Implement spiffebundle.Bundle type

[amartinezfayo]

• Implement the spiffebundle.Bundle type of the v2 API.
• Add FromJWTKeys and FromX509Roots functions to x509bundle, jwtbundle and spiffebundle packages.

Fixes: #59

[azdagron]

Thanks, @amartinezfayo !

My biggest concern here is false sharing as X.509 root slices and JWT key maps are passed around. We should come up with consistent behavior that 1) minimizes the number of copies, but 2) prevents false sharing where the method feels like it should produce an independent copy.

I don't think we have to go so far as duplicating the x.509 certificate and JWT keys, just the containers they are in.

[azdagron]

I think this case can be removed. From the spec:

Clients encountering unknown use values MUST ignore the entire JWK element.

[amartinezfayo]

It was not clear to me what was the right thing to do here, since the spec also says "The use parameter MUST be set". I'm ok removing this.

[azdagron]

Hmm. That's a good point. @evan2645, what do you think? Spec seems to say "fail if not set, and ignore if set to an unknown value"... ?

[evan2645]

I'm sorry that the spec has caused this confusion. As part of this exchange, suggestions on how to clarify the text (and/or a PR/issue in https://github.com/spiffe/spiffe) would be useful.

Yes, use MUST be set... but requiring it to be set should not by itself suggest a particular behavior if a validator finds that this is not the case. All SPIFFE bundle producers MUST set the use claim. SPIFFE bundle validators MUST ignore JWK entries with unknown use claims (including an empty or missing use claim).

[evan2645]

If we have logging available, this would be a good place to do it.

[evan2645]

Is that something allowed by the spec? JWKS RFC only says that the keys array must exist, not that it must have at least one key...

Fair point. It does seem like a pretty strange condition, though...

The jwtbundle.Bundle type assumes that the use is jwt-svid, it does not require any SPIFFE specific parameters when parsing a JWKS document and does not set the use` when marshalling. That's the current behavior in this branch.

Yes I think that is the correct behavior. We should do whatever the JWKS RFC says when parsing jwt-svid bundle. IIRC the RFC says to ignore unknown values. One open question is, in this case, jwt-svid use value is non unknown, so should be be technically able to load a jwt-svid bundle given a spiffe bundle? Seems like a nicety. But I don't think we should not allow a JWKS bundle to be loaded as a SPIFFE bundle

[amartinezfayo]

@evan2645 @azdagron From the feedback received, I would keep this check and require the use field as a condition of conformance to the SPIFFE Trust Domain and Bundle spec, while we ignore the entire JWK element in case of an unknown use value. Are we ok with that?

[azdagron]

@amartinezfayo. I think what we've settled with is to ignore keys with missing or unrecognized use values, i.e. don't enforce conformance as a validator, just do the safe thing (i.e. ignore keys that aren't safe to use).

We don't have a good story for library-level logging for this kind of thing.

[amartinezfayo]

Thanks for the clarification @azdagron.

[amartinezfayo]

@evan2645 I filed spiffe/spiffe#121 to consider a clarification from the spec perspective.

[azdagron]

Unless there is a valid, ergonomic case for receiving a nil bundle, I'd advocate that we let it panic. Either way returning a valid Bundle pointer here seems like the wrong thing to do since it will not have a trust domain and will be unusable. If we decide not to panic, we should return nil.

[amartinezfayo]

Makes sense, I'll change this to panic.

[azdagron]

Same comment here regarding panicking on a nil bundle...

[amartinezfayo]

Makes sense, I'll change this to panic.

[azdagron]

We should probably copy the slice so we don't accidentally introduce false sharing.

[azdagron]

We should probably copy the map so we don't accidentally introduce false sharing.

[azdagron]

nit: testCase type here can be deduced by the compiler and should be omitted

[azdagron]

Suggested change

	// Prase the marshaled bundle
	// Parse the marshaled bundle

[azdagron]

I'm embarrassed I didn't remember this during the PR for the x509 bundle. This function is provided by the stdlib (x509.Certificate.Equal) and has the same behavior.

[azdagron]

I think things are a little nicer if this is a time.Duration and the conversion happens during marshalling/unmarshalling instead of inside SetRefreshHint/RefreshHint.

[azdagron]

These should be pointers so we have explicit behavior on set v.s. unset values. For example, as written, somebody couldn't set a sequence number of zero and have it show up in the marshaled bundle.

Suggested change

	SequenceNumber uint64 `json:"spiffe_sequence,omitempty"`
	RefreshHint int64 `json:"spiffe_refresh_hint,omitempty"`
	SequenceNumber *uint64 `json:"spiffe_sequence,omitempty"`
	RefreshHint *int64 `json:"spiffe_refresh_hint,omitempty"`

[azdagron]

I was thinking more along the lines just trying to use the bundle pointer and letting the runtime panic, like:

func FromX509Bundle(x509Bundle *x509bundle.Bundle) *Bundle {
    return &Bundle{
        trustDomain: x509bundle.TrustDomain(),
        x509Bundle.X509Roots(),
    }
}

Doing the explicit nil check with the panic seems like overkill.

[azdagron]

same here

[azdagron]

Hmm, is the removal of the set scaffolding accidental?

[amartinezfayo]

Oops!

[azdagron]

copyX509Roots and copyJWTKey probably belong in a common package under internal/... we're going to want to update jwtbundle and x509bundle to use them in the respective JWTKeys and X509Roots functions.

[azdagron]

@amartinezfayo. I think what we've settled with is to ignore keys with missing or unrecognized use values, i.e. don't enforce conformance as a validator, just do the safe thing (i.e. ignore keys that aren't safe to use).

We don't have a good story for library-level logging for this kind of thing.