Move mini-spire into cofidectl

Signed-off-by: Maartje Eyskens <[email protected]>
cofide · Nov 15, 2024 · c4504ce · c4504ce
1 parent 536cd1c
commit c4504ce
Show file tree

Hide file tree

Showing 9 changed files with 873 additions and 52 deletions.
diff --git a/cmd/cofidectl/cmd/dev/dev.go b/cmd/cofidectl/cmd/dev/dev.go
@@ -0,0 +1,20 @@
+package dev
+
+import (
+	"github.com/spf13/cobra"
+)
+
+var federationDesc = `
+This command consists of multiple subcommands to administer the Cofide local development environment
+`
+
+func NewDevCmd() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "dev mini-spire [ARGS]",
+		Short: "setup a local development spire",
+		Long:  federationDesc,
+		Args:  cobra.NoArgs,
+	}
+	cmd.AddCommand(devMiniSpireCmd())
+	return cmd
+}
diff --git a/cmd/cofidectl/cmd/dev/mini-spire.go b/cmd/cofidectl/cmd/dev/mini-spire.go
@@ -0,0 +1,86 @@
+package dev
+
+import (
+	"fmt"
+	"net"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/cofide/cofidectl/internal/pkg/dev/minispire"
+	"github.com/spf13/cobra"
+	pb "github.com/spiffe/go-spiffe/v2/proto/spiffe/workload"
+	"google.golang.org/grpc"
+)
+
+var devMiniSpireDesc = `
+This command will bring up a local SPIRE workload API socket that sets up a local development CA and issues SVIDs to every client connecting to it.
+THIS COMMAND SHOULD NEVER BE USED IN ANY PRODUCTION OR SERVER ENVIRONMENT.
+`
+
+type devMiniSpireOpts struct {
+	socket  string
+	domain  string
+	keyType string
+}
+
+func devMiniSpireCmd() *cobra.Command {
+	opts := devMiniSpireOpts{}
+
+	cmd := &cobra.Command{
+		Use:   "mini-spire [ARGS]",
+		Short: "Sets up a SPIRE agent for local development",
+		Long:  devMiniSpireDesc,
+		Args:  cobra.NoArgs,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			fmt.Println("Building in-memory CA")
+			var kt minispire.KeyType
+			if opts.keyType == "rsa" {
+				kt = minispire.KeyTypeRSA
+			} else if opts.keyType == "ecdsa" {
+				kt = minispire.KeyTypeECDSAP256
+			} else {
+				return fmt.Errorf("key type %q is unknown", opts.keyType)
+			}
+			ca, err := minispire.NewInMemoryCA(kt)
+			if err != nil {
+				return fmt.Errorf("failed to create in-memory CA: %v", err)
+			}
+
+			fmt.Println("Starting SPIRE server")
+			lis, err := net.Listen("unix", opts.socket)
+			if err != nil {
+				return fmt.Errorf("failed to listen in %q: %v", opts.socket, err)
+			}
+
+			grpcServer := grpc.NewServer(grpc.Creds(minispire.NewCredentials()))
+			wl := minispire.NewWorkloadHandler(minispire.Config{
+				Domain: opts.domain,
+				CA:     ca,
+			})
+			pb.RegisterSpiffeWorkloadAPIServer(grpcServer, wl)
+
+			go func() {
+				fmt.Println("SPIRE server listening on", opts.socket)
+				grpcServer.Serve(lis)
+			}()
+
+			// listen for signals to stop the server
+			osSignals := make(chan os.Signal, 1)
+			signal.Notify(osSignals, syscall.SIGINT, syscall.SIGTERM)
+			<-osSignals
+
+			fmt.Println("Shutting down server")
+			lis.Close()
+
+			return nil
+		},
+	}
+
+	f := cmd.Flags()
+	f.StringVarP(&opts.domain, "domain", "d", "example.com", "Trust domain to use for this trust zone")
+	f.StringVarP(&opts.socket, "socket", "s", "/tmp/spire.sock", "Path to the UNIX socket to listen on")
+	f.StringVarP(&opts.keyType, "key-type", "k", "rsa", "Key type to use for the CA (rsa or ecdsa)")
+
+	return cmd
+}
diff --git a/cmd/cofidectl/cmd/root.go b/cmd/cofidectl/cmd/root.go
@@ -10,6 +10,7 @@ import (
 	"github.com/cofide/cofidectl/cmd/cofidectl/cmd/apbinding"
 	"github.com/cofide/cofidectl/cmd/cofidectl/cmd/attestationpolicy"
 	cmdcontext "github.com/cofide/cofidectl/cmd/cofidectl/cmd/context"
+	"github.com/cofide/cofidectl/cmd/cofidectl/cmd/dev"
 	"github.com/cofide/cofidectl/cmd/cofidectl/cmd/federation"
 	"github.com/cofide/cofidectl/cmd/cofidectl/cmd/trustzone"
 	"github.com/cofide/cofidectl/cmd/cofidectl/cmd/workload"
@@ -64,6 +65,7 @@ func (r *RootCommand) GetRootCommand() (*cobra.Command, error) {
 		wlCmd.GetRootCommand(),
 		upCmd.UpCmd(),
 		downCmd.DownCmd(),
+		dev.NewDevCmd(),
 	)
 
