diff --git a/README.md b/README.md
index 312e4e9d..8f3d8943 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,36 @@ # SPIRE Sidecar -The SPIRE sidecar is a simple utility for fetching certificates from the SPIRE Workload API and signaling Ghostunnel to reload them. +The SPIRE Sidecar is a simple utility for fetching X.509 SVID certificates from the SPIRE Workload API, launch a process that makes use of the certificates and continuosly get new certificates before they expire. The launched process is signaled to reload the certificates when is needed. + +### Usage +`$ sidecar -config ` + +``: file path to the configuration file. + +If `-config` is not specified, the default value `sidecar_config.hcl` is assumed. + +### Configuration +The configuration file is an [HCL](https://github.com/hashicorp/hcl) formatted file that defines the following configurations: + + |Configuration | Description | Example Value | + |---------------------|------------------------------------------------------------------------------------------------| ------------- | + |`agentAddress` | Socket address of SPIRE Agent. | `"/tmp/agent.sock"` | + |`cmd` | The path to the process to launch. | `"ghostunnel"` | + |`cmdArgs` | The arguments of the process to launch. | `"server --listen localhost:8002 --target localhost:8001--keystore certs/svid_key.pem --cacert certs/svid_bundle.pem --allow-uri-san spiffe://example.org/Database"` | + |`certDir` | Directory name to store the fetched certificates. This directory must be created previously. | `"certs"` | + |`renewSignal` | The signal that the process to be launched expects to reload the certificates. | `"SIGUSR1"` | + |`svidFileName` | File name to be used to store the X.509 SVID public certificate in PEM format. | `"svid.pem"` | + |`svidKeyFileName` | File name to be used to store the X.509 SVID private key and public certificate in PEM format. | `"svid_key.pem"` | + |`svidBundleFileName` | File name to be used to store the X.509 SVID Bundle in PEM format. 
| `"svid_bundle.pem"` | + +#### Configuration example +``` +agentAddress = "/tmp/agent.sock" +cmd = "ghostunnel" +cmdArgs = "server --listen localhost:8002 --target localhost:8001 --keystore certs/svid_key.pem --cacert certs/svid_bundle.pem --allow-uri-san spiffe://example.org/Database" +certDir = "certs" +renewSignal = "SIGUSR1" +svidFileName = "svid.pem" +svidKeyFileName = "svid_key.pem" +svidBundleFileName = "svid_bundle.pem" +``` diff --git a/config.go b/config.go index c45231b7..c833705b 100644 --- a/config.go +++ b/config.go @@ -8,10 +8,14 @@ import ( // SidecarConfig is HCL config data type SidecarConfig struct { - AgentAddress string `hcl:"agentAddress"` - GhostunnelCmd string `hcl:"ghostunnelCmd"` - GhostunnelArgs string `hcl:"ghostunnelArgs"` - CertDir string `hcl:"certDir"` + AgentAddress string `hcl:"agentAddress"` + Cmd string `hcl:"cmd"` + CmdArgs string `hcl:"cmdArgs"` + CertDir string `hcl:"certDir"` + SvidFileName string `hcl:"svidFileName"` + SvidKeyFileName string `hcl:"svidKeyFileName"` + SvidBundleFileName string `hcl:"svidBundleFileName"` + RenewSignal string `hcl:"renewSignal"` } // ParseConfig parses the given HCL file into a SidecarConfig struct @@ -36,5 +40,5 @@ func ParseConfig(file string) (sidecarConfig *SidecarConfig, err error) { return nil, err } - return + return sidecarConfig, nil } diff --git a/glide.lock b/glide.lock index 752d3b7e..fb3ba98a 100644 --- a/glide.lock +++ b/glide.lock @@ -1,5 +1,5 @@ -hash: 09b1e69982af8cdd1f51f77967bfa7ea2ec131f8bab0e4c010112fef554bb3c5 -updated: 2017-10-05T19:51:10.476533717-07:00 +hash: 349eda423729475b952e36f6f33329bbec2627ffb76c13753335b970a6ea1f3f +updated: 2017-11-28T00:22:22.452119-03:00 imports: - name: github.com/golang/protobuf version: 0a4f71a498b7c4812f64969510bcb4eca251e33a 
@@ -20,6 +20,10 @@ imports: - json/parser - json/scanner - json/token +- name: github.com/spiffe/spire + version: a52337e05017a8dc85ccec7b0049e18e215e7b20 + subpackages: + - proto/api/workload - name: golang.org/x/net version: f5079bd7f6f74e23c4d65efa0f4ce14cbd6a3c0f subpackages: @@ -42,11 +46,14 @@ imports: subpackages: - googleapis/rpc/status - name: google.golang.org/grpc - version: f92cdcd7dcdc69e81b2d7b338479a19a8723cfa3 + version: 5a9f7b402fe85096d2e1d0383435ee1876e863d0 subpackages: + - balancer + - balancer/roundrobin - codes - connectivity - credentials + - encoding - grpclb/grpc_lb_v1/messages - grpclog - internal @@ -54,12 +61,11 @@ imports: - metadata - naming - peer + - resolver + - resolver/dns + - resolver/passthrough - stats - status - tap - transport -testImports: -- name: github.com/spiffe/spiffe-example - version: a8af8c00b8211ee05fb5d6a4d5d874d59e3c6585 - subpackages: - - rosemary/build/tools/sidecar/wlapi +testImports: [] diff --git a/glide.yaml b/glide.yaml index 36b37eab..4bf49fb3 100644 --- a/glide.yaml +++ b/glide.yaml @@ -1,15 +1,6 @@ package: github.com/spiffe/sidecar import: -- package: github.com/golang/protobuf - subpackages: - - proto - package: github.com/hashicorp/hcl -- package: golang.org/x/net - subpackages: - - context - package: google.golang.org/grpc version: ^1.6.0 -testImport: -- package: github.com/spiffe/spiffe-example - subpackages: - - rosemary/build/tools/sidecar/wlapi +- package: github.com/spiffe/spire/proto/api/workload diff --git a/main.go b/main.go index d56a8f69..8ea18f08 100644 --- a/main.go +++ b/main.go 
@@ -2,35 +2,40 @@ package main import ( "context" + "flag" + "fmt" "net" "time" - workload "github.com/spiffe/sidecar/wlapi" + "github.com/spiffe/spire/proto/api/workload" "google.golang.org/grpc" ) -const ( - configFile = "sidecar_config.hcl" -) - func main() { // 0. Load configuration // 1. Request certs using Workload API // 2. Put cert on disk - // 3. Start ghostunnel if not running, otherwise send SIGUSR1 to reload cert - // 4. Wait until TTL expires + // 3. Start the specified process if it is not running, otherwise send the configured signal to renew the certificates + // 4. Wait until TTL/2 // 5. Goto 1 - config, err := ParseConfig(configFile) + configFile := flag.String("config", "sidecar_config.hcl", " Configuration file path") + flag.Parse() + + config, err := ParseConfig(*configFile) if err != nil { - panic(err) + panic(fmt.Errorf("error parsing configuration file: %v\n%v", *configFile, err)) } log("Sidecar is up! Will use agent at %s\n\n", config.AgentAddress) + if config.Cmd == "" { + log("Warning: no cmd defined to execute.\n") + } + log("Using configuration file: %v\n", *configFile) workloadClient, ctx, cancel, err := createGrpcClient(config) defer cancel() if err != nil { - panic(err) + panic(fmt.Errorf("error creating GRPC client.\n%v", err)) } sidecar := NewSidecar(ctx, config, workloadClient) @@ -53,5 +58,5 @@ func createGrpcClient(config *SidecarConfig) (workloadClient workload.WorkloadCl workloadClient = workload.NewWorkloadClient(conn) - return + return workloadClient, ctx, cancel, err } diff --git a/sidecar.go b/sidecar.go index 4c02de61..a764cd26 100644 --- a/sidecar.go +++ b/sidecar.go 
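Review bot: `defer cancel()` is registered before the error from `createGrpcClient` is checked, so if that function returns a nil `cancel` on failure (its early returns are outside this diff) the deferred call adds a nil-function panic on top of the intended "error creating GRPC client" panic; move the defer below the check, i.e. `if err != nil { panic(...) }` followed by `defer cancel()`. The new warning for an empty `cmd` also understates the effect: with `cmd = ""` (the shipped default in sidecar_config.hcl) `signalProcess` in sidecar.go calls `exec.Command("")`, whose `Start` cannot succeed, so the daemon ends after the first fetch rather than running in a write-certificates-only mode; either handle the empty case there or make it a fatal configuration error here instead of a warning. The body of `main` continues past the hunk.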
@@ -2,18 +2,19 @@ package main import ( "context" + "encoding/pem" "errors" "fmt" "io/ioutil" "os" "os/exec" "os/signal" + "path" "strings" "syscall" "time" - workload "github.com/spiffe/sidecar/wlapi" - //workload "github.com/spiffe/spire/pkg/api/workload" + "github.com/spiffe/spire/proto/api/workload" ) // Sidecar is the component that consumes Workload API and renews certs @@ -43,11 +44,11 @@ func (s *Sidecar) RunDaemon() error { // Main loop for { // Fetch and dump certificates - pk, crt, ttl, err := s.dumpBundles() + ttl, err := s.dumpBundles() if err != nil { return err } - err = s.signalProcess(pk, crt) + err = s.signalProcess() if err != nil { return err } @@ -68,29 +69,31 @@ func (s *Sidecar) RunDaemon() error { } } -func (s *Sidecar) signalProcess(pk, crt string) (err error) { - // TODO: generalize this for any process, not just Ghostunnel +func (s *Sidecar) signalProcess() (err error) { if !s.processRunning { - // Start Ghostunnel - args := fmt.Sprintf("%s --keystore %s --cacert %s", s.config.GhostunnelArgs, pk, crt) - cmd := exec.Command(s.config.GhostunnelCmd, strings.Split(args, " ")...) + cmd := exec.Command(s.config.Cmd, strings.Split(s.config.CmdArgs, " ")...) cmd.Stdout = os.Stdout cmd.Stderr = os.Stderr err = cmd.Start() if err != nil { - return + return fmt.Errorf("error executing process: %v\n%v", s.config.Cmd, err) } s.process = cmd.Process go s.checkProcessExit() } else { - // Signal Ghostunnel to reload certs - err = s.process.Signal(syscall.SIGUSR1) + // Signal to reload certs + sig, err := getSignal(s.config.RenewSignal) if err != nil { - return + return fmt.Errorf("error getting signal: %v\n%v", s.config.RenewSignal, err) + } + + err = s.process.Signal(sig) + if err != nil { + return fmt.Errorf("error signaling process with signal: %v\n%v", sig, err) } } - return + return nil } func (s *Sidecar) checkProcessExit() { 
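Review bot: `"path"` is imported to build on-disk file names in `dumpBundles`, but it is the slash-only package meant for URL-style paths; `"path/filepath"` is the one for OS paths. Because the tool already depends on `syscall` signals it is effectively Unix-only, so this is an idiom and portability point rather than a bug; swap the import for `"path/filepath"` and the three `path.Join` calls for `filepath.Join`.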
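Review bot: `RunDaemon` returns on the first error from `dumpBundles` or `signalProcess`, so a transient Workload API failure (agent restart, socket not yet present) takes the renewal loop down while the launched child keeps running with certificates that will never be refreshed, which contradicts the README's "continuously get new certificates" goal. Retrying the fetch with a bounded backoff and only returning after repeated failures would be safer; a failed `process.Signal` (for example when the child exited between `checkProcessExit` flipping the flag and the signal) could likewise fall through so the child is restarted on the next iteration rather than ending the loop. The wait at the bottom of the loop and the start of `RunDaemon` are outside the hunk.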
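Review bot: `strings.Split(s.config.CmdArgs, " ")` yields a single empty argument when `cmdArgs` is empty (the shipped default) and empty arguments for any doubled space, and an empty `cmd` reaches `exec.Command("")`, which fails at `Start` and ends the daemon even though main.go only warns about it; guard with `if s.config.Cmd == "" { return nil }` at the top and split with `strings.Fields(s.config.CmdArgs)` instead. Neither form supports quoting, so an argument containing a space (a path, say) cannot be passed at all; that limitation deserves a comment on `cmdArgs` in the README if it is accepted. `s.processRunning` is also written by the `checkProcessExit` goroutine (its tail is visible as context of the next hunk) and read here without synchronization, which is a data race under `-race`; a `sync.Mutex` or an atomic flag would cover it. `checkProcessExit` starts on the hunk's last line and its body is outside the hunk.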
@@ -99,84 +102,133 @@ func (s *Sidecar) checkProcessExit() { s.processRunning = false } -func convertToPem(format string, in []byte) (out []byte, err error) { - // TODO: Use Golang library to make this conversion - fin, err := ioutil.TempFile("", "") +func (s *Sidecar) dumpBundles() (ttl int32, err error) { + bundles, err := s.workloadClient.FetchAllBundles(s.workloadClientContext, &workload.Empty{}) if err != nil { - return + return ttl, err } - defer os.Remove(fin.Name()) - fin.Write(in) - fin.Close() - fout, err := ioutil.TempFile("", "") - if err != nil { - return + if len(bundles.Bundles) == 0 { + return ttl, errors.New("fetched zero bundles") } - defer os.Remove(fout.Name()) - fin.Close() - cmd := exec.Command("openssl", format, "-inform", "der", "-in", fin.Name(), "-out", fout.Name()) - cmd.Stdout = os.Stdout - cmd.Stderr = os.Stderr - err = cmd.Start() - if err != nil { - return + ttl = bundles.Ttl + log("TTL is: %v seconds\n", ttl) + log("Bundles found: %d\n", len(bundles.Bundles)) + + if len(bundles.Bundles) > 1 { + log("Only certificates from the first bundle will be written") } - cmd.Wait() - out, err = ioutil.ReadFile(fout.Name()) - return -} -func (s *Sidecar) dumpBundles() (pk, crt string, ttl int32, err error) { - bundles, err := s.workloadClient.FetchAllBundles(s.workloadClientContext, &workload.Empty{}) + // There may be more than one bundle, but we are interested in the first one only + bundle := bundles.Bundles[0] + + svidKeyFile := path.Join(s.config.CertDir, s.config.SvidKeyFileName) + svidFile := path.Join(s.config.CertDir, s.config.SvidFileName) + svidBundleFile := path.Join(s.config.CertDir, s.config.SvidBundleFileName) + + svidPrivateKey := pem.EncodeToMemory( + &pem.Block{ + Type: "EC PRIVATE KEY", + Bytes: bundle.SvidPrivateKey}) + + svid := pem.EncodeToMemory( + &pem.Block{ + Type: "CERTIFICATE", + Bytes: bundle.Svid}) + + log("Writing: %v\n", svidKeyFile) + err = ioutil.WriteFile(svidKeyFile, append(svidPrivateKey, svid...), 
os.ModePerm) if err != nil { - return + return ttl, fmt.Errorf("error writing file: %v\n%v", svidKeyFile, err) } - if len(bundles.Bundles) == 0 { - err = errors.New("Fetched zero bundles") - return + log("Writing: %v\n", svidFile) + err = ioutil.WriteFile(svidFile, svid, os.ModePerm) + if err != nil { + return ttl, fmt.Errorf("error writing file: %v\n%v", svidFile, err) } - ttl = bundles.Ttl + svidBundle := pem.EncodeToMemory( + &pem.Block{ + Type: "CERTIFICATE", + Bytes: bundle.SvidBundle, + }) - log("Writing %d bundles!\n", len(bundles.Bundles)) - for index, bundle := range bundles.Bundles { - pkFilename := fmt.Sprintf("%s/%d.key", s.config.CertDir, index) - certFilename := fmt.Sprintf("%s/%d.cert", s.config.CertDir, index) - if index == 0 { - pk = pkFilename - crt = certFilename - } + log("Writing: %v\n", svidBundleFile) + err = ioutil.WriteFile(svidBundleFile, svidBundle, os.ModePerm) + if err != nil { + return ttl, fmt.Errorf("error writing file: %v\n%v", svidBundleFile, err) + } - log("Writing keystore #%d...\n", index+1) - var svidPrivateKey, svid, svidBundle []byte - svidPrivateKey, err = convertToPem("ec", bundle.SvidPrivateKey) - if err != nil { - return - } - svid, err = convertToPem("x509", bundle.Svid) - if err != nil { - return - } - keystore := append(svidPrivateKey, svid...) 
- err = ioutil.WriteFile(pkFilename, keystore, os.ModePerm) - if err != nil { - return - } + return ttl, nil +} - log("Writing CA certs #%d...\n", index+1) - svidBundle, err = convertToPem("x509", bundle.SvidBundle) - if err != nil { - return - } - err = ioutil.WriteFile(certFilename, svidBundle, os.ModePerm) - if err != nil { - return - } +func getSignal(s string) (sig syscall.Signal, err error) { + switch s { + case "SIGABRT": + sig = syscall.SIGABRT + case "SIGALRM": + sig = syscall.SIGALRM + case "SIGBUS": + sig = syscall.SIGBUS + case "SIGCHLD": + sig = syscall.SIGCHLD + case "SIGCONT": + sig = syscall.SIGCONT + case "SIGFPE": + sig = syscall.SIGFPE + case "SIGHUP": + sig = syscall.SIGHUP + case "SIGILL": + sig = syscall.SIGILL + case "SIGIO": + sig = syscall.SIGIO + case "SIGIOT": + sig = syscall.SIGIOT + case "SIGKILL": + sig = syscall.SIGKILL + case "SIGPIPE": + sig = syscall.SIGPIPE + case "SIGPROF": + sig = syscall.SIGPROF + case "SIGQUIT": + sig = syscall.SIGQUIT + case "SIGSEGV": + sig = syscall.SIGSEGV + case "SIGSTOP": + sig = syscall.SIGSTOP + case "SIGSYS": + sig = syscall.SIGSYS + case "SIGTERM": + sig = syscall.SIGTERM + case "SIGTRAP": + sig = syscall.SIGTRAP + case "SIGTSTP": + sig = syscall.SIGTSTP + case "SIGTTIN": + sig = syscall.SIGTTIN + case "SIGTTOU": + sig = syscall.SIGTTOU + case "SIGURG": + sig = syscall.SIGURG + case "SIGUSR1": + sig = syscall.SIGUSR1 + case "SIGUSR2": + sig = syscall.SIGUSR2 + case "SIGVTALRM": + sig = syscall.SIGVTALRM + case "SIGWINCH": + sig = syscall.SIGWINCH + case "SIGXCPU": + sig = syscall.SIGXCPU + case "SIGXFSZ": + sig = syscall.SIGXFSZ + default: + err = fmt.Errorf("unrecognized signal: %v", s) } - return + + return sig, err } func log(format string, a ...interface{}) { diff --git a/sidecar_config.hcl b/sidecar_config.hcl index 7f3fa267..f445b9d8 100644 --- a/sidecar_config.hcl +++ b/sidecar_config.hcl 
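Review bot: The private key is written with `os.ModePerm` (0777, narrowed only by the umask), so `svid_key.pem` ends up readable by every local user, and because `ioutil.WriteFile` applies the mode only when it creates the file, an already-present key file keeps whatever mode it had. The key file should be 0600 and the two certificate files 0644, with an explicit `Chmod` so existing files are tightened as well. Each file is also truncated and rewritten in place, so a child that reloads on the renew signal (or on its own schedule) can observe an empty or partial PEM; writing to a temporary name in `certDir` and renaming over the target makes the replacement atomic. Separately, `SvidBundle` is wrapped in a single `CERTIFICATE` block, which only parses if the agent sends exactly one DER certificate; if it can carry a chain, decoding with `x509.ParseCertificates` and emitting one block per certificate handles both cases, though I have not verified the agent's format. The hunk starts inside `checkProcessExit` and ends at the signature of `log`.
```go
// writeFile atomically replaces dst with data and forces mode on it, so a
// reloading child never sees a half-written PEM and an existing file is
// re-permissioned (ioutil.WriteFile only applies mode when it creates the file).
func writeFile(dst string, data []byte, mode os.FileMode) error {
	tmp := dst + ".tmp"
	if err := ioutil.WriteFile(tmp, data, mode); err != nil {
		return err
	}
	if err := os.Chmod(tmp, mode); err != nil {
		os.Remove(tmp)
		return err
	}
	return os.Rename(tmp, dst)
}

// … in dumpBundles, unchanged: fetch, TTL logging, path construction, PEM encoding …
	log("Writing: %v\n", svidKeyFile)
	// Private key material: owner-only.
	err = writeFile(svidKeyFile, append(svidPrivateKey, svid...), 0600)
	// … unchanged: error handling …
	log("Writing: %v\n", svidFile)
	err = writeFile(svidFile, svid, 0644)
	// … unchanged: error handling and bundle encoding …
	log("Writing: %v\n", svidBundleFile)
	err = writeFile(svidBundleFile, svidBundle, 0644)
```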
@@ -1,3 +1,8 @@
-agentAddress = "8080"
-ghostunnelCmd = "ghostunnel client --listen localhost:8003 --target database:8002"
-certDir = "certs"
\ No newline at end of file
+agentAddress = "/tmp/agent.sock"
+cmd = ""
+cmdArgs = ""
+certDir = "certs"
+renewSignal = "SIGUSR1"
+svidFileName = "svid.pem"
+svidKeyFileName = "svid_key.pem"
+svidBundleFileName = "svid_bundle.pem"
diff --git a/sidecar_config_envoy.hcl b/sidecar_config_envoy.hcl
new file mode 100644
index 00000000..ac08c9eb
--- /dev/null
+++ b/sidecar_config_envoy.hcl
@@ -0,0 +1,8 @@
+agentAddress = "/tmp/agent.sock"
+cmd = "hot-restarter.py"
+cmdArgs = "start_envoy.sh"
+certDir = "certs"
+renewSignal = "SIGHUP"
+svidFileName = "svid.pem"
+svidKeyFileName = "svid_key.pem"
+svidBundleFileName = "svid_bundle.pem"
diff --git a/sidecar_config_ghostunnel.hcl b/sidecar_config_ghostunnel.hcl
new file mode 100644
index 00000000..f56be357
--- /dev/null
+++ b/sidecar_config_ghostunnel.hcl
@@ -0,0 +1,8 @@
+agentAddress = "/tmp/agent.sock"
+cmd = "ghostunnel"
+cmdArgs = "server --listen localhost:8002 --target localhost:8001 --keystore certs/svid_key.pem --cacert certs/svid_bundle.pem --allow-uri-san spiffe://example.org/Database"
+certDir = "certs"
+renewSignal = "SIGUSR1"
+svidFileName = "svid.pem"
+svidKeyFileName = "svid_key.pem"
+svidBundleFileName = "svid_bundle.pem"
diff --git a/sidecar_test.go b/sidecar_test.go
index 25983bf5..4289007d 100644
--- a/sidecar_test.go
+++ b/sidecar_test.go
@@ -7,8 +7,7 @@ import (
 "testing"
 "time"
 
- workload "github.com/spiffe/sidecar/wlapi"
- //workload "github.com/spiffe/spire/pkg/api/workload"
+ "github.com/spiffe/spire/proto/api/workload"
 "golang.org/x/net/context"
 "google.golang.org/grpc"
 )
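Review bot: `agentAddress = "/tmp/agent.sock"` points the sidecar at a socket in a world-writable directory; everything the sidecar fetches over it (the SVID, its private key and the trust bundle) is handed to the launched process, so a local user who can pre-create or replace that path before the agent binds it could supply the workload with an attacker-chosen identity and trust bundle. Prefer a socket under a directory owned by the agent's user with restrictive permissions, e.g. `agentAddress = "/run/spire/agent.sock"`, and note in the README that `certDir` should be private as well, since the key file is written there. Whether the agent refuses to bind over an existing path is agent behaviour not visible here.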
@@ -18,10 +17,10 @@ const ( testTTL = 10 ) -// TestSidecar_Integration will run the sidecar with an 'echo' command simulating ghostunnel +// TestSidecar_Integration will run the sidecar with an 'echo' command // and a simple webserver to mock the Workload API to the sidecar. // The objetive is to make sure sidecar is requesting certs and invoking command successfully. -// TODO: 'echo' command exits immediately so we cannot test SIGUSR1 signalling. Improve this. +// TODO: 'echo' command exits immediately so we cannot test signalling. Improve this. func TestSidecar_Integration(t *testing.T) { tmpdir, err := ioutil.TempDir("", "test-certs") if err != nil { @@ -30,8 +29,11 @@ func TestSidecar_Integration(t *testing.T) { defer os.RemoveAll(tmpdir) config := &SidecarConfig{ - GhostunnelCmd: "echo", - CertDir: tmpdir, + Cmd: "echo", + CertDir: tmpdir, + SvidFileName: "svid.pem", + SvidKeyFileName: "svid_key.pem", + SvidBundleFileName: "svid_bundle.pem", } fmt.Printf("Will test for %d seconds.\n", testTimeSeconds) diff --git a/wlapi/common/common.pb.go b/wlapi/common/common.pb.go deleted file mode 100644 index aa51c855..00000000 --- a/wlapi/common/common.pb.go +++ /dev/null 
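Review bot: The test config leaves `RenewSignal` empty, so once the TODO above is addressed and a long-lived command replaces `echo`, the first reload will fail in `getSignal` with "unrecognized signal" instead of exercising the signalling path; add `RenewSignal: "SIGUSR1",` next to the new file-name fields now. The new fields also make it straightforward to assert on the written files, namely that the three names exist under `tmpdir` after the first fetch and that the key file is not group- or world-readable, which would pin the permission behaviour of `dumpBundles`. The rest of the test body is outside the hunk.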
@@ -1,226 +0,0 @@ -// Code generated by protoc-gen-go. DO NOT EDIT. -// source: common.proto - -/* -Package common is a generated protocol buffer package. - -It is generated from these files: - common.proto - -It has these top-level messages: - Empty - AttestedData - Selector - Selectors - RegistrationEntry - RegistrationEntries -*/ -package common - -import proto "github.com/golang/protobuf/proto" -import fmt "fmt" -import math "math" - -// Reference imports to suppress errors if they are not otherwise used. -var _ = proto.Marshal -var _ = fmt.Errorf -var _ = math.Inf - -// This is a compile-time assertion to ensure that this generated file -// is compatible with the proto package it is being compiled against. -// A compilation error at this line likely means your copy of the -// proto package needs to be updated. -const _ = proto.ProtoPackageIsVersion2 // please upgrade the proto package - -// * Represents an empty message -type Empty struct { -} - -func (m *Empty) Reset() { *m = Empty{} } -func (m *Empty) String() string { return proto.CompactTextString(m) } -func (*Empty) ProtoMessage() {} -func (*Empty) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{0} } - -// * A type which contains attestation data for specific platform. -type AttestedData struct { - // * Type of attestation to perform. - Type string `protobuf:"bytes,1,opt,name=type" json:"type,omitempty"` - // * The attestetion data. 
- Data []byte `protobuf:"bytes,2,opt,name=data,proto3" json:"data,omitempty"` -} - -func (m *AttestedData) Reset() { *m = AttestedData{} } -func (m *AttestedData) String() string { return proto.CompactTextString(m) } -func (*AttestedData) ProtoMessage() {} -func (*AttestedData) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{1} } - -func (m *AttestedData) GetType() string { - if m != nil { - return m.Type - } - return "" -} - -func (m *AttestedData) GetData() []byte { - if m != nil { - return m.Data - } - return nil -} - -// * A type which describes the conditions under which a registration -// entry is matched. -type Selector struct { - // * A selector type represents the type of attestation used in attesting - // the entity (Eg: AWS, K8). - Type string `protobuf:"bytes,1,opt,name=type" json:"type,omitempty"` - // * The value to be attested. - Value string `protobuf:"bytes,2,opt,name=value" json:"value,omitempty"` -} - -func (m *Selector) Reset() { *m = Selector{} } -func (m *Selector) String() string { return proto.CompactTextString(m) } -func (*Selector) ProtoMessage() {} -func (*Selector) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{2} } - -func (m *Selector) GetType() string { - if m != nil { - return m.Type - } - return "" -} - -func (m *Selector) GetValue() string { - if m != nil { - return m.Value - } - return "" -} - -// * Represents a type with a list of NodeResolution. -type Selectors struct { - // * A list of NodeResolution. 
- Entries []*Selector `protobuf:"bytes,1,rep,name=entries" json:"entries,omitempty"` -} - -func (m *Selectors) Reset() { *m = Selectors{} } -func (m *Selectors) String() string { return proto.CompactTextString(m) } -func (*Selectors) ProtoMessage() {} -func (*Selectors) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{3} } - -func (m *Selectors) GetEntries() []*Selector { - if m != nil { - return m.Entries - } - return nil -} - -// * This is a curated record that the Control Plane uses to set up and -// manage the various registered nodes and workloads that are controlled by it. -type RegistrationEntry struct { - // * A list of selectors. - Selectors []*Selector `protobuf:"bytes,1,rep,name=selectors" json:"selectors,omitempty"` - // * The SPIFFE ID of an entity that is authorized to attest the validity - // of a selector - ParentId string `protobuf:"bytes,2,opt,name=parent_id,json=parentId" json:"parent_id,omitempty"` - // * The SPIFFE ID is a structured string used to identify a resource or - // caller. It is defined as a URI comprising a “trust domain” and an - // associated path. - SpiffeId string `protobuf:"bytes,3,opt,name=spiffe_id,json=spiffeId" json:"spiffe_id,omitempty"` - // * Time to live. - Ttl int32 `protobuf:"varint,4,opt,name=ttl" json:"ttl,omitempty"` - // * A list of federated bundle spiffe ids. 
- FbSpiffeIds []string `protobuf:"bytes,5,rep,name=fb_spiffe_ids,json=fbSpiffeIds" json:"fb_spiffe_ids,omitempty"` -} - -func (m *RegistrationEntry) Reset() { *m = RegistrationEntry{} } -func (m *RegistrationEntry) String() string { return proto.CompactTextString(m) } -func (*RegistrationEntry) ProtoMessage() {} -func (*RegistrationEntry) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{4} } - -func (m *RegistrationEntry) GetSelectors() []*Selector { - if m != nil { - return m.Selectors - } - return nil -} - -func (m *RegistrationEntry) GetParentId() string { - if m != nil { - return m.ParentId - } - return "" -} - -func (m *RegistrationEntry) GetSpiffeId() string { - if m != nil { - return m.SpiffeId - } - return "" -} - -func (m *RegistrationEntry) GetTtl() int32 { - if m != nil { - return m.Ttl - } - return 0 -} - -func (m *RegistrationEntry) GetFbSpiffeIds() []string { - if m != nil { - return m.FbSpiffeIds - } - return nil -} - -// * A list of registration entries. -type RegistrationEntries struct { - // * A list of RegistrationEntry. 
- Entries []*RegistrationEntry `protobuf:"bytes,1,rep,name=entries" json:"entries,omitempty"` -} - -func (m *RegistrationEntries) Reset() { *m = RegistrationEntries{} } -func (m *RegistrationEntries) String() string { return proto.CompactTextString(m) } -func (*RegistrationEntries) ProtoMessage() {} -func (*RegistrationEntries) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{5} } - -func (m *RegistrationEntries) GetEntries() []*RegistrationEntry { - if m != nil { - return m.Entries - } - return nil -} - -func init() { - proto.RegisterType((*Empty)(nil), "spire.common.Empty") - proto.RegisterType((*AttestedData)(nil), "spire.common.AttestedData") - proto.RegisterType((*Selector)(nil), "spire.common.Selector") - proto.RegisterType((*Selectors)(nil), "spire.common.Selectors") - proto.RegisterType((*RegistrationEntry)(nil), "spire.common.RegistrationEntry") - proto.RegisterType((*RegistrationEntries)(nil), "spire.common.RegistrationEntries") -} - -func init() { proto.RegisterFile("common.proto", fileDescriptor0) } - -var fileDescriptor0 = []byte{ - // 296 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x84, 0x51, 0x4f, 0x4b, 0xfb, 0x40, - 0x10, 0x25, 0xbf, 0x34, 0x6d, 0x33, 0xcd, 0x0f, 0x74, 0x15, 0x09, 0x78, 0x30, 0xec, 0x29, 0xa7, - 0x20, 0x5a, 0x04, 0x0f, 0x1e, 0x14, 0x7b, 0xe8, 0x4d, 0xb6, 0x37, 0x2f, 0x65, 0xdb, 0x4c, 0x64, - 0xa1, 0xcd, 0x2e, 0xbb, 0xa3, 0x90, 0x8f, 0xe6, 0xb7, 0x93, 0x64, 0x9b, 0xaa, 0x55, 0xf0, 0xf6, - 0xf6, 0xfd, 0x19, 0xde, 0xce, 0x40, 0xb2, 0xd6, 0xdb, 0xad, 0xae, 0x0b, 0x63, 0x35, 0x69, 0x96, - 0x38, 0xa3, 0x2c, 0x16, 0x9e, 0xe3, 0x23, 0x88, 0x66, 0x5b, 0x43, 0x0d, 0xbf, 0x81, 0xe4, 0x9e, - 0x08, 0x1d, 0x61, 0xf9, 0x28, 0x49, 0x32, 0x06, 0x03, 0x6a, 0x0c, 0xa6, 0x41, 0x16, 0xe4, 0xb1, - 0xe8, 0x70, 0xcb, 0x95, 0x92, 0x64, 0xfa, 0x2f, 0x0b, 0xf2, 0x44, 0x74, 0x98, 0x4f, 0x61, 0xbc, - 0xc0, 0x0d, 0xae, 0x49, 0xdb, 0x5f, 0x33, 0xa7, 0x10, 0xbd, 0xc9, 0xcd, 0x2b, 0x76, 0xa1, 
0x58, - 0xf8, 0x07, 0xbf, 0x83, 0xb8, 0x4f, 0x39, 0x76, 0x09, 0x23, 0xac, 0xc9, 0x2a, 0x74, 0x69, 0x90, - 0x85, 0xf9, 0xe4, 0xea, 0xac, 0xf8, 0xda, 0xb1, 0xe8, 0x9d, 0xa2, 0xb7, 0xf1, 0xf7, 0x00, 0x8e, - 0x05, 0xbe, 0x28, 0x47, 0x56, 0x92, 0xd2, 0xf5, 0xac, 0x26, 0xdb, 0xb0, 0x29, 0xc4, 0xae, 0x1f, - 0xfa, 0xc7, 0xa4, 0x4f, 0x23, 0x3b, 0x87, 0xd8, 0x48, 0x8b, 0x35, 0x2d, 0x55, 0xb9, 0x2b, 0x39, - 0xf6, 0xc4, 0xbc, 0x6c, 0x45, 0x67, 0x54, 0x55, 0x61, 0x2b, 0x86, 0x5e, 0xf4, 0xc4, 0xbc, 0x64, - 0x47, 0x10, 0x12, 0x6d, 0xd2, 0x41, 0x16, 0xe4, 0x91, 0x68, 0x21, 0xe3, 0xf0, 0xbf, 0x5a, 0x2d, - 0xf7, 0x09, 0x97, 0x46, 0x59, 0x98, 0xc7, 0x62, 0x52, 0xad, 0x16, 0xbb, 0x90, 0xe3, 0x4f, 0x70, - 0x72, 0x58, 0x5d, 0xa1, 0x63, 0xb7, 0x87, 0x4b, 0xb8, 0xf8, 0x5e, 0xfd, 0xc7, 0x77, 0xf7, 0xdb, - 0x78, 0x18, 0x3f, 0x0f, 0xbd, 0x69, 0x35, 0xec, 0x4e, 0x7c, 0xfd, 0x11, 0x00, 0x00, 0xff, 0xff, - 0x5e, 0x49, 0x69, 0x0f, 0xf2, 0x01, 0x00, 0x00, -} diff --git a/wlapi/workload.pb.go b/wlapi/workload.pb.go deleted file mode 100644 index 4c70689b..00000000 --- a/wlapi/workload.pb.go +++ /dev/null 
@@ -1,289 +0,0 @@ -// Code generated by protoc-gen-go. DO NOT EDIT. -// source: workload.proto - -/* -Package workload is a generated protocol buffer package. - -It is generated from these files: - workload.proto - -It has these top-level messages: - Bundles - WorkloadEntry - SpiffeID - Empty -*/ -package workload - -import proto "github.com/golang/protobuf/proto" -import fmt "fmt" -import math "math" - -import ( - context "golang.org/x/net/context" - grpc "google.golang.org/grpc" -) - -// Reference imports to suppress errors if they are not otherwise used. -var _ = proto.Marshal -var _ = fmt.Errorf -var _ = math.Inf - -// This is a compile-time assertion to ensure that this generated file -// is compatible with the proto package it is being compiled against. -// A compilation error at this line likely means your copy of the -// proto package needs to be updated. -const _ = proto.ProtoPackageIsVersion2 // please upgrade the proto package - -// The Bundles message carries a group of workload SVIDs and their -// associated information. It also carries a TTL to inform the workload -// when it should check back next. -type Bundles struct { - Bundles []*WorkloadEntry `protobuf:"bytes,1,rep,name=bundles" json:"bundles,omitempty"` - Ttl int32 `protobuf:"varint,2,opt,name=ttl" json:"ttl,omitempty"` -} - -func (m *Bundles) Reset() { *m = Bundles{} } -func (m *Bundles) String() string { return proto.CompactTextString(m) } -func (*Bundles) ProtoMessage() {} -func (*Bundles) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{0} } - -func (m *Bundles) GetBundles() []*WorkloadEntry { - if m != nil { - return m.Bundles - } - return nil -} - -func (m *Bundles) GetTtl() int32 { - if m != nil { - return m.Ttl - } - return 0 -} - -// The WorkloadEntry message carries a single SVID and all associated -// information, including CA bundles. 
All `bytes` types are ASN.1 DER encoded -type WorkloadEntry struct { - // The SPIFFE ID of the SVID in this entry - SpiffeId string `protobuf:"bytes,1,opt,name=spiffe_id,json=spiffeId" json:"spiffe_id,omitempty"` - // The SVID itself - Svid []byte `protobuf:"bytes,2,opt,name=svid,proto3" json:"svid,omitempty"` - // The SVID private key - SvidPrivateKey []byte `protobuf:"bytes,3,opt,name=svid_private_key,json=svidPrivateKey,proto3" json:"svid_private_key,omitempty"` - // CA certificates belonging to the SVID - SvidBundle []byte `protobuf:"bytes,4,opt,name=svid_bundle,json=svidBundle,proto3" json:"svid_bundle,omitempty"` - // CA certificates that the workload should trust, mapped - // by the trust domain of the external authority - FederatedBundles map[string][]byte `protobuf:"bytes,5,rep,name=federated_bundles,json=federatedBundles" json:"federated_bundles,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value,proto3"` -} - -func (m *WorkloadEntry) Reset() { *m = WorkloadEntry{} } -func (m *WorkloadEntry) String() string { return proto.CompactTextString(m) } -func (*WorkloadEntry) ProtoMessage() {} -func (*WorkloadEntry) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{1} } - -func (m *WorkloadEntry) GetSpiffeId() string { - if m != nil { - return m.SpiffeId - } - return "" -} - -func (m *WorkloadEntry) GetSvid() []byte { - if m != nil { - return m.Svid - } - return nil -} - -func (m *WorkloadEntry) GetSvidPrivateKey() []byte { - if m != nil { - return m.SvidPrivateKey - } - return nil -} - -func (m *WorkloadEntry) GetSvidBundle() []byte { - if m != nil { - return m.SvidBundle - } - return nil -} - -func (m *WorkloadEntry) GetFederatedBundles() map[string][]byte { - if m != nil { - return m.FederatedBundles - } - return nil -} - -// The SpiffeID message carries only a SPIFFE ID -type SpiffeID struct { - Id string `protobuf:"bytes,1,opt,name=id" json:"id,omitempty"` -} - -func (m *SpiffeID) Reset() { *m = SpiffeID{} } -func (m 
*SpiffeID) String() string { return proto.CompactTextString(m) } -func (*SpiffeID) ProtoMessage() {} -func (*SpiffeID) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{2} } - -func (m *SpiffeID) GetId() string { - if m != nil { - return m.Id - } - return "" -} - -// Represents a message with no fields -type Empty struct { -} - -func (m *Empty) Reset() { *m = Empty{} } -func (m *Empty) String() string { return proto.CompactTextString(m) } -func (*Empty) ProtoMessage() {} -func (*Empty) Descriptor() ([]byte, []int) { return fileDescriptor0, []int{3} } - -func init() { - proto.RegisterType((*Bundles)(nil), "spire.api.workload.Bundles") - proto.RegisterType((*WorkloadEntry)(nil), "spire.api.workload.WorkloadEntry") - proto.RegisterType((*SpiffeID)(nil), "spire.api.workload.SpiffeID") - proto.RegisterType((*Empty)(nil), "spire.api.workload.Empty") -} - -// Reference imports to suppress errors if they are not otherwise used. -var _ context.Context -var _ grpc.ClientConn - -// This is a compile-time assertion to ensure that this generated file -// is compatible with the grpc package it is being compiled against. -const _ = grpc.SupportPackageIsVersion4 - -// Client API for Workload service - -type WorkloadClient interface { - // Fetch bundles for the SVID with the given SPIFFE ID - FetchBundles(ctx context.Context, in *SpiffeID, opts ...grpc.CallOption) (*Bundles, error) - // Fetch all bundles the workload is entitled to - FetchAllBundles(ctx context.Context, in *Empty, opts ...grpc.CallOption) (*Bundles, error) -} - -type workloadClient struct { - cc *grpc.ClientConn -} - -func NewWorkloadClient(cc *grpc.ClientConn) WorkloadClient { - return &workloadClient{cc} -} - -func (c *workloadClient) FetchBundles(ctx context.Context, in *SpiffeID, opts ...grpc.CallOption) (*Bundles, error) { - out := new(Bundles) - err := grpc.Invoke(ctx, "/spire.api.workload.Workload/FetchBundles", in, out, c.cc, opts...) 
- if err != nil { - return nil, err - } - return out, nil -} - -func (c *workloadClient) FetchAllBundles(ctx context.Context, in *Empty, opts ...grpc.CallOption) (*Bundles, error) { - out := new(Bundles) - err := grpc.Invoke(ctx, "/spire.api.workload.Workload/FetchAllBundles", in, out, c.cc, opts...) - if err != nil { - return nil, err - } - return out, nil -} - -// Server API for Workload service - -type WorkloadServer interface { - // Fetch bundles for the SVID with the given SPIFFE ID - FetchBundles(context.Context, *SpiffeID) (*Bundles, error) - // Fetch all bundles the workload is entitled to - FetchAllBundles(context.Context, *Empty) (*Bundles, error) -} - -func RegisterWorkloadServer(s *grpc.Server, srv WorkloadServer) { - s.RegisterService(&_Workload_serviceDesc, srv) -} - -func _Workload_FetchBundles_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(SpiffeID) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(WorkloadServer).FetchBundles(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: "/spire.api.workload.Workload/FetchBundles", - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(WorkloadServer).FetchBundles(ctx, req.(*SpiffeID)) - } - return interceptor(ctx, in, info, handler) -} - -func _Workload_FetchAllBundles_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { - in := new(Empty) - if err := dec(in); err != nil { - return nil, err - } - if interceptor == nil { - return srv.(WorkloadServer).FetchAllBundles(ctx, in) - } - info := &grpc.UnaryServerInfo{ - Server: srv, - FullMethod: "/spire.api.workload.Workload/FetchAllBundles", - } - handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return 
srv.(WorkloadServer).FetchAllBundles(ctx, req.(*Empty)) - } - return interceptor(ctx, in, info, handler) -} - -var _Workload_serviceDesc = grpc.ServiceDesc{ - ServiceName: "spire.api.workload.Workload", - HandlerType: (*WorkloadServer)(nil), - Methods: []grpc.MethodDesc{ - { - MethodName: "FetchBundles", - Handler: _Workload_FetchBundles_Handler, - }, - { - MethodName: "FetchAllBundles", - Handler: _Workload_FetchAllBundles_Handler, - }, - }, - Streams: []grpc.StreamDesc{}, - Metadata: "workload.proto", -} - -func init() { proto.RegisterFile("workload.proto", fileDescriptor0) } - -var fileDescriptor0 = []byte{ - // 345 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x84, 0x52, 0x41, 0x4f, 0xf2, 0x40, - 0x14, 0x4c, 0x0b, 0xfd, 0x28, 0x0f, 0x3e, 0xc4, 0x17, 0x4d, 0x2a, 0x98, 0x88, 0x3d, 0xf5, 0xd4, - 0x03, 0x1e, 0x34, 0x7a, 0x12, 0x85, 0x84, 0x78, 0x31, 0xf5, 0xa0, 0xf1, 0x42, 0x8a, 0xbb, 0x8d, - 0x1b, 0x2a, 0x6d, 0xb6, 0x0b, 0xa6, 0xff, 0xc6, 0x5f, 0xe1, 0xef, 0x33, 0xbb, 0xdb, 0x35, 0x51, - 0x1b, 0x3d, 0x75, 0x3a, 0x6f, 0xde, 0xcb, 0xcc, 0xb4, 0xd0, 0x7b, 0xcd, 0xf8, 0x2a, 0xcd, 0x62, - 0x12, 0xe6, 0x3c, 0x13, 0x19, 0x62, 0x91, 0x33, 0x4e, 0xc3, 0x38, 0x67, 0xa1, 0x99, 0xf8, 0x0f, - 0xd0, 0x9a, 0x6c, 0xd6, 0x24, 0xa5, 0x05, 0x5e, 0x40, 0x6b, 0xa9, 0xa1, 0x67, 0x8d, 0x1a, 0x41, - 0x67, 0x7c, 0x1c, 0xfe, 0x5c, 0x08, 0xef, 0x2b, 0x30, 0x5d, 0x0b, 0x5e, 0x46, 0x66, 0x03, 0xfb, - 0xd0, 0x10, 0x22, 0xf5, 0xec, 0x91, 0x15, 0x38, 0x91, 0x84, 0xfe, 0xbb, 0x0d, 0xff, 0xbf, 0x88, - 0x71, 0x08, 0xed, 0x22, 0x67, 0x49, 0x42, 0x17, 0x8c, 0x78, 0xd6, 0xc8, 0x0a, 0xda, 0x91, 0xab, - 0x89, 0x39, 0x41, 0x84, 0x66, 0xb1, 0x65, 0x44, 0x5d, 0xe8, 0x46, 0x0a, 0x63, 0x00, 0x7d, 0xf9, - 0x5c, 0xe4, 0x9c, 0x6d, 0x63, 0x41, 0x17, 0x2b, 0x5a, 0x7a, 0x0d, 0x35, 0xef, 0x49, 0xfe, 0x56, - 0xd3, 0x37, 0xb4, 0xc4, 0x23, 0xe8, 0x28, 0xa5, 0xb6, 0xe3, 0x35, 0x95, 0x08, 0x24, 0xa5, 0xd3, - 0x21, 0x81, 0xdd, 0x84, 0x12, 0xca, 0x63, 0x41, 0x8d, 
0xaa, 0xf0, 0x1c, 0x15, 0xf3, 0xf4, 0xcf, - 0x98, 0xe1, 0xcc, 0xac, 0x56, 0x5d, 0xe9, 0xf0, 0xfd, 0xe4, 0x1b, 0x3d, 0xb8, 0x82, 0xfd, 0x5a, - 0xa9, 0xac, 0x47, 0x9a, 0xd7, 0xa1, 0x25, 0xc4, 0x3d, 0x70, 0xb6, 0x71, 0xba, 0xa1, 0x55, 0x60, - 0xfd, 0x72, 0x6e, 0x9f, 0x59, 0xfe, 0x00, 0xdc, 0x3b, 0xdd, 0xca, 0x35, 0xf6, 0xc0, 0xfe, 0xec, - 0xca, 0x66, 0xc4, 0x6f, 0x81, 0x33, 0x7d, 0xc9, 0x45, 0x39, 0x7e, 0xb3, 0xc0, 0x35, 0x1e, 0x71, - 0x0e, 0xdd, 0x19, 0x15, 0x4f, 0xcf, 0xe6, 0x4b, 0x1e, 0xd6, 0x25, 0x32, 0x37, 0x07, 0xc3, 0xba, - 0xa9, 0x59, 0x9d, 0xc3, 0x8e, 0x3a, 0x75, 0x99, 0xa6, 0x86, 0x3a, 0xa8, 0xd3, 0x2b, 0x17, 0xbf, - 0x9e, 0x9a, 0xc0, 0xa3, 0x6b, 0xb8, 0xe5, 0x3f, 0xf5, 0x07, 0x9e, 0x7c, 0x04, 0x00, 0x00, 0xff, - 0xff, 0xf4, 0xb1, 0x0c, 0xd1, 0x93, 0x02, 0x00, 0x00, -}