spiffe-workload 0.2.0

data/lib/spiffe/workload/client.rb

@@ -0,0 +1,348 @@
+# frozen_string_literal: true
+
+require 'grpc'
+require 'thread'
+require_relative 'x509_svid'
+require_relative 'jwt_svid'
+require_relative '../workload_pb'
+require_relative '../workload_services_pb'
+
+module Spiffe
+  module Workload
+    # Client for SPIFFE Workload API
+    # Connects to SPIRE Agent via Unix domain socket and fetches SVIDs
+    class Client
+      DEFAULT_SOCKET_PATH = '/run/spire/sockets/agent.sock'
+      DEFAULT_TIMEOUT = 5 # seconds
+
+      attr_reader :socket_path
+
+      # @param socket_path [String] Path to SPIRE Agent Unix socket
+      # @param timeout [Integer] Connection timeout in seconds
+      def initialize(socket_path: nil, timeout: DEFAULT_TIMEOUT)
+        @socket_path = socket_path || ENV['SPIFFE_ENDPOINT_SOCKET']&.sub('unix://', '') || DEFAULT_SOCKET_PATH
+        @timeout = timeout
+        @mutex = Mutex.new
+        @x509_svid_cache = nil
+        @x509_bundles_cache = nil
+        @jwt_bundles_cache = nil
+        @rotation_thread = nil
+        @shutdown = false
+
+        validate_socket!
+      end
+
+      # Fetch X.509 SVID (blocking call, returns first response)
+      # @return [X509SVIDWrapper] The default X.509 SVID
+      # @raise [Spiffe::Error] If fetch fails
+      def x509_svid
+        ensure_x509_svid_stream_started
+        
+        @mutex.synchronize do
+          raise Spiffe::Error, 'No X.509 SVID available' unless @x509_svid_cache
+          @x509_svid_cache
+        end
+      end
+
+      # Get the current X.509 SVID without blocking
+      # @return [X509SVIDWrapper, nil]
+      def current_x509_svid
+        @mutex.synchronize { @x509_svid_cache }
+      end
+
+      # Fetch all X.509 SVIDs
+      # @return [Array<X509SVIDWrapper>]
+      def x509_svids
+        ensure_x509_svid_stream_started
+        
+        @mutex.synchronize do
+          @x509_svids_cache || []
+        end
+      end
+
+      # Fetch JWT SVID for the given audience
+      # @param audience [String, Array<String>] Target audience(s)
+      # @param spiffe_id [String, nil] Optional specific SPIFFE ID to request
+      # @return [JWTSVIDWrapper] The JWT SVID
+      # @raise [Spiffe::Error] If fetch fails
+      def jwt_svid(audience:, spiffe_id: nil)
+        audiences = audience.is_a?(Array) ? audience : [audience]
+        
+        request = Spiffe::Workload::JWTSVIDRequest.new(
+          audience: audiences,
+          spiffe_id: spiffe_id || ''
+        )
+
+        metadata = { 'workload.spiffe.io' => '1' }
+        response = stub.fetch_jwtsvid(request, metadata: metadata)
+        
+        raise Spiffe::Error, 'No JWT SVID returned' if response.svids.empty?
