

Incorperate feedback
Signed-off-by: Kevin Fox <[email protected]>
kfox1111 committed Nov 6, 2024
1 parent 037ac50 commit 2f1166d
Showing 2 changed files with 21 additions and 15 deletions.
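--- a/doc/plugin_server_nodeattestor_x509pop.md
+++ b/doc/plugin_server_nodeattestor_x509pop.md
@@ -17,11 +17,11 @@ spiffe://<trust_domain>/spire/agent/x509pop/<fingerprint>
 ```
 
 | Configuration | Description | Default |
-|-----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------|
-| `spire_trust_bundle` | If true, use the spire servers own trust bundle to use for validation. | |
-| `svid_prefix` | The prefix of the SVID to use for matching valid SVIDS and exchanging them for Node SVIDs | /spire-exchange |
-| `ca_bundle_path` | The path to the trusted CA bundle on disk. The file must contain one or more PEM blocks forming the set of trusted root CA's for chain-of-trust verification. If the CA certificates are in more than one file, use `ca_bundle_paths` instead. | |
-| `ca_bundle_paths` | A list of paths to trusted CA bundles on disk. The files must contain one or more PEM blocks forming the set of trusted root CA's for chain-of-trust verification. | |
+|-----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------|
+| `mode` | If `spiffe`, use the spire servers own trust bundle to use for validation. If `external_pki`, use the specified CA(s). | external_pki |
+| `svid_prefix` | The prefix of the SVID to use for matching valid SVIDS and exchanging them for Node SVIDs | /spire-exchange |
+| `ca_bundle_path` | The path to the trusted CA bundle on disk. The file must contain one or more PEM blocks forming the set of trusted root CA's for chain-of-trust verification. If the CA certificates are in more than one file, use `ca_bundle_paths` instead. | |
+| `ca_bundle_paths` | A list of paths to trusted CA bundles on disk. The files must contain one or more PEM blocks forming the set of trusted root CA's for chain-of-trust verification. | |
 | `agent_path_template` | A URL path portion format of Agent's SPIFFE ID. Describe in text/template format. | `See [Agent Path Template](#agent-path-template) for details` |
 
 A sample configuration:
@@ -47,7 +47,7 @@ A sample configuration:
 
 ## SVID Path Prefix
 
-When spire_trust_bundle is used, the SPIFFE ID being exchanged must be prefixed by the specified svid_prefix. The prefix will be removed from the .SVIDPath before sending to the
+When mode="spiffe", the SPIFFE ID being exchanged must be prefixed by the specified svid_prefix. The prefix will be removed from the .SVIDPathTrimmed property before sending to the
 agent path template. If set to "", all prefixes are allowed and you will want to do limiting logic in in the agent_path_template.
 
 Example: if your trust domain is example.com and svid_prefix = the default of /spire-exchange, and agent path template is the default,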
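--- a/pkg/server/plugin/nodeattestor/x509pop/x509pop.go
+++ b/pkg/server/plugin/nodeattestor/x509pop/x509pop.go
@@ -38,15 +38,15 @@ func builtin(p *Plugin) catalog.BuiltIn {
 }
 
 type Config struct {
-SPIRETrustBundle bool `hcl:"spire_trust_bundle"`
+Mode string `hcl:"mode"`
 SVIDPrefix *string `hcl:"spiffe_prefix"`
 CABundlePath string `hcl:"ca_bundle_path"`
 CABundlePaths []string `hcl:"ca_bundle_paths"`
 AgentPathTemplate string `hcl:"agent_path_template"`
 }
 
 type configuration struct {
-spireTrustBundle bool
+mode string
 svidPrefix string
 trustDomain spiffeid.TrustDomain
 trustBundle *x509.CertPool
@@ -60,8 +60,14 @@ func buildConfig(coreConfig catalog.CoreConfig, hclText string, status *pluginco
 return nil
 }
 
+if hclConfig.Mode == "" {
+hclConfig.Mode = "external_pki"
+}
+if hclConfig.Mode != "external_pki" && hclConfig.Mode != "spiffe" {
+status.ReportError("mode can only be either spiffe or external_pki")
+}
 var trustBundles []*x509.Certificate
-if !hclConfig.SPIRETrustBundle {
+if hclConfig.Mode == "external_pki" {
 var caPaths []string
 if hclConfig.CABundlePath != "" && len(hclConfig.CABundlePaths) > 0 {
 status.ReportError("only one of ca_bundle_path or ca_bundle_paths can be configured, not both")
@@ -84,12 +90,12 @@ func buildConfig(coreConfig catalog.CoreConfig, hclText string, status *pluginco
 }
 }
 
-if hclConfig.SPIRETrustBundle && (hclConfig.CABundlePath != "" || len(hclConfig.CABundlePaths) > 0) {
-status.ReportError("you can not use spire_trust_bundle along with either ca_bundle_path or ca_bundle_paths")
+if hclConfig.Mode == "spiffe" && (hclConfig.CABundlePath != "" || len(hclConfig.CABundlePaths) > 0) {
+status.ReportError("you can not use ca_bundle_path or ca_bundle_paths in spiffe mode")
 }
 
 pathTemplate := x509pop.DefaultAgentPathTemplateCN
-if hclConfig.SPIRETrustBundle {
+if hclConfig.Mode == "spiffe" {
 pathTemplate = x509pop.DefaultAgentPathTemplateSVID
 }
 if len(hclConfig.AgentPathTemplate) > 0 {
@@ -114,7 +120,7 @@ func buildConfig(coreConfig catalog.CoreConfig, hclText string, status *pluginco
 trustDomain: coreConfig.TrustDomain,
 trustBundle: util.NewCertPool(trustBundles...),
 pathTemplate: pathTemplate,
-spireTrustBundle: hclConfig.SPIRETrustBundle,
+mode: hclConfig.Mode,
 svidPrefix: svidPrefix,
 }
 
@@ -180,7 +186,7 @@ func (p *Plugin) Attest(stream nodeattestorv1.NodeAttestor_AttestServer) error {
 }
 
 trustBundle := config.trustBundle
-if config.spireTrustBundle {
+if config.mode == "spiffe" {
 trustBundle, err = p.getTrustBundle(stream.Context())
 if err != nil {
 return status.Errorf(codes.Internal, "failed to get trust bundle: %v", err)
@@ -233,7 +239,7 @@ func (p *Plugin) Attest(stream nodeattestorv1.NodeAttestor_AttestServer) error {
 }
 
 svidPath := ""
-if config.spireTrustBundle {
+if config.mode == "spiffe" {
 if len(leaf.URIs) == 0 {
 return status.Errorf(codes.PermissionDenied, "valid SVID x509 cert not found")
 }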
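Review bot: An invalid `mode` is reported in the second hunk of buildConfig but execution continues with `hclConfig.Mode` still holding the bad value, so neither the `external_pki` CA-loading branch nor the `spiffe` path-template default runs and the configuration that is built at the end (outside the hunk) would carry an empty `trustBundle`; that is only safe if `status.ReportError` makes the caller discard the result, which these hunks do not show, so add `return nil` immediately after that ReportError, the way the check just above the hunk does. The literals `"spiffe"` and `"external_pki"` are now compared in six places across buildConfig and Attest, and a typo in any one of them silently changes which trust bundle validates the attesting certificate; hoist them to `const ( modeSPIFFE = "spiffe"; modeExternalPKI = "external_pki" )` and compare against those everywhere. Separately, the unchanged `SVIDPrefix` field is tagged `hcl:"spiffe_prefix"` while the documentation updated in this same commit names the option `svid_prefix`; if the HCL decoder ignores unknown keys, an operator's `svid_prefix` setting would be dropped and the default `/spire-exchange` prefix applied without any error.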
