Skip to content

Commit

Permalink
New flag --oidc-providers-disable to disable OIDC providers (#1832)
Browse files Browse the repository at this point in the history 
* Add KeyOpt to disable internal providers

This commit adds an option to tell the fulcio client to avoid trying
to get an auth token from the internal OIDC providers.

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

* Add --oidc-disable-ambient-providers flag to disable internal OIDC providers

This commit adds a command line flag `--oidc-providers-disable` to
`cosign sign` and `cosign sign-blob` to disable the internal OIDC
providers. This does not break compatibility with the current cli and
skips the providers logic to jump straight to the OIDC flow.

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>

* Update internal docs for new OIDC flag

Signed-off-by: Adolfo García Veytia (Puerco) <[email protected]>
  • Loading branch information
@puerco
puerco authored May 2, 2022
1 parent 88b68f4 commit 2e00e8a
Show file tree
Hide file tree
Showing 9 changed files with 28 additions and 17 deletions.
2 changes: 1 addition & 1 deletion cmd/cosign/cli/fulcio/fulcio.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -119,7 +119,7 @@ func NewSigner(ctx context.Context, ko options.KeyOpts) (*Signer, error) {

idToken := ko.IDToken
// If token is not set in the options, get one from the provders
if idToken == "" && providers.Enabled(ctx) {
if idToken == "" && providers.Enabled(ctx) && !ko.OIDCDisableProviders {
idToken, err = providers.Provide(ctx, "sigstore")
if err != nil {
return nil, errors.Wrap(err, "fetching ambient OIDC credentials")
Expand Down
25 changes: 13 additions & 12 deletions cmd/cosign/cli/options/key.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,18 +18,19 @@ package options
import "github.com/sigstore/cosign/pkg/cosign"

type KeyOpts struct {
Sk bool
Slot string
KeyRef string
FulcioURL string
RekorURL string
IDToken string
PassFunc cosign.PassFunc
OIDCIssuer string
OIDCClientID string
OIDCClientSecret string
OIDCRedirectURL string
BundlePath string
Sk bool
Slot string
KeyRef string
FulcioURL string
RekorURL string
IDToken string
PassFunc cosign.PassFunc
OIDCIssuer string
OIDCClientID string
OIDCClientSecret string
OIDCRedirectURL string
OIDCDisableProviders bool // Disable OIDC credential providers in keyless signer
BundlePath string
// FulcioAuthFlow is the auth flow to use when authenticating against
// Fulcio. See https://pkg.go.dev/github.com/sigstore/cosign/cmd/cosign/cli/fulcio#pkg-constants
// for valid values.
Expand Down
12 changes: 8 additions & 4 deletions cmd/cosign/cli/options/oidc.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -29,10 +29,11 @@ const DefaultOIDCIssuerURL = "https://oauth2.sigstore.dev/auth"

// OIDCOptions is the wrapper for OIDC related options.
type OIDCOptions struct {
Issuer string
ClientID string
clientSecretFile string
RedirectURL string
Issuer string
ClientID string
clientSecretFile string
RedirectURL string
DisableAmbientProviders bool
}

func (o *OIDCOptions) ClientSecret() (string, error) {
Expand Down Expand Up @@ -66,4 +67,7 @@ func (o *OIDCOptions) AddFlags(cmd *cobra.Command) {

cmd.Flags().StringVar(&o.RedirectURL, "oidc-redirect-url", "",
"[EXPERIMENTAL] OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.")

cmd.Flags().BoolVar(&o.DisableAmbientProviders, "oidc-disable-ambient-providers", false,
"[EXPERIMENTAL] Disable ambient OIDC providers. When true, ambient credentials will not be read")
}
1 change: 1 addition & 0 deletions cmd/cosign/cli/sign.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,7 @@ func Sign() *cobra.Command {
OIDCClientID: o.OIDC.ClientID,
OIDCClientSecret: oidcClientSecret,
OIDCRedirectURL: o.OIDC.RedirectURL,
OIDCDisableProviders: o.OIDC.DisableAmbientProviders,
}
annotationsMap, err := o.AnnotationsMap()
if err != nil {
Expand Down
1 change: 1 addition & 0 deletions cmd/cosign/cli/signblob.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,7 @@ func SignBlob() *cobra.Command {
OIDCClientID: o.OIDC.ClientID,
OIDCClientSecret: oidcClientSecret,
OIDCRedirectURL: o.OIDC.RedirectURL,
OIDCDisableProviders: o.OIDC.DisableAmbientProviders,
BundlePath: o.BundlePath,
}
for _, blob := range args {
Expand Down
1 change: 1 addition & 0 deletions doc/cosign_attest.md
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions doc/cosign_policy_sign.md
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions doc/cosign_sign-blob.md
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions doc/cosign_sign.md
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

0 comments on commit 2e00e8a

Please sign in to comment.