spiffe
/
java-spiffe
mirror of https://github.com/spiffe/java-spiffe.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update workload.proto with the lastest version from the SPIFFE repo. 

Signed-off-by: Max Lambrecht <maxlambrecht@gmail.com>
This commit is contained in:
Max Lambrecht 2021-05-27 15:55:07 -03:00
parent 060bec6f33
commit 377225ac7b
1 changed files with 104 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

156
java-spiffe-core/src/main/proto/workload.proto
View File

@ -4,100 +4,152 @@ option java_package = "io.spiffe.workloadapi.grpc";
import "google/protobuf/struct.proto"; import "google/protobuf/struct.proto";
service SpiffeWorkloadAPI {
/////////////////////////////////////////////////////////////////////////
// X509-SVID Profile
/////////////////////////////////////////////////////////////////////////
// Fetch X.509-SVIDs for all SPIFFE identities the workload is entitled to,
// as well as related information like trust bundles and CRLs. As this
// information changes, subsequent messages will be streamed from the
// server.
rpc FetchX509SVID(X509SVIDRequest) returns (stream X509SVIDResponse);
// Fetch trust bundles and CRLs. Useful for clients that only need to
// validate SVIDs without obtaining an SVID for themself. As this
// information changes, subsequent messages will be streamed from the
// server.
rpc FetchX509Bundles(X509BundlesRequest) returns (stream X509BundlesResponse);
/////////////////////////////////////////////////////////////////////////
// JWT-SVID Profile
/////////////////////////////////////////////////////////////////////////
// Fetch JWT-SVIDs for all SPIFFE identities the workload is entitled to,
// for the requested audience. If an optional SPIFFE ID is requested, only
// the JWT-SVID for that SPIFFE ID is returned.
rpc FetchJWTSVID(JWTSVIDRequest) returns (JWTSVIDResponse);
// Fetches the JWT bundles, formatted as JWKS documents, keyed by the
// SPIFFE ID of the trust domain. As this information changes, subsequent
// messages will be streamed from the server.
rpc FetchJWTBundles(JWTBundlesRequest) returns (stream JWTBundlesResponse);
// Validates a JWT-SVID against the requested audience. Returns the SPIFFE
// ID of the JWT-SVID and JWT claims.
rpc ValidateJWTSVID(ValidateJWTSVIDRequest) returns (ValidateJWTSVIDResponse);
}
// The X509SVIDRequest message conveys parameters for requesting an X.509-SVID.
// There are currently no request parameters.
message X509SVIDRequest { } message X509SVIDRequest { }
// The X509SVIDResponse message carries a set of X.509 SVIDs and their // The X509SVIDResponse message carries X.509-SVIDs and related information,
// associated information. It also carries a set of global CRLs, and a // including a set of global CRLs and a list of bundles the workload may use
// TTL to inform the workload when it should check back next. // for federating with foreign trust domains.
message X509SVIDResponse { message X509SVIDResponse {
// A list of X509SVID messages, each of which includes a single // Required. A list of X509SVID messages, each of which includes a single
// SPIFFE Verifiable Identity Document, along with its private key // X.509-SVID, its private key, and the bundle for the trust domain.
// and bundle.
repeated X509SVID svids = 1; repeated X509SVID svids = 1;
// ASN.1 DER encoded // Optional. ASN.1 DER encoded certificate revocation lists.
repeated bytes crl = 2; repeated bytes crl = 2;
// CA certificate bundles belonging to foreign Trust Domains that the // Optional. CA certificate bundles belonging to foreign trust domains that
// workload should trust, keyed by the SPIFFE ID of the foreign // the workload should trust, keyed by the SPIFFE ID of the foreign trust
// domain. Bundles are ASN.1 DER encoded. // domain. Bundles are ASN.1 DER encoded.
map<string, bytes> federated_bundles = 3; map<string, bytes> federated_bundles = 3;
} }
// The X509SVID message carries a single SVID and all associated // The X509SVID message carries a single SVID and all associated information,
// information, including CA bundles. // including the X.509 bundle for the trust domain.
message X509SVID { message X509SVID {
// The SPIFFE ID of the SVID in this entry // Required. The SPIFFE ID of the SVID in this entry
string spiffe_id = 1; string spiffe_id = 1;
