Group Deploy Keys lack access validation methods
Context
While working on !60809 (closed), trying to implement specs for the GroupDepolyKeys it turned out that the backend code
of the GroupDeployKeys has very little test coverage which only tests for user access to the GroupDeployKeys but there seem to be no tests to check the GroupDeployKey's access to projects and methods like personal_access_token via ssh.
Functional concern
From what I see in the GroupDeployKey model compared to DeployKeys there seems to be a lack of methods like has_access_to? and can_push? to verify the key's access for Git operations.
I'd suggest to implement all git and ssh access related checks including tests for those before we tackle the UI and API exposure of GroupDeployKeys.
Checks that need to be implemented
GroupDeployKey check |
similar DeployKey check |
|---|---|
| expose a method to check if the GroupDeployKey has access to a project | DeployKey.has_access_to? |
| expose a method to check if the GroupDeployKey can push to a project | DeployKey.can_push_to? |
| its type can be checked to prevent API actions that deploy keys are not allowed to do, e.g. creation of PersonalAccessTokens |
https://gitlab.com/gitlab-org/gitlab/-/blob/master/lib/api/internal/base.rb#L225 and all other calls to .is_a?(DeployKey)
|
Proposal
Note: we will need to revisit how to implement the checks above after the GroupDeployKey re-modelling (#408933) is implemented.
Assigning severity4 here as the feature is not exposed to end-users yet.