

drop pydantic dep (#320)
Signed-off-by: William Woodruff <[email protected]>
woodruffw authored Dec 4, 2024
1 parent 4e7bffc commit 2449d3a
Showing 3 changed files with 33 additions and 20 deletions.
18 changes: 5 additions & 13 deletions id/_internal/oidc/ambient.py
Expand Up @@ -26,7 +26,6 @@
import subprocess # nosec B404

import requests
from pydantic import BaseModel, StrictStr

from ... import AmbientCredentialError, GitHubOidcPermissionCredentialError

Expand All @@ -46,16 +45,6 @@
_env_var_regex = re.compile(r"[^A-Z0-9_]|^[^A-Z_]")


class _GitHubTokenPayload(BaseModel):
"""
A trivial model for GitHub's OIDC token endpoint payload.
This exists solely to provide nice error handling.
"""

value: StrictStr


def detect_github(audience: str) -> str | None:
"""
Detect and return a GitHub Actions ambient OIDC credential.
Expand Down Expand Up @@ -106,12 +95,15 @@ def detect_github(audience: str) -> str | None:

try:
body = resp.json()
payload = _GitHubTokenPayload(**body)
value = body["value"]

if not isinstance(value, str):
raise ValueError("OIDC token is not a string")
except Exception as e:
raise AmbientCredentialError("GitHub: malformed or incomplete JSON") from e

logger.debug("GitHub: successfully requested OIDC token")
return payload.value
return value


def detect_gcp(audience: str) -> str | None:
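Review bot: The new `isinstance(value, str)` check after `value = body["value"]` accepts an empty string, so a `{"value": ""}` payload is returned as a credential rather than rejected here; that matches the previous `StrictStr` behaviour, but if an empty token is never usable, `if not isinstance(value, str) or not value:` would reject it at the source with the existing `AmbientCredentialError`. A non-object body (a JSON list or string) makes `body["value"]` raise `TypeError`, which the surrounding `except Exception` still folds into the same error, so that case is covered only implicitly; a comment such as `# body may be any JSON type; every failure here is reported as a malformed payload` would make the reliance on the broad except visible. `detect_github` starts and ends outside this hunk.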
6 changes: 1 addition & 5 deletions pyproject.toml
Expand Up @@ -23,7 +23,7 @@ classifiers = [
"Topic :: Security",
"Topic :: Security :: Cryptography",
]
dependencies = ["pydantic", "requests"]
dependencies = ["requests"]
requires-python = ">=3.8"

[project.urls]
Expand Down Expand Up @@ -55,9 +55,6 @@ id = "id.__main__:main"
# environment, or the CLI (which is documented separately).
ignore-semiprivate = true
ignore-private = true
# Ignore nested classes for docstring coverage because we use them primarily
# for pydantic model configuration.
ignore-nested-classes = true
fail-under = 100

[tool.mypy]
Expand All @@ -76,7 +73,6 @@ warn_return_any = true
warn_unreachable = true
warn_unused_configs = true
warn_unused_ignores = true
plugins = ["pydantic.mypy"]

[tool.bandit]
exclude_dirs = ["./test"]
29 changes: 27 additions & 2 deletions test/unit/internal/oidc/test_ambient.py
Expand Up @@ -143,12 +143,37 @@ def test_detect_github_request_timeout(monkeypatch):
]


def test_detect_github_bad_payload(monkeypatch):
def test_detect_github_invalid_json_payload(monkeypatch):
monkeypatch.setenv("GITHUB_ACTIONS", "true")
monkeypatch.setenv("ACTIONS_ID_TOKEN_REQUEST_TOKEN", "faketoken")
monkeypatch.setenv("ACTIONS_ID_TOKEN_REQUEST_URL", "fakeurl")

resp = pretend.stub(raise_for_status=lambda: None, json=pretend.call_recorder(lambda: {}))
resp = pretend.stub(raise_for_status=lambda: None, json=pretend.raiser(json.JSONDecodeError))
requests = pretend.stub(get=pretend.call_recorder(lambda url, **kw: resp))
monkeypatch.setattr(ambient, "requests", requests)

with pytest.raises(
ambient.AmbientCredentialError,
match="GitHub: malformed or incomplete JSON",
):
ambient.detect_github("some-audience")
assert requests.get.calls == [
pretend.call(
"fakeurl",
params={"audience": "some-audience"},
headers={"Authorization": "bearer faketoken"},
timeout=30,
)
]


@pytest.mark.parametrize("payload", [{}, {"notvalue": None}, {"value": None}, {"value": 1234}])
def test_detect_github_bad_payload(monkeypatch, payload):
monkeypatch.setenv("GITHUB_ACTIONS", "true")
monkeypatch.setenv("ACTIONS_ID_TOKEN_REQUEST_TOKEN", "faketoken")
monkeypatch.setenv("ACTIONS_ID_TOKEN_REQUEST_URL", "fakeurl")

resp = pretend.stub(raise_for_status=lambda: None, json=pretend.call_recorder(lambda: payload))
requests = pretend.stub(get=pretend.call_recorder(lambda url, **kw: resp))
monkeypatch.setattr(ambient, "requests", requests)

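Review bot: `pretend.raiser(json.JSONDecodeError)` in `test_detect_github_invalid_json_payload` hands over the class rather than an instance, and `raise json.JSONDecodeError` then fails with `TypeError` because the constructor requires `msg`, `doc` and `pos`; the test still passes only because `detect_github` wraps any `Exception` into `AmbientCredentialError`, so it does not actually exercise the decode-error path. Passing an instance, `pretend.raiser(json.JSONDecodeError("bad json", "", 0))`, pins the intended failure. The parametrized `test_detect_github_bad_payload` could also include a non-object body such as `[]` or `"value"`, since `resp.json()` can return those and they reach the new `body["value"]` lookup through a different exception. The parametrized test's body continues past the end of the hunk, and `json` must be imported at module level outside it.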