// ASN.1 DER encoded certificate chain. MAY include intermediates, // Required. ASN.1 DER encoded certificate chain. MAY include
// the leaf certificate (or SVID itself) MUST come first. // intermediates, the leaf certificate (or SVID itself) MUST come first.
bytes x509_svid = 2; bytes x509_svid = 2;
// ASN.1 DER encoded PKCS#8 private key. MUST be unencrypted. // Required. ASN.1 DER encoded PKCS#8 private key. MUST be unencrypted.
bytes x509_svid_key = 3; bytes x509_svid_key = 3;
// CA certificates belonging to the Trust Domain // Required. ASN.1 DER encoded X.509 bundle for the trust domain.
// ASN.1 DER encoded
bytes bundle = 4; bytes bundle = 4;
} }
message X509BundlesRequest {} // The X509BundlesRequest message conveys parameters for requesting X.509
// bundles. There are currently no such parameters.
message X509BundlesResponse { message X509BundlesRequest {
// x509 certificates, keyed by trust domain URI
map<string, bytes> bundles = 1;
} }
message JWTSVID { // The X509BundlesResponse message carries a set of global CRLs and a map of
string spiffe_id = 1; // trust bundles the workload should trust.
message X509BundlesResponse {
// Optional. ASN.1 DER encoded certificate revocation lists.
repeated bytes crl = 1;
// Encoded using JWS Compact Serialization // Required. CA certificate bundles belonging to trust domains that the
string svid = 2; // workload should trust, keyed by the SPIFFE ID of the trust domain.
// Bundles are ASN.1 DER encoded.
map<string, bytes> bundles = 2;
} }
message JWTSVIDRequest { message JWTSVIDRequest {
// Required. The audience(s) the workload intends to authenticate against.
repeated string audience = 1; repeated string audience = 1;
// SPIFFE ID of the JWT being requested // Optional. The requested SPIFFE ID for the JWT-SVID. If unset, all
// If not set, all IDs will be returned // JWT-SVIDs to which the workload is entitled are requested.
string spiffe_id = 2; string spiffe_id = 2;
} }
// The JWTSVIDResponse message conveys JWT-SVIDs.
message JWTSVIDResponse { message JWTSVIDResponse {
// Required. The list of returned JWT-SVIDs.
repeated JWTSVID svids = 1; repeated JWTSVID svids = 1;
} }
message JWTBundlesRequest { } // The JWTSVID message carries the JWT-SVID token and associated metadata.
message JWTSVID {
// Required. The SPIFFE ID of the JWT-SVID.
string spiffe_id = 1;
message JWTBundlesResponse { // Required. Encoded JWT using JWS Compact Serialization.
// JWK sets, keyed by trust domain URI
map<string, bytes> bundles = 1;
}
message ValidateJWTSVIDRequest {
string audience = 1;
// Encoded using JWS Compact Serialization
string svid = 2; string svid = 2;
} }
// The JWTBundlesRequest message conveys parameters for requesting JWT bundles.
// There are currently no such parameters.
message JWTBundlesRequest { }
// The JWTBundlesReponse conveys JWT bundles.
message JWTBundlesResponse {
// Required. JWK encoded JWT bundles, keyed by the SPIFFE ID of the trust
// domain.
map<string, bytes> bundles = 1;
}
// The ValidateJWTSVIDRequest message conveys request parameters for
// JWT-SVID validation.
message ValidateJWTSVIDRequest {
// Required. The audience of the validating party. The JWT-SVID must
// contain an audience claim which contains this value in order to
// succesfully validate.
string audience = 1;
// Required. The JWT-SVID to validate, encoded using JWS Compact
// Serialization.
string svid = 2;
}
// The ValidateJWTSVIDReponse message conveys the JWT-SVID validation results.
message ValidateJWTSVIDResponse { message ValidateJWTSVIDResponse {
// Required. The SPIFFE ID of the validated JWT-SVID.
string spiffe_id = 1; string spiffe_id = 1;
// Optional. Arbitrary claims contained within the payload of the validated
// JWT-SVID.
google.protobuf.Struct claims = 2; google.protobuf.Struct claims = 2;
} }
service SpiffeWorkloadAPI {
// JWT-SVID Profile
rpc FetchJWTSVID(JWTSVIDRequest) returns (JWTSVIDResponse);
rpc FetchJWTBundles(JWTBundlesRequest) returns (stream JWTBundlesResponse);
rpc ValidateJWTSVID(ValidateJWTSVIDRequest) returns (ValidateJWTSVIDResponse);
// X.509-SVID Profile
// Fetch all SPIFFE identities the workload is entitled to, as
// well as related information like trust bundles and CRLs. As
// this information changes, subsequent messages will be sent.
rpc FetchX509SVID(X509SVIDRequest) returns (stream X509SVIDResponse);
rpc FetchX509Bundles(X509BundlesRequest) returns (stream X509BundlesResponse);
}