249 lines
11 KiB
Protocol Buffer
249 lines
11 KiB
Protocol Buffer
syntax = "proto3";
|
|
package spire.plugin.server.credentialcomposer.v1;
|
|
option go_package = "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/server/credentialcomposer/v1;credentialcomposerv1";
|
|
|
|
import "google/protobuf/struct.proto";
|
|
|
|
// The CredentialComposer plugin influences the attributes of X.509
|
|
// certificates and JWT tokens minted by or on behalf of SPIRE Server.
|
|
service CredentialComposer {
|
|
// Composes the SPIRE Server X509 CA. The server will supply the default
|
|
// attributes it will apply to the CA. If the plugin returns an empty
|
|
// response or NOT_IMPLEMENTED, the server will apply the default
|
|
// attributes. Otherwise the returned attributes are used. If a CA is
|
|
// produced that does not conform to the SPIFFE X509-SVID specification for
|
|
// signing certificates, it will be rejected.
|
|
rpc ComposeServerX509CA(ComposeServerX509CARequest) returns (ComposeServerX509CAResponse);
|
|
|
|
// Composes the SPIRE Server X509-SVID. The server will supply the default
|
|
// attributes it will apply to the server X509-SVID. If the plugin returns
|
|
// an empty response or NOT_IMPLEMENTED, the server will apply the default
|
|
// attributes. Otherwise the returned attributes are used. If an X509-SVID
|
|
// is produced that does not conform to the SPIFFE X509-SVID specification
|
|
// for leaf certificates, it will be rejected. This function cannot be used
|
|
// to modify the SPIFFE ID of the X509-SVID.
|
|
rpc ComposeServerX509SVID(ComposeServerX509SVIDRequest) returns (ComposeServerX509SVIDResponse);
|
|
|
|
// Composes the SPIRE Agent X509-SVID. The server will supply the default
|
|
// attributes it will apply to the agent X509-SVID. If the plugin returns
|
|
// an empty response or NOT_IMPLEMENTED, the server will apply the default
|
|
// attributes. Otherwise the returned attributes are used. If an X509-SVID
|
|
// is produced that does not conform to the SPIFFE X509-SVID specification
|
|
// for leaf certificates, it will be rejected. This function cannot be used
|
|
// to modify the SPIFFE ID of the X509-SVID.
|
|
rpc ComposeAgentX509SVID(ComposeAgentX509SVIDRequest) returns (ComposeAgentX509SVIDResponse);
|
|
|
|
// Composes workload X509-SVIDs. The server will supply the default
|
|
// attributes it will apply to the workload X509-SVID. If the plugin
|
|
// returns an empty response or NOT_IMPLEMENTED, the server will apply the
|
|
// default attributes. Otherwise the returned attributes are used. If an
|
|
// X509-SVID is produced that does not conform to the SPIFFE X509-SVID
|
|
// specification for leaf certificates, it will be rejected. This function
|
|
// cannot be used to modify the SPIFFE ID of the X509-SVID.
|
|
rpc ComposeWorkloadX509SVID(ComposeWorkloadX509SVIDRequest) returns (ComposeWorkloadX509SVIDResponse);
|
|
|
|
// Composes workload JWT-SVIDs. The server will supply the default
|
|
// attributes it will apply to the workload JWT-SVID. If the plugin
|
|
// returns an empty response or NOT_IMPLEMENTED, the server will apply the
|
|
// default attributes. Otherwise the returned attributes are used. If a
|
|
// JWT-SVID is produced that does not conform to the SPIFFE JWT-SVID
|
|
// specification, it will be rejected. This function cannot be used to
|
|
// modify the SPIFFE ID of the JWT-SVID.
|
|
rpc ComposeWorkloadJWTSVID(ComposeWorkloadJWTSVIDRequest) returns (ComposeWorkloadJWTSVIDResponse);
|
|
}
|
|
|
|
message ComposeServerX509CARequest {
|
|
// The attributes for the server X509 CA. To maintain forward compatibility
|
|
// with future attribute field additions, these attributes SHOULD be
|
|
// mutated and used to populate the attributes field in the
|
|
// ComposeServerX509CAResponse.
