File Explorer

/var/lang/lib/node_modules/npm/lib/utils
This explorer reads the filesystem of the server it runs on, so /workspace/user isn't present here. Browsing and the terminal still work against this server's own disk from /.
0 dirs
35 files
oidc.js7.2 KB · 181 lines
1const { log } = require('proc-log')2const npmFetch = require('npm-registry-fetch')3const ciInfo = require('ci-info')4const fetch = require('make-fetch-happen')5const npa = require('npm-package-arg')6const libaccess = require('libnpmaccess')7 8/**9 * Handles OpenID Connect (OIDC) token retrieval and exchange for CI environments.10 *11 * This function is designed to work in Continuous Integration (CI) environments such as GitHub Actions,12 * GitLab, and CircleCI. It retrieves an OIDC token from the CI environment, exchanges it for an npm token, and13 * sets the token in the provided configuration for authentication with the npm registry.14 *15 * This function is intended to never throw, as it mutates the state of the `opts` and `config` objects on success.16 * OIDC is always an optional feature, and the function should not throw if OIDC is not configured by the registry.17 *18 * @see https://github.com/watson/ci-info for CI environment detection.19 * @see https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect for GitHub Actions OIDC.20 * @see https://circleci.com/docs/openid-connect-tokens/ for CircleCI OIDC.21 */22async function oidc ({ packageName, registry, opts, config }) {23  /*24   * This code should never run when people try to publish locally on their machines.25   * It is designed to execute only in Continuous Integration (CI) environments.26   */27 28  try {29    if (!(30      /** @see https://github.com/watson/ci-info/blob/v4.2.0/vendors.json#L152 */31      ciInfo.GITHUB_ACTIONS ||32      /** @see https://github.com/watson/ci-info/blob/v4.2.0/vendors.json#L161C13-L161C22 */33      ciInfo.GITLAB ||34      /** @see https://github.com/watson/ci-info/blob/v4.2.0/vendors.json#L78 */35      ciInfo.CIRCLE36    )) {37      return undefined38    }39 40    /**41     * Check if the environment variable `NPM_ID_TOKEN` is set.42     * In GitLab CI, the ID token is provided via an environment variable,43     * with `NPM_ID_TOKEN` serving as a predefined default. For consistency,44     * all supported CI environments are expected to support this variable.45     * In contrast, GitHub Actions uses a request-based approach to retrieve the ID token.46     * The presence of this token within GitHub Actions will override the request-based approach.47     * This variable follows the prefix/suffix convention from sigstore (e.g., `SIGSTORE_ID_TOKEN`).48     * @see https://docs.sigstore.dev/cosign/signing/overview/49     */50    let idToken = process.env.NPM_ID_TOKEN51 52    if (!idToken && ciInfo.GITHUB_ACTIONS) {53      /**54       * GitHub Actions provides these environment variables:55       * - `ACTIONS_ID_TOKEN_REQUEST_URL`: The URL to request the ID token.56       * - `ACTIONS_ID_TOKEN_REQUEST_TOKEN`: The token to authenticate the request.57       * Only when a workflow has the following permissions:58       * ```59       * permissions:60       *    id-token: write61       * ```62       * @see https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers#adding-permissions-settings63       */64      if (!(65        process.env.ACTIONS_ID_TOKEN_REQUEST_URL &&66        process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN67      )) {68        log.silly('oidc', 'Skipped because incorrect permissions for id-token within GitHub workflow')69        return undefined70      }71 72      /**73       * The specification for an audience is `npm:registry.npmjs.org`,74       * where "registry.npmjs.org" can be any supported registry.75       */76      const audience = `npm:${new URL(registry).hostname}`77      const url = new URL(process.env.ACTIONS_ID_TOKEN_REQUEST_URL)78      url.searchParams.append('audience', audience)79      const startTime = Date.now()80      const response = await fetch(url.href, {81        retry: opts.retry,82        headers: {83          Accept: 'application/json',84          Authorization: `Bearer ${process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN}`,85        },86      })87 88      const elapsedTime = Date.now() - startTime89 90      log.http(91        'fetch',92        `GET ${url.href} ${response.status} ${elapsedTime}ms`93      )94 95      const json = await response.json()96 97      if (!response.ok) {98        log.verbose('oidc', `Failed to fetch id_token from GitHub: received an invalid response`)99        return undefined100      }101 102      if (!json.value) {103        log.verbose('oidc', `Failed to fetch id_token from GitHub: missing value`)104        return undefined105      }106 107      idToken = json.value108    }109 110    if (!idToken) {111      log.silly('oidc', 'Skipped because no id_token available')112      return undefined113    }114 115    const parsedRegistry = new URL(registry)116    const regKey = `//${parsedRegistry.host}${parsedRegistry.pathname}`117    const authTokenKey = `${regKey}:_authToken`118 119    const escapedPackageName = npa(packageName).escapedName120    let response121    try {122      response = await npmFetch.json(new URL(`/-/npm/v1/oidc/token/exchange/package/${escapedPackageName}`, registry), {123        ...opts,124        [authTokenKey]: idToken, // Use the idToken as the auth token for the request125        method: 'POST',126      })127    } catch (error) {128      log.verbose('oidc', `Failed token exchange request with body message: ${error?.body?.message || 'Unknown error'}`)129      return undefined130    }131 132    if (!response?.token) {133      log.verbose('oidc', 'Failed because token exchange was missing the token in the response body')134      return undefined135    }136 137    /*138     * The "opts" object is a clone of npm.flatOptions and is passed through the `publish` command,139     * eventually reaching `otplease`. To ensure the token is accessible during the publishing process,140     * it must be directly attached to the `opts` object.141     * Additionally, the token is required by the "live" configuration or getters within `config`.142     */143    opts[authTokenKey] = response.token144    config.set(authTokenKey, response.token, 'user')145    log.verbose('oidc', `Successfully retrieved and set token`)146 147    try {148      const isDefaultProvenance = config.isDefault('provenance')149      // CircleCI doesn't support provenance yet, so skip the auto-enable logic150      if (isDefaultProvenance && !ciInfo.CIRCLE) {151        const [headerB64, payloadB64] = idToken.split('.')152        if (headerB64 && payloadB64) {153          const payloadJson = Buffer.from(payloadB64, 'base64').toString('utf8')154          const payload = JSON.parse(payloadJson)155          if (156            (ciInfo.GITHUB_ACTIONS && payload.repository_visibility === 'public') ||157            // only set provenance for gitlab if the repo is public and SIGSTORE_ID_TOKEN is available158            (ciInfo.GITLAB && payload.project_visibility === 'public' && process.env.SIGSTORE_ID_TOKEN)159          ) {160            const visibility = await libaccess.getVisibility(packageName, opts)161            if (visibility?.public) {162              log.verbose('oidc', `Enabling provenance`)163              opts.provenance = true164              config.set('provenance', true, 'user')165            }166          }167        }168      }169    } catch (error) {170      log.verbose('oidc', `Failed to set provenance with message: ${error?.message || 'Unknown error'}`)171    }172  } catch (error) {173    log.verbose('oidc', `Failure with message: ${error?.message || 'Unknown error'}`)174  }175  return undefined176}177 178module.exports = {179  oidc,180}181