These are the commits in which the Protocol Buffers files changed (only the last 100 relevant commits are shown):
Commit: | 20d4242 | |
---|---|---|
Author: | Keegan Witt | |
Committer: | GitHub |
Spelling and grammar fixes (#5571) Signed-off-by: Keegan Witt <keeganwitt@gmail.com>
The documentation is generated from this commit.
Commit: | e3dac17 | |
---|---|---|
Author: | Marcos Yacob | |
Committer: | GitHub |
Add taint upstream authority (#5340)
* POC to add taint upstream authority Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
* Propagate tainting and revoke into downstream server, updating upstream client Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
* start working in unit tests for 'common/coretypes/jwtkey' Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
* refactor x509certificate package Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
* Add update test in coretypes bundle Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
* Add more tests for api bundle Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
* Add tests for local authority service Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
* more test Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
* more tests Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
* more Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
* more test Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
* resolve some lints Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
* more Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
* upgrade spire-api-sdk, and resolve lint Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
* Resolve lint... Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
* PR changes Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>

--------- Signed-off-by: Marcos Yacob <marcosyacob@gmail.com>
Commit: | 1c8dc49 | |
---|---|---|
Author: | Agustín Martínez Fayó | |
Committer: | GitHub |
Introduce support to save and load the CA journal from the datastore (#4690) * Save and load the CA journal from datastore Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
Commit: | fcf921e | |
---|---|---|
Author: | Marcos Yacob | |
Committer: | GitHub |
Force Rotation: local authority scaffolding and implements X.509 authority endpoints (#4020) * Create local authority scaffolding, and implements X.509 local authority service Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com>
Commit: | 1a591c9 | |
---|---|---|
Author: | Marcos Yacob | |
Committer: | GitHub |
Force Rotation: Add status to journal (#4188) * Refactor journal to store a Status field Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com>
Commit: | 7134ec3 | |
---|---|---|
Author: | Max Lambrecht | |
Committer: | GitHub |
Add support for SPIFFE bundle sequence number (#4061) * Add support for SPIFFE bundle sequence number Signed-off-by: Max Lambrecht <max.lambrecht@hpe.com>
Commit: | 1415347 | |
---|---|---|
Author: | Guilherme Carvalho | |
Committer: | GitHub |
Include entry's created_at field in service API response (#3975) * Add createdAt field to common.RegistrationEntry type Signed-off-by: Guilherme Carvalho <guilhermbrsp@gmail.com> Signed-off-by: Guilherme Carvalho <guilhermocc@proton.me>
Commit: | 8de7218 | |
---|---|---|
Author: | Marcos Yacob | |
Committer: | GitHub |
Add mint and revoke scaffolding to datastore layer (#3956) * Add mint and revoke scaffolding to datastore layer and apply changes to common.Bundle to persist tainted keys Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com>
Commit: | 37b18c2 | |
---|---|---|
Author: | Guilherme Carvalho | |
Committer: | GitHub |
Update datastore to persist, update and query registration entries with Hint field (#3787) Signed-off-by: Guilherme Carvalho <guilhermbrsp@gmail.com>
Commit: | bcc05ff | |
---|---|---|
Author: | Dennis Gove | |
Committer: | GitHub |
Issue #2700: Adds support for X509 and JWT specific SVID TTLs (#3445)

* Adds support for X509 and JWT specific SVID TTLs

Fixes #2700

This change adds support for X509 and JWT specific SVID TTLs in each of the following places
* Default values in spire-server configuration. Similar to the existing TTL value, if provided then it must be >= 0. A value of 0 is considered 'unset', meaning there is no default.
