Add support for SPIFFE bundle sequence number

cmd/spire-server/cli/bundle/bundle_test.go

@@ -42,7 +42,7 @@ func TestShow(t *testing.T) {
   ],
   "jwt_authorities": [],
   "refresh_hint": "60",
-  "sequence_number": "0"
+  "sequence_number": "42"
 }`
 	for _, tt := range []struct {
 		name                 string
@@ -84,7 +84,8 @@ func TestShow(t *testing.T) {
 					X509Authorities: []*types.X509Certificate{
 						{Asn1: test.cert1.Raw},
 					},
-					RefreshHint: 60,
+					RefreshHint:    60,
+					SequenceNumber: 42,
 				},
 				}
 				args := tt.args

cmd/spire-server/cli/bundle/common_test.go

@@ -79,6 +79,7 @@ diIqWtxAqBLFrx8zNS4=
             ]
         }
     ],
+    "spiffe_sequence": 42,
     "spiffe_refresh_hint": 60
 }
 `

pkg/agent/manager/manager_test.go

@@ -1434,6 +1434,7 @@ type mockAPI struct {
 func newMockAPI(t *testing.T, config *mockAPIConfig) *mockAPI {
 	bundle := spiffebundle.New(trustDomain)
 	bundle.SetRefreshHint(0)
+	bundle.SetSequenceNumber(0)
 	h := &mockAPI{
 		t:            t,
 		c:            config,

pkg/common/bundleutil/bundle.go

@@ -49,17 +49,20 @@ func CommonBundleFromProto(b *types.Bundle) (*common.Bundle, error) {
 	return &common.Bundle{
 		TrustDomainId:  td.IDString(),
 		RefreshHint:    b.RefreshHint,
+		SequenceNumber: b.SequenceNumber,
 		RootCas:        rootCAs,
 		JwtSigningKeys: jwtKeys,
 	}, nil
 }
 
 func SPIFFEBundleToProto(b *spiffebundle.Bundle) (*common.Bundle, error) {
 	refreshHint, _ := b.RefreshHint()
+	s, _ := b.SequenceNumber()
 
 	bundle := &common.Bundle{
-		TrustDomainId: b.TrustDomain().IDString(),
-		RefreshHint:   int64(refreshHint.Seconds()),
+		TrustDomainId:  b.TrustDomain().IDString(),
+		RefreshHint:    int64(refreshHint.Seconds()),
+		SequenceNumber: s,
 	}
 	for _, rootCA := range b.X509Authorities() {
 		bundle.RootCas = append(bundle.RootCas, &common.Certificate{
@@ -99,6 +102,7 @@ func SPIFFEBundleFromProto(b *common.Bundle) (*spiffebundle.Bundle, error) {
 	bundle.SetX509Authorities(rootCAs)
 	bundle.SetJWTAuthorities(jwtSigningKeys)
 	bundle.SetRefreshHint(time.Second * time.Duration(b.RefreshHint))
+	bundle.SetSequenceNumber(b.SequenceNumber)
 
 	return bundle, nil
 }

pkg/common/bundleutil/bundle_test.go

@@ -137,11 +137,13 @@ func TestCommonBundleFromProto(t *testing.T) {
 						ExpiresAt: 1590514224,
 					},
 				},
+				SequenceNumber: 42,
 			},
 			expectBundle: &common.Bundle{
-				TrustDomainId: td.IDString(),
-				RefreshHint:   10,
-				RootCas:       []*common.Certificate{{DerBytes: rootCA.Raw}},
+				TrustDomainId:  td.IDString(),
+				RefreshHint:    10,
+				SequenceNumber: 42,
+				RootCas:        []*common.Certificate{{DerBytes: rootCA.Raw}},
 				JwtSigningKeys: []*common.PublicKey{
 					{
 						PkixBytes: pkixBytes,
@@ -162,6 +164,7 @@ func TestCommonBundleFromProto(t *testing.T) {
 						ExpiresAt: 1590514224,
 					},
 				},
+				SequenceNumber: 42,
 			},
 			expectError: "missing key ID",
 		},
@@ -203,6 +206,7 @@ func TestSPIFFEBundleToProto(t *testing.T) {
 	err = bundle.AddJWTAuthority("key-id-1", ca.X509Authorities()[0].PublicKey)
 	require.NoError(t, err)
 	bundle.SetRefreshHint(time.Second * 10)
+	bundle.SetSequenceNumber(42)
 	bundleNoRefreshHint := spiffebundle.FromX509Authorities(td, ca.X509Authorities())
 	bundleInvalidKey := spiffebundle.FromJWTAuthorities(td, map[string]crypto.PublicKey{"some-key": "invalid format"})
 
