c2cciutils 1.7.0.dev295__py3-none-any.whl → 1.7.0.dev301__py3-none-any.whl

c2cciutils/lib/oidc.py

@@ -0,0 +1,185 @@
+"""
+Manage OpenID Connect (OIDC) token exchange for external services.
+
+Inspired by
+https://github.com/pypa/gh-action-pypi-publish/blob/unstable/v1/oidc-exchange.py
+"""
+
+import base64
+import json
+import os
+import sys
+from typing import NoReturn
+
+import id as oidc_id  # pylint: disable=import-error
+import requests
+
+
+class _OidcError(Exception):
+    pass
+
+
+def _fatal(message: str) -> NoReturn:
+    # HACK: GitHub Actions' annotations don't work across multiple lines naively;
+    # translating `\n` into `%0A` (i.e., HTML percent-encoding) is known to work.
+    # See: https://github.com/actions/toolkit/issues/193
+    message = message.replace("\n", "%0A")
+    print(f"::error::Trusted publishing exchange failure: {message}", file=sys.stderr)
+    raise _OidcError(message)
+
+
+def _debug(message: str) -> None:
+    print(f"::debug::{message.title()}", file=sys.stderr)
+
+
+def _render_claims(token: str) -> str:
+    _, payload, _ = token.split(".", 2)
+
+    # urlsafe_b64decode needs padding; JWT payloads don't contain any.
+    payload += "=" * (4 - (len(payload) % 4))
+    claims = json.loads(base64.urlsafe_b64decode(payload))
+
+    return f"""
+The claims rendered below are **for debugging purposes only**. You should **not**
+use them to configure a trusted publisher unless they already match your expectations.
+
+If a claim is not present in the claim set, then it is rendered as `MISSING`.
+
+* `sub`: `{claims.get('sub', 'MISSING')}`
+* `repository`: `{claims.get('repository', 'MISSING')}`
+* `repository_owner`: `{claims.get('repository_owner', 'MISSING')}`
+* `repository_owner_id`: `{claims.get('repository_owner_id', 'MISSING')}`
+* `job_workflow_ref`: `{claims.get('job_workflow_ref', 'MISSING')}`
+* `ref`: `{claims.get('ref')}`
+
+See https://docs.pypi.org/trusted-publishers/troubleshooting/ for more help.
+"""
+
+
+def _get_token(hostname: str) -> str:
+    # Indices are expected to support `https://{hostname}/_/oidc/audience`,
+    # which tells OIDC exchange clients which audience to use.
+    audience_resp = requests.get(f"https://{hostname}/_/oidc/audience", timeout=5)
+    audience_resp.raise_for_status()
+
+    _debug(f"selected trusted publishing exchange endpoint: https://{hostname}/_/oidc/mint-token")
+
+    try:
+        oidc_token = oidc_id.detect_credential(audience=audience_resp.json()["audience"])
+    except oidc_id.IdentityError as identity_error:
+        _fatal(
+            f"""
+OpenID Connect token retrieval failed: {identity_error}
+
+This generally indicates a workflow configuration error, such as insufficient
+permissions. Make sure that your workflow has `id-token: write` configured
+at the job level, e.g.:
+
+```yaml
+permissions:
+  id-token: write
+```
+
+Learn more at https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings.
+"""
+        )
+
+    # Now we can do the actual token exchange.
+    mint_token_resp = requests.post(
+        f"https://{hostname}/_/oidc/mint-token",
+        json={"token": oidc_token},
+        timeout=5,
+    )
+
+    try:
+        mint_token_payload = mint_token_resp.json()
+    except requests.JSONDecodeError:
+        # Token exchange failure normally produces a JSON error response, but
+        # we might have hit a server error instead.
+        _fatal(
+            f"""
+Token request failed: the index produced an unexpected
+{mint_token_resp.status_code} response.
+
+This strongly suggests a server configuration or downtime issue; wait
+a few minutes and try again.
+
+You can monitor PyPI's status here: https://status.python.org/
+"""
+        )
+
+    # On failure, the JSON response includes the list of errors that
+    # occurred during minting.
+    if not mint_token_resp.ok:
+        reasons = "\n".join(
+            f'* `{error["code"]}`: {error["description"]}' for error in mint_token_payload["errors"]
+        )
+
+        rendered_claims = _render_claims(oidc_token)
+
+        _fatal(
+            f"""
+Token request failed: the server refused the request for the following reasons:
+
+{reasons}
+
+This generally indicates a trusted publisher configuration error, but could
+also indicate an internal error on GitHub or PyPI's part.
+
+{rendered_claims}
+"""
+        )
+
+    pypi_token = mint_token_payload.get("token")
+    if not isinstance(pypi_token, str):
+        _fatal(
+            """
+Token response error: the index gave us an invalid response.
+
+This strongly suggests a server configuration or downtime issue; wait
+a few minutes and try again.
+"""
+        )
+
+    # Mask the newly minted PyPI token, so that we don't accidentally leak it in logs.
+    print(f"::add-mask::{pypi_token}")
+
+    # This final print will be captured by the subshell in `twine-upload.sh`.
+    return pypi_token
+
+
+def pypi_login() -> None:
+    """
+    Connect to PyPI using OpenID Connect and mint a token for the user.
+
+    See Also
+    - https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect
+    - https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-pypi
+    """
+    pypirc_filename = os.path.expanduser("~/.pypirc")
+
+    if os.path.exists(pypirc_filename):
+        print(f"::info::{pypirc_filename} already exists; consider as already logged in.")
+        return
+
+    if "ACTIONS_ID_TOKEN_REQUEST_TOKEN" not in os.environ:
+        print(
+            """::error::Not available, you probably miss the permission `id-token: write`.
+              ```
+              permissions:
+                id-token: write
+              ```
+              See also: https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect"""
+        )
+        return
+
+    try:
+        token = _get_token("pypi.org")
+        with open(pypirc_filename, "w", encoding="utf-8") as pypirc_file:
+            pypirc_file.write("[pypi]\n")
+            pypirc_file.write("repository: https://upload.pypi.org/legacy/\n")
+            pypirc_file.write("username: __token__\n")
+            pypirc_file.write(f"password: {token}\n")
+    except _OidcError:
+        # Already visible in logs; no need to re-raise.
+        return

