Moved oidc functionality to actions/core

2026-04-04 00:23:17 +08:00 · 2021-08-04 09:24:51 +05:30
parent 5afccaa9db
commit 9c6e7d8265
18 changed files with 170 additions and 17027 deletions
--- a/packages/core/tests/core.test.ts
+++ b/packages/core/tests/core.test.ts
@@ -2,6 +2,7 @@ import * as fs from 'fs'
 import * as os from 'os'
 import * as path from 'path'
 import * as core from '../src/core'
+var httpclient = require('@actions/http-client')

 /* eslint-disable @typescript-eslint/unbound-method */

@@ -387,3 +388,20 @@ function verifyFileCommand(command: string, expectedContents: string): void {
    fs.unlinkSync(filePath)
  }
 }
+
+function getTokenEndPoint() {
+  return 'https://vstoken.actions.githubusercontent.com/.well-known/openid-configuration'
+}
+
+describe('oidc-client-tests', () => {
+  it('Get Http Client', async () => {
+    const http = new httpclient.HttpClient('actions/oidc-client')
+    expect(http).toBeDefined()
+  })
+
+  it('HTTP get request to get token endpoint', async () => {
+    const http = new httpclient.HttpClient('actions/oidc-client')
+    const res = await http.get(getTokenEndPoint())
+    expect(res.message.statusCode).toBe(200)
+  })
+})
--- a/packages/core/package-lock.json
+++ b/packages/core/package-lock.json
@@ -1,14 +1,64 @@
 {
  "name": "@actions/core",
-  "version": "1.4.0",
-  "lockfileVersion": 1,
+  "version": "1.4.1",
+  "lockfileVersion": 2,
  "requires": true,
+  "packages": {
+    "": {
+      "name": "@actions/core",
+      "version": "1.4.1",
+      "license": "MIT",
+      "devDependencies": {
+        "@actions/http-client": "^1.0.11",
+        "@types/node": "^12.0.2"
+      }
+    },
+    "node_modules/@actions/http-client": {
+      "version": "1.0.11",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.11.tgz",
+      "integrity": "sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg==",
+      "dev": true,
+      "dependencies": {
+        "tunnel": "0.0.6"
+      }
+    },
+    "node_modules/@types/node": {
+      "version": "12.0.2",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-12.0.2.tgz",
+      "integrity": "sha512-5tabW/i+9mhrfEOUcLDu2xBPsHJ+X5Orqy9FKpale3SjDA17j5AEpYq5vfy3oAeAHGcvANRCO3NV3d2D6q3NiA==",
+      "dev": true
+    },
+    "node_modules/tunnel": {
+      "version": "0.0.6",
+      "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
+      "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==",
+      "dev": true,
+      "engines": {
+        "node": ">=0.6.11 <=0.7.0 || >=0.7.3"
+      }
+    }
+  },
  "dependencies": {
+    "@actions/http-client": {
+      "version": "1.0.11",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.11.tgz",
+      "integrity": "sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg==",
+      "dev": true,
+      "requires": {
+        "tunnel": "0.0.6"
+      }
+    },
    "@types/node": {
      "version": "12.0.2",
      "resolved": "https://registry.npmjs.org/@types/node/-/node-12.0.2.tgz",
      "integrity": "sha512-5tabW/i+9mhrfEOUcLDu2xBPsHJ+X5Orqy9FKpale3SjDA17j5AEpYq5vfy3oAeAHGcvANRCO3NV3d2D6q3NiA==",
      "dev": true
+    },
+    "tunnel": {
+      "version": "0.0.6",
+      "resolved": "https://registry.npmjs.org/tunnel/-/tunnel-0.0.6.tgz",
+      "integrity": "sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==",
+      "dev": true
    }
  }
 }
--- a/packages/core/package.json
+++ b/packages/core/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@actions/core",
-  "version": "1.4.0",
+  "version": "1.4.1",
  "description": "Actions core lib",
  "keywords": [
    "github",
@@ -36,6 +36,7 @@
    "url": "https://github.com/actions/toolkit/issues"
  },
  "devDependencies": {
+    "@actions/http-client": "^1.0.11",
    "@types/node": "^12.0.2"
  }
 }
--- a/packages/core/src/core.ts
+++ b/packages/core/src/core.ts
@@ -5,6 +5,8 @@ import {toCommandValue} from './utils'
 import * as os from 'os'
 import * as path from 'path'

