feat(provider): add support for oidc token authentication

Author: fargito

Cargo.lock

@@ -30,7 +30,7 @@ serde = { version = "1.0.192", features = ["derive"] }
 serde_json = { version = "1.0.108", features = ["preserve_order"] }
 url = "2.4.1"
 sha256 = "1.4.0"
-tokio = { version = "1", features = ["macros", "rt"] }
+tokio = { version = "1", features = ["macros", "rt", "process"] }
 tokio-tar = "0.3.1"
 tokio-util = "0.7.16"
 md5 = "0.7.0"

Cargo.toml

@@ -195,6 +195,13 @@ pub async fn run(
         }
         debug!("Using the token from the CodSpeed configuration file");
         config.set_token(codspeed_config.auth.token.clone());
+    } else {
+        let oidc_token = provider.get_oidc_token().await;
+        if oidc_token.is_some() {
+            debug!("Using OIDC token for authentication");
+
+            config.set_token(oidc_token);
+        }
     }
 
     let system_info = SystemInfo::new()?;

src/run/mod.rs

@@ -1,6 +1,8 @@
 use std::env;
 
+use async_trait::async_trait;
 use simplelog::SharedLogger;
+use tokio::process::Command;
 
 use crate::prelude::*;
 use crate::run::helpers::{GitRemote, parse_git_remote};
@@ -119,6 +121,7 @@ impl RunEnvironmentDetector for BuildkiteProvider {
     }
 }
 
+#[async_trait(?Send)]
 impl RunEnvironmentProvider for BuildkiteProvider {
     fn get_repository_provider(&self) -> RepositoryProvider {
         RepositoryProvider::GitHub
@@ -151,6 +154,39 @@ impl RunEnvironmentProvider for BuildkiteProvider {
     fn get_run_provider_run_part(&self) -> Option<RunPart> {
         None
     }
+
+    /// Return an OIDC token obtained from Buildkite, if available.
+    ///
+    /// This uses the `buildkite-agent oidc request-token` command to obtain
+    /// a token with the audience set to "codspeed".
+    ///
+    /// Docs:
+    /// - https://buildkite.com/docs/agent/v3/cli-oidc
+    /// - https://buildkite.com/docs/pipelines/security/oidc
+    async fn get_oidc_token(&self) -> Option<String> {
+        let output = Command::new("buildkite-agent")
+            .args(["oidc", "request-token", "--audience", "codspeed"])
+            .output()
+            .await
+            .ok()?;
+
+        if !output.status.success() {
+            warn!(
+                "Failed to request OIDC token from Buildkite: {}",
+                String::from_utf8_lossy(&output.stderr)
+            );
+            return None;
+        }
+
+        let token = String::from_utf8(output.stdout).ok()?;
+        let token = token.trim();
+
+        if token.is_empty() {
+            return None;
+        }
+
+        Some(token.to_string())
+    }
 }
 
 #[cfg(test)]

src/run/run_environment/buildkite/provider.rs

@@ -1,6 +1,9 @@
+use async_trait::async_trait;
 use git2::Repository;
 use lazy_static::lazy_static;
 use regex::Regex;
+use reqwest::Client;
+use serde::Deserialize;
 use serde_json::Value;
 use simplelog::SharedLogger;
 use std::collections::BTreeMap;
@@ -42,6 +45,11 @@ impl GitHubActionsProvider {
     }
 }
 
+#[derive(Deserialize)]
+struct OIDCResponse {
+    value: Option<String>,
+}
+
 lazy_static! {
     static ref PR_REF_REGEX: Regex = Regex::new(r"^refs/pull/(?P<pr_number>\d+)/merge$").unwrap();
 }
@@ -129,6 +137,7 @@ impl RunEnvironmentDetector for GitHubActionsProvider {
     }
 }
 
