authorize: support naming and listing authorizations #365
Conversation
Over time, gemstash authorizations turn into a pile of opaque tokens and associated permissions. Keeping track of which token belongs to which developer or automated system is required to enabled proper revocation or rotation. Today, that requires the use of an external system, which has the added problem of duplicating the key itself. Support keeping this association within Gemstash itself by allowing for authorizations to be named. Also support listing authorizations, so it's easy to determine which key needs to be revoked, rotated, or otherwise updated. See the manpage updates for details on use. Resolve rubygems#364 Signed-off-by: Kyle Fazzari <kyrofa@ubuntu.com>
| Sequel.migration do | ||
| change do | ||
| alter_table :authorizations do | ||
| add_column :name, String, :size => 191 |
There was a problem hiding this comment.
Size seems oddly specific, am I missing something?
There was a problem hiding this comment.
Ha! We share that thought. I was honestly just duplicating the existing pattern for String columns in the authorizations table, because they're magic numbers there as well. This number means nothing to me. Would you prefer something different?
There was a problem hiding this comment.
I learned, by inspecting the git blame navigation: #64
| it "combined with --list results in an error" do | ||
| cli_options[:list] = true | ||
| expect { Gemstash::CLI::Authorize.new(cli).run }.to raise_error(Gemstash::CLI::Error) | ||
| expect(Gemstash::Authorization["auth-key"]).to be # Auth was not actually removed |
There was a problem hiding this comment.
TIL about this very bare form of Matcher.
There was a problem hiding this comment.
Same. I stole it from another test! One of the beautiful things about open source ❤️ .
spec/gemstash/cli/authorize_spec.rb
Outdated
| expect { Gemstash::CLI::Authorize.new(cli).run }.to raise_error(Gemstash::CLI::Error) | ||
| end | ||
|
|
||
| it "handles missing authorization" do |
There was a problem hiding this comment.
Perhaps this should express "raises an error on missing" so that we describe its behaviour.
There was a problem hiding this comment.
Wonderful, thank you! A thorough feature, well-described. @kyrofa, this is good.
Edit: if you please, add a CHANGELOG description, should you have one.
Signed-off-by: Kyle Fazzari <kyrofa@ubuntu.com>
Done, does that look right? |
Signed-off-by: Kyle Fazzari <kyrofa@ubuntu.com>
kyrofa
force-pushed
the
feature/364/gemstash-auth-names
branch
from
71e71a8 to
0086bef
Compare
Over time, gemstash authorizations turn into a pile of opaque tokens and associated permissions. Keeping track of which token belongs to which developer or automated system is required to enable proper revocation or rotation. Today, that requires the use of an external system, which has the added problem of duplicating the key itself.
This PR resolves #364, adding support for keeping this association within Gemstash itself by allowing for authorizations to be named. It also adds support for listing authorizations, so it's easy to determine which key needs to be revoked, rotated, or otherwise updated. See the manpage updates for details on use.