PoC: Add support for plugins

.github/tests/it/client/Dockerfile

@@ -11,21 +11,33 @@ ARG DEBIAN_FRONTEND=noninteractive
 RUN apt update && apt install postgresql mysql-client -y
 
 RUN mkdir -p /run/client/certs
+RUN mkdir -p /run/client/plugin_certs
 COPY ./postgres-connect.sh /run/client/postgres-connect.sh
 COPY ./mysql-connect.sh /run/client/mysql-connect.sh
 COPY ./assert.sh /run/client/assert.sh
 
-RUN touch /run/client/certs/svid.crt /run/client/certs/svid.key /run/client/certs/root.crt
+RUN touch /run/client/certs/svid.crt /run/client/certs/svid.key /run/client/certs/root.crt \
+/run/client/certs/jwt.json /run/client/certs/jwk.json /run/client/plugin_certs/svid.crt \
+/run/client/plugin_certs/jwt.json /run/client/plugin_certs/jwk.json
 RUN chmod +x /run/client/postgres-connect.sh /run/client/mysql-connect.sh /run/client/assert.sh
-RUN chmod 600 /run/client/certs/svid.crt /run/client/certs/svid.key /run/client/certs/root.crt
+RUN chmod 600 /run/client/certs/svid.crt /run/client/certs/svid.key /run/client/certs/root.crt \ 
+/run/client/certs/jwt.json /run/client/certs/jwk.json /run/client/plugin_certs/svid.crt \
+/run/client/plugin_certs/jwt.json /run/client/plugin_certs/jwk.json
 RUN chown client:client \
     /run/client/postgres-connect.sh \
     /run/client/mysql-connect.sh \
     /run/client/assert.sh \
     /run/client/certs/svid.crt \
     /run/client/certs/svid.key \
-    /run/client/certs/root.crt
+    /run/client/certs/root.crt \
+    /run/client/certs/jwt.json \
+    /run/client/certs/jwk.json \
+    /run/client/plugin_certs/svid.crt \
+    /run/client/plugin_certs/jwt.json \
+    /run/client/plugin_certs/jwk.json
+
 
 USER root
 COPY --from=it-spiffe-helper /service/spiffe-helper /opt/helper/spiffe-helper
+COPY --from=it-spiffe-helper /service/simple-plugin /opt/helper/simple-plugin
 COPY --from=builder /service/client /opt/go-client/client

.github/tests/it/client/helper.conf

@@ -6,3 +6,17 @@ renewSignal = "SIGUSR1"
 svidFileName = "svid.crt"
 svidKeyFileName = "svid.key"
 svidBundleFileName = "root.crt"
+jwt_audience = "example.org"
+jwt_svid_file_name = "jwt.json"
+jwt_bundle_file_name = "jwk.json"
+
+plugins {
+    "simple-plugin" {
+        path="/opt/helper/simple-plugin"
+        checksum="039bffe8a30ce9a6f3a1596e2d82ac6269cf2a083584ffae19c0ef178e23aba4"
+        plugin_cert_dir="/run/client/plugin_certs/"
+        x509_svid_file_name="svid.crt"
+        jwt_svid_file_name="jwt.json"
+        jwt_bundle_file_name="jwk.json"
+    }
+}

.github/tests/it/integration_test.sh

@@ -33,6 +33,10 @@ TEST_FAILED=$((TEST_FAILED + $?))
 bash change-entry-client-test.sh
 TEST_FAILED=$((TEST_FAILED + $?))
 
