From 707a2cbda9695c643e43d60c79f5732dfae395bb Mon Sep 17 00:00:00 2001
From: Billy Lynch
Date: Thu, 25 Aug 2022 13:42:25 -0400
Subject: [PATCH] Recognize SIGSTORE_ prefixed environment variables. (#123)

For values that may have shared meaning across sigstore tools, recongize GITSIGN_ and SIGSTORE_ prefixed variables. Note there's not an authoritative list on what environment variables are compatible across tools - we should figure out where this should go long term.

Signed-off-by: Billy Lynch
---
 README.md | 27 ++++++++++++++++-----------
 internal/config/config.go | 19 +++++++++++++------
 internal/config/config_test.go | 11 ++++++++++-
 3 files changed, 39 insertions(+), 18 deletions(-)

diff --git a/README.md b/README.md
index 7b38ea94..01efc0e5 100644
--- a/README.md
+++ b/README.md
@@ -66,20 +66,25 @@ The following config options are supported:
 | issuer | https://oauth2.sigstore.dev/auth | OIDC provider to be used to issue ID token |
 | redirectURL | | OIDC Redirect URL |
 | rekor | https://rekor.sigstore.dev | Address of Rekor server |
-| connectorID | | Optional Connector ID to auto-select to pre-select auth flow to use. For the public sigstore instance, valid values are:
- `https://github.com/login/oauth`
- `https://accounts.google.com`
- `https://login.microsoftonline.com`| +| connectorID | | Optional Connector ID to auto-select to pre-select auth flow to use. For the public sigstore instance, valid values are:
- `https://github.com/login/oauth`
- `https://accounts.google.com`
- `https://login.microsoftonline.com` | ### Environment Variables -| Environment Variable | Default | Description | -| ------------------------- | -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| GITSIGN_CREDENTIAL_CACHE | | Optional path to [gitsign-credential-cache](cmd/gitsign-credential-cache/README.md) socket. | -| GITSIGN_CONNECTOR_ID | | Optional Connector ID to auto-select to pre-select auth flow to use. For the public sigstore instance, valid values are:
- `https://github.com/login/oauth`
- `https://accounts.google.com`
- `https://login.microsoftonline.com`| -| GITSIGN_FULCIO_URL | https://fulcio.sigstore.dev | Address of Fulcio server | -| GITSIGN_LOG | | Path to log status output. Helpful for debugging when no TTY is available in the environment. | -| GITSIGN_OIDC_CLIENT_ID | sigstore | OIDC client ID for application | -| GITSIGN_OIDC_ISSUER | https://oauth2.sigstore.dev/auth | OIDC provider to be used to issue ID token | -| GITSIGN_OIDC_REDIRECT_URL | | OIDC Redirect URL | -| GITSIGN_REKOR_URL | https://rekor.sigstore.dev | Address of Rekor server | +| Environment Variable | Sigstore
Prefix | Default | Description | +| ------------------------- | ------------------ | -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| GITSIGN_CREDENTIAL_CACHE | ❌ | | Optional path to [gitsign-credential-cache](cmd/gitsign-credential-cache/README.md) socket. | +| GITSIGN_CONNECTOR_ID | ✅ | | Optional Connector ID to auto-select to pre-select auth flow to use. For the public sigstore instance, valid values are:
- `https://github.com/login/oauth`
- `https://accounts.google.com`
- `https://login.microsoftonline.com` | +| GITSIGN_FULCIO_URL | ✅ | https://fulcio.sigstore.dev | Address of Fulcio server | +| GITSIGN_LOG | ❌ | | Path to log status output. Helpful for debugging when no TTY is available in the environment. | +| GITSIGN_OIDC_CLIENT_ID | ✅ | sigstore | OIDC client ID for application | +| GITSIGN_OIDC_ISSUER | ✅ | https://oauth2.sigstore.dev/auth | OIDC provider to be used to issue ID token | +| GITSIGN_OIDC_REDIRECT_URL | ✅ | | OIDC Redirect URL | +| GITSIGN_REKOR_URL | ✅ | https://rekor.sigstore.dev | Address of Rekor server | + +For environment variables that support `Sigstore Prefix`, the values may be +provided with either a `GITSIGN_` or `SIGSTORE_` prefix - e.g. +`GITSIGN_CONNECTOR_ID` or `SIGSTORE_CONNECTOR_ID`. If both environment variables +are set, `GITSIGN_` prefix takes priority. ## Usage diff --git a/internal/config/config.go b/internal/config/config.go index cc4c9dd7..8ef2b12a 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -15,6 +15,7 @@ package config import ( + "fmt" "os" "github.com/go-git/go-git/v5" 
@@ -77,13 +78,19 @@ func getWithRepo(repo *git.Repository) (*Config, error) {
 	}
 
 	// Get values from env vars
-	out.Fulcio = envOrValue("GITSIGN_FULCIO_URL", out.Fulcio)
-	out.Rekor = envOrValue("GITSIGN_REKOR_URL", out.Rekor)
-	out.ClientID = envOrValue("GITSIGN_OIDC_CLIENT_ID", out.ClientID)
-	out.RedirectURL = envOrValue("GITSIGN_OIDC_REDIRECT_URL", out.RedirectURL)
-	out.Issuer = envOrValue("GITSIGN_OIDC_ISSUER", out.Issuer)
+
+	// Check for common environment variables that could be shared with other
+	// Sigstore tools. Gitsign envs should take precedence.
+	for _, prefix := range []string{"SIGSTORE", "GITSIGN"} {
+		out.Fulcio = envOrValue(fmt.Sprintf("%s_FULCIO_URL", prefix), out.Fulcio)
+		out.Rekor = envOrValue(fmt.Sprintf("%s_REKOR_URL", prefix), out.Rekor)
+		out.ClientID = envOrValue(fmt.Sprintf("%s_OIDC_CLIENT_ID", prefix), out.ClientID)
+		out.RedirectURL = envOrValue(fmt.Sprintf("%s_OIDC_REDIRECT_URL", prefix), out.RedirectURL)
+		out.Issuer = envOrValue(fmt.Sprintf("%s_OIDC_ISSUER", prefix), out.Issuer)
+		out.ConnectorID = envOrValue(fmt.Sprintf("%s_CONNECTOR_ID", prefix), out.ConnectorID)
+	}
+
 	out.LogPath = envOrValue("GITSIGN_LOG", out.LogPath)
-	out.ConnectorID = envOrValue("GITSIGN_CONNECTOR_ID", out.ConnectorID)
 
 	return out, nil
 }
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
index 73b3c05a..d5ef4d32 100644
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -65,6 +65,13 @@ func TestGet(t *testing.T) {
 	// This just overrides default value.
 	t.Setenv("GITSIGN_OIDC_ISSUER", "tacocat")
 
+	// Recognize SIGSTORE prefixes.
+	t.Setenv("SIGSTORE_OIDC_REDIRECT_URL", "example.com")
+
+	// GITSIGN prefix takes priority over SIGSTORE.
+	t.Setenv("SIGSTORE_CONNECTOR_ID", "foo")
+	t.Setenv("GITSIGN_CONNECTOR_ID", "bar")
+
 	want := &Config{
 		// Default overridden by config
 		Fulcio: "example.com",
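Review bot: The GITSIGN_ precedence in the new prefix loop holds only because "GITSIGN" is listed last in the slice literal, and the comment above the `for` states the intended outcome rather than the mechanism; since these variables select the Fulcio, Rekor and OIDC issuer endpoints gitsign trusts, that ordering deserves an explicit comment such as `// Later prefixes override earlier ones: GITSIGN_ is listed last so it wins over a SIGSTORE_ value shared with other tools.` The `fmt.Sprintf` calls can be plain concatenation, e.g. `out.Fulcio = envOrValue(prefix+"_FULCIO_URL", out.Fulcio)`, which also makes the new `fmt` import unnecessary. Whether a set-but-empty `SIGSTORE_*` variable counts as unset depends on `envOrValue`, which is outside this hunk; if it does not, an empty value would clear a setting read from git config, and the test in config_test.go only covers the non-empty override and the GITSIGN_-over-SIGSTORE_ case. getWithRepo begins before the hunk.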
@@ -73,7 +80,9 @@ func TestGet(t *testing.T) {
 		// Default value
 		ClientID: "sigstore",
 		// Overridden by env var
-		Issuer: "tacocat",
+		Issuer: "tacocat",
+		RedirectURL: "example.com",
+		ConnectorID: "bar",
 	}
 
 	got, err := getWithRepo(repo)