Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support for Client Secret File #533

Merged
merged 1 commit into from
Jun 28, 2024
Merged

Support for Client Secret File #533

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 7 additions & 6 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -83,12 +83,13 @@ The following config options are supported:
| Environment Variable | Sigstore<br>Prefix | Default | Description |
| ---------------------------- | ------------------ | -------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| GITSIGN_CREDENTIAL_CACHE | | | Optional path to [gitsign-credential-cache](cmd/gitsign-credential-cache/README.md) socket. |
| GITSIGN_CONNECTOR_ID | ✅ | | Optional Connector ID to auto-select to pre-select auth flow to use. For the public sigstore instance, valid values are:<br>- `https://github.com/login/oauth`<br>- `https://accounts.google.com`<br>- `https://login.microsoftonline.com` |
| GITSIGN_TOKEN_PROVIDER | ✅ | | Optional OIDC token provider to use to fetch tokens. If not set, any available providers are used. valid values are:<br>- `interactive`<br>- `spiffe`<br>- `google-workload-identity`<br>- `google-impersonation`<br>- `github-actions`<br>- `filesystem`<br>- `buildkite-agent` |
| GITSIGN_FULCIO_URL | ✅ | https://fulcio.sigstore.dev | Address of Fulcio server |
| GITSIGN_LOG | ❌ | | Path to log status output. Helpful for debugging when no TTY is available in the environment. |
| GITSIGN_OIDC_CLIENT_ID | ✅ | sigstore | OIDC client ID for application |
| GITSIGN_OIDC_ISSUER | ✅ | https://oauth2.sigstore.dev/auth | OIDC provider to be used to issue ID token |
| GITSIGN_CONNECTOR_ID | ✅ | | Optional Connector ID to auto-select to pre-select auth flow to use. For the public sigstore instance, valid values are:<br>- `https://github.com/login/oauth`<br>- `https://accounts.google.com`<br>- `https://login.microsoftonline.com` |
| GITSIGN_TOKEN_PROVIDER | ✅ | | Optional OIDC token provider to use to fetch tokens. If not set, any available providers are used. valid values are:<br>- `interactive`<br>- `spiffe`<br>- `google-workload-identity`<br>- `google-impersonation`<br>- `github-actions`<br>- `filesystem`<br>- `buildkite-agent` |
| GITSIGN_FULCIO_URL | ✅ | https://fulcio.sigstore.dev | Address of Fulcio server |
| GITSIGN_LOG | ❌ | | Path to log status output. Helpful for debugging when no TTY is available in the environment. |
| GITSIGN_OIDC_CLIENT_ID | ✅ | sigstore | OIDC client ID for application
| GITSIGN_OIDC_CLIENT_SECRET_FILE | ✅ | | Path to the file containing the OIDC client secret for the application. | |
| GITSIGN_OIDC_ISSUER | ✅ | https://oauth2.sigstore.dev/auth | OIDC provider to be used to issue ID token |
| GITSIGN_OIDC_REDIRECT_URL | ✅ | | OIDC Redirect URL |
| GITSIGN_REKOR_URL | ✅ | https://rekor.sigstore.dev | Address of Rekor server |
| GITSIGN_TIMESTAMP_SERVER_URL | ✅ | | Address of timestamping authority. If set, a trusted timestamp will be included in the signature. |
Expand Down
24 changes: 24 additions & 0 deletions internal/config/config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ import (
"os/exec"
"strconv"
"strings"
"unicode/utf8"
)

type RekorVerificationMode int
Expand Down Expand Up @@ -57,6 +58,9 @@ type Config struct {

// OIDC client ID for application
ClientID string
// File containing the OIDC Client Secret
clientSecretFile string
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
clientSecretFile string
ClientSecretFile string

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@cpanato Emulating the design in cosign.

