From 5e35f21605a15414258c5a857f75679f9df2c102 Mon Sep 17 00:00:00 2001
From: Jakub Zienkiewicz
Date: Mon, 29 Jul 2013 14:25:33 +0200
Subject: [PATCH 1/2] allow all git-upload-* commands for deploy keys
---
 lib/api/internal.rb | 2 +-
 spec/requests/api/internal_spec.rb | 36 ++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 1 deletion(-)
diff --git a/lib/api/internal.rb b/lib/api/internal.rb
index a602dc05418..bd28bef2ab2 100644
--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
@@ -26,7 +26,7 @@ module API
 if key.is_a? DeployKey
- key.projects.include?(project) && git_cmd == 'git-upload-pack'
+ key.projects.include?(project) && git_cmd.starts_with?('git-upload-')
 else
 user = key.user
diff --git a/spec/requests/api/internal_spec.rb b/spec/requests/api/internal_spec.rb
index 5a43953d15c..028617aa08e 100644
--- a/spec/requests/api/internal_spec.rb
+++ b/spec/requests/api/internal_spec.rb
@@ -100,6 +100,32 @@ describe API::API do
 end
 end
 end
+
+ context "deploy key" do
+ let(:key) { create(:deploy_key) }
+
+ context "added to project" do
+ before do
+ key.projects << project
+ end
+
+ it do
+ archive(key, project)
+
+ response.status.should == 200
+ response.body.should == 'true'
+ end
+ end
+
+ context "not added to project" do
+ it do
+ archive(key, project)
+
+ response.status.should == 200
+ response.body.should == 'false'
+ end
+ end
+ end
 end
 def pull(key, project)
@@ -121,4 +147,14 @@ describe API::API do
 action: 'git-receive-pack'
 )
 end
+
+ def archive(key, project)
+ get(
+ api("/internal/allowed"),
+ ref: 'master',
+ key_id: key.id,
+ project: project.path_with_namespace,
+ action: 'git-upload-archive'
+ )
+ end
 end
From e03d01d036bf5f5257d767a1b6ab23f06787a421 Mon Sep 17 00:00:00 2001
From: Jakub Zienkiewicz
Date: Mon, 29 Jul 2013 16:05:08 +0200
Subject: [PATCH 2/2] extract server-side git commands to constants
---
 lib/api/internal.rb | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
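Review bot: The deploy-key condition in the lib/api/internal.rb hunk of patch 1/2, `git_cmd.starts_with?('git-upload-')`, authorizes by prefix, so any action string that begins with `git-upload-` is accepted for a key attached to the project, not only the two upload commands this series names. An exact-match allowlist keeps the deploy-key path read-only by construction; patch 2/2 moves to `DOWNLOAD_COMMANDS.include?(git_cmd)`, so the two commits are better squashed, or at least never cherry-picked apart. The prefix form would also raise rather than deny if `git_cmd` were nil; where `git_cmd` is assigned is outside the hunk, so that part is unconfirmed.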
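Review bot: The new `context "deploy key"` block in spec/requests/api/internal_spec.rb never asserts a denial for a key that is attached to the project. It checks `git-upload-archive` with and without membership, but not that the same attached key gets `'false'` for `git-receive-pack`, which is the property that keeps deploy keys read-only. Add an example under "added to project" that sends `action: 'git-receive-pack'` (the helper whose tail is visible as context in the next hunk) and expects `response.body.should == 'false'`, and one that sends an unlisted action such as `'git-upload-unknown'` (constructed value) with the same expectation. The `it do` examples also carry no description; something like `it "allows git-upload-archive" do` would make failures readable.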
diff --git a/lib/api/internal.rb b/lib/api/internal.rb
index bd28bef2ab2..79f8eb3a543 100644
--- a/lib/api/internal.rb
+++ b/lib/api/internal.rb
@@ -1,6 +1,10 @@
 module API
 # Internal access API
 class Internal < Grape::API
+
+ DOWNLOAD_COMMANDS = %w{ git-upload-pack git-upload-archive }
+ PUSH_COMMANDS = %w{ git-receive-pack }
+
 namespace 'internal' do
 #
 # Check if ssh key has access to project code
@@ -26,16 +30,16 @@ module API
 if key.is_a? DeployKey
- key.projects.include?(project) && git_cmd.starts_with?('git-upload-')
+ key.projects.include?(project) && DOWNLOAD_COMMANDS.include?(git_cmd)
 else
 user = key.user
 return false if user.blocked?
 action = case git_cmd
- when 'git-upload-pack', 'git-upload-archive'
+ when *DOWNLOAD_COMMANDS
 then :download_code
- when 'git-receive-pack'
+ when *PUSH_COMMANDS
 then if project.protected_branch?(params[:ref])
 :push_code_to_protected_branches
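Review bot: `DOWNLOAD_COMMANDS` and `PUSH_COMMANDS` in the first hunk are the allowlists behind the access decision, yet they are left as mutable arrays, so any code loaded into the process can append to them and widen what a deploy key is allowed to run. Freeze both: `DOWNLOAD_COMMANDS = %w{ git-upload-pack git-upload-archive }.freeze` and `PUSH_COMMANDS = %w{ git-receive-pack }.freeze`. A short comment above them, e.g. `# Deploy keys are limited to DOWNLOAD_COMMANDS (read-only access).`, would record why the split exists.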
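Review bot: The `case git_cmd` in the user branch of the second hunk shows no fallback for an action that is in neither list, so `action` would be nil on that path. The end of the `case` and the permission check that consumes `action` are outside the hunk, so confirm that a nil action is denied there rather than passed through. An explicit guard before the `if key.is_a? DeployKey` line makes both branches fail closed regardless: `return false unless (DOWNLOAD_COMMANDS + PUSH_COMMANDS).include?(git_cmd)`. As a style point, the `then` placed after each `when *…` line is redundant once the branch body is on its own line and can be dropped.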