* Entry records in the database and API

During Entry creation and update
* If the API call contains a non-zero X509SvidTtl value then that will be stored, else the config default x509SvidTtl value is used
* If the API call contains a non-zero JWTSvidTtl value then that will be stored, else the config default jwtSvidTtl value is used

During X509-SVID creation
* If the API call contains a non-zero TTL value then that is used, else
* If the stored record contains a non-zero X509SvidTtl value then that will be used, else
* If the stored record contains a non-zero TTL value then that will be used,
* The hard-coded default X509SvidTTL value will be used

During JWT-SVID creation
* If the API call contains a non-zero TTL value then that is used, else
* If the stored record contains a non-zero JWTSvidTtl value then that will be used, else
* If the stored record contains a non-zero TTL value then that will be used,
* The hard-coded default JWTSvidTTL value will be used

X509SvidTtl and JwtSvidTtl will be considered during the following cases
* All must be valid with-respect-to the configured CA TTL - they are all part of the min/max validation checks
* Entry sorting now includes each of X509SvidTtl and JwtSvidTtl

Signed-off-by: Dennis Gove <dgove1@bloomberg.net>
Commit: | 5b15095 | |
---|---|---|
Author: | Marcos Yacob | |
Committer: | GitHub |
remove unofficial svidstore protos (#3288) Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com>
Commit: | e8b280b | |
---|---|---|
Author: | dfeldman | |
Committer: | GitHub |
Add CanReattest flag in datastore and in node attestor plugins (#2646) Signed-off-by: Daniel Feldman <dfeldman.mn@gmail.com>
Commit: | c589168 | |
---|---|---|
Author: | Andrew Harding | |
Committer: | GitHub |
Use official SVIDStore V1 interface (#2688) We neglected to publish the SVIDStore V1 interface in the SDK when it was introduced in version SPIRE 1.1.0. This means that for 1.1.x, external plugins, if any, would have been written against the interface checked into the SPIRE repository. Unfortunately, the protobuf package name on the checked in version does not follow the SDK convention, so even if we fix and publish the interface in the SDK, external plugins written against the "unofficial" interface need to still work. To accommodate this situation and not break existing plugins, this change consumes the newly published interface from the SDK and renames the version checked into SPIRE to v1unofficial. The unofficial version is marked as deprecated in the catalog to guide consumers to move to the SDK version. Since the protobuf package name remains the same (i.e. spire.agent.svidstore), existing external plugins will continue to function, though, if they update their SPIRE dependency, they will need to fix up import paths to continue to build. Ideally they switch to the official v1 version published in the SDK. We can remove v1unofficial in the SPIRE 1.3 release. I also fixed a small bug in the catalog code that prevented the preferred version from being logged. Signed-off-by: Andrew Harding <aharding@vmware.com>
Commit: | b8a64a4 | |
---|---|---|
Author: | Marcos Yacob | |
Committer: | GitHub |
Serverless support: agent changes to identify the entries that indicate externally stored identities (#2176) * Implements a new store cache with a store service Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com>
Commit: | 327a0db | |
---|---|---|
Author: | Andrew Harding | |
Committer: | GitHub |
Remove v0 Server Notifier (#2528) Signed-off-by: Andrew Harding <aharding@vmware.com>
Commit: | d15fd4d | |
---|---|---|
Author: | Andrew Harding | |
Committer: | GitHub |
Remove v0 Agent KeyManager (#2525) Signed-off-by: Andrew Harding <aharding@vmware.com>
Commit: | a8dd748 | |
---|---|---|
Author: | Andrew Harding | |
Committer: | GitHub |
Remove v0 Server KeyManager (#2522) Signed-off-by: Andrew Harding <aharding@vmware.com>
Commit: | 9ce0fb0 | |
---|---|---|
Author: | Andrew Harding | |
Committer: | GitHub |
Remove v0 Server NodeAttestor (#2523) Signed-off-by: Andrew Harding <aharding@vmware.com>
Commit: | cfe9df6 | |
---|---|---|
Author: | Andrew Harding | |
Committer: | GitHub |
Remove v0 Agent NodeAttestor (#2521) Signed-off-by: Andrew Harding <aharding@vmware.com>
Commit: | e581919 | |
---|---|---|
Author: | Andrew Harding | |
Committer: | GitHub |
