1 files changed, 15 insertions, 0 deletions

diff --git a/app/models/deploy_token.rb b/app/models/deploy_token.rb
index 5fa9f2ef9f9..326d3fb8470 100644
--- a/app/models/deploy_token.rb
+++ b/app/models/deploy_token.rb
@@ -10,6 +10,7 @@ class DeployToken < ApplicationRecord
   AVAILABLE_SCOPES = %i(read_repository read_registry write_registry
                         read_package_registry write_package_registry).freeze
   GITLAB_DEPLOY_TOKEN_NAME = 'gitlab-deploy-token'
+  REQUIRED_DEPENDENCY_PROXY_SCOPES = %i[read_registry write_registry].freeze
 
   default_value_for(:expires_at) { Forever.date }
 
@@ -46,6 +47,12 @@ class DeployToken < ApplicationRecord
     active.find_by(name: GITLAB_DEPLOY_TOKEN_NAME)
   end
 
+  def valid_for_dependency_proxy?
+    group_type? &&
+      active? &&
+      REQUIRED_DEPENDENCY_PROXY_SCOPES.all? { |scope| scope.in?(scopes) }
+  end
+
   def revoke!
     update!(revoked: true)
   end
@@ -73,6 +80,14 @@ class DeployToken < ApplicationRecord
     holder.has_access_to?(requested_project)
   end
 
+  def has_access_to_group?(requested_group)
+    return false unless active?
+    return false unless group_type?
+    return false unless holder
+
+    holder.has_access_to_group?(requested_group)
+  end
+
   # This is temporal. Currently we limit DeployToken
   # to a single project or group, later we're going to
   # extend that to be for multiple projects and namespaces.