
Dependency Proxy: add group access scope checks supporting all user types

🔥 Problem

Add scope checks when using Dependency Proxy wi... (!129697 - merged) introduced a problem as not all user types were considered during permissions evaluation.

See #431371 (comment 1641298850).

🚒 Solution

From #431371 (comment 1641298850):

I think I see the issue, previously there were some general checks on permissions such as access_level(for_any_session: true) >= GroupMember::GUEST and this would work across different user types.

In other words, previously, we had either a current_user or a deploy_token. The problem is that current_user could come from different user types.

With Add scope checks when using Dependency Proxy wi... (!129697 - merged), the current_user has been categorized in specific user types (human or bot) and by doing so, we left behind some other user types (service_account).


I think we need to update the flow of checks, as the MR goal was to check the scopes on group access tokens:

if deploy_token?
  process_deploy_token
elsif group_access_token?
  process_group_access_token
else
  access_level(for_any_session: true) >= GroupMember::GUEST
end

(3.) would be a fallback to keep the support to other user types.

Edited by David Fernandez
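
The problem and the proposed flow above, as an added Ruby sketch that is not part of the original issue and is not GitLab's code. The `Requester` struct, the `:example_scope` scope name, the numeric access levels and the sample requesters are all constructed assumptions; only the three-branch order comes from the quoted comment.

```ruby
# Added illustration: a simplified model of the two check flows, not GitLab code.
GUEST = 10                      # constructed stand-in for GroupMember::GUEST
REQUIRED_SCOPE = :example_scope # hypothetical scope name

Requester = Struct.new(:kind, :user_type, :access_level, :scopes, :group_token)

def token_scoped?(r)
  r.scopes.include?(REQUIRED_SCOPE)
end

# Flow with the problem: users are sorted into known types only.
def allowed_by_type?(r)
  return token_scoped?(r) if r.kind == :deploy_token

  case r.user_type
  when :human then r.access_level >= GUEST
  when :bot   then r.group_token && token_scoped?(r) && r.access_level >= GUEST
  else false # service_account and any other user type is left behind
  end
end

# Flow proposed in the comment: token-specific branches, then a general fallback.
def allowed_with_fallback?(r)
  if r.kind == :deploy_token
    token_scoped?(r)
  elsif r.group_token
    token_scoped?(r) && r.access_level >= GUEST
  else
    r.access_level >= GUEST
  end
end

# Constructed sample requesters.
SAMPLES = {
  "human guest"                    => Requester.new(:user, :human, 10, [], false),
  "service account, guest"         => Requester.new(:user, :service_account, 10, [], false),
  "service account, no membership" => Requester.new(:user, :service_account, 0, [], false),
  "group token with scope"         => Requester.new(:user, :bot, 20, [REQUIRED_SCOPE], true),
  "group token without scope"      => Requester.new(:user, :bot, 20, [], true),
  "deploy token with scope"        => Requester.new(:deploy_token, nil, 0, [REQUIRED_SCOPE], false)
}.freeze

# Returns { name => [allowed_by_type, allowed_with_fallback] }.
def compare(samples = SAMPLES)
  samples.transform_values { |r| [allowed_by_type?(r), allowed_with_fallback?(r)] }
end

compare.each { |name, (old, new)| puts "#{name}: by_type=#{old} fallback=#{new}" } if __FILE__ == $PROGRAM_NAME
```

Only the service account with guest membership changes outcome between the two flows; the unscoped group token and the non-member service account stay denied in both.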