Class CachedJwtSource

java.lang.Object
io.spiffe.workloadapi.CachedJwtSource
All Implemented Interfaces:
BundleSource<JwtBundle>, JwtSvidSource, JwtSource, Closeable, AutoCloseable

public class CachedJwtSource extends Object implements JwtSource
Represents a source of SPIFFE JWT SVIDs and JWT bundles maintained via the Workload API. The JWT SVIDs are cached, and the fetchJwtSvid methods return from the cache as long as the cached JWT SVID still has at least half of its lifetime remaining.
  • Method Details

    • newSource

      public static JwtSource newSource() throws JwtSourceException, SocketEndpointAddressException
      Creates a new cached JWT source. It blocks until the initial update with the JWT bundles has been received from the Workload API, or until the timeout configured through the system property `spiffe.newJwtSource.timeout` expires. If no timeout is configured, it blocks until it gets a JWT update from the Workload API.

      It reads the Workload API address from the default socket endpoint environment variable.

      Returns:
      an instance of CachedJwtSource, with the JWT bundles initialized
      Throws:
      SocketEndpointAddressException - if the address to the Workload API is not valid
      JwtSourceException - if the source could not be initialized
    • newSource

      public static JwtSource newSource(@NonNull JwtSourceOptions options) throws SocketEndpointAddressException, JwtSourceException
      Creates a new JWT source. It blocks until the initial update with the JWT bundles has been received from the Workload API, retrying with an exponential backoff policy, or until the initTimeout has expired.

      If the timeout is not provided in the options, the default timeout is read from the system property `spiffe.newJwtSource.timeout`. If none is configured, this method blocks until the JWT bundles can be retrieved from the Workload API.

      The WorkloadApiClient can be provided in the options; if it is not, a new client is created.

      Parameters:
      options - JwtSourceOptions
      Returns:
      an instance of CachedJwtSource, with the JWT bundles initialized
      Throws:
      SocketEndpointAddressException - if the address to the Workload API is not valid
      JwtSourceException - if the source could not be initialized
    • fetchJwtSvid

      public JwtSvid fetchJwtSvid(String audience, String... extraAudiences) throws JwtSvidException
      Fetches a JWT SVID for the given audiences. The JWT SVID is cached and returned from the cache if it still has at least half of its lifetime.
      Specified by:
      fetchJwtSvid in interface JwtSvidSource
      Parameters:
      audience - the audience
      extraAudiences - a list of extra audiences as an array of String
      Returns:
      a JwtSvid
      Throws:
      JwtSvidException
    • fetchJwtSvid

      public JwtSvid fetchJwtSvid(SpiffeId subject, String audience, String... extraAudiences) throws JwtSvidException
      Fetches a JWT SVID for the given subject and audience. The JWT SVID is cached and returned from the cache if it still has at least half of its lifetime.
      Specified by:
      fetchJwtSvid in interface JwtSvidSource
      Parameters:
      subject - a SpiffeId
      audience - the audience
      extraAudiences - a list of extra audiences as an array of String
      Returns:
      a JwtSvid
      Throws:
      IllegalStateException - if the source is closed
      JwtSvidException - when there is an error fetching the JWT SVID
    • fetchJwtSvids

      public List<JwtSvid> fetchJwtSvids(String audience, String... extraAudiences) throws JwtSvidException
      Fetches a list of JWT SVIDs for the given audience. The JWT SVIDs are cached and returned from the cache if they still have at least half of their lifetime.
      Specified by:
      fetchJwtSvids in interface JwtSvidSource
      Parameters:
      audience - the audience of the JWT-SVID
      extraAudiences - the extra audiences for the JWT-SVID
      Returns:
      a list of JwtSvids
      Throws:
      IllegalStateException - if the source is closed
      JwtSvidException - if there is an error fetching or processing the JWT from the Workload API
    • fetchJwtSvids

      public List<JwtSvid> fetchJwtSvids(SpiffeId subject, String audience, String... extraAudiences) throws JwtSvidException
      Fetches a list of JWT SVIDs for the given subject and audience. The JWT SVIDs are cached and returned from the cache if they still have at least half of their lifetime.
      Specified by:
      fetchJwtSvids in interface JwtSvidSource
      Parameters:
      subject - a SPIFFE ID
      audience - the audience of the JWT-SVID
      extraAudiences - the extra audiences for the JWT-SVID
      Returns:
      a list of JwtSvids
      Throws:
      IllegalStateException - if the source is closed
      JwtSvidException - if there is an error fetching or processing the JWT from the Workload API
    • getBundleForTrustDomain

      public JwtBundle getBundleForTrustDomain(@NonNull TrustDomain trustDomain) throws BundleNotFoundException
      Returns the JWT bundle for a given trust domain.
      Specified by:
      getBundleForTrustDomain in interface BundleSource<JwtBundle>
      Parameters:
      trustDomain - an instance of a TrustDomain
      Returns:
      an instance of a JwtBundle
      Throws:
      BundleNotFoundException - if there is no bundle for the trust domain provided
      IllegalStateException - if the source is closed
    • close

      public void close()
      Closes this source, dropping the connection to the Workload API. Other source methods will return an error after close has been called.

      It is marked with SneakyThrows because it is not expected to throw the checked exception defined on the Closeable interface.

      Specified by:
      close in interface AutoCloseable
      Specified by:
      close in interface Closeable
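
Worked example of the lifecycle documented above: bounded start-up through JwtSourceOptions, a cached fetchJwtSvid call, validation of a token presented by a caller against the bundles this source holds (it is a BundleSource<JwtBundle>), a direct getBundleForTrustDomain lookup, and the IllegalStateException raised after close(). This is an added illustration, not code from the java-spiffe project. It assumes a Lombok-style JwtSourceOptions.builder() with spiffeSocketPath and initTimeout, a static JwtSvid.parseAndValidate(token, bundleSource, audience) method, the getToken/getSpiffeId/getTrustDomain accessors, and TrustDomain.parse; the socket path and audience are constructed sample values.

```java
import io.spiffe.bundle.jwtbundle.JwtBundle;
import io.spiffe.exception.JwtSvidException;
import io.spiffe.spiffeid.TrustDomain;
import io.spiffe.svid.jwtsvid.JwtSvid;
import io.spiffe.workloadapi.CachedJwtSource;
import io.spiffe.workloadapi.JwtSource;
import io.spiffe.workloadapi.JwtSourceOptions;

import java.time.Duration;
import java.util.Collections;
import java.util.Set;

public class CachedJwtSourceExample {

    // Constructed sample audience: the service the token will be presented to.
    static final String AUDIENCE = "payments-api";

    public static void main(String[] args) throws Exception {
        // Assumed builder on JwtSourceOptions (spiffeSocketPath, initTimeout).
        // A bounded initTimeout keeps start-up from blocking indefinitely when the
        // Workload API is unreachable, which the no-argument newSource() does unless
        // the spiffe.newJwtSource.timeout system property is set.
        JwtSourceOptions options = JwtSourceOptions.builder()
                .spiffeSocketPath("unix:/tmp/agent.sock")   // constructed sample path
                .initTimeout(Duration.ofSeconds(15))
                .build();

        JwtSource source = CachedJwtSource.newSource(options);
        try {
            JwtSvid first = fetchForAudience(source);
            JwtSvid second = fetchForAudience(source);
            // The second call is served from the cache while the SVID still has at
            // least half of its lifetime, so the same token comes back.
            System.out.println("cache hit: " + first.getToken().equals(second.getToken()));

            // Receiving side: verify a presented token against the JWT bundles held by
            // this source, requiring our own audience so a token minted for a different
            // service is rejected rather than accepted on signature alone.
            JwtSvid verified = validatePresentedToken(first.getToken(), source);
            System.out.println("caller SPIFFE ID: " + verified.getSpiffeId());

            // Direct bundle lookup; an unknown trust domain raises BundleNotFoundException
            // instead of returning an empty bundle.
            JwtBundle bundle = source.getBundleForTrustDomain(TrustDomain.parse("example.org"));
            System.out.println("bundle trust domain: " + bundle.getTrustDomain());
        } finally {
            source.close();   // drops the Workload API connection
        }

        // After close() the other source methods fail fast with IllegalStateException.
        try {
            source.fetchJwtSvid(AUDIENCE);
        } catch (IllegalStateException e) {
            System.out.println("source is closed: " + e.getMessage());
        }
    }

    /** Fetches the JWT-SVID for the service's audience, from the cache when possible. */
    static JwtSvid fetchForAudience(JwtSource source) throws JwtSvidException {
        return source.fetchJwtSvid(AUDIENCE);
    }

    /**
     * Verifies a token presented by a caller. JwtSvid.parseAndValidate is assumed to
     * check the signature against the bundle for the token's trust domain and to reject
     * tokens whose audience claim does not include the required audience. Declared as
     * throwing Exception because the library's exact checked-exception list is assumed.
     */
    static JwtSvid validatePresentedToken(String token, JwtSource source) throws Exception {
        Set<String> requiredAudience = Collections.singleton(AUDIENCE);
        return JwtSvid.parseAndValidate(token, source, requiredAudience);
    }
}
```

The same source object serves both roles here: the workload fetches its own JWT-SVID to present to a peer, and, because CachedJwtSource implements BundleSource<JwtBundle>, it also supplies the trust-domain bundles needed to verify JWT-SVIDs presented by others. Pinning the audience on the verification side is the check that keeps a token issued for one service from being replayed against another.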