Add policy source claims to id_tokens
What does this MR do and why?
Add job_metadata with the job source to id_tokens claims.
This can be used to verify whether a job comes from:
- scan_execution_policy
- pipeline_execution_policy
- other source, based on the pipeline source
References
- #459001 - Duplicate of #534500 (closed)
- Scope policy job options under a single key (!208845 - merged)
- The structure
job_metadata: { source }was proposed in #459001 (comment 2788595118) to have a single attribute that is extendable in the future
Screenshots
| Project job | PEP job | SEP job |
|---|---|---|
|
|
|
How to set up and validate locally
- Create a project
- Create a pipeline execution policy with the following config:
image: python:3.11-alpine stages: [test] test_policy_id_token: stage: test script: - python3 -c "import sys, json, base64; print(json.dumps(json.loads(base64.urlsafe_b64decode(sys.argv[1] + '=' * (-len(sys.argv[1]) % 4))), indent=2))" "$(echo $MY_ID_TOKEN | cut -d '.' -f2)" id_tokens: MY_ID_TOKEN: aud: https://example.com - Run a pipeline and inspect the policy job output
- Verify that it includes the new policy source claims. For example:
"job_source": "pipeline_execution_policy" "job_source_policy": { "config_uri": "http://gitlab.localdev:3000/gitlab-org/pep/id-tokens-claims/.gitlab/security-policies/policy.yml@refs/heads/main", "config_sha": "ab035e64eca9a7a85bd62e485d3593f52a2804ac" },
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #459001
Edited by Martin Cavoj