Fix the spec creating an API Key Role for Buildkite

The conditional in add_default_params is always try (it's a single =) so statement.principal is set to the GitHub Actions principal (https://token.actions.githubusercontent.com) every time the new API Key Role form is loaded. That field is hidden on the form so the user doesn't have a chance to edit it, and after saving the created role has a provider of Buildkite with an expected principal for GitHub Actions. An alternative solution would be to remove the statement.principal assignment completely. It's not required - when the form is submitted the OIDC::ApiKeyRole#set_statement_principals callback will set the correct principal for both GitHub Actionas *and* Buildkite.
rubygems · Feb 13, 2025 · d810930 · d810930
1 parent 6613f4d
commit d810930
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 10 deletions.
diff --git a/app/controllers/oidc/api_key_roles_controller.rb b/app/controllers/oidc/api_key_roles_controller.rb
@@ -134,7 +134,7 @@ def add_default_params(rubygem, statement, condition)
 
     return unless rubygem
     return unless (gh = helpers.link_to_github(rubygem)).presence
-    return unless (@api_key_role.provider = OIDC::Provider.github_actions)
+    return unless (@api_key_role.provider == OIDC::Provider.github_actions)
 
     statement.principal = { oidc: @api_key_role.provider.issuer }
 

diff --git a/test/system/oidc_test.rb b/test/system/oidc_test.rb
@@ -248,19 +248,14 @@ def verify_session # rubocop:disable Minitest/TestMethodName
       id: "oidc_api_key_role_access_policy_statements_attributes_0_conditions_attributes_0_operator"
     assert_field "Value", with: Gemcutter::HOST,
       id: "oidc_api_key_role_access_policy_statements_attributes_0_conditions_attributes_0_value"
-    assert_field "Claim", with: "repository",
-      id: "oidc_api_key_role_access_policy_statements_attributes_0_conditions_attributes_1_claim"
-    assert_select "Operator", options: ["String Equals", "String Matches"], selected: "String Equals",
-      id: "oidc_api_key_role_access_policy_statements_attributes_0_conditions_attributes_1_operator"
-    assert_field "Value", with: "example/repo",
-      id: "oidc_api_key_role_access_policy_statements_attributes_0_conditions_attributes_1_value"
 
     # Adjust the form to align with Buildkite OIDC tokens
     page.select "https://agent.buildkite.com", from: "OIDC provider"
 
-    last_condition = page.find_all(id: /oidc_api_key_role_access_policy_statements_attributes_\d+_conditions_attributes_\d+_wrapper/).last
-    last_condition.fill_in "Claim", with: "organization_slug"
-    last_condition.fill_in "Value", with: "example-org"
+    page.click_button "Add condition"
+    new_condition = page.find_all(id: /oidc_api_key_role_access_policy_statements_attributes_\d+_conditions_attributes_\d+_wrapper/).last
+    new_condition.fill_in "Claim", with: "organization_slug"
+    new_condition.fill_in "Value", with: "example-org"
 
     page.click_button "Add condition"
     new_condition = page.find_all(id: /oidc_api_key_role_access_policy_statements_attributes_\d+_conditions_attributes_\d+_wrapper/).last