Improve flag filename completions

Be more consistent across with extensions accepted/filtered, add some.

Also, mark and comment out cases where there are no known typical
filename extensions for flags taking filename arguments, to make it
obvious that they have not been inadvertently omitted. Marking a flag as
filename without specifying extensions is a no-op, and actually
considered a bug per commentary in cobra sources:
https://github.com/spf13/cobra/blob/41b26ec8bb59dfba580f722201bf371c4f5703dd/completions.go#L387-L390

Closes sigstore/community#538

Signed-off-by: Ville Skyttä <[email protected]>

Author: scop

cmd/cosign/cli/options/attach.go

@@ -80,7 +80,7 @@ func (o *AttachSBOMOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.SBOM, "sbom", "",
 		"path to the sbom, or {-} for stdin")
-	_ = cmd.Flags().SetAnnotation("sbom", cobra.BashCompFilenameExt, []string{})
+	_ = cmd.MarkFlagFilename("sbom", sbomExts...)
 
 	cmd.Flags().StringVar(&o.SBOMType, "type", "spdx",
 		"type of sbom (spdx|cyclonedx|syft)")

cmd/cosign/cli/options/attest.go

@@ -54,18 +54,18 @@ func (o *AttestOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.Key, "key", "",
 		"path to the private key file, KMS URI or Kubernetes Secret")
-	_ = cmd.MarkFlagFilename("key", "key")
+	_ = cmd.MarkFlagFilename("key", privateKeyExts...)
 
 	cmd.Flags().StringVar(&o.Cert, "certificate", "",
 		"path to the X.509 certificate in PEM format to include in the OCI Signature")
-	_ = cmd.MarkFlagFilename("certificate", "cert")
+	_ = cmd.MarkFlagFilename("certificate", certificateExts...)
 
 	cmd.Flags().StringVar(&o.CertChain, "certificate-chain", "",
 		"path to a list of CA X.509 certificates in PEM format which will be needed "+
 			"when building the certificate chain for the signing certificate. "+
 			"Must start with the parent intermediate CA certificate of the "+
 			"signing certificate and end with the root certificate. Included in the OCI Signature")
-	_ = cmd.MarkFlagFilename("certificate-chain", "cert")
+	_ = cmd.MarkFlagFilename("certificate-chain", certificateExts...)
 
 	cmd.Flags().BoolVar(&o.NoUpload, "no-upload", false,
 		"do not upload the generated attestation")

cmd/cosign/cli/options/attest_blob.go

@@ -58,33 +58,34 @@ func (o *AttestBlobOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.Key, "key", "",
 		"path to the private key file, KMS URI or Kubernetes Secret")
-	_ = cmd.MarkFlagFilename("key", "key")
+	_ = cmd.MarkFlagFilename("key", privateKeyExts...)
 
 	cmd.Flags().StringVar(&o.Cert, "certificate", "",
 		"path to the X.509 certificate in PEM format to include in the OCI Signature")
-	_ = cmd.MarkFlagFilename("certificate", "cert")
+	_ = cmd.MarkFlagFilename("certificate", certificateExts...)
 
 	cmd.Flags().StringVar(&o.CertChain, "certificate-chain", "",
 		"path to a list of CA X.509 certificates in PEM format which will be needed "+
 			"when building the certificate chain for the signing certificate. "+
 			"Must start with the parent intermediate CA certificate of the "+
 			"signing certificate and end with the root certificate. Included in the OCI Signature")
-	_ = cmd.MarkFlagFilename("certificate-chain", "cert")
+	_ = cmd.MarkFlagFilename("certificate-chain", certificateExts...)
 
 	cmd.Flags().StringVar(&o.OutputSignature, "output-signature", "",
 		"write the signature to FILE")
-	_ = cmd.MarkFlagFilename("output-signature")
+	_ = cmd.MarkFlagFilename("output-signature", signatureExts...)
 
 	cmd.Flags().StringVar(&o.OutputAttestation, "output-attestation", "",
 		"write the attestation to FILE")
+	// _ = cmd.MarkFlagFilename("output-attestation") // no typical extensions
 
 	cmd.Flags().StringVar(&o.OutputCertificate, "output-certificate", "",
 		"write the certificate to FILE")
-	_ = cmd.MarkFlagFilename("key")
+	_ = cmd.MarkFlagFilename("key", certificateExts...)
 
 	cmd.Flags().StringVar(&o.BundlePath, "bundle", "",
 		"write everything required to verify the blob to a FILE")
-	_ = cmd.MarkFlagFilename("bundle")
+	_ = cmd.MarkFlagFilename("bundle", bundleExts...)
 
