Merge branch '37898-job-token-authentication-should-be-allowed-at-core-tier' into 'master'

Enable Job-Token authentication in GitLab Core

Closes #37898

See merge request gitlab-org/gitlab!21120

doc/api/README.md

@@ -82,7 +82,7 @@ There are four ways to authenticate with the GitLab API:
 1. [OAuth2 tokens](#oauth2-tokens)
 1. [Personal access tokens](#personal-access-tokens)
 1. [Session cookie](#session-cookie)
-1. [GitLab CI job token](#gitlab-ci-job-token-premium) **(PREMIUM)**
+1. [GitLab CI job token](#gitlab-ci-job-token) **(Specific endpoints only)**
 
 For admins who want to authenticate with the API as a specific user, or who want to build applications or scripts that do so, two options are available:
 
@@ -152,13 +152,14 @@ The primary user of this authentication method is the web frontend of GitLab its
 which can use the API as the authenticated user to get a list of their projects,
 for example, without needing to explicitly pass an access token.
 
-### GitLab CI job token **(PREMIUM)**
+### GitLab CI job token
 
 With a few API endpoints you can use a [GitLab CI job token](../user/project/new_ci_build_permissions_model.md#job-token)
 to authenticate with the API:
 
 - [Get job artifacts](jobs.md#get-job-artifacts)
 - [Pipeline triggers](pipeline_triggers.md)
+- [Release creation](releases/index.md#create-a-release)
 
 ### Impersonation tokens
 

ee/lib/ee/gitlab/auth/user_auth_finders.rb

@@ -7,28 +7,11 @@ module EE
         extend ActiveSupport::Concern
         extend ::Gitlab::Utils::Override
 
-        JOB_TOKEN_HEADER = "HTTP_JOB_TOKEN".freeze
-        JOB_TOKEN_PARAM = :job_token
-
         def find_user_from_bearer_token
           find_user_from_job_bearer_token ||
             find_user_from_access_token
         end
 
-        def find_user_from_job_token
-          return unless route_authentication_setting[:job_token_allowed]
-
-          token = (params[JOB_TOKEN_PARAM] || env[JOB_TOKEN_HEADER]).to_s
-          return unless token.present?
-
-          job = ::Ci::Build.find_by_token(token)
-          raise ::Gitlab::Auth::UnauthorizedError unless job
-
-          @current_authenticated_job = job # rubocop:disable Gitlab/ModuleWithInstanceVariables
-
-          job.user
-        end
-
         override :find_oauth_access_token
         def find_oauth_access_token
           return if scim_request?

lib/api/api_guard.rb

@@ -63,7 +63,9 @@ module API
       end
 
       def find_user_from_sources
-        find_user_from_access_token || find_user_from_warden
+        find_user_from_access_token ||
+          find_user_from_job_token ||
+          find_user_from_warden
       end
 
       private

lib/gitlab/auth/user_auth_finders.rb

@@ -24,6 +24,8 @@ module Gitlab
 
       PRIVATE_TOKEN_HEADER = 'HTTP_PRIVATE_TOKEN'
       PRIVATE_TOKEN_PARAM = :private_token
+      JOB_TOKEN_HEADER = "HTTP_JOB_TOKEN".freeze
+      JOB_TOKEN_PARAM = :job_token
 
       # Check the Rails session for valid authentication details
       def find_user_from_warden
@@ -50,6 +52,20 @@ module Gitlab
         User.find_by_feed_token(token) || raise(UnauthorizedError)
       end
 
+      def find_user_from_job_token
+        return unless route_authentication_setting[:job_token_allowed]
+
+        token = (params[JOB_TOKEN_PARAM] || env[JOB_TOKEN_HEADER]).to_s
+        return unless token.present?
+
+        job = ::Ci::Build.find_by_token(token)
+        raise ::Gitlab::Auth::UnauthorizedError unless job
+
+        @current_authenticated_job = job # rubocop:disable Gitlab/ModuleWithInstanceVariables
+
+        job.user
+      end
+
       # We only allow Private Access Tokens with `api` scope to be used by web
       # requests on RSS feeds or ICS files for backwards compatibility.
       # It is also used by GraphQL/API requests.