keep old code as legacy

Author: EyalDelarea

lib/utils.js

@@ -46,6 +46,7 @@ const core_1 = require("@octokit/core");
 const github = __importStar(require("@actions/github"));
 const zlib_1 = require("zlib");
 const util_1 = require("util");
+const legacyOidc_1 = require("./legacyOidc");
 class Utils {
     /**
      * Retrieves server credentials for accessing JFrog's server
@@ -57,11 +58,28 @@ class Utils {
         return __awaiter(this, void 0, void 0, function* () {
             const jfrogCredentials = this.collectJfrogCredentialsFromEnvVars();
             if (jfrogCredentials.oidcProviderName) {
-                return yield this.setOidcTokenID(jfrogCredentials);
+                if (this.isCliSupportsOidc()) {
+                    return yield this.setOidcTokenID(jfrogCredentials);
+                }
+                else {
+                    // Fallback to legacy OIDC flow
+                    return yield legacyOidc_1.LegacyOidc.handleLegacyOidcFlow(jfrogCredentials);
+                }
             }
             return jfrogCredentials;
         });
     }
+    /**
+     * Determine if the currently configured CLI version supports native OIDC token injection.
+     */
+    static isCliSupportsOidc() {
+        var _a;
+        const version = (_a = core.getInput(this.CLI_VERSION_ARG)) === null || _a === void 0 ? void 0 : _a.toLowerCase();
+        if (version === 'latest') {
+            return true;
+        }
+        return !(0, semver_1.lt)(version, Utils.MIN_OIDC_SUPPORTED_VERSION);
+    }
     /**
      * @param jfrogCredentials - The existing JFrog credentials
      * @returns The updated JfrogCredentials with the OIDC tokenID
@@ -112,14 +130,15 @@ class Utils {
         if (jfrogCredentials.password) {
             core.setSecret(jfrogCredentials.password);
         }
-        Utils.validateOidcSupported(jfrogCredentials);
+        Utils.validateOidcNotWithRepositorySettings(jfrogCredentials);
         return jfrogCredentials;
     }
     /**
      * Validates OIDC auth method is supported by the JFrog CLI version
+     * // TODO rename or change
      * @param jfrogCredentials
      */
-    static validateOidcSupported(jfrogCredentials) {
+    static validateOidcNotWithRepositorySettings(jfrogCredentials) {
         const version = core.getInput(Utils.CLI_VERSION_ARG);
         if (!!version && version.toLowerCase() === 'latest') {
             return;
@@ -129,12 +148,6 @@ class Utils {
         if (!!downloadRepository && !jfrogCredentials.oidcProviderName) {
             throw new Error(`Download repository feature is not supported while using OIDC.`);
         }
-        if (!!version) {
-            if (jfrogCredentials.oidcProviderName && (0, semver_1.lt)(version, Utils.MIN_OIDC_SUPPORTED_VERSION)) {
-                throw new Error(`JFrog CLI version ${version} does not support OIDC (requires >= ${Utils.MIN_OIDC_SUPPORTED_VERSION}).\n` +
-                    `Either upgrade your CLI or downgrade the setup-jfrog-cli action to v4.5.6.`);
-            }
-        }
     }
     static getAndAddCliToPath(jfrogCredentials) {
         return __awaiter(this, void 0, void 0, function* () {

src/legacyOidc.ts

@@ -0,0 +1,94 @@
+import * as core from '@actions/core';
+import { HttpClient, HttpClientResponse } from '@actions/http-client';
+import { JfrogCredentials } from './utils';
+import { load } from 'js-yaml';
+import * as fs from 'fs';
+import * as path from 'path';
+
+type ApplicationConfig = {
+    application?: {
+        key?: string;
+    };
+};
+
+export interface TokenExchangeResponseData {
+    access_token: string;
+    errors: string;
+}
+
+type TokenExchangeRequest = {
+    grant_type: string;
+    subject_token_type: string;
+    subject_token: string;
+    provider_name: string;
+    project_key: string;
+    gh_job_id: string;
+    gh_run_id: string;
+    gh_repo: string;
+    application_key: string;
+};
+
+export class LegacyOidc {
+    public static async handleLegacyOidcFlow(jfrogCredentials: JfrogCredentials): Promise<JfrogCredentials> {
+        core.info('Obtaining an access token through OpenID Connect (legacy fallback)...');
+
+        const audience: string = core.getInput('oidc-audience');
+        let jsonWebToken: string;
+        try {
+            core.debug('Fetching JSON web token (legacy)');
+            jsonWebToken = await core.getIDToken(audience);
+        } catch (error: any) {
+            throw new Error(`Getting OpenID Connect JSON web token failed: ${error.message}`);
+        }
+
+        const applicationKey: string = await this.getApplicationKey();
+        return await this.exchangeToken(jfrogCredentials, jsonWebToken, applicationKey);
+    }
+
+    private static async exchangeToken(jfrogCredentials: JfrogCredentials, jsonWebToken: string, applicationKey: string): Promise<JfrogCredentials> {
+        const oidcProviderName: string = jfrogCredentials.oidcProviderName!;
+        const exchangeUrl: string = `${jfrogCredentials.jfrogUrl!.replace(/\/$/, '')}/access/api/v1/oidc/token`;
+
+        const data: TokenExchangeRequest = {
+            grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange',
+            subject_token_type: 'urn:ietf:params:oauth:token-type:id_token',
+            subject_token: jsonWebToken,
+            provider_name: oidcProviderName,
+            project_key: process.env.JF_PROJECT || '',
+            gh_job_id: process.env.GITHUB_WORKFLOW || '',
+            gh_run_id: process.env.GITHUB_RUN_ID || '',
+            gh_repo: process.env.GITHUB_REPOSITORY || '',
+            application_key: applicationKey,
+        };
+
+        const httpClient: HttpClient = new HttpClient();
+        const response: HttpClientResponse = await httpClient.post(exchangeUrl, JSON.stringify(data), {
+            'Content-Type': 'application/json',
+        });
+        const responseBody: string = await response.readBody();
+        const responseJson: TokenExchangeResponseData = JSON.parse(responseBody);
+
+        if (responseJson.errors) {
+            throw new Error(`OIDC token exchange failed: ${JSON.stringify(responseJson.errors)}`);
+        }
+
+        core.exportVariable('JFROG_CLI_USAGE_CONFIG_OIDC', 'TRUE');
+        core.exportVariable('JFROG_CLI_USAGE_OIDC_USED', 'TRUE');
+
+        jfrogCredentials.accessToken = responseJson.access_token;
+        return jfrogCredentials;
+    }
+
+    private static async getApplicationKey(): Promise<string> {
+        const configFilePath: string = path.join('.jfrog', 'config.yaml');
+
+        if (!fs.existsSync(configFilePath)) {
+            core.debug('JFrog config file not found');
+            return '';
+        }
+
+        const configContent: string = await fs.promises.readFile(configFilePath, 'utf-8');
+        const configObj: ApplicationConfig = load(configContent) as ApplicationConfig;
+        return configObj?.application?.key ?? '';
+    }
+}

