Expose new properties on `/deploy_keys` API endpoint

app/models/deploy_key.rb

@@ -7,12 +7,16 @@ class DeployKey < Key
 
   has_many :deploy_keys_projects, inverse_of: :deploy_key, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent
   has_many :projects, through: :deploy_keys_projects
+
+  has_many :deploy_keys_projects_with_write_access, -> { with_write_access }, class_name: "DeployKeysProject"
+  has_many :projects_with_write_access, -> { includes(:route) }, class_name: 'Project', through: :deploy_keys_projects_with_write_access, source: :project
   has_many :protected_branch_push_access_levels, class_name: '::ProtectedBranch::PushAccessLevel'
 
   scope :in_projects, ->(projects) { joins(:deploy_keys_projects).where(deploy_keys_projects: { project_id: projects }) }
   scope :with_write_access, -> { joins(:deploy_keys_projects).merge(DeployKeysProject.with_write_access) }
   scope :are_public, -> { where(public: true) }
   scope :with_projects, -> { includes(deploy_keys_projects: { project: [:route, namespace: :route] }) }
+  scope :including_projects_with_write_access, -> { includes(:projects_with_write_access) }
 
   accepts_nested_attributes_for :deploy_keys_projects
 
@@ -52,10 +56,6 @@ class DeployKey < Key
     end
   end
 
-  def projects_with_write_access
-    Project.with_route.where(id: deploy_keys_projects.with_write_access.select(:project_id))
-  end
-
   def self.with_write_access_for_project(project, deploy_key: nil)
     query = in_projects(project).with_write_access
     query = query.where(id: deploy_key) if deploy_key

doc/api/deploy_keys.md

@@ -15,8 +15,16 @@ endpoint requires an administrator role and is not available on GitLab.com.
 GET /deploy_keys
 ```
 
+Supported attributes:
+
+| Attribute   | Type     | Required | Description           |
+|:------------|:---------|:---------|:----------------------|
+| `public` | boolean | **{dotted-circle}** No | Only return deploy keys that are public. Defaults to `false`. |
+
+Example request:
+
 ```shell
-curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/deploy_keys"
+curl --header "PRIVATE-TOKEN: <your_access_token>" "https://gitlab.example.com/api/v4/deploy_keys?public=true"
 ```
 
 Example response:
@@ -27,13 +35,36 @@ Example response:
     "id": 1,
     "title": "Public key",
     "key": "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAiPWx6WM4lhHNedGfBpPJNPpZ7yKu+dnn1SJejgt4596k6YjzGGphH2TUxwKzxcKDKKezwkpfnxPkSMkuEspGRt/aZZ9wa++Oi7Qkr8prgHc4soW6NUlfDzpvZK2H5E7eQaSeP3SAwGmQKUFHCddNaP0L+hM7zhFNzjFvpaMgJw0=",
-    "created_at": "2013-10-02T10:12:29Z"
+    "fingerprint": "7f:72:08:7d:0e:47:48:ec:37:79:b2:76:68:b5:87:65",
+    "created_at": "2013-10-02T10:12:29Z",
+    "projects_with_write_access": [
+      {
+        "id": 73,
+        "description": null,
+        "name": "project2",
+        "name_with_namespace": "Sidney Jones / project2",
+        "path": "project2",
+        "path_with_namespace": "sidney_jones/project2",
+        "created_at": "2021-10-25T18:33:17.550Z"
+      },
+      {
+        "id": 74,
+        "description": null,
+        "name": "project3",
+        "name_with_namespace": "Sidney Jones / project3",
+        "path": "project3",
+        "path_with_namespace": "sidney_jones/project3",
+        "created_at": "2021-10-25T18:33:17.666Z"
+      }
+    ]
   },
   {
     "id": 3,
     "title": "Another Public key",
     "key": "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAiPWx6WM4lhHNedGfBpPJNPpZ7yKu+dnn1SJejgt4596k6YjzGGphH2TUxwKzxcKDKKezwkpfnxPkSMkuEspGRt/aZZ9wa++Oi7Qkr8prgHc4soW6NUlfDzpvZK2H5E7eQaSeP3SAwGmQKUFHCddNaP0L+hM7zhFNzjFvpaMgJw0=",
-    "created_at": "2013-10-02T11:12:29Z"
+    "fingerprint": "64:d3:73:d4:83:70:ab:41:96:68:d5:3d:a5:b0:34:ea",
+    "created_at": "2013-10-02T11:12:29Z",
+    "projects_with_write_access": []
   }
 ]
 ```

lib/api/deploy_keys.rb

@@ -23,11 +23,14 @@ module API
     desc 'Return all deploy keys'
     params do
       use :pagination
+      optional :public, type: Boolean, default: false, desc: "Only return deploy keys that are public"
     end
     get "deploy_keys" do
       authenticated_as_admin!
 
