Skip to content

Commit

Permalink
Full release of actions/core 1.6.0 with oidc behavior (actions#919)
Browse files Browse the repository at this point in the history
* OIDC Client for actions/core

Co-authored-by: Sourav Chanduka <[email protected]>
Co-authored-by: Sourav Chanduka <[email protected]>
Co-authored-by: Tingluo Huang <[email protected]>
  • Loading branch information
4 people authored Sep 28, 2021
1 parent 60145e4 commit 27f76df
Show file tree
Hide file tree
Showing 8 changed files with 22,247 additions and 29 deletions.
22,059 changes: 22,033 additions & 26 deletions package-lock.json

Large diffs are not rendered by default.

48 changes: 48 additions & 0 deletions packages/core/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -262,3 +262,51 @@ var pid = core.getState("pidToKill");
process.kill(pid);
```

#### OIDC Token

You can use these methods to interact with the GitHub OIDC provider and get a JWT ID token which would help to get access token from third party cloud providers.

**Method Name**: getIDToken()

**Inputs**

audience : optional

**Outputs**

A [JWT](https://jwt.io/) ID Token

In action's `main.ts`:
```js
const core = require('@actions/core');
async function getIDTokenAction(): Promise<void> {
const audience = core.getInput('audience', {required: false})
const id_token1 = await core.getIDToken() // ID Token with default audience
const id_token2 = await core.getIDToken(audience) // ID token with custom audience
// this id_token can be used to get access token from third party cloud providers
}
getIDTokenAction()
```

In action's `actions.yml`:

```yaml
name: 'GetIDToken'
description: 'Get ID token from Github OIDC provider'
inputs:
audience:
description: 'Audience for which the ID token is intended for'
required: false
outputs:
id_token1:
description: 'ID token obtained from OIDC provider'
id_token2:
description: 'ID token obtained from OIDC provider'
runs:
using: 'node12'
main: 'dist/index.js'
```
4 changes: 4 additions & 0 deletions packages/core/RELEASES.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
# @actions/core Releases

### 1.6.0
- [Added OIDC Client function `getIDToken`](https://github.com/actions/toolkit/pull/919)
- [Added `file` parameter to `AnnotationProperties`](https://github.com/actions/toolkit/pull/896)

### 1.5.0
- [Added support for notice annotations and more annotation fields](https://github.com/actions/toolkit/pull/855)

Expand Down
18 changes: 18 additions & 0 deletions packages/core/__tests__/core.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ import * as fs from 'fs'
import * as os from 'os'
import * as path from 'path'
import * as core from '../src/core'
import {HttpClient} from '@actions/http-client'
import {toCommandProperties} from '../src/utils'

/* eslint-disable @typescript-eslint/unbound-method */
Expand Down Expand Up @@ -469,3 +470,20 @@ function verifyFileCommand(command: string, expectedContents: string): void {
fs.unlinkSync(filePath)
}
}

function getTokenEndPoint(): string {
return 'https://vstoken.actions.githubusercontent.com/.well-known/openid-configuration'
}

describe('oidc-client-tests', () => {
it('Get Http Client', async () => {
const http = new HttpClient('actions/oidc-client')
expect(http).toBeDefined()
})

it('HTTP get request to get token endpoint', async () => {
const http = new HttpClient('actions/oidc-client')
const res = await http.get(getTokenEndPoint())
expect(res.message.statusCode).toBe(200)
})
})
52 changes: 50 additions & 2 deletions packages/core/package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

5 changes: 4 additions & 1 deletion packages/core/package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@actions/core",
"version": "1.5.0",
"version": "1.6.0",
"description": "Actions core lib",
"keywords": [
"github",
Expand Down Expand Up @@ -35,6 +35,9 @@
"bugs": {
"url": "https://github.com/actions/toolkit/issues"
},
"dependencies": {
"@actions/http-client": "^1.0.11"
},
"devDependencies": {
"@types/node": "^12.0.2"
}
Expand Down
6 changes: 6 additions & 0 deletions packages/core/src/core.ts
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,8 @@ import {toCommandProperties, toCommandValue} from './utils'
import * as os from 'os'
import * as path from 'path'

import {OidcClient} from './oidc-utils'

/**
* Interface for getInput options
*/
Expand Down Expand Up @@ -353,3 +355,7 @@ export function saveState(name: string, value: any): void {
export function getState(name: string): string {
return process.env[`STATE_${name}`] || ''
}

export async function getIDToken(aud?: string): Promise<string> {
return await OidcClient.getIDToken(aud)
}
84 changes: 84 additions & 0 deletions packages/core/src/oidc-utils.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
/* eslint-disable @typescript-eslint/no-extraneous-class */
import * as actions_http_client from '@actions/http-client'
import {IRequestOptions} from '@actions/http-client/interfaces'
import {HttpClient} from '@actions/http-client'
import {BearerCredentialHandler} from '@actions/http-client/auth'
import {debug, setSecret} from './core'
interface TokenResponse {
value?: string
}

export class OidcClient {
private static createHttpClient(
allowRetry = true,
maxRetry = 10
): actions_http_client.HttpClient {
const requestOptions: IRequestOptions = {
allowRetries: allowRetry,
maxRetries: maxRetry
}

return new HttpClient(
'actions/oidc-client',
[new BearerCredentialHandler(OidcClient.getRequestToken())],
requestOptions
)
}

private static getRequestToken(): string {
const token = process.env['ACTIONS_ID_TOKEN_REQUEST_TOKEN']
if (!token) {
throw new Error(
'Unable to get ACTIONS_ID_TOKEN_REQUEST_TOKEN env variable'
)
}
return token
}

private static getIDTokenUrl(): string {
const runtimeUrl = process.env['ACTIONS_ID_TOKEN_REQUEST_URL']
if (!runtimeUrl) {
throw new Error('Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable')
}
return runtimeUrl
}

private static async getCall(id_token_url: string): Promise<string> {
const httpclient = OidcClient.createHttpClient()

const res = await httpclient
.getJson<TokenResponse>(id_token_url)
.catch(error => {
throw new Error(
`Failed to get ID Token. \n
Error Code : ${error.statusCode}\n
Error Message: ${error.result.message}`
)
})

const id_token = res.result?.value
if (!id_token) {
throw new Error('Response json body do not have ID Token field')
}
return id_token
}

static async getIDToken(audience?: string): Promise<string> {
try {
// New ID Token is requested from action service
let id_token_url: string = OidcClient.getIDTokenUrl()
if (audience) {
const encodedAudience = encodeURIComponent(audience)
id_token_url = `${id_token_url}&audience=${encodedAudience}`
}

debug(`ID token url is ${id_token_url}`)

const id_token = await OidcClient.getCall(id_token_url)
setSecret(id_token)
return id_token
} catch (error) {
throw new Error(`Error message: ${error.message}`)
}
}
}

0 comments on commit 27f76df

Please sign in to comment.