Merge branch 'allow-job-identiy-self' into 'master'

Allow a job token to identify himself on /job

See merge request gitlab-org/gitlab!51727

changelogs/unreleased/51727-allow-job-identiy-self.yml

+---
+title: Add API endpoint for fetching a single job by CI_JOB_TOKEN
+merge_request: 51727
+author: ahmet2mir
+type: added

doc/api/README.md

@@ -211,6 +211,7 @@ to authenticate with the API:
   - [Package Registry for PyPI](../user/packages/pypi_repository/index.md#authenticate-with-a-ci-job-token)
   - [Package Registry for generic packages](../user/packages/generic_packages/index.md#publish-a-generic-package-by-using-cicd)
 - [Get job artifacts](job_artifacts.md#get-job-artifacts)
+- [Get job token's job](jobs.md#get-job-tokens-job)
 - [Pipeline triggers](pipeline_triggers.md) (using the `token=` parameter)
 - [Release creation](releases/index.md#create-a-release)
 - [Terraform plan](../user/infrastructure/index.md)

doc/api/api_resources.md

@@ -146,6 +146,7 @@ The following API resources are available outside of project and group contexts
 | [Instance clusters](instance_clusters.md)          | `/admin/clusters`                                                       |
 | [Issues](issues.md)                                | `/issues` (also available for groups and projects)                      |
 | [Issues Statistics](issues_statistics.md)          | `/issues_statistics` (also available for groups and projects)           |
+| [Jobs](jobs.md)                                    | `/job`                                                                  |
 | [Keys](keys.md)                                    | `/keys`                                                                 |
 | [License](license.md) **(FREE SELF)**              | `/license`                                                              |
 | [Markdown](markdown.md)                            | `/markdown`                                                             |

