SSO enforcement: Sessionless activity does not need to be allowed for Owner without session
What does this MR do and why?
Fixes https://gitlab.com/gitlab-org/gitlab/-/issues/441754
Currently, when "Enforce SSO-only authentication for Git and Dependency Proxy activity for this group" is enabled, this is not applied to group owners. As a hardening exercise, we would like to correct this so that even group owners must have an active SSO session when running Git and Dependency Proxy operations.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
Before | After |
---|---|
How to set up and validate locally
- Ensure Group SAML is set up locally
- Create a top-level group `test-group`
- Enable SAML SSO for `test-group`; set default role to `Maintainer` (or anything except `Owner`)
- Enable "Enforce SSO-only authentication for Git and Dependency Proxy activity" for `test-group`
- Create a sub-group: `test-group` ➡ `test-subgroup`
- Create a project in `test-subgroup` and ensure it is initialized with a README: `test-group` ➡ `test-subgroup` ➡ `test-subgroup-project`
- Use SSO to sign in as `user1`
- Add an SSH key for `user1`. You may need to create a second SSH key if you use your primary SSH key for `root`: `ssh-keygen -t ed25519 -C "secondary@example.com" -f /Users/myusername/.ssh/secondary_ed25519`
- Clone the project using the new SSH key: `GIT_SSH_COMMAND='ssh -i /Users/myusername/.ssh/secondary_ed25519 -o IdentitiesOnly=yes' git clone ssh://git@gdk.test:2222/test-group/test-subgroup/test-subgroup-project.git`
- Sign out as `user1` in your web browser to ensure the SSO session is cleared
- Sign back in as `root`
- Navigate to `test-subgroup` ➡ Members
- Invite `user1` as a direct member with the `Owner` role
- In the project git repo, update README.md with some text: `echo "\nDo capybaras make good pets?\n" >> README.md`
- Commit the update: `git add README.md && git commit -m 'asking important questions'`
- Push the update: `GIT_SSH_COMMAND='ssh -i /Users/myusername/.ssh/secondary_ed25519 -o IdentitiesOnly=yes' git push`
- You should receive the error: `ERROR: Cannot find valid SSO session.`
- If you like, switch GitLab to the `master` branch; you should be able to push the commit without any errors
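The Git half of the validation steps above, scripted as an added example (this is not part of the MR and not GitLab's own code): it clones with the dedicated key, adds the README line, commits, pushes, and classifies the push outcome against what the steps say to expect. Assumptions not stated on the page: the GDK URL and key path from the steps are defaults overridable through `GDK_SSH_URL` and `SSO_KEY`; `EXPECT=rejected` validates the MR branch (Owner without an SSO session is refused) and `EXPECT=accepted` validates `master`; the network-touching part only runs when `RUN_SSO_VALIDATION=1` is set, so the helper functions can be sourced and checked offline. The rejection check matches only the `Cannot find valid SSO session` text quoted in the steps.

```shell
#!/bin/sh
# Added example (not from the MR): scripted version of the Git validation steps.
# Assumed defaults (override via the environment): GDK at ssh://git@gdk.test:2222,
# the group/project paths from the steps, and the dedicated key path.
# EXPECT selects the outcome being validated: "rejected" on the MR branch
# (even an Owner is refused without an SSO session), "accepted" on master.
set -u

GDK_SSH_URL="${GDK_SSH_URL:-ssh://git@gdk.test:2222/test-group/test-subgroup/test-subgroup-project.git}"
SSO_KEY="${SSO_KEY:-$HOME/.ssh/secondary_ed25519}"
EXPECT="${EXPECT:-rejected}"
SSO_ERROR='Cannot find valid SSO session'

# Classify a push attempt from its combined stdout/stderr and its exit status.
# Prints one of: rejected_by_sso, accepted, other_failure. Always returns 0 so
# it is safe inside command substitution under `set -e`.
classify_push_output() {
  output="$1"
  status="$2"
  if printf '%s\n' "$output" | grep -q "$SSO_ERROR"; then
    echo rejected_by_sso
  elif [ "$status" -eq 0 ]; then
    echo accepted
  else
    echo other_failure
  fi
}

# Map the outcome named in EXPECT to the verdict classify_push_output prints.
expected_verdict() {
  case "$1" in
    rejected) echo rejected_by_sso ;;
    accepted) echo accepted ;;
    *) echo other_failure ;;
  esac
}

# Clone with the dedicated key, append the README line, commit, push, and
# compare the result with EXPECT. Run after user1 has been invited to
# test-subgroup as a direct Owner and has signed out of the browser session.
run_validation() {
  workdir="$(mktemp -d)" || return 1
  # IdentitiesOnly stops ssh from offering root's primary key first.
  export GIT_SSH_COMMAND="ssh -i $SSO_KEY -o IdentitiesOnly=yes"

  git clone -q "$GDK_SSH_URL" "$workdir/repo" || { echo "clone failed"; return 1; }
  cd "$workdir/repo" || return 1

  printf '\nDo capybaras make good pets?\n' >> README.md
  git add README.md
  git commit -q -m 'asking important questions'

  # Capture output and status separately: a refused push exits non-zero and
  # the server-side message comes back on stderr.
  push_output="$(git push 2>&1)"
  push_status=$?
  verdict="$(classify_push_output "$push_output" "$push_status")"

  if [ "$verdict" = "$(expected_verdict "$EXPECT")" ]; then
    echo "OK: push was $verdict (expected: $EXPECT)"
    return 0
  fi
  echo "FAIL: push was $verdict, expected: $EXPECT"
  printf '%s\n' "$push_output"
  return 1
}

# Only touch the network when explicitly asked, e.g.
#   RUN_SSO_VALIDATION=1 EXPECT=rejected sh validate_sso_push.sh
if [ "${RUN_SSO_VALIDATION:-0}" = 1 ]; then
  run_validation
fi
```

Run it once on the MR branch with `EXPECT=rejected` and once on `master` with `EXPECT=accepted`; a `FAIL` on the MR branch means the Owner exemption is still in place, and a `FAIL` on `master` means the environment (SSO session, key, membership) is not what the steps assume.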
Edited by Bogdan Denkovych