feat(secrethub): add project and org. name to OIDC token claims (#303)

## 📝 Description

Adds `prj` (project name) and `org` (organization name) claims to the
OIDC token. More in the [public
discussion](#204).

See also [this task](renderedtext/tasks#7975).

## ✅ Checklist
- [x] I have tested this change
- [x] This change requires documentation update

Author: dexyk

Makefile

@@ -199,6 +199,10 @@ console.bash:
 	docker compose $(DOCKER_COMPOSE_OPTS) build --build-arg BUILDKIT_INLINE_CACHE=$(BUILDKIT_INLINE_CACHE) --build-arg MIX_ENV=$(MIX_ENV) app
 	docker compose $(DOCKER_COMPOSE_OPTS) run $(DOCKER_COMPOSE_RUN_OPTS) --rm app /bin/bash
 
+console.sh:
+	docker compose $(DOCKER_COMPOSE_OPTS) build --build-arg BUILDKIT_INLINE_CACHE=$(BUILDKIT_INLINE_CACHE) --build-arg MIX_ENV=$(MIX_ENV) app
+	docker compose $(DOCKER_COMPOSE_OPTS) run $(DOCKER_COMPOSE_RUN_OPTS) --rm app /bin/sh
+
 #
 # The default test.ex.setup target does nothing.
 # Each application's Makefile should override it as it sees fit.

docs/docs/reference/openid.md

@@ -2,7 +2,7 @@
 description: OpenID Connect (OIDC) token reference
 ---
 
-# OIDC Tokens 
+# OIDC Tokens
 
 import Tabs from '@theme/Tabs';
 import TabItem from '@theme/TabItem';
@@ -23,9 +23,9 @@ Sure, here is the reordered list presented in a table with three columns: Claim,
 
 | Claim       | Description                                               | Example                              |
 |-------------|-----------------------------------------------------------|--------------------------------------|
-| iss         | The issuer of the token. The full URL of the organization | `https://<org-url>.semaphoreci.com` |
-| aud         | The intended audience of the token. The full URL of the organization | `https://<org-url>.semaphoreci.com` |
-| sub         | The subject of the token. A combination of org, project, repository, and git reference for which this token was issued<br/>Template:<br/> `org:<org-url>:`<br/>`project:{project-id}:`<br/>`repo:{repo-name}:`<br/>`ref_type:{branch or pr or tag}:`<br/>`ref:{git_reference}` | `org:{org-name}:`<br/>`project:936a5312-a3b8-4921-8b3f-2cec8baac574:`<br/>`repo:web:`<br/>`ref_type:branch:`<br/>`ref:refs/heads/main` |
+| iss         | The issuer of the token. The full URL of the organization | `https://<org-name>.semaphoreci.com` |
+| aud         | The intended audience of the token. The full URL of the organization | `https://<org-name>.semaphoreci.com` |
+| sub         | The subject of the token. A combination of org, project, repository, and git reference for which this token was issued<br/>Template:<br/> `org:<org-name>:`<br/>`project:{project-id}:`<br/>`repo:{repo-name}:`<br/>`ref_type:{branch or pr or tag}:`<br/>`ref:{git_reference}` | `org:{org-name}:`<br/>`project:936a5312-a3b8-4921-8b3f-2cec8baac574:`<br/>`repo:web:`<br/>`ref_type:branch:`<br/>`ref:refs/heads/main` |
 | exp         | The UNIX timestamp when the token expires  | `1660317851` |
 | iat         | The UNIX timestamp when the token was issued | `1660317851` |
 | nbf         | The UNIX timestamp before which the token is not valid | `1660317851` |
@@ -38,7 +38,9 @@ Sure, here is the reordered list presented in a table with three columns: Claim,
 | tag         | The name of the git tag for which the token was issued    | `v1.0.0`   |
 | repo        | The name of the repository for which the token was issued | `web` |
 | repo_slug   | Specifies the repository's name in the format `owner_name/repository_name` for the current Semaphore project. It is associated with the environment variable `SEMAPHORE_GIT_REPO_SLUG` | `semaphoreci/docs`  |
-| org_id      | The organization ID of the owner of the project for which the token was issued | `d7dd33ad-9317-498c-9cc6-51c250749be7` |
+| org         | The organization name for which the token was issued | `semaphore` |
+| org_id      | The organization ID for which the token was issued | `d7dd33ad-9317-498c-9cc6-51c250749be7` |
+| prj         | The project name for which the token was issued | `docs` |
 | prj_id      | The project ID for which the token was issued | `1e1fcfb5-09c0-487e-b051-2d0b5514c42a` |
 | wf_id       | The ID of the workflow for which the token was issued | `1be81412-6ab8-4fc0-9d0d-7af33335a6ec` |
 | ppl_id      | The pipeline ID for which the token was issued | `1e1fcfb5-09c0-487e-b051-2d0b5514c42a` |

