From 7f7a8e1dbc60120880fc1f7053515407c4c1ed46 Mon Sep 17 00:00:00 2001
From: Noah Stride
Date: Mon, 9 Dec 2024 14:17:27 +0000
Subject: [PATCH] Add attrs
---
 .../workloadidentity/v1/issuer_service.proto | 4 +++
 .../workloadidentityv1/issuer_service.go | 33 +++++++++++++++++++
 2 files changed, 37 insertions(+)
diff --git a/api/proto/teleport/workloadidentity/v1/issuer_service.proto b/api/proto/teleport/workloadidentity/v1/issuer_service.proto
index 7456b598d572b..1b74b5ffbc300 100644
--- a/api/proto/teleport/workloadidentity/v1/issuer_service.proto
+++ b/api/proto/teleport/workloadidentity/v1/issuer_service.proto
@@ -91,3 +91,7 @@ message IssueWorkloadIdentityResponse {
 // The attributes provided by `tbot` regarding the workload's attestation.
 message WorkloadAttrs {}
+
+message JoinAttrs {}
+
+message Attrs {}
\ No newline at end of file
diff --git a/lib/auth/machineid/workloadidentityv1/issuer_service.go b/lib/auth/machineid/workloadidentityv1/issuer_service.go
index 5b4412f632816..1cc1e36325315 100644
--- a/lib/auth/machineid/workloadidentityv1/issuer_service.go
+++ b/lib/auth/machineid/workloadidentityv1/issuer_service.go
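Review bot: The new `JoinAttrs` and `Attrs` messages have no comment, while the neighbouring `WorkloadAttrs` documents who supplies its attributes; since these shape what the issuance rules will later match on, each should say where its fields come from, e.g. `// The attributes derived from the join process used by the Bot.` above `JoinAttrs` and `// The full set of attributes available for rule evaluation and templating.` above `Attrs`. The hunk also drops the trailing newline at end of file (the `\ No newline at end of file` marker), which most linters and `buf format` will flag.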
@@ -76,9 +76,42 @@ func NewIssuanceService(cfg *IssuanceServiceConfig) (*IssuanceService, error) {
 }, nil
 }
+func (s *IssuanceService) evaluateRules(wi *workloadidentityv1pb.WorkloadIdentity) error {
+ return trace.NotImplemented("not implemented")
+}
+
 func (s *IssuanceService) IssueWorkloadIdentity(
 ctx context.Context,
 req *workloadidentityv1pb.IssueWorkloadIdentityRequest,
 ) (*workloadidentityv1pb.IssueWorkloadIdentityResponse, error) {
+ _, err := s.authorizer.Authorize(ctx)
+ if err != nil {
+ return nil, trace.Wrap(err)
+ }
+
+ if req.GetName() == "" {
+ return nil, trace.BadParameter("name: is required")
+ }
+
+ // TODO: Enforce WorkloadIdentity labelling access control?
+ wi, err := s.cache.GetWorkloadIdentity(ctx, req.GetName())
+ if err != nil {
+ return nil, trace.Wrap(err)
+ }
+
+ // TODO: Build up workload identity evaluation context.
+
+ if err := s.evaluateRules(wi); err != nil {
+ return nil, trace.Wrap(err)
+ }
+
+ // TODO: Enforce rules
+
+ // TODO: Perform templating
+
+ // TODO: Issue X509 or JWT
+
+ // Return.
+ return nil, trace.NotImplemented("not implemented")
 }
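Review bot: The auth context returned by `s.authorizer.Authorize(ctx)` is discarded with `_`, so nothing between the `GetWorkloadIdentity` lookup and `evaluateRules` verifies that the caller is allowed to read that particular WorkloadIdentity; until the labelling TODO is done, any authenticated caller can presumably distinguish existing from non-existent names through the wrapped NotFound error. I would keep the context, `authCtx, err := s.authorizer.Authorize(ctx)`, and place the resource-level access check (the labelling check the TODO names) directly after the cache lookup and before any rule evaluation or templating, so the fetched resource never reaches later stages unchecked. Separately, `evaluateRules` has no doc comment and does not use `wi`; a one-line `// evaluateRules checks wi against the identity's issuance rules; currently a stub that always returns NotImplemented.` would make the stub status explicit to readers of the method.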