Improve flag filename completions

Be more consistent across with extensions accepted/filtered, add some. Also, mark and comment out cases where there are no known typical filename extensions for flags taking filename arguments, to make it obvious that they have not been inadvertently omitted. Marking a flag as filename without specifying extensions is a no-op, and actually considered a bug per commentary in cobra sources: https://github.com/spf13/cobra/blob/41b26ec8bb59dfba580f722201bf371c4f5703dd/completions.go#L387-L390 Closes sigstore/community#538 Signed-off-by: Ville Skyttä <[email protected]>
sigstore · Feb 9, 2025 · b6ac9b3 · b6ac9b3
1 parent b43f6bc
commit b6ac9b3
Show file tree

Hide file tree

Showing 20 changed files with 104 additions and 40 deletions.
diff --git a/cmd/cosign/cli/options/attach.go b/cmd/cosign/cli/options/attach.go
@@ -80,7 +80,7 @@ func (o *AttachSBOMOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.SBOM, "sbom", "",
 		"path to the sbom, or {-} for stdin")
-	_ = cmd.Flags().SetAnnotation("sbom", cobra.BashCompFilenameExt, []string{})
+	_ = cmd.MarkFlagFilename("sbom", sbomExts...)
 
 	cmd.Flags().StringVar(&o.SBOMType, "type", "spdx",
 		"type of sbom (spdx|cyclonedx|syft)")

diff --git a/cmd/cosign/cli/options/attest.go b/cmd/cosign/cli/options/attest.go
@@ -54,18 +54,18 @@ func (o *AttestOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.Key, "key", "",
 		"path to the private key file, KMS URI or Kubernetes Secret")
-	_ = cmd.MarkFlagFilename("key", "key")
+	_ = cmd.MarkFlagFilename("key", privateKeyExts...)
 
 	cmd.Flags().StringVar(&o.Cert, "certificate", "",
 		"path to the X.509 certificate in PEM format to include in the OCI Signature")
-	_ = cmd.MarkFlagFilename("certificate", "cert")
+	_ = cmd.MarkFlagFilename("certificate", certificateExts...)
 
 	cmd.Flags().StringVar(&o.CertChain, "certificate-chain", "",
 		"path to a list of CA X.509 certificates in PEM format which will be needed "+
 			"when building the certificate chain for the signing certificate. "+
 			"Must start with the parent intermediate CA certificate of the "+
 			"signing certificate and end with the root certificate. Included in the OCI Signature")
-	_ = cmd.MarkFlagFilename("certificate-chain", "cert")
+	_ = cmd.MarkFlagFilename("certificate-chain", certificateExts...)
 
 	cmd.Flags().BoolVar(&o.NoUpload, "no-upload", false,
 		"do not upload the generated attestation")

diff --git a/cmd/cosign/cli/options/attest_blob.go b/cmd/cosign/cli/options/attest_blob.go
@@ -58,33 +58,34 @@ func (o *AttestBlobOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.Key, "key", "",
 		"path to the private key file, KMS URI or Kubernetes Secret")
-	_ = cmd.MarkFlagFilename("key", "key")
+	_ = cmd.MarkFlagFilename("key", privateKeyExts...)
 
 	cmd.Flags().StringVar(&o.Cert, "certificate", "",
 		"path to the X.509 certificate in PEM format to include in the OCI Signature")
-	_ = cmd.MarkFlagFilename("certificate", "cert")
+	_ = cmd.MarkFlagFilename("certificate", certificateExts...)
 
 	cmd.Flags().StringVar(&o.CertChain, "certificate-chain", "",
 		"path to a list of CA X.509 certificates in PEM format which will be needed "+
 			"when building the certificate chain for the signing certificate. "+
 			"Must start with the parent intermediate CA certificate of the "+
 			"signing certificate and end with the root certificate. Included in the OCI Signature")
-	_ = cmd.MarkFlagFilename("certificate-chain", "cert")
+	_ = cmd.MarkFlagFilename("certificate-chain", certificateExts...)
 
 	cmd.Flags().StringVar(&o.OutputSignature, "output-signature", "",
 		"write the signature to FILE")
-	_ = cmd.MarkFlagFilename("output-signature")
+	_ = cmd.MarkFlagFilename("output-signature", signatureExts...)
 
 	cmd.Flags().StringVar(&o.OutputAttestation, "output-attestation", "",
 		"write the attestation to FILE")
+	// _ = cmd.MarkFlagFilename("output-attestation") // no typical extensions
 
 	cmd.Flags().StringVar(&o.OutputCertificate, "output-certificate", "",
 		"write the certificate to FILE")
-	_ = cmd.MarkFlagFilename("key")
+	_ = cmd.MarkFlagFilename("key", certificateExts...)
 
 	cmd.Flags().StringVar(&o.BundlePath, "bundle", "",
 		"write everything required to verify the blob to a FILE")
-	_ = cmd.MarkFlagFilename("bundle")
+	_ = cmd.MarkFlagFilename("bundle", bundleExts...)
 
