-
Notifications
You must be signed in to change notification settings - Fork 33
/
localauthority.proto
247 lines (205 loc) · 10.5 KB
/
localauthority.proto
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
syntax = "proto3";
package spire.api.server.localauthority.v1;
option go_package = "github.com/spiffe/spire-api-sdk/proto/spire/api/server/localauthority/v1;localauthorityv1";
// The LocalAuthority service provides a way to manage the signing keys (and
// related material) of the SPIRE Server exposing it.
service LocalAuthority {
// GetJWTAuthorityState returns the state of all locally configured
// JWT authorities.
rpc GetJWTAuthorityState(GetJWTAuthorityStateRequest) returns (GetJWTAuthorityStateResponse);
// PrepareJWTAuthority prepares a new JWT authority for use by
// generating a new key and injecting it into the bundle. This action
// will propagate the new public key cluster-wide.
rpc PrepareJWTAuthority(PrepareJWTAuthorityRequest) returns (PrepareJWTAuthorityResponse);
// ActivateJWTAuthority activates a prepared JWT authority for use,
// which will cause it to be used for all JWT signing operations
// serviced by this server going forward. If a new JWT authority has
// not already been prepared, a FailedPrecondition error will be returned.
rpc ActivateJWTAuthority(ActivateJWTAuthorityRequest) returns (ActivateJWTAuthorityResponse);
// TaintJWTAuthority marks the previously active JWT authority as
// being tainted. SPIRE Agents observing an authority to be tainted
// will perform proactive rotations of any key material related to
// the tainted authority. The result of this action will be observed
// cluster-wide.
// It can receive the Authority ID of an old JWT authority.
//
// If a previously active JWT authority does not exist (e.g. if one
// has been prepared but not activated yet), a FailedPrecondition
// error will be returned.
rpc TaintJWTAuthority(TaintJWTAuthorityRequest) returns (TaintJWTAuthorityResponse);
// RevokeJWTAuthority revokes the previously active JWT authority by
// removing it from the bundle and propagating this update throughout
// the cluster.
// It can receive the Authority ID of an old JWT authority.
//
// If a previously active JWT authority does not exist (e.g. if one
// has been prepared but not activated yet), a FailedPrecondition
// error will be returned.
rpc RevokeJWTAuthority(RevokeJWTAuthorityRequest) returns (RevokeJWTAuthorityResponse);
// GetX509AuthorityState returns the state of all locally configured
// X.509 authorities.
rpc GetX509AuthorityState(GetX509AuthorityStateRequest) returns (GetX509AuthorityStateResponse);
// PrepareX509Authority prepares a new X.509 authority for use by
// generating a new key and injecting the resulting CA certificate into
// the bundle. This action will propagate the new CA cluster-wide.
rpc PrepareX509Authority(PrepareX509AuthorityRequest) returns (PrepareX509AuthorityResponse);
// ActivateX509Authority activates a prepared X.509 authority for use,
// which will cause it to be used for all X.509 signing operations
// serviced by this server going forward. If a new X.509 authority has
// not already been prepared, a FailedPrecondition error will be returned.
rpc ActivateX509Authority(ActivateX509AuthorityRequest) returns (ActivateX509AuthorityResponse);
// TaintX509Authority marks the previously active X.509 authority as
// being tainted. SPIRE Agents observing an authority to be tainted
// will perform proactive rotations of any key material related to
// the tainted authority. The result of this action will be observed
// cluster-wide.
// The X.509 authority to taint is identified using the provided X.509 Subject Key
//
// If an upstream authority is configured then local authorities cannot be tainted,
// and a FailedPrecondition error will be returned.
//
// If a previously active X.509 authority does not exist (e.g. if one
// has been prepared but not activated yet), a FailedPrecondition
// error will be returned.
rpc TaintX509Authority(TaintX509AuthorityRequest) returns (TaintX509AuthorityResponse);
// TaintX509UpstreamAuthority marks the provided upstream authority as
// being tainted. SPIRE Agents observing a tainted authority
// will perform proactive rotations of any key material related to
// the tainted authority. The result of this action will be observed
// cluster-wide.
// It is important to change to a new active upstream authority before tainting the old one,
// since tainting will force the rotation of any bundle that is using
// the old upstream authority.
// The X.509 authority to taint is identified using the provided X.509 Subject Key
// Identifier (or SKID) of the old X.509 authority.
//
// If an X.509 upstream authority is not configured, or the identified upstream
// X.509 authority is active, a FailedPrecondition error will be returned.
rpc TaintX509UpstreamAuthority(TaintX509UpstreamAuthorityRequest) returns (TaintX509UpstreamAuthorityResponse);
// RevokeX509Authority revokes the previously active X.509 authority by
// removing it from the bundle and propagating this update throughout
// the cluster.
