1 files changed, 26 insertions, 2 deletions

diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb
index 54a853c9ce3..3164d2ebf04 100644
--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -133,6 +133,25 @@ describe Gitlab::Auth do
 
         gl_auth.find_for_git_client(user.username, token, project: nil, ip: 'ip')
       end
+
+      it 'grants deploy key write permissions' do
+        project = create(:project)
+        key = create(:deploy_key, can_push: true)
+        create(:deploy_keys_project, deploy_key: key, project: project)
+        token = Gitlab::LfsToken.new(key).token
+
+        expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: "lfs+deploy-key-#{key.id}")
+        expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: project, ip: 'ip')).to eq(Gitlab::Auth::Result.new(key, nil, :lfs_deploy_token, read_write_authentication_abilities))
+      end
+
+      it 'does not grant deploy key write permissions' do
+        project = create(:project)
+        key = create(:deploy_key, can_push: true)
+        token = Gitlab::LfsToken.new(key).token
+
+        expect(gl_auth).to receive(:rate_limit!).with('ip', success: true, login: "lfs+deploy-key-#{key.id}")
+        expect(gl_auth.find_for_git_client("lfs+deploy-key-#{key.id}", token, project: project, ip: 'ip')).to eq(Gitlab::Auth::Result.new(key, nil, :lfs_deploy_token, read_authentication_abilities))
+      end
     end
 
     context 'while using OAuth tokens as passwords' do
@@ -326,10 +345,15 @@ describe Gitlab::Auth do
     ]
   end
 
-  def full_authentication_abilities
+  def read_write_authentication_abilities
     read_authentication_abilities + [
       :push_code,
-      :create_container_image,
+      :create_container_image
+    ]
+  end
+
+  def full_authentication_abilities
+    read_write_authentication_abilities + [
       :admin_container_image
     ]
   end