 	// TODO: have this default to true as a breaking change
 	cmd.Flags().BoolVar(&o.NewBundleFormat, "new-bundle-format", false,
@@ -107,5 +108,5 @@ func (o *AttestBlobOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.RFC3161TimestampPath, "rfc3161-timestamp-bundle", "",
 		"path to an RFC 3161 timestamp bundle FILE")
-	_ = cmd.MarkFlagFilename("rfc3161-timestamp-bundle")
+	// _ = cmd.MarkFlagFilename("rfc3161-timestamp-bundle") // no typical extensions
 }

cmd/cosign/cli/options/bundle.go

@@ -39,33 +39,41 @@ var _ Interface = (*BundleCreateOptions)(nil)
 func (o *BundleCreateOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.Artifact, "artifact", "",
 		"path to artifact FILE")
+	// _ = cmd.MarkFlagFilename("artifact") // no typical extensions
 
 	cmd.Flags().StringVar(&o.AttestationPath, "attestation", "",
 		"path to attestation FILE")
+	// _ = cmd.MarkFlagFilename("attestation") // no typical extensions
 
 	cmd.Flags().StringVar(&o.BundlePath, "bundle", "",
 		"path to old format bundle FILE")
+	_ = cmd.MarkFlagFilename("bundle", bundleExts...)
 
 	cmd.Flags().StringVar(&o.CertificatePath, "certificate", "",
 		"path to the signing certificate, likely from Fulco.")
+	_ = cmd.MarkFlagFilename("certificate", certificateExts...)
 
 	cmd.Flags().BoolVar(&o.IgnoreTlog, "ignore-tlog", false,
 		"ignore transparency log verification, to be used when an artifact "+
 			"signature has not been uploaded to the transparency log.")
 
 	cmd.Flags().StringVar(&o.KeyRef, "key", "",
 		"path to the public key file, KMS URI or Kubernetes Secret")
+	_ = cmd.MarkFlagFilename("key", publicKeyExts...)
 
 	cmd.Flags().StringVar(&o.Out, "out", "", "path to output bundle")
+	_ = cmd.MarkFlagFilename("out", bundleExts...)
 
 	cmd.Flags().StringVar(&o.RekorURL, "rekor-url", "https://rekor.sigstore.dev",
 		"address of rekor STL server")
 
 	cmd.Flags().StringVar(&o.RFC3161TimestampPath, "rfc3161-timestamp", "",
 		"path to RFC3161 timestamp FILE")
+	// _ = cmd.MarkFlagFilename("rfc3161-timestamp") // no typical extensions
 
 	cmd.Flags().StringVar(&o.SignaturePath, "signature", "",
 		"path to base64-encoded signature over attestation in DSSE format")
+	_ = cmd.MarkFlagFilename("signature", signatureExts...)
 
 	cmd.Flags().BoolVar(&o.Sk, "sk", false,
 		"whether to use a hardware security key")

cmd/cosign/cli/options/certificate.go

@@ -46,7 +46,7 @@ var _ Interface = (*RekorOptions)(nil)
 func (o *CertVerifyOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVar(&o.Cert, "certificate", "",
 		"path to the public certificate. The certificate will be verified against the Fulcio roots if the --certificate-chain option is not passed.")
-	_ = cmd.MarkFlagFilename("certificate", "cert")
+	_ = cmd.MarkFlagFilename("certificate", certificateExts...)
 
 	cmd.Flags().StringVar(&o.CertIdentity, "certificate-identity", "",
 		"The identity expected in a valid Fulcio certificate. Valid values include email address, DNS names, IP addresses, and URIs. Either --certificate-identity or --certificate-identity-regexp must be set for keyless flows.")
@@ -82,24 +82,25 @@ func (o *CertVerifyOptions) AddFlags(cmd *cobra.Command) {
 			"when building the certificate chains for the signing certificate. "+
 			"The flag is optional and must be used together with --ca-roots, conflicts with "+
 			"--certificate-chain.")
-	_ = cmd.MarkFlagFilename("ca-intermediates", "cert")
+	_ = cmd.MarkFlagFilename("ca-intermediates", certificateExts...)
 	cmd.Flags().StringVar(&o.CARoots, "ca-roots", "",
 		"path to a bundle file of CA certificates in PEM format which will be needed "+
 			"when building the certificate chains for the signing certificate. Conflicts with --certificate-chain.")
-	_ = cmd.MarkFlagFilename("ca-roots", "cert")
+	_ = cmd.MarkFlagFilename("ca-roots", certificateExts...)
 
