Commit 4d2cd304 authored by Tiger's avatar Tiger Committed by Tiger Watson

Add environment to custom JWT claims

Allows Vault users to restrict secrets to individual
environments without requiring a dedicated branch.
parent 92757043
---
title: Add environment to custom JWT claims
merge_request: 53431
author:
type: added
......@@ -53,7 +53,9 @@ The JWT's payload looks like this:
"job_id": "1212", #
"ref": "auto-deploy-2020-04-01", # Git ref for this job
"ref_type": "branch", # Git ref type, branch or tag
"ref_protected": "true" # true if this git ref is protected, false otherwise
"ref_protected": "true", # true if this git ref is protected, false otherwise
"environment": "production", # Environment this job deploys to, if present
"environment_protected": "true" # true if deployed environment is protected, false otherwise
}
```
......
# frozen_string_literal: true
module EE
module Gitlab
module Ci
module Jwt
extend ::Gitlab::Utils::Override
private
override :environment_protected?
def environment_protected?
environment.protected?
end
end
end
end
end
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Gitlab::Ci::Jwt do
let(:namespace) { build_stubbed(:namespace) }
let(:project) { build_stubbed(:project, namespace: namespace) }
let(:user) { build_stubbed(:user) }
let(:pipeline) { build_stubbed(:ci_pipeline, ref: 'auto-deploy-2020-03-19') }
let(:environment) { build_stubbed(:environment, project: project, name: 'production') }
let(:build) do
build_stubbed(
:ci_build,
project: project,
user: user,
pipeline: pipeline,
environment: environment.name
)
end
describe '#payload' do
before do
allow(build).to receive(:persisted_environment).and_return(environment)
end
subject(:payload) { described_class.new(build, ttl: 30).payload }
describe 'environment_protected' do
it 'is false when environment is not protected' do
expect(environment).to receive(:protected?).and_return(false)
expect(payload[:environment_protected]).to eq('false')
end
it 'is true when environment is protected' do
expect(environment).to receive(:protected?).and_return(true)
expect(payload[:environment_protected]).to eq('true')
end
end
end
end
......@@ -45,7 +45,7 @@ module Gitlab
end
def custom_claims
{
fields = {
namespace_id: namespace.id.to_s,
namespace_path: namespace.full_path,
project_id: project.id.to_s,
......@@ -59,6 +59,15 @@ module Gitlab
ref_type: ref_type,
ref_protected: build.protected.to_s
}
if environment.present?
fields.merge!(
environment: environment.name,
environment_protected: environment_protected?.to_s
)
end
fields
end
def key
......@@ -102,6 +111,16 @@ module Gitlab
def ref_type
::Ci::BuildRunnerPresenter.new(build).ref_type
end
def environment
build.persisted_environment
end
def environment_protected?
false # Overridden in EE
end
end
end
end
Gitlab::Ci::Jwt.prepend_if_ee('::EE::Gitlab::Ci::Jwt')
......@@ -44,6 +44,9 @@ RSpec.describe Gitlab::Ci::Jwt do
expect(payload[:pipeline_id]).to eq(pipeline.id.to_s)
expect(payload[:job_id]).to eq(build.id.to_s)
expect(payload[:ref]).to eq(pipeline.source_ref)
expect(payload[:ref_protected]).to eq(build.protected.to_s)
expect(payload[:environment]).to be_nil
expect(payload[:environment_protected]).to be_nil
end
end
......@@ -90,6 +93,28 @@ RSpec.describe Gitlab::Ci::Jwt do
expect(payload[:ref_protected]).to eq('true')
end
end
describe 'environment' do
let(:environment) { build_stubbed(:environment, project: project, name: 'production') }
let(:build) do
build_stubbed(
:ci_build,
project: project,
user: user,
pipeline: pipeline,
environment: environment.name
)
end
before do
allow(build).to receive(:persisted_environment).and_return(environment)
end
it 'has correct values for environment attributes' do
expect(payload[:environment]).to eq('production')
expect(payload[:environment_protected]).to eq('false')
end
end
end
describe '.for_build' do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment