Add a JWT-SVID authentication method

Using this method, the client will fetch its JWT-SVID and send it in the
authentication field.
The socket endpoint is found through the SPIFFE_ENDPOINT_SOCKET
environment variable.

Signed-off-by: Hugues de Valon <[email protected]>

Author: hug-dev

Cargo.toml

@@ -19,6 +19,7 @@ log = "0.4.11"
 derivative = "2.1.1"
 zeroize = "1.1.0"
 users = "0.10.0"
+spiffe = { path = "../../rust-spiffe/spiffe" }
 
 [dev-dependencies]
 mockstream = "0.0.3"

src/auth.rs

@@ -1,7 +1,12 @@
 // Copyright 2020 Contributors to the Parsec project.
 // SPDX-License-Identifier: Apache-2.0
 //! Client app authentication data
+use crate::error::{ClientErrorKind, Error, Result};
+use log::error;
 use parsec_interface::requests::{request::RequestAuth, AuthType};
+use spiffe::workload::jwt::JWTClient;
+use std::convert::TryFrom;
+use std::env;
 
 /// Authentication data used in Parsec requests
 #[derive(Clone, Debug)]
@@ -19,6 +24,10 @@ pub enum Authentication {
     /// Used for authentication via Peer Credentials provided by Unix
     /// operating systems for Domain Socket connections.
     UnixPeerCredentials,
+    /// Authentication using JWT SVID tokens. The will fetch its JWT-SVID and pass it in the
+    /// Authentication field. The socket endpoint is found through the SPIFFE_ENDPOINT_SOCKET
+    /// environment variable.
+    JwtSvid,
 }
 
 impl Authentication {
@@ -28,18 +37,40 @@ impl Authentication {
             Authentication::None => AuthType::NoAuth,
             Authentication::Direct(_) => AuthType::Direct,
             Authentication::UnixPeerCredentials => AuthType::UnixPeerCredentials,
+            Authentication::JwtSvid => AuthType::JwtSvid,
         }
     }
 }
 
-impl From<&Authentication> for RequestAuth {
-    fn from(data: &Authentication) -> Self {
+impl TryFrom<&Authentication> for RequestAuth {
+    type Error = Error;
+
+    fn try_from(data: &Authentication) -> Result<Self> {
         match data {
-            Authentication::None => RequestAuth::new(Vec::new()),
-            Authentication::Direct(name) => RequestAuth::new(name.bytes().collect()),
+            Authentication::None => Ok(RequestAuth::new(Vec::new())),
+            Authentication::Direct(name) => Ok(RequestAuth::new(name.bytes().collect())),
             Authentication::UnixPeerCredentials => {
                 let current_uid = users::get_current_uid();
-                RequestAuth::new(current_uid.to_le_bytes().to_vec())
+                Ok(RequestAuth::new(current_uid.to_le_bytes().to_vec()))
+            }
+            Authentication::JwtSvid => {
+                let client = JWTClient::new(
+                    &env::var("SPIFFE_ENDPOINT_SOCKET").map_err(|e| {
+                        error!(
+                            "Can not read the SPIFFE_ENDPOINT_SOCKET environment variable ({}).",
+                            e
+                        );
+                        Error::Client(ClientErrorKind::Spiffe)
+                    })?,
+                    None,
+                );
+                let audience = String::from("parsec");
+
+                let result = client.fetch(audience, None).map_err(|e| {
+                    error!("Error while fetching the JWT-SVID ({}).", e);
+                    Error::Client(ClientErrorKind::Spiffe)
+                })?;
+                Ok(RequestAuth::new(result.svid().as_bytes().into()))
             }
         }
     }

src/core/basic_client.rs

@@ -258,6 +258,7 @@ impl BasicClient {
                 AuthType::UnixPeerCredentials => {
                     self.auth_data = Authentication::UnixPeerCredentials
                 }
+                AuthType::JwtSvid => self.auth_data = Authentication::JwtSvid,
                 auth => {
                     warn!(
                         "Authenticator of type \"{:?}\" not supported by this client library",

src/core/operation_client.rs

@@ -12,6 +12,7 @@ use parsec_interface::operations_protobuf::ProtobufConverter;
 use parsec_interface::requests::{
     request::RequestHeader, Opcode, ProviderID, Request, Response, ResponseStatus,
 };
+use std::convert::TryInto;
 
 /// Low-level client optimised for communicating with the Parsec service at an operation level.
 ///
@@ -66,7 +67,7 @@ impl OperationClient {
         Ok(Request {
             header,
             body,
-            auth: auth.into(),
+            auth: auth.try_into()?,
         })
     }
 

src/error.rs

@@ -42,6 +42,8 @@ pub enum ClientErrorKind {
     NoAuthenticator,
     /// Required parameter was not provided
     MissingParam,
+    /// Error while using the SPIFFE Workload API
+    Spiffe,
 }
 
 impl From<ClientErrorKind> for Error {
@@ -74,6 +76,7 @@ impl PartialEq for ClientErrorKind {
             ClientErrorKind::NoProvider => matches!(other, ClientErrorKind::NoProvider),
             ClientErrorKind::NoAuthenticator => matches!(other, ClientErrorKind::NoAuthenticator),
             ClientErrorKind::MissingParam => matches!(other, ClientErrorKind::MissingParam),
+            ClientErrorKind::Spiffe => matches!(other, ClientErrorKind::Spiffe),
         }
     }
 }
@@ -93,6 +96,7 @@ impl fmt::Display for ClientErrorKind {
             ClientErrorKind::NoProvider => write!(f, "client is missing an implicit provider"),
             ClientErrorKind::NoAuthenticator => write!(f, "service is not reporting any authenticators or none of the reported ones are supported by the client"),
             ClientErrorKind::MissingParam => write!(f, "one of the `Option` parameters was required but was not provided"),
+            ClientErrorKind::Spiffe => write!(f, "error using the SPIFFE Workload API"),
         }
     }
 }