
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2019-12-17 06:07:45 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2019-12-17 06:07:45 +0300
commit9763c081708e4c2e08de1f4e9ca9abdef5cffe3c (patch)
treeb27794ba1a039cdc42cdf5d90bcb7b7503437324 /lib/gitlab/auth
parent7480d774dfca97ea905321d52c70fd19496f0084 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'lib/gitlab/auth')
-rw-r--r--lib/gitlab/auth/auth_finders.rb14
-rw-r--r--lib/gitlab/auth/request_authenticator.rb3
2 files changed, 16 insertions, 1 deletions
diff --git a/lib/gitlab/auth/auth_finders.rb b/lib/gitlab/auth/auth_finders.rb
index 6210aca739a..33cbb070c2f 100644
--- a/lib/gitlab/auth/auth_finders.rb
+++ b/lib/gitlab/auth/auth_finders.rb
@@ -21,6 +21,7 @@ module Gitlab
prepend_if_ee('::EE::Gitlab::Auth::AuthFinders') # rubocop: disable Cop/InjectEnterpriseEditionModule
include Gitlab::Utils::StrongMemoize
+ include ActionController::HttpAuthentication::Basic
PRIVATE_TOKEN_HEADER = 'HTTP_PRIVATE_TOKEN'
PRIVATE_TOKEN_PARAM = :private_token
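Review bot: The added `include ActionController::HttpAuthentication::Basic` puts all of that module's methods, including generic names such as `authenticate` and `authentication_request`, onto every class that mixes in `AuthFinders`, where they can collide with the host's own methods. This commit uses only `has_basic_credentials?` and `user_name_and_password`, and the module exposes both as module functions, so the calls could be written as `ActionController::HttpAuthentication::Basic.has_basic_credentials?(current_request)` without the include. If the include stays, a comment such as `# only has_basic_credentials? and user_name_and_password are used` would tell the next reader why it is there.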
@@ -67,6 +68,19 @@ module Gitlab
job.user
end
+ def find_user_from_basic_auth_job
+ return unless has_basic_credentials?(current_request)
+
+ login, password = user_name_and_password(current_request)
+ return unless login.present? && password.present?
+ return unless ::Ci::Build::CI_REGISTRY_USER == login
+
+ job = ::Ci::Build.find_by_token(password)
+ raise UnauthorizedError unless job
+
+ job.user
+ end
+
# We only allow Private Access Tokens with `api` scope to be used by web
# requests on RSS feeds or ICS files for backwards compatibility.
# It is also used by GraphQL/API requests.
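Review bot: `find_user_from_basic_auth_job` accepts whatever build `::Ci::Build.find_by_token(password)` returns and never checks the build's state. Unless `find_by_token` already limits the lookup to running builds (not visible in this hunk), a token from a finished job would still authenticate as `job.user`. Consider `raise UnauthorizedError unless job&.running?`. The method also has no comment; something like `# Authenticates a CI job over HTTP Basic auth: the username must equal Ci::Build::CI_REGISTRY_USER and the password is the job token` would document the expected credential format.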
diff --git a/lib/gitlab/auth/request_authenticator.rb b/lib/gitlab/auth/request_authenticator.rb
index 9b1b7b8e879..34ccff588f4 100644
--- a/lib/gitlab/auth/request_authenticator.rb
+++ b/lib/gitlab/auth/request_authenticator.rb
@@ -32,7 +32,8 @@ module Gitlab
def find_sessionless_user(request_format)
find_user_from_web_access_token(request_format) ||
find_user_from_feed_token(request_format) ||
- find_user_from_static_object_token(request_format)
+ find_user_from_static_object_token(request_format) ||
+ find_user_from_basic_auth_job
rescue Gitlab::Auth::AuthenticationError
nil
end
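Review bot: Adding `find_user_from_basic_auth_job` to the `find_sessionless_user` chain accepts a CI job token sent via Basic auth on every request that reaches this method. Unlike the three finders above it, the new call takes no `request_format`, and no per-route opt-in is visible here. If only a subset of endpoints should accept job tokens, the call should be gated on that condition, with a comment naming the endpoints. The `rescue Gitlab::Auth::AuthenticationError` below presumably also catches the `UnauthorizedError` raised for an unknown token. If so, failed attempts end as `nil` with no log line, and logging them would help detect token guessing.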