oidc-exchange, twine-upload: remove more OIDC refs

...but not all, since some make sense in a debugging
context.

Signed-off-by: William Woodruff <william@trailofbits.com>
This commit is contained in:
William Woodruff 2023-04-03 21:30:44 +09:00
parent 4372cb5585
commit 0b567d5b01
No known key found for this signature in database
2 changed files with 9 additions and 7 deletions

View file

@ -13,7 +13,7 @@ _GITHUB_STEP_SUMMARY = Path(os.getenv("GITHUB_STEP_SUMMARY"))
# The top-level error message that gets rendered. # The top-level error message that gets rendered.
# This message wraps one of the other templates/messages defined below. # This message wraps one of the other templates/messages defined below.
_ERROR_SUMMARY_MESSAGE = """ _ERROR_SUMMARY_MESSAGE = """
Trusted publisher (OIDC) exchange failure: Trusted publishing exchange failure:
{message} {message}
@ -28,7 +28,7 @@ Read more about trusted publishers at https://docs.pypi.org/trusted-publishers/
# Rendered if OIDC identity token retrieval fails for any reason. # Rendered if OIDC identity token retrieval fails for any reason.
_TOKEN_RETRIEVAL_FAILED_MESSAGE = """ _TOKEN_RETRIEVAL_FAILED_MESSAGE = """
OIDC token retrieval failed: {identity_error} OpenID Connect token retrieval failed: {identity_error}
This generally indicates a workflow configuration error, such as insufficient This generally indicates a workflow configuration error, such as insufficient
permissions. Make sure that your workflow has `id-token: write` configured permissions. Make sure that your workflow has `id-token: write` configured
@ -71,7 +71,7 @@ def die(msg: str) -> NoReturn:
with _GITHUB_STEP_SUMMARY.open("a", encoding="utf-8") as io: with _GITHUB_STEP_SUMMARY.open("a", encoding="utf-8") as io:
print(_ERROR_SUMMARY_MESSAGE.format(message=msg), file=io) print(_ERROR_SUMMARY_MESSAGE.format(message=msg), file=io)
print(f"::error::OIDC exchange failure: {msg}", file=sys.stderr) print(f"::error::trusted publishing exchange failure: {msg}", file=sys.stderr)
sys.exit(1) sys.exit(1)
@ -94,12 +94,14 @@ def assert_successful_audience_call(resp: requests.Response, domain: str):
case HTTPStatus.FORBIDDEN: case HTTPStatus.FORBIDDEN:
# This index supports OIDC, but forbids the client from using # This index supports OIDC, but forbids the client from using
# it (either because it's disabled, limited to a beta group, etc.) # it (either because it's disabled, limited to a beta group, etc.)
die(f"audience retrieval failed: repository at {domain} has OIDC disabled") die(
f"audience retrieval failed: repository at {domain} has trusted publishing disabled",
)
case HTTPStatus.NOT_FOUND: case HTTPStatus.NOT_FOUND:
# This index does not support OIDC. # This index does not support OIDC.
die( die(
"audience retrieval failed: repository at " "audience retrieval failed: repository at "
f"{domain} does not indicate OIDC support", f"{domain} does not indicate trusted publishing support",
) )
case other: case other:
status = HTTPStatus(other) status = HTTPStatus(other)
@ -124,7 +126,7 @@ assert_successful_audience_call(audience_resp, repository_domain)
oidc_audience = audience_resp.json()["audience"] oidc_audience = audience_resp.json()["audience"]
debug(f"selected OIDC token exchange endpoint: {token_exchange_url}") debug(f"selected trusted publishing exchange endpoint: {token_exchange_url}")
try: try:
oidc_token = id.detect_credential(audience=oidc_audience) oidc_token = id.detect_credential(audience=oidc_audience)

View file

@ -44,7 +44,7 @@ if [[ "${INPUT_USER}" == "__token__" && -z "${INPUT_PASSWORD}" ]] ; then
# No password supplied by the user implies that we're in the OIDC flow; # No password supplied by the user implies that we're in the OIDC flow;
# retrieve the OIDC credential and exchange it for a PyPI API token. # retrieve the OIDC credential and exchange it for a PyPI API token.
echo \ echo \
'::notice::Attempting to perform OIDC credential exchange' \ '::notice::Attempting to perform trusted publishing exchange' \
'to retrieve a temporary short-lived API token for authentication' \ 'to retrieve a temporary short-lived API token for authentication' \
"against ${INPUT_REPOSITORY_URL} due to __token__ username with no" \ "against ${INPUT_REPOSITORY_URL} due to __token__ username with no" \
'supplied password field' 'supplied password field'