|
|
X509CAAttributes attributes = 1;
|
|
}
|
|
|
|
message ComposeServerX509CAResponse {
|
|
// The attributes for the server X509 CA. To maintain forward compatibility
|
|
// with future attribute field additions, these attributes SHOULD be
|
|
// populated with the mutated attributes field in the
|
|
// ComposeServerX509CARequest. If this field is not included in the
|
|
// response, the original attributes sent in the request will be used.
|
|
X509CAAttributes attributes = 1;
|
|
}
|
|
|
|
message ComposeServerX509SVIDRequest {
|
|
// The attributes for the server X509-SVID. To maintain forward
|
|
// compatibility with future attribute field additions, these attributes
|
|
// SHOULD be mutated and used to populate the attributes field in the
|
|
// ComposeServerX509SVIDResponse.
|
|
X509SVIDAttributes attributes = 1;
|
|
}
|
|
|
|
message ComposeServerX509SVIDResponse {
|
|
// The attributes for the server X509-SVID. To maintain forward
|
|
// compatibility with future attribute field additions, these attributes
|
|
// SHOULD be populated with the mutated attributes field in the
|
|
// ComposeServerX509SVIDRequest. If this field is not included in the
|
|
// response, the original attributes sent in the request will be used.
|
|
X509SVIDAttributes attributes = 1;
|
|
}
|
|
|
|
message ComposeAgentX509SVIDRequest {
|
|
// The attributes for the agent X509-SVID. To maintain forward
|
|
// compatibility with future attribute field additions, these attributes
|
|
// SHOULD be mutated and used to populate the attributes field in the
|
|
// ComposeAgentX509SVIDResponse.
|
|
X509SVIDAttributes attributes = 1;
|
|
|
|
// The SPIFFE ID of the agent.
|
|
string spiffe_id = 2;
|
|
|
|
// PKIX encoded public key of the agent.
|
|
bytes public_key = 3;
|
|
}
|
|
|
|
message ComposeAgentX509SVIDResponse {
|
|
// The attributes for the agent X509-SVID. To maintain forward
|
|
// compatibility with future attribute field additions, these attributes
|
|
// SHOULD be populated with the mutated attributes field in the
|
|
// ComposeAgentX509SVIDRequest. If this field is not included in the
|
|
// response, the original attributes sent in the request will be used.
|
|
X509SVIDAttributes attributes = 1;
|
|
}
|
|
|
|
message ComposeWorkloadX509SVIDRequest {
|
|
// The attributes for the workload X509-SVID. To maintain forward
|
|
// compatibility with future attribute field additions, these attributes
|
|
// SHOULD be mutated and used to populate the attributes field in the
|
|
// ComposeWorkloadX509SVIDResponse.
|
|
X509SVIDAttributes attributes = 1;
|
|
|
|
// The SPIFFE ID of the workload.
|
|
string spiffe_id = 2;
|
|
|
|
// PKIX encoded public key of the workload.
|
|
bytes public_key = 3;
|
|
}
|
|
|
|
message ComposeWorkloadX509SVIDResponse {
|
|
// The attributes for the workload X509-SVID. To maintain forward
|
|
// compatibility with future attribute field additions, these attributes
|
|
// SHOULD be populated with the mutated attributes field in the
|
|
// ComposeWorkloadX509SVIDRequest. If this message is not included in the
|
|
// response, the original attributes sent in the request will be used.
|
|
X509SVIDAttributes attributes = 1;
|
|
}
|
|
|
|
message ComposeWorkloadJWTSVIDRequest {
|
|
// The attributes for the workload JWT-SVID. To maintain forward
|
|
// compatibility with future attribute field additions, these attributes
|
|
// SHOULD be mutated and used to populate the attributes field in the
|
|
// ComposeWorkloadJWTSVIDResponse.
|
|
JWTSVIDAttributes attributes = 1;
|
|
|
|
// The SPIFFE ID of the workload.
