From 475da92965a2418f1416b49f2ed9cd48c73c4c5c Mon Sep 17 00:00:00 2001 From: Sorin Dumitru Date: Thu, 23 Oct 2025 13:43:26 +0100 Subject: [PATCH 1/5] Add types and RPCs for WIT-SVID This contains the types and RPCs for some basic functionality for WIT-SVIDs to work. Extra functionality is required for UpstreamAuthority spire to function and for tainting and revoking keys. Signed-off-by: Sorin Dumitru --- Makefile | 1 + proto/spire/api/server/bundle/v1/bundle.pb.go | 372 ++++++++----- proto/spire/api/server/bundle/v1/bundle.proto | 24 + .../api/server/bundle/v1/bundle_grpc.pb.go | 54 ++ proto/spire/api/server/svid/v1/svid.pb.go | 497 +++++++++++++++--- proto/spire/api/server/svid/v1/svid.proto | 60 +++ .../spire/api/server/svid/v1/svid_grpc.pb.go | 92 ++++ proto/spire/api/types/bundle.pb.go | 132 ++++- proto/spire/api/types/bundle.proto | 21 + proto/spire/api/types/witsvid.pb.go | 172 ++++++ proto/spire/api/types/witsvid.proto | 28 + 11 files changed, 1233 insertions(+), 220 deletions(-) create mode 100644 proto/spire/api/types/witsvid.pb.go create mode 100644 proto/spire/api/types/witsvid.proto diff --git a/Makefile b/Makefile index 638ce54..e848eb1 100644 --- a/Makefile +++ b/Makefile @@ -28,6 +28,7 @@ protos := \ proto/spire/api/types/spiffeid.proto \ proto/spire/api/types/status.proto \ proto/spire/api/types/x509svid.proto \ + proto/spire/api/types/witsvid.proto \ apiprotos := \ diff --git a/proto/spire/api/server/bundle/v1/bundle.pb.go b/proto/spire/api/server/bundle/v1/bundle.pb.go index cad9c9b..ce6c3b3 100644 --- a/proto/spire/api/server/bundle/v1/bundle.pb.go +++ b/proto/spire/api/server/bundle/v1/bundle.pb.go 
@@ -73,7 +73,7 @@ func (x BatchDeleteFederatedBundleRequest_Mode) Number() protoreflect.EnumNumber // Deprecated: Use BatchDeleteFederatedBundleRequest_Mode.Descriptor instead. func (BatchDeleteFederatedBundleRequest_Mode) EnumDescriptor() ([]byte, []int) { - return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{15, 0} + return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{17, 0} } type CountBundlesRequest struct { @@ -209,9 +209,11 @@ type AppendBundleRequest struct { // JWT authorities to append. JwtAuthorities []*types.JWTKey `protobuf:"bytes,2,rep,name=jwt_authorities,json=jwtAuthorities,proto3" json:"jwt_authorities,omitempty"` // An output mask indicating which bundle fields are set in the response. - OutputMask *types.BundleMask `protobuf:"bytes,3,opt,name=output_mask,json=outputMask,proto3" json:"output_mask,omitempty"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache + OutputMask *types.BundleMask `protobuf:"bytes,3,opt,name=output_mask,json=outputMask,proto3" json:"output_mask,omitempty"` + // WIT authorities to append. + WitAuthorities []*types.WITKey `protobuf:"bytes,4,rep,name=wit_authorities,json=witAuthorities,proto3" json:"wit_authorities,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache } func (x *AppendBundleRequest) Reset() { @@ -265,6 +267,13 @@ func (x *AppendBundleRequest) GetOutputMask() *types.BundleMask { return nil } +func (x *AppendBundleRequest) GetWitAuthorities() []*types.WITKey { + if x != nil { + return x.WitAuthorities + } + return nil +} + type PublishJWTAuthorityRequest struct { state protoimpl.MessageState `protogen:"open.v1"` // Required. The JWT authority to publish. 
@@ -355,6 +364,96 @@ func (x *PublishJWTAuthorityResponse) GetJwtAuthorities() []*types.JWTKey { return nil } +type PublishWITAuthorityRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + // Required. The WIT authority to publish. + WitAuthority *types.WITKey `protobuf:"bytes,1,opt,name=wit_authority,json=witAuthority,proto3" json:"wit_authority,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *PublishWITAuthorityRequest) Reset() { + *x = PublishWITAuthorityRequest{} + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[6] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *PublishWITAuthorityRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*PublishWITAuthorityRequest) ProtoMessage() {} + +func (x *PublishWITAuthorityRequest) ProtoReflect() protoreflect.Message { + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[6] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use PublishWITAuthorityRequest.ProtoReflect.Descriptor instead. +func (*PublishWITAuthorityRequest) Descriptor() ([]byte, []int) { + return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{6} +} + +func (x *PublishWITAuthorityRequest) GetWitAuthority() *types.WITKey { + if x != nil { + return x.WitAuthority + } + return nil +} + +type PublishWITAuthorityResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + // The WIT authorities for the trust domain. 
+ WitAuthorities []*types.WITKey `protobuf:"bytes,1,rep,name=wit_authorities,json=witAuthorities,proto3" json:"wit_authorities,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *PublishWITAuthorityResponse) Reset() { + *x = PublishWITAuthorityResponse{} + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[7] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *PublishWITAuthorityResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*PublishWITAuthorityResponse) ProtoMessage() {} + +func (x *PublishWITAuthorityResponse) ProtoReflect() protoreflect.Message { + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[7] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use PublishWITAuthorityResponse.ProtoReflect.Descriptor instead. +func (*PublishWITAuthorityResponse) Descriptor() ([]byte, []int) { + return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{7} +} + +func (x *PublishWITAuthorityResponse) GetWitAuthorities() []*types.WITKey { + if x != nil { + return x.WitAuthorities + } + return nil +} + type ListFederatedBundlesRequest struct { state protoimpl.MessageState `protogen:"open.v1"` // An output mask indicating which bundle fields are set in the response. @@ -370,7 +469,7 @@ type ListFederatedBundlesRequest struct { func (x *ListFederatedBundlesRequest) Reset() { *x = ListFederatedBundlesRequest{} - mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[6] + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[8] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -382,7 +481,7 @@ func (x *ListFederatedBundlesRequest) String() string { func (*ListFederatedBundlesRequest) ProtoMessage() {} func (x *ListFederatedBundlesRequest) ProtoReflect() protoreflect.Message { - mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[6] + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[8] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -395,7 +494,7 @@ func (x *ListFederatedBundlesRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use ListFederatedBundlesRequest.ProtoReflect.Descriptor instead. func (*ListFederatedBundlesRequest) Descriptor() ([]byte, []int) { - return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{6} + return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{8} } func (x *ListFederatedBundlesRequest) GetOutputMask() *types.BundleMask { @@ -433,7 +532,7 @@ type ListFederatedBundlesResponse struct { func (x *ListFederatedBundlesResponse) Reset() { *x = ListFederatedBundlesResponse{} - mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[7] + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[9] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -445,7 +544,7 @@ func (x *ListFederatedBundlesResponse) String() string { func (*ListFederatedBundlesResponse) ProtoMessage() {} func (x *ListFederatedBundlesResponse) ProtoReflect() protoreflect.Message { - mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[7] + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[9] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -458,7 +557,7 @@ func (x *ListFederatedBundlesResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use ListFederatedBundlesResponse.ProtoReflect.Descriptor instead. func (*ListFederatedBundlesResponse) Descriptor() ([]byte, []int) { - return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{7} + return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{9} } func (x *ListFederatedBundlesResponse) GetBundles() []*types.Bundle { @@ -487,7 +586,7 @@ type GetFederatedBundleRequest struct { func (x *GetFederatedBundleRequest) Reset() { *x = GetFederatedBundleRequest{} - mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[8] + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[10] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -499,7 +598,7 @@ func (x *GetFederatedBundleRequest) String() string { func (*GetFederatedBundleRequest) ProtoMessage() {} func (x *GetFederatedBundleRequest) ProtoReflect() protoreflect.Message { - mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[8] + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[10] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -512,7 +611,7 @@ func (x *GetFederatedBundleRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use GetFederatedBundleRequest.ProtoReflect.Descriptor instead. func (*GetFederatedBundleRequest) Descriptor() ([]byte, []int) { - return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{8} + return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{10} } func (x *GetFederatedBundleRequest) GetTrustDomain() string { 
@@ -541,7 +640,7 @@ type BatchCreateFederatedBundleRequest struct { func (x *BatchCreateFederatedBundleRequest) Reset() { *x = BatchCreateFederatedBundleRequest{} - mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[9] + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[11] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -553,7 +652,7 @@ func (x *BatchCreateFederatedBundleRequest) String() string { func (*BatchCreateFederatedBundleRequest) ProtoMessage() {} func (x *BatchCreateFederatedBundleRequest) ProtoReflect() protoreflect.Message { - mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[9] + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[11] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -566,7 +665,7 @@ func (x *BatchCreateFederatedBundleRequest) ProtoReflect() protoreflect.Message // Deprecated: Use BatchCreateFederatedBundleRequest.ProtoReflect.Descriptor instead. func (*BatchCreateFederatedBundleRequest) Descriptor() ([]byte, []int) { - return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{9} + return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{11} } func (x *BatchCreateFederatedBundleRequest) GetBundle() []*types.Bundle { @@ -593,7 +692,7 @@ type BatchCreateFederatedBundleResponse struct { func (x *BatchCreateFederatedBundleResponse) Reset() { *x = BatchCreateFederatedBundleResponse{} - mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[10] + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[12] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -605,7 +704,7 @@ func (x *BatchCreateFederatedBundleResponse) String() string { func (*BatchCreateFederatedBundleResponse) ProtoMessage() {} func (x *BatchCreateFederatedBundleResponse) ProtoReflect() protoreflect.Message { - mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[10] + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[12] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -618,7 +717,7 @@ func (x *BatchCreateFederatedBundleResponse) ProtoReflect() protoreflect.Message // Deprecated: Use BatchCreateFederatedBundleResponse.ProtoReflect.Descriptor instead. func (*BatchCreateFederatedBundleResponse) Descriptor() ([]byte, []int) { - return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{10} + return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{12} } func (x *BatchCreateFederatedBundleResponse) GetResults() []*BatchCreateFederatedBundleResponse_Result { @@ -642,7 +741,7 @@ type BatchUpdateFederatedBundleRequest struct { func (x *BatchUpdateFederatedBundleRequest) Reset() { *x = BatchUpdateFederatedBundleRequest{} - mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[11] + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[13] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -654,7 +753,7 @@ func (x *BatchUpdateFederatedBundleRequest) String() string { func (*BatchUpdateFederatedBundleRequest) ProtoMessage() {} func (x *BatchUpdateFederatedBundleRequest) ProtoReflect() protoreflect.Message { - mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[11] + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[13] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -667,7 +766,7 @@ func (x *BatchUpdateFederatedBundleRequest) ProtoReflect() protoreflect.Message // Deprecated: Use BatchUpdateFederatedBundleRequest.ProtoReflect.Descriptor instead. func (*BatchUpdateFederatedBundleRequest) Descriptor() ([]byte, []int) { - return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{11} + return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{13} } func (x *BatchUpdateFederatedBundleRequest) GetBundle() []*types.Bundle { @@ -701,7 +800,7 @@ type BatchUpdateFederatedBundleResponse struct { func (x *BatchUpdateFederatedBundleResponse) Reset() { *x = BatchUpdateFederatedBundleResponse{} - mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[12] + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[14] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -713,7 +812,7 @@ func (x *BatchUpdateFederatedBundleResponse) String() string { func (*BatchUpdateFederatedBundleResponse) ProtoMessage() {} func (x *BatchUpdateFederatedBundleResponse) ProtoReflect() protoreflect.Message { - mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[12] + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[14] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -726,7 +825,7 @@ func (x *BatchUpdateFederatedBundleResponse) ProtoReflect() protoreflect.Message // Deprecated: Use BatchUpdateFederatedBundleResponse.ProtoReflect.Descriptor instead. func (*BatchUpdateFederatedBundleResponse) Descriptor() ([]byte, []int) { - return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{12} + return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{14} } func (x *BatchUpdateFederatedBundleResponse) GetResults() []*BatchUpdateFederatedBundleResponse_Result { 
@@ -748,7 +847,7 @@ type BatchSetFederatedBundleRequest struct { func (x *BatchSetFederatedBundleRequest) Reset() { *x = BatchSetFederatedBundleRequest{} - mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[13] + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[15] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -760,7 +859,7 @@ func (x *BatchSetFederatedBundleRequest) String() string { func (*BatchSetFederatedBundleRequest) ProtoMessage() {} func (x *BatchSetFederatedBundleRequest) ProtoReflect() protoreflect.Message { - mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[13] + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[15] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -773,7 +872,7 @@ func (x *BatchSetFederatedBundleRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use BatchSetFederatedBundleRequest.ProtoReflect.Descriptor instead. func (*BatchSetFederatedBundleRequest) Descriptor() ([]byte, []int) { - return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{13} + return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{15} } func (x *BatchSetFederatedBundleRequest) GetBundle() []*types.Bundle { @@ -800,7 +899,7 @@ type BatchSetFederatedBundleResponse struct { func (x *BatchSetFederatedBundleResponse) Reset() { *x = BatchSetFederatedBundleResponse{} - mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[14] + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[16] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -812,7 +911,7 @@ func (x *BatchSetFederatedBundleResponse) String() string { func (*BatchSetFederatedBundleResponse) ProtoMessage() {} func (x *BatchSetFederatedBundleResponse) ProtoReflect() protoreflect.Message { - mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[14] + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[16] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -825,7 +924,7 @@ func (x *BatchSetFederatedBundleResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use BatchSetFederatedBundleResponse.ProtoReflect.Descriptor instead. func (*BatchSetFederatedBundleResponse) Descriptor() ([]byte, []int) { - return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{14} + return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{16} } func (x *BatchSetFederatedBundleResponse) GetResults() []*BatchSetFederatedBundleResponse_Result { @@ -847,7 +946,7 @@ type BatchDeleteFederatedBundleRequest struct { func (x *BatchDeleteFederatedBundleRequest) Reset() { *x = BatchDeleteFederatedBundleRequest{} - mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[15] + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[17] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -859,7 +958,7 @@ func (x *BatchDeleteFederatedBundleRequest) String() string { func (*BatchDeleteFederatedBundleRequest) ProtoMessage() {} func (x *BatchDeleteFederatedBundleRequest) ProtoReflect() protoreflect.Message { - mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[15] + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[17] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -872,7 +971,7 @@ func (x *BatchDeleteFederatedBundleRequest) ProtoReflect() protoreflect.Message // Deprecated: Use BatchDeleteFederatedBundleRequest.ProtoReflect.Descriptor instead. func (*BatchDeleteFederatedBundleRequest) Descriptor() ([]byte, []int) { - return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{15} + return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{17} } func (x *BatchDeleteFederatedBundleRequest) GetTrustDomains() []string { @@ -899,7 +998,7 @@ type BatchDeleteFederatedBundleResponse struct { func (x *BatchDeleteFederatedBundleResponse) Reset() { *x = BatchDeleteFederatedBundleResponse{} - mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[16] + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[18] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -911,7 +1010,7 @@ func (x *BatchDeleteFederatedBundleResponse) String() string { func (*BatchDeleteFederatedBundleResponse) ProtoMessage() {} func (x *BatchDeleteFederatedBundleResponse) ProtoReflect() protoreflect.Message { - mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[16] + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[18] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -924,7 +1023,7 @@ func (x *BatchDeleteFederatedBundleResponse) ProtoReflect() protoreflect.Message // Deprecated: Use BatchDeleteFederatedBundleResponse.ProtoReflect.Descriptor instead. func (*BatchDeleteFederatedBundleResponse) Descriptor() ([]byte, []int) { - return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{16} + return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{18} } func (x *BatchDeleteFederatedBundleResponse) GetResults() []*BatchDeleteFederatedBundleResponse_Result { 
@@ -946,7 +1045,7 @@ type BatchCreateFederatedBundleResponse_Result struct { func (x *BatchCreateFederatedBundleResponse_Result) Reset() { *x = BatchCreateFederatedBundleResponse_Result{} - mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[17] + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[19] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -958,7 +1057,7 @@ func (x *BatchCreateFederatedBundleResponse_Result) String() string { func (*BatchCreateFederatedBundleResponse_Result) ProtoMessage() {} func (x *BatchCreateFederatedBundleResponse_Result) ProtoReflect() protoreflect.Message { - mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[17] + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[19] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -971,7 +1070,7 @@ func (x *BatchCreateFederatedBundleResponse_Result) ProtoReflect() protoreflect. // Deprecated: Use BatchCreateFederatedBundleResponse_Result.ProtoReflect.Descriptor instead. func (*BatchCreateFederatedBundleResponse_Result) Descriptor() ([]byte, []int) { - return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{10, 0} + return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{12, 0} } func (x *BatchCreateFederatedBundleResponse_Result) GetStatus() *types.Status { @@ -1000,7 +1099,7 @@ type BatchUpdateFederatedBundleResponse_Result struct { func (x *BatchUpdateFederatedBundleResponse_Result) Reset() { *x = BatchUpdateFederatedBundleResponse_Result{} - mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[18] + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[20] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -1012,7 +1111,7 @@ func (x *BatchUpdateFederatedBundleResponse_Result) String() string { func (*BatchUpdateFederatedBundleResponse_Result) ProtoMessage() {} func (x *BatchUpdateFederatedBundleResponse_Result) ProtoReflect() protoreflect.Message { - mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[18] + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[20] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1025,7 +1124,7 @@ func (x *BatchUpdateFederatedBundleResponse_Result) ProtoReflect() protoreflect. // Deprecated: Use BatchUpdateFederatedBundleResponse_Result.ProtoReflect.Descriptor instead. func (*BatchUpdateFederatedBundleResponse_Result) Descriptor() ([]byte, []int) { - return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{12, 0} + return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{14, 0} } func (x *BatchUpdateFederatedBundleResponse_Result) GetStatus() *types.Status { @@ -1054,7 +1153,7 @@ type BatchSetFederatedBundleResponse_Result struct { func (x *BatchSetFederatedBundleResponse_Result) Reset() { *x = BatchSetFederatedBundleResponse_Result{} - mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[19] + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[21] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1066,7 +1165,7 @@ func (x *BatchSetFederatedBundleResponse_Result) String() string { func (*BatchSetFederatedBundleResponse_Result) ProtoMessage() {} func (x *BatchSetFederatedBundleResponse_Result) ProtoReflect() protoreflect.Message { - mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[19] + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[21] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -1079,7 +1178,7 @@ func (x *BatchSetFederatedBundleResponse_Result) ProtoReflect() protoreflect.Mes // Deprecated: Use BatchSetFederatedBundleResponse_Result.ProtoReflect.Descriptor instead. func (*BatchSetFederatedBundleResponse_Result) Descriptor() ([]byte, []int) { - return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{14, 0} + return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{16, 0} } func (x *BatchSetFederatedBundleResponse_Result) GetStatus() *types.Status { @@ -1109,7 +1208,7 @@ type BatchDeleteFederatedBundleResponse_Result struct { func (x *BatchDeleteFederatedBundleResponse_Result) Reset() { *x = BatchDeleteFederatedBundleResponse_Result{} - mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[20] + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[22] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1121,7 +1220,7 @@ func (x *BatchDeleteFederatedBundleResponse_Result) String() string { func (*BatchDeleteFederatedBundleResponse_Result) ProtoMessage() {} func (x *BatchDeleteFederatedBundleResponse_Result) ProtoReflect() protoreflect.Message { - mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[20] + mi := &file_spire_api_server_bundle_v1_bundle_proto_msgTypes[22] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1134,7 +1233,7 @@ func (x *BatchDeleteFederatedBundleResponse_Result) ProtoReflect() protoreflect. // Deprecated: Use BatchDeleteFederatedBundleResponse_Result.ProtoReflect.Descriptor instead. func (*BatchDeleteFederatedBundleResponse_Result) Descriptor() ([]byte, []int) { - return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{16, 0} + return file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP(), []int{18, 0} } func (x *BatchDeleteFederatedBundleResponse_Result) GetStatus() *types.Status { 
@@ -1161,16 +1260,21 @@ const file_spire_api_server_bundle_v1_bundle_proto_rawDesc = "" + "\x05count\x18\x01 \x01(\x05R\x05count\"P\n" + "\x10GetBundleRequest\x12<\n" + "\voutput_mask\x18\x01 \x01(\v2\x1b.spire.api.types.BundleMaskR\n" + - "outputMask\"\xe2\x01\n" + + "outputMask\"\xa4\x02\n" + "\x13AppendBundleRequest\x12K\n" + "\x10x509_authorities\x18\x01 \x03(\v2 .spire.api.types.X509CertificateR\x0fx509Authorities\x12@\n" + "\x0fjwt_authorities\x18\x02 \x03(\v2\x17.spire.api.types.JWTKeyR\x0ejwtAuthorities\x12<\n" + "\voutput_mask\x18\x03 \x01(\v2\x1b.spire.api.types.BundleMaskR\n" + - "outputMask\"Z\n" + + "outputMask\x12@\n" + + "\x0fwit_authorities\x18\x04 \x03(\v2\x17.spire.api.types.WITKeyR\x0ewitAuthorities\"Z\n" + "\x1aPublishJWTAuthorityRequest\x12<\n" + "\rjwt_authority\x18\x01 \x01(\v2\x17.spire.api.types.JWTKeyR\fjwtAuthority\"_\n" + "\x1bPublishJWTAuthorityResponse\x12@\n" + - "\x0fjwt_authorities\x18\x01 \x03(\v2\x17.spire.api.types.JWTKeyR\x0ejwtAuthorities\"\x97\x01\n" + + "\x0fjwt_authorities\x18\x01 \x03(\v2\x17.spire.api.types.JWTKeyR\x0ejwtAuthorities\"Z\n" + + "\x1aPublishWITAuthorityRequest\x12<\n" + + "\rwit_authority\x18\x01 \x01(\v2\x17.spire.api.types.WITKeyR\fwitAuthority\"_\n" + + "\x1bPublishWITAuthorityResponse\x12@\n" + + "\x0fwit_authorities\x18\x01 \x03(\v2\x17.spire.api.types.WITKeyR\x0ewitAuthorities\"\x97\x01\n" + "\x1bListFederatedBundlesRequest\x12<\n" + "\voutput_mask\x18\x01 \x01(\v2\x1b.spire.api.types.BundleMaskR\n" + "outputMask\x12\x1b\n" + 
@@ -1226,13 +1330,13 @@ const file_spire_api_server_bundle_v1_bundle_proto_rawDesc = "" + "\aresults\x18\x01 \x03(\v2E.spire.api.server.bundle.v1.BatchDeleteFederatedBundleResponse.ResultR\aresults\x1a\\\n" + "\x06Result\x12/\n" + "\x06status\x18\x01 \x01(\v2\x17.spire.api.types.StatusR\x06status\x12!\n" + - "\ftrust_domain\x18\x02 \x01(\tR\vtrustDomain2\x93\n" + - "\n" + + "\ftrust_domain\x18\x02 \x01(\tR\vtrustDomain2\x9c\v\n" + "\x06Bundle\x12q\n" + "\fCountBundles\x12/.spire.api.server.bundle.v1.CountBundlesRequest\x1a0.spire.api.server.bundle.v1.CountBundlesResponse\x12R\n" + "\tGetBundle\x12,.spire.api.server.bundle.v1.GetBundleRequest\x1a\x17.spire.api.types.Bundle\x12X\n" + "\fAppendBundle\x12/.spire.api.server.bundle.v1.AppendBundleRequest\x1a\x17.spire.api.types.Bundle\x12\x86\x01\n" + - "\x13PublishJWTAuthority\x126.spire.api.server.bundle.v1.PublishJWTAuthorityRequest\x1a7.spire.api.server.bundle.v1.PublishJWTAuthorityResponse\x12\x89\x01\n" + + "\x13PublishJWTAuthority\x126.spire.api.server.bundle.v1.PublishJWTAuthorityRequest\x1a7.spire.api.server.bundle.v1.PublishJWTAuthorityResponse\x12\x86\x01\n" + + "\x13PublisWITTAuthority\x126.spire.api.server.bundle.v1.PublishWITAuthorityRequest\x1a7.spire.api.server.bundle.v1.PublishWITAuthorityResponse\x12\x89\x01\n" + "\x14ListFederatedBundles\x127.spire.api.server.bundle.v1.ListFederatedBundlesRequest\x1a8.spire.api.server.bundle.v1.ListFederatedBundlesResponse\x12d\n" + "\x12GetFederatedBundle\x125.spire.api.server.bundle.v1.GetFederatedBundleRequest\x1a\x17.spire.api.types.Bundle\x12\x9b\x01\n" + "\x1aBatchCreateFederatedBundle\x12=.spire.api.server.bundle.v1.BatchCreateFederatedBundleRequest\x1a>.spire.api.server.bundle.v1.BatchCreateFederatedBundleResponse\x12\x9b\x01\n" + 
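Review bot: The added service entry registers the new RPC as `PublisWITTAuthority` (the `+` line following `PublishJWTAuthority`), while the request and response messages it points at are spelled `PublishWITAuthorityRequest`/`PublishWITAuthorityResponse`, so this is almost certainly a typo in the `rpc` line of `bundle.proto` (not shown in this chunk) carried into the generated descriptor, and the length byte `\x13` confirms the 19-character misspelling is in the bytes rather than an extraction artifact. The full method name `/spire.api.server.bundle.v1.Bundle/PublisWITTAuthority` is what gRPC sends on the wire and, as far as I can tell, the identifier SPIRE's per-method authorization policy and audit logs are keyed on, so shipping it would make the misspelling a permanent, allow-listed API name, and renaming it afterwards is a wire-incompatible change for every client and policy. Fix the source line to `rpc PublishWITAuthority(PublishWITAuthorityRequest) returns (PublishWITAuthorityResponse);` and regenerate `bundle.pb.go` and `bundle_grpc.pb.go` (which presumably carries the same misspelled Go method name) rather than hand-editing the descriptor bytes. The `rawDesc` constant this hunk modifies begins and ends outside the hunk.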
@@ -1253,7 +1357,7 @@ func file_spire_api_server_bundle_v1_bundle_proto_rawDescGZIP() []byte { } var file_spire_api_server_bundle_v1_bundle_proto_enumTypes = make([]protoimpl.EnumInfo, 1) -var file_spire_api_server_bundle_v1_bundle_proto_msgTypes = make([]protoimpl.MessageInfo, 21) +var file_spire_api_server_bundle_v1_bundle_proto_msgTypes = make([]protoimpl.MessageInfo, 23) var file_spire_api_server_bundle_v1_bundle_proto_goTypes = []any{ (BatchDeleteFederatedBundleRequest_Mode)(0), // 0: spire.api.server.bundle.v1.BatchDeleteFederatedBundleRequest.Mode (*CountBundlesRequest)(nil), // 1: spire.api.server.bundle.v1.CountBundlesRequest 
@@ -1262,81 +1366,89 @@ var file_spire_api_server_bundle_v1_bundle_proto_goTypes = []any{ (*AppendBundleRequest)(nil), // 4: spire.api.server.bundle.v1.AppendBundleRequest (*PublishJWTAuthorityRequest)(nil), // 5: spire.api.server.bundle.v1.PublishJWTAuthorityRequest (*PublishJWTAuthorityResponse)(nil), // 6: spire.api.server.bundle.v1.PublishJWTAuthorityResponse - (*ListFederatedBundlesRequest)(nil), // 7: spire.api.server.bundle.v1.ListFederatedBundlesRequest - (*ListFederatedBundlesResponse)(nil), // 8: spire.api.server.bundle.v1.ListFederatedBundlesResponse - (*GetFederatedBundleRequest)(nil), // 9: spire.api.server.bundle.v1.GetFederatedBundleRequest - (*BatchCreateFederatedBundleRequest)(nil), // 10: spire.api.server.bundle.v1.BatchCreateFederatedBundleRequest - (*BatchCreateFederatedBundleResponse)(nil), // 11: spire.api.server.bundle.v1.BatchCreateFederatedBundleResponse - (*BatchUpdateFederatedBundleRequest)(nil), // 12: spire.api.server.bundle.v1.BatchUpdateFederatedBundleRequest - (*BatchUpdateFederatedBundleResponse)(nil), // 13: spire.api.server.bundle.v1.BatchUpdateFederatedBundleResponse - (*BatchSetFederatedBundleRequest)(nil), // 14: spire.api.server.bundle.v1.BatchSetFederatedBundleRequest - (*BatchSetFederatedBundleResponse)(nil), // 15: spire.api.server.bundle.v1.BatchSetFederatedBundleResponse - (*BatchDeleteFederatedBundleRequest)(nil), // 16: spire.api.server.bundle.v1.BatchDeleteFederatedBundleRequest - (*BatchDeleteFederatedBundleResponse)(nil), // 17: spire.api.server.bundle.v1.BatchDeleteFederatedBundleResponse - (*BatchCreateFederatedBundleResponse_Result)(nil), // 18: spire.api.server.bundle.v1.BatchCreateFederatedBundleResponse.Result - (*BatchUpdateFederatedBundleResponse_Result)(nil), // 19: spire.api.server.bundle.v1.BatchUpdateFederatedBundleResponse.Result - (*BatchSetFederatedBundleResponse_Result)(nil), // 20: spire.api.server.bundle.v1.BatchSetFederatedBundleResponse.Result - (*BatchDeleteFederatedBundleResponse_Result)(nil), 
// 21: spire.api.server.bundle.v1.BatchDeleteFederatedBundleResponse.Result - (*types.BundleMask)(nil), // 22: spire.api.types.BundleMask - (*types.X509Certificate)(nil), // 23: spire.api.types.X509Certificate - (*types.JWTKey)(nil), // 24: spire.api.types.JWTKey - (*types.Bundle)(nil), // 25: spire.api.types.Bundle - (*types.Status)(nil), // 26: spire.api.types.Status + (*PublishWITAuthorityRequest)(nil), // 7: spire.api.server.bundle.v1.PublishWITAuthorityRequest + (*PublishWITAuthorityResponse)(nil), // 8: spire.api.server.bundle.v1.PublishWITAuthorityResponse + (*ListFederatedBundlesRequest)(nil), // 9: spire.api.server.bundle.v1.ListFederatedBundlesRequest + (*ListFederatedBundlesResponse)(nil), // 10: spire.api.server.bundle.v1.ListFederatedBundlesResponse + (*GetFederatedBundleRequest)(nil), // 11: spire.api.server.bundle.v1.GetFederatedBundleRequest + (*BatchCreateFederatedBundleRequest)(nil), // 12: spire.api.server.bundle.v1.BatchCreateFederatedBundleRequest + (*BatchCreateFederatedBundleResponse)(nil), // 13: spire.api.server.bundle.v1.BatchCreateFederatedBundleResponse + (*BatchUpdateFederatedBundleRequest)(nil), // 14: spire.api.server.bundle.v1.BatchUpdateFederatedBundleRequest + (*BatchUpdateFederatedBundleResponse)(nil), // 15: spire.api.server.bundle.v1.BatchUpdateFederatedBundleResponse + (*BatchSetFederatedBundleRequest)(nil), // 16: spire.api.server.bundle.v1.BatchSetFederatedBundleRequest + (*BatchSetFederatedBundleResponse)(nil), // 17: spire.api.server.bundle.v1.BatchSetFederatedBundleResponse + (*BatchDeleteFederatedBundleRequest)(nil), // 18: spire.api.server.bundle.v1.BatchDeleteFederatedBundleRequest + (*BatchDeleteFederatedBundleResponse)(nil), // 19: spire.api.server.bundle.v1.BatchDeleteFederatedBundleResponse + (*BatchCreateFederatedBundleResponse_Result)(nil), // 20: spire.api.server.bundle.v1.BatchCreateFederatedBundleResponse.Result + (*BatchUpdateFederatedBundleResponse_Result)(nil), // 21: 
spire.api.server.bundle.v1.BatchUpdateFederatedBundleResponse.Result + (*BatchSetFederatedBundleResponse_Result)(nil), // 22: spire.api.server.bundle.v1.BatchSetFederatedBundleResponse.Result + (*BatchDeleteFederatedBundleResponse_Result)(nil), // 23: spire.api.server.bundle.v1.BatchDeleteFederatedBundleResponse.Result + (*types.BundleMask)(nil), // 24: spire.api.types.BundleMask + (*types.X509Certificate)(nil), // 25: spire.api.types.X509Certificate + (*types.JWTKey)(nil), // 26: spire.api.types.JWTKey + (*types.WITKey)(nil), // 27: spire.api.types.WITKey + (*types.Bundle)(nil), // 28: spire.api.types.Bundle + (*types.Status)(nil), // 29: spire.api.types.Status } var file_spire_api_server_bundle_v1_bundle_proto_depIdxs = []int32{ - 22, // 0: spire.api.server.bundle.v1.GetBundleRequest.output_mask:type_name -> spire.api.types.BundleMask - 23, // 1: spire.api.server.bundle.v1.AppendBundleRequest.x509_authorities:type_name -> spire.api.types.X509Certificate - 24, // 2: spire.api.server.bundle.v1.AppendBundleRequest.jwt_authorities:type_name -> spire.api.types.JWTKey - 22, // 3: spire.api.server.bundle.v1.AppendBundleRequest.output_mask:type_name -> spire.api.types.BundleMask - 24, // 4: spire.api.server.bundle.v1.PublishJWTAuthorityRequest.jwt_authority:type_name -> spire.api.types.JWTKey - 24, // 5: spire.api.server.bundle.v1.PublishJWTAuthorityResponse.jwt_authorities:type_name -> spire.api.types.JWTKey - 22, // 6: spire.api.server.bundle.v1.ListFederatedBundlesRequest.output_mask:type_name -> spire.api.types.BundleMask - 25, // 7: spire.api.server.bundle.v1.ListFederatedBundlesResponse.bundles:type_name -> spire.api.types.Bundle - 22, // 8: spire.api.server.bundle.v1.GetFederatedBundleRequest.output_mask:type_name -> spire.api.types.BundleMask - 25, // 9: spire.api.server.bundle.v1.BatchCreateFederatedBundleRequest.bundle:type_name -> spire.api.types.Bundle - 22, // 10: spire.api.server.bundle.v1.BatchCreateFederatedBundleRequest.output_mask:type_name -> 
spire.api.types.BundleMask - 18, // 11: spire.api.server.bundle.v1.BatchCreateFederatedBundleResponse.results:type_name -> spire.api.server.bundle.v1.BatchCreateFederatedBundleResponse.Result - 25, // 12: spire.api.server.bundle.v1.BatchUpdateFederatedBundleRequest.bundle:type_name -> spire.api.types.Bundle - 22, // 13: spire.api.server.bundle.v1.BatchUpdateFederatedBundleRequest.input_mask:type_name -> spire.api.types.BundleMask - 22, // 14: spire.api.server.bundle.v1.BatchUpdateFederatedBundleRequest.output_mask:type_name -> spire.api.types.BundleMask - 19, // 15: spire.api.server.bundle.v1.BatchUpdateFederatedBundleResponse.results:type_name -> spire.api.server.bundle.v1.BatchUpdateFederatedBundleResponse.Result - 25, // 16: spire.api.server.bundle.v1.BatchSetFederatedBundleRequest.bundle:type_name -> spire.api.types.Bundle - 22, // 17: spire.api.server.bundle.v1.BatchSetFederatedBundleRequest.output_mask:type_name -> spire.api.types.BundleMask - 20, // 18: spire.api.server.bundle.v1.BatchSetFederatedBundleResponse.results:type_name -> spire.api.server.bundle.v1.BatchSetFederatedBundleResponse.Result - 0, // 19: spire.api.server.bundle.v1.BatchDeleteFederatedBundleRequest.mode:type_name -> spire.api.server.bundle.v1.BatchDeleteFederatedBundleRequest.Mode - 21, // 20: spire.api.server.bundle.v1.BatchDeleteFederatedBundleResponse.results:type_name -> spire.api.server.bundle.v1.BatchDeleteFederatedBundleResponse.Result - 26, // 21: spire.api.server.bundle.v1.BatchCreateFederatedBundleResponse.Result.status:type_name -> spire.api.types.Status - 25, // 22: spire.api.server.bundle.v1.BatchCreateFederatedBundleResponse.Result.bundle:type_name -> spire.api.types.Bundle - 26, // 23: spire.api.server.bundle.v1.BatchUpdateFederatedBundleResponse.Result.status:type_name -> spire.api.types.Status - 25, // 24: spire.api.server.bundle.v1.BatchUpdateFederatedBundleResponse.Result.bundle:type_name -> spire.api.types.Bundle - 26, // 25: 
spire.api.server.bundle.v1.BatchSetFederatedBundleResponse.Result.status:type_name -> spire.api.types.Status - 25, // 26: spire.api.server.bundle.v1.BatchSetFederatedBundleResponse.Result.bundle:type_name -> spire.api.types.Bundle - 26, // 27: spire.api.server.bundle.v1.BatchDeleteFederatedBundleResponse.Result.status:type_name -> spire.api.types.Status - 1, // 28: spire.api.server.bundle.v1.Bundle.CountBundles:input_type -> spire.api.server.bundle.v1.CountBundlesRequest - 3, // 29: spire.api.server.bundle.v1.Bundle.GetBundle:input_type -> spire.api.server.bundle.v1.GetBundleRequest - 4, // 30: spire.api.server.bundle.v1.Bundle.AppendBundle:input_type -> spire.api.server.bundle.v1.AppendBundleRequest - 5, // 31: spire.api.server.bundle.v1.Bundle.PublishJWTAuthority:input_type -> spire.api.server.bundle.v1.PublishJWTAuthorityRequest - 7, // 32: spire.api.server.bundle.v1.Bundle.ListFederatedBundles:input_type -> spire.api.server.bundle.v1.ListFederatedBundlesRequest - 9, // 33: spire.api.server.bundle.v1.Bundle.GetFederatedBundle:input_type -> spire.api.server.bundle.v1.GetFederatedBundleRequest - 10, // 34: spire.api.server.bundle.v1.Bundle.BatchCreateFederatedBundle:input_type -> spire.api.server.bundle.v1.BatchCreateFederatedBundleRequest - 12, // 35: spire.api.server.bundle.v1.Bundle.BatchUpdateFederatedBundle:input_type -> spire.api.server.bundle.v1.BatchUpdateFederatedBundleRequest - 14, // 36: spire.api.server.bundle.v1.Bundle.BatchSetFederatedBundle:input_type -> spire.api.server.bundle.v1.BatchSetFederatedBundleRequest - 16, // 37: spire.api.server.bundle.v1.Bundle.BatchDeleteFederatedBundle:input_type -> spire.api.server.bundle.v1.BatchDeleteFederatedBundleRequest - 2, // 38: spire.api.server.bundle.v1.Bundle.CountBundles:output_type -> spire.api.server.bundle.v1.CountBundlesResponse - 25, // 39: spire.api.server.bundle.v1.Bundle.GetBundle:output_type -> spire.api.types.Bundle - 25, // 40: spire.api.server.bundle.v1.Bundle.AppendBundle:output_type -> 
spire.api.types.Bundle - 6, // 41: spire.api.server.bundle.v1.Bundle.PublishJWTAuthority:output_type -> spire.api.server.bundle.v1.PublishJWTAuthorityResponse - 8, // 42: spire.api.server.bundle.v1.Bundle.ListFederatedBundles:output_type -> spire.api.server.bundle.v1.ListFederatedBundlesResponse - 25, // 43: spire.api.server.bundle.v1.Bundle.GetFederatedBundle:output_type -> spire.api.types.Bundle - 11, // 44: spire.api.server.bundle.v1.Bundle.BatchCreateFederatedBundle:output_type -> spire.api.server.bundle.v1.BatchCreateFederatedBundleResponse - 13, // 45: spire.api.server.bundle.v1.Bundle.BatchUpdateFederatedBundle:output_type -> spire.api.server.bundle.v1.BatchUpdateFederatedBundleResponse - 15, // 46: spire.api.server.bundle.v1.Bundle.BatchSetFederatedBundle:output_type -> spire.api.server.bundle.v1.BatchSetFederatedBundleResponse - 17, // 47: spire.api.server.bundle.v1.Bundle.BatchDeleteFederatedBundle:output_type -> spire.api.server.bundle.v1.BatchDeleteFederatedBundleResponse - 38, // [38:48] is the sub-list for method output_type - 28, // [28:38] is the sub-list for method input_type - 28, // [28:28] is the sub-list for extension type_name - 28, // [28:28] is the sub-list for extension extendee - 0, // [0:28] is the sub-list for field type_name + 24, // 0: spire.api.server.bundle.v1.GetBundleRequest.output_mask:type_name -> spire.api.types.BundleMask + 25, // 1: spire.api.server.bundle.v1.AppendBundleRequest.x509_authorities:type_name -> spire.api.types.X509Certificate + 26, // 2: spire.api.server.bundle.v1.AppendBundleRequest.jwt_authorities:type_name -> spire.api.types.JWTKey + 24, // 3: spire.api.server.bundle.v1.AppendBundleRequest.output_mask:type_name -> spire.api.types.BundleMask + 27, // 4: spire.api.server.bundle.v1.AppendBundleRequest.wit_authorities:type_name -> spire.api.types.WITKey + 26, // 5: spire.api.server.bundle.v1.PublishJWTAuthorityRequest.jwt_authority:type_name -> spire.api.types.JWTKey + 26, // 6: 
spire.api.server.bundle.v1.PublishJWTAuthorityResponse.jwt_authorities:type_name -> spire.api.types.JWTKey + 27, // 7: spire.api.server.bundle.v1.PublishWITAuthorityRequest.wit_authority:type_name -> spire.api.types.WITKey + 27, // 8: spire.api.server.bundle.v1.PublishWITAuthorityResponse.wit_authorities:type_name -> spire.api.types.WITKey + 24, // 9: spire.api.server.bundle.v1.ListFederatedBundlesRequest.output_mask:type_name -> spire.api.types.BundleMask + 28, // 10: spire.api.server.bundle.v1.ListFederatedBundlesResponse.bundles:type_name -> spire.api.types.Bundle + 24, // 11: spire.api.server.bundle.v1.GetFederatedBundleRequest.output_mask:type_name -> spire.api.types.BundleMask + 28, // 12: spire.api.server.bundle.v1.BatchCreateFederatedBundleRequest.bundle:type_name -> spire.api.types.Bundle + 24, // 13: spire.api.server.bundle.v1.BatchCreateFederatedBundleRequest.output_mask:type_name -> spire.api.types.BundleMask + 20, // 14: spire.api.server.bundle.v1.BatchCreateFederatedBundleResponse.results:type_name -> spire.api.server.bundle.v1.BatchCreateFederatedBundleResponse.Result + 28, // 15: spire.api.server.bundle.v1.BatchUpdateFederatedBundleRequest.bundle:type_name -> spire.api.types.Bundle + 24, // 16: spire.api.server.bundle.v1.BatchUpdateFederatedBundleRequest.input_mask:type_name -> spire.api.types.BundleMask + 24, // 17: spire.api.server.bundle.v1.BatchUpdateFederatedBundleRequest.output_mask:type_name -> spire.api.types.BundleMask + 21, // 18: spire.api.server.bundle.v1.BatchUpdateFederatedBundleResponse.results:type_name -> spire.api.server.bundle.v1.BatchUpdateFederatedBundleResponse.Result + 28, // 19: spire.api.server.bundle.v1.BatchSetFederatedBundleRequest.bundle:type_name -> spire.api.types.Bundle + 24, // 20: spire.api.server.bundle.v1.BatchSetFederatedBundleRequest.output_mask:type_name -> spire.api.types.BundleMask + 22, // 21: spire.api.server.bundle.v1.BatchSetFederatedBundleResponse.results:type_name -> 
spire.api.server.bundle.v1.BatchSetFederatedBundleResponse.Result + 0, // 22: spire.api.server.bundle.v1.BatchDeleteFederatedBundleRequest.mode:type_name -> spire.api.server.bundle.v1.BatchDeleteFederatedBundleRequest.Mode + 23, // 23: spire.api.server.bundle.v1.BatchDeleteFederatedBundleResponse.results:type_name -> spire.api.server.bundle.v1.BatchDeleteFederatedBundleResponse.Result + 29, // 24: spire.api.server.bundle.v1.BatchCreateFederatedBundleResponse.Result.status:type_name -> spire.api.types.Status + 28, // 25: spire.api.server.bundle.v1.BatchCreateFederatedBundleResponse.Result.bundle:type_name -> spire.api.types.Bundle + 29, // 26: spire.api.server.bundle.v1.BatchUpdateFederatedBundleResponse.Result.status:type_name -> spire.api.types.Status + 28, // 27: spire.api.server.bundle.v1.BatchUpdateFederatedBundleResponse.Result.bundle:type_name -> spire.api.types.Bundle + 29, // 28: spire.api.server.bundle.v1.BatchSetFederatedBundleResponse.Result.status:type_name -> spire.api.types.Status + 28, // 29: spire.api.server.bundle.v1.BatchSetFederatedBundleResponse.Result.bundle:type_name -> spire.api.types.Bundle + 29, // 30: spire.api.server.bundle.v1.BatchDeleteFederatedBundleResponse.Result.status:type_name -> spire.api.types.Status + 1, // 31: spire.api.server.bundle.v1.Bundle.CountBundles:input_type -> spire.api.server.bundle.v1.CountBundlesRequest + 3, // 32: spire.api.server.bundle.v1.Bundle.GetBundle:input_type -> spire.api.server.bundle.v1.GetBundleRequest + 4, // 33: spire.api.server.bundle.v1.Bundle.AppendBundle:input_type -> spire.api.server.bundle.v1.AppendBundleRequest + 5, // 34: spire.api.server.bundle.v1.Bundle.PublishJWTAuthority:input_type -> spire.api.server.bundle.v1.PublishJWTAuthorityRequest + 7, // 35: spire.api.server.bundle.v1.Bundle.PublisWITTAuthority:input_type -> spire.api.server.bundle.v1.PublishWITAuthorityRequest + 9, // 36: spire.api.server.bundle.v1.Bundle.ListFederatedBundles:input_type -> 
spire.api.server.bundle.v1.ListFederatedBundlesRequest + 11, // 37: spire.api.server.bundle.v1.Bundle.GetFederatedBundle:input_type -> spire.api.server.bundle.v1.GetFederatedBundleRequest + 12, // 38: spire.api.server.bundle.v1.Bundle.BatchCreateFederatedBundle:input_type -> spire.api.server.bundle.v1.BatchCreateFederatedBundleRequest + 14, // 39: spire.api.server.bundle.v1.Bundle.BatchUpdateFederatedBundle:input_type -> spire.api.server.bundle.v1.BatchUpdateFederatedBundleRequest + 16, // 40: spire.api.server.bundle.v1.Bundle.BatchSetFederatedBundle:input_type -> spire.api.server.bundle.v1.BatchSetFederatedBundleRequest + 18, // 41: spire.api.server.bundle.v1.Bundle.BatchDeleteFederatedBundle:input_type -> spire.api.server.bundle.v1.BatchDeleteFederatedBundleRequest + 2, // 42: spire.api.server.bundle.v1.Bundle.CountBundles:output_type -> spire.api.server.bundle.v1.CountBundlesResponse + 28, // 43: spire.api.server.bundle.v1.Bundle.GetBundle:output_type -> spire.api.types.Bundle + 28, // 44: spire.api.server.bundle.v1.Bundle.AppendBundle:output_type -> spire.api.types.Bundle + 6, // 45: spire.api.server.bundle.v1.Bundle.PublishJWTAuthority:output_type -> spire.api.server.bundle.v1.PublishJWTAuthorityResponse + 8, // 46: spire.api.server.bundle.v1.Bundle.PublisWITTAuthority:output_type -> spire.api.server.bundle.v1.PublishWITAuthorityResponse + 10, // 47: spire.api.server.bundle.v1.Bundle.ListFederatedBundles:output_type -> spire.api.server.bundle.v1.ListFederatedBundlesResponse + 28, // 48: spire.api.server.bundle.v1.Bundle.GetFederatedBundle:output_type -> spire.api.types.Bundle + 13, // 49: spire.api.server.bundle.v1.Bundle.BatchCreateFederatedBundle:output_type -> spire.api.server.bundle.v1.BatchCreateFederatedBundleResponse + 15, // 50: spire.api.server.bundle.v1.Bundle.BatchUpdateFederatedBundle:output_type -> spire.api.server.bundle.v1.BatchUpdateFederatedBundleResponse + 17, // 51: spire.api.server.bundle.v1.Bundle.BatchSetFederatedBundle:output_type -> 
spire.api.server.bundle.v1.BatchSetFederatedBundleResponse + 19, // 52: spire.api.server.bundle.v1.Bundle.BatchDeleteFederatedBundle:output_type -> spire.api.server.bundle.v1.BatchDeleteFederatedBundleResponse + 42, // [42:53] is the sub-list for method output_type + 31, // [31:42] is the sub-list for method input_type + 31, // [31:31] is the sub-list for extension type_name + 31, // [31:31] is the sub-list for extension extendee + 0, // [0:31] is the sub-list for field type_name } func init() { file_spire_api_server_bundle_v1_bundle_proto_init() } @@ -1350,7 +1462,7 @@ func file_spire_api_server_bundle_v1_bundle_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: unsafe.Slice(unsafe.StringData(file_spire_api_server_bundle_v1_bundle_proto_rawDesc), len(file_spire_api_server_bundle_v1_bundle_proto_rawDesc)), NumEnums: 1, - NumMessages: 21, + NumMessages: 23, NumExtensions: 0, NumServices: 1, }, diff --git a/proto/spire/api/server/bundle/v1/bundle.proto b/proto/spire/api/server/bundle/v1/bundle.proto index e7d5b6e..62e595f 100644 --- a/proto/spire/api/server/bundle/v1/bundle.proto +++ b/proto/spire/api/server/bundle/v1/bundle.proto 
@@ -34,6 +34,16 @@ service Bundle { // The caller must present a downstream X509-SVID. rpc PublishJWTAuthority(PublishJWTAuthorityRequest) returns (PublishJWTAuthorityResponse); + // Publishes a downstream WIT authority to the SPIRE server. If the server + // is itself a downstream server (i.e. configured with an UpstreamAuthority + // plugin), the WIT authority is published further upstream using the + // UpstreamAuthority plugin. If the server is not a downstream server, or + // if the UpstreamAuthority does not support publishing WIT authorities, + // the server appends the WIT authority to its own bundle. + // + // The caller must present a downstream X509-SVID. + rpc PublisWITTAuthority(PublishWITAuthorityRequest) returns (PublishWITAuthorityResponse); + // Lists federated bundles. // // The caller must be local or present an admin X509-SVID. @@ -87,6 +97,9 @@ message AppendBundleRequest { // An output mask indicating which bundle fields are set in the response. spire.api.types.BundleMask output_mask = 3; + + // WIT authorities to append. + repeated spire.api.types.WITKey wit_authorities = 4; } message PublishJWTAuthorityRequest { @@ -99,6 +112,17 @@ message PublishJWTAuthorityResponse { repeated spire.api.types.JWTKey jwt_authorities = 1; } +message PublishWITAuthorityRequest { + // Required. The WIT authority to publish. + spire.api.types.WITKey wit_authority = 1; +} + +message PublishWITAuthorityResponse { + // The WIT authorities for the trust domain. + repeated spire.api.types.WITKey wit_authorities = 1; +} + + message ListFederatedBundlesRequest { // An output mask indicating which bundle fields are set in the response. spire.api.types.BundleMask output_mask = 1; diff --git a/proto/spire/api/server/bundle/v1/bundle_grpc.pb.go b/proto/spire/api/server/bundle/v1/bundle_grpc.pb.go index d8b9483..0d9bd21 100644 --- a/proto/spire/api/server/bundle/v1/bundle_grpc.pb.go +++ b/proto/spire/api/server/bundle/v1/bundle_grpc.pb.go 
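Review bot: The new rpc in the first bundle.proto hunk is declared as `PublisWITTAuthority`, which looks like a typo for `PublishWITAuthority` — it neither matches the sibling `PublishJWTAuthority` nor the `PublishWITAuthorityRequest`/`PublishWITAuthorityResponse` messages it takes and returns. Because the rpc name becomes the wire-level method path (it already appears as `/spire.api.server.bundle.v1.Bundle/PublisWITTAuthority` in the generated bundle_grpc.pb.go hunks and in the bundle.pb.go depIdxs table), shipping it as-is freezes the misspelling into the public API and makes a later correction a breaking change for every client. Suggested line: `rpc PublishWITAuthority(PublishWITAuthorityRequest) returns (PublishWITAuthorityResponse);`, followed by regenerating the .pb.go files so the constant, client and server method, handler and ServiceDesc entry all pick up the corrected name.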
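Review bot: The third bundle.proto hunk (`@@ -99,6 +112,17 @@`) adds two consecutive `+` blank lines after `PublishWITAuthorityResponse`, which together with the existing blank context line leaves a triple blank before `message ListFederatedBundlesRequest`; dropping one of the added blanks keeps the file's one-blank-line spacing between messages. In the second hunk, `wit_authorities = 4` is appended after `output_mask = 3` in `AppendBundleRequest`; the field number must stay 4 for wire compatibility, but moving the declaration up next to `x509_authorities` and `jwt_authorities` (with `output_mask` kept last) would keep the authority fields grouped as they are in the comment order.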
@@ -24,6 +24,7 @@ const ( Bundle_GetBundle_FullMethodName = "/spire.api.server.bundle.v1.Bundle/GetBundle" Bundle_AppendBundle_FullMethodName = "/spire.api.server.bundle.v1.Bundle/AppendBundle" Bundle_PublishJWTAuthority_FullMethodName = "/spire.api.server.bundle.v1.Bundle/PublishJWTAuthority" + Bundle_PublisWITTAuthority_FullMethodName = "/spire.api.server.bundle.v1.Bundle/PublisWITTAuthority" Bundle_ListFederatedBundles_FullMethodName = "/spire.api.server.bundle.v1.Bundle/ListFederatedBundles" Bundle_GetFederatedBundle_FullMethodName = "/spire.api.server.bundle.v1.Bundle/GetFederatedBundle" Bundle_BatchCreateFederatedBundle_FullMethodName = "/spire.api.server.bundle.v1.Bundle/BatchCreateFederatedBundle" @@ -60,6 +61,15 @@ type BundleClient interface { // // The caller must present a downstream X509-SVID. PublishJWTAuthority(ctx context.Context, in *PublishJWTAuthorityRequest, opts ...grpc.CallOption) (*PublishJWTAuthorityResponse, error) + // Publishes a downstream WIT authority to the SPIRE server. If the server + // is itself a downstream server (i.e. configured with an UpstreamAuthority + // plugin), the WIT authority is published further upstream using the + // UpstreamAuthority plugin. If the server is not a downstream server, or + // if the UpstreamAuthority does not support publishing WIT authorities, + // the server appends the WIT authority to its own bundle. + // + // The caller must present a downstream X509-SVID. + PublisWITTAuthority(ctx context.Context, in *PublishWITAuthorityRequest, opts ...grpc.CallOption) (*PublishWITAuthorityResponse, error) // Lists federated bundles. // // The caller must be local or present an admin X509-SVID. 
@@ -134,6 +144,16 @@ func (c *bundleClient) PublishJWTAuthority(ctx context.Context, in *PublishJWTAu return out, nil } +func (c *bundleClient) PublisWITTAuthority(ctx context.Context, in *PublishWITAuthorityRequest, opts ...grpc.CallOption) (*PublishWITAuthorityResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(PublishWITAuthorityResponse) + err := c.cc.Invoke(ctx, Bundle_PublisWITTAuthority_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + func (c *bundleClient) ListFederatedBundles(ctx context.Context, in *ListFederatedBundlesRequest, opts ...grpc.CallOption) (*ListFederatedBundlesResponse, error) { cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) out := new(ListFederatedBundlesResponse) @@ -222,6 +242,15 @@ type BundleServer interface { // // The caller must present a downstream X509-SVID. PublishJWTAuthority(context.Context, *PublishJWTAuthorityRequest) (*PublishJWTAuthorityResponse, error) + // Publishes a downstream WIT authority to the SPIRE server. If the server + // is itself a downstream server (i.e. configured with an UpstreamAuthority + // plugin), the WIT authority is published further upstream using the + // UpstreamAuthority plugin. If the server is not a downstream server, or + // if the UpstreamAuthority does not support publishing WIT authorities, + // the server appends the WIT authority to its own bundle. + // + // The caller must present a downstream X509-SVID. + PublisWITTAuthority(context.Context, *PublishWITAuthorityRequest) (*PublishWITAuthorityResponse, error) // Lists federated bundles. // // The caller must be local or present an admin X509-SVID. 
@@ -268,6 +297,9 @@ func (UnimplementedBundleServer) AppendBundle(context.Context, *AppendBundleRequ func (UnimplementedBundleServer) PublishJWTAuthority(context.Context, *PublishJWTAuthorityRequest) (*PublishJWTAuthorityResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method PublishJWTAuthority not implemented") } +func (UnimplementedBundleServer) PublisWITTAuthority(context.Context, *PublishWITAuthorityRequest) (*PublishWITAuthorityResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method PublisWITTAuthority not implemented") +} func (UnimplementedBundleServer) ListFederatedBundles(context.Context, *ListFederatedBundlesRequest) (*ListFederatedBundlesResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method ListFederatedBundles not implemented") } @@ -379,6 +411,24 @@ func _Bundle_PublishJWTAuthority_Handler(srv interface{}, ctx context.Context, d return interceptor(ctx, in, info, handler) } +func _Bundle_PublisWITTAuthority_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(PublishWITAuthorityRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(BundleServer).PublisWITTAuthority(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: Bundle_PublisWITTAuthority_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(BundleServer).PublisWITTAuthority(ctx, req.(*PublishWITAuthorityRequest)) + } + return interceptor(ctx, in, info, handler) +} + func _Bundle_ListFederatedBundles_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { in := new(ListFederatedBundlesRequest) if err := dec(in); err != nil { 
@@ -510,6 +560,10 @@ var Bundle_ServiceDesc = grpc.ServiceDesc{ MethodName: "PublishJWTAuthority", Handler: _Bundle_PublishJWTAuthority_Handler, }, + { + MethodName: "PublisWITTAuthority", + Handler: _Bundle_PublisWITTAuthority_Handler, + }, { MethodName: "ListFederatedBundles", Handler: _Bundle_ListFederatedBundles_Handler, diff --git a/proto/spire/api/server/svid/v1/svid.pb.go b/proto/spire/api/server/svid/v1/svid.pb.go index b7aa362..95153b2 100644 --- a/proto/spire/api/server/svid/v1/svid.pb.go +++ b/proto/spire/api/server/svid/v1/svid.pb.go 
@@ -126,6 +126,117 @@ func (x *MintX509SVIDResponse) GetSvid() *types.X509SVID { return nil } +type MintWITSVIDRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + // Required. SPIFFE ID of the WIT-SVID. + Id *types.SPIFFEID `protobuf:"bytes,1,opt,name=id,proto3" json:"id,omitempty"` + // Required. The ASN.1 DER encoded public key. + PublicKey []byte `protobuf:"bytes,2,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"` + // Desired TTL of the WIT-SVID, in seconds. The server default will be used + // if unset. The TTL is advisory only. The actual lifetime of the WIT-SVID + // may be lower depending on the remaining lifetime of the active SPIRE + // Server CA. + Ttl int32 `protobuf:"varint,3,opt,name=ttl,proto3" json:"ttl,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *MintWITSVIDRequest) Reset() { + *x = MintWITSVIDRequest{} + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *MintWITSVIDRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*MintWITSVIDRequest) ProtoMessage() {} + +func (x *MintWITSVIDRequest) ProtoReflect() protoreflect.Message { + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[2] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use MintWITSVIDRequest.ProtoReflect.Descriptor instead. 
+func (*MintWITSVIDRequest) Descriptor() ([]byte, []int) { + return file_spire_api_server_svid_v1_svid_proto_rawDescGZIP(), []int{2} +} + +func (x *MintWITSVIDRequest) GetId() *types.SPIFFEID { + if x != nil { + return x.Id + } + return nil +} + +func (x *MintWITSVIDRequest) GetPublicKey() []byte { + if x != nil { + return x.PublicKey + } + return nil +} + +func (x *MintWITSVIDRequest) GetTtl() int32 { + if x != nil { + return x.Ttl + } + return 0 +} + +type MintWITSVIDResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + // The newly issued WIT-SVID. + Svid *types.WITSVID `protobuf:"bytes,1,opt,name=svid,proto3" json:"svid,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *MintWITSVIDResponse) Reset() { + *x = MintWITSVIDResponse{} + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *MintWITSVIDResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*MintWITSVIDResponse) ProtoMessage() {} + +func (x *MintWITSVIDResponse) ProtoReflect() protoreflect.Message { + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[3] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use MintWITSVIDResponse.ProtoReflect.Descriptor instead. +func (*MintWITSVIDResponse) Descriptor() ([]byte, []int) { + return file_spire_api_server_svid_v1_svid_proto_rawDescGZIP(), []int{3} +} + +func (x *MintWITSVIDResponse) GetSvid() *types.WITSVID { + if x != nil { + return x.Svid + } + return nil +} + type MintJWTSVIDRequest struct { state protoimpl.MessageState `protogen:"open.v1"` // Required. SPIFFE ID of the JWT-SVID. 
@@ -144,7 +255,7 @@ type MintJWTSVIDRequest struct { func (x *MintJWTSVIDRequest) Reset() { *x = MintJWTSVIDRequest{} - mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[2] + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[4] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -156,7 +267,7 @@ func (x *MintJWTSVIDRequest) String() string { func (*MintJWTSVIDRequest) ProtoMessage() {} func (x *MintJWTSVIDRequest) ProtoReflect() protoreflect.Message { - mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[2] + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[4] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -169,7 +280,7 @@ func (x *MintJWTSVIDRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use MintJWTSVIDRequest.ProtoReflect.Descriptor instead. func (*MintJWTSVIDRequest) Descriptor() ([]byte, []int) { - return file_spire_api_server_svid_v1_svid_proto_rawDescGZIP(), []int{2} + return file_spire_api_server_svid_v1_svid_proto_rawDescGZIP(), []int{4} } func (x *MintJWTSVIDRequest) GetId() *types.SPIFFEID { @@ -203,7 +314,7 @@ type MintJWTSVIDResponse struct { func (x *MintJWTSVIDResponse) Reset() { *x = MintJWTSVIDResponse{} - mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[3] + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[5] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -215,7 +326,7 @@ func (x *MintJWTSVIDResponse) String() string { func (*MintJWTSVIDResponse) ProtoMessage() {} func (x *MintJWTSVIDResponse) ProtoReflect() protoreflect.Message { - mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[3] + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[5] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -228,7 +339,7 @@ func (x *MintJWTSVIDResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use MintJWTSVIDResponse.ProtoReflect.Descriptor instead. func (*MintJWTSVIDResponse) Descriptor() ([]byte, []int) { - return file_spire_api_server_svid_v1_svid_proto_rawDescGZIP(), []int{3} + return file_spire_api_server_svid_v1_svid_proto_rawDescGZIP(), []int{5} } func (x *MintJWTSVIDResponse) GetSvid() *types.JWTSVID { @@ -249,7 +360,7 @@ type BatchNewX509SVIDRequest struct { func (x *BatchNewX509SVIDRequest) Reset() { *x = BatchNewX509SVIDRequest{} - mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[4] + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[6] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -261,7 +372,7 @@ func (x *BatchNewX509SVIDRequest) String() string { func (*BatchNewX509SVIDRequest) ProtoMessage() {} func (x *BatchNewX509SVIDRequest) ProtoReflect() protoreflect.Message { - mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[4] + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[6] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -274,7 +385,7 @@ func (x *BatchNewX509SVIDRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use BatchNewX509SVIDRequest.ProtoReflect.Descriptor instead. func (*BatchNewX509SVIDRequest) Descriptor() ([]byte, []int) { - return file_spire_api_server_svid_v1_svid_proto_rawDescGZIP(), []int{4} + return file_spire_api_server_svid_v1_svid_proto_rawDescGZIP(), []int{6} } func (x *BatchNewX509SVIDRequest) GetParams() []*NewX509SVIDParams { @@ -294,7 +405,7 @@ type BatchNewX509SVIDResponse struct { func (x *BatchNewX509SVIDResponse) Reset() { *x = BatchNewX509SVIDResponse{} - mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[5] + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[7] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -306,7 +417,7 @@ func (x *BatchNewX509SVIDResponse) String() string { func (*BatchNewX509SVIDResponse) ProtoMessage() {} func (x *BatchNewX509SVIDResponse) ProtoReflect() protoreflect.Message { - mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[5] + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[7] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -319,7 +430,7 @@ func (x *BatchNewX509SVIDResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use BatchNewX509SVIDResponse.ProtoReflect.Descriptor instead. func (*BatchNewX509SVIDResponse) Descriptor() ([]byte, []int) { - return file_spire_api_server_svid_v1_svid_proto_rawDescGZIP(), []int{5} + return file_spire_api_server_svid_v1_svid_proto_rawDescGZIP(), []int{7} } func (x *BatchNewX509SVIDResponse) GetResults() []*BatchNewX509SVIDResponse_Result { @@ -342,7 +453,7 @@ type NewJWTSVIDRequest struct { func (x *NewJWTSVIDRequest) Reset() { *x = NewJWTSVIDRequest{} - mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[6] + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[8] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -354,7 +465,7 @@ func (x *NewJWTSVIDRequest) String() string { func (*NewJWTSVIDRequest) ProtoMessage() {} func (x *NewJWTSVIDRequest) ProtoReflect() protoreflect.Message { - mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[6] + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[8] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -367,7 +478,7 @@ func (x *NewJWTSVIDRequest) ProtoReflect() protoreflect.Message { // Deprecated: Use NewJWTSVIDRequest.ProtoReflect.Descriptor instead. func (*NewJWTSVIDRequest) Descriptor() ([]byte, []int) { - return file_spire_api_server_svid_v1_svid_proto_rawDescGZIP(), []int{6} + return file_spire_api_server_svid_v1_svid_proto_rawDescGZIP(), []int{8} } func (x *NewJWTSVIDRequest) GetEntryId() string { 
@@ -384,6 +495,97 @@ func (x *NewJWTSVIDRequest) GetAudience() []string { return nil } +type BatchNewWITSVIDRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + // Required. One or more X509-SVID parameters for X509-SVID entries to + // be signed. + Params []*NewWITSVIDParams `protobuf:"bytes,1,rep,name=params,proto3" json:"params,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *BatchNewWITSVIDRequest) Reset() { + *x = BatchNewWITSVIDRequest{} + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[9] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *BatchNewWITSVIDRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*BatchNewWITSVIDRequest) ProtoMessage() {} + +func (x *BatchNewWITSVIDRequest) ProtoReflect() protoreflect.Message { + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[9] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use BatchNewWITSVIDRequest.ProtoReflect.Descriptor instead. +func (*BatchNewWITSVIDRequest) Descriptor() ([]byte, []int) { + return file_spire_api_server_svid_v1_svid_proto_rawDescGZIP(), []int{9} +} + +func (x *BatchNewWITSVIDRequest) GetParams() []*NewWITSVIDParams { + if x != nil { + return x.Params + } + return nil +} + +type BatchNewWITSVIDResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + // Result for each X509-SVID requested (order is maintained). 
+ Results []*BatchNewWITSVIDResponse_Result `protobuf:"bytes,1,rep,name=results,proto3" json:"results,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *BatchNewWITSVIDResponse) Reset() { + *x = BatchNewWITSVIDResponse{} + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[10] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *BatchNewWITSVIDResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*BatchNewWITSVIDResponse) ProtoMessage() {} + +func (x *BatchNewWITSVIDResponse) ProtoReflect() protoreflect.Message { + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[10] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use BatchNewWITSVIDResponse.ProtoReflect.Descriptor instead. +func (*BatchNewWITSVIDResponse) Descriptor() ([]byte, []int) { + return file_spire_api_server_svid_v1_svid_proto_rawDescGZIP(), []int{10} +} + +func (x *BatchNewWITSVIDResponse) GetResults() []*BatchNewWITSVIDResponse_Result { + if x != nil { + return x.Results + } + return nil +} + type NewJWTSVIDResponse struct { state protoimpl.MessageState `protogen:"open.v1"` // The newly issued JWT-SVID @@ -394,7 +596,7 @@ type NewJWTSVIDResponse struct { func (x *NewJWTSVIDResponse) Reset() { *x = NewJWTSVIDResponse{} - mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[7] + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[11] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } 
@@ -406,7 +608,7 @@ func (x *NewJWTSVIDResponse) String() string { func (*NewJWTSVIDResponse) ProtoMessage() {} func (x *NewJWTSVIDResponse) ProtoReflect() protoreflect.Message { - mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[7] + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[11] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -419,7 +621,7 @@ func (x *NewJWTSVIDResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use NewJWTSVIDResponse.ProtoReflect.Descriptor instead. func (*NewJWTSVIDResponse) Descriptor() ([]byte, []int) { - return file_spire_api_server_svid_v1_svid_proto_rawDescGZIP(), []int{7} + return file_spire_api_server_svid_v1_svid_proto_rawDescGZIP(), []int{11} } func (x *NewJWTSVIDResponse) GetSvid() *types.JWTSVID { @@ -445,7 +647,7 @@ type NewDownstreamX509CARequest struct { func (x *NewDownstreamX509CARequest) Reset() { *x = NewDownstreamX509CARequest{} - mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[8] + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[12] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -457,7 +659,7 @@ func (x *NewDownstreamX509CARequest) String() string { func (*NewDownstreamX509CARequest) ProtoMessage() {} func (x *NewDownstreamX509CARequest) ProtoReflect() protoreflect.Message { - mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[8] + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[12] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -470,7 +672,7 @@ func (x *NewDownstreamX509CARequest) ProtoReflect() protoreflect.Message { // Deprecated: Use NewDownstreamX509CARequest.ProtoReflect.Descriptor instead. func (*NewDownstreamX509CARequest) Descriptor() ([]byte, []int) { - return file_spire_api_server_svid_v1_svid_proto_rawDescGZIP(), []int{8} + return file_spire_api_server_svid_v1_svid_proto_rawDescGZIP(), []int{12} } func (x *NewDownstreamX509CARequest) GetCsr() []byte { @@ -501,7 +703,7 @@ type NewDownstreamX509CAResponse struct { func (x *NewDownstreamX509CAResponse) Reset() { *x = NewDownstreamX509CAResponse{} - mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[9] + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[13] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -513,7 +715,7 @@ func (x *NewDownstreamX509CAResponse) String() string { func (*NewDownstreamX509CAResponse) ProtoMessage() {} func (x *NewDownstreamX509CAResponse) ProtoReflect() protoreflect.Message { - mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[9] + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[13] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -526,7 +728,7 @@ func (x *NewDownstreamX509CAResponse) ProtoReflect() protoreflect.Message { // Deprecated: Use NewDownstreamX509CAResponse.ProtoReflect.Descriptor instead. func (*NewDownstreamX509CAResponse) Descriptor() ([]byte, []int) { - return file_spire_api_server_svid_v1_svid_proto_rawDescGZIP(), []int{9} + return file_spire_api_server_svid_v1_svid_proto_rawDescGZIP(), []int{13} } func (x *NewDownstreamX509CAResponse) GetCaCertChain() [][]byte { 
@@ -557,7 +759,7 @@ type NewX509SVIDParams struct { func (x *NewX509SVIDParams) Reset() { *x = NewX509SVIDParams{} - mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[10] + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[14] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -569,7 +771,7 @@ func (x *NewX509SVIDParams) String() string { func (*NewX509SVIDParams) ProtoMessage() {} func (x *NewX509SVIDParams) ProtoReflect() protoreflect.Message { - mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[10] + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[14] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -582,7 +784,7 @@ func (x *NewX509SVIDParams) ProtoReflect() protoreflect.Message { // Deprecated: Use NewX509SVIDParams.ProtoReflect.Descriptor instead. func (*NewX509SVIDParams) Descriptor() ([]byte, []int) { - return file_spire_api_server_svid_v1_svid_proto_rawDescGZIP(), []int{10} + return file_spire_api_server_svid_v1_svid_proto_rawDescGZIP(), []int{14} } func (x *NewX509SVIDParams) GetEntryId() string { 
@@ -599,6 +801,60 @@ func (x *NewX509SVIDParams) GetCsr() []byte { return nil } +type NewWITSVIDParams struct { + state protoimpl.MessageState `protogen:"open.v1"` + // Required. The entry ID for the identity being requested. + EntryId string `protobuf:"bytes,1,opt,name=entry_id,json=entryId,proto3" json:"entry_id,omitempty"` + // Required. The ASN.1 DER encoded public key. + PublicKey []byte `protobuf:"bytes,2,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *NewWITSVIDParams) Reset() { + *x = NewWITSVIDParams{} + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[15] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *NewWITSVIDParams) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*NewWITSVIDParams) ProtoMessage() {} + +func (x *NewWITSVIDParams) ProtoReflect() protoreflect.Message { + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[15] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use NewWITSVIDParams.ProtoReflect.Descriptor instead. +func (*NewWITSVIDParams) Descriptor() ([]byte, []int) { + return file_spire_api_server_svid_v1_svid_proto_rawDescGZIP(), []int{15} +} + +func (x *NewWITSVIDParams) GetEntryId() string { + if x != nil { + return x.EntryId + } + return "" +} + +func (x *NewWITSVIDParams) GetPublicKey() []byte { + if x != nil { + return x.PublicKey + } + return nil +} + type BatchNewX509SVIDResponse_Result struct { state protoimpl.MessageState `protogen:"open.v1"` // The status of creating the X509-SVID. 
@@ -611,7 +867,7 @@ type BatchNewX509SVIDResponse_Result struct { func (x *BatchNewX509SVIDResponse_Result) Reset() { *x = BatchNewX509SVIDResponse_Result{} - mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[11] + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[16] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -623,7 +879,7 @@ func (x *BatchNewX509SVIDResponse_Result) String() string { func (*BatchNewX509SVIDResponse_Result) ProtoMessage() {} func (x *BatchNewX509SVIDResponse_Result) ProtoReflect() protoreflect.Message { - mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[11] + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[16] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -636,7 +892,7 @@ func (x *BatchNewX509SVIDResponse_Result) ProtoReflect() protoreflect.Message { // Deprecated: Use BatchNewX509SVIDResponse_Result.ProtoReflect.Descriptor instead. func (*BatchNewX509SVIDResponse_Result) Descriptor() ([]byte, []int) { - return file_spire_api_server_svid_v1_svid_proto_rawDescGZIP(), []int{5, 0} + return file_spire_api_server_svid_v1_svid_proto_rawDescGZIP(), []int{7, 0} } func (x *BatchNewX509SVIDResponse_Result) GetStatus() *types.Status { 
@@ -653,16 +909,77 @@ func (x *BatchNewX509SVIDResponse_Result) GetSvid() *types.X509SVID { return nil } +type BatchNewWITSVIDResponse_Result struct { + state protoimpl.MessageState `protogen:"open.v1"` + // The status of creating the WIT-SVID. + Status *types.Status `protobuf:"bytes,1,opt,name=status,proto3" json:"status,omitempty"` + // The newly created X509-SVID. This will be set if the status is OK. + Svid *types.WITSVID `protobuf:"bytes,2,opt,name=svid,proto3" json:"svid,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *BatchNewWITSVIDResponse_Result) Reset() { + *x = BatchNewWITSVIDResponse_Result{} + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[17] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *BatchNewWITSVIDResponse_Result) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*BatchNewWITSVIDResponse_Result) ProtoMessage() {} + +func (x *BatchNewWITSVIDResponse_Result) ProtoReflect() protoreflect.Message { + mi := &file_spire_api_server_svid_v1_svid_proto_msgTypes[17] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use BatchNewWITSVIDResponse_Result.ProtoReflect.Descriptor instead. 
+func (*BatchNewWITSVIDResponse_Result) Descriptor() ([]byte, []int) { + return file_spire_api_server_svid_v1_svid_proto_rawDescGZIP(), []int{10, 0} +} + +func (x *BatchNewWITSVIDResponse_Result) GetStatus() *types.Status { + if x != nil { + return x.Status + } + return nil +} + +func (x *BatchNewWITSVIDResponse_Result) GetSvid() *types.WITSVID { + if x != nil { + return x.Svid + } + return nil +} + var File_spire_api_server_svid_v1_svid_proto protoreflect.FileDescriptor const file_spire_api_server_svid_v1_svid_proto_rawDesc = "" + "\n" + - "#spire/api/server/svid/v1/svid.proto\x12\x18spire.api.server.svid.v1\x1a\x1dspire/api/types/jwtsvid.proto\x1a\x1espire/api/types/spiffeid.proto\x1a\x1cspire/api/types/status.proto\x1a\x1espire/api/types/x509svid.proto\"9\n" + + "#spire/api/server/svid/v1/svid.proto\x12\x18spire.api.server.svid.v1\x1a\x1dspire/api/types/jwtsvid.proto\x1a\x1espire/api/types/spiffeid.proto\x1a\x1cspire/api/types/status.proto\x1a\x1espire/api/types/x509svid.proto\x1a\x1dspire/api/types/witsvid.proto\"9\n" + "\x13MintX509SVIDRequest\x12\x10\n" + "\x03csr\x18\x01 \x01(\fR\x03csr\x12\x10\n" + "\x03ttl\x18\x02 \x01(\x05R\x03ttl\"E\n" + "\x14MintX509SVIDResponse\x12-\n" + - "\x04svid\x18\x01 \x01(\v2\x19.spire.api.types.X509SVIDR\x04svid\"m\n" + + "\x04svid\x18\x01 \x01(\v2\x19.spire.api.types.X509SVIDR\x04svid\"p\n" + + "\x12MintWITSVIDRequest\x12)\n" + + "\x02id\x18\x01 \x01(\v2\x19.spire.api.types.SPIFFEIDR\x02id\x12\x1d\n" + + "\n" + + "public_key\x18\x02 \x01(\fR\tpublicKey\x12\x10\n" + + "\x03ttl\x18\x03 \x01(\x05R\x03ttl\"C\n" + + "\x13MintWITSVIDResponse\x12,\n" + + "\x04svid\x18\x01 \x01(\v2\x18.spire.api.types.WITSVIDR\x04svid\"m\n" + "\x12MintJWTSVIDRequest\x12)\n" + "\x02id\x18\x01 \x01(\v2\x19.spire.api.types.SPIFFEIDR\x02id\x12\x1a\n" + "\baudience\x18\x02 \x03(\tR\baudience\x12\x10\n" + 
@@ -678,7 +995,14 @@ const file_spire_api_server_svid_v1_svid_proto_rawDesc = "" + "\x04svid\x18\x02 \x01(\v2\x19.spire.api.types.X509SVIDR\x04svid\"J\n" + "\x11NewJWTSVIDRequest\x12\x19\n" + "\bentry_id\x18\x01 \x01(\tR\aentryId\x12\x1a\n" + - "\baudience\x18\x02 \x03(\tR\baudience\"B\n" + + "\baudience\x18\x02 \x03(\tR\baudience\"\\\n" + + "\x16BatchNewWITSVIDRequest\x12B\n" + + "\x06params\x18\x01 \x03(\v2*.spire.api.server.svid.v1.NewWITSVIDParamsR\x06params\"\xd6\x01\n" + + "\x17BatchNewWITSVIDResponse\x12R\n" + + "\aresults\x18\x01 \x03(\v28.spire.api.server.svid.v1.BatchNewWITSVIDResponse.ResultR\aresults\x1ag\n" + + "\x06Result\x12/\n" + + "\x06status\x18\x01 \x01(\v2\x17.spire.api.types.StatusR\x06status\x12,\n" + + "\x04svid\x18\x02 \x01(\v2\x18.spire.api.types.WITSVIDR\x04svid\"B\n" + "\x12NewJWTSVIDResponse\x12,\n" + "\x04svid\x18\x01 \x01(\v2\x18.spire.api.types.JWTSVIDR\x04svid\"S\n" + "\x1aNewDownstreamX509CARequest\x12\x10\n" + 
@@ -689,13 +1013,19 @@ const file_spire_api_server_svid_v1_svid_proto_rawDesc = "" + "\x10x509_authorities\x18\x02 \x03(\fR\x0fx509Authorities\"@\n" + "\x11NewX509SVIDParams\x12\x19\n" + "\bentry_id\x18\x01 \x01(\tR\aentryId\x12\x10\n" + - "\x03csr\x18\x02 \x01(\fR\x03csr2\xca\x04\n" + + "\x03csr\x18\x02 \x01(\fR\x03csr\"L\n" + + "\x10NewWITSVIDParams\x12\x19\n" + + "\bentry_id\x18\x01 \x01(\tR\aentryId\x12\x1d\n" + + "\n" + + "public_key\x18\x02 \x01(\fR\tpublicKey2\xae\x06\n" + "\x04SVID\x12m\n" + "\fMintX509SVID\x12-.spire.api.server.svid.v1.MintX509SVIDRequest\x1a..spire.api.server.svid.v1.MintX509SVIDResponse\x12j\n" + - "\vMintJWTSVID\x12,.spire.api.server.svid.v1.MintJWTSVIDRequest\x1a-.spire.api.server.svid.v1.MintJWTSVIDResponse\x12y\n" + + "\vMintJWTSVID\x12,.spire.api.server.svid.v1.MintJWTSVIDRequest\x1a-.spire.api.server.svid.v1.MintJWTSVIDResponse\x12j\n" + + "\vMintWITSVID\x12,.spire.api.server.svid.v1.MintWITSVIDRequest\x1a-.spire.api.server.svid.v1.MintWITSVIDResponse\x12y\n" + "\x10BatchNewX509SVID\x121.spire.api.server.svid.v1.BatchNewX509SVIDRequest\x1a2.spire.api.server.svid.v1.BatchNewX509SVIDResponse\x12g\n" + "\n" + - "NewJWTSVID\x12+.spire.api.server.svid.v1.NewJWTSVIDRequest\x1a,.spire.api.server.svid.v1.NewJWTSVIDResponse\x12\x82\x01\n" + + "NewJWTSVID\x12+.spire.api.server.svid.v1.NewJWTSVIDRequest\x1a,.spire.api.server.svid.v1.NewJWTSVIDResponse\x12v\n" + + "\x0fBatchNewWITSVID\x120.spire.api.server.svid.v1.BatchNewWITSVIDRequest\x1a1.spire.api.server.svid.v1.BatchNewWITSVIDResponse\x12\x82\x01\n" + "\x13NewDownstreamX509CA\x124.spire.api.server.svid.v1.NewDownstreamX509CARequest\x1a5.spire.api.server.svid.v1.NewDownstreamX509CAResponseBGZEgithub.com/spiffe/spire-api-sdk/proto/spire/api/server/svid/v1;svidv1b\x06proto3" var ( 
@@ -710,49 +1040,66 @@ func file_spire_api_server_svid_v1_svid_proto_rawDescGZIP() []byte { return file_spire_api_server_svid_v1_svid_proto_rawDescData } -var file_spire_api_server_svid_v1_svid_proto_msgTypes = make([]protoimpl.MessageInfo, 12) +var file_spire_api_server_svid_v1_svid_proto_msgTypes = make([]protoimpl.MessageInfo, 18) var file_spire_api_server_svid_v1_svid_proto_goTypes = []any{ (*MintX509SVIDRequest)(nil), // 0: spire.api.server.svid.v1.MintX509SVIDRequest (*MintX509SVIDResponse)(nil), // 1: spire.api.server.svid.v1.MintX509SVIDResponse - (*MintJWTSVIDRequest)(nil), // 2: spire.api.server.svid.v1.MintJWTSVIDRequest - (*MintJWTSVIDResponse)(nil), // 3: spire.api.server.svid.v1.MintJWTSVIDResponse - (*BatchNewX509SVIDRequest)(nil), // 4: spire.api.server.svid.v1.BatchNewX509SVIDRequest - (*BatchNewX509SVIDResponse)(nil), // 5: spire.api.server.svid.v1.BatchNewX509SVIDResponse - (*NewJWTSVIDRequest)(nil), // 6: spire.api.server.svid.v1.NewJWTSVIDRequest - (*NewJWTSVIDResponse)(nil), // 7: spire.api.server.svid.v1.NewJWTSVIDResponse - (*NewDownstreamX509CARequest)(nil), // 8: spire.api.server.svid.v1.NewDownstreamX509CARequest - (*NewDownstreamX509CAResponse)(nil), // 9: spire.api.server.svid.v1.NewDownstreamX509CAResponse - (*NewX509SVIDParams)(nil), // 10: spire.api.server.svid.v1.NewX509SVIDParams - (*BatchNewX509SVIDResponse_Result)(nil), // 11: spire.api.server.svid.v1.BatchNewX509SVIDResponse.Result - (*types.X509SVID)(nil), // 12: spire.api.types.X509SVID - (*types.SPIFFEID)(nil), // 13: spire.api.types.SPIFFEID - (*types.JWTSVID)(nil), // 14: spire.api.types.JWTSVID - (*types.Status)(nil), // 15: spire.api.types.Status + (*MintWITSVIDRequest)(nil), // 2: spire.api.server.svid.v1.MintWITSVIDRequest + (*MintWITSVIDResponse)(nil), // 3: spire.api.server.svid.v1.MintWITSVIDResponse + (*MintJWTSVIDRequest)(nil), // 4: spire.api.server.svid.v1.MintJWTSVIDRequest + (*MintJWTSVIDResponse)(nil), // 5: spire.api.server.svid.v1.MintJWTSVIDResponse + 
(*BatchNewX509SVIDRequest)(nil), // 6: spire.api.server.svid.v1.BatchNewX509SVIDRequest + (*BatchNewX509SVIDResponse)(nil), // 7: spire.api.server.svid.v1.BatchNewX509SVIDResponse + (*NewJWTSVIDRequest)(nil), // 8: spire.api.server.svid.v1.NewJWTSVIDRequest + (*BatchNewWITSVIDRequest)(nil), // 9: spire.api.server.svid.v1.BatchNewWITSVIDRequest + (*BatchNewWITSVIDResponse)(nil), // 10: spire.api.server.svid.v1.BatchNewWITSVIDResponse + (*NewJWTSVIDResponse)(nil), // 11: spire.api.server.svid.v1.NewJWTSVIDResponse + (*NewDownstreamX509CARequest)(nil), // 12: spire.api.server.svid.v1.NewDownstreamX509CARequest + (*NewDownstreamX509CAResponse)(nil), // 13: spire.api.server.svid.v1.NewDownstreamX509CAResponse + (*NewX509SVIDParams)(nil), // 14: spire.api.server.svid.v1.NewX509SVIDParams + (*NewWITSVIDParams)(nil), // 15: spire.api.server.svid.v1.NewWITSVIDParams + (*BatchNewX509SVIDResponse_Result)(nil), // 16: spire.api.server.svid.v1.BatchNewX509SVIDResponse.Result + (*BatchNewWITSVIDResponse_Result)(nil), // 17: spire.api.server.svid.v1.BatchNewWITSVIDResponse.Result + (*types.X509SVID)(nil), // 18: spire.api.types.X509SVID + (*types.SPIFFEID)(nil), // 19: spire.api.types.SPIFFEID + (*types.WITSVID)(nil), // 20: spire.api.types.WITSVID + (*types.JWTSVID)(nil), // 21: spire.api.types.JWTSVID + (*types.Status)(nil), // 22: spire.api.types.Status } var file_spire_api_server_svid_v1_svid_proto_depIdxs = []int32{ - 12, // 0: spire.api.server.svid.v1.MintX509SVIDResponse.svid:type_name -> spire.api.types.X509SVID - 13, // 1: spire.api.server.svid.v1.MintJWTSVIDRequest.id:type_name -> spire.api.types.SPIFFEID - 14, // 2: spire.api.server.svid.v1.MintJWTSVIDResponse.svid:type_name -> spire.api.types.JWTSVID - 10, // 3: spire.api.server.svid.v1.BatchNewX509SVIDRequest.params:type_name -> spire.api.server.svid.v1.NewX509SVIDParams - 11, // 4: spire.api.server.svid.v1.BatchNewX509SVIDResponse.results:type_name -> spire.api.server.svid.v1.BatchNewX509SVIDResponse.Result - 14, // 
5: spire.api.server.svid.v1.NewJWTSVIDResponse.svid:type_name -> spire.api.types.JWTSVID - 15, // 6: spire.api.server.svid.v1.BatchNewX509SVIDResponse.Result.status:type_name -> spire.api.types.Status - 12, // 7: spire.api.server.svid.v1.BatchNewX509SVIDResponse.Result.svid:type_name -> spire.api.types.X509SVID - 0, // 8: spire.api.server.svid.v1.SVID.MintX509SVID:input_type -> spire.api.server.svid.v1.MintX509SVIDRequest - 2, // 9: spire.api.server.svid.v1.SVID.MintJWTSVID:input_type -> spire.api.server.svid.v1.MintJWTSVIDRequest - 4, // 10: spire.api.server.svid.v1.SVID.BatchNewX509SVID:input_type -> spire.api.server.svid.v1.BatchNewX509SVIDRequest - 6, // 11: spire.api.server.svid.v1.SVID.NewJWTSVID:input_type -> spire.api.server.svid.v1.NewJWTSVIDRequest - 8, // 12: spire.api.server.svid.v1.SVID.NewDownstreamX509CA:input_type -> spire.api.server.svid.v1.NewDownstreamX509CARequest - 1, // 13: spire.api.server.svid.v1.SVID.MintX509SVID:output_type -> spire.api.server.svid.v1.MintX509SVIDResponse - 3, // 14: spire.api.server.svid.v1.SVID.MintJWTSVID:output_type -> spire.api.server.svid.v1.MintJWTSVIDResponse - 5, // 15: spire.api.server.svid.v1.SVID.BatchNewX509SVID:output_type -> spire.api.server.svid.v1.BatchNewX509SVIDResponse - 7, // 16: spire.api.server.svid.v1.SVID.NewJWTSVID:output_type -> spire.api.server.svid.v1.NewJWTSVIDResponse - 9, // 17: spire.api.server.svid.v1.SVID.NewDownstreamX509CA:output_type -> spire.api.server.svid.v1.NewDownstreamX509CAResponse - 13, // [13:18] is the sub-list for method output_type - 8, // [8:13] is the sub-list for method input_type - 8, // [8:8] is the sub-list for extension type_name - 8, // [8:8] is the sub-list for extension extendee - 0, // [0:8] is the sub-list for field type_name + 18, // 0: spire.api.server.svid.v1.MintX509SVIDResponse.svid:type_name -> spire.api.types.X509SVID + 19, // 1: spire.api.server.svid.v1.MintWITSVIDRequest.id:type_name -> spire.api.types.SPIFFEID + 20, // 2: 
spire.api.server.svid.v1.MintWITSVIDResponse.svid:type_name -> spire.api.types.WITSVID + 19, // 3: spire.api.server.svid.v1.MintJWTSVIDRequest.id:type_name -> spire.api.types.SPIFFEID + 21, // 4: spire.api.server.svid.v1.MintJWTSVIDResponse.svid:type_name -> spire.api.types.JWTSVID + 14, // 5: spire.api.server.svid.v1.BatchNewX509SVIDRequest.params:type_name -> spire.api.server.svid.v1.NewX509SVIDParams + 16, // 6: spire.api.server.svid.v1.BatchNewX509SVIDResponse.results:type_name -> spire.api.server.svid.v1.BatchNewX509SVIDResponse.Result + 15, // 7: spire.api.server.svid.v1.BatchNewWITSVIDRequest.params:type_name -> spire.api.server.svid.v1.NewWITSVIDParams + 17, // 8: spire.api.server.svid.v1.BatchNewWITSVIDResponse.results:type_name -> spire.api.server.svid.v1.BatchNewWITSVIDResponse.Result + 21, // 9: spire.api.server.svid.v1.NewJWTSVIDResponse.svid:type_name -> spire.api.types.JWTSVID + 22, // 10: spire.api.server.svid.v1.BatchNewX509SVIDResponse.Result.status:type_name -> spire.api.types.Status + 18, // 11: spire.api.server.svid.v1.BatchNewX509SVIDResponse.Result.svid:type_name -> spire.api.types.X509SVID + 22, // 12: spire.api.server.svid.v1.BatchNewWITSVIDResponse.Result.status:type_name -> spire.api.types.Status + 20, // 13: spire.api.server.svid.v1.BatchNewWITSVIDResponse.Result.svid:type_name -> spire.api.types.WITSVID + 0, // 14: spire.api.server.svid.v1.SVID.MintX509SVID:input_type -> spire.api.server.svid.v1.MintX509SVIDRequest + 4, // 15: spire.api.server.svid.v1.SVID.MintJWTSVID:input_type -> spire.api.server.svid.v1.MintJWTSVIDRequest + 2, // 16: spire.api.server.svid.v1.SVID.MintWITSVID:input_type -> spire.api.server.svid.v1.MintWITSVIDRequest + 6, // 17: spire.api.server.svid.v1.SVID.BatchNewX509SVID:input_type -> spire.api.server.svid.v1.BatchNewX509SVIDRequest + 8, // 18: spire.api.server.svid.v1.SVID.NewJWTSVID:input_type -> spire.api.server.svid.v1.NewJWTSVIDRequest + 9, // 19: spire.api.server.svid.v1.SVID.BatchNewWITSVID:input_type -> 
spire.api.server.svid.v1.BatchNewWITSVIDRequest + 12, // 20: spire.api.server.svid.v1.SVID.NewDownstreamX509CA:input_type -> spire.api.server.svid.v1.NewDownstreamX509CARequest + 1, // 21: spire.api.server.svid.v1.SVID.MintX509SVID:output_type -> spire.api.server.svid.v1.MintX509SVIDResponse + 5, // 22: spire.api.server.svid.v1.SVID.MintJWTSVID:output_type -> spire.api.server.svid.v1.MintJWTSVIDResponse + 3, // 23: spire.api.server.svid.v1.SVID.MintWITSVID:output_type -> spire.api.server.svid.v1.MintWITSVIDResponse + 7, // 24: spire.api.server.svid.v1.SVID.BatchNewX509SVID:output_type -> spire.api.server.svid.v1.BatchNewX509SVIDResponse + 11, // 25: spire.api.server.svid.v1.SVID.NewJWTSVID:output_type -> spire.api.server.svid.v1.NewJWTSVIDResponse + 10, // 26: spire.api.server.svid.v1.SVID.BatchNewWITSVID:output_type -> spire.api.server.svid.v1.BatchNewWITSVIDResponse + 13, // 27: spire.api.server.svid.v1.SVID.NewDownstreamX509CA:output_type -> spire.api.server.svid.v1.NewDownstreamX509CAResponse + 21, // [21:28] is the sub-list for method output_type + 14, // [14:21] is the sub-list for method input_type + 14, // [14:14] is the sub-list for extension type_name + 14, // [14:14] is the sub-list for extension extendee + 0, // [0:14] is the sub-list for field type_name } func init() { file_spire_api_server_svid_v1_svid_proto_init() } @@ -766,7 +1113,7 @@ func file_spire_api_server_svid_v1_svid_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: unsafe.Slice(unsafe.StringData(file_spire_api_server_svid_v1_svid_proto_rawDesc), len(file_spire_api_server_svid_v1_svid_proto_rawDesc)), NumEnums: 0, - NumMessages: 12, + NumMessages: 18, NumExtensions: 0, NumServices: 1, }, diff --git a/proto/spire/api/server/svid/v1/svid.proto b/proto/spire/api/server/svid/v1/svid.proto index 1744e39..c27d1c3 100644 --- a/proto/spire/api/server/svid/v1/svid.proto +++ b/proto/spire/api/server/svid/v1/svid.proto 
@@ -6,6 +6,7 @@ import "spire/api/types/jwtsvid.proto";
 import "spire/api/types/spiffeid.proto";
 import "spire/api/types/status.proto";
 import "spire/api/types/x509svid.proto";
+import "spire/api/types/witsvid.proto";
 
 service SVID {
     // Mints a one-off X509-SVID outside of the normal node/workload
@@ -20,6 +21,12 @@ service SVID {
     // The caller must be local or present an admin X509-SVID.
     rpc MintJWTSVID(MintJWTSVIDRequest) returns (MintJWTSVIDResponse);
 
+    // Mints a one-off WIT-SVID outside of the normal node/workload
+    // registration process.
+    //
+    // The caller must be local or present an admin X509-SVID.
+    rpc MintWITSVID(MintWITSVIDRequest) returns (MintWITSVIDResponse);
+
     // Creates one or more X509-SVIDs from registration entries.
     //
     // The caller must present an active agent X509-SVID that is authorized
@@ -32,6 +39,12 @@ service SVID {
     // to mint the requested entry. See the Entry GetAuthorizedEntries RPC.
     rpc NewJWTSVID(NewJWTSVIDRequest) returns (NewJWTSVIDResponse);
 
+    // Creates one or more WIT-SVIDs from registration entries.
+    //
+    // The caller must present an active agent X509-SVID that is authorized
+    // to mint the requested entries. See the Entry GetAuthorizedEntries/SyncA RPC.
+    rpc BatchNewWITSVID(BatchNewWITSVIDRequest) returns (BatchNewWITSVIDResponse);
+
     // Creates an X509 CA certificate appropriate for use by a downstream
     // entity to mint X509-SVIDs.
     //
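Review bot: The BatchNewWITSVID doc comment in the third hunk ends with `See the Entry GetAuthorizedEntries/SyncA RPC.`, which reads as a truncated RPC name. The sibling BatchNewX509SVID comment sits above this hunk, outside it, and presumably spells the name out; this line should match it, e.g. `// to mint the requested entries. See the Entry GetAuthorizedEntries/SyncAuthorizedEntries RPC.` if that is the RPC named there. This comment is the authorization contract callers read for the new RPC, and the generated Go files are regenerated from it, so it is worth fixing at the source.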
@@ -57,6 +70,25 @@ message MintX509SVIDResponse { spire.api.types.X509SVID svid = 1; } +message MintWITSVIDRequest { + // Required. SPIFFE ID of the WIT-SVID. + spire.api.types.SPIFFEID id = 1; + + // Required. The ASN.1 DER encoded public key. + bytes public_key = 2; + + // Desired TTL of the WIT-SVID, in seconds. The server default will be used + // if unset. The TTL is advisory only. The actual lifetime of the WIT-SVID + // may be lower depending on the remaining lifetime of the active SPIRE + // Server CA. + int32 ttl = 3; +} + +message MintWITSVIDResponse { + // The newly issued WIT-SVID. + spire.api.types.WITSVID svid = 1; +} + message MintJWTSVIDRequest { // Required. SPIFFE ID of the JWT-SVID. spire.api.types.SPIFFEID id = 1; @@ -105,6 +137,26 @@ message NewJWTSVIDRequest { repeated string audience = 2; } + +message BatchNewWITSVIDRequest { + // Required. One or more X509-SVID parameters for X509-SVID entries to + // be signed. + repeated NewWITSVIDParams params = 1; +} + +message BatchNewWITSVIDResponse { + message Result { + // The status of creating the WIT-SVID. + spire.api.types.Status status = 1; + + // The newly created X509-SVID. This will be set if the status is OK. + spire.api.types.WITSVID svid = 2; + } + + // Result for each X509-SVID requested (order is maintained). + repeated Result results = 1; +} + message NewJWTSVIDResponse { // The newly issued JWT-SVID spire.api.types.JWTSVID svid = 1; @@ -141,3 +193,11 @@ message NewX509SVIDParams { // ignored. The X509-SVID attributes are determined by the entry. bytes csr = 2; } + +message NewWITSVIDParams { + // Required. The entry ID for the identity being requested. + string entry_id = 1; + + // Required. The ASN.1 DER encoded public key. + bytes public_key = 2; +} diff --git a/proto/spire/api/server/svid/v1/svid_grpc.pb.go b/proto/spire/api/server/svid/v1/svid_grpc.pb.go index cc2b986..7ae067f 100644 --- a/proto/spire/api/server/svid/v1/svid_grpc.pb.go 
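Review bot: The comments on the new `BatchNewWITSVIDRequest` and `BatchNewWITSVIDResponse` messages in the `@@ -105,6 +137,26 @@` hunk still describe X509-SVIDs, which is misleading for an API consumer reading the generated docs. The three lines should read `// Required. One or more WIT-SVID parameters for WIT-SVID entries to be signed.`, `// The newly created WIT-SVID. This will be set if the status is OK.` and `// Result for each WIT-SVID requested (order is maintained).` The svid.pb.go hunks in this patch carry the same copied text and will pick up the fix on regeneration.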
+++ b/proto/spire/api/server/svid/v1/svid_grpc.pb.go @@ -21,8 +21,10 @@ const _ = grpc.SupportPackageIsVersion9 const ( SVID_MintX509SVID_FullMethodName = "/spire.api.server.svid.v1.SVID/MintX509SVID" SVID_MintJWTSVID_FullMethodName = "/spire.api.server.svid.v1.SVID/MintJWTSVID" + SVID_MintWITSVID_FullMethodName = "/spire.api.server.svid.v1.SVID/MintWITSVID" SVID_BatchNewX509SVID_FullMethodName = "/spire.api.server.svid.v1.SVID/BatchNewX509SVID" SVID_NewJWTSVID_FullMethodName = "/spire.api.server.svid.v1.SVID/NewJWTSVID" + SVID_BatchNewWITSVID_FullMethodName = "/spire.api.server.svid.v1.SVID/BatchNewWITSVID" SVID_NewDownstreamX509CA_FullMethodName = "/spire.api.server.svid.v1.SVID/NewDownstreamX509CA" ) @@ -40,6 +42,11 @@ type SVIDClient interface { // // The caller must be local or present an admin X509-SVID. MintJWTSVID(ctx context.Context, in *MintJWTSVIDRequest, opts ...grpc.CallOption) (*MintJWTSVIDResponse, error) + // Mints a one-off WIT-SVID outside of the normal node/workload + // registration process. + // + // The caller must be local or present an admin X509-SVID. + MintWITSVID(ctx context.Context, in *MintWITSVIDRequest, opts ...grpc.CallOption) (*MintWITSVIDResponse, error) // Creates one or more X509-SVIDs from registration entries. // // The caller must present an active agent X509-SVID that is authorized 
@@ -50,6 +57,11 @@ type SVIDClient interface { // The caller must present an active agent X509-SVID that is authorized // to mint the requested entry. See the Entry GetAuthorizedEntries RPC. NewJWTSVID(ctx context.Context, in *NewJWTSVIDRequest, opts ...grpc.CallOption) (*NewJWTSVIDResponse, error) + // Creates one or more WIT-SVIDs from registration entries. + // + // The caller must present an active agent X509-SVID that is authorized + // to mint the requested entries. See the Entry GetAuthorizedEntries/SyncA RPC. + BatchNewWITSVID(ctx context.Context, in *BatchNewWITSVIDRequest, opts ...grpc.CallOption) (*BatchNewWITSVIDResponse, error) // Creates an X509 CA certificate appropriate for use by a downstream // entity to mint X509-SVIDs. // @@ -85,6 +97,16 @@ func (c *sVIDClient) MintJWTSVID(ctx context.Context, in *MintJWTSVIDRequest, op return out, nil } +func (c *sVIDClient) MintWITSVID(ctx context.Context, in *MintWITSVIDRequest, opts ...grpc.CallOption) (*MintWITSVIDResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(MintWITSVIDResponse) + err := c.cc.Invoke(ctx, SVID_MintWITSVID_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + func (c *sVIDClient) BatchNewX509SVID(ctx context.Context, in *BatchNewX509SVIDRequest, opts ...grpc.CallOption) (*BatchNewX509SVIDResponse, error) { cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) out := new(BatchNewX509SVIDResponse) 
@@ -105,6 +127,16 @@ func (c *sVIDClient) NewJWTSVID(ctx context.Context, in *NewJWTSVIDRequest, opts return out, nil } +func (c *sVIDClient) BatchNewWITSVID(ctx context.Context, in *BatchNewWITSVIDRequest, opts ...grpc.CallOption) (*BatchNewWITSVIDResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(BatchNewWITSVIDResponse) + err := c.cc.Invoke(ctx, SVID_BatchNewWITSVID_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + func (c *sVIDClient) NewDownstreamX509CA(ctx context.Context, in *NewDownstreamX509CARequest, opts ...grpc.CallOption) (*NewDownstreamX509CAResponse, error) { cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) out := new(NewDownstreamX509CAResponse) @@ -129,6 +161,11 @@ type SVIDServer interface { // // The caller must be local or present an admin X509-SVID. MintJWTSVID(context.Context, *MintJWTSVIDRequest) (*MintJWTSVIDResponse, error) + // Mints a one-off WIT-SVID outside of the normal node/workload + // registration process. + // + // The caller must be local or present an admin X509-SVID. + MintWITSVID(context.Context, *MintWITSVIDRequest) (*MintWITSVIDResponse, error) // Creates one or more X509-SVIDs from registration entries. // // The caller must present an active agent X509-SVID that is authorized 
@@ -139,6 +176,11 @@ type SVIDServer interface { // The caller must present an active agent X509-SVID that is authorized // to mint the requested entry. See the Entry GetAuthorizedEntries RPC. NewJWTSVID(context.Context, *NewJWTSVIDRequest) (*NewJWTSVIDResponse, error) + // Creates one or more WIT-SVIDs from registration entries. + // + // The caller must present an active agent X509-SVID that is authorized + // to mint the requested entries. See the Entry GetAuthorizedEntries/SyncA RPC. + BatchNewWITSVID(context.Context, *BatchNewWITSVIDRequest) (*BatchNewWITSVIDResponse, error) // Creates an X509 CA certificate appropriate for use by a downstream // entity to mint X509-SVIDs. // 
@@ -160,12 +202,18 @@ func (UnimplementedSVIDServer) MintX509SVID(context.Context, *MintX509SVIDReques func (UnimplementedSVIDServer) MintJWTSVID(context.Context, *MintJWTSVIDRequest) (*MintJWTSVIDResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method MintJWTSVID not implemented") } +func (UnimplementedSVIDServer) MintWITSVID(context.Context, *MintWITSVIDRequest) (*MintWITSVIDResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method MintWITSVID not implemented") +} func (UnimplementedSVIDServer) BatchNewX509SVID(context.Context, *BatchNewX509SVIDRequest) (*BatchNewX509SVIDResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method BatchNewX509SVID not implemented") } func (UnimplementedSVIDServer) NewJWTSVID(context.Context, *NewJWTSVIDRequest) (*NewJWTSVIDResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method NewJWTSVID not implemented") } +func (UnimplementedSVIDServer) BatchNewWITSVID(context.Context, *BatchNewWITSVIDRequest) (*BatchNewWITSVIDResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method BatchNewWITSVID not implemented") +} func (UnimplementedSVIDServer) NewDownstreamX509CA(context.Context, *NewDownstreamX509CARequest) (*NewDownstreamX509CAResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method NewDownstreamX509CA not implemented") } 
@@ -226,6 +274,24 @@ func _SVID_MintJWTSVID_Handler(srv interface{}, ctx context.Context, dec func(in return interceptor(ctx, in, info, handler) } +func _SVID_MintWITSVID_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(MintWITSVIDRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(SVIDServer).MintWITSVID(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: SVID_MintWITSVID_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(SVIDServer).MintWITSVID(ctx, req.(*MintWITSVIDRequest)) + } + return interceptor(ctx, in, info, handler) +} + func _SVID_BatchNewX509SVID_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { in := new(BatchNewX509SVIDRequest) if err := dec(in); err != nil { 
@@ -262,6 +328,24 @@ func _SVID_NewJWTSVID_Handler(srv interface{}, ctx context.Context, dec func(int return interceptor(ctx, in, info, handler) } +func _SVID_BatchNewWITSVID_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { + in := new(BatchNewWITSVIDRequest) + if err := dec(in); err != nil { + return nil, err + } + if interceptor == nil { + return srv.(SVIDServer).BatchNewWITSVID(ctx, in) + } + info := &grpc.UnaryServerInfo{ + Server: srv, + FullMethod: SVID_BatchNewWITSVID_FullMethodName, + } + handler := func(ctx context.Context, req interface{}) (interface{}, error) { + return srv.(SVIDServer).BatchNewWITSVID(ctx, req.(*BatchNewWITSVIDRequest)) + } + return interceptor(ctx, in, info, handler) +} + func _SVID_NewDownstreamX509CA_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { in := new(NewDownstreamX509CARequest) if err := dec(in); err != nil { @@ -295,6 +379,10 @@ var SVID_ServiceDesc = grpc.ServiceDesc{ MethodName: "MintJWTSVID", Handler: _SVID_MintJWTSVID_Handler, }, + { + MethodName: "MintWITSVID", + Handler: _SVID_MintWITSVID_Handler, + }, { MethodName: "BatchNewX509SVID", Handler: _SVID_BatchNewX509SVID_Handler, @@ -303,6 +391,10 @@ var SVID_ServiceDesc = grpc.ServiceDesc{ MethodName: "NewJWTSVID", Handler: _SVID_NewJWTSVID_Handler, }, + { + MethodName: "BatchNewWITSVID", + Handler: _SVID_BatchNewWITSVID_Handler, + }, { MethodName: "NewDownstreamX509CA", Handler: _SVID_NewDownstreamX509CA_Handler, diff --git a/proto/spire/api/types/bundle.pb.go b/proto/spire/api/types/bundle.pb.go index e27cb21..41810c3 100644 --- a/proto/spire/api/types/bundle.pb.go +++ b/proto/spire/api/types/bundle.pb.go 
@@ -34,6 +34,8 @@ type Bundle struct { RefreshHint int64 `protobuf:"varint,4,opt,name=refresh_hint,json=refreshHint,proto3" json:"refresh_hint,omitempty"` // The sequence number of the bundle. SequenceNumber uint64 `protobuf:"varint,5,opt,name=sequence_number,json=sequenceNumber,proto3" json:"sequence_number,omitempty"` + // WIT authorities for authenticating WIT-SVIDs. + WitAuthorities []*WITKey `protobuf:"bytes,6,rep,name=wit_authorities,json=witAuthorities,proto3" json:"wit_authorities,omitempty"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } @@ -103,6 +105,13 @@ func (x *Bundle) GetSequenceNumber() uint64 { return 0 } +func (x *Bundle) GetWitAuthorities() []*WITKey { + if x != nil { + return x.WitAuthorities + } + return nil +} + type X509Certificate struct { state protoimpl.MessageState `protogen:"open.v1"` // The ASN.1 DER encoded bytes of the X.509 certificate. 
@@ -230,6 +239,79 @@ func (x *JWTKey) GetTainted() bool { return false } +type WITKey struct { + state protoimpl.MessageState `protogen:"open.v1"` + // The PKIX encoded public key. + PublicKey []byte `protobuf:"bytes,1,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"` + // The key identifier. + KeyId string `protobuf:"bytes,2,opt,name=key_id,json=keyId,proto3" json:"key_id,omitempty"` + // When the key expires (seconds since Unix epoch). If zero, the key does + // not expire. + ExpiresAt int64 `protobuf:"varint,3,opt,name=expires_at,json=expiresAt,proto3" json:"expires_at,omitempty"` + // This authority is no longer secure and must not be used + Tainted bool `protobuf:"varint,4,opt,name=tainted,proto3" json:"tainted,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *WITKey) Reset() { + *x = WITKey{} + mi := &file_spire_api_types_bundle_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *WITKey) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*WITKey) ProtoMessage() {} + +func (x *WITKey) ProtoReflect() protoreflect.Message { + mi := &file_spire_api_types_bundle_proto_msgTypes[3] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use WITKey.ProtoReflect.Descriptor instead. 
+func (*WITKey) Descriptor() ([]byte, []int) { + return file_spire_api_types_bundle_proto_rawDescGZIP(), []int{3} +} + +func (x *WITKey) GetPublicKey() []byte { + if x != nil { + return x.PublicKey + } + return nil +} + +func (x *WITKey) GetKeyId() string { + if x != nil { + return x.KeyId + } + return "" +} + +func (x *WITKey) GetExpiresAt() int64 { + if x != nil { + return x.ExpiresAt + } + return 0 +} + +func (x *WITKey) GetTainted() bool { + if x != nil { + return x.Tainted + } + return false +} + type BundleMask struct { state protoimpl.MessageState `protogen:"open.v1"` // x509_authorities field mask. @@ -240,13 +322,15 @@ type BundleMask struct { RefreshHint bool `protobuf:"varint,4,opt,name=refresh_hint,json=refreshHint,proto3" json:"refresh_hint,omitempty"` // sequence_number field mask. SequenceNumber bool `protobuf:"varint,5,opt,name=sequence_number,json=sequenceNumber,proto3" json:"sequence_number,omitempty"` + // wit_authorities field mask. + WitAuthorities bool `protobuf:"varint,6,opt,name=wit_authorities,json=witAuthorities,proto3" json:"wit_authorities,omitempty"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } func (x *BundleMask) Reset() { *x = BundleMask{} - mi := &file_spire_api_types_bundle_proto_msgTypes[3] + mi := &file_spire_api_types_bundle_proto_msgTypes[4] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -258,7 +342,7 @@ func (x *BundleMask) String() string { func (*BundleMask) ProtoMessage() {} func (x *BundleMask) ProtoReflect() protoreflect.Message { - mi := &file_spire_api_types_bundle_proto_msgTypes[3] + mi := &file_spire_api_types_bundle_proto_msgTypes[4] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { 
@@ -271,7 +355,7 @@ func (x *BundleMask) ProtoReflect() protoreflect.Message { // Deprecated: Use BundleMask.ProtoReflect.Descriptor instead. func (*BundleMask) Descriptor() ([]byte, []int) { - return file_spire_api_types_bundle_proto_rawDescGZIP(), []int{3} + return file_spire_api_types_bundle_proto_rawDescGZIP(), []int{4} } func (x *BundleMask) GetX509Authorities() bool { @@ -302,17 +386,25 @@ func (x *BundleMask) GetSequenceNumber() bool { return false } +func (x *BundleMask) GetWitAuthorities() bool { + if x != nil { + return x.WitAuthorities + } + return false +} + var File_spire_api_types_bundle_proto protoreflect.FileDescriptor const file_spire_api_types_bundle_proto_rawDesc = "" + "\n" + - "\x1cspire/api/types/bundle.proto\x12\x0fspire.api.types\"\x86\x02\n" + + "\x1cspire/api/types/bundle.proto\x12\x0fspire.api.types\"\xc8\x02\n" + "\x06Bundle\x12!\n" + "\ftrust_domain\x18\x01 \x01(\tR\vtrustDomain\x12K\n" + "\x10x509_authorities\x18\x02 \x03(\v2 .spire.api.types.X509CertificateR\x0fx509Authorities\x12@\n" + "\x0fjwt_authorities\x18\x03 \x03(\v2\x17.spire.api.types.JWTKeyR\x0ejwtAuthorities\x12!\n" + "\frefresh_hint\x18\x04 \x01(\x03R\vrefreshHint\x12'\n" + - "\x0fsequence_number\x18\x05 \x01(\x04R\x0esequenceNumber\"?\n" + + "\x0fsequence_number\x18\x05 \x01(\x04R\x0esequenceNumber\x12@\n" + + "\x0fwit_authorities\x18\x06 \x03(\v2\x17.spire.api.types.WITKeyR\x0ewitAuthorities\"?\n" + "\x0fX509Certificate\x12\x12\n" + "\x04asn1\x18\x01 \x01(\fR\x04asn1\x12\x18\n" + "\atainted\x18\x02 \x01(\bR\atainted\"w\n" + 
@@ -322,13 +414,21 @@ const file_spire_api_types_bundle_proto_rawDesc = "" + "\x06key_id\x18\x02 \x01(\tR\x05keyId\x12\x1d\n" + "\n" + "expires_at\x18\x03 \x01(\x03R\texpiresAt\x12\x18\n" + - "\atainted\x18\x04 \x01(\bR\atainted\"\xac\x01\n" + + "\atainted\x18\x04 \x01(\bR\atainted\"w\n" + + "\x06WITKey\x12\x1d\n" + + "\n" + + "public_key\x18\x01 \x01(\fR\tpublicKey\x12\x15\n" + + "\x06key_id\x18\x02 \x01(\tR\x05keyId\x12\x1d\n" + + "\n" + + "expires_at\x18\x03 \x01(\x03R\texpiresAt\x12\x18\n" + + "\atainted\x18\x04 \x01(\bR\atainted\"\xd5\x01\n" + "\n" + "BundleMask\x12)\n" + "\x10x509_authorities\x18\x02 \x01(\bR\x0fx509Authorities\x12'\n" + "\x0fjwt_authorities\x18\x03 \x01(\bR\x0ejwtAuthorities\x12!\n" + "\frefresh_hint\x18\x04 \x01(\bR\vrefreshHint\x12'\n" + - "\x0fsequence_number\x18\x05 \x01(\bR\x0esequenceNumberB7Z5github.com/spiffe/spire-api-sdk/proto/spire/api/typesb\x06proto3" + "\x0fsequence_number\x18\x05 \x01(\bR\x0esequenceNumber\x12'\n" + + "\x0fwit_authorities\x18\x06 \x01(\bR\x0ewitAuthoritiesB7Z5github.com/spiffe/spire-api-sdk/proto/spire/api/typesb\x06proto3" var ( file_spire_api_types_bundle_proto_rawDescOnce sync.Once 
@@ -342,21 +442,23 @@ func file_spire_api_types_bundle_proto_rawDescGZIP() []byte { return file_spire_api_types_bundle_proto_rawDescData } -var file_spire_api_types_bundle_proto_msgTypes = make([]protoimpl.MessageInfo, 4) +var file_spire_api_types_bundle_proto_msgTypes = make([]protoimpl.MessageInfo, 5) var file_spire_api_types_bundle_proto_goTypes = []any{ (*Bundle)(nil), // 0: spire.api.types.Bundle (*X509Certificate)(nil), // 1: spire.api.types.X509Certificate (*JWTKey)(nil), // 2: spire.api.types.JWTKey - (*BundleMask)(nil), // 3: spire.api.types.BundleMask + (*WITKey)(nil), // 3: spire.api.types.WITKey + (*BundleMask)(nil), // 4: spire.api.types.BundleMask } var file_spire_api_types_bundle_proto_depIdxs = []int32{ 1, // 0: spire.api.types.Bundle.x509_authorities:type_name -> spire.api.types.X509Certificate 2, // 1: spire.api.types.Bundle.jwt_authorities:type_name -> spire.api.types.JWTKey - 2, // [2:2] is the sub-list for method output_type - 2, // [2:2] is the sub-list for method input_type - 2, // [2:2] is the sub-list for extension type_name - 2, // [2:2] is the sub-list for extension extendee - 0, // [0:2] is the sub-list for field type_name + 3, // 2: spire.api.types.Bundle.wit_authorities:type_name -> spire.api.types.WITKey + 3, // [3:3] is the sub-list for method output_type + 3, // [3:3] is the sub-list for method input_type + 3, // [3:3] is the sub-list for extension type_name + 3, // [3:3] is the sub-list for extension extendee + 0, // [0:3] is the sub-list for field type_name } func init() { file_spire_api_types_bundle_proto_init() } @@ -370,7 +472,7 @@ func file_spire_api_types_bundle_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: unsafe.Slice(unsafe.StringData(file_spire_api_types_bundle_proto_rawDesc), len(file_spire_api_types_bundle_proto_rawDesc)), NumEnums: 0, - NumMessages: 4, + NumMessages: 5, NumExtensions: 0, NumServices: 0, }, 
diff --git a/proto/spire/api/types/bundle.proto b/proto/spire/api/types/bundle.proto index d011ba6..67250c8 100644 --- a/proto/spire/api/types/bundle.proto +++ b/proto/spire/api/types/bundle.proto @@ -18,6 +18,9 @@ message Bundle { // The sequence number of the bundle. uint64 sequence_number = 5; + + // WIT authorities for authenticating WIT-SVIDs. + repeated WITKey wit_authorities = 6; } message X509Certificate { @@ -43,6 +46,21 @@ message JWTKey { bool tainted = 4; } +message WITKey { + // The PKIX encoded public key. + bytes public_key = 1; + + // The key identifier. + string key_id = 2; + + // When the key expires (seconds since Unix epoch). If zero, the key does + // not expire. + int64 expires_at = 3; + + // This authority is no longer secure and must not be used + bool tainted = 4; +} + message BundleMask { // x509_authorities field mask. bool x509_authorities = 2; @@ -55,4 +73,7 @@ message BundleMask { // sequence_number field mask. bool sequence_number = 5; + + // wit_authorities field mask. + bool wit_authorities = 6; } diff --git a/proto/spire/api/types/witsvid.pb.go b/proto/spire/api/types/witsvid.pb.go new file mode 100644 index 0000000..27bf05a --- /dev/null +++ b/proto/spire/api/types/witsvid.pb.go 
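Review bot: `WITKey.public_key` in the `@@ -43,6 +46,21 @@` hunk is documented as "The PKIX encoded public key", while the same patch documents `MintWITSVIDRequest.public_key` and `NewWITSVIDParams.public_key` as "The ASN.1 DER encoded public key"; if these are meant to be the same SubjectPublicKeyInfo encoding, use one phrasing in all three places so implementers parse and validate a single format rather than guessing whether PEM or a raw key is also accepted. The `tainted` comment copied from JWTKey is also missing its trailing period: `// This authority is no longer secure and must not be used.` Since `expires_at` of zero means the key never expires, it may be worth stating on `tainted` that it is the only signal verifiers have for withdrawing such a key, mirroring whatever the JWTKey comment above says.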
@@ -0,0 +1,172 @@ +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.36.7 +// protoc v6.30.2 +// source: spire/api/types/witsvid.proto + +package types + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" + unsafe "unsafe" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// WIT SPIFFE Verifiable Identity Document. It contains the raw WIT token +// as well as a few denormalized fields for convenience. +type WITSVID struct { + state protoimpl.MessageState `protogen:"open.v1"` + // The serialized JWT token. + Token string `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"` + // The SPIFFE ID of the JWT-SVID. + Id *SPIFFEID `protobuf:"bytes,2,opt,name=id,proto3" json:"id,omitempty"` + // Expiration timestamp (seconds since Unix epoch). + ExpiresAt int64 `protobuf:"varint,3,opt,name=expires_at,json=expiresAt,proto3" json:"expires_at,omitempty"` + // Issuance timestamp (seconds since Unix epoch). + IssuedAt int64 `protobuf:"varint,4,opt,name=issued_at,json=issuedAt,proto3" json:"issued_at,omitempty"` + // Optional. An operator-specified string used to provide guidance on how this + // identity should be used by a workload when more than one SVID is returned. + // For example, `internal` and `external` to indicate an SVID for internal or + // external use, respectively. 
+ Hint string `protobuf:"bytes,5,opt,name=hint,proto3" json:"hint,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *WITSVID) Reset() { + *x = WITSVID{} + mi := &file_spire_api_types_witsvid_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *WITSVID) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*WITSVID) ProtoMessage() {} + +func (x *WITSVID) ProtoReflect() protoreflect.Message { + mi := &file_spire_api_types_witsvid_proto_msgTypes[0] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use WITSVID.ProtoReflect.Descriptor instead. +func (*WITSVID) Descriptor() ([]byte, []int) { + return file_spire_api_types_witsvid_proto_rawDescGZIP(), []int{0} +} + +func (x *WITSVID) GetToken() string { + if x != nil { + return x.Token + } + return "" +} + +func (x *WITSVID) GetId() *SPIFFEID { + if x != nil { + return x.Id + } + return nil +} + +func (x *WITSVID) GetExpiresAt() int64 { + if x != nil { + return x.ExpiresAt + } + return 0 +} + +func (x *WITSVID) GetIssuedAt() int64 { + if x != nil { + return x.IssuedAt + } + return 0 +} + +func (x *WITSVID) GetHint() string { + if x != nil { + return x.Hint + } + return "" +} + +var File_spire_api_types_witsvid_proto protoreflect.FileDescriptor + +const file_spire_api_types_witsvid_proto_rawDesc = "" + + "\n" + + "\x1dspire/api/types/witsvid.proto\x12\x0fspire.api.types\x1a\x1espire/api/types/spiffeid.proto\"\x9a\x01\n" + + "\aWITSVID\x12\x14\n" + + "\x05token\x18\x01 \x01(\tR\x05token\x12)\n" + + "\x02id\x18\x02 \x01(\v2\x19.spire.api.types.SPIFFEIDR\x02id\x12\x1d\n" + + "\n" + + "expires_at\x18\x03 \x01(\x03R\texpiresAt\x12\x1b\n" + + "\tissued_at\x18\x04 \x01(\x03R\bissuedAt\x12\x12\n" + + "\x04hint\x18\x05 
\x01(\tR\x04hintB7Z5github.com/spiffe/spire-api-sdk/proto/spire/api/typesb\x06proto3" + +var ( + file_spire_api_types_witsvid_proto_rawDescOnce sync.Once + file_spire_api_types_witsvid_proto_rawDescData []byte +) + +func file_spire_api_types_witsvid_proto_rawDescGZIP() []byte { + file_spire_api_types_witsvid_proto_rawDescOnce.Do(func() { + file_spire_api_types_witsvid_proto_rawDescData = protoimpl.X.CompressGZIP(unsafe.Slice(unsafe.StringData(file_spire_api_types_witsvid_proto_rawDesc), len(file_spire_api_types_witsvid_proto_rawDesc))) + }) + return file_spire_api_types_witsvid_proto_rawDescData +} + +var file_spire_api_types_witsvid_proto_msgTypes = make([]protoimpl.MessageInfo, 1) +var file_spire_api_types_witsvid_proto_goTypes = []any{ + (*WITSVID)(nil), // 0: spire.api.types.WITSVID + (*SPIFFEID)(nil), // 1: spire.api.types.SPIFFEID +} +var file_spire_api_types_witsvid_proto_depIdxs = []int32{ + 1, // 0: spire.api.types.WITSVID.id:type_name -> spire.api.types.SPIFFEID + 1, // [1:1] is the sub-list for method output_type + 1, // [1:1] is the sub-list for method input_type + 1, // [1:1] is the sub-list for extension type_name + 1, // [1:1] is the sub-list for extension extendee + 0, // [0:1] is the sub-list for field type_name +} + +func init() { file_spire_api_types_witsvid_proto_init() } +func file_spire_api_types_witsvid_proto_init() { + if File_spire_api_types_witsvid_proto != nil { + return + } + file_spire_api_types_spiffeid_proto_init() + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: unsafe.Slice(unsafe.StringData(file_spire_api_types_witsvid_proto_rawDesc), len(file_spire_api_types_witsvid_proto_rawDesc)), + NumEnums: 0, + NumMessages: 1, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_spire_api_types_witsvid_proto_goTypes, + DependencyIndexes: file_spire_api_types_witsvid_proto_depIdxs, + MessageInfos: file_spire_api_types_witsvid_proto_msgTypes, 
+ }.Build() + File_spire_api_types_witsvid_proto = out.File + file_spire_api_types_witsvid_proto_goTypes = nil + file_spire_api_types_witsvid_proto_depIdxs = nil +} diff --git a/proto/spire/api/types/witsvid.proto b/proto/spire/api/types/witsvid.proto new file mode 100644 index 0000000..2d2e48d --- /dev/null +++ b/proto/spire/api/types/witsvid.proto @@ -0,0 +1,28 @@ +syntax = "proto3"; +package spire.api.types; + +option go_package = "github.com/spiffe/spire-api-sdk/proto/spire/api/types"; + +import "spire/api/types/spiffeid.proto"; + +// WIT SPIFFE Verifiable Identity Document. It contains the raw WIT token +// as well as a few denormalized fields for convenience. +message WITSVID { + // The serialized JWT token. + string token = 1; + + // The SPIFFE ID of the JWT-SVID. + spire.api.types.SPIFFEID id = 2; + + // Expiration timestamp (seconds since Unix epoch). + int64 expires_at = 3; + + // Issuance timestamp (seconds since Unix epoch). + int64 issued_at = 4; + + // Optional. An operator-specified string used to provide guidance on how this + // identity should be used by a workload when more than one SVID is returned. + // For example, `internal` and `external` to indicate an SVID for internal or + // external use, respectively. + string hint = 5; +} From 8530f31e6b0e97cdcea383a9ecc6a5d11a4b16e5 Mon Sep 17 00:00:00 2001 From: Sorin Dumitru Date: Mon, 27 Oct 2025 21:31:09 +0000 Subject: [PATCH 2/5] Specify desired protoc_gen_go_version on install Signed-off-by: Sorin Dumitru --- Makefile | 2 +- proto/spire/api/server/bundle/v1/bundle.pb.go | 6 ++--- proto/spire/api/server/bundle/v1/bundle.proto | 2 +- .../api/server/bundle/v1/bundle_grpc.pb.go | 26 +++++++++---------- 4 files changed, 18 insertions(+), 18 deletions(-) diff --git a/Makefile b/Makefile index e848eb1..ee22b31 100644 --- a/Makefile +++ b/Makefile 
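Review bot: In the new witsvid.proto the `token` and `id` field comments of `WITSVID` still describe a JWT ("The serialized JWT token.", "The SPIFFE ID of the JWT-SVID."), evidently copied from jwtsvid.proto. Suggest `// The serialized WIT token.` and `// The SPIFFE ID of the WIT-SVID.`; if the token is in fact JWT-encoded, say so explicitly rather than leaving the reader to infer it from the JWT-SVID wording. The generated witsvid.pb.go in this patch duplicates these comments and should be regenerated after the change.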
@@ -142,7 +142,7 @@ $(protoc_gen_go_bin): | go-check @echo "Installing protoc-gen-go $(protoc_gen_go_version)..." @rm -rf $(protoc_gen_go_base_dir) @mkdir -p $(protoc_gen_go_dir) - @$(go_path) go build -o $(protoc_gen_go_bin) google.golang.org/protobuf/cmd/protoc-gen-go + @GOBIN=$(protoc_gen_go_dir) $(go_path) go install google.golang.org/protobuf/cmd/protoc-gen-go@$(protoc_gen_go_version) ############################################################################# # protoc-gen-go-grpc diff --git a/proto/spire/api/server/bundle/v1/bundle.pb.go b/proto/spire/api/server/bundle/v1/bundle.pb.go index ce6c3b3..ee2487d 100644 --- a/proto/spire/api/server/bundle/v1/bundle.pb.go +++ b/proto/spire/api/server/bundle/v1/bundle.pb.go @@ -1336,7 +1336,7 @@ const file_spire_api_server_bundle_v1_bundle_proto_rawDesc = "" + "\tGetBundle\x12,.spire.api.server.bundle.v1.GetBundleRequest\x1a\x17.spire.api.types.Bundle\x12X\n" + "\fAppendBundle\x12/.spire.api.server.bundle.v1.AppendBundleRequest\x1a\x17.spire.api.types.Bundle\x12\x86\x01\n" + "\x13PublishJWTAuthority\x126.spire.api.server.bundle.v1.PublishJWTAuthorityRequest\x1a7.spire.api.server.bundle.v1.PublishJWTAuthorityResponse\x12\x86\x01\n" + - "\x13PublisWITTAuthority\x126.spire.api.server.bundle.v1.PublishWITAuthorityRequest\x1a7.spire.api.server.bundle.v1.PublishWITAuthorityResponse\x12\x89\x01\n" + + "\x13PublishWITAuthority\x126.spire.api.server.bundle.v1.PublishWITAuthorityRequest\x1a7.spire.api.server.bundle.v1.PublishWITAuthorityResponse\x12\x89\x01\n" + "\x14ListFederatedBundles\x127.spire.api.server.bundle.v1.ListFederatedBundlesRequest\x1a8.spire.api.server.bundle.v1.ListFederatedBundlesResponse\x12d\n" + "\x12GetFederatedBundle\x125.spire.api.server.bundle.v1.GetFederatedBundleRequest\x1a\x17.spire.api.types.Bundle\x12\x9b\x01\n" + "\x1aBatchCreateFederatedBundle\x12=.spire.api.server.bundle.v1.BatchCreateFederatedBundleRequest\x1a>.spire.api.server.bundle.v1.BatchCreateFederatedBundleResponse\x12\x9b\x01\n" + 
@@ -1426,7 +1426,7 @@ var file_spire_api_server_bundle_v1_bundle_proto_depIdxs = []int32{ 3, // 32: spire.api.server.bundle.v1.Bundle.GetBundle:input_type -> spire.api.server.bundle.v1.GetBundleRequest 4, // 33: spire.api.server.bundle.v1.Bundle.AppendBundle:input_type -> spire.api.server.bundle.v1.AppendBundleRequest 5, // 34: spire.api.server.bundle.v1.Bundle.PublishJWTAuthority:input_type -> spire.api.server.bundle.v1.PublishJWTAuthorityRequest - 7, // 35: spire.api.server.bundle.v1.Bundle.PublisWITTAuthority:input_type -> spire.api.server.bundle.v1.PublishWITAuthorityRequest + 7, // 35: spire.api.server.bundle.v1.Bundle.PublishWITAuthority:input_type -> spire.api.server.bundle.v1.PublishWITAuthorityRequest 9, // 36: spire.api.server.bundle.v1.Bundle.ListFederatedBundles:input_type -> spire.api.server.bundle.v1.ListFederatedBundlesRequest 11, // 37: spire.api.server.bundle.v1.Bundle.GetFederatedBundle:input_type -> spire.api.server.bundle.v1.GetFederatedBundleRequest 12, // 38: spire.api.server.bundle.v1.Bundle.BatchCreateFederatedBundle:input_type -> spire.api.server.bundle.v1.BatchCreateFederatedBundleRequest 
@@ -1437,7 +1437,7 @@ var file_spire_api_server_bundle_v1_bundle_proto_depIdxs = []int32{ 28, // 43: spire.api.server.bundle.v1.Bundle.GetBundle:output_type -> spire.api.types.Bundle 28, // 44: spire.api.server.bundle.v1.Bundle.AppendBundle:output_type -> spire.api.types.Bundle 6, // 45: spire.api.server.bundle.v1.Bundle.PublishJWTAuthority:output_type -> spire.api.server.bundle.v1.PublishJWTAuthorityResponse - 8, // 46: spire.api.server.bundle.v1.Bundle.PublisWITTAuthority:output_type -> spire.api.server.bundle.v1.PublishWITAuthorityResponse + 8, // 46: spire.api.server.bundle.v1.Bundle.PublishWITAuthority:output_type -> spire.api.server.bundle.v1.PublishWITAuthorityResponse 10, // 47: spire.api.server.bundle.v1.Bundle.ListFederatedBundles:output_type -> spire.api.server.bundle.v1.ListFederatedBundlesResponse 28, // 48: spire.api.server.bundle.v1.Bundle.GetFederatedBundle:output_type -> spire.api.types.Bundle 13, // 49: spire.api.server.bundle.v1.Bundle.BatchCreateFederatedBundle:output_type -> spire.api.server.bundle.v1.BatchCreateFederatedBundleResponse diff --git a/proto/spire/api/server/bundle/v1/bundle.proto b/proto/spire/api/server/bundle/v1/bundle.proto index 62e595f..24c480c 100644 --- a/proto/spire/api/server/bundle/v1/bundle.proto +++ b/proto/spire/api/server/bundle/v1/bundle.proto @@ -42,7 +42,7 @@ service Bundle { // the server appends the WIT authority to its own bundle. // // The caller must present a downstream X509-SVID. - rpc PublisWITTAuthority(PublishWITAuthorityRequest) returns (PublishWITAuthorityResponse); + rpc PublishWITAuthority(PublishWITAuthorityRequest) returns (PublishWITAuthorityResponse); // Lists federated bundles. // diff --git a/proto/spire/api/server/bundle/v1/bundle_grpc.pb.go b/proto/spire/api/server/bundle/v1/bundle_grpc.pb.go index 0d9bd21..a95cb31 100644 --- a/proto/spire/api/server/bundle/v1/bundle_grpc.pb.go +++ b/proto/spire/api/server/bundle/v1/bundle_grpc.pb.go 
@@ -24,7 +24,7 @@ const ( Bundle_GetBundle_FullMethodName = "/spire.api.server.bundle.v1.Bundle/GetBundle" Bundle_AppendBundle_FullMethodName = "/spire.api.server.bundle.v1.Bundle/AppendBundle" Bundle_PublishJWTAuthority_FullMethodName = "/spire.api.server.bundle.v1.Bundle/PublishJWTAuthority" - Bundle_PublisWITTAuthority_FullMethodName = "/spire.api.server.bundle.v1.Bundle/PublisWITTAuthority" + Bundle_PublishWITAuthority_FullMethodName = "/spire.api.server.bundle.v1.Bundle/PublishWITAuthority" Bundle_ListFederatedBundles_FullMethodName = "/spire.api.server.bundle.v1.Bundle/ListFederatedBundles" Bundle_GetFederatedBundle_FullMethodName = "/spire.api.server.bundle.v1.Bundle/GetFederatedBundle" Bundle_BatchCreateFederatedBundle_FullMethodName = "/spire.api.server.bundle.v1.Bundle/BatchCreateFederatedBundle" @@ -69,7 +69,7 @@ type BundleClient interface { // the server appends the WIT authority to its own bundle. // // The caller must present a downstream X509-SVID. - PublisWITTAuthority(ctx context.Context, in *PublishWITAuthorityRequest, opts ...grpc.CallOption) (*PublishWITAuthorityResponse, error) + PublishWITAuthority(ctx context.Context, in *PublishWITAuthorityRequest, opts ...grpc.CallOption) (*PublishWITAuthorityResponse, error) // Lists federated bundles. // // The caller must be local or present an admin X509-SVID. 
@@ -144,10 +144,10 @@ func (c *bundleClient) PublishJWTAuthority(ctx context.Context, in *PublishJWTAu return out, nil } -func (c *bundleClient) PublisWITTAuthority(ctx context.Context, in *PublishWITAuthorityRequest, opts ...grpc.CallOption) (*PublishWITAuthorityResponse, error) { +func (c *bundleClient) PublishWITAuthority(ctx context.Context, in *PublishWITAuthorityRequest, opts ...grpc.CallOption) (*PublishWITAuthorityResponse, error) { cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) out := new(PublishWITAuthorityResponse) - err := c.cc.Invoke(ctx, Bundle_PublisWITTAuthority_FullMethodName, in, out, cOpts...) + err := c.cc.Invoke(ctx, Bundle_PublishWITAuthority_FullMethodName, in, out, cOpts...) if err != nil { return nil, err } @@ -250,7 +250,7 @@ type BundleServer interface { // the server appends the WIT authority to its own bundle. // // The caller must present a downstream X509-SVID. - PublisWITTAuthority(context.Context, *PublishWITAuthorityRequest) (*PublishWITAuthorityResponse, error) + PublishWITAuthority(context.Context, *PublishWITAuthorityRequest) (*PublishWITAuthorityResponse, error) // Lists federated bundles. // // The caller must be local or present an admin X509-SVID. 
@@ -297,8 +297,8 @@ func (UnimplementedBundleServer) AppendBundle(context.Context, *AppendBundleRequ func (UnimplementedBundleServer) PublishJWTAuthority(context.Context, *PublishJWTAuthorityRequest) (*PublishJWTAuthorityResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method PublishJWTAuthority not implemented") } -func (UnimplementedBundleServer) PublisWITTAuthority(context.Context, *PublishWITAuthorityRequest) (*PublishWITAuthorityResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method PublisWITTAuthority not implemented") +func (UnimplementedBundleServer) PublishWITAuthority(context.Context, *PublishWITAuthorityRequest) (*PublishWITAuthorityResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method PublishWITAuthority not implemented") } func (UnimplementedBundleServer) ListFederatedBundles(context.Context, *ListFederatedBundlesRequest) (*ListFederatedBundlesResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method ListFederatedBundles not implemented") 
@@ -411,20 +411,20 @@ func _Bundle_PublishJWTAuthority_Handler(srv interface{}, ctx context.Context, d return interceptor(ctx, in, info, handler) } -func _Bundle_PublisWITTAuthority_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { +func _Bundle_PublishWITAuthority_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) { in := new(PublishWITAuthorityRequest) if err := dec(in); err != nil { return nil, err } if interceptor == nil { - return srv.(BundleServer).PublisWITTAuthority(ctx, in) + return srv.(BundleServer).PublishWITAuthority(ctx, in) } info := &grpc.UnaryServerInfo{ Server: srv, - FullMethod: Bundle_PublisWITTAuthority_FullMethodName, + FullMethod: Bundle_PublishWITAuthority_FullMethodName, } handler := func(ctx context.Context, req interface{}) (interface{}, error) { - return srv.(BundleServer).PublisWITTAuthority(ctx, req.(*PublishWITAuthorityRequest)) + return srv.(BundleServer).PublishWITAuthority(ctx, req.(*PublishWITAuthorityRequest)) } return interceptor(ctx, in, info, handler) } @@ -561,8 +561,8 @@ var Bundle_ServiceDesc = grpc.ServiceDesc{ Handler: _Bundle_PublishJWTAuthority_Handler, }, { - MethodName: "PublisWITTAuthority", - Handler: _Bundle_PublisWITTAuthority_Handler, + MethodName: "PublishWITAuthority", + Handler: _Bundle_PublishWITAuthority_Handler, }, { MethodName: "ListFederatedBundles", From 467ae70500cd8da915e962206ce205c6e9550075 Mon Sep 17 00:00:00 2001 From: Sorin Dumitru Date: Fri, 7 Nov 2025 09:45:40 +0000 Subject: [PATCH 3/5] Also add local-authority APIs Signed-off-by: Sorin Dumitru --- .../localauthority/v1/localauthority.pb.go | 604 ++++++++++++++++-- .../localauthority/v1/localauthority.proto | 89 +++ .../v1/localauthority_grpc.pb.go | 248 +++++++ 3 files changed, 890 insertions(+), 51 deletions(-) 
diff --git a/proto/spire/api/server/localauthority/v1/localauthority.pb.go b/proto/spire/api/server/localauthority/v1/localauthority.pb.go
index 7595410..23e1c19 100644
--- a/proto/spire/api/server/localauthority/v1/localauthority.pb.go
+++ b/proto/spire/api/server/localauthority/v1/localauthority.pb.go
@@ -1111,6 +1111,456 @@ func (x *RevokeX509AuthorityResponse) GetRevokedAuthority() *AuthorityState { return nil } +type GetWITAuthorityStateRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *GetWITAuthorityStateRequest) Reset() { + *x = GetWITAuthorityStateRequest{} + mi := &file_spire_api_server_localauthority_v1_localauthority_proto_msgTypes[24] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *GetWITAuthorityStateRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GetWITAuthorityStateRequest) ProtoMessage() {} + +func (x *GetWITAuthorityStateRequest) ProtoReflect() protoreflect.Message { + mi := &file_spire_api_server_localauthority_v1_localauthority_proto_msgTypes[24] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GetWITAuthorityStateRequest.ProtoReflect.Descriptor instead. +func (*GetWITAuthorityStateRequest) Descriptor() ([]byte, []int) { + return file_spire_api_server_localauthority_v1_localauthority_proto_rawDescGZIP(), []int{24} +} + +type GetWITAuthorityStateResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + // Authority currently being used for signing operations. + Active *AuthorityState `protobuf:"bytes,1,opt,name=active,proto3" json:"active,omitempty"` + // Authority added on bundle but is not used yet. + Prepared *AuthorityState `protobuf:"bytes,2,opt,name=prepared,proto3" json:"prepared,omitempty"` + // Authority in that was previously used for signing operations, + // but it is not longer. 
+ Old *AuthorityState `protobuf:"bytes,3,opt,name=old,proto3" json:"old,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *GetWITAuthorityStateResponse) Reset() { + *x = GetWITAuthorityStateResponse{} + mi := &file_spire_api_server_localauthority_v1_localauthority_proto_msgTypes[25] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *GetWITAuthorityStateResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*GetWITAuthorityStateResponse) ProtoMessage() {} + +func (x *GetWITAuthorityStateResponse) ProtoReflect() protoreflect.Message { + mi := &file_spire_api_server_localauthority_v1_localauthority_proto_msgTypes[25] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use GetWITAuthorityStateResponse.ProtoReflect.Descriptor instead. 
+func (*GetWITAuthorityStateResponse) Descriptor() ([]byte, []int) { + return file_spire_api_server_localauthority_v1_localauthority_proto_rawDescGZIP(), []int{25} +} + +func (x *GetWITAuthorityStateResponse) GetActive() *AuthorityState { + if x != nil { + return x.Active + } + return nil +} + +func (x *GetWITAuthorityStateResponse) GetPrepared() *AuthorityState { + if x != nil { + return x.Prepared + } + return nil +} + +func (x *GetWITAuthorityStateResponse) GetOld() *AuthorityState { + if x != nil { + return x.Old + } + return nil +} + +type PrepareWITAuthorityRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *PrepareWITAuthorityRequest) Reset() { + *x = PrepareWITAuthorityRequest{} + mi := &file_spire_api_server_localauthority_v1_localauthority_proto_msgTypes[26] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *PrepareWITAuthorityRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*PrepareWITAuthorityRequest) ProtoMessage() {} + +func (x *PrepareWITAuthorityRequest) ProtoReflect() protoreflect.Message { + mi := &file_spire_api_server_localauthority_v1_localauthority_proto_msgTypes[26] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use PrepareWITAuthorityRequest.ProtoReflect.Descriptor instead. 
+func (*PrepareWITAuthorityRequest) Descriptor() ([]byte, []int) { + return file_spire_api_server_localauthority_v1_localauthority_proto_rawDescGZIP(), []int{26} +} + +type PrepareWITAuthorityResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + PreparedAuthority *AuthorityState `protobuf:"bytes,1,opt,name=prepared_authority,json=preparedAuthority,proto3" json:"prepared_authority,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *PrepareWITAuthorityResponse) Reset() { + *x = PrepareWITAuthorityResponse{} + mi := &file_spire_api_server_localauthority_v1_localauthority_proto_msgTypes[27] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *PrepareWITAuthorityResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*PrepareWITAuthorityResponse) ProtoMessage() {} + +func (x *PrepareWITAuthorityResponse) ProtoReflect() protoreflect.Message { + mi := &file_spire_api_server_localauthority_v1_localauthority_proto_msgTypes[27] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use PrepareWITAuthorityResponse.ProtoReflect.Descriptor instead. +func (*PrepareWITAuthorityResponse) Descriptor() ([]byte, []int) { + return file_spire_api_server_localauthority_v1_localauthority_proto_rawDescGZIP(), []int{27} +} + +func (x *PrepareWITAuthorityResponse) GetPreparedAuthority() *AuthorityState { + if x != nil { + return x.PreparedAuthority + } + return nil +} + +type ActivateWITAuthorityRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + // The authority ID of the local authority WIT authority to activate. + // This is the WIT Key ID. 
+ AuthorityId string `protobuf:"bytes,1,opt,name=authority_id,json=authorityId,proto3" json:"authority_id,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *ActivateWITAuthorityRequest) Reset() { + *x = ActivateWITAuthorityRequest{} + mi := &file_spire_api_server_localauthority_v1_localauthority_proto_msgTypes[28] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *ActivateWITAuthorityRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ActivateWITAuthorityRequest) ProtoMessage() {} + +func (x *ActivateWITAuthorityRequest) ProtoReflect() protoreflect.Message { + mi := &file_spire_api_server_localauthority_v1_localauthority_proto_msgTypes[28] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ActivateWITAuthorityRequest.ProtoReflect.Descriptor instead. 
+func (*ActivateWITAuthorityRequest) Descriptor() ([]byte, []int) { + return file_spire_api_server_localauthority_v1_localauthority_proto_rawDescGZIP(), []int{28} +} + +func (x *ActivateWITAuthorityRequest) GetAuthorityId() string { + if x != nil { + return x.AuthorityId + } + return "" +} + +type ActivateWITAuthorityResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + ActivatedAuthority *AuthorityState `protobuf:"bytes,1,opt,name=activated_authority,json=activatedAuthority,proto3" json:"activated_authority,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *ActivateWITAuthorityResponse) Reset() { + *x = ActivateWITAuthorityResponse{} + mi := &file_spire_api_server_localauthority_v1_localauthority_proto_msgTypes[29] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *ActivateWITAuthorityResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ActivateWITAuthorityResponse) ProtoMessage() {} + +func (x *ActivateWITAuthorityResponse) ProtoReflect() protoreflect.Message { + mi := &file_spire_api_server_localauthority_v1_localauthority_proto_msgTypes[29] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ActivateWITAuthorityResponse.ProtoReflect.Descriptor instead. +func (*ActivateWITAuthorityResponse) Descriptor() ([]byte, []int) { + return file_spire_api_server_localauthority_v1_localauthority_proto_rawDescGZIP(), []int{29} +} + +func (x *ActivateWITAuthorityResponse) GetActivatedAuthority() *AuthorityState { + if x != nil { + return x.ActivatedAuthority + } + return nil +} + +type TaintWITAuthorityRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + // The authority ID of the local authority WIT authority to taint. + // This is the WIT Key ID. 
+ AuthorityId string `protobuf:"bytes,1,opt,name=authority_id,json=authorityId,proto3" json:"authority_id,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *TaintWITAuthorityRequest) Reset() { + *x = TaintWITAuthorityRequest{} + mi := &file_spire_api_server_localauthority_v1_localauthority_proto_msgTypes[30] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *TaintWITAuthorityRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*TaintWITAuthorityRequest) ProtoMessage() {} + +func (x *TaintWITAuthorityRequest) ProtoReflect() protoreflect.Message { + mi := &file_spire_api_server_localauthority_v1_localauthority_proto_msgTypes[30] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use TaintWITAuthorityRequest.ProtoReflect.Descriptor instead. 
+func (*TaintWITAuthorityRequest) Descriptor() ([]byte, []int) { + return file_spire_api_server_localauthority_v1_localauthority_proto_rawDescGZIP(), []int{30} +} + +func (x *TaintWITAuthorityRequest) GetAuthorityId() string { + if x != nil { + return x.AuthorityId + } + return "" +} + +type TaintWITAuthorityResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + TaintedAuthority *AuthorityState `protobuf:"bytes,1,opt,name=tainted_authority,json=taintedAuthority,proto3" json:"tainted_authority,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *TaintWITAuthorityResponse) Reset() { + *x = TaintWITAuthorityResponse{} + mi := &file_spire_api_server_localauthority_v1_localauthority_proto_msgTypes[31] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *TaintWITAuthorityResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*TaintWITAuthorityResponse) ProtoMessage() {} + +func (x *TaintWITAuthorityResponse) ProtoReflect() protoreflect.Message { + mi := &file_spire_api_server_localauthority_v1_localauthority_proto_msgTypes[31] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use TaintWITAuthorityResponse.ProtoReflect.Descriptor instead. +func (*TaintWITAuthorityResponse) Descriptor() ([]byte, []int) { + return file_spire_api_server_localauthority_v1_localauthority_proto_rawDescGZIP(), []int{31} +} + +func (x *TaintWITAuthorityResponse) GetTaintedAuthority() *AuthorityState { + if x != nil { + return x.TaintedAuthority + } + return nil +} + +type RevokeWITAuthorityRequest struct { + state protoimpl.MessageState `protogen:"open.v1"` + // The authority ID of the local authority WIT authority to revoke. + // This is the WIT Key ID. 
+ AuthorityId string `protobuf:"bytes,1,opt,name=authority_id,json=authorityId,proto3" json:"authority_id,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *RevokeWITAuthorityRequest) Reset() { + *x = RevokeWITAuthorityRequest{} + mi := &file_spire_api_server_localauthority_v1_localauthority_proto_msgTypes[32] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *RevokeWITAuthorityRequest) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*RevokeWITAuthorityRequest) ProtoMessage() {} + +func (x *RevokeWITAuthorityRequest) ProtoReflect() protoreflect.Message { + mi := &file_spire_api_server_localauthority_v1_localauthority_proto_msgTypes[32] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use RevokeWITAuthorityRequest.ProtoReflect.Descriptor instead. 
+func (*RevokeWITAuthorityRequest) Descriptor() ([]byte, []int) { + return file_spire_api_server_localauthority_v1_localauthority_proto_rawDescGZIP(), []int{32} +} + +func (x *RevokeWITAuthorityRequest) GetAuthorityId() string { + if x != nil { + return x.AuthorityId + } + return "" +} + +type RevokeWITAuthorityResponse struct { + state protoimpl.MessageState `protogen:"open.v1"` + RevokedAuthority *AuthorityState `protobuf:"bytes,1,opt,name=revoked_authority,json=revokedAuthority,proto3" json:"revoked_authority,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache +} + +func (x *RevokeWITAuthorityResponse) Reset() { + *x = RevokeWITAuthorityResponse{} + mi := &file_spire_api_server_localauthority_v1_localauthority_proto_msgTypes[33] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) +} + +func (x *RevokeWITAuthorityResponse) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*RevokeWITAuthorityResponse) ProtoMessage() {} + +func (x *RevokeWITAuthorityResponse) ProtoReflect() protoreflect.Message { + mi := &file_spire_api_server_localauthority_v1_localauthority_proto_msgTypes[33] + if x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use RevokeWITAuthorityResponse.ProtoReflect.Descriptor instead. +func (*RevokeWITAuthorityResponse) Descriptor() ([]byte, []int) { + return file_spire_api_server_localauthority_v1_localauthority_proto_rawDescGZIP(), []int{33} +} + +func (x *RevokeWITAuthorityResponse) GetRevokedAuthority() *AuthorityState { + if x != nil { + return x.RevokedAuthority + } + return nil +} + type AuthorityState struct { state protoimpl.MessageState `protogen:"open.v1"` // The authority ID. 
@@ -1126,7 +1576,7 @@ type AuthorityState struct { func (x *AuthorityState) Reset() { *x = AuthorityState{} - mi := &file_spire_api_server_localauthority_v1_localauthority_proto_msgTypes[24] + mi := &file_spire_api_server_localauthority_v1_localauthority_proto_msgTypes[34] ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) ms.StoreMessageInfo(mi) } @@ -1138,7 +1588,7 @@ func (x *AuthorityState) String() string { func (*AuthorityState) ProtoMessage() {} func (x *AuthorityState) ProtoReflect() protoreflect.Message { - mi := &file_spire_api_server_localauthority_v1_localauthority_proto_msgTypes[24] + mi := &file_spire_api_server_localauthority_v1_localauthority_proto_msgTypes[34] if x != nil { ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) if ms.LoadMessageInfo() == nil { @@ -1151,7 +1601,7 @@ func (x *AuthorityState) ProtoReflect() protoreflect.Message { // Deprecated: Use AuthorityState.ProtoReflect.Descriptor instead. func (*AuthorityState) Descriptor() ([]byte, []int) { - return file_spire_api_server_localauthority_v1_localauthority_proto_rawDescGZIP(), []int{24} + return file_spire_api_server_localauthority_v1_localauthority_proto_rawDescGZIP(), []int{34} } func (x *AuthorityState) GetAuthorityId() string { 
@@ -1227,12 +1677,32 @@ const file_spire_api_server_localauthority_v1_localauthority_proto_rawDesc = "" "\x1aRevokeX509AuthorityRequest\x12!\n" + "\fauthority_id\x18\x01 \x01(\tR\vauthorityId\"~\n" + "\x1bRevokeX509AuthorityResponse\x12_\n" + + "\x11revoked_authority\x18\x01 \x01(\v22.spire.api.server.localauthority.v1.AuthorityStateR\x10revokedAuthority\"\x1d\n" + + "\x1bGetWITAuthorityStateRequest\"\x80\x02\n" + + "\x1cGetWITAuthorityStateResponse\x12J\n" + + "\x06active\x18\x01 \x01(\v22.spire.api.server.localauthority.v1.AuthorityStateR\x06active\x12N\n" + + "\bprepared\x18\x02 \x01(\v22.spire.api.server.localauthority.v1.AuthorityStateR\bprepared\x12D\n" + + "\x03old\x18\x03 \x01(\v22.spire.api.server.localauthority.v1.AuthorityStateR\x03old\"\x1c\n" + + "\x1aPrepareWITAuthorityRequest\"\x80\x01\n" + + "\x1bPrepareWITAuthorityResponse\x12a\n" + + "\x12prepared_authority\x18\x01 \x01(\v22.spire.api.server.localauthority.v1.AuthorityStateR\x11preparedAuthority\"@\n" + + "\x1bActivateWITAuthorityRequest\x12!\n" + + "\fauthority_id\x18\x01 \x01(\tR\vauthorityId\"\x83\x01\n" + + "\x1cActivateWITAuthorityResponse\x12c\n" + + "\x13activated_authority\x18\x01 \x01(\v22.spire.api.server.localauthority.v1.AuthorityStateR\x12activatedAuthority\"=\n" + + "\x18TaintWITAuthorityRequest\x12!\n" + + "\fauthority_id\x18\x01 \x01(\tR\vauthorityId\"|\n" + + "\x19TaintWITAuthorityResponse\x12_\n" + + "\x11tainted_authority\x18\x01 \x01(\v22.spire.api.server.localauthority.v1.AuthorityStateR\x10taintedAuthority\">\n" + + "\x19RevokeWITAuthorityRequest\x12!\n" + + "\fauthority_id\x18\x01 \x01(\tR\vauthorityId\"}\n" + + "\x1aRevokeWITAuthorityResponse\x12_\n" + "\x11revoked_authority\x18\x01 \x01(\v22.spire.api.server.localauthority.v1.AuthorityStateR\x10revokedAuthority\"\x9c\x01\n" + "\x0eAuthorityState\x12!\n" + "\fauthority_id\x18\x01 \x01(\tR\vauthorityId\x12\x1d\n" + "\n" + "expires_at\x18\x02 \x01(\x03R\texpiresAt\x12H\n" + - "!upstream_authority_subject_key_id\x18\x03 
\x01(\tR\x1dupstreamAuthoritySubjectKeyId2\xf2\x0e\n" + + "!upstream_authority_subject_key_id\x18\x03 \x01(\tR\x1dupstreamAuthoritySubjectKeyId2\xec\x14\n" + "\x0eLocalAuthority\x12\x99\x01\n" + "\x14GetJWTAuthorityState\x12?.spire.api.server.localauthority.v1.GetJWTAuthorityStateRequest\x1a@.spire.api.server.localauthority.v1.GetJWTAuthorityStateResponse\x12\x96\x01\n" + "\x13PrepareJWTAuthority\x12>.spire.api.server.localauthority.v1.PrepareJWTAuthorityRequest\x1a?.spire.api.server.localauthority.v1.PrepareJWTAuthorityResponse\x12\x99\x01\n" + 
@@ -1245,7 +1715,12 @@ const file_spire_api_server_localauthority_v1_localauthority_proto_rawDesc = "" "\x12TaintX509Authority\x12=.spire.api.server.localauthority.v1.TaintX509AuthorityRequest\x1a>.spire.api.server.localauthority.v1.TaintX509AuthorityResponse\x12\xab\x01\n" + "\x1aTaintX509UpstreamAuthority\x12E.spire.api.server.localauthority.v1.TaintX509UpstreamAuthorityRequest\x1aF.spire.api.server.localauthority.v1.TaintX509UpstreamAuthorityResponse\x12\x96\x01\n" + "\x13RevokeX509Authority\x12>.spire.api.server.localauthority.v1.RevokeX509AuthorityRequest\x1a?.spire.api.server.localauthority.v1.RevokeX509AuthorityResponse\x12\xae\x01\n" + - "\x1bRevokeX509UpstreamAuthority\x12F.spire.api.server.localauthority.v1.RevokeX509UpstreamAuthorityRequest\x1aG.spire.api.server.localauthority.v1.RevokeX509UpstreamAuthorityResponseB[ZYgithub.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1;localauthorityv1b\x06proto3" + "\x1bRevokeX509UpstreamAuthority\x12F.spire.api.server.localauthority.v1.RevokeX509UpstreamAuthorityRequest\x1aG.spire.api.server.localauthority.v1.RevokeX509UpstreamAuthorityResponse\x12\x99\x01\n" + + "\x14GetWITAuthorityState\x12?.spire.api.server.localauthority.v1.GetWITAuthorityStateRequest\x1a@.spire.api.server.localauthority.v1.GetWITAuthorityStateResponse\x12\x96\x01\n" + + "\x13PrepareWITAuthority\x12>.spire.api.server.localauthority.v1.PrepareWITAuthorityRequest\x1a?.spire.api.server.localauthority.v1.PrepareWITAuthorityResponse\x12\x99\x01\n" + + "\x14ActivateWITAuthority\x12?.spire.api.server.localauthority.v1.ActivateWITAuthorityRequest\x1a@.spire.api.server.localauthority.v1.ActivateWITAuthorityResponse\x12\x90\x01\n" + + "\x11TaintWITAuthority\x12<.spire.api.server.localauthority.v1.TaintWITAuthorityRequest\x1a=.spire.api.server.localauthority.v1.TaintWITAuthorityResponse\x12\x93\x01\n" + + 
"\x12RevokeWITAuthority\x12=.spire.api.server.localauthority.v1.RevokeWITAuthorityRequest\x1a>.spire.api.server.localauthority.v1.RevokeWITAuthorityResponseB[ZYgithub.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1;localauthorityv1b\x06proto3" var ( file_spire_api_server_localauthority_v1_localauthority_proto_rawDescOnce sync.Once @@ -1259,7 +1734,7 @@ func file_spire_api_server_localauthority_v1_localauthority_proto_rawDescGZIP() return file_spire_api_server_localauthority_v1_localauthority_proto_rawDescData } -var file_spire_api_server_localauthority_v1_localauthority_proto_msgTypes = make([]protoimpl.MessageInfo, 25) +var file_spire_api_server_localauthority_v1_localauthority_proto_msgTypes = make([]protoimpl.MessageInfo, 35) var file_spire_api_server_localauthority_v1_localauthority_proto_goTypes = []any{ (*GetJWTAuthorityStateRequest)(nil), // 0: spire.api.server.localauthority.v1.GetJWTAuthorityStateRequest (*GetJWTAuthorityStateResponse)(nil), // 1: spire.api.server.localauthority.v1.GetJWTAuthorityStateResponse 
@@ -1285,52 +1760,79 @@ var file_spire_api_server_localauthority_v1_localauthority_proto_goTypes = []any (*RevokeX509UpstreamAuthorityResponse)(nil), // 21: spire.api.server.localauthority.v1.RevokeX509UpstreamAuthorityResponse (*RevokeX509AuthorityRequest)(nil), // 22: spire.api.server.localauthority.v1.RevokeX509AuthorityRequest (*RevokeX509AuthorityResponse)(nil), // 23: spire.api.server.localauthority.v1.RevokeX509AuthorityResponse - (*AuthorityState)(nil), // 24: spire.api.server.localauthority.v1.AuthorityState + (*GetWITAuthorityStateRequest)(nil), // 24: spire.api.server.localauthority.v1.GetWITAuthorityStateRequest + (*GetWITAuthorityStateResponse)(nil), // 25: spire.api.server.localauthority.v1.GetWITAuthorityStateResponse + (*PrepareWITAuthorityRequest)(nil), // 26: spire.api.server.localauthority.v1.PrepareWITAuthorityRequest + (*PrepareWITAuthorityResponse)(nil), // 27: spire.api.server.localauthority.v1.PrepareWITAuthorityResponse + (*ActivateWITAuthorityRequest)(nil), // 28: spire.api.server.localauthority.v1.ActivateWITAuthorityRequest + (*ActivateWITAuthorityResponse)(nil), // 29: spire.api.server.localauthority.v1.ActivateWITAuthorityResponse + (*TaintWITAuthorityRequest)(nil), // 30: spire.api.server.localauthority.v1.TaintWITAuthorityRequest + (*TaintWITAuthorityResponse)(nil), // 31: spire.api.server.localauthority.v1.TaintWITAuthorityResponse + (*RevokeWITAuthorityRequest)(nil), // 32: spire.api.server.localauthority.v1.RevokeWITAuthorityRequest + (*RevokeWITAuthorityResponse)(nil), // 33: spire.api.server.localauthority.v1.RevokeWITAuthorityResponse + (*AuthorityState)(nil), // 34: spire.api.server.localauthority.v1.AuthorityState } var file_spire_api_server_localauthority_v1_localauthority_proto_depIdxs = []int32{ - 24, // 0: spire.api.server.localauthority.v1.GetJWTAuthorityStateResponse.active:type_name -> spire.api.server.localauthority.v1.AuthorityState - 24, // 1: 
spire.api.server.localauthority.v1.GetJWTAuthorityStateResponse.prepared:type_name -> spire.api.server.localauthority.v1.AuthorityState - 24, // 2: spire.api.server.localauthority.v1.GetJWTAuthorityStateResponse.old:type_name -> spire.api.server.localauthority.v1.AuthorityState - 24, // 3: spire.api.server.localauthority.v1.PrepareJWTAuthorityResponse.prepared_authority:type_name -> spire.api.server.localauthority.v1.AuthorityState - 24, // 4: spire.api.server.localauthority.v1.ActivateJWTAuthorityResponse.activated_authority:type_name -> spire.api.server.localauthority.v1.AuthorityState - 24, // 5: spire.api.server.localauthority.v1.TaintJWTAuthorityResponse.tainted_authority:type_name -> spire.api.server.localauthority.v1.AuthorityState - 24, // 6: spire.api.server.localauthority.v1.RevokeJWTAuthorityResponse.revoked_authority:type_name -> spire.api.server.localauthority.v1.AuthorityState - 24, // 7: spire.api.server.localauthority.v1.GetX509AuthorityStateResponse.active:type_name -> spire.api.server.localauthority.v1.AuthorityState - 24, // 8: spire.api.server.localauthority.v1.GetX509AuthorityStateResponse.prepared:type_name -> spire.api.server.localauthority.v1.AuthorityState - 24, // 9: spire.api.server.localauthority.v1.GetX509AuthorityStateResponse.old:type_name -> spire.api.server.localauthority.v1.AuthorityState - 24, // 10: spire.api.server.localauthority.v1.PrepareX509AuthorityResponse.prepared_authority:type_name -> spire.api.server.localauthority.v1.AuthorityState - 24, // 11: spire.api.server.localauthority.v1.ActivateX509AuthorityResponse.activated_authority:type_name -> spire.api.server.localauthority.v1.AuthorityState - 24, // 12: spire.api.server.localauthority.v1.TaintX509AuthorityResponse.tainted_authority:type_name -> spire.api.server.localauthority.v1.AuthorityState - 24, // 13: spire.api.server.localauthority.v1.RevokeX509AuthorityResponse.revoked_authority:type_name -> spire.api.server.localauthority.v1.AuthorityState - 0, // 14: 
spire.api.server.localauthority.v1.LocalAuthority.GetJWTAuthorityState:input_type -> spire.api.server.localauthority.v1.GetJWTAuthorityStateRequest - 2, // 15: spire.api.server.localauthority.v1.LocalAuthority.PrepareJWTAuthority:input_type -> spire.api.server.localauthority.v1.PrepareJWTAuthorityRequest - 4, // 16: spire.api.server.localauthority.v1.LocalAuthority.ActivateJWTAuthority:input_type -> spire.api.server.localauthority.v1.ActivateJWTAuthorityRequest - 6, // 17: spire.api.server.localauthority.v1.LocalAuthority.TaintJWTAuthority:input_type -> spire.api.server.localauthority.v1.TaintJWTAuthorityRequest - 8, // 18: spire.api.server.localauthority.v1.LocalAuthority.RevokeJWTAuthority:input_type -> spire.api.server.localauthority.v1.RevokeJWTAuthorityRequest - 10, // 19: spire.api.server.localauthority.v1.LocalAuthority.GetX509AuthorityState:input_type -> spire.api.server.localauthority.v1.GetX509AuthorityStateRequest - 12, // 20: spire.api.server.localauthority.v1.LocalAuthority.PrepareX509Authority:input_type -> spire.api.server.localauthority.v1.PrepareX509AuthorityRequest - 14, // 21: spire.api.server.localauthority.v1.LocalAuthority.ActivateX509Authority:input_type -> spire.api.server.localauthority.v1.ActivateX509AuthorityRequest - 16, // 22: spire.api.server.localauthority.v1.LocalAuthority.TaintX509Authority:input_type -> spire.api.server.localauthority.v1.TaintX509AuthorityRequest - 18, // 23: spire.api.server.localauthority.v1.LocalAuthority.TaintX509UpstreamAuthority:input_type -> spire.api.server.localauthority.v1.TaintX509UpstreamAuthorityRequest - 22, // 24: spire.api.server.localauthority.v1.LocalAuthority.RevokeX509Authority:input_type -> spire.api.server.localauthority.v1.RevokeX509AuthorityRequest - 20, // 25: spire.api.server.localauthority.v1.LocalAuthority.RevokeX509UpstreamAuthority:input_type -> spire.api.server.localauthority.v1.RevokeX509UpstreamAuthorityRequest - 1, // 26: 
spire.api.server.localauthority.v1.LocalAuthority.GetJWTAuthorityState:output_type -> spire.api.server.localauthority.v1.GetJWTAuthorityStateResponse - 3, // 27: spire.api.server.localauthority.v1.LocalAuthority.PrepareJWTAuthority:output_type -> spire.api.server.localauthority.v1.PrepareJWTAuthorityResponse - 5, // 28: spire.api.server.localauthority.v1.LocalAuthority.ActivateJWTAuthority:output_type -> spire.api.server.localauthority.v1.ActivateJWTAuthorityResponse - 7, // 29: spire.api.server.localauthority.v1.LocalAuthority.TaintJWTAuthority:output_type -> spire.api.server.localauthority.v1.TaintJWTAuthorityResponse - 9, // 30: spire.api.server.localauthority.v1.LocalAuthority.RevokeJWTAuthority:output_type -> spire.api.server.localauthority.v1.RevokeJWTAuthorityResponse - 11, // 31: spire.api.server.localauthority.v1.LocalAuthority.GetX509AuthorityState:output_type -> spire.api.server.localauthority.v1.GetX509AuthorityStateResponse - 13, // 32: spire.api.server.localauthority.v1.LocalAuthority.PrepareX509Authority:output_type -> spire.api.server.localauthority.v1.PrepareX509AuthorityResponse - 15, // 33: spire.api.server.localauthority.v1.LocalAuthority.ActivateX509Authority:output_type -> spire.api.server.localauthority.v1.ActivateX509AuthorityResponse - 17, // 34: spire.api.server.localauthority.v1.LocalAuthority.TaintX509Authority:output_type -> spire.api.server.localauthority.v1.TaintX509AuthorityResponse - 19, // 35: spire.api.server.localauthority.v1.LocalAuthority.TaintX509UpstreamAuthority:output_type -> spire.api.server.localauthority.v1.TaintX509UpstreamAuthorityResponse - 23, // 36: spire.api.server.localauthority.v1.LocalAuthority.RevokeX509Authority:output_type -> spire.api.server.localauthority.v1.RevokeX509AuthorityResponse - 21, // 37: spire.api.server.localauthority.v1.LocalAuthority.RevokeX509UpstreamAuthority:output_type -> spire.api.server.localauthority.v1.RevokeX509UpstreamAuthorityResponse - 26, // [26:38] is the sub-list for method 
output_type - 14, // [14:26] is the sub-list for method input_type - 14, // [14:14] is the sub-list for extension type_name - 14, // [14:14] is the sub-list for extension extendee - 0, // [0:14] is the sub-list for field type_name + 34, // 0: spire.api.server.localauthority.v1.GetJWTAuthorityStateResponse.active:type_name -> spire.api.server.localauthority.v1.AuthorityState + 34, // 1: spire.api.server.localauthority.v1.GetJWTAuthorityStateResponse.prepared:type_name -> spire.api.server.localauthority.v1.AuthorityState + 34, // 2: spire.api.server.localauthority.v1.GetJWTAuthorityStateResponse.old:type_name -> spire.api.server.localauthority.v1.AuthorityState + 34, // 3: spire.api.server.localauthority.v1.PrepareJWTAuthorityResponse.prepared_authority:type_name -> spire.api.server.localauthority.v1.AuthorityState + 34, // 4: spire.api.server.localauthority.v1.ActivateJWTAuthorityResponse.activated_authority:type_name -> spire.api.server.localauthority.v1.AuthorityState + 34, // 5: spire.api.server.localauthority.v1.TaintJWTAuthorityResponse.tainted_authority:type_name -> spire.api.server.localauthority.v1.AuthorityState + 34, // 6: spire.api.server.localauthority.v1.RevokeJWTAuthorityResponse.revoked_authority:type_name -> spire.api.server.localauthority.v1.AuthorityState + 34, // 7: spire.api.server.localauthority.v1.GetX509AuthorityStateResponse.active:type_name -> spire.api.server.localauthority.v1.AuthorityState + 34, // 8: spire.api.server.localauthority.v1.GetX509AuthorityStateResponse.prepared:type_name -> spire.api.server.localauthority.v1.AuthorityState + 34, // 9: spire.api.server.localauthority.v1.GetX509AuthorityStateResponse.old:type_name -> spire.api.server.localauthority.v1.AuthorityState + 34, // 10: spire.api.server.localauthority.v1.PrepareX509AuthorityResponse.prepared_authority:type_name -> spire.api.server.localauthority.v1.AuthorityState + 34, // 11: spire.api.server.localauthority.v1.ActivateX509AuthorityResponse.activated_authority:type_name 
-> spire.api.server.localauthority.v1.AuthorityState + 34, // 12: spire.api.server.localauthority.v1.TaintX509AuthorityResponse.tainted_authority:type_name -> spire.api.server.localauthority.v1.AuthorityState + 34, // 13: spire.api.server.localauthority.v1.RevokeX509AuthorityResponse.revoked_authority:type_name -> spire.api.server.localauthority.v1.AuthorityState + 34, // 14: spire.api.server.localauthority.v1.GetWITAuthorityStateResponse.active:type_name -> spire.api.server.localauthority.v1.AuthorityState + 34, // 15: spire.api.server.localauthority.v1.GetWITAuthorityStateResponse.prepared:type_name -> spire.api.server.localauthority.v1.AuthorityState + 34, // 16: spire.api.server.localauthority.v1.GetWITAuthorityStateResponse.old:type_name -> spire.api.server.localauthority.v1.AuthorityState + 34, // 17: spire.api.server.localauthority.v1.PrepareWITAuthorityResponse.prepared_authority:type_name -> spire.api.server.localauthority.v1.AuthorityState + 34, // 18: spire.api.server.localauthority.v1.ActivateWITAuthorityResponse.activated_authority:type_name -> spire.api.server.localauthority.v1.AuthorityState + 34, // 19: spire.api.server.localauthority.v1.TaintWITAuthorityResponse.tainted_authority:type_name -> spire.api.server.localauthority.v1.AuthorityState + 34, // 20: spire.api.server.localauthority.v1.RevokeWITAuthorityResponse.revoked_authority:type_name -> spire.api.server.localauthority.v1.AuthorityState + 0, // 21: spire.api.server.localauthority.v1.LocalAuthority.GetJWTAuthorityState:input_type -> spire.api.server.localauthority.v1.GetJWTAuthorityStateRequest + 2, // 22: spire.api.server.localauthority.v1.LocalAuthority.PrepareJWTAuthority:input_type -> spire.api.server.localauthority.v1.PrepareJWTAuthorityRequest + 4, // 23: spire.api.server.localauthority.v1.LocalAuthority.ActivateJWTAuthority:input_type -> spire.api.server.localauthority.v1.ActivateJWTAuthorityRequest + 6, // 24: 
spire.api.server.localauthority.v1.LocalAuthority.TaintJWTAuthority:input_type -> spire.api.server.localauthority.v1.TaintJWTAuthorityRequest + 8, // 25: spire.api.server.localauthority.v1.LocalAuthority.RevokeJWTAuthority:input_type -> spire.api.server.localauthority.v1.RevokeJWTAuthorityRequest + 10, // 26: spire.api.server.localauthority.v1.LocalAuthority.GetX509AuthorityState:input_type -> spire.api.server.localauthority.v1.GetX509AuthorityStateRequest + 12, // 27: spire.api.server.localauthority.v1.LocalAuthority.PrepareX509Authority:input_type -> spire.api.server.localauthority.v1.PrepareX509AuthorityRequest + 14, // 28: spire.api.server.localauthority.v1.LocalAuthority.ActivateX509Authority:input_type -> spire.api.server.localauthority.v1.ActivateX509AuthorityRequest + 16, // 29: spire.api.server.localauthority.v1.LocalAuthority.TaintX509Authority:input_type -> spire.api.server.localauthority.v1.TaintX509AuthorityRequest + 18, // 30: spire.api.server.localauthority.v1.LocalAuthority.TaintX509UpstreamAuthority:input_type -> spire.api.server.localauthority.v1.TaintX509UpstreamAuthorityRequest + 22, // 31: spire.api.server.localauthority.v1.LocalAuthority.RevokeX509Authority:input_type -> spire.api.server.localauthority.v1.RevokeX509AuthorityRequest + 20, // 32: spire.api.server.localauthority.v1.LocalAuthority.RevokeX509UpstreamAuthority:input_type -> spire.api.server.localauthority.v1.RevokeX509UpstreamAuthorityRequest + 24, // 33: spire.api.server.localauthority.v1.LocalAuthority.GetWITAuthorityState:input_type -> spire.api.server.localauthority.v1.GetWITAuthorityStateRequest + 26, // 34: spire.api.server.localauthority.v1.LocalAuthority.PrepareWITAuthority:input_type -> spire.api.server.localauthority.v1.PrepareWITAuthorityRequest + 28, // 35: spire.api.server.localauthority.v1.LocalAuthority.ActivateWITAuthority:input_type -> spire.api.server.localauthority.v1.ActivateWITAuthorityRequest + 30, // 36: 
spire.api.server.localauthority.v1.LocalAuthority.TaintWITAuthority:input_type -> spire.api.server.localauthority.v1.TaintWITAuthorityRequest + 32, // 37: spire.api.server.localauthority.v1.LocalAuthority.RevokeWITAuthority:input_type -> spire.api.server.localauthority.v1.RevokeWITAuthorityRequest + 1, // 38: spire.api.server.localauthority.v1.LocalAuthority.GetJWTAuthorityState:output_type -> spire.api.server.localauthority.v1.GetJWTAuthorityStateResponse + 3, // 39: spire.api.server.localauthority.v1.LocalAuthority.PrepareJWTAuthority:output_type -> spire.api.server.localauthority.v1.PrepareJWTAuthorityResponse + 5, // 40: spire.api.server.localauthority.v1.LocalAuthority.ActivateJWTAuthority:output_type -> spire.api.server.localauthority.v1.ActivateJWTAuthorityResponse + 7, // 41: spire.api.server.localauthority.v1.LocalAuthority.TaintJWTAuthority:output_type -> spire.api.server.localauthority.v1.TaintJWTAuthorityResponse + 9, // 42: spire.api.server.localauthority.v1.LocalAuthority.RevokeJWTAuthority:output_type -> spire.api.server.localauthority.v1.RevokeJWTAuthorityResponse + 11, // 43: spire.api.server.localauthority.v1.LocalAuthority.GetX509AuthorityState:output_type -> spire.api.server.localauthority.v1.GetX509AuthorityStateResponse + 13, // 44: spire.api.server.localauthority.v1.LocalAuthority.PrepareX509Authority:output_type -> spire.api.server.localauthority.v1.PrepareX509AuthorityResponse + 15, // 45: spire.api.server.localauthority.v1.LocalAuthority.ActivateX509Authority:output_type -> spire.api.server.localauthority.v1.ActivateX509AuthorityResponse + 17, // 46: spire.api.server.localauthority.v1.LocalAuthority.TaintX509Authority:output_type -> spire.api.server.localauthority.v1.TaintX509AuthorityResponse + 19, // 47: spire.api.server.localauthority.v1.LocalAuthority.TaintX509UpstreamAuthority:output_type -> spire.api.server.localauthority.v1.TaintX509UpstreamAuthorityResponse + 23, // 48: 
spire.api.server.localauthority.v1.LocalAuthority.RevokeX509Authority:output_type -> spire.api.server.localauthority.v1.RevokeX509AuthorityResponse + 21, // 49: spire.api.server.localauthority.v1.LocalAuthority.RevokeX509UpstreamAuthority:output_type -> spire.api.server.localauthority.v1.RevokeX509UpstreamAuthorityResponse + 25, // 50: spire.api.server.localauthority.v1.LocalAuthority.GetWITAuthorityState:output_type -> spire.api.server.localauthority.v1.GetWITAuthorityStateResponse + 27, // 51: spire.api.server.localauthority.v1.LocalAuthority.PrepareWITAuthority:output_type -> spire.api.server.localauthority.v1.PrepareWITAuthorityResponse + 29, // 52: spire.api.server.localauthority.v1.LocalAuthority.ActivateWITAuthority:output_type -> spire.api.server.localauthority.v1.ActivateWITAuthorityResponse + 31, // 53: spire.api.server.localauthority.v1.LocalAuthority.TaintWITAuthority:output_type -> spire.api.server.localauthority.v1.TaintWITAuthorityResponse + 33, // 54: spire.api.server.localauthority.v1.LocalAuthority.RevokeWITAuthority:output_type -> spire.api.server.localauthority.v1.RevokeWITAuthorityResponse + 38, // [38:55] is the sub-list for method output_type + 21, // [21:38] is the sub-list for method input_type + 21, // [21:21] is the sub-list for extension type_name + 21, // [21:21] is the sub-list for extension extendee + 0, // [0:21] is the sub-list for field type_name } func init() { file_spire_api_server_localauthority_v1_localauthority_proto_init() } @@ -1344,7 +1846,7 @@ func file_spire_api_server_localauthority_v1_localauthority_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: unsafe.Slice(unsafe.StringData(file_spire_api_server_localauthority_v1_localauthority_proto_rawDesc), len(file_spire_api_server_localauthority_v1_localauthority_proto_rawDesc)), NumEnums: 0, - NumMessages: 25, + NumMessages: 35, NumExtensions: 0, NumServices: 1, }, 
diff --git a/proto/spire/api/server/localauthority/v1/localauthority.proto b/proto/spire/api/server/localauthority/v1/localauthority.proto
index ff58049..3373d29 100644
--- a/proto/spire/api/server/localauthority/v1/localauthority.proto
+++ b/proto/spire/api/server/localauthority/v1/localauthority.proto
@@ -106,6 +106,45 @@ service LocalAuthority {
 // If a previously active X.509 upstream authority does not exist, a FailedPrecondition
 // error will be returned.
 rpc RevokeX509UpstreamAuthority(RevokeX509UpstreamAuthorityRequest) returns (RevokeX509UpstreamAuthorityResponse);
+
+ // GetWITAuthorityState returns the state of all locally configured
+ // WIT authorities.
+ rpc GetWITAuthorityState(GetWITAuthorityStateRequest) returns (GetWITAuthorityStateResponse);
+
+ // PrepareWITAuthority prepares a new WIT authority for use by
+ // generating a new key and injecting it into the bundle. This action
+ // will propagate the new public key cluster-wide.
+ rpc PrepareWITAuthority(PrepareWITAuthorityRequest) returns (PrepareWITAuthorityResponse);
+
+ // ActivateWITAuthority activates a prepared WIT authority for use,
+ // which will cause it to be used for all WIT signing operations
+ // serviced by this server going forward. If a new WIT authority has
+ // not already been prepared, a FailedPrecondition error will be returned.
+ rpc ActivateWITAuthority(ActivateWITAuthorityRequest) returns (ActivateWITAuthorityResponse);
+
+ // TaintWITAuthority marks the previously active WIT authority as
+ // being tainted. SPIRE Agents observing an authority to be tainted
+ // will perform proactive rotations of any key material related to
+ // the tainted authority. The result of this action will be observed
+ // cluster-wide.
+ // The WIT authority to taint is identified using the authority ID of
+ // the old WIT authority.
+ //
+ // If a previously active WIT authority does not exist (e.g. if one
+ // has been prepared but not activated yet), a FailedPrecondition
+ // error will be returned.
+ rpc TaintWITAuthority(TaintWITAuthorityRequest) returns (TaintWITAuthorityResponse);
+
+ // RevokeWITAuthority revokes the previously active WIT authority by
+ // removing it from the bundle and propagating this update throughout
+ // the cluster.
+ // The WIT authority to revoke is identified using the authority ID of
+ // the old WIT authority.
+ //
+ // If a previously active WIT authority does not exist (e.g. if one
+ // has been prepared but not activated yet), a FailedPrecondition
+ // error will be returned.
+ rpc RevokeWITAuthority(RevokeWITAuthorityRequest) returns (RevokeWITAuthorityResponse);
 }
 
 message GetJWTAuthorityStateRequest {}
@@ -238,6 +277,56 @@ message RevokeX509AuthorityResponse {
 AuthorityState revoked_authority = 1;
 }
 
+message GetWITAuthorityStateRequest {}
+
+message GetWITAuthorityStateResponse {
+ // Authority currently being used for signing operations.
+ AuthorityState active = 1;
+
+ // Authority added on bundle but is not used yet.
+ AuthorityState prepared = 2;
+
+ // Authority in that was previously used for signing operations,
+ // but it is not longer.
+ AuthorityState old = 3;
+}
+
+message PrepareWITAuthorityRequest {}
+
+message PrepareWITAuthorityResponse {
+ AuthorityState prepared_authority = 1;
+}
+
+message ActivateWITAuthorityRequest {
+ // The authority ID of the local authority WIT authority to activate.
+ // This is the WIT Key ID.
+ string authority_id = 1;
+}
+
+message ActivateWITAuthorityResponse {
+ AuthorityState activated_authority = 1;
+}
+
+message TaintWITAuthorityRequest {
+ // The authority ID of the local authority WIT authority to taint.
+ // This is the WIT Key ID.
+ string authority_id = 1;
+}
+
+message TaintWITAuthorityResponse {
+ AuthorityState tainted_authority = 1;
+}
+
+message RevokeWITAuthorityRequest {
+ // The authority ID of the local authority WIT authority to revoke.
+ // This is the WIT Key ID.
+ string authority_id = 1;
+}
+
+message RevokeWITAuthorityResponse {
+ AuthorityState revoked_authority = 1;
+}
+
 message AuthorityState {
 // The authority ID.
 string authority_id = 1;
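Review bot: The ActivateWITAuthority, TaintWITAuthority and RevokeWITAuthority comments in this hunk say which authority each operation targets ("the prepared" / "the old" one) but not what happens when the supplied authority_id names a different authority — Activate with an ID that is not the prepared authority, or Taint/Revoke with the ID of the currently active signing authority. For a revocation API that removes a key from the bundle cluster-wide, an operator needs that contract stated, and the FailedPrecondition sentences only cover the case where no old authority exists at all. I would add to TaintWITAuthority and RevokeWITAuthority a line such as `// Passing the authority ID of the currently active WIT authority is rejected; activate a replacement first.` and to ActivateWITAuthority `// An authority_id that does not match the prepared authority is rejected.`, with the exact status code filled in from the server implementation, which this commit does not include — and if the server does not actually enforce the active-authority check, that is the issue to fix rather than the comment. The X.509 and JWT RPCs above the hunk carry the same gap, so the wording could be applied to them in the same pass.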
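Review bot: The comment on GetWITAuthorityStateResponse.old is garbled — "Authority in that was previously used for signing operations, but it is not longer." — and looks copied from the existing JWT/X.509 responses; I would replace the two lines with `// Authority that was previously used for signing operations but no longer is.`. The three authority_id fields each say `// This is the WIT Key ID.` without telling the caller where that value comes from; since Taint and Revoke act on a key cluster-wide, adding `// Obtain it from GetWITAuthorityState (AuthorityState.authority_id).` to each would make the provenance explicit and steer callers away from guessing IDs. The AuthorityState message whose header is the hunk's last context line is cut off at the hunk's end, so I could not confirm whether its authority_id comment already says this for WIT keys.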
diff --git a/proto/spire/api/server/localauthority/v1/localauthority_grpc.pb.go b/proto/spire/api/server/localauthority/v1/localauthority_grpc.pb.go index ab80057..66483af 100644 --- a/proto/spire/api/server/localauthority/v1/localauthority_grpc.pb.go +++ b/proto/spire/api/server/localauthority/v1/localauthority_grpc.pb.go @@ -31,6 +31,11 @@ const ( LocalAuthority_TaintX509UpstreamAuthority_FullMethodName = "/spire.api.server.localauthority.v1.LocalAuthority/TaintX509UpstreamAuthority" LocalAuthority_RevokeX509Authority_FullMethodName = "/spire.api.server.localauthority.v1.LocalAuthority/RevokeX509Authority" LocalAuthority_RevokeX509UpstreamAuthority_FullMethodName = "/spire.api.server.localauthority.v1.LocalAuthority/RevokeX509UpstreamAuthority" + LocalAuthority_GetWITAuthorityState_FullMethodName = "/spire.api.server.localauthority.v1.LocalAuthority/GetWITAuthorityState" + LocalAuthority_PrepareWITAuthority_FullMethodName = "/spire.api.server.localauthority.v1.LocalAuthority/PrepareWITAuthority" + LocalAuthority_ActivateWITAuthority_FullMethodName = "/spire.api.server.localauthority.v1.LocalAuthority/ActivateWITAuthority" + LocalAuthority_TaintWITAuthority_FullMethodName = "/spire.api.server.localauthority.v1.LocalAuthority/TaintWITAuthority" + LocalAuthority_RevokeWITAuthority_FullMethodName = "/spire.api.server.localauthority.v1.LocalAuthority/RevokeWITAuthority" ) // LocalAuthorityClient is the client API for LocalAuthority service. 
@@ -130,6 +135,40 @@ type LocalAuthorityClient interface { // If a previously active X.509 upstream authority does not exist, a FailedPrecondition // error will be returned. RevokeX509UpstreamAuthority(ctx context.Context, in *RevokeX509UpstreamAuthorityRequest, opts ...grpc.CallOption) (*RevokeX509UpstreamAuthorityResponse, error) + // GetWITAuthorityState returns the state of all locally configured + // WIT authorities. + GetWITAuthorityState(ctx context.Context, in *GetWITAuthorityStateRequest, opts ...grpc.CallOption) (*GetWITAuthorityStateResponse, error) + // PrepareWITAuthority prepares a new WIT authority for use by + // generating a new key and injecting it into the bundle. This action + // will propagate the new public key cluster-wide. + PrepareWITAuthority(ctx context.Context, in *PrepareWITAuthorityRequest, opts ...grpc.CallOption) (*PrepareWITAuthorityResponse, error) + // ActivateWITAuthority activates a prepared WIT authority for use, + // which will cause it to be used for all WIT signing operations + // serviced by this server going forward. If a new WIT authority has + // not already been prepared, a FailedPrecondition error will be returned. + ActivateWITAuthority(ctx context.Context, in *ActivateWITAuthorityRequest, opts ...grpc.CallOption) (*ActivateWITAuthorityResponse, error) + // TaintWITAuthority marks the previously active WIT authority as + // being tainted. SPIRE Agents observing an authority to be tainted + // will perform proactive rotations of any key material related to + // the tainted authority. The result of this action will be observed + // cluster-wide. + // The WIT authority to taint is identified using the authority ID of + // the old WIT authority. + // + // If a previously active WIT authority does not exist (e.g. if one + // has been prepared but not activated yet), a FailedPrecondition + // error will be returned. 
+ TaintWITAuthority(ctx context.Context, in *TaintWITAuthorityRequest, opts ...grpc.CallOption) (*TaintWITAuthorityResponse, error) + // RevokeWITAuthority revokes the previously active WIT authority by + // removing it from the bundle and propagating this update throughout + // the cluster. + // The WIT authority to revoke is identified using the authority ID of + // the old WIT authority. + // + // If a previously active WIT authority does not exist (e.g. if one + // has been prepared but not activated yet), a FailedPrecondition + // error will be returned. + RevokeWITAuthority(ctx context.Context, in *RevokeWITAuthorityRequest, opts ...grpc.CallOption) (*RevokeWITAuthorityResponse, error) } type localAuthorityClient struct { 
@@ -260,6 +299,56 @@ func (c *localAuthorityClient) RevokeX509UpstreamAuthority(ctx context.Context, return out, nil } +func (c *localAuthorityClient) GetWITAuthorityState(ctx context.Context, in *GetWITAuthorityStateRequest, opts ...grpc.CallOption) (*GetWITAuthorityStateResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(GetWITAuthorityStateResponse) + err := c.cc.Invoke(ctx, LocalAuthority_GetWITAuthorityState_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *localAuthorityClient) PrepareWITAuthority(ctx context.Context, in *PrepareWITAuthorityRequest, opts ...grpc.CallOption) (*PrepareWITAuthorityResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(PrepareWITAuthorityResponse) + err := c.cc.Invoke(ctx, LocalAuthority_PrepareWITAuthority_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *localAuthorityClient) ActivateWITAuthority(ctx context.Context, in *ActivateWITAuthorityRequest, opts ...grpc.CallOption) (*ActivateWITAuthorityResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(ActivateWITAuthorityResponse) + err := c.cc.Invoke(ctx, LocalAuthority_ActivateWITAuthority_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + +func (c *localAuthorityClient) TaintWITAuthority(ctx context.Context, in *TaintWITAuthorityRequest, opts ...grpc.CallOption) (*TaintWITAuthorityResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(TaintWITAuthorityResponse) + err := c.cc.Invoke(ctx, LocalAuthority_TaintWITAuthority_FullMethodName, in, out, cOpts...) 
+ if err != nil { + return nil, err + } + return out, nil +} + +func (c *localAuthorityClient) RevokeWITAuthority(ctx context.Context, in *RevokeWITAuthorityRequest, opts ...grpc.CallOption) (*RevokeWITAuthorityResponse, error) { + cOpts := append([]grpc.CallOption{grpc.StaticMethod()}, opts...) + out := new(RevokeWITAuthorityResponse) + err := c.cc.Invoke(ctx, LocalAuthority_RevokeWITAuthority_FullMethodName, in, out, cOpts...) + if err != nil { + return nil, err + } + return out, nil +} + // LocalAuthorityServer is the server API for LocalAuthority service. // All implementations must embed UnimplementedLocalAuthorityServer // for forward compatibility. 
@@ -357,6 +446,40 @@ type LocalAuthorityServer interface { // If a previously active X.509 upstream authority does not exist, a FailedPrecondition // error will be returned. RevokeX509UpstreamAuthority(context.Context, *RevokeX509UpstreamAuthorityRequest) (*RevokeX509UpstreamAuthorityResponse, error) + // GetWITAuthorityState returns the state of all locally configured + // WIT authorities. + GetWITAuthorityState(context.Context, *GetWITAuthorityStateRequest) (*GetWITAuthorityStateResponse, error) + // PrepareWITAuthority prepares a new WIT authority for use by + // generating a new key and injecting it into the bundle. This action + // will propagate the new public key cluster-wide. + PrepareWITAuthority(context.Context, *PrepareWITAuthorityRequest) (*PrepareWITAuthorityResponse, error) + // ActivateWITAuthority activates a prepared WIT authority for use, + // which will cause it to be used for all WIT signing operations + // serviced by this server going forward. If a new WIT authority has + // not already been prepared, a FailedPrecondition error will be returned. + ActivateWITAuthority(context.Context, *ActivateWITAuthorityRequest) (*ActivateWITAuthorityResponse, error) + // TaintWITAuthority marks the previously active WIT authority as + // being tainted. SPIRE Agents observing an authority to be tainted + // will perform proactive rotations of any key material related to + // the tainted authority. The result of this action will be observed + // cluster-wide. + // The WIT authority to taint is identified using the authority ID of + // the old WIT authority. + // + // If a previously active WIT authority does not exist (e.g. if one + // has been prepared but not activated yet), a FailedPrecondition + // error will be returned. 
+ TaintWITAuthority(context.Context, *TaintWITAuthorityRequest) (*TaintWITAuthorityResponse, error) + // RevokeWITAuthority revokes the previously active WIT authority by + // removing it from the bundle and propagating this update throughout + // the cluster. + // The WIT authority to revoke is identified using the authority ID of + // the old WIT authority. + // + // If a previously active WIT authority does not exist (e.g. if one + // has been prepared but not activated yet), a FailedPrecondition + // error will be returned. + RevokeWITAuthority(context.Context, *RevokeWITAuthorityRequest) (*RevokeWITAuthorityResponse, error) mustEmbedUnimplementedLocalAuthorityServer() } 
@@ -403,6 +526,21 @@ func (UnimplementedLocalAuthorityServer) RevokeX509Authority(context.Context, *R func (UnimplementedLocalAuthorityServer) RevokeX509UpstreamAuthority(context.Context, *RevokeX509UpstreamAuthorityRequest) (*RevokeX509UpstreamAuthorityResponse, error) { return nil, status.Errorf(codes.Unimplemented, "method RevokeX509UpstreamAuthority not implemented") } +func (UnimplementedLocalAuthorityServer) GetWITAuthorityState(context.Context, *GetWITAuthorityStateRequest) (*GetWITAuthorityStateResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method GetWITAuthorityState not implemented") +} +func (UnimplementedLocalAuthorityServer) PrepareWITAuthority(context.Context, *PrepareWITAuthorityRequest) (*PrepareWITAuthorityResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method PrepareWITAuthority not implemented") +} +func (UnimplementedLocalAuthorityServer) ActivateWITAuthority(context.Context, *ActivateWITAuthorityRequest) (*ActivateWITAuthorityResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method ActivateWITAuthority not implemented") +} +func (UnimplementedLocalAuthorityServer) TaintWITAuthority(context.Context, *TaintWITAuthorityRequest) (*TaintWITAuthorityResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method TaintWITAuthority not implemented") +} +func (UnimplementedLocalAuthorityServer) RevokeWITAuthority(context.Context, *RevokeWITAuthorityRequest) (*RevokeWITAuthorityResponse, error) { + return nil, status.Errorf(codes.Unimplemented, "method RevokeWITAuthority not implemented") +} func (UnimplementedLocalAuthorityServer) mustEmbedUnimplementedLocalAuthorityServer() {} func (UnimplementedLocalAuthorityServer) testEmbeddedByValue() {} 
@@ -640,6 +778,96 @@ func _LocalAuthority_RevokeX509UpstreamAuthority_Handler(srv interface{}, ctx co
 return interceptor(ctx, in, info, handler)
 }
+func _LocalAuthority_GetWITAuthorityState_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+ in := new(GetWITAuthorityStateRequest)
+ if err := dec(in); err != nil {
+ return nil, err
+ }
+ if interceptor == nil {
+ return srv.(LocalAuthorityServer).GetWITAuthorityState(ctx, in)
+ }
+ info := &grpc.UnaryServerInfo{
+ Server: srv,
+ FullMethod: LocalAuthority_GetWITAuthorityState_FullMethodName,
+ }
+ handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+ return srv.(LocalAuthorityServer).GetWITAuthorityState(ctx, req.(*GetWITAuthorityStateRequest))
+ }
+ return interceptor(ctx, in, info, handler)
+}
+
+func _LocalAuthority_PrepareWITAuthority_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+ in := new(PrepareWITAuthorityRequest)
+ if err := dec(in); err != nil {
+ return nil, err
+ }
+ if interceptor == nil {
+ return srv.(LocalAuthorityServer).PrepareWITAuthority(ctx, in)
+ }
+ info := &grpc.UnaryServerInfo{
+ Server: srv,
+ FullMethod: LocalAuthority_PrepareWITAuthority_FullMethodName,
+ }
+ handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+ return srv.(LocalAuthorityServer).PrepareWITAuthority(ctx, req.(*PrepareWITAuthorityRequest))
+ }
+ return interceptor(ctx, in, info, handler)
+}
+
+func _LocalAuthority_ActivateWITAuthority_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+ in := new(ActivateWITAuthorityRequest)
+ if err := dec(in); err != nil {
+ return nil, err
+ }
+ if interceptor == nil {
+ return srv.(LocalAuthorityServer).ActivateWITAuthority(ctx, in)
+ }
+ info := &grpc.UnaryServerInfo{
+ Server: srv,
+ FullMethod: LocalAuthority_ActivateWITAuthority_FullMethodName,
+ }
+ handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+ return srv.(LocalAuthorityServer).ActivateWITAuthority(ctx, req.(*ActivateWITAuthorityRequest))
+ }
+ return interceptor(ctx, in, info, handler)
+}
+
+func _LocalAuthority_TaintWITAuthority_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+ in := new(TaintWITAuthorityRequest)
+ if err := dec(in); err != nil {
+ return nil, err
+ }
+ if interceptor == nil {
+ return srv.(LocalAuthorityServer).TaintWITAuthority(ctx, in)
+ }
+ info := &grpc.UnaryServerInfo{
+ Server: srv,
+ FullMethod: LocalAuthority_TaintWITAuthority_FullMethodName,
+ }
+ handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+ return srv.(LocalAuthorityServer).TaintWITAuthority(ctx, req.(*TaintWITAuthorityRequest))
+ }
+ return interceptor(ctx, in, info, handler)
+}
+
+func _LocalAuthority_RevokeWITAuthority_Handler(srv interface{}, ctx context.Context, dec func(interface{}) error, interceptor grpc.UnaryServerInterceptor) (interface{}, error) {
+ in := new(RevokeWITAuthorityRequest)
+ if err := dec(in); err != nil {
+ return nil, err
+ }
+ if interceptor == nil {
+ return srv.(LocalAuthorityServer).RevokeWITAuthority(ctx, in)
+ }
+ info := &grpc.UnaryServerInfo{
+ Server: srv,
+ FullMethod: LocalAuthority_RevokeWITAuthority_FullMethodName,
+ }
+ handler := func(ctx context.Context, req interface{}) (interface{}, error) {
+ return srv.(LocalAuthorityServer).RevokeWITAuthority(ctx, req.(*RevokeWITAuthorityRequest))
+ }
+ return interceptor(ctx, in, info, handler)
+}
+
 // LocalAuthority_ServiceDesc is the grpc.ServiceDesc for LocalAuthority service.
 // It's only intended for direct use with grpc.RegisterService,
 // and not to be introspected or modified (even as a copy)
@@ -695,6 +923,26 @@ var LocalAuthority_ServiceDesc = grpc.ServiceDesc{
 MethodName: "RevokeX509UpstreamAuthority",
 Handler: _LocalAuthority_RevokeX509UpstreamAuthority_Handler,
 },
+ {
+ MethodName: "GetWITAuthorityState",
+ Handler: _LocalAuthority_GetWITAuthorityState_Handler,
+ },
+ {
+ MethodName: "PrepareWITAuthority",
+ Handler: _LocalAuthority_PrepareWITAuthority_Handler,
+ },
+ {
+ MethodName: "ActivateWITAuthority",
+ Handler: _LocalAuthority_ActivateWITAuthority_Handler,
+ },
+ {
+ MethodName: "TaintWITAuthority",
+ Handler: _LocalAuthority_TaintWITAuthority_Handler,
+ },
+ {
+ MethodName: "RevokeWITAuthority",
+ Handler: _LocalAuthority_RevokeWITAuthority_Handler,
+ },
 },
 Streams: []grpc.StreamDesc{},
 Metadata: "spire/api/server/localauthority/v1/localauthority.proto",
From 501000adecc3b3017efd67f15b18e90424eecf99 Mon Sep 17 00:00:00 2001
From: Sorin Dumitru
Date: Fri, 7 Nov 2025 16:46:54 +0000
Subject: [PATCH 4/5] Fixup typos
Signed-off-by: Sorin Dumitru
---
 proto/spire/api/server/svid/v1/svid.pb.go | 6 +++---
 proto/spire/api/server/svid/v1/svid.proto | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/proto/spire/api/server/svid/v1/svid.pb.go b/proto/spire/api/server/svid/v1/svid.pb.go
index 95153b2..ce5d859 100644
--- a/proto/spire/api/server/svid/v1/svid.pb.go
+++ b/proto/spire/api/server/svid/v1/svid.pb.go
@@ -497,7 +497,7 @@ func (x *NewJWTSVIDRequest) GetAudience() []string {
 type BatchNewWITSVIDRequest struct {
 state protoimpl.MessageState `protogen:"open.v1"`
- // Required. One or more X509-SVID parameters for X509-SVID entries to
+ // Required. One or more WIT-SVID parameters for WIT-SVID entries to
 // be signed.
 Params []*NewWITSVIDParams `protobuf:"bytes,1,rep,name=params,proto3" json:"params,omitempty"`
 unknownFields protoimpl.UnknownFields
@@ -543,7 +543,7 @@ func (x *BatchNewWITSVIDRequest) GetParams() []*NewWITSVIDParams {
 type BatchNewWITSVIDResponse struct {
 state protoimpl.MessageState `protogen:"open.v1"`
- // Result for each X509-SVID requested (order is maintained).
+ // Result for each WIT-SVID requested (order is maintained).
 Results []*BatchNewWITSVIDResponse_Result `protobuf:"bytes,1,rep,name=results,proto3" json:"results,omitempty"`
 unknownFields protoimpl.UnknownFields
 sizeCache protoimpl.SizeCache
@@ -913,7 +913,7 @@ type BatchNewWITSVIDResponse_Result struct {
 state protoimpl.MessageState `protogen:"open.v1"`
 // The status of creating the WIT-SVID.
 Status *types.Status `protobuf:"bytes,1,opt,name=status,proto3" json:"status,omitempty"`
- // The newly created X509-SVID. This will be set if the status is OK.
+ // The newly created WIT-SVID. This will be set if the status is OK.
 Svid *types.WITSVID `protobuf:"bytes,2,opt,name=svid,proto3" json:"svid,omitempty"`
 unknownFields protoimpl.UnknownFields
 sizeCache protoimpl.SizeCache
diff --git a/proto/spire/api/server/svid/v1/svid.proto b/proto/spire/api/server/svid/v1/svid.proto
index c27d1c3..bad5589 100644
--- a/proto/spire/api/server/svid/v1/svid.proto
+++ b/proto/spire/api/server/svid/v1/svid.proto
@@ -139,7 +139,7 @@ message NewJWTSVIDRequest {
 message BatchNewWITSVIDRequest {
- // Required. One or more X509-SVID parameters for X509-SVID entries to
+ // Required. One or more WIT-SVID parameters for WIT-SVID entries to
 // be signed.
 repeated NewWITSVIDParams params = 1;
 }
@@ -149,11 +149,11 @@ message BatchNewWITSVIDResponse {
 // The status of creating the WIT-SVID.
 spire.api.types.Status status = 1;
- // The newly created X509-SVID. This will be set if the status is OK.
+ // The newly created WIT-SVID. This will be set if the status is OK.
 spire.api.types.WITSVID svid = 2;
 }
- // Result for each X509-SVID requested (order is maintained).
+ // Result for each WIT-SVID requested (order is maintained).
 repeated Result results = 1;
 }
From 9c15297fd94f152610f5bb0ce4b72fd613f88c6c Mon Sep 17 00:00:00 2001
From: Sorin Dumitru
Date: Fri, 7 Nov 2025 17:14:21 +0000
Subject: [PATCH 5/5] Some more typos
Signed-off-by: Sorin Dumitru
---
 proto/spire/api/types/witsvid.pb.go | 4 ++--
 proto/spire/api/types/witsvid.proto | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/proto/spire/api/types/witsvid.pb.go b/proto/spire/api/types/witsvid.pb.go
index 27bf05a..b5faa8d 100644
--- a/proto/spire/api/types/witsvid.pb.go
+++ b/proto/spire/api/types/witsvid.pb.go
@@ -25,9 +25,9 @@ const (
 // as well as a few denormalized fields for convenience.
 type WITSVID struct {
 state protoimpl.MessageState `protogen:"open.v1"`
- // The serialized JWT token.
+ // The serialized WIT token.
 Token string `protobuf:"bytes,1,opt,name=token,proto3" json:"token,omitempty"`
- // The SPIFFE ID of the JWT-SVID.
+ // The SPIFFE ID of the WIT-SVID.
 Id *SPIFFEID `protobuf:"bytes,2,opt,name=id,proto3" json:"id,omitempty"`
 // Expiration timestamp (seconds since Unix epoch).
 ExpiresAt int64 `protobuf:"varint,3,opt,name=expires_at,json=expiresAt,proto3" json:"expires_at,omitempty"`
diff --git a/proto/spire/api/types/witsvid.proto b/proto/spire/api/types/witsvid.proto
index 2d2e48d..6d23da1 100644
--- a/proto/spire/api/types/witsvid.proto
+++ b/proto/spire/api/types/witsvid.proto
@@ -8,10 +8,10 @@ import "spire/api/types/spiffeid.proto";
 // WIT SPIFFE Verifiable Identity Document. It contains the raw WIT token
 // as well as a few denormalized fields for convenience.
 message WITSVID {
- // The serialized JWT token.
+ // The serialized WIT token.
 string token = 1;
- // The SPIFFE ID of the JWT-SVID.
+ // The SPIFFE ID of the WIT-SVID.
 spire.api.types.SPIFFEID id = 2;
 // Expiration timestamp (seconds since Unix epoch).