fix: [CI-19670]: vul fix for jws version (#497)

* feat: [CI-19349]: Added oidc support for azure connector

* feat: [CI-19349]: Added env variables

* feat: [CI-19349]: Added tests

* Update cmd/drone-acr/main.go

* Update cmd/drone-acr/main.go

* feat: [CI-19349]: Added Debug statements

---------

Co-authored-by: OP (oppenheimer) <21008429+Ompragash@users.noreply.github.com>

.drone.yml

@@ -12,7 +12,7 @@ platform:
 
 steps:
   - name: vet
-    image: golang:1.22.4
+    image: golang:1.23
     commands:
       - go vet ./...
     environment:
@@ -22,7 +22,7 @@ steps:
         path: /go
 
   - name: test
-    image: golang:1.22.4
+    image: golang:1.23
     commands:
       - go test -cover ./...
     environment:
@@ -55,7 +55,7 @@ platform:
 
 steps:
   - name: go build
-    image: golang:1.22.4
+    image: golang:1.23
     environment:
       CGO_ENABLED: 0
     commands:
@@ -162,7 +162,7 @@ platform:
 
 steps:
   - name: go build
-    image: golang:1.22.7
+    image: golang:1.23
     environment:
       CGO_ENABLED: 0
     commands:
@@ -264,7 +264,7 @@ platform:
 
 steps:
   - name: build-push
-    image: golang:1.22.7
+    image: golang:1.23
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_COMMIT_SHA:0:8}" -a -tags netgo -o release/linux/amd64/drone-docker ./cmd/drone-docker'
     environment:
@@ -275,7 +275,7 @@ steps:
           - tag
 
   - name: build-tag
-    image: golang:1.22.7
+    image: golang:1.23
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v}" -a -tags netgo -o release/linux/amd64/drone-docker ./cmd/drone-docker'
     environment:
@@ -285,7 +285,7 @@ steps:
         - tag
 
   - name: executable
-    image: golang:1.22.7
+    image: golang:1.23
     commands:
       - ./release/linux/amd64/drone-docker --help
 
@@ -329,7 +329,7 @@ platform:
 
 steps:
   - name: build-push
-    image: golang:1.22.7
+    image: golang:1.23
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_COMMIT_SHA:0:8}" -a -tags netgo -o release/linux/arm64/drone-docker ./cmd/drone-docker'
     environment:
@@ -340,7 +340,7 @@ steps:
           - tag
 
   - name: build-tag
-    image: golang:1.22.7
+    image: golang:1.23
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v}" -a -tags netgo -o release/linux/arm64/drone-docker ./cmd/drone-docker'
     environment:
@@ -350,7 +350,7 @@ steps:
         - tag
 
   - name: executable
-    image: golang:1.22.7
+    image: golang:1.23
     commands:
       - ./release/linux/arm64/drone-docker --help
 
@@ -429,7 +429,7 @@ platform:
 
 steps:
   - name: build-push
-    image: golang:1.22.7
+    image: golang:1.23
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_COMMIT_SHA:0:8}" -a -tags netgo -o release/linux/amd64/drone-gcr ./cmd/drone-gcr'
     environment:
@@ -440,7 +440,7 @@ steps:
           - tag
 
   - name: build-tag
-    image: golang:1.22.7
+    image: golang:1.23
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v}" -a -tags netgo -o release/linux/amd64/drone-gcr ./cmd/drone-gcr'
     environment:
@@ -488,7 +488,7 @@ platform:
 
 steps:
   - name: build-push
-    image: golang:1.22.7
+    image: golang:1.23
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_COMMIT_SHA:0:8}" -a -tags netgo -o release/linux/arm64/drone-gcr ./cmd/drone-gcr'
     environment:
@@ -499,7 +499,7 @@ steps:
           - tag
 
   - name: build-tag
-    image: golang:1.22.7
+    image: golang:1.23
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v}" -a -tags netgo -o release/linux/arm64/drone-gcr ./cmd/drone-gcr'
     environment:
@@ -582,7 +582,7 @@ platform:
 
 steps:
   - name: build-push
-    image: golang:1.22.7
+    image: golang:1.23
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_COMMIT_SHA:0:8}" -a -tags netgo -o release/linux/amd64/drone-gar ./cmd/drone-gar'
     environment:
@@ -593,7 +593,7 @@ steps:
           - tag
 
   - name: build-tag
-    image: golang:1.22.7
+    image: golang:1.23
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v}" -a -tags netgo -o release/linux/amd64/drone-gar ./cmd/drone-gar'
     environment:
@@ -641,7 +641,7 @@ platform:
 
 steps:
   - name: build-push
-    image: golang:1.22.7
+    image: golang:1.23
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_COMMIT_SHA:0:8}" -a -tags netgo -o release/linux/arm64/drone-gar ./cmd/drone-gar'
     environment:
@@ -652,7 +652,7 @@ steps:
           - tag
 