 	// TODO: have this default to true as a breaking change
 	cmd.Flags().BoolVar(&o.NewBundleFormat, "new-bundle-format", false,
@@ -107,5 +108,5 @@ func (o *AttestBlobOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.RFC3161TimestampPath, "rfc3161-timestamp-bundle", "",
 		"path to an RFC 3161 timestamp bundle FILE")
-	_ = cmd.MarkFlagFilename("rfc3161-timestamp-bundle")
+	// _ = cmd.MarkFlagFilename("rfc3161-timestamp-bundle") // no typical extensions
 }
diff --git a/cmd/cosign/cli/options/bundle.go b/cmd/cosign/cli/options/bundle.go
@@ -39,33 +39,41 @@ var _ Interface = (*BundleCreateOptions)(nil)
 func (o *BundleCreateOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.Artifact, "artifact", "",
 		"path to artifact FILE")
+	// _ = cmd.MarkFlagFilename("artifact") // no typical extensions
 
 	cmd.Flags().StringVar(&o.AttestationPath, "attestation", "",
 		"path to attestation FILE")
+	// _ = cmd.MarkFlagFilename("attestation") // no typical extensions
 
 	cmd.Flags().StringVar(&o.BundlePath, "bundle", "",
 		"path to old format bundle FILE")
+	_ = cmd.MarkFlagFilename("bundle", bundleExts...)
 
 	cmd.Flags().StringVar(&o.CertificatePath, "certificate", "",
 		"path to the signing certificate, likely from Fulco.")
+	_ = cmd.MarkFlagFilename("certificate", certificateExts...)
 
 	cmd.Flags().BoolVar(&o.IgnoreTlog, "ignore-tlog", false,
 		"ignore transparency log verification, to be used when an artifact "+
 			"signature has not been uploaded to the transparency log.")
 
 	cmd.Flags().StringVar(&o.KeyRef, "key", "",
 		"path to the public key file, KMS URI or Kubernetes Secret")
+	_ = cmd.MarkFlagFilename("key", publicKeyExts...)
 
 	cmd.Flags().StringVar(&o.Out, "out", "", "path to output bundle")
+	_ = cmd.MarkFlagFilename("out", bundleExts...)
 
 	cmd.Flags().StringVar(&o.RekorURL, "rekor-url", "https://rekor.sigstore.dev",
 		"address of rekor STL server")
 
 	cmd.Flags().StringVar(&o.RFC3161TimestampPath, "rfc3161-timestamp", "",
 		"path to RFC3161 timestamp FILE")
+	// _ = cmd.MarkFlagFilename("rfc3161-timestamp") // no typical extensions
 
 	cmd.Flags().StringVar(&o.SignaturePath, "signature", "",
 		"path to base64-encoded signature over attestation in DSSE format")
+	_ = cmd.MarkFlagFilename("signature", signatureExts...)
 
 	cmd.Flags().BoolVar(&o.Sk, "sk", false,
 		"whether to use a hardware security key")

diff --git a/cmd/cosign/cli/options/certificate.go b/cmd/cosign/cli/options/certificate.go
@@ -46,7 +46,7 @@ var _ Interface = (*RekorOptions)(nil)
 func (o *CertVerifyOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.Cert, "certificate", "",
 		"path to the public certificate. The certificate will be verified against the Fulcio roots if the --certificate-chain option is not passed.")
-	_ = cmd.MarkFlagFilename("certificate", "cert")
+	_ = cmd.MarkFlagFilename("certificate", certificateExts...)
 
 	cmd.Flags().StringVar(&o.CertIdentity, "certificate-identity", "",
 		"The identity expected in a valid Fulcio certificate. Valid values include email address, DNS names, IP addresses, and URIs. Either --certificate-identity or --certificate-identity-regexp must be set for keyless flows.")
@@ -82,24 +82,25 @@ func (o *CertVerifyOptions) AddFlags(cmd *cobra.Command) {
 			"when building the certificate chains for the signing certificate. "+
 			"The flag is optional and must be used together with --ca-roots, conflicts with "+
 			"--certificate-chain.")
-	_ = cmd.MarkFlagFilename("ca-intermediates", "cert")
+	_ = cmd.MarkFlagFilename("ca-intermediates", certificateExts...)
 	cmd.Flags().StringVar(&o.CARoots, "ca-roots", "",
 		"path to a bundle file of CA certificates in PEM format which will be needed "+
 			"when building the certificate chains for the signing certificate. Conflicts with --certificate-chain.")
-	_ = cmd.MarkFlagFilename("ca-roots", "cert")
+	_ = cmd.MarkFlagFilename("ca-roots", certificateExts...)
 
