
SSO status check for Git activity blocking (release-cli) API request in CI/CD


Summary

Similar to Group SAML - Scheduled Pipelines Cannot Find Va... (#339888 - closed): when the Enforce SSO-only authentication for Git and Dependency Proxy activity for this group option (see the end of this docs section) is enabled, what was described for git activity in that older issue seems to apply to API requests as well:

A user who is close to their 24-hour session expiry executes an action (say a git push) that runs a pipeline. This pipeline's git actions could run right after the 24-hour expiry, and hence the pipeline fails because there is no valid SSO session by then.

In 🎫 #582121 (internal) we have a user running into this problem when using the release-cli tool to publish releases. With Do not check SSO session for Git operations ori... (!76909 - merged) we already fixed this, but apparently only for actual git activity and not API requests. As per the SSO enforcement docs:

When the Enforce SSO-only authentication for Git and Dependency Proxy activity for this group option is enabled, any API endpoint that involves Git activity is under SSO enforcement. For example, creating or deleting a branch, commit, or tag.

Steps to reproduce

Due to the nature of SSO expiry making it rather tedious/complicated, we haven't actually reproduced this. But it seems fairly obvious from a code analysis that this is the same kind of issue as the older one. The steps would be:

  1. Wait until shortly before SSO session timeout
  2. Start CI job that uses release-cli
  3. Observe error response
  4. Refresh SSO session
  5. Restart CI job
  6. Observe job now running successfully

What is the current bug behavior?

Intermittent job failures where release-cli reports a "Cannot find valid SSO session. Please login via your group's SSO" error that can be resolved by retrying after an SSO refresh.

What is the expected correct behavior?

Because this is running in a CI job, the API requests authenticated by the CI_JOB_TOKEN should not be subject to the SSO timeout just like git activity.

Relevant logs and/or screenshots

Redacted snippet from a job log:

Executing "step_release" stage of the job script
00:02
$ release-cli create --description "# @namespace/project-123-456" --tag-name "@namespace/project-123-456" --ref "f8d85091d5820d03ff540025e1c6f7e918f8afd7"
time="2024-11-07T14:09:58Z" level=info msg="Creating Release..." catalog-publish=false cli=release-cli command=create name= project-id=48437406 ref=f8d85091d5820d03ff540025e1c6f7e918f8afd7 server-url="https://gitlab.com" tag-message= tag-name=@namespace/project-123-456 version=0.19.0
time="2024-11-07T14:09:58Z" level=fatal msg="run app" cli=release-cli error="failed to create release: API Error Response status_code: 500 message: Cannot find valid SSO session. Please login via your group's SSO at https://gitlab.com/groups/namespace/-/saml/sso?token=12345" version=0.19.0

Output of checks

This bug happens on GitLab.com

Possible fixes

It's a bit confusing to us why !76909 (merged) didn't already fix this, but maybe request_from_ci_build? really only allows git requests through from within CI, and not API requests?
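To make the reported gap concrete, here is an added illustration (not GitLab's code; `Request`, `sso_blocked_current?` and `sso_blocked_expected?` are hypothetical names) that models the SSO enforcement decision for a request authenticated by CI_JOB_TOKEN, with the currently reported behaviour beside the expected one:

```ruby
# Simplified model of the SSO enforcement decision discussed in this issue.
# Hypothetical illustration only, not GitLab's implementation.
require 'time'

SESSION_LIFETIME = 24 * 60 * 60 # seconds; the 24 hour session from the issue

# kind: :git (git push/fetch) or :api (e.g. the release-cli create call,
#       an API request that involves Git activity)
# auth: :job_token (CI_JOB_TOKEN) or :user (personal token / browser session)
Request = Struct.new(:kind, :auth, :sso_signed_in_at, :now, keyword_init: true)

def session_valid?(req)
  return false if req.sso_signed_in_at.nil?
  req.now - req.sso_signed_in_at < SESSION_LIFETIME
end

# Behaviour reported as buggy: only git requests from a CI build bypass
# the SSO session check, so an API request from the same job is still blocked.
def sso_blocked_current?(req)
  ci_exempt = req.auth == :job_token && req.kind == :git
  return false if ci_exempt
  !session_valid?(req)
end

# Expected behaviour: any request authenticated by the job token is exempt,
# whether it is a git operation or an API call that involves Git activity.
def sso_blocked_expected?(req)
  return false if req.auth == :job_token
  !session_valid?(req)
end

def demo
  # Constructed timestamps: session started just over 24 h before the
  # 2024-11-07T14:09:58Z log line, so it has expired by 58 seconds.
  signed_in = Time.parse('2024-11-06T14:09:00Z')
  now = Time.parse('2024-11-07T14:09:58Z')
  release = Request.new(kind: :api, auth: :job_token, sso_signed_in_at: signed_in, now: now)
  push    = Request.new(kind: :git, auth: :job_token, sso_signed_in_at: signed_in, now: now)
  {
    release_cli_current:  sso_blocked_current?(release),  # true: the 500 in the log
    git_current:          sso_blocked_current?(push),     # false: !76909 fixed git
    release_cli_expected: sso_blocked_expected?(release)  # false
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```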

Edited by 🤖 GitLab Bot 🤖