Refactor SPIFFE from pkg/security to kit (dapr#7669)

* Refactor SPIFFE from `pkg/security` to `kit`

Updates the `pkg/security` package to move the SPIFFE implementation to
a new kit package. This new kit package is more modulated and fuller
test coverage. This package has been moved so that it can be both
imported by dapr & components-contrib, as well as making the package
more suitable for further development to support X.509 Component auth.

dapr/proposals#51

Also moves in test/utils from dapr to crypto/test for shared usage.

Part of dapr/proposals#51

Uses go mod fork of dapr/kit#92

Signed-off-by: joshvanl <[email protected]>

* Include SVID context with `Init`ing Component

Signed-off-by: joshvanl <[email protected]>

* Adds security to processor options

Signed-off-by: joshvanl <[email protected]>

* Update github.com/dapr/dapr to master

Signed-off-by: joshvanl <[email protected]>

* Update `util` to new `test` package import

Signed-off-by: joshvanl <[email protected]>

* Update go.sum

Signed-off-by: joshvanl <[email protected]>

---------

Signed-off-by: joshvanl <[email protected]>

cmd/injector/app/app.go

@@ -91,7 +91,7 @@ func Run() {
 		SentryAddress:           cfg.SentryAddress,
 		ControlPlaneTrustDomain: cfg.ControlPlaneTrustDomain,
 		ControlPlaneNamespace:   namespace,
-		TrustAnchorsFile:        cfg.TrustAnchorsFile,
+		TrustAnchorsFile:        &cfg.TrustAnchorsFile,
 		AppID:                   "dapr-injector",
 		MTLSEnabled:             true,
 		Mode:                    modes.KubernetesMode,
@@ -165,7 +165,7 @@ func Run() {
 				return rerr
 			}
 
-			caBundle, rErr := sec.CurrentTrustAnchors()
+			caBundle, rErr := sec.CurrentTrustAnchors(ctx)
 			if rErr != nil {
 				return rErr
 			}

cmd/placement/app/app.go

@@ -74,7 +74,7 @@ func Run() {
 		SentryAddress:           opts.SentryAddress,
 		ControlPlaneTrustDomain: opts.TrustDomain,
 		ControlPlaneNamespace:   security.CurrentNamespace(),
-		TrustAnchorsFile:        opts.TrustAnchorsFile,
+		TrustAnchorsFile:        &opts.TrustAnchorsFile,
 		AppID:                   "dapr-placement",
 		MTLSEnabled:             opts.TLSEnabled,
 		Mode:                    modes.DaprMode(opts.Mode),

go.mod

@@ -11,7 +11,7 @@ require (
 	github.com/cenkalti/backoff/v4 v4.2.1
 	github.com/cloudevents/sdk-go/v2 v2.14.0
 	github.com/dapr/components-contrib v1.13.0-rc.2.0.20240503231149-1f46231d875c
-	github.com/dapr/kit v0.13.1-0.20240402103809-0c7cfce53d9e
+	github.com/dapr/kit v0.13.1-0.20240415171926-a3f906d60908
 	github.com/evanphx/json-patch/v5 v5.8.1
 	github.com/go-chi/chi/v5 v5.0.11
 	github.com/go-chi/cors v1.2.1
@@ -45,7 +45,7 @@ require (
 	github.com/sony/gobreaker v0.5.0
 	github.com/spf13/cast v1.6.0
 	github.com/spf13/pflag v1.0.5
-	github.com/spiffe/go-spiffe/v2 v2.1.6
+	github.com/spiffe/go-spiffe/v2 v2.1.7
 	github.com/stretchr/testify v1.9.0
 	github.com/valyala/fasthttp v1.51.0
 	go.mongodb.org/mongo-driver v1.12.1
@@ -66,7 +66,6 @@ require (
 	google.golang.org/genproto/googleapis/api v0.0.0-20231120223509-83a465c0220f
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20231212172506-995d672761c0
 	google.golang.org/grpc v1.60.1
-	google.golang.org/grpc/examples v0.0.0-20230224211313-3775f633ce20
 	google.golang.org/protobuf v1.33.0
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/api v0.28.4
@@ -414,6 +413,7 @@ require (
 	google.golang.org/api v0.149.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/genproto v0.0.0-20231211222908-989df2bf70f3 // indirect
+	google.golang.org/grpc/examples v0.0.0-20230224211313-3775f633ce20 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/couchbase/gocb.v1 v1.6.7 // indirect
 	gopkg.in/couchbase/gocbcore.v7 v7.1.18 // indirect

