IP allow-list bypass when using Deploy Keys/Tokens to access the Dependency Proxy
🛡 Context
This issue was discovered when investigating the blast radius of https://gitlab.com/gitlab-com/gl-infra/production/-/issues/7149.
All related issues are confidential so this one is confidential too.
🔥 Problem
Group access can be restricted by IP. See https://docs.gitlab.com/ee/user/group/#restrict-group-access-by-ip-address.
That restriction doesn't seem to be applied when a Deploy Token pulls images through the Dependency Proxy.
We had a similar issue with the Container Registry access. See https://gitlab.com/gitlab-org/gitlab/-/issues/363651.
👣 Steps to reproduce
- Have GDK ready with registry support and a premium tier license.
- Create a Group.
- Enforce IP `200.200.200.200` or any IP that your computer doesn't have.
- Create a Group deploy token.
- Set up the Dependency Proxy.
- Pull a dummy image (such as `alpine:latest`) through the Dependency Proxy:
  `$ docker pull <dependency_proxy_prefix>/alpine:latest`
- The pull operation is allowed and works. 💥
🚒 Solution
Apply a solution similar to https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/2470:
- The dependency proxy authentication service should check for the `read_dependency_proxy` permission on the group policy using the target group.
- The group policy should be updated with lines similar to these.
- Use that condition to allow `read_dependency_proxy`. Similar to these.
- Update the EE group policy to prevent `read_dependency_proxy` when the IP restriction is triggered.
Because this can break dependency proxy access, we need to be cautious about how we deploy this. This is the same situation as in https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/2470, thus we can use the same deployment approach.
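The reproduction above and the proposed fix, condensed into a self-contained Ruby model that is not GitLab's code: a hypothetical `GroupPolicy` withholds `read_dependency_proxy` when the group's IP restriction is triggered, and the authentication path is shown both before the fix (token only) and after it (token plus group policy). `Group`, `DeployToken`, the token `scopes` and the class names are assumptions for illustration only.

```ruby
require 'ipaddr'

# Constructed stand-ins for the group and the deploy token (not GitLab's models).
Group = Struct.new(:name, :allowed_ip_ranges, :dependency_proxy_enabled)
DeployToken = Struct.new(:group, :scopes, :revoked)

# Hypothetical group policy: abilities are evaluated against the target group
# and the IP the request came from.
class GroupPolicy
  def initialize(group, request_ip)
    @group = group
    @request_ip = IPAddr.new(request_ip)
  end

  # The restriction is triggered when the group defines allowed ranges and the
  # requesting address falls outside every one of them.
  def ip_restriction_triggered?
    ranges = Array(@group.allowed_ip_ranges)
    return false if ranges.empty?

    ranges.none? { |cidr| IPAddr.new(cidr).include?(@request_ip) }
  end

  def allowed?(ability)
    # EE rule modelled here: a triggered IP restriction denies the ability.
    return false if ip_restriction_triggered?

    case ability
    when :read_dependency_proxy then @group.dependency_proxy_enabled
    else false
    end
  end
end

module DependencyProxyAuth
  # Behaviour described in the issue: the token is validated, the group
  # policy is never consulted, so the IP allow-list is bypassed.
  def self.authorize_before_fix(token, group, _request_ip)
    !token.revoked && token.group == group && token.scopes.include?(:read_registry)
  end

  # Proposed fix: additionally require :read_dependency_proxy on the target group.
  def self.authorize_after_fix(token, group, request_ip)
    return false unless authorize_before_fix(token, group, request_ip)

    GroupPolicy.new(group, request_ip).allowed?(:read_dependency_proxy)
  end
end
```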