Deploy key cannot be used with the wiki when project repository is disabled
Summary
Deploy keys cannot be used for performing Git operations on wikis when the associated project repository is disabled.
As currently implemented, deploy key authorization checks the `repository_access_level` on a project. When this repository access level is disabled, Git operations are not allowed. Since Git access for wikis inherits this functionality, Git operations also don't work for wikis when `repository_access_level` is disabled.
Projects have a separate `wiki_access_level` which should be used in the case of wikis. This will make sure that Git access for wikis is decoupled from repositories.
Steps to reproduce
- Set up a deploy key on your test project
- Disable the repository in project settings
- Make sure that the wiki is enabled in project settings
- Use the deploy key to perform a Git clone on the wiki
- Git access should be denied.
What is the current bug behavior?
Git operations on wikis are denied with the below error message:
remote: You are not allowed to download files from this wiki.
What is the expected correct behavior?
Git operations should work for wikis even when the project repository is disabled.
Implementation Guide
The problem seems to be in https://gitlab.com/gitlab-org/gitlab/blob/6e994ff9/lib/gitlab/git_access.rb#L110. There, we check the access level value of the repository feature when the user is using a deploy key. But this is wrong in the context of wikis because we should be checking `wiki_access_level`.
But there is another problem. When the wiki is a group wiki, that line of code would also fail, which means that no group wiki can be cloned using a deploy key.
The fix would be something like:
```ruby
# lib/gitlab/git_access.rb
def deploy_key_can_download_code?
  authentication_abilities.include?(:download_code) &&
    deploy_key? &&
    deploy_key.has_access_to?(container) &&
    right_feature_access_level?
end

def right_feature_access_level?
  project? && project&.repository_access_level != ::Featurable::DISABLED
end

# lib/gitlab/git_access_wiki.rb
override :right_feature_access_level?
def right_feature_access_level?
  project? && project&.wiki_access_level != ::Featurable::DISABLED
end

# ee/lib/ee/gitlab/git_access_wiki.rb
override :right_feature_access_level?
def right_feature_access_level?
  return super unless container.is_a?(GroupWiki)

  # There is no access_level feature yet for group wikis
  # but, if we don't override this here, users won't be able to clone
  # group wikis using deploy tokens
  #
  # Once https://gitlab.com/gitlab-org/gitlab/-/issues/208412 is
  # implemented we can add the access_level to this checking.
  group?
end
```
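The decision matrix the proposed fix should satisfy, as an added standalone example that is not GitLab's code or part of the original issue. The classes, structs and the `allowed?` helper are hypothetical stand-ins for the real access classes, and the level constants are constructed values.

```ruby
# Simplified stand-ins (assumptions), not GitLab's real classes or constants.
DISABLED = 0
ENABLED  = 20

Project   = Struct.new(:repository_access_level, :wiki_access_level)
Group     = Struct.new(:name)
# has_access models deploy_key.has_access_to?(container)
DeployKey = Struct.new(:has_access)

# Behaviour described in the issue: every container is gated on the repository level.
class LegacyAccess
  def initialize(container, key, abilities)
    @container, @key, @abilities = container, key, abilities
  end

  def deploy_key_can_download_code?
    @abilities.include?(:download_code) && !@key.nil? &&
      @key.has_access && right_feature_access_level?
  end

  def right_feature_access_level?
    @container.is_a?(Project) && @container.repository_access_level != DISABLED
  end
end

# Proposed shape: each access class checks the feature it actually serves.
class RepoAccess < LegacyAccess; end

class WikiAccess < LegacyAccess
  def right_feature_access_level?
    @container.is_a?(Project) && @container.wiki_access_level != DISABLED
  end
end

class GroupWikiAccess < WikiAccess
  def right_feature_access_level?
    # Group wikis have no access level yet, so only the container type is checked.
    return super unless @container.is_a?(Group)
    true
  end
end

# Convenience wrapper: does a deploy key get read access through this class?
def allowed?(klass, container, key: DeployKey.new(true), abilities: [:download_code])
  klass.new(container, key, abilities).deploy_key_can_download_code?
end
```

The cases worth pinning in a spec are the denials as much as the new allowances: a disabled wiki, a key without access to the container, and a missing `:download_code` ability must all still be refused.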