Add policy source claims to id_tokens

Martin Cavojrequested to merge
459001-add-job-source-claims-to-id-tokens-jwt into master

What does this MR do and why?

Add job_metadata with the job source to id_tokens claims. This can be used to verify whether a job comes from:

  • scan_execution_policy
  • pipeline_execution_policy
  • other source, based on the pipeline source

References

  1. Scope policy job options under a single key (!208845 - merged)

How to set up and validate locally

  1. Create a project
  2. Create a pipeline execution policy with the following config: 
    image: python:3.11-alpine
stages: [test]

test_policy_id_token:
  stage: test
  script:
    - python3 -c "import sys, json, base64; print(json.dumps(json.loads(base64.urlsafe_b64decode(sys.argv[1] + '=' * (-len(sys.argv[1]) % 4))), indent=2))" "$(echo $MY_ID_TOKEN | cut -d '.' -f2)"
  id_tokens:
    MY_ID_TOKEN:
      aud: https://example.com
  3. Run a pipeline and inspect the policy job output
  4. Verify that it includes the new policy source claims. For example: 
    "job_metadata": {
    "source": "pipeline_execution_policy"
}

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #459001

Edited by Martin Cavoj

Merge request reports