-
-
Notifications
You must be signed in to change notification settings - Fork 905
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Allow using OIDC to fetch api tokens (#3716)
Implements rubygems/rfcs#49
- Loading branch information
Showing
126 changed files
with
3,644 additions
and
741 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -4,6 +4,7 @@ on: | |
push: | ||
branches: | ||
- master | ||
- oidc-api-tokens | ||
permissions: | ||
contents: read | ||
id-token: write | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
class RefreshOIDCProvider < BaseAction | ||
self.name = "Refresh OIDC Provider" | ||
self.visible = lambda { | ||
current_user.team_member?("rubygems-org") && view == :show | ||
} | ||
|
||
self.message = lambda { | ||
"Are you sure you would like to refresh #{record.issuer}?" | ||
} | ||
|
||
self.confirm_button_label = "Refresh" | ||
|
||
class ActionHandler < ActionHandler | ||
def handle_model(provider) | ||
connection = Faraday.new(provider.issuer, request: { timeout: 2 }) do |f| | ||
f.request :json | ||
f.response :logger, logger, headers: false, errors: true, bodies: true | ||
f.response :raise_error | ||
f.response :json | ||
end | ||
resp = connection.get("/.well-known/openid-configuration") | ||
|
||
provider.configuration = resp.body | ||
provider.jwks = connection.get(provider.configuration.jwks_uri).body | ||
|
||
provider.save! | ||
end | ||
end | ||
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,38 @@ | ||
class ArrayOfField < Avo::Fields::BaseField | ||
def initialize(name, field:, field_options: {}, **args, &block) | ||
super(name, **args, &nil) | ||
|
||
@make_field = lambda do |id:, index: nil, value: nil| | ||
items_holder = Avo::ItemsHolder.new | ||
items_holder.field(id, name: index&.to_s || self.name, as: field, required: -> { false }, value:, **field_options, &block) | ||
items_holder.items.sole.hydrate(view:, resource:) | ||
end | ||
end | ||
|
||
def value(...) | ||
value = super(...) | ||
Array.wrap(value) | ||
end | ||
|
||
def template_member | ||
@make_field[id: "#{id}[NEW_RECORD]"] | ||
end | ||
|
||
def fill_field(model, key, value, params) | ||
value = value.each_value.map do |v| | ||
template_member.fill_field(NestedField::Holder.new, :item, v, params).item | ||
end | ||
super(model, key, value, params) | ||
end | ||
|
||
def members | ||
value.each_with_index.map do |value, idx| | ||
id = "#{self.id}[#{idx}]" | ||
@make_field[id:, index: idx, value:] | ||
end | ||
end | ||
|
||
def to_permitted_param | ||
@make_field[id:].to_permitted_param | ||
end | ||
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,12 +1,9 @@ | ||
class JsonViewerField < Avo::Fields::BaseField | ||
class JsonViewerField < Avo::Fields::CodeField | ||
def initialize(name, **args, &) | ||
super(name, **args, &) | ||
@theme = args[:theme].present? ? args[:theme].to_s : "default" | ||
@height = args[:height].present? ? args[:height].to_s : "auto" | ||
@tab_size = args[:tab_size].presence || 2 | ||
@indent_with_tabs = args[:indent_with_tabs].presence || false | ||
@line_wrapping = args[:line_wrapping].presence || true | ||
super(name, **args, language: :javascript, line_wrapping: true, &) | ||
end | ||
|
||
attr_reader :height, :theme, :tab_size, :indent_with_tabs, :line_wrapping | ||
def value(...) | ||
super&.then { JSON.pretty_generate(_1.as_json) } | ||
end | ||
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
class NestedField < Avo::Fields::BaseField | ||
include Avo::Concerns::HasFields | ||
|
||
def initialize(name, stacked: true, **args, &block) | ||
@items_holder = Avo::ItemsHolder.new | ||
hide_on [:index] | ||
super(name, stacked:, **args, &nil) | ||
instance_exec(&block) if block | ||
end | ||
|
||
def fields(**_kwargs) | ||
@items_holder.items.grep Avo::Fields::BaseField | ||
