Recognize SIGSTORE_ prefixed environment variables. (#123)
For values that may have shared meaning across sigstore tools, recognize
GITSIGN_ and SIGSTORE_ prefixed variables.

Note there's not an authoritative list on what environment variables
are compatible across tools - we should figure out where this should go long term.

Signed-off-by: Billy Lynch <billy@chainguard.dev>
wlynch committed Aug 25, 2022
1 parent cff750b commit 707a2cb
Showing 3 changed files with 39 additions and 18 deletions.
27 changes: 16 additions & 11 deletions README.md
Expand Up @@ -66,20 +66,25 @@ The following config options are supported:
| issuer | https://oauth2.sigstore.dev/auth | OIDC provider to be used to issue ID token |
| redirectURL | | OIDC Redirect URL |
| rekor | https://rekor.sigstore.dev | Address of Rekor server |
| connectorID | | Optional Connector ID to auto-select to pre-select auth flow to use. For the public sigstore instance, valid values are:<br>- `https://github.com/login/oauth`<br>- `https://accounts.google.com`<br>- `https://login.microsoftonline.com`|
| connectorID | | Optional Connector ID to auto-select to pre-select auth flow to use. For the public sigstore instance, valid values are:<br>- `https://github.com/login/oauth`<br>- `https://accounts.google.com`<br>- `https://login.microsoftonline.com` |

### Environment Variables

| Environment Variable | Default | Description |
| ------------------------- | -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| GITSIGN_CREDENTIAL_CACHE | | Optional path to [gitsign-credential-cache](cmd/gitsign-credential-cache/README.md) socket. |
| GITSIGN_CONNECTOR_ID | | Optional Connector ID to auto-select to pre-select auth flow to use. For the public sigstore instance, valid values are:<br>- `https://github.com/login/oauth`<br>- `https://accounts.google.com`<br>- `https://login.microsoftonline.com`|
| GITSIGN_FULCIO_URL | https://fulcio.sigstore.dev | Address of Fulcio server |
| GITSIGN_LOG | | Path to log status output. Helpful for debugging when no TTY is available in the environment. |
| GITSIGN_OIDC_CLIENT_ID | sigstore | OIDC client ID for application |
| GITSIGN_OIDC_ISSUER | https://oauth2.sigstore.dev/auth | OIDC provider to be used to issue ID token |
| GITSIGN_OIDC_REDIRECT_URL | | OIDC Redirect URL |
| GITSIGN_REKOR_URL | https://rekor.sigstore.dev | Address of Rekor server |
| Environment Variable | Sigstore<br>Prefix | Default | Description |
| ------------------------- | ------------------ | -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| GITSIGN_CREDENTIAL_CACHE || | Optional path to [gitsign-credential-cache](cmd/gitsign-credential-cache/README.md) socket. |
| GITSIGN_CONNECTOR_ID || | Optional Connector ID to auto-select to pre-select auth flow to use. For the public sigstore instance, valid values are:<br>- `https://github.com/login/oauth`<br>- `https://accounts.google.com`<br>- `https://login.microsoftonline.com` |
| GITSIGN_FULCIO_URL || https://fulcio.sigstore.dev | Address of Fulcio server |
| GITSIGN_LOG || | Path to log status output. Helpful for debugging when no TTY is available in the environment. |
| GITSIGN_OIDC_CLIENT_ID || sigstore | OIDC client ID for application |
| GITSIGN_OIDC_ISSUER || https://oauth2.sigstore.dev/auth | OIDC provider to be used to issue ID token |
| GITSIGN_OIDC_REDIRECT_URL || | OIDC Redirect URL |
| GITSIGN_REKOR_URL || https://rekor.sigstore.dev | Address of Rekor server |

For environment variables that support `Sigstore Prefix`, the values may be
provided with either a `GITSIGN_` or `SIGSTORE_` prefix - e.g.
`GITSIGN_CONNECTOR_ID` or `SIGSTORE_CONNECTOR_ID`. If both environment variables
are set, `GITSIGN_` prefix takes priority.

## Usage

Expand Down
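Review bot: the new `Sigstore<br>Prefix` column is empty on every row (each cell renders as `||`), so the paragraph below that says values "may be provided with either a `GITSIGN_` or `SIGSTORE_` prefix" for variables that "support `Sigstore Prefix`" gives the reader nothing to match against. Fill the column with an explicit marker (for example `Yes`) on the rows the prefix loop in `internal/config/config.go` actually reads under both prefixes (Fulcio URL, Rekor URL, OIDC client ID, OIDC issuer, OIDC redirect URL, connector ID) and leave it blank for `GITSIGN_CREDENTIAL_CACHE` and `GITSIGN_LOG`, which stay `GITSIGN_`-only. It is also worth a sentence that `SIGSTORE_` values can be inherited from an environment configured for a different Sigstore tool, because that is now a way the Fulcio or Rekor address can change with no `GITSIGN_` variable set at all.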
19 changes: 13 additions & 6 deletions internal/config/config.go
Expand Up @@ -15,6 +15,7 @@
package config

import (
"fmt"
"os"

"github.com/go-git/go-git/v5"
Expand Down Expand Up @@ -77,13 +78,19 @@ func getWithRepo(repo *git.Repository) (*Config, error) {
}

// Get values from env vars
out.Fulcio = envOrValue("GITSIGN_FULCIO_URL", out.Fulcio)
out.Rekor = envOrValue("GITSIGN_REKOR_URL", out.Rekor)
out.ClientID = envOrValue("GITSIGN_OIDC_CLIENT_ID", out.ClientID)
out.RedirectURL = envOrValue("GITSIGN_OIDC_REDIRECT_URL", out.RedirectURL)
out.Issuer = envOrValue("GITSIGN_OIDC_ISSUER", out.Issuer)

// Check for common environment variables that could be shared with other
// Sigstore tools. Gitsign envs should take precedence.
for _, prefix := range []string{"SIGSTORE", "GITSIGN"} {
out.Fulcio = envOrValue(fmt.Sprintf("%s_FULCIO_URL", prefix), out.Fulcio)
out.Rekor = envOrValue(fmt.Sprintf("%s_REKOR_URL", prefix), out.Rekor)
out.ClientID = envOrValue(fmt.Sprintf("%s_OIDC_CLIENT_ID", prefix), out.ClientID)
out.RedirectURL = envOrValue(fmt.Sprintf("%s_OIDC_REDIRECT_URL", prefix), out.RedirectURL)
out.Issuer = envOrValue(fmt.Sprintf("%s_OIDC_ISSUER", prefix), out.Issuer)
out.ConnectorID = envOrValue(fmt.Sprintf("%s_CONNECTOR_ID", prefix), out.ConnectorID)
}

out.LogPath = envOrValue("GITSIGN_LOG", out.LogPath)
out.ConnectorID = envOrValue("GITSIGN_CONNECTOR_ID", out.ConnectorID)

return out, nil
}
Expand Down
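Review bot: the precedence between prefixes rests only on the element order of `[]string{"SIGSTORE", "GITSIGN"}` together with `envOrValue` returning the current value when a variable is unset, but the comment says `Gitsign envs should take precedence` without saying why the order achieves that; say it in the comment (later prefixes override earlier ones). Better still, fold the six `fmt.Sprintf` calls into a helper such as `envWithPrefixes("FULCIO_URL", out.Fulcio)` that iterates the prefixes internally, so each field's lookup is one line and the intentionally `GITSIGN_`-only `GITSIGN_LOG` lookup stands out as the exception rather than being easy to confuse with an omission. Since `SIGSTORE_FULCIO_URL` and `SIGSTORE_REKOR_URL` can now come from an environment prepared for another tool, consider recording in the `GITSIGN_LOG` output which variable supplied each address, so an unexpected endpoint is diagnosable from the log.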
11 changes: 10 additions & 1 deletion internal/config/config_test.go
Expand Up @@ -65,6 +65,13 @@ func TestGet(t *testing.T) {
// This just overrides default value.
t.Setenv("GITSIGN_OIDC_ISSUER", "tacocat")

// Recognize SIGSTORE prefixes.
t.Setenv("SIGSTORE_OIDC_REDIRECT_URL", "example.com")

// GITSIGN prefix takes priority over SIGSTORE.
t.Setenv("SIGSTORE_CONNECTOR_ID", "foo")
t.Setenv("GITSIGN_CONNECTOR_ID", "bar")

want := &Config{
// Default overridden by config
Fulcio: "example.com",
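Review bot: `t.Setenv` only adds variables, so the SIGSTORE-only case for `SIGSTORE_OIDC_REDIRECT_URL` is masked if the developer's shell already exports `GITSIGN_OIDC_REDIRECT_URL`; either clear it here with `t.Setenv("GITSIGN_OIDC_REDIRECT_URL", "")` (if `envOrValue` treats an empty value as unset) or note that the test assumes a clean environment. Also, `"example.com"` is already the Fulcio value this test expects from the config file; a distinct string such as `"redirect.example"` lets a failing assertion point at the right source.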
Expand All @@ -73,7 +80,9 @@ func TestGet(t *testing.T) {
// Default value
ClientID: "sigstore",
// Overridden by env var
Issuer: "tacocat",
Issuer: "tacocat",
RedirectURL: "example.com",
ConnectorID: "bar",
}

got, err := getWithRepo(repo)
Expand Down
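Review bot: the single `// Overridden by env var` comment now covers three fields with three different sources (`Issuer` from `GITSIGN_` only, `RedirectURL` from `SIGSTORE_` only, `ConnectorID` with `GITSIGN_` winning over `SIGSTORE_`); one short comment per field naming the prefix that won makes a mismatch on `ConnectorID: "bar"` immediately readable as a precedence regression rather than a generic env-var failure.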