   - name: build-tag
-    image: golang:1.22.7
+    image: golang:1.23
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v}" -a -tags netgo -o release/linux/arm64/drone-gar ./cmd/drone-gar'
     environment:
@@ -734,7 +734,7 @@ platform:
 
 steps:
   - name: build-push
-    image: golang:1.22.7
+    image: golang:1.23
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_COMMIT_SHA:0:8}" -a -tags netgo -o release/linux/amd64/drone-ecr ./cmd/drone-ecr'
     environment:
@@ -744,7 +744,7 @@ steps:
         exclude:
           - tag
   - name: build-tag
-    image: golang:1.22.7
+    image: golang:1.23
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v}" -a -tags netgo -o release/linux/amd64/drone-ecr ./cmd/drone-ecr'
     environment:
@@ -792,7 +792,7 @@ platform:
 
 steps:
   - name: build-push
-    image: golang:1.22.7
+    image: golang:1.23
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_COMMIT_SHA:0:8}" -a -tags netgo -o release/linux/arm64/drone-ecr ./cmd/drone-ecr'
     environment:
@@ -802,7 +802,7 @@ steps:
         exclude:
           - tag
   - name: build-tag
-    image: golang:1.22.7
+    image: golang:1.23
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v}" -a -tags netgo -o release/linux/arm64/drone-ecr ./cmd/drone-ecr'
     environment:
@@ -885,7 +885,7 @@ platform:
 
 steps:
   - name: build-push
-    image: golang:1.22.7
+    image: golang:1.23
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_COMMIT_SHA:0:8}" -a -tags netgo -o release/linux/amd64/drone-heroku ./cmd/drone-heroku'
     environment:
@@ -895,7 +895,7 @@ steps:
         exclude:
           - tag
   - name: build-tag
-    image: golang:1.22.7
+    image: golang:1.23
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v}" -a -tags netgo -o release/linux/amd64/drone-heroku ./cmd/drone-heroku'
     environment:
@@ -944,7 +944,7 @@ platform:
 
 steps:
   - name: build-push
-    image: golang:1.22.7
+    image: golang:1.23
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_COMMIT_SHA:0:8}" -a -tags netgo -o release/linux/arm64/drone-heroku ./cmd/drone-heroku'
     environment:
@@ -954,7 +954,7 @@ steps:
         exclude:
           - tag
   - name: build-tag
-    image: golang:1.22.7
+    image: golang:1.23
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v}" -a -tags netgo -o release/linux/arm64/drone-heroku ./cmd/drone-heroku'
     environment:
@@ -1035,7 +1035,7 @@ platform:
 
 steps:
   - name: build-push
-    image: golang:1.22.7
+    image: golang:1.23
     commands:
       - 'go build -v -ldflags "-X main.build=${DRONE_BUILD_NUMBER}" -a -tags netgo -o release/linux/amd64/drone-acr ./cmd/drone-acr'
     environment:
@@ -1045,7 +1045,7 @@ steps:
         exclude:
           - tag
   - name: build-tag
-    image: golang:1.22.7
+    image: golang:1.23
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v} -X main.build=${DRONE_BUILD_NUMBER}" -a -tags netgo -o release/linux/amd64/drone-acr ./cmd/drone-acr'
     environment:
@@ -1093,7 +1093,7 @@ platform:
 
 steps:
   - name: build-push
-    image: golang:1.22.7
+    image: golang:1.23
     commands:
       - 'go build -v -ldflags "-X main.build=${DRONE_BUILD_NUMBER}" -a -tags netgo -o release/linux/arm64/drone-acr ./cmd/drone-acr'
     environment:
@@ -1104,7 +1104,7 @@ steps:
           - tag
 
   - name: build-tag
-    image: golang:1.22.7
+    image: golang:1.23
     commands:
       - 'go build -v -ldflags "-X main.version=${DRONE_TAG##v} -X main.build=${DRONE_BUILD_NUMBER}" -a -tags netgo -o release/linux/arm64/drone-acr ./cmd/drone-acr'
     environment:

.harness/harness.yaml

@@ -119,7 +119,7 @@ pipeline:
                         repo: plugins/<+matrix.repo>
                         tags:
                           - linux-amd64
-                        caching: true
+                        caching: false
                         dockerfile: docker/<+matrix.repo>/Dockerfile.linux.amd64
                       when:
                         stageStatus: Success
@@ -206,7 +206,7 @@ pipeline:
                         repo: plugins/<+matrix.repo>
                         tags:
                           - linux-arm64
-                        caching: true
+                        caching: false
                         dockerfile: docker/<+matrix.repo>/Dockerfile.linux.arm64
                       when:
                         stageStatus: Success
@@ -293,7 +293,7 @@ pipeline:
                         repo: plugins/<+matrix.repo>
                         tags:
                           - windows-1809-amd64
-                        caching: true
+                        caching: false
                         dockerfile: docker/<+matrix.repo>/Dockerfile.windows.amd64.1809
                       when:
                         stageStatus: Success
@@ -383,7 +383,7 @@ pipeline:
                         repo: plugins/<+matrix.repo>
                         tags:
                           - windows-ltsc2022-amd64
-                        caching: true
+                        caching: false
                         dockerfile: docker/<+matrix.repo>/Dockerfile.windows.amd64.ltsc2022
                       when:
                         stageStatus: Success
@@ -425,7 +425,7 @@ pipeline:
                       spec: docker/<+matrix.repo>/manifest.tmpl
                   when:
                     stageStatus: Success
-                    condition: <+codebase.build.type> == "tag" || <+codebase.build.type> == "branch"
+                    condition: <+codebase.build.type> == "tag"
                   strategy:
                     matrix:
                       repo:
@@ -444,3 +444,4 @@ pipeline:
   identifier: dronedockerharness
   projectIdentifier: Drone_Plugins
   name: drone-docker-harness
+  allowStageExecutions: true