 	cmd.Flags().StringVar(&o.CertChain, "certificate-chain", "",
 		"path to a list of CA certificates in PEM format which will be needed "+
 			"when building the certificate chain for the signing certificate. "+
 			"Must start with the parent intermediate CA certificate of the "+
 			"signing certificate and end with the root certificate. Conflicts with --ca-roots and --ca-intermediates.")
-	_ = cmd.MarkFlagFilename("certificate-chain", "cert")
+	_ = cmd.MarkFlagFilename("certificate-chain", certificateExts...)
 	cmd.MarkFlagsMutuallyExclusive("ca-roots", "certificate-chain")
 	cmd.MarkFlagsMutuallyExclusive("ca-intermediates", "certificate-chain")
 
 	cmd.Flags().StringVar(&o.SCT, "sct", "",
 		"path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. "+
 			"If a certificate contains an SCT, verification will check both the detached and embedded SCTs.")
+	// _ = cmd.MarkFlagFilename("sct") // no typical extensions
 	cmd.Flags().BoolVar(&o.IgnoreSCT, "insecure-ignore-sct", false,
 		"when set, verification will not check that a certificate contains an embedded SCT, a proof of "+
 			"inclusion in a certificate transparency log")

diff --git a/cmd/cosign/cli/options/files.go b/cmd/cosign/cli/options/files.go
@@ -54,5 +54,5 @@ func (o *FilesOptions) String() string {
 func (o *FilesOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringSliceVarP(&o.Files, "files", "f", nil,
 		"<filepath>:[platform/arch]")
-	_ = cmd.MarkFlagFilename("files")
+	// _ = cmd.MarkFlagFilename("files") // no typical extensions
 }
diff --git a/cmd/cosign/cli/options/fulcio.go b/cmd/cosign/cli/options/fulcio.go
@@ -39,6 +39,7 @@ func (o *FulcioOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.IdentityToken, "identity-token", "",
 		"identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted.")
+	// _ = cmd.MarkFlagFilename("identity-token") // no typical extensions
 
 	cmd.Flags().StringVar(&o.AuthFlow, "fulcio-auth-flow", "",
 		"fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. (options) normal|device|token|client_credentials")

diff --git a/cmd/cosign/cli/options/import_key_pair.go b/cmd/cosign/cli/options/import_key_pair.go
@@ -36,11 +36,11 @@ var _ Interface = (*ImportKeyPairOptions)(nil)
 func (o *ImportKeyPairOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVarP(&o.Key, "key", "k", "",
 		"import key pair to use for signing")
-	_ = cmd.MarkFlagFilename("key")
+	_ = cmd.MarkFlagFilename("key", privateKeyExts...)
 
 	cmd.Flags().StringVarP(&o.OutputKeyPrefix, "output-key-prefix", "o", "import-cosign",
 		"name used for outputted key pairs")
-	_ = cmd.MarkFlagFilename("output-key-prefix")
+	// _ = cmd.MarkFlagFilename("output-key-prefix") // no typical extensions
 
 	cmd.Flags().BoolVarP(&o.SkipConfirmation, "yes", "y", false,
 		"skip confirmation prompts for overwriting existing key")

diff --git a/cmd/cosign/cli/options/oidc.go b/cmd/cosign/cli/options/oidc.go
@@ -64,7 +64,7 @@ func (o *OIDCOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.clientSecretFile, "oidc-client-secret-file", "",
 		"Path to file containing OIDC client secret for application")
-	_ = cmd.MarkFlagFilename("oidc-client-secret-file")
+	// _ = cmd.MarkFlagFilename("oidc-client-secret-file") // no typical extensions
 
 	cmd.Flags().StringVar(&o.RedirectURL, "oidc-redirect-url", "",
 		"OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.")

