spiffebundle

package
v2.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 28, 2023 License: Apache-2.0 Imports: 15 Imported by: 3

Documentation

Overview

Package spiffebundle provides SPIFFE bundle related functionality.

A bundle represents a SPIFFE bundle, a collection authorities for authenticating SVIDs.

You can create a new bundle for a specific trust domain: 

td := spiffeid.RequireTrustDomain("example.org")
bundle := spiffebundle.New(td)

Or you can load it from disk: 

td := spiffeid.RequireTrustDomain("example.org")
bundle := spiffebundle.Load(td, "bundle.json")

The bundle can be initialized with X.509 or JWT authorities: 

td := spiffeid.RequireTrustDomain("example.org")

var x509Authorities []*x509.Certificate = ...
bundle := spiffebundle.FromX509Authorities(td, x509Authorities)
// ... or ...
var jwtAuthorities map[string]crypto.PublicKey = ...
bundle := spiffebundle.FromJWTAuthorities(td, jwtAuthorities)

In addition, you can add authorities to the bundle: 

var x509CA *x509.Certificate = ...
bundle.AddX509Authority(x509CA)
var keyID string = ...
var publicKey crypto.PublicKey = ...
bundle.AddJWTAuthority(keyID, publicKey)

Bundles can be organized into a set, keyed by trust domain: 

set := spiffebundle.NewSet()
set.Add(bundle)

A Source is source of bundles for a trust domain. Both the Bundle and Set types implement Source: 

// Initialize the source from a bundle or set
var source spiffebundle.Source = bundle
// ... or ...
var source spiffebundle.Source = set

// Use the source to query for X.509 bundles by trust domain
bundle, err := source.GetBundleForTrustDomain(td)

Additionally the Bundle and Set types also implement the x509bundle.Source and jwtbundle.Source interfaces: 

// As an x509bundle.Source...
var source x509bundle.Source = bundle // or set
x509Bundle, err := source.GetX509BundleForTrustDomain(td)

// As a jwtbundle.Source...
var source jwtbundle.Source = bundle // or set
jwtBundle, err := source.GetJWTBundleForTrustDomain(td)

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Bundle 

type Bundle struct {
	// contains filtered or unexported fields
}

Bundle is a collection of trusted public key material for a trust domain, conforming to the SPIFFE Bundle Format as part of the SPIFFE Trust Domain and Bundle specification: https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md

func FromJWTAuthorities 

func FromJWTAuthorities(trustDomain spiffeid.TrustDomain, jwtAuthorities map[string]crypto.PublicKey) *Bundle

FromJWTAuthorities creates a new bundle from JWT authorities.

func FromJWTBundle 

func FromJWTBundle(jwtBundle *jwtbundle.Bundle) *Bundle

FromJWTBundle creates a bundle from a JWT bundle. The function panics in case of a nil JWT bundle.

func FromX509Authorities 

func FromX509Authorities(trustDomain spiffeid.TrustDomain, x509Authorities []*x509.Certificate) *Bundle

FromX509Authorities creates a bundle from X.509 certificates.

func FromX509Bundle 

func FromX509Bundle(x509Bundle *x509bundle.Bundle) *Bundle

FromX509Bundle creates a bundle from an X.509 bundle. The function panics in case of a nil X.509 bundle.

func Load 

func Load(trustDomain spiffeid.TrustDomain, path string) (*Bundle, error)

Load loads a bundle from a file on disk. The file must contain a JWKS document following the SPIFFE Trust Domain and Bundle specification.

func New 

func New(trustDomain spiffeid.TrustDomain) *Bundle

New creates a new bundle.

func Parse 

func Parse(trustDomain spiffeid.TrustDomain, bundleBytes []byte) (*Bundle, error)

Parse parses a bundle from bytes. The data must be a JWKS document following the SPIFFE Trust Domain and Bundle specification.

func Read 

func Read(trustDomain spiffeid.TrustDomain, r io.Reader) (*Bundle, error)

Read decodes a bundle from a reader. The contents must contain a JWKS document following the SPIFFE Trust Domain and Bundle specification.