secrethub/Makefile

@@ -4,7 +4,7 @@ include ../Makefile
 
 DOCKER_BUILD_PATH=..
 APP_NAME=secrethub
-TMP_REPO_DIR=/tmp/internal_api
+TMP_REPO_DIR?=/tmp/internal_api
 INTERNAL_API_BRANCH ?= master
 PUBLIC_API_BRANCH ?= master
 PROTOC_TAG=1.12.1-3.17.3-0.7.1

secrethub/lib/internal_api/secrethub.pb.ex

@@ -719,7 +719,8 @@ defmodule InternalApi.Secrethub.GenerateOpenIDConnectTokenRequest do
           job_type: String.t(),
           git_pull_request_branch: String.t(),
           repo_slug: String.t(),
-          triggerer: String.t()
+          triggerer: String.t(),
+          project_name: String.t()
         }
 
   defstruct [
@@ -741,7 +742,8 @@ defmodule InternalApi.Secrethub.GenerateOpenIDConnectTokenRequest do
     :job_type,
     :git_pull_request_branch,
     :repo_slug,
-    :triggerer
+    :triggerer,
+    :project_name
   ]
 
   field :org_id, 1, type: :string
@@ -763,6 +765,7 @@ defmodule InternalApi.Secrethub.GenerateOpenIDConnectTokenRequest do
   field :git_pull_request_branch, 17, type: :string
   field :repo_slug, 18, type: :string
   field :triggerer, 19, type: :string
+  field :project_name, 20, type: :string
 end
 
 defmodule InternalApi.Secrethub.GenerateOpenIDConnectTokenResponse do

secrethub/lib/secrethub/open_id_connect/jwt.ex

@@ -99,7 +99,9 @@ defmodule Secrethub.OpenIDConnect.JWT do
     domain = Application.fetch_env!(:secrethub, :domain)
 
     common_claims = %{
+      "org" => req.org_username,
       "org_id" => req.org_id,
+      "prj" => req.project_name,
       "prj_id" => req.project_id,
       "wf_id" => req.workflow_id,
       "ppl_id" => req.pipeline_id,

secrethub/lib/secrethub/open_id_connect/jwt_claim.ex

@@ -242,6 +242,22 @@ defmodule Secrethub.OpenIDConnect.JWTClaim do
         is_mandatory: false,
         is_active: true
       },
+      "org" => %__MODULE__{
+        name: "org",
+        description: "Organization name",
+        is_system_claim: true,
+        is_aws_tag: false,
+        is_mandatory: false,
+        is_active: false
+      },
+      "prj" => %__MODULE__{
+        name: "prj",
+        description: "Project name associated with the workflow",
+        is_system_claim: true,
+        is_aws_tag: false,
+        is_mandatory: false,
+        is_active: false
+      },
       "https://aws.amazon.com/tags" => %__MODULE__{
         name: "https://aws.amazon.com/tags",
         description:

secrethub/lib/secrethub/open_id_connect/jwt_configuration.ex

@@ -115,7 +115,7 @@ defmodule Secrethub.OpenIDConnect.JWTConfiguration do
         create_default_org_config(org_id)
 
       config ->
-        {:ok, config}
+        {:ok, populate_missing_standard_claims(config)}
     end
   end
 
