no fields.
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct X509BundlesRequest {}
/// The X509BundlesResponse message carries a set of global CRLs and a map of
/// trust bundles the workload should trust.
///
/// Everything here is trust-anchor input for certificate validation and is
/// held as raw, unparsed bytes; decoding and applying it is the consumer's job.
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct X509BundlesResponse {
    /// Optional. ASN.1 DER encoded certificate revocation lists.
    #[prost(bytes = "bytes", repeated, tag = "1")]
    pub crl: ::prost::alloc::vec::Vec<::prost::bytes::Bytes>,
    /// Required. CA certificate bundles belonging to trust domains that the
    /// workload should trust, keyed by the SPIFFE ID of the trust domain.
    /// Bundles are ASN.1 DER encoded.
    ///
    /// NOTE(review): the key is an unparsed string; consumers presumably parse
    /// it as a trust domain ID and scope each bundle to that trust domain only.
    #[prost(map = "string, bytes", tag = "2")]
    pub bundles: ::std::collections::HashMap<::prost::alloc::string::String, ::prost::bytes::Bytes>,
}
/// The JWTSVIDRequest message conveys parameters for requesting JWT-SVIDs:
/// the intended audience(s) and, optionally, one specific SPIFFE ID.
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct JwtsvidRequest {
    /// Required. The audience(s) the workload intends to authenticate against.
    ///
    /// The field is repeated, so one request can name several audiences;
    /// listing only the parties that will actually receive the token keeps a
    /// leaked token from being accepted elsewhere.
    #[prost(string, repeated, tag = "1")]
    pub audience: ::prost::alloc::vec::Vec<::prost::alloc::string::String>,
    /// Optional. The requested SPIFFE ID for the JWT-SVID. If unset, all
    /// JWT-SVIDs to which the workload is entitled are requested.
    ///
    /// As a proto3 string, "unset" is represented by the empty string.
    #[prost(string, tag = "2")]
    pub spiffe_id: ::prost::alloc::string::String,
}
/// The JWTSVIDResponse message conveys JWT-SVIDs.
///
/// Each entry holds a signed token in `Jwtsvid::svid`. The `::prost::Message`
/// derive also implements `Debug`, so `{:?}` on a response prints those
/// tokens; keep responses out of logs.
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct JwtsvidResponse {
    /// Required. The list of returned JWT-SVIDs.
    #[prost(message, repeated, tag = "1")]
    pub svids: ::prost::alloc::vec::Vec<Jwtsvid>,
}
/// The JWTSVID message carries the JWT-SVID token and associated metadata.
///
/// The token in `svid` is a credential in its own right: whoever holds the
/// string can present it. The `::prost::Message` derive also implements
/// `Debug`, which prints the token, so do not log values of this type.
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct Jwtsvid {
    /// Required. The SPIFFE ID of the JWT-SVID.
    ///
    /// NOTE(review): carried alongside the token as a plain string; nothing in
    /// this type ties it to the subject claim inside `svid`.
    #[prost(string, tag = "1")]
    pub spiffe_id: ::prost::alloc::string::String,
    /// Required. Encoded JWT using JWS Compact Serialization.
    #[prost(string, tag = "2")]
    pub svid: ::prost::alloc::string::String,
    /// Optional. An operator-specified string used to provide guidance on how this
    /// identity should be used by a workload when more than one SVID is returned.
    /// For example, `internal` and `external` to indicate an SVID for internal or
    /// external use, respectively.
    #[prost(string, tag = "3")]
    pub hint: ::prost::alloc::string::String,
}
/// The JWTBundlesRequest message conveys parameters for requesting JWT bundles.
/// There are currently no such parameters.
///
/// The message is empty on the wire: it declares no fields.
#[derive(Clone, Copy, PartialEq, Eq, Hash, ::prost::Message)]
pub struct JwtBundlesRequest {}
/// The JWTBundlesResponse message conveys JWT bundles.
