-
Notifications
You must be signed in to change notification settings - Fork 21
/
credentialcomposer.proto
248 lines (205 loc) · 10.6 KB
/
credentialcomposer.proto
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
syntax = "proto3";
package spire.plugin.server.credentialcomposer.v1;
option go_package = "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/server/credentialcomposer/v1;credentialcomposerv1";
import "google/protobuf/struct.proto";
// The CredentialComposer plugin influences the attributes of X.509
// certificates and JWT tokens minted by or on behalf of SPIRE Server.
service CredentialComposer {
// Composes the SPIRE Server X509 CA. The server will supply the default
// attributes it will apply to the CA. If the plugin returns an empty
// response or NOT_IMPLEMENTED, the server will apply the default
// attributes. Otherwise the returned attributes are used. If a CA is
// produced that does not conform to the SPIFFE X509-SVID specification for
// signing certificates, it will be rejected.
rpc ComposeServerX509CA(ComposeServerX509CARequest) returns (ComposeServerX509CAResponse);
// Composes the SPIRE Server X509-SVID. The server will supply the default
// attributes it will apply to the server X509-SVID. If the plugin returns
// an empty response or NOT_IMPLEMENTED, the server will apply the default
// attributes. Otherwise the returned attributes are used. If an X509-SVID
// is produced that does not conform to the SPIFFE X509-SVID specification
// for leaf certificates, it will be rejected. This function cannot be used
// to modify the SPIFFE ID of the X509-SVID.
rpc ComposeServerX509SVID(ComposeServerX509SVIDRequest) returns (ComposeServerX509SVIDResponse);
// Composes the SPIRE Agent X509-SVID. The server will supply the default
// attributes it will apply to the agent X509-SVID. If the plugin returns
// an empty response or NOT_IMPLEMENTED, the server will apply the default
// attributes. Otherwise the returned attributes are used. If an X509-SVID
// is produced that does not conform to the SPIFFE X509-SVID specification
// for leaf certificates, it will be rejected. This function cannot be used
// to modify the SPIFFE ID of the X509-SVID.
rpc ComposeAgentX509SVID(ComposeAgentX509SVIDRequest) returns (ComposeAgentX509SVIDResponse);
// Composes workload X509-SVIDs. The server will supply the default
// attributes it will apply to the workload X509-SVID. If the plugin
// returns an empty response or NOT_IMPLEMENTED, the server will apply the
// default attributes. Otherwise the returned attributes are used. If an
// X509-SVID is produced that does not conform to the SPIFFE X509-SVID
// specification for leaf certificates, it will be rejected. This function
// cannot be used to modify the SPIFFE ID of the X509-SVID.
rpc ComposeWorkloadX509SVID(ComposeWorkloadX509SVIDRequest) returns (ComposeWorkloadX509SVIDResponse);
// Composes workload JWT-SVIDs. The server will supply the default
// attributes it will apply to the workload JWT-SVID. If the plugin
// returns an empty response or NOT_IMPLEMENTED, the server will apply the
// default attributes. Otherwise the returned attributes are used. If a
// JWT-SVID is produced that does not conform to the SPIFFE JWT-SVID
// specification, it will be rejected. This function cannot be used to
// modify the SPIFFE ID of the JWT-SVID.
rpc ComposeWorkloadJWTSVID(ComposeWorkloadJWTSVIDRequest) returns (ComposeWorkloadJWTSVIDResponse);
}
message ComposeServerX509CARequest {
// The attributes for the server X509 CA. To maintain forward compatibility
// with future attribute field additions, these attributes SHOULD be
// mutated and used to populate the attributes field in the
// ComposeServerX509CAResponse.
X509CAAttributes attributes = 1;
}
message ComposeServerX509CAResponse {
// The attributes for the server X509 CA. To maintain forward compatibility
// with future attribute field additions, these attributes SHOULD be
// populated with the mutated attributes field in the
// ComposeServerX509CARequest. If this field is not included in the
// response, the original attributes sent in the request will be used.
X509CAAttributes attributes = 1;
}
message ComposeServerX509SVIDRequest {
// The attributes for the server X509-SVID. To maintain forward
// compatibility with future attribute field additions, these attributes
// SHOULD be mutated and used to populate the attributes field in the
// ComposeServerX509SVIDResponse.
X509SVIDAttributes attributes = 1;
}
message ComposeServerX509SVIDResponse {
// The attributes for the server X509-SVID. To maintain forward
// compatibility with future attribute field additions, these attributes
// SHOULD be populated with the mutated attributes field in the
// ComposeServerX509SVIDRequest. If this field is not included in the
// response, the original attributes sent in the request will be used.
X509SVIDAttributes attributes = 1;
}
message ComposeAgentX509SVIDRequest {
// The attributes for the agent X509-SVID. To maintain forward
// compatibility with future attribute field additions, these attributes
// SHOULD be mutated and used to populate the attributes field in the
// ComposeAgentX509SVIDResponse.
