Diffstat (limited to 'doc/administration/troubleshooting/gitlab_rails_cheat_sheet.md')
-rw-r--r-- | doc/administration/troubleshooting/gitlab_rails_cheat_sheet.md | 38 |
1 files changed, 37 insertions, 1 deletions
diff --git a/doc/administration/troubleshooting/gitlab_rails_cheat_sheet.md b/doc/administration/troubleshooting/gitlab_rails_cheat_sheet.md index 6b1cf2d1194..588be73e786 100644 --- a/doc/administration/troubleshooting/gitlab_rails_cheat_sheet.md +++ b/doc/administration/troubleshooting/gitlab_rails_cheat_sheet.md @@ -305,6 +305,42 @@ p.statistics.refresh! pp p.statistics # compare with earlier values ``` +### Identify deploy keys associated with blocked and non-member users + +When the user who created a deploy key is blocked or removed from the project, the key +can no longer be used to push to protected branches in a private project (see [issue #329742](https://gitlab.com/gitlab-org/gitlab/-/issues/329742)). +The following script identifies unusable deploy keys: + +```ruby +ghost_user_id = User.ghost.id + +DeployKeysProject.with_write_access.find_each do |deploy_key_mapping| + project = deploy_key_mapping.project + deploy_key = deploy_key_mapping.deploy_key + user = deploy_key.user + + access_checker = Gitlab::DeployKeyAccess.new(deploy_key, container: project) + + # can_push_for_ref? tests if deploy_key can push to default branch, which is likely to be protected + can_push = access_checker.can_do_action?(:push_code) + can_push_to_default = access_checker.can_push_for_ref?(project.repository.root_ref) + + next if access_checker.allowed? && can_push && can_push_to_default + + if user.nil? || user.id == ghost_user_id + username = 'none' + state = '-' + else + username = user.username + user_state = user.state + end + + puts "Deploy key: #{deploy_key.id}, Project: #{project.full_path}, Can push?: " + (can_push ? 'YES' : 'NO') + + ", Can push to default branch #{project.repository.root_ref}?: " + (can_push_to_default ? 'YES' : 'NO') + + ", User: #{username}, User state: #{user_state}" +end +``` + ## Wikis ### Recreate 
@@ -537,7 +573,7 @@ inactive_users.each do |user| end ``` -### Find Max permissions for project/group +### Find a user's max permissions for project/group ```ruby user = User.find_by_username 'username' |
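Review bot: In the deploy-key script added by the first hunk (@@ -305,6 +305,42 @@), the `if user.nil? || user.id == ghost_user_id` branch assigns `state = '-'`, but the final `puts` interpolates `user_state`. For keys whose creator is missing or is the ghost user, `user_state` is therefore nil and the line prints an empty "User state:", while `state` is never read. Change the assignment to `user_state = '-'` so both branches set the variable that is printed. Those keys are exactly the ones this section is meant to surface, so the placeholder should be visible in the output.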