From 77a8a5935fbbebdbbf7f5acdbce65183bc9e3eeb Mon Sep 17 00:00:00 2001 From: Benjamin Leggett Date: Thu, 25 Jul 2024 16:51:13 -0400 Subject: [PATCH 1/8] Proto resync Signed-off-by: Benjamin Leggett --- .../spire.api.agent.delegatedidentity.v1.rs | 43 +++++++++++++++++-- spire-api/src/proto/spire.api.types.rs | 1 + 2 files changed, 41 insertions(+), 3 deletions(-) diff --git a/spire-api/src/proto/spire.api.agent.delegatedidentity.v1.rs b/spire-api/src/proto/spire.api.agent.delegatedidentity.v1.rs index 719732e..4444dd4 100644 --- a/spire-api/src/proto/spire.api.agent.delegatedidentity.v1.rs +++ b/spire-api/src/proto/spire.api.agent.delegatedidentity.v1.rs @@ -1,3 +1,4 @@ +// This file is @generated by prost-build. /// X.509 SPIFFE Verifiable Identity Document with the private key. #[allow(clippy::derive_partial_eq_without_eq)] #[derive(Clone, PartialEq, ::prost::Message)] 
@@ -11,13 +12,27 @@ pub struct X509svidWithKey { } /// SubscribeToX509SVIDsRequest is used by clients to subscribe the set of SVIDs that /// any given workload is entitled to. Clients subscribe to a workload's SVIDs by providing -/// a set of selectors describing the workload. +/// one-of +/// - a set of selectors describing the workload. +/// - a PID of a workload process. +/// Specifying both at the same time is not allowed. +/// +/// Subscribers are expected to ensure that the PID they use is not recycled +/// for the lifetime of the stream, and in the event that it is, are expected +/// to immediately close the stream. +/// +/// TODO we should use `oneof` here but you currently cannot use `repeated` +/// in a `oneof` without creating and nesting an intermediate `message` type, which would break +/// back compat - so we accept both and check for mutual exclusion in the handler #[allow(clippy::derive_partial_eq_without_eq)] #[derive(Clone, PartialEq, ::prost::Message)] pub struct SubscribeToX509sviDsRequest { - /// Required. Selectors describing the workload to subscribe to. + /// Selectors describing the workload to subscribe to. Mutually exclusive with `pid`. #[prost(message, repeated, tag = "1")] pub selectors: ::prost::alloc::vec::Vec, + /// PID for the workload to subscribe to. Mutually exclusive with `selectors` + #[prost(int32, tag = "2")] + pub pid: i32, } #[allow(clippy::derive_partial_eq_without_eq)] #[derive(Clone, PartialEq, ::prost::Message)] 
@@ -45,15 +60,31 @@ pub struct SubscribeToX509BundlesResponse { ::prost::bytes::Bytes, >, } +/// FetchJWTSVIDsRequest is used by clients to fetch a JWT-SVID for a workload. +/// Clients may provide one-of +/// - a set of selectors describing the workload. +/// - a PID of a workload process. +/// Specifying both at the same time is not allowed. +/// +/// Callers are expected to ensure that the PID they use is not recycled +/// until obtaining a response, and in the event that it is, are expected +/// to discard the response of this call. +/// +/// TODO we should use `oneof` here but you currently cannot use `repeated` +/// in a `oneof` without creating and nesting an intermediate `message` type, which would break +/// back compat - so we accept both and check for mutual exclusion in the handler #[allow(clippy::derive_partial_eq_without_eq)] #[derive(Clone, PartialEq, ::prost::Message)] pub struct FetchJwtsviDsRequest { /// Required. The audience(s) the workload intends to authenticate against. #[prost(string, repeated, tag = "1")] pub audience: ::prost::alloc::vec::Vec<::prost::alloc::string::String>, - /// Required. Selectors describing the workload to fetch. + /// Selectors describing the workload to subscribe to. Mutually exclusive with `pid` #[prost(message, repeated, tag = "2")] pub selectors: ::prost::alloc::vec::Vec, + /// PID for the workload to subscribe to. Mutually exclusive with `selectors`. + #[prost(int32, tag = "3")] + pub pid: i32, } /// The FetchJWTSVIDsResponse message conveys JWT-SVIDs. #[allow(clippy::derive_partial_eq_without_eq)] 
@@ -197,6 +228,9 @@ pub mod delegated_identity_client { ); self.inner.server_streaming(req, path, codec).await } + /// Subscribe to get X.509-SVIDs for workloads that match the given selectors. + /// The lifetime of the subscription aligns to the lifetime of the stream. + /// /// Subscribe to get local and all federated bundles. /// The lifetime of the subscription aligns to the lifetime of the stream. pub async fn subscribe_to_x509_bundles( @@ -333,6 +367,9 @@ pub mod delegated_identity_server { > + Send + 'static; + /// Subscribe to get X.509-SVIDs for workloads that match the given selectors. + /// The lifetime of the subscription aligns to the lifetime of the stream. + /// /// Subscribe to get local and all federated bundles. /// The lifetime of the subscription aligns to the lifetime of the stream. async fn subscribe_to_x509_bundles( diff --git a/spire-api/src/proto/spire.api.types.rs b/spire-api/src/proto/spire.api.types.rs index 2a215d1..d686086 100644 --- a/spire-api/src/proto/spire.api.types.rs +++ b/spire-api/src/proto/spire.api.types.rs @@ -1,3 +1,4 @@ +// This file is @generated by prost-build. #[allow(clippy::derive_partial_eq_without_eq)] #[derive(Clone, PartialEq, ::prost::Message)] pub struct Selector { From 5a6ae400fc98f0e969f1464daf8eac551b5ceae4 Mon Sep 17 00:00:00 2001 From: Benjamin Leggett Date: Thu, 25 Jul 2024 17:26:57 -0400 Subject: [PATCH 2/8] Fix impl Signed-off-by: Benjamin Leggett --- spire-api/src/agent/delegated_identity.rs | 67 +++++++++++++++++++---- 1 file changed, 57 insertions(+), 10 deletions(-) diff --git a/spire-api/src/agent/delegated_identity.rs b/spire-api/src/agent/delegated_identity.rs index 930126c..f9cebe6 100644 --- a/spire-api/src/agent/delegated_identity.rs +++ b/spire-api/src/agent/delegated_identity.rs 
@@ -44,6 +44,16 @@ pub struct DelegatedIdentityClient {
 client: DelegatedIdentityApiClient,
 }
+/// Represents that a delegate attestation request can have one-of
+/// PID (let agent attest PID->selectors) or selectors (delegate has already attested a PID)
+#[derive(Debug, Clone)]
+pub enum DelegateAttestationRequest {
+ /// PID (let agent attest PID->selectors)
+ Pid(i32),
+ /// selectors (delegate has already attested a PID and generated full set of selectors)
+ Selectors(Vec),
+}
+
 
 /// Constructors
 impl DelegatedIdentityClient {
 const UNIX_PREFIX: &'static str = "unix:";
@@ -135,10 +145,22 @@ impl DelegatedIdentityClient {
 /// Returns [`GrpcClientError`] if the gRPC call fails or if the SVID could not be parsed from the gRPC response.
 pub async fn fetch_x509_svid(
 &mut self,
- selectors: Vec,
+ attest_type: DelegateAttestationRequest,
 ) -> Result {
- let request = SubscribeToX509sviDsRequest {
- selectors: selectors.into_iter().map(|s| s.into()).collect(),
+
+ let request = match attest_type {
+ DelegateAttestationRequest::Selectors(selectors) => {
+ SubscribeToX509sviDsRequest {
+ selectors: selectors.into_iter().map(|s| s.into()).collect(),
+ pid: 0
+ }
+ },
+ DelegateAttestationRequest::Pid(pid) => {
+ SubscribeToX509sviDsRequest {
+ selectors: Vec::default(),
+ pid
+ }
+ }
 };
 
 self.client
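Review bot: The `Pid` variant carries a contract that its rustdoc does not state: the proto comments earlier in this series say subscribers must ensure the PID is not recycled for the lifetime of the stream (and close the stream if it is), and that JWT callers must discard the response if the PID is recycled before it arrives. Since this enum is the public entry point for PID-based delegation, that requirement belongs on the variant, e.g. `/// Callers must ensure the PID is not recycled while the stream (or pending call) is alive; if it is, close the stream or discard the response.`. Note too that the same patch uses `pid: 0` to mean "no PID supplied" in the `Selectors` arm, so a caller-provided `Pid(0)` (or a negative value) goes out on the wire indistinguishable from "no PID"; rejecting non-positive values before the request is built, or at least documenting this, seems worth considering.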
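Review bot: The `match` that maps `DelegateAttestationRequest` onto a wire request is written out three times with the `pid: 0` sentinel repeated in each — here, in `stream_x509_svids` and in `fetch_jwt_svids` (both in the following hunks) — so a change to how "no PID" is encoded has to be made in three places. A single `From<DelegateAttestationRequest> for SubscribeToX509sviDsRequest` (sketched below) collapses the first two sites to `let request = SubscribeToX509sviDsRequest::from(attest_type);`, and `fetch_jwt_svids` can hoist `audience` above the match and reuse the same split. The visible doc lines above the signature do not describe the new `attest_type` parameter; a line such as `/// `attest_type` selects whether the agent attests a PID or the caller supplies pre-attested selectors.` would help. `fetch_x509_svid`'s body continues past the end of the hunk.
```rust
impl From<DelegateAttestationRequest> for SubscribeToX509sviDsRequest {
    fn from(attest_type: DelegateAttestationRequest) -> Self {
        match attest_type {
            // proto3 int32 default: 0 on the wire means "no PID supplied"
            DelegateAttestationRequest::Selectors(selectors) => Self {
                selectors: selectors.into_iter().map(|s| s.into()).collect(),
                pid: 0,
            },
            DelegateAttestationRequest::Pid(pid) => Self {
                selectors: Vec::default(),
                pid,
            },
        }
    }
}

// … unchanged: fetch_x509_svid signature …
        let request = SubscribeToX509sviDsRequest::from(attest_type);
// … unchanged: gRPC call and response parsing …
```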
@@ -175,10 +197,22 @@ impl DelegatedIdentityClient {
 /// Individual stream items might also be errors if there's an issue processing the response for a specific update.
 pub async fn stream_x509_svids(
 &mut self,
- selectors: Vec,
+ attest_type: DelegateAttestationRequest,
 ) -> Result>, GrpcClientError> {
- let request = SubscribeToX509sviDsRequest {
- selectors: selectors.into_iter().map(|s| s.into()).collect(),
+
+ let request = match attest_type {
+ DelegateAttestationRequest::Selectors(selectors) => {
+ SubscribeToX509sviDsRequest {
+ selectors: selectors.into_iter().map(|s| s.into()).collect(),
+ pid: 0
+ }
+ },
+ DelegateAttestationRequest::Pid(pid) => {
+ SubscribeToX509sviDsRequest {
+ selectors: Vec::default(),
+ pid
+ }
+ }
 };
 
 let response: tonic::Response> =
@@ -259,11 +293,24 @@ impl DelegatedIdentityClient {
 pub async fn fetch_jwt_svids + ToString>(
 &mut self,
 audience: &[T],
- selectors: Vec,
+ attest_type: DelegateAttestationRequest,
 ) -> Result, GrpcClientError> {
- let request = FetchJwtsviDsRequest {
- audience: audience.iter().map(|s| s.to_string()).collect(),
- selectors: selectors.into_iter().map(|s| s.into()).collect(),
+
+ let request = match attest_type {
+ DelegateAttestationRequest::Selectors(selectors) => {
+ FetchJwtsviDsRequest {
+ audience: audience.iter().map(|s| s.to_string()).collect(),
+ selectors: selectors.into_iter().map(|s| s.into()).collect(),
+ pid: 0,
+ }
+ },
+ DelegateAttestationRequest::Pid(pid) => {
+ FetchJwtsviDsRequest {
+ audience: audience.iter().map(|s| s.to_string()).collect(),
+ selectors: Vec::default(),
+ pid,
+ }
+ }
 };
 
 DelegatedIdentityClient::parse_jwt_svid_from_grpc_response(
From 7ba108eb949baea4c65c0829f1f2a8ed105078f9 Mon Sep 17 00:00:00 2001
From: Benjamin Leggett
Date: Thu, 25 Jul 2024 17:28:13 -0400
Subject: [PATCH 3/8] lint
Signed-off-by: Benjamin Leggett --- spiffe/src/proto/workload.rs | 271 ++++++++-------------- spiffe/src/workload_api/mod.rs | 2 +- spire-api/src/agent/delegated_identity.rs | 61 ++--- 3 files changed, 118 insertions(+), 216 deletions(-) diff --git a/spiffe/src/proto/workload.rs b/spiffe/src/proto/workload.rs index ac7f945..5d7fc33 100644 --- a/spiffe/src/proto/workload.rs +++ b/spiffe/src/proto/workload.rs @@ -21,10 +21,8 @@ pub struct X509svidResponse { /// the workload should trust, keyed by the SPIFFE ID of the foreign trust /// domain. Bundles are ASN.1 DER encoded. #[prost(map = "string, bytes", tag = "3")] - pub federated_bundles: ::std::collections::HashMap< - ::prost::alloc::string::String, - ::prost::bytes::Bytes, - >, + pub federated_bundles: + ::std::collections::HashMap<::prost::alloc::string::String, ::prost::bytes::Bytes>, } /// The X509SVID message carries a single SVID and all associated information, /// including the X.509 bundle for the trust domain. @@ -62,10 +60,7 @@ pub struct X509BundlesResponse { /// workload should trust, keyed by the SPIFFE ID of the trust domain. /// Bundles are ASN.1 DER encoded. #[prost(map = "string, bytes", tag = "2")] - pub bundles: ::std::collections::HashMap< - ::prost::alloc::string::String, - ::prost::bytes::Bytes, - >, + pub bundles: ::std::collections::HashMap<::prost::alloc::string::String, ::prost::bytes::Bytes>, } #[allow(clippy::derive_partial_eq_without_eq)] #[derive(Clone, PartialEq, ::prost::Message)] @@ -109,10 +104,7 @@ pub struct JwtBundlesResponse { /// Required. JWK encoded JWT bundles, keyed by the SPIFFE ID of the trust /// domain. #[prost(map = "string, bytes", tag = "1")] - pub bundles: ::std::collections::HashMap< - ::prost::alloc::string::String, - ::prost::bytes::Bytes, - >, + pub bundles: ::std::collections::HashMap<::prost::alloc::string::String, ::prost::bytes::Bytes>, } /// The ValidateJWTSVIDRequest message conveys request parameters for /// JWT-SVID validation. 
@@ -144,8 +136,8 @@ pub struct ValidateJwtsvidResponse { /// Generated client implementations. pub mod spiffe_workload_api_client { #![allow(unused_variables, dead_code, missing_docs, clippy::let_unit_value)] - use tonic::codegen::*; use tonic::codegen::http::Uri; + use tonic::codegen::*; #[derive(Debug, Clone)] pub struct SpiffeWorkloadApiClient { inner: tonic::client::Grpc, @@ -178,9 +170,8 @@ pub mod spiffe_workload_api_client { >::ResponseBody, >, >, - , - >>::Error: Into + Send + Sync, + >>::Error: + Into + Send + Sync, { SpiffeWorkloadApiClient::new(InterceptedService::new(inner, interceptor)) } @@ -226,19 +217,14 @@ pub mod spiffe_workload_api_client { tonic::Response>, tonic::Status, > { - self.inner - .ready() - .await - .map_err(|e| { - tonic::Status::new( - tonic::Code::Unknown, - format!("Service was not ready: {}", e.into()), - ) - })?; + self.inner.ready().await.map_err(|e| { + tonic::Status::new( + tonic::Code::Unknown, + format!("Service was not ready: {}", e.into()), + ) + })?; let codec = tonic::codec::ProstCodec::default(); - let path = http::uri::PathAndQuery::from_static( - "/SpiffeWorkloadAPI/FetchX509SVID", - ); + let path = http::uri::PathAndQuery::from_static("/SpiffeWorkloadAPI/FetchX509SVID"); let mut req = request.into_request(); req.extensions_mut() .insert(GrpcMethod::new("SpiffeWorkloadAPI", "FetchX509SVID")); 
@@ -255,19 +241,14 @@ pub mod spiffe_workload_api_client { tonic::Response>, tonic::Status, > { - self.inner - .ready() - .await - .map_err(|e| { - tonic::Status::new( - tonic::Code::Unknown, - format!("Service was not ready: {}", e.into()), - ) - })?; + self.inner.ready().await.map_err(|e| { + tonic::Status::new( + tonic::Code::Unknown, + format!("Service was not ready: {}", e.into()), + ) + })?; let codec = tonic::codec::ProstCodec::default(); - let path = http::uri::PathAndQuery::from_static( - "/SpiffeWorkloadAPI/FetchX509Bundles", - ); + let path = http::uri::PathAndQuery::from_static("/SpiffeWorkloadAPI/FetchX509Bundles"); let mut req = request.into_request(); req.extensions_mut() .insert(GrpcMethod::new("SpiffeWorkloadAPI", "FetchX509Bundles")); @@ -279,23 +260,15 @@ pub mod spiffe_workload_api_client { pub async fn fetch_jwtsvid( &mut self, request: impl tonic::IntoRequest, - ) -> std::result::Result< - tonic::Response, - tonic::Status, - > { - self.inner - .ready() - .await - .map_err(|e| { - tonic::Status::new( - tonic::Code::Unknown, - format!("Service was not ready: {}", e.into()), - ) - })?; + ) -> std::result::Result, tonic::Status> { + self.inner.ready().await.map_err(|e| { + tonic::Status::new( + tonic::Code::Unknown, + format!("Service was not ready: {}", e.into()), + ) + })?; let codec = tonic::codec::ProstCodec::default(); - let path = http::uri::PathAndQuery::from_static( - "/SpiffeWorkloadAPI/FetchJWTSVID", - ); + let path = http::uri::PathAndQuery::from_static("/SpiffeWorkloadAPI/FetchJWTSVID"); let mut req = request.into_request(); req.extensions_mut() .insert(GrpcMethod::new("SpiffeWorkloadAPI", "FetchJWTSVID")); 
@@ -311,19 +284,14 @@ pub mod spiffe_workload_api_client { tonic::Response>, tonic::Status, > { - self.inner - .ready() - .await - .map_err(|e| { - tonic::Status::new( - tonic::Code::Unknown, - format!("Service was not ready: {}", e.into()), - ) - })?; + self.inner.ready().await.map_err(|e| { + tonic::Status::new( + tonic::Code::Unknown, + format!("Service was not ready: {}", e.into()), + ) + })?; let codec = tonic::codec::ProstCodec::default(); - let path = http::uri::PathAndQuery::from_static( - "/SpiffeWorkloadAPI/FetchJWTBundles", - ); + let path = http::uri::PathAndQuery::from_static("/SpiffeWorkloadAPI/FetchJWTBundles"); let mut req = request.into_request(); req.extensions_mut() .insert(GrpcMethod::new("SpiffeWorkloadAPI", "FetchJWTBundles")); @@ -334,23 +302,16 @@ pub mod spiffe_workload_api_client { pub async fn validate_jwtsvid( &mut self, request: impl tonic::IntoRequest, - ) -> std::result::Result< - tonic::Response, - tonic::Status, - > { - self.inner - .ready() - .await - .map_err(|e| { - tonic::Status::new( - tonic::Code::Unknown, - format!("Service was not ready: {}", e.into()), - ) - })?; + ) -> std::result::Result, tonic::Status> + { + self.inner.ready().await.map_err(|e| { + tonic::Status::new( + tonic::Code::Unknown, + format!("Service was not ready: {}", e.into()), + ) + })?; let codec = tonic::codec::ProstCodec::default(); - let path = http::uri::PathAndQuery::from_static( - "/SpiffeWorkloadAPI/ValidateJWTSVID", - ); + let path = http::uri::PathAndQuery::from_static("/SpiffeWorkloadAPI/ValidateJWTSVID"); let mut req = request.into_request(); req.extensions_mut() .insert(GrpcMethod::new("SpiffeWorkloadAPI", "ValidateJWTSVID")); 
@@ -368,8 +329,7 @@ pub mod spiffe_workload_api_server { /// Server streaming response type for the FetchX509SVID method. type FetchX509SVIDStream: tonic::codegen::tokio_stream::Stream< Item = std::result::Result, - > - + Send + > + Send + 'static; /// Fetch X.509-SVIDs for all SPIFFE identities the workload is entitled to, /// as well as related information like trust bundles and CRLs. As this @@ -378,15 +338,11 @@ pub mod spiffe_workload_api_server { async fn fetch_x509svid( &self, request: tonic::Request, - ) -> std::result::Result< - tonic::Response, - tonic::Status, - >; + ) -> std::result::Result, tonic::Status>; /// Server streaming response type for the FetchX509Bundles method. type FetchX509BundlesStream: tonic::codegen::tokio_stream::Stream< Item = std::result::Result, - > - + Send + > + Send + 'static; /// Fetch trust bundles and CRLs. Useful for clients that only need to /// validate SVIDs without obtaining an SVID for themself. As this @@ -395,10 +351,7 @@ pub mod spiffe_workload_api_server { async fn fetch_x509_bundles( &self, request: tonic::Request, - ) -> std::result::Result< - tonic::Response, - tonic::Status, - >; + ) -> std::result::Result, tonic::Status>; /// Fetch JWT-SVIDs for all SPIFFE identities the workload is entitled to, /// for the requested audience. If an optional SPIFFE ID is requested, only /// the JWT-SVID for that SPIFFE ID is returned. @@ -409,8 +362,7 @@ pub mod spiffe_workload_api_server { /// Server streaming response type for the FetchJWTBundles method. type FetchJWTBundlesStream: tonic::codegen::tokio_stream::Stream< Item = std::result::Result, - > - + Send + > + Send + 'static; /// Fetches the JWT bundles, formatted as JWKS documents, keyed by the /// SPIFFE ID of the trust domain. As this information changes, subsequent 
@@ -418,19 +370,13 @@ pub mod spiffe_workload_api_server { async fn fetch_jwt_bundles( &self, request: tonic::Request, - ) -> std::result::Result< - tonic::Response, - tonic::Status, - >; + ) -> std::result::Result, tonic::Status>; /// Validates a JWT-SVID against the requested audience. Returns the SPIFFE /// ID of the JWT-SVID and JWT claims. async fn validate_jwtsvid( &self, request: tonic::Request, - ) -> std::result::Result< - tonic::Response, - tonic::Status, - >; + ) -> std::result::Result, tonic::Status>; } #[derive(Debug)] pub struct SpiffeWorkloadApiServer { @@ -455,10 +401,7 @@ pub mod spiffe_workload_api_server { max_encoding_message_size: None, } } - pub fn with_interceptor( - inner: T, - interceptor: F, - ) -> InterceptedService + pub fn with_interceptor(inner: T, interceptor: F) -> InterceptedService where F: tonic::service::Interceptor, { @@ -514,24 +457,21 @@ pub mod spiffe_workload_api_server { "/SpiffeWorkloadAPI/FetchX509SVID" => { #[allow(non_camel_case_types)] struct FetchX509SVIDSvc(pub Arc); - impl< - T: SpiffeWorkloadApi, - > tonic::server::ServerStreamingService - for FetchX509SVIDSvc { + impl + tonic::server::ServerStreamingService + for FetchX509SVIDSvc + { type Response = super::X509svidResponse; type ResponseStream = T::FetchX509SVIDStream; - type Future = BoxFuture< - tonic::Response, - tonic::Status, - >; + type Future = + BoxFuture, tonic::Status>; fn call( &mut self, request: tonic::Request, ) -> Self::Future { let inner = Arc::clone(&self.0); let fut = async move { - ::fetch_x509svid(&inner, request) - .await + ::fetch_x509svid(&inner, request).await }; Box::pin(fut) } 
@@ -562,27 +502,21 @@ pub mod spiffe_workload_api_server { "/SpiffeWorkloadAPI/FetchX509Bundles" => { #[allow(non_camel_case_types)] struct FetchX509BundlesSvc(pub Arc); - impl< - T: SpiffeWorkloadApi, - > tonic::server::ServerStreamingService - for FetchX509BundlesSvc { + impl + tonic::server::ServerStreamingService + for FetchX509BundlesSvc + { type Response = super::X509BundlesResponse; type ResponseStream = T::FetchX509BundlesStream; - type Future = BoxFuture< - tonic::Response, - tonic::Status, - >; + type Future = + BoxFuture, tonic::Status>; fn call( &mut self, request: tonic::Request, ) -> Self::Future { let inner = Arc::clone(&self.0); let fut = async move { - ::fetch_x509_bundles( - &inner, - request, - ) - .await + ::fetch_x509_bundles(&inner, request).await }; Box::pin(fut) } @@ -613,23 +547,18 @@ pub mod spiffe_workload_api_server { "/SpiffeWorkloadAPI/FetchJWTSVID" => { #[allow(non_camel_case_types)] struct FetchJWTSVIDSvc(pub Arc); - impl< - T: SpiffeWorkloadApi, - > tonic::server::UnaryService - for FetchJWTSVIDSvc { + impl tonic::server::UnaryService + for FetchJWTSVIDSvc + { type Response = super::JwtsvidResponse; - type Future = BoxFuture< - tonic::Response, - tonic::Status, - >; + type Future = BoxFuture, tonic::Status>; fn call( &mut self, request: tonic::Request, ) -> Self::Future { let inner = Arc::clone(&self.0); let fut = async move { - ::fetch_jwtsvid(&inner, request) - .await + ::fetch_jwtsvid(&inner, request).await }; Box::pin(fut) } 
@@ -660,24 +589,21 @@ pub mod spiffe_workload_api_server { "/SpiffeWorkloadAPI/FetchJWTBundles" => { #[allow(non_camel_case_types)] struct FetchJWTBundlesSvc(pub Arc); - impl< - T: SpiffeWorkloadApi, - > tonic::server::ServerStreamingService - for FetchJWTBundlesSvc { + impl + tonic::server::ServerStreamingService + for FetchJWTBundlesSvc + { type Response = super::JwtBundlesResponse; type ResponseStream = T::FetchJWTBundlesStream; - type Future = BoxFuture< - tonic::Response, - tonic::Status, - >; + type Future = + BoxFuture, tonic::Status>; fn call( &mut self, request: tonic::Request, ) -> Self::Future { let inner = Arc::clone(&self.0); let fut = async move { - ::fetch_jwt_bundles(&inner, request) - .await + ::fetch_jwt_bundles(&inner, request).await }; Box::pin(fut) } @@ -708,23 +634,19 @@ pub mod spiffe_workload_api_server { "/SpiffeWorkloadAPI/ValidateJWTSVID" => { #[allow(non_camel_case_types)] struct ValidateJWTSVIDSvc(pub Arc); - impl< - T: SpiffeWorkloadApi, - > tonic::server::UnaryService - for ValidateJWTSVIDSvc { + impl + tonic::server::UnaryService + for ValidateJWTSVIDSvc + { type Response = super::ValidateJwtsvidResponse; - type Future = BoxFuture< - tonic::Response, - tonic::Status, - >; + type Future = BoxFuture, tonic::Status>; fn call( &mut self, request: tonic::Request, ) -> Self::Future { let inner = Arc::clone(&self.0); let fut = async move { - ::validate_jwtsvid(&inner, request) - .await + ::validate_jwtsvid(&inner, request).await }; Box::pin(fut) } @@ -752,18 +674,14 @@ pub mod spiffe_workload_api_server { }; Box::pin(fut) } - _ => { - Box::pin(async move { - Ok( - http::Response::builder() - .status(200) - .header("grpc-status", "12") - .header("content-type", "application/grpc") - .body(empty_body()) - .unwrap(), - ) - }) - } + _ => Box::pin(async move { + Ok(http::Response::builder() + .status(200) + .header("grpc-status", "12") + .header("content-type", "application/grpc") + .body(empty_body()) + .unwrap()) + }), } } } 
@@ -789,8 +707,7 @@ pub mod spiffe_workload_api_server { write!(f, "{:?}", self.0) } } - impl tonic::server::NamedService - for SpiffeWorkloadApiServer { + impl tonic::server::NamedService for SpiffeWorkloadApiServer { const NAME: &'static str = "SpiffeWorkloadAPI"; } } diff --git a/spiffe/src/workload_api/mod.rs b/spiffe/src/workload_api/mod.rs index 8a25f6b..a62a50b 100644 --- a/spiffe/src/workload_api/mod.rs +++ b/spiffe/src/workload_api/mod.rs @@ -3,7 +3,7 @@ //! # Examples //! //! ```no_run -//! +//! //! use std::error::Error; //! use spiffe::WorkloadApiClient; //! diff --git a/spire-api/src/agent/delegated_identity.rs b/spire-api/src/agent/delegated_identity.rs index f9cebe6..7df2a39 100644 --- a/spire-api/src/agent/delegated_identity.rs +++ b/spire-api/src/agent/delegated_identity.rs @@ -147,20 +147,15 @@ impl DelegatedIdentityClient { &mut self, attest_type: DelegateAttestationRequest, ) -> Result { - let request = match attest_type { - DelegateAttestationRequest::Selectors(selectors) => { - SubscribeToX509sviDsRequest { - selectors: selectors.into_iter().map(|s| s.into()).collect(), - pid: 0 - } + DelegateAttestationRequest::Selectors(selectors) => SubscribeToX509sviDsRequest { + selectors: selectors.into_iter().map(|s| s.into()).collect(), + pid: 0, + }, + DelegateAttestationRequest::Pid(pid) => SubscribeToX509sviDsRequest { + selectors: Vec::default(), + pid, }, - DelegateAttestationRequest::Pid(pid) => { - SubscribeToX509sviDsRequest { - selectors: Vec::default(), - pid - } - } }; self.client 
@@ -199,20 +194,15 @@ impl DelegatedIdentityClient {
 &mut self,
 attest_type: DelegateAttestationRequest,
 ) -> Result>, GrpcClientError> {
-
 let request = match attest_type {
- DelegateAttestationRequest::Selectors(selectors) => {
- SubscribeToX509sviDsRequest {
- selectors: selectors.into_iter().map(|s| s.into()).collect(),
- pid: 0
- }
+ DelegateAttestationRequest::Selectors(selectors) => SubscribeToX509sviDsRequest {
+ selectors: selectors.into_iter().map(|s| s.into()).collect(),
+ pid: 0,
+ },
+ DelegateAttestationRequest::Pid(pid) => SubscribeToX509sviDsRequest {
+ selectors: Vec::default(),
+ pid,
 },
- DelegateAttestationRequest::Pid(pid) => {
- SubscribeToX509sviDsRequest {
- selectors: Vec::default(),
- pid
- }
- }
 };
 
 let response: tonic::Response> =
@@ -295,22 +285,17 @@ impl DelegatedIdentityClient {
 audience: &[T],
 attest_type: DelegateAttestationRequest,
 ) -> Result, GrpcClientError> {
-
 let request = match attest_type {
- DelegateAttestationRequest::Selectors(selectors) => {
- FetchJwtsviDsRequest {
- audience: audience.iter().map(|s| s.to_string()).collect(),
- selectors: selectors.into_iter().map(|s| s.into()).collect(),
- pid: 0,
- }
+ DelegateAttestationRequest::Selectors(selectors) => FetchJwtsviDsRequest {
+ audience: audience.iter().map(|s| s.to_string()).collect(),
+ selectors: selectors.into_iter().map(|s| s.into()).collect(),
+ pid: 0,
+ },
+ DelegateAttestationRequest::Pid(pid) => FetchJwtsviDsRequest {
+ audience: audience.iter().map(|s| s.to_string()).collect(),
+ selectors: Vec::default(),
+ pid,
 },
- DelegateAttestationRequest::Pid(pid) => {
- FetchJwtsviDsRequest {
- audience: audience.iter().map(|s| s.to_string()).collect(),
- selectors: Vec::default(),
- pid,
- }
- }
 };
 
 DelegatedIdentityClient::parse_jwt_svid_from_grpc_response(
From 09052a2f52d95e86c6802d89ee4b1e6447183f0c Mon Sep 17 00:00:00 2001
From: Benjamin Leggett
Date: Thu, 25 Jul 2024 17:31:30 -0400
Subject: [PATCH 4/8] Lint
Signed-off-by: Benjamin Leggett --- spiffe/src/proto/workload.rs | 271 +++++++++++++++++++++++------------ 1 file changed, 177 insertions(+), 94 deletions(-) diff --git a/spiffe/src/proto/workload.rs b/spiffe/src/proto/workload.rs index 5d7fc33..ac7f945 100644 --- a/spiffe/src/proto/workload.rs +++ b/spiffe/src/proto/workload.rs @@ -21,8 +21,10 @@ pub struct X509svidResponse { /// the workload should trust, keyed by the SPIFFE ID of the foreign trust /// domain. Bundles are ASN.1 DER encoded. #[prost(map = "string, bytes", tag = "3")] - pub federated_bundles: - ::std::collections::HashMap<::prost::alloc::string::String, ::prost::bytes::Bytes>, + pub federated_bundles: ::std::collections::HashMap< + ::prost::alloc::string::String, + ::prost::bytes::Bytes, + >, } /// The X509SVID message carries a single SVID and all associated information, /// including the X.509 bundle for the trust domain. @@ -60,7 +62,10 @@ pub struct X509BundlesResponse { /// workload should trust, keyed by the SPIFFE ID of the trust domain. /// Bundles are ASN.1 DER encoded. #[prost(map = "string, bytes", tag = "2")] - pub bundles: ::std::collections::HashMap<::prost::alloc::string::String, ::prost::bytes::Bytes>, + pub bundles: ::std::collections::HashMap< + ::prost::alloc::string::String, + ::prost::bytes::Bytes, + >, } #[allow(clippy::derive_partial_eq_without_eq)] #[derive(Clone, PartialEq, ::prost::Message)] @@ -104,7 +109,10 @@ pub struct JwtBundlesResponse { /// Required. JWK encoded JWT bundles, keyed by the SPIFFE ID of the trust /// domain. #[prost(map = "string, bytes", tag = "1")] - pub bundles: ::std::collections::HashMap<::prost::alloc::string::String, ::prost::bytes::Bytes>, + pub bundles: ::std::collections::HashMap< + ::prost::alloc::string::String, + ::prost::bytes::Bytes, + >, } /// The ValidateJWTSVIDRequest message conveys request parameters for /// JWT-SVID validation. 
@@ -136,8 +144,8 @@ pub struct ValidateJwtsvidResponse { /// Generated client implementations. pub mod spiffe_workload_api_client { #![allow(unused_variables, dead_code, missing_docs, clippy::let_unit_value)] - use tonic::codegen::http::Uri; use tonic::codegen::*; + use tonic::codegen::http::Uri; #[derive(Debug, Clone)] pub struct SpiffeWorkloadApiClient { inner: tonic::client::Grpc, @@ -170,8 +178,9 @@ pub mod spiffe_workload_api_client { >::ResponseBody, >, >, - >>::Error: - Into + Send + Sync, + , + >>::Error: Into + Send + Sync, { SpiffeWorkloadApiClient::new(InterceptedService::new(inner, interceptor)) } @@ -217,14 +226,19 @@ pub mod spiffe_workload_api_client { tonic::Response>, tonic::Status, > { - self.inner.ready().await.map_err(|e| { - tonic::Status::new( - tonic::Code::Unknown, - format!("Service was not ready: {}", e.into()), - ) - })?; + self.inner + .ready() + .await + .map_err(|e| { + tonic::Status::new( + tonic::Code::Unknown, + format!("Service was not ready: {}", e.into()), + ) + })?; let codec = tonic::codec::ProstCodec::default(); - let path = http::uri::PathAndQuery::from_static("/SpiffeWorkloadAPI/FetchX509SVID"); + let path = http::uri::PathAndQuery::from_static( + "/SpiffeWorkloadAPI/FetchX509SVID", + ); let mut req = request.into_request(); req.extensions_mut() .insert(GrpcMethod::new("SpiffeWorkloadAPI", "FetchX509SVID")); 
@@ -241,14 +255,19 @@ pub mod spiffe_workload_api_client { tonic::Response>, tonic::Status, > { - self.inner.ready().await.map_err(|e| { - tonic::Status::new( - tonic::Code::Unknown, - format!("Service was not ready: {}", e.into()), - ) - })?; + self.inner + .ready() + .await + .map_err(|e| { + tonic::Status::new( + tonic::Code::Unknown, + format!("Service was not ready: {}", e.into()), + ) + })?; let codec = tonic::codec::ProstCodec::default(); - let path = http::uri::PathAndQuery::from_static("/SpiffeWorkloadAPI/FetchX509Bundles"); + let path = http::uri::PathAndQuery::from_static( + "/SpiffeWorkloadAPI/FetchX509Bundles", + ); let mut req = request.into_request(); req.extensions_mut() .insert(GrpcMethod::new("SpiffeWorkloadAPI", "FetchX509Bundles")); @@ -260,15 +279,23 @@ pub mod spiffe_workload_api_client { pub async fn fetch_jwtsvid( &mut self, request: impl tonic::IntoRequest, - ) -> std::result::Result, tonic::Status> { - self.inner.ready().await.map_err(|e| { - tonic::Status::new( - tonic::Code::Unknown, - format!("Service was not ready: {}", e.into()), - ) - })?; + ) -> std::result::Result< + tonic::Response, + tonic::Status, + > { + self.inner + .ready() + .await + .map_err(|e| { + tonic::Status::new( + tonic::Code::Unknown, + format!("Service was not ready: {}", e.into()), + ) + })?; let codec = tonic::codec::ProstCodec::default(); - let path = http::uri::PathAndQuery::from_static("/SpiffeWorkloadAPI/FetchJWTSVID"); + let path = http::uri::PathAndQuery::from_static( + "/SpiffeWorkloadAPI/FetchJWTSVID", + ); let mut req = request.into_request(); req.extensions_mut() .insert(GrpcMethod::new("SpiffeWorkloadAPI", "FetchJWTSVID")); 
@@ -284,14 +311,19 @@ pub mod spiffe_workload_api_client { tonic::Response>, tonic::Status, > { - self.inner.ready().await.map_err(|e| { - tonic::Status::new( - tonic::Code::Unknown, - format!("Service was not ready: {}", e.into()), - ) - })?; + self.inner + .ready() + .await + .map_err(|e| { + tonic::Status::new( + tonic::Code::Unknown, + format!("Service was not ready: {}", e.into()), + ) + })?; let codec = tonic::codec::ProstCodec::default(); - let path = http::uri::PathAndQuery::from_static("/SpiffeWorkloadAPI/FetchJWTBundles"); + let path = http::uri::PathAndQuery::from_static( + "/SpiffeWorkloadAPI/FetchJWTBundles", + ); let mut req = request.into_request(); req.extensions_mut() .insert(GrpcMethod::new("SpiffeWorkloadAPI", "FetchJWTBundles")); @@ -302,16 +334,23 @@ pub mod spiffe_workload_api_client { pub async fn validate_jwtsvid( &mut self, request: impl tonic::IntoRequest, - ) -> std::result::Result, tonic::Status> - { - self.inner.ready().await.map_err(|e| { - tonic::Status::new( - tonic::Code::Unknown, - format!("Service was not ready: {}", e.into()), - ) - })?; + ) -> std::result::Result< + tonic::Response, + tonic::Status, + > { + self.inner + .ready() + .await + .map_err(|e| { + tonic::Status::new( + tonic::Code::Unknown, + format!("Service was not ready: {}", e.into()), + ) + })?; let codec = tonic::codec::ProstCodec::default(); - let path = http::uri::PathAndQuery::from_static("/SpiffeWorkloadAPI/ValidateJWTSVID"); + let path = http::uri::PathAndQuery::from_static( + "/SpiffeWorkloadAPI/ValidateJWTSVID", + ); let mut req = request.into_request(); req.extensions_mut() .insert(GrpcMethod::new("SpiffeWorkloadAPI", "ValidateJWTSVID")); 
@@ -329,7 +368,8 @@ pub mod spiffe_workload_api_server { /// Server streaming response type for the FetchX509SVID method. type FetchX509SVIDStream: tonic::codegen::tokio_stream::Stream< Item = std::result::Result, - > + Send + > + + Send + 'static; /// Fetch X.509-SVIDs for all SPIFFE identities the workload is entitled to, /// as well as related information like trust bundles and CRLs. As this @@ -338,11 +378,15 @@ pub mod spiffe_workload_api_server { async fn fetch_x509svid( &self, request: tonic::Request, - ) -> std::result::Result, tonic::Status>; + ) -> std::result::Result< + tonic::Response, + tonic::Status, + >; /// Server streaming response type for the FetchX509Bundles method. type FetchX509BundlesStream: tonic::codegen::tokio_stream::Stream< Item = std::result::Result, - > + Send + > + + Send + 'static; /// Fetch trust bundles and CRLs. Useful for clients that only need to /// validate SVIDs without obtaining an SVID for themself. As this @@ -351,7 +395,10 @@ pub mod spiffe_workload_api_server { async fn fetch_x509_bundles( &self, request: tonic::Request, - ) -> std::result::Result, tonic::Status>; + ) -> std::result::Result< + tonic::Response, + tonic::Status, + >; /// Fetch JWT-SVIDs for all SPIFFE identities the workload is entitled to, /// for the requested audience. If an optional SPIFFE ID is requested, only /// the JWT-SVID for that SPIFFE ID is returned. @@ -362,7 +409,8 @@ pub mod spiffe_workload_api_server { /// Server streaming response type for the FetchJWTBundles method. type FetchJWTBundlesStream: tonic::codegen::tokio_stream::Stream< Item = std::result::Result, - > + Send + > + + Send + 'static; /// Fetches the JWT bundles, formatted as JWKS documents, keyed by the /// SPIFFE ID of the trust domain. As this information changes, subsequent 
@@ -370,13 +418,19 @@ pub mod spiffe_workload_api_server { async fn fetch_jwt_bundles( &self, request: tonic::Request, - ) -> std::result::Result, tonic::Status>; + ) -> std::result::Result< + tonic::Response, + tonic::Status, + >; /// Validates a JWT-SVID against the requested audience. Returns the SPIFFE /// ID of the JWT-SVID and JWT claims. async fn validate_jwtsvid( &self, request: tonic::Request, - ) -> std::result::Result, tonic::Status>; + ) -> std::result::Result< + tonic::Response, + tonic::Status, + >; } #[derive(Debug)] pub struct SpiffeWorkloadApiServer { @@ -401,7 +455,10 @@ pub mod spiffe_workload_api_server { max_encoding_message_size: None, } } - pub fn with_interceptor(inner: T, interceptor: F) -> InterceptedService + pub fn with_interceptor( + inner: T, + interceptor: F, + ) -> InterceptedService where F: tonic::service::Interceptor, { @@ -457,21 +514,24 @@ pub mod spiffe_workload_api_server { "/SpiffeWorkloadAPI/FetchX509SVID" => { #[allow(non_camel_case_types)] struct FetchX509SVIDSvc(pub Arc); - impl - tonic::server::ServerStreamingService - for FetchX509SVIDSvc - { + impl< + T: SpiffeWorkloadApi, + > tonic::server::ServerStreamingService + for FetchX509SVIDSvc { type Response = super::X509svidResponse; type ResponseStream = T::FetchX509SVIDStream; - type Future = - BoxFuture, tonic::Status>; + type Future = BoxFuture< + tonic::Response, + tonic::Status, + >; fn call( &mut self, request: tonic::Request, ) -> Self::Future { let inner = Arc::clone(&self.0); let fut = async move { - ::fetch_x509svid(&inner, request).await + ::fetch_x509svid(&inner, request) + .await }; Box::pin(fut) } 
@@ -502,21 +562,27 @@ pub mod spiffe_workload_api_server { "/SpiffeWorkloadAPI/FetchX509Bundles" => { #[allow(non_camel_case_types)] struct FetchX509BundlesSvc(pub Arc); - impl - tonic::server::ServerStreamingService - for FetchX509BundlesSvc - { + impl< + T: SpiffeWorkloadApi, + > tonic::server::ServerStreamingService + for FetchX509BundlesSvc { type Response = super::X509BundlesResponse; type ResponseStream = T::FetchX509BundlesStream; - type Future = - BoxFuture, tonic::Status>; + type Future = BoxFuture< + tonic::Response, + tonic::Status, + >; fn call( &mut self, request: tonic::Request, ) -> Self::Future { let inner = Arc::clone(&self.0); let fut = async move { - ::fetch_x509_bundles(&inner, request).await + ::fetch_x509_bundles( + &inner, + request, + ) + .await }; Box::pin(fut) } @@ -547,18 +613,23 @@ pub mod spiffe_workload_api_server { "/SpiffeWorkloadAPI/FetchJWTSVID" => { #[allow(non_camel_case_types)] struct FetchJWTSVIDSvc(pub Arc); - impl tonic::server::UnaryService - for FetchJWTSVIDSvc - { + impl< + T: SpiffeWorkloadApi, + > tonic::server::UnaryService + for FetchJWTSVIDSvc { type Response = super::JwtsvidResponse; - type Future = BoxFuture, tonic::Status>; + type Future = BoxFuture< + tonic::Response, + tonic::Status, + >; fn call( &mut self, request: tonic::Request, ) -> Self::Future { let inner = Arc::clone(&self.0); let fut = async move { - ::fetch_jwtsvid(&inner, request).await + ::fetch_jwtsvid(&inner, request) + .await }; Box::pin(fut) } 
@@ -589,21 +660,24 @@ pub mod spiffe_workload_api_server { "/SpiffeWorkloadAPI/FetchJWTBundles" => { #[allow(non_camel_case_types)] struct FetchJWTBundlesSvc(pub Arc); - impl - tonic::server::ServerStreamingService - for FetchJWTBundlesSvc - { + impl< + T: SpiffeWorkloadApi, + > tonic::server::ServerStreamingService + for FetchJWTBundlesSvc { type Response = super::JwtBundlesResponse; type ResponseStream = T::FetchJWTBundlesStream; - type Future = - BoxFuture, tonic::Status>; + type Future = BoxFuture< + tonic::Response, + tonic::Status, + >; fn call( &mut self, request: tonic::Request, ) -> Self::Future { let inner = Arc::clone(&self.0); let fut = async move { - ::fetch_jwt_bundles(&inner, request).await + ::fetch_jwt_bundles(&inner, request) + .await }; Box::pin(fut) } @@ -634,19 +708,23 @@ pub mod spiffe_workload_api_server { "/SpiffeWorkloadAPI/ValidateJWTSVID" => { #[allow(non_camel_case_types)] struct ValidateJWTSVIDSvc(pub Arc); - impl - tonic::server::UnaryService - for ValidateJWTSVIDSvc - { + impl< + T: SpiffeWorkloadApi, + > tonic::server::UnaryService + for ValidateJWTSVIDSvc { type Response = super::ValidateJwtsvidResponse; - type Future = BoxFuture, tonic::Status>; + type Future = BoxFuture< + tonic::Response, + tonic::Status, + >; fn call( &mut self, request: tonic::Request, ) -> Self::Future { let inner = Arc::clone(&self.0); let fut = async move { - ::validate_jwtsvid(&inner, request).await + ::validate_jwtsvid(&inner, request) + .await }; Box::pin(fut) } @@ -674,14 +752,18 @@ pub mod spiffe_workload_api_server { }; Box::pin(fut) } - _ => Box::pin(async move { - Ok(http::Response::builder() - .status(200) - .header("grpc-status", "12") - .header("content-type", "application/grpc") - .body(empty_body()) - .unwrap()) - }), + _ => { + Box::pin(async move { + Ok( + http::Response::builder() + .status(200) + .header("grpc-status", "12") + .header("content-type", "application/grpc") + .body(empty_body()) + .unwrap(), + ) + }) + } } } } 
@@ -707,7 +789,8 @@ pub mod spiffe_workload_api_server { write!(f, "{:?}", self.0) } } - impl tonic::server::NamedService for SpiffeWorkloadApiServer { + impl tonic::server::NamedService + for SpiffeWorkloadApiServer { const NAME: &'static str = "SpiffeWorkloadAPI"; } }
From 06614a64029c06f16afec57c69ca6569e2740d55 Mon Sep 17 00:00:00 2001
From: Benjamin Leggett
Date: Thu, 25 Jul 2024 18:40:21 -0400
Subject: [PATCH 5/8] Reexport
Signed-off-by: Benjamin Leggett
---
 spire-api/src/lib.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spire-api/src/lib.rs b/spire-api/src/lib.rs
index ee9f0a3..05f4fb3 100644
--- a/spire-api/src/lib.rs
+++ b/spire-api/src/lib.rs
@@ -9,4 +9,4 @@ pub mod agent;
 pub mod selectors;
 // Core spire-api crate type re-exported for simplified access.
-pub use agent::delegated_identity::DelegatedIdentityClient;
+pub use agent::delegated_identity::{DelegatedIdentityClient, DelegateAttestationRequest};
From 103a752ae035bb8688f078e89f681e05e775017f Mon Sep 17 00:00:00 2001
From: Benjamin Leggett
Date: Fri, 16 Aug 2024 13:21:49 -0400
Subject: [PATCH 6/8] Lints
Signed-off-by: Benjamin Leggett
---
 spiffe/src/workload_api/mod.rs | 2 +-
 spire-api/src/lib.rs | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/spiffe/src/workload_api/mod.rs b/spiffe/src/workload_api/mod.rs
index a62a50b..8a25f6b 100644
--- a/spiffe/src/workload_api/mod.rs
+++ b/spiffe/src/workload_api/mod.rs
@@ -3,7 +3,7 @@
 //! # Examples
 //!
 //! ```no_run
-//!
+//!
 //! use std::error::Error;
 //! use spiffe::WorkloadApiClient;
 //!
diff --git a/spire-api/src/lib.rs b/spire-api/src/lib.rs
index 05f4fb3..d8b3eed 100644
--- a/spire-api/src/lib.rs
+++ b/spire-api/src/lib.rs
@@ -9,4 +9,4 @@ pub mod agent;
 pub mod selectors;
 // Core spire-api crate type re-exported for simplified access.
-pub use agent::delegated_identity::{DelegatedIdentityClient, DelegateAttestationRequest};
+pub use agent::delegated_identity::{DelegateAttestationRequest, DelegatedIdentityClient};
From 952df6e24fb0afa5d4cbe9341edb5fe3e0a58cfb Mon Sep 17 00:00:00 2001
From: Benjamin Leggett
Date: Tue, 3 Sep 2024 14:11:47 -0400
Subject: [PATCH 7/8] Use official 1.10.2 SHA
Signed-off-by: Benjamin Leggett
---
 spire-api/spire-api-sdk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spire-api/spire-api-sdk b/spire-api/spire-api-sdk
index 2523933..9701b78 160000
--- a/spire-api/spire-api-sdk
+++ b/spire-api/spire-api-sdk
@@ -1 +1 @@
-Subproject commit 2523933d05a856488d88c3d54237a384be0aa883
+Subproject commit 9701b78b4c3c2e22d866220ba16eb9e8da6eea96
From 516857b29b756fcb8f91e969765a9b52841125e0 Mon Sep 17 00:00:00 2001
From: Benjamin Leggett
Date: Tue, 3 Sep 2024 15:32:01 -0400
Subject: [PATCH 8/8] Fixup existing tests
Signed-off-by: Benjamin Leggett
---
 .../delegated_identity_api_client_test.rs | 26 +++++++++----------
 1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/spire-api/tests/delegated_identity_api_client_test.rs b/spire-api/tests/delegated_identity_api_client_test.rs
index fc673f7..2f7da93 100644
--- a/spire-api/tests/delegated_identity_api_client_test.rs
+++ b/spire-api/tests/delegated_identity_api_client_test.rs
@@ -7,7 +7,7 @@ mod integration_tests_delegate_identity_api_client {
 use once_cell::sync::Lazy;
 use spiffe::bundle::BundleRefSource;
 use spiffe::{JwtBundleSet, TrustDomain};
- use spire_api::{selectors, DelegatedIdentityClient};
+ use spire_api::{selectors, DelegateAttestationRequest, DelegatedIdentityClient};
 use std::process::Command;
 use tokio_stream::StreamExt;
@@ -38,9 +38,9 @@ mod integration_tests_delegate_identity_api_client {
 let svid = client
 .fetch_jwt_svids(
 &["my_audience"],
- vec![selectors::Selector::Unix(selectors::Unix::Uid(
- get_uid() + 1,
- ))],
+ DelegateAttestationRequest::Selectors(vec![selectors::Selector::Unix(
+ selectors::Unix::Uid(get_uid() + 1),
+ )]),
 )
 .await
 .expect("Failed to fetch JWT SVID");
@@ -52,9 +52,9 @@ mod integration_tests_delegate_identity_api_client {
 async fn fetch_delegate_x509_svid() {
 let mut client = get_client().await;
 let response: spiffe::svid::x509::X509Svid = client
- .fetch_x509_svid(vec![selectors::Selector::Unix(selectors::Unix::Uid(
- get_uid() + 1,
- ))])
+ .fetch_x509_svid(DelegateAttestationRequest::Selectors(vec![
+ selectors::Selector::Unix(selectors::Unix::Uid(get_uid() + 1)),
+ ]))
 .await
 .expect("Failed to fetch delegate SVID");
 // Not checking the chain as the root is generated by spire.
@@ -71,9 +71,9 @@ mod integration_tests_delegate_identity_api_client {
 let test_duration = std::time::Duration::from_secs(60);
 let mut client = get_client().await;
 let mut stream = client
- .stream_x509_svids(vec![selectors::Selector::Unix(selectors::Unix::Uid(
- get_uid() + 1,
- ))])
+ .stream_x509_svids(DelegateAttestationRequest::Selectors(vec![
+ selectors::Selector::Unix(selectors::Unix::Uid(get_uid() + 1)),
+ ]))
 .await
 .expect("Failed to fetch delegate SVID");
@@ -124,9 +124,9 @@ mod integration_tests_delegate_identity_api_client {
 let svids = client
 .fetch_jwt_svids(
 &["my_audience"],
- vec![selectors::Selector::Unix(selectors::Unix::Uid(
- get_uid() + 1,
- ))],
+ DelegateAttestationRequest::Selectors(vec![selectors::Selector::Unix(
+ selectors::Unix::Uid(get_uid() + 1),
+ )]),
 )
 .await
 .expect("Failed to fetch JWT SVID");
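Review bot: All four rewritten calls in this file (the hunks at -38, -52, -71 and -124) wrap the same `selectors::Unix::Uid(get_uid() + 1)` selector in `DelegateAttestationRequest::Selectors`, so only the selector form of the new request type gets integration coverage. The resynced proto in this series describes a second, PID-based form that is mutually exclusive with selectors; if the enum exposes it (its definition is outside this diff), a test that attests a spawned child process by PID, plus one that closes the stream when that child exits, would pin the subscriber-side expectation the proto comment states about PID reuse. The repeated `get_uid() + 1` construction could be hoisted into a small helper such as `fn delegate_request() -> DelegateAttestationRequest` so future variants are exercised from one place. The enclosing test functions start and end outside these hunks.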