src/utils.ts

@@ -13,6 +13,7 @@ import { OctokitResponse } from '@octokit/types/dist-types/OctokitResponse';
 import * as github from '@actions/github';
 import { gzip } from 'zlib';
 import { promisify } from 'util';
+import { LegacyOidc } from './legacyOidc';
 
 export class Utils {
     // eslint-disable-next-line @typescript-eslint/no-var-requires
@@ -111,11 +112,27 @@ export class Utils {
         const jfrogCredentials: JfrogCredentials = this.collectJfrogCredentialsFromEnvVars();
 
         if (jfrogCredentials.oidcProviderName) {
-            return await this.setOidcTokenID(jfrogCredentials);
+            if (this.isCliSupportsOidc()) {
+                return await this.setOidcTokenID(jfrogCredentials);
+            } else {
+                // Fallback to legacy OIDC flow
+                return await LegacyOidc.handleLegacyOidcFlow(jfrogCredentials);
+            }
         }
         return jfrogCredentials;
     }
 
+    /**
+     * Determine if the currently configured CLI version supports native OIDC token injection.
+     */
+    private static isCliSupportsOidc(): boolean {
+        const version: string = core.getInput(this.CLI_VERSION_ARG)?.toLowerCase();
+        if (version === 'latest') {
+            return true;
+        }
+        return !lt(version, Utils.MIN_OIDC_SUPPORTED_VERSION);
+    }
+
     /**
      * @param jfrogCredentials - The existing JFrog credentials
      * @returns The updated JfrogCredentials with the OIDC tokenID
@@ -166,16 +183,17 @@ export class Utils {
             core.setSecret(jfrogCredentials.password);
         }
 
-        Utils.validateOidcSupported(jfrogCredentials);
+        Utils.validateOidcNotWithRepositorySettings(jfrogCredentials);
 
         return jfrogCredentials;
     }
 
     /**
      * Validates OIDC auth method is supported by the JFrog CLI version
+     * // TODO rename or change
      * @param jfrogCredentials
      */
-    public static validateOidcSupported(jfrogCredentials: JfrogCredentials) {
+    public static validateOidcNotWithRepositorySettings(jfrogCredentials: JfrogCredentials) {
         const version: string = core.getInput(Utils.CLI_VERSION_ARG);
         if (!!version && version.toLowerCase() === 'latest') {
             return;
@@ -186,14 +204,6 @@ export class Utils {
         if (!!downloadRepository && !jfrogCredentials.oidcProviderName) {
             throw new Error(`Download repository feature is not supported while using OIDC.`);
         }
-        if (!!version) {
-            if (jfrogCredentials.oidcProviderName && lt(version, Utils.MIN_OIDC_SUPPORTED_VERSION)) {
-                throw new Error(
-                    `JFrog CLI version ${version} does not support OIDC (requires >= ${Utils.MIN_OIDC_SUPPORTED_VERSION}).\n` +
-                        `Either upgrade your CLI or downgrade the setup-jfrog-cli action to v4.5.6.`,
-                );
-            }
-        }
     }
 
     public static async getAndAddCliToPath(jfrogCredentials: JfrogCredentials) {
@@ -881,18 +891,3 @@ export interface JfrogCredentials {
     oidcAudience: string | undefined;
     oidcTokenId: string | undefined;
 }
-
-export interface TokenExchangeResponseData {
-    access_token: string;
-    errors: string;
-}
-
-export interface JWTTokenData {
-    sub: string;
-    scp: string;
-    aud: string;
-    iss: string;
-    exp: bigint;
-    iat: bigint;
-    jti: string;
-}

test/main.spec.ts

@@ -514,11 +514,11 @@ describe('Utils.validateOidcSupported', () => {
 
         if (shouldThrow) {
             expect(() => {
-                Utils.validateOidcSupported(jfrogCredentials);
+                Utils.validateOidcNotWithRepositorySettings(jfrogCredentials);
             }).toThrow(errorMessage);
         } else {
             expect(() => {
-                Utils.validateOidcSupported(jfrogCredentials);
+                Utils.validateOidcNotWithRepositorySettings(jfrogCredentials);
             }).not.toThrow();
         }
     };