Can't access subgroups packages with a group deploy token

Summary

Given

  • group/subgroup/project
  • a package on the project
  • a deploy token linked with group
  • the group level API url with subgroup

The deploy token can't be properly authenticated and the request gets rejected.

This is due to group_policy.rb, which grants the read_group permission only for the directly linked group (group) and not for any of its subgroups.

These requests fail with an unauthorized or not found response, depending on how the permission rejection is handled.

Yet, according to the documentation:

A deploy token created at the group level can be used across all projects that belong either to the specific group or to one of its subgroups.

these requests should be accepted.

Steps to reproduce

  1. Create a private group G
  2. Create a private subgroup SG
  3. Upload a nuget package to SG
  4. Create a deploy token for G
  5. Locally, in a folder, have this nuget.config file:
    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
        <packageSources>
            <add key="gitlab" value="http://host/api/v4/groups/<SG_ID>/-/packages/nuget/index.json" />
        </packageSources>
        <packageSourceCredentials>
            <gitlab>
                <add key="Username" value="<deploy_token_username>" />
                <add key="ClearTextPassword" value="<deploy_token_password>" />
            </gitlab>
        </packageSourceCredentials>
    </configuration>
  6. Try to pull the package from (3.)
    $ nuget install Package.Deeply.Nested.In.Groups -source gitlab
    Feeds used:
      http://gdk.test:8000/api/v4/groups/118/-/packages/nuget/index.json
    
    Installing package 'Package.Deeply.Nested.In.Groups' to '/Users/bananas/projects/sandbox/nuget/pullFromGroup'.
    MSBuild auto-detection: using msbuild version '15.0' from '/Library/Frameworks/Mono.framework/Versions/6.12.0/lib/mono/msbuild/15.0/bin'.
    Using credentials from config. UserName: gitlab+deploy-token-3
    The remote server indicated that the previous request was forbidden. Please provide credentials for: http://gdk.test:8000/api/v4/groups/118/-/packages/nuget/index.json
    UserName:

=> the request is rejected with 403 Forbidden 💥

What is the current bug behavior?

  • The request is rejected.

What is the expected correct behavior?

  • The request should be accepted.

Possible fixes

Credits to @sabrams

  • Create a #has_access_to_group? function on GroupDeployToken similar to this one
  • Update the Maven specs to test the URLs with group and subgroup using a deploy token linked to the group
  • Update the NuGet specs to test the URLs with group and subgroup using a deploy token linked to the group
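Added example (not GitLab's code, and not the actual group_policy.rb fix): a minimal in-memory model of the check a `GroupDeployToken#has_access_to_group?` method would have to perform, accepting the token's own group and every subgroup below it while rejecting parent and unrelated groups. The Group tree and the token class are constructed here to stand in for the real models.

```ruby
# Added example: a deploy token linked to group G must be accepted for G
# and for any subgroup of G, but not for G's parent or for unrelated
# groups. The Struct-based Group and GroupDeployToken are stand-ins for
# GitLab's database models.

Group = Struct.new(:id, :name, :parent) do
  # The group itself followed by each ancestor up to the root group.
  def self_and_ancestors
    chain = []
    node = self
    while node
      chain << node
      node = node.parent
    end
    chain
  end

  def full_path
    self_and_ancestors.reverse.map(&:name).join("/")
  end
end

# A deploy token is linked to exactly one group (the one it was created on).
GroupDeployToken = Struct.new(:group) do
  # `requested` is readable when the token's group is `requested` itself or
  # one of its ancestors, i.e. `requested` lies in the subtree rooted at the
  # token's group. A parent or sibling of the token's group does not qualify.
  def has_access_to_group?(requested)
    requested.self_and_ancestors.include?(group)
  end
end

# Constructed tree: G / SG / SSG, plus an unrelated top-level group H.
G   = Group.new(1, "G", nil)
SG  = Group.new(2, "SG", G)
SSG = Group.new(3, "SSG", SG)
H   = Group.new(4, "H", nil)

TOKEN_FOR_G = GroupDeployToken.new(G)

# Evaluate the check for each group a request could target, keyed by path.
def access_table(token, groups)
  groups.to_h { |g| [g.full_path, token.has_access_to_group?(g)] }
end

if __FILE__ == $PROGRAM_NAME
  access_table(TOKEN_FOR_G, [G, SG, SSG, H]).each do |path, ok|
    puts "#{path.ljust(10)} #{ok ? 'allowed' : 'rejected'}"
  end
end
```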
Edited by David Fernandez