WIP: Workload Identities

.devcontainer/devcontainer.json

@@ -0,0 +1,34 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/rust
+{
+	"name": "Rust",
+	// Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+	"image": "mcr.microsoft.com/devcontainers/rust:1-1-bookworm",
+	"features": {
+		"ghcr.io/devcontainers/features/docker-in-docker:2": {}
+	}
+
+	// Use 'mounts' to make the cargo cache persistent in a Docker Volume.
+	// "mounts": [
+	// 	{
+	// 		"source": "devcontainer-cargo-cache-${devcontainerId}",
+	// 		"target": "/usr/local/cargo",
+	// 		"type": "volume"
+	// 	}
+	// ]
+
+	// Features to add to the dev container. More info: https://containers.dev/features.
+	// "features": {},
+
+	// Use 'forwardPorts' to make a list of ports inside the container available locally.
+	// "forwardPorts": [],
+
+	// Use 'postCreateCommand' to run commands after the container is created.
+	// "postCreateCommand": "rustc --version",
+
+	// Configure tool-specific properties.
+	// "customizations": {},
+
+	// Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
+	// "remoteUser": "root"
+}

.dockerignore

@@ -12,6 +12,7 @@ README.md
 !target/x86_64-unknown-linux-gnu/release/golem-component-service
 !target/x86_64-unknown-linux-gnu/release/golem-component-compilation-service
 !target/x86_64-unknown-linux-gnu/release/golem-worker-service
+!target/x86_64-unknown-linux-gnu/release/golem
 !target/aarch64-unknown-linux-gnu/debug/golem-shard-manager
 !target/aarch64-unknown-linux-gnu/debug/worker-executor
 !target/aarch64-unknown-linux-gnu/debug/golem-component-compilation-service
@@ -22,3 +23,4 @@ README.md
 !target/aarch64-unknown-linux-gnu/release/golem-component-service
 !target/aarch64-unknown-linux-gnu/release/golem-component-compilation-service
 !target/aarch64-unknown-linux-gnu/release/golem-worker-service
+!target/aarch64-unknown-linux-gnu/release/golem

Cargo.toml

@@ -38,6 +38,7 @@ exclude = [
     "test-components/golem-rust-tests",
     "test-components/http-client",
     "test-components/http-client-2",
+    "test-components/identity",
     "test-components/interruption",
     "test-components/initial-file-read-write",
     "test-components/key-value-service",
@@ -75,6 +76,7 @@ async_zip = "0.0.17"
 aws-config = "1.1.3"
 aws-sdk-s3 = "1.13.0"
 axum = { version = "0.7.9", features = ["multipart"] }
+base64ct = { version = "1.6.0" }
 bigdecimal = "0.4.5"
 bincode = { version = "2.0.0-rc.3", features = ["serde"] }
 bytes = "1.5.0"
@@ -128,6 +130,7 @@ openidconnect = "3.5.0"
 opentelemetry = "0.24.0"
 opentelemetry-prometheus = "0.17.0"
 opentelemetry_sdk = "0.24.1"
+p256 = "0.13.2"
 phf = { version = "0.11.2", features = ["macros"] }
 poem-openapi = { version = "5.1.4", features = [
     "swagger-ui",
@@ -154,6 +157,7 @@ reqwest = { version = "0.12.5", features = [
 ] }
 rustls = { version = "0.23.10" }
 rand = "0.8.5"
+sec1 = "0.7.3"
 semver = "1.0.23"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = { version = "1.0", features = ["raw_value"] }

golem-common/Cargo.toml

@@ -58,7 +58,9 @@ typed-path = { workspace = true }
 url = { workspace = true }
 uuid = { workspace = true }
 wasm-wave = { workspace = true }
-
+base64ct = {workspace = true }
+p256 = { workspace = true }
+sec1 = { workspace = true }
 [dev-dependencies]
 anyhow = { workspace = true }
 test-r = { workspace = true }

golem-common/src/config.rs

@@ -12,6 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
+use base64ct::{Base64, Encoding};
 use bincode::{Decode, Encode};
 use figment::providers::{Env, Format, Serialized, Toml};
 use figment::value::Value;
@@ -467,3 +468,61 @@ pub struct DbPostgresConfig {
     pub max_connections: u32,
     pub schema: Option<String>,
 }
+
+#[derive(Clone, Debug, Serialize, Deserialize)]
+pub struct WorkerIdentityConfig {
+    pub issuer: String,
+    pub audience: String,
+
+    pub set: Vec<WorkerIdentityKey>,
+    pub active_keys: Vec<String>,
+}
+
+#[derive(Clone, Debug, Serialize, Deserialize)]
+pub struct WorkerIdentityKey {
+    pub alg: String,
+    pub kid: String,
+    #[serde(deserialize_with = "base64_to_vec")]
+    pub der: Vec<u8>,
+}
+
+impl WorkerIdentityKey {
+    pub fn generate(kid: String) -> Self {
+        use sec1::EncodeEcPrivateKey;
+        use p256::pkcs8::EncodePrivateKey;
+
+        let  key =p256::ecdsa::SigningKey::random(&mut rand::rngs::OsRng)
+            .to_pkcs8_der()
+            .expect("encode secret key faile")
+            .as_bytes()
+            .to_vec();
+
+        Self {
+            kid,
+            alg: "ES256".to_string(),
+            der: key
+        }
+    }
+}
+
+impl Default for WorkerIdentityConfig {
+    fn default() -> Self {
+        Self {
+            issuer: "default issuer".to_string(),
+            audience: "default audience".to_string(),
+            set: vec![],
+            active_keys: vec![],
+        }
+    }
+}
+
+use serde::Deserializer;
+
+/// Custom deserializer to decode a Base64 string into `Vec<u8>`
+fn base64_to_vec<'de, D>(deserializer: D) -> Result<Vec<u8>, D::Error>
+where
+    D: Deserializer<'de>,
+{
+    let s = String::deserialize(deserializer)?; // Deserialize as a string
+    Base64::decode_vec(&s).map_err(serde::de::Error::custom) // Decode Base64 into Vec<u8>
+}