feat(trusted-publishing): log progression of token-exchange steps

for #958

Author: travi

lib/trusted-publishing/oidc-context.js

@@ -1,6 +1,6 @@
 import { OFFICIAL_REGISTRY } from "../definitions/constants.js";
 import exchangeToken from "./token-exchange.js";
 
-export default async function oidcContextEstablished(registry, pkg) {
-  return OFFICIAL_REGISTRY === registry && !!(await exchangeToken(pkg));
+export default async function oidcContextEstablished(registry, pkg, context) {
+  return OFFICIAL_REGISTRY === registry && !!(await exchangeToken(pkg, context));
 }

lib/trusted-publishing/token-exchange.js

@@ -7,53 +7,65 @@ import {
   GITLAB_PIPELINES_PROVIDER_NAME,
 } from "../definitions/constants.js";
 
-async function exchangeIdToken(idToken, packageName) {
+async function exchangeIdToken(idToken, packageName, logger) {
   const response = await fetch(
     `${OFFICIAL_REGISTRY}-/npm/v1/oidc/token/exchange/package/${encodeURIComponent(packageName)}`,
     {
       method: "POST",
       headers: { Authorization: `Bearer ${idToken}` },
     }
   );
+  const responseBody = await response.json();
 
   if (response.ok) {
-    return (await response.json()).token;
+    logger.log("OIDC token exchange with the npm registry succeeded");
+
+    return responseBody.token;
   }
 
+  logger.log(`OIDC token exchange with the npm registry failed: ${response.status} ${responseBody.message}`);
+
   return undefined;
 }
 
-async function exchangeGithubActionsToken(packageName) {
+async function exchangeGithubActionsToken(packageName, logger) {
   let idToken;
 
+  logger.log("Verifying OIDC context for publishing from GitHub Actions");
+
   try {
     idToken = await getIDToken("npm:registry.npmjs.org");
   } catch (e) {
+    logger.log(`Retrieval of GitHub Actions OIDC token failed: ${e.message}`);
+    logger.log("Have you granted the `id-token: write` permission to this workflow?");
+
     return undefined;
   }
 
-  return exchangeIdToken(idToken, packageName);
+  return exchangeIdToken(idToken, packageName, logger);
 }
 
-async function exchangeGitlabPipelinesToken(packageName) {
+async function exchangeGitlabPipelinesToken(packageName, logger) {
   const idToken = process.env.NPM_ID_TOKEN;
 
+  logger.log("Verifying OIDC context for publishing from GitLab Pipelines");
+
   if (!idToken) {
     return undefined;
   }
 
-  return await exchangeIdToken(idToken, packageName);
+  return exchangeIdToken(idToken, packageName, logger);
 }
 
-export default async function exchangeToken(pkg) {
+export default function exchangeToken(pkg, {logger}) {
   const { name: ciProviderName } = envCi();
 
   if (GITHUB_ACTIONS_PROVIDER_NAME === ciProviderName) {
-    return await exchangeGithubActionsToken(pkg.name);
+    return exchangeGithubActionsToken(pkg.name, logger);
   }
 
   if (GITLAB_PIPELINES_PROVIDER_NAME === ciProviderName) {
-    return await exchangeGitlabPipelinesToken(pkg.name);
+    return exchangeGitlabPipelinesToken(pkg.name, logger);
   }
 
   return undefined;

lib/verify-auth.js

@@ -74,7 +74,7 @@ async function verifyTokenAuth(registry, npmrc, context) {
 export default async function (npmrc, pkg, context) {
   const registry = getRegistry(pkg, context);
 
-  if (oidcContextEstablished(registry, pkg)) {
+  if (oidcContextEstablished(registry, pkg, context)) {
     return;
   }
 

test/trusted-publishing/oidc-context.test.js

@@ -5,11 +5,12 @@ import { OFFICIAL_REGISTRY } from "../../lib/definitions/constants.js";
 
 let oidcContextEstablished, trustedCiProvider, exchangeToken;
 const pkg = {};
+const context = {};
 
 test.beforeEach(async (t) => {
   await td.replace(globalThis, "fetch");
   ({ default: exchangeToken } = await td.replaceEsm("../../lib/trusted-publishing/token-exchange.js"));
-  td.when(exchangeToken(pkg)).thenResolve(undefined);
+  td.when(exchangeToken(pkg, context)).thenResolve(undefined);
 
