feat(provider): add support for oidc token authentication

Author: fargito

src/request_client.rs

@@ -4,11 +4,13 @@ use reqwest_middleware::{ClientBuilder as ClientWithMiddlewareBuilder, ClientWit
 use reqwest_retry::{RetryTransientMiddleware, policies::ExponentialBackoff};
 
 const UPLOAD_RETRY_COUNT: u32 = 3;
+const OIDC_RETRY_COUNT: u32 = 10;
+const USER_AGENT: &str = "codspeed-runner";
 
 lazy_static! {
     pub static ref REQUEST_CLIENT: ClientWithMiddleware = ClientWithMiddlewareBuilder::new(
         ClientBuilder::new()
-            .user_agent("codspeed-runner")
+            .user_agent(USER_AGENT)
             .build()
             .unwrap()
     )
@@ -19,7 +21,19 @@ lazy_static! {
 
     // Client without retry middleware for streaming uploads (can't be cloned)
     pub static ref STREAMING_CLIENT: reqwest::Client = ClientBuilder::new()
-        .user_agent("codspeed-runner")
+        .user_agent(USER_AGENT)
         .build()
         .unwrap();
+
+    // Client with retry middleware for OIDC token requests
+    pub static ref OIDC_CLIENT: ClientWithMiddleware = ClientWithMiddlewareBuilder::new(
+        ClientBuilder::new()
+            .user_agent(USER_AGENT)
+            .build()
+            .unwrap()
+    )
+    .with(RetryTransientMiddleware::new_with_policy(
+        ExponentialBackoff::builder().build_with_max_retries(OIDC_RETRY_COUNT)
+    ))
+    .build();
 }

src/run/mod.rs

@@ -195,6 +195,9 @@ pub async fn run(
         }
         debug!("Using the token from the CodSpeed configuration file");
         config.set_token(codspeed_config.auth.token.clone());
+    } else {
+        // If relevant, set the OIDC token for authentication
+        provider.set_oidc_token(&mut config).await;
     }
 
     let system_info = SystemInfo::new()?;

src/run/run_environment/buildkite/provider.rs

@@ -1,5 +1,6 @@
 use std::env;
 
+use async_trait::async_trait;
 use simplelog::SharedLogger;
 
 use crate::prelude::*;
@@ -119,6 +120,7 @@ impl RunEnvironmentDetector for BuildkiteProvider {
     }
 }
 
+#[async_trait(?Send)]
 impl RunEnvironmentProvider for BuildkiteProvider {
     fn get_repository_provider(&self) -> RepositoryProvider {
         RepositoryProvider::GitHub
@@ -151,6 +153,15 @@ impl RunEnvironmentProvider for BuildkiteProvider {
     fn get_run_provider_run_part(&self) -> Option<RunPart> {
         None
     }
+
+    /// For now, we do not support OIDC tokens for Buildkite
+    ///
+    /// If we want to in the future, we can implement it using the Buildkite Agent CLI.
+    ///
+    /// Docs:
+    /// - https://buildkite.com/docs/agent/v3/cli-oidc
+    /// - https://buildkite.com/docs/pipelines/security/oidc
+    async fn set_oidc_token(&self, _config: &mut Config) {}
 }
 
 #[cfg(test)]

src/run/run_environment/github_actions/provider.rs

@@ -1,12 +1,15 @@
+use async_trait::async_trait;
 use git2::Repository;
 use lazy_static::lazy_static;
 use regex::Regex;
+use serde::Deserialize;
 use serde_json::Value;
 use simplelog::SharedLogger;
 use std::collections::BTreeMap;
 use std::{env, fs};
 
 use crate::prelude::*;
+use crate::request_client::OIDC_CLIENT;
 use crate::run::run_environment::{RunEnvironment, RunPart};
 use crate::run::{
     config::Config,
@@ -30,6 +33,9 @@ pub struct GitHubActionsProvider {
     pub gh_data: GhData,
     pub event: RunEvent,
     pub repository_root_path: String,
+
+    /// Indicates whether the head repository is a fork of the base repository.
+    is_head_repo_fork: bool,
 }
 
 impl GitHubActionsProvider {
@@ -42,6 +48,11 @@ impl GitHubActionsProvider {
     }
 }
 
