refactor: extract shared create_session utility

cloudsmith-iduffy · Copilot · cloudsmith-iduffy · commit 050c1b695221 · 2026-03-14T14:39:15.000Z
Move HTTP session creation logic into a shared create_session() function
in cloudsmith_cli/core/credentials/session.py. This provides a single
place for configuring proxy, SSL verification, user-agent, headers, and
optional Bearer auth on requests sessions.

Refactor KeyringProvider to use the shared function instead of inline
session configuration.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/cloudsmith_cli/core/credentials/oidc/exchange.py b/cloudsmith_cli/core/credentials/oidc/exchange.py
@@ -0,0 +1,129 @@
+"""Cloudsmith OIDC token exchange.
+
+Exchanges a vendor CI/CD OIDC JWT for a short-lived Cloudsmith API token
+via the POST /openid/{org}/ endpoint.
+
+References:
+    https://help.cloudsmith.io/docs/openid-connect
+"""
+
+from __future__ import annotations
+
+import logging
+import random
+import time
+from typing import TYPE_CHECKING
+
+import requests
+
+if TYPE_CHECKING:
+    from ...config_resolver import ClientConfig
+
+logger = logging.getLogger(__name__)
+
+DEFAULT_TIMEOUT = 30
+MAX_RETRIES = 3
+
+
+def exchange_oidc_token(
+    config: ClientConfig,
+    org: str,
+    service_slug: str,
+    oidc_token: str,
+) -> str:
+    """Exchange a vendor OIDC JWT for a Cloudsmith API token.
+
+    Raises:
+        OidcExchangeError: If the exchange fails after retries.
+    """
+    host = config.api_host.rstrip("/")
+    if not host.startswith("http"):
+        host = f"https://{host}"
+
+    url = f"{host}/openid/{org}/"
+    payload = {
+        "oidc_token": oidc_token,
+        "service_slug": service_slug,
+    }
+
+    session = config.create_session()
+
+    last_error = None
+    try:
+        for attempt in range(1, MAX_RETRIES + 1):
+            try:
+                response = session.post(
+                    url,
+                    json=payload,
+                    headers={"Content-Type": "application/json"},
+                    timeout=DEFAULT_TIMEOUT,
+                )
+            except requests.exceptions.RequestException as exc:
+                last_error = OidcExchangeError(
+                    f"OIDC token exchange request failed: {exc}"
+                )
+                logger.debug(
+                    "OIDC exchange attempt %d/%d failed with error: %s",
+                    attempt,
+                    MAX_RETRIES,
+                    exc,
+                )
+                if attempt < MAX_RETRIES:
+                    backoff = min(30, (2**attempt) + random.uniform(0, 1))
+                    logger.debug("Retrying in %.1fs...", backoff)
+                    time.sleep(backoff)
+                continue
+
+            if response.status_code in (200, 201):
+                data = response.json()
+                token = data.get("token")
+                if not token or not isinstance(token, str) or not token.strip():
+                    raise OidcExchangeError(
+                        "Cloudsmith OIDC exchange returned an empty or invalid token"
+                    )
+                return token
+
+            # 4xx errors are not retryable
+            if 400 <= response.status_code < 500:
+                try:
+                    error_json = response.json()
+                    error_detail = error_json.get(
+                        "detail", error_json.get("error", str(error_json))
+                    )
+                except Exception:  # pylint: disable=broad-exception-caught
+                    error_detail = response.text[:200]
+
+                logger.debug(
+                    "OIDC exchange 4xx error: %s - %s",
+                    response.status_code,
+                    error_detail,
+                )
+                raise OidcExchangeError(
+                    f"OIDC token exchange failed with {response.status_code}: "
+                    f"{error_detail}"
+                )
+
+            # 5xx errors are retryable
+            last_error = OidcExchangeError(
+                f"OIDC token exchange failed with {response.status_code} "
+                f"(attempt {attempt}/{MAX_RETRIES})"
+            )
+            logger.debug(
+                "OIDC exchange attempt %d/%d failed with status %d",
+                attempt,
+                MAX_RETRIES,
+                response.status_code,
+            )
+
+            if attempt < MAX_RETRIES:
+                backoff = min(30, (2**attempt) + random.uniform(0, 1))
+                logger.debug("Retrying in %.1fs...", backoff)
+                time.sleep(backoff)
+
+        raise last_error
+    finally:
+        session.close()
+
+
+class OidcExchangeError(Exception):
+    """Raised when the OIDC token exchange with Cloudsmith fails."""
