Support Gitpod workspaces

pkg/cosign/env/env.go

@@ -63,6 +63,7 @@ const (
 	VariableGitHubToken               Variable = "GITHUB_TOKEN" //nolint:gosec
 	VariableGitHubRequestToken        Variable = "ACTIONS_ID_TOKEN_REQUEST_TOKEN"
 	VariableGitHubRequestURL          Variable = "ACTIONS_ID_TOKEN_REQUEST_URL"
+	VariableGitpodWorkspaceId         Variable = "GITPOD_WORKSPACE_ID"
 	VariableSPIFFEEndpointSocket      Variable = "SPIFFE_ENDPOINT_SOCKET"
 	VariableGoogleServiceAccountName  Variable = "GOOGLE_SERVICE_ACCOUNT_NAME"
 	VariableGitLabHost                Variable = "GITLAB_HOST"
@@ -157,6 +158,12 @@ var (
 			Sensitive:   false,
 			External:    true,
 		},
+		VariableGitpodWorkspaceId: {
+			Description: "is the ID of the workspace in Gitpod",
+			Expects:     "string with the ID of the Gitpod workspace",
+			Sensitive:   false,
+			External:    true,
+		},
 		VariableSPIFFEEndpointSocket: {
 			Description: "allows you to specify non-default SPIFFE socket to use.",
 			Expects:     "string with SPIFFE socket path",

pkg/providers/gitpod/doc.go

@@ -0,0 +1,18 @@
+//
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package gitpod defines an implementation of the providers.Interface
+// that reads identity tokens from the gitpod API within a workspace.
+package gitpod

pkg/providers/gitpod/gitpod.go

@@ -0,0 +1,72 @@
+//
+// Copyright 2021 The Sigstore Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package gitpod
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"os/exec"
+
+	"github.com/sigstore/cosign/v2/pkg/cosign/env"
+	"github.com/sigstore/cosign/v2/pkg/providers"
+)
+
+func init() {
+	providers.Register("filesystem", &gitpod{})
+}
+
+type gitpod struct{}
+
+var _ providers.Interface = (*gitpod)(nil)
+
+// Enabled implements providers.Interface
+func (ga *gitpod) Enabled(_ context.Context) bool {
+	// Check we are in a Gitpod Workspace
+	if env.Getenv(env.VariableGitpodWorkspaceId) != "" {
+
+		//Check we are able to generate tokens with a verified email address
+		output, err := exec.Command("gp", "idp", "token", "--audience", "example.org", "--decode").Output()
+		if err != nil {
+			return false
+		}
+
+		var token struct {
+			Payload *struct {
+				Email         *string `json:"email"`
+				EmailVerified bool    `json:"email_verified"`
+			} `json:"Payload"`
+		}
+		dec := json.NewDecoder(bytes.NewBuffer(output))
+		if err := dec.Decode(&token); err != nil {
+			return false
+		}
+
+		if token.Payload != nil {
+			return token.Payload.Email != nil && token.Payload.EmailVerified
+		}
+	}
+	return false
+}
+
+// Provide implements providers.Interface
+func (ga *gitpod) Provide(ctx context.Context, audience string) (string, error) {
+	token, err := exec.Command("gp", "idp", "token", "--audience", audience).Output()
+	if err != nil {
+		return "", err
+	}
+	return string(token), nil
+}