spiffe 0.13.0

Core SPIFFE identity types and Workload API sources
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143

use super::builder::ResourceLimits;
use super::errors::{LimitKind, MetricsErrorKind, X509SourceError};
use super::metrics::MetricsRecorder;
use crate::workload_api::x509_context::X509Context;
use crate::x509_source::types::SvidPicker;
use std::sync::Arc;

pub(super) fn validate_limits(
    ctx: &X509Context,
    limits: ResourceLimits,
) -> Result<(), X509SourceError> {
    if let Some(max_svids) = limits.max_svids {
        let actual = ctx.svids().len();
        if actual > max_svids {
            return Err(X509SourceError::ResourceLimitExceeded {
                kind: LimitKind::MaxSvids,
                limit: max_svids,
                actual,
            });
        }
    }

    if let Some(max_bundles) = limits.max_bundles {
        let actual = ctx.bundle_set().len();
        if actual > max_bundles {
            return Err(X509SourceError::ResourceLimitExceeded {
                kind: LimitKind::MaxBundles,
                limit: max_bundles,
                actual,
            });
        }
    }

    if let Some(max_bundle_der_bytes) = limits.max_bundle_der_bytes {
        for (_, bundle) in ctx.bundle_set().iter() {
            // Definition: sum of DER bytes of all authority certificates in the bundle.
            let actual: usize = bundle
                .authorities()
                .iter()
                .map(|cert| cert.as_bytes().len())
                .sum();

            if actual > max_bundle_der_bytes {
                return Err(X509SourceError::ResourceLimitExceeded {
                    kind: LimitKind::MaxBundleDerBytes,
                    limit: max_bundle_der_bytes,
                    actual,
                });
            }
        }
    }

    Ok(())
}

/// Validates resource limits and records the appropriate metric if a limit is exceeded.
///
/// This is the single authoritative function for limit validation and metric recording.
/// It ensures that limit violations are recorded exactly once with the correct metric kind.
///
/// # Arguments
///
/// * `ctx` - The X.509 context to validate
/// * `limits` - The resource limits to enforce
/// * `metrics` - Optional metrics recorder for recording limit violations
///
/// # Returns
///
/// Returns `Ok(())` if all limits are satisfied, or `Err(X509SourceError::ResourceLimitExceeded)`
/// if any limit is exceeded. When a limit is exceeded, the corresponding metric is recorded
/// (e.g., `LimitMaxSvids`, `LimitMaxBundles`, `LimitMaxBundleDerBytes`).
pub(super) fn validate_limits_and_record_metric(
    ctx: &X509Context,
    limits: ResourceLimits,
    metrics: Option<&dyn MetricsRecorder>,
) -> Result<(), X509SourceError> {
    if let Err(e) = validate_limits(ctx, limits) {
        if let X509SourceError::ResourceLimitExceeded { kind, .. } = &e {
            if let Some(m) = metrics {
                m.record_error(metric_kind_for_limit(*kind));
            }
        }
        return Err(e);
    }
    Ok(())
}

/// Maps a `LimitKind` to the corresponding `MetricsErrorKind` for limit violations.
///
/// This is the single authoritative mapping used throughout the codebase to ensure
/// consistent metric recording for limit violations.
pub(super) const fn metric_kind_for_limit(kind: LimitKind) -> MetricsErrorKind {
    match kind {
        LimitKind::MaxSvids => MetricsErrorKind::LimitMaxSvids,
        LimitKind::MaxBundles => MetricsErrorKind::LimitMaxBundles,
        LimitKind::MaxBundleDerBytes => MetricsErrorKind::LimitMaxBundleDerBytes,
    }
}

/// Selects an SVID from the context using the picker (if provided) or default selection.
///
/// This is the single authoritative function for SVID selection, ensuring consistent
/// logic across validation, health checks, and SVID retrieval.
///
/// Returns `Some(Arc<X509Svid>)` if a valid SVID can be selected, `None` otherwise.
pub(super) fn select_svid(
    ctx: &X509Context,
    picker: Option<&dyn SvidPicker>,
) -> Option<Arc<crate::X509Svid>> {
    if let Some(p) = picker {
        // Picker must return a valid index that maps to an actual SVID.
        p.pick_svid(ctx.svids())
            .and_then(|idx| ctx.svids().get(idx))
            .cloned()
    } else {
        ctx.default_svid().cloned()
    }
}

/// Validates an X.509 context for acceptability (limits and SVID selection).
///
/// This is the single authoritative function for context validation used in both
/// initial sync and steady-state updates. It ensures consistent validation logic
/// and correct metric recording.
pub(super) fn validate_context(
    ctx: &X509Context,
    picker: Option<&dyn SvidPicker>,
    limits: ResourceLimits,
    metrics: Option<&dyn MetricsRecorder>,
) -> Result<(), X509SourceError> {
    // Validate limits and record specific limit metrics if exceeded.
    validate_limits_and_record_metric(ctx, limits, metrics)?;

    // Ensure the context is usable for callers (picker or default can select).
    if select_svid(ctx, picker).is_none() {
        if let Some(m) = metrics {
            m.record_error(MetricsErrorKind::NoSuitableSvid);
        }
        return Err(X509SourceError::NoSuitableSvid);
    }

    Ok(())
}