 	return cmd, nil

diff --git a/go.mod b/go.mod
@@ -1,18 +1,21 @@
 module github.com/cofide/cofidectl
 
-go 1.22.7
+go 1.23.2
 
 require (
 	buf.build/go/protoyaml v0.2.0
 	cuelang.org/go v0.10.0
 	github.com/cofide/cofide-api-sdk v0.2.0
-	github.com/fatih/color v1.13.0
+	github.com/cofide/cofide-sdk-go v0.0.0-unpublished
+	github.com/fatih/color v1.16.0
+	github.com/go-jose/go-jose/v4 v4.0.4
 	github.com/gofrs/flock v0.12.1
 	github.com/google/go-cmp v0.6.0
 	github.com/hashicorp/go-plugin v1.6.2
 	github.com/manifoldco/promptui v0.9.0
 	github.com/spf13/cobra v1.8.1
 	github.com/spiffe/go-spiffe/v2 v2.4.0
+	github.com/spiffe/spire v1.11.0
 	github.com/spiffe/spire-api-sdk v1.10.4
 	github.com/stretchr/testify v1.9.0
 	google.golang.org/grpc v1.67.1
@@ -23,6 +26,8 @@ require (
 // Uncomment the following for development with local Cofide API SDK changes:
 //replace github.com/cofide/cofide-api-sdk => ../cofide-api-sdk
 
+replace github.com/cofide/cofide-sdk-go v0.0.0-unpublished => ../cofide-sdk-go
+
 require (
 	buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.34.2-20240717164558-a6c49f84cc0f.2 // indirect
 	dario.cat/mergo v1.0.1 // indirect
@@ -51,9 +56,9 @@ require (
 	github.com/cyphar/filepath-securejoin v0.3.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/cli v27.1.0+incompatible // indirect
+	github.com/docker/cli v27.1.1+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
-	github.com/docker/docker v27.1.1+incompatible // indirect
+	github.com/docker/docker v27.3.1+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.8.0 // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
@@ -72,9 +77,9 @@ require (
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
-	github.com/google/btree v1.0.1 // indirect
+	github.com/google/btree v1.1.3 // indirect
 	github.com/google/cel-go v0.21.0 // indirect
-	github.com/google/gnostic-models v0.6.8 // indirect
+	github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.6.0 // indirect
@@ -120,7 +125,7 @@ require (
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/client_golang v1.19.1 // indirect
+	github.com/prometheus/client_golang v1.20.4 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.55.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
@@ -138,26 +143,25 @@ require (
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	github.com/xlab/treeprint v1.2.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect
-	go.opentelemetry.io/otel v1.28.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.22.0 // indirect
+	github.com/zeebo/errs v1.3.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect
+	go.opentelemetry.io/otel v1.29.0 // indirect
 	go.opentelemetry.io/otel/exporters/prometheus v0.49.0 // indirect
-	go.opentelemetry.io/otel/metric v1.28.0 // indirect
-	go.opentelemetry.io/otel/sdk/metric v1.27.0 // indirect
-	go.opentelemetry.io/otel/trace v1.28.0 // indirect
+	go.opentelemetry.io/otel/metric v1.29.0 // indirect
+	go.opentelemetry.io/otel/trace v1.29.0 // indirect
 	go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect
 	golang.org/x/crypto v0.28.0 // indirect
-	golang.org/x/exp v0.0.0-20240325151524-a685a6edb6d8 // indirect
+	golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 // indirect
 	golang.org/x/mod v0.20.0 // indirect
 	golang.org/x/net v0.30.0 // indirect
 	golang.org/x/oauth2 v0.23.0 // indirect
 	golang.org/x/sync v0.8.0 // indirect
 	golang.org/x/sys v0.26.0 // indirect
 	golang.org/x/term v0.25.0 // indirect
 	golang.org/x/text v0.19.0 // indirect
-	golang.org/x/time v0.3.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240814211410-ddb44dafa142 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect
+	golang.org/x/time v0.7.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20240930140551-af27646dc61f // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241007155032-5fefd90f89a9 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect