1 files changed, 39 insertions, 3 deletions

diff --git a/spec/requests/api/ci/runner/jobs_artifacts_spec.rb b/spec/requests/api/ci/runner/jobs_artifacts_spec.rb
index 9369b6aa464..017a12a4a40 100644
--- a/spec/requests/api/ci/runner/jobs_artifacts_spec.rb
+++ b/spec/requests/api/ci/runner/jobs_artifacts_spec.rb
@@ -127,7 +127,7 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state do
               authorize_artifacts_with_token_in_params
             end
 
-            it_behaves_like 'API::CI::Runner application context metadata', '/api/:version/jobs/:id/artifacts/authorize' do
+            it_behaves_like 'API::CI::Runner application context metadata', 'POST /api/:version/jobs/:id/artifacts/authorize' do
               let(:send_request) { subject }
             end
 
@@ -180,6 +180,18 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state do
                 it_behaves_like 'authorizes local file'
               end
             end
+
+            context 'when job does not exist anymore' do
+              before do
+                allow(job).to receive(:id).and_return(non_existing_record_id)
+              end
+
+              it 'returns 403 Forbidden' do
+                subject
+
+                expect(response).to have_gitlab_http_status(:forbidden)
+              end
+            end
           end
         end
 
@@ -262,7 +274,7 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state do
       end
 
       describe 'POST /api/v4/jobs/:id/artifacts' do
-        it_behaves_like 'API::CI::Runner application context metadata', '/api/:version/jobs/:id/artifacts' do
+        it_behaves_like 'API::CI::Runner application context metadata', 'POST /api/:version/jobs/:id/artifacts' do
           let(:send_request) do
             upload_artifacts(file_upload, headers_with_token)
           end
@@ -321,6 +333,18 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state do
             end
           end
 
+          context 'when job does not exist anymore' do
+            before do
+              allow(job).to receive(:id).and_return(non_existing_record_id)
+            end
+
+            it 'returns 403 Forbidden' do
+              upload_artifacts(file_upload, headers_with_token)
+
+              expect(response).to have_gitlab_http_status(:forbidden)
+            end
+          end
+
           context 'when job is running' do
             shared_examples 'successful artifacts upload' do
               it 'updates successfully' do
@@ -784,7 +808,7 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state do
       describe 'GET /api/v4/jobs/:id/artifacts' do
         let(:token) { job.token }
 
-        it_behaves_like 'API::CI::Runner application context metadata', '/api/:version/jobs/:id/artifacts' do
+        it_behaves_like 'API::CI::Runner application context metadata', 'GET /api/:version/jobs/:id/artifacts' do
           let(:send_request) { download_artifact }
         end
 
@@ -867,6 +891,18 @@ RSpec.describe API::Ci::Runner, :clean_gitlab_redis_shared_state do
           end
         end
 
+        context 'when job does not exist anymore' do
+          before do
+            allow(job).to receive(:id).and_return(non_existing_record_id)
+          end
+
+          it 'responds with 403 Forbidden' do
+            get api("/jobs/#{job.id}/artifacts"), params: { token: token }, headers: headers
+
+            expect(response).to have_gitlab_http_status(:forbidden)
+          end
+        end
+
         def download_artifact(params = {}, request_headers = headers)
           params = params.merge(token: token)
           job.reload