jenkinsci / oidc-provider-plugin

OpenID Connect Provider Plugin for Jenkins
https://plugins.jenkins.io/oidc-provider/
MIT License

GIT_URL and GIT_COMMIT are not replaced in claims #43

Open gczuczy opened 4 months ago

gczuczy commented 4 months ago

Jenkins and plugins versions report


What Operating System are you using (both controller, and any agents involved in the problem)?

Linux

Reproduction steps

  1. Add a build-scoped claim template, which is referencing ${GIT_URL} and another for ${GIT_COMMIT}
  2. Observe the claim in the generated token; it will not be substituted:

Expected Results

Having the URL of the repository and the commit sha in the claims

Actual Results

```text
11:13:05  + echo ****
11:13:05  + jwt -show -
11:13:05  Header:
11:13:05  {
11:13:05      "alg": "RS256",
11:13:05      "kid": "x-test-id"
11:13:05  }
11:13:05  Claims:
11:13:05  {
11:13:05      "aud": "test",
11:13:05      "build_number": 24,
11:13:05      "changebranch": "test-pr",
11:13:05      "changeid": "1",
11:13:05      "exp": 1714385584,
11:13:05      "git_commit": "${GIT_COMMIT}",
11:13:05      "git_url": "${GIT_URL}",
11:13:05      "github_repo": "${GITHUB_REPO}",
11:13:05      "iat": 1714381984,
```

Anything else?

Documentation said that this is supposed to be working, however apparently it's not working.

Are you interested in contributing a fix?

No response

jglick commented 1 month ago

> Documentation said that this is supposed to be working

What specifically said this was supposed to be working? I am not aware of anything that would automatically set such environment variables on a build.
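
An added example, not part of the issue thread or the plugin's code: a diagnostic that decodes a token's payload and reports claims still carrying literal `${NAME}` references, as in the output reported above. The function names are hypothetical, the sample token is constructed from the claim values shown in the report, and the signature is not verified, so this is a pre-flight check rather than token validation.

```python
import base64
import json
import re

# Matches an unexpanded template reference such as ${GIT_URL}.
PLACEHOLDER = re.compile(r"\$\{[A-Za-z_][A-Za-z0-9_]*\}")


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWS. The signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def unexpanded_claims(claims: dict) -> dict:
    """Map claim name -> placeholders left in its string value(s)."""
    found = {}
    for name, value in claims.items():
        values = value if isinstance(value, list) else [value]
        hits = [m for v in values if isinstance(v, str) for m in PLACEHOLDER.findall(v)]
        if hits:
            found[name] = hits
    return found


def make_sample_token() -> str:
    """Constructed sample: claim values from the report, dummy signature."""
    header = {"alg": "RS256", "kid": "x-test-id"}
    claims = {"aud": "test", "build_number": 24, "changebranch": "test-pr", "changeid": "1",
              "exp": 1714385584, "git_commit": "${GIT_COMMIT}", "git_url": "${GIT_URL}",
              "github_repo": "${GITHUB_REPO}", "iat": 1714381984}
    parts = [json.dumps(header).encode(), json.dumps(claims).encode(), b"constructed-not-a-signature"]
    return ".".join(base64.urlsafe_b64encode(p).rstrip(b"=").decode() for p in parts)


if __name__ == "__main__":
    for claim, refs in unexpanded_claims(decode_claims(make_sample_token())).items():
        print(f"claim {claim!r} still contains {refs}")
```

Run in the pipeline right after the token is issued, a non-empty result can fail the build before the token reaches a relying party whose trust policy matches on `git_url` or `git_commit`.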