-
Notifications
You must be signed in to change notification settings - Fork 21
/
workloadattestor.go
132 lines (112 loc) · 4.83 KB
/
workloadattestor.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
package workloadattestor
import (
"context"
"sync"
"github.com/hashicorp/go-hclog"
"github.com/hashicorp/hcl"
"github.com/spiffe/spire-plugin-sdk/pluginmain"
"github.com/spiffe/spire-plugin-sdk/pluginsdk"
workloadattestorv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/plugin/agent/workloadattestor/v1"
configv1 "github.com/spiffe/spire-plugin-sdk/proto/spire/service/common/config/v1"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/status"
)
var (
// This compile-time assertion ensures the plugin conforms properly to the
// pluginsdk.NeedsLogger interface.
// TODO: Remove if the plugin does not need the logger.
_ pluginsdk.NeedsLogger = (*Plugin)(nil)
// This compile-time assertion ensures the plugin conforms properly to the
// pluginsdk.NeedsHostServices interface.
// TODO: Remove if the plugin does not need host services.
_ pluginsdk.NeedsHostServices = (*Plugin)(nil)
)
// Config defines the configuration for the plugin.
// TODO: Add relevant configurables or remove if no configuration is required.
type Config struct {
}
// Plugin implements the WorkloadAttestor plugin
type Plugin struct {
// UnimplementedWorkloadAttestorServer is embedded to satisfy gRPC
workloadattestorv1.UnimplementedWorkloadAttestorServer
// UnimplementedConfigServer is embedded to satisfy gRPC
// TODO: Remove if this plugin does not require configuration
configv1.UnimplementedConfigServer
// Configuration should be set atomically
// TODO: Remove if this plugin does not require configuration
configMtx sync.RWMutex
config *Config
// The logger received from the framework via the SetLogger method
// TODO: Remove if this plugin does not need the logger.
logger hclog.Logger
}
// Attest implements the WorkloadAttestor Attest RPC. Attests the specified workload process. If the process is not one
// the attestor is in a position to attest (e.g. k8s attestor attesting a non-k8s workload), the call will succeed but
// return no selectors. If the process is one of the attestor is in a position to attest, but the attestor fails to
// gather all selectors related to that workload, the call will fail. Otherwise, the attestor will return one or more
// workload selectors.
func (p *Plugin) Attest(ctx context.Context, req *workloadattestorv1.AttestRequest) (*workloadattestorv1.AttestResponse, error) {
config, err := p.getConfig()
if err != nil {
return nil, err
}
// TODO: Implement the RPC behavior. The following line silences compiler
// warnings and can be removed once the configuration is referenced by the
// implementation.
config = config
return nil, status.Error(codes.Unimplemented, "not implemented")
}
// Configure configures the plugin. This is invoked by SPIRE when the plugin is
// first loaded. In the future, it may be invoked to reconfigure the plugin.
// As such, it should replace the previous configuration atomically.
// TODO: Remove if no configuration is required
func (p *Plugin) Configure(ctx context.Context, req *configv1.ConfigureRequest) (*configv1.ConfigureResponse, error) {
config := new(Config)
if err := hcl.Decode(config, req.HclConfiguration); err != nil {
return nil, status.Errorf(codes.InvalidArgument, "failed to decode configuration: %v", err)
}
// TODO: Validate configuration before setting/replacing existing
// configuration
p.setConfig(config)
return &configv1.ConfigureResponse{}, nil
}
// BrokerHostServices is called by the framework when the plugin is loaded to
// give the plugin a chance to obtain clients to SPIRE host services.
// TODO: Remove if the plugin does not need host services.
func (p *Plugin) BrokerHostServices(broker pluginsdk.ServiceBroker) error {
// TODO: Use the broker to obtain host service clients
return nil
}
// SetLogger is called by the framework when the plugin is loaded and provides
// the plugin with a logger wired up to SPIRE's logging facilities.
// TODO: Remove if the plugin does not need the logger.
func (p *Plugin) SetLogger(logger hclog.Logger) {
p.logger = logger
}
// setConfig replaces the configuration atomically under a write lock.
// TODO: Remove if no configuration is required
func (p *Plugin) setConfig(config *Config) {
p.configMtx.Lock()
p.config = config
p.configMtx.Unlock()
}
// getConfig gets the configuration under a read lock.
// TODO: Remove if no configuration is required
func (p *Plugin) getConfig() (*Config, error) {
p.configMtx.RLock()
defer p.configMtx.RUnlock()
if p.config == nil {
return nil, status.Error(codes.FailedPrecondition, "not configured")
}
return p.config, nil
}
func main() {
plugin := new(Plugin)
// Serve the plugin. This function call will not return. If there is a
// failure to serve, the process will exit with a non-zero exit code.
pluginmain.Serve(
workloadattestorv1.WorkloadAttestorPluginServer(plugin),
// TODO: Remove if no configuration is required
configv1.ConfigServiceServer(plugin),
)
}