Merge branch 'security-prevent-deploy-key-pushing-to-archived-project-17-2' into '17-2-stable-ee'

Prevent deploy keys from pushing code to an archived project See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4488 Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> Approved-by: Ethan Urie <eurie@gitlab.com> Co-authored-by: Tiger <twatson@gitlab.com>

Merge branch 'security-prevent-deploy-key-pushing-to-archived-project-17-2' into '17-2-stable-ee'
a780b2f3 · GitLab Release Tools Bot · d2c23cb7 · 0a5dc2f0 · a780b2f3 · a780b2f3
Commit a780b2f3 authored 4 months ago by GitLab Release Tools Bot
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -27,6 +27,7 @@ class GitAccess
      upload_pack_disabled_over_http: 'Pulling over HTTP is not allowed.',
      receive_pack_disabled_over_http: 'Pushing over HTTP is not allowed.',
      read_only: 'The repository is temporarily read-only. Please try again later.',
+      archived: "You can't push code to an archived project.",
      cannot_push_to_read_only: "You can't push code to a read-only GitLab instance.",
      push_code: 'You are not allowed to push code to this project.'
    }.freeze
@@ -324,6 +325,10 @@ def check_push_access!
        raise ForbiddenError, error_message(:read_only)
      end
  
+      if project&.archived?
+        raise ForbiddenError, error_message(:archived)
+      end
+
      if deploy_key?
        unless deploy_key.can_push_to?(project)
          raise ForbiddenError, error_message(:deploy_key_upload)

--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
@@ -1127,6 +1127,16 @@ def self.run_permission_checks(permissions_matrix)
    end
  end
  
+  context 'when the project is archived' do
+    let(:project) { create(:project, :repository, :archived) }
+
+    it 'denies push access' do
+      project.add_maintainer(user)
+
+      expect { push_access_check }.to raise_forbidden(described_class::ERROR_MESSAGES[:archived])
+    end
+  end
+
  describe 'deploy key permissions' do
    let(:key) { create(:deploy_key, user: user) }
    let(:actor) { key }
@@ -1138,6 +1148,14 @@ def self.run_permission_checks(permissions_matrix)
        end
  
        it { expect { push_access_check }.not_to raise_error }
+
+        context 'when project is archived' do
+          before do
+            project.update!(archived: true)
+          end
+
+          it { expect { push_access_check }.to raise_forbidden(described_class::ERROR_MESSAGES[:archived]) }
+        end
      end
  
      context 'when unauthorized' do