feat: adds support for oidc publish

Author: reggi

lib/commands/publish.js

@@ -16,6 +16,7 @@ const { getContents, logTar } = require('../utils/tar.js')
 const { flatten } = require('@npmcli/config/lib/definitions')
 const pkgJson = require('@npmcli/package-json')
 const BaseCommand = require('../base-cmd.js')
+const { oidc } = require('../../lib/utils/oidc.js')
 
 class Publish extends BaseCommand {
   static description = 'Publish a package'
@@ -136,6 +137,9 @@ class Publish extends BaseCommand {
     npa(`${manifest.name}@${defaultTag}`)
 
     const registry = npmFetch.pickRegistry(resolved, opts)
+
+    await oidc({ packageName: manifest.name, registry, opts, config: this.npm.config })
+
     const creds = this.npm.config.getCredentialsByURI(registry)
     const noCreds = !(creds.token || creds.username || creds.certfile && creds.keyfile)
     const outputRegistry = replaceInfo(registry)

lib/utils/oidc.js

@@ -0,0 +1,138 @@
+const { log } = require('proc-log')
+const npmFetch = require('npm-registry-fetch')
+const ciInfo = require('ci-info')
+const fetch = require('make-fetch-happen')
+
+/**
+ * Handles OpenID Connect (OIDC) token retrieval and exchange for CI environments.
+ *
+ * This function is designed to work in Continuous Integration (CI) environments such as GitHub Actions
+ * and GitLab. It retrieves an OIDC token from the CI environment, exchanges it for an npm token, and
+ * sets the token in the provided configuration for authentication with the npm registry.
+ *
+ * This function is intended to never throw, as it mutates the state of the `opts` and `config` objects on success.
+ * OIDC is always an optional feature, and the function should not throw if OIDC is not configured by the registry.
+ *
+ * @see https://github.com/watson/ci-info for CI environment detection.
+ * @see https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect for GitHub Actions OIDC.
+ */
+async function oidc ({ packageName, registry, opts, config }) {
+  /*
+   * This code should never run when people try to publish locally on their machines.
+   * It is designed to execute only in Continuous Integration (CI) environments.
+   */
+  try {
+    if (!(
+      /** @see https://github.com/watson/ci-info/blob/v4.2.0/vendors.json#L152 */
+      ciInfo.GITHUB_ACTIONS ||
+      /** @see https://github.com/watson/ci-info/blob/v4.2.0/vendors.json#L161C13-L161C22 */
+      ciInfo.GITLAB
+    )) {
+      return undefined
+    }
+
+    log.silly('oidc', 'Detemrmining if npm should use OIDC publishing')
+
+    /**
+     * Check if the environment variable `NPM_ID_TOKEN` is set.
+     * In GitLab CI, the ID token is provided via an environment variable,
+     * with `NPM_ID_TOKEN` serving as a predefined default. For consistency,
+     * all supported CI environments are expected to support this variable.
+     * In contrast, GitHub Actions uses a request-based approach to retrieve the ID token.
+     * The presence of this token within GitHub Actions will override the request-based approach.
+     * This variable follows the prefix/suffix convention from sigstore (e.g., `SIGSTORE_ID_TOKEN`).
+     * @see https://docs.sigstore.dev/cosign/signing/overview/
+     */
+    let idToken = process.env.NPM_ID_TOKEN
+
+    if (idToken) {
+      log.silly('oidc', 'NPM_ID_TOKEN present')
+    } else {
+      log.silly('oidc', 'NPM_ID_TOKEN not present, checking for GITHUB_ACTIONS')
+      if (ciInfo.GITHUB_ACTIONS) {
+        /**
+         * GitHub Actions provides these environment variables:
+         * - `ACTIONS_ID_TOKEN_REQUEST_URL`: The URL to request the ID token.
+         * - `ACTIONS_ID_TOKEN_REQUEST_TOKEN`: The token to authenticate the request.
+         * Only when a workflow has the following permissions:
+         * ```
+         * permissions:
+         *    id-token: write
+         * ```
+         * @see https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers#adding-permissions-settings
+         */
+        if (
+          process.env.ACTIONS_ID_TOKEN_REQUEST_URL &&
+          process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN
+        ) {
+          log.silly('oidc', '"GITHUB_ACTIONS" detected with "ACTIONS_ID_" envs, fetching id_token')
+
+          /**
+           * The specification for an audience is `npm:registry.npmjs.org`,
+           * where "registry.npmjs.org" can be any supported registry.
+           */
+          const audience = `npm:${new URL(registry).hostname}`
+
+          const url = new URL(process.env.ACTIONS_ID_TOKEN_REQUEST_URL)
+          url.searchParams.append('audience', audience)
+          const response = await fetch(url.href, {
+            method: 'POST',
+            retry: opts.retry,
+            headers: {
+              Accept: 'application/json',
+              Authorization: `Bearer ${process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN}`,
+            },
+          })
+
+          if (!response.ok) {
+            throw new Error(`Failed to fetch id_token from GitHub: received an invalid response`)
+          }
+          const json = await response.json()
+          if (!json.value) {
+            throw new Error(`Failed to fetch id_token from GitHub: missing value`)
+          }
+          log.silly('oidc:', 'GITHUB_ACTIONS valid fetch response for id_token')
+          idToken = json.value
+        } else {
+          throw new Error('GITHUB_ACTIONS detected. If you intend to publish using OIDC, please set workflow permissions for `id-token: write`')
+        }
+      }
+    }
+
+    if (!idToken) {
+      log.silly('oidc', 'Exiting OIDC, no id_token available')
+      return undefined
+    }
+
+    const response = await npmFetch.json(new URL('/-/npm/v1/oidc/token/exchange', registry), {
+      ...opts,
+      method: 'POST',
+      body: JSON.stringify({
+        package_name: packageName,
+        id_token: idToken,
+      }),
+    })
+
+    if (!response?.token) {
+      throw new Error('OIDC token exchange failure: missing token in response body')
+    }
+    const parsedRegistry = new URL(registry)
+    const regKey = `//${parsedRegistry.host}${parsedRegistry.pathname}`
+    const authTokenKey = `${regKey}:_authToken`
+    /*
+     * The "opts" object is a clone of npm.flatOptions and is passed through the `publish` command,
+     * eventually reaching `otplease`. To ensure the token is accessible during the publishing process,
+     * it must be directly attached to the `opts` object.
+     * Additionally, the token is required by the "live" configuration or getters within `config`.
+     */
+    opts[authTokenKey] = response.token
+    config.set(authTokenKey, response.token, 'user')
+  } catch (error) {
+    log.verbose('oidc', error.message)
+  }
+  return undefined
+}
+
+module.exports = {
+  oidc,
+}

