Allow user SSH public key endpoint to be publicly accessible again

A regression caused the User SSH public key endpoint to require
authentication when instance public visibility was restricted.
This endpoint should be available without authentication, matching
the behavior of the /api/v4/users/:id/keys endpoint.

app/controllers/users_controller.rb

@@ -17,7 +17,7 @@ class UsersController < ApplicationController
 
   skip_before_action :authenticate_user!
   prepend_before_action(only: [:show]) { authenticate_sessionless_user!(:rss) }
-  before_action :user, except: [:exists, :suggests]
+  before_action :user, except: [:exists, :suggests, :ssh_keys]
   before_action :authorize_read_user_profile!,
                 only: [:calendar, :calendar_activities, :groups, :projects, :contributed, :starred, :snippets]
 
@@ -41,7 +41,12 @@ class UsersController < ApplicationController
 
   # Get all keys of a user(params[:username]) in a text format
   # Helpful for sysadmins to put in respective servers
+  #
+  # Uses `UserFinder` rather than `find_routable!` because this endpoint should
+  # be publicly available regardless of instance visibility settings.
   def ssh_keys
+    user = UserFinder.new(params[:username]).find_by_username
+
     render plain: user.all_ssh_keys.join("\n")
   end
 

changelogs/unreleased/dblessing_fix_ssh_key_regression.yml

+---
+title: Allow user SSH public key endpoint to be publicly accessible again
+merge_request: 52227
+author:
+type: fixed

spec/requests/users_controller_spec.rb

@@ -268,6 +268,14 @@ RSpec.describe UsersController do
         end
 
         it_behaves_like 'renders all public keys'
+
+        context 'when public visibility is restricted' do
+          before do
+            stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
+          end
+
+          it_behaves_like 'renders all public keys'
+        end
       end
     end
   end