+        
+        JWTSVIDWrapper.from_proto(response.svids.first)
+      rescue GRPC::BadStatus => e
+        raise Spiffe::Error, "Failed to fetch JWT SVID: #{e.message}"
+      end
+
+      # Fetch X.509 trust bundles
+      # @return [Hash<String, OpenSSL::X509::Store>] Map of trust domain to bundle
+      def x509_bundles
+        ensure_x509_bundles_stream_started
+        
+        @mutex.synchronize do
+          @x509_bundles_cache || {}
+        end
+      end
+
+      # Fetch JWT bundles
+      # @return [Hash<String, String>] Map of trust domain to JWKS
+      def jwt_bundles
+        ensure_jwt_bundles_stream_started
+        
+        @mutex.synchronize do
+          @jwt_bundles_cache || {}
+        end
+      end
+
+      # Create an OpenSSL context configured with the current SVID
+      # @return [OpenSSL::SSL::SSLContext]
+      def tls_context
+        svid = x509_svid
+        
+        context = OpenSSL::SSL::SSLContext.new
+        context.cert = svid.leaf_certificate
+        context.key = svid.private_key
+        context.extra_chain_cert = svid.cert_chain[1..-1] if svid.cert_chain.length > 1
+        context.cert_store = svid.trust_bundle
+        context.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        context
+      end
+
+      # Register a callback to be called when X.509 SVID is updated
+      # @yield [X509SVID] The new SVID
+      def on_x509_svid_update(&block)
+        @mutex.synchronize do
+          @x509_update_callbacks ||= []
+          @x509_update_callbacks << block
+        end
+      end
+
+      # Shutdown the client and stop all background threads
+      def shutdown
+        @shutdown = true
+        @rotation_thread&.kill
+        @x509_stream_thread&.kill
+        @x509_bundles_stream_thread&.kill
+        @jwt_bundles_stream_thread&.kill
+      end
+
+      private
+
+      def validate_socket!
+        unless File.exist?(@socket_path)
+          raise Spiffe::SocketError, "Socket does not exist: #{@socket_path}"
+        end
+
+        unless File.socket?(@socket_path)
+          raise Spiffe::SocketError, "Path is not a socket: #{@socket_path}"
+        end
+
+        # Check socket permissions (should be accessible)
+        unless File.readable?(@socket_path) && File.writable?(@socket_path)
+          raise Spiffe::SocketError, "Socket is not accessible: #{@socket_path}"
+        end
+      end
+
+      # Interceptor to add SPIRE security header to all requests
+      class SpireHeaderInterceptor < GRPC::ClientInterceptor
+        def request_response(request:, call:, method:, metadata:)
+          metadata['workload.spiffe.io'] = '1'
+          yield
+        end
+
+        def client_streamer(requests:, call:, method:, metadata:)
+          metadata['workload.spiffe.io'] = '1'
+          yield
+        end
+
+        def server_streamer(request:, call:, method:, metadata:)
+          metadata['workload.spiffe.io'] = '1'
+          yield
+        end
+
+        def bidi_streamer(requests:, call:, method:, metadata:)
+          metadata['workload.spiffe.io'] = '1'
+          yield
+        end
+      end
+
+      def stub
+        @stub ||= begin
+          # Create gRPC channel to Unix socket
+          # Format: unix:///path/to/socket or unix:/path/to/socket
+          socket_uri = "unix://#{@socket_path}"
+          
+          channel = GRPC::Core::Channel.new(
+            socket_uri,
+            {},
+            :this_channel_is_insecure
+          )
+
+          Spiffe::Workload::SpiffeWorkloadAPI::Stub.new(
+            nil, # host (unused with channel)
+            nil, # creds (unused with channel)
+            channel_override: channel,
+            timeout: @timeout
+          )
+        end
+      end
+
+      def ensure_x509_svid_stream_started
+        return if @x509_stream_thread&.alive?