@@ -163,7 +163,7 @@ defmodule Secrethub.OpenIDConnect.JWTConfiguration do
 
     case Repo.one(query) do
       nil -> get_org_config(org_id)
-      config -> {:ok, config}
+      config -> {:ok, populate_missing_standard_claims(config)}
     end
   end
 
@@ -229,7 +229,9 @@ defmodule Secrethub.OpenIDConnect.JWTConfiguration do
     updated_claims =
       Enum.map(claims, fn claim -> enforce_default_claim_values(claim, standard_claims) end)
 
-    put_change(changeset, :claims, updated_claims)
+    missing_claims = find_missing_standard_claims(updated_claims)
+
+    put_change(changeset, :claims, updated_claims ++ missing_claims)
   end
 
   defp enforce_default_claim_values(claim = %{"name" => name}, standard_claims)
@@ -292,4 +294,29 @@ defmodule Secrethub.OpenIDConnect.JWTConfiguration do
   end
 
   defp filter_supported_fields(claim), do: claim
+
+  # Populates missing standard claims (from JWTClaim) in the JWTConfig
+  defp populate_missing_standard_claims(config = %{claims: claims}) do
+    missing_claims = find_missing_standard_claims(claims)
+
+    %{config | claims: claims ++ missing_claims}
+  end
+
+  defp find_missing_standard_claims(claims) do
+    standard_claims = Secrethub.OpenIDConnect.JWTClaim.standard_claims()
+    present_claim_names = MapSet.new(Enum.map(claims, & &1["name"]))
+
+    standard_claims
+    |> Enum.reject(fn {name, _claim} -> name in present_claim_names end)
+    |> Enum.map(fn {_name, claim} ->
+      %{
+        "name" => claim.name,
+        "description" => claim.description,
+        "is_system_claim" => claim.is_system_claim,
+        "is_aws_tag" => claim.is_aws_tag,
+        "is_mandatory" => claim.is_mandatory,
+        "is_active" => claim.is_active
+      }
+    end)
+  end
 end

secrethub/test/secrethub/internal_grpc_api_test.exs

@@ -809,7 +809,8 @@ defmodule Secrethub.InternalGrpcApi.Test do
           workflow_id: Ecto.UUID.generate(),
           pipeline_id: Ecto.UUID.generate(),
           job_id: Ecto.UUID.generate(),
-          job_type: "pipeline_job"
+          job_type: "pipeline_job",
+          project_name: "my-project"
         )
 
       {:ok, channel} = GRPC.Stub.connect("localhost:50051")
@@ -826,13 +827,16 @@ defmodule Secrethub.InternalGrpcApi.Test do
       assert_in_delta Map.get(jwt.fields, "exp") + req.expires_in, now, 5
 
       assert Map.get(jwt.fields, "prj_id") == req.project_id
+      assert Map.get(jwt.fields, "org_id") == org_id
       assert Map.get(jwt.fields, "wf_id") == req.workflow_id
       assert Map.get(jwt.fields, "ppl_id") == req.pipeline_id
       assert Map.get(jwt.fields, "job_id") == req.job_id
       assert Map.get(jwt.fields, "job_type") == req.job_type
       assert Map.get(jwt.fields, "aud") == "https://testera.localhost"
       assert Map.get(jwt.fields, "iss") == "https://testera.localhost"
       assert Map.get(jwt.fields, "sub") == "project:front:pipeline:semaphore.yml"
+      assert Map.get(jwt.fields, "prj") == req.project_name
+      assert Map.get(jwt.fields, "org") == req.org_username
       refute Map.has_key?(jwt.fields, "https://aws.amazon.com/tags")
     end
 
