Class: Spiffe::Workload::Client

Inherits:

Object

• Object
• Spiffe::Workload::Client

Defined in:

lib/spiffe/workload/client.rb

Overview

Client for SPIFFE Workload API Connects to SPIRE Agent via Unix domain socket and fetches SVIDs

Constant Summary

DEFAULT_SOCKET_PATH =

'/run/spire/sockets/agent.sock'

DEFAULT_TIMEOUT =

seconds

5

Instance Attribute Summary

• #socket_path ⇒ Object readonly

  Returns the value of attribute socket_path.

Instance Method Summary

• #current_x509_svid ⇒ X509SVIDWrapper^?

  Get the current X.509 SVID without blocking.

• #initialize(socket_path: nil, timeout: DEFAULT_TIMEOUT) ⇒ Client constructor

  A new instance of Client.

• #jwt_bundles ⇒ Hash<String, String>

  Fetch JWT bundles.

• #jwt_svid(audience:, spiffe_id: nil) ⇒ JWTSVIDWrapper

  Fetch JWT SVID for the given audience.

• #on_x509_svid_update {|X509SVID| ... } ⇒ Object

  Register a callback to be called when X.509 SVID is updated.

• #shutdown ⇒ Object

  Shutdown the client and stop all background threads.

• #tls_context ⇒ OpenSSL::SSL::SSLContext

  Create an OpenSSL context configured with the current SVID.

• #x509_bundles ⇒ Hash<String, OpenSSL::X509::Store>

  Fetch X.509 trust bundles.

• #x509_svid ⇒ X509SVIDWrapper

  Fetch X.509 SVID (blocking call, returns first response).

• #x509_svids ⇒ Array<X509SVIDWrapper>

  Fetch all X.509 SVIDs.

Constructor Details

#initialize(socket_path: nil, timeout: DEFAULT_TIMEOUT) ⇒ Client

Returns a new instance of Client.

Parameters:

• socket_path (String) (defaults to: nil) —

  Path to SPIRE Agent Unix socket

• timeout (Integer) (defaults to: DEFAULT_TIMEOUT) —

  Connection timeout in seconds

# File 'lib/spiffe/workload/client.rb', line 22

def initialize(socket_path: nil, timeout: DEFAULT_TIMEOUT)
  @socket_path = socket_path || ENV['SPIFFE_ENDPOINT_SOCKET']&.sub('unix://', '') || DEFAULT_SOCKET_PATH
  @timeout = timeout
  @mutex = Mutex.new
  @x509_svid_cache = nil
  @x509_bundles_cache = nil
  @jwt_bundles_cache = nil
  @rotation_thread = nil
  @shutdown = false

  validate_socket!
end

Instance Attribute Details

#socket_path ⇒ Object (readonly)

Returns the value of attribute socket_path.

# File 'lib/spiffe/workload/client.rb', line 18

def socket_path
  @socket_path
end

Instance Method Details

#current_x509_svid ⇒ X509SVIDWrapper^?

Get the current X.509 SVID without blocking

Returns:

• (X509SVIDWrapper, nil)

# File 'lib/spiffe/workload/client.rb', line 49

def current_x509_svid
  @mutex.synchronize { @x509_svid_cache }
end

#jwt_bundles ⇒ Hash<String, String>

Fetch JWT bundles

Returns:

• (Hash<String, String>) —

  Map of trust domain to JWKS

# File 'lib/spiffe/workload/client.rb', line 99

def jwt_bundles
  ensure_jwt_bundles_stream_started
  
  @mutex.synchronize do
    @jwt_bundles_cache || {}
  end
end

#jwt_svid(audience:, spiffe_id: nil) ⇒ JWTSVIDWrapper

Fetch JWT SVID for the given audience

Parameters:

• audience (String, Array<String>) —

  Target audience(s)

• spiffe_id (String, nil) (defaults to: nil) —

  Optional specific SPIFFE ID to request

Returns:

• (JWTSVIDWrapper) —

  The JWT SVID

Raises:

• (Spiffe::Error) —

  If fetch fails

# File 'lib/spiffe/workload/client.rb', line 68

def jwt_svid(audience:, spiffe_id: nil)
  audiences = audience.is_a?(Array) ? audience : [audience]
  
  request = Spiffe::Workload::JWTSVIDRequest.new(
    audience: audiences,
    spiffe_id: spiffe_id || ''
  )

  # SPIRE requires this security header for workload API calls
  metadata = { 'workload.spiffe.io' => 'true' }
  response = stub.fetch_jwtsvid(request, metadata: metadata)
  
  raise Spiffe::Error, 'No JWT SVID returned' if response.svids.empty?
  
  JWTSVIDWrapper.from_proto(response.svids.first)
rescue GRPC::BadStatus => e
  raise Spiffe::Error, "Failed to fetch JWT SVID: #{e.message}"
end

#on_x509_svid_update {|X509SVID| ... } ⇒ Object

Register a callback to be called when X.509 SVID is updated

Yields:

• (X509SVID) —

  The new SVID

# File 'lib/spiffe/workload/client.rb', line 123

def on_x509_svid_update(&block)
  @mutex.synchronize do
    @x509_update_callbacks ||= []
    @x509_update_callbacks << block
  end
end

#shutdown ⇒ Object

Shutdown the client and stop all background threads

# File 'lib/spiffe/workload/client.rb', line 131

def shutdown
  @shutdown = true
  @rotation_thread&.kill
  @x509_stream_thread&.kill
  @x509_bundles_stream_thread&.kill
  @jwt_bundles_stream_thread&.kill
end

#tls_context ⇒ OpenSSL::SSL::SSLContext

Create an OpenSSL context configured with the current SVID

Returns:

• (OpenSSL::SSL::SSLContext)

# File 'lib/spiffe/workload/client.rb', line 109

def tls_context
  svid = x509_svid
  
  context = OpenSSL::SSL::SSLContext.new
  context.cert = svid.leaf_certificate
  context.key = svid.private_key
  context.extra_chain_cert = svid.cert_chain[1..-1] if svid.cert_chain.length > 1
  context.cert_store = svid.trust_bundle
  context.verify_mode = OpenSSL::SSL::VERIFY_PEER
  context
end

#x509_bundles ⇒ Hash<String, OpenSSL::X509::Store>

Fetch X.509 trust bundles

Returns:

• (Hash<String, OpenSSL::X509::Store>) —

  Map of trust domain to bundle

# File 'lib/spiffe/workload/client.rb', line 89

def x509_bundles
  ensure_x509_bundles_stream_started
  
  @mutex.synchronize do
    @x509_bundles_cache || {}
  end
end

#x509_svid ⇒ X509SVIDWrapper

Fetch X.509 SVID (blocking call, returns first response)

Returns:

• (X509SVIDWrapper) —

  The default X.509 SVID

Raises:

• (Spiffe::Error) —

  If fetch fails

# File 'lib/spiffe/workload/client.rb', line 38

def x509_svid
  ensure_x509_svid_stream_started
  
  @mutex.synchronize do
    raise Spiffe::Error, 'No X.509 SVID available' unless @x509_svid_cache
    @x509_svid_cache
  end
end

#x509_svids ⇒ Array<X509SVIDWrapper>

Fetch all X.509 SVIDs

Returns:

• (Array<X509SVIDWrapper>)

# File 'lib/spiffe/workload/client.rb', line 55

def x509_svids
  ensure_x509_svid_stream_started
  
  @mutex.synchronize do
    @x509_svids_cache || []
  end
end