COSIGN_USAGE.md

@@ -0,0 +1,162 @@
+# Cosign Integration for Drone-Docker
+
+This document describes how to use the cosign container image signing feature in drone-docker.
+
+## Overview
+
+The drone-docker plugin now supports automatic container image signing using cosign after each successful push. This provides cryptographic verification that images haven't been tampered with.
+
+## Environment Variables
+
+The plugin accepts three cosign-related environment variables:
+
+### `PLUGIN_COSIGN_PRIVATE_KEY` (Required for signing)
+- **Description**: Private key for signing (PEM format content or file path)
+- **Format**: Either PEM content or file path to private key
+- **Usage**: Should be provided via secrets
+
+### `PLUGIN_COSIGN_PASSWORD` (Optional)
+- **Description**: Password for encrypted private keys
+- **Usage**: Only needed if your private key is password-protected
+
+### `PLUGIN_COSIGN_PARAMS` (Optional)
+- **Description**: Additional cosign parameters
+- **Examples**: 
+  - `-a build_id=123` (add annotations)
+  - `--tlog-upload=false` (disable transparency log)
+  - `--rekor-url=https://custom-rekor.example.com` (custom rekor instance)
+
+## Usage Examples
+
+### 1. Basic Signing (Drone)
+
+```yaml
+kind: pipeline
+type: docker
+name: default
+
+steps:
+- name: docker
+  image: plugins/docker
+  settings:
+    repo: myregistry/myapp
+    tags: latest
+    cosign_private_key:
+      from_secret: cosign_private_key
+    cosign_password:
+      from_secret: cosign_password
+```
+
+### 2. Advanced Signing with Annotations (Drone)
+
+```yaml
+steps:
+- name: docker
+  image: plugins/docker
+  settings:
+    repo: myregistry/myapp
+    tags: 
+      - latest
+      - ${DRONE_BUILD_NUMBER}
+    cosign_private_key:
+      from_secret: cosign_private_key
+    cosign_params: "-a build_id=${DRONE_BUILD_NUMBER} -a commit_sha=${DRONE_COMMIT_SHA} -a branch=${DRONE_BRANCH}"
+```
+
+### 3. Harness CI/CD Usage
+
+```yaml
+- step:
+    type: Plugin
+    name: Build and Sign
+    identifier: build_and_sign
+    spec:
+      connectorRef: account.harnessImage
+      image: plugins/docker
+      settings:
+        repo: myregistry/myapp
+        tags: <+pipeline.sequenceId>
+        cosign_private_key: <+secrets.getValue("cosign_private_key")>
+        cosign_password: <+secrets.getValue("cosign_password")>
+        cosign_params: "-a harness_build=<+pipeline.sequenceId> -a harness_project=<+project.name>"
+```
+
+## Key Management
+
+### Generating Cosign Keys
+
+```bash
+# Generate a new key pair
+cosign generate-key-pair
+
+# This creates:
+# - cosign.key (private key) 
+# - cosign.pub (public key)
+```
+
+### Storing Keys Securely
+**Harness Secrets:**
+1. Go to Project Settings → Secrets
+2. Create new secret with type "File" for private key
+3. Create new secret with type "Text" for password
+
+## Security Features
+
+### Automatic Validation
+- ✅ **Private key format validation**: Ensures PEM format is correct
+- ✅ **Password requirement detection**: Warns if encrypted key needs password
+- ✅ **Keyless signing prevention**: Warns that OIDC keyless signing isn't supported
+
+### Error Handling
+- **Invalid private key**: `❌ Invalid private key format. Expected PEM format`
+- **Missing password**: `🔐 Encrypted private key requires password. Set PLUGIN_COSIGN_PASSWORD`
+- **Keyless signing**: `⚠️ WARNING: Keyless signing (OIDC) isn't supported yet in this plugin`
+
+## Signing Behavior
+
+### When Signing Occurs
+- ✅ **After each successful push**: Images are signed immediately after push
+- ✅ **Multiple tags**: Each tag gets signed individually
+- ✅ **Push-only mode**: Works with existing images
+- ✅ **Dry-run respect**: Skips signing in dry-run mode
+
+### Image References
+- **Preferred**: Signs by digest (e.g., `image@sha256:abc123...`) for security
+- **Fallback**: Signs by tag if digest unavailable
+
+### Authentication
+- **Registry auth**: Automatically uses existing Docker registry credentials
+
+## Verification
+
+To verify a signed image:
+
+```bash
+# Verify with public key
+cosign verify --key cosign.pub myregistry/myapp:latest
+
+# Verify with annotations
+cosign verify --key cosign.pub \
+  -a build_id=123 \
+  myregistry/myapp:latest
+```
+
+## Troubleshooting
+
+### Common Issues
+
+1. **"cosign: command not found"**
+   - The container image includes cosign binary
+   - Use the latest plugin image: `plugins/docker:latest`
+
+2. **"keyless signing not supported"**
+   - This plugin only supports private key signing
+   - Don't use `--oidc` or `--identity-token` in `cosign_params`
+
+3. **"encrypted private key requires password"**
+   - Set `PLUGIN_COSIGN_PASSWORD` environment variable
+   - Or use an unencrypted private key
+
+4. **Registry authentication issues**
+   - Cosign uses the same Docker registry credentials
+   - Ensure Docker login is working first

cmd/drone-acr/main.go

@@ -20,6 +20,7 @@ import (
 	"github.com/sirupsen/logrus"
 
 	docker "github.com/drone-plugins/drone-docker"
+	azureutil "github.com/drone-plugins/drone-docker/internal/azure"
 )
 
 type subscriptionUrlResponse struct {
@@ -62,12 +63,14 @@ func main() {
 		password = getenv("SERVICE_PRINCIPAL_CLIENT_SECRET")
 
