diff --git a/Makefile b/Makefile index eb2c8b2..1fe7f4e 100644 --- a/Makefile +++ b/Makefile @@ -64,6 +64,7 @@ protos := \ proto/spire/plugin/types/bundle.proto \ proto/spire/plugin/types/jwtkey.proto \ proto/spire/plugin/types/x509certificate.proto \ + proto/spire/plugin/types/witkey.proto \ ############################################################################ # OS/ARCH detection diff --git a/proto/spire/plugin/types/bundle.pb.go b/proto/spire/plugin/types/bundle.pb.go index 184f247..83076f5 100644 --- a/proto/spire/plugin/types/bundle.pb.go +++ b/proto/spire/plugin/types/bundle.pb.go @@ -34,6 +34,8 @@ type Bundle struct { RefreshHint int64 `protobuf:"varint,4,opt,name=refresh_hint,json=refreshHint,proto3" json:"refresh_hint,omitempty"` // The sequence number of the bundle. SequenceNumber uint64 `protobuf:"varint,5,opt,name=sequence_number,json=sequenceNumber,proto3" json:"sequence_number,omitempty"` + // WIT authorities for authenticating WIT-SVIDs. + WitAuthorities []*WITKey `protobuf:"bytes,6,rep,name=wit_authorities,json=witAuthorities,proto3" json:"wit_authorities,omitempty"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } @@ -103,17 +105,25 @@ func (x *Bundle) GetSequenceNumber() uint64 { return 0 } +func (x *Bundle) GetWitAuthorities() []*WITKey { + if x != nil { + return x.WitAuthorities + } + return nil +} + var File_spire_plugin_types_bundle_proto protoreflect.FileDescriptor const file_spire_plugin_types_bundle_proto_rawDesc = "" + "\n" + - "\x1fspire/plugin/types/bundle.proto\x12\x12spire.plugin.types\x1a\x1fspire/plugin/types/jwtkey.proto\x1a(spire/plugin/types/x509certificate.proto\"\x8c\x02\n" + + "\x1fspire/plugin/types/bundle.proto\x12\x12spire.plugin.types\x1a\x1fspire/plugin/types/jwtkey.proto\x1a(spire/plugin/types/x509certificate.proto\x1a\x1fspire/plugin/types/witkey.proto\"\xd1\x02\n" + "\x06Bundle\x12!\n" + "\ftrust_domain\x18\x01 \x01(\tR\vtrustDomain\x12N\n" + "\x10x509_authorities\x18\x02 \x03(\v2#.spire.plugin.types.X509CertificateR\x0fx509Authorities\x12C\n" + "\x0fjwt_authorities\x18\x03 \x03(\v2\x1a.spire.plugin.types.JWTKeyR\x0ejwtAuthorities\x12!\n" + "\frefresh_hint\x18\x04 \x01(\x03R\vrefreshHint\x12'\n" + - "\x0fsequence_number\x18\x05 \x01(\x04R\x0esequenceNumberB=Z;github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/typesb\x06proto3" + "\x0fsequence_number\x18\x05 \x01(\x04R\x0esequenceNumber\x12C\n" + + "\x0fwit_authorities\x18\x06 \x03(\v2\x1a.spire.plugin.types.WITKeyR\x0ewitAuthoritiesB=Z;github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/typesb\x06proto3" var ( file_spire_plugin_types_bundle_proto_rawDescOnce sync.Once @@ -132,15 +142,17 @@ var file_spire_plugin_types_bundle_proto_goTypes = []any{ (*Bundle)(nil), // 0: spire.plugin.types.Bundle (*X509Certificate)(nil), // 1: spire.plugin.types.X509Certificate (*JWTKey)(nil), // 2: spire.plugin.types.JWTKey + (*WITKey)(nil), // 3: spire.plugin.types.WITKey } var file_spire_plugin_types_bundle_proto_depIdxs = []int32{ 1, // 0: spire.plugin.types.Bundle.x509_authorities:type_name -> spire.plugin.types.X509Certificate 2, // 1: spire.plugin.types.Bundle.jwt_authorities:type_name -> spire.plugin.types.JWTKey - 2, // [2:2] is the sub-list for method output_type - 2, // [2:2] is the sub-list for method input_type - 2, // [2:2] is the sub-list for extension type_name - 2, // [2:2] is the sub-list for extension extendee - 0, // [0:2] is the sub-list for field type_name + 3, // 2: spire.plugin.types.Bundle.wit_authorities:type_name -> spire.plugin.types.WITKey + 3, // [3:3] is the sub-list for method output_type + 3, // [3:3] is the sub-list for method input_type + 3, // [3:3] is the sub-list for extension type_name + 3, // [3:3] is the sub-list for extension extendee + 0, // [0:3] is the sub-list for field type_name } func init() { file_spire_plugin_types_bundle_proto_init() } @@ -150,6 +162,7 @@ func file_spire_plugin_types_bundle_proto_init() { } file_spire_plugin_types_jwtkey_proto_init() file_spire_plugin_types_x509certificate_proto_init() + file_spire_plugin_types_witkey_proto_init() type x struct{} out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ diff --git a/proto/spire/plugin/types/bundle.proto b/proto/spire/plugin/types/bundle.proto index 7ce9492..235c6d9 100644 --- a/proto/spire/plugin/types/bundle.proto +++ b/proto/spire/plugin/types/bundle.proto @@ -4,6 +4,7 @@ option go_package = "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/types import "spire/plugin/types/jwtkey.proto"; import "spire/plugin/types/x509certificate.proto"; +import "spire/plugin/types/witkey.proto"; message Bundle { // The name of the trust domain the bundle belongs to (e.g., "example.org"). @@ -21,4 +22,7 @@ message Bundle { // The sequence number of the bundle. uint64 sequence_number = 5; + + // WIT authorities for authenticating WIT-SVIDs. + repeated WITKey wit_authorities = 6; } diff --git a/proto/spire/plugin/types/witkey.pb.go b/proto/spire/plugin/types/witkey.pb.go new file mode 100644 index 0000000..b6fde2d --- /dev/null +++ b/proto/spire/plugin/types/witkey.pb.go @@ -0,0 +1,156 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.36.6 +// protoc v6.30.2 +// source: spire/plugin/types/witkey.proto + +package types + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" + unsafe "unsafe" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +type WITKey struct { + state protoimpl.MessageState `protogen:"open.v1"` + // The PKIX encoded public key. + PublicKey []byte `protobuf:"bytes,1,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"` + // The key identifier. + KeyId string `protobuf:"bytes,2,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"` + // When the key expires (seconds since Unix epoch). If zero, the key does + // not expire. + ExpiresAt int64 `protobuf:"varint,3,opt,name=expires_at,json=expiresAt,proto3" json:"expires_at,omitempty"` + // Indicates if the key has been tainted. A tainted key is not safe to be used anymore. + Tainted bool `protobuf:"varint,4,opt,name=tainted,proto3" json:"tainted,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *WITKey) Reset() { + *x = WITKey{} + mi := &file_spire_plugin_types_witkey_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *WITKey) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*WITKey) ProtoMessage() {} + +func (x *WITKey) ProtoReflect() protoreflect.Message { + mi := &file_spire_plugin_types_witkey_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use WITKey.ProtoReflect.Descriptor instead. +func (*WITKey) Descriptor() ([]byte, []int) { + return file_spire_plugin_types_witkey_proto_rawDescGZIP(), []int{0} +} + +func (x *WITKey) GetPublicKey() []byte { + if x != nil { + return x.PublicKey + } + return nil +} + +func (x *WITKey) GetKeyId() string { + if x != nil { + return x.KeyId + } + return "" +} + +func (x *WITKey) GetExpiresAt() int64 { + if x != nil { + return x.ExpiresAt + } + return 0 +} + +func (x *WITKey) GetTainted() bool { + if x != nil { + return x.Tainted + } + return false +} + +var File_spire_plugin_types_witkey_proto protoreflect.FileDescriptor + +const file_spire_plugin_types_witkey_proto_rawDesc = "" + + "\n" + + "\x1fspire/plugin/types/witkey.proto\x12\x12spire.plugin.types\"w\n" + + "\x06WITKey\x12\x1d\n" + + "\n" + + "public_key\x18\x01 \x01(\fR\tpublicKey\x12\x15\n" + + "\x06key_id\x18\x02 \x01(\tR\x05keyId\x12\x1d\n" + + "\n" + + "expires_at\x18\x03 \x01(\x03R\texpiresAt\x12\x18\n" + + "\atainted\x18\x04 \x01(\bR\ataintedB=Z;github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/typesb\x06proto3" + +var ( + file_spire_plugin_types_witkey_proto_rawDescOnce sync.Once + file_spire_plugin_types_witkey_proto_rawDescData []byte +) + +func file_spire_plugin_types_witkey_proto_rawDescGZIP() []byte { + file_spire_plugin_types_witkey_proto_rawDescOnce.Do(func() { + file_spire_plugin_types_witkey_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_spire_plugin_types_witkey_proto_rawDesc), len(file_spire_plugin_types_witkey_proto_rawDesc))) + }) + return file_spire_plugin_types_witkey_proto_rawDescData +} + +var file_spire_plugin_types_witkey_proto_msgTypes = make([]protoimpl.MessageInfo, 1) +var file_spire_plugin_types_witkey_proto_goTypes = []any{ + (*WITKey)(nil), // 0: spire.plugin.types.WITKey +} +var file_spire_plugin_types_witkey_proto_depIdxs = []int32{ + 0, // [0:0] is the sub-list for method output_type + 0, // [0:0] is the sub-list for method input_type + 0, // [0:0] is the sub-list for extension type_name + 0, // [0:0] is the sub-list for extension extendee + 0, // [0:0] is the sub-list for field type_name +} + +func init() { file_spire_plugin_types_witkey_proto_init() } +func file_spire_plugin_types_witkey_proto_init() { + if File_spire_plugin_types_witkey_proto != nil { + return + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: unsafe.Slice(unsafe.StringData(file_spire_plugin_types_witkey_proto_rawDesc), len(file_spire_plugin_types_witkey_proto_rawDesc)), + NumEnums: 0, + NumMessages: 1, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_spire_plugin_types_witkey_proto_goTypes, + DependencyIndexes: file_spire_plugin_types_witkey_proto_depIdxs, + MessageInfos: file_spire_plugin_types_witkey_proto_msgTypes, + }.Build() + File_spire_plugin_types_witkey_proto = out.File + file_spire_plugin_types_witkey_proto_goTypes = nil + file_spire_plugin_types_witkey_proto_depIdxs = nil +} diff --git a/proto/spire/plugin/types/witkey.proto b/proto/spire/plugin/types/witkey.proto new file mode 100644 index 0000000..7af453a --- /dev/null +++ b/proto/spire/plugin/types/witkey.proto @@ -0,0 +1,18 @@ +syntax = "proto3"; +package spire.plugin.types; +option go_package = "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/types"; + +message WITKey { + // The PKIX encoded public key. + bytes public_key = 1; + + // The key identifier. + string key_id = 2; + + // When the key expires (seconds since Unix epoch). If zero, the key does + // not expire. + int64 expires_at = 3; + + // Indicates if the key has been tainted. A tainted key is not safe to be used anymore. + bool tainted = 4; +}