Merge pull request #925 from sigstore/tokenstring

Make token string oidc client available outside of cli

Author: vlsi

sigstore-cli/src/main/java/dev/sigstore/cli/Sign.java

@@ -18,6 +18,7 @@
 import dev.sigstore.KeylessSigner;
 import dev.sigstore.TrustedRootProvider;
 import dev.sigstore.oidc.client.OidcClients;
+import dev.sigstore.oidc.client.TokenStringOidcClient;
 import dev.sigstore.tuf.RootProvider;
 import dev.sigstore.tuf.SigstoreTufClient;
 import java.net.URL;
@@ -110,7 +111,7 @@ public Integer call() throws Exception {
     if (identityToken != null) {
       // If we've explicitly provided an identity token, customize the signer to only use the token
       // string OIDC client.
-      signerBuilder.oidcClients(OidcClients.of(new TokenStringOidcClient(identityToken)));
+      signerBuilder.oidcClients(OidcClients.of(TokenStringOidcClient.from(identityToken)));
     }
     var signer = signerBuilder.build();
     var bundle = signer.signFile(artifact);

…/sigstore/cli/TokenStringOidcClient.java …e/oidc/client/TokenStringOidcClient.javasigstore-cli/src/main/java/dev/sigstore/cli/TokenStringOidcClient.java renamed to sigstore-java/src/main/java/dev/sigstore/oidc/client/TokenStringOidcClient.java sigstore-cli/src/main/java/dev/sigstore/cli/TokenStringOidcClient.java renamed to sigstore-java/src/main/java/dev/sigstore/oidc/client/TokenStringOidcClient.java

@@ -13,23 +13,36 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-package dev.sigstore.cli;
+package dev.sigstore.oidc.client;
 
 import com.google.api.client.json.gson.GsonFactory;
 import com.google.api.client.json.webtoken.JsonWebSignature;
-import dev.sigstore.oidc.client.ImmutableOidcToken;
-import dev.sigstore.oidc.client.OidcClient;
-import dev.sigstore.oidc.client.OidcException;
-import dev.sigstore.oidc.client.OidcToken;
 import java.io.IOException;
 import java.util.Map;
 
+/**
+ * This should only be used when the user has an out of band mechanism for obtaining an OIDC token
+ * to be consumed by a sigstore signing event. So it should not be included in any defaults for
+ * {@link OidcClients}.
+ *
+ * <p>It's not explicitly designed for multi use, but implementers of the {@link
+ * TokenStringProvider} may include mechanisms for longer lived signing events. Each time a token is
+ * requested, the provider may execute a fetch of the token.
+ */
 public class TokenStringOidcClient implements OidcClient {
 
-  private final String idToken;
+  private final TokenStringProvider idTokenProvider;
+
+  TokenStringOidcClient(TokenStringProvider provider) {
+    this.idTokenProvider = provider;
+  }
+
+  public static TokenStringOidcClient from(TokenStringProvider provider) {
+    return new TokenStringOidcClient(provider);
+  }
 
-  public TokenStringOidcClient(String idToken) {
-    this.idToken = idToken;
+  public static TokenStringOidcClient from(String token) {
+    return new TokenStringOidcClient(() -> token);
   }
 
   @Override
@@ -40,6 +53,7 @@ public boolean isEnabled(Map<String, String> env) {
   @Override
   public OidcToken getIDToken(Map<String, String> env) throws OidcException {
     try {
+      var idToken = idTokenProvider.getTokenString();
       var jws = JsonWebSignature.parse(new GsonFactory(), idToken);
       return ImmutableOidcToken.builder()
           .idToken(idToken)
@@ -48,6 +62,13 @@ public OidcToken getIDToken(Map<String, String> env) throws OidcException {
           .build();
     } catch (IOException e) {
       throw new OidcException("Failed to parse JWT", e);
+    } catch (Exception e) {
+      throw new OidcException("Failed to obtain token", e);
     }
   }
+
+  @FunctionalInterface
+  public interface TokenStringProvider {
+    String getTokenString() throws Exception;
+  }
 }