Add ability to override the Spiffe socket via environmental variable: (…

…#1421) SPIFFE_ENDPOINT_SOCKET Signed-off-by: Ville Aikas <[email protected]>
sigstore · Feb 8, 2022 · 691dfa3 · 691dfa3
1 parent 4a67440
commit 691dfa3
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 6 deletions.
diff --git a/pkg/providers/spiffe/spiffe.go b/pkg/providers/spiffe/spiffe.go
@@ -34,24 +34,36 @@ type spiffe struct{}
 var _ providers.Interface = (*spiffe)(nil)
 
 const (
-	// socketPath is the path to where we read an OIDC
-	// token from the spiffe.
+	// defaultSocketPath is the path to where we read an OIDC
+	// token from the spiffe by default.
 	// nolint
-	socketPath = "/tmp/spire-agent/public/api.sock"
+	defaultSocketPath = "/tmp/spire-agent/public/api.sock"
+	// This allows you to specify non-default Spiffe socket to use.
+	socketEnv = "SPIFFE_ENDPOINT_SOCKET"
 )
 
+// getSocketPath gets which Spiffe socket to use. Either default
+// or the one specified by environment variable.
+func getSocketPath() string {
+	if env := os.Getenv(socketEnv); env != "" {
+		return env
+	}
+	return defaultSocketPath
+}
+
 // Enabled implements providers.Interface
 func (ga *spiffe) Enabled(ctx context.Context) bool {
 	// If we can stat the file without error then this is enabled.
-	_, err := os.Stat(socketPath)
+	_, err := os.Stat(getSocketPath())
 	return err == nil
 }
 
 // Provide implements providers.Interface
 func (ga *spiffe) Provide(ctx context.Context, audience string) (string, error) {
 	// Creates a new Workload API client, connecting to provided socket path
-	// Environment variable `SPIFFE_ENDPOINT_SOCKET` is used as default
-	client, err := workloadapi.New(ctx, workloadapi.WithAddr("unix://"+socketPath))
+	// Environment variable `SPIFFE_ENDPOINT_SOCKET` is used if given and
+	// defaultSocketPath if not.
+	client, err := workloadapi.New(ctx, workloadapi.WithAddr("unix://"+getSocketPath()))
 	if err != nil {
 		return "", err
 	}

diff --git a/pkg/providers/spiffe/spiffe_test.go b/pkg/providers/spiffe/spiffe_test.go
@@ -0,0 +1,33 @@
+// Copyright 2022 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package spiffe
+
+import (
+	"os"
+
+	"testing"
+)
+
+const nonDefault = "/run/sockets/spire"
+
+func TestGetSocketPath(t *testing.T) {
+	if got := getSocketPath(); got != defaultSocketPath {
+		t.Errorf("Expected %s got %s", defaultSocketPath, got)
+	}
+	os.Setenv(socketEnv, nonDefault)
+	if got := getSocketPath(); got != nonDefault {
+		t.Errorf("Expected %s got %s", nonDefault, got)
+	}
+}