-      present paginate(DeployKey.all), with: Entities::DeployKey
+      deploy_keys = params[:public] ? DeployKey.are_public : DeployKey.all
+
+      present paginate(deploy_keys.including_projects_with_write_access), with: Entities::DeployKey, include_projects_with_write_access: true
     end
 
     params do

lib/api/entities/deploy_key.rb

@@ -4,6 +4,9 @@ module API
   module Entities
     class DeployKey < Entities::SSHKey
       expose :key
+      expose :fingerprint
+
+      expose :projects_with_write_access, using: Entities::ProjectIdentity, if: -> (_, options) { options[:include_projects_with_write_access] }
     end
   end
 end

spec/fixtures/api/schemas/public_api/v4/deploy_key.json

+{
+  "type": "object",
+  "required": [
+    "id",
+    "title",
+    "created_at",
+    "expires_at",
+    "key",
+    "fingerprint",
+    "projects_with_write_access"
+  ],
+  "properties": {
+    "id": { "type": "integer" },
+    "title": { "type": "string" },
+    "created_at": { "type": "string", "format": "date-time" },
+    "expires_at": { "type": ["string", "null"], "format": "date-time" },
+    "key": { "type": "string" },
+    "fingerprint": { "type": "string" },
+    "projects_with_write_access": {
+      "type": "array",
+      "items": { "$ref": "project/identity.json" }
+    }
+  },
+  "additionalProperties": false
+}

spec/fixtures/api/schemas/public_api/v4/deploy_keys.json

+{
+  "type": "array",
+  "items": { "$ref": "deploy_key.json" }
+}

spec/models/deploy_key_spec.rb

@@ -5,6 +5,17 @@ require 'spec_helper'
 RSpec.describe DeployKey, :mailer do
   describe "Associations" do
     it { is_expected.to have_many(:deploy_keys_projects) }
+    it do
+      is_expected.to have_many(:deploy_keys_projects_with_write_access)
+        .conditions(can_push: true)
+        .class_name('DeployKeysProject')
+    end
+    it do
+      is_expected.to have_many(:projects_with_write_access)
+        .class_name('Project')
+        .through(:deploy_keys_projects_with_write_access)
+        .source(:project)
+    end
     it { is_expected.to have_many(:projects) }
     it { is_expected.to have_many(:protected_branch_push_access_levels) }
   end

spec/requests/api/deploy_keys_spec.rb

@@ -8,8 +8,9 @@ RSpec.describe API::DeployKeys do
   let_it_be(:admin)       { create(:admin) }
   let_it_be(:project)     { create(:project, creator_id: user.id) }
   let_it_be(:project2)    { create(:project, creator_id: user.id) }
-
-  let(:deploy_key) { create(:deploy_key, public: true) }
+  let_it_be(:project3)    { create(:project, creator_id: user.id) }
+  let_it_be(:deploy_key) { create(:deploy_key, public: true) }
+  let_it_be(:deploy_key_private) { create(:deploy_key, public: false) }
 
   let!(:deploy_keys_project) do
     create(:deploy_keys_project, project: project, deploy_key: deploy_key)
@@ -33,13 +34,56 @@ RSpec.describe API::DeployKeys do
     end
 
     context 'when authenticated as admin' do
+      let_it_be(:pat) { create(:personal_access_token, user: admin) }
+
+      def make_api_request(params = {})
+        get api('/deploy_keys', personal_access_token: pat), params: params
+      end
+
       it 'returns all deploy keys' do
-        get api('/deploy_keys', admin)
+        make_api_request
 
         expect(response).to have_gitlab_http_status(:ok)
         expect(response).to include_pagination_headers
+        expect(response).to match_response_schema('public_api/v4/deploy_keys')
         expect(json_response).to be_an Array
-        expect(json_response.first['id']).to eq(deploy_keys_project.deploy_key.id)
+
+        expect(json_response[0]['id']).to eq(deploy_key.id)
+        expect(json_response[1]['id']).to eq(deploy_key_private.id)
+      end
+
+      it 'avoids N+1 database queries', :use_sql_query_cache, :request_store do
+        create(:deploy_keys_project, :write_access, project: project2, deploy_key: deploy_key)
+
+        control = ActiveRecord::QueryRecorder.new(skip_cached: false) { make_api_request }
+
+        deploy_key2 = create(:deploy_key, public: true)
+        create(:deploy_keys_project, :write_access, project: project3, deploy_key: deploy_key2)
+
+        expect { make_api_request }.not_to exceed_all_query_limit(control)
+      end
+
+      context 'when `public` parameter is `true`' do
+        it 'only returns public deploy keys' do
+          make_api_request({ public: true })
+
+          expect(json_response.length).to eq(1)
+          expect(json_response.first['id']).to eq(deploy_key.id)
+        end
+      end
+
+      context 'projects_with_write_access' do
+        let!(:deploy_keys_project2) { create(:deploy_keys_project, :write_access, project: project2, deploy_key: deploy_key) }
+        let!(:deploy_keys_project3) { create(:deploy_keys_project, :write_access, project: project3, deploy_key: deploy_key) }
+
+        it 'returns projects with write access' do
+          make_api_request
+
+          response_projects_with_write_access = json_response.first['projects_with_write_access']
+
+          expect(response_projects_with_write_access[0]['id']).to eq(project2.id)
+          expect(response_projects_with_write_access[1]['id']).to eq(project3.id)
+        end
       end
     end
   end
@@ -58,6 +102,7 @@ RSpec.describe API::DeployKeys do
       expect(response).to include_pagination_headers
       expect(json_response).to be_an Array
       expect(json_response.first['title']).to eq(deploy_key.title)
+      expect(json_response.first).not_to have_key(:projects_with_write_access)
     end
 
     it 'returns multiple deploy keys without N + 1' do
@@ -77,6 +122,7 @@ RSpec.describe API::DeployKeys do
 
       expect(response).to have_gitlab_http_status(:ok)
       expect(json_response['title']).to eq(deploy_key.title)
+      expect(json_response).not_to have_key(:projects_with_write_access)
     end
 
     it 'returns 404 Not Found with invalid ID' do