Add environment to custom JWT claims

Allows Vault users to restrict secrets to individual environments without requiring a dedicated branch.

Add environment to custom JWT claims
Allows Vault users to restrict secrets to individual environments without requiring a dedicated branch.
4d2cd304 · Tiger · Tiger Watson · 92757043 · 4d2cd304 · 4d2cd304
Commit 4d2cd304 authored Feb 05, 2021 by Tiger Committed by Tiger Watson Feb 14, 2021
6 changed files
--- a/changelogs/unreleased/294440-add-environment-details-to-jwt.yml
+++ b/changelogs/unreleased/294440-add-environment-details-to-jwt.yml
+---
+title: Add environment to custom JWT claims
+merge_request: 53431
+author:
+type: added
--- a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
+++ b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
@@ -53,7 +53,9 @@ The JWT's payload looks like this:
  "job_id": "1212",                              #
  "ref": "auto-deploy-2020-04-01",               # Git ref for this job
  "ref_type": "branch",                          # Git ref type, branch or tag
-  "ref_protected": "true"                        # true if this git ref is protected, false otherwise
+  "ref_protected": "true",                       # true if this git ref is protected, false otherwise
+  "environment": "production",                   # Environment this job deploys to, if present
+  "environment_protected": "true"                # true if deployed environment is protected, false otherwise
 }
 ```


--- a/ee/lib/ee/gitlab/ci/jwt.rb
+++ b/ee/lib/ee/gitlab/ci/jwt.rb
+# frozen_string_literal: true
+
+module EE
+  module Gitlab
+    module Ci
+      module Jwt
+        extend ::Gitlab::Utils::Override
+
+        private
+
+        override :environment_protected?
+        def environment_protected?
+          environment.protected?
+        end
+      end
+    end
+  end
+end
--- a/ee/spec/lib/ee/gitlab/ci/jwt_spec.rb
+++ b/ee/spec/lib/ee/gitlab/ci/jwt_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Ci::Jwt do
+  let(:namespace) { build_stubbed(:namespace) }
+  let(:project) { build_stubbed(:project, namespace: namespace) }
+  let(:user) { build_stubbed(:user) }
+  let(:pipeline) { build_stubbed(:ci_pipeline, ref: 'auto-deploy-2020-03-19') }
+  let(:environment) { build_stubbed(:environment, project: project, name: 'production') }
+  let(:build) do
+    build_stubbed(
+      :ci_build,
+      project: project,
+      user: user,
+      pipeline: pipeline,
+      environment: environment.name
+    )
+  end
+
+  describe '#payload' do
+    before do
+      allow(build).to receive(:persisted_environment).and_return(environment)
+    end
+
+    subject(:payload) { described_class.new(build, ttl: 30).payload }
+
+    describe 'environment_protected' do
+      it 'is false when environment is not protected' do
+        expect(environment).to receive(:protected?).and_return(false)
+
+        expect(payload[:environment_protected]).to eq('false')
+      end
+
+      it 'is true when environment is protected' do
+        expect(environment).to receive(:protected?).and_return(true)
+
+        expect(payload[:environment_protected]).to eq('true')
+      end
+    end
+  end
+end
--- a/lib/gitlab/ci/jwt.rb
+++ b/lib/gitlab/ci/jwt.rb
@@ -45,7 +45,7 @@ module Gitlab
      end

      def custom_claims
-        {
+        fields = {
          namespace_id: namespace.id.to_s,
          namespace_path: namespace.full_path,
          project_id: project.id.to_s,
@@ -59,6 +59,15 @@ module Gitlab
          ref_type: ref_type,
          ref_protected: build.protected.to_s
        }
+
+        if environment.present?
+          fields.merge!(
+            environment: environment.name,
+            environment_protected: environment_protected?.to_s
+          )
+        end
+
+        fields
      end

      def key
@@ -102,6 +111,16 @@ module Gitlab
      def ref_type
        ::Ci::BuildRunnerPresenter.new(build).ref_type
      end
+
+      def environment
+        build.persisted_environment
+      end
+
+      def environment_protected?
+        false # Overridden in EE
+      end
    end
  end
 end
+
+Gitlab::Ci::Jwt.prepend_if_ee('::EE::Gitlab::Ci::Jwt')
--- a/spec/lib/gitlab/ci/jwt_spec.rb
+++ b/spec/lib/gitlab/ci/jwt_spec.rb
@@ -44,6 +44,9 @@ RSpec.describe Gitlab::Ci::Jwt do
        expect(payload[:pipeline_id]).to eq(pipeline.id.to_s)
        expect(payload[:job_id]).to eq(build.id.to_s)
        expect(payload[:ref]).to eq(pipeline.source_ref)
+        expect(payload[:ref_protected]).to eq(build.protected.to_s)
+        expect(payload[:environment]).to be_nil
+        expect(payload[:environment_protected]).to be_nil
      end
    end

@@ -90,6 +93,28 @@ RSpec.describe Gitlab::Ci::Jwt do
        expect(payload[:ref_protected]).to eq('true')
      end
    end
+
+    describe 'environment' do
+      let(:environment) { build_stubbed(:environment, project: project, name: 'production') }
+      let(:build) do
+        build_stubbed(
+          :ci_build,
+          project: project,
+          user: user,
+          pipeline: pipeline,
+          environment: environment.name
+        )
+      end
+
+      before do
+        allow(build).to receive(:persisted_environment).and_return(environment)
+      end
+
+      it 'has correct values for environment attributes' do
+        expect(payload[:environment]).to eq('production')
+        expect(payload[:environment_protected]).to eq('false')
+      end
+    end
  end

  describe '.for_build' do