Authentication: trusted publishing setup for artifact publishing

Author: glaubinix

composer.json

@@ -18,7 +18,8 @@
         "php-http/discovery": "^1.0",
         "psr/http-client-implementation": "^1.0",
         "php-http/message-factory": "^1.0",
-        "psr/http-message-implementation": "^1.0"
+        "psr/http-message-implementation": "^1.0",
+        "private-packagist/oidc-identities": "dev-main"
     },
     "require-dev": {
         "friendsofphp/php-cs-fixer": "^3.0",

src/Client.php

@@ -16,20 +16,26 @@
 use PrivatePackagist\ApiClient\HttpClient\Plugin\ExceptionThrower;
 use PrivatePackagist\ApiClient\HttpClient\Plugin\PathPrepend;
 use PrivatePackagist\ApiClient\HttpClient\Plugin\RequestSignature;
+use PrivatePackagist\ApiClient\HttpClient\Plugin\TrustedPublishingTokenExchange;
+use Psr\Log\LoggerInterface;
+use Psr\Log\NullLogger;
 
 class Client
 {
     /** @var HttpPluginClientBuilder */
     private $httpClientBuilder;
     /** @var ResponseMediator */
     private $responseMediator;
+    /** @var LoggerInterface */
+    private $logger;
 
     /** @param string $privatePackagistUrl */
-    public function __construct(?HttpPluginClientBuilder $httpClientBuilder = null, $privatePackagistUrl = null, ?ResponseMediator $responseMediator = null)
+    public function __construct(?HttpPluginClientBuilder $httpClientBuilder = null, $privatePackagistUrl = null, ?ResponseMediator $responseMediator = null, ?LoggerInterface  $logger = null)
     {
         $this->httpClientBuilder = $builder = $httpClientBuilder ?: new HttpPluginClientBuilder();
         $privatePackagistUrl = $privatePackagistUrl ? : 'https://packagist.com';
         $this->responseMediator = $responseMediator ? : new ResponseMediator();
+        $this->logger = $logger ? : new NullLogger();
 
         $builder->addPlugin(new Plugin\AddHostPlugin(Psr17FactoryDiscovery::findUriFactory()->createUri($privatePackagistUrl)));
         $builder->addPlugin(new PathPrepend('/api'));
@@ -58,6 +64,12 @@ public function authenticate(
         $this->httpClientBuilder->addPlugin(new RequestSignature($key, $secret));
     }
 
+    public function authenticateWithTrustedPublishing(string $organizationUrlName, string $packageName)
+    {
+        $this->httpClientBuilder->removePlugin(TrustedPublishingTokenExchange::class);
+        $this->httpClientBuilder->addPlugin(new TrustedPublishingTokenExchange($organizationUrlName, $packageName, $this->getHttpClientBuilder(), $this->logger));
+    }
+
     public function credentials()
     {
         return new Api\Credentials($this, $this->responseMediator);

src/HttpClient/Plugin/TrustedPublishingTokenExchange.php

@@ -0,0 +1,68 @@
+<?php declare(strict_types=1);
+
+/**
+ * (c) Packagist Conductors GmbH <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace PrivatePackagist\ApiClient\HttpClient\Plugin;
+
+use Http\Client\Common\HttpMethodsClient;
+use Http\Client\Common\Plugin;
+use Http\Discovery\Psr17FactoryDiscovery;
+use Http\Discovery\Psr18ClientDiscovery;
+use PrivatePackagist\ApiClient\HttpClient\HttpPluginClientBuilder;
+use PrivatePackagist\OIDC\Identities\TokenGenerator;
+use Psr\Http\Message\RequestInterface;
+use Psr\Log\LoggerInterface;
+
+class TrustedPublishingTokenExchange implements Plugin
+{
+    use Plugin\VersionBridgePlugin;
+
+    /** @var string */
+    private $organizationUrlName;
+    /** @var string */
+    private $packageName;
+    /** @var HttpPluginClientBuilder $httpPluginClientBuilder */
+    private $httpPluginClientBuilder;
+    /** @var LoggerInterface */
+    private $logger;
+
+    public function __construct(string $organizationUrlName, string $packageName, HttpPluginClientBuilder $httpPluginClientBuilder, LoggerInterface $logger)
+    {
+        $this->organizationUrlName = $organizationUrlName;
+        $this->packageName = $packageName;
+        $this->httpPluginClientBuilder = $httpPluginClientBuilder;
+        $this->logger = $logger;
+    }
+
+    protected function doHandleRequest(RequestInterface $request, callable $next, callable $first)
+    {
+        $this->httpPluginClientBuilder->removePlugin(self::class);
+
+        $privatePackagistHttpclient = $this->httpPluginClientBuilder->getHttpClient();
+        $audience = json_decode((string) $privatePackagistHttpclient->get('/oidc/audience')->getBody(), true);
+        $this->logger->debug('Audience', $audience);
+
+        $oidcHttpClient = new HttpMethodsClient(
+            Psr18ClientDiscovery::find(),
+            Psr17FactoryDiscovery::findRequestFactory(),
+            Psr17FactoryDiscovery::findStreamFactory()
+        );
+
+        $tokenGenerator = new TokenGenerator($this->logger, $oidcHttpClient);
+        $token = $tokenGenerator->generate($audience['audience']);
+        if (!$token) {
+            return $next($request);
+        }
+
+        $apiCredentials = json_decode((string) $privatePackagistHttpclient->post('/oidc/token-exchange/' . $this->organizationUrlName . '/' . $this->packageName, ['Authorization' => 'Bearer ' . $token->token])->getBody(), true);
+
+        $this->httpPluginClientBuilder->addPlugin($requestSignature = new RequestSignature($apiCredentials['key'], $apiCredentials['secret']));
+
+        return $requestSignature->handleRequest($request, $next, $first);
+    }
+}