Add a "filesystem" OIDC provider. (sigstore#956)

This change adds an ambient OIDC provider that will enable when the following filesystem path is populated: `/var/run/sigstore/cosign/oidc-token`. The intended use of this (primarily) is to enable consuming Kubernetes OIDC tokens produced through Service Account Projected Volumes. To consume this you would add the following to your Kubernetes pod spec: ```yaml containers: - name: my-container-name image: ... volumeMounts: - name: oidc-info mountPath: /var/run/sigstore/cosign volumes: - name: oidc-info projected: sources: - serviceAccountToken: path: oidc-token expirationSeconds: 600 # Use as short-lived as possible. audience: sigstore ``` This would also work with Tekton step definitions, or other things that permit the use of projected volumes. Note: Fulcio doesn't currently allow any Kubernetes provider OIDC tokens on the public instance, but one of the things I plan to look at next is supporting the endpoints from GKE and EKS (both of which have public discovery endpoints). Related: sigstore/fulcio#219 Related: sigstore/fulcio#212 Signed-off-by: Matt Moore <mattomata@gmail.com> Signed-off-by: Billy Lynch <billy@chainguard.dev>
wlynch · Jun 8, 2022 · be001b7 · be001b7
1 parent f415c43
commit be001b7
Show file tree

Hide file tree

Showing 3 changed files with 76 additions and 0 deletions.
diff --git a/all/all.go b/all/all.go
@@ -19,6 +19,7 @@ import (
 	"github.com/sigstore/cosign/pkg/providers"
 
 	// Link in all of the providers.
+	_ "github.com/sigstore/cosign/pkg/providers/filesystem"
 	_ "github.com/sigstore/cosign/pkg/providers/github"
 	_ "github.com/sigstore/cosign/pkg/providers/google"
 )

diff --git a/filesystem/doc.go b/filesystem/doc.go
@@ -0,0 +1,21 @@
+//
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package filesystem defines an implementation of the providers.Interface
+// that reads identity tokens from a well-known filesystem location.
+// This is intended for use with Kubernetes Service Account Projected Volumes,
+// but nothing is stopping other systems from placing identity tokens in
+// the same place.
+package filesystem
diff --git a/filesystem/filesystem.go b/filesystem/filesystem.go
@@ -0,0 +1,54 @@
+//
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package filesystem
+
+import (
+	"context"
+	"os"
+
+	"github.com/sigstore/cosign/pkg/providers"
+)
+
+func init() {
+	providers.Register("filesystem", &filesystem{})
+}
+
+type filesystem struct{}
+
+var _ providers.Interface = (*filesystem)(nil)
+
+const (
+	// FilesystemTokenPath is the path to where we read an OIDC
+	// token from the filesystem.
+	// nolint
+	FilesystemTokenPath = "/var/run/sigstore/cosign/oidc-token"
+)
+
+// Enabled implements providers.Interface
+func (ga *filesystem) Enabled(ctx context.Context) bool {
+	// If we can stat the file without error then this is enabled.
+	_, err := os.Stat(FilesystemTokenPath)
+	return err == nil
+}
+
+// Provide implements providers.Interface
+func (ga *filesystem) Provide(ctx context.Context, audience string) (string, error) {
+	b, err := os.ReadFile(FilesystemTokenPath)
+	if err != nil {
+		return "", err
+	}
+	return string(b), nil
+}