Conversation

@ryanrousseau
Contributor

Background

This PR adds a step that will authenticate a generic OIDC account against an Octopus Server and provide the resulting access token as an output variable.

Pre-requisites

  • Id should be a GUID that is not 00000000-0000-0000-0000-000000000000
    • NOTE If you are modifying an existing step template, please make sure that you do not modify the Id property (updating the Id will break the Library sync functionality in Octopus).
  • Version should be incremented, otherwise the integration with Octopus won't update the step template correctly
  • Parameter names should not start with $
  • Step template parameter names (the ones declared in the JSON, not the script body) should be prefixed with a namespace so that they are less likely to clash with other user-defined variables in Octopus (see this issue). For example, use an abbreviated name of the step template or the category of the step template.
  • LastModifiedBy field must be present, and (optionally) updated with the correct author
  • The best practices documented here have been applied

@ryanrousseau ryanrousseau requested a review from twerthi September 3, 2025 14:47
@github-actions

github-actions bot commented Sep 3, 2025

Start Hyponome locally

docker pull ghcr.io/hnrkndrssn/hyponome:main
docker run --rm -p 8000:8080 -it ghcr.io/hnrkndrssn/hyponome:main

Review in Hyponome

@ryanrousseau
Contributor Author

ryanrousseau commented Sep 3, 2025

Script body

function Invoke-OctopusApi {
  param(
    $Uri,
    $Method,
    $Body
  )

  try {
    Write-Verbose "Making request to $Uri"

    if ($null -eq $Body)
    {
      Write-Verbose "No body to send in the request"
      return Invoke-RestMethod -Method $Method -Uri $Uri -ContentType "application/json; charset=utf-8" -ErrorAction Stop
    }

    $Body = $Body | ConvertTo-Json -Depth 10
    # The body of the token-exchange request carries the subject JWT, so this
    # verbose line only belongs in a debugging session, never in normal task logs.
    Write-Verbose $Body

    return Invoke-RestMethod -Uri $Uri -Method $Method -Body $Body -ContentType "application/json; charset=utf-8" -ErrorAction Stop
  }
  catch {
    Write-Host "Request failed with message `"$($_.Exception.Message)`""

    if ($_.Exception.Response) {
      $code = $_.Exception.Response.StatusCode.value__
      $message = $_.Exception.Message
      Write-Host "HTTP response code: $code"

      # Print the message captured above; $error is PowerShell's automatic error
      # collection and would dump the whole session history instead of this failure.
      Write-Host "Server returned: $message"
    }

    Fail-Step "Failed to make $Method request to $Uri"
  }
}

if ([string]::IsNullOrWhiteSpace($OctopusParameters["AuthenticateWithOIDC.ServerUri"])) {
  Fail-Step "Octopus Server Uri is required."
}

if ([string]::IsNullOrWhiteSpace($OctopusParameters["AuthenticateWithOIDC.OidcAccount"])) {
  Fail-Step "OIDC Account is required."
}

$server = $OctopusParameters["AuthenticateWithOIDC.ServerUri"]
$serviceAccountId = $OctopusParameters["AuthenticateWithOIDC.OidcAccount.Audience"]
$jwt = $OctopusParameters["AuthenticateWithOIDC.OidcAccount.OpenIdConnect.Jwt"]

$body = @{
  grant_type = "urn:ietf:params:oauth:grant-type:token-exchange";
  audience = "$serviceAccountId";
  subject_token_type = "urn:ietf:params:oauth:token-type:jwt";
  subject_token = "$jwt"
}

$uri = "$server/.well-known/openid-configuration"
$response = Invoke-OctopusApi -Uri $uri -Method "GET"
$response = Invoke-OctopusApi -Uri $response.token_endpoint -Method "POST" -Body $body

Set-OctopusVariable -name "AccessToken" -value $response.access_token -sensitive

$stepName = $OctopusParameters["Octopus.Step.Name"]
Write-Host "Created output variable: ##{Octopus.Action[$stepName].Output.AccessToken}"
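The script above trusts whatever `token_endpoint` the discovery document returns and posts the subject JWT there. As an added example (not code from this PR or from the Octopus step library), the PowerShell below shows the checks a defender would put around that exchange: the discovery document must name an https token endpoint on the same host and port as the configured server, the request body is built with the same RFC 8693 fields the step sends, and the response is validated without ever echoing the token. The function names, the sample discovery document, the `/token/v1` path and the audience value are constructed for illustration and are not Octopus's real values.

```powershell
# Added example, not part of the PR. Function names are hypothetical.

function Test-OidcTokenEndpoint {
  param(
    [Parameter(Mandatory)] [string] $ServerUri,  # configured Octopus Server base URL
    [Parameter(Mandatory)] $Discovery            # parsed /.well-known/openid-configuration
  )

  if ([string]::IsNullOrWhiteSpace($Discovery.token_endpoint)) {
    throw "Discovery document has no token_endpoint"
  }

  $server   = [System.Uri] $ServerUri
  $endpoint = [System.Uri] $Discovery.token_endpoint

  # The subject JWT is a bearer credential for this exchange: never send it in clear text.
  if ($endpoint.Scheme -ne "https") {
    throw "token_endpoint must use https, got '$($endpoint.Scheme)'"
  }

  # Only post the JWT back to the server we asked. Uri.Port fills in the scheme
  # default (443), so "https://host" and "https://host:443" compare equal.
  if ($endpoint.Host -ne $server.Host -or $endpoint.Port -ne $server.Port) {
    throw "token_endpoint authority '$($endpoint.Authority)' does not match server '$($server.Authority)'"
  }

  return $endpoint.AbsoluteUri
}

function New-TokenExchangeBody {
  param(
    [Parameter(Mandatory)] [string] $Audience,
    [Parameter(Mandatory)] [string] $SubjectToken
  )
  # RFC 8693 token-exchange request: the same four fields the step template sends.
  return @{
    grant_type         = "urn:ietf:params:oauth:grant-type:token-exchange"
    audience           = $Audience
    subject_token_type = "urn:ietf:params:oauth:token-type:jwt"
    subject_token      = $SubjectToken
  }
}

function Test-AccessTokenResponse {
  param([Parameter(Mandatory)] $Response)

  if ([string]::IsNullOrWhiteSpace($Response.access_token)) {
    throw "Token endpoint returned no access_token"
  }
  # Log shape only (length, lifetime), never the token itself; the step already
  # stores it with -sensitive so Octopus masks it in task logs.
  Write-Host "Received access token ($($Response.access_token.Length) chars, expires_in=$($Response.expires_in))"
  return $true
}

# Constructed sample discovery document standing in for the real GET response.
$sampleDiscovery = [pscustomobject]@{
  issuer         = "https://octopus.example.com"
  token_endpoint = "https://octopus.example.com/token/v1"   # constructed path
}

$tokenEndpoint = Test-OidcTokenEndpoint -ServerUri "https://octopus.example.com" -Discovery $sampleDiscovery
$body = New-TokenExchangeBody -Audience "api://sample-audience" -SubjectToken "<subject jwt from Octopus>"

# Live call, identical to the step's POST once the endpoint has passed the checks:
# $response = Invoke-RestMethod -Uri $tokenEndpoint -Method Post -Body ($body | ConvertTo-Json) `
#   -ContentType "application/json; charset=utf-8" -ErrorAction Stop
# Test-AccessTokenResponse -Response $response

# Constructed response used here so the script runs offline.
Test-AccessTokenResponse -Response ([pscustomobject]@{ access_token = "<redacted>"; token_type = "Bearer"; expires_in = 3600 })
```

A discovery document that points at a different host would fail `Test-OidcTokenEndpoint` before any request carrying the JWT is made, which is the point of running the check between the GET and the POST rather than after.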

Contributor

@twerthi twerthi left a comment

LGTM

@ryanrousseau ryanrousseau enabled auto-merge (rebase) September 3, 2025 15:30
auto-merge was automatically disabled September 5, 2025 12:45

Pull request was closed

@ryanrousseau ryanrousseau reopened this Sep 5, 2025
@ryanrousseau ryanrousseau merged commit ce3171a into OctopusDeploy:master Sep 5, 2025
2 checks passed
@ryanrousseau ryanrousseau deleted the login-with-oidc branch September 5, 2025 12:46