Add --oidc-disable-ambient-providers flag to disable internal OIDC pr…

…oviders This commit adds a command line flag `--oidc-providers-disable` to `cosign sign` and `cosign sign-blob` to disable the internal OIDC providers. This does not break compatibility with the current cli and skips the providers logic to jump straight to the OIDC flow. Signed-off-by: Adolfo García Veytia (Puerco) <puerco@chainguard.dev>
sigstore · May 2, 2022 · 51792f1 · 51792f1
1 parent d3133aa
commit 51792f1
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 4 deletions.
diff --git a/cmd/cosign/cli/options/oidc.go b/cmd/cosign/cli/options/oidc.go
@@ -29,10 +29,11 @@ const DefaultOIDCIssuerURL = "https://oauth2.sigstore.dev/auth"
 
 // OIDCOptions is the wrapper for OIDC related options.
 type OIDCOptions struct {
-	Issuer           string
-	ClientID         string
-	clientSecretFile string
-	RedirectURL      string
+	Issuer                  string
+	ClientID                string
+	clientSecretFile        string
+	RedirectURL             string
+	DisableAmbientProviders bool
 }
 
 func (o *OIDCOptions) ClientSecret() (string, error) {
@@ -66,4 +67,7 @@ func (o *OIDCOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.RedirectURL, "oidc-redirect-url", "",
 		"[EXPERIMENTAL] OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.")
+
+	cmd.Flags().BoolVar(&o.DisableAmbientProviders, "oidc-disable-ambient-providers", false,
+		"[EXPERIMENTAL] Disable ambient OIDC providers. When true, ambient credentials will not be read")
 }
diff --git a/cmd/cosign/cli/sign.go b/cmd/cosign/cli/sign.go
@@ -95,6 +95,7 @@ func Sign() *cobra.Command {
 				OIDCClientID:             o.OIDC.ClientID,
 				OIDCClientSecret:         oidcClientSecret,
 				OIDCRedirectURL:          o.OIDC.RedirectURL,
+				OIDCDisableProviders:     o.OIDC.DisableAmbientProviders,
 			}
 			annotationsMap, err := o.AnnotationsMap()
 			if err != nil {

diff --git a/cmd/cosign/cli/signblob.go b/cmd/cosign/cli/signblob.go
@@ -81,6 +81,7 @@ func SignBlob() *cobra.Command {
 				OIDCClientID:             o.OIDC.ClientID,
 				OIDCClientSecret:         oidcClientSecret,
 				OIDCRedirectURL:          o.OIDC.RedirectURL,
+				OIDCDisableProviders:     o.OIDC.DisableAmbientProviders,
 				BundlePath:               o.BundlePath,
 			}
 			for _, blob := range args {