Remove V0 Agent WorkloadAttestor (#2520) Signed-off-by: Andrew Harding <aharding@vmware.com>
Commit: | 8c6f5a1 | |
---|---|---|
Author: | Andrew Harding | |
Committer: | GitHub |
Remove v0 Server NodeResolver (#2518) Signed-off-by: Andrew Harding <aharding@vmware.com>
Commit: | 70e4bb2 | |
---|---|---|
Author: | Andrew Harding | |
Committer: | GitHub |
Remove v0 server upstreamauthority (#2517) Signed-off-by: Andrew Harding <aharding@vmware.com>
Commit: | f0400fd | |
---|---|---|
Author: | Andrew Harding | |
Committer: | GitHub |
Remove v0 hostservices (#2516) Signed-off-by: Andrew Harding <aharding@vmware.com>
Commit: | 6c0c7e2 | |
---|---|---|
Author: | Andrew Harding | |
Committer: | GitHub |
Remove legacy plugin support (#2490) The new plugin infrastructure was introduced in v1.0 with deprecated support for legacy (i.e. v0) plugins. This PR removes the legacy plugin support from the catalog in preparation for v1.1. To limit the scope of the PR and ease review burden, this PR does not remove any actual v0 plugins or interfaces. That will be done in follow up PRs. Signed-off-by: Andrew Harding <aharding@vmware.com>
Commit: | a90987e | |
---|---|---|
Author: | Andrew Harding | |
Committer: | GitHub |
Remove deprecated Registration API (#2487) This API was replaced in 0.11.0 and deprecated in 0.12.0. We have kept it around for a little longer than usual to give folks time to migrate but it is time to remove it for 1.1. Signed-off-by: Andrew Harding <aharding@vmware.com>
Commit: | 2d3c742 | |
---|---|---|
Author: | Marcos Yacob | |
Committer: | GitHub |
Add entry SvidStore to SPIRE Server (#2483) Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com>
Commit: | 73f660b | |
---|---|---|
Author: | Andrew Harding | |
Committer: | GitHub |
New catalog with version support (#2229)
- Introduces the idea of plugin and service repositories which advertise their supported versions and available builtins and provide a binder for the catalog to populate the repository with applicable facades.
- Generates code for the new SDK interfaces for existing plugins/services. Removes the old spire-plugingen targets and tooling.
- Removes the reflect-heavy "fill" code with something a little more explicit. The only use of reflect is to validate that the binder can accept all version facades and wrap it for internal use.
- Removes examples and plugin test tools. Conceptually these belong in the plugin SDK repository.
- Removes spiretest.LoadPlugin in favor of a new plugintest.Load system tailored to the new catalog. The plugintest package makes for a clean home for plugin test related things.
- `make generate` is now very fast, and has always been idempotent, so it just regenerates every time it is called and doesn't try and be smart about only regenerating what is needed. The plugingen and protogen targets have been removed accordingly. This sidesteps problems with tool version change detection that we've had historically.
- A few unit-tests were converted to test through the facade interface. The rest were left until the individual plugin is converted to the v1 interface, as the changes would be a little more hefty.

Signed-off-by: Andrew Harding <aharding@vmware.com>
Commit: | 329eda1 | |
---|---|---|
Author: | Andrew Harding | |
Committer: | Andrew Harding |
Restructure v0 plugin interface layout Aligns the directories with the plugin-sdk. Most of the code changes outside of the import path updates are limited to spots where we missed using the versioned import when introducing the facades. While I was in the position of regenerating all of the gRPC code, I pulled in version 1.1.0 of the protoc-gen-go-grpc tool. Signed-off-by: Andrew Harding <aharding@vmware.com>
Commit: | 7cb991c | |
---|---|---|
Author: | Andrew Harding | |
Committer: | Andrew Harding |
Removing plugin related materials from DataStore

Lots of artifacts around DataStore pluggability remain. This is the first step to removing some of those artifacts. Two reasons for doing this now:
1. The plugingen tool is used to generate the DataStore interface from the gRPC service definition. The plugingen tool will be removed very soon as part of the catalog refactor and plugin SDK introduction (#2153)
2. Since all of the scaffolding is in place for the datastore, it's easy for test code to load it as a plugin, which is DIFFERENT than how SPIRE server loads it. This can lead to a divergence in expected behavior.

