authorGitLab Bot <gitlab-bot@gitlab.com>2022-11-30 04:46:20 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-11-30 04:46:20 +0000
commitd7437af3f31f388bf59b23a06c9bff5c8c5fd157 (patch)
tree992bc5e9b85094644aebfd45a4c0955a27fcfba4 /lib
parentf981f6691d5395e04ee2858593135c448c10757d (diff)
Add latest changes from gitlab-org/security/gitlab@15-6-stable-ee
Diffstat (limited to 'lib')
-rw-r--r--lib/gitlab/api_authentication/token_resolver.rb2
-rw-r--r--lib/gitlab/auth/auth_finders.rb1
-rw-r--r--lib/gitlab/git_access.rb4
3 files changed, 5 insertions, 2 deletions
diff --git a/lib/gitlab/api_authentication/token_resolver.rb b/lib/gitlab/api_authentication/token_resolver.rb
index dd9039e37f6..afada055928 100644
--- a/lib/gitlab/api_authentication/token_resolver.rb
+++ b/lib/gitlab/api_authentication/token_resolver.rb
@@ -165,6 +165,8 @@ module Gitlab
end
def with_deploy_token(raw, &block)
+ raise ::Gitlab::Auth::UnauthorizedError if Gitlab::ExternalAuthorization.enabled?
+
token = ::DeployToken.active.find_by_token(raw.password)
return unless token
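Review bot: The guard added at the top of `with_deploy_token` raises `::Gitlab::Auth::UnauthorizedError`, while the matching guard in `deploy_token_from_request` (auth_finders.rb, same commit) returns nil, so the same condition is a hard failure on one path and a silent fall-through on the other. Because the raise happens before `find_by_token`, it also fires for credentials that are not deploy tokens at all; if this resolver is one of several tried in sequence (the caller is not visible here), that may reject requests another resolver would have accepted. Either outcome can be intended, but it should be stated: a comment such as `# deploy tokens are not tied to a user, so they are refused while external authorization is enabled` above the guard would record the reason. The constant is written `::Gitlab::Auth::…` on one side of the line and `Gitlab::ExternalAuthorization` on the other; using one form would be tidier. The method body continues outside the hunk.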
diff --git a/lib/gitlab/auth/auth_finders.rb b/lib/gitlab/auth/auth_finders.rb
index c994f179b66..16bee187c87 100644
--- a/lib/gitlab/auth/auth_finders.rb
+++ b/lib/gitlab/auth/auth_finders.rb
@@ -147,6 +147,7 @@ module Gitlab
# deploy tokens are accepted with deploy token headers and basic auth headers
def deploy_token_from_request
return unless route_authentication_setting[:deploy_token_allowed]
+ return if Gitlab::ExternalAuthorization.enabled?
token = current_request.env[DEPLOY_TOKEN_HEADER].presence || parsed_oauth_token
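Review bot: The comment above `deploy_token_from_request` still says deploy tokens are accepted with deploy token headers and basic auth headers, which no longer holds once the new guard returns early. I would extend it, for example `# deploy tokens are ignored when external authorization is enabled`, so the bare `return` reads as an access-control decision rather than a missing-input check. Returning nil here means the request carries on without a deploy token; what happens to it afterwards is decided outside the hunk, so a spec asserting the final response for this case would be worth having. The method continues past the end of the hunk.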
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index 9a3f5fb844b..da2a81983ec 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -367,7 +367,7 @@ module Gitlab
end
def deploy_key?
- actor.is_a?(DeployKey)
+ actor.is_a?(DeployKey) && !Gitlab::ExternalAuthorization.enabled?
end
def deploy_token
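Review bot: `deploy_key?` now answers "the actor is a DeployKey and external authorization is off", so with external authorization enabled a `DeployKey` actor makes the predicate false and every caller that branches on it takes the path meant for other actor types. Those callers are outside the hunk; it is worth confirming that each one ends in a denial rather than handling the key as a user or anonymous actor, and pinning that with a spec. The same applies to `deploy_token?` in the next hunk. Both predicates repeat the identical second operand, so a small private helper would keep them in step, and a comment such as `# deploy keys are not honoured while external authorization is enabled` would explain why a type check depends on a setting.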
@@ -375,7 +375,7 @@ module Gitlab
end
def deploy_token?
- actor.is_a?(DeployToken)
+ actor.is_a?(DeployToken) && !Gitlab::ExternalAuthorization.enabled?
end
def ci?