Use ReadOnlyEntry for GetAuthorizedEntries API

Signed-off-by: Sorin Dumitru <[email protected]>

Author: sorindumitru

pkg/agent/client/client_test.go

@@ -21,6 +21,7 @@ import (
 	svidv1 "github.com/spiffe/spire-api-sdk/proto/spire/api/server/svid/v1"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	"github.com/spiffe/spire/pkg/common/telemetry"
+	"github.com/spiffe/spire/pkg/server/api"
 	"github.com/spiffe/spire/pkg/server/api/entry/v1"
 	"github.com/spiffe/spire/proto/spire/common"
 	"github.com/spiffe/spire/test/spiretest"
@@ -1023,7 +1024,13 @@ func (c *fakeEntryServer) GetAuthorizedEntries(_ context.Context, in *entryv1.Ge
 
 func (c *fakeEntryServer) SyncAuthorizedEntries(stream entryv1.Entry_SyncAuthorizedEntriesServer) error {
 	const entryPageSize = 2
-	return entry.SyncAuthorizedEntries(stream, c.entries, entryPageSize)
+
+	entries := []api.ReadOnlyEntry{}
+	for _, entry := range c.entries {
+		entries = append(entries, api.NewReadOnlyEntry(entry))
+	}
+
+	return entry.SyncAuthorizedEntries(stream, entries, entryPageSize)
 }
 
 type fakeBundleServer struct {

pkg/server/api/api.go

@@ -18,7 +18,7 @@ type AuthorizedEntryFetcher interface {
 	LookupAuthorizedEntries(ctx context.Context, id spiffeid.ID, entryIDs map[string]struct{}) (map[string]ReadOnlyEntry, error)
 	// FetchAuthorizedEntries fetches the entries that the specified
 	// SPIFFE ID is authorized for
-	FetchAuthorizedEntries(ctx context.Context, id spiffeid.ID) ([]*types.Entry, error)
+	FetchAuthorizedEntries(ctx context.Context, id spiffeid.ID) ([]ReadOnlyEntry, error)
 }
 
 // AuthorizedEntryFetcherFunc is an implementation of AuthorizedEntryFetcher

pkg/server/api/entry.go

@@ -28,6 +28,10 @@ func NewReadOnlyEntry(entry *types.Entry) ReadOnlyEntry {
 	}
 }
 
+func (e ReadOnlyEntry) GetId() string {
+	return e.entry.Id
+}
+
 func (e *ReadOnlyEntry) GetSpiffeId() *types.SPIFFEID {
 	return &types.SPIFFEID{
 		TrustDomain: e.entry.SpiffeId.TrustDomain,
@@ -51,6 +55,10 @@ func (e *ReadOnlyEntry) GetRevisionNumber() int64 {
 	return e.entry.RevisionNumber
 }
 
+func (e *ReadOnlyEntry) GetCreatedAt() int64 {
+	return e.entry.CreatedAt
+}
+
 // Manually clone the entry instead of using the protobuf helpers
 // since those are two times slower.
 func (e *ReadOnlyEntry) Clone(mask *types.EntryMask) *types.Entry {

pkg/server/api/entry/v1/service.go

@@ -391,14 +391,12 @@ func (s *Service) GetAuthorizedEntries(ctx context.Context, req *entryv1.GetAuth
 		return nil, err
 	}
 
-	for i, entry := range entries {
-		applyMask(entry, req.OutputMask)
-		entries[i] = entry
-	}
+	resp := &entryv1.GetAuthorizedEntriesResponse{}
 
-	resp := &entryv1.GetAuthorizedEntriesResponse{
-		Entries: entries,
+	for _, entry := range entries {
+		resp.Entries = append(resp.Entries, entry.Clone(req.OutputMask))
 	}
+
 	rpccontext.AuditRPC(ctx)
 
 	return resp, nil
@@ -424,7 +422,7 @@ func (s *Service) SyncAuthorizedEntries(stream entryv1.Entry_SyncAuthorizedEntri
 	return SyncAuthorizedEntries(stream, entries, s.entryPageSize)
 }
 
-func SyncAuthorizedEntries(stream entryv1.Entry_SyncAuthorizedEntriesServer, entries []*types.Entry, entryPageSize int) (err error) {
+func SyncAuthorizedEntries(stream entryv1.Entry_SyncAuthorizedEntriesServer, entries []api.ReadOnlyEntry, entryPageSize int) (err error) {
 	// Receive the initial request with the output mask.
 	req, err := stream.Recv()
 	if err != nil {
@@ -447,18 +445,17 @@ func SyncAuthorizedEntries(stream entryv1.Entry_SyncAuthorizedEntriesServer, ent
 
