Merge branch 'sh-fix-deploy-key-lfs' into 'master'

Fix deploy keys not working with LFS auth check See merge request gitlab-org/gitlab!65205

Merge branch 'sh-fix-deploy-key-lfs' into 'master'
Fix deploy keys not working with LFS auth check See merge request gitlab-org/gitlab!65205
ca1abe0f · Stan Hu · 54075699 · 1ce09d3c · ca1abe0f · ca1abe0f
Commit ca1abe0f authored Jul 02, 2021 by Stan Hu
4 changed files
--- a/app/models/deploy_key.rb
+++ b/app/models/deploy_key.rb
@@ -3,6 +3,7 @@
 class DeployKey < Key
  include FromUnion
  include IgnorableColumns
+  include PolicyActor

  has_many :deploy_keys_projects, inverse_of: :deploy_key, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
  has_many :projects, through: :deploy_keys_projects

--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -69,6 +69,16 @@ class ProjectPolicy < BasePolicy
    project.merge_requests_allowing_push_to_user(user).any?
  end

+  desc "Deploy key with read access"
+  condition(:download_code_deploy_key) do
+    user.is_a?(DeployKey) && user.has_access_to?(project)
+  end
+
+  desc "Deploy key with write access"
+  condition(:push_code_deploy_key) do
+    user.is_a?(DeployKey) && user.can_push_to?(project)
+  end
+
  desc "Deploy token with read_package_registry scope"
  condition(:read_package_registry_deploy_token) do
    user.is_a?(DeployToken) && user.has_access_to?(project) && user.read_package_registry
@@ -616,6 +626,14 @@ class ProjectPolicy < BasePolicy
    prevent :move_design
  end

+  rule { download_code_deploy_key }.policy do
+    enable :download_code
+  end
+
+  rule { push_code_deploy_key }.policy do
+    enable :push_code
+  end
+
  rule { read_package_registry_deploy_token }.policy do
    enable :read_package
    enable :read_project

--- a/spec/models/deploy_key_spec.rb
+++ b/spec/models/deploy_key_spec.rb
@@ -93,4 +93,46 @@ RSpec.describe DeployKey, :mailer do
      end
    end
  end
+
+  describe 'PolicyActor methods' do
+    let_it_be(:user) { create(:user) }
+    let_it_be(:deploy_key) { create(:deploy_key, user: user) }
+    let_it_be(:project) { create(:project, creator: user, namespace: user.namespace) }
+
+    let(:methods) { PolicyActor.instance_methods }
+
+    subject { deploy_key }
+
+    it 'responds to all PolicyActor methods' do
+      methods.each do |method|
+        expect(subject.respond_to?(method)).to be true
+      end
+    end
+
+    describe '#can?' do
+      it { expect(user.can?(:read_project, project)).to be true }
+
+      context 'when a read deploy key is enabled in the project' do
+        let!(:deploy_keys_project) { create(:deploy_keys_project, project: project, deploy_key: deploy_key) }
+
+        it { expect(subject.can?(:read_project, project)).to be false }
+        it { expect(subject.can?(:download_code, project)).to be true }
+        it { expect(subject.can?(:push_code, project)).to be false }
+      end
+
+      context 'when a write deploy key is enabled in the project' do
+        let!(:deploy_keys_project) { create(:deploy_keys_project, :write_access, project: project, deploy_key: deploy_key) }
+
+        it { expect(subject.can?(:read_project, project)).to be false }
+        it { expect(subject.can?(:download_code, project)).to be true }
+        it { expect(subject.can?(:push_code, project)).to be true }
+      end
+
+      context 'when the deploy key is not enabled in the project' do
+        it { expect(subject.can?(:read_project, project)).to be false }
+        it { expect(subject.can?(:download_code, project)).to be false }
+        it { expect(subject.can?(:push_code, project)).to be false }
+      end
+    end
+  end
 end
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -795,6 +795,37 @@ RSpec.describe ProjectPolicy do
    end
  end

+  context 'deploy key access' do
+    context 'private project' do
+      let(:project) { private_project }
+      let!(:deploy_key) { create(:deploy_key, user: owner) }
+
+      subject { described_class.new(deploy_key, project) }
+
+      context 'when a read deploy key is enabled in the project' do
+        let!(:deploy_keys_project) { create(:deploy_keys_project, project: project, deploy_key: deploy_key) }
+
+        it { is_expected.to be_allowed(:download_code) }
+        it { is_expected.to be_disallowed(:push_code) }
+        it { is_expected.to be_disallowed(:read_project) }
+      end
+
+      context 'when a write deploy key is enabled in the project' do
+        let!(:deploy_keys_project) { create(:deploy_keys_project, :write_access, project: project, deploy_key: deploy_key) }
+
+        it { is_expected.to be_allowed(:download_code) }
+        it { is_expected.to be_allowed(:push_code) }
+        it { is_expected.to be_disallowed(:read_project) }
+      end
+
+      context 'when the deploy key is not enabled in the project' do
+        it { is_expected.to be_disallowed(:download_code) }
+        it { is_expected.to be_disallowed(:push_code) }
+        it { is_expected.to be_disallowed(:read_project) }
+      end
+    end
+  end
+
  context 'deploy token access' do
    let!(:project_deploy_token) do
      create(:project_deploy_token, project: project, deploy_token: deploy_token)