Fix deploy token authentication for Go module proxy
What does this MR do and why?
Fixes deploy token authentication for the Go module proxy (?go-get=1 endpoint). Deploy tokens with read_repository scope now correctly return the full project path for nested subgroups.
Problem
When using deploy tokens to authenticate Go module requests for projects in nested subgroups (e.g., group/subgroup/project), GitLab incorrectly returned the 2-segment fallback path (group/subgroup) instead of the full project path. This caused go mod download to fail with 404 errors.
Root cause: The can_read_project? method checked for :read_project ability, but deploy tokens with read_repository scope only receive :download_code ability (see lib/gitlab/auth.rb). This caused the authorization to fail even though the deploy token had legitimate access.
Solution
Uses GitLab's declarative policy framework to properly authorize deploy tokens:
- Enable
:download_codeinProjectPolicyfor deploy tokens with project access (via the existingdownload_code_deploy_tokencondition) - Simplify the middleware to use
can_perform_action_on_project?(:download_code, project)instead of customdeploy_token&.has_access_to?logic
The middleware's two-step authorization ensures only deploy tokens with the correct scope can access the endpoint:
authentication_abilities_include?(:download_code)— checks the token hasread_repositoryscopecan_perform_action_on_project?(:download_code, project)— checks the policy allows access
This approach aligns with the direction of GitLab's authorization framework and avoids custom authorization mechanisms in the middleware.
How to test
- Create a project in a nested subgroup (e.g.,
group/subgroup/project) - Create a deploy token with
read_repositoryscope - Configure
.netrcwith the deploy token credentials - Run:
curl -u <token_username>:<token> "https://gitlab.example.com/group/subgroup/project?go-get=1" - Verify the response contains the full project path in the
go-importmeta tag
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist.
Related issues
Closes #536177 (closed)