go.sum

@@ -121,8 +121,8 @@ github.com/HdrHistogram/hdrhistogram-go v1.1.2/go.mod h1:yDgFjdqOqDEKOvasDdhWNXY
 github.com/IBM/sarama v1.42.2 h1:VoY4hVIZ+WQJ8G9KNY/SQlWguBQXQ9uvFPOnrcu8hEw=
 github.com/IBM/sarama v1.42.2/go.mod h1:FLPGUGwYqEs62hq2bVG6Io2+5n+pS6s/WOXVKWSLFtE=
 github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0=
-github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2yDvg=
-github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE=
+github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
+github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
 github.com/Netflix/go-env v0.0.0-20220526054621-78278af1949d h1:wvStE9wLpws31NiWUx+38wny1msZ/tm+eL5xmm4Y7So=
 github.com/Netflix/go-env v0.0.0-20220526054621-78278af1949d/go.mod h1:9XMFaCeRyW7fC9XJOWQ+NdAv8VLG7ys7l3x4ozEGLUQ=
 github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
@@ -439,8 +439,8 @@ github.com/danieljoos/wincred v1.1.2 h1:QLdCxFs1/Yl4zduvBdcHB8goaYk9RARS2SgLLRuA
 github.com/danieljoos/wincred v1.1.2/go.mod h1:GijpziifJoIBfYh+S7BbkdUTU4LfM+QnGqR5Vl2tAx0=
 github.com/dapr/components-contrib v1.13.0-rc.2.0.20240503231149-1f46231d875c h1:vzu6TjW2XYZAQY+g9fHmTzOGYNB1lPvRAun7YLV73Nk=
 github.com/dapr/components-contrib v1.13.0-rc.2.0.20240503231149-1f46231d875c/go.mod h1:8/+3UcZLcNytOKLXPpseDT3gB0Mo4ryoMaiud+9u60k=
-github.com/dapr/kit v0.13.1-0.20240402103809-0c7cfce53d9e h1:mLvqfGuppb6uhsijmwTlF5sZVtGvig+Ua5ESKF17SxA=
-github.com/dapr/kit v0.13.1-0.20240402103809-0c7cfce53d9e/go.mod h1:dons8V2bF6MPR2yFdxtTa86PfaE7EJtKAOkZ9hOavBQ=
+github.com/dapr/kit v0.13.1-0.20240415171926-a3f906d60908 h1:8Bs9nVJh00BVNJxsB5Djf0xICW53kiKi3QL/jZ5qp8s=
+github.com/dapr/kit v0.13.1-0.20240415171926-a3f906d60908/go.mod h1:LkPZyrSpa2xLBgYMwUhDbWZcZVt/WdL7FSPlN0PrSog=
 github.com/dave/jennifer v1.4.0/go.mod h1:fIb+770HOpJ2fmN9EPPKOqm1vMGhB+TwXKMZhrIygKg=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -579,8 +579,8 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=
 github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
-github.com/go-jose/go-jose/v3 v3.0.0 h1:s6rrhirfEP/CGIoc6p+PZAeogN2SxKav6Wp7+dyMWVo=
-github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
+github.com/go-jose/go-jose/v3 v3.0.1 h1:pWmKFVtt+Jl0vBZTIpz/eAKwsm6LkIxDVVbFHKkchhA=
+github.com/go-jose/go-jose/v3 v3.0.1/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.10.0 h1:dXFJfIHVvUcpSgDOV+Ne6t7jXri8Tfv2uOLHUZ2XNuo=
@@ -1522,8 +1522,8 @@ github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5q
 github.com/spf13/viper v1.7.1/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
 github.com/spf13/viper v1.15.0 h1:js3yy885G8xwJa6iOISGFwd+qlUo5AvyXb7CiihdtiU=
 github.com/spf13/viper v1.15.0/go.mod h1:fFcTBJxvhhzSJiZy8n+PeW6t8l+KeT/uTARa0jHOQLA=
-github.com/spiffe/go-spiffe/v2 v2.1.6 h1:4SdizuQieFyL9eNU+SPiCArH4kynzaKOOj0VvM8R7Xo=
-github.com/spiffe/go-spiffe/v2 v2.1.6/go.mod h1:eVDqm9xFvyqao6C+eQensb9ZPkyNEeaUbqbBpOhBnNk=
+github.com/spiffe/go-spiffe/v2 v2.1.7 h1:VUkM1yIyg/x8X7u1uXqSRVRCdMdfRIEdFBzpqoeASGk=
+github.com/spiffe/go-spiffe/v2 v2.1.7/go.mod h1:QJDGdhXllxjxvd5B+2XnhhXB/+rC8gr+lNrtOryiWeE=
 github.com/stealthrocket/wasi-go v0.8.1-0.20230912180546-8efbab50fb58 h1:mTC4gyv3lcJ1XpzZMAckqkvWUqeT5Bva4RAT1IoHAAA=
 github.com/stealthrocket/wasi-go v0.8.1-0.20230912180546-8efbab50fb58/go.mod h1:ZAYCOqLJkc9P6fcq14TV4cf+gJ2fHthp9kCGxBViagE=
 github.com/stealthrocket/wazergo v0.19.1 h1:BPrITETPgSFwiytwmToO0MbUC/+RGC39JScz1JmmG6c=

