Add a "filesystem" OIDC provider.

This change adds an ambient OIDC provider that will enable when the following
filesystem path is populated: `/var/run/sigstore/cosign/oidc-token`.  The intended
use of this (primarily) is to enable consuming Kubernetes OIDC tokens produced
through Service Account Projected Volumes.

To consume this you would add the following to your Kubernetes pod spec:
```yaml
      containers:
      - name: my-container-name
        image: ...
        volumeMounts:
        - name: oidc-info
          mountPath: /var/run/sigstore/cosign

      volumes:
        - name: oidc-info
          projected:
            sources:
              - serviceAccountToken:
                  path: oidc-token
                  expirationSeconds: 600 # Use as short-lived as possible.
                  audience: sigstore
```

This would also work with Tekton step definitions, or other things that permit
the use of projected volumes.

Note: Fulcio doesn't currently allow any Kubernetes provider OIDC tokens on the
public instance, but one of the things I plan to look at next is supporting the
endpoints from GKE and EKS (both of which have public discovery endpoints).

Related: sigstore/fulcio#219
Related: sigstore/fulcio#212

Signed-off-by: Matt Moore <mattomata@gmail.com>

pkg/providers/all/all.go

@@ -19,6 +19,7 @@ import (
 	"github.com/sigstore/cosign/pkg/providers"
 
 	// Link in all of the providers.
+	_ "github.com/sigstore/cosign/pkg/providers/filesystem"
 	_ "github.com/sigstore/cosign/pkg/providers/github"
 	_ "github.com/sigstore/cosign/pkg/providers/google"
 )

pkg/providers/filesystem/doc.go

@@ -0,0 +1,21 @@
+//
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package filesystem defines an implementation of the providers.Interface
+// that reads identity tokens from a well-known filesystem location.
+// This is intended for use with Kubernetes Service Account Projected Volumes,
+// but nothing is stopping other systems from placing identity tokens in
+// the same place.
+package filesystem

pkg/providers/filesystem/filesystem.go

@@ -0,0 +1,51 @@
+//
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package filesystem
+
+import (
+	"context"
+	"os"
+
+	"github.com/sigstore/cosign/pkg/providers"
+)
+
+func init() {
+	providers.Register("filesystem", &filesystem{})
+}
+
+type filesystem struct{}
+
+var _ providers.Interface = (*filesystem)(nil)
+
+const (
+	FilesystemTokenPath = "/var/run/sigstore/cosign/oidc-token"
+)
+
+// Enabled implements providers.Interface
+func (ga *filesystem) Enabled(ctx context.Context) bool {
+	// If we can stat the file without error then this is enabled.
+	_, err := os.Stat(FilesystemTokenPath)
+	return err == nil
+}
+
+// Provide implements providers.Interface
+func (ga *filesystem) Provide(ctx context.Context, audience string) (string, error) {
+	b, err := os.ReadFile(FilesystemTokenPath)
+	if err != nil {
+		return "", err
+	}
+	return string(b), nil
+}