From 5fbdb821b91e55316c00fefc2efd96d53f21a627 Mon Sep 17 00:00:00 2001 From: Billy Lynch Date: Mon, 2 May 2022 14:55:46 -0400 Subject: [PATCH] Add auth flow option to KeyOpts. (#1827) This change adds an option for callers to manually select the fulcio auth flow to go through. This allows callers that don't fit into the default heuristic to have some control over how cosign is invoked. For now, this is only added as a KeyOpt and not a flag, since this is currently only needed by tools calling the cosign libraries, not cosign itself. Flags can be added on later if needed. This change should not have any impact on existing cosign behavior. Signed-off-by: Billy Lynch --- cmd/cosign/cli/fulcio/fulcio.go | 3 +++ cmd/cosign/cli/options/key.go | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/cmd/cosign/cli/fulcio/fulcio.go b/cmd/cosign/cli/fulcio/fulcio.go index eed76b39496..cea16bb5dcf 100644 --- a/cmd/cosign/cli/fulcio/fulcio.go +++ b/cmd/cosign/cli/fulcio/fulcio.go @@ -138,6 +138,9 @@ func NewSigner(ctx context.Context, ko options.KeyOpts) (*Signer, error) { var flow string switch { + case ko.FulcioAuthFlow != "": + // Caller manually set flow option. + flow = ko.FulcioAuthFlow case idToken != "": flow = FlowToken case !term.IsTerminal(0): diff --git a/cmd/cosign/cli/options/key.go b/cmd/cosign/cli/options/key.go index db36e9235b7..77957137c8f 100644 --- a/cmd/cosign/cli/options/key.go +++ b/cmd/cosign/cli/options/key.go @@ -30,6 +30,10 @@ type KeyOpts struct { OIDCClientSecret string OIDCRedirectURL string BundlePath string + // FulcioAuthFlow is the auth flow to use when authenticating against + // Fulcio. See https://pkg.go.dev/github.com/sigstore/cosign/cmd/cosign/cli/fulcio#pkg-constants + // for valid values. + FulcioAuthFlow string // Modeled after InsecureSkipVerify in tls.Config, this disables // verifying the SCT.