BuildWorkloadJWTSVIDClaims fix for real credential composer implementation #4489
Conversation
enj
requested review from
evan2645,
amartinezfayo,
azdagron,
MarcosDY and
rturner3
as code owners
…ation TestBuildWorkloadJWTSVIDClaims/real_no-op_composer fails with the following error without this change: rpc error: code = Internal desc = credentialcomposer(noop): invalid workload JWTSVID attributes: failed to encode claims: proto: invalid type: *jwt.NumericDate Signed-off-by: Monis Khan <i@monis.app>
enj
force-pushed
the
enj/i/fix_cred_composer
branch
from
6605c5c
to
65ea485
Compare
|
Hey @enj! Thanks for expanding the test coverage and providing a fix. I think the proposed solution is pretty robust and probably just fine. I do wonder about paying the marshaling/unmarshalling cost for each svid minting (multiplied by the number of cred composers in the chain) but that probably is a very small fraction of the CPU spent on each RPC. One option is to change the callers to not use these custom types. The only place this is called currently is by the credtemplate.Builder, which could trivially be changed to use sometimevar.Unix() on the fields that it is currently using jwt.NumericDate for. Another option here would be change the credentialcomposer facade interface to take in structpb.Struct for the claims instead of map[string]interface{} so callers have worry about this concern instead. This has the added value that the loop that invokes credential composers no longer needs to do conversions in and out of structpb.Struct for each iteration. |
TestBuildWorkloadJWTSVIDClaims/real_no-op_composerfails with the following error without this change:Pull Request check list
Affected functionality
Commands such as
spire-server jwt mint(and their associated RPC APIs)Description of change
json.MarshaltheJWTSVIDAttributes.Claimsbefore attempting to convert tostructpb.Struct.