New flag --oidc-providers-disable to disable OIDC providers (#1832)

* Add KeyOpt to disable internal providers

This commit adds an option to tell the fulcio client to avoid trying
to get an auth token from the internal OIDC providers.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Add --oidc-disable-ambient-providers flag to disable internal OIDC providers

This commit adds a command line flag `--oidc-providers-disable` to
`cosign sign` and `cosign sign-blob` to disable the internal OIDC
providers. This does not break compatibility with the current cli and
skips the providers logic to jump straight to the OIDC flow.

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

* Update internal docs for new OIDC flag

Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>

cmd/cosign/cli/fulcio/fulcio.go

@@ -119,7 +119,7 @@ func NewSigner(ctx context.Context, ko options.KeyOpts) (*Signer, error) {
 
 	idToken := ko.IDToken
 	// If token is not set in the options, get one from the provders
-	if idToken == "" && providers.Enabled(ctx) {
+	if idToken == "" && providers.Enabled(ctx) && !ko.OIDCDisableProviders {
 		idToken, err = providers.Provide(ctx, "sigstore")
 		if err != nil {
 			return nil, errors.Wrap(err, "fetching ambient OIDC credentials")

cmd/cosign/cli/options/key.go

@@ -18,18 +18,19 @@ package options
 import "github.com/sigstore/cosign/pkg/cosign"
 
 type KeyOpts struct {
-	Sk               bool
-	Slot             string
-	KeyRef           string
-	FulcioURL        string
-	RekorURL         string
-	IDToken          string
-	PassFunc         cosign.PassFunc
-	OIDCIssuer       string
-	OIDCClientID     string
-	OIDCClientSecret string
-	OIDCRedirectURL  string
-	BundlePath       string
+	Sk                   bool
+	Slot                 string
+	KeyRef               string
+	FulcioURL            string
+	RekorURL             string
+	IDToken              string
+	PassFunc             cosign.PassFunc
+	OIDCIssuer           string
+	OIDCClientID         string
+	OIDCClientSecret     string
+	OIDCRedirectURL      string
+	OIDCDisableProviders bool // Disable OIDC credential providers in keyless signer
+	BundlePath           string
 	// FulcioAuthFlow is the auth flow to use when authenticating against
 	// Fulcio. See https://pkg.go.dev/github.com/sigstore/cosign/cmd/cosign/cli/fulcio#pkg-constants
 	// for valid values.

cmd/cosign/cli/options/oidc.go

@@ -29,10 +29,11 @@ const DefaultOIDCIssuerURL = "https://oauth2.sigstore.dev/auth"
 
 // OIDCOptions is the wrapper for OIDC related options.
 type OIDCOptions struct {
-	Issuer           string
-	ClientID         string
-	clientSecretFile string
-	RedirectURL      string
+	Issuer                  string
+	ClientID                string
+	clientSecretFile        string
+	RedirectURL             string
+	DisableAmbientProviders bool
 }
 
 func (o *OIDCOptions) ClientSecret() (string, error) {
@@ -66,4 +67,7 @@ func (o *OIDCOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.RedirectURL, "oidc-redirect-url", "",
 		"[EXPERIMENTAL] OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.")
+
+	cmd.Flags().BoolVar(&o.DisableAmbientProviders, "oidc-disable-ambient-providers", false,
+		"[EXPERIMENTAL] Disable ambient OIDC providers. When true, ambient credentials will not be read")
 }

cmd/cosign/cli/sign.go

@@ -95,6 +95,7 @@ func Sign() *cobra.Command {
 				OIDCClientID:             o.OIDC.ClientID,
 				OIDCClientSecret:         oidcClientSecret,
 				OIDCRedirectURL:          o.OIDC.RedirectURL,
+				OIDCDisableProviders:     o.OIDC.DisableAmbientProviders,
 			}
 			annotationsMap, err := o.AnnotationsMap()
 			if err != nil {

cmd/cosign/cli/signblob.go

@@ -81,6 +81,7 @@ func SignBlob() *cobra.Command {
 				OIDCClientID:             o.OIDC.ClientID,
 				OIDCClientSecret:         oidcClientSecret,
 				OIDCRedirectURL:          o.OIDC.RedirectURL,
+				OIDCDisableProviders:     o.OIDC.DisableAmbientProviders,
 				BundlePath:               o.BundlePath,
 			}
 			for _, blob := range args {