Skip to content

fix(spiffeid): tighten path validation and segment construction#420

Merged
maxlambrecht merged 4 commits intospiffe:mainfrom
maxlambrecht:fix/spiffeid-path-segments
Mar 26, 2026
Merged

fix(spiffeid): tighten path validation and segment construction#420
maxlambrecht merged 4 commits intospiffe:mainfrom
maxlambrecht:fix/spiffeid-path-segments

Conversation

@maxlambrecht
Copy link
Copy Markdown
Member

@maxlambrecht maxlambrecht commented Mar 25, 2026

What

  • Require SpiffeId.validatePath() inputs to start with /
  • Validate path segments independently when building SPIFFE IDs from segments
  • Add tests for accepted non-DNS-shaped trust domains

Why

  • Align path validation with segment-based SPIFFE ID construction
  • Document and protect trust-domain edge cases allowed by the current SPIFFE spec

How tested

  • Updated unit tests in SpiffeIdTest and TrustDomainTest
  • Added coverage for path validation, segment-based ID creation, canonical casing, and accepted non-DNS-shaped trust domains

@maxlambrecht maxlambrecht requested a review from rturner3 as a code owner March 25, 2026 18:22
@maxlambrecht maxlambrecht requested a review from Copilot March 25, 2026 18:22
Copilot AI reviewed Mar 25, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR tightens SPIFFE ID path validation to align SpiffeId.validatePath() with segment-based SPIFFE ID construction, and expands tests to document trust-domain edge cases allowed by the SPIFFE spec.

Changes:

  • Require SpiffeId.validatePath() inputs to start with / and validate segments more explicitly.
  • Validate segments independently in SpiffeId.fromSegments(...) (instead of validating as full paths).
  • Add/adjust unit tests for canonical casing and non-DNS-shaped trust domains (underscore, IPv4, and other edge shapes).

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File Description
java-spiffe-core/src/main/java/io/spiffe/spiffeid/SpiffeId.java Updates path validation and switches segment construction to validate each segment directly.
java-spiffe-core/src/test/java/io/spiffe/spiffeid/SpiffeIdTest.java Adds coverage for validatePath leading-slash rules, canonical casing, equality semantics, and non-DNS trust domains.
java-spiffe-core/src/test/java/io/spiffe/spiffeid/TrustDomainTest.java Adds coverage for non-DNS-shaped trust domains, underscore/IPv4 acceptance, and IPv6 rejection.
java-spiffe-core/src/test/java/io/spiffe/svid/jwtsvid/JwtSvidParseInsecureTest.java Updates SPIFFE ID construction to use segments ("host") instead of a path string ("/host").

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@maxlambrecht
fix(spiffeid): tighten path validation and segment construction
63c763d 
Signed-off-by: Max Lambrecht <maxlambrecht@gmail.com>
@maxlambrecht maxlambrecht force-pushed the fix/spiffeid-path-segments branch from 5024785 to 63c763d Compare March 25, 2026 18:31
rturner3
rturner3 reviewed Mar 25, 2026
View reviewed changes
@maxlambrecht
address PR comment
1f106be 
Signed-off-by: Max Lambrecht <maxlambrecht@gmail.com>
@maxlambrecht
Merge branch 'fix/spiffeid-path-segments' of https://github.com/maxla…
866b4fe 
…mbrecht/java-spiffe into fix/spiffeid-path-segments
@maxlambrecht maxlambrecht merged commit d688c39 into spiffe:main Mar 26, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@rturner3 rturner3 rturner3 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@maxlambrecht @rturner3