///
/// The bundles are the key sets used to verify JWT-SVID signatures. They are
/// held as raw bytes; parsing them is left to the consumer.
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct JwtBundlesResponse {
    /// Required. JWK encoded JWT bundles, keyed by the SPIFFE ID of the trust
    /// domain.
    ///
    /// NOTE(review): the key is an unparsed string; a verifier presumably
    /// selects the bundle by the trust domain of the token's subject and uses
    /// no other bundle for that token - confirm at the call site.
    #[prost(map = "string, bytes", tag = "1")]
    pub bundles: ::std::collections::HashMap<::prost::alloc::string::String, ::prost::bytes::Bytes>,
}
/// The ValidateJWTSVIDRequest message conveys request parameters for
/// JWT-SVID validation.
///
/// The full token travels in `svid`, and the `::prost::Message` derive also
/// implements `Debug`, so `{:?}` on a request prints the token.
#[derive(Clone, PartialEq, Eq, Hash, ::prost::Message)]
pub struct ValidateJwtsvidRequest {
    /// Required. The audience of the validating party. The JWT-SVID must
    /// contain an audience claim which contains this value in order to
    /// successfully validate.
    ///
    /// This should be the validator's own audience, not a value copied from
    /// the token under test; otherwise the audience check proves nothing.
    #[prost(string, tag = "1")]
    pub audience: ::prost::alloc::string::String,
    /// Required. The JWT-SVID to validate, encoded using JWS Compact
    /// Serialization.
    #[prost(string, tag = "2")]
    pub svid: ::prost::alloc::string::String,
}
/// The ValidateJWTSVIDResponse message conveys the JWT-SVID validation results.
#[derive(Clone, PartialEq, ::prost::Message)]
pub struct ValidateJwtsvidResponse {
    /// Required. The SPIFFE ID of the validated JWT-SVID.
    #[prost(string, tag = "1")]
    pub spiffe_id: ::prost::alloc::string::String,
    /// Optional. Arbitrary claims contained within the payload of the validated
    /// JWT-SVID.
    ///
    /// The claims are free-form (`::prost_types::Struct`); this type does not
    /// constrain their names or value types, so check both presence and type
    /// before basing a decision on a claim.
    #[prost(message, optional, tag = "2")]
    pub claims: ::core::option::Option<::prost_types::Struct>,
}
/// Generated client implementations.
pub mod spiffe_workload_api_client {
    #![allow(
        unused_variables,
        dead_code,
        missing_docs,
        clippy::wildcard_imports,
        clippy::let_unit_value
    )]
    use tonic::codegen::http::Uri;
    use tonic::codegen::*;
    /// gRPC client for the `SpiffeWorkloadAPI` service.
    ///
    /// A thin wrapper around `tonic::client::Grpc<T>`, where `T` is the
    /// underlying transport or service the requests are sent through.
    #[derive(Debug, Clone)]
    pub struct SpiffeWorkloadApiClient<T> {
        // The tonic gRPC client every RPC method below dispatches through.
        inner: tonic::client::Grpc<T>,
    }
    impl SpiffeWorkloadApiClient<tonic::transport::Channel> {
        /// Builds a `tonic::transport::Endpoint` from `dst`, connects to it and
        /// wraps the resulting channel in a client.
        ///
        /// # Errors
        ///
        /// Returns `tonic::transport::Error` if `dst` cannot be turned into an
        /// endpoint or if the connection attempt fails.
        ///
        /// NOTE(review): this service returns private keys and signed tokens, so
        /// `dst` should come from trusted configuration rather than request
        /// data. Callers that need a custom transport build the channel
        /// themselves and pass it to `new` instead.