|
|
string spiffe_id = 2;
|
|
}
|
|
|
|
message ComposeWorkloadJWTSVIDResponse {
|
|
// The attributes for the workload JWT-SVID. To maintain forward
|
|
// compatibility with future attribute field additions, these attributes
|
|
// SHOULD be populated with the mutated attributes field in the
|
|
// ComposeWorkloadJWTSVIDRequest. If this field is not included in the
|
|
// response, the original attributes sent in the request will be used.
|
|
JWTSVIDAttributes attributes = 1;
|
|
}
|
|
|
|
message X509CAAttributes {
|
|
// The subject of the X509 CA.
|
|
DistinguishedName subject = 1;
|
|
|
|
// Zero or more policy identifiers (OIDs) to apply to the CA.
|
|
repeated string policy_identifiers = 2;
|
|
|
|
// Zero or more extensions to apply to the X509 CA. These will override
|
|
// any extensions otherwise added by the other fields.
|
|
repeated X509Extension extra_extensions = 3;
|
|
}
|
|
|
|
message X509SVIDAttributes {
|
|
// The subject of the X509-SVID.
|
|
DistinguishedName subject = 1;
|
|
|
|
// Zero or more DNS SANs to apply to the X509-SVID.
|
|
repeated string dns_sans = 2;
|
|
|
|
// Zero or more extensions to apply to the X509-SVID . These will override
|
|
// any extensions otherwise added by the other fields. This field cannot
|
|
// be used to change the URI SAN of the X509-SVID (i.e. the SPIFFE ID).
|
|
repeated X509Extension extra_extensions = 3;
|
|
}
|
|
|
|
message X509Extension {
|
|
// The OID of the X.509 extension (e.g. "1.2.3.4")
|
|
string oid = 1;
|
|
|
|
// Opaque value of the extension. No validity checking is performed on
|
|
// this value. Plugin implementors must ensure they are providing well
|
|
// formed values for the given extension OID.
|
|
bytes value = 2;
|
|
|
|
// Whether or not the extension is critical, i.e., must be
|
|
// handled/understood by verifiers or not.
|
|
bool critical = 3;
|
|
}
|
|
|
|
message DistinguishedName {
|
|
// Zero or more country designations.
|
|
repeated string country = 1;
|
|
|
|
// Zero or more organization designations.
|
|
repeated string organization = 2;
|
|
|
|
// Zero or more organizational unit designations.
|
|
repeated string organizational_unit = 3;
|
|
|
|
// Zero or more locality designations.
|
|
repeated string locality = 4;
|
|
|
|
// Zero or more province designations.
|
|
repeated string province = 5;
|
|
|
|
// Zero or more street address designations.
|
|
repeated string street_address = 6;
|
|
|
|
// Zero or more postal code designations.
|
|
repeated string postal_code = 7;
|
|
|
|
// The serial number designation. The attribute is only set if this field
|
|
// is non-empty.
|
|
string serial_number = 8;
|
|
|
|
// The common name designation. The attribute is only set if this field is
|
|
// non-empty.
|
|
string common_name = 9;
|
|
|
|
// Extra names, determined by oid and value, to be added to the
|
|
// distinguished names. This field is to support names not covered by the
|
|
// DistinguishedName message. It will override values specified in other
|
|
// fields in the DistinguishedName if the attributes overlap.
|
|
repeated AttributeTypeAndValue extra_names = 10;
|
|
}
|
|
|
|
message AttributeTypeAndValue {
|
|
// The OID of the attribute (e.g. "1.2.3.4").
|
|
string oid = 1;
|
|
|
|
// The value of the attribute. Only UTF-8 strings are currently supported.
|
|
// this field may be encapsulated in a oneof at a later point.
|
|
string string_value = 2;
|
|
}
|
|
|
|
message JWTSVIDAttributes {
|
|
// The JWT-SVID claims. Returned attributes must contain all of the
|
|
// claims required by the JWT-SVID specification:
|
|
//
|
|
// https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md
|
|
//
|
|
// The subject claim (i.e. SPIFFE ID) cannot be overriden.
|
|
google.protobuf.Struct claims = 1;
|
|
}
|