Fix deploy token authentication for Go module proxy

What does this MR do and why?

Fixes deploy token authentication for the Go module proxy (?go-get=1 endpoint). Deploy tokens with read_repository scope now correctly return the full project path for nested subgroups.

Problem

When using deploy tokens to authenticate Go module requests for projects in nested subgroups (e.g., group/subgroup/project), GitLab incorrectly returned the 2-segment fallback path (group/subgroup) instead of the full project path. This caused go mod download to fail with 404 errors.

Root cause: The can_read_project? method checked for :read_project ability, but deploy tokens with read_repository scope only receive :download_code ability (see lib/gitlab/auth.rb). This caused the authorization to fail even though the deploy token had legitimate access.

Solution

Uses GitLab's declarative policy framework to properly authorize deploy tokens:

  1. Enable :download_code in ProjectPolicy for deploy tokens with project access (via the existing download_code_deploy_token condition)
  2. Simplify the middleware to use can_perform_action_on_project?(:download_code, project) instead of custom deploy_token&.has_access_to? logic

The middleware's two-step authorization ensures only deploy tokens with the correct scope can access the endpoint:

  1. authentication_abilities_include?(:download_code) — checks the token has read_repository scope
  2. can_perform_action_on_project?(:download_code, project) — checks the policy allows access

This approach aligns with the direction of GitLab's authorization framework and avoids custom authorization mechanisms in the middleware.

How to test

  1. Create a project in a nested subgroup (e.g., group/subgroup/project)
  2. Create a deploy token with read_repository scope
  3. Configure .netrc with the deploy token credentials
  4. Run: curl -u <token_username>:<token> "https://gitlab.example.com/group/subgroup/project?go-get=1"
  5. Verify the response contains the full project path in the go-import meta tag

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist.

Closes #536177 (closed)

Edited by Kerri Miller

Merge request reports

Loading