Cleaning the datastore interface up completely is out of scope for this PR. This PR does not take the change as far as it could, for sake of review simplicity. For example, it maintains the request/response parameters even when those requests/response should eventually be removed in most cases where we have few or no fields in those structs. The SQL plugin also still takes HCL string configuration as input instead of an already populated struct. Most of the changes are scoped to the de-protobuf'ing of the request/response structs. The creation and configuration path was also tweaked to not be reliant on the plugin loading paradigms (e.g. SetLogger, Configure RPC). The logger was also changed to the logrus logger the rest of SPIRE uses instead of the hclog for plugins.

Signed-off-by: Andrew Harding <aharding@vmware.com>
Commit: | e6112e4 | |
---|---|---|
Author: | Andrew Harding | |
Committer: | Andrew Harding |
Remove the proto/spire go module - Updates imports to use the new API SDK - Plugin imports will be changed later with the Plugin SDK Signed-off-by: Andrew Harding <aharding@vmware.com>
Commit: | afb2b79 | |
---|---|---|
Author: | Andrew Harding | |
Committer: | GitHub |
Merge branch 'master' into list-count
Commit: | f9d33e8 | |
---|---|---|
Author: | Sachin Kumar Singh | |
Committer: | Sachin Kumar Singh |
Fix duplication of `/bin` in .gitignore and add missing comments * Duplication of `/bin` is removed from .gitignore. * A missing comment was added in `./proto/spire/api/registration/registration.proto` Signed-off-by: Sachin Kumar Singh <sachinkumarsingh092@gmail.com>
Commit: | dd9c4d1 | |
---|---|---|
Author: | Brian Martin |
count subcommand for agent, bundle, entry server CLI commands Signed-off-by: Brian Martin <bri365@gmail.com>
Commit: | 6124828 | |
---|---|---|
Author: | Marcos Yacob |
stop using types.SPIFFEID on svidstore Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com>
Commit: | cf9c983 | |
---|---|---|
Author: | Marcos Yacob |
Use for SVID ID and update certificate and bundle to be a list Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com>
Commit: | 2b86d1d | |
---|---|---|
Author: | Marcos Yacob | |
Committer: | Marcos Yacob |
Add SVID store proto Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com>
Commit: | c397cce | |
---|---|---|
Author: | Andrew Harding | |
Committer: | Andrew Harding |
Remove deprecated Node API The Node API was officially deprecated in v0.12.0. However, the SPIRE agent has not consumed it since before 0.11.0. The handler code is some of the hardest code to follow, maintain, and test. It is also a "private" API, and was never designed for public consumption. Considering these points and in preparation for v1.0.0, this change removes the Node API. This change does NOT impact the Registration API, which is public and still in use by many organizations and will continue to be present for the v1.0.x release cycle. However, it will likely be deprecated with the v1.1.0 release. Signed-off-by: Andrew Harding <aharding@vmware.com>
Commit: | 0456fdd | |
---|---|---|
Author: | Andrew Harding | |
Committer: | Andrew Harding |
Change default socket paths and server CLI flag This change updates the default socket paths. The agent socket path changed from `/tmp/agent.sock` to `/tmp/spire-agent/public/api.sock`. The server socket path changed from `/tmp/spire-registration.sock` to `/tmp/spire-server/private/api.sock`. In addition, the server CLI flag and configurable to set the socket path has been changed from `registrationUDSPath`/`registration_uds_path` to `socketPath`/`socket_path` to mimic the agent and more accurately reflect the use of the socket. The previous configurables are deprecated and warn on use. A bulk of the change is updating tests that show the CLI help and configuration files used in integration tests. The integration tests have been changed to use the default socket path where possible (the upgrade test needs the old configuration until registrationUDSPath has been fully removed). Signed-off-by: Andrew Harding <aharding@vmware.com>
