Respect Group SSO Enforcement on projects where the user is an owner
What
Prevents group owners from accessing a group's projects when SSO enforcement is enabled but they haven't signed in with SSO.
Fixes an existing flawed test that was passing only because it was structured around projects in a personal namespace rather than group owners.
Why
SSO Enforcement is meant to restrict access for users who haven't signed in through that group's SAML identity provider. This wasn't the case for owners, since the owner access check calls `group.has_owner?(@user)` rather than the methods where we included the enforcement check.
This flaw doesn't occur for groups, because we had an additional check preventing access there, but the approach we took there would have blocked public access and admin access, causing tests to fail if applied to projects.
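The flawed and corrected access checks side by side, as an added illustration that is not GitLab's code: the `User`, `Group`, `Project` structs and the two `*_project_access?` methods are hypothetical stand-ins for the real policy classes.

```ruby
# Hypothetical models (not GitLab's): owners/developers hold user names,
# sso_sessions holds the names of groups the user signed in to via SAML.
User    = Struct.new(:name, :admin, :sso_sessions, keyword_init: true)
Group   = Struct.new(:name, :owners, :developers, :sso_enforced, keyword_init: true) do
  def has_owner?(user)
    owners.include?(user.name)
  end

  def member?(user)
    has_owner?(user) || developers.include?(user.name)
  end
end
Project = Struct.new(:group, :public_project, keyword_init: true)

# Enforcement is satisfied when the group does not enforce SSO, or the user
# has an active SSO session for that group.
def sso_satisfied?(group, user)
  !group.sso_enforced || user.sso_sessions.include?(group.name)
end

# Flawed: the owner branch consults has_owner? directly, so an owner who never
# signed in through the group's identity provider still gets in.
def flawed_project_access?(project, user)
  return true if user.admin
  group = project.group
  return true if group.has_owner?(user)   # enforcement never consulted here
  return true if project.public_project
  group.member?(user) && sso_satisfied?(group, user)
end

# Fixed: owners are treated as members for the SSO check, while the admin and
# public-project paths are left untouched so those tests keep passing.
def fixed_project_access?(project, user)
  return true if user.admin
  return true if project.public_project
  group = project.group
  group.member?(user) && sso_satisfied?(group, user)
end
```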
Closes #33302
Acceptance criteria
- Changelog entry
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- Security reports checked/validated by a reviewer from the AppSec team