Merge pull request #269 from depot/debug-oidc

Add debug env var for OIDC exchange
depot · Apr 11, 2024 · 6b365f6 · 6b365f6
2 parents c6e9eca + 7e68923
commit 6b365f6
Show file tree

Hide file tree

Showing 6 changed files with 31 additions and 2 deletions.
diff --git a/pkg/helpers/token.go b/pkg/helpers/token.go
@@ -20,8 +20,20 @@ func ResolveToken(ctx context.Context, token string) (string, error) {
 	}
 
 	if token == "" {
+		var err error
+		debug := os.Getenv("DEPOT_DEBUG_OIDC") != ""
+
 		for _, provider := range oidc.Providers {
-			token, _ = provider.RetrieveToken(ctx)
+			if debug {
+				fmt.Printf("Trying OIDC provider %s\n", provider.Name())
+			}
+
+			token, err = provider.RetrieveToken(ctx)
+
+			if err != nil && debug {
+				fmt.Printf("OIDC provider %s failed: %v\n", provider.Name(), err)
+			}
+
 			if token != "" {
 				return token, nil
 			}

diff --git a/pkg/oidc/actionspublic.go b/pkg/oidc/actionspublic.go
@@ -13,6 +13,10 @@ func NewActionsPublicProvider() *ActionsPublicProvider {
 	return &ActionsPublicProvider{}
 }
 
+func (p *ActionsPublicProvider) Name() string {
+	return "actions-public"
+}
+
 func (p *ActionsPublicProvider) RetrieveToken(ctx context.Context) (string, error) {
 	token, err := actionspublic.RetrieveToken(ctx, "https://depot.dev")
 	return token, err

diff --git a/pkg/oidc/buildkite.go b/pkg/oidc/buildkite.go
@@ -16,10 +16,14 @@ func NewBuildkiteOIDCProvider() *BuildkiteOIDCProvider {
 	return &BuildkiteOIDCProvider{}
 }
 
+func (p *BuildkiteOIDCProvider) Name() string {
+	return "buildkite"
+}
+
 func (p *BuildkiteOIDCProvider) RetrieveToken(ctx context.Context) (string, error) {
 	agentToken := os.Getenv("BUILDKITE_AGENT_ACCESS_TOKEN")
 	if agentToken == "" {
-		return "", nil
+		return "", fmt.Errorf("Not running in a Buildkite agent environment")
 	}
 
 	endpoint := os.Getenv("BUILDKITE_AGENT_ENDPOINT")

diff --git a/pkg/oidc/circleci.go b/pkg/oidc/circleci.go
@@ -12,6 +12,10 @@ func NewCircleCIOIDCProvider() *CircleCIOIDCProvider {
 	return &CircleCIOIDCProvider{}
 }
 
+func (p *CircleCIOIDCProvider) Name() string {
+	return "circleci"
+}
+
 func (p *CircleCIOIDCProvider) RetrieveToken(ctx context.Context) (string, error) {
 	token := os.Getenv("CIRCLE_OIDC_TOKEN_V2")
 	return token, nil

diff --git a/pkg/oidc/github.go b/pkg/oidc/github.go
@@ -14,6 +14,10 @@ func NewGitHubOIDCProvider() *GitHubOIDCProvider {
 	return &GitHubOIDCProvider{}
 }
 
+func (p *GitHubOIDCProvider) Name() string {
+	return "github"
+}
+
 func (p *GitHubOIDCProvider) RetrieveToken(ctx context.Context) (string, error) {
 	requestToken := os.Getenv("ACTIONS_ID_TOKEN_REQUEST_TOKEN")
 	if requestToken == "" {

diff --git a/pkg/oidc/provider.go b/pkg/oidc/provider.go
@@ -5,6 +5,7 @@ import "context"
 const audience = "https://depot.dev"
 
 type OIDCProvider interface {
+	Name() string
 	RetrieveToken(ctx context.Context) (string, error)
 }