feat: adds support for oidc publish (#8336)

Author: reggi

lib/commands/publish.js

@@ -16,6 +16,7 @@ const { getContents, logTar } = require('../utils/tar.js')
 const { flatten } = require('@npmcli/config/lib/definitions')
 const pkgJson = require('@npmcli/package-json')
 const BaseCommand = require('../base-cmd.js')
+const { oidc } = require('../../lib/utils/oidc.js')
 
 class Publish extends BaseCommand {
   static description = 'Publish a package'
@@ -136,6 +137,9 @@ class Publish extends BaseCommand {
     npa(`${manifest.name}@${defaultTag}`)
 
     const registry = npmFetch.pickRegistry(resolved, opts)
+
+    await oidc({ packageName: manifest.name, registry, opts, config: this.npm.config })
+
     const creds = this.npm.config.getCredentialsByURI(registry)
     const noCreds = !(creds.token || creds.username || creds.certfile && creds.keyfile)
     const outputRegistry = replaceInfo(registry)

lib/commands/view.js

@@ -448,10 +448,12 @@ function cleanup (data) {
   }
 
   const keys = Object.keys(data)
+
   if (keys.length <= 3 && data.name && (
     (keys.length === 1) ||
     (keys.length === 3 && data.email && data.url) ||
-    (keys.length === 2 && (data.email || data.url))
+    (keys.length === 2 && (data.email || data.url)) ||
+    data.trustedPublisher
   )) {
     data = unparsePerson(data)
   }

