From d810930f0fe42c4987bd1da6ed508edd1aed72d2 Mon Sep 17 00:00:00 2001
From: James Healy
Date: Wed, 5 Feb 2025 22:14:20 +1100
Subject: [PATCH] Fix the spec creating an API Key Role for Buildkite
The conditional in add_default_params is always try (it's a single =) so statement.principal is set to the GitHub Actions principal (https://token.actions.githubusercontent.com) every time the new API Key Role form is loaded. That field is hidden on the form so the user doesn't have a chance to edit it, and after saving the created role has a provider of Buildkite with an expected principal for GitHub Actions. An alternative solution would be to remove the statement.principal assignment completely. It's not required - when the form is submitted the OIDC::ApiKeyRole#set_statement_principals callback will set the correct principal for both GitHub Actionas *and* Buildkite.
---
 app/controllers/oidc/api_key_roles_controller.rb | 2 +-
 test/system/oidc_test.rb | 13 ++++---------
 2 files changed, 5 insertions(+), 10 deletions(-)
diff --git a/app/controllers/oidc/api_key_roles_controller.rb b/app/controllers/oidc/api_key_roles_controller.rb
index b0322f5899d..29d065b07aa 100644
--- a/app/controllers/oidc/api_key_roles_controller.rb
+++ b/app/controllers/oidc/api_key_roles_controller.rb
@@ -134,7 +134,7 @@ def add_default_params(rubygem, statement, condition)
 return unless rubygem
 return unless (gh = helpers.link_to_github(rubygem)).presence
- return unless (@api_key_role.provider = OIDC::Provider.github_actions)
+ return unless (@api_key_role.provider == OIDC::Provider.github_actions)
 statement.principal = { oidc: @api_key_role.provider.issuer }
diff --git a/test/system/oidc_test.rb b/test/system/oidc_test.rb
index 9d754fe5864..af2e016e6cc 100644
--- a/test/system/oidc_test.rb
+++ b/test/system/oidc_test.rb
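Review bot: The parentheses kept around the condition on the changed `return unless` line are now redundant and should be dropped. In Ruby they conventionally mark an intentional assignment inside a condition, as on the `gh = helpers.link_to_github(rubygem)` line just above, which is probably why the original single `=` was not flagged by a linter. `return unless @api_key_role.provider == OIDC::Provider.github_actions` reads unambiguously as a comparison. Separately, if `@api_key_role.provider` can be nil when the new form is built, this guard now returns early and nothing is pre-filled; that looks consistent with the test change but is worth confirming as intended. The body of add_default_params continues beyond this hunk.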
@@ -248,19 +248,14 @@ def verify_session # rubocop:disable Minitest/TestMethodName
 id: "oidc_api_key_role_access_policy_statements_attributes_0_conditions_attributes_0_operator"
 assert_field "Value", with: Gemcutter::HOST,
 id: "oidc_api_key_role_access_policy_statements_attributes_0_conditions_attributes_0_value"
- assert_field "Claim", with: "repository",
- id: "oidc_api_key_role_access_policy_statements_attributes_0_conditions_attributes_1_claim"
- assert_select "Operator", options: ["String Equals", "String Matches"], selected: "String Equals",
- id: "oidc_api_key_role_access_policy_statements_attributes_0_conditions_attributes_1_operator"
- assert_field "Value", with: "example/repo",
- id: "oidc_api_key_role_access_policy_statements_attributes_0_conditions_attributes_1_value"
 # Adjust the form to align with Buildkite OIDC tokens
 page.select "https://agent.buildkite.com", from: "OIDC provider"
- last_condition = page.find_all(id: /oidc_api_key_role_access_policy_statements_attributes_\d+_conditions_attributes_\d+_wrapper/).last
- last_condition.fill_in "Claim", with: "organization_slug"
- last_condition.fill_in "Value", with: "example-org"
+ page.click_button "Add condition"
+ new_condition = page.find_all(id: /oidc_api_key_role_access_policy_statements_attributes_\d+_conditions_attributes_\d+_wrapper/).last
+ new_condition.fill_in "Claim", with: "organization_slug"
+ new_condition.fill_in "Value", with: "example-org"
 page.click_button "Add condition"
 new_condition = page.find_all(id: /oidc_api_key_role_access_policy_statements_attributes_\d+_conditions_attributes_\d+_wrapper/).last
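Review bot: With the pre-filled `repository` assertions removed, nothing visible in this hunk still exercises the branch of add_default_params that runs when the provider is GitHub Actions. That branch sets the hidden principal and, apparently, the repository condition. If no other test covers it, keep those checks in a dedicated GitHub Actions test, for example `assert_field "Claim", with: "repository", id: "oidc_api_key_role_access_policy_statements_attributes_0_conditions_attributes_1_claim"`, so a later change to the guard cannot silently drop or misapply the defaults. The two back-to-back `page.click_button "Add condition"` / `find_all(...).last` sequences also reuse the local `new_condition`; distinct names would make the steps easier to follow. The test method starts before and continues after this hunk, so later assertions may already cover part of this.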