Add CI_JOB_JWT_V2 with iss and aud format changes

Add aud to JWT. Change iss format to include protocol Change sub from job_id to a string that contains project:ref_type:ref Update spec to validate iss, sub, and aud changes. Add alpha tag to Predefined Variables documentation. Changelog: changed MR: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/72555

Add CI_JOB_JWT_V2 with iss and aud format changes
Add aud to JWT. Change iss format to include protocol Change sub from job_id to a string that contains project:ref_type:ref Update spec to validate iss, sub, and aud changes. Add alpha tag to Predefined Variables documentation. Changelog: changed MR: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/72555
25081011 · Brad Downey · Matthias Käppler · 30cfc3c3 · 25081011 · 25081011
Commit 25081011 authored Dec 20, 2021 by Brad Downey Committed by Matthias Käppler Dec 20, 2021
7 changed files
--- a/app/models/ci/build.rb
+++ b/app/models/ci/build.rb
@@ -1165,7 +1165,10 @@ module Ci
        break variables unless Feature.enabled?(:ci_job_jwt, project, default_enabled: true)

        jwt = Gitlab::Ci::Jwt.for_build(self)
+        jwt_v2 = Gitlab::Ci::JwtV2.for_build(self)
        variables.append(key: 'CI_JOB_JWT', value: jwt, public: false, masked: true)
+        variables.append(key: 'CI_JOB_JWT_V1', value: jwt, public: false, masked: true)
+        variables.append(key: 'CI_JOB_JWT_V2', value: jwt_v2, public: false, masked: true)
      rescue OpenSSL::PKey::RSAError, Gitlab::Ci::Jwt::NoSigningKeyError => e
        Gitlab::ErrorTracking.track_exception(e)
      end

--- a/doc/ci/variables/predefined_variables.md
+++ b/doc/ci/variables/predefined_variables.md
@@ -60,6 +60,8 @@ There are also [Kubernetes-specific deployment variables](../../user/project/clu
 | `CI_JOB_ID`                              | 9.0    | all    | The internal ID of the job, unique across all jobs in the GitLab instance. |
 | `CI_JOB_IMAGE`                           | 12.9   | 12.9   | The name of the Docker image running the job. |
 | `CI_JOB_JWT`                             | 12.10  | all    | A RS256 JSON web token to authenticate with third party systems that support JWT authentication, for example [HashiCorp's Vault](../secrets/index.md). |
+| `CI_JOB_JWT_V1`                          | 14.6   | all    | The same value as `CI_JOB_JWT`. |
+| `CI_JOB_JWT_V2`                          | 14.6   | all    | [**alpha:**](https://about.gitlab.com/handbook/product/gitlab-the-product/#alpha-beta-ga) A newly formatted RS256 JSON web token to increase compatibility. Similar to `CI_JOB_JWT`, except the issuer (`iss`) claim is changed from `gitlab.com` to `https://gitlab.com`, `sub` has changed from `job_id` to a string that contains the project path, and an `aud` claim is added. Format is subject to change. |
 | `CI_JOB_MANUAL`                          | 8.12   | all    | `true` if a job was started manually. |
 | `CI_JOB_NAME`                            | 9.0    | 0.5    | The name of the job. |
 | `CI_JOB_STAGE`                           | 9.0    | 0.5    | The name of the job's stage. |