Commit: | 4980798 | |
---|---|---|
Author: | Luis Santiago Re |
Change some names and comments Signed-off-by: Luis Santiago Re <lsantire2@gmail.com>
Commit: | 2627a35 | |
---|---|---|
Author: | Luis Santiago Re |
Fix typos in the code Signed-off-by: Luis Santiago Re <lsantire2@gmail.com>
Commit: | 562d6f8 | |
---|---|---|
Author: | Luis Santiago Re |
Add by_federates_with field to datastore proto Signed-off-by: Luis Santiago Re <lsantire2@gmail.com>
Commit: | a373775 | |
---|---|---|
Author: | Luis Santiago Re |
Add by_federates_with field to entry proto Signed-off-by: Luis Santiago Re <lsantire2@gmail.com>
Commit: | 7712504 | |
---|---|---|
Author: | lsantire |
Add FederatesWithMatch proto Signed-off-by: lsantire <lsantire2@gmail.com>
Commit: | 2762c2b | |
---|---|---|
Author: | Andrew Harding | |
Committer: | Andrew Harding |
Remove broken paging from ListNodeSelectors It is no longer needed since the only consumer was the full entry cache which only paged to get past gRPC response size limits. Now that the datastore isn't sitting behind gRPC machinery, the paging is unnecessary. Signed-off-by: Andrew Harding <aharding@vmware.com>
Commit: | 0c7c3ef | |
---|---|---|
Author: | Andrew Harding |
Clarify batch RPC result ordering It wasn't immediately clear that results from batch operations were in the same order as the batched items in the request. This PR adds some clarifying language to the result comments. Signed-off-by: Andrew Harding <aharding@vmware.com>
Commit: | 8892b47 | |
---|---|---|
Author: | Marcos Yacob |
add mode to delete bundle in bundle api Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com>
Commit: | 270f1df | |
---|---|---|
Author: | Marcos Yacob | |
Committer: | Marcos Yacob |
Add debug endpoints for agent and server Signed-off-by: Marcos Yacob <marcos.yacob@hpe.com>
Commit: | c18369b | |
---|---|---|
Author: | Ryan Turner | |
Committer: | Ryan Turner |
In-mem cache pagination, perf improvements, and tests - Added pagination to ListNodeSelectors requests - Added valid_at filter parameter to ListNodeSelectors to avoid storing expired Agent selectors in the cache - Covered in-memory cache code with unit tests Signed-off-by: Ryan Turner <turner@uber.com>
Commit: | 1d4ee2a | |
---|---|---|
Author: | Andrew Harding | |
Committer: | Ryan Turner |
Full in-memory cache of entry authorization data Signed-off-by: Andrew Harding <andrew.harding@hpe.com>
Commit: | d968050 | |
---|---|---|
Author: | Marcos Yedro | |
Committer: | R. Tyler Julian |
Use bytes instead of string in payload proto Signed-off-by: Marcos Yedro <marcosyedro@gmail.com>
Commit: | 0ea85f2 | |
---|---|---|
Author: | Marcos Yedro | |
Committer: | Marcos Yedro |
Use bytes instead of string in payload proto Signed-off-by: Marcos Yedro <marcosyedro@gmail.com>
Commit: | 3b97222 | |
---|---|---|
Author: | Andrew Harding |
API Refactor: rename field in BatchNewX509SVID response The result type has a field named "bundle" that should be named "svid". Signed-off-by: Andrew Harding <andrew.harding@hpe.com>
Commit: | 84923e6 | |
---|---|---|
Author: | Marcos Yedro |
Make error reporting consistent across new API This commit improves the consistency for the returned and logged errors in the new API. In addition, the AppendBundle RPC is slightly modified to not require a full bundle but only the Root CAs and JWT keys instead. Signed-off-by: Marcos Yedro <marcosyedro@gmail.com>
Commit: | ff6468b | |
---|---|---|
Author: | Mariano Kunzi | |
Committer: | GitHub |
merges proto/spire-next into proto/spire (#1742) Signed-off-by: Mariano Kunzi <kunzi.mariano@gmail.com>
Commit: | 71cfbb7 | |
---|---|---|
Author: | Marcos Yedro |
Address PR comments Signed-off-by: Marcos Yedro <marcosyedro@gmail.com>
Commit: | 15bb382 | |
---|---|---|
