Add latest changes from gitlab-org/gitlab@13-6-stable-eev13.6.0-rc42

1 files changed, 14 insertions, 2 deletions

diff --git a/lib/gitlab/ci/jwt.rb b/lib/gitlab/ci/jwt.rb
index 491facd0a43..a8943eadf4f 100644
--- a/lib/gitlab/ci/jwt.rb
+++ b/lib/gitlab/ci/jwt.rb
@@ -6,6 +6,8 @@ module Gitlab
       NOT_BEFORE_TIME = 5
       DEFAULT_EXPIRE_TIME = 60 * 5
 
+      NoSigningKeyError = Class.new(StandardError)
+
       def self.for_build(build)
         self.new(build, ttl: build.metadata_timeout).encoded
       end
@@ -27,7 +29,7 @@ module Gitlab
 
       private
 
-      attr_reader :build, :ttl, :key_data
+      attr_reader :build, :ttl
 
       def reserved_claims
         now = Time.now.to_i
@@ -60,7 +62,17 @@ module Gitlab
       end
 
       def key
-        @key ||= OpenSSL::PKey::RSA.new(Rails.application.secrets.openid_connect_signing_key)
+        @key ||= begin
+                   key_data = if Feature.enabled?(:ci_jwt_signing_key, build.project, default_enabled: true)
+                                Gitlab::CurrentSettings.ci_jwt_signing_key
+                              else
+                                Rails.application.secrets.openid_connect_signing_key
+                              end
+
+                   raise NoSigningKeyError unless key_data
+
+                   OpenSSL::PKey::RSA.new(key_data)
+                 end
       end
 
       def public_key