Add delegated identity API support to spire-api package (#43)

Signed-off-by: Eitan Yarmush <eitan.yarmush@solo.io>

.github/workflows/ci.yml

@@ -37,6 +37,7 @@ jobs:
     runs-on: ubuntu-latest
     env:
       SPIFFE_ENDPOINT_SOCKET: unix:/tmp/spire-agent/public/api.sock
+      SPIRE_ADMIN_ENDPOINT_SOCKET: unix:/tmp/spire-agent/admin/api.sock
     needs: build
     steps:
       - name: Check out code

scripts/agent.conf

@@ -0,0 +1,32 @@
+agent {
+    data_dir = "./data/agent"
+    log_level = "DEBUG"
+    trust_domain = "example.org"
+    server_address = "localhost"
+    server_port = 8081
+
+    # Insecure bootstrap is NOT appropriate for production use but is ok for 
+    # simple testing/evaluation purposes.
+    insecure_bootstrap = true
+
+    admin_socket_path = "$STRIPPED_SPIRE_ADMIN_ENDPOINT_SOCKET"
+    authorized_delegates = [
+      "spiffe://example.org/myservice",
+    ]
+}
+
+plugins {
+   KeyManager "disk" {
+        plugin_data {
+            directory = "./data/agent"
+        }
+    }
+
+    NodeAttestor "join_token" {
+        plugin_data {}
+    }
+
+    WorkloadAttestor "unix" {
+        plugin_data {}
+    }
+}

scripts/run-spire.sh

@@ -1,5 +1,7 @@
 #!/usr/bin/env bash
 
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
 # Constants
 spire_version="1.7.1"
 spire_folder="spire-${spire_version}"
@@ -35,6 +37,9 @@ mkdir -p /tmp/spire-server
 bin/spire-server run -config conf/server/server.conf > "${spire_server_log_file}" 2>&1 &
 wait_for_service "bin/spire-server healthcheck" "SPIRE Server" "${spire_server_log_file}"
 
+export STRIPPED_SPIRE_ADMIN_ENDPOINT_SOCKET=$(echo $SPIRE_ADMIN_ENDPOINT_SOCKET| cut -c6-)
+cat $SCRIPT_DIR/agent.conf | envsubst > "conf/agent/agent.conf"
+
 # Run the SPIRE agent with the joint token
 bin/spire-server token generate -spiffeID ${agent_id} > token
 cut -d ' ' -f 2 token > token_stripped
@@ -48,4 +53,13 @@ for service in "myservice" "myservice2"; do
   sleep 10  # Derived from the default Agent sync interval
 done
 
+
+uid=$(id -u)
+# The UID in the test has to match this, so take the current UID and add 1
+uid_plus_one=$((uid + 1))
+# Register a different UID with the SPIFFE ID "spiffe://example.org/different-process" with a TTL of 5 seconds
+bin/spire-server entry create -parentID ${agent_id} -spiffeID spiffe://example.org/different-process -selector unix:uid:${uid_plus_one} -ttl 5
+sleep 10
+
+
 popd

spiffe/src/workload_api/client.rs

@@ -366,7 +366,7 @@ impl WorkloadApiClient {
             .get(DEFAULT_SVID)
             .ok_or(ClientError::EmptyResponse)
             .and_then(|r| {
-                JwtSvid::from_str(&r.svid).map_err(|err| ClientError::InvalidJwtSvid(err))
+                JwtSvid::from_str(&r.svid).map_err(ClientError::InvalidJwtSvid)
             })
     }
 

spire-api/Cargo.toml

@@ -15,12 +15,17 @@ categories = ["cryptography"]
 keywords = ["SPIFFE", "SPIRE"]
 
 [dependencies]
-spiffe = { version = "0.3.1", path = "../spiffe" }
+bytes = { version = "1", features = ["serde"] }
+spiffe = { path = "../spiffe" }
 tonic = { version = "0.9", default-features = false, features = ["prost", "codegen", "transport"]}
 prost = { version = "0.11"}
 prost-types = {version = "0.11"}
+tokio = { "version" = "1", features = ["net", "test-util"]}
+tokio-stream = "0.1"
+tower = { version = "0.4", features = ["util"] }
 
 [dev-dependencies]
+once_cell = "1.18"
 
 [build-dependencies]
 tonic-build = { version = "0.9", default-features = false, features = ["prost"] }