package federation
import "github.com/spiffe/go-spiffe/v2/federation"
Index ¶
- func FetchBundle(ctx context.Context, trustDomain spiffeid.TrustDomain, url string, option ...FetchOption) (*spiffebundle.Bundle, error)
- func Handler(trustDomain spiffeid.TrustDomain, source spiffebundle.Source, log logger.Logger) http.Handler
- func WatchBundle(ctx context.Context, trustDomain spiffeid.TrustDomain, url string, watcher BundleWatcher, options ...FetchOption) error
- type BundleWatcher
- type FetchOption
Examples ¶
- FetchBundle (SPIFFEAuth)
- FetchBundle (WebPKI)
- Handler (SPIFFEAuth)
- Handler (WebPKI)
- WatchBundle (SPIFFEAuth)
- WatchBundle (WebPKI)
Functions ¶
func FetchBundle ¶
func FetchBundle(ctx context.Context, trustDomain spiffeid.TrustDomain, url string, option ...FetchOption) (*spiffebundle.Bundle, error)
FetchBundle retrieves a bundle from a bundle endpoint.
Code:play
Code:play
Example (SPIFFEAuth)¶
package main
import (
"context"
"github.com/spiffe/go-spiffe/v2/bundle/spiffebundle"
"github.com/spiffe/go-spiffe/v2/federation"
"github.com/spiffe/go-spiffe/v2/spiffeid"
)
func main() {
// Obtain a bundle from the example.org trust domain from a server hosted
// at https://example.org/bundle with the
// spiffe://example.org/bundle-server SPIFFE ID.
endpointURL := "https://example.org:8443/bundle"
trustDomain, err := spiffeid.TrustDomainFromString("example.org")
if err != nil {
// TODO: handle error
}
serverID := trustDomain.NewID("bundle-server")
bundle, err := spiffebundle.Load(trustDomain, "bundle.json")
if err != nil {
// TODO: handle error
}
bundleSet := spiffebundle.NewSet(bundle)
bundleSet.Add(bundle)
updatedBundle, err := federation.FetchBundle(context.TODO(), trustDomain, endpointURL,
federation.WithSPIFFEAuth(bundleSet, serverID))
if err != nil {
// TODO: handle error
}
// TODO: use bundle, e.g. replace the bundle in the bundle set so it can
// be used to fetch the next bundle.
bundleSet.Add(updatedBundle)
}
Example (WebPKI)¶
package main
import (
"context"
"github.com/spiffe/go-spiffe/v2/federation"
"github.com/spiffe/go-spiffe/v2/spiffeid"
)
func main() {
endpointURL := "https://example.org:8443/bundle"
trustDomain, err := spiffeid.TrustDomainFromString("example.org")
if err != nil {
// TODO: handle error
}
bundle, err := federation.FetchBundle(context.TODO(), trustDomain, endpointURL)
if err != nil {
// TODO: handle error
}
// TODO: use bundle
bundle = bundle
}
func Handler ¶
func Handler(trustDomain spiffeid.TrustDomain, source spiffebundle.Source, log logger.Logger) http.Handler
Handler is an HTTP handler that returns the JSON encoded bundle for the
given trust domain the SPIFFE Trust Domain and Bundle specification. The
bundle source is used to obtain the bundle on each request. Source
implementations should consider a caching strategy if retrieval is
expensive.
See the specification for more details:
https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md
Code:play
Code:play
Example (SPIFFEAuth)¶
package main
import (
"context"
"net/http"
"github.com/spiffe/go-spiffe/v2/federation"
"github.com/spiffe/go-spiffe/v2/logger"
"github.com/spiffe/go-spiffe/v2/spiffeid"
"github.com/spiffe/go-spiffe/v2/spiffetls/tlsconfig"
"github.com/spiffe/go-spiffe/v2/workloadapi"
)
func main() {
trustDomain, err := spiffeid.TrustDomainFromString("example.org")
if err != nil {
// TODO: handle error
}
// Create an X.509 source for obtaining the server X509-SVID
x509Source, err := workloadapi.NewX509Source(context.TODO())
if err != nil {
// TODO: handle error
}
defer x509Source.Close()
// Create a bundle source for obtaining the bundle for the trust domain
bundleSource, err := workloadapi.NewBundleSource(context.TODO())
if err != nil {
// TODO: handle error
}
defer bundleSource.Close()
server := http.Server{
Addr: ":8443",
Handler: federation.Handler(trustDomain, bundleSource, logger.Null),
TLSConfig: tlsconfig.TLSServerConfig(x509Source),
}
if err := server.ListenAndServeTLS("", ""); err != nil {
// TODO: handle error
}
}
Example (WebPKI)¶
package main
import (
"context"
"net/http"
"github.com/spiffe/go-spiffe/v2/federation"
"github.com/spiffe/go-spiffe/v2/logger"
"github.com/spiffe/go-spiffe/v2/spiffeid"
"github.com/spiffe/go-spiffe/v2/workloadapi"
)
func main() {
trustDomain, err := spiffeid.TrustDomainFromString("example.org")
if err != nil {
// TODO: handle error
}
bundleSource, err := workloadapi.NewBundleSource(context.TODO())
if err != nil {
// TODO: handle error
}
defer bundleSource.Close()
handler := federation.Handler(trustDomain, bundleSource, logger.Null)
if err := http.ListenAndServeTLS(":8443", "cert.pem", "key.pem", handler); err != nil {
// TODO: handle error
}
}
func WatchBundle ¶
func WatchBundle(ctx context.Context, trustDomain spiffeid.TrustDomain, url string, watcher BundleWatcher, options ...FetchOption) error
WatchBundle watches a bundle on a bundle endpoint. It returns when the
context is canceled, returning ctx.Err().