 	cmd.Flags().StringVar(&o.CertChain, "certificate-chain", "",
 		"path to a list of CA certificates in PEM format which will be needed "+
 			"when building the certificate chain for the signing certificate. "+
 			"Must start with the parent intermediate CA certificate of the "+
 			"signing certificate and end with the root certificate. Conflicts with --ca-roots and --ca-intermediates.")
-	_ = cmd.MarkFlagFilename("certificate-chain", "cert")
+	_ = cmd.MarkFlagFilename("certificate-chain", certificateExts...)
 	cmd.MarkFlagsMutuallyExclusive("ca-roots", "certificate-chain")
 	cmd.MarkFlagsMutuallyExclusive("ca-intermediates", "certificate-chain")
 
 	cmd.Flags().StringVar(&o.SCT, "sct", "",
 		"path to a detached Signed Certificate Timestamp, formatted as a RFC6962 AddChainResponse struct. "+
 			"If a certificate contains an SCT, verification will check both the detached and embedded SCTs.")
+	// _ = cmd.MarkFlagFilename("sct") // no typical extensions
 	cmd.Flags().BoolVar(&o.IgnoreSCT, "insecure-ignore-sct", false,
 		"when set, verification will not check that a certificate contains an embedded SCT, a proof of "+
 			"inclusion in a certificate transparency log")

cmd/cosign/cli/options/files.go

@@ -54,5 +54,5 @@ func (o *FilesOptions) String() string {
 func (o *FilesOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringSliceVarP(&o.Files, "files", "f", nil,
 		"<filepath>:[platform/arch]")
-	_ = cmd.MarkFlagFilename("files")
+	// _ = cmd.MarkFlagFilename("files") // no typical extensions
 }

cmd/cosign/cli/options/fulcio.go

@@ -39,6 +39,7 @@ func (o *FulcioOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.IdentityToken, "identity-token", "",
 		"identity token to use for certificate from fulcio. the token or a path to a file containing the token is accepted.")
+	// _ = cmd.MarkFlagFilename("identity-token") // no typical extensions
 
 	cmd.Flags().StringVar(&o.AuthFlow, "fulcio-auth-flow", "",
 		"fulcio interactive oauth2 flow to use for certificate from fulcio. Defaults to determining the flow based on the runtime environment. (options) normal|device|token|client_credentials")

cmd/cosign/cli/options/import_key_pair.go

@@ -36,11 +36,11 @@ var _ Interface = (*ImportKeyPairOptions)(nil)
 func (o *ImportKeyPairOptions) AddFlags(cmd *cobra.Command) {
 	cmd.Flags().StringVarP(&o.Key, "key", "k", "",
 		"import key pair to use for signing")
-	_ = cmd.MarkFlagFilename("key")
+	_ = cmd.MarkFlagFilename("key", privateKeyExts...)
 
 	cmd.Flags().StringVarP(&o.OutputKeyPrefix, "output-key-prefix", "o", "import-cosign",
 		"name used for outputted key pairs")
-	_ = cmd.MarkFlagFilename("output-key-prefix")
+	// _ = cmd.MarkFlagFilename("output-key-prefix") // no typical extensions
 
 	cmd.Flags().BoolVarP(&o.SkipConfirmation, "yes", "y", false,
 		"skip confirmation prompts for overwriting existing key")

cmd/cosign/cli/options/oidc.go

@@ -64,7 +64,7 @@ func (o *OIDCOptions) AddFlags(cmd *cobra.Command) {
 
 	cmd.Flags().StringVar(&o.clientSecretFile, "oidc-client-secret-file", "",
 		"Path to file containing OIDC client secret for application")
-	_ = cmd.MarkFlagFilename("oidc-client-secret-file")
+	// _ = cmd.MarkFlagFilename("oidc-client-secret-file") // no typical extensions
 
 	cmd.Flags().StringVar(&o.RedirectURL, "oidc-redirect-url", "",
 		"OIDC redirect URL (Optional). The default oidc-redirect-url is 'http://localhost:0/auth/callback'.")

cmd/cosign/cli/options/options.go

@@ -21,3 +21,37 @@ type Interface interface {
 	// AddFlags adds this options' flags to the cobra command.
 	AddFlags(cmd *cobra.Command)
 }
+
+var bundleExts = []string{
+	"bundle",
+}
+var certificateExts = []string{
+	"cert",
+	"crt",
+	"pem",
+}
+var logExts = []string{
+	"log",
+}
+var moduleExts = []string{
+	"dll",
+	"dylib",
+	"so",
+}
+var privateKeyExts = []string{
+	"key",
+}
+var publicKeyExts = []string{
+	"pub",
+}
+var sbomExts = []string{
+	"json",
+	"xml",
+	"spdx",
+}
+var signatureExts = []string{
+	"sig",
+}
+var wasmExts = []string{
+	"wasm",
+}