Allow `$CI_JOB_TOKEN` to access the "Download a single artifact file" endpoints of the Jobs Artifacts API

What does this MR do?

While trying to use the API endpoint, @calebw pointed out to me that these two routes don't allow the use of `$CI_JOB_TOKEN` the same way the other two do, so with this MR I'm suggesting we add that.

It looks like when this ability was added in e2135248, these two endpoints didn't exist yet. /cc @ayufan

When they were added in 401f65c4, @azzsteve didn't include access for `$CI_JOB_TOKEN`; @steveazz, was this intentional, or did you simply forget to add this line?

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

This MR touches access levels and as such, it needs the security label and review from @gitlab-com/gl-security/appsec.

Note that I'm simply piggy-backing on the work done by other people and setting these two download API endpoints to the same access level as the other two. That said, there might have been good reasons not to do this; @steveazz might know.

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team

Closes #233795 (closed)

Edited by Eric Engestrom