diff --git a/cmd/cosign/cli/options/options.go b/cmd/cosign/cli/options/options.go
@@ -21,3 +21,37 @@ type Interface interface {
 	// AddFlags adds this options' flags to the cobra command.
 	AddFlags(cmd *cobra.Command)
 }
+
+var bundleExts = []string{
+	"bundle",
+}
+var certificateExts = []string{
+	"cert",
+	"crt",
+	"pem",
+}
+var logExts = []string{
+	"log",
+}
+var moduleExts = []string{
+	"dll",
+	"dylib",
+	"so",
+}
+var privateKeyExts = []string{
+	"key",
+}
+var publicKeyExts = []string{
+	"pub",
+}
+var sbomExts = []string{
+	"json",
+	"xml",
+	"spdx",
+}
+var signatureExts = []string{
+	"sig",
+}
+var wasmExts = []string{
+	"wasm",
+}
diff --git a/cmd/cosign/cli/options/pkcs11_tool.go b/cmd/cosign/cli/options/pkcs11_tool.go
@@ -31,7 +31,7 @@ var _ Interface = (*PKCS11ToolListTokensOptions)(nil)
 func (o *PKCS11ToolListTokensOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.ModulePath, "module-path", env.Getenv(env.VariablePKCS11ModulePath),
 		"absolute path to the PKCS11 module")
-	_ = cmd.MarkFlagFilename("module-path")
+	_ = cmd.MarkFlagFilename("module-path", moduleExts...)
 }
 
 // PKCS11ToolListKeysUrisOptions is the wrapper for `pkcs11-tool list-keys-uris` related options.
@@ -47,7 +47,7 @@ var _ Interface = (*PKCS11ToolListKeysUrisOptions)(nil)
 func (o *PKCS11ToolListKeysUrisOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.ModulePath, "module-path", env.Getenv(env.VariablePKCS11ModulePath),
 		"absolute path to the PKCS11 module")
-	_ = cmd.MarkFlagFilename("module-path")
+	_ = cmd.MarkFlagFilename("module-path", moduleExts...)
 
 	cmd.Flags().UintVar(&o.SlotID, "slot-id", 0,
 		"id of the PKCS11 slot, uses 0 if empty")

diff --git a/cmd/cosign/cli/options/predicate.go b/cmd/cosign/cli/options/predicate.go
@@ -94,6 +94,7 @@ func (o *PredicateLocalOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.Path, "predicate", "",
 		"path to the predicate file.")
+	_ = cmd.MarkFlagFilename("predicate", sbomExts...)
 	_ = cmd.MarkFlagRequired("predicate")
 }
 

diff --git a/cmd/cosign/cli/options/public_key.go b/cmd/cosign/cli/options/public_key.go
@@ -34,9 +34,9 @@ func (o *PublicKeyOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.Key, "key", "",
 		"path to the private key file, KMS URI or Kubernetes Secret")
-	_ = cmd.MarkFlagFilename("key")
+	_ = cmd.MarkFlagFilename("key", privateKeyExts...)
 
 	cmd.Flags().StringVar(&o.OutFile, "outfile", "",
 		"path to a payload file to use rather than generating one")
-	_ = cmd.MarkFlagFilename("outfile")
+	_ = cmd.MarkFlagFilename("outfile", publicKeyExts...)
 }
diff --git a/cmd/cosign/cli/options/registry.go b/cmd/cosign/cli/options/registry.go
@@ -80,12 +80,15 @@ func (o *RegistryOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.RegistryCACert, "registry-cacert", "",
 		"path to the X.509 CA certificate file in PEM format to be used for the connection to the registry")
+	_ = cmd.MarkFlagFilename("registry-cacert", certificateExts...)
 
 	cmd.Flags().StringVar(&o.RegistryClientCert, "registry-client-cert", "",
 		"path to the X.509 certificate file in PEM format to be used for the connection to the registry")
+	_ = cmd.MarkFlagFilename("registry-client-cert", certificateExts...)
 
 	cmd.Flags().StringVar(&o.RegistryClientKey, "registry-client-key", "",
 		"path to the X.509 private key file in PEM format to be used, together with the 'registry-client-cert' value, for the connection to the registry")
+	_ = cmd.MarkFlagFilename("registry-client-key", privateKeyExts...)
 
 	cmd.Flags().StringVar(&o.RegistryServerName, "registry-server-name", "",
 		"SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the registry")

diff --git a/cmd/cosign/cli/options/root.go b/cmd/cosign/cli/options/root.go
@@ -44,7 +44,7 @@ var _ Interface = (*RootOptions)(nil)
 func (o *RootOptions) AddFlags(cmd *cobra.Command) {
 	cmd.PersistentFlags().StringVar(&o.OutputFile, "output-file", "",
 		"log output to a file")
-	_ = cmd.MarkFlagFilename("output-file")
+	_ = cmd.MarkFlagFilename("output-file", logExts...)
 