doc/api/jobs.md

@@ -380,6 +380,76 @@ Example of response
 ]
 ```
 
+## Get job token's job
+
+Retrieve the job that generated a job token.
+
+```plaintext
+GET /job
+```
+
+Examples
+
+```shell
+curl --header "JOB-TOKEN: <your_job_token>" "https://gitlab.example.com/api/v4/job"
+curl "https://gitlab.example.com/api/v4/job?job_token=<your_job_token>"
+```
+
+Example of response
+
+```json
+{
+  "commit": {
+    "author_email": "admin@example.com",
+    "author_name": "Administrator",
+    "created_at": "2015-12-24T16:51:14.000+01:00",
+    "id": "0ff3ae198f8601a285adcf5c0fff204ee6fba5fd",
+    "message": "Test the CI integration.",
+    "short_id": "0ff3ae19",
+    "title": "Test the CI integration."
+  },
+  "coverage": null,
+  "allow_failure": false,
+  "created_at": "2015-12-24T15:51:21.880Z",
+  "started_at": "2015-12-24T17:54:30.733Z",
+  "finished_at": "2015-12-24T17:54:31.198Z",
+  "duration": 0.465,
+  "artifacts_expire_at": "2016-01-23T17:54:31.198Z",
+  "id": 8,
+  "name": "rubocop",
+  "pipeline": {
+    "id": 6,
+    "ref": "master",
+    "sha": "0ff3ae198f8601a285adcf5c0fff204ee6fba5fd",
+    "status": "pending"
+  },
+  "ref": "master",
+  "artifacts": [],
+  "runner": null,
+  "stage": "test",
+  "status": "failed",
+  "tag": false,
+  "web_url": "https://example.com/foo/bar/-/jobs/8",
+  "user": {
+    "id": 1,
+    "name": "Administrator",
+    "username": "root",
+    "state": "active",
+    "avatar_url": "http://www.gravatar.com/avatar/e64c7d89f26bd1972efa854d13d7dd61?s=80&d=identicon",
+    "web_url": "http://gitlab.dev/root",
+    "created_at": "2015-12-21T13:14:24.077Z",
+    "bio": null,
+    "location": null,
+    "public_email": "",
+    "skype": "",
+    "linkedin": "",
+    "twitter": "",
+    "website_url": "",
+    "organization": ""
+  }
+}
+```
+
 ## Get a single job
 
 Get a single job of a project

lib/api/jobs.rb

@@ -8,10 +8,11 @@ module API
 
     feature_category :continuous_integration
 
-    params do
-      requires :id, type: String, desc: 'The ID of a project'
-    end
     resource :projects, requirements: API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
+      params do
+        requires :id, type: String, desc: 'The ID of a project'
+      end
+
       helpers do
         params :optional_scope do
           optional :scope, types: [String, Array[String]], desc: 'The scope of builds to show',
@@ -168,6 +169,20 @@ module API
       end
     end
 
+    resource :job do
+      desc 'Get current project using job token' do
+        success Entities::Ci::Job
+      end
+      route_setting :authentication, job_token_allowed: true
+      get do
+        # current_authenticated_job will be nil if user is using
+        # a valid authentication that is not CI_JOB_TOKEN
+        not_found!('Job') unless current_authenticated_job
+
+        present current_authenticated_job, with: Entities::Ci::Job
+      end
+    end
+
     helpers do
       # rubocop: disable CodeReuse/ActiveRecord
       def filter_builds(builds, scope)

spec/requests/api/jobs_spec.rb

@@ -3,6 +3,9 @@
 require 'spec_helper'
 
 RSpec.describe API::Jobs do
+  include HttpBasicAuthHelpers
+  include DependencyProxyHelpers
+
   using RSpec::Parameterized::TableSyntax
   include HttpIOHelpers
 
@@ -16,20 +19,150 @@ RSpec.describe API::Jobs do
                          ref: project.default_branch)
   end
 
-  let!(:job) do
-    create(:ci_build, :success, :tags, pipeline: pipeline,
-                                artifacts_expire_at: 1.day.since)
-  end
-
   let(:user) { create(:user) }
   let(:api_user) { user }
   let(:reporter) { create(:project_member, :reporter, project: project).user }
   let(:guest) { create(:project_member, :guest, project: project).user }
 
+  let(:running_job) do
+    create(:ci_build, :running, project: project,
+                                user: user,
+                                pipeline: pipeline,
+                                artifacts_expire_at: 1.day.since)
+  end
+
+  let!(:job) do
+    create(:ci_build, :success, :tags, pipeline: pipeline,
+                                artifacts_expire_at: 1.day.since)
+  end
+
   before do
     project.add_developer(user)
   end
 
+  shared_examples 'returns common pipeline data' do
+    it 'returns common pipeline data' do
+      expect(json_response['pipeline']).not_to be_empty
+      expect(json_response['pipeline']['id']).to eq jobx.pipeline.id
+      expect(json_response['pipeline']['ref']).to eq jobx.pipeline.ref
+      expect(json_response['pipeline']['sha']).to eq jobx.pipeline.sha
+      expect(json_response['pipeline']['status']).to eq jobx.pipeline.status
+    end
+  end
+
+  shared_examples 'returns common job data' do
+    it 'returns common job data' do
+      expect(response).to have_gitlab_http_status(:ok)
+      expect(json_response['id']).to eq(jobx.id)
+      expect(json_response['status']).to eq(jobx.status)
+      expect(json_response['stage']).to eq(jobx.stage)
+      expect(json_response['name']).to eq(jobx.name)
+      expect(json_response['ref']).to eq(jobx.ref)
+      expect(json_response['tag']).to eq(jobx.tag)
+      expect(json_response['coverage']).to eq(jobx.coverage)
+      expect(json_response['allow_failure']).to eq(jobx.allow_failure)
