@enactprotocol/trust 2.0.0

package/src/sigstore/oauth/client.ts

@@ -0,0 +1,89 @@
+/**
+ * OAuth Client
+ *
+ * Wrapper around openid-client for PKCE-based OAuth flow with Sigstore.
+ */
+
+import { type BaseClient, Issuer, generators } from "openid-client";
+
+interface OAuthClientOptions {
+  issuer: string;
+  redirectURL: string;
+  clientID: string;
+  clientSecret: string | undefined;
+}
+
+/**
+ * Initialize an OAuth client by discovering the issuer's configuration
+ */
+export async function initializeOAuthClient(options: OAuthClientOptions): Promise<OAuthClient> {
+  const issuer = await Issuer.discover(options.issuer);
+
+  const client = new issuer.Client(
+    options.clientSecret
+      ? {
+          client_id: options.clientID,
+          client_secret: options.clientSecret,
+          token_endpoint_auth_method: "client_secret_basic" as const,
+        }
+      : {
+          client_id: options.clientID,
+          token_endpoint_auth_method: "none" as const,
+        }
+  );
+
+  return new OAuthClient(client, options.redirectURL);
+}
+
+/**
+ * OAuthClient wraps an openid-client Client instance to maintain
+ * state for the PKCE authorization flow.
+ */
+export class OAuthClient {
+  private client: BaseClient;
+  private redirectURL: string;
+  private verifier: string;
+  private nonce: string;
+  private state: string;
+
+  constructor(client: BaseClient, redirectURL: string) {
+    this.client = client;
+    this.redirectURL = redirectURL;
+    this.verifier = generators.codeVerifier(32);
+    this.nonce = generators.nonce(32);
+    this.state = generators.state(16);
+  }
+
+  /**
+   * Get the authorization URL to redirect the user to
+   */
+  get authorizationUrl(): string {
+    return this.client.authorizationUrl({
+      scope: "openid email",
+      redirect_uri: this.redirectURL,
+      code_challenge: generators.codeChallenge(this.verifier),
+      code_challenge_method: "S256",
+      state: this.state,
+      nonce: this.nonce,
+    });
+  }
+
+  /**
+   * Exchange the callback URL for an ID token
+   */
+  public async getIDToken(callbackURL: string): Promise<string> {
+    const params = this.client.callbackParams(callbackURL);
+    const tokenSet = await this.client.callback(this.redirectURL, params, {
+      response_type: "code",
+      code_verifier: this.verifier,
+      state: this.state,
+      nonce: this.nonce,
+    });
+
+    if (!tokenSet.id_token) {
+      throw new Error("No ID token received from OAuth provider");
+    }
+
+    return tokenSet.id_token;
+  }
+}

package/src/sigstore/oauth/index.ts

@@ -0,0 +1,95 @@
+/**
+ * OAuth Identity Provider
+ *
+ * Provides interactive OIDC authentication for keyless signing.
+ * Opens a browser for the user to authenticate with their identity provider
+ * (GitHub, Google, Microsoft) and returns an OIDC token that can be used
+ * with Fulcio to obtain a signing certificate.
+ */
+
+import open from "open";
+import { initializeOAuthClient } from "./client";
+import { CallbackServer } from "./server";
+
+/** Default Sigstore OAuth issuer */
+export const SIGSTORE_OAUTH_ISSUER = "https://oauth2.sigstore.dev/auth";
+
+/** Default Sigstore OAuth client ID */
+export const SIGSTORE_CLIENT_ID = "sigstore";
+
+export interface OAuthIdentityProviderOptions {
+  /** OIDC issuer URL (default: Sigstore public instance) */
+  issuer?: string;
+  /** OAuth client ID (default: "sigstore") */
+  clientID?: string;
+  /** OAuth client secret (optional, not needed for public clients) */
+  clientSecret?: string;
+  /** Redirect URL (optional, auto-generated if not provided) */
+  redirectURL?: string;
+}
+
+/**
+ * IdentityProvider interface - matches sigstore's expected interface
+ */
+export interface IdentityProvider {
+  getToken: () => Promise<string>;
+}
+
+/**
+ * OAuthIdentityProvider implements interactive browser-based OAuth flow
+ * to obtain an OIDC token for keyless signing.
+ */
+export class OAuthIdentityProvider implements IdentityProvider {
+  private server: CallbackServer;
+  private issuer: string;
+  private clientID: string;
+  private clientSecret: string | undefined;
+
+  constructor(options: OAuthIdentityProviderOptions = {}) {
+    this.issuer = options.issuer ?? SIGSTORE_OAUTH_ISSUER;
+    this.clientID = options.clientID ?? SIGSTORE_CLIENT_ID;
+    this.clientSecret = options.clientSecret;
+
+    let serverOpts: { hostname: string; port: number };
+    if (options.redirectURL) {
+      const url = new URL(options.redirectURL);
+      serverOpts = { hostname: url.hostname, port: Number(url.port) };
+    } else {
+      // Use random port on localhost
+      serverOpts = { hostname: "localhost", port: 0 };
+    }
+
+    this.server = new CallbackServer(serverOpts);
+  }
+
+  /**
+   * Get an OIDC token by performing interactive OAuth flow.
+   * Opens a browser for the user to authenticate.
+   */
+  public async getToken(): Promise<string> {
+    // Start server to receive OAuth callback
+    const serverURL = await this.server.start();
+
+    // Initialize OAuth client with discovered configuration
+    const client = await initializeOAuthClient({
+      issuer: this.issuer,
+      redirectURL: serverURL,
+      clientID: this.clientID,
+      clientSecret: this.clientSecret,
+    });
+
+    // Open browser to OAuth login page
+    await open(client.authorizationUrl);
+
+    if (!this.server.callback) {
+      throw new Error("callback server not started");
+    }
+
+    // Wait for callback and exchange auth code for ID token
+    return this.server.callback.then((callbackURL) => client.getIDToken(callbackURL));
+  }
+}
+
+// Re-export for convenience
+export { CallbackServer } from "./server";
+export { OAuthClient, initializeOAuthClient } from "./client";

