SPIRE plugins: Keylime node attestor (Go)
Tyler J King fe5e2cf3c6 feat(spire): gsap-attestor WorkloadAttestor plugin
SPIRE WorkloadAttestor that reads governance env vars from /proc/{pid}/environ
(walking up the process tree to find gsh) and emits gsap: selectors on workload
SVIDs. Maps BASCULE_* vars set by bascule-shell and future GSH_* vars to the
11-selector vocabulary defined in gsap-types/src/selectors.rs.

- pkg/gsap/selectors.go: shared Go constants mirroring Rust vocabulary
- cmd/gsap-attestor/: plugin implementation with /proc reading, process tree
  walking, capability ceiling translation, and fail-open for non-governed processes
- 28 tests covering selector extraction, proc parsing, tree walking, and depth limits
- Makefile, Dockerfile, deploy config updated

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-13 03:59:08 -04:00
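The /proc walk the commit message describes, shown as an added Go illustration that is not the repository's gsap-attestor code: it parses environ and the ppid field of stat, climbs at most maxDepth parents, and emits selectors from the first BASCULE_* ancestor, returning none for an ungoverned process. The selector naming, the depth bound and the process table are assumptions; a real reader opens /proc/<pid>/environ and /proc/<pid>/stat, and because a process owns its environ block, a deployment anchors trust in kernel-reported facts about the gsh parent (uid, binary path) as well, which is not shown here.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// procEntry mirrors /proc/<pid>/environ (NUL-separated) and /proc/<pid>/stat;
// reading another uid's process needs CAP_SYS_PTRACE, so the plugin runs privileged.
type procEntry struct{ environ, stat string }
const maxDepth = 8 // assumed parent-hop bound, not the plugin's real limit
// parentPID returns the ppid field of a stat line, parsing after the last ')'
// because comm may itself contain spaces or parentheses.
func parentPID(stat string) (int, error) {
	if f := strings.Fields(stat[strings.LastIndexByte(stat, ')')+1:]); len(f) >= 2 {
		return strconv.Atoi(f[1]) // f[0] is state, f[1] is ppid
	}
	return 0, fmt.Errorf("malformed stat: %q", stat)
}
// GovernanceSelectors walks pid toward init and emits gsap: selectors from the first ancestor
// carrying BASCULE_* vars; none within maxDepth means fail-open (nil, nil). Names are assumed.
func GovernanceSelectors(proc map[int]procEntry, pid int) ([]string, error) {
	for depth := 0; depth < maxDepth && pid > 1; depth++ {
		e := proc[pid] // a missing pid has an empty stat and errors below
		var sels []string
		for _, kv := range strings.Split(e.environ, "\x00") {
			if k, v, ok := strings.Cut(kv, "="); ok && strings.HasPrefix(k, "BASCULE_") {
				sels = append(sels, "gsap:"+strings.ToLower(k[len("BASCULE_"):])+":"+v)
			}
		}
		if len(sels) > 0 {
			return sels, nil
		}
		var err error
		if pid, err = parentPID(e.stat); err != nil {
			return nil, err
		}
	}
	return nil, nil
}
// SampleProc is constructed: 300 (bash) -> 200 (gsh, governed) -> 1; 100 (cron) -> 1.
var SampleProc = map[int]procEntry{
	300: {"PATH=/usr/bin\x00HOME=/home/dev\x00", "300 (bash) S 200 300 300 0 -1"},
	200: {"BASCULE_INTENT=deploy\x00BASCULE_CEILING=ops\x00", "200 (gsh) S 1 200 200 0 -1"},
	100: {"PATH=/usr/bin\x00", "100 (cron) S 1 100 100 0 -1"},
}
func main() {
	fmt.Println(GovernanceSelectors(SampleProc, 300)) // [gsap:intent:deploy gsap:ceiling:ops] <nil>
}
```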
.github/workflows Remediate all 17 audit findings from AUDIT.md 2026-02-18 11:45:33 -05:00
cmd feat(spire): gsap-attestor WorkloadAttestor plugin 2026-05-13 03:59:08 -04:00
deploy feat(spire): gsap-attestor WorkloadAttestor plugin 2026-05-13 03:59:08 -04:00
docs feat: network-policy extension, governance lifecycle, audit remediation 2026-03-18 15:54:46 -04:00
gen feat: network-policy extension, governance lifecycle, audit remediation 2026-03-18 15:54:46 -04:00
pkg feat(spire): gsap-attestor WorkloadAttestor plugin 2026-05-13 03:59:08 -04:00
proto Initial scaffolding: specs, plugins, pkg/shellstream 2026-02-18 10:47:09 -05:00
specs feat: network-policy extension, governance lifecycle, audit remediation 2026-03-18 15:54:46 -04:00
test/fixtures Remediate all 17 audit findings from AUDIT.md 2026-02-18 11:45:33 -05:00
.gitignore feat: network-policy extension, governance lifecycle, audit remediation 2026-03-18 15:54:46 -04:00
AUDIT.md Remediate all 17 audit findings from AUDIT.md 2026-02-18 11:45:33 -05:00
buf.gen.yaml Initial scaffolding: specs, plugins, pkg/shellstream 2026-02-18 10:47:09 -05:00
buf.yaml Initial scaffolding: specs, plugins, pkg/shellstream 2026-02-18 10:47:09 -05:00
CLAUDE.md feat: network-policy extension, governance lifecycle, audit remediation 2026-03-18 15:54:46 -04:00
Containerfile.dev feat: network-policy extension, governance lifecycle, audit remediation 2026-03-18 15:54:46 -04:00
Dockerfile feat(spire): gsap-attestor WorkloadAttestor plugin 2026-05-13 03:59:08 -04:00
go.mod feat: network-policy extension, governance lifecycle, audit remediation 2026-03-18 15:54:46 -04:00
go.sum feat: network-policy extension, governance lifecycle, audit remediation 2026-03-18 15:54:46 -04:00
GSAP-ATTESTOR-DESIGN.md feat(spire): gsap-attestor WorkloadAttestor plugin 2026-05-13 03:59:08 -04:00
LICENSE Initial scaffolding: specs, plugins, pkg/shellstream 2026-02-18 10:47:09 -05:00
Makefile feat(spire): gsap-attestor WorkloadAttestor plugin 2026-05-13 03:59:08 -04:00
README.md feat: network-policy extension, governance lifecycle, audit remediation 2026-03-18 15:54:46 -04:00
SECURITY-AUDIT.md feat: network-policy extension, governance lifecycle, audit remediation 2026-03-18 15:54:46 -04:00

Guildhouse SPIRE Plugins

SPIRE plugins and specifications for governed SSH access via SPIFFE identity.

This repository extends the SPIFFE ecosystem with SSH certificate issuance, governance-aware credential lifecycle management, and Guildhouse platform integration.

Project Status

Stage: Active Development

Component                 Status
Specifications (specs/)   Draft — ready for SIG-Spec review
pkg/shellstream           Fully implemented with comprehensive tests
pkg/config                Implemented — HCL parsing + validation
pkg/oidc                  Implemented — OIDC discovery, JWKS verification, JWT validation
pkg/governance            Implemented — gRPC client with mTLS, intent lifecycle, merkle anchoring
pkg/sshcert               Implemented — SSH certificate builder with Shellstream extensions
Plugin binaries (cmd/)    Implemented — go-plugin registration, Configure + core methods
Proto codegen (gen/)      Generated — quartermaster/v1 + bascule/v1 gRPC stubs
CI pipeline               Configured (.github/workflows/ci.yaml)

Quick Start

# Clone and build
git clone https://github.com/guildhouse-cooperative/guildhouse-spire-plugins.git
cd guildhouse-spire-plugins
make build    # Build all plugin binaries → bin/

# Run tests
make test     # Run all unit tests
make lint     # Run go vet

Specifications

The primary deliverables are three formal specifications in specs/:

Plugins

Four SPIRE plugins in cmd/:

Plugin                   SPIRE Type          Runs In   Purpose
oidc-attestor            WorkloadAttestor    Agent     OIDC token verification, claim-to-selector mapping
ssh-credential-composer  CredentialComposer  Server    SSH certificate generation with Shellstream extensions
governance-notifier      Notifier            Server    Credential event notification, merkle anchoring
substrate-keymanager     KeyManager          Server    Governance-aware signing key management

Packages

Shared Go libraries in pkg/:

  • shellstream — Encode/decode Shellstream SSH certificate extensions (comprehensive tests)
  • oidc — OIDC discovery + JWKS key fetching + JWT signature verification (RS256, ES256)
  • governance — GovernanceService + NotaryService gRPC client with mTLS, intent lifecycle, merkle anchoring
  • sshcert — SSH certificate builder with Ed25519 keypair generation and Shellstream extension embedding
  • config — HCL configuration loading and validation

Documentation

Detailed documentation in docs/:

Building

make build    # Build all plugin binaries
make test     # Run tests
make lint     # Run go vet
make clean    # Remove build artifacts

Proto Code Generation

Proto files in proto/ are copies from the Guildhouse monorepo. To regenerate Go bindings:

make proto-gen

Requires buf to be installed.

License

Apache License 2.0 — see LICENSE.