@@ -216,9 +220,10 @@ func TestSPIFFEBundleToProto(t *testing.T) {
 			name:   "success with jwt and x509 authorities",
 			bundle: bundle,
 			expProto: &common.Bundle{
-				TrustDomainId: td.IDString(),
-				RootCas:       []*common.Certificate{{DerBytes: rootCA.Raw}},
-				RefreshHint:   10,
+				TrustDomainId:  td.IDString(),
+				RootCas:        []*common.Certificate{{DerBytes: rootCA.Raw}},
+				RefreshHint:    10,
+				SequenceNumber: 42,
 				JwtSigningKeys: []*common.PublicKey{
 					{
 						PkixBytes: pkixBytes,
@@ -231,9 +236,10 @@ func TestSPIFFEBundleToProto(t *testing.T) {
 			name:   "success spiffe bundle with no refreshHint set",
 			bundle: bundleNoRefreshHint,
 			expProto: &common.Bundle{
-				TrustDomainId: td.IDString(),
-				RootCas:       []*common.Certificate{{DerBytes: rootCA.Raw}},
-				RefreshHint:   0,
+				TrustDomainId:  td.IDString(),
+				RootCas:        []*common.Certificate{{DerBytes: rootCA.Raw}},
+				RefreshHint:    0,
+				SequenceNumber: 0,
 			},
 		},
 		{
@@ -266,8 +272,10 @@ func TestSPIFFEBundleFromProto(t *testing.T) {
 	err = bundle.AddJWTAuthority("key-id-1", ca.X509Authorities()[0].PublicKey)
 	require.NoError(t, err)
 	bundle.SetRefreshHint(time.Second * 10)
+	bundle.SetSequenceNumber(42)
 	bundleZeroedRefreshHint := spiffebundle.FromX509Authorities(td, ca.X509Authorities())
 	bundleZeroedRefreshHint.SetRefreshHint(0)
+	bundleZeroedRefreshHint.SetSequenceNumber(0)
 
 	tests := []struct {
 		name      string
@@ -278,9 +286,10 @@ func TestSPIFFEBundleFromProto(t *testing.T) {
 		{
 			name: "success with jwt and x509 authorities",
 			proto: &common.Bundle{
-				TrustDomainId: td.IDString(),
-				RootCas:       []*common.Certificate{{DerBytes: rootCA.Raw}},
-				RefreshHint:   10,
+				TrustDomainId:  td.IDString(),
+				RootCas:        []*common.Certificate{{DerBytes: rootCA.Raw}},
+				RefreshHint:    10,
+				SequenceNumber: 42,
 				JwtSigningKeys: []*common.PublicKey{
 					{
 						PkixBytes: pkixBytes,
@@ -301,9 +310,10 @@ func TestSPIFFEBundleFromProto(t *testing.T) {
 		{
 			name: "fail with error parsing spiffe trust domain",
 			proto: &common.Bundle{
-				TrustDomainId: "|invalid|",
-				RootCas:       []*common.Certificate{{DerBytes: rootCA.Raw}},
-				RefreshHint:   10,
+				TrustDomainId:  "|invalid|",
+				RootCas:        []*common.Certificate{{DerBytes: rootCA.Raw}},
+				RefreshHint:    10,
+				SequenceNumber: 42,
 				JwtSigningKeys: []*common.PublicKey{
 					{
 						PkixBytes: pkixBytes,

pkg/common/bundleutil/marshal.go

@@ -11,6 +11,7 @@ import (
 
 type marshalConfig struct {
 	refreshHint    time.Duration
+	sequenceNumber uint64
 	noX509SVIDKeys bool
 	noJWTSVIDKeys  bool
 	standardJWKS   bool
@@ -34,6 +35,14 @@ func OverrideRefreshHint(value time.Duration) MarshalOption {
 	})
 }
 
