9 unstable releases (4 breaking)

0.5.0 March 7, 2024
0.4.0 August 23, 2023
0.3.1 August 12, 2023
0.2.2 August 5, 2023
0.1.1 June 19, 2021

#1 in #bundles

Download history: weekly download counts from 2024-04-08 to 2024-07-22 (chart)

796 downloads per month
Used in 4 crates (3 directly)

Apache-2.0

175KB
3K SLoC

Rust SPIFFE Library

This utility library allows interaction with the SPIFFE Workload API. It allows fetching X.509 and JWT SVIDs and bundles, and supports watching/streaming updates. The types in the library conform to the SPIFFE standard. More information about SPIFFE can be found at spiffe.io.


Getting Started

Include spiffe in your Cargo.toml dependencies to get the SPIFFE types (spiffe-types) and the Workload API client (workload-api) by default:

[dependencies]
spiffe = "0.5.0"

Usage Examples

Create a WorkloadApiClient

Create a client using the endpoint socket path:

let mut client = WorkloadApiClient::new_from_path("unix:/tmp/spire-agent/public/api.sock").await?;

Or using the SPIFFE_ENDPOINT_SOCKET environment variable:

let mut client = WorkloadApiClient::default().await?;

Fetch X.509 materials

Fetch the default X.509 SVID, a set of X.509 bundles, all the X.509 materials, or watch for updates on the X.509 context and bundles:

// fetch the default X.509 SVID
let x509_svid: X509Svid = client.fetch_x509_svid().await?;

// fetch a set of X.509 bundles (X.509 public key authorities)
let x509_bundles: X509BundleSet = client.fetch_x509_bundles().await?;

// fetch all the X.509 materials (SVIDs and bundles)
let x509_context: X509Context = client.fetch_x509_context().await?;

// get the X.509 chain of certificates from the SVID
let cert_chain: &Vec<Certificate> = x509_svid.cert_chain();

// get the private key from the SVID
let private_key: &PrivateKey = x509_svid.private_key();

// parse a SPIFFE trust domain
let trust_domain = TrustDomain::try_from("example.org")?;

// get the X.509 bundle associated to the trust domain
let x509_bundle: &X509Bundle = x509_bundles.get_bundle(&trust_domain)?;

// get the X.509 authorities (public keys) in the bundle
let x509_authorities: &Vec<Certificate> = x509_bundle.authorities();

// watch for updates on the X.509 context
let mut x509_context_stream = client.stream_x509_contexts().await?;
while let Some(x509_context_update) = x509_context_stream.next().await {
    match x509_context_update {
        Ok(update) => {
            // handle the updated X509Context
        }
        Err(e) => {
            // handle the error
        }
    }
}

// watch for updates on the X.509 bundles
let mut x509_bundle_stream = client.stream_x509_bundles().await?;
while let Some(x509_bundle_update) = x509_bundle_stream.next().await {
    match x509_bundle_update {
        Ok(update) => {
            // handle the updated X509 bundle
        }
        Err(e) => {
            // handle the error
        }
    }
}

Fetch X.509 materials using X509Source

X509Source provides a convenient way to fetch X.509 materials:

use spiffe::workload_api::x509_source::X509Source;
use spiffe::bundle::BundleSource;
use spiffe::spiffe_id::TrustDomain;
use spiffe::svid::x509::X509Svid;
use spiffe::svid::SvidSource;

async fn fetch_x509_materials() -> Result<(), Box<dyn std::error::Error>> {
    // Create a new X509Source (connects to the Workload API and keeps the materials updated)
    let x509_source = X509Source::default().await?;

    // Fetch the SVID; `get_svid` returns `Ok(None)` when no SVID is available yet
    let svid: X509Svid = x509_source.get_svid()?.ok_or("No X509Svid found")?;

    // Fetch the bundle for a specific trust domain.
    // `TrustDomain::new` validates the name and returns a `Result`, so it needs `?`.
    let trust_domain = TrustDomain::new("example.org")?; // Replace with the appropriate trust domain
    let bundle = x509_source
        .get_bundle_for_trust_domain(&trust_domain)?
        .ok_or("No bundle found for trust domain")?;

    Ok(())
}

Fetch and validate JWT tokens and bundles

Fetch JWT tokens, parse and validate them, fetch JWT bundles, or watch for updates on the JWT bundles:

// parse a SPIFFE ID to ask a token for
let spiffe_id = SpiffeId::try_from("spiffe://example.org/my-service")?;

// fetch a jwt token for the provided SPIFFE-ID with the target audiences `audience1` and `audience2`
let jwt_token = client.fetch_jwt_token(&["audience1", "audience2"], Some(&spiffe_id)).await?;

// fetch the jwt token and parse it as a `JwtSvid`
let jwt_svid = client.fetch_jwt_svid(&["audience1", "audience2"], Some(&spiffe_id)).await?;

// fetch a set of jwt bundles (public keys for validating jwt tokens)
let jwt_bundles = client.fetch_jwt_bundles().await?;

// parse a SPIFFE trust domain
let trust_domain = TrustDomain::try_from("example.org")?;

// get the JWT bundle associated to the trust domain
let jwt_bundle: &JwtBundle = jwt_bundles.get_bundle(&trust_domain)?;

// get the JWT authority (public key) with the given key id in the bundle
let jwt_authority: &JwtAuthority = jwt_bundle.find_jwt_authority("a_key_id")?;

// parse a `JwtSvid`, validating the token signature against the JWT bundle set fetched above;
// the expected audience must match one of the audiences the token was requested for
let validated_jwt_svid = JwtSvid::parse_and_validate(&jwt_token, &jwt_bundles, &["audience1"])?;

// watch for updates on the JWT bundles
let mut jwt_bundle_stream = client.stream_jwt_bundles().await?;
while let Some(jwt_bundle_update) = jwt_bundle_stream.next().await {
    match jwt_bundle_update {
        Ok(update) => {
            // handle the updated JWT bundle
        }
        Err(e) => {
            // handle the error
        }
    }
}

For more detailed examples and additional features, see the documentation.
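The `SpiffeId::try_from` and `TrustDomain::try_from` calls above reject malformed identifiers before any SVID or bundle is used. As an added stand-alone example (not code from the spiffe crate or its README), the following validator applies the SPIFFE ID standard's format rules without any dependency, and `member_of` shows the trust-domain check a relying party performs before looking up a bundle; the names `SpiffeIdParts`, `parse_spiffe_id` and `member_of` are this example's own.

```rust
// Added example: a dependency-free SPIFFE ID validator (not the spiffe crate's implementation).
// Rules applied: scheme "spiffe://"; trust domain non-empty, at most 255 bytes, only [a-z0-9._-];
// path segments non-empty, not "." or "..", only [A-Za-z0-9._-]; whole ID at most 2048 bytes.

#[derive(Debug, PartialEq)]
pub struct SpiffeIdParts {
    pub trust_domain: String,
    pub path: String, // empty for the trust domain's own ID, otherwise starts with '/'
}

const SCHEME: &str = "spiffe://";
const MAX_TRUST_DOMAIN_LEN: usize = 255;
const MAX_ID_LEN: usize = 2048;

fn is_td_char(c: char) -> bool {
    c.is_ascii_lowercase() || c.is_ascii_digit() || matches!(c, '.' | '-' | '_')
}

fn is_path_char(c: char) -> bool {
    c.is_ascii_alphanumeric() || matches!(c, '.' | '-' | '_')
}

pub fn parse_spiffe_id(id: &str) -> Result<SpiffeIdParts, String> {
    if id.len() > MAX_ID_LEN {
        return Err("SPIFFE ID exceeds 2048 bytes".into());
    }
    let rest = id.strip_prefix(SCHEME).ok_or("scheme must be spiffe://")?;
    // Split at the first '/': everything before it is the trust domain.
    let (td, path) = match rest.find('/') {
        Some(i) => (&rest[..i], &rest[i..]),
        None => (rest, ""),
    };
    if td.is_empty() || td.len() > MAX_TRUST_DOMAIN_LEN {
        return Err("trust domain is empty or too long".into());
    }
    if !td.chars().all(is_td_char) {
        return Err("trust domain has characters outside [a-z0-9._-]".into());
    }
    // Every segment after the leading '/' is checked; an empty segment also catches
    // "//" and trailing slashes, and "." / ".." block path-traversal lookalikes.
    if !path.is_empty() {
        for seg in path[1..].split('/') {
            if seg.is_empty() || seg == "." || seg == ".." {
                return Err(format!("invalid path segment {seg:?}"));
            }
            if !seg.chars().all(is_path_char) {
                return Err(format!("path segment {seg:?} has invalid characters"));
            }
        }
    }
    Ok(SpiffeIdParts { trust_domain: td.to_string(), path: path.to_string() })
}

/// True only if `id` is well-formed and belongs to `trust_domain` (the domain whose bundle is used).
pub fn member_of(id: &str, trust_domain: &str) -> bool {
    parse_spiffe_id(id).map(|p| p.trust_domain == trust_domain).unwrap_or(false)
}
```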

License

This library is licensed under the Apache License. See the LICENSE.md file for details.

Dependencies

~15–28MB
~531K SLoC