pkg/actors/placement/client_test.go

@@ -161,7 +161,7 @@ func testSecurity(t *testing.T) security.Handler {
 		ControlPlaneTrustDomain: "test.example.com",
 		ControlPlaneNamespace:   "default",
 		MTLSEnabled:             false,
-		OverrideCertRequestSource: func(context.Context, []byte) ([]*x509.Certificate, error) {
+		OverrideCertRequestFn: func(context.Context, []byte) ([]*x509.Certificate, error) {
 			return []*x509.Certificate{nil}, nil
 		},
 	})

pkg/injector/service/handler_test.go

@@ -15,6 +15,7 @@ package service
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"io"
 	"net/http"
@@ -52,7 +53,7 @@ func TestHandleRequest(t *testing.T) {
 
 	require.NoError(t, err)
 	injector := i.(*injector)
-	injector.currentTrustAnchors = func() ([]byte, error) {
+	injector.currentTrustAnchors = func(context.Context) ([]byte, error) {
 		return nil, nil
 	}
 

pkg/injector/service/injector.go

@@ -56,7 +56,7 @@ var AllowedServiceAccountInfos = []string{
 }
 
 type (
-	currentTrustAnchorsFn func() (ca []byte, err error)
+	currentTrustAnchorsFn func(context.Context) (ca []byte, err error)
 )
 
 // Injector is the interface for the Dapr runtime sidecar injection component.

pkg/injector/service/pod_patch.go

@@ -51,7 +51,7 @@ func (i *injector) getPodPatchOperations(ctx context.Context, ar *admissionv1.Ad
 	sentryAddress := patcher.ServiceSentry.Address(i.config.Namespace, i.config.KubeClusterDomain)
 	operatorAddress := patcher.ServiceAPI.Address(i.config.Namespace, i.config.KubeClusterDomain)
 
-	trustAnchors, err := i.currentTrustAnchors()
+	trustAnchors, err := i.currentTrustAnchors(ctx)
 	if err != nil {
 		return nil, err
 	}

pkg/operator/api/api_test.go

@@ -42,7 +42,7 @@ import (
 	"github.com/dapr/dapr/pkg/operator/api/informer"
 	informerfake "github.com/dapr/dapr/pkg/operator/api/informer/fake"
 	operatorv1pb "github.com/dapr/dapr/pkg/proto/operator/v1"
-	"github.com/dapr/dapr/tests/util"
+	"github.com/dapr/kit/crypto/test"
 )
 
