1 files changed, 75 insertions, 3 deletions

diff --git a/spec/lib/gitlab/ci/jwt_v2_spec.rb b/spec/lib/gitlab/ci/jwt_v2_spec.rb
index 5eeab658a8e..528be4b5da7 100644
--- a/spec/lib/gitlab/ci/jwt_v2_spec.rb
+++ b/spec/lib/gitlab/ci/jwt_v2_spec.rb
@@ -2,11 +2,18 @@
 
 require 'spec_helper'
 
-RSpec.describe Gitlab::Ci::JwtV2 do
+RSpec.describe Gitlab::Ci::JwtV2, feature_category: :continuous_integration do
   let(:namespace) { build_stubbed(:namespace) }
   let(:project) { build_stubbed(:project, namespace: namespace) }
-  let(:user) { build_stubbed(:user) }
+  let(:user) do
+    build_stubbed(
+      :user,
+      identities: [build_stubbed(:identity, extern_uid: '1', provider: 'github')]
+    )
+  end
+
   let(:pipeline) { build_stubbed(:ci_pipeline, ref: 'auto-deploy-2020-03-19') }
+  let(:runner) { build_stubbed(:ci_runner) }
   let(:aud) { described_class::DEFAULT_AUD }
 
   let(:build) do
@@ -14,7 +21,8 @@ RSpec.describe Gitlab::Ci::JwtV2 do
       :ci_build,
       project: project,
       user: user,
-      pipeline: pipeline
+      pipeline: pipeline,
+      runner: runner
     )
   end
 
@@ -33,6 +41,18 @@ RSpec.describe Gitlab::Ci::JwtV2 do
       end
     end
 
+    it 'includes user identities when enabled' do
+      expect(user).to receive(:pass_user_identities_to_ci_jwt).and_return(true)
+      identities = payload[:user_identities].map { |identity| identity.slice(:extern_uid, :provider) }
+      expect(identities).to eq([{ extern_uid: '1', provider: 'github' }])
+    end
+
+    it 'does not include user identities when disabled' do
+      expect(user).to receive(:pass_user_identities_to_ci_jwt).and_return(false)
+
+      expect(payload).not_to include(:user_identities)
+    end
+
     context 'when given an aud' do
       let(:aud) { 'AWS' }
 
@@ -40,5 +60,57 @@ RSpec.describe Gitlab::Ci::JwtV2 do
         expect(payload[:aud]).to eq('AWS')
       end
     end
+
+    describe 'custom claims' do
+      describe 'runner_id' do
+        it 'is the ID of the runner executing the job' do
+          expect(payload[:runner_id]).to eq(runner.id)
+        end
+
+        context 'when build is not associated with a runner' do
+          let(:runner) { nil }
+
+          it 'is nil' do
+            expect(payload[:runner_id]).to be_nil
+          end
+        end
+      end
+
+      describe 'runner_environment' do
+        context 'when runner is gitlab-hosted' do
+          before do
+            allow(runner).to receive(:gitlab_hosted?).and_return(true)
+          end
+
+          it "is #{described_class::GITLAB_HOSTED_RUNNER}" do
+            expect(payload[:runner_environment]).to eq(described_class::GITLAB_HOSTED_RUNNER)
+          end
+        end
+
+        context 'when runner is self-hosted' do
+          before do
+            allow(runner).to receive(:gitlab_hosted?).and_return(false)
+          end
+
+          it "is #{described_class::SELF_HOSTED_RUNNER}" do
+            expect(payload[:runner_environment]).to eq(described_class::SELF_HOSTED_RUNNER)
+          end
+        end
+
+        context 'when build is not associated with a runner' do
+          let(:runner) { nil }
+
+          it 'is nil' do
+            expect(payload[:runner_environment]).to be_nil
+          end
+        end
+      end
+
+      describe 'sha' do
+        it 'is the commit revision the project is built for' do
+          expect(payload[:sha]).to eq(pipeline.sha)
+        end
+      end
+    end
   end
 end