+
+        @x509_stream_thread = Thread.new do
+          loop do
+            begin
+              stream_x509_svids
+            rescue StandardError => e
+              warn "X.509 SVID stream error: #{e.message}"
+              sleep 5 # Retry after delay
+            end
+            break if @shutdown
+          end
+        end
+
+        # Wait for first SVID
+        deadline = Time.now + @timeout
+        until @x509_svid_cache || Time.now > deadline
+          sleep 0.1
+        end
+
+        raise Spiffe::Error, 'Timeout waiting for X.509 SVID' unless @x509_svid_cache
+      end
+
+      def stream_x509_svids
+        request = Spiffe::Workload::X509SVIDRequest.new
+        metadata = { 'workload.spiffe.io' => '1' }
+        
+        stub.fetch_x509_svid(request, metadata: metadata).each do |response|
+          process_x509_response(response)
+          break if @shutdown
+        end
+      rescue GRPC::BadStatus => e
+        raise Spiffe::Error, "Failed to fetch X.509 SVID: #{e.message}"
+      end
+
+      def process_x509_response(response)
+        svids = response.svids.map { |svid_proto| X509SVIDWrapper.from_proto(svid_proto) }
+        
+        @mutex.synchronize do
+          @x509_svids_cache = svids
+          @x509_svid_cache = svids.first # Default SVID
+          
+          # Notify callbacks
+          @x509_update_callbacks&.each do |callback|
+            callback.call(@x509_svid_cache)
+          rescue StandardError => e
+            warn "X.509 SVID update callback error: #{e.message}"
+          end
+        end
+      end
+
+      def ensure_x509_bundles_stream_started
+        return if @x509_bundles_stream_thread&.alive?
+
+        @x509_bundles_stream_thread = Thread.new do
+          loop do
+            begin
+              stream_x509_bundles
+            rescue StandardError => e
+              warn "X.509 bundles stream error: #{e.message}"
+              sleep 5
+            end
+            break if @shutdown
+          end
+        end
+
+        # Wait for first bundle
+        deadline = Time.now + @timeout
+        until @x509_bundles_cache || Time.now > deadline
+          sleep 0.1
+        end
+      end
+
+      def stream_x509_bundles
+        request = Spiffe::Workload::X509BundlesRequest.new
+        metadata = { 'workload.spiffe.io' => '1' }
+        
+        stub.fetch_x509_bundles(request, metadata: metadata).each do |response|
+          process_x509_bundles_response(response)
+          break if @shutdown
+        end
+      rescue GRPC::BadStatus => e
+        raise Spiffe::Error, "Failed to fetch X.509 bundles: #{e.message}"
+      end
+
+      def process_x509_bundles_response(response)
+        bundles = {}
+        
+        response.bundles.to_h.each do |trust_domain, bundle_data|
+          store = OpenSSL::X509::Store.new
+          
+          # Parse all certificates in the bundle
+          offset = 0
+          while offset < bundle_data.bytesize
+            begin
+              cert = OpenSSL::X509::Certificate.new(bundle_data[offset..-1])
+              store.add_cert(cert)
+              offset += cert.to_der.bytesize
+            rescue OpenSSL::X509::CertificateError
+              break
+            end
+          end
+          
+          bundles[trust_domain] = store
+        end
+        
+        @mutex.synchronize do
+          @x509_bundles_cache = bundles
+        end
+      end
+
+      def ensure_jwt_bundles_stream_started
+        return if @jwt_bundles_stream_thread&.alive?
+
+        @jwt_bundles_stream_thread = Thread.new do
+          loop do
+            begin
+              stream_jwt_bundles
+            rescue StandardError => e
+              warn "JWT bundles stream error: #{e.message}"
+              sleep 5
+            end
+            break if @shutdown
+          end
+        end
+
+        # Wait for first bundle
+        deadline = Time.now + @timeout
+        until @jwt_bundles_cache || Time.now > deadline
+          sleep 0.1
+        end
+      end
+
+      def stream_jwt_bundles
+        request = Spiffe::Workload::JWTBundlesRequest.new
+        
+        stub.fetch_jwt_bundles(request).each do |response|
+          @mutex.synchronize do
+            # Bundles are already in JWKS format
+            @jwt_bundles_cache = response.bundles.to_h
+          end
+          break if @shutdown
+        end
+      rescue GRPC::BadStatus => e
+        raise Spiffe::Error, "Failed to fetch JWT bundles: #{e.message}"