Author: | Marcos Yedro | |
Committer: | Marcos Yedro |
Changes RenewAgent to unary RPC Signed-off-by: Marcos Yedro <marcosyedro@gmail.com>
Commit: | 0326d97 | |
---|---|---|
Author: | Andrew Harding | |
Committer: | GitHub |
Merge branch 'master' into provide-agent-permission-denied-details
Commit: | 81ac109 | |
---|---|---|
Author: | Marcos Yedro | |
Committer: | Marcos Yedro |
Implement revision_number functionality for registration entries Signed-off-by: Marcos Yedro <marcosyedro@gmail.com>
Commit: | dcb9a27 | |
---|---|---|
Author: | Andrew Harding | |
Committer: | Andrew Harding |
Provide details on why agent was denied permission Agents can receive PermissionDenied for a variety of reasons. Current feature requests (e.g. #1257, #1644) rely on the agent doing special behavior based on why it was denied, for example, attempting re-attestation if evicted (but not if banned). This change introduces a new PermissionDeniedDetails message that contains a reason enumeration that agents can use to determine why permission was denied in order to respond appropriately. It also fixes a missing agent authorization check in the new middleware when an agent SVID has expired. Checking expiry at TLS handshake time is insufficient because the SVID can expire after the handshake on long lived connections that are still making requests. Signed-off-by: Andrew Harding <andrew.harding@hpe.com>
Commit: | 52905cc | |
---|---|---|
Author: | Daniel Feldman |
API Refactor: Initial implementation of BatchUpdateEntry Signed-off-by: Daniel Feldman <daniel@scytale.io>
Commit: | 9b7972d | |
---|---|---|
Author: | Andrew Harding | |
Committer: | GitHub |
Merge branch 'master' into remove-deprecated-upstreamca
Commit: | bb6be83 | |
---|---|---|
Author: | Andrew Harding |
fix up comments Signed-off-by: Andrew Harding <andrew.harding@hpe.com>
Commit: | 74dfcc9 | |
---|---|---|
Author: | Andrew Harding |
Remove support for UpstreamCA Removes support for the UpstreamCA plugin, which was deprecated in favor of the UpstreamAuthority plugin in 0.10.0. Also removes the server catalog unit-test which only tested deprecation behavior for UpstreamCA. A new unit-test that covers the catalog behavior will be added separately. Signed-off-by: Andrew Harding <andrew.harding@hpe.com>
Commit: | cba7db0 | |
---|---|---|
Author: | Andrew Harding | |
Committer: | Andrew Harding |
Remove deprecated CSRs field in node API This change removes the SPIFFE ID mapped CSRs field that was deprecated before the 0.9.0 release. Also added/updated a few `reserved` fields for messages that had previous deprecations and removed a now-stale comment around a deprecated bundle field. Signed-off-by: Andrew Harding <andrew.harding@hpe.com>
Commit: | ddd47fa | |
---|---|---|
Author: | Andrew Harding | |
Committer: | Andrew Harding |
Remove deprecated attestation behavior The ability for agent-side node attestor plugins to provide the SPIFFE ID to the server was removed back in 0.9.0. Removing the agent-side warnings and the node handler code to accommodate "attested before" checks for old plugins. Also removes the deprecated IsValid field. Signed-off-by: Andrew Harding <andrew.harding@hpe.com>
Commit: | 0665d33 | |
---|---|---|
Author: | Marcos Yedro |
API Refactor: Implements BanAgent RPC Signed-off-by: Marcos Yedro <marcosyedro@gmail.com>
Commit: | df253c8 | |
---|---|---|
Author: | Marcos Yacob | |
Committer: | GitHub |
Api Refactor: Implement List Agents (#1674) - Implement list agent - Refactor datastore.ListAttestedNodes to allow filtering and return selectors on demand. Signed-off-by: Marcos Yacob <marcos@scytale.io> Co-authored-by: Andrew Harding <andrew.harding@hpe.com>
Commit: | 04a338a | |
---|---|---|
Author: | Andrew Harding |
Merge remote-tracking branch 'origin/master' Signed-off-by: Andrew Harding <andrew.harding@hpe.com>
Commit: | 040634a | |
---|---|---|
Author: | Andrew Harding | |