Code:play
Code:play
Example (SPIFFEAuth)¶
package main
import (
"context"
"github.com/spiffe/go-spiffe/v2/bundle/spiffebundle"
"github.com/spiffe/go-spiffe/v2/federation"
"github.com/spiffe/go-spiffe/v2/spiffeid"
)
func main() {
// Watch for bundle updates from the example.org trust domain from a server
// hosted at https://example.org/bundle with the
// spiffe://example.org/bundle-server SPIFFE ID.
endpointURL := "https://example.org:8443/bundle"
trustDomain, err := spiffeid.TrustDomainFromString("example.org")
if err != nil {
// TODO: handle error
}
serverID := trustDomain.NewID("bundle-server")
bundle, err := spiffebundle.Load(trustDomain, "bundle.json")
if err != nil {
// TODO: handle error
}
bundleSet := spiffebundle.NewSet(bundle)
bundleSet.Add(bundle)
// TODO: When implementing the watcher's OnUpdate, replace the bundle for
// the trust domain in the bundle set so the next connection uses the
// updated bundle.
var watcher federation.BundleWatcher
err = federation.WatchBundle(context.TODO(), trustDomain, endpointURL,
watcher, federation.WithSPIFFEAuth(bundleSet, serverID))
if err != nil {
// TODO: handle error
}
}
Example (WebPKI)¶
package main
import (
"context"
"github.com/spiffe/go-spiffe/v2/federation"
"github.com/spiffe/go-spiffe/v2/spiffeid"
)
func main() {
endpointURL := "https://example.org:8443/bundle"
trustDomain, err := spiffeid.TrustDomainFromString("example.org")
if err != nil {
// TODO: handle error
}
var watcher federation.BundleWatcher
err = federation.WatchBundle(context.TODO(), trustDomain, endpointURL, watcher)
if err != nil {
// TODO: handle error
}
}
Types ¶
type BundleWatcher ¶
type BundleWatcher interface {
// NextRefresh is called by WatchBundle to determine when the next refresh
// should take place. A refresh hint is provided, which can be zero, meaning
// the watcher is free to choose its own refresh cadence. If the refresh hint
// is greater than zero, the watcher SHOULD return a next refresh time at or
// below that to ensure the bundle stays up-to-date.
NextRefresh(refreshHint time.Duration) time.Duration
// OnUpdate is called when a bundle has been updated. If a bundle is
// fetched but has not changed from the previously fetched bundle, OnUpdate
// will not be called. This function is called synchronously by WatchBundle
// and therefore should have a short execution time to prevent blocking the
// watch.
OnUpdate(*spiffebundle.Bundle)
// OnError is called if there is an error fetching the bundle from the
// endpoint. This function is called synchronously by WatchBundle
// and therefore should have a short execution time to prevent blocking the
// watch.
OnError(err error)
}
BundleWatcher is used by WatchBundle to provide the caller with bundle updates and control the next refresh time.
type FetchOption ¶
type FetchOption interface {
// contains filtered or unexported methods
}
FetchOption is an option used when dialing the bundle endpoint.
func WithSPIFFEAuth ¶
func WithSPIFFEAuth(bundleSource x509bundle.Source, endpointID spiffeid.ID) FetchOption
WithSPIFFEAuth authenticates the bundle endpoint with SPIFFE authentication using the provided root store. It validates that the endpoint presents the expected SPIFFE ID. This option cannot be used in conjuntion with WithWebPKIRoots option.
func WithWebPKIRoots ¶
func WithWebPKIRoots(rootCAs *x509.CertPool) FetchOption
WithWebPKIRoots authenticates the bundle endpoint using Web PKI authentication using the provided X.509 root certificates instead of the system ones. This option cannot be used in conjuntion with WithSPIFFEAuth option.
Source Files ¶
- Version
- v2.0.0-beta.1
- Published
- Aug 27, 2020
- Platform
- js/wasm
- Imports
- 12 packages
- Last checked
- 12 hours ago –
Tools for package owners.