authorRonald Claveau <sousmangoosta@aliel.fr>2018-06-28 08:13:21 +0200
committerRonald Claveau <sousmangoosta@aliel.fr>2018-10-03 19:28:13 +0200
commit7d55c1353d6402f33a9fef734148fb776da076d3 (patch)
tree97042ecfabe94ffc49fc3f5b0e388b163bcf3adb
parent227cc997fb107672e3293c56e0dcb1df72ad82d5 (diff)
downloadgitlab-ce-7d55c1353d6402f33a9fef734148fb776da076d3.tar.gz
List public ssh keys by id or username without authentication
-rw-r--r--changelogs/unreleased/features-unauth-access-ssh-keys.yml5
-rw-r--r--doc/api/users.md2
-rw-r--r--lib/api/users.rb6
-rw-r--r--spec/requests/api/users_spec.rb38
4 files changed, 22 insertions, 29 deletions
diff --git a/changelogs/unreleased/features-unauth-access-ssh-keys.yml b/changelogs/unreleased/features-unauth-access-ssh-keys.yml
new file mode 100644
index 00000000000..bae2bcfaabd
--- /dev/null
+++ b/changelogs/unreleased/features-unauth-access-ssh-keys.yml
@@ -0,0 +1,5 @@
+---
+title: Enable unauthenticated access to public SSH keys via the API
+merge_request: 20118
+author: Ronald Claveau
+type: changed
diff --git a/doc/api/users.md b/doc/api/users.md
index 762ea53edee..433f5d30449 100644
--- a/doc/api/users.md
+++ b/doc/api/users.md
@@ -556,7 +556,7 @@ Parameters:
## List SSH keys for user
-Get a list of a specified user's SSH keys. Available only for admin
+Get a list of a specified user's SSH keys.
```
GET /users/:id/keys
diff --git a/lib/api/users.rb b/lib/api/users.rb
index ac09ca7f7b7..e96887948b1 100644
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@@ -254,7 +254,7 @@ module API
end
# rubocop: enable CodeReuse/ActiveRecord
- desc 'Get the SSH keys of a specified user. Available only for admins.' do
+ desc 'Get the SSH keys of a specified user.' do
success Entities::SSHKey
end
params do
@@ -263,10 +263,8 @@ module API
end
# rubocop: disable CodeReuse/ActiveRecord
get ':id/keys' do
- authenticated_as_admin!
-
user = User.find_by(id: params[:id])
- not_found!('User') unless user
+ not_found!('User') unless user && can?(current_user, :read_user, user)
present paginate(user.keys), with: Entities::SSHKey
end
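Review bot: With `authenticated_as_admin!` removed, the only gate on `get ':id/keys'` is `can?(current_user, :read_user, user)`, which anonymous callers presumably reach with a nil `current_user`, and nothing at the route says this is intentional. I would add a comment above the lookup such as `# Intentionally unauthenticated: access is decided solely by the :read_user policy; missing and unreadable users both return 404.` so that a later change to that policy is reviewed with this endpoint in mind. The response still serialises the full `Entities::SSHKey` (the spec asserts `title`), so it is worth confirming that every field of that entity is meant to be readable anonymously, since key titles are user-chosen labels; the entity definition is outside this diff. The commit title also mentions lookup by username, but the visible code resolves only `User.find_by(id: params[:id])`.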
diff --git a/spec/requests/api/users_spec.rb b/spec/requests/api/users_spec.rb
index b7d62df0663..09c1d016081 100644
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@@ -785,35 +785,25 @@ describe API::Users do
end
describe 'GET /user/:id/keys' do
- before do
- admin
- end
+ it 'returns 404 for non-existing user' do
+ user_id = not_existing_user_id
- context 'when unauthenticated' do
- it 'returns authentication error' do
- get api("/users/#{user.id}/keys")
- expect(response).to have_gitlab_http_status(401)
- end
- end
+ get api("/users/#{user_id}/keys")
- context 'when authenticated' do
- it 'returns 404 for non-existing user' do
- get api('/users/999999/keys', admin)
- expect(response).to have_gitlab_http_status(404)
- expect(json_response['message']).to eq('404 User Not Found')
- end
+ expect(response).to have_gitlab_http_status(404)
+ expect(json_response['message']).to eq('404 User Not Found')
+ end
- it 'returns array of ssh keys' do
- user.keys << key
- user.save
+ it 'returns array of ssh keys' do
+ user.keys << key
+ user.save
- get api("/users/#{user.id}/keys", admin)
+ get api("/users/#{user.id}/keys")
- expect(response).to have_gitlab_http_status(200)
- expect(response).to include_pagination_headers
- expect(json_response).to be_an Array
- expect(json_response.first['title']).to eq(key.title)
- end
+ expect(response).to have_gitlab_http_status(200)
+ expect(response).to include_pagination_headers
+ expect(json_response).to be_an Array
+ expect(json_response.first['title']).to eq(key.title)
end
end
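Review bot: The rewritten examples cover only the missing-user and success paths, so the new `can?(current_user, :read_user, user)` branch in `lib/api/users.rb` is never exercised with a denied caller, and the removed 401 example has no replacement. I would add an example in which `:read_user` is denied for the anonymous request and assert `have_gitlab_http_status(404)` with the same `'404 User Not Found'` message, which pins that an unreadable user is indistinguishable from a missing one. How to make the policy deny (for example through a visibility setting) depends on the user policy, which is not shown in this diff. The `describe 'GET /user/:id/keys'` label also differs from the `/users/:id/keys` path the examples request.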