Class SPIFFECertValidatorConfig

java.lang.Object
com.google.protobuf.AbstractMessageLite
com.google.protobuf.AbstractMessage
com.google.protobuf.GeneratedMessageV3
io.envoyproxy.envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
All Implemented Interfaces:
com.google.protobuf.Message, com.google.protobuf.MessageLite, com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder, SPIFFECertValidatorConfigOrBuilder, Serializable

public final class SPIFFECertValidatorConfig extends com.google.protobuf.GeneratedMessageV3 implements SPIFFECertValidatorConfigOrBuilder
 Configuration specific to the `SPIFFE <https://github.com/spiffe/spiffe>`_ certificate validator.

 Example:

 .. validated-code-block:: yaml
   :type-name: envoy.extensions.transport_sockets.tls.v3.CertificateValidationContext

   custom_validator_config:
     name: envoy.tls.cert_validator.spiffe
     typed_config:
       "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
       trust_domains:
       - name: foo.com
         trust_bundle:
           filename: "foo.pem"
       - name: envoy.com
         trust_bundle:
           filename: "envoy.pem"

 In this example, a presented peer certificate whose SAN matches ``spiffe://foo.com/**`` is validated against
 the "foo.pem" x.509 certificate. All the trust bundles are isolated from each other, so no trust domain can mint
 an SVID belonging to another trust domain. That means, in this example, an SVID signed by ``envoy.com``'s CA with a ``spiffe://foo.com/**``
 SAN would be rejected, since Envoy selects the trust bundle according to the presented SAN before validating the certificate.

 Note that the SPIFFE validator inherits and uses the following options from :ref:`CertificateValidationContext <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.CertificateValidationContext>`.

 - :ref:`allow_expired_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.allow_expired_certificate>` to allow expired certificates.
 - :ref:`match_typed_subject_alt_names <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>` to match the **URI** SAN of certificates. Unlike the default validator, the SPIFFE validator only matches the **URI** SAN (which corresponds to the SVID in SPIFFE terminology) and ignores other SAN types.
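The bundle-selection rule described above (pick the trust bundle from the trust domain in the presented URI SAN, then validate against that bundle only, ignoring non-URI SANs) is modelled in the following added example. It is not Envoy's or the generated class's own code: certificates and CAs are constructed stand-ins (a dict of SANs plus a label for the signing CA), and the functions `parse_spiffe_id`, `select_trust_bundle` and `validate` are assumptions introduced here so the selection logic can run without real X.509 parsing. Only the `trust_domains` form of the config is modelled; the `trust_bundles` map is not.

```python
"""Model of the trust-bundle selection attributed to Envoy's SPIFFE validator.

Added illustration, not Envoy code: a "cert" is a dict with its SANs and a
label naming the CA that signed it. A real deployment verifies the chain
against the selected bundle with a TLS library; only the *choice* of bundle
and the resulting accept/reject decision are modelled here.
"""
from urllib.parse import urlsplit

# Constructed config mirroring the YAML example: trust domain -> set of CA
# labels standing in for the certificates in that domain's PEM bundle.
TRUST_DOMAINS = {
    "foo.com": {"ca:foo.com"},      # stands in for foo.pem
    "envoy.com": {"ca:envoy.com"},  # stands in for envoy.pem
}


def parse_spiffe_id(uri):
    """Return (trust_domain, path) for a spiffe:// URI, else None.

    A SPIFFE ID carries no userinfo, port, query or fragment; a URI with
    any of those is not treated as a SPIFFE ID.
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() != "spiffe" or not parts.hostname:
        return None
    try:
        if parts.port is not None:
            return None
    except ValueError:  # malformed port component
        return None
    if parts.username or parts.password or parts.query or parts.fragment:
        return None
    return parts.hostname.lower(), parts.path


def select_trust_bundle(cert, trust_domains):
    """Pick the bundle for the trust domain named in the cert's URI SAN.

    Only URI SANs are considered, mirroring the note that the SPIFFE
    validator ignores DNS/IP/email SANs. Returns (trust_domain, bundle):
    trust_domain is None when no SPIFFE URI SAN is present, bundle is None
    when the domain is not configured.
    """
    for san_type, value in cert["sans"]:
        if san_type != "URI":
            continue
        parsed = parse_spiffe_id(value)
        if parsed is None:
            continue
        trust_domain, _path = parsed
        return trust_domain, trust_domains.get(trust_domain)
    return None, None


def validate(cert, trust_domains=TRUST_DOMAINS):
    """Return (ok, reason).

    The bundle is chosen from the SAN first and the signer is then checked
    against that bundle only, so a CA from another configured trust domain
    never validates this SVID.
    """
    trust_domain, bundle = select_trust_bundle(cert, trust_domains)
    if trust_domain is None:
        return False, "no SPIFFE URI SAN presented"
    if bundle is None:
        return False, "no trust bundle configured for " + trust_domain
    if cert["issuer_ca"] not in bundle:
        return False, "signer is not in the " + trust_domain + " bundle"
    return True, "validated against the " + trust_domain + " bundle"


# Constructed peer certificates (stand-ins, not real X.509 data).
GOOD = {"sans": [("URI", "spiffe://foo.com/backend")], "issuer_ca": "ca:foo.com"}
CROSS_DOMAIN = {"sans": [("URI", "spiffe://foo.com/backend")], "issuer_ca": "ca:envoy.com"}
UNKNOWN_DOMAIN = {"sans": [("URI", "spiffe://bar.com/svc")], "issuer_ca": "ca:foo.com"}
DNS_ONLY = {"sans": [("DNS", "foo.com")], "issuer_ca": "ca:foo.com"}

if __name__ == "__main__":
    for name, cert in [("good", GOOD), ("cross-domain", CROSS_DOMAIN),
                       ("unknown-domain", UNKNOWN_DOMAIN), ("dns-only", DNS_ONLY)]:
        print(name, validate(cert))
```

The `CROSS_DOMAIN` case is the one the description calls out: the SAN names `foo.com`, so only the `foo.com` bundle is consulted, and the `envoy.com` CA that signed it is not in that bundle, hence rejection. The `DNS_ONLY` case shows why a certificate without a URI SAN cannot pass this validator at all.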
 
Protobuf type envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig
  • Field Details

    • TRUST_DOMAINS_FIELD_NUMBER

      public static final int TRUST_DOMAINS_FIELD_NUMBER
    • TRUST_BUNDLES_FIELD_NUMBER

      public static final int TRUST_BUNDLES_FIELD_NUMBER
  • Method Details

    • newInstance

      protected Object newInstance(com.google.protobuf.GeneratedMessageV3.UnusedPrivateParameter unused)
      Overrides:
      newInstance in class com.google.protobuf.GeneratedMessageV3
    • getDescriptor

      public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()
    • internalGetFieldAccessorTable

      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
      Specified by:
      internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessageV3
    • getTrustDomainsList

      public List<SPIFFECertValidatorConfig.TrustDomain> getTrustDomainsList()
       This field specifies trust domains used for validating incoming X.509-SVID(s).
       
      repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
      Specified by:
      getTrustDomainsList in interface SPIFFECertValidatorConfigOrBuilder
    • getTrustDomainsOrBuilderList

      public List<? extends SPIFFECertValidatorConfig.TrustDomainOrBuilder> getTrustDomainsOrBuilderList()
       This field specifies trust domains used for validating incoming X.509-SVID(s).
       
      repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
      Specified by:
      getTrustDomainsOrBuilderList in interface SPIFFECertValidatorConfigOrBuilder
    • getTrustDomainsCount

      public int getTrustDomainsCount()
       This field specifies trust domains used for validating incoming X.509-SVID(s).
       
      repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
      Specified by:
      getTrustDomainsCount in interface SPIFFECertValidatorConfigOrBuilder
    • getTrustDomains

      public SPIFFECertValidatorConfig.TrustDomain getTrustDomains(int index)
       This field specifies trust domains used for validating incoming X.509-SVID(s).
       
      repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
      Specified by:
      getTrustDomains in interface SPIFFECertValidatorConfigOrBuilder
    • getTrustDomainsOrBuilder

      public SPIFFECertValidatorConfig.TrustDomainOrBuilder getTrustDomainsOrBuilder(int index)
       This field specifies trust domains used for validating incoming X.509-SVID(s).
       
      repeated .envoy.extensions.transport_sockets.tls.v3.SPIFFECertValidatorConfig.TrustDomain trust_domains = 1 [(.validate.rules) = { ... }
      Specified by:
      getTrustDomainsOrBuilder in interface SPIFFECertValidatorConfigOrBuilder
    • hasTrustBundles

      public boolean hasTrustBundles()
       This field specifies all trust bundles as a single DataSource. If both
       trust_bundles and trust_domains are specified, trust_bundles will
       take precedence. The file is currently assumed to be a SPIFFE Trust Bundle Map.
       If the DataSource is a file, dynamic file watching will be enabled,
       and updates to the specified file will trigger a refresh of the trust_bundles.
       
      .envoy.config.core.v3.DataSource trust_bundles = 2;
      Specified by:
      hasTrustBundles in interface SPIFFECertValidatorConfigOrBuilder
      Returns:
      Whether the trustBundles field is set.
    • getTrustBundles

      public DataSource getTrustBundles()
       This field specifies all trust bundles as a single DataSource. If both
       trust_bundles and trust_domains are specified, trust_bundles will
       take precedence. The file is currently assumed to be a SPIFFE Trust Bundle Map.
       If the DataSource is a file, dynamic file watching will be enabled,
       and updates to the specified file will trigger a refresh of the trust_bundles.
       
      .envoy.config.core.v3.DataSource trust_bundles = 2;
      Specified by:
      getTrustBundles in interface SPIFFECertValidatorConfigOrBuilder
      Returns:
      The trustBundles.
    • getTrustBundlesOrBuilder

      public DataSourceOrBuilder getTrustBundlesOrBuilder()
       This field specifies all trust bundles as a single DataSource. If both
       trust_bundles and trust_domains are specified, trust_bundles will
       take precedence. The file is currently assumed to be a SPIFFE Trust Bundle Map.
       If the DataSource is a file, dynamic file watching will be enabled,
       and updates to the specified file will trigger a refresh of the trust_bundles.
       
      .envoy.config.core.v3.DataSource trust_bundles = 2;
      Specified by:
      getTrustBundlesOrBuilder in interface SPIFFECertValidatorConfigOrBuilder
    • isInitialized

      public final boolean isInitialized()
      Specified by:
      isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
      Overrides:
      isInitialized in class com.google.protobuf.GeneratedMessageV3
    • writeTo

      public void writeTo(com.google.protobuf.CodedOutputStream output) throws IOException
      Specified by:
      writeTo in interface com.google.protobuf.MessageLite
      Overrides:
      writeTo in class com.google.protobuf.GeneratedMessageV3
      Throws:
      IOException
    • getSerializedSize

      public int getSerializedSize()
      Specified by:
      getSerializedSize in interface com.google.protobuf.MessageLite
      Overrides:
      getSerializedSize in class com.google.protobuf.GeneratedMessageV3
    • equals

      public boolean equals(Object obj)
      Specified by:
      equals in interface com.google.protobuf.Message
      Overrides:
      equals in class com.google.protobuf.AbstractMessage
    • hashCode

      public int hashCode()
      Specified by:
      hashCode in interface com.google.protobuf.Message
      Overrides:
      hashCode in class com.google.protobuf.AbstractMessage
    • parseFrom

      public static SPIFFECertValidatorConfig parseFrom(ByteBuffer data) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException
    • parseFrom

      public static SPIFFECertValidatorConfig parseFrom(ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException
    • parseFrom

      public static SPIFFECertValidatorConfig parseFrom(com.google.protobuf.ByteString data) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException
    • parseFrom

      public static SPIFFECertValidatorConfig parseFrom(com.google.protobuf.ByteString data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException
    • parseFrom

      public static SPIFFECertValidatorConfig parseFrom(byte[] data) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException
    • parseFrom

      public static SPIFFECertValidatorConfig parseFrom(byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException
    • parseFrom

      public static SPIFFECertValidatorConfig parseFrom(InputStream input) throws IOException
      Throws:
      IOException
    • parseFrom

      public static SPIFFECertValidatorConfig parseFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Throws:
      IOException
    • parseDelimitedFrom

      public static SPIFFECertValidatorConfig parseDelimitedFrom(InputStream input) throws IOException
      Throws:
      IOException
    • parseDelimitedFrom

      public static SPIFFECertValidatorConfig parseDelimitedFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Throws:
      IOException
    • parseFrom

      public static SPIFFECertValidatorConfig parseFrom(com.google.protobuf.CodedInputStream input) throws IOException
      Throws:
      IOException
    • parseFrom

      public static SPIFFECertValidatorConfig parseFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Throws:
      IOException
    • newBuilderForType

      public SPIFFECertValidatorConfig.Builder newBuilderForType()
      Specified by:
      newBuilderForType in interface com.google.protobuf.Message
      Specified by:
      newBuilderForType in interface com.google.protobuf.MessageLite
    • newBuilder

      public static SPIFFECertValidatorConfig.Builder newBuilder()
    • newBuilder

      public static SPIFFECertValidatorConfig.Builder newBuilder(SPIFFECertValidatorConfig prototype)
    • toBuilder

      Specified by:
      toBuilder in interface com.google.protobuf.Message
      Specified by:
      toBuilder in interface com.google.protobuf.MessageLite
    • newBuilderForType

      protected SPIFFECertValidatorConfig.Builder newBuilderForType(com.google.protobuf.GeneratedMessageV3.BuilderParent parent)
      Specified by:
      newBuilderForType in class com.google.protobuf.GeneratedMessageV3
    • getDefaultInstance

      public static SPIFFECertValidatorConfig getDefaultInstance()
    • parser

      public static com.google.protobuf.Parser<SPIFFECertValidatorConfig> parser()
    • getParserForType

      public com.google.protobuf.Parser<SPIFFECertValidatorConfig> getParserForType()
      Specified by:
      getParserForType in interface com.google.protobuf.Message
      Specified by:
      getParserForType in interface com.google.protobuf.MessageLite
      Overrides:
      getParserForType in class com.google.protobuf.GeneratedMessageV3
    • getDefaultInstanceForType

      public SPIFFECertValidatorConfig getDefaultInstanceForType()
      Specified by:
      getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
      Specified by:
      getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder