Add CLI and entry conversion support for JWT-SVID audience policies

This commit adds support for the new JWT-SVID audience policy configuration
in the SPIRE server CLI and entry conversion logic:

CLI changes:
- Add -jwtSVIDDefaultAudiencePolicy flag for default audience policy
- Add -jwtSVIDAudiencePolicy flag for per-audience policy configuration
- Update entry create, update, and show commands to handle new fields
- Add AudiencePolicyFlag custom type for parsing audience:policy pairs

Entry conversion:
- Add JwtSvidDefaultAudiencePolicy and JwtSvidAudiencePolicies to
  EntryToProto and ProtoToEntry conversion functions
- Add audiencePolicyToInternal helper for enum conversion

Policy options: default, auditable, unique
- default: No JTI claim, caching enabled (current behavior)
- auditable: JTI claim included, caching enabled
- unique: JTI claim included, caching disabled (unique tokens)

Part of spiffe#6043

NOTE: Only merge after these dependent PRs are merged:
- spire-api-sdk: spiffe/spire-api-sdk#84
- spire-plugin-sdk: https://github.com/spiffe/spire-plugin-sdk/pull/113

Author: srikalyan

cmd/spire-server/cli/entry/create.go

@@ -74,6 +74,12 @@ type createCommand struct {
 	// storeSVID determines if the issued SVID must be stored through an SVIDStore plugin
 	storeSVID bool
 
+	// JWT-SVID default audience policy
+	jwtSVIDDefaultAudiencePolicy string
+
+	// JWT-SVID per-audience policies
+	jwtSVIDAudiencePolicies AudiencePolicyFlag
+
 	printer cliprinter.Printer
 
 	env *commoncli.Env
@@ -103,6 +109,8 @@ func (c *createCommand) AppendFlags(f *flag.FlagSet) {
 	f.Int64Var(&c.entryExpiry, "entryExpiry", 0, "An expiry, from epoch in seconds, for the resulting registration entry to be pruned")
 	f.Var(&c.dnsNames, "dns", "A DNS name that will be included in SVIDs issued based on this entry, where appropriate. Can be used more than once")
 	f.StringVar(&c.hint, "hint", "", "The entry hint, used to disambiguate entries with the same SPIFFE ID")
+	f.StringVar(&c.jwtSVIDDefaultAudiencePolicy, "jwtSVIDDefaultAudiencePolicy", "", "Default JWT-SVID audience policy for audiences not explicitly configured. One of: default, auditable, unique")
+	f.Var(&c.jwtSVIDAudiencePolicies, "jwtSVIDAudiencePolicy", "Per-audience JWT-SVID policy in the format 'audience:policy' where policy is one of: default, auditable, unique. Can be used more than once")
 	cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, prettyPrintCreate)
 }
 
@@ -187,17 +195,24 @@ func (c *createCommand) parseConfig() ([]*types.Entry, error) {
 		return nil, fmt.Errorf("invalid value for JWT SVID TTL: %w", err)
 	}
 
+	jwtSvidDefaultAudiencePolicy, err := parseJWTSVIDAudiencePolicy(c.jwtSVIDDefaultAudiencePolicy)
+	if err != nil {
+		return nil, err
+	}
+
 	e := &types.Entry{
-		Id:          c.entryID,
-		ParentId:    parentID,
-		SpiffeId:    spiffeID,
-		Downstream:  c.downstream,
-		ExpiresAt:   c.entryExpiry,
-		DnsNames:    c.dnsNames,
-		StoreSvid:   c.storeSVID,
-		X509SvidTtl: x509SvidTTL,
-		JwtSvidTtl:  jwtSvidTTL,
-		Hint:        c.hint,
+		Id:                           c.entryID,
+		ParentId:                     parentID,
+		SpiffeId:                     spiffeID,
+		Downstream:                   c.downstream,
+		ExpiresAt:                    c.entryExpiry,
+		DnsNames:                     c.dnsNames,
+		StoreSvid:                    c.storeSVID,
+		X509SvidTtl:                  x509SvidTTL,
+		JwtSvidTtl:                   jwtSvidTTL,
+		Hint:                         c.hint,
+		JwtSvidDefaultAudiencePolicy: jwtSvidDefaultAudiencePolicy,
+		JwtSvidAudiencePolicies:      c.jwtSVIDAudiencePolicies,
 	}
 
 	selectors := []*types.Selector{}

cmd/spire-server/cli/entry/create_test.go

@@ -319,7 +319,9 @@ StoreSvid        : true
         ],
         "revision_number": "0",
         "store_svid": true,
-        "jwt_svid_ttl": 30
+        "jwt_svid_ttl": 30,
+      "jwt_svid_default_audience_policy": "JWT_SVID_AUDIENCE_POLICY_DEFAULT",
+      "jwt_svid_audience_policies": {}
       }
     }
   ]
@@ -426,7 +428,9 @@ StoreSvid        : true
         ],
         "revision_number": "0",
         "store_svid": true,
-        "jwt_svid_ttl": 0
+        "jwt_svid_ttl": 0,
+      "jwt_svid_default_audience_policy": "JWT_SVID_AUDIENCE_POLICY_DEFAULT",
+      "jwt_svid_audience_policies": {}
       }
     }
   ]
@@ -531,7 +535,9 @@ StoreSvid        : true
         "dns_names": [],
         "revision_number": "0",
         "store_svid": false,
-        "jwt_svid_ttl": 30
+        "jwt_svid_ttl": 30,
+      "jwt_svid_default_audience_policy": "JWT_SVID_AUDIENCE_POLICY_DEFAULT",
+      "jwt_svid_audience_policies": {}
       }
     },
     {
@@ -565,7 +571,9 @@ StoreSvid        : true
         "dns_names": [],
         "revision_number": "0",
         "store_svid": false,
-        "jwt_svid_ttl": 30
+        "jwt_svid_ttl": 30,
+      "jwt_svid_default_audience_policy": "JWT_SVID_AUDIENCE_POLICY_DEFAULT",
+      "jwt_svid_audience_policies": {}
       }
     },
     {
@@ -603,7 +611,9 @@ StoreSvid        : true
         "dns_names": [],
         "revision_number": "0",
         "store_svid": true,
-        "jwt_svid_ttl": 30
+        "jwt_svid_ttl": 30,
+      "jwt_svid_default_audience_policy": "JWT_SVID_AUDIENCE_POLICY_DEFAULT",
+      "jwt_svid_audience_policies": {}
       }
     }
   ]
@@ -664,7 +674,9 @@ Error: failed to create one or more entries
         "dns_names": [],
         "revision_number": "0",
         "store_svid": false,
-        "jwt_svid_ttl": 0
+        "jwt_svid_ttl": 0,
+      "jwt_svid_default_audience_policy": "JWT_SVID_AUDIENCE_POLICY_DEFAULT",
+      "jwt_svid_audience_policies": {}
       }
     }
   ]

cmd/spire-server/cli/entry/show_test.go

@@ -534,7 +534,9 @@ func getJSONPrintedEntry(idx int) string {
       "dns_names": [],
       "revision_number": "0",
       "store_svid": false,
-      "jwt_svid_ttl": 0
+      "jwt_svid_ttl": 0,
+      "jwt_svid_default_audience_policy": "JWT_SVID_AUDIENCE_POLICY_DEFAULT",
+      "jwt_svid_audience_policies": {}
     }`
 	case 1:
 		return `{
@@ -567,7 +569,9 @@ func getJSONPrintedEntry(idx int) string {
       "dns_names": [],
       "revision_number": "0",
       "store_svid": false,
-      "jwt_svid_ttl": 0
+      "jwt_svid_ttl": 0,
+      "jwt_svid_default_audience_policy": "JWT_SVID_AUDIENCE_POLICY_DEFAULT",
+      "jwt_svid_audience_policies": {}
     }`
 	case 2:
 		return `{
@@ -602,7 +606,9 @@ func getJSONPrintedEntry(idx int) string {
       "dns_names": [],
       "revision_number": "0",
       "store_svid": false,
-      "jwt_svid_ttl": 0
+      "jwt_svid_ttl": 0,
+      "jwt_svid_default_audience_policy": "JWT_SVID_AUDIENCE_POLICY_DEFAULT",
+      "jwt_svid_audience_policies": {}
     }`
 	case 3:
 		return `{
@@ -631,7 +637,9 @@ func getJSONPrintedEntry(idx int) string {
       "dns_names": [],
       "revision_number": "0",
       "store_svid": false,
-      "jwt_svid_ttl": 0
+      "jwt_svid_ttl": 0,
+      "jwt_svid_default_audience_policy": "JWT_SVID_AUDIENCE_POLICY_DEFAULT",
+      "jwt_svid_audience_policies": {}
     }`
 	default:
 		return "index should be lower than 4"

cmd/spire-server/cli/entry/update.go

@@ -70,6 +70,12 @@ type updateCommand struct {
 	// Entry hint, used to disambiguate entries with the same SPIFFE ID
 	hint string
 
+	// JWT-SVID default audience policy
+	jwtSVIDDefaultAudiencePolicy string
+
+	// JWT-SVID per-audience policies
+	jwtSVIDAudiencePolicies AudiencePolicyFlag
+
 	printer cliprinter.Printer
 
 	env *commoncli.Env
@@ -98,6 +104,8 @@ func (c *updateCommand) AppendFlags(f *flag.FlagSet) {
 	f.Int64Var(&c.entryExpiry, "entryExpiry", 0, "An expiry, from epoch in seconds, for the resulting registration entry to be pruned")
 	f.Var(&c.dnsNames, "dns", "A DNS name that will be included in SVIDs issued based on this entry, where appropriate. Can be used more than once")
 	f.StringVar(&c.hint, "hint", "", "The entry hint, used to disambiguate entries with the same SPIFFE ID")
+	f.StringVar(&c.jwtSVIDDefaultAudiencePolicy, "jwtSVIDDefaultAudiencePolicy", "", "Default JWT-SVID audience policy for audiences not explicitly configured. One of: default, auditable, unique")
+	f.Var(&c.jwtSVIDAudiencePolicies, "jwtSVIDAudiencePolicy", "Per-audience JWT-SVID policy in the format 'audience:policy' where policy is one of: default, auditable, unique. Can be used more than once")
 	cliprinter.AppendFlagWithCustomPretty(&c.printer, f, c.env, prettyPrintUpdate)
 }
 
@@ -181,16 +189,23 @@ func (c *updateCommand) parseConfig() ([]*types.Entry, error) {
 		return nil, fmt.Errorf("invalid value for JWT SVID TTL: %w", err)
 	}
 
+	jwtSvidDefaultAudiencePolicy, err := parseJWTSVIDAudiencePolicy(c.jwtSVIDDefaultAudiencePolicy)
+	if err != nil {
+		return nil, err
+	}
+
 	e := &types.Entry{
-		Id:          c.entryID,
-		ParentId:    parentID,
-		SpiffeId:    spiffeID,
-		Downstream:  c.downstream,
-		ExpiresAt:   c.entryExpiry,
-		DnsNames:    c.dnsNames,
-		X509SvidTtl: x509SvidTTL,
-		JwtSvidTtl:  jwtSvidTTL,
-		Hint:        c.hint,
+		Id:                           c.entryID,
+		ParentId:                     parentID,
+		SpiffeId:                     spiffeID,
+		Downstream:                   c.downstream,
+		ExpiresAt:                    c.entryExpiry,
+		DnsNames:                     c.dnsNames,
+		X509SvidTtl:                  x509SvidTTL,
+		JwtSvidTtl:                   jwtSvidTTL,
+		Hint:                         c.hint,
+		JwtSvidDefaultAudiencePolicy: jwtSvidDefaultAudiencePolicy,
+		JwtSvidAudiencePolicies:      c.jwtSVIDAudiencePolicies,
 	}
 
 	selectors := []*types.Selector{}

cmd/spire-server/cli/entry/update_test.go

@@ -61,7 +61,9 @@ func TestUpdate(t *testing.T) {
         ],
         "revision_number": "0",
         "store_svid": true,
-        "jwt_svid_ttl": 30
+        "jwt_svid_ttl": 30,
+      "jwt_svid_default_audience_policy": "JWT_SVID_AUDIENCE_POLICY_DEFAULT",
+      "jwt_svid_audience_policies": {}
       }`
 	entry0AdminJSON := `{
         "id": "entry-id",
@@ -99,7 +101,9 @@ func TestUpdate(t *testing.T) {
         ],
         "revision_number": "0",
         "store_svid": false,
-        "jwt_svid_ttl": 30
+        "jwt_svid_ttl": 30,
+      "jwt_svid_default_audience_policy": "JWT_SVID_AUDIENCE_POLICY_DEFAULT",
+      "jwt_svid_audience_policies": {}
       }`
 	entry1JSON := `{
         "id": "entry-id-1",
@@ -127,7 +131,9 @@ func TestUpdate(t *testing.T) {
         "dns_names": [],
         "revision_number": "0",
         "store_svid": false,
-        "jwt_svid_ttl": 300
+        "jwt_svid_ttl": 300,
+        "jwt_svid_default_audience_policy": "JWT_SVID_AUDIENCE_POLICY_DEFAULT",
+        "jwt_svid_audience_policies": {}
       }
     }`
 	entry2JSON := `{
@@ -156,7 +162,9 @@ func TestUpdate(t *testing.T) {
         "dns_names": [],
         "revision_number": "0",
         "store_svid": false,
-        "jwt_svid_ttl": 300
+        "jwt_svid_ttl": 300,
+        "jwt_svid_default_audience_policy": "JWT_SVID_AUDIENCE_POLICY_DEFAULT",
+        "jwt_svid_audience_policies": {}
       }
     }`
 	entry3JSON := `{
@@ -189,7 +197,9 @@ func TestUpdate(t *testing.T) {
         "dns_names": [],
         "revision_number": "0",
         "store_svid": true,
-        "jwt_svid_ttl": 300
+        "jwt_svid_ttl": 300,
+      "jwt_svid_default_audience_policy": "JWT_SVID_AUDIENCE_POLICY_DEFAULT",
+      "jwt_svid_audience_policies": {}
       }`
 	nonExistentEntryJSON := `{
         "id": "non-existent-id",
@@ -217,7 +227,9 @@ func TestUpdate(t *testing.T) {
         "dns_names": [],
         "revision_number": "0",
         "store_svid": false,
-        "x509_svid_ttl": 0
+        "x509_svid_ttl": 0,
+        "jwt_svid_default_audience_policy": "JWT_SVID_AUDIENCE_POLICY_DEFAULT",
+        "jwt_svid_audience_policies": {}
       }`
 
 	entry1 := &types.Entry{

cmd/spire-server/cli/entry/util.go

@@ -5,6 +5,8 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"sort"
+	"strings"
 	"time"
 