 	// Apply output mask to entries. The output mask field will be
 	// intentionally ignored on subsequent requests.
-	for i, entry := range entries {
-		applyMask(entry, req.OutputMask)
-		entries[i] = entry
-	}
+	initialOutputMask := req.OutputMask
 
 	// If the number of entries is less than or equal to the entry page size,
 	// then just send the full list back. Otherwise, we'll send a sparse list
 	// and then stream back full entries as requested.
 	if len(entries) <= entryPageSize {
-		return stream.Send(&entryv1.SyncAuthorizedEntriesResponse{
-			Entries: entries,
-		})
+		resp := &entryv1.SyncAuthorizedEntriesResponse{}
+		for _, entry := range entries {
+			resp.Entries = append(resp.Entries, entry.Clone(initialOutputMask))
+		}
+		return stream.Send(resp)
 	}
 
 	// Prepopulate the entry page used in the response with empty entry structs.
@@ -475,9 +472,9 @@ func SyncAuthorizedEntries(stream entryv1.Entry_SyncAuthorizedEntriesServer, ent
 			more = true
 		}
 		for j, entry := range entries[i : i+n] {
-			entryRevisions[j].Id = entry.Id
-			entryRevisions[j].RevisionNumber = entry.RevisionNumber
-			entryRevisions[j].CreatedAt = entry.CreatedAt
+			entryRevisions[j].Id = entry.GetId()
+			entryRevisions[j].RevisionNumber = entry.GetRevisionNumber()
+			entryRevisions[j].CreatedAt = entry.GetCreatedAt()
 		}
 
 		if err := stream.Send(&entryv1.SyncAuthorizedEntriesResponse{
@@ -530,7 +527,7 @@ func SyncAuthorizedEntries(stream entryv1.Entry_SyncAuthorizedEntriesServer, ent
 		entriesToSearch := entries
 		for _, id := range req.Ids {
 			i, found := sort.Find(len(entriesToSearch), func(i int) int {
-				return strings.Compare(id, entriesToSearch[i].Id)
+				return strings.Compare(id, entriesToSearch[i].GetId())
 			})
 			if found {
 				if len(resp.Entries) == entryPageSize {
@@ -543,7 +540,7 @@ func SyncAuthorizedEntries(stream entryv1.Entry_SyncAuthorizedEntriesServer, ent
 					}
 					resp.Entries = resp.Entries[:0]
 				}
-				resp.Entries = append(resp.Entries, entriesToSearch[i])
+				resp.Entries = append(resp.Entries, entriesToSearch[i].Clone(initialOutputMask))
 			}
 			entriesToSearch = entriesToSearch[i:]
 			if len(entriesToSearch) == 0 {
@@ -560,7 +557,7 @@ func SyncAuthorizedEntries(stream entryv1.Entry_SyncAuthorizedEntriesServer, ent
 }
 
 // fetchEntries fetches authorized entries using caller ID from context
-func (s *Service) fetchEntries(ctx context.Context, log logrus.FieldLogger) ([]*types.Entry, error) {
+func (s *Service) fetchEntries(ctx context.Context, log logrus.FieldLogger) ([]api.ReadOnlyEntry, error) {
 	callerID, ok := rpccontext.CallerID(ctx)
 	if !ok {
 		return nil, api.MakeErr(log, codes.Internal, "caller ID missing from request context", nil)
@@ -844,8 +841,8 @@ func fieldsFromCountEntryFilter(ctx context.Context, td spiffeid.TrustDomain, fi
 	return fields
 }
 
-func sortEntriesByID(entries []*types.Entry) {
+func sortEntriesByID(entries []api.ReadOnlyEntry) {
 	sort.Slice(entries, func(a, b int) bool {
-		return entries[a].Id < entries[b].Id
+		return entries[a].GetId() < entries[b].GetId()
 	})
 }

pkg/server/api/entry/v1/service_test.go

@@ -4849,13 +4849,13 @@ func (f *entryFetcher) LookupAuthorizedEntries(ctx context.Context, agentID spif
 
 	entriesMap := make(map[string]api.ReadOnlyEntry)
 	for _, entry := range entries {
-		entriesMap[entry.GetId()] = api.NewReadOnlyEntry(entry)
+		entriesMap[entry.GetId()] = entry
 	}
 
 	return entriesMap, nil
 }
 
-func (f *entryFetcher) FetchAuthorizedEntries(ctx context.Context, agentID spiffeid.ID) ([]*types.Entry, error) {
+func (f *entryFetcher) FetchAuthorizedEntries(ctx context.Context, agentID spiffeid.ID) ([]api.ReadOnlyEntry, error) {
 	if f.err != "" {
 		return nil, status.Error(codes.Internal, f.err)
 	}
@@ -4869,7 +4869,12 @@ func (f *entryFetcher) FetchAuthorizedEntries(ctx context.Context, agentID spiff
 		return nil, fmt.Errorf("provided caller id is different to expected")
 	}
 