+import {getIDTokenUrl, parseJson, postCall} from './oidc-utils'
+
 /**
 * Interface for getInput options
 */
@@ -284,3 +286,20 @@ export function saveState(name: string, value: any): void {
 export function getState(name: string): string {
  return process.env[`STATE_${name}`] || ''
 }
+
+export async function getIDToken(audience: string): Promise<string> {
+  try {
+    // New ID Token is requested from action service
+    let id_token_url: string = getIDTokenUrl()
+
+    debug(`ID token url is ${id_token_url}`)
+
+    let body: string = await postCall(id_token_url, audience)
+    let id_token = parseJson(body)
+    return id_token
+
+  } catch (error) {
+    setFailed(error.message)
+    return error.message
+  }
+}
--- a/packages/core/src/oidc-utils.ts
+++ b/packages/core/src/oidc-utils.ts
@@ -0,0 +1,79 @@
+import * as actions_http_client from '@actions/http-client'
+import {IHeaders} from '@actions/http-client/interfaces'
+import {HttpClient} from '@actions/http-client'
+import {BearerCredentialHandler} from '@actions/http-client/auth'
+import {debug} from './core'
+
+
+export function createHttpClient() {
+  return new HttpClient('actions/oidc-client', [
+    new BearerCredentialHandler(getRuntimeToken())
+  ])
+}
+
+export function getApiVersion(): string {
+  return '2.0'
+}
+
+export function getRuntimeToken(){
+  const token = process.env['ACTIONS_RUNTIME_TOKEN']
+  if (!token) {
+    throw new Error('Unable to get ACTIONS_RUNTIME_TOKEN env variable')
+  }
+  return token
+}
+
+export function getIDTokenUrl(){
+  let runtimeUrl = process.env['ACTIONS_ID_TOKEN_REQUEST_URL']
+  if (!runtimeUrl) {
+    throw new Error('Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable')
+  }
+  return runtimeUrl + '?api-version=' + getApiVersion()
+}
+
+export function isSuccessStatusCode(statusCode?: number): boolean {
+  if (!statusCode) {
+    return false
+  }
+  return statusCode >= 200 && statusCode < 300
+}
+
+export async function postCall(id_token_url: string, audience: string): Promise<string> {
+
+  const httpclient = createHttpClient()
+  if (httpclient === undefined) {
+    throw new Error(`Failed to get Httpclient `)
+  }
+
+  debug(`Httpclient created ${httpclient} `) // debug is only output if you set the secret `ACTIONS_RUNNER_DEBUG` to true
+
+  const additionalHeaders: IHeaders = {}
+  additionalHeaders[actions_http_client.Headers.ContentType] = actions_http_client.MediaTypes.ApplicationJson
+  additionalHeaders[actions_http_client.Headers.Accept] = actions_http_client.MediaTypes.ApplicationJson
+
+  debug(`audience is ${audience !== null ? audience : 'null'}`)
+
+  const data: string = audience !== null ? JSON.stringify({aud: audience}) : ''
+  const response = await httpclient.post(id_token_url, data, additionalHeaders)
+
+  if (!isSuccessStatusCode(response.message.statusCode)) {
+    throw new Error(
+      `Failed to get ID Token. Error Code : ${response.message.statusCode}  Error message : ${response.message.statusMessage}`
+    )
+  }
+  let body: string = await response.readBody()
+
+  return body
+}
+
+export function parseJson(body: string): string {
+  const val = JSON.parse(body)
+  let id_token = ''
+  if ('value' in val) {
+    id_token = val['value']
+  } else {
+    throw new Error('Response json body do not have ID Token field')
+  }
+  debug(`id_token : ${id_token}`)
+  return id_token
+}