diff --git a/pkg/server/api/agent/v1/service.go b/pkg/server/api/agent/v1/service.go
index d8584af066..f0fc9017c6 100644
--- a/pkg/server/api/agent/v1/service.go
+++ b/pkg/server/api/agent/v1/service.go
@@ -5,6 +5,8 @@ import (
 	"crypto/x509"
 	"errors"
 	"fmt"
+	"net/url"
+	"strings"
 	"time"
 
 	"github.com/andres-erbsen/clock"
@@ -695,6 +697,19 @@ func (s *Service) attestChallengeResponse(ctx context.Context, agentStream agent
 		st := status.Convert(err)
 		return nil, api.MakeErr(log, st.Code(), st.Message(), nil)
 	}
+	if result.AgentID != "" {
+		parsedId, err := url.Parse(result.AgentID)
+		if err == nil {
+			path := parsedId.Path
+			trimmedPath := strings.TrimPrefix(path, "/")
+			if trimmedPath != "" {
+				result.Selectors = append(result.Selectors, &common.Selector{
+					Type: "spiffe",
+					Value: fmt.Sprintf("svid:%s", trimmedPath),
+				})
+			}
+		}
+	}
 	return result, nil
 }
 
diff --git a/pkg/server/api/agent/v1/service_test.go b/pkg/server/api/agent/v1/service_test.go
index e5187748de..0d14300bec 100644
--- a/pkg/server/api/agent/v1/service_test.go
+++ b/pkg/server/api/agent/v1/service_test.go
@@ -2718,6 +2718,7 @@ func TestAttestAgent(t *testing.T) {
 			request: getAttestAgentRequest("test_type", []byte("payload_with_result"), testCsr),
 			expectedID: spiffeid.RequireFromPath(td, "/spire/agent/test_type/id_with_result"),
 			expectedSelectors: []*common.Selector{
+				{Type: "spiffe", Value: "svid:spire/agent/test_type/id_with_result"},
 				{Type: "test_type", Value: "result"},
 			},
 			expectLogs: []spiretest.LogEntry{
@@ -2749,6 +2750,7 @@ func TestAttestAgent(t *testing.T) {
 			request: getAttestAgentRequest("test_type", []byte("payload_with_result"), testCsr),
 			expectedID: spiffeid.RequireFromPath(td, "/spire/agent/test_type/id_with_result"),
 			expectedSelectors: []*common.Selector{
+				{Type: "spiffe", Value: "svid:spire/agent/test_type/id_with_result"},
 				{Type: "test_type", Value: "result"},
 			},
 			expectLogs: []spiretest.LogEntry{
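Review bot: The new block in attestChallengeResponse builds the `spiffe` selector from `url.Parse(result.AgentID)` and drops the parse error silently, so a malformed attestor-supplied ID produces neither a selector nor a log line, while a syntactically odd path that url.Parse accepts (it does not reject `..` or empty segments) still becomes a selector value that registration entries can match on. The test file already handles these IDs with the spiffeid package; parsing with `spiffeid.FromString` here would validate the path against SPIFFE rules and keep the selector consistent with what `expectedID` is compared to, and a Warn via `log` (in scope from the `api.MakeErr(log, ...)` call just above) would make a bad attestor result visible — whether spiffeid is already imported in service.go is not visible in this hunk. Two style points on the same lines: `parsedId` should be `parsedID` per Go initialism convention, and `parsedId, err :=` re-declares `err` inside the new block, shadowing the outer one checked earlier; `"svid:" + trimmedPath` also replaces the `fmt.Sprintf`. The selector is emitted before any check of whether the ID lies in the attestor's namespace (the `id_outside_namespace` test now expects `svid:id_outside_namespace`), which is only safe if such IDs are rejected or warned about before the selectors are persisted — that logic, like the start of attestChallengeResponse, is outside this hunk.
```go
	if result.AgentID != "" {
		id, err := spiffeid.FromString(result.AgentID)
		if err != nil {
			log.WithError(err).Warn("Attestor returned an unparsable agent ID; skipping spiffe selector")
		} else if p := strings.TrimPrefix(id.Path(), "/"); p != "" {
			result.Selectors = append(result.Selectors, &common.Selector{
				Type:  "spiffe",
				Value: "svid:" + p,
			})
		}
	}
	// … unchanged: return result, nil …
```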
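Review bot: The added expectations only cover the happy path where the attestor returns a well-formed ID with a non-empty path; nothing in TestAttestAgent exercises the two branches the service change introduces, an AgentID that url.Parse rejects and one whose path is empty, where the `spiffe` selector is silently omitted. A case along the lines of `name: "nodeattestor returns ID with empty path"` asserting that `expectedSelectors` contains no `spiffe` entry would pin that behaviour, and the same gap applies to the hunks at -2749, -2798, -2828 and -3214. The -3178 case now expects `svid:id_outside_namespace` next to the existing warning log, which documents that the selector is produced even for an ID outside the attestor namespace; a one-line comment on that case stating this is intentional would keep a later reader from treating it as an oversight.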
@@ -2798,6 +2800,7 @@ func TestAttestAgent(t *testing.T) {
 			request: getAttestAgentRequest("test_type", []byte("payload_with_challenge"), testCsr),
 			expectedID: spiffeid.RequireFromPath(td, "/spire/agent/test_type/id_with_challenge"),
 			expectedSelectors: []*common.Selector{
+				{Type: "spiffe", Value: "svid:spire/agent/test_type/id_with_challenge"},
 				{Type: "test_type", Value: "challenge"},
 			},
 			expectLogs: []spiretest.LogEntry{
@@ -2828,6 +2831,7 @@ func TestAttestAgent(t *testing.T) {
 			request: getAttestAgentRequest("test_type", []byte("payload_attested_before"), testCsr),
 			expectedID: spiffeid.RequireFromPath(td, "/spire/agent/test_type/id_attested_before"),
 			expectedSelectors: []*common.Selector{
+				{Type: "spiffe", Value: "svid:spire/agent/test_type/id_attested_before"},
 				{Type: "test_type", Value: "attested_before"},
 			},
 			expectedVersion: "1.2.3",
@@ -3178,6 +3182,9 @@ func TestAttestAgent(t *testing.T) {
 			name: "nodeattestor returns ID outside of its namespace",
 			request: getAttestAgentRequest("test_type", []byte("payload_return_id_outside_namespace"), testCsr),
 			expectedID: spiffeid.RequireFromPath(td, "/id_outside_namespace"),
+			expectedSelectors: []*common.Selector{
+				{Type: "spiffe", Value: "svid:id_outside_namespace"},
+			},
 			expectLogs: []spiretest.LogEntry{
 				{
 					Level: logrus.WarnLevel,
@@ -3214,6 +3221,7 @@ func TestAttestAgent(t *testing.T) {
 			request: getAttestAgentRequest("test_type", []byte("payload_selector_dups"), testCsr),
 			expectedID: spiffeid.RequireFromPath(td, "/spire/agent/test_type/id_selector_dups"),
 			expectedSelectors: []*common.Selector{
+				{Type: "spiffe", Value: "svid:spire/agent/test_type/id_selector_dups"},
 				{Type: "test_type", Value: "A"},
 				{Type: "test_type", Value: "B"},
 				{Type: "test_type", Value: "C"},