 		// Service principal credentials
-		clientId       = getenv("CLIENT_ID")
-		clientSecret   = getenv("CLIENT_SECRET")
-		clientCert     = getenv("CLIENT_CERTIFICATE")
-		tenantId       = getenv("TENANT_ID")
-		subscriptionId = getenv("SUBSCRIPTION_ID")
-		publicUrl      = getenv("DAEMON_REGISTRY")
+		clientId       = getenv("CLIENT_ID", "AZURE_CLIENT_ID", "AZURE_APP_ID", "PLUGIN_CLIENT_ID")
+		clientSecret   = getenv("CLIENT_SECRET", "PLUGIN_CLIENT_SECRET")
+		clientCert     = getenv("CLIENT_CERTIFICATE", "PLUGIN_CLIENT_CERTIFICATE")
+		tenantId       = getenv("TENANT_ID", "AZURE_TENANT_ID", "PLUGIN_TENANT_ID")
+		subscriptionId = getenv("SUBSCRIPTION_ID", "PLUGIN_SUBSCRIPTION_ID")
+		publicUrl      = getenv("DAEMON_REGISTRY", "PLUGIN_DAEMON_REGISTRY")
+		authorityHost  = getenv("AZURE_AUTHORITY_HOST", "PLUGIN_AZURE_AUTHORITY_HOST")
+		idToken        = getenv("PLUGIN_OIDC_TOKEN_ID")
 	)
 
 	// default registry value
@@ -80,9 +83,29 @@ func main() {
 		// docker login credentials are not provided
 		var err error
 		username = defaultUsername
-		password, publicUrl, err = getAuth(clientId, clientSecret, clientCert, tenantId, subscriptionId, registry)
-		if err != nil {
-			logrus.Fatal(err)
+		if idToken != "" && clientId != "" && tenantId != "" {
+			logrus.Debug("Using OIDC authentication flow")
+			var aadToken string
+			aadToken, err = azureutil.GetAADAccessTokenViaClientAssertion(context.Background(), tenantId, clientId, idToken, authorityHost)
+			if err != nil {
+				logrus.Fatal(err)
+			}
+			var p string
+			p, err = getPublicUrl(aadToken, registry, subscriptionId)
+			if err == nil {
+				publicUrl = p
+			} else {
+				fmt.Fprintf(os.Stderr, "failed to get public url with error: %s\n", err)
+			}
+			password, err = fetchACRToken(tenantId, aadToken, registry)
+			if err != nil {
+				logrus.Fatal(err)
+			}
+		} else {
+			password, publicUrl, err = getAuth(clientId, clientSecret, clientCert, tenantId, subscriptionId, registry)
+			if err != nil {
+				logrus.Fatal(err)
+			}
 		}
 	}
 

cmd/drone-acr/main_test.go

@@ -0,0 +1,32 @@
+package main
+
+import (
+    "os"
+    "testing"
+)
+
+func TestGetAuthInputValidation(t *testing.T) {
+    // missing tenant
+    if _, _, err := getAuth("client", "secret", "", "", "sub", "registry.azurecr.io"); err == nil {
+        t.Fatalf("expected error for missing tenantId")
+    }
+    // missing clientId
+    if _, _, err := getAuth("", "secret", "", "tenant", "sub", "registry.azurecr.io"); err == nil {
+        t.Fatalf("expected error for missing clientId")
+    }
+    // missing both secret and cert
+    if _, _, err := getAuth("client", "", "", "tenant", "sub", "registry.azurecr.io"); err == nil {
+        t.Fatalf("expected error for missing credentials")
+    }
+}
+
+func TestGetenvAuthorityHost(t *testing.T) {
+    os.Setenv("AZURE_AUTHORITY_HOST", "https://login.microsoftonline.us")
+    defer os.Unsetenv("AZURE_AUTHORITY_HOST")
+
+    got := getenv("AZURE_AUTHORITY_HOST")
+    if got != "https://login.microsoftonline.us" {
+        t.Fatalf("expected AZURE_AUTHORITY_HOST to be returned, got %q", got)
+    }
+}
+

cmd/drone-docker/main.go

@@ -323,6 +323,22 @@ func main() {
 			Usage:  "access token",
 			EnvVar: "ACCESS_TOKEN",
 		},
+		// Cosign signing configuration
+		cli.StringFlag{
+			Name:   "cosign.private-key",
+			Usage:  "cosign private key content or file path for signing",
+			EnvVar: "PLUGIN_COSIGN_PRIVATE_KEY",
+		},
+		cli.StringFlag{
+			Name:   "cosign.password",
+			Usage:  "password for encrypted cosign private key",
+			EnvVar: "PLUGIN_COSIGN_PASSWORD",
+		},
+		cli.StringFlag{
+			Name:   "cosign.params",
+			Usage:  "additional cosign parameters (e.g., annotations, flags)",
+			EnvVar: "PLUGIN_COSIGN_PARAMS",
+		},
 	}
 
 	if err := app.Run(os.Args); err != nil {
@@ -398,6 +414,11 @@ func run(c *cli.Context) error {
 		BaseImageRegistry: c.String("docker.baseimageregistry"),
 		BaseImageUsername: c.String("docker.baseimageusername"),
 		BaseImagePassword: c.String("docker.baseimagepassword"),
+		Cosign: docker.CosignConfig{
+			PrivateKey: c.String("cosign.private-key"),
+			Password:   c.String("cosign.password"),
+			Params:     c.String("cosign.params"),
+		},
 	}
 