 type mockComponentUpdateServer struct {
@@ -196,7 +196,7 @@ func TestProcessComponentSecrets(t *testing.T) {
 func TestComponentUpdate(t *testing.T) {
 	appID := spiffeid.RequireFromString("spiffe://example.org/ns/ns1/app1")
 	serverID := spiffeid.RequireFromString("spiffe://example.org/ns/dapr-system/dapr-operator")
-	pki := util.GenPKI(t, util.PKIOptions{
+	pki := test.GenPKI(t, test.PKIOptions{
 		LeafID:   serverID,
 		ClientID: appID,
 	})
@@ -317,7 +317,7 @@ func TestComponentUpdate(t *testing.T) {
 func TestHTTPEndpointUpdate(t *testing.T) {
 	appID := spiffeid.RequireFromString("spiffe://example.org/ns/ns1/app1")
 	serverID := spiffeid.RequireFromString("spiffe://example.org/ns/dapr-system/dapr-operator")
-	pki := util.GenPKI(t, util.PKIOptions{
+	pki := test.GenPKI(t, test.PKIOptions{
 		LeafID:   serverID,
 		ClientID: appID,
 	})
@@ -411,7 +411,7 @@ func TestHTTPEndpointUpdate(t *testing.T) {
 func TestListScopes(t *testing.T) {
 	appID := spiffeid.RequireFromString("spiffe://example.org/ns/namespace-a/app1")
 	serverID := spiffeid.RequireFromString("spiffe://example.org/ns/dapr-system/dapr-operator")
-	pki := util.GenPKI(t, util.PKIOptions{
+	pki := test.GenPKI(t, test.PKIOptions{
 		LeafID:   serverID,
 		ClientID: appID,
 	})
@@ -482,7 +482,7 @@ func TestListScopes(t *testing.T) {
 func TestListsNamespaced(t *testing.T) {
 	appID := spiffeid.RequireFromString("spiffe://example.org/ns/namespace-a/app1")
 	serverID := spiffeid.RequireFromString("spiffe://example.org/ns/dapr-system/dapr-operator")
-	pki := util.GenPKI(t, util.PKIOptions{
+	pki := test.GenPKI(t, test.PKIOptions{
 		LeafID:   serverID,
 		ClientID: appID,
 	})

pkg/operator/api/authz/authz_test.go

@@ -24,13 +24,13 @@ import (
 	"google.golang.org/grpc/status"
 
 	"github.com/dapr/dapr/pkg/security/spiffe"
-	"github.com/dapr/dapr/tests/util"
+	"github.com/dapr/kit/crypto/test"
 )
 
 func Test_Request(t *testing.T) {
 	appID := spiffeid.RequireFromString("spiffe://example.org/ns/ns1/app1")
 	serverID := spiffeid.RequireFromString("spiffe://example.org/ns/dapr-system/dapr-operator")
-	pki := util.GenPKI(t, util.PKIOptions{LeafID: serverID, ClientID: appID})
+	pki := test.GenPKI(t, test.PKIOptions{LeafID: serverID, ClientID: appID})
 
 	t.Run("no auth context should error", func(t *testing.T) {
 		id, err := Request(context.Background(), "ns1")
@@ -55,7 +55,7 @@ func Test_Request(t *testing.T) {
 
 	t.Run("invalid SPIFFE path should error", func(t *testing.T) {
 		appID := spiffeid.RequireFromString("spiffe://example.org/foo/bar")
-		pki2 := util.GenPKI(t, util.PKIOptions{LeafID: serverID, ClientID: appID})
+		pki2 := test.GenPKI(t, test.PKIOptions{LeafID: serverID, ClientID: appID})
 		id, err := Request(pki2.ClientGRPCCtx(t), "ns1")
 		require.Error(t, err)
 		assert.Equal(t, codes.PermissionDenied, status.Code(err))

pkg/operator/api/informer/informer_test.go

@@ -30,14 +30,14 @@ import (
 	compapi "github.com/dapr/dapr/pkg/apis/components/v1alpha1"
 	subapi "github.com/dapr/dapr/pkg/apis/subscriptions/v2alpha1"
 	"github.com/dapr/dapr/pkg/proto/operator/v1"
-	"github.com/dapr/dapr/tests/util"
+	"github.com/dapr/kit/crypto/test"
 )
 
 func Test_WatchUpdates(t *testing.T) {
 	t.Run("bad authz should error", func(t *testing.T) {
 		appID := spiffeid.RequireFromString("spiffe://example.org/ns/ns1/app1")
 		serverID := spiffeid.RequireFromString("spiffe://example.org/ns/dapr-system/dapr-operator")
-		pki := util.GenPKI(t, util.PKIOptions{LeafID: serverID, ClientID: appID})
+		pki := test.GenPKI(t, test.PKIOptions{LeafID: serverID, ClientID: appID})
 
 		i := New[compapi.Component](Options{}).(*informer[compapi.Component])
 
