Fix deploy keys not working with LFS auth check

Stan Hu requested to merge sh-fix-deploy-key-lfs into master

When a deploy key is presented to the initial auth check, a temporary LFS deploy token is assigned to the request, regardless of whether the user has access to the project.

When the LFS client presents this token, Gitlab::Auth::Result#lfs_deploy_token? returns true if the deploy key has access to the project. If it does, then the LFS auth check succeeds, and LFS downloads proceed normally.

However, if Gitlab::Auth::Result#lfs_deploy_token? returns false, LfsRequest#lfs_download_access? will then call user_can_download_code? to check if the given deploy key has access to download the repository code.

The introduction of !62733 (merged) assumed that anything passed to ProjectPolicy would include the PolicyActor module. Since DeployKey did not, the auth check would fail with undefined method from_ci_job_token?.

We fix this by including the default PolicyActor and adding specific policies in ProjectPolicy for deploy keys to read or write to a repository.

Relates to #334910 (closed)

Edited by Stan Hu
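
The failure mode described above, as an added example that is not part of the merge request or GitLab's code: a simplified Ruby model in which a policy calls a predicate on whatever actor it receives. Only the names `PolicyActor`, `DeployKey` and `from_ci_job_token?` come from the description; `User`, `BareDeployKey`, `download_code?`, `check`, `can_read?`, `member?` and `deploy_key?` are assumptions made for illustration.

```ruby
# Simplified model of the bug and the fix; not GitLab's implementation.

# Default answers for every predicate a policy may ask of an actor.
module PolicyActor
  def from_ci_job_token?
    false
  end

  def deploy_key?
    false
  end
end

class User # hypothetical actor that already includes the defaults
  include PolicyActor
  def initialize(projects); @projects = projects; end
  def member?(project); @projects.include?(project); end
end

# "Before": an actor without PolicyActor. Any predicate the policy adds later
# is undefined here, so the check raises instead of returning a decision.
class BareDeployKey
  def initialize(readable); @readable = readable; end
  def can_read?(project); @readable.include?(project); end
end

# "After": include the defaults and override only what differs.
class DeployKey < BareDeployKey
  include PolicyActor
  def deploy_key?; true; end
end

# Hypothetical policy rule: CI job tokens are refused, deploy keys are checked
# against their own project grants, everyone else by membership.
def download_code?(actor, project)
  return false if actor.from_ci_job_token? # NoMethodError for BareDeployKey
  return actor.can_read?(project) if actor.deploy_key?
  actor.member?(project)
end

# Wrapper that reports the three possible outcomes of the check.
def check(actor, project)
  download_code?(actor, project) ? :allowed : :denied
rescue NoMethodError => e
  "error: #{e.name}"
end
```

A spec that passes each actor type through the policy, in the style of `check` above, catches a new predicate that one actor class does not answer.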