API::Ci::Helpers::Runner#authenticate_job! should use Ci::AuthJobFinder
Problem
The lib/api/runner.rb
endpoints use a legacy authentication mechanism authenticate_job!
. This mechanism is almost a duplication of Ci::AuthJobFinder
logic.
The Ci::AuthJobFinder
should be treated as the SSoT algorithm to find a valid job based on a CI_JOB_TOKEN.
Proposal
- Reuse
Ci::AuthJobFinder
insideauthenticate_job!
helper. - Ensure that the
current_job
matches the authenticated job returned byCi::AuthJobFinder
because CI_JOB_TOKEN for these endpoints can only be used to deal with the same job. - Rescue and handle errors from
Ci::AuthJobFinder
by returning the right response status. - Align the condition
Ci::AuthJobFinder#validate_running_job!
withAPI::Ci::Helpers::Runner#processing_on_runner?
.
We should also aim to set route_setting :authentication, job_token_allowed: true
for those endpoints.
Edited by Fabio Pitino