
Add --oidc-provider flag to specify which provider to use for ambient…
… credentials
priyawadhwa committed Jun 15, 2022
1 parent b01a173 commit d8149f8
Showing 10 changed files with 23 additions and 2 deletions.
1 change: 1 addition & 0 deletions cmd/cosign/cli/attest.go
Expand Up @@ -76,6 +76,7 @@ func Attest() *cobra.Command {
OIDCClientID: o.OIDC.ClientID,
OIDCClientSecret: oidcClientSecret,
OIDCRedirectURL: o.OIDC.RedirectURL,
OIDCProvider: o.OIDC.Provider,
}
for _, img := range args {
if err := attest.AttestCmd(cmd.Context(), ko, o.Registry, img, o.Cert, o.CertChain, o.NoUpload,
11 changes: 10 additions & 1 deletion cmd/cosign/cli/fulcio/fulcio.go
Expand Up @@ -124,9 +124,18 @@ func NewSigner(ctx context.Context, ko options.KeyOpts) (*Signer, error) {
}

idToken := ko.IDToken
var provider providers.Interface
// If token is not set in the options, get one from the provders
if idToken == "" && providers.Enabled(ctx) && !ko.OIDCDisableProviders {
idToken, err = providers.Provide(ctx, "sigstore")
if ko.OIDCProvider != "" {
provider, err = providers.ProvideFrom(ctx, ko.OIDCProvider)
if err != nil {
return nil, fmt.Errorf("getting provider: %w", err)
}
idToken, err = provider.Provide(ctx, "sigstore")
} else {
idToken, err = providers.Provide(ctx, "sigstore")
}
if err != nil {
return nil, fmt.Errorf("fetching ambient OIDC credentials: %w", err)
}
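Review bot: When `ko.OIDCProvider` is set but the enclosing condition `if idToken == "" && providers.Enabled(ctx) && !ko.OIDCDisableProviders` is false, the explicitly requested provider is silently ignored and NewSigner falls through to whatever credential flow follows the hunk; an explicit request that cannot be honoured should fail rather than quietly degrade to a different identity source. A guard ahead of that block, `if ko.OIDCProvider != "" && ko.OIDCDisableProviders { return nil, fmt.Errorf("OIDC provider %q requested but ambient providers are disabled", ko.OIDCProvider) }`, handles the conflicting-options case; the `providers.Enabled(ctx)` case presumably means the named provider is unavailable and may deserve the same treatment, depending on what Enabled checks. Separately, `var provider providers.Interface` is only used inside the `if ko.OIDCProvider != ""` branch and can be declared there, keeping `err` assigned with `=` so the check after the branch still sees it. NewSigner continues outside the hunk on both sides.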
3 changes: 2 additions & 1 deletion cmd/cosign/cli/options/key.go
Expand Up @@ -29,7 +29,8 @@ type KeyOpts struct {
OIDCClientID string
OIDCClientSecret string
OIDCRedirectURL string
OIDCDisableProviders bool // Disable OIDC credential providers in keyless signer
OIDCDisableProviders bool // Disable OIDC credential providers in keyless signer
OIDCProvider string // Specify which OIDC credential provider to use for keyless signer
BundlePath string
// FulcioAuthFlow is the auth flow to use when authenticating against
// Fulcio. See https://pkg.go.dev/github.com/sigstore/cosign/cmd/cosign/cli/fulcio#pkg-constants
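Review bot: The comment on the new `OIDCProvider` field says what it selects but not how it interacts with the neighbouring options, which is what a reader of KeyOpts needs; from the flag help text in options/oidc.go an empty value means every enabled provider is tried, and from fulcio.go the value is only consulted when ambient providers are enabled. Suggest `OIDCProvider string // Ambient OIDC credential provider for the keyless signer; empty tries all enabled providers, only consulted when ambient providers are enabled`. The KeyOpts struct continues outside the hunk.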
4 changes: 4 additions & 0 deletions cmd/cosign/cli/options/oidc.go
Expand Up @@ -32,6 +32,7 @@ type OIDCOptions struct {
ClientID string
clientSecretFile string
RedirectURL string
Provider string
DisableAmbientProviders bool
}

Expand Down Expand Up @@ -67,6 +68,9 @@ func (o *OIDCOptions) AddFlags(cmd *cobra.Command) {
cmd.Flags().StringVar(&o.RedirectURL, "oidc-redirect-url", "",
"[EXPERIMENTAL] OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.")

cmd.Flags().StringVar(&o.Provider, "oidc-provider", "",
"[EXPERIMENTAL] Specify the provider to get the OIDC token from (Optional). If unset, all options will be tried. Options include: [spiffe, google, github, filesystem]")

cmd.Flags().BoolVar(&o.DisableAmbientProviders, "oidc-disable-ambient-providers", false,
"[EXPERIMENTAL] Disable ambient OIDC providers. When true, ambient credentials will not be read")
}
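Review bot: The flag is registered for every command that embeds OIDCOptions, and the changed docs include cosign_sign-blob.md, yet no Go file in this commit copies `o.OIDC.Provider` into `KeyOpts` for sign-blob (only attest.go, policy_init.go and sign.go do); unless sign-blob builds its KeyOpts through a path not shown here, `--oidc-provider` would be accepted there and silently ignored, a mismatch a user pinning a specific identity provider will not notice until a different ambient credential is used. The help text's provider list `[spiffe, google, github, filesystem]` is also a hand-maintained copy of whatever the providers package registers and will drift as providers are added or renamed; if that package exposes its registered names, building the string from them keeps the two in sync, otherwise a comment next to the flag pointing at the registry is the minimum.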
1 change: 1 addition & 0 deletions cmd/cosign/cli/policy_init.go
Expand Up @@ -188,6 +188,7 @@ func signPolicy() *cobra.Command {
OIDCClientID: o.OIDC.ClientID,
OIDCClientSecret: oidcClientSecret,
OIDCRedirectURL: o.OIDC.RedirectURL,
OIDCProvider: o.OIDC.Provider,
})
if err != nil {
return err
1 change: 1 addition & 0 deletions cmd/cosign/cli/sign.go
Expand Up @@ -96,6 +96,7 @@ func Sign() *cobra.Command {
OIDCClientSecret: oidcClientSecret,
OIDCRedirectURL: o.OIDC.RedirectURL,
OIDCDisableProviders: o.OIDC.DisableAmbientProviders,
OIDCProvider: o.OIDC.Provider,
}
annotationsMap, err := o.AnnotationsMap()
if err != nil {
1 change: 1 addition & 0 deletions doc/cosign_attest.md


1 change: 1 addition & 0 deletions doc/cosign_policy_sign.md


1 change: 1 addition & 0 deletions doc/cosign_sign-blob.md


1 change: 1 addition & 0 deletions doc/cosign_sign.md