Committer: | Andrew Harding |
Move internal proto's back under proto/ Only two are the CA journal and service definitions for testing the catalog. Moving them back under proto simplifies Makefile invocations involving protoc-gen-go, which has inflexible output semantics. Signed-off-by: Andrew Harding <andrew.harding@hpe.com>
Commit: | 2eebc3b | |
---|---|---|
Author: | Marcos Yedro |
Implement BatchUpdateFederatedBundle RPC Signed-off-by: Marcos Yedro <marcosyedro@gmail.com>
Commit: | 72d5fae | |
---|---|---|
Author: | Andrew Harding | |
Committer: | Andrew Harding |
remove primary key fields from masks Signed-off-by: Andrew Harding <andrew.harding@hpe.com>
Commit: | 3b8b92a | |
---|---|---|
Author: | Daniel Feldman | |
Committer: | Daniel Feldman |
API Refactor: Initial implementation of NewDownstreamX509CA Signed-off-by: Daniel Feldman <daniel@scytale.io>
Commit: | 2bf10b8 | |
---|---|---|
Author: | Andrew Harding | |
Committer: | GitHub |
Merge branch 'master' into clarify-paging-semantics
Commit: | 0b64bf0 | |
---|---|---|
Author: | Marcos Yacob | |
Committer: | Marcos Yacob |
API Refactor: implement list federated bundles Signed-off-by: Marcos Yacob <marcos@scytale.io>
Commit: | a772234 | |
---|---|---|
Author: | Andrew Harding | |
Committer: | Andrew Harding |
Clarify API paging semantics Signed-off-by: Andrew Harding <andrew.harding@hpe.com>
Commit: | a8229ab | |
---|---|---|
Author: | Andrew Harding | |
Committer: | Andrew Harding |
Add Bundle.PublishJWTAuthority RPC stub Signed-off-by: Andrew Harding <andrew.harding@hpe.com>
Commit: | 6e35301 | |
---|---|---|
Author: | Andrew Harding |
clarify more trust domain docs Signed-off-by: Andrew Harding <andrew.harding@hpe.com>
Commit: | 6ccb5b6 | |
---|---|---|
Author: | Andrew Harding |
Consistently use trust domain name instead of ID Signed-off-by: Andrew Harding <andrew.harding@hpe.com>
Commit: | 8327d99 | |
---|---|---|
Author: | Andrew Harding | |
Committer: | Andrew Harding |
update agent proto - rename `identity` field to `svid` in the AttestAgent response - remove language around "canonical identity" - fix field ordering on CreateJoinTokenRequest Signed-off-by: Andrew Harding <andrew.harding@hpe.com>
Commit: | 1ee290d | |
---|---|---|
Author: | Andrew Harding | |
Committer: | Andrew Harding |
more spire-next protos Signed-off-by: Andrew Harding <andrew.harding@hpe.com>
Commit: | 8fef745 | |
---|---|---|
Author: | Andrew Harding |
address comments and build failures Signed-off-by: Andrew Harding <andrew.harding@hpe.com>
Commit: | b5da1f3 | |
---|---|---|
Author: | Andrew Harding | |
Committer: | Andrew Harding |
SVID API scaffolding Signed-off-by: Andrew Harding <andrew.harding@hpe.com>
Commit: | 28df360 | |
---|---|---|
Author: | Andrew Harding | |
Committer: | Andrew Harding |
api-refactor: SVID API service definition This is the definition for the SVID API in the Server API refactor. This is not set in stone and some decisions actively in discussion are sure to change this, albeit superficially. I'm introducing this now so we can kick off development. This API was a good candidate since it was 1) very small and focused, 2) not likely to change much as the API solidifies, 3) uses a broad range of SPIRE internals to do its job. Developing this API will help establish patterns and practices that should be applicable to other API development. Signed-off-by: Andrew Harding <andrew.harding@hpe.com>
Commit: | 795b24e | |
---|---|---|
Author: | Andrew Harding |
Addressed PR comments Signed-off-by: Andrew Harding <azdagron@gmail.com>
Commit: | d4d2057 | |
---|---|---|
Author: | Evan Gilman | |
Committer: | GitHub |
Merge branch 'master' into add-rpc-for-entry-creation
Commit: | 580f1d8 | |
---|---|---|
Author: | Evan Gilman | |
Committer: | Evan Gilman |
