Implement SPIFFE Broker Endpoint & API

Makefile

@@ -185,8 +185,10 @@ git_dirty := $(shell git status -s)
 protos := \
 	proto/private/server/journal/journal.proto \
 	proto/spire/common/common.proto \
+	proto/brokerapi/brokerapi.proto
 
 api-protos := \
+	proto/brokerapi/brokerapi.proto
 
 plugin-protos := \
 	proto/spire/common/plugin/plugin.proto

cmd/spire-agent/cli/run/run.go

@@ -66,6 +66,7 @@ type Config struct {
 type agentConfig struct {
 	DataDir                       string    `hcl:"data_dir"`
 	AdminSocketPath               string    `hcl:"admin_socket_path"`
+	BrokerSocketPath              string    `hcl:"broker_socket_path"`
 	InsecureBootstrap             bool      `hcl:"insecure_bootstrap"`
 	RebootstrapMode               string    `hcl:"rebootstrap_mode"`
 	RebootstrapDelay              string    `hcl:"rebootstrap_delay"`
@@ -491,6 +492,15 @@ func NewAgentConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool)
 		}
 		ac.AdminBindAddress = adminAddr
 	}
+
+	if c.Agent.hasBrokerAddr() {
+		brokerAddr, err := c.Agent.getBrokerAddr()
+		if err != nil {
+			return nil, err
+		}
+		ac.BrokerBindAddress = brokerAddr
+	}
+
 	// Handle join token - read from file if specified
 	if c.Agent.JoinTokenFile != "" {
 		tokenBytes, err := os.ReadFile(c.Agent.JoinTokenFile)

cmd/spire-agent/cli/run/run_posix.go

@@ -53,6 +53,30 @@ func (c *agentConfig) hasAdminAddr() bool {
 	return c.AdminSocketPath != ""
 }
 
+func (c *agentConfig) getBrokerAddr() (net.Addr, error) {
+	socketPathAbs, err := filepath.Abs(c.SocketPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get absolute path for socket_path: %w", err)
+	}
+	brokerSocketPathAbs, err := filepath.Abs(c.BrokerSocketPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get absolute path for broker_socket_path: %w", err)
+	}
+
+	if strings.HasPrefix(brokerSocketPathAbs, filepath.Dir(socketPathAbs)+"/") {
+		return nil, errors.New("broker socket cannot be in the same directory or a subdirectory as that containing the Workload API socket")
+	}
+
+	return &net.UnixAddr{
+		Name: brokerSocketPathAbs,
+		Net:  "unix",
+	}, nil
+}
+
+func (c *agentConfig) hasBrokerAddr() bool {
+	return c.BrokerSocketPath != ""
+}
+
 // validateOS performs posix specific validations of the agent config
 func (c *agentConfig) validateOS() error {
 	if c.Experimental.NamedPipeName != "" {
@@ -88,5 +112,16 @@ func prepareEndpoints(c *agent.Config) error {
 		}
 	}
 
+	if c.BrokerBindAddress != nil {
+		// Create uds dir and parents if not exists
+		brokerDir := filepath.Dir(c.BrokerBindAddress.String())
+		if _, statErr := os.Stat(brokerDir); os.IsNotExist(statErr) {
+			c.Log.WithField("dir", brokerDir).Infof("Creating broker UDS directory")
+			if err := os.MkdirAll(brokerDir, 0755); err != nil {
+				return err
+			}
+		}
+	}
+
 	return nil
 }

cmd/spire-agent/cli/run/run_windows.go

@@ -32,6 +32,14 @@ func (c *agentConfig) hasAdminAddr() bool {
 	return c.Experimental.AdminNamedPipeName != ""
 }
 
+func (c *agentConfig) getBrokerAddr() (net.Addr, error) {
+	return nil, errors.New("broker_socket_path is not supported in this platform")
+}
+
+func (c *agentConfig) hasBrokerAddr() bool {
+	return false
+}
+
 // validateOS performs windows specific validations of the agent config
 func (c *agentConfig) validateOS() error {
 	if c.SocketPath != "" {

conf/agent/agent.conf

@@ -6,6 +6,11 @@ agent {
     socket_path ="/tmp/spire-agent/public/api.sock"
     trust_bundle_path = "./conf/agent/dummy_root_ca.crt"
     trust_domain = "example.org"
+
+    authorized_delegates = [
+        "spiffe://example.org/broker",
+    ]
+    broker_socket_path = "/tmp/spire-agent/broker/api.sock"
 }
 
 plugins {

conf/agent/agent_full.conf

@@ -86,6 +86,9 @@ agent {
         # "spiffe://example.org/authorized_client1",
     # ]
 
