Remove experimental flags from attest-blob and refactor

cmd/cosign/cli/attest/attest_blob.go

@@ -27,11 +27,11 @@ import (
 	"path"
 	"path/filepath"
 	"strings"
-	"time"
 
 	"github.com/pkg/errors"
 	"github.com/sigstore/cosign/cmd/cosign/cli/options"
 	"github.com/sigstore/cosign/cmd/cosign/cli/sign"
+	"github.com/sigstore/cosign/pkg/cosign"
 	"github.com/sigstore/cosign/pkg/cosign/attestation"
 	"github.com/sigstore/cosign/pkg/types"
 	"github.com/sigstore/sigstore/pkg/signature"
@@ -40,17 +40,31 @@ import (
 )
 
 // nolint
-func AttestBlobCmd(ctx context.Context, ko options.KeyOpts, artifactPath string, artifactHash string, certPath string, certChainPath string, predicatePath string, predicateType string, timeout time.Duration, outputSignature, outputAttestation string) error {
+type AttestBlobCommand struct {
+	KeyRef       string
+	ArtifactHash string
+
+	PredicatePath string
+	PredicateType string
+
+	OutputSignature   string
+	OutputAttestation string
+
+	PassFunc cosign.PassFunc
+}
+
+// nolint
+func (c *AttestBlobCommand) Exec(ctx context.Context, artifactPath string) error {
 	// TODO: Add in experimental keyless mode
-	if !options.OneOf(ko.KeyRef, ko.Sk) {
+	if !options.OneOf(c.KeyRef) {
 		return &options.KeyParseError{}
 	}
 
 	var artifact []byte
 	var hexDigest string
 	var err error
 
-	if artifactHash == "" {
+	if c.ArtifactHash == "" {
 		if artifactPath == "-" {
 			artifact, err = io.ReadAll(os.Stdin)
 		} else {
@@ -62,31 +76,30 @@ func AttestBlobCmd(ctx context.Context, ko options.KeyOpts, artifactPath string,
 		}
 	}
 
-	sv, err := sign.SignerFromKeyOpts(ctx, certPath, certChainPath, ko)
+	ko := options.KeyOpts{
+		KeyRef:   c.KeyRef,
+		PassFunc: c.PassFunc,
+	}
+
+	sv, err := sign.SignerFromKeyOpts(ctx, "", "", ko)
 	if err != nil {
 		return errors.Wrap(err, "getting signer")
 	}
 	defer sv.Close()
 
-	if timeout != 0 {
-		var cancelFn context.CancelFunc
-		ctx, cancelFn = context.WithTimeout(ctx, timeout)
-		defer cancelFn()
-	}
-
-	if artifactHash == "" {
+	if c.ArtifactHash == "" {
 		digest, _, err := signature.ComputeDigestForSigning(bytes.NewReader(artifact), crypto.SHA256, []crypto.Hash{crypto.SHA256, crypto.SHA384})
 		if err != nil {
 			return err
 		}
 		hexDigest = strings.ToLower(hex.EncodeToString(digest))
 	} else {
-		hexDigest = artifactHash
+		hexDigest = c.ArtifactHash
 	}
 	wrapped := dsse.WrapSigner(sv, types.IntotoPayloadType)
 
-	fmt.Fprintln(os.Stderr, "Using predicate from:", predicatePath)
-	predicate, err := os.Open(predicatePath)
+	fmt.Fprintln(os.Stderr, "Using predicate from:", c.PredicatePath)
+	predicate, err := os.Open(c.PredicatePath)
 	if err != nil {
 		return err
 	}
@@ -96,7 +109,7 @@ func AttestBlobCmd(ctx context.Context, ko options.KeyOpts, artifactPath string,
 
 	sh, err := attestation.GenerateStatement(attestation.GenerateOpts{
 		Predicate: predicate,
-		Type:      predicateType,
+		Type:      c.PredicateType,
 		Digest:    hexDigest,
 		Repo:      base,
 	})
@@ -115,20 +128,20 @@ func AttestBlobCmd(ctx context.Context, ko options.KeyOpts, artifactPath string,
 	}
 
 	sig = []byte(base64.StdEncoding.EncodeToString(sig))
-	if outputSignature != "" {
-		if err := os.WriteFile(outputSignature, sig, 0600); err != nil {
+	if c.OutputSignature != "" {
+		if err := os.WriteFile(c.OutputSignature, sig, 0600); err != nil {
 			return fmt.Errorf("create signature file: %w", err)
 		}
-		fmt.Fprintf(os.Stderr, "Signature written in %s\n", outputSignature)
+		fmt.Fprintf(os.Stderr, "Signature written in %s\n", c.OutputSignature)
 	} else {
 		fmt.Fprintln(os.Stdout, string(sig))
 	}
 
