Add hint field delegated identity API

cmd/spire-server/cli/jwt/mint_test.go

@@ -202,6 +202,7 @@ func TestMintRun(t *testing.T) {
 	  "path": "/workload"
 	},
     "expires_at": "1628600000",
+    "hint": "",
     "issued_at": "1628500000"
   }
 }`, token)},
@@ -244,6 +245,7 @@ func TestMintRun(t *testing.T) {
   "svid": {
     "token": "malformed token",
     "expires_at": "0",
+    "hint": "",
     "issued_at": "0"
   }
 }`,
@@ -278,6 +280,7 @@ func TestMintRun(t *testing.T) {
 	  "path": "/workload"
 	},
     "expires_at": "1628500000",
+    "hint": "",
     "issued_at": "1628600000"
   }
 }`, expiredToken),

go.mod

@@ -59,7 +59,7 @@ require (
 	github.com/sigstore/sigstore v1.5.2
 	github.com/sirupsen/logrus v1.9.0
 	github.com/spiffe/go-spiffe/v2 v2.1.4
-	github.com/spiffe/spire-api-sdk v1.2.5-0.20230315170933-494fe186be48
+	github.com/spiffe/spire-api-sdk v1.2.5-0.20230413135745-699e242b965d
 	github.com/spiffe/spire-plugin-sdk v1.4.4-0.20230203133000-75d7213a0ba0
 	github.com/stretchr/testify v1.8.2
 	github.com/uber-go/tally/v4 v4.1.7

go.sum

@@ -2020,8 +2020,8 @@ github.com/spf13/viper v1.13.0 h1:BWSJ/M+f+3nmdz9bxB+bWX28kkALN2ok11D0rSo8EJU=
 github.com/spf13/viper v1.13.0/go.mod h1:Icm2xNL3/8uyh/wFuB1jI7TiTNKp8632Nwegu+zgdYw=
 github.com/spiffe/go-spiffe/v2 v2.1.4 h1:Z31Ycaf2Z5DF38sQGmp+iGKjBhBlSzfAq68bfy67Mxw=
 github.com/spiffe/go-spiffe/v2 v2.1.4/go.mod h1:eVDqm9xFvyqao6C+eQensb9ZPkyNEeaUbqbBpOhBnNk=
-github.com/spiffe/spire-api-sdk v1.2.5-0.20230315170933-494fe186be48 h1:jRrlbqir48TQ4yMupNf9I1/OMrVTK0myhWxwOYqiS0g=
-github.com/spiffe/spire-api-sdk v1.2.5-0.20230315170933-494fe186be48/go.mod h1:4uuhFlN6KBWjACRP3xXwrOTNnvaLp1zJs8Lribtr4fI=
+github.com/spiffe/spire-api-sdk v1.2.5-0.20230413135745-699e242b965d h1:0etgpf2R3yE+dwCM+leo1OcayEXfBdv0nZ3I7k/iRmk=
+github.com/spiffe/spire-api-sdk v1.2.5-0.20230413135745-699e242b965d/go.mod h1:4uuhFlN6KBWjACRP3xXwrOTNnvaLp1zJs8Lribtr4fI=
 github.com/spiffe/spire-plugin-sdk v1.4.4-0.20230203133000-75d7213a0ba0 h1:+ETVN721ZSZvi8CmR0oGf2KRSIkVMvWC8PqON9IknrM=
 github.com/spiffe/spire-plugin-sdk v1.4.4-0.20230203133000-75d7213a0ba0/go.mod h1:4KW5J6abGIAyUS8IL7Fi0NOfoWR6jA5LufKPnIdm9FE=
 github.com/src-d/gcfg v1.4.0/go.mod h1:p/UMsR43ujA89BJY9duynAwIpvqEujIH/jFlfL7jWoI=

pkg/agent/api/delegatedidentity/v1/service.go

@@ -196,6 +196,7 @@ func composeX509SVIDBySelectors(update *cache.WorkloadUpdate) (*delegatedidentit
 				Id:        id,
 				CertChain: x509util.RawCertsFromCertificates(identity.SVID),
 				ExpiresAt: identity.SVID[0].NotAfter.Unix(),
+				Hint:      identity.Entry.Hint,
 			},
 			X509SvidKey: keyData,
 		}
@@ -270,7 +271,8 @@ func (s *Service) FetchJWTSVIDs(ctx context.Context, req *delegatedidentityv1.Fe
 		log.WithError(err).Error("Invalid argument; could not parse provided selectors")
 		return nil, status.Error(codes.InvalidArgument, "could not parse provided selectors")
 	}
-	var spiffeIDs []spiffeid.ID
+
+	resp = new(delegatedidentityv1.FetchJWTSVIDsResponse)
 
 	entries := s.manager.MatchingRegistrationEntries(selectors)
 	for _, entry := range entries {
@@ -280,38 +282,34 @@ func (s *Service) FetchJWTSVIDs(ctx context.Context, req *delegatedidentityv1.Fe
 			return nil, status.Errorf(codes.InvalidArgument, "invalid requested SPIFFE ID: %v", err)
 		}
 
-		spiffeIDs = append(spiffeIDs, spiffeID)
-	}
-
-	if len(spiffeIDs) == 0 {
-		log.Error("No identity issued")
-		return nil, status.Error(codes.PermissionDenied, "no identity issued")
-	}
-
-	resp = new(delegatedidentityv1.FetchJWTSVIDsResponse)
-	for _, id := range spiffeIDs {
-		loopLog := log.WithField(telemetry.SPIFFEID, id.String())
+		loopLog := log.WithField(telemetry.SPIFFEID, spiffeID.String())
 
 		var svid *client.JWTSVID
-		svid, err = s.manager.FetchJWTSVID(ctx, id, req.Audience)
+		svid, err = s.manager.FetchJWTSVID(ctx, spiffeID, req.Audience)
 		if err != nil {
 			loopLog.WithError(err).Error("Could not fetch JWT-SVID")
 			return nil, status.Errorf(codes.Unavailable, "could not fetch JWT-SVID: %v", err)
 		}
 		resp.Svids = append(resp.Svids, &types.JWTSVID{
 			Token: svid.Token,
 			Id: &types.SPIFFEID{
-				TrustDomain: id.TrustDomain().String(),
-				Path:        id.Path(),
+				TrustDomain: spiffeID.TrustDomain().String(),
+				Path:        spiffeID.Path(),
 			},
 			ExpiresAt: svid.ExpiresAt.Unix(),
 			IssuedAt:  svid.IssuedAt.Unix(),
+			Hint:      entry.Hint,
 		})
 
 		ttl := time.Until(svid.ExpiresAt)
 		loopLog.WithField(telemetry.TTL, ttl.Seconds()).Debug("Fetched JWT SVID")
 	}
 
+	if len(resp.Svids) == 0 {
+		log.Error("No identity issued")
+		return nil, status.Error(codes.PermissionDenied, "no identity issued")
+	}
+
 	return resp, nil
 }