Module: Legion::Crypt::Spiffe

Extended by:
Logging::Helper
Defined in:
lib/legion/crypt/spiffe.rb,
lib/legion/crypt/spiffe/svid_rotation.rb,
lib/legion/crypt/spiffe/identity_helpers.rb,
lib/legion/crypt/spiffe/workload_api_client.rb

Defined Under Namespace

Modules: IdentityHelpers Classes: Error, InvalidSpiffeIdError, JwtSvid, SpiffeId, SvidError, SvidRotation, WorkloadApiClient, WorkloadApiError, X509Svid

Constant Summary collapse

SPIFFE_SCHEME =
'spiffe'
DEFAULT_SOCKET_PATH =
'/tmp/spire-agent/public/api.sock'
DEFAULT_TRUST_DOMAIN =
'legion.internal'
SVID_RENEWAL_RATIO =
0.5

Constants included from Logging::Helper

Logging::Helper::CompatLogger

Class Method Summary collapse

Methods included from Logging::Helper

handle_exception, log

Class Method Details

.allow_x509_fallback? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/legion/crypt/spiffe.rb', line 121

# Whether the configuration permits falling back to X.509 SVIDs.
#
# Reads +security[:spiffe][:allow_x509_fallback]+, accepting symbol or
# string keys at either level. Any missing piece (no settings, no +spiffe+
# section, no key) yields +false+, so the fallback is opt-in only.
# The configured value is returned as-is, not coerced to a strict boolean.
#
# @return [Boolean] the configured flag, or false when unset
def allow_x509_fallback?
  security = safe_security_settings
  return false if security.nil?

  # Settings may arrive with symbol or string keys; check symbol first, then string.
  lookup = ->(hash, key) { hash[key] || hash[key.to_s] }
  section = lookup.call(security, :spiffe) || {}
  lookup.call(section, :allow_x509_fallback) || false
end

.enabled? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/legion/crypt/spiffe.rb', line 87

# Whether SPIFFE identity is switched on in the security settings.
#
# Reads +security[:spiffe][:enabled]+, accepting symbol or string keys at
# each level. Missing settings, a missing +spiffe+ section, or a missing
# +enabled+ key all mean "disabled". The configured value is returned
# as-is (not coerced), so any truthy setting counts as enabled.
#
# @return [Boolean] the configured +enabled+ value, or false
def enabled?
  security = safe_security_settings
  return false if security.nil?

  # Settings may arrive with symbol or string keys; check symbol first, then string.
  lookup = ->(hash, key) { hash[key] || hash[key.to_s] }
  section = lookup.call(security, :spiffe)
  return false if section.nil?

  lookup.call(section, :enabled) || false
end

.parse_id(spiffe_id_string) ⇒ Object

Parse a SPIFFE ID string into a SpiffeId struct. Raises InvalidSpiffeIdError on malformed input.



# File 'lib/legion/crypt/spiffe.rb', line 64

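# Parse a SPIFFE ID string into a SpiffeId struct.
#
# @param spiffe_id_string [String] a SPIFFE ID such as "spiffe://trust.domain/path"
# @return [SpiffeId] with +trust_domain+ set to the URI host and +path+ set
#   to the URI path, or "/" when the ID has no path component
# @raise [InvalidSpiffeIdError] when the input is nil, empty, not a String,
#   or not a parseable URI; validate_uri! (not shown here) is expected to
#   raise for IDs that parse but fail SPIFFE-specific checks
def parse_id(spiffe_id_string)
  # Reject non-String input up front so callers such as valid_id? see
  # InvalidSpiffeIdError rather than a NoMethodError from #empty?.
  unless spiffe_id_string.is_a?(String) && !spiffe_id_string.empty?
    raise InvalidSpiffeIdError, 'SPIFFE ID must be a non-empty string'
  end

  uri = URI.parse(spiffe_id_string)
  # Scheme, host and component constraints are enforced by validate_uri!;
  # nothing here normalises case or strips components.
  validate_uri!(uri, spiffe_id_string)

  SpiffeId.new(
    trust_domain: uri.host,
    path:         uri.path.empty? ? '/' : uri.path
  )
rescue URI::InvalidURIError => e
  # Log at :warn and re-raise as the module's own error type so callers
  # only need to rescue InvalidSpiffeIdError.
  handle_exception(e, level: :warn, operation: 'crypt.spiffe.parse_id', spiffe_id: spiffe_id_string)
  raise InvalidSpiffeIdError, "Invalid SPIFFE ID '#{spiffe_id_string}': #{e.message}"
end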

.socket_path ⇒ Object



# File 'lib/legion/crypt/spiffe.rb', line 97

# Path of the Workload API socket to connect to.
#
# Reads +security[:spiffe][:socket_path]+ with symbol or string keys at
# either level, falling back to DEFAULT_SOCKET_PATH when settings, the
# +spiffe+ section, or the key are absent. The value is returned untouched;
# no existence or permission check is performed here.
#
# @return [String] the configured socket path, or DEFAULT_SOCKET_PATH
def socket_path
  security = safe_security_settings
  return DEFAULT_SOCKET_PATH if security.nil?

  section = security[:spiffe] || security['spiffe'] || {}
  configured = section[:socket_path] || section['socket_path']
  configured || DEFAULT_SOCKET_PATH
end

.trust_domain ⇒ Object



# File 'lib/legion/crypt/spiffe.rb', line 105

# Trust domain this workload expects its identities to belong to.
#
# Reads +security[:spiffe][:trust_domain]+ with symbol or string keys at
# either level, falling back to DEFAULT_TRUST_DOMAIN when settings, the
# +spiffe+ section, or the key are absent. The configured value is not
# validated or normalised here.
#
# @return [String] the configured trust domain, or DEFAULT_TRUST_DOMAIN
def trust_domain
  security = safe_security_settings
  return DEFAULT_TRUST_DOMAIN if security.nil?

  # Settings may arrive with symbol or string keys; check symbol first, then string.
  lookup = ->(hash, key) { hash[key] || hash[key.to_s] }
  section = lookup.call(security, :spiffe) || {}
  lookup.call(section, :trust_domain) || DEFAULT_TRUST_DOMAIN
end

.valid_id?(spiffe_id_string) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/legion/crypt/spiffe.rb', line 79

# Whether +spiffe_id_string+ parses as a SPIFFE ID.
#
# Delegates to parse_id; an InvalidSpiffeIdError is logged at :debug and
# turned into +false+. Any other exception from parse_id propagates.
#
# @param spiffe_id_string [String] the candidate SPIFFE ID
# @return [Boolean]
def valid_id?(spiffe_id_string)
  outcome = begin
    parse_id(spiffe_id_string)
    true
  rescue InvalidSpiffeIdError => e
    handle_exception(e, level: :debug, operation: 'crypt.spiffe.valid_id', spiffe_id: spiffe_id_string)
    false
  end

  outcome
end

.workload_id ⇒ Object



# File 'lib/legion/crypt/spiffe.rb', line 113

# Workload identifier configured under +security[:spiffe][:workload_id]+.
#
# Accepts symbol or string keys at either level. Unlike the other readers
# this has no default: nil is returned when settings, the +spiffe+ section,
# or the key are absent.
#
# @return [Object, nil] the configured workload id, or nil
def workload_id
  security = safe_security_settings
  return if security.nil?

  section = security[:spiffe] || security['spiffe'] || {}
  # First truthy candidate wins, symbol key before string key.
  [section[:workload_id], section['workload_id']].find(&:itself)
end