-	return f.entries, nil
+	entries := []api.ReadOnlyEntry{}
+	for _, entry := range f.entries {
+		entries = append(entries, api.NewReadOnlyEntry(entry))
+	}
+
+	return entries, nil
 }
 
 type HasID interface {

pkg/server/api/svid/v1/service_test.go

@@ -1158,6 +1158,7 @@ func TestServiceBatchNewX509SVID(t *testing.T) {
 	}
 	invalidEntry := &types.Entry{
 		Id:       "invalid",
+		SpiffeId: &types.SPIFFEID{},
 		ParentId: api.ProtoFromID(agentID),
 	}
 	test.ef.entries = []*types.Entry{workloadEntry, dnsEntry, ttlEntry, x509TtlEntry, invalidEntry}
@@ -1324,7 +1325,7 @@ func TestServiceBatchNewX509SVID(t *testing.T) {
 						Message: "Entry has malformed SPIFFE ID",
 						Data: logrus.Fields{
 							telemetry.RegistrationID: "invalid",
-							logrus.ErrorKey:          "request must specify SPIFFE ID",
+							logrus.ErrorKey:          "trust domain is missing",
 						},
 					},
 					{
@@ -1336,7 +1337,7 @@ func TestServiceBatchNewX509SVID(t *testing.T) {
 							telemetry.RegistrationID: "invalid",
 							telemetry.Csr:            api.HashByte(m["invalid"]),
 							telemetry.StatusCode:     "Internal",
-							telemetry.StatusMessage:  "entry has malformed SPIFFE ID: request must specify SPIFFE ID",
+							telemetry.StatusMessage:  "entry has malformed SPIFFE ID: trust domain is missing",
 							telemetry.SPIFFEID:       "",
 						},
 					},
@@ -1656,7 +1657,7 @@ func TestServiceBatchNewX509SVID(t *testing.T) {
 						Message: "Entry has malformed SPIFFE ID",
 						Data: logrus.Fields{
 							telemetry.RegistrationID: "invalid",
-							logrus.ErrorKey:          "request must specify SPIFFE ID",
+							logrus.ErrorKey:          "trust domain is missing",
 						},
 					},
 					{
@@ -1668,7 +1669,7 @@ func TestServiceBatchNewX509SVID(t *testing.T) {
 							telemetry.RegistrationID: "invalid",
 							telemetry.Csr:            api.HashByte(m["invalid"]),
 							telemetry.StatusCode:     "Internal",
-							telemetry.StatusMessage:  "entry has malformed SPIFFE ID: request must specify SPIFFE ID",
+							telemetry.StatusMessage:  "entry has malformed SPIFFE ID: trust domain is missing",
 							telemetry.SPIFFEID:       "",
 						},
 					},
@@ -2181,27 +2182,32 @@ func (f *entryFetcher) LookupAuthorizedEntries(ctx context.Context, agentID spif
 
 	entriesMap := make(map[string]api.ReadOnlyEntry)
 	for _, entry := range entries {
-		entriesMap[entry.GetId()] = api.NewReadOnlyEntry(entry)
+		entriesMap[entry.GetId()] = entry
 	}
 
 	return entriesMap, nil
 }
 
-func (f *entryFetcher) FetchAuthorizedEntries(ctx context.Context, agentID spiffeid.ID) ([]*types.Entry, error) {
+func (f *entryFetcher) FetchAuthorizedEntries(ctx context.Context, agentID spiffeid.ID) ([]api.ReadOnlyEntry, error) {
 	if f.err != "" {
 		return nil, status.Error(codes.Internal, f.err)
 	}
 
 	caller, ok := rpccontext.CallerID(ctx)
 	if !ok {
-		return nil, errors.New("no caller ID on context")
+		return nil, errors.New("missing caller ID")
 	}
 
 	if caller != agentID {
 		return nil, fmt.Errorf("provided caller id is different to expected")
 	}
 
-	return f.entries, nil
+	entries := []api.ReadOnlyEntry{}
+	for _, entry := range f.entries {
+		entries = append(entries, api.NewReadOnlyEntry(entry))
+	}
+
+	return entries, nil
 }
 
 type fakeRateLimiter struct {

pkg/server/authorizedentries/cache.go

@@ -88,7 +88,7 @@ func (c *Cache) LookupAuthorizedEntries(agentID spiffeid.ID, requestedEntries ma
 	return foundEntries
 }
 