        pub async fn connect<D>(dst: D) -> Result<Self, tonic::transport::Error>
        where
            D: TryInto<tonic::transport::Endpoint>,
            D::Error: Into<StdError>,
        {
            let endpoint = tonic::transport::Endpoint::new(dst)?;
            let channel = endpoint.connect().await?;
            Ok(Self::new(channel))
        }
    }
    impl<T> SpiffeWorkloadApiClient<T>
    where
        T: tonic::client::GrpcService<tonic::body::Body>,
        T::Error: Into<StdError>,
        T::ResponseBody: Body<Data = Bytes> + std::marker::Send + 'static,
        <T::ResponseBody as Body>::Error: Into<StdError> + std::marker::Send,
    {
        /// Wraps an already-built transport or service `inner` in a client.
        pub fn new(inner: T) -> Self {
            Self {
                inner: tonic::client::Grpc::new(inner),
            }
        }
        /// Wraps `inner` in a client whose underlying `tonic::client::Grpc` is
        /// created with the given `origin` URI.
        pub fn with_origin(inner: T, origin: Uri) -> Self {
            Self {
                inner: tonic::client::Grpc::with_origin(inner, origin),
            }
        }
        /// Wraps `inner` in an `InterceptedService` driven by `interceptor` and
        /// builds a client on top of it.
        ///
        /// The RPC methods of this client attach no request metadata of their
        /// own, so an interceptor is one place to add headers that every call
        /// must carry. NOTE(review): the SPIFFE Workload API specification
        /// expects the `workload.spiffe.io: true` metadata header on each
        /// request - confirm where this crate sets it.
        pub fn with_interceptor<F>(
            inner: T,
            interceptor: F,
        ) -> SpiffeWorkloadApiClient<InterceptedService<T, F>>
        where
            F: tonic::service::Interceptor,
            T::ResponseBody: Default,
            T: tonic::codegen::Service<
                http::Request<tonic::body::Body>,
                Response = http::Response<
                    <T as tonic::client::GrpcService<tonic::body::Body>>::ResponseBody,
                >,
            >,
            <T as tonic::codegen::Service<http::Request<tonic::body::Body>>>::Error:
                Into<StdError> + std::marker::Send + std::marker::Sync,
        {
            let intercepted = InterceptedService::new(inner, interceptor);
            SpiffeWorkloadApiClient::new(intercepted)
        }
        /// Sends requests compressed with `encoding`.
        ///
        /// The server has to support the encoding; if it does not, it might
        /// answer with an error.
        #[must_use]
        pub fn send_compressed(self, encoding: CompressionEncoding) -> Self {
            let Self { inner } = self;
            Self {
                inner: inner.send_compressed(encoding),
            }
        }
        /// Accepts responses compressed with `encoding` and decompresses them.
        #[must_use]
        pub fn accept_compressed(self, encoding: CompressionEncoding) -> Self {
            let Self { inner } = self;
            Self {
                inner: inner.accept_compressed(encoding),
            }
        }
        /// Caps the size of a single decoded (received) message at `limit`.
        ///
        /// Default: `4MB`
        ///
        /// This bounds how much one response message can make the client
        /// decode; raise it only as far as the expected bundle and SVID sizes
        /// require.
        #[must_use]
        pub fn max_decoding_message_size(self, limit: usize) -> Self {
            let Self { inner } = self;
            Self {
                inner: inner.max_decoding_message_size(limit),
            }
        }
        /// Caps the size of a single encoded (sent) message at `limit`.
        ///
        /// Default: `usize::MAX`
        #[must_use]
        pub fn max_encoding_message_size(self, limit: usize) -> Self {
            let Self { inner } = self;
            Self {
                inner: inner.max_encoding_message_size(limit),
            }
        }
        /// Opens the server-streaming `FetchX509SVID` call: X.509-SVIDs for all
        /// SPIFFE identities the workload is entitled to, plus related
        /// information like trust bundles and CRLs. The server streams further
        /// messages as this information changes.
        ///
        /// Each streamed message contains unencrypted private keys; do not log
        /// the decoded responses. This method adds only the `GrpcMethod`
        /// extension to the request. NOTE(review): the SPIFFE Workload API
        /// specification expects the `workload.spiffe.io: true` metadata header,
        /// which must therefore come from the caller or an interceptor.
