From c46009f360b08048088527b7b3efa8bce3ea91f1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luis=20Rasc=C3=A3o?=
Date: Tue, 28 Jan 2025 21:07:41 -0800
Subject: [PATCH] crypto/spiffe: adds a multi trust anchor selector (#113)

* crypto/spiffe: adds a multi trust anchor selector

Adds a new trust anchors provider that returns different trust anchors depending on the requested trust domain out of a pre-loaded set.

Signed-off-by: Luis Rascao

* fixup! crypto/spiffe: adds a multi trust anchor selector

Signed-off-by: Luis Rascao

---------

Signed-off-by: Luis Rascao
---
 crypto/spiffe/trustanchors/multi.go | 74 +++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)
 create mode 100644 crypto/spiffe/trustanchors/multi.go

diff --git a/crypto/spiffe/trustanchors/multi.go b/crypto/spiffe/trustanchors/multi.go
new file mode 100644
index 0000000..dd8a212
--- /dev/null
+++ b/crypto/spiffe/trustanchors/multi.go
@@ -0,0 +1,74 @@
+/*
+Copyright 2025 The Dapr Authors
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package trustanchors
+
+import (
+ "context"
+ "errors"
+
+ "github.com/spiffe/go-spiffe/v2/bundle/x509bundle"
+ "github.com/spiffe/go-spiffe/v2/spiffeid"
+
+ "github.com/dapr/kit/concurrency"
+)
+
+var (
+ ErrNotImplemented = errors.New("not implemented")
+ ErrTrustDomainNotFound = errors.New("trust domain not found")
+)
+
+type OptionsMulti struct {
+ TrustAnchors map[spiffeid.TrustDomain]Interface
+}
+
+// multi is a TrustAnchors implementation which uses multiple trust anchors
+// which are indexed by trust domain.
+type multi struct {
+ trustAnchors map[spiffeid.TrustDomain]Interface
+}
+
+func FromMulti(opts OptionsMulti) Interface {
+ return &multi{
+ trustAnchors: opts.TrustAnchors,
+ }
+}
+
+func (m *multi) Run(ctx context.Context) error {
+ r := concurrency.NewRunnerManager()
+ for _, ta := range m.trustAnchors {
+ if err := r.Add(ta.Run); err != nil {
+ return err
+ }
+ }
+
+ return r.Run(ctx)
+}
+
+func (m *multi) CurrentTrustAnchors(context.Context) ([]byte, error) {
+ return nil, ErrNotImplemented
+}
+
+func (m *multi) GetX509BundleForTrustDomain(td spiffeid.TrustDomain) (*x509bundle.Bundle, error) {
+ for tad, ta := range m.trustAnchors {
+ if td.Compare(tad) == 0 {
+ return ta.GetX509BundleForTrustDomain(td)
+ }
+ }
+
+ return nil, ErrTrustDomainNotFound
+}
+
+func (m *multi) Watch(context.Context, chan<- []byte) {
+ return
+}
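Review bot: GetX509BundleForTrustDomain scans the whole map comparing every key with td.Compare, although trustAnchors is already keyed by spiffeid.TrustDomain, so a direct lookup is equivalent and avoids the linear walk on every bundle request: `if ta, ok := m.trustAnchors[td]; ok {` / `return ta.GetX509BundleForTrustDomain(td)` / `}` ahead of the existing `return nil, ErrTrustDomainNotFound`. The exported names FromMulti, OptionsMulti, ErrNotImplemented and ErrTrustDomainNotFound carry no doc comments; I would add `// FromMulti returns a trust anchors provider that serves each bundle lookup from the anchor registered for the requested trust domain, and fails with ErrTrustDomainNotFound for any other domain.` and note on OptionsMulti.TrustAnchors that the map is stored as given rather than copied, so it must not be mutated after FromMulti (or clone it in FromMulti with maps.Clone). Watch returns immediately and CurrentTrustAnchors always fails with ErrNotImplemented, so a caller that presumably relies on Watch to learn about bundle rotation from the per-domain anchors would never be notified and could keep using stale anchors; if that is intended for now, say so in a comment on both methods, otherwise Watch should fan in the underlying anchors' Watch calls.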