Merge branch '294440-add-environment-details-to-jwt' into 'master'

Add environment to custom JWT claims [RUN ALL RSPEC] [RUN AS-IF-FOSS] See merge request gitlab-org/gitlab!53431

Merge branch '294440-add-environment-details-to-jwt' into 'master'
Add environment to custom JWT claims [RUN ALL RSPEC] [RUN AS-IF-FOSS] See merge request gitlab-org/gitlab!53431
bd7e8e18 · Dylan Griffith · 6ade2ca4 · a174be9e · bd7e8e18 · bd7e8e18
Commit bd7e8e18 authored Feb 14, 2021 by Dylan Griffith
5 changed files
--- a/config/feature_flags/development/ci_jwt_include_environment.yml
+++ b/config/feature_flags/development/ci_jwt_include_environment.yml
+---
+name: ci_jwt_include_environment
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/53431
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/321206
+milestone: '13.9'
+type: development
+group: group::configure
+default_enabled: false
--- a/ee/lib/ee/gitlab/ci/jwt.rb
+++ b/ee/lib/ee/gitlab/ci/jwt.rb
+# frozen_string_literal: true
+
+module EE
+  module Gitlab
+    module Ci
+      module Jwt
+        extend ::Gitlab::Utils::Override
+
+        private
+
+        override :environment_protected?
+        def environment_protected?
+          environment.protected?
+        end
+      end
+    end
+  end
+end
--- a/ee/spec/lib/ee/gitlab/ci/jwt_spec.rb
+++ b/ee/spec/lib/ee/gitlab/ci/jwt_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Gitlab::Ci::Jwt do
+  let(:namespace) { build_stubbed(:namespace) }
+  let(:project) { build_stubbed(:project, namespace: namespace) }
+  let(:user) { build_stubbed(:user) }
+  let(:pipeline) { build_stubbed(:ci_pipeline, ref: 'auto-deploy-2020-03-19') }
+  let(:environment) { build_stubbed(:environment, project: project, name: 'production') }
+  let(:build) do
+    build_stubbed(
+      :ci_build,
+      project: project,
+      user: user,
+      pipeline: pipeline,
+      environment: environment.name
+    )
+  end
+
+  describe '#payload' do
+    before do
+      allow(build).to receive(:persisted_environment).and_return(environment)
+    end
+
+    subject(:payload) { described_class.new(build, ttl: 30).payload }
+
+    describe 'environment_protected' do
+      it 'is false when environment is not protected' do
+        expect(environment).to receive(:protected?).and_return(false)
+
+        expect(payload[:environment_protected]).to eq('false')
+      end
+
+      it 'is true when environment is protected' do
+        expect(environment).to receive(:protected?).and_return(true)
+
+        expect(payload[:environment_protected]).to eq('true')
+      end
+    end
+  end
+end
--- a/lib/gitlab/ci/jwt.rb
+++ b/lib/gitlab/ci/jwt.rb
@@ -45,7 +45,7 @@ module Gitlab
      end

      def custom_claims
-        {
+        fields = {
          namespace_id: namespace.id.to_s,
          namespace_path: namespace.full_path,
          project_id: project.id.to_s,
@@ -59,6 +59,15 @@ module Gitlab
          ref_type: ref_type,
          ref_protected: build.protected.to_s
        }
+
+        if include_environment_claims?
+          fields.merge!(
+            environment: environment.name,
+            environment_protected: environment_protected?.to_s
+          )
+        end
+
+        fields
      end

      def key
@@ -102,6 +111,20 @@ module Gitlab
      def ref_type
        ::Ci::BuildRunnerPresenter.new(build).ref_type
      end
+
+      def environment
+        build.persisted_environment
+      end
+
+      def environment_protected?
+        false # Overridden in EE
+      end
+
+      def include_environment_claims?
+        Feature.enabled?(:ci_jwt_include_environment) && environment.present?
+      end
    end
  end
 end
+
+Gitlab::Ci::Jwt.prepend_if_ee('::EE::Gitlab::Ci::Jwt')
--- a/spec/lib/gitlab/ci/jwt_spec.rb
+++ b/spec/lib/gitlab/ci/jwt_spec.rb
@@ -44,6 +44,9 @@ RSpec.describe Gitlab::Ci::Jwt do
        expect(payload[:pipeline_id]).to eq(pipeline.id.to_s)
        expect(payload[:job_id]).to eq(build.id.to_s)
        expect(payload[:ref]).to eq(pipeline.source_ref)
+        expect(payload[:ref_protected]).to eq(build.protected.to_s)
+        expect(payload[:environment]).to be_nil
+        expect(payload[:environment_protected]).to be_nil
      end
    end

@@ -90,6 +93,39 @@ RSpec.describe Gitlab::Ci::Jwt do
        expect(payload[:ref_protected]).to eq('true')
      end
    end
+
+    describe 'environment' do
+      let(:environment) { build_stubbed(:environment, project: project, name: 'production') }
+      let(:build) do
+        build_stubbed(
+          :ci_build,
+          project: project,
+          user: user,
+          pipeline: pipeline,
+          environment: environment.name
+        )
+      end
+
+      before do
+        allow(build).to receive(:persisted_environment).and_return(environment)
+      end
+
+      it 'has correct values for environment attributes' do
+        expect(payload[:environment]).to eq('production')
+        expect(payload[:environment_protected]).to eq('false')
+      end
+
+      context ':ci_jwt_include_environment feature flag is disabled' do
+        before do
+          stub_feature_flags(ci_jwt_include_environment: false)
+        end
+
+        it 'does not include environment attributes' do
+          expect(payload).not_to have_key(:environment)
+          expect(payload).not_to have_key(:environment_protected)
+        end
+      end
+    end
  end

  describe '.for_build' do