// It can receive the public key of an old X.509 authority.
//
// If a previously active X.509 authority does not exist (e.g. if one
// has been prepared but not activated yet), a FailedPrecondition
// error will be returned.
rpc RevokeX509Authority(RevokeX509AuthorityRequest) returns (RevokeX509AuthorityResponse);
// RevokeX509UpstreamAuthority revokes the previously active X.509 upstream authority by
// removing it from the bundle and propagating this update throughout
// the cluster.
// The X.509 authority to revoke is identified using the provided subject key ID of
// the authority's CA certificate.
//
// If a previously active X.509 upstream authority does not exist, a FailedPrecondition
// error will be returned.
rpc RevokeX509UpstreamAuthority(RevokeX509UpstreamAuthorityRequest) returns (RevokeX509UpstreamAuthorityResponse);
}
message GetJWTAuthorityStateRequest {}
message GetJWTAuthorityStateResponse {
// Authority currently being used for signing operations.
AuthorityState active = 1;
// Authority added on bundle but is not used yet.
AuthorityState prepared = 2;
// Authority in that was previously used for signing operations,
// but it is not longer.
AuthorityState old = 3;
}
message PrepareJWTAuthorityRequest {}
message PrepareJWTAuthorityResponse {
AuthorityState prepared_authority = 1;
}
message ActivateJWTAuthorityRequest {
// Optional. The authority ID of the local authority JWT authority to activate.
// This is the JWT Key ID.
// By default, the prepared local JWT authority is used.
string authority_id = 1;
}
message ActivateJWTAuthorityResponse {
AuthorityState activated_authority = 1;
}
message TaintJWTAuthorityRequest {
// Optional. The authority ID of the local authority JWT authority to taint.
// This is the JWT Key ID.
// By default, the old local JWT authority is used.
string authority_id = 1;
}
message TaintJWTAuthorityResponse {
AuthorityState tainted_authority = 1;
}
message RevokeJWTAuthorityRequest {
// Optional. The authority ID of the local authority JWT authority to revoke.
// This is the JWT Key ID.
// By default, the old local JWT authority is used.
string authority_id = 1;
}
message RevokeJWTAuthorityResponse {
AuthorityState revoked_authority = 1;
}
message GetX509AuthorityStateRequest {}
message GetX509AuthorityStateResponse {
// Authority currently being used for signing operations.
AuthorityState active = 1;
// Authority added on bundle but is not used yet.
AuthorityState prepared = 2;
// Authority in that was previously used for signing operations,
// but it is not longer.
AuthorityState old = 3;
}
message PrepareX509AuthorityRequest {}
message PrepareX509AuthorityResponse {
AuthorityState prepared_authority = 1;
}
message ActivateX509AuthorityRequest {
// Optional. The authority ID of the local X.509 authority to activate.
// This is the X.509 Subject Key Identifier (or SKID) of the
// authority's CA certificate, which is calculated by doing a
// SHA-1 hash over the ASN.1 encoding of the public key.
// By default, the prepared local X.509 authority is used.
string authority_id = 1;
}
message ActivateX509AuthorityResponse {
AuthorityState activated_authority = 1;
}
message TaintX509AuthorityRequest {
// Optional. The authority ID of the local X.509 authority to taint.
// This is the X.509 Subject Key Identifier (or SKID) of the
// authority's CA certificate, which is calculated by doing a
// SHA-1 hash over the ASN.1 encoding of the public key.
// By default, the old local X.509 authority is used.
string authority_id = 1;
}
message TaintX509AuthorityResponse {
AuthorityState tainted_authority = 1;
}
message TaintX509UpstreamAuthorityRequest {
// This is the X.509 Subject Key Identifier (or SKID) of the
// authority's CA certificate of the upstream X.509 authority to taint.
string subject_key_id = 1;
}
message TaintX509UpstreamAuthorityResponse {
}
message RevokeX509UpstreamAuthorityRequest {
// This is the X.509 Subject Key Identifier (or SKID) of the
// authority's CA certificate of the upstream X.509 authority to revoke.
string subject_key_id = 1;
}
message RevokeX509UpstreamAuthorityResponse {
}
message RevokeX509AuthorityRequest {
// Optional. The authority ID of the local X.509 authority to revoke.
// This is the X.509 Subject Key Identifier (or SKID) of the
// authority's CA certificate, which is calculated by doing a
// SHA-1 hash over the ASN.1 encoding of the public key.
// By default, the old local X.509 authority is used.
string authority_id = 1;
}
message RevokeX509AuthorityResponse {
AuthorityState revoked_authority = 1;
}
message AuthorityState {
// The authority ID.
string authority_id = 1;
// Expiration timestamp (seconds since Unix epoch).
int64 expires_at = 2;
}