Use upstream rust-spiffe dependency

Also add a feature for the SPIFFE authenticator, activated by default.

Signed-off-by: Hugues de Valon <[email protected]>

Author: hug-dev

.travis.yml

@@ -1,5 +1,8 @@
 # Executing our tests on Arm64 with Travis CI
+dist: focal
 arch: arm64
 language: rust
+before_script:
+  - sudo apt-get update && sudo apt-get -y install pkg-config libssl-dev
 script:
   - ./tests/ci.sh

Cargo.toml

@@ -19,10 +19,12 @@ log = "0.4.11"
 derivative = "2.1.1"
 zeroize = "1.1.0"
 users = "0.10.0"
-spiffe = { path = "../../rust-spiffe/spiffe" }
+spiffe = { git = "https://github.com/hug-dev/rust-spiffe", branch = "refactor-jwt", optional = true }
 
 [dev-dependencies]
 mockstream = "0.0.3"
 
 [features]
+default = ["spiffe-auth"]
+spiffe-auth = ["spiffe"]
 testing = ["parsec-interface/testing"]

src/auth.rs

@@ -1,12 +1,9 @@
 // Copyright 2020 Contributors to the Parsec project.
 // SPDX-License-Identifier: Apache-2.0
 //! Client app authentication data
-use crate::error::{ClientErrorKind, Error, Result};
-use log::error;
+use crate::error::{Error, Result};
 use parsec_interface::requests::{request::RequestAuth, AuthType};
-use spiffe::workload::jwt::JWTClient;
 use std::convert::TryFrom;
-use std::env;
 
 /// Authentication data used in Parsec requests
 #[derive(Clone, Debug)]
@@ -27,6 +24,7 @@ pub enum Authentication {
     /// Authentication using JWT SVID tokens. The will fetch its JWT-SVID and pass it in the
     /// Authentication field. The socket endpoint is found through the SPIFFE_ENDPOINT_SOCKET
     /// environment variable.
+    #[cfg(feature = "spiffe-auth")]
     JwtSvid,
 }
 
@@ -37,6 +35,7 @@ impl Authentication {
             Authentication::None => AuthType::NoAuth,
             Authentication::Direct(_) => AuthType::Direct,
             Authentication::UnixPeerCredentials => AuthType::UnixPeerCredentials,
+            #[cfg(feature = "spiffe-auth")]
             Authentication::JwtSvid => AuthType::JwtSvid,
         }
     }
@@ -53,7 +52,13 @@ impl TryFrom<&Authentication> for RequestAuth {
                 let current_uid = users::get_current_uid();
                 Ok(RequestAuth::new(current_uid.to_le_bytes().to_vec()))
             }
+            #[cfg(feature = "spiffe-auth")]
             Authentication::JwtSvid => {
+                use crate::error::ClientErrorKind;
+                use log::error;
+                use spiffe::workload::jwt::JWTClient;
+                use std::env;
+
                 let client = JWTClient::new(
                     &env::var("SPIFFE_ENDPOINT_SOCKET").map_err(|e| {
                         error!(
@@ -63,10 +68,11 @@ impl TryFrom<&Authentication> for RequestAuth {
                         Error::Client(ClientErrorKind::NoAuthenticator)
                     })?,
                     None,
+                    None,
                 );
                 let audience = String::from("parsec");
 
-                let result = client.fetch(audience, None).map_err(|e| {
+                let result = client.fetch(audience).map_err(|e| {
                     error!("Error while fetching the JWT-SVID ({}).", e);
                     Error::Client(ClientErrorKind::Spiffe(e))
                 })?;
@@ -84,6 +90,7 @@ impl PartialEq for Authentication {
             (Authentication::Direct(app_name), Authentication::Direct(other_app_name)) => {
                 app_name == other_app_name
             }
+            #[cfg(feature = "spiffe-auth")]
             (Authentication::JwtSvid, Authentication::JwtSvid) => true,
             _ => false,
         }

src/core/basic_client.rs

@@ -258,6 +258,7 @@ impl BasicClient {
                 AuthType::UnixPeerCredentials => {
                     self.auth_data = Authentication::UnixPeerCredentials
                 }
+                #[cfg(feature = "spiffe-auth")]
                 AuthType::JwtSvid => self.auth_data = Authentication::JwtSvid,
                 auth => {
                     warn!(

src/error.rs

@@ -43,6 +43,7 @@ pub enum ClientErrorKind {
     /// Required parameter was not provided
     MissingParam,
     /// Error while using the SPIFFE Workload API
+    #[cfg(feature = "spiffe-auth")]
     Spiffe(spiffe::workload::Error),
 }
 
@@ -67,6 +68,7 @@ impl fmt::Display for ClientErrorKind {
             ClientErrorKind::NoProvider => write!(f, "client is missing an implicit provider"),
             ClientErrorKind::NoAuthenticator => write!(f, "service is not reporting any authenticators or none of the reported ones are supported by the client"),
             ClientErrorKind::MissingParam => write!(f, "one of the `Option` parameters was required but was not provided"),
+            #[cfg(feature = "spiffe-auth")]
             ClientErrorKind::Spiffe(error) => error.fmt(f),
         }
     }

tests/ci.sh

@@ -13,6 +13,7 @@ set -euf -o pipefail
 ################
 RUST_BACKTRACE=1 cargo build
 RUST_BACKTRACE=1 cargo build --features testing
+RUST_BACKTRACE=1 cargo build --no-default-features
 
 #################
 # Static checks #