+#[async_trait(?Send)]
 impl RunEnvironmentProvider for GitHubActionsProvider {
     fn get_repository_provider(&self) -> RepositoryProvider {
         RepositoryProvider::GitHub
@@ -236,6 +245,46 @@ impl RunEnvironmentProvider for GitHubActionsProvider {
             .to_string();
         Ok(commit_hash)
     }
+
+    /// Get the OIDC token for GitHub Actions.
+    ///
+    /// This requires that the workflow has the `id-token` permission enabled.
+    ///
+    /// Docs:
+    /// - https://docs.github.com/en/actions/how-tos/secure-your-work/security-harden-deployments/oidc-with-reusable-workflows
+    /// - https://docs.github.com/en/actions/concepts/security/openid-connect
+    /// - https://docs.github.com/en/actions/reference/security/oidc#methods-for-requesting-the-oidc-token
+    async fn get_oidc_token(&self) -> Option<String> {
+        // The `ACTIONS_ID_TOKEN_REQUEST_TOKEN` environment variable is set when the `id-token` permission is granted.
+        // This is necessary to authenticate with OIDC, but not strictly set just for OIDC.
+        let request_token = get_env_variable("ACTIONS_ID_TOKEN_REQUEST_TOKEN").ok();
+        let request_url = get_env_variable("ACTIONS_ID_TOKEN_REQUEST_URL").ok();
+
+        if request_token.is_none() || request_url.is_none() {
+            warn!(
+                "The Workflow is missing the 'id-token: write' permission required to request an OIDC token. \
+                Please refer to https://docs.github.com/en/actions/how-to-guides/security-hardening-your-workflows/about-security-hardening-with-openid-connect for more information."
+            );
+
+            return None;
+        }
+
+        let request_url = request_url.unwrap();
+        let request_url = format!("{request_url}&audience=codspeed");
+        let request_token = request_token.unwrap();
+
+        Client::new()
+            .get(request_url)
+            .header("Accept", "application/json")
+            .header("Authorization", format!("Bearer {request_token}"))
+            .send()
+            .await
+            .ok()?
+            .json::<OIDCResponse>()
+            .await
+            .ok()?
+            .value
+    }
 }
 
 #[cfg(test)]

src/run/run_environment/github_actions/provider.rs

@@ -1,3 +1,4 @@
+use async_trait::async_trait;
 use simplelog::SharedLogger;
 use std::collections::BTreeMap;
 use std::env;
@@ -139,6 +140,7 @@ impl RunEnvironmentDetector for GitLabCIProvider {
     }
 }
 
+#[async_trait(?Send)]
 impl RunEnvironmentProvider for GitLabCIProvider {
     fn get_logger(&self) -> Box<dyn SharedLogger> {
         Box::new(GitLabCILogger::new())
@@ -175,6 +177,15 @@ impl RunEnvironmentProvider for GitLabCIProvider {
             metadata: BTreeMap::new(),
         })
     }
+
+    /// For GitLab CI, OIDC tokens must be passed via env variable.
+    ///
+    /// See:
+    /// - https://docs.gitlab.com/integration/openid_connect_provider/
+    /// - https://docs.gitlab.com/ci/secrets/id_token_authentication/
+    async fn get_oidc_token(&self) -> Option<String> {
+        None
+    }
 }
 
 #[cfg(test)]

src/run/run_environment/gitlab_ci/provider.rs

@@ -1,3 +1,4 @@
+use async_trait::async_trait;
 use git2::Repository;
 use simplelog::SharedLogger;
 
@@ -117,6 +118,7 @@ impl RunEnvironmentDetector for LocalProvider {
     }
 }
 
+#[async_trait(?Send)]
 impl RunEnvironmentProvider for LocalProvider {
     fn get_repository_provider(&self) -> RepositoryProvider {
         self.repository_provider.clone()
@@ -178,6 +180,10 @@ impl RunEnvironmentProvider for LocalProvider {
     fn get_run_provider_run_part(&self) -> Option<RunPart> {
         None
     }
+
+    async fn get_oidc_token(&self) -> Option<String> {
+        unimplemented!("LocalProvider does not support OIDC tokens")
+    }
 }
 
 fn extract_provider_owner_and_repository_from_remote_url(

src/run/run_environment/local/provider.rs

@@ -1,3 +1,4 @@
+use async_trait::async_trait;
 use git2::Repository;
 use simplelog::SharedLogger;
 
@@ -18,6 +19,7 @@ pub trait RunEnvironmentDetector {
 
 /// `RunEnvironmentProvider` is a trait that defines the necessary methods
 /// for a continuous integration provider.
+#[async_trait(?Send)]
 pub trait RunEnvironmentProvider {
     /// Returns the logger for the RunEnvironment.
     fn get_logger(&self) -> Box<dyn SharedLogger>;
@@ -34,6 +36,9 @@ pub trait RunEnvironmentProvider {
     /// Return the metadata necessary to identify the `RunPart`
     fn get_run_provider_run_part(&self) -> Option<RunPart>;
 
+    /// Get an OIDC token for the current run environment, if supported.
+    async fn get_oidc_token(&self) -> Option<String>;
+
     /// Returns the metadata necessary for uploading results to CodSpeed.
     ///
     /// # Arguments