 	if c.Bool("tags.auto") {

daemon.go

@@ -11,6 +11,7 @@ import (
 const dockerExe = "/usr/local/bin/docker"
 const dockerdExe = "/usr/local/bin/dockerd"
 const dockerHome = "/root/.docker/"
+const cosignExe = "/usr/local/bin/cosign"
 
 func (p Plugin) startDaemon() {
 	cmd := commandDaemon(p.Daemon)

daemon_win.go

@@ -1,3 +1,4 @@
+//go:build windows
 // +build windows
 
 package docker
@@ -5,6 +6,7 @@ package docker
 const dockerExe = "C:\\bin\\docker.exe"
 const dockerdExe = ""
 const dockerHome = "C:\\ProgramData\\docker\\"
+const cosignExe = "C:\\bin\\cosign.exe"
 
 func (p Plugin) startDaemon() {
 	// this is a no-op on windows

docker.go

@@ -76,18 +76,26 @@ type (
 		SSHKeyPath          string   // Docker build ssh key path
 	}
 
+	// CosignConfig defines Cosign signing parameters.
+	CosignConfig struct {
+		PrivateKey string // Private key content (PEM format) or file path
+		Password   string // Password for encrypted private keys
+		Params     string // Additional cosign parameters
+	}
+
 	// Plugin defines the Docker plugin parameters.
 	Plugin struct {
-		Login             Login  // Docker login configuration
-		Build             Build  // Docker build configuration
-		Daemon            Daemon // Docker daemon configuration
-		Dryrun            bool   // Docker push is skipped
-		Cleanup           bool   // Docker purge is enabled
-		CardPath          string // Card path to write file to
-		ArtifactFile      string // Artifact path to write file to
-		BaseImageRegistry string // Docker registry to pull base image
-		BaseImageUsername string // Docker registry username to pull base image
-		BaseImagePassword string // Docker registry password to pull base image
+		Login             Login        // Docker login configuration
+		Build             Build        // Docker build configuration
+		Daemon            Daemon       // Docker daemon configuration
+		Cosign            CosignConfig // Cosign signing configuration
+		Dryrun            bool         // Docker push is skipped
+		Cleanup           bool         // Docker purge is enabled
+		CardPath          string       // Card path to write file to
+		ArtifactFile      string       // Artifact path to write file to
+		BaseImageRegistry string       // Docker registry to pull base image
+		BaseImageUsername string       // Docker registry username to pull base image
+		BaseImagePassword string       // Docker registry password to pull base image
 	}
 
 	Card []struct {
@@ -193,6 +201,9 @@ func (p Plugin) Exec() error {
 			fmt.Println(out)
 			return fmt.Errorf("Error authenticating base connector: exit status 1")
 		}
+	} else {
+		fmt.Println("\033[33mTo ensure consistent and reliable pipeline execution, we recommend setting up a Base Image Connector.\033[0m\n" +
+			"\033[33mWhile optional at this time, configuring it helps prevent failures caused by Docker Hub's rate limits.\033[0m")
 	}
 
 	// login to the Docker registry
@@ -246,6 +257,14 @@ func (p Plugin) Exec() error {
 
 	cmds = append(cmds, commandBuild(p.Build)) // docker build
 
+	// Validate cosign configuration if present
+	if p.shouldSignWithCosign() {
+		if err := validateCosignConfig(p.Cosign); err != nil {
+			return fmt.Errorf("cosign validation failed: %w", err)
+		}
+		fmt.Println("🔐 Cosign signing enabled - images will be signed after push")
+	}
+
 	for _, tag := range p.Build.Tags {
 		cmds = append(cmds, commandTag(p.Build, tag)) // docker tag
 
@@ -287,6 +306,31 @@ func (p Plugin) Exec() error {
 		}
 	}
 
+	// Handle cosign signing after all commands complete (like artifact generation)
+	if p.shouldSignWithCosign() && !p.Dryrun {
+		// Set up environment variables for cosign
+		os.Setenv("COSIGN_YES", "true")
+
+		if digest, err := getDigest(p.Build.TempTag); err == nil {
+			fmt.Printf("🔐 Found image digest: %s\n", digest)
+			
+			// Sign with digest reference
+			imageRef := fmt.Sprintf("%s@%s", p.Build.Repo, digest)
+			cosignCmd := createCosignCommand(imageRef, p.Cosign)
+			executeCosignCommand(cosignCmd)
+		} else {
+			fmt.Printf("⚠️  WARNING: Could not get image digest for cosign signing: %s\n", err)
+			fmt.Printf("   Falling back to tag-based signing\n")
+			
+			// Fall back to tag-based signing for each tag
+			for _, tag := range p.Build.Tags {
+				imageRef := fmt.Sprintf("%s:%s", p.Build.Repo, tag)
+				cosignCmd := createCosignCommand(imageRef, p.Cosign)
+				executeCosignCommand(cosignCmd)
+			}
+		}
+	}
+
 	// execute cleanup routines in batch mode
 	if p.Cleanup {
 		// clear the slice
@@ -642,6 +686,11 @@ func isCommandRmi(args []string) bool {
 	return len(args) > 2 && args[1] == "rmi"
 }
 