+#[derive(Deserialize)]
+struct OIDCResponse {
+    value: Option<String>,
+}
+
 lazy_static! {
     static ref PR_REF_REGEX: Regex = Regex::new(r"^refs/pull/(?P<pr_number>\d+)/merge$").unwrap();
 }
@@ -55,7 +66,7 @@ impl TryFrom<&Config> for GitHubActionsProvider {
         let (owner, repository) = Self::get_owner_and_repository()?;
         let ref_ = get_env_variable("GITHUB_REF")?;
         let is_pr = PR_REF_REGEX.is_match(&ref_);
-        let head_ref = if is_pr {
+        let (head_ref, is_head_repo_fork) = if is_pr {
             let github_event_path = get_env_variable("GITHUB_EVENT_PATH")?;
             let github_event = fs::read_to_string(github_event_path)?;
             let github_event: Value = serde_json::from_str(&github_event)
@@ -76,9 +87,9 @@ impl TryFrom<&Config> for GitHubActionsProvider {
             } else {
                 pull_request["head"]["ref"].as_str().unwrap().to_owned()
             };
-            Some(head_ref)
+            (Some(head_ref), is_head_repo_fork)
         } else {
-            None
+            (None, false)
         };
 
         let github_event_name = get_env_variable("GITHUB_EVENT_NAME")?;
@@ -118,6 +129,7 @@ impl TryFrom<&Config> for GitHubActionsProvider {
             }),
             base_ref: get_env_variable("GITHUB_BASE_REF").ok(),
             repository_root_path,
+            is_head_repo_fork,
         })
     }
 }
@@ -129,6 +141,7 @@ impl RunEnvironmentDetector for GitHubActionsProvider {
     }
 }
 