--- a/lib/gitlab/ci/jwt_v2.rb
+++ b/lib/gitlab/ci/jwt_v2.rb
+# frozen_string_literal: true
+
+module Gitlab
+  module Ci
+    class JwtV2 < Jwt
+      private
+
+      def reserved_claims
+        super.merge(
+          iss: Settings.gitlab.base_url,
+          sub:  "project_path:#{project.full_path}:ref_type:#{ref_type}:ref:#{source_ref}",
+          aud: Settings.gitlab.base_url
+        )
+      end
+    end
+  end
+end
--- a/spec/lib/gitlab/ci/jwt_v2_spec.rb
+++ b/spec/lib/gitlab/ci/jwt_v2_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Ci::JwtV2 do
+  let(:namespace) { build_stubbed(:namespace) }
+  let(:project) { build_stubbed(:project, namespace: namespace) }
+  let(:user) { build_stubbed(:user) }
+  let(:pipeline) { build_stubbed(:ci_pipeline, ref: 'auto-deploy-2020-03-19') }
+  let(:build) do
+    build_stubbed(
+      :ci_build,
+      project: project,
+      user: user,
+      pipeline: pipeline
+    )
+  end
+
+  subject(:ci_job_jwt_v2) { described_class.new(build, ttl: 30) }
+
+  it { is_expected.to be_a Gitlab::Ci::Jwt }
+
+  describe '#payload' do
+    subject(:payload) { ci_job_jwt_v2.payload }
+
+    it 'has correct values for the standard JWT attributes' do
+      aggregate_failures do
+        expect(payload[:iss]).to eq(Settings.gitlab.base_url)
+        expect(payload[:aud]).to eq(Settings.gitlab.base_url)
+        expect(payload[:sub]).to eq("project_path:#{project.full_path}:ref_type:branch:ref:#{pipeline.source_ref}")
+      end
+    end
+  end
+end
--- a/spec/models/ci/build_spec.rb
+++ b/spec/models/ci/build_spec.rb
@@ -2645,6 +2645,8 @@ RSpec.describe Ci::Build do
          { key: 'CI_DEPENDENCY_PROXY_USER', value: 'gitlab-ci-token', public: true, masked: false },
          { key: 'CI_DEPENDENCY_PROXY_PASSWORD', value: 'my-token', public: false, masked: true },
          { key: 'CI_JOB_JWT', value: 'ci.job.jwt', public: false, masked: true },
+          { key: 'CI_JOB_JWT_V1', value: 'ci.job.jwt', public: false, masked: true },
+          { key: 'CI_JOB_JWT_V2', value: 'ci.job.jwtv2', public: false, masked: true },
          { key: 'CI_JOB_NAME', value: 'test', public: true, masked: false },
          { key: 'CI_JOB_STAGE', value: 'test', public: true, masked: false },
          { key: 'CI_NODE_TOTAL', value: '1', public: true, masked: false },
@@ -2712,6 +2714,7 @@ RSpec.describe Ci::Build do

      before do
        allow(Gitlab::Ci::Jwt).to receive(:for_build).and_return('ci.job.jwt')
+        allow(Gitlab::Ci::JwtV2).to receive(:for_build).and_return('ci.job.jwtv2')
        build.set_token('my-token')
        build.yaml_variables = []
      end
@@ -2763,6 +2766,8 @@ RSpec.describe Ci::Build do
          let(:build_yaml_var) { { key: 'yaml', value: 'value', public: true, masked: false } }
          let(:dependency_proxy_var) { { key: 'dependency_proxy', value: 'value', public: true, masked: false } }
          let(:job_jwt_var) { { key: 'CI_JOB_JWT', value: 'ci.job.jwt', public: false, masked: true } }
+          let(:job_jwt_var_v1) { { key: 'CI_JOB_JWT_V1', value: 'ci.job.jwt', public: false, masked: true } }
+          let(:job_jwt_var_v2) { { key: 'CI_JOB_JWT_V2', value: 'ci.job.jwtv2', public: false, masked: true } }
          let(:job_dependency_var) { { key: 'job_dependency', value: 'value', public: true, masked: false } }

          before do

--- a/spec/models/group_spec.rb
+++ b/spec/models/group_spec.rb
@@ -63,6 +63,7 @@ RSpec.describe Group do

  describe 'validations' do
    it { is_expected.to validate_presence_of :name }
+    it { is_expected.not_to allow_value('colon:in:path').for(:path) } # This is to validate that a specially crafted name cannot bypass a pattern match. See !72555
    it { is_expected.to allow_value('group test_4').for(:name) }
    it { is_expected.not_to allow_value('test/../foo').for(:name) }
    it { is_expected.not_to allow_value('<script>alert("Attack!")</script>').for(:name) }

--- a/spec/models/project_spec.rb
+++ b/spec/models/project_spec.rb
@@ -379,6 +379,7 @@ RSpec.describe Project, factory_default: :keep do
    it { is_expected.to validate_presence_of(:name) }
    it { is_expected.to validate_uniqueness_of(:name).scoped_to(:namespace_id) }
    it { is_expected.to validate_length_of(:name).is_at_most(255) }
+    it { is_expected.not_to allow_value('colon:in:path').for(:path) } # This is to validate that a specially crafted name cannot bypass a pattern match. See !72555
    it { is_expected.to validate_presence_of(:path) }
    it { is_expected.to validate_length_of(:path).is_at_most(255) }
    it { is_expected.to validate_length_of(:description).is_at_most(2000) }