@@ -925,7 +929,8 @@ defmodule Secrethub.InternalGrpcApi.Test do
           git_ref_type: "branch",
           job_type: "debug_job",
           repo_slug: "renderedtext/front",
-          triggerer: "h:f-i:f"
+          triggerer: "h:f-i:f",
+          project_name: "front"
         )
 
       with_mock Secrethub, on_prem?: fn -> true end do
@@ -946,6 +951,9 @@ defmodule Secrethub.InternalGrpcApi.Test do
         # Project related claims should be present
         assert Map.get(jwt.fields, "prj_id") == req.project_id
         assert Map.get(jwt.fields, "job_type") == req.job_type
+        assert Map.get(jwt.fields, "org_id") == org_id
+        refute Map.has_key?(jwt.fields, "prj")
+        refute Map.has_key?(jwt.fields, "org")
 
         # AWS tags should be filtered
         aws_tags = Map.get(jwt.fields, "https://aws.amazon.com/tags")
@@ -1128,17 +1136,19 @@ defmodule Secrethub.InternalGrpcApi.Test do
           project_id: project_id
         )
 
-      {:ok, get_response} = SecretService.Stub.get_jwt_config(channel, get_req)
-      [stored_claim] = get_response.claims
-      refute is_nil(stored_claim), "Expected original valid claim to still be present"
-      assert stored_claim.name == "test_claim"
-      assert stored_claim.description == "Test claim"
-      assert stored_claim.is_active == true
-      # can't update for non system claims
-      assert stored_claim.is_mandatory == false
-      assert stored_claim.is_aws_tag == false
-      # can't update for non system claims
-      assert stored_claim.is_system_claim == false
+      {:ok, response} = SecretService.Stub.get_jwt_config(channel, get_req)
+
+      assert Enum.any?(response.claims, fn claim ->
+               claim == %InternalApi.Secrethub.ClaimConfig{
+                 name: "test_claim",
+                 description: "Test claim",
+                 is_active: true,
+                 # can't update for non system claims
+                 is_mandatory: false,
+                 is_aws_tag: false,
+                 is_system_claim: false
+               }
+             end)
     end
   end
 
@@ -1190,18 +1200,17 @@ defmodule Secrethub.InternalGrpcApi.Test do
       assert response.project_id == project_id
       assert response.is_active == true
 
-      [stored_claim] = response.claims
-
-      assert stored_claim.name == expected_claim.name,
-             "Expected claim name to be #{expected_claim.name}, got #{stored_claim.name}"
-
-      assert stored_claim.description == expected_claim.description
-      assert stored_claim.is_active == expected_claim.is_active
-      # can't update for non system claims
-      assert stored_claim.is_mandatory == false
-      assert stored_claim.is_aws_tag == expected_claim.is_aws_tag
-      # can't update for non system claims
-      assert stored_claim.is_system_claim == false
+      assert Enum.any?(response.claims, fn claim ->
+               Map.take(claim, Map.keys(expected_claim)) == %InternalApi.Secrethub.ClaimConfig{
+                 name: expected_claim.name,
+                 description: expected_claim.description,
+                 is_active: expected_claim.is_active,
+                 # can't update for non system claims
+                 is_mandatory: false,
+                 is_aws_tag: false,
+                 is_system_claim: false
+               }
+             end)
     end
 
     test "returns org config for non-existent project", %{org_id: org_id, channel: channel} do
@@ -1239,15 +1248,18 @@ defmodule Secrethub.InternalGrpcApi.Test do
       assert response.org_id == org_id
       refute is_nil(response.project_id), "Expected project_id not to be nil"
 
-      [stored_claim] = response.claims
-      assert stored_claim.name == "sub2"
-      assert stored_claim.description == "Subject identifier"
-      assert stored_claim.is_active == true
-      # can't update for non system claims
-      assert stored_claim.is_mandatory == false
-      assert stored_claim.is_aws_tag == false
-      # can't update for non system claims
-      assert stored_claim.is_system_claim == false
+      expected_claim = %{
+        name: "sub2",
+        description: "Subject identifier",
+        is_active: true,
+        is_mandatory: false,
+        is_aws_tag: false,
+        is_system_claim: false
+      }
+
+      assert Enum.any?(response.claims, fn claim ->
+               Map.take(claim, Map.keys(expected_claim)) == expected_claim
+             end)
     end
 
     test ".get_jwt_config returns error for empty org_id" do