denoland-deno/cli/tools/registry/auth.rs

// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.

use std::io::IsTerminal;

use deno_core::anyhow;
use deno_core::anyhow::bail;
use deno_core::error::AnyError;

pub enum AuthMethod {
  Interactive,
  Token(String),
  Oidc(OidcConfig),
}

pub struct OidcConfig {
  pub url: String,
  pub token: String,
}

pub(crate) fn is_gha() -> bool {
  std::env::var("GITHUB_ACTIONS").unwrap_or_default() == "true"
}

pub(crate) fn gha_oidc_token() -> Option<String> {
  std::env::var("ACTIONS_ID_TOKEN_REQUEST_TOKEN").ok()
}

fn get_gh_oidc_env_vars() -> Option<Result<(String, String), AnyError>> {
  if std::env::var("GITHUB_ACTIONS").unwrap_or_default() == "true" {
    let url = std::env::var("ACTIONS_ID_TOKEN_REQUEST_URL");
    let token = std::env::var("ACTIONS_ID_TOKEN_REQUEST_TOKEN");
    match (url, token) {
        (Ok(url), Ok(token)) => Some(Ok((url, token))),
        (Err(_), Err(_)) => Some(Err(anyhow::anyhow!(
          "No means to authenticate. Pass a token to `--token`, or enable tokenless publishing from GitHub Actions using OIDC. Learn more at https://deno.co/ghoidc"
        ))),
        _ => None,
      }
  } else {
    None
  }
}

pub fn get_auth_method(
  maybe_token: Option<String>,
  dry_run: bool,
) -> Result<AuthMethod, AnyError> {
  if dry_run {
    // We don't authenticate in dry-run mode.
    return Ok(AuthMethod::Interactive);
  }

  if let Some(token) = maybe_token {
    return Ok(AuthMethod::Token(token));
  }

  match get_gh_oidc_env_vars() {
    Some(Ok((url, token))) => Ok(AuthMethod::Oidc(OidcConfig { url, token })),
    Some(Err(err)) => Err(err),
    None if std::io::stdin().is_terminal() => Ok(AuthMethod::Interactive),
    None => {
      bail!("No means to authenticate. Pass a token to `--token`.")
    }
  }
}
chore: update copyright to 2024 (#21753) 2024-01-01 14:58:21 -05:00			`// Copyright 2018-2024 the Deno authors. All rights reserved. MIT license.`
refactor: split registry into multiple modules (#21572) Co-authored-by: David Sherret <dsherret@gmail.com> Co-authored-by: Luca Casonato <hello@lcas.dev> 2023-12-14 06:05:59 -05:00
			`use std::io::IsTerminal;`

			`use deno_core::anyhow;`
			`use deno_core::anyhow::bail;`
			`use deno_core::error::AnyError;`

			`pub enum AuthMethod {`
			`Interactive,`
			`Token(String),`
			`Oidc(OidcConfig),`
			`}`

			`pub struct OidcConfig {`
			`pub url: String,`
			`pub token: String,`
			`}`

feat(publish): provenance attestation (#22573) Supply chain security for JSR. ``` $ deno publish --provenance Successfully published @divy/test_provenance@0.0.3 Provenance transparency log available at https://search.sigstore.dev/?logIndex=73657418 ``` 0. Package has been published. 1. Fetches the version manifest and verifies it's matching with uploaded files and exports. 2. Builds the attestation SLSA payload using Github actions env. 3. Creates an ephemeral key pair for signing the github token (aud=sigstore) and DSSE pre authentication tag. 4. Requests a X.509 signing certificate from Fulcio using the challenge and ephemeral public key PEM. 5. Prepares a DSSE envelop for Rekor to witness. Posts an intoto entry to Rekor and gets back the transparency log index. 6. Builds the provenance bundle and posts it to JSR. 2024-02-27 21:28:02 -05:00			`pub(crate) fn is_gha() -> bool {`
			`std::env::var("GITHUB_ACTIONS").unwrap_or_default() == "true"`
			`}`

			`pub(crate) fn gha_oidc_token() -> Option<String> {`
			`std::env::var("ACTIONS_ID_TOKEN_REQUEST_TOKEN").ok()`
			`}`

refactor: split registry into multiple modules (#21572) Co-authored-by: David Sherret <dsherret@gmail.com> Co-authored-by: Luca Casonato <hello@lcas.dev> 2023-12-14 06:05:59 -05:00			`fn get_gh_oidc_env_vars() -> Option<Result<(String, String), AnyError>> {`
			`if std::env::var("GITHUB_ACTIONS").unwrap_or_default() == "true" {`
			`let url = std::env::var("ACTIONS_ID_TOKEN_REQUEST_URL");`
			`let token = std::env::var("ACTIONS_ID_TOKEN_REQUEST_TOKEN");`
			`match (url, token) {`
			`(Ok(url), Ok(token)) => Some(Ok((url, token))),`
			`(Err(_), Err(_)) => Some(Err(anyhow::anyhow!(`
			"No means to authenticate. Pass a token to `--token`, or enable tokenless publishing from GitHub Actions using OIDC. Learn more at https://deno.co/ghoidc"
			`))),`
			`_ => None,`
			`}`
			`} else {`
			`None`
			`}`
			`}`

			`pub fn get_auth_method(`
			`maybe_token: Option<String>,`
fix(publish): permissionless dry-run in GHA (#22679) Fixes https://github.com/denoland/deno/issues/22658 2024-03-06 07:56:20 -05:00			`dry_run: bool,`
refactor: split registry into multiple modules (#21572) Co-authored-by: David Sherret <dsherret@gmail.com> Co-authored-by: Luca Casonato <hello@lcas.dev> 2023-12-14 06:05:59 -05:00			`) -> Result<AuthMethod, AnyError> {`
fix(publish): permissionless dry-run in GHA (#22679) Fixes https://github.com/denoland/deno/issues/22658 2024-03-06 07:56:20 -05:00			`if dry_run {`
			`// We don't authenticate in dry-run mode.`
			`return Ok(AuthMethod::Interactive);`
			`}`

refactor: split registry into multiple modules (#21572) Co-authored-by: David Sherret <dsherret@gmail.com> Co-authored-by: Luca Casonato <hello@lcas.dev> 2023-12-14 06:05:59 -05:00			`if let Some(token) = maybe_token {`
			`return Ok(AuthMethod::Token(token));`
			`}`

			`match get_gh_oidc_env_vars() {`
			`Some(Ok((url, token))) => Ok(AuthMethod::Oidc(OidcConfig { url, token })),`
			`Some(Err(err)) => Err(err),`
			`None if std::io::stdin().is_terminal() => Ok(AuthMethod::Interactive),`
			`None => {`
			bail!("No means to authenticate. Pass a token to `--token`.")
			`}`
			`}`
			`}`