   ({ default: oidcContextEstablished } = await import("../../lib/trusted-publishing/oidc-context.js"));
 });
@@ -22,19 +23,19 @@ test.serial(
   "that `true` is returned when a trusted-publishing context has been established with the official registry",
   async (t) => {
     td.when(fetch("https://matt.travi.org")).thenResolve(new Response(null, { status: 401 }));
-    td.when(exchangeToken(pkg)).thenResolve("token-value");
+    td.when(exchangeToken(pkg, context)).thenResolve("token-value");
 
-    t.true(await oidcContextEstablished(OFFICIAL_REGISTRY, pkg));
+    t.true(await oidcContextEstablished(OFFICIAL_REGISTRY, pkg, context));
   }
 );
 
 test.serial("that `false` is returned when OIDC token exchange fails in a supported CI provider", async (t) => {
   td.when(fetch("https://matt.travi.org")).thenResolve(new Response(null, { status: 401 }));
-  td.when(exchangeToken(pkg)).thenResolve(undefined);
+  td.when(exchangeToken(pkg, context)).thenResolve(undefined);
 
-  t.false(await oidcContextEstablished(OFFICIAL_REGISTRY, pkg));
+  t.false(await oidcContextEstablished(OFFICIAL_REGISTRY, pkg, context));
 });
 
 test.serial("that `false` is returned when a custom registry is targeted", async (t) => {
-  t.false(await oidcContextEstablished("https://custom.registry.org/", pkg));
+  t.false(await oidcContextEstablished("https://custom.registry.org/", pkg, context));
 });

test/trusted-publishing/token-exchange.test.js

@@ -14,6 +14,7 @@ const packageName = "@scope/some-package";
 const pkg = { name: packageName };
 const idToken = "id-token-value";
 const token = "token-value";
+const logger = { log: () => undefined };
 
 test.beforeEach(async (t) => {
   await td.replace(globalThis, "fetch");
@@ -41,7 +42,7 @@ test.serial("that an access token is returned when token exchange succeeds on Gi
     new Response(JSON.stringify({ token }), { status: 201, headers: { "Content-Type": "application/json" } })
   );
 
-  t.is(await exchangeToken(pkg), token);
+  t.is(await exchangeToken(pkg, {logger}), token);
 });
 
 test.serial("that `undefined` is returned when ID token retrieval fails on GitHub Actions", async (t) => {
@@ -50,7 +51,7 @@ test.serial("that `undefined` is returned when ID token retrieval fails on GitHu
     new Error("Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable")
   );
 
-  t.is(await exchangeToken(pkg), undefined);
+  t.is(await exchangeToken(pkg, {logger}), undefined);
 });
 
 test.serial("that `undefined` is returned when token exchange fails on GitHub Actions", async (t) => {
@@ -65,7 +66,7 @@ test.serial("that `undefined` is returned when token exchange fails on GitHub Ac
     new Response(JSON.stringify({ message: "foo" }), { status: 401, headers: { "Content-Type": "application/json" } })
   );
 
-  t.is(await exchangeToken(pkg), undefined);
+  t.is(await exchangeToken(pkg, {logger}), undefined);
 });
 
 test.serial("that an access token is returned when token exchange succeeds on GitLab Pipelines", async (t) => {
@@ -80,13 +81,13 @@ test.serial("that an access token is returned when token exchange succeeds on Gi
     new Response(JSON.stringify({ token }), { status: 201, headers: { "Content-Type": "application/json" } })
   );
 
-  t.is(await exchangeToken(pkg), token);
+  t.is(await exchangeToken(pkg, {logger}), token);
 });
 
 test.serial("that `undefined` is returned when ID token is not available on GitLab Pipelines", async (t) => {
   td.when(envCi()).thenReturn({ name: GITLAB_PIPELINES_PROVIDER_NAME });
 
