feat: add Identity client

Author: markgoddard

pkg/connect/client/clientset.go

@@ -10,6 +10,7 @@ import (
 	clusterv1alpha1 "github.com/cofide/cofide-api-sdk/pkg/connect/client/cluster/v1alpha1"
 	datastorev1alpha1 "github.com/cofide/cofide-api-sdk/pkg/connect/client/datastore/v1alpha1"
 	federationV1Alpha1 "github.com/cofide/cofide-api-sdk/pkg/connect/client/federation/v1alpha1"
+	identityv1alpha1 "github.com/cofide/cofide-api-sdk/pkg/connect/client/identity/v1alpha1"
 	trustzonev1alpha1 "github.com/cofide/cofide-api-sdk/pkg/connect/client/trustzone/v1alpha1"
 	workloadv1alpha1 "github.com/cofide/cofide-api-sdk/pkg/connect/client/workload/v1alpha1"
 
@@ -27,6 +28,7 @@ type ClientSet interface {
 	FederationV1Alpha1() federationV1Alpha1.FederationClient
 	DataStoreV1Alpha1() datastorev1alpha1.DataStoreClient
 	WorkloadV1Alpha1() workloadv1alpha1.WorkloadClient
+	IdentityV1Alpha1() identityv1alpha1.IdentityClient
 }
 
 type clientSet struct {
@@ -38,6 +40,7 @@ type clientSet struct {
 	federationV1Alpha1        federationV1Alpha1.FederationClient
 	datastoreV1Alpha1         datastorev1alpha1.DataStoreClient
 	workloadV1Alpha1          workloadv1alpha1.WorkloadClient
+	identityV1Alpha1          identityv1alpha1.IdentityClient
 }
 
 // New instantiates a new ClientSet for communication with a Connect API.
@@ -51,6 +54,7 @@ func New(conn grpc.ClientConnInterface) ClientSet {
 		federationV1Alpha1:        federationV1Alpha1.New(conn),
 		datastoreV1Alpha1:         datastorev1alpha1.New(conn),
 		workloadV1Alpha1:          workloadv1alpha1.New(conn),
+		identityV1Alpha1:          identityv1alpha1.New(conn),
 	}
 }
 
@@ -85,3 +89,7 @@ func (c *clientSet) DataStoreV1Alpha1() datastorev1alpha1.DataStoreClient {
 func (c *clientSet) WorkloadV1Alpha1() workloadv1alpha1.WorkloadClient {
 	return c.workloadV1Alpha1
 }
+
+func (c *clientSet) IdentityV1Alpha1() identityv1alpha1.IdentityClient {
+	return c.identityV1Alpha1
+}

pkg/connect/client/clientset_test.go

@@ -19,4 +19,6 @@ func TestClientSet(t *testing.T) {
 	require.NotNil(t, client.APBindingV1Alpha1())
 	require.NotNil(t, client.FederationV1Alpha1())
 	require.NotNil(t, client.DataStoreV1Alpha1())
+	require.NotNil(t, client.WorkloadV1Alpha1())
+	require.NotNil(t, client.IdentityV1Alpha1())
 }

pkg/connect/client/fake/client/fakeclient.go

@@ -18,6 +18,8 @@ import (
 	fakeconnect "github.com/cofide/cofide-api-sdk/pkg/connect/client/fake/connect"
 	federationV1Alpha1 "github.com/cofide/cofide-api-sdk/pkg/connect/client/federation/v1alpha1"
 	fakefederationV1Alpha1 "github.com/cofide/cofide-api-sdk/pkg/connect/client/federation/v1alpha1/fake"
+	identityv1alpha1 "github.com/cofide/cofide-api-sdk/pkg/connect/client/identity/v1alpha1"
+	fakeidentityv1alpha1 "github.com/cofide/cofide-api-sdk/pkg/connect/client/identity/v1alpha1/fake"
 	trustzonev1alpha1 "github.com/cofide/cofide-api-sdk/pkg/connect/client/trustzone/v1alpha1"
 	faketrustzonev1alpha1 "github.com/cofide/cofide-api-sdk/pkg/connect/client/trustzone/v1alpha1/fake"
 	workloadv1alpha1 "github.com/cofide/cofide-api-sdk/pkg/connect/client/workload/v1alpha1"
@@ -33,6 +35,7 @@ type fakeClientSet struct {
 	federationV1Alpha1        federationV1Alpha1.FederationClient
 	datastoreV1Alpha1         datastorev1alpha1.DataStoreClient
 	workloadV1Alpha1          workloadv1alpha1.WorkloadClient
+	identityV1Alpha1          identityv1alpha1.IdentityClient
 }
 