lib/utils/oidc.js

@@ -0,0 +1,180 @@
+const { log } = require('proc-log')
+const npmFetch = require('npm-registry-fetch')
+const ciInfo = require('ci-info')
+const fetch = require('make-fetch-happen')
+const npa = require('npm-package-arg')
+
+/**
+ * Handles OpenID Connect (OIDC) token retrieval and exchange for CI environments.
+ *
+ * This function is designed to work in Continuous Integration (CI) environments such as GitHub Actions
+ * and GitLab. It retrieves an OIDC token from the CI environment, exchanges it for an npm token, and
+ * sets the token in the provided configuration for authentication with the npm registry.
+ *
+ * This function is intended to never throw, as it mutates the state of the `opts` and `config` objects on success.
+ * OIDC is always an optional feature, and the function should not throw if OIDC is not configured by the registry.
+ *
+ * @see https://github.com/watson/ci-info for CI environment detection.
+ * @see https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect for GitHub Actions OIDC.
+ */
+async function oidc ({ packageName, registry, opts, config }) {
+  /*
+   * This code should never run when people try to publish locally on their machines.
+   * It is designed to execute only in Continuous Integration (CI) environments.
+   */
+
+  try {
+    if (!(
+      /** @see https://github.com/watson/ci-info/blob/v4.2.0/vendors.json#L152 */
+      ciInfo.GITHUB_ACTIONS ||
+      /** @see https://github.com/watson/ci-info/blob/v4.2.0/vendors.json#L161C13-L161C22 */
+      ciInfo.GITLAB
+    )) {
+      return undefined
+    }
+
+    /**
+     * Check if the environment variable `NPM_ID_TOKEN` is set.
+     * In GitLab CI, the ID token is provided via an environment variable,
+     * with `NPM_ID_TOKEN` serving as a predefined default. For consistency,
+     * all supported CI environments are expected to support this variable.
+     * In contrast, GitHub Actions uses a request-based approach to retrieve the ID token.
+     * The presence of this token within GitHub Actions will override the request-based approach.
+     * This variable follows the prefix/suffix convention from sigstore (e.g., `SIGSTORE_ID_TOKEN`).
+     * @see https://docs.sigstore.dev/cosign/signing/overview/
+     */
+    let idToken = process.env.NPM_ID_TOKEN
+
+    if (!idToken && ciInfo.GITHUB_ACTIONS) {
+      /**
+       * GitHub Actions provides these environment variables:
+       * - `ACTIONS_ID_TOKEN_REQUEST_URL`: The URL to request the ID token.
+       * - `ACTIONS_ID_TOKEN_REQUEST_TOKEN`: The token to authenticate the request.
+       * Only when a workflow has the following permissions:
+       * ```
+       * permissions:
+       *    id-token: write
+       * ```
+       * @see https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers#adding-permissions-settings
+       */
+      if (!(
+        process.env.ACTIONS_ID_TOKEN_REQUEST_URL &&
+        process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN
+      )) {
+        log.silly('oidc', 'Skipped because incorrect permissions for id-token within GitHub workflow')
+        return undefined
+      }
+
+      /**
+       * The specification for an audience is `npm:registry.npmjs.org`,
+       * where "registry.npmjs.org" can be any supported registry.
+       */
+      const audience = `npm:${new URL(registry).hostname}`
+      const url = new URL(process.env.ACTIONS_ID_TOKEN_REQUEST_URL)
+      url.searchParams.append('audience', audience)
+      const startTime = Date.now()
+      const response = await fetch(url.href, {
+        retry: opts.retry,
+        headers: {
+          Accept: 'application/json',
+          Authorization: `Bearer ${process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN}`,
+        },
+      })
+
+      const elapsedTime = Date.now() - startTime
+
+      log.http(
+        'fetch',
+        `GET ${url.href} ${response.status} ${elapsedTime}ms`
+      )
+
+      const json = await response.json()
+
+      if (!response.ok) {
+        log.verbose('oidc', `Failed to fetch id_token from GitHub: received an invalid response`)
+        return undefined
+      }
+
+      if (!json.value) {
+        log.verbose('oidc', `Failed to fetch id_token from GitHub: missing value`)
+        return undefined
+      }
+
+      idToken = json.value
+    }
+
+    if (!idToken) {
+      log.silly('oidc', 'Skipped because no id_token available')
+      return undefined
+    }
+
+    // this checks if the user configured provenance or it's the default unset value
+    const isDefaultProvenance = config.isDefault('provenance')
+    const provenanceIntent = config.get('provenance')
+
+    // if provenance is the default value or the user explicitly set it
+    if (isDefaultProvenance || provenanceIntent) {
+      const [headerB64, payloadB64] = idToken.split('.')
+      let enableProvenance = false
+      if (headerB64 && payloadB64) {
+        const payloadJson = Buffer.from(payloadB64, 'base64').toString('utf8')
+        try {
+          const payload = JSON.parse(payloadJson)
+          if (ciInfo.GITHUB_ACTIONS && payload.repository_visibility === 'public') {
+            enableProvenance = true
+          }
+          // only set provenance for gitlab if SIGSTORE_ID_TOKEN is available
+          if (ciInfo.GITLAB && payload.project_visibility === 'public' && process.env.SIGSTORE_ID_TOKEN) {
+            enableProvenance = true
+          }
+        } catch (e) {
+          // Failed to parse idToken payload as JSON
+        }
+      }
+
+      if (enableProvenance) {
+        // Repository is public, setting provenance
+        opts.provenance = true
+        config.set('provenance', true, 'user')
+      }
+    }
+
+    const parsedRegistry = new URL(registry)
+    const regKey = `//${parsedRegistry.host}${parsedRegistry.pathname}`
+    const authTokenKey = `${regKey}:_authToken`
+
+    const escapedPackageName = npa(packageName).escapedName
+    let response
+    try {
+      response = await npmFetch.json(new URL(`/-/npm/v1/oidc/token/exchange/package/${escapedPackageName}`, registry), {
+        ...opts,
+        [authTokenKey]: idToken, // Use the idToken as the auth token for the request
+        method: 'POST',
+      })
+    } catch (error) {
+      log.verbose('oidc', `Failed token exchange request with body message: ${error?.body?.message || 'Unknown error'}`)
+      return undefined
+    }
+
+    if (!response?.token) {
+      log.verbose('oidc', 'Failed because token exchange was missing the token in the response body')
+      return undefined
+    }
+    /*
+     * The "opts" object is a clone of npm.flatOptions and is passed through the `publish` command,
+     * eventually reaching `otplease`. To ensure the token is accessible during the publishing process,
+     * it must be directly attached to the `opts` object.
+     * Additionally, the token is required by the "live" configuration or getters within `config`.
+     */
+    opts[authTokenKey] = response.token
+    config.set(authTokenKey, response.token, 'user')
+    log.verbose('oidc', `Successfully retrieved and set token`)
+  } catch (error) {
+    log.verbose('oidc', `Failure with message: ${error?.message || 'Unknown error'}`)
+  }
+  return undefined
+}
+
+module.exports = {
+  oidc,
+}

mock-registry/lib/index.js

@@ -80,7 +80,11 @@ class MockRegistry {
         // XXX: this is opt-in currently because it breaks some existing CLI
         // tests. We should work towards making this the default for all tests.
         t.comment(logReq(req, 'interceptors', 'socket', 'response', '_events'))
-        t.fail(`Unmatched request: ${req.method} ${req.path}`)
+        const protocol = req?.options?.protocol || 'http:'
+        const hostname = req?.options?.hostname || req?.hostname || 'localhost'
+        const p = req?.path || '/'
+        const url = new URL(p, `${protocol}//${hostname}`).toString()
+        t.fail(`Unmatched request: ${req.method} ${url}`)
       }
     }
 
@@ -359,7 +363,7 @@ class MockRegistry {
   }
 
   publish (name, {
-    packageJson, access, noGet, noPut, putCode, manifest, packuments,
+    packageJson, access, noGet, noPut, putCode, manifest, packuments, token,
   } = {}) {
     if (!noGet) {
       // this getPackage call is used to get the latest semver version before publish
@@ -373,7 +377,7 @@ class MockRegistry {
       }
     }
     if (!noPut) {
-      this.putPackage(name, { code: putCode, packageJson, access })
+      this.putPackage(name, { code: putCode, packageJson, access, token })
     }
   }
 
