adding socketpath to spire-agent socket in server

CSCfi · Mar 29, 2024 · 99d396f · 99d396f
1 parent e859010
commit 99d396f
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 30 deletions.
diff --git a/server/app.py b/server/app.py
@@ -6,9 +6,10 @@
     get_server_identity_JWT,
     validate_client_JWT_SVID,
 )
-from lib  import spire_interactions
+from lib import spire_interactions
 from tools.docker_utils import get_build_env_image_digests
 from pyspiffe.spiffe_id.spiffe_id import SpiffeId
+from pyspiffe.workloadapi import default_jwt_source
 
 from tools.config.config import parse_configuration
 from tools.cli.cli import parse_arguments
@@ -25,19 +26,40 @@
 options = parse_arguments()
 configuration = parse_configuration(options.config)
 
-if configuration['spire-server'].get('spire-server-bin') :
-    spire_interactions.spire_server_bin = configuration['spire-server']['spire-server-bin']
+if configuration["spire-server"].get("spire-server-bin"):
+    spire_interactions.spire_server_bin = configuration["spire-server"][
+        "spire-server-bin"
+    ]
+
+if configuration.get("spire-agent") and configuration["spire-agent"].get(
+    "spire-agent-socket"
+):
+    spire_interactions.jwt_workload_api = default_jwt_source.DefaultJwtSource(
+        workload_api_client=None,
+        spiffe_socket_path=f"unix://{configuration['spire-agent'].get('spire-agent-socket')}",
+        timeout_in_seconds=None,
+    )
+else:
+    spire_interactions.jwt_workload_api = default_jwt_source.DefaultJwtSource(
+        workload_api_client=None,
+        spiffe_socket_path="unix:///tmp/spire-agent/public/api.sock",
+        timeout_in_seconds=None,
+    )
 
-if configuration['spire-server'].get('pre-command') :
-    spire_interactions.pre_command = configuration['spire-server']['pre-command']
-    if configuration['spire-server']['pre-command'] == "\"\"":
+if configuration["spire-server"].get("pre-command"):
+    spire_interactions.pre_command = configuration["spire-server"]["pre-command"]
+    if configuration["spire-server"]["pre-command"] == '""':
         spire_interactions.pre_command = ""
-    
+
 # Defining the trust domain (SPIRE Trust Domain)
-trust_domain = configuration['spire-server']['trust-domain']
+trust_domain = configuration["spire-server"]["trust-domain"]
 
 # Perform vault login, to be able to run later operations against vault
-hvac_client = vault_login(configuration['vault']['url'], get_server_identity_JWT(), configuration['vault']['server-role'])
+hvac_client = vault_login(
+    configuration["vault"]["url"],
+    get_server_identity_JWT(),
+    configuration["vault"]["server-role"],
+)
 
 
 # Dummy endpoint that handles the registration of compute nodes.
@@ -101,9 +123,7 @@ async def handle_client_registration():
 
         # Create a spiffeID for the workloads on the client.
         # Register workloads that have to run on this agent
-        workload_spiffeID = SpiffeId(
-            f"spiffe://{trust_domain}/c/{client_id}/workload"
-        )
+        workload_spiffeID = SpiffeId(f"spiffe://{trust_domain}/c/{client_id}/workload")
 
         # Write the role bound to the workload's spiffeID
         write_client_role(hvac_client, f"client_{client_id}", workload_spiffeID)
@@ -128,22 +148,34 @@ async def handle_client_registration():
                     "client_id": client_id,
                     "token": agent_token,
                 }
-        
-        # Spire-Agent binary        
+
+        # Spire-Agent binary
         result = entry_create(
-            agent_spiffeID, workload_spiffeID, ["unix:sha256:5ebff0fdb3335ec0221c35dcc7d3a4433eb8a5073a15a6dcfdbbb95bb8dbfa8e"]
+            agent_spiffeID,
+            workload_spiffeID,
+            [
+                "unix:sha256:5ebff0fdb3335ec0221c35dcc7d3a4433eb8a5073a15a6dcfdbbb95bb8dbfa8e"
+            ],
         )
-        
-        # Python 3.9 binary        
+
+        # Python 3.9 binary
         result = entry_create(
-            agent_spiffeID, workload_spiffeID, ["unix:sha256:956a50083eb7a58240fea28ac52ff39e9c04c5c74468895239b24bdf4760bffe"]
+            agent_spiffeID,
+            workload_spiffeID,
+            [
+                "unix:sha256:956a50083eb7a58240fea28ac52ff39e9c04c5c74468895239b24bdf4760bffe"
+            ],
         )
-        
+
         # Qemu x86_64 (For docker mac) // Could add Rosetta binary
         result = entry_create(
-            agent_spiffeID, workload_spiffeID, ["unix:sha256:3fc6c8fbd8fe429b67276854fbb5ae594118f7f0b10352a508477833b04ee9b7"]
+            agent_spiffeID,
+            workload_spiffeID,
+            [
+                "unix:sha256:3fc6c8fbd8fe429b67276854fbb5ae594118f7f0b10352a508477833b04ee9b7"
+            ],
         )
-        
+
         # Success
         return {
             "success": True,
@@ -176,9 +208,7 @@ async def handle_workload_creation():
     client_id = hashlib.sha256(client_id.encode()).hexdigest()[0:9]
 
     # Parse the spiffeID that will access the application
-    spiffeID = SpiffeId(
-        f"spiffe://{trust_domain}/c/{client_id}/s/{data['secret']}"
-    )
+    spiffeID = SpiffeId(f"spiffe://{trust_domain}/c/{client_id}/s/{data['secret']}")
 
     # Check that the SVID correspond to the client_id (Can be removed if developper is certified)
     if validate_client_JWT_SVID(data["jwt"], client_id):

diff --git a/server/lib/spire_interactions.py b/server/lib/spire_interactions.py
@@ -8,11 +8,7 @@
 pre_command = "microk8s.kubectl exec -n spire spire-server-0 --"
 
 
-jwt_workload_api =  default_jwt_source.DefaultJwtSource(
-    workload_api_client=None,
-    spiffe_socket_path="unix:///tmp/spire-agent/public/api.sock",
-    timeout_in_seconds=None
-)
+jwt_workload_api = None
 
 
 def token_generate(spiffeID: SpiffeId) -> subprocess.CompletedProcess:
@@ -33,7 +29,7 @@ def token_generate(spiffeID: SpiffeId) -> subprocess.CompletedProcess:
         command = f"{spire_server_bin} token generate -spiffeID {str(spiffeID)}".split(
             " "
         )
-        
+
     return subprocess.run(command, capture_output=True)