Adds check for SPIFFEID of client (#125)

Author: jsnctl

workloads/ping-pong/ping-pong-server/main.go

@@ -12,6 +12,7 @@ import (
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/prometheus/client_golang/prometheus/promauto"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
+	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	"github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig"
 	"github.com/spiffe/go-spiffe/v2/workloadapi"
 )
@@ -70,6 +71,18 @@ type Env struct {
 	MetricsPort      string
 	SpiffeSocketPath string
 	MetricsEnabled   bool
+	// ClientSPIFFEID is the expected SPIFFEID of the
+	// client making inbound requests to this server
+	ClientSPIFFEID string
+}
+
+func mustGetEnv(variable string) string {
+	v, ok := os.LookupEnv(variable)
+	if !ok {
+		slog.Error("Unset environment variable", "variable", variable)
+		os.Exit(1)
+	}
+	return v
 }
 
 func getEnvWithDefault(variable string, defaultValue string) string {
@@ -99,6 +112,7 @@ func getEnv() *Env {
 		MetricsPort:      getEnvWithDefault("METRICS_PORT", ":8080"),
 		SpiffeSocketPath: getEnvWithDefault("SPIFFE_ENDPOINT_SOCKET", "unix:///spiffe-workload-api/spire-agent.sock"),
 		MetricsEnabled:   getEnvBooleanWithDefault("METRICS_ENABLED", true),
+		ClientSPIFFEID:   mustGetEnv("CLIENT_SPIFFE_ID"),
 	}
 }
 
@@ -132,7 +146,16 @@ func run(ctx context.Context, env *Env) error {
 		svidURISAN.WithLabelValues(svid.ID.String()).Set(1)
 	}
 
-	tlsConfig := tlsconfig.MTLSServerConfig(source, source, tlsconfig.AuthorizeAny())
+	// Only authorize inbound calls from the expected client SPIFFE IDs
+	clientSPIFFEID, err := spiffeid.FromString(env.ClientSPIFFEID)
+	if err != nil {
+		return fmt.Errorf("failed to parse client SPIFFE ID: %w", err)
+	}
+	tlsConfig := tlsconfig.MTLSServerConfig(
+		source,
+		source,
+		tlsconfig.AuthorizeID(clientSPIFFEID),
+	)
 	server := &http.Server{
 		Addr:              env.Port,
 		TLSConfig:         tlsConfig,