Interface WorkloadApiClient

All Superinterfaces:
AutoCloseable, Closeable
All Known Implementing Classes:
DefaultWorkloadApiClient
public interface WorkloadApiClient extends Closeable
Represents a client to interact with the Workload API.

Supports one-shot calls and watch updates for X.509 and JWT SVIDs and bundles.

  • Method Details

    • fetchX509Context

      X509Context fetchX509Context() throws X509ContextException
      Fetches an X.509 context on a one-shot blocking call.
      Returns:
      an instance of a X509Context containing the X.509 materials fetched from the Workload API
      Throws:
      X509ContextException - if there is an error fetching or processing the X.509 context

    • watchX509Context

      void watchX509Context(@NonNull @NonNull Watcher<X509Context> watcher)
      Watches for X.509 context updates.

      A new Stream to the Workload API is opened for each call to this method, so that the client starts getting updates immediately after the Stream is ready and doesn't have to wait until the Workload API dispatches the next update based on the SVIDs TTL.

      Parameters:
      watcher - an instance that implements a Watcher.

    • fetchX509Bundles

      X509BundleSet fetchX509Bundles() throws X509BundleException
      Fetches the X.509 bundles on a one-shot blocking call.
      Returns:
      an instance of a X509BundleSet containing the X.509 bundles keyed by TrustDomain
      Throws:
      X509BundleException - if there is an error fetching or processing the X.509 bundles

    • watchX509Bundles

      void watchX509Bundles(@NonNull @NonNull Watcher<X509BundleSet> watcher)
      Watches for X.509 bundles updates.

      A new Stream to the Workload API is opened for each call to this method, so that the client starts getting updates immediately after the Stream is ready and doesn't have to wait until the Workload API dispatches the next update.

      Parameters:
      watcher - an instance that implements a Watcher for X509BundleSet.

    • fetchJwtSvid

      JwtSvid fetchJwtSvid(@NonNull @NonNull String audience, String... extraAudience) throws JwtSvidException
      Fetches a SPIFFE JWT-SVID on one-shot blocking call.
      Parameters:
      audience - the audience of the JWT-SVID
      extraAudience - the extra audience for the JWT_SVID
      Returns:
      an instance of a JwtSvid
      Throws:
      JwtSvidException - if there is an error fetching or processing the JWT from the Workload API

    • fetchJwtSvid

      JwtSvid fetchJwtSvid(@NonNull @NonNull SpiffeId subject, @NonNull @NonNull String audience, String... extraAudience) throws JwtSvidException
      Fetches a SPIFFE JWT-SVID on one-shot blocking call.
      Parameters:
      subject - a SPIFFE ID
      audience - the audience of the JWT-SVID
      extraAudience - the extra audience for the JWT_SVID
      Returns:
      an instance of a JwtSvid
      Throws:
      JwtSvidException - if there is an error fetching or processing the JWT from the Workload API

    • fetchJwtSvids

      List<JwtSvid> fetchJwtSvids(@NonNull @NonNull String audience, String... extraAudience) throws JwtSvidException
      Fetches all SPIFFE JWT-SVIDs on one-shot blocking call.
      Parameters:
      audience - the audience of the JWT-SVID
      extraAudience - the extra audience for the JWT_SVID
      Returns:
      all of JwtSvid object
      Throws:
      JwtSvidException - if there is an error fetching or processing the JWT from the Workload API

    • fetchJwtSvids

      List<JwtSvid> fetchJwtSvids(@NonNull @NonNull SpiffeId subject, @NonNull @NonNull String audience, String... extraAudience) throws JwtSvidException
      Fetches a SPIFFE JWT-SVID on one-shot blocking call.
      Parameters:
      subject - a SPIFFE ID
      audience - the audience of the JWT-SVID
      extraAudience - the extra audience for the JWT_SVID
      Returns:
      all of JwtSvid objectÏ
      Throws:
      JwtSvidException - if there is an error fetching or processing the JWT from the Workload API

    • fetchJwtBundles

      JwtBundleSet fetchJwtBundles() throws JwtBundleException
      Fetches the JWT bundles for JWT-SVID validation, keyed by trust domain.
      Returns:
      an instance of a JwtBundleSet
      Throws:
      JwtBundleException - when there is an error getting or processing the response from the Workload API

    • validateJwtSvid

      JwtSvid validateJwtSvid(@NonNull @NonNull String token, @NonNull @NonNull String audience) throws JwtSvidException
      Validates the JWT-SVID token. The parsed and validated JWT-SVID is returned.
      Parameters:
      token - JWT token
      audience - audience of the JWT
      Returns:
      a JwtSvid if the token and audience could be validated.
      Throws:
      JwtSvidException - when the token cannot be validated with the audience

    • watchJwtBundles

      void watchJwtBundles(@NonNull @NonNull Watcher<JwtBundleSet> watcher)
      Watches for JWT bundles updates.

      A new Stream to the Workload API is opened for each call to this method, so that the client starts getting updates immediately after the Stream is ready and doesn't have to wait until the Workload API dispatches the next update based on the SVIDs TTL.

      Parameters:
      watcher - receives the update for JwtBundles.