This utility library enables interaction with the SPIFFE Workload API. It allows fetching X.509 and JWT SVIDs and bundles, and supports watch/stream updates. The types in the library comply with the SPIFFE standards. More about SPIFFE can be found at spiffe.io.
Include `spiffe` in your `Cargo.toml` dependencies:

```toml
[dependencies]
spiffe = "0.3.0"
```
## WorkloadApiClient

Create a client using the endpoint socket path:

```rust
use spiffe::WorkloadApiClient;

let mut client = WorkloadApiClient::new_from_path("unix:/tmp/spire-agent/public/api.sock").await?;
```

Or by using the `SPIFFE_ENDPOINT_SOCKET` environment variable:

```rust
let mut client = WorkloadApiClient::default().await?;
```
Fetch the default X.509 SVID, a set of X.509 bundles, all X.509 materials, or watch for updates on the X.509 context and bundles.
```rust
use spiffe::cert::{Certificate, PrivateKey}; // path assumed from the crate's `cert` module
use spiffe::{TrustDomain, X509Bundle, X509BundleSet, X509Context, X509Svid};
use futures::StreamExt; // provides `.next()` on the watch streams (`futures` crate)

// fetch the default X.509 SVID
let x509_svid: X509Svid = client.fetch_x509_svid().await?;

// fetch a set of X.509 bundles (X.509 public key authorities)
let x509_bundles: X509BundleSet = client.fetch_x509_bundles().await?;

// fetch all the X.509 materials (SVIDs and bundles)
let x509_context: X509Context = client.fetch_x509_context().await?;

// get the X.509 chain of certificates from the SVID
let cert_chain: &Vec<Certificate> = x509_svid.cert_chain();

// get the private key from the SVID
let private_key: &PrivateKey = x509_svid.private_key();

// parse a SPIFFE trust domain
let trust_domain = TrustDomain::try_from("example.org")?;

// get the X.509 bundle associated to the trust domain
let x509_bundle: &X509Bundle = x509_bundles.get_bundle(&trust_domain)?;

// get the X.509 authorities (public keys) in the bundle
let x509_authorities: &Vec<Certificate> = x509_bundle.authorities();

// watch for updates on the X.509 context
let mut x509_context_stream = client.watch_x509_context_stream().await?;
while let Some(x509_context_update) = x509_context_stream.next().await {
    match x509_context_update {
        Ok(update) => {
            // handle the updated X509Context (e.g. swap in the rotated SVID and bundles)
        }
        Err(e) => {
            // handle the error (the stream ends after an error; reconnect and watch again)
        }
    }
}

// watch for updates on the X.509 bundles
let mut x509_bundle_stream = client.watch_x509_bundles_stream().await?;
while let Some(x509_bundle_update) = x509_bundle_stream.next().await {
    match x509_bundle_update {
        Ok(update) => {
            // handle the updated X.509 bundle set
        }
        Err(e) => {
            // handle the error
        }
    }
}
```
Fetch JWT tokens, parse and validate them, fetch JWT bundles, or watch for updates on the JWT bundles.
```rust
use spiffe::{JwtAuthority, JwtBundle, JwtSvid, SpiffeId, TrustDomain};
use futures::StreamExt; // provides `.next()` on the watch streams (`futures` crate)

// parse a SPIFFE ID to ask a token for
let spiffe_id = SpiffeId::try_from("spiffe://example.org/my-service")?;

// fetch a JWT token for the provided SPIFFE ID with the target audiences `audience1` and `audience2`
let jwt_token = client.fetch_jwt_token(&["audience1", "audience2"], Some(&spiffe_id)).await?;

// fetch the JWT token and parse it as a `JwtSvid`
let jwt_svid = client.fetch_jwt_svid(&["audience1", "audience2"], Some(&spiffe_id)).await?;

// fetch a set of JWT bundles (public keys for validating JWT tokens)
let jwt_bundles = client.fetch_jwt_bundles().await?;

// parse a SPIFFE trust domain
let trust_domain = TrustDomain::try_from("example.org")?;

// get the JWT bundle associated to the trust domain
let jwt_bundle: &JwtBundle = jwt_bundles.get_bundle(&trust_domain)?;

// get a JWT authority (public key) in the bundle by its key ID
let jwt_authority: &JwtAuthority = jwt_bundle.find_jwt_authority("a_key_id")?;

// parse a `JwtSvid`, validating the token signature with a JWT bundle source;
// the expected audience must be one the token was issued for
let validated_jwt_svid = JwtSvid::parse_and_validate(&jwt_token, &jwt_bundles, &["audience1"])?;

// watch for updates on the JWT bundles
let mut jwt_bundle_stream = client.watch_jwt_bundles_stream().await?;
while let Some(jwt_bundle_update) = jwt_bundle_stream.next().await {
    match jwt_bundle_update {
        Ok(update) => {
            // handle the updated JWT bundle set
        }
        Err(e) => {
            // handle the error
        }
    }
}
```
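Both the X.509 and the JWT snippets above rely on `SpiffeId::try_from` and `TrustDomain::try_from` rejecting malformed identifiers before they are used for bundle lookup or authorization. The following self-contained Rust code is an added illustration, not code from the `spiffe` crate or this README: it implements the SPIFFE ID format rules (scheme `spiffe://`, lowercase trust domain, no empty, `.` or `..` path segments, no query, fragment, port or userinfo characters, 2048-byte limit) and a `member_of` check of the kind a service performs before trusting a peer SVID. The type and function names (`parse_spiffe_id`, `parse_trust_domain`, `SpiffeIdError`, `member_of`) are this example's own and do not mirror the crate's API.

```rust
use std::convert::TryFrom;
use std::fmt;

/// A parsed SPIFFE ID: `spiffe://<trust domain><path>` (illustrative type, not the crate's).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct SpiffeId {
    pub trust_domain: String,
    /// Empty for a trust domain root ID; otherwise starts with '/'.
    pub path: String,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum SpiffeIdError {
    Empty,
    TooLong,
    BadScheme,
    EmptyTrustDomain,
    BadTrustDomainChar(char),
    EmptySegment,
    DotSegment,
    BadPathChar(char),
}

const SCHEME_PREFIX: &str = "spiffe://";
const MAX_LEN: usize = 2048;

// Trust domain names: lowercase letters, digits, '.', '-', '_' (SPIFFE ID standard).
fn is_trust_domain_char(c: char) -> bool {
    c.is_ascii_lowercase() || c.is_ascii_digit() || matches!(c, '.' | '-' | '_')
}

// Path segments: letters of either case, digits, '.', '-', '_'. Everything else,
// including '?', '#', '@', ':' and '%', is rejected, so no query string, fragment,
// userinfo, port or percent-encoding can be smuggled into an identity.
fn is_path_char(c: char) -> bool {
    c.is_ascii_alphanumeric() || matches!(c, '.' | '-' | '_')
}

/// Validate a bare trust domain name such as "example.org"; a full SPIFFE ID is
/// also accepted, in which case its trust domain part is returned.
pub fn parse_trust_domain(name: &str) -> Result<String, SpiffeIdError> {
    if name.starts_with(SCHEME_PREFIX) {
        return parse_spiffe_id(name).map(|id| id.trust_domain);
    }
    if name.is_empty() {
        return Err(SpiffeIdError::EmptyTrustDomain);
    }
    if let Some(c) = name.chars().find(|&c| !is_trust_domain_char(c)) {
        return Err(SpiffeIdError::BadTrustDomainChar(c));
    }
    Ok(name.to_string())
}

/// Check a path (empty or starting with '/'): no empty segments (this also rejects
/// a trailing '/'), no "." or ".." segments, only allowed characters.
fn validate_path(path: &str) -> Result<(), SpiffeIdError> {
    if path.is_empty() {
        return Ok(());
    }
    for segment in path[1..].split('/') {
        if segment.is_empty() {
            return Err(SpiffeIdError::EmptySegment);
        }
        if segment == "." || segment == ".." {
            return Err(SpiffeIdError::DotSegment);
        }
        if let Some(c) = segment.chars().find(|&c| !is_path_char(c)) {
            return Err(SpiffeIdError::BadPathChar(c));
        }
    }
    Ok(())
}

/// Parse and validate a SPIFFE ID string.
pub fn parse_spiffe_id(id: &str) -> Result<SpiffeId, SpiffeIdError> {
    if id.is_empty() {
        return Err(SpiffeIdError::Empty);
    }
    if id.len() > MAX_LEN {
        return Err(SpiffeIdError::TooLong);
    }
    let rest = id.strip_prefix(SCHEME_PREFIX).ok_or(SpiffeIdError::BadScheme)?;
    // Split at the first '/': everything before is the trust domain, the rest is the path.
    let (td, path) = match rest.find('/') {
        Some(i) => (&rest[..i], &rest[i..]),
        None => (rest, ""),
    };
    let trust_domain = parse_trust_domain(td)?; // `td` contains no '/', so no re-entry
    validate_path(path)?;
    Ok(SpiffeId { trust_domain, path: path.to_string() })
}

impl SpiffeId {
    /// Authorization helper: does this ID belong to the given trust domain?
    pub fn member_of(&self, trust_domain: &str) -> bool {
        self.trust_domain == trust_domain
    }
}

impl TryFrom<&str> for SpiffeId {
    type Error = SpiffeIdError;
    fn try_from(s: &str) -> Result<Self, Self::Error> {
        parse_spiffe_id(s)
    }
}

impl fmt::Display for SpiffeId {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{}{}{}", SCHEME_PREFIX, self.trust_domain, self.path)
    }
}

fn main() {
    // Constructed sample inputs: one valid ID and two that must be rejected.
    for s in ["spiffe://example.org/my-service", "spiffe://Example.org/svc", "spiffe://example.org/../svc"] {
        println!("{} -> {:?}", s, SpiffeId::try_from(s));
    }
}
```

The whitelist approach matters more than any single rule: by accepting only known-good characters, an identifier carrying `?`, `#`, `@`, `:` or `%` fails parsing outright, so a peer cannot present an ID that looks like `spiffe://example.org/svc` to a naive string check while resolving to something else.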
For more detailed examples and additional features, refer to the documentation.