Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Creating an API Key Role for Buildkite results in an access policy that requires Github Actions #5376

Open
yob opened this issue Jan 7, 2025 · 1 comment
Open

Creating an API Key Role for Buildkite results in an access policy that requires Github Actions #5376

yob opened this issue Jan 7, 2025 · 1 comment
Labels
bug

Comments

@yob
Copy link

yob commented Jan 7, 2025

I work for Buildkite, and have been experimenting with using an API Key Role for publishing a personal gem from CI (pdf-reader).

Clicking the link from the gem page (https://rubygems.org/profile/oidc/api_key_roles/new?rubygem=pdf-reader&scopes%5B%5D=push_rubygem), I was able to create an API Key Role from the gem page (starts with rg_oidc_akr_meof, now revoked), however after clicking the Create Api Key Role button and the page reloading, the policy has a principal for Github Actions:

2025-01-07_18-34

To fix it I can edit the token, then make a hidden form element visible and type in the Buildkite issuer:

2025-01-07_18-36

Then, clicking the Update Api Key Role button saves the correct value:

2025-01-07_18-37

Environment

Browser and its version: Firefox 133.0.3, Linux
@yob yob added the bug label Jan 7, 2025
This was referenced Jan 7, 2025
Closed
Merged
@yob
Copy link
Author

yob commented Jan 30, 2025

Oh, I think it might be this?

diff --git a/app/controllers/oidc/api_key_roles_controller.rb b/app/controllers/oidc/api_key_roles_controller.rb
index b0322f589..29d065b07 100644
--- a/app/controllers/oidc/api_key_roles_controller.rb
+++ b/app/controllers/oidc/api_key_roles_controller.rb
@@ -134,7 +134,7 @@ class OIDC::ApiKeyRolesController < ApplicationController
 
     return unless rubygem
     return unless (gh = helpers.link_to_github(rubygem)).presence
-    return unless (@api_key_role.provider = OIDC::Provider.github_actions)
+    return unless (@api_key_role.provider == OIDC::Provider.github_actions)
 
     statement.principal = { oidc: @api_key_role.provider.issuer }

For a gem that declares its source code is hosted on github (like pdf-reader, the one I tested with) then the api key roles controller sets the provider to Github Actions when rendering the new form.

Then the principal input is rendered on the form but hidden, so the user doesn't get a chance to see or change it.

I also note that OIDC::ApiKeyRole has a before validation callback (set_statement_principals) that will set a default principal when the new form is submitted.

I'm happy to open a PR with a fix and test case, and I think the == change above would do it... but would removing the hidden principal input from the form all together also work? Happy to follow your guidance.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@yob