spiffe / spire

The SPIFFE Runtime Environment
https://spiffe.io
Apache License 2.0
1.72k stars 459 forks

Expand Mint RPC to cover credential composer capabilities #4388

Open enj opened 11 months ago

enj commented 11 months ago

Today, one can send a MintJWTSVIDRequest to generate a one-off JWT. This, combined with a custom credential composer, can be used to set the claims on the resulting JWT. However, there is no good way to directly control the claims set via the MintJWTSVIDRequest RPC call (one could encode the claims in the audience field and then decode them in the credential composer, but that seems hacky).

I would like to expand the MintJWTSVIDRequest RPC (and MintX509SVIDRequest if desired) to cover the existing functionality that is possible via a credential composer. For MintJWTSVIDRequest that would allow setting claims, and for MintX509SVIDRequest that would allow setting extra_extensions.

I am happy to make the changes required for this feature, just looking for guidance on next steps.
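
The audience-field workaround mentioned above, written out as an added example (not code from the issue or from SPIRE): the client side packs extra claims into one synthetic audience entry of a mint request, and a simplified stand-in for a credential composer strips that entry and merges the claims back. The `x-claims:` prefix, the base64url+JSON encoding and the plain `map[string]any` claims shape are assumptions made for illustration; a real SPIRE credential composer receives its claims through the plugin SDK's protobuf types rather than this map. The composer side also shows the check a practitioner would want here: a caller must not be able to smuggle a `sub`, `aud` or `exp` override through the side channel, and the real audience list must not end up empty.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Assumed marker: an audience entry starting with this prefix carries a
// base64url-encoded JSON object of extra claims. This is the "encode the
// claims in the audience field" workaround from the issue, not a SPIRE convention.
const claimsAudiencePrefix = "x-claims:"

// Registered claims the side channel must never be allowed to override.
var protectedClaims = map[string]bool{
	"sub": true, "aud": true, "exp": true, "iat": true,
	"iss": true, "nbf": true, "jti": true,
}

// EncodeClaimsAudience builds the audience list a client would place in a
// MintJWTSVIDRequest: the real audiences plus one synthetic entry carrying extra claims.
func EncodeClaimsAudience(realAudience []string, extra map[string]any) ([]string, error) {
	raw, err := json.Marshal(extra)
	if err != nil {
		return nil, err
	}
	aud := append([]string{}, realAudience...)
	aud = append(aud, claimsAudiencePrefix+base64.RawURLEncoding.EncodeToString(raw))
	return aud, nil
}

// ComposeClaims is the composer side: it removes the synthetic audience entry,
// decodes the extra claims and merges them in, refusing any attempt to
// override a protected claim or to leave the token with no real audience.
func ComposeClaims(claims map[string]any) (map[string]any, error) {
	out := make(map[string]any, len(claims))
	for k, v := range claims {
		out[k] = v
	}
	audList, ok := out["aud"].([]string)
	if !ok {
		return nil, errors.New("aud claim missing or not a string list")
	}
	var cleanAud []string
	var extra map[string]any
	for _, a := range audList {
		if !strings.HasPrefix(a, claimsAudiencePrefix) {
			cleanAud = append(cleanAud, a)
			continue
		}
		if extra != nil {
			return nil, errors.New("more than one claims-bearing audience entry")
		}
		raw, err := base64.RawURLEncoding.DecodeString(strings.TrimPrefix(a, claimsAudiencePrefix))
		if err != nil {
			return nil, fmt.Errorf("decode claims audience: %w", err)
		}
		if err := json.Unmarshal(raw, &extra); err != nil {
			return nil, fmt.Errorf("parse claims audience: %w", err)
		}
	}
	if len(cleanAud) == 0 {
		return nil, errors.New("no real audience left after stripping claims entry")
	}
	out["aud"] = cleanAud
	for k, v := range extra {
		if protectedClaims[k] {
			return nil, fmt.Errorf("refusing to override protected claim %q", k)
		}
		out[k] = v
	}
	return out, nil
}

func main() {
	// Constructed sample: one real audience plus a custom "role" claim.
	aud, _ := EncodeClaimsAudience([]string{"spiffe://example.org/api"}, map[string]any{"role": "reader"})
	claims := map[string]any{"sub": "spiffe://example.org/workload", "aud": aud}
	composed, err := ComposeClaims(claims)
	fmt.Println(composed, err)
}
```

The round trip works, but it also shows why the issue calls the approach hacky: the extra claims travel through a field that SPIRE validates, logs and authorizes as an audience, and every composer must reimplement the protected-claim filter rather than relying on the server's own validation.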

evan2645 commented 10 months ago

Thanks for your patience @enj

I feel this is a pretty reasonable request, and I don't see any issue from a maintenance or security perspective in supporting it.

@azdagron @amartinezfayo do you see any technical challenges? Particularly around how it might (or might not) integrate with the credential composer flows we introduced?

azdagron commented 10 months ago

I think that is reasonable. There is a potential that we would end up doing stricter validations than we did previously. This probably requires a little investigation.

azdagron commented 10 months ago

I think we're good to go here.

In terms of next steps, we should probably start with gaining consensus on how the arbitrary JWT claims and X.509 extensions are provided over the Mint RPCs. This should happen in a PR opened against the next branch of the SPIRE API SDK.

I think there is some precedent that can be found in the CredentialComposer documentation @enj linked from the plugin SDK. It might be enough to duplicate those messages/types for incorporation into the SVID API and slot them into the Mint RPCs where appropriate.

Once the change has been merged to the next branch of the API SDK, we can update SPIRE's pseudo-version dependency on the API SDK and start the coding work.

The implementation can probably utilize some code from the credbuilder package to convert the fields from the request into types usable by the CA package. We'll probably have to extend the WorkloadX509SVIDParams struct to accommodate the arbitrary claims.

Happy to help guide the implementation if there are questions.

azdagron commented 10 months ago

Thanks for raising your hand to work on this, @enj! Happy to answer any questions you might have either in GH or on the SPIFFE slack. If you decide you aren't in a position to help, let us know and we can add the "help wanted" label.

enj commented 2 months ago

@azdagron I ended up going with an approach that did not use spire so I will not be able to implement this. Feel free to close the issue.