Skip to content

feat: support omniauth for admin mode

What does this MR do?

Building on top of !16981 (merged), enable re-authentication for OmniAuth providers (see screenshots below).

To be able to support the OmniAuth flow:

  • Adds a new admin mode requested session field that is used to divide the flow in a first request admin mode step, and then the actual enable admin mode step
  • Allow non-web authentication flows to ignore the first step by providing a flag skip_request: to CurrentUserMode#enable_admin_mode! (default false)
  • Move current_user_mode helper in controllers to its own concern for code reuse
  • Add a new User#matches_identity? method to make sure that the user making the second OmniAuth authentication for admin mode is the same user that requested it originally

Protecting the admin session endpoints by adding them to the default ruleset of rack-attack is tracked independently in #36872 (closed)

  • Check approach with Gitlab's chaps
  • Improve UI
    • hide password-form when user has no password in Gitlab, only external
    • add notification message when grace period for admin mode enable expires
  • Add specs for omniauth_callbacks_controller_spec.rb
  • Hide everything behind feature flag
  • Review new code paths and add extra specs
  • Ensure that it works in other auth cases (ldap? oauth?)

Related #31326 (closed)

Security review #34190 (closed)

The development of this MR is sponsored by Siemens (/cc @bufferoverflow)

Screenshots

image image image image

Does this MR meet the acceptance criteria?

Conformity

Performance and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by 🤖 GitLab Bot 🤖

Merge request reports

Loading