Commit ca1abe0f authored by Stan Hu's avatar Stan Hu

Merge branch 'sh-fix-deploy-key-lfs' into 'master'

Fix deploy keys not working with LFS auth check

See merge request gitlab-org/gitlab!65205
parents 54075699 1ce09d3c
...@@ -3,6 +3,7 @@ ...@@ -3,6 +3,7 @@
class DeployKey < Key class DeployKey < Key
include FromUnion include FromUnion
include IgnorableColumns include IgnorableColumns
include PolicyActor
has_many :deploy_keys_projects, inverse_of: :deploy_key, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent has_many :deploy_keys_projects, inverse_of: :deploy_key, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
has_many :projects, through: :deploy_keys_projects has_many :projects, through: :deploy_keys_projects
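Review bot: The new `include PolicyActor` line is the whole fix for deploy keys failing the LFS auth check, but nothing in the class says why a key now needs to act as a policy actor, and the module name alone does not convey that. A one-line comment above it would help the next reader: `# Lets a deploy key be the actor in DeclarativePolicy checks (e.g. ProjectPolicy for LFS auth), presumably independent of the user that created it`. Whether every `PolicyActor` predicate returns a safe default when the actor is a key rather than a user is not visible in this diff; the model spec's `respond_to?` loop checks presence of the methods, not their values, so I would confirm that separately. The class body continues past this hunk.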
...@@ -69,6 +69,16 @@ class ProjectPolicy < BasePolicy ...@@ -69,6 +69,16 @@ class ProjectPolicy < BasePolicy
project.merge_requests_allowing_push_to_user(user).any? project.merge_requests_allowing_push_to_user(user).any?
end end
desc "Deploy key with read access"
condition(:download_code_deploy_key) do
user.is_a?(DeployKey) && user.has_access_to?(project)
end
desc "Deploy key with write access"
condition(:push_code_deploy_key) do
user.is_a?(DeployKey) && user.can_push_to?(project)
end
desc "Deploy token with read_package_registry scope" desc "Deploy token with read_package_registry scope"
condition(:read_package_registry_deploy_token) do condition(:read_package_registry_deploy_token) do
user.is_a?(DeployToken) && user.has_access_to?(project) && user.read_package_registry user.is_a?(DeployToken) && user.has_access_to?(project) && user.read_package_registry
...@@ -616,6 +626,14 @@ class ProjectPolicy < BasePolicy ...@@ -616,6 +626,14 @@ class ProjectPolicy < BasePolicy
prevent :move_design prevent :move_design
end end
rule { download_code_deploy_key }.policy do
enable :download_code
end
rule { push_code_deploy_key }.policy do
enable :push_code
end
rule { read_package_registry_deploy_token }.policy do rule { read_package_registry_deploy_token }.policy do
enable :read_package enable :read_package
enable :read_project enable :read_project
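Review bot: In the conditions hunk, `desc "Deploy key with read access"` on `download_code_deploy_key` understates the condition: a write key also satisfies `has_access_to?` (the specs expect a write key to be allowed `:download_code`), and the `push_code_deploy_key` rule enables only `:push_code`, relying on this condition for the read side. `desc "Deploy key enabled on the project (read or write access)"` would describe it accurately. `has_access_to?` and `can_push_to?` are defined on DeployKey outside this diff, so their semantics are inferred from the specs. These rules grant repository access to an actor that is still denied `:read_project`; if the archived and repository-disabled `prevent` rules elsewhere in this policy are meant to keep applying to deploy keys (DeclarativePolicy lets `prevent` win over `enable`), a spec pinning that would be worth adding, since the new specs only cover a plain private project.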
...@@ -93,4 +93,46 @@ RSpec.describe DeployKey, :mailer do ...@@ -93,4 +93,46 @@ RSpec.describe DeployKey, :mailer do
end end
end end
end end
describe 'PolicyActor methods' do
let_it_be(:user) { create(:user) }
let_it_be(:deploy_key) { create(:deploy_key, user: user) }
let_it_be(:project) { create(:project, creator: user, namespace: user.namespace) }
let(:methods) { PolicyActor.instance_methods }
subject { deploy_key }
it 'responds to all PolicyActor methods' do
methods.each do |method|
expect(subject.respond_to?(method)).to be true
end
end
describe '#can?' do
it { expect(user.can?(:read_project, project)).to be true }
context 'when a read deploy key is enabled in the project' do
let!(:deploy_keys_project) { create(:deploy_keys_project, project: project, deploy_key: deploy_key) }
it { expect(subject.can?(:read_project, project)).to be false }
it { expect(subject.can?(:download_code, project)).to be true }
it { expect(subject.can?(:push_code, project)).to be false }
end
context 'when a write deploy key is enabled in the project' do
let!(:deploy_keys_project) { create(:deploy_keys_project, :write_access, project: project, deploy_key: deploy_key) }
it { expect(subject.can?(:read_project, project)).to be false }
it { expect(subject.can?(:download_code, project)).to be true }
it { expect(subject.can?(:push_code, project)).to be true }
end
context 'when the deploy key is not enabled in the project' do
it { expect(subject.can?(:read_project, project)).to be false }
it { expect(subject.can?(:download_code, project)).to be false }
it { expect(subject.can?(:push_code, project)).to be false }
end
end
end
end end
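Review bot: The `responds to all PolicyActor methods` example loops over `methods` with one `expect(...).to be true` per method, so the first missing method aborts the example and the failure message is just `expected true, got false` with no method name. `it { expect(subject).to respond_to(*methods) }` asserts the same thing, reports every missing method in one failure, and drops the loop. The `#can?` contexts that follow are fine as they are; they duplicate the policy spec's expectations, which is reasonable for exercising the `PolicyActor#can?` entry point on the key itself.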
...@@ -795,6 +795,37 @@ RSpec.describe ProjectPolicy do ...@@ -795,6 +795,37 @@ RSpec.describe ProjectPolicy do
end end
end end
context 'deploy key access' do
context 'private project' do
let(:project) { private_project }
let!(:deploy_key) { create(:deploy_key, user: owner) }
subject { described_class.new(deploy_key, project) }
context 'when a read deploy key is enabled in the project' do
let!(:deploy_keys_project) { create(:deploy_keys_project, project: project, deploy_key: deploy_key) }
it { is_expected.to be_allowed(:download_code) }
it { is_expected.to be_disallowed(:push_code) }
it { is_expected.to be_disallowed(:read_project) }
end
context 'when a write deploy key is enabled in the project' do
let!(:deploy_keys_project) { create(:deploy_keys_project, :write_access, project: project, deploy_key: deploy_key) }
it { is_expected.to be_allowed(:download_code) }
it { is_expected.to be_allowed(:push_code) }
it { is_expected.to be_disallowed(:read_project) }
end
context 'when the deploy key is not enabled in the project' do
it { is_expected.to be_disallowed(:download_code) }
it { is_expected.to be_disallowed(:push_code) }
it { is_expected.to be_disallowed(:read_project) }
end
end
end
context 'deploy token access' do context 'deploy token access' do
let!(:project_deploy_token) do let!(:project_deploy_token) do
create(:project_deploy_token, project: project, deploy_token: deploy_token) create(:project_deploy_token, project: project, deploy_token: deploy_token)
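Review bot: The new `deploy key access` contexts only cover a plain private project, so nothing checks that the project-level `prevent` rules still override the new deploy-key enables when the project is archived or its repository is disabled; with `:push_code` now granted directly from a key row, that is the case most worth pinning. Assuming the `:archived` factory trait and the archived `prevent :push_code` rule exist elsewhere in the policy (neither is visible here), a context like the one below inside `private project` would cover it; a sibling context for `repository_access_level` set to disabled would cover the read side. The `owner` and `private_project` helpers are defined outside this hunk.
```ruby
    # … unchanged: deploy_key, subject, read/write/not-enabled contexts …

    context 'when the project is archived' do
      let(:project) { create(:project, :private, :archived, namespace: owner.namespace) }
      let!(:deploy_keys_project) { create(:deploy_keys_project, :write_access, project: project, deploy_key: deploy_key) }

      it { is_expected.to be_allowed(:download_code) }
      it { is_expected.to be_disallowed(:push_code) }
    end
```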