
Adds Support for Fulcio Client Credentials Flow, and Argument to Set …
…Flow Explicitly (#3578)

* add fulcio oauth flow client credentials

Signed-off-by: Noah Kreiger <noahkreiger@gmail.com>

* fix docgen

Signed-off-by: Noah Kreiger <noahkreiger@gmail.com>

* add options

Signed-off-by: Noah Kreiger <noahkreiger@gmail.com>

---------

Signed-off-by: Noah Kreiger <noahkreiger@gmail.com>
nkreiger committed Mar 12, 2024
1 parent b551637 commit 5d60a9a
Showing 10 changed files with 18 additions and 3 deletions.
1 change: 1 addition & 0 deletions cmd/cosign/cli/attest.go
Expand Up @@ -74,6 +74,7 @@ func Attest() *cobra.Command {
Slot: o.SecurityKey.Slot,
FulcioURL: o.Fulcio.URL,
IDToken: o.Fulcio.IdentityToken,
FulcioAuthFlow: o.Fulcio.AuthFlow,
InsecureSkipFulcioVerify: o.Fulcio.InsecureSkipFulcioVerify,
RekorURL: o.Rekor.URL,
OIDCIssuer: o.OIDC.Issuer,
1 change: 1 addition & 0 deletions cmd/cosign/cli/attest_blob.go
Expand Up @@ -61,6 +61,7 @@ func AttestBlob() *cobra.Command {
Slot: o.SecurityKey.Slot,
FulcioURL: o.Fulcio.URL,
IDToken: o.Fulcio.IdentityToken,
FulcioAuthFlow: o.Fulcio.AuthFlow,
InsecureSkipFulcioVerify: o.Fulcio.InsecureSkipFulcioVerify,
RekorURL: o.Rekor.URL,
OIDCIssuer: o.OIDC.Issuer,
9 changes: 6 additions & 3 deletions cmd/cosign/cli/fulcio/fulcio.go
Expand Up @@ -38,9 +38,10 @@ import (
)

const (
flowNormal = "normal"
flowDevice = "device"
flowToken = "token"
flowNormal = "normal"
flowDevice = "device"
flowToken = "token"
flowClientCredentials = "client_credentials"
)

type oidcConnector interface {
Expand Down Expand Up @@ -89,6 +90,8 @@ func getCertForOauthID(sv signature.SignerVerifier, fc api.LegacyClient, connect
func GetCert(_ context.Context, sv signature.SignerVerifier, idToken, flow, oidcIssuer, oidcClientID, oidcClientSecret, oidcRedirectURL string, fClient api.LegacyClient) (*api.CertificateResponse, error) {
c := &realConnector{}
switch flow {
case flowClientCredentials:
c.flow = oauthflow.NewClientCredentialsFlow(oidcIssuer)
case flowDevice:
c.flow = oauthflow.NewDeviceFlowTokenGetterForIssuer(oidcIssuer)
case flowNormal:
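Review bot: The new `case flowClientCredentials` in GetCert passes only `oidcIssuer` to `oauthflow.NewClientCredentialsFlow`, so the client ID and secret this grant authenticates with presumably reach it later through the oauth2 config the connector builds from `oidcClientID`/`oidcClientSecret` — confirm that, because selecting `client_credentials` without a client secret is an easy misconfiguration that should fail here with a clear message rather than with an opaque error from the token endpoint. A guard at the top of this case, `if oidcClientSecret == "" { return nil, fmt.Errorf("client_credentials flow requires an OIDC client secret") }`, would make that explicit. The new constant also deserves a line in the const block, e.g. `// flowClientCredentials is the non-interactive OAuth2 client credentials grant; the resulting token identifies the OIDC client rather than an end user.` GetCert's switch and body continue outside the hunk.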
4 changes: 4 additions & 0 deletions cmd/cosign/cli/options/fulcio.go
Expand Up @@ -24,6 +24,7 @@ const DefaultFulcioURL = "https://fulcio.sigstore.dev"
// FulcioOptions is the wrapper for Fulcio related options.
type FulcioOptions struct {
URL string
AuthFlow string
IdentityToken string
InsecureSkipFulcioVerify bool
}
Expand All @@ -39,6 +40,9 @@ func (o *FulcioOptions) AddFlags(cmd *cobra.Command) {
cmd.Flags().StringVar(&o.IdentityToken, "identity-token", "",
"identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted.")

cmd.Flags().StringVar(&o.AuthFlow, "fulcio-auth-flow", "",
"fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. (options) normal|device|token|client_credentials")

cmd.Flags().BoolVar(&o.InsecureSkipFulcioVerify, "insecure-skip-verify", false,
"skip verifying fulcio published to the SCT (this should only be used for testing).")
}
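Review bot: The help text for `--fulcio-auth-flow` describes it as the "fulcio interactive oauth2 flow", but two of the listed options, `token` and `client_credentials`, are non-interactive, so the wording will mislead users picking a flow for unattended CI signing. Suggest `"fulcio oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. (options) normal|device|token|client_credentials"`. The flag itself accepts any string and validation appears to happen only downstream where the flow is selected; that is fine as long as an unknown value is rejected there rather than silently falling back to the environment-detected flow — worth confirming. AddFlags's body starts outside the hunk.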
1 change: 1 addition & 0 deletions cmd/cosign/cli/sign.go
Expand Up @@ -110,6 +110,7 @@ race conditions or (worse) malicious tampering.
Slot: o.SecurityKey.Slot,
FulcioURL: o.Fulcio.URL,
IDToken: o.Fulcio.IdentityToken,
FulcioAuthFlow: o.Fulcio.AuthFlow,
InsecureSkipFulcioVerify: o.Fulcio.InsecureSkipFulcioVerify,
RekorURL: o.Rekor.URL,
OIDCIssuer: o.OIDC.Issuer,
1 change: 1 addition & 0 deletions cmd/cosign/cli/signblob.go
Expand Up @@ -75,6 +75,7 @@ func SignBlob() *cobra.Command {
Slot: o.SecurityKey.Slot,
FulcioURL: o.Fulcio.URL,
IDToken: o.Fulcio.IdentityToken,
FulcioAuthFlow: o.Fulcio.AuthFlow,
InsecureSkipFulcioVerify: o.Fulcio.InsecureSkipFulcioVerify,
RekorURL: o.Rekor.URL,
OIDCIssuer: o.OIDC.Issuer,
1 change: 1 addition & 0 deletions doc/cosign_attest-blob.md


1 change: 1 addition & 0 deletions doc/cosign_attest.md


1 change: 1 addition & 0 deletions doc/cosign_sign-blob.md


1 change: 1 addition & 0 deletions doc/cosign_sign.md