mock-registry/lib/index.js

@@ -359,7 +359,7 @@ class MockRegistry {
   }
 
   publish (name, {
-    packageJson, access, noGet, noPut, putCode, manifest, packuments,
+    packageJson, access, noGet, noPut, putCode, manifest, packuments, token,
   } = {}) {
     if (!noGet) {
       // this getPackage call is used to get the latest semver version before publish
@@ -373,7 +373,7 @@ class MockRegistry {
       }
     }
     if (!noPut) {
-      this.putPackage(name, { code: putCode, packageJson, access })
+      this.putPackage(name, { code: putCode, packageJson, access, token })
     }
   }
 
@@ -391,10 +391,14 @@ class MockRegistry {
     this.nock = nock
   }
 
-  putPackage (name, { code = 200, resp = {}, ...putPackagePayload }) {
-    this.nock.put(`/${npa(name).escapedName}`, body => {
+  putPackage (name, { code = 200, resp = {}, token, ...putPackagePayload }) {
+    let n = this.nock.put(`/${npa(name).escapedName}`, body => {
       return this.#tap.match(body, this.putPackagePayload({ name, ...putPackagePayload }))
-    }).reply(code, resp)
+    })
+    if (token) {
+      n = n.matchHeader('authorization', `Bearer ${token}`)
+    }
+    n.reply(code, resp)
   }
 