        ///
        /// # Errors
        ///
        /// Returns a `tonic::Status` with code `Unknown` and a message starting
        /// with `Service was not ready:` if the underlying service is not ready,
        /// otherwise whatever status the call itself produces.
        pub async fn fetch_x509svid(
            &mut self,
            request: impl tonic::IntoRequest<super::X509svidRequest>,
        ) -> std::result::Result<
            tonic::Response<tonic::codec::Streaming<super::X509svidResponse>>,
            tonic::Status,
        > {
            if let Err(not_ready) = self.inner.ready().await {
                return Err(tonic::Status::unknown(format!(
                    "Service was not ready: {}",
                    not_ready.into()
                )));
            }
            let mut grpc_request = request.into_request();
            grpc_request
                .extensions_mut()
                .insert(GrpcMethod::new("SpiffeWorkloadAPI", "FetchX509SVID"));
            let rpc_path = http::uri::PathAndQuery::from_static("/SpiffeWorkloadAPI/FetchX509SVID");
            self.inner
                .server_streaming(grpc_request, rpc_path, tonic_prost::ProstCodec::default())
                .await
        }
        /// Opens the server-streaming `FetchX509Bundles` call: trust bundles and
        /// CRLs, for clients that only need to validate SVIDs without obtaining
        /// an SVID for themselves. The server streams further messages as this
        /// information changes.
        ///
        /// A validator should keep consuming the stream so that rotated bundles
        /// and new CRLs replace the ones it already holds. This method adds only
        /// the `GrpcMethod` extension to the request. NOTE(review): the SPIFFE
        /// Workload API specification expects the `workload.spiffe.io: true`
        /// metadata header, which must come from the caller or an interceptor.
        ///
        /// # Errors
        ///
        /// Returns a `tonic::Status` with code `Unknown` and a message starting
        /// with `Service was not ready:` if the underlying service is not ready,
        /// otherwise whatever status the call itself produces.
        pub async fn fetch_x509_bundles(
            &mut self,
            request: impl tonic::IntoRequest<super::X509BundlesRequest>,
        ) -> std::result::Result<
            tonic::Response<tonic::codec::Streaming<super::X509BundlesResponse>>,
            tonic::Status,
        > {
            if let Err(not_ready) = self.inner.ready().await {
                return Err(tonic::Status::unknown(format!(
                    "Service was not ready: {}",
                    not_ready.into()
                )));
            }
            let mut grpc_request = request.into_request();
            grpc_request
                .extensions_mut()
                .insert(GrpcMethod::new("SpiffeWorkloadAPI", "FetchX509Bundles"));
            let rpc_path =
                http::uri::PathAndQuery::from_static("/SpiffeWorkloadAPI/FetchX509Bundles");
            self.inner
                .server_streaming(grpc_request, rpc_path, tonic_prost::ProstCodec::default())
                .await
        }
        /// Performs the unary `FetchJWTSVID` call: JWT-SVIDs for all SPIFFE
        /// identities the workload is entitled to, for the requested audience.
        /// If the request names a SPIFFE ID, only the JWT-SVID for that ID is
        /// returned.
        ///
        /// The returned tokens are credentials; do not log the decoded response.
        /// This method adds only the `GrpcMethod` extension to the request.
        /// NOTE(review): the SPIFFE Workload API specification expects the
        /// `workload.spiffe.io: true` metadata header, which must come from the
        /// caller or an interceptor.
        ///
        /// # Errors
        ///
        /// Returns a `tonic::Status` with code `Unknown` and a message starting
        /// with `Service was not ready:` if the underlying service is not ready,
        /// otherwise whatever status the call itself produces.
