Web IDE Endpoints do not Redirect to SSO Provider when missing valid session

MR: Web IDE: handle SSO redirect during authorization (!175618 - merged)

Summary

The Web IDE endpoints are protected by SAML, but when the user is logged in (yet not authenticated via SAML) they return a 404 rather than redirecting the user to the SSO provider (Okta in my case).

Steps to reproduce

  • I visited the Web IDE first thing in the morning for an SSO-protected project <-- received a 404
  • I went to gitlab.com and verified I was logged in
  • I then went to the namespace / project within the main UI and was redirected to our SSO Provider (Okta in this case).
  • I then refreshed the first page (the Web IDE) and it successfully opened up the Web IDE.

Example Project

What is the current bug behavior?

Customer receives a 404 error message when visiting the Web IDE while not authenticated via SAML SSO.

What is the expected correct behavior?

If the user is logged in, but not authenticated via SAML SSO, the user should be redirected to their SSO Provider.


Possible fixes

  • Currently, the IDE controller does not handle SSO enforcement during its authorization check, so a user whose SSO session has lapsed gets the generic 404 instead of a redirect.
  • We can use the find_routables! method from RoutableActions to check whether the user has access to read the project; that path already handles the SSO redirection when needed.
  • The complexity of this work is in reproducing the bug in the GDK. We can instead rely on unit tests for this, example here.

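To make the two behaviours concrete, here is an added, self-contained Ruby sketch (not GitLab's code, and not the merged MR) of the authorization step. The buggy variant turns every failed read check into a 404; the corrected variant first asks whether the only thing missing is an active SSO session for the project's group, and redirects in that case. `Project`, `Session`, the `readers` list and the `SSO_LOGIN_PATH` template are all constructed for the illustration; the redirect path is a placeholder, not GitLab's real SSO route. Unauthenticated users are assumed to keep receiving a 404 here, since the issue only describes the logged-in case.

```ruby
# Added illustration (hypothetical, not GitLab's code): distinguishing
# "SSO session missing" from "no access" during an IDE authorization check.

# Constructed stand-ins for the real models.
Project = Struct.new(:full_path, :sso_enforced_group, :readers, keyword_init: true)
Session = Struct.new(:user, :active_sso_groups, keyword_init: true)

# Placeholder SSO login route (assumption; not GitLab's actual path).
SSO_LOGIN_PATH = "/sso/%<group>s/login?return_to=/-/ide/project/%<project>s"

# True only when the user is logged in, is a reader of the project, and
# holds an active SSO session for the enforcing group (if any).
def can_read?(session, project)
  return false if session.user.nil?
  return false unless project.readers.include?(session.user)
  return false if sso_session_missing?(session, project)

  true
end

# The narrow condition the fix cares about: the user is otherwise entitled
# to read the project, but the SAML group session has not been established.
def sso_session_missing?(session, project)
  return false if project.sso_enforced_group.nil?

  !session.active_sso_groups.include?(project.sso_enforced_group)
end

# Buggy behaviour described in the issue: any failed read check => 404.
def authorize_ide_current(session, project)
  return [:not_found] unless can_read?(session, project)

  [:ok]
end

# Corrected behaviour: check for the SSO-only failure before falling back to 404.
def authorize_ide_fixed(session, project)
  return [:ok] if can_read?(session, project)

  if session.user && project.readers.include?(session.user) && sso_session_missing?(session, project)
    target = format(SSO_LOGIN_PATH, group: project.sso_enforced_group, project: project.full_path)
    return [:redirect, target]
  end

  [:not_found]
end

if __FILE__ == $PROGRAM_NAME
  proj = Project.new(full_path: "acme/web", sso_enforced_group: "acme", readers: ["dev"])
  lapsed = Session.new(user: "dev", active_sso_groups: [])
  puts "current: #{authorize_ide_current(lapsed, proj).inspect}"
  puts "fixed:   #{authorize_ide_fixed(lapsed, proj).inspect}"
end
```

Run it directly and the "current" line prints `[:not_found]` for a logged-in reader with no SSO session, while the "fixed" line prints a `:redirect` to the placeholder SSO path; an outsider or an anonymous visitor still gets `[:not_found]` from both variants, which is the property a unit test for the fix would pin down.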
Edited Dec 12, 2024 by Cindy Halim