Add CreateEntryIfNotExists RPC to Registration API It is often the case that registrars want to create an entry, or assert the presence of an entry, knowing that it may already exist. One example is if multiple registrar instances race against each other to create an entry. Another example is if a registrar loses track of what has or hasn't been registered, and wants to simply re-register everything. This is mostly OK today, however it can be a bit noisy because we log an error message whenever an error is returned via API, which the existing CreateEntry call does. As we are currently looking to adopt this pattern for our own k8s-workload-registrar code, it's important to make sure that it (at the very least) _appears_ to be well supported! The existing CreateEntry call does not have a dedicated request message, making a new RPC required in order to address the problem. This commit introduces the `CreateEntryIfNotExists` RPC, which behaves similarly to the `CreateEntry` RPC with the exception that if the entry already exists, the call will succeed. A boolean in the response message is flipped when this is the case. Signed-off-by: Evan Gilman <evan@scytale.io>
Commit: | 884f245 | |
---|---|---|
Author: | Agustín Martínez Fayó |
Add FetchBundle RPC to the Node API Signed-off-by: Agustín Martínez Fayó <amartinezfayo@gmail.com>
Commit: | 1a8576b | |
---|---|---|
Author: | Marcos Yacob |
refactor upstream authority proto to return stream Signed-off-by: Marcos Yacob <marcos@scytale.io>
Commit: | a8bc3af | |
---|---|---|
Author: | Prasad Borole | |
Committer: | Evan Gilman |
Add pagination in ListAllEntriesRequest Signed-off-by: Prasad Borole <prasadb@uber.com>
Commit: | c62f1b7 | |
---|---|---|
Author: | Prasad Borole | |
Committer: | Evan Gilman |
Implement ListAllEntriesWithPages API Signed-off-by: Prasad Borole <prasadb@uber.com>
Commit: | c5f896e | |
---|---|---|
Author: | martincapello | |
Committer: | martincapello |
Update proto/spire/api/node/node.proto Fixed comments style Co-Authored-By: Andrew Harding <azdagron@gmail.com> Signed-off-by: martincapello <m.a.capello@gmail.com>
Commit: | a49dc82 | |
---|---|---|
Author: | Andrew Harding | |
Committer: | GitHub |
Merge branch 'master' into issue-1372-service-definition
Commit: | 142a37b | |
---|---|---|
Author: | Andrew Harding | |
Committer: | Andrew Harding |
Remove PublishX509CA RPC The UpstreamAuthority plugin was introduced as a solution to support JWT-SVID in nested SPIRE deployments. The intention of this RPC was to support self-signed X.509 CAs in nested SPIRE architecture but that is a change of much larger scope. This change removes the PublishX509CA RPC to pare down the amount of changes needed in the core to adopt UpstreamAuthority. We can always add it back later in a backwards compatible way. Signed-off-by: Andrew Harding <azdagron@gmail.com>
Commit: | f588d26 | |
---|---|---|
Author: | martincapello | |
Committer: | martincapello |
Added new rpc to the node api. Signed-off-by: martincapello <m.a.capello@gmail.com>
Commit: | f25ae14 | |
---|---|---|
Author: | prasadborole1 | |
Committer: | GitHub |
Merge branch 'master' into listEntries
Commit: | 8557fa0 | |
---|---|---|
Author: | Prasad Borole | |
Committer: | Prasad Borole |
Add pagination in ListAllEntriesRequest Signed-off-by: Prasad Borole <prasadb@uber.com>
Commit: | b2dd2ff | |
---|---|---|
Author: | Andrew Harding |
fix typos Signed-off-by: Andrew Harding <azdagron@gmail.com>
Commit: | 7da9a09 | |
---|---|---|
Author: | Prasad Borole | |
Committer: | Prasad Borole |
Implement ListAllEntriesWithPages API Signed-off-by: Prasad Borole <prasadb@uber.com>
Commit: | 0c7acc4 | |
---|---|---|
Author: | Andrew Harding | |
Committer: | Andrew Harding |
UpstreamAuthority plugin definition Used in the upcoming support for JWT-SVID in nested SPIRE. Fixes #1370 Signed-off-by: Andrew Harding <azdagron@gmail.com>
Commit: | a116dbe | |
---|---|---|
Author: | Kirutthika Raja |
Updated the proto documentation for tolerate_stale. Signed-off-by: Kirutthika Raja <kirutthika.raja@uber.com>