c2cciutils/scripts/publish.py

@@ -20,6 +20,7 @@ import c2cciutils
 import c2cciutils.configuration
 import c2cciutils.env
 import c2cciutils.lib.docker
+import c2cciutils.lib.oidc
 import c2cciutils.publish
 import c2cciutils.scripts.download_applications
 from c2cciutils.publish import GoogleCalendar
@@ -170,6 +171,9 @@ def main() -> None:
         config.get("publish", {}).get("pypi", {}) if config.get("publish", {}).get("pypi", False) else {},
     )
     if pypi_config:
+        if pypi_config["packages"]:
+            c2cciutils.lib.oidc.pypi_login()
+
         for package in pypi_config["packages"]:
             if package.get("group", c2cciutils.configuration.PUBLISH_PIP_PACKAGE_GROUP_DEFAULT) == args.group:
                 publish = version_type in pypi_config.get("versions", [])

{c2cciutils-1.7.0.dev295.dist-info → c2cciutils-1.7.0.dev301.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: c2cciutils
-Version: 1.7.0.dev295
+Version: 1.7.0.dev301
 Summary: Common utilities for Camptocamp CI
 Home-page: https://github.com/camptocamp/c2cciutils
 License: FreeBSD
@@ -34,6 +34,7 @@ Requires-Dist: defusedxml (>=0.0.0,<1.0.0)
 Requires-Dist: google-api-python-client (>=2.0.0,<3.0.0) ; extra == "publish"
 Requires-Dist: google-auth-httplib2 (>=0.0.0,<1.0.0) ; extra == "publish"
 Requires-Dist: google-auth-oauthlib (>=1.0.0,<2.0.0) ; extra == "publish"
+Requires-Dist: id (>=1.0.0,<2.0.0) ; extra == "publish"
 Requires-Dist: markdown-table (>=2020.0.0,<2021.0.0)
 Requires-Dist: multi-repo-automation (>=1.0.0,<2.0.0) ; extra == "version"
 Requires-Dist: python-magic (>=0.0.0,<1.0.0)
@@ -272,6 +273,17 @@ Then by default:
 - Commit on `master` branch after the tag 1.3.0 => release `1.4.0.dev1`
 - Commit on `1.3` branch after the tag 1.3.0 => release `1.3.1.dev1`
 