+# Testing to upload a plugin and notify changes on SVIDs and bundles
+bash run-plugin-test.sh
+TEST_FAILED=$((TEST_FAILED + $?))
+
 echo
 if  ((TEST_FAILED == 1)); then
     echo -e "${RED}❌ ${TEST_FAILED} test failed.${RESET}"

.github/tests/it/run-plugin-test.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+RESET='\033[0m'
+bad=0
+
+ok(){
+    echo -e "${GREEN}✔️ $1 succeeded ${RESET}"
+}
+
+fail(){
+    echo -e "${RED}❌ $1 failed ${RESET}"
+}
+
+docker compose exec client su client -c "test -s /run/client/plugin_certs/svid.crt"
+if [ $? -eq 0 ]; then 
+  ok "Test plugin X.509 svid update"
+else
+  fail "Test plugin X.509 svid update"
+  exit 1
+fi
+
+docker compose exec client su client -c "test -s /run/client/plugin_certs/jwt.json"
+if [ $? -eq 0 ]; then 
+  ok "Test plugin JWT svid update"
+else
+  fail "Test plugin JWT svid update"
+  exit 1
+fi
+
+docker compose exec client su client -c "test -s /run/client/plugin_certs/jwk.json"
+if [ $? -eq 0 ]; then 
+  ok "Test plugin JWT bundle update"
+else
+  fail "Test plugin JWT bundle update"
+  exit 1
+fi
+
+exit 0

.github/tests/it/spiffe-helper/Dockerfile

@@ -2,3 +2,4 @@ FROM golang:1.21-alpine AS spiffe-helper
 COPY ./ /service/
 WORKDIR /service
 RUN go build -tags netgo -a -v -o /service/spiffe-helper ./cmd/spiffe-helper
+RUN go build -tags netgo -a -v -o /service/simple-plugin ./examples/plugin/plugin.go

.github/tests/run-plugin-test.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+# Define the target directory path
+target_dir="./it"
+
+# Check if the target directory exists
+if [ ! -d "$target_dir" ]; then
+  echo "Error: The target directory '$target_dir' does not exist."
+  exit 1
+fi
+
+# Change to the target directory
+cd "$target_dir" || exit
+
+bash run-plugin-test.sh 1

README.md

@@ -31,9 +31,11 @@ The configuration file is an [HCL](https://github.com/hashicorp/hcl) formatted f
  | `jwt_audience`                | JWT SVID audience.                                                                                             | `"your-audience"`                                                                                                                                                    |
  | `jwt_svid_file_name`          | File name to be used to store JWT SVID in Base64-encoded string.                                               | `"jwt_svid.token"`                                                                                                                                                   |
  | `jwt_bundle_file_name`        | File name to be used to store JWT Bundle in JSON format.                                                       | `"jwt_bundle.json"`                                                                                                                                                  |
+| `plugins`                      | Block of plugins.                                                                                              |   |
+
 
 ### Configuration example
-```
+```hcl
 agent_address = "/tmp/spire-agent/public/api.sock"
 cmd = "ghostunnel"
 cmd_args = "server --listen localhost:8002 --target localhost:8001 --keystore certs/svid_key.pem --cacert certs/svid_bundle.pem --allow-uri-san spiffe://example.org/Database"
@@ -45,10 +47,17 @@ svid_bundle_file_name = "svid_bundle.pem"
 jwt_audience = "your-audience"
 jwt_svid_file_name = "jwt.token"
 jwt_bundle_file_name = "bundle.json"
+plugins {
+    "plugin_name" {
+        path="/tmp/plugins/plugin_name"
+        checksum="7ae182614c5b2f96b0c6655a6bf3e1e64fb0dbb9142fa50c8cf0002c5c5bb9c5"
+        custom_config="random_value"
+    }
+}
 ```
 
 ### Windows example
-```
+```hcl
 agent_address = "spire-agent\\public\\api"
 cert_dir = "certs"
 svid_file_name = "svid.pem"
@@ -57,4 +66,11 @@ svid_bundle_file_name = "svid_bundle.pem"
 jwt_audience = "your-audience"
 jwt_svid_file_name = "jwt.token"
 jwt_bundle_file_name = "bundle.json"
+plugins {
+    "plugin_name" {
+        path="c:\\tmp\\plugins\\plugin_name"
+        checksum="7ae182614c5b2f96b0c6655a6bf3e1e64fb0dbb9142fa50c8cf0002c5c5bb9c5"
+        custom_config="random_value"
+    }
+}
 ```

cmd/spiffe-helper/main.go

@@ -34,9 +34,9 @@ func startSidecar(configPath string, log logrus.FieldLogger) error {
 	ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt)
 	defer stop()
 
