Add debug providers command. (#3728)

When trying to run cosign on a remote workstation it would be nice to have a command to confirm the OIDC provider behavior of what is/isn't enabled and in what order. This PR adds a new hidden debug subcommand, with a debug providers subcommand that prints out the list of orderd providers and whether or not they are enabled. Signed-off-by: Billy Lynch <billy@chainguard.dev>
sigstore · Jun 11, 2024 · ca1733a · ca1733a
1 parent 5bbccd5
commit ca1733a
Show file tree

Hide file tree

Showing 4 changed files with 96 additions and 14 deletions.
diff --git a/cmd/cosign/cli/commands.go b/cmd/cosign/cli/commands.go
@@ -96,6 +96,7 @@ func New() *cobra.Command {
 	cmd.AddCommand(Attest())
 	cmd.AddCommand(AttestBlob())
 	cmd.AddCommand(Clean())
+	cmd.AddCommand(Debug())
 	cmd.AddCommand(Tree())
 	cmd.AddCommand(Completion())
 	cmd.AddCommand(Copy())

diff --git a/cmd/cosign/cli/debug.go b/cmd/cosign/cli/debug.go
@@ -0,0 +1,43 @@
+// Copyright 2024 The Sigstore Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cli
+
+import (
+	"github.com/sigstore/cosign/v2/cmd/cosign/cli/debug"
+	"github.com/spf13/cobra"
+)
+
+func Debug() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:    "debug",
+		Hidden: true,
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			return cmd.Help()
+		},
+	}
+	cmd.AddCommand(debugProviders())
+	return cmd
+}
+
+func debugProviders() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "providers",
+		Short: "Show enabled/disabled OIDC providers.",
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			return debug.ProviderCmd(cmd.Context(), cmd.OutOrStdout())
+		},
+	}
+	return cmd
+}
diff --git a/cmd/cosign/cli/debug/provider.go b/cmd/cosign/cli/debug/provider.go
@@ -0,0 +1,30 @@
+// Copyright 2024 The Sigstore Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package debug
+
+import (
+	"context"
+	"fmt"
+	"io"
+
+	"github.com/sigstore/cosign/v2/pkg/providers"
+)
+
+func ProviderCmd(ctx context.Context, w io.Writer) error {
+	for _, p := range providers.Providers() {
+		fmt.Fprintf(w, "%s: %t\n", p.Name, p.Provider.Enabled(ctx))
+	}
+	return nil
+}
diff --git a/pkg/providers/interface.go b/pkg/providers/interface.go
@@ -24,12 +24,12 @@ import (
 
 var (
 	m         sync.Mutex
-	providers []providerEntry
+	providers []ProviderEntry
 )
 
-type providerEntry struct {
-	name string
-	p    Interface
+type ProviderEntry struct {
+	Name     string
+	Provider Interface
 }
 
 // Interface is what providers need to implement to participate in furnishing OIDC tokens.
@@ -47,20 +47,20 @@ func Register(name string, p Interface) {
 	defer m.Unlock()
 
 	for _, pe := range providers {
-		if pe.name == name {
-			panic(fmt.Sprintf("duplicate provider for name %q, %T and %T", name, pe.p, p))
+		if pe.Name == name {
+			panic(fmt.Sprintf("duplicate provider for name %q, %T and %T", name, pe.Provider, p))
 		}
 	}
-	providers = append(providers, providerEntry{name: name, p: p})
+	providers = append(providers, ProviderEntry{Name: name, Provider: p})
 }
 
 // Enabled checks whether any of the registered providers are enabled in this execution context.
 func Enabled(ctx context.Context) bool {
 	m.Lock()
 	defer m.Unlock()
 
-	for _, provider := range providers {
-		if provider.p.Enabled(ctx) {
+	for _, pe := range providers {
+		if pe.Provider.Enabled(ctx) {
 			return true
 		}
 	}
@@ -74,11 +74,12 @@ func Provide(ctx context.Context, audience string) (string, error) {
 
 	var id string
 	var err error
-	for _, provider := range providers {
-		if !provider.p.Enabled(ctx) {
+	for _, pe := range providers {
+		p := pe.Provider
+		if !p.Enabled(ctx) {
 			continue
 		}
-		id, err = provider.p.Provide(ctx, audience)
+		id, err = p.Provide(ctx, audience)
 		if err == nil {
 			return id, nil
 		}
@@ -97,9 +98,16 @@ func ProvideFrom(_ context.Context, provider string) (Interface, error) {
 	defer m.Unlock()
 
 	for _, p := range providers {
-		if p.name == provider {
-			return p.p, nil
+		if p.Name == provider {
+			return p.Provider, nil
 		}
 	}
 	return nil, fmt.Errorf("%s is not a valid provider", provider)
 }
+
+func Providers() []ProviderEntry {
+	m.Lock()
+	defer m.Unlock()
+
+	return providers
+}