spiffe 0.15.0

Core SPIFFE identity types and Workload API sources
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205

use super::builder::ResourceLimits;
use super::errors::{LimitKind, MetricsErrorKind, X509SourceError};
use super::metrics::MetricsRecorder;
use crate::workload_api::x509_context::X509Context;
use crate::x509_source::types::SvidPicker;
use crate::X509Svid;
use std::sync::Arc;
use std::time::{SystemTime, UNIX_EPOCH};

pub(super) fn validate_limits(
    ctx: &X509Context,
    limits: ResourceLimits,
) -> Result<(), X509SourceError> {
    if let Some(max_svids) = limits.max_svids {
        let actual = ctx.svids().len();
        if actual > max_svids {
            return Err(X509SourceError::ResourceLimitExceeded {
                kind: LimitKind::MaxSvids,
                limit: max_svids,
                actual,
            });
        }
    }

    if let Some(max_bundles) = limits.max_bundles {
        let actual = ctx.bundle_set().len();
        if actual > max_bundles {
            return Err(X509SourceError::ResourceLimitExceeded {
                kind: LimitKind::MaxBundles,
                limit: max_bundles,
                actual,
            });
        }
    }

    if let Some(max_bundle_der_bytes) = limits.max_bundle_der_bytes {
        for (_, bundle) in ctx.bundle_set().iter() {
            // Definition: sum of DER bytes of all authority certificates in the bundle.
            let actual: usize = bundle
                .authorities()
                .iter()
                .map(|cert| cert.as_bytes().len())
                .sum();

            if actual > max_bundle_der_bytes {
                return Err(X509SourceError::ResourceLimitExceeded {
                    kind: LimitKind::MaxBundleDerBytes,
                    limit: max_bundle_der_bytes,
                    actual,
                });
            }
        }
    }

    Ok(())
}

/// Validates resource limits and records the appropriate metric if a limit is exceeded.
///
/// This is the single authoritative function for limit validation and metric recording.
/// It ensures that limit violations are recorded exactly once with the correct metric kind.
///
/// # Arguments
///
/// * `ctx` - The X.509 context to validate
/// * `limits` - The resource limits to enforce
/// * `metrics` - Optional metrics recorder for recording limit violations
///
/// # Returns
///
/// Returns `Ok(())` if all limits are satisfied, or `Err(X509SourceError::ResourceLimitExceeded)`
/// if any limit is exceeded. When a limit is exceeded, the corresponding metric is recorded
/// (e.g., `LimitMaxSvids`, `LimitMaxBundles`, `LimitMaxBundleDerBytes`).
pub(super) fn validate_limits_and_record_metric(
    ctx: &X509Context,
    limits: ResourceLimits,
    metrics: Option<&dyn MetricsRecorder>,
) -> Result<(), X509SourceError> {
    if let Err(e) = validate_limits(ctx, limits) {
        if let X509SourceError::ResourceLimitExceeded { kind, .. } = &e {
            if let Some(m) = metrics {
                m.record_error(metric_kind_for_limit(*kind));
            }
        }
        return Err(e);
    }
    Ok(())
}

/// Maps a `LimitKind` to the corresponding `MetricsErrorKind` for limit violations.
///
/// This is the single authoritative mapping used throughout the codebase to ensure
/// consistent metric recording for limit violations.
pub(super) const fn metric_kind_for_limit(kind: LimitKind) -> MetricsErrorKind {
    match kind {
        LimitKind::MaxSvids => MetricsErrorKind::LimitMaxSvids,
        LimitKind::MaxBundles => MetricsErrorKind::LimitMaxBundles,
        LimitKind::MaxBundleDerBytes => MetricsErrorKind::LimitMaxBundleDerBytes,
    }
}

/// Selects an SVID from the context using the picker (if provided) or default selection.
///
/// This is the single authoritative function for SVID selection, ensuring consistent
/// logic across validation, health checks, and SVID retrieval.
///
/// Returns `Some(Arc<X509Svid>)` if a valid SVID can be selected, `None` otherwise.
pub(super) fn select_svid(
    ctx: &X509Context,
    picker: Option<&dyn SvidPicker>,
) -> Option<Arc<X509Svid>> {
    if let Some(p) = picker {
        // Picker must return a valid index that maps to an actual SVID.
        p.pick_svid(ctx.svids())
            .and_then(|idx| ctx.svids().get(idx))
            .cloned()
    } else {
        ctx.default_svid().cloned()
    }
}

/// Validates an X.509 context for acceptability (limits and SVID selection).
///
/// This is the single authoritative function for context validation used in both
/// initial sync and steady-state updates. It ensures consistent validation logic
/// and correct metric recording.
pub(super) fn validate_context(
    ctx: &X509Context,
    picker: Option<&dyn SvidPicker>,
    limits: ResourceLimits,
    metrics: Option<&dyn MetricsRecorder>,
) -> Result<Arc<X509Svid>, X509SourceError> {
    // Validate limits and record specific limit metrics if exceeded.
    validate_limits_and_record_metric(ctx, limits, metrics)?;

    // Ensure the context is usable for callers (picker or default can select).
    match select_svid(ctx, picker) {
        Some(svid) if selected_svid_is_not_expired(&svid) => Ok(svid),
        Some(_) | None => {
            if let Some(m) = metrics {
                m.record_error(MetricsErrorKind::NoSuitableSvid);
            }
            Err(X509SourceError::NoSuitableSvid)
        }
    }
}

fn selected_svid_is_not_expired(svid: &X509Svid) -> bool {
    let now = SystemTime::now()
        .duration_since(UNIX_EPOCH)
        .map(|d| i64::try_from(d.as_secs()).ok())
        .ok()
        .flatten();

    now.is_none_or(|now| svid.expiry_unix() > now)
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::X509BundleSet;
    use std::collections::HashMap;
    use std::sync::Mutex;

    struct TestMetricsRecorder {
        counts: Mutex<HashMap<MetricsErrorKind, u64>>,
    }

    impl TestMetricsRecorder {
        fn new() -> Self {
            Self {
                counts: Mutex::new(HashMap::new()),
            }
        }

        fn count(&self, kind: MetricsErrorKind) -> u64 {
            *self.counts.lock().unwrap().get(&kind).unwrap_or(&0)
        }
    }

    impl MetricsRecorder for TestMetricsRecorder {
        fn record_update(&self) {}
        fn record_reconnect(&self) {}
        fn record_error(&self, kind: MetricsErrorKind) {
            *self.counts.lock().unwrap().entry(kind).or_insert(0) += 1;
        }
    }

    #[test]
    fn validate_context_rejects_expired_selected_svid_once() {
        let cert_bytes = include_bytes!("../../tests/testdata/svid/x509/expired-svid-chain.der");
        let key_bytes = include_bytes!("../../tests/testdata/svid/x509/expired-key.der");
        let svid = Arc::new(
            X509Svid::parse_from_der(cert_bytes, key_bytes)
                .expect("expired fixture should parse as an X509-SVID"),
        );
        let ctx = X509Context::new([svid], Arc::new(X509BundleSet::new()));
        let metrics = TestMetricsRecorder::new();

        let result = validate_context(&ctx, None, ResourceLimits::default(), Some(&metrics));

        assert!(matches!(result, Err(X509SourceError::NoSuitableSvid)));
        assert_eq!(metrics.count(MetricsErrorKind::NoSuitableSvid), 1);
    }
}