Add auth flow option to KeyOpts. (sigstore#1827)

This change adds an option for callers to manually select the fulcio auth flow to go through. This allows callers that don't fit into the default heuristic to have some control over how cosign is invoked. For now, this is only added as a KeyOpt and not a flag, since this is currently only needed by tools calling the cosign libraries, not cosign itself. Flags can be added on later if needed. This change should not have any impact on existing cosign behavior. Signed-off-by: Billy Lynch <billy@chainguard.dev>
mlieberman85 · May 6, 2022 · 5fbdb82 · 5fbdb82
1 parent f06e34c
commit 5fbdb82
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/cmd/cosign/cli/fulcio/fulcio.go b/cmd/cosign/cli/fulcio/fulcio.go
@@ -138,6 +138,9 @@ func NewSigner(ctx context.Context, ko options.KeyOpts) (*Signer, error) {
 
 	var flow string
 	switch {
+	case ko.FulcioAuthFlow != "":
+		// Caller manually set flow option.
+		flow = ko.FulcioAuthFlow
 	case idToken != "":
 		flow = FlowToken
 	case !term.IsTerminal(0):

diff --git a/cmd/cosign/cli/options/key.go b/cmd/cosign/cli/options/key.go
@@ -30,6 +30,10 @@ type KeyOpts struct {
 	OIDCClientSecret string
 	OIDCRedirectURL  string
 	BundlePath       string
+	// FulcioAuthFlow is the auth flow to use when authenticating against
+	// Fulcio. See https://pkg.go.dev/github.com/sigstore/cosign/cmd/cosign/cli/fulcio#pkg-constants
+	// for valid values.
+	FulcioAuthFlow string
 
 	// Modeled after InsecureSkipVerify in tls.Config, this disables
 	// verifying the SCT.