Class DefaultWorkloadApiClient
All Implemented Interfaces: WorkloadApiClient, Closeable, AutoCloseable
Supports one-shot calls and watch updates for X.509 and JWT SVIDs and bundles.
The watch methods retry with an exponential backoff policy to re-establish the stream connection to the Workload API.
-
Nested Class Summary
Nested Classes (Modifier and Type, Class, Description):
- static class DefaultWorkloadApiClient.ClientOptions: Options for creating a new DefaultWorkloadApiClient.
-
Method Summary
Methods (Modifier and Type, Method, Description):
- void close(): Closes this Workload API client, closing the underlying channel, cancelling the contexts and shutting down the executor service.
- JwtBundleSet fetchJwtBundles(): Fetches the JWT bundles for JWT-SVID validation, keyed by trust domain.
- JwtSvid fetchJwtSvid(@NonNull SpiffeId subject, @NonNull String audience, String... extraAudience): Fetches a SPIFFE JWT-SVID on a one-shot blocking call.
- JwtSvid fetchJwtSvid(@NonNull String audience, String... extraAudience): Fetches a SPIFFE JWT-SVID on a one-shot blocking call.
- List<JwtSvid> fetchJwtSvids(@NonNull SpiffeId subject, @NonNull String audience, String... extraAudience): Fetches a SPIFFE JWT-SVID on a one-shot blocking call.
- List<JwtSvid> fetchJwtSvids(@NonNull String audience, String... extraAudience): Fetches all SPIFFE JWT-SVIDs on a one-shot blocking call.
- X509BundleSet fetchX509Bundles(): Fetches the X.509 bundles on a one-shot blocking call.
- X509Context fetchX509Context(): Fetches an X.509 context on a one-shot blocking call.
- static WorkloadApiClient newClient(): Creates a new Workload API client using the default socket endpoint address.
- static WorkloadApiClient newClient(@NonNull DefaultWorkloadApiClient.ClientOptions options): Creates a new Workload API client configured with the given client options.
- JwtSvid validateJwtSvid(@NonNull String token, @NonNull String audience): Validates the JWT-SVID token.
- void watchJwtBundles(@NonNull Watcher<JwtBundleSet> watcher): Watches for JWT bundles updates.
- void watchX509Bundles(@NonNull Watcher<X509BundleSet> watcher): Watches for X.509 bundles updates.
- void watchX509Context(@NonNull Watcher<X509Context> watcher): Watches for X.509 context updates.
-
Method Details
-
newClient
Creates a new Workload API client using the default socket endpoint address.
See Address.getDefaultAddress().
- Returns: a WorkloadApiClient; the concrete type of the instance is DefaultWorkloadApiClient
- Throws: SocketEndpointAddressException - if the Workload API socket endpoint address is not valid
-
newClient
public static WorkloadApiClient newClient(@NonNull DefaultWorkloadApiClient.ClientOptions options) throws SocketEndpointAddressException
Creates a new Workload API client configured with the given client options.
If the SPIFFE socket endpoint address is not provided in the options, it uses the default address.
See Address.getDefaultAddress().
- Parameters: options - DefaultWorkloadApiClient.ClientOptions
- Returns: a WorkloadApiClient; the concrete type of the instance is DefaultWorkloadApiClient
- Throws: SocketEndpointAddressException - if the Workload API socket endpoint address is not valid
-
fetchX509Context
Fetches an X.509 context on a one-shot blocking call.
- Specified by: fetchX509Context in interface WorkloadApiClient
- Returns: an instance of an X509Context containing the X.509 materials fetched from the Workload API
- Throws: X509ContextException - if there is an error fetching or processing the X.509 context
-
watchX509Context
Watches for X.509 context updates.
A new Stream to the Workload API is opened for each call to this method, so that the client starts getting updates immediately after the Stream is ready and doesn't have to wait until the Workload API dispatches the next update based on the SVIDs' TTL.
- Specified by: watchX509Context in interface WorkloadApiClient
- Parameters: watcher - an instance that implements a Watcher.
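
The watch described above, used to keep a rotating X.509 identity current. This is an added example, not code from the java-spiffe project; the package names, the Watcher callbacks onUpdate/onError and the accessors getDefaultSvid()/getSpiffeId() are not shown on this page and are assumed from the library's API, and the 30-second startup timeout is an arbitrary choice.

```java
import io.spiffe.workloadapi.DefaultWorkloadApiClient;
import io.spiffe.workloadapi.Watcher;
import io.spiffe.workloadapi.WorkloadApiClient;
import io.spiffe.workloadapi.X509Context;

import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;

public class X509ContextWatchExample {
    // Latest context; TLS code reads this on each handshake instead of caching key material.
    private static final AtomicReference<X509Context> CURRENT = new AtomicReference<>();

    public static void main(String[] args) throws Exception {
        CountDownLatch firstUpdate = new CountDownLatch(1);

        // try-with-resources guarantees close(), which tears down the channel and the stream.
        try (WorkloadApiClient client = DefaultWorkloadApiClient.newClient()) {
            client.watchX509Context(new Watcher<X509Context>() { // assumed callback names
                @Override
                public void onUpdate(X509Context update) {
                    // Swap atomically so readers never see a half-updated SVID/bundle pair.
                    CURRENT.set(update);
                    System.out.println("X.509 SVID for " + update.getDefaultSvid().getSpiffeId());
                    firstUpdate.countDown();
                }

                @Override
                public void onError(Throwable e) {
                    // Keep the last good context; it remains valid until its certificates expire.
                    System.err.println("Workload API watch error: " + e.getMessage());
                }
            });

            // Fail closed: do not start serving traffic without an identity.
            if (!firstUpdate.await(30, TimeUnit.SECONDS)) {
                throw new IllegalStateException("no X.509 context received from the Workload API");
            }

            // Stand-in for the application's lifetime; real code would serve requests here.
            Thread.sleep(TimeUnit.MINUTES.toMillis(5));
        }
    }
}
```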
-
fetchX509Bundles
Fetches the X.509 bundles on a one-shot blocking call.
- Specified by: fetchX509Bundles in interface WorkloadApiClient
- Returns: an instance of an X509BundleSet containing the X.509 bundles keyed by TrustDomain
- Throws: X509BundleException - if there is an error fetching or processing the X.509 bundles
-
watchX509Bundles
Watches for X.509 bundles updates.
A new Stream to the Workload API is opened for each call to this method, so that the client starts getting updates immediately after the Stream is ready and doesn't have to wait until the Workload API dispatches the next update.
- Specified by: watchX509Bundles in interface WorkloadApiClient
- Parameters: watcher - an instance that implements a Watcher for X509BundleSet.
-
fetchJwtSvid
public JwtSvid fetchJwtSvid(@NonNull String audience, String... extraAudience) throws JwtSvidException
Fetches a SPIFFE JWT-SVID on a one-shot blocking call.
- Specified by: fetchJwtSvid in interface WorkloadApiClient
- Parameters: audience - the audience of the JWT-SVID; extraAudience - the extra audience for the JWT-SVID
- Returns: an instance of a JwtSvid
- Throws: JwtSvidException - if there is an error fetching or processing the JWT from the Workload API
-
fetchJwtSvid
public JwtSvid fetchJwtSvid(@NonNull SpiffeId subject, @NonNull String audience, String... extraAudience) throws JwtSvidException
Fetches a SPIFFE JWT-SVID on a one-shot blocking call.
- Specified by: fetchJwtSvid in interface WorkloadApiClient
- Parameters: subject - a SPIFFE ID; audience - the audience of the JWT-SVID; extraAudience - the extra audience for the JWT-SVID
- Returns: an instance of a JwtSvid
- Throws: JwtSvidException - if there is an error fetching or processing the JWT from the Workload API
-
fetchJwtSvids
public List<JwtSvid> fetchJwtSvids(@NonNull String audience, String... extraAudience) throws JwtSvidException
Fetches all SPIFFE JWT-SVIDs on a one-shot blocking call.
- Specified by: fetchJwtSvids in interface WorkloadApiClient
- Parameters: audience - the audience of the JWT-SVID; extraAudience - the extra audience for the JWT-SVID
- Returns: all of the JwtSvid objects
- Throws: JwtSvidException - if there is an error fetching or processing the JWT from the Workload API
-
fetchJwtSvids
public List<JwtSvid> fetchJwtSvids(@NonNull SpiffeId subject, @NonNull String audience, String... extraAudience) throws JwtSvidException
Fetches a SPIFFE JWT-SVID on a one-shot blocking call.
- Specified by: fetchJwtSvids in interface WorkloadApiClient
- Parameters: subject - a SPIFFE ID; audience - the audience of the JWT-SVID; extraAudience - the extra audience for the JWT-SVID
- Returns:
- Throws: JwtSvidException - if there is an error fetching or processing the JWT from the Workload API
-
fetchJwtBundles
Fetches the JWT bundles for JWT-SVID validation, keyed by trust domain.
- Specified by: fetchJwtBundles in interface WorkloadApiClient
- Returns: an instance of a JwtBundleSet
- Throws: JwtBundleException - when there is an error getting or processing the response from the Workload API
-
validateJwtSvid
public JwtSvid validateJwtSvid(@NonNull String token, @NonNull String audience) throws JwtSvidException
Validates the JWT-SVID token. The parsed and validated JWT-SVID is returned.
- Specified by: validateJwtSvid in interface WorkloadApiClient
- Parameters: token - JWT token; audience - audience of the JWT
- Returns: a JwtSvid if the token and audience could be validated.
- Throws: JwtSvidException - when the token cannot be validated with the audience
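
How fetchJwtSvid and validateJwtSvid fit together, with the audience check and a caller allow-list on the receiving side. This is an added example, not code from the java-spiffe project; the package names, the ClientOptions builder with spiffeSocketPath, SpiffeId.parse and the getToken()/getSpiffeId() accessors are not shown on this page and are assumed from the library's API, and the socket path, audiences and SPIFFE IDs are constructed values.

```java
import io.spiffe.exception.JwtSvidException;
import io.spiffe.spiffeid.SpiffeId;
import io.spiffe.svid.jwtsvid.JwtSvid;
import io.spiffe.workloadapi.DefaultWorkloadApiClient;
import io.spiffe.workloadapi.WorkloadApiClient;

import java.util.Collections;
import java.util.Set;

public class JwtSvidAudienceExample {
    // Constructed values for illustration only.
    static final String AUDIENCE = "spiffe://example.org/backend";
    static final String OTHER_AUDIENCE = "spiffe://example.org/other-service";

    public static void main(String[] args) throws Exception {
        Set<SpiffeId> allowedCallers =
                Collections.singleton(SpiffeId.parse("spiffe://example.org/frontend"));

        // Explicit socket path (assumed builder API); omit it to use the default address.
        DefaultWorkloadApiClient.ClientOptions options = DefaultWorkloadApiClient.ClientOptions.builder()
                .spiffeSocketPath("unix:/tmp/spire-agent/public/api.sock")
                .build();

        try (WorkloadApiClient client = DefaultWorkloadApiClient.newClient(options)) {
            // Caller side: request a token scoped to exactly one audience.
            String token = client.fetchJwtSvid(AUDIENCE).getToken();

            // Receiver side (normally another process): validate against its own audience,
            // then authorize the caller. A valid token proves identity, not permission.
            JwtSvid svid = client.validateJwtSvid(token, AUDIENCE);
            if (!allowedCallers.contains(svid.getSpiffeId())) {
                throw new SecurityException("caller not authorized: " + svid.getSpiffeId());
            }
            System.out.println("accepted caller " + svid.getSpiffeId());

            // The same token presented to a service with a different audience must fail.
            try {
                client.validateJwtSvid(token, OTHER_AUDIENCE);
                throw new IllegalStateException("token accepted for the wrong audience");
            } catch (JwtSvidException expected) {
                System.out.println("rejected for other audience: " + expected.getMessage());
            }
        }
    }
}
```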
-
watchJwtBundles
Watches for JWT bundles updates.
A new Stream to the Workload API is opened for each call to this method, so that the client starts getting updates immediately after the Stream is ready and doesn't have to wait until the Workload API dispatches the next update based on the SVIDs' TTL.
- Specified by: watchJwtBundles in interface WorkloadApiClient
- Parameters: watcher - receives the updates for JwtBundles.
-
close
public void close()
Closes this Workload API client, closing the underlying channel, cancelling the contexts and shutting down the executor service.
- Specified by: close in interface AutoCloseable
- Specified by: close in interface Closeable
-