package/src/sigstore/oauth/server.ts

@@ -0,0 +1,163 @@
+/**
+ * OAuth Callback Server
+ *
+ * A simple HTTP server that receives the OAuth redirect callback
+ * after the user authenticates in their browser.
+ */
+
+import http from "node:http";
+import type { Socket } from "node:net";
+
+interface CallbackServerOptions {
+  port: number;
+  hostname: string;
+}
+
+/**
+ * CallbackServer is a simple HTTP server which receives the OAuth
+ * redirect from the OAuth provider after the user signs-in. It will shutdown
+ * once the callback is received and the callback promise will resolve with
+ * the URL of the incoming request.
+ */
+export class CallbackServer {
+  private server: http.Server;
+  private sockets: Set<Socket>;
+  private port: number;
+  private hostname: string;
+
+  public callback: Promise<string> | undefined;
+
+  constructor(options: CallbackServerOptions) {
+    this.server = http.createServer();
+    this.sockets = new Set<Socket>();
+    this.port = options.port;
+    this.hostname = options.hostname;
+  }
+
+  async start(): Promise<string> {
+    await new Promise<void>((resolve) => {
+      this.server.listen(this.port, this.hostname, resolve);
+    });
+
+    // Keep track of connections so we can force a shutdown
+    this.server.on("connection", (socket) => {
+      this.sockets.add(socket);
+      socket.on("close", () => {
+        this.sockets.delete(socket);
+      });
+    });
+
+    // The callback will resolve with the incoming request URL
+    this.callback = new Promise<string>((resolve) => {
+      this.server.on("request", ({ url }, res) => {
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end(AUTH_SUCCESS_HTML);
+
+        // Shutdown the server and resolve the callback promise
+        this.shutdown().then(() => resolve(url!));
+      });
+    });
+
+    // Calculate and return the URL which can be used to reach the server
+    return this.serverURL(this.server);
+  }
+
+  public async shutdown(): Promise<void> {
+    // Destroy all sockets and close the server
+    return new Promise<void>((resolve) => {
+      for (const socket of this.sockets) {
+        socket.destroy();
+        this.sockets.delete(socket);
+      }
+      this.server.close(() => resolve());
+    });
+  }
+
+  private serverURL(server: http.Server): string {
+    const address = server.address();
+    if (address === null) {
+      throw new Error("invalid server config: address is null");
+    }
+    if (typeof address === "string") {
+      throw new Error("invalid server config: address is a string");
+    }
+
+    return `http://${this.hostname}:${address.port}`;
+  }
+}
+
+// Success HTML page shown after authentication
+const AUTH_SUCCESS_HTML = `
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Enact - Authentication Successful</title>
+    <style>
+      :root { font-family: system-ui, -apple-system, sans-serif; }
+      body { 
+        display: flex; 
+        justify-content: center; 
+        align-items: center; 
+        min-height: 100vh; 
+        margin: 0; 
+        background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+      }
+      .container { 
+        background: white; 
+        padding: 3rem; 
+        border-radius: 1rem; 
+        box-shadow: 0 20px 25px -5px rgba(0, 0, 0, 0.1);
+        text-align: center;
+        max-width: 400px;
+      }
+      .checkmark {
+        width: 80px;
+        height: 80px;
+        margin: 0 auto 1.5rem;
+        background: #10b981;
+        border-radius: 50%;
+        display: flex;
+        align-items: center;
+        justify-content: center;
+      }
+      .checkmark svg {
+        width: 40px;
+        height: 40px;
+        stroke: white;
+        stroke-width: 3;
+        fill: none;
+      }
+      h1 { 
+        color: #1f2937; 
+        margin: 0 0 0.5rem; 
+        font-size: 1.5rem;
+      }
+      p { 
+        color: #6b7280; 
+        margin: 0;
+        font-size: 1rem;
+      }
+      .brand {
+        margin-top: 2rem;
+        color: #9ca3af;
+        font-size: 0.875rem;
+      }
+      .brand strong {
+        color: #667eea;
+      }
+    </style>
+  </head>
+  <body>
+    <div class="container">
+      <div class="checkmark">
+        <svg viewBox="0 0 24 24">
+          <polyline points="20 6 9 17 4 12"></polyline>
+        </svg>
+      </div>
+      <h1>Authentication Successful!</h1>
+      <p>You may now close this window and return to your terminal.</p>
+      <p class="brand">Signed with <strong>Sigstore</strong> via <strong>Enact</strong></p>
+    </div>
+  </body>
+</html>
+`;