Merge branch 'security-fix-private-instance-keys-endpoint-access' into 'master'

Require sign in for .keys endpoint on non-public instances

See merge request gitlab-org/security/gitlab!1653

app/controllers/users_controller.rb

@@ -20,7 +20,7 @@ class UsersController < ApplicationController
 
   skip_before_action :authenticate_user!
   prepend_before_action(only: [:show]) { authenticate_sessionless_user!(:rss) }
-  before_action :user, except: [:exists, :ssh_keys]
+  before_action :user, except: [:exists]
   before_action :authorize_read_user_profile!,
                 only: [:calendar, :calendar_activities, :groups, :projects, :contributed, :starred, :snippets, :followers, :following]
 
@@ -44,12 +44,7 @@ class UsersController < ApplicationController
 
   # Get all keys of a user(params[:username]) in a text format
   # Helpful for sysadmins to put in respective servers
-  #
-  # Uses `UserFinder` rather than `find_routable!` because this endpoint should
-  # be publicly available regardless of instance visibility settings.
   def ssh_keys
-    user = UserFinder.new(params[:username]).find_by_username
-
     render plain: user.all_ssh_keys.join("\n")
   end
 

spec/requests/users_controller_spec.rb

@@ -274,7 +274,11 @@ RSpec.describe UsersController do
             stub_application_setting(restricted_visibility_levels: [Gitlab::VisibilityLevel::PUBLIC])
           end
 
-          it_behaves_like 'renders all public keys'
+          it 'redirects to sign in' do
+            get "/#{user.username}.keys"
+
+            expect(response).to redirect_to(new_user_session_path)
+          end
         end
       end
     end