From d3133aa24004202048732d35ddb904a760273aef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adolfo=20Garc=C3=ADa=20Veytia=20=28Puerco=29?=
Date: Mon, 2 May 2022 13:36:53 -0500
Subject: [PATCH 1/3] Add KeyOpt to disable internal providers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This commit adds an option to tell the fulcio client to avoid trying to get an auth token from the internal OIDC providers.

Signed-off-by: Adolfo García Veytia (Puerco)
---
 cmd/cosign/cli/fulcio/fulcio.go | 2 +-
 cmd/cosign/cli/options/key.go | 25 +++++++++++++------------
 2 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/cmd/cosign/cli/fulcio/fulcio.go b/cmd/cosign/cli/fulcio/fulcio.go
index cea16bb5dcf..689789cc2fe 100644
--- a/cmd/cosign/cli/fulcio/fulcio.go
+++ b/cmd/cosign/cli/fulcio/fulcio.go
@@ -119,7 +119,7 @@ func NewSigner(ctx context.Context, ko options.KeyOpts) (*Signer, error) {
 idToken := ko.IDToken
 // If token is not set in the options, get one from the provders
- if idToken == "" && providers.Enabled(ctx) {
+ if idToken == "" && providers.Enabled(ctx) && !ko.OIDCDisableProviders {
 idToken, err = providers.Provide(ctx, "sigstore")
 if err != nil {
 return nil, errors.Wrap(err, "fetching ambient OIDC credentials")
diff --git a/cmd/cosign/cli/options/key.go b/cmd/cosign/cli/options/key.go
index 77957137c8f..55edca28569 100644
--- a/cmd/cosign/cli/options/key.go
+++ b/cmd/cosign/cli/options/key.go
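Review bot: The new `!ko.OIDCDisableProviders` guard is evaluated after `providers.Enabled(ctx)`, so with the flag set the signer still runs every ambient provider's enablement probe and only then declines to use the result; if any provider's `Enabled` inspects the environment or a metadata endpoint (not visible here), that is exactly the work a user of this flag wants to skip, and a slow or failing probe can still stall the keyless path. Put the cheap, user-controlled check first so it short-circuits: `if idToken == "" && !ko.OIDCDisableProviders && providers.Enabled(ctx) {`. The comment above should also say what the flag changes, and fix its typo: `// If no token was supplied, try the ambient OIDC providers unless they were disabled; otherwise the later OIDC flow is used.` NewSigner starts and ends outside this hunk.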
@@ -18,18 +18,19 @@ package options
 import "github.com/sigstore/cosign/pkg/cosign"
 type KeyOpts struct {
- Sk bool
- Slot string
- KeyRef string
- FulcioURL string
- RekorURL string
- IDToken string
- PassFunc cosign.PassFunc
- OIDCIssuer string
- OIDCClientID string
- OIDCClientSecret string
- OIDCRedirectURL string
- BundlePath string
+ Sk bool
+ Slot string
+ KeyRef string
+ FulcioURL string
+ RekorURL string
+ IDToken string
+ PassFunc cosign.PassFunc
+ OIDCIssuer string
+ OIDCClientID string
+ OIDCClientSecret string
+ OIDCRedirectURL string
+ OIDCDisableProviders bool // Disable OIDC credential providers in keyless signer
+ BundlePath string
 // FulcioAuthFlow is the auth flow to use when authenticating against
 // Fulcio. See https://pkg.go.dev/github.com/sigstore/cosign/cmd/cosign/cli/fulcio#pkg-constants
 // for valid values.
From 51792f16124d1c6674ad0757a03a9c6832d5d214 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adolfo=20Garc=C3=ADa=20Veytia=20=28Puerco=29?=
Date: Mon, 2 May 2022 13:39:21 -0500
Subject: [PATCH 2/3] Add --oidc-disable-ambient-providers flag to disable internal OIDC providers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This commit adds a command line flag `--oidc-providers-disable` to `cosign sign` and `cosign sign-blob` to disable the internal OIDC providers. This does not break compatibility with the current cli and skips the providers logic to jump straight to the OIDC flow.

Signed-off-by: Adolfo García Veytia (Puerco)
---
 cmd/cosign/cli/options/oidc.go | 12 ++++++++----
 cmd/cosign/cli/sign.go | 1 +
 cmd/cosign/cli/signblob.go | 1 +
 3 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/cmd/cosign/cli/options/oidc.go b/cmd/cosign/cli/options/oidc.go
index cdcada2b0d5..848706487f5 100644
--- a/cmd/cosign/cli/options/oidc.go
+++ b/cmd/cosign/cli/options/oidc.go
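Review bot: The new field is called `OIDCDisableProviders`, while the flag that feeds it (patch 2 of this series) is `--oidc-disable-ambient-providers` and the `OIDCOptions` field is `DisableAmbientProviders`; three names for one switch make the option hard to trace, and "providers" alone can be read as also disabling the issuer-based OIDC flow, which the commit message says it does not. Name it for what it gates, `OIDCDisableAmbientProviders bool`, and let the trailing comment state the observable effect rather than restate the name: `// Skip the ambient OIDC credential providers; an explicit IDToken or the regular OIDC flow is used instead.` The `KeyOpts` struct continues past the end of this hunk.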
@@ -29,10 +29,11 @@ const DefaultOIDCIssuerURL = "https://oauth2.sigstore.dev/auth"
 // OIDCOptions is the wrapper for OIDC related options.
 type OIDCOptions struct {
- Issuer string
- ClientID string
- clientSecretFile string
- RedirectURL string
+ Issuer string
+ ClientID string
+ clientSecretFile string
+ RedirectURL string
+ DisableAmbientProviders bool
 }
 func (o *OIDCOptions) ClientSecret() (string, error) {
@@ -66,4 +67,7 @@ func (o *OIDCOptions) AddFlags(cmd *cobra.Command) {
 cmd.Flags().StringVar(&o.RedirectURL, "oidc-redirect-url", "", "[EXPERIMENTAL] OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.")
+
+ cmd.Flags().BoolVar(&o.DisableAmbientProviders, "oidc-disable-ambient-providers", false,
+ "[EXPERIMENTAL] Disable ambient OIDC providers. When true, ambient credentials will not be read")
 }
diff --git a/cmd/cosign/cli/sign.go b/cmd/cosign/cli/sign.go
index f0f2ea19129..620825f7031 100644
--- a/cmd/cosign/cli/sign.go
+++ b/cmd/cosign/cli/sign.go
@@ -95,6 +95,7 @@ func Sign() *cobra.Command {
 OIDCClientID: o.OIDC.ClientID,
 OIDCClientSecret: oidcClientSecret,
 OIDCRedirectURL: o.OIDC.RedirectURL,
+ OIDCDisableProviders: o.OIDC.DisableAmbientProviders,
 }
 annotationsMap, err := o.AnnotationsMap()
 if err != nil {
diff --git a/cmd/cosign/cli/signblob.go b/cmd/cosign/cli/signblob.go
index e5e14b2cf08..8e80b6f7b12 100644
--- a/cmd/cosign/cli/signblob.go
+++ b/cmd/cosign/cli/signblob.go
@@ -81,6 +81,7 @@ func SignBlob() *cobra.Command {
 OIDCClientID: o.OIDC.ClientID,
 OIDCClientSecret: oidcClientSecret,
 OIDCRedirectURL: o.OIDC.RedirectURL,
+ OIDCDisableProviders: o.OIDC.DisableAmbientProviders,
 BundlePath: o.BundlePath,
 }
 for _, blob := range args {
From 4f5ed66e9b3db286ea6957e30ff695558307f410 Mon Sep 17 00:00:00 2001
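Review bot: The help text registered for `--oidc-disable-ambient-providers` only says ambient credentials will not be read, leaving the user to guess what cosign does instead; per the commit message it then proceeds to the OIDC flow against `--oidc-issuer`, which is typically a browser-based interactive flow, and a CI user who sets this flag expecting the signer to fail closed will instead be left waiting on a login. Spell out the fallback: `"[EXPERIMENTAL] Disable ambient OIDC providers. When true, ambient credentials will not be read; signing uses an explicitly supplied identity token or the OIDC flow against --oidc-issuer instead"`. Note also that the commit message calls the flag `--oidc-providers-disable`, which does not match the name registered here. `AddFlags` begins before this hunk.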
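Review bot: Patch 3 documents `--oidc-disable-ambient-providers` for `cosign attest` and `cosign policy sign` as well, but this series only copies `o.OIDC.DisableAmbientProviders` into `KeyOpts` here and in `signblob.go`; unless those commands build their `KeyOpts` through the same code path (not visible in the diff), the flag is accepted there and silently ignored, and ambient credentials are still read despite the help text promising otherwise. Every `KeyOpts` literal that sets `OIDCRedirectURL: o.OIDC.RedirectURL,` should also set `OIDCDisableProviders: o.OIDC.DisableAmbientProviders,`, and a test that runs each keyless command with the flag and a stub provider registered would catch the omission. The `Sign` function body continues beyond this hunk.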
From: =?UTF-8?q?Adolfo=20Garc=C3=ADa=20Veytia=20=28Puerco=29?=
Date: Mon, 2 May 2022 14:22:12 -0500
Subject: [PATCH 3/3] Update internal docs for new OIDC flag
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Adolfo García Veytia (Puerco)
---
 doc/cosign_attest.md | 1 +
 doc/cosign_policy_sign.md | 1 +
 doc/cosign_sign-blob.md | 1 +
 doc/cosign_sign.md | 1 +
 4 files changed, 4 insertions(+)

diff --git a/doc/cosign_attest.md b/doc/cosign_attest.md
index d153eac2396..014ad4f680c 100644
--- a/doc/cosign_attest.md
+++ b/doc/cosign_attest.md
@@ -53,6 +53,7 @@ cosign attest [flags]
 --no-upload do not upload the generated attestation
 --oidc-client-id string [EXPERIMENTAL] OIDC client ID for application (default "sigstore")
 --oidc-client-secret-file string [EXPERIMENTAL] Path to file containing OIDC client secret for application
+ --oidc-disable-ambient-providers [EXPERIMENTAL] Disable ambient OIDC providers. When true, ambient credentials will not be read
 --oidc-issuer string [EXPERIMENTAL] OIDC provider to be used to issue ID token (default "https://oauth2.sigstore.dev/auth")
 --oidc-redirect-url string [EXPERIMENTAL] OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.
 --predicate string path to the predicate file.
diff --git a/doc/cosign_policy_sign.md b/doc/cosign_policy_sign.md
index 8633756314c..f09ef6a8820 100644
--- a/doc/cosign_policy_sign.md
+++ b/doc/cosign_policy_sign.md
@@ -25,6 +25,7 @@ cosign policy sign [flags]
 --namespace string registry namespace that the root policy belongs to (default "ns")
 --oidc-client-id string [EXPERIMENTAL] OIDC client ID for application (default "sigstore")
 --oidc-client-secret-file string [EXPERIMENTAL] Path to file containing OIDC client secret for application
+ --oidc-disable-ambient-providers [EXPERIMENTAL] Disable ambient OIDC providers. When true, ambient credentials will not be read
 --oidc-issuer string [EXPERIMENTAL] OIDC provider to be used to issue ID token (default "https://oauth2.sigstore.dev/auth")
 --oidc-redirect-url string [EXPERIMENTAL] OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.
 --out string output policy locally (default "o")
diff --git a/doc/cosign_sign-blob.md b/doc/cosign_sign-blob.md
index ca54d101ac8..6ac4183f646 100644
--- a/doc/cosign_sign-blob.md
+++ b/doc/cosign_sign-blob.md
@@ -45,6 +45,7 @@ cosign sign-blob [flags]
 --key string path to the private key file, KMS URI or Kubernetes Secret
 --oidc-client-id string [EXPERIMENTAL] OIDC client ID for application (default "sigstore")
 --oidc-client-secret-file string [EXPERIMENTAL] Path to file containing OIDC client secret for application
+ --oidc-disable-ambient-providers [EXPERIMENTAL] Disable ambient OIDC providers. When true, ambient credentials will not be read
 --oidc-issuer string [EXPERIMENTAL] OIDC provider to be used to issue ID token (default "https://oauth2.sigstore.dev/auth")
 --oidc-redirect-url string [EXPERIMENTAL] OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.
 --output string write the signature to FILE
diff --git a/doc/cosign_sign.md b/doc/cosign_sign.md
index 88230c10524..61e1ea5a2b8 100644
--- a/doc/cosign_sign.md
+++ b/doc/cosign_sign.md
@@ -70,6 +70,7 @@ cosign sign [flags]
 --key string path to the private key file, KMS URI or Kubernetes Secret
 --oidc-client-id string [EXPERIMENTAL] OIDC client ID for application (default "sigstore")
 --oidc-client-secret-file string [EXPERIMENTAL] Path to file containing OIDC client secret for application
+ --oidc-disable-ambient-providers [EXPERIMENTAL] Disable ambient OIDC providers. When true, ambient credentials will not be read
 --oidc-issuer string [EXPERIMENTAL] OIDC provider to be used to issue ID token (default "https://oauth2.sigstore.dev/auth")
 --oidc-redirect-url string [EXPERIMENTAL] OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.
 --output-certificate string write the certificate to FILE