FIXME: Add Fulcio with user-provided OIDC token

This seems, at best, useful for debugging and as an escape hatch for other missing OIDC operations. FIXME: test this at least once manually. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
containers · Jan 9, 2023 · 6eafaba · 6eafaba
1 parent 02dbc1c
commit 6eafaba
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/signature/sigstore/fulcio/fulcio.go b/signature/sigstore/fulcio/fulcio.go
@@ -18,6 +18,7 @@ import (
 	"github.com/sigstore/sigstore/pkg/oauthflow"
 	sigstoreSignature "github.com/sigstore/sigstore/pkg/signature"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/oauth2"
 )
 
 // setupSignerWithFulcio updates s with a certificate generated by fulcioURL based on oidcIDToken
@@ -70,6 +71,32 @@ func setupSignerWithFulcio(s *internal.SigstoreSigner, fulcioURL *url.URL, oidcI
 	return nil
 }
 
+// WithFulcioAndPreexistingOIDCIDToken sets up signing to use a short-lived key and a Fulcio-issued certificate
+// based on a caller-provided OIDC ID token.
+func WithFulcioAndPreexistingOIDCIDToken(fulcioURL *url.URL, oidcIDToken string) internal.Option {
+	return func(s *internal.SigstoreSigner) error {
+		if s.PrivateKey != nil {
+			return fmt.Errorf("multiple private key sources specified when preparing to create sigstore signatures")
+		}
+
+		// This adds dependencies even just to parse the token. We could possibly reimplement that, and split this variant
+		// into a subpackage without the OIDC dependencies… but really, is this going to be used in significantly different situations
+		// than the two interactive OIDC authentication workflows?
+		//
+		// Are there any widely used tools to manually obtain an ID token? Why would there be?
+		// For long-term usage, users provisioning a static OIDC credential might just as well provision an already-generated certificate
+		// or something like that.
+		logrus.Debugf("Using a statically-provided OIDC token")
+		staticTokenGetter := oauthflow.StaticTokenGetter{RawToken: oidcIDToken}
+		oidcIDToken, err := staticTokenGetter.GetIDToken(nil, oauth2.Config{})
+		if err != nil {
+			return fmt.Errorf("parsing OIDC token: %w", err)
+		}
+
+		return setupSignerWithFulcio(s, fulcioURL, oidcIDToken)
+	}
+}
+
 // WithFulcioAndDeviceAuthorizationGrantOIDC sets up signing to use a short-lived key and a Fulcio-issued certificate
 // based on an OIDC ID token obtained using a device authorization grant (RFC 8628).
 //