func (*Bundle) AddJWTAuthority 

func (b *Bundle) AddJWTAuthority(keyID string, jwtAuthority crypto.PublicKey) error

AddJWTAuthority adds a JWT authority to the bundle. If a JWT authority already exists under the given key ID, it is replaced. A key ID must be specified.

func (*Bundle) AddX509Authority 

func (b *Bundle) AddX509Authority(x509Authority *x509.Certificate)

AddX509Authority adds an X.509 authority to the bundle. If the authority already exists in the bundle, the contents of the bundle will remain unchanged.

func (*Bundle) ClearRefreshHint 

func (b *Bundle) ClearRefreshHint()

ClearRefreshHint clears the refresh hint.

func (*Bundle) ClearSequenceNumber 

func (b *Bundle) ClearSequenceNumber()

ClearSequenceNumber clears the sequence number.

func (*Bundle) Clone 

func (b *Bundle) Clone() *Bundle

Clone clones the bundle.

func (*Bundle) Empty 

func (b *Bundle) Empty() bool

Empty returns true if the bundle has no X.509 and JWT authorities.

func (*Bundle) Equal 

func (b *Bundle) Equal(other *Bundle) bool

Equal compares the bundle for equality against the given bundle.

func (*Bundle) FindJWTAuthority 

func (b *Bundle) FindJWTAuthority(keyID string) (crypto.PublicKey, bool)

FindJWTAuthority finds the JWT authority with the given key ID from the bundle. If the authority is found, it is returned and the boolean is true. Otherwise, the returned value is nil and the boolean is false.

func (*Bundle) GetBundleForTrustDomain 

func (b *Bundle) GetBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bundle, error)

GetBundleForTrustDomain returns the SPIFFE bundle for the given trust domain. It implements the Source interface. An error will be returned if the trust domain does not match that of the bundle.

func (*Bundle) GetJWTBundleForTrustDomain 

func (b *Bundle) GetJWTBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*jwtbundle.Bundle, error)

GetJWTBundleForTrustDomain returns the JWT bundle of the given trust domain. It implements the jwtbundle.Source interface. An error will be returned if the trust domain does not match that of the bundle.

func (*Bundle) GetX509BundleForTrustDomain 

func (b *Bundle) GetX509BundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*x509bundle.Bundle, error)

GetX509BundleForTrustDomain returns the X.509 bundle for the given trust domain. It implements the x509bundle.Source interface. An error will be returned if the trust domain does not match that of the bundle.

func (*Bundle) HasJWTAuthority 

func (b *Bundle) HasJWTAuthority(keyID string) bool

HasJWTAuthority returns true if the bundle has a JWT authority with the given key ID.

func (*Bundle) HasX509Authority 

func (b *Bundle) HasX509Authority(x509Authority *x509.Certificate) bool

HasX509Authority checks if the given X.509 authority exists in the bundle.

func (*Bundle) JWTAuthorities 

func (b *Bundle) JWTAuthorities() map[string]crypto.PublicKey

JWTAuthorities returns the JWT authorities in the bundle, keyed by key ID.

func (*Bundle) JWTBundle 

func (b *Bundle) JWTBundle() *jwtbundle.Bundle

JWTBundle returns a JWT bundle containing the JWT authorities in the SPIFFE bundle.

func (*Bundle) Marshal 

func (b *Bundle) Marshal() ([]byte, error)

Marshal marshals the bundle according to the SPIFFE Trust Domain and Bundle specification. The trust domain is not marshaled as part of the bundle and must be conveyed separately. See the specification for details.

func (*Bundle) RefreshHint 

func (b *Bundle) RefreshHint() (refreshHint time.Duration, ok bool)

RefreshHint returns the refresh hint. If the refresh hint is set in the bundle, it is returned and the boolean is true. Otherwise, the returned value is zero and the boolean is false.

func (*Bundle) RemoveJWTAuthority 

func (b *Bundle) RemoveJWTAuthority(keyID string)