+      end
+    end
+  end
+end

data/lib/spiffe/workload/grpc_stub.rb

@@ -0,0 +1,122 @@
+# frozen_string_literal: true
+
+require 'grpc'
+
+module Spiffe
+  module Workload
+    # gRPC stub for SPIFFE Workload API
+    # This is a simplified stub. Run 'rake generate_protos' to generate
+    # the full proto definitions from workload.proto
+    
+    class SpiffeWorkloadAPIStub < GRPC::ClientStub
+      # Fetch X.509 SVIDs (streaming RPC)
+      # @param request [Hash] Empty request
+      # @return [Enumerator] Stream of X509SVIDResponse
+      def fetch_x509_svid(request, metadata: {})
+        request_marshal = lambda { |req| '' } # Empty request
+        response_unmarshal = lambda { |bytes| parse_x509_svid_response(bytes) }
+        
+        request_response_call(
+          '/SpiffeWorkloadAPI/FetchX509SVID',
+          request,
+          request_marshal,
+          response_unmarshal,
+          return_op: true,
+          metadata: metadata
+        )
+      end
+
+      # Fetch X.509 bundles (streaming RPC)
+      # @param request [Hash] Empty request
+      # @return [Enumerator] Stream of X509BundlesResponse
+      def fetch_x509_bundles(request, metadata: {})
+        request_marshal = lambda { |req| '' }
+        response_unmarshal = lambda { |bytes| parse_x509_bundles_response(bytes) }
+        
+        request_response_call(
+          '/SpiffeWorkloadAPI/FetchX509Bundles',
+          request,
+          request_marshal,
+          response_unmarshal,
+          return_op: true,
+          metadata: metadata
+        )
+      end
+
+      # Fetch JWT SVID (unary RPC)
+      # @param request [Hash] JWTSVIDRequest with audience and optional spiffe_id
+      # @return [Hash] JWTSVIDResponse
+      def fetch_jwt_svid(request, metadata: {})
+        request_marshal = lambda { |req| encode_jwt_svid_request(req) }
+        response_unmarshal = lambda { |bytes| parse_jwt_svid_response(bytes) }
+        
+        request_response_call(
+          '/SpiffeWorkloadAPI/FetchJWTSVID',
+          request,
+          request_marshal,
+          response_unmarshal,
+          return_op: false,
+          metadata: metadata
+        )
+      end
+
+      # Fetch JWT bundles (streaming RPC)
+      # @param request [Hash] Empty request
+      # @return [Enumerator] Stream of JWTBundlesResponse
+      def fetch_jwt_bundles(request, metadata: {})
+        request_marshal = lambda { |req| '' }
+        response_unmarshal = lambda { |bytes| parse_jwt_bundles_response(bytes) }
+        
+        request_response_call(
+          '/SpiffeWorkloadAPI/FetchJWTBundles',
+          request,
+          request_marshal,
+          response_unmarshal,
+          return_op: true,
+          metadata: metadata
+        )
+      end
+
+      private
+
+      # Note: These are simplified parsers
+      # For production use, replace this file with generated proto stubs
+      # by running: rake generate_protos
+      
+      def parse_x509_svid_response(bytes)
+        # This is a placeholder that returns a mock structure
+        # In reality, this should use google-protobuf to decode
+        OpenStruct.new(
+          svids: [],
+          crl: [],
+          federated_bundles: {}
+        )
+      end
+
+      def parse_x509_bundles_response(bytes)
+        OpenStruct.new(
+          crl: [],
+          bundles: {}
+        )
+      end
+
+      def encode_jwt_svid_request(request)
+        # Placeholder encoding
+        # Should use google-protobuf to encode
+        ''
+      end
+
+      def parse_jwt_svid_response(bytes)
+        OpenStruct.new(
+          svids: []
+        )
+      end
+
+      def parse_jwt_bundles_response(bytes)
+        OpenStruct.new(
+          bundles: {}
+        )
+      end
+    end
+  end
+end

data/lib/spiffe/workload/http_client.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require 'net/http'
+require 'uri'
+require_relative 'tls_config'
+
+module Spiffe
+  module Workload
+    # HTTP client with automatic SPIFFE authentication
+    class HTTPClient
+      attr_reader :client
+
+      # @param client [Spiffe::Workload::Client] The workload API client
+      def initialize(client)
+        @client = client
+        @tls_context = TLSConfig.create_auto_updating_context(client)
+      end
+
+      # Make an HTTPS request with SPIFFE mTLS
+      # @param uri [String, URI] The target URI
+      # @param method [Symbol] HTTP method (:get, :post, :put, :delete, etc.)
