Add feature flag for environment details in CI JWT

https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53431

Add feature flag for environment details in CI JWT
https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53431
a174be9e · Tiger · Tiger Watson · 4d2cd304 · 4d2cd304 · a174be9e
Commit a174be9e authored Feb 11, 2021 by Tiger Committed by Tiger Watson Feb 14, 2021
5 changed files
--- a/changelogs/unreleased/294440-add-environment-details-to-jwt.yml
+++ b/changelogs/unreleased/294440-add-environment-details-to-jwt.yml
---
-title: Add environment to custom JWT claims
-merge_request: 53431
-author:
-type: added
--- a/config/feature_flags/development/ci_jwt_include_environment.yml
+++ b/config/feature_flags/development/ci_jwt_include_environment.yml
+---
+name: ci_jwt_include_environment
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53431
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/321206
+milestone: '13.9'
+type: development
+group: group::configure
+default_enabled: false
--- a/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
+++ b/doc/ci/examples/authenticating-with-hashicorp-vault/index.md
@@ -53,9 +53,7 @@ The JWT's payload looks like this:
  "job_id": "1212",                              #
  "ref": "auto-deploy-2020-04-01",               # Git ref for this job
  "ref_type": "branch",                          # Git ref type, branch or tag
-  "ref_protected": "true",                       # true if this git ref is protected, false otherwise
-  "environment": "production",                   # Environment this job deploys to, if present
-  "environment_protected": "true"                # true if deployed environment is protected, false otherwise
+  "ref_protected": "true"                        # true if this git ref is protected, false otherwise
 }
 ```


--- a/lib/gitlab/ci/jwt.rb
+++ b/lib/gitlab/ci/jwt.rb
@@ -60,7 +60,7 @@ module Gitlab
          ref_protected: build.protected.to_s
        }

-        if environment.present?
+        if include_environment_claims?
          fields.merge!(
            environment: environment.name,
            environment_protected: environment_protected?.to_s
@@ -119,6 +119,10 @@ module Gitlab
      def environment_protected?
        false # Overridden in EE
      end
+
+      def include_environment_claims?
+        Feature.enabled?(:ci_jwt_include_environment) && environment.present?
+      end
    end
  end
 end

--- a/spec/lib/gitlab/ci/jwt_spec.rb
+++ b/spec/lib/gitlab/ci/jwt_spec.rb
@@ -114,6 +114,17 @@ RSpec.describe Gitlab::Ci::Jwt do
        expect(payload[:environment]).to eq('production')
        expect(payload[:environment_protected]).to eq('false')
      end
+
+      context ':ci_jwt_include_environment feature flag is disabled' do
+        before do
+          stub_feature_flags(ci_jwt_include_environment: false)
+        end
+
+        it 'does not include environment attributes' do
+          expect(payload).not_to have_key(:environment)
+          expect(payload).not_to have_key(:environment_protected)
+        end
+      end
    end
  end