oidc-exhcange: factor out audience call check

Signed-off-by: William Woodruff <[email protected]>

Author: woodruffw

oidc-exchange.py

@@ -47,6 +47,31 @@ def get_normalized_input(name: str) -> str | None:
     return os.getenv(name.replace("-", "_"))
 
 
+def assert_successful_audience_call(resp: requests.Response, domain: str):
+    if resp.ok:
+        return
+
+    match resp.status_code:
+        case 403:
+            # This index supports OIDC, but forbids the client from using
+            # it (either because it's disabled, ratelimited, etc.)
+            die(f"audience retrieval failed: repository at {domain} has OIDC disabled")
+        case 404:
+            # This index does not support OIDC.
+            die(
+                "audience retrieval failed: repository at "
+                f"{domain} does not indicate OIDC support"
+            )
+        case other:
+            # Unknown: the index may or may not support OIDC, but didn't respond with
+            # something we expect. This can happen if the index is broken, in maintenance mode,
+            # misconfigured, etc.
+            die(
+                "audience retrieval failed: repository at "
+                f"{domain} responded with unexpected {other}"
+            )
+
+
 repository_url = get_normalized_input("repository-url")
 if not repository_url:
     # Easy case: no explicit repository URL, which means we're using PyPI and we can just
@@ -61,28 +86,7 @@ def get_normalized_input(name: str) -> str | None:
     # which tells OIDC exchange clients which audience to use.
     audience_url = f"https://{repository_domain}/_/oidc/audience"
     audience_resp = requests.get(audience_url)
-
-    if not audience_resp.ok:
-        if audience_resp.status_code == 403:
-            # This index supports OIDC, but forbids the client from using
-            # it (either because it's disabled, ratelimited, etc.)
-            die(
-                f"audience retrieval failed: repository at {repository_domain} has OIDC disabled"
-            )
-        elif audience_resp.status_code == 404:
-            # This index does not support OIDC.
-            die(
-                "audience retrieval failed: repository at "
-                f"{repository_domain} does not indicate OIDC support"
-            )
-        else:
-            # Unknown: the index may or may not support OIDC, but didn't respond with
-            # something we expect. This can happen if the index is broken, in maintenance mode,
-            # misconfigured, etc.
-            die(
-                "audience retrieval failed: repository at "
-                f"{repository_domain} responded with unexpected {audience_resp.status_code}"
-            )
+    assert_successful_audience_call(audience_resp, repository_domain)
 
     oidc_audience = audience_resp.json()["audience"]