-  t.is(await exchangeToken(pkg), undefined);
+  t.is(await exchangeToken(pkg, {logger}), undefined);
 });
 
 test.serial("that `undefined` is returned when token exchange fails on GitLab Pipelines", async (t) => {
@@ -101,11 +102,11 @@ test.serial("that `undefined` is returned when token exchange fails on GitLab Pi
     new Response(JSON.stringify({ message: "foo" }), { status: 401, headers: { "Content-Type": "application/json" } })
   );
 
-  t.is(await exchangeToken(pkg), undefined);
+  t.is(await exchangeToken(pkg, {logger}), undefined);
 });
 
 test.serial("that `undefined` is returned when no supported CI provider is detected", async (t) => {
   td.when(envCi()).thenReturn({ name: "Other Service" });
 
-  t.is(await exchangeToken(pkg), undefined);
+  t.is(await exchangeToken(pkg, {logger}), undefined);
 });

test/verify-auth.test.js

@@ -30,7 +30,7 @@ test.serial(
   "that the auth context for the official registry is considered valid when trusted publishing is established",
   async (t) => {
     td.when(getRegistry(pkg, context)).thenReturn(DEFAULT_NPM_REGISTRY);
-    td.when(oidcContextEstablished(DEFAULT_NPM_REGISTRY, pkg)).thenReturn(true);
+    td.when(oidcContextEstablished(DEFAULT_NPM_REGISTRY, pkg, context)).thenReturn(true);
 
     await t.notThrowsAsync(verifyAuth(npmrc, pkg, context));
   }
@@ -40,7 +40,7 @@ test.serial(
   "that the provided token is verified with `npm whoami` when trusted publishing is not established for the official registry",
   async (t) => {
     td.when(getRegistry(pkg, context)).thenReturn(DEFAULT_NPM_REGISTRY);
-    td.when(oidcContextEstablished(DEFAULT_NPM_REGISTRY, pkg)).thenReturn(false);
+    td.when(oidcContextEstablished(DEFAULT_NPM_REGISTRY, pkg, context)).thenReturn(false);
     td.when(
       execa("npm", ["whoami", "--userconfig", npmrc, "--registry", DEFAULT_NPM_REGISTRY], {
         cwd,
@@ -60,7 +60,7 @@ test.serial(
   "that the auth context for the official registry is considered invalid when no token is provided and trusted publishing is not established",
   async (t) => {
     td.when(getRegistry(pkg, context)).thenReturn(DEFAULT_NPM_REGISTRY);
-    td.when(oidcContextEstablished(DEFAULT_NPM_REGISTRY, pkg)).thenReturn(false);
+    td.when(oidcContextEstablished(DEFAULT_NPM_REGISTRY, pkg, context)).thenReturn(false);
     td.when(
       execa("npm", ["whoami", "--userconfig", npmrc, "--registry", DEFAULT_NPM_REGISTRY], {
         cwd,
@@ -89,7 +89,7 @@ test.serial(
     execaResult.stderr = { pipe: () => undefined };
     execaResult.stdout = { pipe: () => undefined };
     td.when(getRegistry(pkg, context)).thenReturn(otherRegistry);
-    td.when(oidcContextEstablished(otherRegistry, pkg)).thenReturn(false);
+    td.when(oidcContextEstablished(DEFAULT_NPM_REGISTRY, pkg, context)).thenReturn(false);
     td.when(
       execa(
         "npm",
@@ -127,7 +127,7 @@ test.serial(
     execaResult.stderr = { pipe: () => undefined };
     execaResult.stdout = { pipe: () => undefined };
     td.when(getRegistry(pkg, context)).thenReturn(otherRegistry);
-    td.when(oidcContextEstablished(otherRegistry, pkg)).thenReturn(false);
+    td.when(oidcContextEstablished(otherRegistry, pkg, context)).thenReturn(false);
     td.when(
       execa(
         "npm",
@@ -163,6 +163,7 @@ test.serial("that errors from setting up auth bubble through this function", asy
   const registry = DEFAULT_NPM_REGISTRY;
   const thrownError = new Error();
   td.when(getRegistry(pkg, context)).thenReturn(registry);
+  td.when(oidcContextEstablished(registry, pkg, context)).thenReturn(false);
   td.when(setNpmrcAuth(npmrc, registry, context)).thenThrow(new AggregateError([thrownError]));
 
   const {