Beyond Identity: Add an option for admins to exclude groups and/or projects from the Beyond Identity check.
Summary
As part of [MVC] Beyond Identity integration (#431433 - closed), we added an option to validate GPG keys with Beyond Identity. When the Beyond Identity integration is enabled, any new key uploaded to a user’s profile is validated against Beyond Identity. Any key that does not pass validation is rejected and the user is required to upload a new key.
When users push commits to the GitLab instance where the Beyond Identity integration is enabled, a pre-receive check is performed that validates the signed commits against the GPG key stored in the user’s profile. Any commit that is signed with the validated key in the user’s profile will be accepted and pushed to the repository.
However, as part of [Post-MVC] Beyond Identity integration (&13257), there is a need for more granular options to allow skipping the Beyond Identity check in certain scenarios. Only an admin should be able to enable/disable options to skip the Beyond Identity check and this should be done from the Beyond Identity integration page.
On push, we will check whether the project is excluded from the Beyond Identity check (see the red component in the diagram). If the project is excluded, we will not check whether commits are signed.
Note: For projects excluded from the Beyond Identity integration, the push will be accepted and there is no guarantee that the signed commits will be shown as verified. The conditions can be found in the GitLab docs: https://docs.gitlab.com/ee/user/project/repository/signed_commits/
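The push-time decision described above, as an added Ruby sketch that is not GitLab's own code. The class, struct and field names are hypothetical, and two points are assumptions: a project counts as excluded when any group it belongs to is on the group list, and commits in non-excluded projects that are unsigned or signed with another key are rejected.

```ruby
require 'set'

# Hypothetical data model for this example; these are not GitLab's classes.
Project  = Struct.new(:id, :group_ids)        # group_ids: groups the project belongs to
Commit   = Struct.new(:sha, :signing_key_id)  # signing_key_id is nil when unsigned
Decision = Struct.new(:accepted, :reason, :rejected_shas)

class BeyondIdentityPushCheck
  def initialize(excluded_project_ids:, excluded_group_ids:)
    @excluded_project_ids = Set.new(excluded_project_ids)
    @excluded_group_ids   = Set.new(excluded_group_ids)
  end

  # Name the exclusion entry that applies, so a skipped check can be logged
  # with the admin setting that caused it. Returns nil when none applies.
  def exclusion_for(project)
    return "project:#{project.id}" if @excluded_project_ids.include?(project.id)
    group_id = project.group_ids.find { |id| @excluded_group_ids.include?(id) }
    group_id && "group:#{group_id}"
  end

  # validated_key_id: the key in the pusher's profile that passed validation
  # (nil if the user has none).
  def check(project, commits, validated_key_id)
    exclusion = exclusion_for(project)
    # Excluded: signatures are not inspected at all, signed or not.
    return Decision.new(true, "check skipped, excluded via #{exclusion}", []) if exclusion

    # Not excluded: every commit must be signed with the validated key.
    rejected = commits.reject { |c| validated_key_id && c.signing_key_id == validated_key_id }
    return Decision.new(true, "all commits signed with validated key", []) if rejected.empty?
    Decision.new(false, "unsigned or signed with another key", rejected.map(&:sha))
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data: project 42 and group 7 are on the exclusion lists.
  check = BeyondIdentityPushCheck.new(excluded_project_ids: [42], excluded_group_ids: [7])
  commits = [Commit.new("a1", "KEY1"), Commit.new("b2", nil)]
  [Project.new(1, [3]), Project.new(42, [3]), Project.new(5, [7])].each do |project|
    puts "project #{project.id}: #{check.check(project, commits, 'KEY1').to_a.inspect}"
  end
end
```

Returning the matching exclusion entry in the decision lets each skipped check be traced to the admin setting that allowed it.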
Configuration Options
- In the Beyond Identity Integration Page:
  - Add an option to exclude projects from the Beyond Identity check
    - The subtext should read: Projects included in this list will no longer require commits to be signed.
  - Add an option to exclude groups from the Beyond Identity check
    - The subtext should read: Groups included in this list will no longer require commits to be signed.