+// helper to check if args match "cosign sign"
+func isCommandCosign(args []string) bool {
+	return len(args) > 1 && args[0] == cosignExe
+}
+
 func commandRmi(tag string) *exec.Cmd {
 	return exec.Command(dockerExe, "rmi", tag)
 }
@@ -678,7 +727,7 @@ func GetDroneDockerExecCmd() string {
 }
 
 func getDigest(buildName string) (string, error) {
-	cmd := exec.Command("docker", "inspect", "--format='{{index .RepoDigests 0}}'", buildName)
+	cmd := exec.Command(dockerExe, "inspect", "--format='{{index .RepoDigests 0}}'", buildName)
 	output, err := cmd.Output()
 	if err != nil {
 		return "", err
@@ -692,3 +741,108 @@ func getDigest(buildName string) (string, error) {
 	}
 	return "", errors.New("unable to fetch digest")
 }
+
+// shouldSignWithCosign determines if cosign signing should be performed
+func (p Plugin) shouldSignWithCosign() bool {
+	return p.Cosign.PrivateKey != ""
+}
+
+// validateCosignConfig validates the cosign configuration
+func validateCosignConfig(config CosignConfig) error {
+	if config.PrivateKey == "" {
+		return nil // No cosign config, skip silently
+	}
+
+	// Check if cosign binary is available
+	if _, err := exec.LookPath(cosignExe); err != nil {
+		fmt.Printf("❌ ERROR: cosign binary not found at %s\n", cosignExe)
+		fmt.Println("   Ensure you're using a plugin image that includes cosign")
+		return fmt.Errorf("cosign binary not available: %w", err)
+	}
+
+	// Check if it's trying to use keyless signing
+	if strings.Contains(config.Params, "--oidc") ||
+		strings.Contains(config.Params, "--identity-token") {
+		fmt.Println("⚠️  WARNING: Keyless signing (OIDC) isn't supported yet in this plugin. Use private key signing instead.")
+		return errors.New("keyless signing not supported")
+	}
+
+	// Validate private key format if it's PEM content
+	if strings.HasPrefix(config.PrivateKey, "-----BEGIN") {
+		if !isValidPEMKey(config.PrivateKey) {
+			return errors.New("❌ Invalid private key format. Expected PEM format")
+		}
+
+		// Check encrypted key password requirement
+		if isEncryptedPEMKey(config.PrivateKey) && config.Password == "" {
+			return errors.New("🔐 Encrypted private key requires password. Set PLUGIN_COSIGN_PASSWORD")
+		}
+
+	} else {
+		// File-based key - check if it's accessible (basic check)
+		if _, err := os.Stat(config.PrivateKey); err != nil {
+			fmt.Printf("⚠️  WARNING: Private key file may not be accessible: %s\n", config.PrivateKey)
+			fmt.Println("   This will be verified during signing")
+		}
+	}
+
+	return nil
+}
+
+// isEncryptedPEMKey checks if a PEM key is encrypted
+func isEncryptedPEMKey(pemContent string) bool {
+	return strings.Contains(pemContent, "ENCRYPTED")
+}
+
+// isValidPEMKey performs basic PEM format validation
+func isValidPEMKey(pemContent string) bool {
+	return strings.Contains(pemContent, "-----BEGIN") &&
+		strings.Contains(pemContent, "-----END") &&
+		(strings.Contains(pemContent, "PRIVATE KEY") ||
+			strings.Contains(pemContent, "RSA PRIVATE KEY") ||
+			strings.Contains(pemContent, "EC PRIVATE KEY"))
+}
+
+// createCosignCommand creates a cosign sign command with the given image reference
+func createCosignCommand(imageRef string, cosign CosignConfig) *exec.Cmd {
+	args := []string{"sign", "--yes"}
+	
+	// Handle private key (content vs file path)
+	if strings.HasPrefix(cosign.PrivateKey, "-----BEGIN") {
+		args = append(args, "--key", "env://COSIGN_PRIVATE_KEY")
+		os.Setenv("COSIGN_PRIVATE_KEY", cosign.PrivateKey)
+	} else {
+		args = append(args, "--key", cosign.PrivateKey)
+	}
+	
+	// Set password if provided
+	if cosign.Password != "" {
+		os.Setenv("COSIGN_PASSWORD", cosign.Password)
+	}
+	
+	// Add any extra parameters
+	if cosign.Params != "" {
+		extraArgs := strings.Fields(cosign.Params)
+		args = append(args, extraArgs...)
+	}
+	
+	// Add the image reference to sign
+	args = append(args, imageRef)
+	
+	return exec.Command(cosignExe, args...)
+}
+
+// executeCosignCommand executes the given cosign command and handles errors
+func executeCosignCommand(cmd *exec.Cmd) {
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+	fmt.Printf("🚀 Executing: %s %s\n", cmd.Path, strings.Join(cmd.Args[1:], " "))
+	
+	if err := cmd.Run(); err != nil {
+		fmt.Printf("⚠️  WARNING: Image signing failed: %s\n", err)
+		fmt.Printf("   Image was pushed successfully but could not be signed\n")
+		fmt.Printf("   This is not fatal - continuing with the build\n")
+	}
+}
+
+

docker/docker/Dockerfile.linux.amd64

@@ -1,6 +1,10 @@
-FROM docker:20.10.14-dind
+FROM docker:28.1.1-dind
 
 ENV DOCKER_HOST=unix:///var/run/docker.sock
 
+# Install cosign for container image signing
+RUN wget -O /usr/local/bin/cosign https://github.com/sigstore/cosign/releases/download/v2.5.3/cosign-linux-amd64 \
+    && chmod +x /usr/local/bin/cosign
+
 ADD release/linux/amd64/drone-docker /bin/
 ENTRYPOINT ["/usr/local/bin/dockerd-entrypoint.sh", "/bin/drone-docker"]

docker/docker/Dockerfile.linux.arm64

@@ -1,6 +1,10 @@
-FROM arm64v8/docker:20.10.14-dind
+FROM arm64v8/docker:28.1.1-dind
 