-	spiffeSidecar, err := sidecar.New(configPath, log)
+	spiffeSidecar, err := sidecar.New(ctx, configPath, log)
 	if err != nil {
-		return fmt.Errorf("Failed to create sidecar: %w", err)
+		return fmt.Errorf("failed to create sidecar: %w", err)
 	}
 
 	return spiffeSidecar.RunDaemon(ctx)

examples/plugin/plugin.go

@@ -0,0 +1,65 @@
+package main
+
+import (
+	"context"
+	"log"
+	"os"
+	"path"
+
+	"github.com/hashicorp/go-plugin"
+	pb "github.com/spiffe/spiffe-helper/pkg/notifier"
+)
+
+type SimplePlugin struct {
+	pb.NotifierServer
+	configs map[string]string
+}
+
+func writeSomething(path string) {
+	file, err := os.Create(path)
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer file.Close()
+
+	if _, err := file.WriteString("something"); err != nil {
+		log.Fatal(err)
+	}
+}
+
+func (s *SimplePlugin) LoadConfigs(ctx context.Context, request *pb.LoadConfigsRequest) (*pb.LoadConfigsResponse, error) {
+	s.configs = request.Configs
+	log.Printf("Plugin loaded")
+	return &pb.LoadConfigsResponse{}, nil
+}
+
+func (s *SimplePlugin) UpdateX509SVID(ctx context.Context, request *pb.UpdateX509SVIDRequest) (*pb.UpdateX509SVIDResponse, error) {
+	path := path.Join(s.configs["plugin_cert_dir"], s.configs["x509_svid_file_name"])
+	writeSomething(path)
+	log.Printf("X.509 SVID updated")
+	return &pb.UpdateX509SVIDResponse{}, nil
+}
+
+func (s *SimplePlugin) UpdateJWTSVID(ctx context.Context, request *pb.UpdateJWTSVIDRequest) (*pb.UpdateJWTSVIDResponse, error) {
+	path := path.Join(s.configs["plugin_cert_dir"], s.configs["jwt_svid_file_name"])
+	writeSomething(path)
+	log.Printf("JWT SVID updated")
+	return &pb.UpdateJWTSVIDResponse{}, nil
+}
+
+func (s *SimplePlugin) UpdateJWTBundle(ctx context.Context, request *pb.UpdateJWTBundleRequest) (*pb.UpdateJWTBundleResponse, error) {
+	path := path.Join(s.configs["plugin_cert_dir"], s.configs["jwt_bundle_file_name"])
+	writeSomething(path)
+	log.Printf("JWT bundle updated")
+	return &pb.UpdateJWTBundleResponse{}, nil
+}
+
+func main() {
+	plugin.Serve(&plugin.ServeConfig{
+		HandshakeConfig: pb.GetHandshakeConfig(),
+		Plugins: map[string]plugin.Plugin{
+			"simplePlugin": &pb.GRPCNotifier{Impl: &SimplePlugin{}},
+		},
+		GRPCServer: plugin.DefaultGRPCServer,
+	})
+}

go.mod

@@ -3,21 +3,31 @@ module github.com/spiffe/spiffe-helper
 go 1.21
 
 require (
+	github.com/hashicorp/go-plugin v1.4.10
 	github.com/hashicorp/hcl v1.0.0
 	github.com/spiffe/go-spiffe/v2 v2.1.6
 	github.com/stretchr/testify v1.8.4
 	golang.org/x/sys v0.15.0
 	google.golang.org/grpc v1.60.1
+	google.golang.org/protobuf v1.31.0
 )
 
 require google.golang.org/genproto/googleapis/rpc v0.0.0-20231002182017-d307bd883b97 // indirect
 