@@ -391,10 +395,14 @@ class MockRegistry {
     this.nock = nock
   }
 
-  putPackage (name, { code = 200, resp = {}, ...putPackagePayload }) {
-    this.nock.put(`/${npa(name).escapedName}`, body => {
+  putPackage (name, { code = 200, resp = {}, token, ...putPackagePayload }) {
+    let n = this.nock.put(`/${npa(name).escapedName}`, body => {
       return this.#tap.match(body, this.putPackagePayload({ name, ...putPackagePayload }))
-    }).reply(code, resp)
+    })
+    if (token) {
+      n = n.matchHeader('authorization', `Bearer ${token}`)
+    }
+    n.reply(code, resp)
   }
 
   putPackagePayload (opts) {
@@ -626,6 +634,13 @@ class MockRegistry {
       }
     }
   }
+
+  mockOidcTokenExchange ({ packageName, idToken, statusCode = 200, body } = {}) {
+    const encodedPackageName = npa(packageName).escapedName
+    this.nock.post(this.fullPath(`/-/npm/v1/oidc/token/exchange/package/${encodedPackageName}`))
+      .matchHeader('authorization', `Bearer ${idToken}`)
+      .reply(statusCode, body || {})
+  }
 }
 
 module.exports = MockRegistry

mock-registry/lib/provenance.js

@@ -0,0 +1,97 @@
+const mockGlobals = require('@npmcli/mock-globals')
+const nock = require('nock')
+
+const sigstoreIdToken = () => {
+  return `.${Buffer.from(JSON.stringify({
+    iss: 'https://oauth2.sigstore.dev/auth',
+    email: 'foo@bar.com',
+  }))
+  .toString('base64')}.`
+}
+
+const mockProvenance = (t, {
+  oidcURL,
+  requestToken,
+  workflowPath,
+  repository,
+  serverUrl,
+  ref,
+  sha,
+  runID,
+  runAttempt,
+  runnerEnv,
+}) => {
+  const idToken = sigstoreIdToken()
+
+  mockGlobals(t, {
+    'process.env': {
+      CI: true,
+      GITHUB_ACTIONS: true,
+      ACTIONS_ID_TOKEN_REQUEST_URL: oidcURL,
+      ACTIONS_ID_TOKEN_REQUEST_TOKEN: requestToken,
+      GITHUB_WORKFLOW_REF: `${repository}/${workflowPath}@${ref}`,
+      GITHUB_REPOSITORY: repository,
+      GITHUB_SERVER_URL: serverUrl,
+      GITHUB_REF: ref,
+      GITHUB_SHA: sha,
+      GITHUB_RUN_ID: runID,
+      GITHUB_RUN_ATTEMPT: runAttempt,
+      RUNNER_ENVIRONMENT: runnerEnv,
+    },
+  })
+
+  const url = new URL(oidcURL)
+  nock(url.origin)
+    .get(url.pathname)
+    .query({ audience: 'sigstore' })
+    .matchHeader('authorization', `Bearer ${requestToken}`)
+    .matchHeader('accept', 'application/json')
+    .reply(200, { value: idToken })
+
+  const leafCertificate = `-----BEGIN CERTIFICATE-----\nabc\n-----END CERTIFICATE-----\n`
+
+  // Mock the Fulcio signing certificate endpoint
+  nock('https://fulcio.sigstore.dev')
+    .post('/api/v2/signingCert')
+    .reply(200, {
+      signedCertificateEmbeddedSct: {
+        chain: {
+          certificates: [
+            leafCertificate,
+            `-----BEGIN CERTIFICATE-----\nxyz\n-----END CERTIFICATE-----\n`,
+          ],
+        },
+      },
+    })
+
+  nock('https://rekor.sigstore.dev')
+    .post('/api/v1/log/entries')
+    .reply(201, {
+      '69e5a0c1663ee4452674a5c9d5050d866c2ee31e2faaf79913aea7cc27293cf6': {
+        body: Buffer.from(JSON.stringify({
+          kind: 'hashedrekord',
+          apiVersion: '0.0.1',
+          spec: {
+            signature: {
+              content: 'ABC123',
+              publicKey: { content: Buffer.from(leafCertificate).toString('base64') },
+            },
+          },
+        })).toString(
+          'base64'
+        ),
+        integratedTime: 1654015743,
+        logID:
+          'c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d',
+        logIndex: 2513258,
+        verification: {
+          signedEntryTimestamp: 'MEUCIQD6CD7ZNLUipFoxzmSL/L8Ewic4SRkXN77UjfJZ7d/wAAIgatokSuX9Rg0iWxAgSfHMtcsagtDCQalU5IvXdQ+yLEA=',
+        },
+      },
+    })
+}
+
+module.exports = {
+  mockProvenance,
+  sigstoreIdToken,
+}