Skip to content

Draft: Add policy source claims to id_tokens

Martin Čavojrequested to merge
459001-add-job-source-claims-to-id-tokens-jwt into 459001-add-job-source-claims-to-id-tokens-sep

What does this MR do and why?

Add job_metadata to id_tokens claims which include:

  • Job source
  • Policy configuration URI
  • Policy configuration SHA

References

Other related MRs:

  1. Scope policy job options under a single key (!208845 - merged)
  2. Add PEP source to job options (!190625)
  3. Draft: Add SEP policy source to job options (!209673)
  4. 👉 This one: Draft: Add policy source claims to id_tokens (!209823)

How to set up and validate locally

  1. Create a project
  2. Create a pipeline execution policy with the following config: 
    image: python:3.11-alpine
stages: [test]

test_policy_id_token:
  stage: test
  script:
    - python3 -c "import sys, json, base64; print(json.dumps(json.loads(base64.urlsafe_b64decode(sys.argv[1] + '=' * (-len(sys.argv[1]) % 4))), indent=2))" "$(echo $MY_ID_TOKEN | cut -d '.' -f2)"
  id_tokens:
    MY_ID_TOKEN:
      aud: https://example.com
  3. Run a pipeline and inspect the policy job output
  4. Verify that it includes the new policy source claims. For example: 
    "job_metadata": {
    "source": "pipeline_execution_policy",
    "policy_ref_uri": "http://gitlab.localdev:3000/gitlab-org/pep/id-tokens-claims/.gitlab/security-policies/policy.yml@refs/heads/main",
    "policy_ref_sha": "d34de0f3acfad27f2b69861c73e6abd4e291fd58"
}

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #459001

Edited by Martin Čavoj

Merge request reports