chore: use user token for attestation commands #1900

Merged
merged 5 commits into from
Mar 13, 2025

@jiparis (Member) commented Mar 13, 2025

This is a follow-up to #1003 to pass the user token to the attestation commands if the API token hasn't been provided via env var or command line.
I've also removed the duplicated `--token` flag.

The affected commands (attestations) will now prompt the user to confirm the operation, since it will be performed against the "current" organization, which might vary depending on the `chainloop org set` command. The confirmation can be bypassed with the `-y` or `--yes` flag.

Without CHAINLOOP_TOKEN:

```
✗ go run app/cli/main.go att init --workflow mywf --project myproject --replace
WRN API contacted in insecure mode
This command is will run against the organization "my-org"
Please confirm to continue y/N
n
ERR command canceled by user
✗ go run app/cli/main.go att init --workflow mywf --project myproject --replace -y
WRN API contacted in insecure mode
INF Attestation initialized! now you can check its status or add materials to it
┌───────────────────────────┬──────────────────────────────────────┐
│ Initialized At            │ 13 Mar 25 17:55 UTC                  │
├───────────────────────────┼──────────────────────────────────────┤
│ Attestation ID            │ 594dfd11-4aa6-40f2-9539-2903990afea6 │
│ Organization              │ my-org                               │
│ Name                      │ mywf                                 │
│ Project                   │ myproject                            │
│ Version                   │ v0.181.0 (prerelease)                │
│ Contract                  │ myproject-mywf (revision 95)         │
│ Policy violation strategy │ ADVISORY                             │
│ Policies                  │ ------                               │
│                           │ source-commit: Ok                    │
│                           │ sbom-present: missing SBOM material  │
└───────────────────────────┴──────────────────────────────────────┘
```

With CHAINLOOP_TOKEN (no warning is raised):

```
> export CHAINLOOP_TOKEN=xxxxxxxxx
> go run app/cli/main.go att init --workflow mywf --project myproject --replace
WRN API contacted in insecure mode
INF Attestation initialized! now you can check its status or add materials to it
┌───────────────────────────┬──────────────────────────────────────┐
│ Initialized At            │ 13 Mar 25 17:58 UTC                  │
├───────────────────────────┼──────────────────────────────────────┤
│ Attestation ID            │ 4b6bed22-401a-41fe-ad0b-a4013babb36f │
│ Organization              │ my-org                               │
│ Name                      │ mywf                                 │
│ Project                   │ myproject                            │
│ Version                   │ v0.181.0 (prerelease)                │
│ Contract                  │ myproject-mywf (revision 95)         │
│ Policy violation strategy │ ADVISORY                             │
│ Policies                  │ ------                               │
│                           │ source-commit: Ok                    │
│                           │ sbom-present: missing SBOM material  │
└───────────────────────────┴──────────────────────────────────────┘
```

For the rest of the commands, the behaviour is as expected:

```
> cl wf contract ls
WRN API contacted in insecure mode
WRN Both user credentials and $CHAINLOOP_TOKEN set. Ignoring $CHAINLOOP_TOKEN.
┌───────────────────┬─────────────────┬─────────────────────┬─────────────┐
│ NAME              │ LATEST REVISION │ CREATED AT          │ # WORKFLOWS │
├───────────────────┼─────────────────┼─────────────────────┼─────────────┤
│ default-contract  │               1 │ 17 Dec 24 22:08 UTC │           0 │
│ test-test         │               4 │ 04 Nov 24 12:39 UTC │           1 │
│ myproject-example │               1 │ 21 Oct 24 16:52 UTC │           1 │
│ myproj-mywf       │               1 │ 21 Oct 24 16:42 UTC │           1 │
│ myproject-mywf    │              95 │ 29 Aug 24 17:19 UTC │           1 │
│ test3             │               1 │ 29 Aug 24 17:18 UTC │           0 │
└───────────────────┴─────────────────┴─────────────────────┴─────────────┘
```

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis jiparis requested review from migmartri and javirln March 13, 2025 15:53
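
The credential precedence described in the PR text above, as an added example that is not taken from the Chainloop code base: `selectCredential`, `Credential` and `ErrCanceled` are hypothetical names, and treating end-of-input on stdin as a refusal (so an unattended job without an API token cannot attest into whatever organization happens to be current) is an assumption of this sketch.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrCanceled is a hypothetical sentinel for a declined confirmation.
var ErrCanceled = errors.New("command canceled by user")

// Credential records which token was chosen and where it came from.
type Credential struct {
	Token  string
	Source string // "api-token" or "user-token"
}

// selectCredential applies the precedence from the PR description: an explicit
// API token wins; otherwise the user token is used, but only after the operator
// confirms the organization the attestation will be recorded in (or passes -y).
func selectCredential(apiToken, userToken, currentOrg string, assumeYes bool, in io.Reader, out io.Writer) (Credential, error) {
	if apiToken != "" {
		return Credential{Token: apiToken, Source: "api-token"}, nil
	}
	if userToken == "" {
		return Credential{}, errors.New("no credentials available")
	}
	if !assumeYes {
		fmt.Fprintf(out, "This command will run against the organization %q\nPlease confirm to continue y/N\n", currentOrg)
		line, _ := bufio.NewReader(in).ReadString('\n')
		// Default deny: anything but an explicit yes, including EOF, cancels.
		if a := strings.ToLower(strings.TrimSpace(line)); a != "y" && a != "yes" {
			return Credential{}, ErrCanceled
		}
	}
	return Credential{Token: userToken, Source: "user-token"}, nil
}

func main() {
	// Constructed inputs: no API token, operator answers "n" at the prompt.
	cred, err := selectCredential("", "constructed-user-token", "my-org", false, strings.NewReader("n\n"), io.Discard)
	fmt.Println(cred.Source, err)
}
```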
}

// Use the API token if the command can use it and it's provided
if _, ok := cmd.Annotations[useAPIToken]; ok && attAPIToken != "" {
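
Review bot: the `attAPIToken != ""` test on the `if` line accepts any non-empty string, so a token value that is set but contains only whitespace still takes this branch and the user-token fallback is never reached; trim the value before comparing. It would also help to log at debug level which credential this branch picked, since the organization an attestation is recorded under depends on it.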

Review comment (Member):

I'd add a confirmation y/n saying that you are going to perform an attestation in org x

jiparis added 4 commits March 13, 2025 18:04
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
@jiparis jiparis merged commit d55d686 into chainloop-dev:main Mar 13, 2025
13 checks passed
@jiparis jiparis deleted the 1003-client branch March 13, 2025 18:14