Skip to content

Add Job Project claims to CI ID Tokens

Jayakrishnan Mallisseryrequested to merge
jay-add-target-project-claims-toci-id-tokens into master

Why this MR?

  • To solve this issue

  • In this commit we patched a security vulnerability related to CI ID tokens for Merge Request Pipelines originating from forked projects but running inside target project

  • Before the security patch was made, we had project_ related claims like project_id:, project_path:, namespace_id:, namespace_path: which ALWAYS returned the project inside which the build and it's pipeline is running.

  • The security vulnerability was patched by updating the value of these project_ related claims to refer to the forked project and NOT the target project, if the pipeline is of a Merge Request originating from forked projects EVEN it's pipeline is running inside target project.

  • Because of the change above, now we have a situation wherein there is no reliable way from the JWT payload to tell inside which project the pipeline and job ran. In the specific case of Merge Request Pipelines originating from forked projects but running inside target project, the project_ related claims DO NOT refer to the actual project inside which the pipeline ran, but rather it refers to the source project of the Merge Request. This inconsistency is causing the problem mentioned in this point. i.e. there is no reliable way from the JWT payload to tell inside which project the pipeline and job ran

  • To solve this, we need to add a new set of claims called job_project_ claims - job_project_id:, job_project_path:, job_namespace_id:, job_namespace_path:. These 4 additional claims will always reliably have the values corresponding to the project in which the pipeline is created WITHOUT any exception.

  • Only for the specific case of Merge Request Pipelines originating from forked projects but running inside target project, the values of job_project_ claims differ from the corresponding values of project_ claims. For all other cases, the project (Read as source_project) and target_project are one and the same

  • Also, need to update the existing doc on ID token payload

What does this MR do ?

  • Add 4 new claims to CI ID Tokens - job_project_id:, job_project_path:, job_namespace_id:, job_namespace_path: such that it always returns the values corresponding to the project inside which the CI job ran.
  • Only for the specific case of Merge Request Pipelines originating from forked projects but running inside target project, the values of job_project_ claims differ from the corresponding values of project_ claims. For all other cases, the values of target_project_ claims will match the corresponding values of project_ claims.
  • Update our docs on CI ID Tokens payload. Add information on the newly added claims and extra information on existing claims which were lacking.
  • Refactor - Rename ProjectTokenClaims to UserProjectTokenClaims as it has both user and project claims. The main public method is split into two sub methods user_claims and project_claims as in our new use case, we only need the subset of project_claims without the user_claims,

Screenshots

Before After
before after

References

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Jayakrishnan Mallissery

Merge request reports