Testing issues resolved and checks are ✅


// OIDC Redirect URL
RedirectURL string
// OIDC provider to be used to issue ID token
Expand Down Expand Up @@ -89,6 +93,23 @@ type Config struct {
AutocloseTimeout int
}

// CLientSecret retrieves the OIDC client secret from the file provided
func (o *Config) ClientSecret() (string, error) {
if o.clientSecretFile != "" {
clientSecretBytes, err := os.ReadFile(o.clientSecretFile)
if err != nil {
return "", fmt.Errorf("reading OIDC client secret: %w", err)
}
if !utf8.Valid(clientSecretBytes) {
return "", fmt.Errorf("OIDC client secret in file %s not valid utf8", o.clientSecretFile)
}
clientSecretString := string(clientSecretBytes)
clientSecretString = strings.TrimSpace(clientSecretString)
return clientSecretString, nil
}
return "", nil
}

// Get fetches the gitsign config options for the repo in the current working
// directory.
func Get() (*Config, error) {
Expand Down Expand Up @@ -127,6 +148,7 @@ func Get() (*Config, error) {
out.FulcioRoot = envOrValue(fmt.Sprintf("%s_FULCIO_ROOT", prefix), out.FulcioRoot)
out.Rekor = envOrValue(fmt.Sprintf("%s_REKOR_URL", prefix), out.Rekor)
out.ClientID = envOrValue(fmt.Sprintf("%s_OIDC_CLIENT_ID", prefix), out.ClientID)
out.clientSecretFile = envOrValue(fmt.Sprintf("%s_OIDC_CLIENT_SECRET_FILE", prefix), out.clientSecretFile)
out.RedirectURL = envOrValue(fmt.Sprintf("%s_OIDC_REDIRECT_URL", prefix), out.RedirectURL)
out.Issuer = envOrValue(fmt.Sprintf("%s_OIDC_ISSUER", prefix), out.Issuer)
out.ConnectorID = envOrValue(fmt.Sprintf("%s_CONNECTOR_ID", prefix), out.ConnectorID)
Expand Down Expand Up @@ -198,6 +220,8 @@ func applyGitOptions(out *Config, cfg map[string]string) {
out.RekorMode = v
case strings.EqualFold(k, "gitsign.clientID"):
out.ClientID = v
case strings.EqualFold(k, "gitsign.clientSecretFile"):
out.clientSecretFile = v
case strings.EqualFold(k, "gitsign.redirectURL"):
out.RedirectURL = v
case strings.EqualFold(k, "gitsign.issuer"):
Expand Down
2 changes: 1 addition & 1 deletion internal/config/config_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -99,7 +99,7 @@ func TestGet(t *testing.T) {
t.Fatal(err)
}

if diff := cmp.Diff(want, got); diff != "" {
if diff := cmp.Diff(want, got, cmp.AllowUnexported(Config{})); diff != "" {
t.Error(diff)
}
}
15 changes: 11 additions & 4 deletions internal/fulcio/identity.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -195,6 +195,12 @@ func NewIdentityFactory(in io.Reader, out io.Writer) *IdentityFactory {
func (f *IdentityFactory) NewIdentity(ctx context.Context, cfg *config.Config) (*Identity, error) {
clientID := cfg.ClientID

clientSecret, err := cfg.ClientSecret()

if err != nil {
return nil, err
}

// Autoclose only works if we don't go through the identity selection page
// (otherwise it'll show a countdown timer that doesn't work)
if cfg.ConnectorID == "" {
Expand Down Expand Up @@ -247,10 +253,11 @@ func (f *IdentityFactory) NewIdentity(ctx context.Context, cfg *config.Config) (

client, err := fulcio.NewClient(cfg.Fulcio,
fulcio.OIDCOptions{
Issuer: cfg.Issuer,
ClientID: clientID,
RedirectURL: cfg.RedirectURL,
TokenGetter: authFlow,
Issuer: cfg.Issuer,
ClientID: clientID,
ClientSecret: clientSecret,
RedirectURL: cfg.RedirectURL,
TokenGetter: authFlow,
})
if err != nil {
return nil, fmt.Errorf("error creating Fulcio client: %w", err)
Expand Down
Loading