Commit 3e4a5749 authored by Stan Hu's avatar Stan Hu

Fix deploy keys not working with LFS auth check

When a deploy key is presented to the initial auth check, a temporary
LFS deploy token is assigned to the request, regardless of whether the
user has access to the project.

When the LFS client presents this token,
`Gitlab::Auth::Result#lfs_deploy_token?` returns `true` if the deploy
key has access to the project. If it does, then the LFS auth check
succeeds, and LFS downloads proceed normally.

However, if `Gitlab::Auth::Result#lfs_deploy_token?` returns false,
`LfsRequest#lfs_download_access?` will then call
`user_can_download_code?` to check if the given deploy key has access to
download the repository code.

The introduction of
https://gitlab.com/gitlab-org/gitlab/-/merge_requests/62733 assumed that
anything passed to `ProjectPolicy` would include the `PolicyActor`
module. Since `DeployKey` did not, the auth check would fail with
`undefined method from_ci_job_token?`.

We fix this by delegating the `PolicyActor` methods to the user and
adding specific policies in `ProjectPolicy` for deploy keys to read or
write to a repository.

Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/334910

Changelog: fixed
parent 8a0c7e25
......@@ -3,6 +3,7 @@
class DeployKey < Key
include FromUnion
include IgnorableColumns
include PolicyActor
has_many :deploy_keys_projects, inverse_of: :deploy_key, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
has_many :projects, through: :deploy_keys_projects
......
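Review bot: `include PolicyActor` gives `DeployKey` whatever implementations that module defines, while the commit description says the `PolicyActor` methods are delegated to the key's user; no delegation is visible in this hunk, so it is worth confirming which of the two is intended. The difference matters for authorization: if the module's predicates return fixed defaults (its body is not shown here), a key whose owner is blocked or otherwise restricted would presumably be evaluated by `ProjectPolicy` as an unrestricted actor. I would add a comment above the include stating the intent, for example `# Deploy keys are their own policy actor; PolicyActor supplies the predicates ProjectPolicy calls`, and decide explicitly whether the owner's state should influence the result. The class body continues outside the hunk.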
......@@ -69,6 +69,16 @@ class ProjectPolicy < BasePolicy
project.merge_requests_allowing_push_to_user(user).any?
end
desc "Deploy key with read access"
condition(:download_code_deploy_key) do
user.is_a?(DeployKey) && user.has_access_to?(project)
end
desc "Deploy token with write access"
condition(:push_code_deploy_key) do
user.is_a?(DeployKey) && user.can_push_to?(project)
end
desc "Deploy token with read_package_registry scope"
condition(:read_package_registry_deploy_token) do
user.is_a?(DeployToken) && user.has_access_to?(project) && user.read_package_registry
......@@ -616,6 +626,14 @@ class ProjectPolicy < BasePolicy
prevent :move_design
end
rule { download_code_deploy_key }.policy do
enable :download_code
end
rule { push_code_deploy_key }.policy do
enable :push_code
end
rule { read_package_registry_deploy_token }.policy do
enable :read_package
enable :read_project
......
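Review bot: The `desc` on `push_code_deploy_key` in the first hunk reads "Deploy token with write access", but the condition checks `user.is_a?(DeployKey)`; it should be `desc "Deploy key with write access"` so the condition's description is not confused with the deploy token conditions that follow it. Both new rules in the second hunk only `enable` an ability, so they depend on `prevent` rules elsewhere in `ProjectPolicy` to keep denying access in states such as a disabled repository; those rules are outside the hunks shown, so this should be confirmed rather than assumed. `ProjectPolicy` starts and ends outside both hunks.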
......@@ -93,4 +93,46 @@ RSpec.describe DeployKey, :mailer do
end
end
end
describe 'PolicyActor methods' do
let_it_be(:user) { create(:user) }
let_it_be(:deploy_key) { create(:deploy_key, user: user) }
let_it_be(:project) { create(:project, creator: user, namespace: user.namespace) }
let(:methods) { PolicyActor.instance_methods }
subject { deploy_key }
it 'responds to all PolicyActor methods' do
methods.each do |method|
expect(subject.respond_to?(method)).to be true
end
end
describe '#can?' do
it { expect(user.can?(:read_project, project)).to be true }
context 'when a read deploy key is enabled in the project' do
let!(:deploy_keys_project) { create(:deploy_keys_project, project: project, deploy_key: deploy_key) }
it { expect(subject.can?(:read_project, project)).to be false }
it { expect(subject.can?(:download_code, project)).to be true }
it { expect(subject.can?(:push_code, project)).to be false }
end
context 'when a write deploy key is enabled in the project' do
let!(:deploy_keys_project) { create(:deploy_keys_project, :write_access, project: project, deploy_key: deploy_key) }
it { expect(subject.can?(:read_project, project)).to be false }
it { expect(subject.can?(:download_code, project)).to be true }
it { expect(subject.can?(:push_code, project)).to be true }
end
context 'when the deploy key is not enabled in the project' do
it { expect(subject.can?(:read_project, project)).to be false }
it { expect(subject.can?(:download_code, project)).to be false }
it { expect(subject.can?(:push_code, project)).to be false }
end
end
end
end
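Review bot: The example 'responds to all PolicyActor methods' cannot fail once `DeployKey` includes `PolicyActor`, because `respond_to?` is true for every instance method of an included module; it records the interface but says nothing about what each predicate returns for a deploy key. Since those return values decide how `ProjectPolicy` treats the key, I would replace or extend it with one expectation per predicate the policy consults, with the expected value chosen deliberately. In `#can?`, the first example checks `user.can?(:read_project, project)` rather than the subject; if it is meant as a contrast with the deploy key, give it a description string saying so.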
......@@ -795,6 +795,37 @@ RSpec.describe ProjectPolicy do
end
end
context 'deploy key access' do
context 'private project' do
let(:project) { private_project }
let!(:deploy_key) { create(:deploy_key, user: owner) }
subject { described_class.new(deploy_key, project) }
context 'when a read deploy key is enabled in the project' do
let!(:deploy_keys_project) { create(:deploy_keys_project, project: project, deploy_key: deploy_key) }
it { is_expected.to be_allowed(:download_code) }
it { is_expected.to be_disallowed(:push_code) }
it { is_expected.to be_disallowed(:read_project) }
end
context 'when a write deploy key is enabled in the project' do
let!(:deploy_keys_project) { create(:deploy_keys_project, :write_access, project: project, deploy_key: deploy_key) }
it { is_expected.to be_allowed(:download_code) }
it { is_expected.to be_allowed(:push_code) }
it { is_expected.to be_disallowed(:read_project) }
end
context 'when the deploy key is not enabled in the project' do
it { is_expected.to be_disallowed(:download_code) }
it { is_expected.to be_disallowed(:push_code) }
it { is_expected.to be_disallowed(:read_project) }
end
end
end
context 'deploy token access' do
let!(:project_deploy_token) do
create(:project_deploy_token, project: project, deploy_token: deploy_token)
......
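Review bot: The new 'deploy key access' context covers only `private_project` with a key created for `owner`, so it pins the enabling side of the new rules but not their interaction with anything that should deny access. Two cases worth adding are a key that is enabled on a different project from the one under test, and a project state in which pushing is expected to be prevented (for example an archived project, if `ProjectPolicy` prevents `push_code` there; that rule is not visible in this diff). The first fits the existing style: `let!(:deploy_keys_project) { create(:deploy_keys_project, project: other_project, deploy_key: deploy_key) }` followed by `it { is_expected.to be_disallowed(:download_code) }`, where `other_project` is a placeholder for whichever fixture the spec already provides.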