 // New instantiates a new ClientSet that fakes communication with a Connect API.
@@ -46,6 +49,7 @@ func New(fake *fakeconnect.FakeConnect) client.ClientSet {
 		federationV1Alpha1:        fakefederationV1Alpha1.New(fake),
 		datastoreV1Alpha1:         fakedatastorev1alpha1.New(fake),
 		workloadV1Alpha1:          fakeworkloadv1alpha1.New(fake),
+		identityV1Alpha1:          fakeidentityv1alpha1.New(fake),
 	}
 }
 
@@ -80,3 +84,7 @@ func (c *fakeClientSet) DataStoreV1Alpha1() datastorev1alpha1.DataStoreClient {
 func (c *fakeClientSet) WorkloadV1Alpha1() workloadv1alpha1.WorkloadClient {
 	return c.workloadV1Alpha1
 }
+
+func (c *fakeClientSet) IdentityV1Alpha1() identityv1alpha1.IdentityClient {
+	return c.identityV1Alpha1
+}

pkg/connect/client/fake/client/fakeclient_test.go

@@ -15,4 +15,10 @@ func TestFakeClientSet(t *testing.T) {
 	require.NotNil(t, client.TrustZoneV1Alpha1())
 	require.NotNil(t, client.ClusterV1Alpha1())
 	require.NotNil(t, client.AgentV1Alpha1())
+	require.NotNil(t, client.AttestationPolicyV1Alpha1())
+	require.NotNil(t, client.APBindingV1Alpha1())
+	require.NotNil(t, client.FederationV1Alpha1())
+	require.NotNil(t, client.DataStoreV1Alpha1())
+	require.NotNil(t, client.WorkloadV1Alpha1())
+	require.NotNil(t, client.IdentityV1Alpha1())
 }

pkg/connect/client/fake/connect/fakeconnect.go

@@ -10,6 +10,7 @@ import (
 	datastoresvcpb "github.com/cofide/cofide-api-sdk/gen/go/proto/connect/datastore_service/v1alpha1"
 	federatedservicepb "github.com/cofide/cofide-api-sdk/gen/go/proto/federated_service/v1alpha1"
 	federationpb "github.com/cofide/cofide-api-sdk/gen/go/proto/federation/v1alpha1"
+	identitypb "github.com/cofide/cofide-api-sdk/gen/go/proto/identity/v1alpha1"
 	trustzonepb "github.com/cofide/cofide-api-sdk/gen/go/proto/trust_zone/v1alpha1"
 	workloadpb "github.com/cofide/cofide-api-sdk/gen/go/proto/workload/v1alpha1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
@@ -32,6 +33,7 @@ type FakeConnect struct {
 	Federations         map[string]*federationpb.Federation
 	AttestedNodes       map[string]*datastoresvcpb.AttestedNode
 	Workloads           map[string]*workloadpb.Workload
+	Identities          map[string]*identitypb.Identity
 }
 
 func New() *FakeConnect {
@@ -48,6 +50,7 @@ func New() *FakeConnect {
 		Federations:         make(map[string]*federationpb.Federation),
 		AttestedNodes:       make(map[string]*datastoresvcpb.AttestedNode),
 		Workloads:           make(map[string]*workloadpb.Workload),
+		Identities:          make(map[string]*identitypb.Identity),
 	}
 }
 
@@ -106,3 +109,10 @@ func (f *FakeConnect) ValidateWorkload(workloadID string) error {
 	}
 	return nil
 }
+
+func (f *FakeConnect) ValidateIdentity(identityID string) error {
+	if _, ok := f.Identities[identityID]; !ok {
+		return status.Error(codes.InvalidArgument, "invalid identity")
+	}
+	return nil
+}