X509SVIDAttributes attributes = 1;
// The SPIFFE ID of the agent.
string spiffe_id = 2;
// PKIX encoded public key of the agent.
bytes public_key = 3;
}
message ComposeAgentX509SVIDResponse {
// The attributes for the agent X509-SVID. To maintain forward
// compatibility with future attribute field additions, these attributes
// SHOULD be populated with the mutated attributes field in the
// ComposeAgentX509SVIDRequest. If this field is not included in the
// response, the original attributes sent in the request will be used.
X509SVIDAttributes attributes = 1;
}
message ComposeWorkloadX509SVIDRequest {
// The attributes for the workload X509-SVID. To maintain forward
// compatibility with future attribute field additions, these attributes
// SHOULD be mutated and used to populate the attributes field in the
// ComposeWorkloadX509SVIDResponse.
X509SVIDAttributes attributes = 1;
// The SPIFFE ID of the workload.
string spiffe_id = 2;
// PKIX encoded public key of the workload.
bytes public_key = 3;
}
message ComposeWorkloadX509SVIDResponse {
// The attributes for the workload X509-SVID. To maintain forward
// compatibility with future attribute field additions, these attributes
// SHOULD be populated with the mutated attributes field in the
// ComposeWorkloadX509SVIDRequest. If this message is not included in the
// response, the original attributes sent in the request will be used.
X509SVIDAttributes attributes = 1;
}
message ComposeWorkloadJWTSVIDRequest {
// The attributes for the workload JWT-SVID. To maintain forward
// compatibility with future attribute field additions, these attributes
// SHOULD be mutated and used to populate the attributes field in the
// ComposeWorkloadJWTSVIDResponse.
JWTSVIDAttributes attributes = 1;
// The SPIFFE ID of the workload.
string spiffe_id = 2;
}
message ComposeWorkloadJWTSVIDResponse {
// The attributes for the workload JWT-SVID. To maintain forward
// compatibility with future attribute field additions, these attributes
// SHOULD be populated with the mutated attributes field in the
// ComposeWorkloadJWTSVIDRequest. If this field is not included in the
// response, the original attributes sent in the request will be used.
JWTSVIDAttributes attributes = 1;
}
message X509CAAttributes {
// The subject of the X509 CA.
DistinguishedName subject = 1;
// Zero or more policy identifiers (OIDs) to apply to the CA.
repeated string policy_identifiers = 2;
// Zero or more extensions to apply to the X509 CA. These will override
// any extensions otherwise added by the other fields.
repeated X509Extension extra_extensions = 3;
}
message X509SVIDAttributes {
// The subject of the X509-SVID.
DistinguishedName subject = 1;
// Zero or more DNS SANs to apply to the X509-SVID.
repeated string dns_sans = 2;
// Zero or more extensions to apply to the X509-SVID . These will override
// any extensions otherwise added by the other fields. This field cannot
// be used to change the URI SAN of the X509-SVID (i.e. the SPIFFE ID).
repeated X509Extension extra_extensions = 3;
}
message X509Extension {
// The OID of the X.509 extension (e.g. "1.2.3.4")
string oid = 1;
// Opaque value of the extension. No validity checking is performed on
// this value. Plugin implementors must ensure they are providing well
// formed values for the given extension OID.
bytes value = 2;
// Whether or not the extension is critical, i.e., must be
// handled/understood by verifiers or not.
bool critical = 3;
}
message DistinguishedName {
// Zero or more country designations.
repeated string country = 1;
// Zero or more organization designations.
repeated string organization = 2;
// Zero or more organizational unit designations.
repeated string organizational_unit = 3;
// Zero or more locality designations.
repeated string locality = 4;
// Zero or more province designations.
repeated string province = 5;
// Zero or more street address designations.
repeated string street_address = 6;
// Zero or more postal code designations.
repeated string postal_code = 7;
// The serial number designation. The attribute is only set if this field
// is non-empty.
string serial_number = 8;
// The common name designation. The attribute is only set if this field is
// non-empty.
string common_name = 9;
// Extra names, determined by oid and value, to be added to the
// distinguished names. This field is to support names not covered by the
// DistinguishedName message. It will override values specified in other
// fields in the DistinguishedName if the attributes overlap.
repeated AttributeTypeAndValue extra_names = 10;
}
message AttributeTypeAndValue {
// The OID of the attribute (e.g. "1.2.3.4").
string oid = 1;
// The value of the attribute. Only UTF-8 strings are currently supported.
// this field may be encapsulated in a oneof at a later point.
string string_value = 2;
}
message JWTSVIDAttributes {
// The JWT-SVID claims. Returned attributes must contain all of the
// claims required by the JWT-SVID specification:
//
// https://github.com/spiffe/spiffe/blob/main/standards/JWT-SVID.md
//
// The subject claim (i.e. SPIFFE ID) cannot be overriden.
google.protobuf.Struct claims = 1;
}