+require github.com/hashicorp/go-hclog v0.14.1 // indirect
+
 require (
 	github.com/Microsoft/go-winio v0.6.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/fatih/color v1.7.0 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb // indirect
 	github.com/kr/text v0.1.0 // indirect
+	github.com/mattn/go-colorable v0.1.4 // indirect
+	github.com/mattn/go-isatty v0.0.10 // indirect
+	github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77 // indirect
+	github.com/oklog/run v1.0.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/sirupsen/logrus v1.9.3
 	github.com/zeebo/errs v1.3.0 // indirect
@@ -26,6 +36,5 @@ require (
 	golang.org/x/net v0.16.0 // indirect
 	golang.org/x/text v0.13.0 // indirect
 	golang.org/x/tools v0.6.0 // indirect
-	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -3,6 +3,8 @@ github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2B
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys=
+github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/go-jose/go-jose/v3 v3.0.0 h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo=
 github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
@@ -12,20 +14,38 @@ github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/hashicorp/go-hclog v0.14.1 h1:nQcJDQwIAGnmoUWp8ubocEX40cCml/17YkF6csQLReU=
+github.com/hashicorp/go-hclog v0.14.1/go.mod h1:whpDNt7SSdeAju8AWKIWsul05p54N/39EeqMAyrmvFQ=
+github.com/hashicorp/go-plugin v1.4.10 h1:xUbmA4jC6Dq163/fWcp8P3JuHilrHHMLNRxzGQJ9hNk=
+github.com/hashicorp/go-plugin v1.4.10/go.mod h1:6/1TEzT0eQznvI/gV2CM29DLSkAK/e58mUWKVsPaph0=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
+github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb h1:b5rjCoWHc7eqmAS4/qyk21ZsHyb6Mxv/jykxvNTkU4M=
+github.com/hashicorp/yamux v0.0.0-20180604194846-3520598351bb/go.mod h1:+NfK9FKeTrX5uv1uIXGdwYDTeHna2qgaIlx54MXqjAM=
+github.com/jhump/protoreflect v1.6.0 h1:h5jfMVslIg6l29nsMs0D8Wj17RDVdNYti0vDN/PZZoE=
+github.com/jhump/protoreflect v1.6.0/go.mod h1:eaTn3RZAmMBcV0fifFvlm6VHNz3wSkYyXYWUh7ymB74=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/mattn/go-colorable v0.1.4 h1:snbPLB8fVfU9iwbbo30TPtbLRzwWu6aJS6Xh4eaaviA=
+github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
+github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
+github.com/mattn/go-isatty v0.0.10 h1:qxFzApOv4WsAL965uUPIsXzAKCZxN2p9UqdhFS4ZW10=
+github.com/mattn/go-isatty v0.0.10/go.mod h1:qgIWMr58cqv1PHHyhnkY9lrL7etaEgOFcMEpPG5Rm84=
+github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77 h1:7GoSOOW2jpsfkntVKaS2rAr1TJqfcxotyaUcuxoZSzg=
+github.com/mitchellh/go-testing-interface v0.0.0-20171004221916-a61a99592b77/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
+github.com/oklog/run v1.0.0 h1:Ru7dDtJNOyC66gQ5dQmaCa0qIsAUFY3sFpK1Xk8igrw=
+github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spiffe/go-spiffe/v2 v2.1.6 h1:4SdizuQieFyL9eNU+SPiCArH4kynzaKOOj0VvM8R7Xo=
 github.com/spiffe/go-spiffe/v2 v2.1.6/go.mod h1:eVDqm9xFvyqao6C+eQensb9ZPkyNEeaUbqbBpOhBnNk=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
@@ -44,7 +64,9 @@ golang.org/x/net v0.16.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ=
 golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191008105621-543471e840be/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
 golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=