+      expect(Time.parse(json_response['created_at'])).to be_like_time(jobx.created_at)
+      expect(Time.parse(json_response['started_at'])).to be_like_time(jobx.started_at)
+      expect(Time.parse(json_response['artifacts_expire_at'])).to be_like_time(jobx.artifacts_expire_at)
+      expect(json_response['artifacts_file']).to be_nil
+      expect(json_response['artifacts']).to be_an Array
+      expect(json_response['artifacts']).to be_empty
+      expect(json_response['web_url']).to be_present
+    end
+  end
+
+  shared_examples 'returns unauthorized' do
+    it 'returns unauthorized' do
+      expect(response).to have_gitlab_http_status(:unauthorized)
+    end
+  end
+
+  describe 'GET /job' do
+    shared_context 'with auth headers' do
+      let(:headers_with_token) { header }
+      let(:params_with_token) { {} }
+    end
+
+    shared_context 'with auth params' do
+      let(:headers_with_token) { {} }
+      let(:params_with_token) { param }
+    end
+
+    shared_context 'without auth' do
+      let(:headers_with_token) { {} }
+      let(:params_with_token) { {} }
+    end
+
+    before do |example|
+      unless example.metadata[:skip_before_request]
+        get api('/job'), headers: headers_with_token, params: params_with_token
+      end
+    end
+
+    context 'with job token authentication header' do
+      include_context 'with auth headers' do
+        let(:header) { { API::Helpers::Runner::JOB_TOKEN_HEADER => running_job.token } }
+      end
+
+      it_behaves_like 'returns common job data' do
+        let(:jobx) { running_job }
+      end
+
+      it 'returns specific job data' do
+        expect(json_response['finished_at']).to be_nil
+      end
+
+      it_behaves_like 'returns common pipeline data' do
+        let(:jobx) { running_job }
+      end
+    end
+
+    context 'with job token authentication params' do
+      include_context 'with auth params' do
+        let(:param) { { job_token: running_job.token } }
+      end
+
+      it_behaves_like 'returns common job data' do
+        let(:jobx) { running_job }
+      end
+
+      it 'returns specific job data' do
+        expect(json_response['finished_at']).to be_nil
+      end
+
+      it_behaves_like 'returns common pipeline data' do
+        let(:jobx) { running_job }
+      end
+    end
+
+    context 'with non running job' do
+      include_context 'with auth headers' do
+        let(:header) { { API::Helpers::Runner::JOB_TOKEN_HEADER => job.token } }
+      end
+
+      it_behaves_like 'returns unauthorized'
+    end
+
+    context 'with basic auth header' do
+      let(:personal_access_token) { create(:personal_access_token, user: user) }
+      let(:token) { personal_access_token.token}
+
+      include_context 'with auth headers' do
+        let(:header) { { Gitlab::Auth::AuthFinders::PRIVATE_TOKEN_HEADER => token } }
+      end
+
+      it 'does not return a job' do
+        expect(response).to have_gitlab_http_status(:not_found)
+      end
+    end
+
+    context 'without authentication' do
+      include_context 'without auth'
+
+      it_behaves_like 'returns unauthorized'
+    end
+  end
+
   describe 'GET /projects/:id/jobs' do
     let(:query) { {} }
 
@@ -150,39 +283,21 @@ RSpec.describe API::Jobs do
     end
 
     context 'authorized user' do
+      it_behaves_like 'returns common job data' do
+        let(:jobx) { job }
+      end
+
       it 'returns specific job data' do
-        expect(response).to have_gitlab_http_status(:ok)
-        expect(json_response['id']).to eq(job.id)
-        expect(json_response['status']).to eq(job.status)
-        expect(json_response['stage']).to eq(job.stage)
-        expect(json_response['name']).to eq(job.name)
-        expect(json_response['ref']).to eq(job.ref)
-        expect(json_response['tag']).to eq(job.tag)
-        expect(json_response['coverage']).to eq(job.coverage)
-        expect(json_response['allow_failure']).to eq(job.allow_failure)
-        expect(Time.parse(json_response['created_at'])).to be_like_time(job.created_at)
-        expect(Time.parse(json_response['started_at'])).to be_like_time(job.started_at)
         expect(Time.parse(json_response['finished_at'])).to be_like_time(job.finished_at)
-        expect(Time.parse(json_response['artifacts_expire_at'])).to be_like_time(job.artifacts_expire_at)
-        expect(json_response['artifacts_file']).to be_nil
-        expect(json_response['artifacts']).to be_an Array
-        expect(json_response['artifacts']).to be_empty
         expect(json_response['duration']).to eq(job.duration)
-        expect(json_response['web_url']).to be_present
       end
 
       it_behaves_like 'a job with artifacts and trace', result_is_array: false do
         let(:api_endpoint) { "/projects/#{project.id}/jobs/#{second_job.id}" }
       end
 
-      it 'returns pipeline data' do
-        json_job = json_response
-
-        expect(json_job['pipeline']).not_to be_empty
-        expect(json_job['pipeline']['id']).to eq job.pipeline.id
-        expect(json_job['pipeline']['ref']).to eq job.pipeline.ref
-        expect(json_job['pipeline']['sha']).to eq job.pipeline.sha
-        expect(json_job['pipeline']['status']).to eq job.pipeline.status
+      it_behaves_like 'returns common pipeline data' do
+        let(:jobx) { job }
       end
     end