+// OverrideSequenceNumber overrides the sequence number in the bundle
+func OverrideSequenceNumber(value uint64) MarshalOption {
+	return marshalOption(func(c *marshalConfig) error {
+		c.sequenceNumber = value
+		return nil
+	})
+}
+
 // NoX509SVIDKeys skips marshalling X509 SVID keys
 func NoX509SVIDKeys() MarshalOption {
 	return marshalOption(func(c *marshalConfig) error {
@@ -105,6 +114,7 @@ func Marshal(bundle *spiffebundle.Bundle, opts ...MarshalOption) ([]byte, error)
 		out = bundleDoc{
 			JSONWebKeySet: jwks,
 			RefreshHint:   int(c.refreshHint / time.Second),
+			Sequence:      c.sequenceNumber,
 		}
 	}
 

pkg/common/coretypes/bundle/bundle_test.go

@@ -115,6 +115,7 @@ MWnIPs59/JF8AiBeKSM/rkL2igQchDTvlJJWsyk9YL8UZI/XfZO7907TWA==
 		RootCas:        []*common.Certificate{{DerBytes: root.Raw}},
 		JwtSigningKeys: []*common.PublicKey{{Kid: "ID", PkixBytes: pkixBytes, NotAfter: expiresAt.Unix()}},
 		RefreshHint:    1,
+		SequenceNumber: 2,
 	}
 )
 

pkg/common/coretypes/bundle/commontypes.go

@@ -32,6 +32,7 @@ func ToCommonFromPluginProto(pb *plugintypes.Bundle) (*common.Bundle, error) {
 	return &common.Bundle{
 		TrustDomainId:  td.IDString(),
 		RefreshHint:    pb.RefreshHint,
+		SequenceNumber: pb.SequenceNumber,
 		JwtSigningKeys: jwtSigningKeys,
 		RootCas:        rootCAs,
 	}, nil

pkg/common/protoutil/masks_test.go

@@ -47,6 +47,7 @@ func TestAllTrueMasks(t *testing.T) {
 		RootCas:        true,
 		JwtSigningKeys: true,
 		RefreshHint:    true,
+		SequenceNumber: true,
 	}, protoutil.AllTrueCommonBundleMask)
 
 	spiretest.AssertProtoEqual(t, &common.AttestedNodeMask{

pkg/server/api/bundle.go

@@ -27,7 +27,7 @@ func BundleToProto(b *common.Bundle) (*types.Bundle, error) {
 	return &types.Bundle{
 		TrustDomain:     td.String(),
 		RefreshHint:     b.RefreshHint,
-		SequenceNumber:  0,
+		SequenceNumber:  b.SequenceNumber,
 		X509Authorities: CertificatesToProto(b.RootCas),
 		JwtAuthorities:  PublicKeysToProto(b.JwtSigningKeys),
 	}, nil
@@ -78,6 +78,7 @@ func ProtoToBundle(b *types.Bundle) (*common.Bundle, error) {
 	commonBundle := &common.Bundle{
 		TrustDomainId:  td.IDString(),
 		RefreshHint:    b.RefreshHint,
+		SequenceNumber: b.SequenceNumber,
 		RootCas:        rootCas,
 		JwtSigningKeys: jwtSigningKeys,
 	}
@@ -94,6 +95,7 @@ func ProtoToBundleMask(mask *types.BundleMask) *common.BundleMask {
 		JwtSigningKeys: mask.JwtAuthorities,
 		RootCas:        mask.X509Authorities,
 		RefreshHint:    mask.RefreshHint,
+		SequenceNumber: mask.SequenceNumber,
 	}
 }