-func (c *Cache) GetAuthorizedEntries(agentID spiffeid.ID) []*types.Entry {
+func (c *Cache) GetAuthorizedEntries(agentID spiffeid.ID) []api.ReadOnlyEntry {
 	c.mu.RLock()
 	defer c.mu.RUnlock()
 

pkg/server/authorizedentries/cache_test.go

@@ -11,6 +11,7 @@ import (
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	"github.com/spiffe/spire/pkg/common/idutil"
+	"github.com/spiffe/spire/pkg/common/protoutil"
 	"github.com/spiffe/spire/pkg/server/api"
 	"github.com/spiffe/spire/test/clock"
 	"github.com/spiffe/spire/test/spiretest"
@@ -432,8 +433,16 @@ func assertAuthorizedEntries(tb testing.TB, cache *Cache, agentID spiffeid.ID, a
 		return m
 	}
 
+	readOnlyEntriesMap := func(entries []api.ReadOnlyEntry) map[string]*types.Entry {
+		m := make(map[string]*types.Entry)
+		for _, entry := range entries {
+			m[entry.GetId()] = entry.Clone(protoutil.AllTrueEntryMask)
+		}
+		return m
+	}
+
 	wantMap := entriesMap(wantEntries)
-	gotMap := entriesMap(cache.GetAuthorizedEntries(agentID))
+	gotMap := readOnlyEntriesMap(cache.GetAuthorizedEntries(agentID))
 
 	for id, want := range wantMap {
 		got, ok := gotMap[id]

pkg/server/authorizedentries/entries.go

@@ -2,7 +2,7 @@ package authorizedentries
 
 import (
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
-	"google.golang.org/protobuf/proto"
+	"github.com/spiffe/spire/pkg/server/api"
 )
 
 type entryRecord struct {
@@ -29,17 +29,13 @@ func entryRecordByParentID(a, b entryRecord) bool {
 	}
 }
 
-func cloneEntriesFromRecords(entryRecords []entryRecord) []*types.Entry {
+func cloneEntriesFromRecords(entryRecords []entryRecord) []api.ReadOnlyEntry {
 	if len(entryRecords) == 0 {
 		return nil
 	}
-	cloned := make([]*types.Entry, 0, len(entryRecords))
+	cloned := make([]api.ReadOnlyEntry, 0, len(entryRecords))
 	for _, entryRecord := range entryRecords {
-		cloned = append(cloned, cloneEntry(entryRecord.EntryCloneOnly))
+		cloned = append(cloned, api.NewReadOnlyEntry(entryRecord.EntryCloneOnly))
 	}
 	return cloned
 }
-
-func cloneEntry(entry *types.Entry) *types.Entry {
-	return proto.Clone(entry).(*types.Entry)
-}

pkg/server/cache/entrycache/fullcache.go

@@ -7,7 +7,6 @@ import (
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
 	"github.com/spiffe/spire-api-sdk/proto/spire/api/types"
 	"github.com/spiffe/spire/pkg/server/api"
-	"google.golang.org/protobuf/proto"
 )
 
 var (
@@ -30,7 +29,7 @@ var _ Cache = (*FullEntryCache)(nil)
 // at a particular moment in time.
 type Cache interface {
 	LookupAuthorizedEntries(agentID spiffeid.ID, entries map[string]struct{}) map[string]api.ReadOnlyEntry
-	GetAuthorizedEntries(agentID spiffeid.ID) []*types.Entry
+	GetAuthorizedEntries(agentID spiffeid.ID) []api.ReadOnlyEntry
 }
 
 // Selector is a key-value attribute of a node or workload.
@@ -190,13 +189,13 @@ func (c *FullEntryCache) LookupAuthorizedEntries(agentID spiffeid.ID, requestedE
 }
 
 // GetAuthorizedEntries gets all authorized registration entries for a given Agent SPIFFE ID.
-func (c *FullEntryCache) GetAuthorizedEntries(agentID spiffeid.ID) []*types.Entry {
+func (c *FullEntryCache) GetAuthorizedEntries(agentID spiffeid.ID) []api.ReadOnlyEntry {
 	seen := allocSeenSet()
 	defer freeSeenSet(seen)
 
-	foundEntries := []*types.Entry{}
+	foundEntries := []api.ReadOnlyEntry{}
 	c.crawl(spiffeIDFromID(agentID), seen, func(entry *types.Entry) {
-		foundEntries = append(foundEntries, proto.Clone(entry).(*types.Entry))
+		foundEntries = append(foundEntries, api.NewReadOnlyEntry(entry))
 	})
 
 	return foundEntries