Add a failing system test for creating an API Key Role for Buildkite

The form and POSTing to create works, but the resulting API Key Role has a condition that expects a principal of "https://token.actions.githubusercontent.com"
rubygems · Feb 13, 2025 · 6613f4d · 6613f4d
1 parent 763630d
commit 6613f4d
Showing 1 changed file with 82 additions and 0 deletions.
diff --git a/test/system/oidc_test.rb b/test/system/oidc_test.rb
@@ -218,6 +218,88 @@ def verify_session # rubocop:disable Minitest/TestMethodName
     assert_equal_hash(expected, role.reload.as_json.slice(*expected.keys))
   end
 
+  test "creating an api key role for a provider who isn't GitHub" do
+    provider_two = create(:oidc_provider_buildkite, issuer: "https://agent.buildkite.com")
+    rubygem = create(:rubygem, owners: [@user])
+
+    # We intentionally use a gem that hosts source on GitHub, but a different CI/CD provider for pushing
+    create(:version, rubygem: rubygem, metadata: { "source_code_uri" => "https://github.com/example/repo" })
+
+    sign_in
+    page.assert_selector "h1", text: "Dashboard"
+    visit rubygem_path(rubygem.slug)
+    click_link "OIDC: Create"
+    verify_session
+
+    page.assert_selector "h1", text: "New OIDC API Key Role"
+
+    # The page loads defaulting to Github Actions shaped config
+    assert_field "Name", with: "Push #{rubygem.name}"
+    assert_select "OIDC provider", options: ["https://token.actions.githubusercontent.com","https://agent.buildkite.com"], selected: "https://token.actions.githubusercontent.com"
+    assert_checked_field "Push rubygem"
+    assert_field "Valid for", with: "PT30M"
+    assert_select "Gem Scope", options: ["All Gems", rubygem.name], selected: rubygem.name
+
+    assert_select "Effect", options: %w[allow deny], selected: "allow",
+      id: "oidc_api_key_role_access_policy_statements_attributes_0_effect"
+    assert_field "Claim", with: "aud",
+      id: "oidc_api_key_role_access_policy_statements_attributes_0_conditions_attributes_0_claim"
+    assert_select "Operator", options: ["String Equals", "String Matches"], selected: "String Equals",
+      id: "oidc_api_key_role_access_policy_statements_attributes_0_conditions_attributes_0_operator"
+    assert_field "Value", with: Gemcutter::HOST,
+      id: "oidc_api_key_role_access_policy_statements_attributes_0_conditions_attributes_0_value"
+    assert_field "Claim", with: "repository",
+      id: "oidc_api_key_role_access_policy_statements_attributes_0_conditions_attributes_1_claim"
+    assert_select "Operator", options: ["String Equals", "String Matches"], selected: "String Equals",
+      id: "oidc_api_key_role_access_policy_statements_attributes_0_conditions_attributes_1_operator"
+    assert_field "Value", with: "example/repo",
+      id: "oidc_api_key_role_access_policy_statements_attributes_0_conditions_attributes_1_value"
+
+    # Adjust the form to align with Buildkite OIDC tokens
+    page.select "https://agent.buildkite.com", from: "OIDC provider"
+
+    last_condition = page.find_all(id: /oidc_api_key_role_access_policy_statements_attributes_\d+_conditions_attributes_\d+_wrapper/).last
+    last_condition.fill_in "Claim", with: "organization_slug"
+    last_condition.fill_in "Value", with: "example-org"
+
+    page.click_button "Add condition"
+    new_condition = page.find_all(id: /oidc_api_key_role_access_policy_statements_attributes_\d+_conditions_attributes_\d+_wrapper/).last
+    new_condition.fill_in "Claim", with: "pipeline_slug"
+    new_condition.fill_in "Value", with: "example-pipeline"
+
+    click_button "Create Api key role"
+
+    page.assert_selector "h1", text: "API Key Role Push #{rubygem.name}"
+
+    role = OIDC::ApiKeyRole.where(name: "Push #{rubygem.name}", user: @user, provider: provider_two).sole
+
+    token = role.token
+    expected = {
+      "name" => "Push #{rubygem.name}",
+      "token" => token,
+      "api_key_permissions" => {
+        "scopes" => ["push_rubygem"],
+        "valid_for" => 1800,
+        "gems" => [rubygem.name]
+      },
+      "access_policy" => {
+        "statements" => [
+          {
+            "effect" => "allow",
+            "principal" => { "oidc" => "https://agent.buildkite.com" },
+            "conditions" => [
+              { "operator" => "string_equals", "claim" => "aud", "value" => "localhost" },
+              { "operator" => "string_equals", "claim" => "organization_slug", "value" => "example-org" },
+              { "operator" => "string_equals", "claim" => "pipeline_slug", "value" => "example-pipeline" }
+            ]
+          }
+        ]
+      }
+    }
+
+    assert_equal_hash(expected, role.as_json.slice(*expected.keys))
+  end
+
   test "creating rubygem trusted publishers" do
     rubygem = create(:rubygem, name: "rubygem0")
     create(:version, rubygem: rubygem, metadata: { "source_code_uri" => "https://github.com/example/rubygem0" })