Fix `#current_authenticate_job` with `.authenticate_with`

Properly get the job from the `namespace_inheritable`

Fix `#current_authenticate_job` with `.authenticate_with`
Properly get the job from the `namespace_inheritable`
5bd0917d · David Fernandez · Sean McGivern · e1cda699 · 5bd0917d · 5bd0917d
Commit 5bd0917d authored Mar 23, 2021 by David Fernandez Committed by Sean McGivern Mar 23, 2021
7 changed files
--- a/changelogs/unreleased/299685-fix-packages-build-info-when-pushed-with-job-token.yml
+++ b/changelogs/unreleased/299685-fix-packages-build-info-when-pushed-with-job-token.yml
+---
+title: Fix `#current_authenticated_job` when used with `.authenticate_with` in Grape APIs
+merge_request: 56564
+author:
+type: fixed
--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -48,7 +48,11 @@ module API
    # Returns the job associated with the token provided for
    # authentication, if any
    def current_authenticated_job
-      @current_authenticated_job
+      if try(:namespace_inheritable, :authentication)
+        ci_build_from_namespace_inheritable
+      else
+        @current_authenticated_job # rubocop:disable Gitlab/ModuleWithInstanceVariables
+      end
    end

    # rubocop:disable Gitlab/ModuleWithInstanceVariables

--- a/lib/api/helpers/authentication.rb
+++ b/lib/api/helpers/authentication.rb
@@ -52,6 +52,11 @@ module API
            token&.user
          end

+          def ci_build_from_namespace_inheritable
+            token = token_from_namespace_inheritable
+            token if token.is_a?(::Ci::Build)
+          end
+
          private

          def find_token_from_raw_credentials(token_types, raw)

--- a/spec/lib/api/helpers/authentication_spec.rb
+++ b/spec/lib/api/helpers/authentication_spec.rb
@@ -7,6 +7,7 @@ RSpec.describe API::Helpers::Authentication do
  let_it_be(:project, reload: true) { create(:project, :public) }
  let_it_be(:personal_access_token) { create(:personal_access_token, user: user) }
  let_it_be(:deploy_token) { create(:deploy_token, read_package_registry: true, write_package_registry: true) }
+  let_it_be(:ci_build) { create(:ci_build, :running, user: user) }

  describe 'class methods' do
    subject { Class.new.include(described_class::ClassMethods).new }
@@ -176,6 +177,20 @@ RSpec.describe API::Helpers::Authentication do
      end
    end

+    describe '#ci_build_from_namespace_inheritable' do
+      subject { object.ci_build_from_namespace_inheritable }
+
+      it 'returns #token_from_namespace_inheritable if it is a ci build' do
+        expect(object).to receive(:token_from_namespace_inheritable).and_return(ci_build)
+        expect(subject).to be(ci_build)
+      end
+
+      it 'returns nil if #token_from_namespace_inheritable is not a ci build' do
+        expect(object).to receive(:token_from_namespace_inheritable).and_return(personal_access_token)
+        expect(subject).to eq(nil)
+      end
+    end
+
    describe '#user_from_namespace_inheritable' do
      subject { object.user_from_namespace_inheritable }


--- a/spec/requests/api/nuget_project_packages_spec.rb
+++ b/spec/requests/api/nuget_project_packages_spec.rb
@@ -188,6 +188,10 @@ RSpec.describe API::NugetProjectPackages do

    it_behaves_like 'deploy token for package uploads'

+    it_behaves_like 'job token for package uploads', authorize_endpoint: true do
+      let_it_be(:job) { create(:ci_build, :running, user: user) }
+    end
+
    it_behaves_like 'rejects nuget access with unknown target id'

    it_behaves_like 'rejects nuget access with invalid target id'
@@ -251,6 +255,10 @@ RSpec.describe API::NugetProjectPackages do

    it_behaves_like 'deploy token for package uploads'

+    it_behaves_like 'job token for package uploads' do
+      let_it_be(:job) { create(:ci_build, :running, user: user) }
+    end
+
    it_behaves_like 'rejects nuget access with unknown target id'

    it_behaves_like 'rejects nuget access with invalid target id'

--- a/spec/requests/api/pypi_packages_spec.rb
+++ b/spec/requests/api/pypi_packages_spec.rb
@@ -118,7 +118,7 @@ RSpec.describe API::PypiPackages do

    it_behaves_like 'deploy token for package uploads'

-    it_behaves_like 'job token for package uploads'
+    it_behaves_like 'job token for package uploads', authorize_endpoint: true

    it_behaves_like 'rejects PyPI access with unknown project id'
  end

--- a/spec/support/shared_examples/requests/api/packages_shared_examples.rb
+++ b/spec/support/shared_examples/requests/api/packages_shared_examples.rb
@@ -100,7 +100,7 @@ RSpec.shared_examples 'job token for package GET requests' do
  end
 end

-RSpec.shared_examples 'job token for package uploads' do
+RSpec.shared_examples 'job token for package uploads' do |authorize_endpoint: false|
  context 'with job token headers' do
    let(:headers) { basic_auth_header(::Gitlab::Auth::CI_JOB_USER, job.token).merge(workhorse_headers) }

@@ -111,6 +111,17 @@ RSpec.shared_examples 'job token for package uploads' do

    context 'valid token' do
      it_behaves_like 'returning response status', :success
+
+      unless authorize_endpoint
+        it 'creates a package with build info' do
+          expect { subject }.to change { Packages::Package.count }.by(1)
+
+          pkg = ::Packages::Package.order_created
+                                   .last
+
+          expect(pkg.build_infos).to be
+        end
+      end
    end

    context 'invalid token' do