 ENV DOCKER_HOST=unix:///var/run/docker.sock
 
+# Install cosign for container image signing
+RUN wget -O /usr/local/bin/cosign https://github.com/sigstore/cosign/releases/download/v2.5.3/cosign-linux-arm64 \
+    && chmod +x /usr/local/bin/cosign
+
 ADD release/linux/arm64/drone-docker /bin/
 ENTRYPOINT ["/usr/local/bin/dockerd-entrypoint.sh", "/bin/drone-docker"]

docker/docker/Dockerfile.windows.amd64.1809

@@ -24,6 +24,10 @@ LABEL maintainer="Drone.IO Community <drone-dev@googlegroups.com>" `
   org.label-schema.schema-version="1.0"
 
 RUN mkdir C:\bin
+
+# Install cosign for container image signing
+ADD https://github.com/sigstore/cosign/releases/download/v2.5.3/cosign-windows-amd64.exe C:/bin/cosign.exe
+
 COPY --from=download /windows/system32/netapi32.dll /windows/system32/netapi32.dll
 COPY --from=download /app/docker.exe C:/bin/docker.exe
 ADD release/windows/amd64/drone-docker.exe C:/bin/drone-docker.exe

docker/docker/Dockerfile.windows.amd64.ltsc2022

@@ -22,6 +22,10 @@ LABEL maintainer="Drone.IO Community <drone-dev@googlegroups.com>" `
   org.label-schema.schema-version="1.0"
 
 RUN mkdir C:\bin
+
+# Install cosign for container image signing
+ADD https://github.com/sigstore/cosign/releases/download/v2.5.3/cosign-windows-amd64.exe C:/bin/cosign.exe
+
 COPY --from=download /windows/system32/netapi32.dll /windows/system32/netapi32.dll
 COPY --from=download /app/docker.exe C:/bin/docker.exe
 ADD release/windows/amd64/drone-docker.exe C:/bin/drone-docker.exe

go.mod

@@ -14,13 +14,12 @@ require (
 	github.com/sirupsen/logrus v1.9.0
 	github.com/stretchr/testify v1.10.0
 	github.com/urfave/cli v1.22.2
-	golang.org/x/oauth2 v0.13.0
+	golang.org/x/oauth2 v0.27.0
 	google.golang.org/api v0.146.0
 )
 
 require (
-	cloud.google.com/go/compute v1.23.1 // indirect
-	cloud.google.com/go/compute/metadata v0.2.3 // indirect
+	cloud.google.com/go/compute/metadata v0.3.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
@@ -42,7 +41,6 @@ require (
 	golang.org/x/net v0.37.0 // indirect
 	golang.org/x/sys v0.31.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
-	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20231016165738-49dd2c1f3d0b // indirect
 	google.golang.org/grpc v1.59.0 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect

go.sum

@@ -1,8 +1,6 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go/compute v1.23.1 h1:V97tBoDaZHb6leicZ1G6DLK2BAaZLJ/7+9BB/En3hR0=
-cloud.google.com/go/compute v1.23.1/go.mod h1:CqB3xpmPKKt3OJpW2ndFIXnA9A4xAy/F3Xp1ixncW78=
-cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
-cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
+cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc=
+cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
 github.com/99designs/httpsignatures-go v0.0.0-20170731043157-88528bf4ca7e/go.mod h1:Xa6lInWHNQnuWoF0YPSsx+INFA9qk7/7pTjwb3PInkY=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.1 h1:DSDNVxqkoXJiko6x8a90zidoYqnYYa6c1MTzDKzKkTo=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.1/go.mod h1:zGqV2R4Cr/k8Uye5w+dgQ06WJtEcbQG/8J7BB6hnCr4=
@@ -61,7 +59,6 @@ github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvq
 github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
@@ -124,57 +121,42 @@ github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOf
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/urfave/cli v1.22.2 h1:gsqYFH8bb9ekPA12kRo0hfjngWQjkJPlN9R0N78BoUo=
 github.com/urfave/cli v1.22.2/go.mod h1:Gos4lmkARVdJ6EkW0WaNv/tZAAMe9V7XWyB60NtXRu0=
-github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
 golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
-golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
 golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.13.0 h1:jDDenyj+WgFtmV3zYVoi8aE2BwtXFLWOA67ZfNWftiY=
-golang.org/x/oauth2 v0.13.0/go.mod h1:/JMhi4ZRXAf4HG9LiNmxvk+45+96RUlVThiH8FzNBn0=
+golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
+golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
 golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
 golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
-golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
 golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -182,16 +164,11 @@ golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGm
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
-golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/api v0.146.0 h1:9aBYT4vQXt9dhCuLNfwfd3zpwu8atg0yPkjBymwSrOM=
 google.golang.org/api v0.146.0/go.mod h1:OARJqIfoYjXJj4C1AiBSXYZt03qsoz8FQYU6fBEfrHM=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
-google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
-google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=

internal/azure/tokenutil.go

@@ -0,0 +1,75 @@
+package azure
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+)
+
+const DefaultResource = "https://management.azure.com/"
+const defaultAuthorityHost = "https://login.microsoftonline.com"
+const defaultHTTPTimeout = 30 * time.Second
+
+// GetAADAccessTokenViaClientAssertion exchanges an external OIDC ID token for an Azure AD access token
+
+func GetAADAccessTokenViaClientAssertion(ctx context.Context, tenantID, clientID, oidcToken, authorityHost string) (string, error) {
+    resource := DefaultResource
+
+	form := url.Values{
+		"client_id":             {clientID},
+		"scope":                 {resource + ".default"},
+		"grant_type":            {"client_credentials"},
+		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
+		"client_assertion":      {oidcToken},
+	}
+
+	base := authorityHost
+	if strings.TrimSpace(base) == "" {
+		base = defaultAuthorityHost
+	}
+	base = strings.TrimRight(base, "/")
+	endpoint := fmt.Sprintf("%s/%s/oauth2/v2.0/token", base, tenantID)
+
+	client := &http.Client{Timeout: defaultHTTPTimeout}
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint, strings.NewReader(form.Encode()))
+	if err != nil {
+		return "", err
+	}
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.Header.Set("Accept", "application/json")
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		var aadErr struct {
+			Error            string `json:"error"`
+			ErrorDescription string `json:"error_description"`
+		}
+		limited := io.LimitedReader{R: resp.Body, N: 4096}
+		_ = json.NewDecoder(&limited).Decode(&aadErr)
+		if aadErr.Error != "" {
+			return "", fmt.Errorf("AAD token request failed: status=%d, error=%s", resp.StatusCode, aadErr.Error)
+		}
+		return "", fmt.Errorf("AAD token request failed: status=%d", resp.StatusCode)
+	}
+	var payload struct {
+		AccessToken string `json:"access_token"`
+		TokenType   string `json:"token_type"`
+		ExpiresIn   int    `json:"expires_in"`
+	}
+	if err := json.NewDecoder(resp.Body).Decode(&payload); err != nil {
+		return "", err
+	}
+	if payload.AccessToken == "" {
+		return "", fmt.Errorf("AAD token response missing access_token")
+	}
+	return payload.AccessToken, nil
+}

internal/azure/tokenutil_test.go

@@ -0,0 +1,104 @@
+package azure
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+)
+
+func TestGetAADAccessTokenViaClientAssertion_Success(t *testing.T) {
+
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != http.MethodPost {
+			t.Fatalf("expected POST, got %s", r.Method)
+		}
+		if ct := r.Header.Get("Content-Type"); !strings.Contains(ct, "application/x-www-form-urlencoded") {
+			t.Fatalf("expected form content-type, got %s", ct)
+		}
+		if err := r.ParseForm(); err != nil {
+			t.Fatalf("failed parsing form: %v", err)
+		}
+		assertEq(t, r.Form.Get("client_id"), "client")
+		assertEq(t, r.Form.Get("grant_type"), "client_credentials")
+		assertEq(t, r.Form.Get("client_assertion_type"), "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
+		assertEq(t, r.Form.Get("client_assertion"), "idtoken")
+		assertEq(t, r.Form.Get("scope"), DefaultResource+".default")
+
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write([]byte(`{"access_token":"AT","token_type":"Bearer","expires_in":3600}`))
+	}))
+	defer ts.Close()
+
+	tok, err := GetAADAccessTokenViaClientAssertion(context.Background(), "tenant", "client", "idtoken", ts.URL)
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if tok != "AT" {
+		t.Fatalf("expected access token AT, got %q", tok)
+	}
+}
+
+func TestGetAADAccessTokenViaClientAssertion_400WithErrorField(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusBadRequest)
+		_, _ = w.Write([]byte(`{"error":"invalid_client","error_description":"bad"}`))
+	}))
+	defer ts.Close()
+
+	_, err := GetAADAccessTokenViaClientAssertion(context.Background(), "tenant", "client", "idtoken", ts.URL)
+	if err == nil || !strings.Contains(err.Error(), "status=400") || !strings.Contains(err.Error(), "invalid_client") {
+		t.Fatalf("expected 400 with invalid_client error, got %v", err)
+	}
+}
+
+func TestGetAADAccessTokenViaClientAssertion_400WithoutErrorField(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusBadRequest)
+		_, _ = w.Write([]byte("{}"))
+	}))
+	defer ts.Close()
+
+	_, err := GetAADAccessTokenViaClientAssertion(context.Background(), "tenant", "client", "idtoken", ts.URL)
+	if err == nil || !strings.Contains(err.Error(), "status=400") {
+		t.Fatalf("expected 400 error, got %v", err)
+	}
+}
+
+func TestGetAADAccessTokenViaClientAssertion_MalformedJSON(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write([]byte("not-json"))
+	}))
+	defer ts.Close()
+
+	_, err := GetAADAccessTokenViaClientAssertion(context.Background(), "tenant", "client", "idtoken", ts.URL)
+	if err == nil {
+		t.Fatalf("expected JSON decode error, got nil")
+	}
+}
+
+func TestGetAADAccessTokenViaClientAssertion_MissingAccessToken(t *testing.T) {
+	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusOK)
+		_, _ = w.Write([]byte(`{"token_type":"Bearer","expires_in":3600}`))
+	}))
+	defer ts.Close()
+
+	_, err := GetAADAccessTokenViaClientAssertion(context.Background(), "tenant", "client", "idtoken", ts.URL)
+	if err == nil || !strings.Contains(err.Error(), "missing access_token") {
+		t.Fatalf("expected missing access_token error, got %v", err)
+	}
+}
+
+func assertEq(t *testing.T, got, want string) {
+	t.Helper()
+	if got != want {
+		t.Fatalf("mismatch: got=%q want=%q", got, want)
+	}
+}
+