Allow using OIDC to fetch api tokens

[segiddins]

Implements rubygems/rfcs#49

[codecov]

Codecov Report

Merging #3716 (e005ff2) into master (7e19c19) will decrease coverage by 0.01%.
The diff coverage is 98.97%.

@@            Coverage Diff             @@
##           master    #3716      +/-   ##
==========================================
- Coverage   98.92%   98.92%   -0.01%     
==========================================
  Files         229      260      +31     
  Lines        5570     6026     +456     
==========================================
+ Hits         5510     5961     +451     
- Misses         60       65       +5     

Files Changed	Coverage Δ
...nts/avo/fields/json_viewer_field/edit_component.rb	0.00% <0.00%> (ø)
app/controllers/concerns/avo_auditable.rb	89.47% <ø> (-0.53%)	⬇️
lib/types/array_of.rb	90.00% <90.00%> (ø)
app/models/oidc/api_key_role.rb	96.96% <96.96%> (ø)
...ontrollers/api/v1/oidc/api_key_roles_controller.rb	97.22% <97.22%> (ø)
app/avo/actions/base_action.rb	96.55% <100.00%> (+0.06%)	⬆️
app/avo/actions/refresh_oidc_provider.rb	100.00% <100.00%> (ø)
app/avo/fields/array_of_field.rb	100.00% <100.00%> (ø)
app/avo/fields/json_viewer_field.rb	100.00% <100.00%> (ø)
app/avo/fields/nested_field.rb	100.00% <100.00%> (ø)
... and 38 more

[indirect]

Are there docs somewhere for how to use this, either as a maintainer or as a developer publishing gems? I'm ok merging this without, but I do think we should have docs to point people at when we ask them to help us test it!

[jenshenny]

Looks good! Put down a few initial questions.

[jenshenny]

The create provider page is a bit overwhelming. I can see that this form won't be used often, however could we separate the common required attributes from the optional ones?

As an aside, continuing from the point that this form won't be used often... I feel like the provider model feels very abstract/confusing and felt like hardcoding the provider information would have been fine since the majority would use GH actions and there might a few additional ones. However, the model is created already so transitioning to something more hardcoded might not be worth it.

nit: _1 is nifty, though I would prefer to have it be named so it's more readable.

[segiddins]

@jenshenny given this is the admin interface, I'm not too concerned

[jenshenny]

Agreed it's not blocking. Just raising that this can be iterated on so other admins are able to create/modify providers more easily when it comes to that point.

[segiddins]

The modification is done automatically via an action that fetches from the well-known URLs

[jenshenny]

To my knowledge, if api_key_role belongs to a provider, wouldn't it be redundant (and error prone) to have an id token be associated with a provider as you can access the provider through api key role.

[segiddins]

so right now it's there because of the JTI uniqueness validation, but I can work around that

[jenshenny]

Haven't tested all the way so that the OIDC flow returns a API key yet but I'm guessing that index table will contain OIDC generated API keys and "manually" created keys. To avoid confusion between the two (they work and are created differently from each other), I believe it'll be better to have a section with just "manually" created keys and another section for api keys generated for each api key role (with the expiry date)?

[segiddins]

they work identically to each other, the only difference is how they are created

for now, im avoiding touching the HTML pages, wanting to wait until we're satisfied with the bones of this and ready to roll it out to GA to do that work

[jenshenny]

Ah I see that the key name is namespaced by the name of the API key role so a user can differentiate it by that. I would want to see these keys under a API key role section at some point where I can see all keys up to the last x days (user can only see keys that are active and can't see soft deleted keys right now, it'll be even better show the api key role to a specific gem push)

Curious if this is what you had in mind.

Eg.

#API Key roles

##<name>
Scopes:
Expiry:
Gems:

<list of keys>

[segiddins]

honestly, I haven't thought about the HTML yet, my plan is to start on that once this ships

[jenshenny]

Gotcha, sounds great! I think this is necessary enough to be included in the first release and not for GA.