+#### Authentication
+
+If the file `~/.pypirc` exists we consider that we ar already logged in also
+we will do the login with the `pypi` server with OpenID Connect (OIDC).
+
+The OIDC login is recommended because it didn't needs any additional secrets,
+but it need some configuration on pypi in the package,
+see the [GitHub Documentation](https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-pypi#adding-the-identity-provider-to-pypi).
+
+#### Integration if the package directly in a Docker image
+
 To make it working in the `Dockerfile` you should have in the `poetry` stage:
 
 ```Dockerfile

{c2cciutils-1.7.0.dev295.dist-info → c2cciutils-1.7.0.dev301.dist-info}/RECORD

@@ -9,6 +9,7 @@ c2cciutils/configuration.py,sha256=yGv9L9OVAMb1Rnxt4NKf92pLNl7zHnbXeyUgKnhE2Vs,2
 c2cciutils/default_branch.graphql,sha256=CaP3rRsNiyg_7RvqbMk0tOJr0aqWd8cOeSV-ZKgvKY4,131
 c2cciutils/env.py,sha256=J-lC7GdOkdFVIrWFZEkAxHmIuTYwhDJiE30BICj2UoM,3425
 c2cciutils/lib/docker.py,sha256=lwvCarwSSUWK1Y4O7qcTILPdpkTf2Ujhl_fCwZ6dBUY,5677
+c2cciutils/lib/oidc.py,sha256=NWhLdVlpvzhk5_BcogodpLypcZo7sr9XtGCVbUmaiFM,6261
 c2cciutils/package-lock.json,sha256=QkNaqlUrLMW3qvYQSoEMQCoWOx-0CaQ5-u4hkDUEHpc,15611
 c2cciutils/package.json,sha256=A3gItP1CsTXzsMdigeCu3fNeltY08nYVs_LCU4B5PJs,134
 c2cciutils/pr_checks.py,sha256=tBwDHxThcu6648pE2cqpLNsaU711lwwgRc7sB4qR6fU,10109
@@ -30,11 +31,11 @@ c2cciutils/scripts/k8s/wait.py,sha256=qzQn6hbB9p1CX4bUxrkukPnbu_p6oRNem29WiMtplN
 c2cciutils/scripts/main.py,sha256=ZksoYEDRJD0igEU6i0PnuOFtch4OzsxyHZQxbrjd5AY,1029
 c2cciutils/scripts/pin_pipenv.py,sha256=jBTwlolcEL0MUyq6VYzO-adkcL1gqN7B3kBb3UjTo2k,2150
 c2cciutils/scripts/pr_checks.py,sha256=PA9z9QB81H2JhGSr4T02eoxyeWDjQZ4XoIKFzS5o5A0,2190
-c2cciutils/scripts/publish.py,sha256=4bFgsaUssKrP_N7lG9FILalQ2oexyxCCcC1ofqcxqTU,20313
+c2cciutils/scripts/publish.py,sha256=lc75i0BP4zHKWqeWpseVY1-hO4mJVTy57zEOCmeideg,20422
 c2cciutils/scripts/trigger_image_update.py,sha256=UPCSgFcllewo1NOC7kUkJ2QMXU0dCA2QAq6LFQHr0Uw,2780
 c2cciutils/scripts/version.py,sha256=BU6I3nG3ofgUXCLrUBNOql45Dz9Loox4gt4ebHRM3iQ,8912
-c2cciutils-1.7.0.dev295.dist-info/LICENSE,sha256=EMCYfDu0AgsMQO6k8Hl_xHzoFxM0db1xu9n_asZW9Vc,1307
-c2cciutils-1.7.0.dev295.dist-info/METADATA,sha256=B5FMZd4CQp4iuFxb79zAA4DKNLCEBlJ5QymJadAPx4c,18524
-c2cciutils-1.7.0.dev295.dist-info/entry_points.txt,sha256=jPDp7KeB0Fz_TpOwbOODeW2WEcdLNJZACPtKpRqtHs4,1030
-c2cciutils-1.7.0.dev295.dist-info/WHEEL,sha256=vVCvjcmxuUltf8cYhJ0sJMRDLr1XsPuxEId8YDzbyCY,88
-c2cciutils-1.7.0.dev295.dist-info/RECORD,,
+c2cciutils-1.7.0.dev301.dist-info/LICENSE,sha256=EMCYfDu0AgsMQO6k8Hl_xHzoFxM0db1xu9n_asZW9Vc,1307
+c2cciutils-1.7.0.dev301.dist-info/METADATA,sha256=j8Cwm-UbOhc7xwvVEzc3ftcvV3WA9RQeEm64Q2pxOns,19149
+c2cciutils-1.7.0.dev301.dist-info/entry_points.txt,sha256=jPDp7KeB0Fz_TpOwbOODeW2WEcdLNJZACPtKpRqtHs4,1030
+c2cciutils-1.7.0.dev301.dist-info/WHEEL,sha256=vVCvjcmxuUltf8cYhJ0sJMRDLr1XsPuxEId8YDzbyCY,88
+c2cciutils-1.7.0.dev301.dist-info/RECORD,,