Implement 'read_repo' for DeployTokens

This will allow to download a repo using the token from the DeployToken

1 files changed, 27 insertions, 0 deletions

diff --git a/spec/lib/gitlab/git_access_spec.rb b/spec/lib/gitlab/git_access_spec.rb
index c870997e274..928825c21fa 100644
--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
@@ -145,6 +145,33 @@ describe Gitlab::GitAccess do
             expect { push_access_check }.to raise_unauthorized(described_class::ERROR_MESSAGES[:auth_upload])
           end
         end
+
+        context 'when actor is DeployToken' do
+          context 'when DeployToken is active and belongs to project' do
+            let(:actor) { create(:deploy_token, :read_repo, project: project) }
+
+            it 'allows pull access' do
+              expect { pull_access_check }.not_to raise_error
+            end
+          end
+
+          context 'when DeployToken has been revoked' do
+            let(:actor) { create(:deploy_token, :read_repo, project: project) }
+
+            it 'blocks pull access' do
+              actor.revoke!
+              expect { pull_access_check }.to raise_not_found
+            end
+          end
+
+          context 'when DeployToken does not belong to project' do
+            let(:actor) { create(:deploy_token, :read_repo) }
+
+            it 'blocks pull access' do
+              expect { pull_access_check }.to raise_not_found
+            end
+          end
+        end
       end
 
       context 'when actor is nil' do