@@ -55,7 +55,7 @@ func Test_WatchUpdates(t *testing.T) {
 	t.Run("should receive app events on batch events in order", func(t *testing.T) {
 		appID := spiffeid.RequireFromString("spiffe://example.org/ns/ns1/app1")
 		serverID := spiffeid.RequireFromString("spiffe://example.org/ns/dapr-system/dapr-operator")
-		pki := util.GenPKI(t, util.PKIOptions{LeafID: serverID, ClientID: appID})
+		pki := test.GenPKI(t, test.PKIOptions{LeafID: serverID, ClientID: appID})
 
 		i := New[compapi.Component](Options{}).(*informer[compapi.Component])
 		t.Cleanup(func() { close(i.closeCh) })

pkg/operator/operator.go

@@ -105,7 +105,7 @@ func NewOperator(ctx context.Context, opts Options) (Operator, error) {
 		SentryAddress:           config.SentryAddress,
 		ControlPlaneTrustDomain: config.ControlPlaneTrustDomain,
 		ControlPlaneNamespace:   security.CurrentNamespace(),
-		TrustAnchorsFile:        opts.TrustAnchorsFile,
+		TrustAnchorsFile:        &opts.TrustAnchorsFile,
 		AppID:                   "dapr-operator",
 		// mTLS is always enabled for the operator.
 		MTLSEnabled: true,
@@ -299,7 +299,7 @@ func (o *operator) Run(ctx context.Context) error {
 				return rErr
 			}
 
-			caBundle, rErr := sec.CurrentTrustAnchors()
+			caBundle, rErr := sec.CurrentTrustAnchors(ctx)
 			if rErr != nil {
 				return rErr
 			}

pkg/runtime/processor/binding/init_test.go

@@ -28,6 +28,7 @@ import (
 	"github.com/dapr/dapr/pkg/runtime/meta"
 	"github.com/dapr/dapr/pkg/runtime/processor"
 	"github.com/dapr/dapr/pkg/runtime/registry"
+	"github.com/dapr/dapr/pkg/security/fake"
 	daprt "github.com/dapr/dapr/pkg/testing"
 	"github.com/dapr/kit/logger"
 )
@@ -47,6 +48,7 @@ func TestInitBindings(t *testing.T) {
 			GlobalConfig:   new(config.Configuration),
 			Meta:           meta.New(meta.Options{}),
 			GRPC:           manager.NewManager(nil, modes.StandaloneMode, &manager.AppChannelConfig{Port: 0}),
+			Security:       fake.New(),
 		})
 
 		c := compapi.Component{}
@@ -69,6 +71,7 @@ func TestInitBindings(t *testing.T) {
 			ComponentStore: compstore.New(),
 			GlobalConfig:   new(config.Configuration),
 			Meta:           meta.New(meta.Options{}),
+			Security:       fake.New(),
 		})
 
 		c := compapi.Component{}
@@ -99,6 +102,7 @@ func TestInitBindings(t *testing.T) {
 			GlobalConfig:   new(config.Configuration),
 			Meta:           meta.New(meta.Options{}),
 			GRPC:           manager.NewManager(nil, modes.StandaloneMode, &manager.AppChannelConfig{Port: 0}),
+			Security:       fake.New(),
 		})
 
 		input := compapi.Component{}
@@ -124,6 +128,7 @@ func TestInitBindings(t *testing.T) {
 			GlobalConfig:   new(config.Configuration),
 			Meta:           meta.New(meta.Options{}),
 			GRPC:           manager.NewManager(nil, modes.StandaloneMode, &manager.AppChannelConfig{Port: 0}),
+			Security:       fake.New(),
 		})
 
 		c := compapi.Component{}

pkg/runtime/processor/binding/send_test.go

@@ -183,7 +183,7 @@ func TestGetSubscribedBindingsGRPC(t *testing.T) {
 		ControlPlaneTrustDomain: "test.example.com",
 		ControlPlaneNamespace:   "default",
 		MTLSEnabled:             false,
-		OverrideCertRequestSource: func(context.Context, []byte) ([]*x509.Certificate, error) {
+		OverrideCertRequestFn: func(context.Context, []byte) ([]*x509.Certificate, error) {
 			return []*x509.Certificate{nil}, nil
 		},
 	})

pkg/runtime/processor/components.go

@@ -40,7 +40,7 @@ func (p *Processor) Init(ctx context.Context, comp componentsapi.Component) erro
 		return err
 	}
 