pkg/connect/client/identity/v1alpha1/fake/fake.go

@@ -0,0 +1,83 @@
+// Copyright 2025 Cofide Limited.
+// SPDX-License-Identifier: Apache-2.0
+
+package fake
+
+import (
+	"context"
+
+	identitysvcpb "github.com/cofide/cofide-api-sdk/gen/go/proto/connect/identity_service/v1alpha1"
+	identitypb "github.com/cofide/cofide-api-sdk/gen/go/proto/identity/v1alpha1"
+	fakeconnect "github.com/cofide/cofide-api-sdk/pkg/connect/client/fake/connect"
+	identityv1alpha1 "github.com/cofide/cofide-api-sdk/pkg/connect/client/identity/v1alpha1"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/proto"
+)
+
+type fakeIdentityClient struct {
+	fake *fakeconnect.FakeConnect
+}
+
+// New instantiates a new IdentityClient for communication with a fake Connect API.
+func New(fake *fakeconnect.FakeConnect) identityv1alpha1.IdentityClient {
+	return &fakeIdentityClient{
+		fake: fake,
+	}
+}
+
+func (c *fakeIdentityClient) GetIdentity(ctx context.Context, identityID string) (*identitypb.Identity, error) {
+	c.fake.Mu.Lock()
+	defer c.fake.Mu.Unlock()
+
+	identity, ok := c.fake.Identities[identityID]
+	if !ok {
+		return nil, status.Error(codes.NotFound, "identity not found")
+	}
+	return clone(identity), nil
+}
+
+func (c *fakeIdentityClient) ListIdentities(ctx context.Context, filter *identitysvcpb.ListIdentitiesRequest_Filter) ([]*identitypb.Identity, error) {
+	c.fake.Mu.Lock()
+	defer c.fake.Mu.Unlock()
+
+	identities := []*identitypb.Identity{}
+	for _, identity := range c.fake.Identities {
+		if identityMatches(identity, filter) {
+			identities = append(identities, clone(identity))
+		}
+	}
+	return identities, nil
+}
+
+func identityMatches(identity *identitypb.Identity, filter *identitysvcpb.ListIdentitiesRequest_Filter) bool {
+	if filter == nil {
+		return true
+	}
+	if filter.OrgId != nil && identity.GetOrgId() != *filter.OrgId {
+		return false
+	}
+	if filter.TrustZoneId != nil && identity.GetTrustZoneId() != *filter.TrustZoneId {
+		return false
+	}
+	if filter.ClusterId != nil && identity.GetClusterId() != *filter.ClusterId {
+		return false
+	}
+	if filter.AttestationPolicyId != nil && identity.GetAttestationPolicyId() != *filter.AttestationPolicyId {
+		return false
+	}
+	if filter.ApBindingId != nil && identity.GetApBindingId() != *filter.ApBindingId {
+		return false
+	}
+	if filter.WorkloadId != nil && identity.GetWorkloadId() != *filter.WorkloadId {
+		return false
+	}
+	if filter.SpiffeId != nil && identity.GetSpiffeId() != *filter.SpiffeId {
+		return false
+	}
+	return true
+}
+
+func clone(identity *identitypb.Identity) *identitypb.Identity {
+	return proto.Clone(identity).(*identitypb.Identity)
+}

pkg/connect/client/identity/v1alpha1/fake/fake_test.go

@@ -0,0 +1,49 @@
+// Copyright 2025 Cofide Limited.
+// SPDX-License-Identifier: Apache-2.0
+
+package fake
+
+import (
+	"context"
+	"testing"
+
+	identitypb "github.com/cofide/cofide-api-sdk/gen/go/proto/identity/v1alpha1"
+	fakeconnect "github.com/cofide/cofide-api-sdk/pkg/connect/client/fake/connect"
+	"github.com/cofide/cofide-api-sdk/pkg/connect/client/test"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_fakeIdentityClient_GetIdentity(t *testing.T) {
+	fake := fakeconnect.New()
+	client := New(fake)
+	ctx := context.Background()
+
+	_, err := client.GetIdentity(ctx, test.FakeIdentityID)
+	require.Error(t, err)
+
+	identity := test.FakeIdentity()
+	fake.Identities[test.FakeIdentityID] = identity
+
+	gotIdentity, err := client.GetIdentity(ctx, test.FakeIdentityID)
+	require.NoError(t, err)
+	assert.EqualExportedValues(t, identity, gotIdentity)
+}
+
+func Test_fakeIdentityClient_ListIdentities(t *testing.T) {
+	fake := fakeconnect.New()
+	client := New(fake)
+	ctx := context.Background()
+
+	identity := test.FakeIdentity()
+
+	identities, err := client.ListIdentities(ctx, nil)
+	require.NoError(t, err)
+	assert.EqualExportedValues(t, []*identitypb.Identity{}, identities)
+
+	fake.Identities[test.FakeIdentityID] = test.FakeIdentity()
+
+	identities, err = client.ListIdentities(ctx, nil)
+	require.NoError(t, err)
+	assert.EqualExportedValues(t, []*identitypb.Identity{identity}, identities)
+}