+    # broker_socket_path: Location to bind the SPIFFE Broker Endpoint.
+    # broker_socket_path = ""
+
     # sds: Optional SDS configuration section.
     # sds = {
     #     # default_svid_name: The TLS Certificate resource name to use for the default

pkg/agent/agent.go

@@ -17,6 +17,7 @@ import (
 	admin_api "github.com/spiffe/spire/pkg/agent/api"
 	node_attestor "github.com/spiffe/spire/pkg/agent/attestor/node"
 	workload_attestor "github.com/spiffe/spire/pkg/agent/attestor/workload"
+	"github.com/spiffe/spire/pkg/agent/broker"
 	"github.com/spiffe/spire/pkg/agent/catalog"
 	"github.com/spiffe/spire/pkg/agent/endpoints"
 	"github.com/spiffe/spire/pkg/agent/manager"
@@ -255,6 +256,24 @@ func (a *Agent) Run(ctx context.Context) error {
 		tasks = append(tasks, adminEndpoints.ListenAndServe)
 	}
 
+	if a.c.BrokerBindAddress != nil {
+		brokerEndpoints, err := broker.New(&broker.Config{
+			BindAddr:            a.c.BrokerBindAddress,
+			Manager:             manager,
+			Log:                 a.c.Log,
+			Metrics:             metrics,
+			Attestor:            workloadAttestor,
+			TrustDomain:         a.c.TrustDomain,
+			AuthorizedDelegates: a.c.AuthorizedDelegates,
+			SVIDSource:          as,
+			BundleSource:        manager.GetX509Bundle(),
+		})
+		if err != nil {
+			return fmt.Errorf("failed to create broker endpoints: %w", err)
+		}
+		tasks = append(tasks, brokerEndpoints.ListenAndServe)
+	}
+
 	if a.c.LogReopener != nil {
 		tasks = append(tasks, a.c.LogReopener)
 	}

pkg/agent/attestor/node/node.go

@@ -36,13 +36,6 @@ const (
 	roundRobinServiceConfig = `{ "loadBalancingConfig": [ { "round_robin": {} } ] }`
 )
 
-type AttestationResult struct {
-	SVID         []*x509.Certificate
-	Key          keymanager.Key
-	Bundle       *spiffebundle.Bundle
-	Reattestable bool
-}
-
 type Attestor interface {
 	Attest(ctx context.Context) (*AttestationResult, error)
 }

pkg/agent/attestor/node/result.go

@@ -0,0 +1,40 @@
+package attestor
+
+import (
+	"crypto/x509"
+	"fmt"
+
+	"github.com/spiffe/go-spiffe/v2/bundle/spiffebundle"
+	"github.com/spiffe/go-spiffe/v2/bundle/x509bundle"
+	"github.com/spiffe/go-spiffe/v2/spiffeid"
+	"github.com/spiffe/go-spiffe/v2/svid/x509svid"
+	"github.com/spiffe/spire/pkg/agent/plugin/keymanager"
+)
+
+// Allow AttestationResult to be used as go-spiffe SVID and bundle sources.
+// TODO(arndt): Check whether the key of the agent is ok to be exposed to other parties.
+var (
+	_ x509svid.Source   = (*AttestationResult)(nil)
+	_ x509bundle.Source = (*AttestationResult)(nil)
+)
+
+type AttestationResult struct {
+	SVID         []*x509.Certificate
+	Key          keymanager.Key
+	Bundle       *spiffebundle.Bundle
+	Reattestable bool
+}
+
+func (ar *AttestationResult) GetX509SVID() (*x509svid.SVID, error) {
+	return &x509svid.SVID{
+		Certificates: ar.SVID,
+		PrivateKey:   ar.Key,
+	}, nil
+}
+
+func (ar *AttestationResult) GetX509BundleForTrustDomain(trustDomain spiffeid.TrustDomain) (*x509bundle.Bundle, error) {
+	if ar.Bundle.TrustDomain() != trustDomain {
+		return nil, fmt.Errorf("bundle for trust domain %q not found", trustDomain)
+	}
+	return ar.Bundle.X509Bundle(), nil
+}