[segiddins]

and here it is :)

[jenshenny]

Was able to test this out! Super cool to see this in action ✨ Thanks for putting in all this work

[jenshenny]

Ah I see that the key name is namespaced by the name of the API key role so a user can differentiate it by that. I would want to see these keys under a API key role section at some point where I can see all keys up to the last x days (user can only see keys that are active and can't see soft deleted keys right now, it'll be even better show the api key role to a specific gem push)

Curious if this is what you had in mind.

Eg.

#API Key roles

##<name>
Scopes:
Expiry:
Gems:

<list of keys>

[segiddins]

• fill out test methods

[segiddins]

• fill out test methods

[segiddins]

• fill out test methods

[segiddins]

• fill out test methods

[segiddins]

• test the model

[segiddins]

so right now it's there because of the JTI uniqueness validation, but I can work around that

[segiddins]

they work identically to each other, the only difference is how they are created

for now, im avoiding touching the HTML pages, wanting to wait until we're satisfied with the bones of this and ready to roll it out to GA to do that work

[segiddins]

honestly, I haven't thought about the HTML yet, my plan is to start on that once this ships

[jenshenny]

I have some comments regarding the UX of the basic views.

The PR is getting kind of large though. I would be 👍 in merging everything except 73bf7c9 and have another PR for the views. I would also be open to making the enhancements to the views too! Just let me know.

[jenshenny]

Suggested change

	api_key_roles: OIDC API Key Roles
	show:
	api_key_role_name: "API Key Role %{name}"
	api_key_roles: OIDC API key roles
	show:
	api_key_role_name: "API key role %{name}"

[jenshenny]

Would users understand what an API key role actually is? It reveals too much of the implementation details. I would prefer provider or issuer even though it does conflict with some fields in the model.

Suggested change

	api_key_roles: OIDC API Key Roles
	show:
	api_key_role_name: "API Key Role %{name}"
	api_key_roles: API key provider (OIDC)
	show:
	api_key_role_name: "API key provider %{name}"

[jenshenny]

When this is setup on prod, could we name the issuer Github Actions? is provider.issuer the same as provider.configuration.issuer? If so, could we remove provider.issuer and add a name attribute and store it as Github Actions.

[jenshenny]

It's a bit hard to tell that the link goes to the show page. Can we add a Details button on the side of each row like the edit button in API keys?

[jenshenny]

Showing the raw json is a bit hard to read. Why not use the scopes, valid_for and gems from OIDC::ApiKeyPermissions?

[jenshenny]

nit: I would prefer to have the api_key_roles index view on the same page rather than having it separate. The button placement looks a bit off.

[jenshenny]

This is pretty overwhelming. I think we can just get by with expired_at, created_at, and jti.

[jenshenny]

Instead of Jti for this, could we set it to JWT ID?

[jenshenny]

This is fine for now, but for GA, I don't want to show raw json.

[segiddins]

I mean, i didnt want to do the HTML in this PR but it seemed like it was a blocker

[jenshenny]

Apologies if it sounded like the HTML was a blocker for this PR specifically 😅 To rephrase my original comment, I agree with your plan to work on it after this PR was merged, as long as the views are going to be created before any announcements of the alpha release are sent out.

[segiddins]

@jenshenny reverted the HTML, will revisit it as soon as this merges (will keep going on the same branch so we can use the same shipit env for it).

I don't plan on announcing the alpha -- the goal is to get a handful of folks (e.g. those on the rubygems / rubygems.org teams) using the feature before announcing it at all / opening it up for wider adoption. That way, we can make any adjustments as needed before committing to the API in any way.

[jenshenny]

I don't plan on announcing the alpha -- the goal is to get a handful of folks (e.g. those on the rubygems / rubygems.org teams) using the feature before announcing it at all / opening it up for wider adoption. That way, we can make any adjustments as needed before committing to the API in any way.

Oh ok, I misunderstood what alpha entails - that makes sense, thanks for clarifying!