From 3f2dd7621b364f99d200a982e502d26d27e4225a Mon Sep 17 00:00:00 2001
From: Brian Williams
Date: Fri, 28 Apr 2023 08:43:02 -0500
Subject: [PATCH 1/2] Add `ref_path` to CI job JWTs
Add `ref_path` with the fully qualified ref to CI job JWTs in order to avoid ambiguity. Branches and tags might have the same name, which would result in a collision when trying to use only the `ref` field. For example, if both a tag and branch exist named `v0.0.1`, we'd have these fields:
- Branch: `{ ref: 'v0.0.1', ref_path: 'refs/heads/v0.0.1' }`
- Tag: `{ ref: 'v0.0.1', ref_path: 'refs/tags/v0.0.1' }`
Changelog: added
---
 .../index.md | 2 ++
 doc/ci/secrets/id_token_authentication.md | 2 ++
 lib/gitlab/ci/jwt.rb | 11 ++++++++++-
 spec/lib/gitlab/ci/jwt_spec.rb | 17 +++++++++++------
 4 files changed, 25 insertions(+), 7 deletions(-)
diff --git a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
index f59bb8ed9310c1..bfc5e82edd8e35 100644
--- a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
+++ b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
@@ -51,6 +51,7 @@ The following fields are included in the JWT:
 | `job_id` | Always | ID of this job |
 | `ref` | Always | Git ref for this job |
 | `ref_type` | Always | Git ref type, either `branch` or `tag` |
+| `ref_path` | Always | Fully qualified ref for the job. Ex: `refs/heads/main` |
 | `ref_protected` | Always | `true` if this Git ref is protected, `false` otherwise |
 | `environment` | Job specifies an environment | Environment this job specifies ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) |
 | `environment_protected` | Job specifies an environment | `true` if specified environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) |
@@ -78,6 +79,7 @@ Example JWT payload:
 "job_id": "1212",
 "ref": "auto-deploy-2020-04-01",
 "ref_type": "branch",
+ "ref_path": "refs/heads/auto-deploy-2020-04-01",
 "ref_protected": "true",
 "environment": "production",
 "environment_protected": "true"
diff --git a/doc/ci/secrets/id_token_authentication.md b/doc/ci/secrets/id_token_authentication.md
index 177398a6acc642..0c570095345d85 100644
--- a/doc/ci/secrets/id_token_authentication.md
+++ b/doc/ci/secrets/id_token_authentication.md
@@ -63,6 +63,7 @@ The token also includes custom claims provided by GitLab:
 | `job_id` | Always | ID of the job. |
 | `ref` | Always | Git ref for the job. |
 | `ref_type` | Always | Git ref type, either `branch` or `tag`. |
+| `ref_path` | Always | Fully qualified ref for the job. Ex: `refs/heads/main` |
 | `ref_protected` | Always | `true` if the Git ref is protected, `false` otherwise. |
 | `environment` | Job specifies an environment | Environment this job deploys to ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). |
 | `environment_protected` | Job specifies an environment | `true` if deployed environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). |
@@ -85,6 +86,7 @@ The token also includes custom claims provided by GitLab:
 "job_id": "302",
 "ref": "feature-branch-1",
 "ref_type": "branch",
+ "ref_path": "refs/heads/feature-branch-1",
 "ref_protected": "false",
 "environment": "test-environment2",
 "environment_protected": "false",
diff --git a/lib/gitlab/ci/jwt.rb b/lib/gitlab/ci/jwt.rb
index d82ca875e765ec..e8be32cd1cadea 100644
--- a/lib/gitlab/ci/jwt.rb
+++ b/lib/gitlab/ci/jwt.rb
@@ -58,6 +58,7 @@ def custom_claims
 job_id: build.id.to_s,
 ref: source_ref,
 ref_type: ref_type,
+ ref_path: source_ref_path,
 ref_protected: build.protected.to_s
 }
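Review bot: The `ref_path` claim emitted on the new `ref_path: source_ref_path` line is documented in this patch as "the fully qualified ref for the job", but the spec change in the same patch expects `refs/heads/feature-branch` for a detached merge request pipeline built from `source_branch: 'feature-branch'`, so for MR pipelines the claim names the MR source branch rather than a `refs/merge-requests/…` ref. A relying party that binds secrets to `ref_path == "refs/heads/main"` could therefore also match a merge request pipeline whose source branch happens to be called `main`, presumably including one whose source branch lives in a fork; that deserves confirming against `Ci::Pipeline#source_ref_path` and stating where the claim is built. I would annotate the line as `ref_path: source_ref_path, # refs/heads/… or refs/tags/…; for merge request pipelines this is the MR source branch, not refs/merge-requests/…` and point consumers at combining it with `ref_protected` and `project_path` in their policies. `custom_claims` begins outside the hunk.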
@@ -102,8 +103,16 @@ def user
 build.user
 end
+ def pipeline
+ build.pipeline
+ end
+
 def source_ref
- build.pipeline.source_ref
+ pipeline.source_ref
+ end
+
+ def source_ref_path
+ pipeline.source_ref_path
 end
 def ref_type
diff --git a/spec/lib/gitlab/ci/jwt_spec.rb b/spec/lib/gitlab/ci/jwt_spec.rb
index 147801b62173c5..a6de5b9879cde2 100644
--- a/spec/lib/gitlab/ci/jwt_spec.rb
+++ b/spec/lib/gitlab/ci/jwt_spec.rb
@@ -58,26 +58,31 @@
 expect { payload }.not_to raise_error
 end
- describe 'ref type' do
- context 'branches' do
+ describe 'references' do
+ context 'with a branch pipepline' do
 it 'is "branch"' do
 expect(payload[:ref_type]).to eq('branch')
+ expect(payload[:ref_path]).to eq('refs/heads/auto-deploy-2020-03-19')
 end
 end
- context 'tags' do
- let(:build) { build_stubbed(:ci_build, :on_tag, project: project) }
+ context 'with a tag pipeline' do
+ let(:pipeline) { build_stubbed(:ci_pipeline, ref: 'auto-deploy-2020-03-19', tag: true) }
+ let(:build) { build_stubbed(:ci_build, :on_tag, project: project, pipeline: pipeline) }
 it 'is "tag"' do
 expect(payload[:ref_type]).to eq('tag')
+ expect(payload[:ref_path]).to eq('refs/tags/auto-deploy-2020-03-19')
 end
 end
- context 'merge requests' do
- let(:pipeline) { build_stubbed(:ci_pipeline, :detached_merge_request_pipeline) }
+ context 'with a merge request pipeline' do
+ let(:merge_request) { build_stubbed(:merge_request, source_branch: 'feature-branch') }
+ let(:pipeline) { build_stubbed(:ci_pipeline, :detached_merge_request_pipeline, merge_request: merge_request) }
 it 'is "branch"' do
 expect(payload[:ref_type]).to eq('branch')
+ expect(payload[:ref_path]).to eq('refs/heads/feature-branch')
 end
 end
 end
-- 
GitLab
From 0cff6ac797f0ee058cea768196e8b15efa8085d8 Mon Sep 17 00:00:00 2001
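Review bot: The new `source_ref_path` helper returns `pipeline.source_ref_path` untouched, while the sibling claims built from the same object (`build.id.to_s`, `build.protected.to_s`) are explicitly coerced to strings, and nothing in this hunk establishes that `Ci::Pipeline#source_ref_path` is non-nil for every pipeline source. If it can be nil for some pipeline kind, the `ref_path` claim is serialised as JSON `null` even though the documentation in this patch marks it "Always" present, and a relying party matching on the claim would silently fail or, worse, fall back to the ambiguous `ref`. I would pin the contract rather than coerce (`.to_s` would turn a missing value into `""`, which is not better): a spec asserting `payload[:ref_path]` matches `%r{\Arefs/(heads|tags)/}` for each pipeline source, plus a comment on the helper such as `# Fully qualified ref (refs/heads/… or refs/tags/…) — relying parties match on this to disambiguate same-named branches and tags; must never be nil`. The enclosing class continues outside the hunk.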
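Review bot: The new context name `'with a branch pipepline'` has a typo; `context 'with a branch pipeline' do`. Separately, the branch and tag contexts deliberately share the name `auto-deploy-2020-03-19`, which is the collision the commit message is about, so it is worth saying so in the describe so the pairing is not "cleaned up" later, e.g. `describe 'references' do # branch and tag share a name on purpose: ref_path must disambiguate them`. The merge request context stubs only `source_branch`, so the spec does not pin what `ref_path` carries when the source branch lives in a fork, which is the case a relying party keyed on `refs/heads/…` most needs covered; if `source_ref_path` is derived from the merge request's source project as well, a second `let(:merge_request)` with a forked source project would close that gap. The `describe` block continues outside the hunk.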
From: Marcel Amirault
Date: Mon, 1 May 2023 12:45:35 +0000
Subject: [PATCH 2/2] Apply documentation suggestions
---
 doc/ci/examples/authenticating-with-hashicorp-vault/index.md | 2 +-
 doc/ci/secrets/id_token_authentication.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
index bfc5e82edd8e35..4e8218a4cc06a6 100644
--- a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
+++ b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
@@ -51,7 +51,7 @@ The following fields are included in the JWT:
 | `job_id` | Always | ID of this job |
 | `ref` | Always | Git ref for this job |
 | `ref_type` | Always | Git ref type, either `branch` or `tag` |
-| `ref_path` | Always | Fully qualified ref for the job. Ex: `refs/heads/main` |
+| `ref_path` | Always | Fully qualified ref for the job. For example, `refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0. |
 | `ref_protected` | Always | `true` if this Git ref is protected, `false` otherwise |
 | `environment` | Job specifies an environment | Environment this job specifies ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) |
 | `environment_protected` | Job specifies an environment | `true` if specified environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9) |
diff --git a/doc/ci/secrets/id_token_authentication.md b/doc/ci/secrets/id_token_authentication.md
index 0c570095345d85..c5b19797a05a94 100644
--- a/doc/ci/secrets/id_token_authentication.md
+++ b/doc/ci/secrets/id_token_authentication.md
@@ -63,7 +63,7 @@ The token also includes custom claims provided by GitLab:
 | `job_id` | Always | ID of the job. |
 | `ref` | Always | Git ref for the job. |
 | `ref_type` | Always | Git ref type, either `branch` or `tag`. |
-| `ref_path` | Always | Fully qualified ref for the job. Ex: `refs/heads/main` |
+| `ref_path` | Always | Fully qualified ref for the job. For example, `refs/heads/main`. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/119075) in GitLab 16.0. |
 | `ref_protected` | Always | `true` if the Git ref is protected, `false` otherwise. |
 | `environment` | Job specifies an environment | Environment this job deploys to ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). |
 | `environment_protected` | Job specifies an environment | `true` if deployed environment is protected, `false` otherwise ([introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/294440) in GitLab 13.9). |
-- 
GitLab