Leaked CI_JOB_TOKEN can be used for triggering pipelines in public projects despite scoping

Problem

Ci inbound job token scope which restricts whether a project can access your project only applies to private projects currently.

This makes sense for certain read permissions which are unrestricted for registered users on public projects. However, not all register users are allowed to write to projects or read secrets for a public project or trigger pipelines and therefore public projects also need to be prevented from taking certain actions if they are not allowed based on token scoping configurations.

The api endpoint to trigger pipelines, a write endpoint, can be accessed via the CI_JOB_TOKEN.

Example attack

User A (the malicious user) has developer access only to project A.

User B has owner access to project A and B.

The CI_JOB_TOKEN is leaked for user B and User A sees it.

User A can trigger a pipeline to deploy the application for public project B.

Detailed Steps: #405369 (comment 1382293144)

Proposal

The simplest thing to do is remove the exclusions for public and internal projects:

diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 68f126574476..889becc1fccf 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -655,7 +655,7 @@ class ProjectPolicy < BasePolicy
     enable :read_project_for_iids
   end

-  rule { ~public_project & ~internal_access & ~project_allowed_for_job_token }.prevent_all
+  rule { ~project_allowed_for_job_token }.prevent_all

   rule { can?(:public_access) }.policy do
     enable :read_package

This is the new proposal, as the previous one will break too much for the customers

we could align CI_JOB_TOKEN access with general access to the repo (Project->Settings->Visibility, project features, permissions). As in, the CI_JOB_TOKEN would respect project permissions settings. Details in #405369 (comment 1463412587)