
     1  //
     2  // Copyright 2021 The Sigstore Authors.
     3  //
     4  // Licensed under the Apache License, Version 2.0 (the "License");
     5  // you may not use this file except in compliance with the License.
     6  // You may obtain a copy of the License at
     7  //
     8  //     http://www.apache.org/licenses/LICENSE-2.0
     9  //
    10  // Unless required by applicable law or agreed to in writing, software
    11  // distributed under the License is distributed on an "AS IS" BASIS,
    12  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  // See the License for the specific language governing permissions and
    14  // limitations under the License.
    15  
    16  package spiffe
    17  
    18  import (
    19  	"context"
    20  	"os"
    21  
    22  	"github.com/spiffe/go-spiffe/v2/svid/jwtsvid"
    23  
    24  	"github.com/sigstore/cosign/v2/pkg/cosign/env"
    25  	"github.com/sigstore/cosign/v2/pkg/providers"
    26  	"github.com/spiffe/go-spiffe/v2/workloadapi"
    27  )
    28  
// init registers this provider with the providers registry under the
// name "spiffe".
func init() {
	providers.Register("spiffe", new(spiffe))
}
    32  
// spiffe is a providers.Interface implementation that obtains a JWT-SVID
// from a SPIFFE Workload API socket (see Provide). It carries no state.
type spiffe struct{}

// Compile-time check that *spiffe satisfies providers.Interface.
var _ providers.Interface = (*spiffe)(nil)
    36  
const (
	// defaultSocketPath is the SPIFFE Workload API socket used when
	// env.VariableSPIFFEEndpointSocket is unset (see getSocketPath).
	// Provide prepends "unix://" to it, so this is a bare filesystem
	// path, not a URI.
	// NOTE(review): the path lives under /tmp, which is typically
	// writable by every local user; deployments should pin the socket
	// location via the environment variable rather than rely on this
	// default.
	// nolint
	defaultSocketPath = "/tmp/spire-agent/public/api.sock"
)
    43  
// getSocketPath returns the Workload API socket path to use: the value of
// env.VariableSPIFFEEndpointSocket when it is non-empty, otherwise
// defaultSocketPath. The value is returned as-is; callers that build a
// URI from it (see Provide) add the scheme themselves.
func getSocketPath() string {
	socket := env.Getenv(env.VariableSPIFFEEndpointSocket)
	if socket == "" {
		return defaultSocketPath
	}
	return socket
}
    52  
// Enabled implements providers.Interface. It reports whether something
// exists at the configured socket path; it does not verify that the path
// is a Unix socket or that a Workload API is actually listening on it.
func (ga *spiffe) Enabled(_ context.Context) bool {
	if _, err := os.Stat(getSocketPath()); err != nil {
		// Any stat failure (missing path, permission denied, ...) disables
		// the provider.
		return false
	}
	return true
}
    59  
// Provide implements providers.Interface. It connects to the Workload API
// over the Unix socket named by getSocketPath (the `SPIFFE_ENDPOINT_SOCKET`
// environment variable when set, defaultSocketPath otherwise), fetches a
// JWT-SVID for the given audience and returns it in the form produced by
// svid.Marshal. Errors from client setup and from the fetch are returned
// to the caller unwrapped.
func (ga *spiffe) Provide(ctx context.Context, audience string) (string, error) {
	// "unix://" is prepended unconditionally, so the configured value must be
	// a bare filesystem path rather than a URI.
	addr := "unix://" + getSocketPath()
	client, err := workloadapi.New(ctx, workloadapi.WithAddr(addr))
	if err != nil {
		return "", err
	}
	defer client.Close()

	params := jwtsvid.Params{Audience: audience}
	svid, err := client.FetchJWTSVID(ctx, params)
	if err != nil {
		return "", err
	}
	return svid.Marshal(), nil
}
    80  