-	if err := m.Init(ctx, comp); err != nil {
+	if err := m.Init(p.security.WithSVIDContext(ctx), comp); err != nil {
 		return errors.Join(err, p.compStore.DropPendingComponent())
 	}
 

pkg/runtime/processor/processor.go

@@ -42,6 +42,7 @@ import (
 	"github.com/dapr/dapr/pkg/runtime/processor/state"
 	"github.com/dapr/dapr/pkg/runtime/processor/wfbackend"
 	"github.com/dapr/dapr/pkg/runtime/registry"
+	"github.com/dapr/dapr/pkg/security"
 	"github.com/dapr/kit/concurrency"
 	"github.com/dapr/kit/logger"
 )
@@ -93,6 +94,8 @@ type Options struct {
 	OperatorClient operatorv1.OperatorClient
 
 	MiddlewareHTTP *http.HTTP
+
+	Security security.Handler
 }
 
 // Processor manages the lifecycle of all components categories.
@@ -105,6 +108,7 @@ type Processor struct {
 	pubsub          PubsubManager
 	binding         BindingManager
 	workflowBackend WorkflowBackendManager
+	security        security.Handler
 
 	pendingHTTPEndpoints       chan httpendpointsapi.HTTPEndpoint
 	pendingComponents          chan componentsapi.Component
@@ -182,6 +186,7 @@ func New(opts Options) *Processor {
 		binding:                    binding,
 		secret:                     secret,
 		workflowBackend:            wfbe,
+		security:                   opts.Security,
 		managers: map[components.Category]manager{
 			components.CategoryBindings: binding,
 			components.CategoryConfiguration: configuration.New(configuration.Options{

pkg/runtime/processor/processor_test.go

@@ -39,6 +39,7 @@ import (
 	"github.com/dapr/dapr/pkg/runtime/meta"
 	rtmock "github.com/dapr/dapr/pkg/runtime/mock"
 	"github.com/dapr/dapr/pkg/runtime/registry"
+	"github.com/dapr/dapr/pkg/security/fake"
 	daprt "github.com/dapr/dapr/pkg/testing"
 	"github.com/dapr/kit/logger"
 )
@@ -63,6 +64,7 @@ func newTestProcWithID(id string) (*Processor, *registry.Registry) {
 		GRPC:           nil,
 		Channels:       new(channels.Channels),
 		GlobalConfig:   new(config.Configuration),
+		Security:       fake.New(),
 	}), reg
 }
 

pkg/runtime/processor/state/state_test.go

@@ -38,6 +38,7 @@ import (
 	"github.com/dapr/dapr/pkg/runtime/mock"
 	"github.com/dapr/dapr/pkg/runtime/processor"
 	"github.com/dapr/dapr/pkg/runtime/registry"
+	"github.com/dapr/dapr/pkg/security/fake"
 	daprt "github.com/dapr/dapr/pkg/testing"
 	"github.com/dapr/kit/logger"
 )
@@ -50,6 +51,7 @@ func TestInitState(t *testing.T) {
 		ComponentStore: compStore,
 		GlobalConfig:   new(config.Configuration),
 		Meta:           meta.New(meta.Options{Mode: modes.StandaloneMode}),
+		Security:       fake.New(),
 	})
 
 	bytes := make([]byte, 32)

pkg/runtime/runtime.go

@@ -197,6 +197,7 @@ func newDaprRuntime(ctx context.Context,
 		GRPC:           grpc,
 		Channels:       channels,
 		MiddlewareHTTP: httpMiddleware,
+		Security:       sec,
 	})
 
 	var reloader *hotreload.Reloader