Merge pull request #85 from hug-dev/new-spiffe

Add SPIFFE authentication via the new crate

Author: hug-dev

Cargo.toml

@@ -19,10 +19,12 @@ derivative = "2.1.1"
 zeroize = "1.1.0"
 users = "0.10.0"
 url = "2.2.0"
+spiffe = { version = "0.1.1", optional = true }
 
 [dev-dependencies]
 mockstream = "0.0.3"
 
 [features]
 default = []
+spiffe-auth = ["spiffe"]
 testing = ["parsec-interface/testing"]

README.md

@@ -9,7 +9,8 @@
 This repository contains a Rust client for consuming the API provided by the [Parsec service](https://github.com/parallaxsecond/parsec).
 The low-level functionality that this library uses for IPC is implemented in the [interface crate](https://github.com/parallaxsecond/parsec-interface-rs).
 
-Check out the `spiffe` branch for JWT SVID authentication feature.
+When using the JWT-SVID authentication method, the client will expect the `SPIFFE_ENDPOINT_SOCKET` environment variable to contain the path of the Workload API endpoint.
+See the [SPIFFE Workload Endpoint](https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Workload_Endpoint.md#4-locating-the-endpoint) for more information.
 
 ## Locating the Parsec endpoint
 

src/auth.rs

@@ -21,6 +21,11 @@ pub enum Authentication {
     /// Used for authentication via Peer Credentials provided by Unix
     /// operating systems for Domain Socket connections.
     UnixPeerCredentials,
+    /// Authentication using JWT SVID tokens. The will fetch its JWT-SVID and pass it in the
+    /// Authentication field. The socket endpoint is found through the SPIFFE_ENDPOINT_SOCKET
+    /// environment variable.
+    #[cfg(feature = "spiffe-auth")]
+    JwtSvid,
 }
 
 impl Authentication {
@@ -30,6 +35,8 @@ impl Authentication {
             Authentication::None => AuthType::NoAuth,
             Authentication::Direct(_) => AuthType::Direct,
             Authentication::UnixPeerCredentials => AuthType::UnixPeerCredentials,
+            #[cfg(feature = "spiffe-auth")]
+            Authentication::JwtSvid => AuthType::JwtSvid,
         }
     }
 }
@@ -45,6 +52,20 @@ impl TryFrom<&Authentication> for RequestAuth {
                 let current_uid = users::get_current_uid();
                 Ok(RequestAuth::new(current_uid.to_le_bytes().to_vec()))
             }
+            #[cfg(feature = "spiffe-auth")]
+            Authentication::JwtSvid => {
+                use crate::error::ClientErrorKind;
+                use log::error;
+                use spiffe::workload_api::client::WorkloadApiClient;
+
+                let client = WorkloadApiClient::default().unwrap();
+                let token = client.fetch_jwt_token(&["parsec"], None).map_err(|e| {
+                    error!("Error while fetching the JWT-SVID ({}).", e);
+                    Error::Client(ClientErrorKind::Spiffe(e))
+                })?;
+
+                Ok(RequestAuth::new(token.as_bytes().into()))
+            }
         }
     }
 }
@@ -57,6 +78,8 @@ impl PartialEq for Authentication {
             (Authentication::Direct(app_name), Authentication::Direct(other_app_name)) => {
                 app_name == other_app_name
             }
+            #[cfg(feature = "spiffe-auth")]
+            (Authentication::JwtSvid, Authentication::JwtSvid) => true,
             _ => false,
         }
     }

src/core/basic_client.rs

@@ -263,6 +263,8 @@ impl BasicClient {
                 AuthType::UnixPeerCredentials => {
                     self.auth_data = Authentication::UnixPeerCredentials
                 }
+                #[cfg(feature = "spiffe-auth")]
+                AuthType::JwtSvid => self.auth_data = Authentication::JwtSvid,
                 auth => {
                     warn!(
                         "Authenticator of type \"{:?}\" not supported by this client library",

src/error.rs

@@ -48,6 +48,9 @@ pub enum ClientErrorKind {
     InvalidSocketAddress,
     /// The socket URL is invalid
     InvalidSocketUrl,
+    /// Error while using the SPIFFE Workload API
+    #[cfg(feature = "spiffe-auth")]
+    Spiffe(spiffe::workload_api::client::ClientError),
 }
 
 impl From<ClientErrorKind> for Error {
@@ -80,6 +83,8 @@ impl fmt::Display for ClientErrorKind {
             ClientErrorKind::NotFound => write!(f, "one of the resources required in the operation was not found"),
             ClientErrorKind::InvalidSocketAddress => write!(f, "the socket address provided in the URL is not valid"),
             ClientErrorKind::InvalidSocketUrl => write!(f, "the socket URL is invalid"),
+            #[cfg(feature = "spiffe-auth")]
+            ClientErrorKind::Spiffe(error) => error.fmt(f),
         }
     }
 }

tests/ci.sh

@@ -13,6 +13,7 @@ set -euf -o pipefail
 ################
 RUST_BACKTRACE=1 cargo build
 RUST_BACKTRACE=1 cargo build --features testing
+RUST_BACKTRACE=1 cargo build --features spiffe-auth
 RUST_BACKTRACE=1 cargo build --no-default-features
 
 #################