+#[async_trait(?Send)]
 impl RunEnvironmentProvider for GitHubActionsProvider {
     fn get_repository_provider(&self) -> RepositoryProvider {
         RepositoryProvider::GitHub
@@ -236,6 +249,80 @@ impl RunEnvironmentProvider for GitHubActionsProvider {
             .to_string();
         Ok(commit_hash)
     }
+
+    /// Set the OIDC token for GitHub Actions if necessary
+    ///
+    /// ## Logic
+    /// - If the user has explicitly set a token in the configuration (i.e. "static token"), do not override it, but display an info message.
+    /// - Otherwise, check if the necessary environment variables are set to use OIDC.
+    /// - Then attempt to request an OIDC token.
+    ///
+    /// If environment variables are not set, this could be because:
+    ///   - The user has misconfigured the workflow (missing `id-token` permission)
+    ///   - The run is from a public fork, in which case GitHub Actions does not provide these environment variables for security reasons.
+    ///
+    ///
+    /// ## Notes
+    /// Retrieving the token requires that the workflow has the `id-token` permission enabled.
+    ///
+    /// Docs:
+    /// - https://docs.github.com/en/actions/how-tos/secure-your-work/security-harden-deployments/oidc-with-reusable-workflows
+    /// - https://docs.github.com/en/actions/concepts/security/openid-connect
+    /// - https://docs.github.com/en/actions/reference/security/oidc#methods-for-requesting-the-oidc-token
+    async fn set_oidc_token(&self, config: &mut Config) {
+        // Check if a static token is already set
+        if config.token.is_some() {
+            info!(
+                "CodSpeed now supports OIDC tokens for authentication.\n
+                Add the `id-token: write` permission to your workflow, remove the token from your configuration, and benefit from enhanced security.\n
+                Learn more at https://codspeed.io/docs/integrations/ci/github-actions#openid-connect-oidc-authentication"
+            );
+
+            return;
+        }
+
+        // The `ACTIONS_ID_TOKEN_REQUEST_TOKEN` environment variable is set when the `id-token` permission is granted, which is necessary to authenticate with OIDC.
+        let request_token = get_env_variable("ACTIONS_ID_TOKEN_REQUEST_TOKEN").ok();
+        let request_url = get_env_variable("ACTIONS_ID_TOKEN_REQUEST_URL").ok();
+
+        if request_token.is_none() || request_url.is_none() {
+            // Only display a warning if the run is not from a fork
+            if !self.is_head_repo_fork {
+                warn!(
+                    "CodSpeed was unable to request an OIDC token for this job.\n
+                    Add the `id-token: write` permission to your workflow, and benefit from enhanced security and faster processing times.\n
+                    Learn more at https://codspeed.io/docs/integrations/ci/github-actions#openid-connect-oidc-authentication"
+                );
+            }
+
+            return;
+        }
+
+        let request_url = request_url.unwrap();
+        let request_url = format!("{request_url}&audience={}", self.get_oidc_audience());
+        let request_token = request_token.unwrap();
+
+        let token = match OIDC_CLIENT
+            .get(request_url)
+            .header("Accept", "application/json")
+            .header("Authorization", format!("Bearer {request_token}"))
+            .send()
+            .await
+        {
+            Ok(response) => match response.json::<OIDCResponse>().await {
+                Ok(oidc_response) => oidc_response.value,
+                Err(_) => None,
+            },
+            Err(_) => None,
+        };
+
+        if token.is_some() {
+            debug!("Successfully retrieved OIDC token for authentication.");
+            config.set_token(token);
+        } else {
+            warn!("Failed to retrieve OIDC token for authentication.");
+        }
+    }
 }
 
 #[cfg(test)]
@@ -298,6 +385,7 @@ mod tests {
                     github_actions_provider.sender.as_ref().unwrap().id,
                     "1234567890"
                 );
+                assert!(!github_actions_provider.is_head_repo_fork);
             },
         )
     }
@@ -338,6 +426,8 @@ mod tests {
                     ..Config::test()
                 };
                 let github_actions_provider = GitHubActionsProvider::try_from(&config).unwrap();
+                assert!(!github_actions_provider.is_head_repo_fork);
+
                 let run_environment_metadata = github_actions_provider
                     .get_run_environment_metadata()
                     .unwrap();
@@ -391,6 +481,8 @@ mod tests {
                     ..Config::test()
                 };
                 let github_actions_provider = GitHubActionsProvider::try_from(&config).unwrap();
+                assert!(github_actions_provider.is_head_repo_fork);
+
                 let run_environment_metadata = github_actions_provider
                     .get_run_environment_metadata()
                     .unwrap();
@@ -471,6 +563,8 @@ mod tests {
                     ..Config::test()
                 };
                 let github_actions_provider = GitHubActionsProvider::try_from(&config).unwrap();
+                assert!(!github_actions_provider.is_head_repo_fork);
+
                 let run_environment_metadata = github_actions_provider
                     .get_run_environment_metadata()
                     .unwrap();
@@ -503,6 +597,7 @@ mod tests {
                 },
                 event: RunEvent::Push,
                 repository_root_path: "/home/work/my-repo".into(),
+                is_head_repo_fork: false,
             };
 
             let run_part = github_actions_provider.get_run_provider_run_part().unwrap();
@@ -545,6 +640,7 @@ mod tests {
                     },
                     event: RunEvent::Push,
                     repository_root_path: "/home/work/my-repo".into(),
+                    is_head_repo_fork: false,
                 };
 
                 let run_part = github_actions_provider.get_run_provider_run_part().unwrap();
@@ -596,6 +692,7 @@ mod tests {
                     },
                     event: RunEvent::Push,
                     repository_root_path: "/home/work/my-repo".into(),
+                    is_head_repo_fork: false,
                 };
 
