Class DefaultJwtSource

java.lang.Object
io.spiffe.workloadapi.DefaultJwtSource
All Implemented Interfaces:
BundleSource<JwtBundle>, JwtSvidSource, JwtSource, Closeable, AutoCloseable

public class DefaultJwtSource extends Object implements JwtSource
Represents a source of SPIFFE JWT SVIDs and JWT bundles maintained via the Workload API.
  • Method Details

    • newSource

      public static JwtSource newSource() throws JwtSourceException, SocketEndpointAddressException
      Creates a new JWT source. It blocks until the initial update with the JWT bundles has been received from the Workload API or until the timeout configured through the system property `spiffe.newJwtSource.timeout` expires. If no timeout is configured, it blocks until it gets a JWT update from the Workload API.

      It reads the default socket endpoint address of the Workload API from the environment variable.

      Returns:
      an instance of DefaultJwtSource, with the JWT bundles initialized
      Throws:
      SocketEndpointAddressException - if the address to the Workload API is not valid
      JwtSourceException - if the source could not be initialized
    • newSource

      public static JwtSource newSource(@NonNull JwtSourceOptions options) throws SocketEndpointAddressException, JwtSourceException
      Creates a new JWT source. It blocks until the initial update with the JWT bundles has been received from the Workload API, retrying with an exponential backoff policy, or until the initTimeout has expired.

      If the timeout is not provided in the options, the default timeout is read from the system property `spiffe.newJwtSource.timeout`. If none is configured, this method will block until the JWT bundles can be retrieved from the Workload API.

      The WorkloadApiClient can be provided in the options; if it is not, a new client is created.

      Parameters:
      options - JwtSourceOptions
      Returns:
      an instance of DefaultJwtSource, with the JWT bundles initialized
      Throws:
      SocketEndpointAddressException - if the address to the Workload API is not valid
      JwtSourceException - if the source could not be initialized
    • fetchJwtSvid

      public JwtSvid fetchJwtSvid(String audience, String... extraAudiences) throws JwtSvidException
      Description copied from interface: JwtSvidSource
      Fetches a JWT-SVID from the source with the given audiences.
      Specified by:
      fetchJwtSvid in interface JwtSvidSource
      Parameters:
      audience - the audience
      extraAudiences - a list of extra audiences as an array of String
      Returns:
      a JwtSvid
      Throws:
      JwtSvidException - when there is an error fetching the JWT SVID
    • fetchJwtSvid

      public JwtSvid fetchJwtSvid(SpiffeId subject, String audience, String... extraAudiences) throws JwtSvidException
      Fetches a new JWT SVID from the Workload API for the given subject SPIFFE ID and audiences.
      Specified by:
      fetchJwtSvid in interface JwtSvidSource
      Parameters:
      subject - a SpiffeId
      audience - the audience
      extraAudiences - a list of extra audiences as an array of String
      Returns:
      a JwtSvid
      Throws:
      IllegalStateException - if the source is closed
      JwtSvidException - when there is an error fetching the JWT SVID
    • fetchJwtSvids

      public List<JwtSvid> fetchJwtSvids(String audience, String... extraAudiences) throws JwtSvidException
      Description copied from interface: JwtSvidSource
      Fetches all SPIFFE JWT-SVIDs in a one-shot blocking call.
      Specified by:
      fetchJwtSvids in interface JwtSvidSource
      Parameters:
      audience - the audience of the JWT-SVID
      extraAudiences - the extra audiences for the JWT-SVID
      Returns:
      all JwtSvid objects
      Throws:
      JwtSvidException - if there is an error fetching or processing the JWT from the Workload API
    • fetchJwtSvids

      public List<JwtSvid> fetchJwtSvids(SpiffeId subject, String audience, String... extraAudiences) throws JwtSvidException
      Fetches all new JWT SVIDs from the Workload API for the given subject SPIFFE ID and audiences.
      Specified by:
      fetchJwtSvids in interface JwtSvidSource
      Parameters:
      subject - a SPIFFE ID
      audience - the audience of the JWT-SVID
      extraAudiences - the extra audiences for the JWT-SVID
      Returns:
      all JwtSvids
      Throws:
      IllegalStateException - if the source is closed
      JwtSvidException - if there is an error fetching or processing the JWT from the Workload API
    • getBundleForTrustDomain

      public JwtBundle getBundleForTrustDomain(@NonNull TrustDomain trustDomain) throws BundleNotFoundException
      Returns the JWT bundle for a given trust domain.
      Specified by:
      getBundleForTrustDomain in interface BundleSource<JwtBundle>
      Parameters:
      trustDomain - an instance of a TrustDomain
      Returns:
      an instance of a JwtBundle
      Throws:
      BundleNotFoundException - if there is no bundle for the trust domain provided
      IllegalStateException - if the source is closed
    • close

      public void close()
      Closes this source, dropping the connection to the Workload API. Other source methods will return an error after close has been called.

      It is marked with SneakyThrows because it is not expected to throw the checked exception defined on the Closeable interface.

      Specified by:
      close in interface AutoCloseable
      Specified by:
      close in interface Closeable
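
The following is an added usage example, not part of the original Javadoc or the project's own code. It bounds the blocking behaviour of newSource with an init timeout, fetches a JWT-SVID scoped to a single audience, validates it against the bundles held by the source, and relies on close() to drop the Workload API connection. Assumptions: the audience value is hypothetical, JwtSourceOptions is taken to be a nested class of DefaultJwtSource with a builder exposing initTimeout, and JwtSvid.parseAndValidate is taken to accept a BundleSource<JwtBundle>; check both against the java-spiffe version in use.

```java
import io.spiffe.bundle.jwtbundle.JwtBundle;
import io.spiffe.spiffeid.TrustDomain;
import io.spiffe.svid.jwtsvid.JwtSvid;
import io.spiffe.workloadapi.DefaultJwtSource;
import io.spiffe.workloadapi.JwtSource;

import java.time.Duration;
import java.util.Collections;

public class JwtSourceExample {

    // Hypothetical audience: the identity of the service that will accept the token.
    private static final String AUDIENCE = "spiffe://example.org/backend";

    public static void main(String[] args) throws Exception {
        // Bound the initial wait. Without a timeout (here or in the system property
        // spiffe.newJwtSource.timeout) newSource blocks until the Workload API
        // delivers the first JWT bundle update, which can hang startup indefinitely.
        DefaultJwtSource.JwtSourceOptions options = DefaultJwtSource.JwtSourceOptions.builder()
                .initTimeout(Duration.ofSeconds(30))
                .build();

        // try-with-resources calls close(), dropping the Workload API connection.
        try (JwtSource source = DefaultJwtSource.newSource(options)) {

            // Caller side: request a token for exactly one audience so it cannot
            // be replayed against a different service.
            JwtSvid svid = source.fetchJwtSvid(AUDIENCE);
            String token = svid.getToken();

            // Receiver side: check signature, expiry and audience against the
            // JWT bundles the source keeps up to date.
            JwtSvid verified = JwtSvid.parseAndValidate(
                    token, source, Collections.singleton(AUDIENCE));
            System.out.println("subject: " + verified.getSpiffeId());
            System.out.println("expires: " + verified.getExpiry());

            // Bundle lookup for the subject's trust domain; throws
            // BundleNotFoundException if the source holds no bundle for it.
            TrustDomain trustDomain = verified.getSpiffeId().getTrustDomain();
            JwtBundle bundle = source.getBundleForTrustDomain(trustDomain);
            System.out.println("bundle trust domain: " + bundle.getTrustDomain());
        }
        // After close(), source methods fail (IllegalStateException is documented above).
    }
}
```

In a real deployment the caller and the receiver are different workloads; they share one process here only so the example shows both directions.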