RemoveJWTAuthority removes the JWT authority identified by the key ID from the bundle.

func (*Bundle) RemoveX509Authority 

func (b *Bundle) RemoveX509Authority(x509Authority *x509.Certificate)

RemoveX509Authority removes an X.509 authority from the bundle.

func (*Bundle) SequenceNumber 

func (b *Bundle) SequenceNumber() (uint64, bool)

SequenceNumber returns the sequence number. If the sequence number is set in the bundle, it is returned and the boolean is true. Otherwise, the returned value is zero and the boolean is false.

func (*Bundle) SetJWTAuthorities 

func (b *Bundle) SetJWTAuthorities(jwtAuthorities map[string]crypto.PublicKey)

SetJWTAuthorities sets the JWT authorities in the bundle.

func (*Bundle) SetRefreshHint 

func (b *Bundle) SetRefreshHint(refreshHint time.Duration)

SetRefreshHint sets the refresh hint. The refresh hint value will be truncated to time.Second.

func (*Bundle) SetSequenceNumber 

func (b *Bundle) SetSequenceNumber(sequenceNumber uint64)

SetSequenceNumber sets the sequence number.

func (*Bundle) SetX509Authorities 

func (b *Bundle) SetX509Authorities(authorities []*x509.Certificate)

SetX509Authorities sets the X.509 authorities in the bundle.

func (*Bundle) TrustDomain 

func (b *Bundle) TrustDomain() spiffeid.TrustDomain

TrustDomain returns the trust domain that the bundle belongs to.

func (*Bundle) X509Authorities 

func (b *Bundle) X509Authorities() []*x509.Certificate

X509Authorities returns the X.509 authorities in the bundle.

func (*Bundle) X509Bundle 

func (b *Bundle) X509Bundle() *x509bundle.Bundle

X509Bundle returns an X.509 bundle containing the X.509 authorities in the SPIFFE bundle.

type Set 

type Set struct {
	// contains filtered or unexported fields
}

Set is a set of bundles, keyed by trust domain.

func NewSet 

func NewSet(bundles ...*Bundle) *Set

NewSet creates a new set initialized with the given bundles.

func (*Set) Add 

func (s *Set) Add(bundle *Bundle)

Add adds a new bundle into the set. If a bundle already exists for the trust domain, the existing bundle is replaced.

func (*Set) Bundles 

func (s *Set) Bundles() []*Bundle

Bundles returns the bundles in the set sorted by trust domain.

func (*Set) Get 

func (s *Set) Get(trustDomain spiffeid.TrustDomain) (*Bundle, bool)

Get returns a bundle for the given trust domain. If the bundle is in the set it is returned and the boolean is true. Otherwise, the returned value is nil and the boolean is false.

func (*Set) GetBundleForTrustDomain 

func (s *Set) GetBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bundle, error)

GetBundleForTrustDomain returns the SPIFFE bundle for the given trust domain. It implements the Source interface.

func (*Set) GetJWTBundleForTrustDomain 

func (s *Set) GetJWTBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*jwtbundle.Bundle, error)

GetJWTBundleForTrustDomain returns the JWT bundle for the given trust domain. It implements the jwtbundle.Source interface.

func (*Set) GetX509BundleForTrustDomain 

func (s *Set) GetX509BundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*x509bundle.Bundle, error)

GetX509BundleForTrustDomain returns the X.509 bundle for the given trust domain. It implements the x509bundle.Source interface.

func (*Set) Has 

func (s *Set) Has(trustDomain spiffeid.TrustDomain) bool

Has returns true if there is a bundle for the given trust domain.

func (*Set) Len 

func (s *Set) Len() int

Len returns the number of bundles in the set.

func (*Set) Remove 

func (s *Set) Remove(trustDomain spiffeid.TrustDomain)

Remove removes the bundle for the given trust domain.

type Source 

type Source interface {
	// GetBundleForTrustDomain returns the SPIFFE bundle for the given trust
	// domain.
	GetBundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*Bundle, error)
}

Source represents a source of SPIFFE bundles keyed by trust domain.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.