   putPackagePayload (opts) {
@@ -626,6 +630,13 @@ class MockRegistry {
       }
     }
   }
+
+  mockOidcTokenExchange ({ packageName, idToken, token, statusCode = 200 } = {}) {
+    this.nock.post(this.fullPath('/-/npm/v1/oidc/token/exchange'), body => {
+      return body.package_name === packageName && body.id_token === idToken
+    }).reply(statusCode, statusCode !== 500 ? { token: token } : { message: 'Internal Server Error' })
+    return { token }
+  }
 }
 
 module.exports = MockRegistry

mock-registry/lib/oidc.js

@@ -0,0 +1,107 @@
+const nock = require('nock')
+const ciInfo = require('ci-info')
+
+class MockOidc {
+  constructor ({ github = false, gitlab = false }) {
+    this.github = github
+    this.gitlab = gitlab
+    this.setupEnvironment()
+  }
+
+  ACTIONS_ID_TOKEN_REQUEST_URL = 'https://github.com/actions/id-token'
+  ACTIONS_ID_TOKEN_REQUEST_TOKEN = 'ACTIONS_ID_TOKEN_REQUEST_TOKEN'
+  NPM_ID_TOKEN = 'NPM_ID_TOKEN'
+  GITHUB_ID_TOKEN = 'mock-github-id-token'
+
+  get idToken () {
+    if (this.github) {
+      return this.GITHUB_ID_TOKEN
+    }
+    if (this.gitlab) {
+      return this.NPM_ID_TOKEN
+    }
+    return undefined
+  }
+
+  setupEnvironment () {
+    if (this.github) {
+      process.env.CI = 'true'
+      process.env.GITHUB_ACTIONS = 'true'
+      process.env.ACTIONS_ID_TOKEN_REQUEST_URL = this.ACTIONS_ID_TOKEN_REQUEST_URL
+      process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN = this.ACTIONS_ID_TOKEN_REQUEST_TOKEN
+      ciInfo.GITHUB_ACTIONS = true
+    }
+
+    if (this.gitlab) {
+      process.env.CI = 'true'
+      process.env.GITLAB_CI = 'true'
+      process.env.NPM_ID_TOKEN = this.NPM_ID_TOKEN
+      ciInfo.GITLAB = true
+    }
+  }
+
+  mockGithubOidc ({ idToken = this.GITHUB_ID_TOKEN, audience, statusCode = 200 } = {}) {
+    if (!this.github) {
+      return
+    }
+
+    const url = new URL(this.ACTIONS_ID_TOKEN_REQUEST_URL)
+    nock(url.origin)
+      .post(url.pathname)
+      .query({ audience })
+      .matchHeader('authorization', `Bearer ${this.ACTIONS_ID_TOKEN_REQUEST_TOKEN}`)
+      .matchHeader('accept', 'application/json')
+      .reply(statusCode, statusCode !== 500 ? { value: idToken } : { message: 'Internal Server Error' })
+
+    return { idToken }
+  }
+
+  reset () {
+    delete process.env.CI
+    delete process.env.GITHUB_ACTIONS
+    delete process.env.ACTIONS_ID_TOKEN_REQUEST_URL
+    delete process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN
+    delete process.env.GITLAB_CI
+    delete process.env.NPM_ID_TOKEN
+    ciInfo.GITHUB_ACTIONS = false
+    ciInfo.GITLAB = false
+    nock.cleanAll()
+  }
+
+  static tnock (t, opts = {}, { debug = false, strict = false } = {}) {
+    const instance = new MockOidc(opts)
+
+    const noMatch = (req) => {
+      if (debug) {
+        /* eslint-disable-next-line no-console */
+        console.error('NO MATCH', t.name, req.options ? req.options : req.path)
+      }
+      if (strict) {
+        t.comment(`Unmatched request: ${req.method} ${req.path}`)
+        t.fail(`Unmatched request: ${req.method} ${req.path}`)
+      }
+    }
+
+    nock.emitter.on('no match', noMatch)
+    nock.disableNetConnect()
+
+    if (strict) {
+      t.afterEach(() => {
+        t.strictSame(nock.pendingMocks(), [], 'no pending mocks after each')
+      })
+    }
+
+    t.teardown(() => {
+      nock.enableNetConnect()
+      nock.emitter.off('no match', noMatch)
+      nock.cleanAll()
+      instance.reset()
+    })
+
+    return instance
+  }
+}
+
+module.exports = {
+  MockOidc,
+}