diff --git a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
index f59bb8ed9310c1efb0a924d2b27608c8a0241558..4e8218a4cc06a6f3eea4f28c526a5d467d50da47 100644
--- a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
+++ b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
@@ -51,6 +51,7 @@ The following fields are included in the JWT:
 | `job_id` | Always | ID of this job |
 | `ref` | Always | Git ref for this job |
 | `ref_type` | Always | Git ref type, either `branch` or `tag` |
+| `ref_path` | Always | Fully qualified ref for the job. For example, `refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0. |
 | `ref_protected` | Always | `true` if this Git ref is protected, `false` otherwise |
 | `environment` | Job specifies an environment | Environment this job specifies ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) |
 | `environment_protected` | Job specifies an environment | `true` if specified environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) |
@@ -78,6 +79,7 @@ Example JWT payload:
 "job_id": "1212",
 "ref": "auto-deploy-2020-04-01",
 "ref_type": "branch",
+ "ref_path": "refs/heads/auto-deploy-2020-04-01",
 "ref_protected": "true",
 "environment": "production",
 "environment_protected": "true"
diff --git a/doc/ci/secrets/id_token_authentication.md b/doc/ci/secrets/id_token_authentication.md
index 177398a6acc6422405f8b52ddbd09fb05507facd..c5b19797a05a94a33d83b4cacd2a2cf7135d7f80 100644
--- a/doc/ci/secrets/id_token_authentication.md
+++ b/doc/ci/secrets/id_token_authentication.md
@@ -63,6 +63,7 @@ The token also includes custom claims provided by GitLab: | `job_id` | Always | ID of the job. | | `ref` | Always | Git ref for the job. | | `ref_type` | Always | Git ref type, either `branch` or `tag`. | +| `ref_path` | Always | Fully qualified ref for the job. For example, `refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0. | | `ref_protected` | Always | `true` if the Git ref is protected, `false` otherwise. | | `environment` | Job specifies an environment | Environment this job deploys to ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). | | `environment_protected` | Job specifies an environment | `true` if deployed environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). | @@ -85,6 +86,7 @@ The token also includes custom claims provided by GitLab: "job_id": "302", "ref": "feature-branch-1", "ref_type": "branch", + "ref_path": "refs/heads/feature-branch-1", "ref_protected": "false", "environment": "test-environment2", "environment_protected": "false", diff --git a/lib/gitlab/ci/jwt.rb b/lib/gitlab/ci/jwt.rb index d82ca875e765ec40f163e4ec1a2fff5d2d510d53..e8be32cd1cadea9bb58d4b09232ee338be37de2b 100644 --- a/lib/gitlab/ci/jwt.rb +++ b/lib/gitlab/ci/jwt.rb @@ -58,6 +58,7 @@ def custom_claims job_id: build.id.to_s, ref: source_ref, ref_type: ref_type, + ref_path: source_ref_path, ref_protected: build.protected.to_s } @@ -102,8 +103,16 @@ def user build.user end + def pipeline + build.pipeline + end + def source_ref - build.pipeline.source_ref + pipeline.source_ref + end + + def source_ref_path + pipeline.source_ref_path end def ref_type diff --git a/spec/lib/gitlab/ci/jwt_spec.rb b/spec/lib/gitlab/ci/jwt_spec.rb index 147801b62173c5f8d38d1618451b0f03e9aecec3..a6de5b9879cde2c34479f929e703630b00bcff94 100644 --- a/spec/lib/gitlab/ci/jwt_spec.rb +++ b/spec/lib/gitlab/ci/jwt_spec.rb 
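Review bot: The new `ref_path: source_ref_path` entry in `custom_claims` has no comment saying which ref it names, yet relying parties will write bound-claim policies against it. The spec in this commit shows a detached merge request pipeline yielding `refs/heads/feature-branch`, the source branch rather than a merge-request ref. A policy that matches on `ref_path` alone therefore says nothing about whether that ref is protected. I would add a comment above the entry such as `# Fully qualified source ref; merge request pipelines report the source branch. Pair with ref_protected when authorizing.` The body of `custom_claims` starts and ends outside this hunk.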
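Review bot: `source_ref_path` delegates to `pipeline.source_ref_path`, which is defined outside this diff, while `ref_type` is computed by a separate method whose body lies below the hunk. Nothing visible here guarantees that the two agree on branch versus tag, or that the path is never nil. The documentation in this commit lists the claim as `Always` present, and both values are consumed together as bound claims. I would add a comment on the new method, for example `# Must stay consistent with ref_type; a nil here would emit a null ref_path claim`. If a pipeline without a resolvable ref can exist, a spec case for it would also help.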
@@ -58,26 +58,31 @@ expect { payload }.not_to raise_error end - describe 'ref type' do - context 'branches' do + describe 'references' do + context 'with a branch pipepline' do it 'is "branch"' do expect(payload[:ref_type]).to eq('branch') + expect(payload[:ref_path]).to eq('refs/heads/auto-deploy-2020-03-19') end end - context 'tags' do - let(:build) { build_stubbed(:ci_build, :on_tag, project: project) } + context 'with a tag pipeline' do + let(:pipeline) { build_stubbed(:ci_pipeline, ref: 'auto-deploy-2020-03-19', tag: true) } + let(:build) { build_stubbed(:ci_build, :on_tag, project: project, pipeline: pipeline) } it 'is "tag"' do expect(payload[:ref_type]).to eq('tag') + expect(payload[:ref_path]).to eq('refs/tags/auto-deploy-2020-03-19') end end - context 'merge requests' do - let(:pipeline) { build_stubbed(:ci_pipeline, :detached_merge_request_pipeline) } + context 'with a merge request pipeline' do + let(:merge_request) { build_stubbed(:merge_request, source_branch: 'feature-branch') } + let(:pipeline) { build_stubbed(:ci_pipeline, :detached_merge_request_pipeline, merge_request: merge_request) } it 'is "branch"' do expect(payload[:ref_type]).to eq('branch') + expect(payload[:ref_path]).to eq('refs/heads/feature-branch') end end end
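Review bot: The renamed context has a typo, `context 'with a branch pipepline' do`, which should read `context 'with a branch pipeline' do`. The examples `it 'is "branch"'` and `it 'is "tag"'` now also assert `payload[:ref_path]`, so their descriptions no longer cover what they check. Either rename them or move the `ref_path` expectation into its own example, so a failure report names the claim that regressed. The merge request case covers only the `:detached_merge_request_pipeline` trait; if other merge request pipeline kinds exist, their `ref_path` value is not pinned by this spec.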