 	cmd.PersistentFlags().BoolVarP(&o.Verbose, "verbose", "d", false,
 		"log debug output")

diff --git a/cmd/cosign/cli/options/sign.go b/cmd/cosign/cli/options/sign.go
@@ -66,42 +66,43 @@ func (o *SignOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.Key, "key", "",
 		"path to the private key file, KMS URI or Kubernetes Secret")
-	_ = cmd.MarkFlagFilename("key")
+	_ = cmd.MarkFlagFilename("key", privateKeyExts...)
 
 	cmd.Flags().StringVar(&o.Cert, "certificate", "",
 		"path to the X.509 certificate in PEM format to include in the OCI Signature")
-	_ = cmd.MarkFlagFilename("certificate", "cert")
+	_ = cmd.MarkFlagFilename("certificate", certificateExts...)
 
 	cmd.Flags().StringVar(&o.CertChain, "certificate-chain", "",
 		"path to a list of CA X.509 certificates in PEM format which will be needed "+
 			"when building the certificate chain for the signing certificate. "+
 			"Must start with the parent intermediate CA certificate of the "+
 			"signing certificate and end with the root certificate. Included in the OCI Signature")
-	_ = cmd.MarkFlagFilename("certificate-chain", "cert")
+	_ = cmd.MarkFlagFilename("certificate-chain", certificateExts...)
 
 	cmd.Flags().BoolVar(&o.Upload, "upload", true,
 		"whether to upload the signature")
 
 	cmd.Flags().StringVar(&o.OutputSignature, "output-signature", "",
 		"write the signature to FILE")
-	_ = cmd.MarkFlagFilename("output-signature")
+	_ = cmd.MarkFlagFilename("output-signature", signatureExts...)
 	cmd.Flags().StringVar(&o.OutputPayload, "output-payload", "",
 		"write the signed payload to FILE")
-	_ = cmd.MarkFlagFilename("output-payload")
+	// _ = cmd.MarkFlagFilename("output-payload") // no typical extensions
 
 	cmd.Flags().StringVar(&o.OutputCertificate, "output-certificate", "",
 		"write the certificate to FILE")
-	_ = cmd.MarkFlagFilename("output-certificate")
+	_ = cmd.MarkFlagFilename("output-certificate", certificateExts...)
 
 	cmd.Flags().StringVar(&o.PayloadPath, "payload", "",
 		"path to a payload file to use rather than generating one")
-	_ = cmd.MarkFlagFilename("payload")
+	// _ = cmd.MarkFlagFilename("payload") // no typical extensions
 
 	cmd.Flags().BoolVarP(&o.Recursive, "recursive", "r", false,
 		"if a multi-arch image is specified, additionally sign each discrete image")
 
 	cmd.Flags().StringVar(&o.Attachment, "attachment", "",
 		"DEPRECATED, related image attachment to sign (sbom), default none")
+	_ = cmd.MarkFlagFilename("attachment", sbomExts...)
 
 	cmd.Flags().BoolVarP(&o.SkipConfirmation, "yes", "y", false,
 		"skip confirmation prompts for non-destructive operations")
@@ -111,20 +112,23 @@ func (o *SignOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.TSAClientCACert, "timestamp-client-cacert", "",
 		"path to the X.509 CA certificate file in PEM format to be used for the connection to the TSA Server")
+	_ = cmd.MarkFlagFilename("timestamp-client-cacert", certificateExts...)
 
 	cmd.Flags().StringVar(&o.TSAClientCert, "timestamp-client-cert", "",
 		"path to the X.509 certificate file in PEM format to be used for the connection to the TSA Server")
+	_ = cmd.MarkFlagFilename("timestamp-client-cert", certificateExts...)
 
 	cmd.Flags().StringVar(&o.TSAClientKey, "timestamp-client-key", "",
 		"path to the X.509 private key file in PEM format to be used, together with the 'timestamp-client-cert' value, for the connection to the TSA Server")
+	_ = cmd.MarkFlagFilename("timestamp-client-key", privateKeyExts...)
 
 	cmd.Flags().StringVar(&o.TSAServerName, "timestamp-server-name", "",
 		"SAN name to use as the 'ServerName' tls.Config field to verify the mTLS connection to the TSA Server")
 
 	cmd.Flags().StringVar(&o.TSAServerURL, "timestamp-server-url", "",
 		"url to the Timestamp RFC3161 server, default none. Must be the path to the API to request timestamp responses, e.g. https://freetsa.org/tsr")
 
-	_ = cmd.MarkFlagFilename("certificate", "cert")
+	_ = cmd.MarkFlagFilename("certificate", certificateExts...)
 
 	cmd.Flags().BoolVar(&o.IssueCertificate, "issue-certificate", false,
 		"issue a code signing certificate from Fulcio, even if a key is provided")