Inital draft of OIDC Client

packages/oidc-client/src/internal/config-variables.ts

@@ -0,0 +1,31 @@
+export function getRuntimeToken(): string {
+  const token = process.env['ACTIONS_RUNTIME_TOKEN']
+  if (!token) {
+    throw new Error('Unable to get ACTIONS_RUNTIME_TOKEN env variable')
+  }
+  return token
+}
+
+export function getIDTokenUrl(): string {
+  const runtimeUrl = process.env['ACTIONS_ID_TOKEN_REQUEST_URL']
+  if (!runtimeUrl) {
+    throw new Error('Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable')
+  }
+  return runtimeUrl
+}
+
+export function getWorkFlowRunId(): string {
+  const workFlowRunId = process.env['GITHUB_RUN_ID']
+  if (!workFlowRunId) {
+    throw new Error('Unable to get GITHUB_RUN_ID env variable')
+  }
+  return workFlowRunId
+}
+
+export function getIDTokenFromEnv(): string {
+  const tokenId = process.env['OIDC_TOKEN_ID']   //Need to check the exact env var name
+  if(!tokenId) {
+    throw new Error('Unable to get OIDC_TOKEN_ID env variable')
+  }
+  return tokenId
+}

packages/oidc-client/src/internal/utils.ts

@@ -0,0 +1,30 @@
+
+import {debug, info, warning} from '@actions/core'
+import {HttpClient} from '@actions/http-client'
+import {BearerCredentialHandler} from '@actions/http-client/auth'
+import {IHeaders, IHttpClientResponse} from '@actions/http-client/interfaces'
+
+import {
+    getRuntimeToken,
+    getWorkFlowRunId
+  } from './config-variables'
+
+  export function isSuccessStatusCode(statusCode?: number): boolean {
+    if (!statusCode) {
+      return false
+    }
+    return statusCode >= 200 && statusCode < 300
+  }
+
+
+  export function createHttpClient(): HttpClient {
+    return new HttpClient('actions/oidc-client', [
+      new BearerCredentialHandler(getRuntimeToken())
+    ])
+  }
+
+
+  export function getApiVersion(): string {
+    return '1.0'
+  }
+

packages/oidc-client/src/main.ts

@@ -0,0 +1,73 @@
+import * as core from '@actions/core'
+import {IHeaders} from '@actions/http-client/interfaces'
+import {
+  createHttpClient,
+  isSuccessStatusCode
+} from './internal/utils'
+
+import {
+  getIDTokenFromEnv,
+  getIDTokenUrl
+} from './internal/config-variables'
+
+
+export async function getIDToken(audience: string): Promise<string> {
+  try {
+
+    //Check if id token is stored in environment variable
+
+    var id_token: string = getIDTokenFromEnv()
+    if(id_token != undefined) {
+      const secondsSinceEpoch = Math.round(Date.now() / 1000)
+      const id_token_json = JSON.parse(id_token)
+      if(parseInt(id_token_json['exp']) - secondsSinceEpoch > 120)    // Expiry time is more than 2 mins
+        return id_token
+    }
+
+
+    // New ID Token is requested from action service
+    
+    const id_tokne_url: string =  getIDTokenUrl()
+
+    if (id_tokne_url == undefined) {
+      throw new Error(`ID Token URL not found`)
+    }
+
+    core.debug(`ID token url is ${id_tokne_url}`)
+
+    const httpclient = createHttpClient()
+    if (httpclient == undefined) {
+      throw new Error(`Failed to get Httpclient `)
+    }
+    core.debug(`Httpclient created ${httpclient} `) // debug is only output if you set the secret `ACTIONS_RUNNER_DEBUG` to true
+
+
+    const response = await httpclient.post(id_tokne_url, audience)
+
+    
+    if (!isSuccessStatusCode(response.message.statusCode)){
+      throw new Error(
+        `Failed to get ID Token. Error message  :${response.message.statusMessage} `
+      )
+    }
+
+    const body: string = await response.readBody()
+    const val = JSON.parse(body)
+    id_token = val['id_token']
+
+    if (id_token == undefined) {
+      throw new Error(`Not able to fetch the ID token`)
+    }
+
+    // Save ID Token in Env Variable
+    core.exportVariable('OIDC_TOKEN_ID', id_token)
+
+    return id_token
+    
+  } catch (error) {
+    core.setFailed(error.message)
+    return error.message
+  }
+}
+
+module.exports.getIDToken = getIDToken