        pub async fn fetch_jwtsvid(
            &mut self,
            request: impl tonic::IntoRequest<super::JwtsvidRequest>,
        ) -> std::result::Result<tonic::Response<super::JwtsvidResponse>, tonic::Status> {
            if let Err(not_ready) = self.inner.ready().await {
                return Err(tonic::Status::unknown(format!(
                    "Service was not ready: {}",
                    not_ready.into()
                )));
            }
            let mut grpc_request = request.into_request();
            grpc_request
                .extensions_mut()
                .insert(GrpcMethod::new("SpiffeWorkloadAPI", "FetchJWTSVID"));
            let rpc_path = http::uri::PathAndQuery::from_static("/SpiffeWorkloadAPI/FetchJWTSVID");
            self.inner
                .unary(grpc_request, rpc_path, tonic_prost::ProstCodec::default())
                .await
        }
        /// Opens the server-streaming `FetchJWTBundles` call: JWT bundles,
        /// formatted as JWKS documents and keyed by the SPIFFE ID of the trust
        /// domain. The server streams further messages as this information
        /// changes.
        ///
        /// A verifier should keep consuming the stream so that rotated signing
        /// keys replace the ones it already holds. This method adds only the
        /// `GrpcMethod` extension to the request. NOTE(review): the SPIFFE
        /// Workload API specification expects the `workload.spiffe.io: true`
        /// metadata header, which must come from the caller or an interceptor.
        ///
        /// # Errors
        ///
        /// Returns a `tonic::Status` with code `Unknown` and a message starting
        /// with `Service was not ready:` if the underlying service is not ready,
        /// otherwise whatever status the call itself produces.
        pub async fn fetch_jwt_bundles(
            &mut self,
            request: impl tonic::IntoRequest<super::JwtBundlesRequest>,
        ) -> std::result::Result<
            tonic::Response<tonic::codec::Streaming<super::JwtBundlesResponse>>,
            tonic::Status,
        > {
            if let Err(not_ready) = self.inner.ready().await {
                return Err(tonic::Status::unknown(format!(
                    "Service was not ready: {}",
                    not_ready.into()
                )));
            }
            let mut grpc_request = request.into_request();
            grpc_request
                .extensions_mut()
                .insert(GrpcMethod::new("SpiffeWorkloadAPI", "FetchJWTBundles"));
            let rpc_path =
                http::uri::PathAndQuery::from_static("/SpiffeWorkloadAPI/FetchJWTBundles");
            self.inner
                .server_streaming(grpc_request, rpc_path, tonic_prost::ProstCodec::default())
                .await
        }
        /// Performs the unary `ValidateJWTSVID` call: validates a JWT-SVID
        /// against the requested audience and returns the SPIFFE ID of the
        /// JWT-SVID together with its JWT claims.
        ///
        /// Validation happens on the server: the token is sent in the request
        /// and the verdict is only as trustworthy as the endpoint this client is
        /// connected to. A failed validation comes back as an `Err` status, so
        /// callers must not treat an error as "probably valid". This method adds
        /// only the `GrpcMethod` extension to the request. NOTE(review): the
        /// SPIFFE Workload API specification expects the
        /// `workload.spiffe.io: true` metadata header, which must come from the
        /// caller or an interceptor.
        ///
        /// # Errors
        ///
        /// Returns a `tonic::Status` with code `Unknown` and a message starting
        /// with `Service was not ready:` if the underlying service is not ready,
        /// otherwise whatever status the call itself produces.
        pub async fn validate_jwtsvid(
            &mut self,
            request: impl tonic::IntoRequest<super::ValidateJwtsvidRequest>,
        ) -> std::result::Result<tonic::Response<super::ValidateJwtsvidResponse>, tonic::Status>
        {
            if let Err(not_ready) = self.inner.ready().await {
                return Err(tonic::Status::unknown(format!(
                    "Service was not ready: {}",
                    not_ready.into()
                )));
            }
            let mut grpc_request = request.into_request();
            grpc_request
                .extensions_mut()
                .insert(GrpcMethod::new("SpiffeWorkloadAPI", "ValidateJWTSVID"));
            let rpc_path =
                http::uri::PathAndQuery::from_static("/SpiffeWorkloadAPI/ValidateJWTSVID");
            self.inner
                .unary(grpc_request, rpc_path, tonic_prost::ProstCodec::default())
                .await
        }
    }
}