From c79f6daa69cde0691462d60b98cdd94be2da8e1b Mon Sep 17 00:00:00 2001 From: Adriano Santos Date: Tue, 9 Jul 2024 16:28:01 -0300 Subject: [PATCH 1/4] Initial spiffe implementation --- compile-pb.sh | 56 +- lib/actors/config/persistent_term_config.ex | 3 + lib/actors/security/spiffe/client.ex | 42 + .../security/spiffe/workload/workload.pb.ex | 1014 +++++++++++++++++ priv/protos/spiffe/workload.proto | 167 +++ 5 files changed, 1255 insertions(+), 27 deletions(-) create mode 100644 lib/actors/security/spiffe/client.ex create mode 100644 lib/actors/security/spiffe/workload/workload.pb.ex create mode 100644 priv/protos/spiffe/workload.proto diff --git a/compile-pb.sh b/compile-pb.sh index 787be7f1..2a36fd66 100755 --- a/compile-pb.sh +++ b/compile-pb.sh @@ -4,7 +4,7 @@ set -o nounset set -o errexit set -o pipefail -protoc --elixir_out=gen_descriptors=true,plugins=grpc:./lib/spawn/grpc --proto_path=priv/protos/grpc/ priv/protos/grpc/reflection/v1alpha/reflection.proto +#protoc --elixir_out=gen_descriptors=true,plugins=grpc:./lib/spawn/grpc --proto_path=priv/protos/grpc/ priv/protos/grpc/reflection/v1alpha/reflection.proto # protoc --elixir_out=gen_descriptors=true:./lib/spawn/google/protobuf --proto_path=priv/protos/google/protobuf priv/protos/google/protobuf/any.proto # protoc --elixir_out=gen_descriptors=true:./lib/spawn/google/protobuf --proto_path=priv/protos/google/protobuf priv/protos/google/protobuf/empty.proto 
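Review bot: Commenting out the reflection `protoc` invocation here, and the whole `PROTOS` loop in the next hunk, leaves `compile-pb.sh` regenerating only `workload.proto`, so the actor protocol and reflection stubs will silently go stale the next time the script is run. If the goal was to avoid touching unrelated generated files in this PR, add the spiffe invocation next to the existing commands rather than disabling them, or let the script take a proto path argument. The new line also drops the `--include-path` entries the loop used for `priv/protos/google/protobuf`, relying on `--proto_path=priv/protos` alone to resolve `import "google/protobuf/struct.proto"`; that works only if the file sits under `priv/protos/google/protobuf/`, which is worth confirming.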
@@ -26,29 +26,31 @@ protoc --elixir_out=gen_descriptors=true,plugins=grpc:./lib/spawn/grpc --proto_p #protoc --elixir_out=gen_descriptors=true:./lib/spawn/cloudevents --proto_path=priv/protos/io/cloudevents/v1 priv/protos/io/cloudevents/v1/spec.proto -PROTOS=(" - priv/protos/eigr/functions/protocol/actors/extensions.proto - priv/protos/eigr/functions/protocol/actors/actor.proto - priv/protos/eigr/functions/protocol/actors/protocol.proto - priv/protos/eigr/functions/protocol/actors/state.proto - priv/protos/eigr/functions/protocol/actors/healthcheck.proto -") - -BASE_PATH=`pwd` - -echo "Base protobuf path is: $BASE_PATH/priv/protos" - -for file in $PROTOS; do - echo "Compiling file $BASE_PATH/$file..." - - mix protobuf.generate \ - --output-path=./lib/spawn/actors \ - --include-docs=true \ - --generate-descriptors=true \ - --include-path=$BASE_PATH/priv/protos/ \ - --include-path=./priv/protos/google/protobuf \ - --include-path=./priv/protos/google/api \ - --plugins=ProtobufGenerate.Plugins.GRPCWithOptions \ - --one-file-per-module \ - $BASE_PATH/$file -done \ No newline at end of file +protoc --elixir_out=gen_descriptors=true,plugins=grpc:./lib/actors/security/spiffe/workload --proto_path=priv/protos priv/protos/spiffe/workload.proto + +# PROTOS=(" +# priv/protos/eigr/functions/protocol/actors/extensions.proto +# priv/protos/eigr/functions/protocol/actors/actor.proto +# priv/protos/eigr/functions/protocol/actors/protocol.proto +# priv/protos/eigr/functions/protocol/actors/state.proto +# priv/protos/eigr/functions/protocol/actors/healthcheck.proto +# ") + +# BASE_PATH=`pwd` + +# echo "Base protobuf path is: $BASE_PATH/priv/protos" + +# for file in $PROTOS; do +# echo "Compiling file $BASE_PATH/$file..." 
+
+# mix protobuf.generate \
+# --output-path=./lib/spawn/actors \
+# --include-docs=true \
+# --generate-descriptors=true \
+# --include-path=$BASE_PATH/priv/protos/ \
+# --include-path=./priv/protos/google/protobuf \
+# --include-path=./priv/protos/google/api \
+# --plugins=ProtobufGenerate.Plugins.GRPCWithOptions \
+# --one-file-per-module \
+# $BASE_PATH/$file
+# done
\ No newline at end of file
diff --git a/lib/actors/config/persistent_term_config.ex b/lib/actors/config/persistent_term_config.ex
index f19e54ca..4aaa2584 100644
--- a/lib/actors/config/persistent_term_config.ex
+++ b/lib/actors/config/persistent_term_config.ex
@@ -80,6 +80,9 @@ if Code.ensure_loaded?(:persistent_term) do
 {:ship_interval, "2"},
 {:ship_debounce, "2"},
 {:sync_interval, "2"},
+{:security_idp_spire_enabled, "true"},
+{:security_idp_spire_server_address, "spire-server.spire.svc.cluster.local"},
+{:security_idp_spire_server_port, "8081"},
 {:state_handoff_controller_adapter, "crdt"},
 {:state_handoff_manager_pool_size, "20"},
 {:state_handoff_manager_call_timeout, "60000"},
diff --git a/lib/actors/security/spiffe/client.ex b/lib/actors/security/spiffe/client.ex
new file mode 100644
index 00000000..e93fc0d4
--- /dev/null
+++ b/lib/actors/security/spiffe/client.ex
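Review bot: `security_idp_spire_enabled` defaults to `"true"`, which turns the SPIRE integration on for every deployment out of the box, yet nothing in this patch reads the flag — `Actors.Security.Spiffe.Client` connects unconditionally; an opt-in default of `"false"` would be the safer choice until the client honours it. The hard-coded `spire-server.spire.svc.cluster.local:8081` also deserves a second look: as far as I know `8081` is the SPIRE server's API port, whereas the Workload API the new client speaks is served by the SPIRE agent, usually over a Unix domain socket, so this default may never answer those RPCs. The enclosing defaults list starts and ends outside the hunk.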
@@ -0,0 +1,42 @@
+defmodule Actors.Security.Spiffe.Client do
+ use GRPC.Stub, service: Spiffe.Workload.SpiffeWorkloadAPI.Service
+
+ alias Actors.Config.PersistentTermConfig, as: Config
+
+ alias Spiffe.Workload.JWTSVIDRequest
+ alias Spiffe.Workload.X509SVIDRequest
+ alias Spiffe.Workload.ValidateJWTSVIDRequest
+
+ alias Spiffe.Workload.SpiffeWorkloadAPI.Stub, as: SpiffeStub
+
+ def fetch_x509_svid() do
+ # Replace with your SPIRE server address
+ url =
+ "#{Config.get(:security_idp_spire_server_address)}:#{Config.get(:security_idp_spire_server_port)}"
+
+ with {:connect, {:ok, channel}} <- {:connect, GRPC.Stub.connect(url)},
+ {:build_request, request} <- {:build_request, %X509SVIDRequest{}} do
+ SpiffeStub.fetch_x509_svid(channel, request)
+ else
+ {:connect, error} ->
+ {:error, error}
+
+ {:build_request, error} ->
+ {:error, error}
+ end
+ end
+
+ def fetch_jwt_svid(audience, spiffe_id \\ nil) do
+ # Replace with your SPIRE server address
+ {:ok, channel} = GRPC.Stub.connect("localhost:8081")
+ request = %JWTSVIDRequest{audience: audience, spiffe_id: spiffe_id}
+ SpiffeStub.fetch_jwtsvid(channel, request)
+ end
+
+ def validate_jwt_svid(audience, svid) do
+ # Replace with your SPIRE server address
+ {:ok, channel} = GRPC.Stub.connect("localhost:8081")
+ request = %ValidateJWTSVIDRequest{audience: audience, svid: svid}
+ SpiffeStub.validate_jwtsvid(channel, request)
+ end
+end
diff --git a/lib/actors/security/spiffe/workload/workload.pb.ex b/lib/actors/security/spiffe/workload/workload.pb.ex
new file mode 100644
index 00000000..54c9e667
--- /dev/null
+++ b/lib/actors/security/spiffe/workload/workload.pb.ex
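Review bot: `fetch_jwt_svid` and `validate_jwt_svid` still dial the hard-coded `"localhost:8081"` and raise a `MatchError` when the connection fails, while `fetch_x509_svid` reads the endpoint from `Config` and returns `{:error, _}`; the three `# Replace with your SPIRE server address` comments read as scaffolding that should go. Every call also opens a channel that is never closed with `GRPC.Stub.disconnect/1`, and `GRPC.Stub.connect/1` is called without a `cred:` option, so the X509SVIDResponse — which per `workload.proto` carries the unencrypted PKCS#8 `x509_svid_key` — crosses the network in cleartext whenever `security_idp_spire_server_address` is not local. Two things about the Workload API itself are worth confirming against the deployed SPIRE: it is served by the agent (typically over a Unix socket) rather than the server, and clients are expected to send the `workload.spiffe.io: true` gRPC metadata header, which nothing here sets. In `fetch_x509_svid` the `{:build_request, ...}` step cannot fail, so that `else` clause is dead, and the leading `use GRPC.Stub` turns `Client` itself into a second stub that is never used. `JWTSVIDRequest.audience` is `repeated` (a list) while `ValidateJWTSVIDRequest.audience` is a single string, so a `@doc`/`@spec` per function would help callers; the fence below routes all three calls through one `connect/0` with uniform error returns.
```elixir
  # … unchanged: module header and aliases …

  # Single place that knows where the Workload API lives; every RPC dials through it.
  # Returns whatever GRPC.Stub.connect/1 returns: {:ok, channel} | {:error, reason}.
  defp connect do
    url =
      "#{Config.get(:security_idp_spire_server_address)}:#{Config.get(:security_idp_spire_server_port)}"

    GRPC.Stub.connect(url)
  end

  def fetch_x509_svid() do
    with {:ok, channel} <- connect() do
      # Server-streaming RPC: the caller must drain the stream before the channel is dropped.
      SpiffeStub.fetch_x509_svid(channel, %X509SVIDRequest{})
    end
  end

  def fetch_jwt_svid(audience, spiffe_id \\ nil) do
    with {:ok, channel} <- connect() do
      SpiffeStub.fetch_jwtsvid(channel, %JWTSVIDRequest{audience: audience, spiffe_id: spiffe_id})
    end
  end

  def validate_jwt_svid(audience, svid) do
    with {:ok, channel} <- connect() do
      SpiffeStub.validate_jwtsvid(channel, %ValidateJWTSVIDRequest{audience: audience, svid: svid})
    end
  end
```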
@@ -0,0 +1,1014 @@ +defmodule Spiffe.Workload.X509SVIDRequest do + @moduledoc false + use Protobuf, protoc_gen_elixir_version: "0.10.0", syntax: :proto3 + + def descriptor do + # credo:disable-for-next-line + %Google.Protobuf.DescriptorProto{ + __unknown_fields__: [], + enum_type: [], + extension: [], + extension_range: [], + field: [], + name: "X509SVIDRequest", + nested_type: [], + oneof_decl: [], + options: nil, + reserved_name: [], + reserved_range: [] + } + end +end +defmodule Spiffe.Workload.X509SVIDResponse.FederatedBundlesEntry do + @moduledoc false + use Protobuf, map: true, protoc_gen_elixir_version: "0.10.0", syntax: :proto3 + + def descriptor do + # credo:disable-for-next-line + %Google.Protobuf.DescriptorProto{ + __unknown_fields__: [], + enum_type: [], + extension: [], + extension_range: [], + field: [ + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "key", + label: :LABEL_OPTIONAL, + name: "key", + number: 1, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_STRING, + type_name: nil + }, + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "value", + label: :LABEL_OPTIONAL, + name: "value", + number: 2, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_BYTES, + type_name: nil + } + ], + name: "FederatedBundlesEntry", + nested_type: [], + oneof_decl: [], + options: %Google.Protobuf.MessageOptions{ + __pb_extensions__: %{}, + __unknown_fields__: [], + deprecated: false, + map_entry: true, + message_set_wire_format: false, + no_standard_descriptor_accessor: false, + uninterpreted_option: [] + }, + reserved_name: [], + reserved_range: [] + } + end + + field :key, 1, type: :string + field :value, 2, type: :bytes +end +defmodule Spiffe.Workload.X509SVIDResponse do + @moduledoc false + use Protobuf, protoc_gen_elixir_version: "0.10.0", syntax: :proto3 + + def descriptor do + # 
credo:disable-for-next-line + %Google.Protobuf.DescriptorProto{ + __unknown_fields__: [], + enum_type: [], + extension: [], + extension_range: [], + field: [ + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "svids", + label: :LABEL_REPEATED, + name: "svids", + number: 1, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_MESSAGE, + type_name: ".spiffe.workload.X509SVID" + }, + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "crl", + label: :LABEL_REPEATED, + name: "crl", + number: 2, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_BYTES, + type_name: nil + }, + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "federatedBundles", + label: :LABEL_REPEATED, + name: "federated_bundles", + number: 3, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_MESSAGE, + type_name: ".spiffe.workload.X509SVIDResponse.FederatedBundlesEntry" + } + ], + name: "X509SVIDResponse", + nested_type: [ + %Google.Protobuf.DescriptorProto{ + __unknown_fields__: [], + enum_type: [], + extension: [], + extension_range: [], + field: [ + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "key", + label: :LABEL_OPTIONAL, + name: "key", + number: 1, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_STRING, + type_name: nil + }, + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "value", + label: :LABEL_OPTIONAL, + name: "value", + number: 2, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_BYTES, + type_name: nil + } + ], + name: "FederatedBundlesEntry", + nested_type: [], + oneof_decl: [], + options: %Google.Protobuf.MessageOptions{ + 
__pb_extensions__: %{}, + __unknown_fields__: [], + deprecated: false, + map_entry: true, + message_set_wire_format: false, + no_standard_descriptor_accessor: false, + uninterpreted_option: [] + }, + reserved_name: [], + reserved_range: [] + } + ], + oneof_decl: [], + options: nil, + reserved_name: [], + reserved_range: [] + } + end + + field :svids, 1, repeated: true, type: Spiffe.Workload.X509SVID + field :crl, 2, repeated: true, type: :bytes + + field :federated_bundles, 3, + repeated: true, + type: Spiffe.Workload.X509SVIDResponse.FederatedBundlesEntry, + json_name: "federatedBundles", + map: true +end +defmodule Spiffe.Workload.X509SVID do + @moduledoc false + use Protobuf, protoc_gen_elixir_version: "0.10.0", syntax: :proto3 + + def descriptor do + # credo:disable-for-next-line + %Google.Protobuf.DescriptorProto{ + __unknown_fields__: [], + enum_type: [], + extension: [], + extension_range: [], + field: [ + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "spiffeId", + label: :LABEL_OPTIONAL, + name: "spiffe_id", + number: 1, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_STRING, + type_name: nil + }, + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "x509Svid", + label: :LABEL_OPTIONAL, + name: "x509_svid", + number: 2, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_BYTES, + type_name: nil + }, + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "x509SvidKey", + label: :LABEL_OPTIONAL, + name: "x509_svid_key", + number: 3, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_BYTES, + type_name: nil + }, + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "bundle", + label: :LABEL_OPTIONAL, + name: "bundle", + number: 
4, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_BYTES, + type_name: nil + }, + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "hint", + label: :LABEL_OPTIONAL, + name: "hint", + number: 5, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_STRING, + type_name: nil + } + ], + name: "X509SVID", + nested_type: [], + oneof_decl: [], + options: nil, + reserved_name: [], + reserved_range: [] + } + end + + field :spiffe_id, 1, type: :string, json_name: "spiffeId" + field :x509_svid, 2, type: :bytes, json_name: "x509Svid" + field :x509_svid_key, 3, type: :bytes, json_name: "x509SvidKey" + field :bundle, 4, type: :bytes + field :hint, 5, type: :string +end +defmodule Spiffe.Workload.X509BundlesRequest do + @moduledoc false + use Protobuf, protoc_gen_elixir_version: "0.10.0", syntax: :proto3 + + def descriptor do + # credo:disable-for-next-line + %Google.Protobuf.DescriptorProto{ + __unknown_fields__: [], + enum_type: [], + extension: [], + extension_range: [], + field: [], + name: "X509BundlesRequest", + nested_type: [], + oneof_decl: [], + options: nil, + reserved_name: [], + reserved_range: [] + } + end +end +defmodule Spiffe.Workload.X509BundlesResponse.BundlesEntry do + @moduledoc false + use Protobuf, map: true, protoc_gen_elixir_version: "0.10.0", syntax: :proto3 + + def descriptor do + # credo:disable-for-next-line + %Google.Protobuf.DescriptorProto{ + __unknown_fields__: [], + enum_type: [], + extension: [], + extension_range: [], + field: [ + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "key", + label: :LABEL_OPTIONAL, + name: "key", + number: 1, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_STRING, + type_name: nil + }, + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "value", 
+ label: :LABEL_OPTIONAL, + name: "value", + number: 2, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_BYTES, + type_name: nil + } + ], + name: "BundlesEntry", + nested_type: [], + oneof_decl: [], + options: %Google.Protobuf.MessageOptions{ + __pb_extensions__: %{}, + __unknown_fields__: [], + deprecated: false, + map_entry: true, + message_set_wire_format: false, + no_standard_descriptor_accessor: false, + uninterpreted_option: [] + }, + reserved_name: [], + reserved_range: [] + } + end + + field :key, 1, type: :string + field :value, 2, type: :bytes +end +defmodule Spiffe.Workload.X509BundlesResponse do + @moduledoc false + use Protobuf, protoc_gen_elixir_version: "0.10.0", syntax: :proto3 + + def descriptor do + # credo:disable-for-next-line + %Google.Protobuf.DescriptorProto{ + __unknown_fields__: [], + enum_type: [], + extension: [], + extension_range: [], + field: [ + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "crl", + label: :LABEL_REPEATED, + name: "crl", + number: 1, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_BYTES, + type_name: nil + }, + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "bundles", + label: :LABEL_REPEATED, + name: "bundles", + number: 2, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_MESSAGE, + type_name: ".spiffe.workload.X509BundlesResponse.BundlesEntry" + } + ], + name: "X509BundlesResponse", + nested_type: [ + %Google.Protobuf.DescriptorProto{ + __unknown_fields__: [], + enum_type: [], + extension: [], + extension_range: [], + field: [ + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "key", + label: :LABEL_OPTIONAL, + name: "key", + number: 1, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_STRING, + type_name: nil + 
}, + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "value", + label: :LABEL_OPTIONAL, + name: "value", + number: 2, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_BYTES, + type_name: nil + } + ], + name: "BundlesEntry", + nested_type: [], + oneof_decl: [], + options: %Google.Protobuf.MessageOptions{ + __pb_extensions__: %{}, + __unknown_fields__: [], + deprecated: false, + map_entry: true, + message_set_wire_format: false, + no_standard_descriptor_accessor: false, + uninterpreted_option: [] + }, + reserved_name: [], + reserved_range: [] + } + ], + oneof_decl: [], + options: nil, + reserved_name: [], + reserved_range: [] + } + end + + field :crl, 1, repeated: true, type: :bytes + + field :bundles, 2, + repeated: true, + type: Spiffe.Workload.X509BundlesResponse.BundlesEntry, + map: true +end +defmodule Spiffe.Workload.JWTSVIDRequest do + @moduledoc false + use Protobuf, protoc_gen_elixir_version: "0.10.0", syntax: :proto3 + + def descriptor do + # credo:disable-for-next-line + %Google.Protobuf.DescriptorProto{ + __unknown_fields__: [], + enum_type: [], + extension: [], + extension_range: [], + field: [ + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "audience", + label: :LABEL_REPEATED, + name: "audience", + number: 1, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_STRING, + type_name: nil + }, + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "spiffeId", + label: :LABEL_OPTIONAL, + name: "spiffe_id", + number: 2, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_STRING, + type_name: nil + } + ], + name: "JWTSVIDRequest", + nested_type: [], + oneof_decl: [], + options: nil, + reserved_name: [], + reserved_range: [] + } + end + + field :audience, 1, repeated: true, type: :string + 
field :spiffe_id, 2, type: :string, json_name: "spiffeId" +end +defmodule Spiffe.Workload.JWTSVIDResponse do + @moduledoc false + use Protobuf, protoc_gen_elixir_version: "0.10.0", syntax: :proto3 + + def descriptor do + # credo:disable-for-next-line + %Google.Protobuf.DescriptorProto{ + __unknown_fields__: [], + enum_type: [], + extension: [], + extension_range: [], + field: [ + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "svids", + label: :LABEL_REPEATED, + name: "svids", + number: 1, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_MESSAGE, + type_name: ".spiffe.workload.JWTSVID" + } + ], + name: "JWTSVIDResponse", + nested_type: [], + oneof_decl: [], + options: nil, + reserved_name: [], + reserved_range: [] + } + end + + field :svids, 1, repeated: true, type: Spiffe.Workload.JWTSVID +end +defmodule Spiffe.Workload.JWTSVID do + @moduledoc false + use Protobuf, protoc_gen_elixir_version: "0.10.0", syntax: :proto3 + + def descriptor do + # credo:disable-for-next-line + %Google.Protobuf.DescriptorProto{ + __unknown_fields__: [], + enum_type: [], + extension: [], + extension_range: [], + field: [ + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "spiffeId", + label: :LABEL_OPTIONAL, + name: "spiffe_id", + number: 1, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_STRING, + type_name: nil + }, + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "svid", + label: :LABEL_OPTIONAL, + name: "svid", + number: 2, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_STRING, + type_name: nil + }, + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "hint", + label: :LABEL_OPTIONAL, + name: "hint", + number: 3, + oneof_index: nil, + 
options: nil, + proto3_optional: nil, + type: :TYPE_STRING, + type_name: nil + } + ], + name: "JWTSVID", + nested_type: [], + oneof_decl: [], + options: nil, + reserved_name: [], + reserved_range: [] + } + end + + field :spiffe_id, 1, type: :string, json_name: "spiffeId" + field :svid, 2, type: :string + field :hint, 3, type: :string +end +defmodule Spiffe.Workload.JWTBundlesRequest do + @moduledoc false + use Protobuf, protoc_gen_elixir_version: "0.10.0", syntax: :proto3 + + def descriptor do + # credo:disable-for-next-line + %Google.Protobuf.DescriptorProto{ + __unknown_fields__: [], + enum_type: [], + extension: [], + extension_range: [], + field: [], + name: "JWTBundlesRequest", + nested_type: [], + oneof_decl: [], + options: nil, + reserved_name: [], + reserved_range: [] + } + end +end +defmodule Spiffe.Workload.JWTBundlesResponse.BundlesEntry do + @moduledoc false + use Protobuf, map: true, protoc_gen_elixir_version: "0.10.0", syntax: :proto3 + + def descriptor do + # credo:disable-for-next-line + %Google.Protobuf.DescriptorProto{ + __unknown_fields__: [], + enum_type: [], + extension: [], + extension_range: [], + field: [ + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "key", + label: :LABEL_OPTIONAL, + name: "key", + number: 1, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_STRING, + type_name: nil + }, + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "value", + label: :LABEL_OPTIONAL, + name: "value", + number: 2, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_BYTES, + type_name: nil + } + ], + name: "BundlesEntry", + nested_type: [], + oneof_decl: [], + options: %Google.Protobuf.MessageOptions{ + __pb_extensions__: %{}, + __unknown_fields__: [], + deprecated: false, + map_entry: true, + message_set_wire_format: false, + no_standard_descriptor_accessor: false, + 
uninterpreted_option: [] + }, + reserved_name: [], + reserved_range: [] + } + end + + field :key, 1, type: :string + field :value, 2, type: :bytes +end +defmodule Spiffe.Workload.JWTBundlesResponse do + @moduledoc false + use Protobuf, protoc_gen_elixir_version: "0.10.0", syntax: :proto3 + + def descriptor do + # credo:disable-for-next-line + %Google.Protobuf.DescriptorProto{ + __unknown_fields__: [], + enum_type: [], + extension: [], + extension_range: [], + field: [ + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "bundles", + label: :LABEL_REPEATED, + name: "bundles", + number: 1, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_MESSAGE, + type_name: ".spiffe.workload.JWTBundlesResponse.BundlesEntry" + } + ], + name: "JWTBundlesResponse", + nested_type: [ + %Google.Protobuf.DescriptorProto{ + __unknown_fields__: [], + enum_type: [], + extension: [], + extension_range: [], + field: [ + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "key", + label: :LABEL_OPTIONAL, + name: "key", + number: 1, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_STRING, + type_name: nil + }, + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "value", + label: :LABEL_OPTIONAL, + name: "value", + number: 2, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_BYTES, + type_name: nil + } + ], + name: "BundlesEntry", + nested_type: [], + oneof_decl: [], + options: %Google.Protobuf.MessageOptions{ + __pb_extensions__: %{}, + __unknown_fields__: [], + deprecated: false, + map_entry: true, + message_set_wire_format: false, + no_standard_descriptor_accessor: false, + uninterpreted_option: [] + }, + reserved_name: [], + reserved_range: [] + } + ], + oneof_decl: [], + options: nil, + reserved_name: [], + reserved_range: 
[] + } + end + + field :bundles, 1, + repeated: true, + type: Spiffe.Workload.JWTBundlesResponse.BundlesEntry, + map: true +end +defmodule Spiffe.Workload.ValidateJWTSVIDRequest do + @moduledoc false + use Protobuf, protoc_gen_elixir_version: "0.10.0", syntax: :proto3 + + def descriptor do + # credo:disable-for-next-line + %Google.Protobuf.DescriptorProto{ + __unknown_fields__: [], + enum_type: [], + extension: [], + extension_range: [], + field: [ + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "audience", + label: :LABEL_OPTIONAL, + name: "audience", + number: 1, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_STRING, + type_name: nil + }, + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "svid", + label: :LABEL_OPTIONAL, + name: "svid", + number: 2, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_STRING, + type_name: nil + } + ], + name: "ValidateJWTSVIDRequest", + nested_type: [], + oneof_decl: [], + options: nil, + reserved_name: [], + reserved_range: [] + } + end + + field :audience, 1, type: :string + field :svid, 2, type: :string +end +defmodule Spiffe.Workload.ValidateJWTSVIDResponse do + @moduledoc false + use Protobuf, protoc_gen_elixir_version: "0.10.0", syntax: :proto3 + + def descriptor do + # credo:disable-for-next-line + %Google.Protobuf.DescriptorProto{ + __unknown_fields__: [], + enum_type: [], + extension: [], + extension_range: [], + field: [ + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: "spiffeId", + label: :LABEL_OPTIONAL, + name: "spiffe_id", + number: 1, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_STRING, + type_name: nil + }, + %Google.Protobuf.FieldDescriptorProto{ + __unknown_fields__: [], + default_value: nil, + extendee: nil, + json_name: 
"claims", + label: :LABEL_OPTIONAL, + name: "claims", + number: 2, + oneof_index: nil, + options: nil, + proto3_optional: nil, + type: :TYPE_MESSAGE, + type_name: ".google.protobuf.Struct" + } + ], + name: "ValidateJWTSVIDResponse", + nested_type: [], + oneof_decl: [], + options: nil, + reserved_name: [], + reserved_range: [] + } + end + + field :spiffe_id, 1, type: :string, json_name: "spiffeId" + field :claims, 2, type: Google.Protobuf.Struct +end +defmodule Spiffe.Workload.SpiffeWorkloadAPI.Service do + @moduledoc false + use GRPC.Service, name: "spiffe.workload.SpiffeWorkloadAPI", protoc_gen_elixir_version: "0.10.0" + + def descriptor do + # credo:disable-for-next-line + %Google.Protobuf.ServiceDescriptorProto{ + __unknown_fields__: [], + method: [ + %Google.Protobuf.MethodDescriptorProto{ + __unknown_fields__: [], + client_streaming: false, + input_type: ".spiffe.workload.X509SVIDRequest", + name: "FetchX509SVID", + options: nil, + output_type: ".spiffe.workload.X509SVIDResponse", + server_streaming: true + }, + %Google.Protobuf.MethodDescriptorProto{ + __unknown_fields__: [], + client_streaming: false, + input_type: ".spiffe.workload.X509BundlesRequest", + name: "FetchX509Bundles", + options: nil, + output_type: ".spiffe.workload.X509BundlesResponse", + server_streaming: true + }, + %Google.Protobuf.MethodDescriptorProto{ + __unknown_fields__: [], + client_streaming: false, + input_type: ".spiffe.workload.JWTSVIDRequest", + name: "FetchJWTSVID", + options: nil, + output_type: ".spiffe.workload.JWTSVIDResponse", + server_streaming: false + }, + %Google.Protobuf.MethodDescriptorProto{ + __unknown_fields__: [], + client_streaming: false, + input_type: ".spiffe.workload.JWTBundlesRequest", + name: "FetchJWTBundles", + options: nil, + output_type: ".spiffe.workload.JWTBundlesResponse", + server_streaming: true + }, + %Google.Protobuf.MethodDescriptorProto{ + __unknown_fields__: [], + client_streaming: false, + input_type: ".spiffe.workload.ValidateJWTSVIDRequest", 
+ name: "ValidateJWTSVID", + options: nil, + output_type: ".spiffe.workload.ValidateJWTSVIDResponse", + server_streaming: false + } + ], + name: "SpiffeWorkloadAPI", + options: nil + } + end + + rpc :FetchX509SVID, Spiffe.Workload.X509SVIDRequest, stream(Spiffe.Workload.X509SVIDResponse) + + rpc :FetchX509Bundles, + Spiffe.Workload.X509BundlesRequest, + stream(Spiffe.Workload.X509BundlesResponse) + + rpc :FetchJWTSVID, Spiffe.Workload.JWTSVIDRequest, Spiffe.Workload.JWTSVIDResponse + + rpc :FetchJWTBundles, + Spiffe.Workload.JWTBundlesRequest, + stream(Spiffe.Workload.JWTBundlesResponse) + + rpc :ValidateJWTSVID, + Spiffe.Workload.ValidateJWTSVIDRequest, + Spiffe.Workload.ValidateJWTSVIDResponse +end + +defmodule Spiffe.Workload.SpiffeWorkloadAPI.Stub do + @moduledoc false + use GRPC.Stub, service: Spiffe.Workload.SpiffeWorkloadAPI.Service +end diff --git a/priv/protos/spiffe/workload.proto b/priv/protos/spiffe/workload.proto new file mode 100644 index 00000000..cf8f2ea9 --- /dev/null +++ b/priv/protos/spiffe/workload.proto 
@@ -0,0 +1,167 @@ +syntax = "proto3"; + +package spiffe.workload; + +import "google/protobuf/struct.proto"; + +option go_package = "github.com/spiffe/go-spiffe/v2/proto/spiffe/workload;workload"; + +service SpiffeWorkloadAPI { + ///////////////////////////////////////////////////////////////////////// + // X509-SVID Profile + ///////////////////////////////////////////////////////////////////////// + + // Fetch X.509-SVIDs for all SPIFFE identities the workload is entitled to, + // as well as related information like trust bundles and CRLs. As this + // information changes, subsequent messages will be streamed from the + // server. + rpc FetchX509SVID(X509SVIDRequest) returns (stream X509SVIDResponse); + + // Fetch trust bundles and CRLs. Useful for clients that only need to + // validate SVIDs without obtaining an SVID for themself. As this + // information changes, subsequent messages will be streamed from the + // server. + rpc FetchX509Bundles(X509BundlesRequest) returns (stream X509BundlesResponse); + + ///////////////////////////////////////////////////////////////////////// + // JWT-SVID Profile + ///////////////////////////////////////////////////////////////////////// + + // Fetch JWT-SVIDs for all SPIFFE identities the workload is entitled to, + // for the requested audience. If an optional SPIFFE ID is requested, only + // the JWT-SVID for that SPIFFE ID is returned. + rpc FetchJWTSVID(JWTSVIDRequest) returns (JWTSVIDResponse); + + // Fetches the JWT bundles, formatted as JWKS documents, keyed by the + // SPIFFE ID of the trust domain. As this information changes, subsequent + // messages will be streamed from the server. + rpc FetchJWTBundles(JWTBundlesRequest) returns (stream JWTBundlesResponse); + + // Validates a JWT-SVID against the requested audience. Returns the SPIFFE + // ID of the JWT-SVID and JWT claims. 
+ rpc ValidateJWTSVID(ValidateJWTSVIDRequest) returns (ValidateJWTSVIDResponse); +} + +// The X509SVIDRequest message conveys parameters for requesting an X.509-SVID. +// There are currently no request parameters. +message X509SVIDRequest {} + +// The X509SVIDResponse message carries X.509-SVIDs and related information, +// including a set of global CRLs and a list of bundles the workload may use +// for federating with foreign trust domains. +message X509SVIDResponse { + // Required. A list of X509SVID messages, each of which includes a single + // X.509-SVID, its private key, and the bundle for the trust domain. + repeated X509SVID svids = 1; + + // Optional. ASN.1 DER encoded certificate revocation lists. + repeated bytes crl = 2; + + // Optional. CA certificate bundles belonging to foreign trust domains that + // the workload should trust, keyed by the SPIFFE ID of the foreign trust + // domain. Bundles are ASN.1 DER encoded. + map federated_bundles = 3; +} + +// The X509SVID message carries a single SVID and all associated information, +// including the X.509 bundle for the trust domain. +message X509SVID { + // Required. The SPIFFE ID of the SVID in this entry + string spiffe_id = 1; + + // Required. ASN.1 DER encoded certificate chain. MAY include + // intermediates, the leaf certificate (or SVID itself) MUST come first. + bytes x509_svid = 2; + + // Required. ASN.1 DER encoded PKCS#8 private key. MUST be unencrypted. + bytes x509_svid_key = 3; + + // Required. ASN.1 DER encoded X.509 bundle for the trust domain. + bytes bundle = 4; + + // Optional. An operator-specified string used to provide guidance on how this + // identity should be used by a workload when more than one SVID is returned. + // For example, `internal` and `external` to indicate an SVID for internal or + // external use, respectively. + string hint = 5; +} + +// The X509BundlesRequest message conveys parameters for requesting X.509 +// bundles. There are currently no such parameters. 
+message X509BundlesRequest {} + +// The X509BundlesResponse message carries a set of global CRLs and a map of +// trust bundles the workload should trust. +message X509BundlesResponse { + // Optional. ASN.1 DER encoded certificate revocation lists. + repeated bytes crl = 1; + + // Required. CA certificate bundles belonging to trust domains that the + // workload should trust, keyed by the SPIFFE ID of the trust domain. + // Bundles are ASN.1 DER encoded. + map bundles = 2; +} + +message JWTSVIDRequest { + // Required. The audience(s) the workload intends to authenticate against. + repeated string audience = 1; + + // Optional. The requested SPIFFE ID for the JWT-SVID. If unset, all + // JWT-SVIDs to which the workload is entitled are requested. + string spiffe_id = 2; +} + +// The JWTSVIDResponse message conveys JWT-SVIDs. +message JWTSVIDResponse { + // Required. The list of returned JWT-SVIDs. + repeated JWTSVID svids = 1; +} + +// The JWTSVID message carries the JWT-SVID token and associated metadata. +message JWTSVID { + // Required. The SPIFFE ID of the JWT-SVID. + string spiffe_id = 1; + + // Required. Encoded JWT using JWS Compact Serialization. + string svid = 2; + + // Optional. An operator-specified string used to provide guidance on how this + // identity should be used by a workload when more than one SVID is returned. + // For example, `internal` and `external` to indicate an SVID for internal or + // external use, respectively. + string hint = 3; +} + +// The JWTBundlesRequest message conveys parameters for requesting JWT bundles. +// There are currently no such parameters. +message JWTBundlesRequest {} + +// The JWTBundlesReponse conveys JWT bundles. +message JWTBundlesResponse { + // Required. JWK encoded JWT bundles, keyed by the SPIFFE ID of the trust + // domain. + map bundles = 1; +} + +// The ValidateJWTSVIDRequest message conveys request parameters for +// JWT-SVID validation. +message ValidateJWTSVIDRequest { + // Required. 
The audience of the validating party. The JWT-SVID must + // contain an audience claim which contains this value in order to + // succesfully validate. + string audience = 1; + + // Required. The JWT-SVID to validate, encoded using JWS Compact + // Serialization. + string svid = 2; +} + +// The ValidateJWTSVIDReponse message conveys the JWT-SVID validation results. +message ValidateJWTSVIDResponse { + // Required. The SPIFFE ID of the validated JWT-SVID. + string spiffe_id = 1; + + // Optional. Arbitrary claims contained within the payload of the validated + // JWT-SVID. + google.protobuf.Struct claims = 2; +} From f63e5c6237ff801aee755ba1769425ef6cd7a926 Mon Sep 17 00:00:00 2001 From: Adriano Santos Date: Tue, 9 Jul 2024 17:18:36 -0300 Subject: [PATCH 2/4] Adjusts in error handler --- .../adapters/native/custom_mnesiac_supervisor.ex | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/spawn_statestores/statestores_native/lib/statestores/adapters/native/custom_mnesiac_supervisor.ex b/spawn_statestores/statestores_native/lib/statestores/adapters/native/custom_mnesiac_supervisor.ex index 4bfabd5f..55a9a661 100644 --- a/spawn_statestores/statestores_native/lib/statestores/adapters/native/custom_mnesiac_supervisor.ex +++ b/spawn_statestores/statestores_native/lib/statestores/adapters/native/custom_mnesiac_supervisor.ex @@ -21,6 +21,14 @@ defmodule Statestores.Adapters.Native.CustomMnesiacSupervisor do {:error, {:failed_to_connect_node, node}} -> Logger.warning("Failed to connect node: #{node}") + + {:error, :enoent} -> + Logger.error( + "Failed to initialize Native Statestore. ENOENT The current working directory has been unlinked." + ) + + error -> + Logger.error("Failed to initialize Native Statestore. Details: #{inspect(error)}") end _ = Logger.info("[mnesiac:#{node()}] mnesiac started") From c2dc365cffe28710ce85578b7523cd579030e6e1 Mon Sep 17 00:00:00 2001 
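Review bot: The new catch-all `error ->` clause (and the `{:error, :enoent}` clause above it) only logs, so control falls through to the `_ = Logger.info("[mnesiac:#{node()}] mnesiac started")` context line and a failed Native Statestore initialization is reported as a successful start. If callers are meant to react to the failure, return it from the clause, e.g. `error -> Logger.error("..."); {:error, error}`, or re-raise; if best-effort is intended, say so in a comment and soften the "started" message. The `:enoent` text asserts one specific cause (an unlinked working directory), presumably copied from the underlying library's documentation — confirm it is the only path that yields `:enoent` before hard-coding that explanation. The enclosing function starts and ends outside the hunk.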
From: Adriano Santos Date: Tue, 9 Jul 2024 23:20:32 -0300 Subject: [PATCH 3/4] Refactor rename folder --- .../certmanager/certificatefile.pub.cer | 0 .../certmanager/selfsigned-issuer.yaml | 0 .../certmanager/test-certificate.yaml | 0 .../certmanager/tls.crt | 0 .../certmanager/tls.key | 0 .../spire-spiffe/README.md | 0 .../spire-spiffe/kustomization.yaml | 0 .../spire-spiffe/manifests/agent-account.yaml | 0 .../manifests/agent-cluster-role.yaml | 0 .../manifests/agent-configmap.yaml | 0 .../manifests/agent-daemonset.yaml | 0 .../manifests/server-account.yaml | 0 .../manifests/server-cluster-role.yaml | 0 .../manifests/server-configmap.yaml | 0 .../manifests/server-service.yaml | 0 .../manifests/server-statefulset.yaml | 0 .../manifests/spire-bundle-configmap.yaml | 0 .../manifests/spire-namespace.yaml | 0 lib/actors/config/persistent_term_config.ex | 27 ++++++++++ lib/actors/security/spiffe/client.ex | 53 ++++++++++++++----- 20 files changed, 67 insertions(+), 13 deletions(-) rename k8s/{componentes => components}/certmanager/certificatefile.pub.cer (100%) rename k8s/{componentes => components}/certmanager/selfsigned-issuer.yaml (100%) rename k8s/{componentes => components}/certmanager/test-certificate.yaml (100%) rename k8s/{componentes => components}/certmanager/tls.crt (100%) rename k8s/{componentes => components}/certmanager/tls.key (100%) rename k8s/{componentes => components}/spire-spiffe/README.md (100%) rename k8s/{componentes => components}/spire-spiffe/kustomization.yaml (100%) rename k8s/{componentes => components}/spire-spiffe/manifests/agent-account.yaml (100%) rename k8s/{componentes => components}/spire-spiffe/manifests/agent-cluster-role.yaml (100%) rename k8s/{componentes => components}/spire-spiffe/manifests/agent-configmap.yaml (100%) rename k8s/{componentes => components}/spire-spiffe/manifests/agent-daemonset.yaml (100%) rename k8s/{componentes => components}/spire-spiffe/manifests/server-account.yaml (100%) rename k8s/{componentes => 
components}/spire-spiffe/manifests/server-cluster-role.yaml (100%) rename k8s/{componentes => components}/spire-spiffe/manifests/server-configmap.yaml (100%) rename k8s/{componentes => components}/spire-spiffe/manifests/server-service.yaml (100%) rename k8s/{componentes => components}/spire-spiffe/manifests/server-statefulset.yaml (100%) rename k8s/{componentes => components}/spire-spiffe/manifests/spire-bundle-configmap.yaml (100%) rename k8s/{componentes => components}/spire-spiffe/manifests/spire-namespace.yaml (100%) diff --git a/k8s/componentes/certmanager/certificatefile.pub.cer b/k8s/components/certmanager/certificatefile.pub.cer similarity index 100% rename from k8s/componentes/certmanager/certificatefile.pub.cer rename to k8s/components/certmanager/certificatefile.pub.cer diff --git a/k8s/componentes/certmanager/selfsigned-issuer.yaml b/k8s/components/certmanager/selfsigned-issuer.yaml similarity index 100% rename from k8s/componentes/certmanager/selfsigned-issuer.yaml rename to k8s/components/certmanager/selfsigned-issuer.yaml diff --git a/k8s/componentes/certmanager/test-certificate.yaml b/k8s/components/certmanager/test-certificate.yaml similarity index 100% rename from k8s/componentes/certmanager/test-certificate.yaml rename to k8s/components/certmanager/test-certificate.yaml diff --git a/k8s/componentes/certmanager/tls.crt b/k8s/components/certmanager/tls.crt similarity index 100% rename from k8s/componentes/certmanager/tls.crt rename to k8s/components/certmanager/tls.crt diff --git a/k8s/componentes/certmanager/tls.key b/k8s/components/certmanager/tls.key similarity index 100% rename from k8s/componentes/certmanager/tls.key rename to k8s/components/certmanager/tls.key diff --git a/k8s/componentes/spire-spiffe/README.md b/k8s/components/spire-spiffe/README.md similarity index 100% rename from k8s/componentes/spire-spiffe/README.md rename to k8s/components/spire-spiffe/README.md 
diff --git a/k8s/componentes/spire-spiffe/kustomization.yaml b/k8s/components/spire-spiffe/kustomization.yaml similarity index 100% rename from k8s/componentes/spire-spiffe/kustomization.yaml rename to k8s/components/spire-spiffe/kustomization.yaml diff --git a/k8s/componentes/spire-spiffe/manifests/agent-account.yaml b/k8s/components/spire-spiffe/manifests/agent-account.yaml similarity index 100% rename from k8s/componentes/spire-spiffe/manifests/agent-account.yaml rename to k8s/components/spire-spiffe/manifests/agent-account.yaml diff --git a/k8s/componentes/spire-spiffe/manifests/agent-cluster-role.yaml b/k8s/components/spire-spiffe/manifests/agent-cluster-role.yaml similarity index 100% rename from k8s/componentes/spire-spiffe/manifests/agent-cluster-role.yaml rename to k8s/components/spire-spiffe/manifests/agent-cluster-role.yaml diff --git a/k8s/componentes/spire-spiffe/manifests/agent-configmap.yaml b/k8s/components/spire-spiffe/manifests/agent-configmap.yaml similarity index 100% rename from k8s/componentes/spire-spiffe/manifests/agent-configmap.yaml rename to k8s/components/spire-spiffe/manifests/agent-configmap.yaml diff --git a/k8s/componentes/spire-spiffe/manifests/agent-daemonset.yaml b/k8s/components/spire-spiffe/manifests/agent-daemonset.yaml similarity index 100% rename from k8s/componentes/spire-spiffe/manifests/agent-daemonset.yaml rename to k8s/components/spire-spiffe/manifests/agent-daemonset.yaml diff --git a/k8s/componentes/spire-spiffe/manifests/server-account.yaml b/k8s/components/spire-spiffe/manifests/server-account.yaml similarity index 100% rename from k8s/componentes/spire-spiffe/manifests/server-account.yaml rename to k8s/components/spire-spiffe/manifests/server-account.yaml 
diff --git a/k8s/componentes/spire-spiffe/manifests/server-cluster-role.yaml b/k8s/components/spire-spiffe/manifests/server-cluster-role.yaml similarity index 100% rename from k8s/componentes/spire-spiffe/manifests/server-cluster-role.yaml rename to k8s/components/spire-spiffe/manifests/server-cluster-role.yaml diff --git a/k8s/componentes/spire-spiffe/manifests/server-configmap.yaml b/k8s/components/spire-spiffe/manifests/server-configmap.yaml similarity index 100% rename from k8s/componentes/spire-spiffe/manifests/server-configmap.yaml rename to k8s/components/spire-spiffe/manifests/server-configmap.yaml diff --git a/k8s/componentes/spire-spiffe/manifests/server-service.yaml b/k8s/components/spire-spiffe/manifests/server-service.yaml similarity index 100% rename from k8s/componentes/spire-spiffe/manifests/server-service.yaml rename to k8s/components/spire-spiffe/manifests/server-service.yaml diff --git a/k8s/componentes/spire-spiffe/manifests/server-statefulset.yaml b/k8s/components/spire-spiffe/manifests/server-statefulset.yaml similarity index 100% rename from k8s/componentes/spire-spiffe/manifests/server-statefulset.yaml rename to k8s/components/spire-spiffe/manifests/server-statefulset.yaml diff --git a/k8s/componentes/spire-spiffe/manifests/spire-bundle-configmap.yaml b/k8s/components/spire-spiffe/manifests/spire-bundle-configmap.yaml similarity index 100% rename from k8s/componentes/spire-spiffe/manifests/spire-bundle-configmap.yaml rename to k8s/components/spire-spiffe/manifests/spire-bundle-configmap.yaml diff --git a/k8s/componentes/spire-spiffe/manifests/spire-namespace.yaml b/k8s/components/spire-spiffe/manifests/spire-namespace.yaml similarity index 100% rename from k8s/componentes/spire-spiffe/manifests/spire-namespace.yaml rename to k8s/components/spire-spiffe/manifests/spire-namespace.yaml diff --git a/lib/actors/config/persistent_term_config.ex b/lib/actors/config/persistent_term_config.ex index 4aaa2584..77616816 100644 
--- a/lib/actors/config/persistent_term_config.ex
+++ b/lib/actors/config/persistent_term_config.ex
@@ -677,6 +677,33 @@ if Code.ensure_loaded?(:persistent_term) do
       value
     end
 
+    defp load_env({:security_idp_spire_enabled, default}) do
+      value =
+        env("SPAWN_IDP_SPIRE_ENABLED", default)
+        |> to_bool()
+
+      :persistent_term.put({__MODULE__, :security_idp_spire_enabled}, value)
+
+      value
+    end
+
+    defp load_env({:security_idp_spire_server_address, default}) do
+      value = env("SPAWN_IDP_SPIRE_ADDRESS", default)
+      :persistent_term.put({__MODULE__, :security_idp_spire_server_address}, value)
+
+      value
+    end
+
+    defp load_env({:security_idp_spire_server_port, default}) do
+      value =
+        env("SPAWN_IDP_SPIRE_PORT", default)
+        |> String.to_integer()
+
+      :persistent_term.put({__MODULE__, :security_idp_spire_server_port}, value)
+
+      value
+    end
+
     defp load_env({:ship_interval, default}) do
       value = env("SPAWN_CRDT_SHIP_INTERVAL", default)
 
diff --git a/lib/actors/security/spiffe/client.ex b/lib/actors/security/spiffe/client.ex
index e93fc0d4..9ba076cb 100644
--- a/lib/actors/security/spiffe/client.ex
+++ b/lib/actors/security/spiffe/client.ex
@@ -10,11 +10,16 @@ defmodule Actors.Security.Spiffe.Client do
   alias Spiffe.Workload.SpiffeWorkloadAPI.Stub, as: SpiffeStub
 
   def fetch_x509_svid() do
-    # Replace with your SPIRE server address
-    url =
-      "#{Config.get(:security_idp_spire_server_address)}:#{Config.get(:security_idp_spire_server_port)}"
-
-    with {:connect, {:ok, channel}} <- {:connect, GRPC.Stub.connect(url)},
+    with {:connect, {:ok, channel}} <-
+           {:connect,
+            GRPC.Stub.connect(build_url(),
+              headers: [{"workload.spiffe.io", "true"}],
+              adapter_opts: [
+                http2_opts: %{settings_timeout: 10_000},
+                retry: 5,
+                retry_fun: &retry_fun/2
+              ]
+            )},
       {:build_request, request} <- {:build_request, %X509SVIDRequest{}} do
       SpiffeStub.fetch_x509_svid(channel, request)
     else
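Review bot: `String.to_integer/1` in the `:security_idp_spire_server_port` clause turns any non-numeric `SPAWN_IDP_SPIRE_PORT` into an `ArgumentError` during config loading with no hint of which variable was at fault, and it also raises if `env/2` hands back a non-binary default, which depends on how the default for this key is declared (not visible here). Consider `Integer.parse/1` followed by a raise that names the variable, or a comment on the clause stating that the default must be a string, e.g. `# default must be a binary: String.to_integer/1 rejects integers`. The three clauses otherwise follow the sibling `load_env/1` pattern.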
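Review bot: The channel opened by `GRPC.Stub.connect/2` is never closed: nothing in the visible code calls `GRPC.Stub.disconnect/1`, so every `fetch_x509_svid/0` call leaves a connection and its HTTP/2 process behind; the same holds for `fetch_jwt_svid/2` and `validate_jwt_svid/2` in the next hunk and for `connect/1` introduced in the fourth patch. The `{:build_request, request} <- {:build_request, %X509SVIDRequest{}}` step can never fail, so the `{:build_request, _}` else branch is unreachable; a plain `request = %X509SVIDRequest{}` before the `with` would read clearer. `retry_fun/2` is referenced here but defined only in the next hunk, and the `else` clauses of `fetch_x509_svid/0` lie outside this hunk.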
@@ -27,16 +32,38 @@ defmodule Actors.Security.Spiffe.Client do
   end
 
   def fetch_jwt_svid(audience, spiffe_id \\ nil) do
-    # Replace with your SPIRE server address
-    {:ok, channel} = GRPC.Stub.connect("localhost:8081")
-    request = %JWTSVIDRequest{audience: audience, spiffe_id: spiffe_id}
-    SpiffeStub.fetch_jwtsvid(channel, request)
+    with {:connect, {:ok, channel}} <- {:connect, GRPC.Stub.connect(build_url())},
+         {:build_request, request} <-
+           {:build_request, %JWTSVIDRequest{audience: audience, spiffe_id: spiffe_id}} do
+      SpiffeStub.fetch_jwtsvid(channel, request)
+    else
+      {:connect, error} ->
+        {:error, error}
+
+      {:build_request, error} ->
+        {:error, error}
+    end
   end
 
   def validate_jwt_svid(audience, svid) do
-    # Replace with your SPIRE server address
-    {:ok, channel} = GRPC.Stub.connect("localhost:8081")
-    request = %ValidateJWTSVIDRequest{audience: audience, svid: svid}
-    SpiffeStub.validate_jwtsvid(channel, request)
+    with {:connect, {:ok, channel}} <- {:connect, GRPC.Stub.connect(build_url())},
+         {:build_request, request} <-
+           {:build_request, %ValidateJWTSVIDRequest{audience: audience, svid: svid}} do
+      SpiffeStub.validate_jwtsvid(channel, request)
+    else
+      {:connect, error} ->
+        {:error, error}
+
+      {:build_request, error} ->
+        {:error, error}
+    end
+  end
+
+  defp build_url(),
+    do:
+      "#{Config.get(:security_idp_spire_server_address)}:#{Config.get(:security_idp_spire_server_port)}"
+
+  defp retry_fun(_reason, _attempt) do
+    :ok
   end
 end
From f45f54ed0c602083e2394138a72464d90021cbb5 Mon Sep 17 00:00:00 2001
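Review bot: `retry_fun/2` ignores both arguments and returns `:ok`; with the default gRPC adapter (Gun) `retry_fun` is expected to return a map of the form `%{retries: n, timeout: ms}`, so the first reconnect attempt will likely crash instead of retrying — check the adapter's contract, and if no custom backoff is wanted, drop `retry_fun:` and keep `retry: 5`. The two public functions also need `@doc`/`@spec`: `audience` in `fetch_jwt_svid/2` maps to `repeated string audience` in workload.proto and must be a list, whereas `audience` in `validate_jwt_svid/2` maps to a single `string audience`, and nothing in the code tells callers apart from reading the proto; a spec such as `@spec fetch_jwt_svid([String.t()], String.t() | nil) :: {:ok, term()} | {:error, term()}` would pin this. As in `fetch_x509_svid/0`, the `{:build_request, _}` clauses cannot fail, so the corresponding `else` branches are unreachable.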
From: Adriano Santos Date: Thu, 11 Jul 2024 19:29:49 -0300 Subject: [PATCH 4/4] Some adjusts --- .../manifests/agent-configmap.yaml | 2 +- .../manifests/server-configmap.yaml | 2 +- lib/actors/security/spiffe/client.ex | 62 +++++++---- .../security/spiffe/logger_interceptor.ex | 66 +++++++++++ .../security/spiffe/workload/workload.pb.ex | 104 ++++++++---------- priv/protos/spiffe/workload.proto | 2 +- .../security/policies}/default.policy | 0 7 files changed, 157 insertions(+), 81 deletions(-) create mode 100644 lib/actors/security/spiffe/logger_interceptor.ex rename {policies => priv/security/policies}/default.policy (100%) diff --git a/k8s/components/spire-spiffe/manifests/agent-configmap.yaml b/k8s/components/spire-spiffe/manifests/agent-configmap.yaml index 13e286c8..0391dc72 100644 --- a/k8s/components/spire-spiffe/manifests/agent-configmap.yaml +++ b/k8s/components/spire-spiffe/manifests/agent-configmap.yaml @@ -19,7 +19,7 @@ data: NodeAttestor "k8s_sat" { plugin_data { # NOTE: Change this to your cluster name - cluster = "demo-cluster" + cluster = "k3d-eigr-spawn" } } diff --git a/k8s/components/spire-spiffe/manifests/server-configmap.yaml b/k8s/components/spire-spiffe/manifests/server-configmap.yaml index 0c85e092..79874be1 100644 --- a/k8s/components/spire-spiffe/manifests/server-configmap.yaml +++ b/k8s/components/spire-spiffe/manifests/server-configmap.yaml @@ -34,7 +34,7 @@ data: plugin_data { clusters = { # NOTE: Change this to your cluster name - "demo-cluster" = { + "k3d-eigr-spawn" = { use_token_review_api_validation = true service_account_allow_list = ["spire:spire-agent"] } diff --git a/lib/actors/security/spiffe/client.ex b/lib/actors/security/spiffe/client.ex index 9ba076cb..ccc3a377 100644 --- a/lib/actors/security/spiffe/client.ex +++ b/lib/actors/security/spiffe/client.ex 
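Review bot: `cluster = "k3d-eigr-spawn"` in agent-configmap.yaml (and the matching `"k3d-eigr-spawn" = {` key in server-configmap.yaml) commits one developer's local k3d cluster name into the shared manifests while the `# NOTE: Change this to your cluster name` comment is left in place. If these manifests are meant to be reusable, keep the placeholder and override the value through a kustomize patch or a documented substitution step; if the k3d name is the intended default, reword the note so the two no longer contradict each other.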
@@ -1,38 +1,43 @@ defmodule Actors.Security.Spiffe.Client do - use GRPC.Stub, service: Spiffe.Workload.SpiffeWorkloadAPI.Service + use GRPC.Stub, service: SpiffeWorkloadAPI.Service + require Logger alias Actors.Config.PersistentTermConfig, as: Config - alias Spiffe.Workload.JWTSVIDRequest - alias Spiffe.Workload.X509SVIDRequest - alias Spiffe.Workload.ValidateJWTSVIDRequest + alias JWTSVIDRequest + alias X509SVIDRequest + alias ValidateJWTSVIDRequest - alias Spiffe.Workload.SpiffeWorkloadAPI.Stub, as: SpiffeStub + alias SpiffeWorkloadAPI.Stub, as: SpiffeStub def fetch_x509_svid() do - with {:connect, {:ok, channel}} <- - {:connect, - GRPC.Stub.connect(build_url(), - headers: [{"workload.spiffe.io", "true"}], - adapter_opts: [ - http2_opts: %{settings_timeout: 10_000}, - retry: 5, - retry_fun: &retry_fun/2 - ] - )}, + with {:build_url, url} <- {:build_url, build_url()}, + {:connect, {:ok, channel}} <- {:connect, connect(url)}, {:build_request, request} <- {:build_request, %X509SVIDRequest{}} do - SpiffeStub.fetch_x509_svid(channel, request) + case SpiffeStub.fetch_x509_svid(channel, request) do + {:ok, res_stream} -> + Enum.map(res_stream, fn item -> + IO.inspect(item) + end) + + {:error, error} -> + Logger.error("Error during request. Detail: #{inspect(error)}") + {:error, error} + end else {:connect, error} -> + Logger.error("Error to obtain a connection. Detail: #{inspect(error)}") {:error, error} {:build_request, error} -> + Logger.error("Error during request. Detail: #{inspect(error)}") {:error, error} end end def fetch_jwt_svid(audience, spiffe_id \\ nil) do - with {:connect, {:ok, channel}} <- {:connect, GRPC.Stub.connect(build_url())}, + with {:build_url, url} <- {:build_url, build_url()}, + {:connect, {:ok, channel}} <- {:connect, connect(url)}, {:build_request, request} <- {:build_request, %JWTSVIDRequest{audience: audience, spiffe_id: spiffe_id}} do SpiffeStub.fetch_jwtsvid(channel, request) 
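Review bot: `IO.inspect(item)` in the `{:ok, res_stream}` branch prints every `X509SVIDResponse` to stdout, and per workload.proto each `X509SVID` inside it carries `x509_svid_key`, an unencrypted PKCS#8 private key; that line must go before this is merged. `Enum.map/2` over the stream is a second problem: the proto documents that `FetchX509SVID` keeps streaming updates as information changes, so the call blocks until the agent closes the stream, and on success the function returns a bare list instead of a tagged tuple like its `{:error, _}` branches and the other two functions. Handing the stream to the caller, `{:ok, res_stream} -> {:ok, res_stream}`, keeps the contract consistent and lets the caller decide how many updates to consume. The `alias JWTSVIDRequest`/`alias X509SVIDRequest`/`alias ValidateJWTSVIDRequest` lines alias top-level modules to themselves and can be dropped. `fetch_jwt_svid/2` continues past the end of the hunk.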
@@ -46,7 +51,8 @@ defmodule Actors.Security.Spiffe.Client do
   end
 
   def validate_jwt_svid(audience, svid) do
-    with {:connect, {:ok, channel}} <- {:connect, GRPC.Stub.connect(build_url())},
+    with {:build_url, url} <- {:build_url, build_url()},
+         {:connect, {:ok, channel}} <- {:connect, connect(url)},
          {:build_request, request} <-
            {:build_request, %ValidateJWTSVIDRequest{audience: audience, svid: svid}} do
       SpiffeStub.validate_jwtsvid(channel, request)
@@ -59,9 +65,27 @@ defmodule Actors.Security.Spiffe.Client do
     end
   end
 
+  defp connect(url) do
+    GRPC.Stub.connect(url,
+      adapter: GRPC.Client.Adapters.Mint,
+      headers: [{"workload.spiffe.io", "true"}],
+      adapter_opts: [
+        http2_opts: %{settings_timeout: :infinity},
+        retry: 5,
+        retry_fun: &retry_fun/2
+      ],
+      client_settings: [
+        initial_window_size: 8_000_000,
+        max_frame_size: 8_000_000
+      ],
+      transport_opts: [timeout: :infinity],
+      interceptors: [{Actors.Security.Spiffe.LoggerInterceptor, level: :debug}]
+    )
+  end
+
   defp build_url(),
     do:
-      "#{Config.get(:security_idp_spire_server_address)}:#{Config.get(:security_idp_spire_server_port)}"
+      "http://#{Config.get(:security_idp_spire_server_address)}:#{Config.get(:security_idp_spire_server_port)}"
 
   defp retry_fun(_reason, _attempt) do
     :ok
diff --git a/lib/actors/security/spiffe/logger_interceptor.ex b/lib/actors/security/spiffe/logger_interceptor.ex
new file mode 100644
index 00000000..65d8ef47
--- /dev/null
+++ b/lib/actors/security/spiffe/logger_interceptor.ex
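Review bot: `build_url/0` now hard-codes `http://`, so the Workload API is reached over cleartext TCP at whatever `SPAWN_IDP_SPIRE_ADDRESS`/`SPAWN_IDP_SPIRE_PORT` point to, and `X509SVIDResponse` carries unencrypted private keys (`x509_svid_key` in workload.proto); that is only acceptable when the address is the local agent, so document the constraint on `build_url/0` and on the two config keys, e.g. `# Must resolve to the local agent only: responses carry SVID private keys in cleartext.` `transport_opts: [timeout: :infinity]` together with `settings_timeout: :infinity` means an unresponsive agent blocks the calling process indefinitely; a bounded timeout combined with the existing `retry: 5` would fail fast instead. `retry_fun/2` still returns `:ok` (see the note on the earlier hunk), and whether the Mint adapter honours `retry`/`retry_fun` at all is not visible here.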
@@ -0,0 +1,66 @@
+defmodule Actors.Security.Spiffe.LoggerInterceptor do
+  @moduledoc """
+  Print log around client rpc calls, like
+
+      17:13:33.021 [info] Call say_hello of helloworld.Greeter
+      17:13:33.079 [info] Got :ok in 58ms
+
+  ## Options
+
+    * `:level` - the desired log level. Defaults to `:info`
+
+  ## Usage
+
+      {:ok, channel} = GRPC.Stub.connect("localhost:50051", interceptors: [GRPC.Client.Interceptors.Logger])
+
+  ## Usage with custom level
+
+      {:ok, channel} = GRPC.Stub.connect("localhost:50051", interceptors: [{GRPC.Client.Interceptors.Logger, level: :warning}])
+  """
+
+  require Logger
+
+  @behaviour GRPC.Client.Interceptor
+
+  @impl true
+  def init(opts) do
+    level = Keyword.get(opts, :level) || :info
+    [level: level]
+  end
+
+  @impl true
+  def call(%{grpc_type: grpc_type} = stream, req, next, opts) do
+    level = Keyword.fetch!(opts, :level)
+
+    if Logger.compare_levels(level, Logger.level()) != :lt do
+      Logger.log(level, fn ->
+        [
+          "Call ",
+          to_string(elem(stream.rpc, 0)),
+          " of ",
+          stream.service_name,
+          " with request: ",
+          inspect(req)
+        ]
+      end)
+
+      start = System.monotonic_time()
+      result = next.(stream, req)
+      stop = System.monotonic_time()
+
+      if grpc_type == :unary do
+        status = elem(result, 0)
+
+        Logger.log(level, fn ->
+          diff = System.convert_time_unit(stop - start, :native, :microsecond)
+
+          ["Got ", inspect(status), " in ", GRPC.Server.Interceptors.Logger.formatted_diff(diff)]
+        end)
+      end
+
+      result
+    else
+      next.(stream, req)
+    end
+  end
+end
diff --git a/lib/actors/security/spiffe/workload/workload.pb.ex b/lib/actors/security/spiffe/workload/workload.pb.ex
index 54c9e667..f23c1367 100644
--- a/lib/actors/security/spiffe/workload/workload.pb.ex
+++ b/lib/actors/security/spiffe/workload/workload.pb.ex
@@ -1,4 +1,4 @@
-defmodule Spiffe.Workload.X509SVIDRequest do
+defmodule X509SVIDRequest do
   @moduledoc false
   use Protobuf, protoc_gen_elixir_version: "0.10.0", syntax: :proto3
 
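Review bot: `inspect(req)` in the "Call" log line writes the whole request struct, which for `ValidateJWTSVIDRequest` includes `svid`, the JWT-SVID bearer token; even at `:debug` that puts a credential into log storage. Log only the message type, `inspect(req.__struct__)`, or an explicitly redacted view of the struct. The `@moduledoc` was carried over from the library's logger interceptor and still names `GRPC.Client.Interceptors.Logger` in both usage examples; replace that with `Actors.Security.Spiffe.LoggerInterceptor`. `GRPC.Server.Interceptors.Logger.formatted_diff/1` appears to be a server-side helper of the library rather than a documented public API — worth confirming it is stable, or inlining the formatting here.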
@@ -19,7 +19,7 @@ defmodule Spiffe.Workload.X509SVIDRequest do } end end -defmodule Spiffe.Workload.X509SVIDResponse.FederatedBundlesEntry do +defmodule X509SVIDResponse.FederatedBundlesEntry do @moduledoc false use Protobuf, map: true, protoc_gen_elixir_version: "0.10.0", syntax: :proto3 @@ -80,7 +80,7 @@ defmodule Spiffe.Workload.X509SVIDResponse.FederatedBundlesEntry do field :key, 1, type: :string field :value, 2, type: :bytes end -defmodule Spiffe.Workload.X509SVIDResponse do +defmodule X509SVIDResponse do @moduledoc false use Protobuf, protoc_gen_elixir_version: "0.10.0", syntax: :proto3 @@ -104,7 +104,7 @@ defmodule Spiffe.Workload.X509SVIDResponse do options: nil, proto3_optional: nil, type: :TYPE_MESSAGE, - type_name: ".spiffe.workload.X509SVID" + type_name: ".X509SVID" }, %Google.Protobuf.FieldDescriptorProto{ __unknown_fields__: [], @@ -132,7 +132,7 @@ defmodule Spiffe.Workload.X509SVIDResponse do options: nil, proto3_optional: nil, type: :TYPE_MESSAGE, - type_name: ".spiffe.workload.X509SVIDResponse.FederatedBundlesEntry" + type_name: ".X509SVIDResponse.FederatedBundlesEntry" } ], name: "X509SVIDResponse", @@ -195,16 +195,15 @@ defmodule Spiffe.Workload.X509SVIDResponse do } end - field :svids, 1, repeated: true, type: Spiffe.Workload.X509SVID + field :svids, 1, repeated: true, type: X509SVID field :crl, 2, repeated: true, type: :bytes field :federated_bundles, 3, repeated: true, - type: Spiffe.Workload.X509SVIDResponse.FederatedBundlesEntry, - json_name: "federatedBundles", - map: true + type: X509SVIDResponse.FederatedBundlesEntry, + json_name: "federatedBundles" end -defmodule Spiffe.Workload.X509SVID do +defmodule X509SVID do @moduledoc false use Protobuf, protoc_gen_elixir_version: "0.10.0", syntax: :proto3 
@@ -302,7 +301,7 @@ defmodule Spiffe.Workload.X509SVID do field :bundle, 4, type: :bytes field :hint, 5, type: :string end -defmodule Spiffe.Workload.X509BundlesRequest do +defmodule X509BundlesRequest do @moduledoc false use Protobuf, protoc_gen_elixir_version: "0.10.0", syntax: :proto3 @@ -323,7 +322,7 @@ defmodule Spiffe.Workload.X509BundlesRequest do } end end -defmodule Spiffe.Workload.X509BundlesResponse.BundlesEntry do +defmodule X509BundlesResponse.BundlesEntry do @moduledoc false use Protobuf, map: true, protoc_gen_elixir_version: "0.10.0", syntax: :proto3 @@ -384,7 +383,7 @@ defmodule Spiffe.Workload.X509BundlesResponse.BundlesEntry do field :key, 1, type: :string field :value, 2, type: :bytes end -defmodule Spiffe.Workload.X509BundlesResponse do +defmodule X509BundlesResponse do @moduledoc false use Protobuf, protoc_gen_elixir_version: "0.10.0", syntax: :proto3 @@ -422,7 +421,7 @@ defmodule Spiffe.Workload.X509BundlesResponse do options: nil, proto3_optional: nil, type: :TYPE_MESSAGE, - type_name: ".spiffe.workload.X509BundlesResponse.BundlesEntry" + type_name: ".X509BundlesResponse.BundlesEntry" } ], name: "X509BundlesResponse", @@ -486,13 +485,9 @@ defmodule Spiffe.Workload.X509BundlesResponse do end field :crl, 1, repeated: true, type: :bytes - - field :bundles, 2, - repeated: true, - type: Spiffe.Workload.X509BundlesResponse.BundlesEntry, - map: true + field :bundles, 2, repeated: true, type: X509BundlesResponse.BundlesEntry end -defmodule Spiffe.Workload.JWTSVIDRequest do +defmodule JWTSVIDRequest do @moduledoc false use Protobuf, protoc_gen_elixir_version: "0.10.0", syntax: :proto3 @@ -545,7 +540,7 @@ defmodule Spiffe.Workload.JWTSVIDRequest do field :audience, 1, repeated: true, type: :string field :spiffe_id, 2, type: :string, json_name: "spiffeId" end -defmodule Spiffe.Workload.JWTSVIDResponse do +defmodule JWTSVIDResponse do @moduledoc false use Protobuf, protoc_gen_elixir_version: "0.10.0", syntax: :proto3 
@@ -569,7 +564,7 @@ defmodule Spiffe.Workload.JWTSVIDResponse do options: nil, proto3_optional: nil, type: :TYPE_MESSAGE, - type_name: ".spiffe.workload.JWTSVID" + type_name: ".JWTSVID" } ], name: "JWTSVIDResponse", @@ -581,9 +576,9 @@ defmodule Spiffe.Workload.JWTSVIDResponse do } end - field :svids, 1, repeated: true, type: Spiffe.Workload.JWTSVID + field :svids, 1, repeated: true, type: JWTSVID end -defmodule Spiffe.Workload.JWTSVID do +defmodule JWTSVID do @moduledoc false use Protobuf, protoc_gen_elixir_version: "0.10.0", syntax: :proto3 @@ -651,7 +646,7 @@ defmodule Spiffe.Workload.JWTSVID do field :svid, 2, type: :string field :hint, 3, type: :string end -defmodule Spiffe.Workload.JWTBundlesRequest do +defmodule JWTBundlesRequest do @moduledoc false use Protobuf, protoc_gen_elixir_version: "0.10.0", syntax: :proto3 @@ -672,7 +667,7 @@ defmodule Spiffe.Workload.JWTBundlesRequest do } end end -defmodule Spiffe.Workload.JWTBundlesResponse.BundlesEntry do +defmodule JWTBundlesResponse.BundlesEntry do @moduledoc false use Protobuf, map: true, protoc_gen_elixir_version: "0.10.0", syntax: :proto3 @@ -733,7 +728,7 @@ defmodule Spiffe.Workload.JWTBundlesResponse.BundlesEntry do field :key, 1, type: :string field :value, 2, type: :bytes end -defmodule Spiffe.Workload.JWTBundlesResponse do +defmodule JWTBundlesResponse do @moduledoc false use Protobuf, protoc_gen_elixir_version: "0.10.0", syntax: :proto3 @@ -757,7 +752,7 @@ defmodule Spiffe.Workload.JWTBundlesResponse do options: nil, proto3_optional: nil, type: :TYPE_MESSAGE, - type_name: ".spiffe.workload.JWTBundlesResponse.BundlesEntry" + type_name: ".JWTBundlesResponse.BundlesEntry" } ], name: "JWTBundlesResponse", 
@@ -820,12 +815,9 @@ defmodule Spiffe.Workload.JWTBundlesResponse do } end - field :bundles, 1, - repeated: true, - type: Spiffe.Workload.JWTBundlesResponse.BundlesEntry, - map: true + field :bundles, 1, repeated: true, type: JWTBundlesResponse.BundlesEntry end -defmodule Spiffe.Workload.ValidateJWTSVIDRequest do +defmodule ValidateJWTSVIDRequest do @moduledoc false use Protobuf, protoc_gen_elixir_version: "0.10.0", syntax: :proto3 @@ -878,7 +870,7 @@ defmodule Spiffe.Workload.ValidateJWTSVIDRequest do field :audience, 1, type: :string field :svid, 2, type: :string end -defmodule Spiffe.Workload.ValidateJWTSVIDResponse do +defmodule ValidateJWTSVIDResponse do @moduledoc false use Protobuf, protoc_gen_elixir_version: "0.10.0", syntax: :proto3 @@ -931,9 +923,9 @@ defmodule Spiffe.Workload.ValidateJWTSVIDResponse do field :spiffe_id, 1, type: :string, json_name: "spiffeId" field :claims, 2, type: Google.Protobuf.Struct end -defmodule Spiffe.Workload.SpiffeWorkloadAPI.Service do +defmodule SpiffeWorkloadAPI.Service do @moduledoc false - use GRPC.Service, name: "spiffe.workload.SpiffeWorkloadAPI", protoc_gen_elixir_version: "0.10.0" + use GRPC.Service, name: "SpiffeWorkloadAPI", protoc_gen_elixir_version: "0.10.0" def descriptor do # credo:disable-for-next-line 
@@ -943,46 +935,46 @@ defmodule Spiffe.Workload.SpiffeWorkloadAPI.Service do %Google.Protobuf.MethodDescriptorProto{ __unknown_fields__: [], client_streaming: false, - input_type: ".spiffe.workload.X509SVIDRequest", + input_type: ".X509SVIDRequest", name: "FetchX509SVID", options: nil, - output_type: ".spiffe.workload.X509SVIDResponse", + output_type: ".X509SVIDResponse", server_streaming: true }, %Google.Protobuf.MethodDescriptorProto{ __unknown_fields__: [], client_streaming: false, - input_type: ".spiffe.workload.X509BundlesRequest", + input_type: ".X509BundlesRequest", name: "FetchX509Bundles", options: nil, - output_type: ".spiffe.workload.X509BundlesResponse", + output_type: ".X509BundlesResponse", server_streaming: true }, %Google.Protobuf.MethodDescriptorProto{ __unknown_fields__: [], client_streaming: false, - input_type: ".spiffe.workload.JWTSVIDRequest", + input_type: ".JWTSVIDRequest", name: "FetchJWTSVID", options: nil, - output_type: ".spiffe.workload.JWTSVIDResponse", + output_type: ".JWTSVIDResponse", server_streaming: false }, %Google.Protobuf.MethodDescriptorProto{ __unknown_fields__: [], client_streaming: false, - input_type: ".spiffe.workload.JWTBundlesRequest", + input_type: ".JWTBundlesRequest", name: "FetchJWTBundles", options: nil, - output_type: ".spiffe.workload.JWTBundlesResponse", + output_type: ".JWTBundlesResponse", server_streaming: true }, %Google.Protobuf.MethodDescriptorProto{ __unknown_fields__: [], client_streaming: false, - input_type: ".spiffe.workload.ValidateJWTSVIDRequest", + input_type: ".ValidateJWTSVIDRequest", name: "ValidateJWTSVID", options: nil, - output_type: ".spiffe.workload.ValidateJWTSVIDResponse", + output_type: ".ValidateJWTSVIDResponse", server_streaming: false } ], 
@@ -991,24 +983,18 @@ defmodule Spiffe.Workload.SpiffeWorkloadAPI.Service do } end - rpc :FetchX509SVID, Spiffe.Workload.X509SVIDRequest, stream(Spiffe.Workload.X509SVIDResponse) + rpc :FetchX509SVID, X509SVIDRequest, stream(X509SVIDResponse) - rpc :FetchX509Bundles, - Spiffe.Workload.X509BundlesRequest, - stream(Spiffe.Workload.X509BundlesResponse) + rpc :FetchX509Bundles, X509BundlesRequest, stream(X509BundlesResponse) - rpc :FetchJWTSVID, Spiffe.Workload.JWTSVIDRequest, Spiffe.Workload.JWTSVIDResponse + rpc :FetchJWTSVID, JWTSVIDRequest, JWTSVIDResponse - rpc :FetchJWTBundles, - Spiffe.Workload.JWTBundlesRequest, - stream(Spiffe.Workload.JWTBundlesResponse) + rpc :FetchJWTBundles, JWTBundlesRequest, stream(JWTBundlesResponse) - rpc :ValidateJWTSVID, - Spiffe.Workload.ValidateJWTSVIDRequest, - Spiffe.Workload.ValidateJWTSVIDResponse + rpc :ValidateJWTSVID, ValidateJWTSVIDRequest, ValidateJWTSVIDResponse end -defmodule Spiffe.Workload.SpiffeWorkloadAPI.Stub do +defmodule SpiffeWorkloadAPI.Stub do @moduledoc false - use GRPC.Stub, service: Spiffe.Workload.SpiffeWorkloadAPI.Service + use GRPC.Stub, service: SpiffeWorkloadAPI.Service end diff --git a/priv/protos/spiffe/workload.proto b/priv/protos/spiffe/workload.proto index cf8f2ea9..ad360166 100644 --- a/priv/protos/spiffe/workload.proto +++ b/priv/protos/spiffe/workload.proto @@ -1,6 +1,6 @@ syntax = "proto3"; -package spiffe.workload; +// package spiffe.workload; import "google/protobuf/struct.proto"; diff --git a/policies/default.policy b/priv/security/policies/default.policy similarity index 100% rename from policies/default.policy rename to priv/security/policies/default.policy
