Authentication: trusted publishing setup for artifact publishing

Author: glaubinix

composer.json

@@ -18,7 +18,8 @@
         "php-http/discovery": "^1.0",
         "psr/http-client-implementation": "^1.0",
         "php-http/message-factory": "^1.0",
-        "psr/http-message-implementation": "^1.0"
+        "psr/http-message-implementation": "^1.0",
+        "private-packagist/oidc-identities": "dev-main"
     },
     "require-dev": {
         "friendsofphp/php-cs-fixer": "^3.0",

src/Client.php

@@ -16,6 +16,7 @@
 use PrivatePackagist\ApiClient\HttpClient\Plugin\ExceptionThrower;
 use PrivatePackagist\ApiClient\HttpClient\Plugin\PathPrepend;
 use PrivatePackagist\ApiClient\HttpClient\Plugin\RequestSignature;
+use PrivatePackagist\ApiClient\HttpClient\Plugin\TrustedPublishingTokenExchange;
 
 class Client
 {
@@ -58,6 +59,14 @@ public function authenticate(
         $this->httpClientBuilder->addPlugin(new RequestSignature($key, $secret));
     }
 
+    /**
+     * @param string $organizationUrlName
+     */
+    public function authenticateWithTrustedPublishing($organizationUrlName) {
+        $this->httpClientBuilder->removePlugin(TrustedPublishingTokenExchange::class);
+        $this->httpClientBuilder->addPlugin(new TrustedPublishingTokenExchange($organizationUrlName));
+    }
+
     public function credentials()
     {
         return new Api\Credentials($this, $this->responseMediator);

src/HttpClient/Plugin/TrustedPublishingTokenExchange.php

@@ -0,0 +1,60 @@
+<?php declare(strict_types=1);
+
+namespace PrivatePackagist\ApiClient\HttpClient\Plugin;
+
+use Http\Client\Common\HttpMethodsClient;
+use Http\Client\Common\Plugin;
+use Http\Discovery\Psr17FactoryDiscovery;
+use Http\Discovery\Psr18ClientDiscovery;
+use PrivatePackagist\ApiClient\HttpClient\HttpPluginClientBuilder;
+use PrivatePackagist\OIDC\Identities\TokenGenerator;
+use Psr\Http\Message\RequestInterface;
+use Psr\Log\LoggerInterface;
+
+class TrustedPublishingTokenExchange implements Plugin
+{
+    use Plugin\VersionBridgePlugin;
+
+    /** @var string */
+    private $organizationUrlName;
+    /** @var HttpPluginClientBuilder $httpPluginClientBuilder */
+    private $httpPluginClientBuilder;
+    /** @var LoggerInterface */
+    private $logger;
+
+    /**
+     * @param string $organizationUrlName
+     */
+    public function __construct($organizationUrlName, HttpPluginClientBuilder $httpPluginClientBuilder, LoggerInterface $logger)
+    {
+        $this->organizationUrlName = $organizationUrlName;
+        $this->httpPluginClientBuilder = $httpPluginClientBuilder;
+        $this->logger = $logger;
+    }
+
+    protected function doHandleRequest(RequestInterface $request, callable $next, callable $first)
+    {
+        $privatePackagistHttpclient = $this->httpPluginClientBuilder->getHttpClient();
+        $audience = json_decode((string) $privatePackagistHttpclient->get('/oidc/audience')->getBody(), true);
+        $this->logger->debug('Audience', $audience);
+
+        $oidcHttpClient = new HttpMethodsClient(
+            Psr18ClientDiscovery::find(),
+            Psr17FactoryDiscovery::findRequestFactory(),
+            Psr17FactoryDiscovery::findStreamFactory()
+        );
+
+        $tokenGenerator = new TokenGenerator($this->logger, $oidcHttpClient);
+        $token = $tokenGenerator->generate($audience['audience']);
+        if (!$token) {
+            return $next($request);
+        }
+
+        $apiCredentials = json_decode((string) $privatePackagistHttpclient->post('/oidc/mint-token/' . $this->organizationUrlName, ['Authorization' => 'Bearer ' . $token->token])->getBody(), true);
+
+        $this->httpPluginClientBuilder->removePlugin(self::class);
+        $this->httpPluginClientBuilder->addPlugin($requestSignature = new RequestSignature($apiCredentials['key'], $apiCredentials['secret']));
+
+        return $requestSignature->handleRequest($request, $next, $first);
+    }
+}