Give forbidden if project for the build was deleted

Closes #25309

lib/ci/api/builds.rb

@@ -41,7 +41,7 @@ module Ci
         put ":id" do
           authenticate_runner!
           build = Ci::Build.where(runner_id: current_runner.id).running.find(params[:id])
-          forbidden!('Build has been erased!') if build.erased?
+          authenticate_build!(build, verify_token: false)
 
           update_runner_info
 
@@ -71,9 +71,7 @@ module Ci
         #   PATCH /builds/:id/trace.txt
         patch ":id/trace.txt" do
           build = Ci::Build.find_by_id(params[:id])
-          not_found! unless build
-          authenticate_build_token!(build)
-          forbidden!('Build has been erased!') if build.erased?
+          authenticate_build!(build)
 
           error!('400 Missing header Content-Range', 400) unless request.headers.has_key?('Content-Range')
           content_range = request.headers['Content-Range']
@@ -104,8 +102,7 @@ module Ci
           Gitlab::Workhorse.verify_api_request!(headers)
           not_allowed! unless Gitlab.config.artifacts.enabled
           build = Ci::Build.find_by_id(params[:id])
-          not_found! unless build
-          authenticate_build_token!(build)
+          authenticate_build!(build)
           forbidden!('build is not running') unless build.running?
 
           if params[:filesize]
@@ -142,10 +139,8 @@ module Ci
           require_gitlab_workhorse!
           not_allowed! unless Gitlab.config.artifacts.enabled
           build = Ci::Build.find_by_id(params[:id])
-          not_found! unless build
-          authenticate_build_token!(build)
+          authenticate_build!(build)
           forbidden!('Build is not running!') unless build.running?
-          forbidden!('Build has been erased!') if build.erased?
 
           artifacts_upload_path = ArtifactUploader.artifacts_upload_path
           artifacts = uploaded_file(:file, artifacts_upload_path)
@@ -176,8 +171,7 @@ module Ci
         #   GET /builds/:id/artifacts
         get ":id/artifacts" do
           build = Ci::Build.find_by_id(params[:id])
-          not_found! unless build
-          authenticate_build_token!(build)
+          authenticate_build!(build)
           artifacts_file = build.artifacts_file
 
           unless artifacts_file.file_storage?
@@ -202,8 +196,7 @@ module Ci
         #   DELETE /builds/:id/artifacts
         delete ":id/artifacts" do
           build = Ci::Build.find_by_id(params[:id])
-          not_found! unless build
-          authenticate_build_token!(build)
+          authenticate_build!(build)
 
           build.erase_artifacts!
         end

lib/ci/api/helpers.rb

@@ -13,8 +13,11 @@ module Ci
         forbidden! unless current_runner
       end
 
-      def authenticate_build_token!(build)
-        forbidden! unless build_token_valid?(build)
+      def authenticate_build!(build, verify_token: true)
+        not_found! unless build
+        forbidden! if verify_token && !build_token_valid?(build)
+        forbidden!('Project has been deleted!') unless build.project
+        forbidden!('Build has been erased!') if build.erased?
       end
 
       def runner_registration_token_valid?

spec/requests/ci/api/builds_spec.rb

@@ -329,6 +329,25 @@ describe Ci::API::Builds do
             end
           end
         end
+
+        context 'when project for the build has been deleted' do
+          let(:build) do
+            create(:ci_build,
+                   :pending,
+                   :trace,
+                   runner_id: runner.id,
+                   pipeline: pipeline)
+          end
+
+          it 'responds with forbidden' do
+            expect(response.status).to eq 403
+          end
+
+          def initial_patch_the_trace
+            build.project.update(pending_delete: true)
+            super
+          end
+        end
       end
 
       context 'when Runner makes a force-patch' do