Authorization tokens are easy to lose track of #364

Closed
kyrofa opened this issue Sep 19, 2023 · 5 comments · Fixed by #365

Comments

@kyrofa
Contributor

kyrofa commented Sep 19, 2023

We've been using the private gem functionality of gemstash for a number of years now, with great success. However, as both our team and our CI systems have changed a little over time, we're hitting a pain point: we need to keep careful notes of which token belongs to each developer or system, so we can revoke tokens when they're no longer used. This feels like a feature that could be easily added to gemstash, and if we agree on a design I'd be happy to add it. I'm thinking something really simple:

  • The ability to name or label a given authorization.
  • The ability to list authorizations, with their names and capabilities

Thoughts?

@kyrofa kyrofa changed the title Authorization tokens are easy to lose Authorization tokens are easy to lose track of Sep 19, 2023
@kyrofa
Contributor Author

kyrofa commented Sep 19, 2023

I see #165, for example, but it didn't appear to ever get any traction and appears dead at this point.

@indirect
Member

Yeah, some sort of name or label sounds great! Thanks for offering.

@kyrofa
Contributor Author

kyrofa commented Sep 19, 2023

Thanks for the feedback, @indirect! I realize I missed something above: a way to list the current authorizations, with their names and capabilities, to make sure you're revoking the right thing. Is that also something you'd support?

@indirect
Member

Yeah, absolutely.

@kyrofa
Contributor Author

kyrofa commented Sep 19, 2023

Alright, keep an eye out for a PR then. Thanks for the quick responses!

kyrofa added a commit to kyrofa/gemstash that referenced this issue Sep 25, 2023
Over time, gemstash authorizations turn into a pile of opaque tokens and
associated permissions. Keeping track of which token belongs to which
developer or automated system is required to enable proper revocation
or rotation. Today, that requires the use of an external system, which
has the added problem of duplicating the key itself.

Support keeping this association within Gemstash itself by allowing for
authorizations to be named. Also support listing authorizations, so it's
easy to determine which key needs to be revoked, rotated, or otherwise
updated. See the manpage updates for details on use.

Resolve rubygems#364

Signed-off-by: Kyle Fazzari <kyrofa@ubuntu.com>
olleolleolle pushed a commit that referenced this issue Sep 27, 2023
Over time, gemstash authorizations turn into a pile of opaque tokens and
associated permissions. Keeping track of which token belongs to which
developer or automated system is required to enable proper revocation
or rotation. Today, that requires the use of an external system, which
has the added problem of duplicating the key itself.

Support keeping this association within Gemstash itself by allowing for
authorizations to be named. Also support listing authorizations, so it's
easy to determine which key needs to be revoked, rotated, or otherwise
updated. See the manpage updates for details on use.

Resolve #364

Signed-off-by: Kyle Fazzari <kyrofa@ubuntu.com>
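As an added illustration of the design proposed in this issue and described in the commit message above (name each authorization, list authorizations with their names and capabilities, revoke or rotate by name instead of by opaque token), here is a small Ruby model of such a registry. It is example code written for this page, not gemstash's own implementation, storage schema or CLI; the class and method names (`AuthorizationRegistry`, `create`, `list`, `revoke`, `rotate`, `authenticate`) are assumptions, and the capability names `push`, `yank` and `fetch` are assumed to match what `gemstash authorize` accepts. One design choice the example adds that the issue does not discuss: the registry keeps only a SHA-256 digest of each token, so a listing or a database dump never reveals the secrets themselves, which is exactly what the external spreadsheet mentioned in the commit message would leak.

```ruby
require "digest"
require "securerandom"
require "time"

# Added example, not gemstash code: an in-memory registry of named
# authorizations. Each entry records a human-readable name, its set of
# capabilities, and a SHA-256 digest of the token. The raw token is returned
# exactly once, at creation or rotation time, and is never stored or listed.
class AuthorizationRegistry
  CAPABILITIES = %w[push yank fetch].freeze # assumed to mirror gemstash's permission names

  Entry = Struct.new(:name, :digest, :capabilities, :created_at, keyword_init: true)

  def initialize
    @entries = {} # name => Entry
  end

  # Create a named authorization; returns the plaintext token. Show it to the
  # developer or CI system once, then forget it: only the digest is kept.
  def create(name, capabilities)
    raise ArgumentError, "authorization #{name.inspect} already exists" if @entries.key?(name)
    token = new_token
    @entries[name] = Entry.new(name: name, digest: digest(token),
                               capabilities: normalize(capabilities),
                               created_at: Time.now.utc)
    token
  end

  # The listing shows names and capabilities only, so an operator can tell
  # which entry belongs to whom without ever seeing a token.
  def list
    @entries.values.sort_by(&:name).map do |e|
      { name: e.name, capabilities: e.capabilities, created_at: e.created_at.iso8601 }
    end
  end

  # Revoke by name; true if an entry was removed.
  def revoke(name)
    !@entries.delete(name).nil?
  end

  # Rotate by name: keeps the name and capabilities, replaces the secret, and
  # returns the new plaintext token. The old token stops working immediately.
  def rotate(name)
    entry = @entries.fetch(name) { raise KeyError, "no authorization named #{name.inspect}" }
    token = new_token
    entry.digest = digest(token)
    token
  end

  # Find the entry that owns a presented token, or nil. Digests are compared
  # in constant time so that comparison timing does not leak digest bytes.
  def authenticate(token)
    presented = digest(token)
    @entries.values.find { |e| secure_equal?(e.digest, presented) }
  end

  # Does the presented token carry the given capability?
  def authorized?(token, capability)
    entry = authenticate(token)
    !entry.nil? && entry.capabilities.include?(capability.to_s)
  end

  private

  def normalize(capabilities)
    caps = Array(capabilities).map(&:to_s).uniq.sort
    unknown = caps - CAPABILITIES
    raise ArgumentError, "unknown capabilities: #{unknown.join(', ')}" unless unknown.empty?
    caps
  end

  def new_token
    SecureRandom.hex(16) # 128 bits of entropy, hex-encoded
  end

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end

  # Constant-time string comparison (same-length inputs only).
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

With this shape, "which token belongs to the old CI runner?" becomes a question the listing answers directly, and revocation or rotation is done by name, so the secret never has to be copied into a separate notes file to be identifiable later.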