Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Example Buildkite OIDC token for regression tests #5412

Open
yob opened this issue Jan 29, 2025 · 0 comments · May be fixed by #5416
Open

Example Buildkite OIDC token for regression tests #5412

yob opened this issue Jan 29, 2025 · 0 comments · May be fixed by #5416

Comments

@yob
Copy link

yob commented Jan 29, 2025

Over in #5296 (comment) we released that using Buildkite OIDC tokens with the API Key Roles feature was broken by the addition of a requirement for tokens to have a jti claim.

That's been addressed by Buildkite adding a jti claim to its OIDC tokens, but @segiddins suggested providing an example Buildkite OIDC token that could be used to create a regression test.

Here's a sample, decoded (using the jwt-cli npm package) so the claims are visible, then slightly redacted with example values:

✻ Header
{
  "kid": "f4b821837b4edcba56136f22f37ee6969520df23407126cce188d4141c015d68",
  "alg": "RS256"
}
✻ Payload
{
  "iss": "https://agent.buildkite.com",
  "sub": "organization:example-org:pipeline:example-pipeline:ref:refs/heads/main:commit:b5ffe3aeea51cec6c41aef16e45ee6bce47d8810:step:",
  "aud": "rubygems.org",
  "iat": 1736757460,
  "nbf": 1736757460,
  "exp": 1736757760,
  "jti": "0194b014-8517-7cef-b232-76a827315f08",
  "organization_slug": "example-org",
  "pipeline_slug": "example-pipeline",
  "build_number": 5,
  "build_branch": "main",
  "build_tag": null,
  "build_commit": "b5ffe3aeea51cec6c41aef16e45ee6bce47d8810",
  "step_key": null,
  "job_id": "01945ecf-80f0-41e8-9b83-a2970a9305a1",
  "agent_id": "01945ecf-8bcf-40a6-9d70-a765db9a0928",
  "build_source": "ui",
  "runner_environment": "buildkite-hosted"
}
yob added a commit to yob/rubygems.org that referenced this issue Jan 30, 2025
@yob
Add integration test for assuming an API Key Role using a Buildkite O…
262e057 
…IDC token

Until recently, Buildkite OIDC tokens did not contain a `jti` claim. At
some point in early 2024 it was possible to assume an API Key Role using
Buildkite OIDC tokens, but when testing in January 2025 we found the
assume role request was failing with an error:

> Missing/invalid jti

Buildkite has addressed that by adding a `jti` claim to tokens - it's a
good claim to include. However, to reduce the risk of regressions in the
future, this proposes adding an integration test with a Buildkite-shaped
OIDC token.

The trait added to the OIDC::Provider factory is based on a real token
that I generated then anonymized. I only test the happy path with this
token - there's a buncha existing tests for various unhappy paths
(expired token, etc) using the Github Actions shaped OIDC token and
there's little value in replicating them.

Most of the added test is copy-pasted from the happy-path Github Actions
test further up the file.

Fixes rubygems#5412
@yob yob linked a pull request Jan 30, 2025 that will close this issue
Open
yob added a commit to yob/rubygems.org that referenced this issue Feb 2, 2025
@yob
Add integration test for assuming an API Key Role using a Buildkite O…
0098d67 
…IDC token

Until recently, Buildkite OIDC tokens did not contain a `jti` claim. At
some point in early 2024 it was possible to assume an API Key Role using
Buildkite OIDC tokens, but when testing in January 2025 we found the
assume role request was failing with an error:

> Missing/invalid jti

Buildkite has addressed that by adding a `jti` claim to tokens - it's a
good claim to include. However, to reduce the risk of regressions in the
future, this proposes adding an integration test with a Buildkite-shaped
OIDC token.

The trait added to the OIDC::Provider factory is based on a real token
that I generated then anonymized. I only test the happy path with this
token - there's a buncha existing tests for various unhappy paths
(expired token, etc) using the Github Actions shaped OIDC token and
there's little value in replicating them.

Most of the added test is copy-pasted from the happy-path Github Actions
test further up the file.

Fixes rubygems#5412
yob added a commit to yob/rubygems.org that referenced this issue Feb 2, 2025
@yob
Add integration test for assuming an API Key Role using a Buildkite O…
7e2c2ef 
…IDC token

Until recently, Buildkite OIDC tokens did not contain a `jti` claim. At
some point in early 2024 it was possible to assume an API Key Role using
Buildkite OIDC tokens, but when testing in January 2025 we found the
assume role request was failing with an error:

> Missing/invalid jti

Buildkite has addressed that by adding a `jti` claim to tokens - it's a
good claim to include. However, to reduce the risk of regressions in the
future, this proposes adding an integration test with a Buildkite-shaped
OIDC token.

The trait added to the OIDC::Provider factory is based on a real token
that I generated then anonymized. I only test the happy path with this
token - there's a buncha existing tests for various unhappy paths
(expired token, etc) using the Github Actions shaped OIDC token and
there's little value in replicating them.

Most of the added test is copy-pasted from the happy-path Github Actions
test further up the file.

Fixes rubygems#5412
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add integration test for assuming an API Key Role using a Buildkite OIDC token yob/rubygems.org
1 participant
@yob