pkg/connect/client/identity/v1alpha1/identity.go

@@ -0,0 +1,45 @@
+// Copyright 2025 Cofide Limited.
+// SPDX-License-Identifier: Apache-2.0
+
+package v1alpha1
+
+import (
+	"context"
+
+	identitysvcpb "github.com/cofide/cofide-api-sdk/gen/go/proto/connect/identity_service/v1alpha1"
+	identitypb "github.com/cofide/cofide-api-sdk/gen/go/proto/identity/v1alpha1"
+	"google.golang.org/grpc"
+)
+
+// IdentityClient is an interface for a client for the v1alpha1 version of the Connect IdentityService.
+type IdentityClient interface {
+	GetIdentity(ctx context.Context, identityID string) (*identitypb.Identity, error)
+	ListIdentities(ctx context.Context, filter *identitysvcpb.ListIdentitiesRequest_Filter) ([]*identitypb.Identity, error)
+}
+
+type identityClient struct {
+	identityClient identitysvcpb.IdentityServiceClient
+}
+
+// New instantiates a new TrustZoneClient for communication with a Connect API.
+func New(conn grpc.ClientConnInterface) IdentityClient {
+	return &identityClient{
+		identityClient: identitysvcpb.NewIdentityServiceClient(conn),
+	}
+}
+
+func (c *identityClient) GetIdentity(ctx context.Context, identityID string) (*identitypb.Identity, error) {
+	resp, err := c.identityClient.GetIdentity(ctx, &identitysvcpb.GetIdentityRequest{IdentityId: identityID})
+	if err != nil {
+		return nil, err
+	}
+	return resp.Identity, nil
+}
+
+func (c *identityClient) ListIdentities(ctx context.Context, filter *identitysvcpb.ListIdentitiesRequest_Filter) ([]*identitypb.Identity, error) {
+	resp, err := c.identityClient.ListIdentities(ctx, &identitysvcpb.ListIdentitiesRequest{Filter: filter})
+	if err != nil {
+		return nil, err
+	}
+	return resp.Identities, nil
+}

pkg/connect/client/test/fakes.go

@@ -9,6 +9,7 @@ import (
 	attestationpolicypb "github.com/cofide/cofide-api-sdk/gen/go/proto/attestation_policy/v1alpha1"
 	clusterpb "github.com/cofide/cofide-api-sdk/gen/go/proto/cluster/v1alpha1"
 	federatedservicepb "github.com/cofide/cofide-api-sdk/gen/go/proto/federated_service/v1alpha1"
+	identitypb "github.com/cofide/cofide-api-sdk/gen/go/proto/identity/v1alpha1"
 	trustzonepb "github.com/cofide/cofide-api-sdk/gen/go/proto/trust_zone/v1alpha1"
 	workloadpb "github.com/cofide/cofide-api-sdk/gen/go/proto/workload/v1alpha1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
@@ -37,6 +38,12 @@ const (
 	FakeK8sPodUID       = "fake-k8s-pod-uid"
 	FakeK8sPodName      = "fake-k8s-pod-name"
 	FakeK8sPodNamespace = "fake-k8s-pod-namespace"
+
+	FakeIdentityID    = "fake-identity-id"
+	FakeSPIFFEID      = "spiffe://fake.trust.domain/ns/fake-k8s-pod-namespace/sa/fake-k8s-pod-service-account"
+	FakeParentID      = "spiffe://fake.trust.domain/spire/agent/k8s_psat/fake-cluster-name/fake-spire-agent"
+	FakeSelectorType  = "fake-selector-type"
+	FakeSelectorValue = "fake-selector-value"
 )
 
 func FakeTrustZone() *trustzonepb.TrustZone {
@@ -106,3 +113,25 @@ func FakeK8sPodWorkload() *workloadpb.Workload {
 		},
 	}
 }
+
+func FakeIdentity() *identitypb.Identity {
+	return &identitypb.Identity{
+		Id:          FakeIdentityID,
+		TrustZoneId: FakeTrustZoneID,
+		ClusterId:   FakeClusterID,
+		WorkloadId:  FakeWorkloadID,
+		SpiffeId:    FakeSPIFFEID,
+		ParentId:    FakeParentID,
+		Selectors: []*identitypb.Selector{
+			{
+				Type:  FakeSelectorType,
+				Value: FakeSelectorValue,
+			},
+		},
+		Federations: []*identitypb.IdentityFederation{
+			{
+				TrustZoneId: PtrOf(FakeTrustZoneID),
+			},
+		},
+	}
+}