+      # @param body [String, nil] Request body
+      # @param headers [Hash] Additional headers
+      # @return [Net::HTTPResponse]
+      def request(uri, method: :get, body: nil, headers: {})
+        uri = URI.parse(uri) if uri.is_a?(String)
+        
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = true
+        http.ssl_context = @tls_context
+        
+        request_class = case method
+                        when :get then Net::HTTP::Get
+                        when :post then Net::HTTP::Post
+                        when :put then Net::HTTP::Put
+                        when :delete then Net::HTTP::Delete
+                        when :head then Net::HTTP::Head
+                        when :patch then Net::HTTP::Patch
+                        else raise ArgumentError, "Unsupported method: #{method}"
+                        end
+        
+        request = request_class.new(uri)
+        headers.each { |key, value| request[key] = value }
+        request.body = body if body
+        
+        http.request(request)
+      end
+
+      # Convenience methods for common HTTP verbs
+      def get(uri, headers: {})
+        request(uri, method: :get, headers: headers)
+      end
+
+      def post(uri, body:, headers: {})
+        request(uri, method: :post, body: body, headers: headers)
+      end
+
+      def put(uri, body:, headers: {})
+        request(uri, method: :put, body: body, headers: headers)
+      end
+
+      def delete(uri, headers: {})
+        request(uri, method: :delete, headers: headers)
+      end
+    end
+  end
+end

data/lib/spiffe/workload/jwt_svid.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'base64'
+
+module Spiffe
+  module Workload
+    # Represents a JWT SVID
+    class JWTSVIDWrapper
+      attr_reader :spiffe_id, :token, :hint, :claims
+
+      # @param spiffe_id [String] The SPIFFE ID
+      # @param token [String] The JWT token
+      # @param hint [String, nil] Optional hint
+      def initialize(spiffe_id:, token:, hint: nil)
+        @spiffe_id = spiffe_id
+        @token = token
+        @hint = hint
+        @claims = parse_claims
+      end
+
+      # Parse JWT claims without validation
+      # @return [Hash] The JWT claims
+      def parse_claims
+        # JWT format: header.payload.signature
+        parts = @token.split('.')
+        raise Error, 'Invalid JWT format' unless parts.length == 3
+
+        # Decode payload (base64url)
+        payload = parts[1]
+        # Add padding if necessary
+        payload += '=' * (4 - payload.length % 4) if payload.length % 4 != 0
+        
+        decoded = Base64.urlsafe_decode64(payload)
+        JSON.parse(decoded)
+      rescue StandardError => e
+        raise Error, "Failed to parse JWT claims: #{e.message}"
+      end
+
+      # Get the expiration time
+      # @return [Time, nil]
+      def expiration
+        return nil unless @claims['exp']
+        Time.at(@claims['exp'])
+      end
+
+      # Check if the JWT is expired
+      # @return [Boolean]
+      def expired?
+        exp = expiration
+        return false unless exp
+        exp < Time.now
+      end
+
+      # Get audience claims
+      # @return [Array<String>]
+      def audience
+        aud = @claims['aud']
+        return [] unless aud
+        aud.is_a?(Array) ? aud : [aud]
+      end
+
+      # Parse JWT SVID from proto response
+      # @param proto_jwt [Spiffe::Workload::JWTSVID] Proto message
+      # @return [JWTSVID]
+      def self.from_proto(proto_jwt)
+        new(
+          spiffe_id: proto_jwt.spiffe_id,
+          token: proto_jwt.svid,
+          hint: proto_jwt.hint.empty? ? nil : proto_jwt.hint
+        )
+      end
+    end
+  end
+end