feat(spiffe): JWT-SVID signing endpoint (RFC UAA-SPIFFE-001) #3968
Draft
rkoster wants to merge 9 commits into
Conversation
Reject process_type not matching [A-Za-z0-9_-]{1,63} and audience that is blank, over 512 chars, or contains control characters (400). process_type is concatenated into the SPIFFE ID path and every proof-of-possession message field must be newline-free, so this closes SPIFFE-ID injection and PoP message ambiguity. Adds characterization tests pinning existing fail-closed behaviour: malformed PEM, future-dated and malformed-base64 PoP, and a not-yet-valid instance cert.
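As an added illustration of the checks this comment describes (example code written here, not the PR's own classes): a validator that applies the process_type pattern and the audience rules, alongside the SPIFFE ID and proof-of-possession message construction that make those rules necessary. The class name, the `spiffe://<trust-domain>/cf/<org>/<space>/<app>/<process_type>` path layout and the newline-joined PoP message format are assumptions, not taken from the PR.

```java
import java.util.List;
import java.util.regex.Pattern;

/** Input validation for a JWT-SVID signing request (illustrative, not UAA's code). */
public final class JwtSvidRequestValidator {

    // Same constraints as the PR comment: process_type must be a single safe path segment.
    private static final Pattern PROCESS_TYPE = Pattern.compile("[A-Za-z0-9_-]{1,63}");
    private static final int MAX_AUDIENCE_LENGTH = 512;

    /** Maps to a 400 Bad Request; the message is safe to return to the caller. */
    public static final class BadRequest extends RuntimeException {
        public BadRequest(String message) { super(message); }
    }

    private JwtSvidRequestValidator() {}

    public static String requireProcessType(String processType) {
        // matches() requires the whole string to match, so "web/../x" and "web\nx" are rejected.
        if (processType == null || !PROCESS_TYPE.matcher(processType).matches()) {
            throw new BadRequest("process_type must match [A-Za-z0-9_-]{1,63}");
        }
        return processType;
    }

    public static String requireAudience(String audience) {
        if (audience == null || audience.isBlank()) {
            throw new BadRequest("audience must not be blank");
        }
        if (audience.length() > MAX_AUDIENCE_LENGTH) {
            throw new BadRequest("audience exceeds " + MAX_AUDIENCE_LENGTH + " characters");
        }
        // Control characters (including \n and \r) would make the newline-delimited PoP message ambiguous.
        if (audience.chars().anyMatch(Character::isISOControl)) {
            throw new BadRequest("audience must not contain control characters");
        }
        return audience;
    }

    /** Builds spiffe://<trust-domain>/cf/<org>/<space>/<app>/<process_type>; the path layout is an assumption. */
    public static String spiffeId(String trustDomain, String org, String space, String app, String processType) {
        return "spiffe://" + trustDomain + "/cf/" + org + "/" + space + "/" + app + "/"
                + requireProcessType(processType);
    }

    /** Newline-delimited PoP message (assumed format); every field has been checked to be newline-free. */
    public static String popMessage(String spiffeId, String audience, long issuedAtEpochSeconds) {
        return String.join("\n", spiffeId, requireAudience(audience), Long.toString(issuedAtEpochSeconds));
    }

    public static void main(String[] args) {
        // Constructed sample GUIDs; a real request carries the values parsed from the instance cert OUs.
        System.out.println(spiffeId("example.org", "org-guid", "space-guid", "app-guid", "web"));
        for (String bad : List.of("web/../other", "web\nextra", "", "x".repeat(64))) {
            try {
                requireProcessType(bad);
                System.out.println("accepted (unexpected): " + bad);
            } catch (BadRequest e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
        System.out.println(popMessage("spiffe://example.org/cf/o/s/a/web", "https://api.example.org", 1700000000L));
    }
}
```

Validating process_type before concatenation, rather than escaping afterwards, keeps the SPIFFE ID a single path segment by construction; rejecting control characters in the audience keeps the PoP message unambiguous even though it is joined with plain newlines.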
Comment on lines +49 to +59
| SecurityFilterChain chain = http | ||
| .securityMatcher("/jwt-svid/**") | ||
| .authorizeHttpRequests(auth -> { | ||
| auth.requestMatchers("/**").hasAuthority("uaa.resource"); | ||
| auth.anyRequest().denyAll(); | ||
| }) | ||
| .authenticationManager(clientAuthenticationManager) | ||
| .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) | ||
| .addFilterAt(clientAuthenticationFilter.getFilter(), BasicAuthenticationFilter.class) | ||
| .anonymous(AnonymousConfigurer::disable) | ||
| .csrf(CsrfConfigurer::disable) |
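Review bot: inside `.securityMatcher("/jwt-svid/**")` the rule `auth.requestMatchers("/**").hasAuthority("uaa.resource")` already matches every request this chain sees, so the following `auth.anyRequest().denyAll()` is unreachable; either drop it or narrow the first matcher to the endpoint itself (for example `auth.requestMatchers(HttpMethod.POST, "/jwt-svid/sign").hasAuthority(...)`) so the deny-all catch-all actually covers any other method or path under the prefix. Separately, `uaa.resource` is the generic resource-server authority, so any client holding it, not only the SPIFFE Agent, can call the signing endpoint if it can present a matching instance-identity certificate and proof of possession; a dedicated authority for the agent client would narrow that to the intended caller.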
Summary
Adds a JWT-SVID signing endpoint to UAA so it can act as a SPIFFE identity
server for Cloud Foundry workloads (offline-OIDC federation).
POST /jwt-svid/sign authenticates a SPIFFE Agent (client credentials), verifies
the caller's CF instance-identity certificate against the configured CA,
parses org/space/app GUIDs from the cert OUs, checks a proof-of-possession
signature for freshness, and mints an RS256 JWT-SVID signed with UAA's active key
and OIDC issuer (so it verifies offline against /token_keys).
Key changes (all under org.cloudfoundry.identity.uaa.spiffe)
JwtSvidController, JwtSvidRequest/JwtSvidResponse, JwtSvidSigner
InstanceIdentityVerifier, CertificateOuParser, ProofOfPossessionVerifier
SpiffeId, CfInstanceIdentity, SpiffeProperties, SpiffeConfiguration, SpiffeSecurityConfiguration
Context
Part of RFC UAA-SPIFFE-001 — UAA as a SPIFFE Identity Server for Cloud Foundry.
Cross-repo dependencies
spiffe-signer — exposes uaa.spiffe.* (trustdomain, instance-identity CA) and the signer client.
spiffe-agent.
Status
Draft / POC. End-to-end verified on bosh-lite: a CF app received a valid JWT-SVID
with cf org/space/app/process_type claims.
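As an added example of the proof-of-possession and minting steps the summary outlines (not UAA's code, and written with only the JDK so it runs stand-alone): it checks the PoP timestamp window, verifies the PoP signature with the workload's public key while rejecting malformed base64 rather than guessing at it, and mints a compact RS256 JWT whose subject is the SPIFFE ID. The freshness bounds, claim names, key id and the stand-in RSA key pairs are constructed assumptions; the real endpoint takes the workload key from the instance-identity certificate it has validated against the configured CA, which is omitted here.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;

/** PoP freshness/verification and RS256 JWT-SVID minting (illustrative, not UAA's code). */
public final class JwtSvidMinter {

    // Freshness window for the PoP timestamp; both bounds are assumptions, not UAA's values.
    private static final Duration MAX_CLOCK_SKEW = Duration.ofSeconds(30);
    private static final Duration MAX_POP_AGE = Duration.ofMinutes(5);
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    private final KeyPair signingKey;  // stands in for UAA's active signing key
    private final String issuer;       // UAA's OIDC issuer, so verifiers can use /token_keys offline
    private final String keyId;

    public JwtSvidMinter(KeyPair signingKey, String issuer, String keyId) {
        this.signingKey = signingKey;
        this.issuer = issuer;
        this.keyId = keyId;
    }

    /** Fail closed on a future-dated or stale PoP timestamp. */
    public static boolean isFresh(Instant popIssuedAt, Instant now) {
        return !popIssuedAt.isAfter(now.plus(MAX_CLOCK_SKEW))
                && !popIssuedAt.isBefore(now.minus(MAX_POP_AGE));
    }

    /** Verifies the PoP signature with the public key taken from the caller's instance-identity cert. */
    public static boolean verifyPop(PublicKey workloadKey, byte[] message, String signatureBase64) throws Exception {
        byte[] signature;
        try {
            signature = Base64.getDecoder().decode(signatureBase64);  // malformed base64 is rejected outright
        } catch (IllegalArgumentException e) {
            return false;
        }
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(workloadKey);
        verifier.update(message);
        try {
            return verifier.verify(signature);
        } catch (SignatureException e) {
            return false;  // wrong length or encoding counts as a failed proof
        }
    }

    /** Mints a compact RS256 JWT with the SPIFFE ID as sub; claim names here are assumptions. */
    public String mint(String spiffeId, String audience, Instant now, Duration ttl) throws Exception {
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\",\"kid\":\"" + jsonEscape(keyId) + "\"}";
        String payload = "{\"iss\":\"" + jsonEscape(issuer) + "\",\"sub\":\"" + jsonEscape(spiffeId)
                + "\",\"aud\":[\"" + jsonEscape(audience) + "\"],\"iat\":" + now.getEpochSecond()
                + ",\"exp\":" + now.plus(ttl).getEpochSecond() + "}";
        String signingInput = b64url(header) + "." + b64url(payload);
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(signingKey.getPrivate());
        signer.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64URL.encodeToString(signer.sign());
    }

    private static String b64url(String s) {
        return B64URL.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    private static String jsonEscape(String s) {
        return s.replace("\\", "\\\\").replace("\"", "\\\"");
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair uaaKey = gen.generateKeyPair();       // constructed stand-in for UAA's key
        KeyPair workloadKey = gen.generateKeyPair();  // constructed stand-in for the instance-identity key
        Instant now = Instant.now();
        String spiffeId = "spiffe://example.org/cf/org-guid/space-guid/app-guid/web";  // assumed layout
        String audience = "https://api.example.org";
        byte[] popMessage = String.join("\n", spiffeId, audience, Long.toString(now.getEpochSecond()))
                .getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(workloadKey.getPrivate());
        signer.update(popMessage);
        String popSignature = Base64.getEncoder().encodeToString(signer.sign());

        boolean fresh = isFresh(now, now);
        boolean popOk = verifyPop(workloadKey.getPublic(), popMessage, popSignature);
        boolean futureRejected = !isFresh(now.plus(Duration.ofMinutes(10)), now);
        boolean badBase64Rejected = !verifyPop(workloadKey.getPublic(), popMessage, "not*base64");
        System.out.println("fresh=" + fresh + " popOk=" + popOk
                + " futureRejected=" + futureRejected + " badBase64Rejected=" + badBase64Rejected);
        if (fresh && popOk) {
            JwtSvidMinter minter = new JwtSvidMinter(uaaKey, "https://uaa.example.org/oauth/token", "uaa-key-1");
            System.out.println(minter.mint(spiffeId, audience, now, Duration.ofHours(1)));
        }
    }
}
```

Every rejection path returns false or throws before any signing happens, which is the fail-closed behaviour the PR's characterization tests pin down for future-dated and malformed-base64 PoPs; the minted token carries the issuer and key id so a relying party can verify it offline against the published keys.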