diff --git a/lib/oidc-utils.js b/lib/oidc-utils.js index e874644e8..88e598d58 100644 --- a/lib/oidc-utils.js +++ b/lib/oidc-utils.js @@ -222,6 +222,16 @@ class OidcUtils { core.exportVariable('JFROG_CLI_USAGE_CONFIG_OIDC', 'TRUE'); core.exportVariable('JFROG_CLI_USAGE_OIDC_USED', 'TRUE'); } + /** + * Constructs the payload for the OIDC token exchange request. + * NOTE: This structure is intended for legacy CLI versions and matches the access API format. + * The payload includes a context object and some duplicated parameters for backward compatibility. + * Future updates will move all additional parameters into the context object. + * @param jwt + * @param providerName + * @param applicationKey + * @private + */ static buildOidcTokenExchangePayload(jwt, providerName, applicationKey) { var _a, _b, _c, _d, _e, _f, _g, _h; return { 
@@ -230,26 +240,24 @@ class OidcUtils { subject_token: jwt, provider_name: providerName, project_key: (_a = process.env.JF_PROJECT) !== null && _a !== void 0 ? _a : '', + // gh_* params are used for usage tracking gh_job_id: (_b = process.env.GITHUB_JOB) !== null && _b !== void 0 ? _b : '', gh_run_id: (_c = process.env.GITHUB_RUN_ID) !== null && _c !== void 0 ? _c : '', gh_repo: (_d = process.env.GITHUB_REPOSITORY) !== null && _d !== void 0 ? _d : '', gh_revision: (_e = process.env.GITHUB_SHA) !== null && _e !== void 0 ? _e : '', gh_branch: (_f = process.env.GITHUB_REF_NAME) !== null && _f !== void 0 ? _f : '', application_key: applicationKey, + // This object is planned to be expanded as needed + // even though currently it contains some duplicated parameters context: { vcs_commit: { - vcs_url: this.buildVcsUrl(), + vcs_url: utils_1.Utils.buildVcsUrl(), branch: (_g = process.env.GITHUB_REF_NAME) !== null && _g !== void 0 ? _g : '', revision: (_h = process.env.GITHUB_SHA) !== null && _h !== void 0 ? _h : '', }, }, }; } - static buildVcsUrl() { - const serverUrl = process.env.GITHUB_SERVER_URL; - const repo = process.env.GITHUB_REPOSITORY; - return serverUrl && repo ? `${serverUrl}/${repo}` : ''; - } /** * Retrieves the application key from .jfrog/config file. * diff --git a/lib/utils.js b/lib/utils.js index 9785caca0..7ee12f4cc 100644 --- a/lib/utils.js +++ b/lib/utils.js @@ -245,7 +245,7 @@ class Utils { return Utils.SETUP_JFROG_CLI_SERVER_ID; } static setCliEnv() { - var _a, _b, _c, _d, _e; + var _a, _b, _c, _d, _e, _f, _g, _h, _j; if (core.isDebug()) { Utils.exportVariableIfNotSet('JFROG_CLI_LOG_LEVEL', 'DEBUG'); } 
@@ -256,6 +256,10 @@ class Utils { Utils.exportVariableIfNotSet('JFROG_CLI_CI_JOB_ID', (_b = process.env.GITHUB_WORKFLOW) !== null && _b !== void 0 ? _b : ''); Utils.exportVariableIfNotSet('JFROG_CLI_CI_RUN_ID', (_c = process.env.GITHUB_RUN_ID) !== null && _c !== void 0 ? _c : ''); Utils.exportVariableIfNotSet('JFROG_CLI_GITHUB_TOKEN', (_d = process.env.GITHUB_TOKEN) !== null && _d !== void 0 ? _d : ''); + // Used for OIDC token exchange extra params + Utils.exportVariableIfNotSet('JFROG_CLI_CI_VCS_REVISION', (_f = (_e = process.env.GITHUB_SHA) !== null && _e !== void 0 ? _e : '') !== null && _f !== void 0 ? _f : ''); + Utils.exportVariableIfNotSet('JFROG_CLI_CI_BRANCH', (_h = (_g = process.env.GITHUB_REF_NAME) !== null && _g !== void 0 ? _g : '') !== null && _h !== void 0 ? _h : ''); + Utils.exportVariableIfNotSet('JFROG_CLI_CI_VCS_URL', Utils.buildVcsUrl()); let buildNameEnv = process.env.GITHUB_WORKFLOW; if (buildNameEnv) { Utils.exportVariableIfNotSet('JFROG_CLI_BUILD_NAME', buildNameEnv); @@ -276,7 +280,12 @@ class Utils { job_summary_1.JobSummary.enableJobSummaries(); } // Indicate if JF_GIT_TOKEN is provided as an environment variable, used by Xray usage. - Utils.exportVariableIfNotSet('JFROG_CLI_USAGE_GH_TOKEN_FOR_CODE_SCANNING_ALERTS_PROVIDED', (_e = process.env.JF_GIT_TOKEN) !== null && _e !== void 0 ? _e : ''); + Utils.exportVariableIfNotSet('JFROG_CLI_USAGE_GH_TOKEN_FOR_CODE_SCANNING_ALERTS_PROVIDED', (_j = process.env.JF_GIT_TOKEN) !== null && _j !== void 0 ? _j : ''); + } + static buildVcsUrl() { + const serverUrl = process.env.GITHUB_SERVER_URL; + const repo = process.env.GITHUB_REPOSITORY; + return serverUrl && repo ? `${serverUrl}/${repo}` : ''; } static exportVariableIfNotSet(key, value) { if (!process.env[key]) { diff --git a/src/oidc-utils.ts b/src/oidc-utils.ts index 8e4b7c68c..2769070d5 100644 --- a/src/oidc-utils.ts +++ b/src/oidc-utils.ts 
@@ -211,6 +211,16 @@ export class OidcUtils {
 core.exportVariable('JFROG_CLI_USAGE_OIDC_USED', 'TRUE');
 }
+ /**
+ * Constructs the payload for the OIDC token exchange request.
+ * NOTE: This structure is intended for legacy CLI versions and matches the access API format.
+ * The payload includes a context object and some duplicated parameters for backward compatibility.
+ * Future updates will move all additional parameters into the context object.
+ * @param jwt
+ * @param providerName
+ * @param applicationKey
+ * @private
+ */
 private static buildOidcTokenExchangePayload(jwt: string, providerName: string, applicationKey: string): Record {
 return {
 grant_type: 'urn:ietf:params:oauth:grant-type:token-exchange',
@@ -218,15 +228,18 @@ export class OidcUtils {
 subject_token: jwt,
 provider_name: providerName,
 project_key: process.env.JF_PROJECT ?? '',
+ // gh_* params are used for usage tracking
 gh_job_id: process.env.GITHUB_JOB ?? '',
 gh_run_id: process.env.GITHUB_RUN_ID ?? '',
 gh_repo: process.env.GITHUB_REPOSITORY ?? '',
 gh_revision: process.env.GITHUB_SHA ?? '',
 gh_branch: process.env.GITHUB_REF_NAME ?? '',
 application_key: applicationKey,
+ // This object is planned to be expanded as needed
+ // even though currently it contains some duplicated parameters
 context: {
 vcs_commit: {
- vcs_url: this.buildVcsUrl(),
+ vcs_url: Utils.buildVcsUrl(),
 branch: process.env.GITHUB_REF_NAME ?? '',
 revision: process.env.GITHUB_SHA ?? '',
 },
@@ -234,12 +247,6 @@ export class OidcUtils {
 };
 }
- private static buildVcsUrl(): string {
- const serverUrl: string | undefined = process.env.GITHUB_SERVER_URL;
- const repo: string | undefined = process.env.GITHUB_REPOSITORY;
- return serverUrl && repo ? `${serverUrl}/${repo}` : '';
- }
-
 /**
 * Retrieves the application key from .jfrog/config file.
 *
diff --git a/src/utils.ts b/src/utils.ts
index e6e82bd6f..b1f013552 100644
--- a/src/utils.ts
+++ b/src/utils.ts
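Review bot: The new comments in the second hunk of src/oidc-utils.ts explain what `gh_*` and `context` are for, but not that every one of these values is read from `process.env` and is therefore self-reported by the client rather than covered by the signature on `subject_token`. If the receiving service relied on `context.vcs_commit` for anything beyond display or usage tracking (the server side is not visible here), it would be trusting values that any caller of the endpoint can set freely. I would add above `context: {` a comment such as `// Informational only: read from the runner environment and not verified; authorization must rely on the claims inside the JWT`. `branch`/`revision` also repeat the `gh_branch`/`gh_revision` expressions, so reading `GITHUB_REF_NAME` and `GITHUB_SHA` once into locals would keep the duplicates from drifting. buildOidcTokenExchangePayload starts in the previous hunk and its closing lines are in the next one.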
@@ -287,6 +287,11 @@ export class Utils {
 Utils.exportVariableIfNotSet('JFROG_CLI_CI_RUN_ID', process.env.GITHUB_RUN_ID ?? '');
 Utils.exportVariableIfNotSet('JFROG_CLI_GITHUB_TOKEN', process.env.GITHUB_TOKEN ?? '');
+ // Used for OIDC token exchange extra params
+ Utils.exportVariableIfNotSet('JFROG_CLI_CI_VCS_REVISION', process.env.GITHUB_SHA ?? '' ?? '');
+ Utils.exportVariableIfNotSet('JFROG_CLI_CI_BRANCH', process.env.GITHUB_REF_NAME ?? '' ?? '');
+ Utils.exportVariableIfNotSet('JFROG_CLI_CI_VCS_URL', Utils.buildVcsUrl());
+
 let buildNameEnv: string | undefined = process.env.GITHUB_WORKFLOW;
 if (buildNameEnv) {
 Utils.exportVariableIfNotSet('JFROG_CLI_BUILD_NAME', buildNameEnv);
@@ -316,6 +321,12 @@ export class Utils {
 Utils.exportVariableIfNotSet('JFROG_CLI_USAGE_GH_TOKEN_FOR_CODE_SCANNING_ALERTS_PROVIDED', process.env.JF_GIT_TOKEN ?? '');
 }
+ public static buildVcsUrl(): string {
+ const serverUrl: string | undefined = process.env.GITHUB_SERVER_URL;
+ const repo: string | undefined = process.env.GITHUB_REPOSITORY;
+ return serverUrl && repo ? `${serverUrl}/${repo}` : '';
+ }
+
 public static exportVariableIfNotSet(key: string, value: string) {
 if (!process.env[key]) {
 core.exportVariable(key, value);
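Review bot: In the first hunk of src/utils.ts the three new variables go through `exportVariableIfNotSet`, so a `JFROG_CLI_CI_VCS_REVISION`, `JFROG_CLI_CI_BRANCH` or `JFROG_CLI_CI_VCS_URL` that is already present in the environment is kept and, per the added comment, forwarded as OIDC token-exchange parameters. If these are meant to describe the actual run rather than be overridable, set them with `core.exportVariable(...)` directly; otherwise the comment should say that a pre-set value wins. Separately, the second `?? ''` in `process.env.GITHUB_SHA ?? '' ?? ''` and `process.env.GITHUB_REF_NAME ?? '' ?? ''` can never be reached and should be dropped, e.g. `Utils.exportVariableIfNotSet('JFROG_CLI_CI_VCS_REVISION', process.env.GITHUB_SHA ?? '');`. The enclosing method (setCliEnv, judging by the lib/utils.js build output) begins and ends outside this hunk.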
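Review bot: `buildVcsUrl` in the second hunk of src/utils.ts becomes `public` and now feeds both the exported `JFROG_CLI_CI_VCS_URL` and the `vcs_url` field of the token-exchange payload, yet it has no TSDoc stating its contract. I would add `/** Returns "<GITHUB_SERVER_URL>/<GITHUB_REPOSITORY>" from the runner environment, or '' when either variable is unset; the value is not validated. */` above it so callers know an empty string is a normal result.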