end | ||
|
||
def field(name, **kwargs, &) | ||
@items_holder.field(name, **kwargs, &) | ||
end | ||
|
||
def fill_field(model, key, value, params) | ||
value = value.to_h.to_h do |k, v| | ||
[k, get_field(k).fill_field(Holder.new, :item, v, params).item] | ||
end | ||
|
||
super(model, key, value, params) | ||
end | ||
|
||
def to_permitted_param | ||
{ super => fields.map(&:to_permitted_param) } | ||
end | ||
|
||
class Holder | ||
attr_accessor :item | ||
end | ||
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
class OIDCApiKeyRoleResource < Avo::BaseResource | ||
self.title = :token | ||
self.includes = [] | ||
self.model_class = ::OIDC::ApiKeyRole | ||
# self.search_query = -> do | ||
# scope.ransack(id_eq: params[:q], m: "or").result(distinct: false) | ||
# end | ||
|
||
field :token, as: :text, link_to_resource: true, readonly: true | ||
field :id, as: :id, link_to_resource: true, hide_on: :index | ||
# Fields generated from the model | ||
field :name, as: :text | ||
field :provider, as: :belongs_to | ||
field :user, as: :belongs_to | ||
field :api_key_permissions, as: :nested do | ||
field :valid_for, as: :text, format_using: :iso8601 | ||
field :scopes, as: :tags, suggestions: ApiKey::API_SCOPES.map { { label: _1, value: _1 } } | ||
field :gems, as: :tags, suggestions: -> { Rubygem.limit(10).pluck(:name).map { { value: _1, label: _1 } } } | ||
end | ||
field :access_policy, as: :nested do | ||
field :statements, as: :array_of, field: :nested do | ||
field :effect, as: :select, options: { "Allow" => "allow" }, default: "Allow" | ||
field :principal, as: :nested, field_options: { stacked: false } do | ||
field :oidc, as: :text | ||
end | ||
field :conditions, as: :array_of, field: :nested, field_options: { stacked: false } do | ||
field :operator, as: :select, options: OIDC::AccessPolicy::Statement::Condition::OPERATORS.index_by(&:titleize) | ||
field :claim, as: :text | ||
field :value, as: :text | ||
end | ||
end | ||
end | ||
|
||
field :id_tokens, as: :has_many | ||
# add fields here | ||
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
class OIDCIdTokenResource < Avo::BaseResource | ||
self.title = :id | ||
self.includes = [] | ||
self.model_class = ::OIDC::IdToken | ||
# self.search_query = -> do | ||
# scope.ransack(id_eq: params[:q], m: "or").result(distinct: false) | ||
# end | ||
|
||
field :id, as: :id | ||
# Fields generated from the model | ||
field :api_key_role, as: :belongs_to | ||
field :provider, as: :has_one | ||
field :api_key, as: :has_one | ||
|
||
heading "JWT" | ||
field :claims, as: :key_value, stacked: true do | ||
model.jwt.fetch("claims") | ||
end | ||
field :header, as: :key_value, stacked: true do | ||
model.jwt.fetch("header") | ||
end | ||
# add fields here | ||
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
class OIDCProviderResource < Avo::BaseResource | ||
self.title = :issuer | ||
self.includes = [] | ||
self.model_class = ::OIDC::Provider | ||
# self.search_query = -> do | ||
# scope.ransack(id_eq: params[:q], m: "or").result(distinct: false) | ||
# end | ||
|
||
action RefreshOIDCProvider | ||
|
||
# Fields generated from the model | ||
field :issuer, as: :text, link_to_resource: true | ||
field :configuration, as: :nested do | ||
visible_on = %i[edit new] | ||
OIDC::Provider::Configuration.then { (_1.required_attributes + _1.optional_attributes) - fields.map(&:id) }.each do |k| | ||
field k, as: (k.to_s.end_with?("s_supported") ? :tags : :text), visible: ->(_) { visible_on.include?(view) || value.send(k).present? } | ||
end | ||
end | ||
field :jwks, as: :array_of, field: :json_viewer, hide_on: :index | ||
field :api_key_roles, as: :has_many | ||
# add fields here | ||
field :id, as: :id | ||
end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.