                 let run_part = github_actions_provider.get_run_provider_run_part().unwrap();
@@ -645,6 +742,7 @@ mod tests {
                     },
                     event: RunEvent::Push,
                     repository_root_path: "/home/work/my-repo".into(),
+                    is_head_repo_fork: false,
                 };
 
                 let run_part = github_actions_provider.get_run_provider_run_part().unwrap();

src/run/run_environment/gitlab_ci/provider.rs

@@ -1,3 +1,4 @@
+use async_trait::async_trait;
 use simplelog::SharedLogger;
 use std::collections::BTreeMap;
 use std::env;
@@ -139,6 +140,7 @@ impl RunEnvironmentDetector for GitLabCIProvider {
     }
 }
 
+#[async_trait(?Send)]
 impl RunEnvironmentProvider for GitLabCIProvider {
     fn get_logger(&self) -> Box<dyn SharedLogger> {
         Box::new(GitLabCILogger::new())
@@ -175,6 +177,13 @@ impl RunEnvironmentProvider for GitLabCIProvider {
             metadata: BTreeMap::new(),
         })
     }
+
+    /// For GitLab CI, OIDC tokens must be passed via env variable.
+    ///
+    /// See:
+    /// - https://docs.gitlab.com/integration/openid_connect_provider/
+    /// - https://docs.gitlab.com/ci/secrets/id_token_authentication/
+    async fn set_oidc_token(&self, _config: &mut Config) {}
 }
 
 #[cfg(test)]

src/run/run_environment/local/provider.rs

@@ -1,3 +1,4 @@
+use async_trait::async_trait;
 use git2::Repository;
 use simplelog::SharedLogger;
 
@@ -117,6 +118,7 @@ impl RunEnvironmentDetector for LocalProvider {
     }
 }
 
+#[async_trait(?Send)]
 impl RunEnvironmentProvider for LocalProvider {
     fn get_repository_provider(&self) -> RepositoryProvider {
         self.repository_provider.clone()

src/run/run_environment/provider.rs

@@ -1,3 +1,4 @@
+use async_trait::async_trait;
 use git2::Repository;
 use simplelog::SharedLogger;
 
@@ -16,8 +17,16 @@ pub trait RunEnvironmentDetector {
     fn detect() -> bool;
 }
 
+/// Audience to be used when requesting OIDC tokens.
+///
+/// It will be validated when the token is used to authenticate with CodSpeed.
+///
+/// This value must match the audience configured in CodSpeed backend.
+static OIDC_AUDIENCE: &str = "codspeed.io";
+
 /// `RunEnvironmentProvider` is a trait that defines the necessary methods
 /// for a continuous integration provider.
+#[async_trait(?Send)]
 pub trait RunEnvironmentProvider {
     /// Returns the logger for the RunEnvironment.
     fn get_logger(&self) -> Box<dyn SharedLogger>;
@@ -34,6 +43,21 @@ pub trait RunEnvironmentProvider {
     /// Return the metadata necessary to identify the `RunPart`
     fn get_run_provider_run_part(&self) -> Option<RunPart>;
 
+    /// Get the OIDC audience that must be used when requesting OIDC tokens.
+    ///
+    /// It will be validated when the token is used to authenticate with CodSpeed.
+    fn get_oidc_audience(&self) -> &str {
+        OIDC_AUDIENCE
+    }
+
+    /// Handle an OIDC token for the current run environment, if supported.
+    ///
+    /// Updates the config if necessary.
+    ///
+    /// Depending on the provider, this may involve requesting the token,
+    /// warning the user about potential misconfigurations, or other necessary steps.
+    async fn set_oidc_token(&self, _config: &mut Config) {}
+
     /// Returns the metadata necessary for uploading results to CodSpeed.
     ///
     /// # Arguments