// // Copyright 2021 The Sigstore Authors. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package spiffe import ( "context" "os" "github.com/spiffe/go-spiffe/v2/svid/jwtsvid" "github.com/sigstore/cosign/v2/pkg/cosign/env" "github.com/sigstore/cosign/v2/pkg/providers" "github.com/spiffe/go-spiffe/v2/workloadapi" ) func init() { providers.Register("spiffe", &spiffe{}) } type spiffe struct{} var _ providers.Interface = (*spiffe)(nil) const ( // defaultSocketPath is the path to where we read an OIDC // token from the spiffe by default. // nolint defaultSocketPath = "/tmp/spire-agent/public/api.sock" ) // getSocketPath gets which Spiffe socket to use. Either default // or the one specified by environment variable. func getSocketPath() string { if env := env.Getenv(env.VariableSPIFFEEndpointSocket); env != "" { return env } return defaultSocketPath } // Enabled implements providers.Interface func (ga *spiffe) Enabled(_ context.Context) bool { // If we can stat the file without error then this is enabled. _, err := os.Stat(getSocketPath()) return err == nil } // Provide implements providers.Interface func (ga *spiffe) Provide(ctx context.Context, audience string) (string, error) { // Creates a new Workload API client, connecting to provided socket path // Environment variable `SPIFFE_ENDPOINT_SOCKET` is used if given and // defaultSocketPath if not. client, err := workloadapi.New(ctx, workloadapi.WithAddr("unix://"+getSocketPath())) if err != nil { return "", err } defer client.Close() svid, err := client.FetchJWTSVID(ctx, jwtsvid.Params{ Audience: audience, }) if err != nil { return "", err } return svid.Marshal(), nil }