Fix JWT token expiration when memoized before timeout is set

What does this MR do and why?

The JWT job token (encoded_jwt) is memoized on the build object. When pre_assign_runner_checks runs before the job transitions to running, it can trigger token generation via:

  • has_valid_build_dependencies? -> scoped_variables -> kubernetes_variables_from_job
  • secrets_provider_not_found? (EE) -> scoped_variables -> kubernetes_variables_from_job

The kubernetes_variables_from_job method calls job.try(:token), which memoizes the JWT with the current timeout_value. However, at this point update_timeout_state hasn't run yet (it runs during pending->running transition), so timeout_value may be nil, resulting in a JWT with only ~6 minutes TTL (60s default + 5min leeway) instead of the job's actual timeout.

This fix clears the encoded_jwt memoization in present_build! (which runs after the job has transitioned to running and timeout is set), ensuring the token is regenerated with the correct expiration.

This particularly affects jobs with needs: dependencies, as they are more likely to trigger the dependency validation code path.
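
The sequence described above, as an added example that is not part of this MR or GitLab's code. ModelBuild, its method names, the signing key and the fixed clock value are hypothetical; the 60s default, 5min leeway and 1h timeout are the figures from this description.

```ruby
require 'openssl'
require 'json'

# Simplified model of the bug; ModelBuild and its methods are hypothetical
# stand-ins, not GitLab's classes. TTL numbers come from the description.
DEFAULT_TTL = 60      # seconds used when timeout_value is nil
LEEWAY      = 5 * 60  # seconds of leeway added to every token
SECRET      = 'constructed-demo-key' # constructed signing key

def b64url(data)
  [data].pack('m0').tr('+/', '-_').delete('=')
end

class ModelBuild
  attr_reader :timeout_value
  def initialize(timeout:, now:)
    @configured_timeout = timeout
    @now = now
    @timeout_value = nil # only set during the pending->running transition
  end

  # Memoized: the first caller fixes the exp claim for this object.
  def encoded_jwt
    @encoded_jwt ||= begin
      exp = @now + (timeout_value || DEFAULT_TTL) + LEEWAY
      signed = "#{b64url(JSON.generate(alg: 'HS256', typ: 'JWT'))}.#{b64url(JSON.generate(exp: exp))}"
      "#{signed}.#{b64url(OpenSSL::HMAC.digest('SHA256', SECRET, signed))}"
    end
  end

  def update_timeout_state
    @timeout_value = @configured_timeout
  end

  def clear_jwt_memoization
    @encoded_jwt = nil
  end
end

# TTL in minutes of the token handed to the runner for a job with a 1h timeout.
def ttl_minutes(clear_after_transition:, now: 1_700_000_000)
  build = ModelBuild.new(timeout: 3600, now: now)
  build.encoded_jwt           # a pre-assign check touches the token early
  build.update_timeout_state  # job transitions to running
  build.clear_jwt_memoization if clear_after_transition
  payload = JSON.parse(build.encoded_jwt.split('.')[1].tr('-_', '+/').unpack1('m'))
  (payload['exp'] - now) / 60
end
puts "memoization kept:    #{ttl_minutes(clear_after_transition: false)} min"
puts "memoization cleared: #{ttl_minutes(clear_after_transition: true)} min"
```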

References

#581924 (closed)

How to set up and validate locally

Minimal reproducer:

# .gitlab-ci.yml
setup:
  script: echo "Setup done"

trigger-child:
  trigger:
    include: child.yml
    strategy: depend

and child pipeline:

# child.yml
child-job:
  image: ruby
  needs:
    - pipeline: $CI_UPSTREAM_PIPELINE_ID
      job: setup
  script: ruby -e "require 'base64'; puts Base64.encode64(ENV['CI_JOB_TOKEN'])"
  timeout: 1h

Then copy the encoded string into a variable s in a GDK Rails console and run:

# Decode the job token and read the underlying JWT object
jwt = ::Ci::JobToken::Jwt.decode(Base64.decode64(s)).instance_variable_get(:@jwt)
# Remaining lifetime of the token, in minutes
puts((Time.at(jwt.payload["exp"]) - Time.now) / 60)

Expected results:

  • On master: You get under 6 minutes
  • On this branch: You get on the order of 60 minutes (depending on how quick you are)

This should be over 60 because we have a 1h timeout and then some leeway. But on master, I get just 6 minutes!

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Hordur Freyr Yngvason