-	if outputAttestation != "" {
-		if err := os.WriteFile(outputAttestation, payload, 0600); err != nil {
+	if c.OutputAttestation != "" {
+		if err := os.WriteFile(c.OutputAttestation, payload, 0600); err != nil {
 			return fmt.Errorf("create signature file: %w", err)
 		}
-		fmt.Fprintf(os.Stderr, "Attestation written in %s\n", outputAttestation)
+		fmt.Fprintf(os.Stderr, "Attestation written in %s\n", c.OutputAttestation)
 	} else {
 		fmt.Fprintln(os.Stdout, string(payload))
 	}

cmd/cosign/cli/attest_blob.go

@@ -15,9 +15,7 @@
 package cli
 
 import (
-	"github.com/pkg/errors"
 	"github.com/sigstore/cosign/cmd/cosign/cli/attest"
-	"github.com/sigstore/cosign/cmd/cosign/cli/generate"
 	"github.com/sigstore/cosign/cmd/cosign/cli/options"
 	"github.com/spf13/cobra"
 )
@@ -45,21 +43,17 @@ func AttestBlob() *cobra.Command {
   # attach an attestation to a blob with a key pair stored in Hashicorp Vault
   cosign attest-blob --predicate <FILE> --type <TYPE> --key hashivault://[KEY] <BLOB>`,
 
-		Args: cobra.MinimumNArgs(1),
+		Args: cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			ko := options.KeyOpts{
-				KeyRef:   o.Key,
-				PassFunc: generate.GetPass,
-				Sk:       o.SecurityKey.Use,
-				Slot:     o.SecurityKey.Slot,
+			v := attest.AttestBlobCommand{
+				KeyRef:            o.Key,
+				ArtifactHash:      o.Hash,
+				PredicateType:     o.Predicate.Type,
+				PredicatePath:     o.Predicate.Path,
+				OutputSignature:   o.OutputSignature,
+				OutputAttestation: o.OutputAttestation,
 			}
-			for _, artifact := range args {
-				if err := attest.AttestBlobCmd(cmd.Context(), ko, artifact, o.Hash, o.Cert, o.CertChain,
-					o.Predicate.Path, o.Predicate.Type, ro.Timeout, o.OutputSignature, o.OutputAttestation); err != nil {
-					return errors.Wrapf(err, "attesting %s", artifact)
-				}
-			}
-			return nil
+			return v.Exec(cmd.Context(), args[0])
 		},
 	}
 	o.AddFlags(cmd)

cmd/cosign/cli/options/attest_blob.go

@@ -15,73 +15,35 @@
 package options
 
 import (
-	"time"
-
 	"github.com/spf13/cobra"
 )
 
 // AttestOptions is the top level wrapper for the attest command.
 type AttestBlobOptions struct {
 	Key               string
-	Cert              string
-	CertChain         string
-	NoUpload          bool
-	Force             bool
-	Recursive         bool
-	Replace           bool
-	Timeout           time.Duration
 	Hash              string
 	OutputSignature   string
 	OutputAttestation string
 
-	Rekor       RekorOptions
-	Fulcio      FulcioOptions
-	OIDC        OIDCOptions
-	SecurityKey SecurityKeyOptions
-	Predicate   PredicateLocalOptions
+	Predicate PredicateLocalOptions
 }
 
 var _ Interface = (*AttestOptions)(nil)
 
 // AddFlags implements Interface
 func (o *AttestBlobOptions) AddFlags(cmd *cobra.Command) {
-	o.SecurityKey.AddFlags(cmd)
 	o.Predicate.AddFlags(cmd)
-	o.Fulcio.AddFlags(cmd)
-	o.OIDC.AddFlags(cmd)
-	o.Rekor.AddFlags(cmd)
 
 	cmd.Flags().StringVar(&o.Key, "key", "",
 		"path to the private key file, KMS URI or Kubernetes Secret")
 
-	cmd.Flags().StringVar(&o.Cert, "cert", "",
-		"path to the x509 certificate to include in the Signature")
-
 	cmd.Flags().StringVar(&o.OutputSignature, "output-signature", "",
 		"write the signature to FILE")
 	_ = cmd.Flags().SetAnnotation("output-signature", cobra.BashCompFilenameExt, []string{})
 
 	cmd.Flags().StringVar(&o.OutputAttestation, "output-attestation", "",
 		"write the attestation to FILE")
 
-	cmd.Flags().StringVar(&o.CertChain, "cert-chain", "",
-		"path to a list of CA X.509 certificates in PEM format which will be needed "+
-			"when building the certificate chain for the signing certificate. "+
-			"Must start with the parent intermediate CA certificate of the "+
-			"signing certificate and end with the root certificate. Included in the OCI Signature")
-
-	cmd.Flags().BoolVar(&o.NoUpload, "no-upload", false,
-		"do not upload the generated attestation")
-
-	cmd.Flags().BoolVarP(&o.Force, "force", "f", false,
-		"skip warnings and confirmations")
-
-	cmd.Flags().BoolVarP(&o.Replace, "replace", "", false,
-		"")
-
-	cmd.Flags().DurationVar(&o.Timeout, "timeout", time.Second*30,
-		"HTTP Timeout defaults to 30 seconds")
-
 	cmd.Flags().StringVar(&o.Hash, "hash", "",
 		"hash of blob in hexadecimal (base16). Used if you want to sign an artifact stored elsewhere and have the hash")
 }