 	"github.com/spiffe/go-spiffe/v2/spiffeid"
@@ -63,6 +65,23 @@ func printEntry(e *types.Entry, printf func(string, ...any) error) {
 		_ = printf("Hint             : %s\n", e.Hint)
 	}
 
+	// Only show JWT-SVID audience policies if configured
+	if e.JwtSvidDefaultAudiencePolicy != types.JWTSVIDAudiencePolicy_JWT_SVID_AUDIENCE_POLICY_DEFAULT {
+		_ = printf("JWT Default Policy: %s\n", jwtSVIDAudiencePolicyName(e.JwtSvidDefaultAudiencePolicy))
+	}
+	if len(e.JwtSvidAudiencePolicies) > 0 {
+		// Sort audiences for consistent output
+		audiences := make([]string, 0, len(e.JwtSvidAudiencePolicies))
+		for aud := range e.JwtSvidAudiencePolicies {
+			audiences = append(audiences, aud)
+		}
+		sort.Strings(audiences)
+		for _, aud := range audiences {
+			policy := e.JwtSvidAudiencePolicies[aud]
+			_ = printf("JWT Aud Policy   : %s:%s\n", aud, jwtSVIDAudiencePolicyName(policy))
+		}
+	}
+
 	_ = printf("\n")
 }
 
@@ -137,3 +156,63 @@ func (s *StringsFlag) Set(val string) error {
 	*s = append(*s, val)
 	return nil
 }
+
+// AudiencePolicyFlag defines a custom type for audience:policy pairs.
+// Format: "audience:policy" where policy is one of: default, auditable, unique
+type AudiencePolicyFlag map[string]types.JWTSVIDAudiencePolicy
+
+// String returns the string representation of the flag.
+func (a *AudiencePolicyFlag) String() string {
+	return fmt.Sprint(*a)
+}
+
+// Set parses and appends an audience:policy pair.
+func (a *AudiencePolicyFlag) Set(val string) error {
+	parts := strings.SplitN(val, ":", 2)
+	if len(parts) != 2 {
+		return fmt.Errorf("invalid audience policy format %q, expected audience:policy", val)
+	}
+
+	audience := parts[0]
+	if audience == "" {
+		return fmt.Errorf("audience cannot be empty in %q", val)
+	}
+
+	policy, err := parseJWTSVIDAudiencePolicy(parts[1])
+	if err != nil {
+		return err
+	}
+
+	if *a == nil {
+		*a = make(map[string]types.JWTSVIDAudiencePolicy)
+	}
+	(*a)[audience] = policy
+	return nil
+}
+
+// parseJWTSVIDAudiencePolicy parses a policy string into the enum value.
+func parseJWTSVIDAudiencePolicy(s string) (types.JWTSVIDAudiencePolicy, error) {
+	switch strings.ToLower(s) {
+	case "default", "":
+		return types.JWTSVIDAudiencePolicy_JWT_SVID_AUDIENCE_POLICY_DEFAULT, nil
+	case "auditable":
+		return types.JWTSVIDAudiencePolicy_JWT_SVID_AUDIENCE_POLICY_AUDITABLE, nil
+	case "unique":
+		return types.JWTSVIDAudiencePolicy_JWT_SVID_AUDIENCE_POLICY_UNIQUE, nil
+	default:
+		return types.JWTSVIDAudiencePolicy_JWT_SVID_AUDIENCE_POLICY_DEFAULT,
+			fmt.Errorf("invalid JWT-SVID audience policy %q, must be one of: default, auditable, unique", s)
+	}
+}
+
+// jwtSVIDAudiencePolicyName returns the human-readable name of the policy.
+func jwtSVIDAudiencePolicyName(p types.JWTSVIDAudiencePolicy) string {
+	switch p {
+	case types.JWTSVIDAudiencePolicy_JWT_SVID_AUDIENCE_POLICY_AUDITABLE:
+		return "auditable"
+	case types.JWTSVIDAudiencePolicy_JWT_SVID_AUDIENCE_POLICY_UNIQUE:
+		return "unique"
+	default:
+		return "default"
+	}
+}