Bypass 2FA setting not allowing dependency proxy pulls from users without 2FA in GitLab
Summary
We have received a ticket from a customer about 2FA validations when trying to pull images from the dependency proxy.
The customer has 2FA enforced on the instance, but also uses SAML SSO with the option to Bypass two-factor authentication. This is working fine instance wide, meaning that users who have signed in to the IDP and provided 2FA on the IDP are not required to also go through 2FA in GitLab.
However, for the dependency proxy the behavior is not the same. When pulling images from the dependency proxy, GitLab is trying to check if the user has 2FA configured at the GitLab instance level, even though the customer is using Bypass two-factor authentication feature. In summary:
Case 1
- 2FA enforced instance wide.
- User with 2FA enabled.
- Bypass two-factor authentication configured.
- Dependency proxy pull result: Success.
Case 2
- 2FA enforced instance wide.
- User with 2FA disabled.
- Bypass two-factor authentication configured.
- Dependency proxy pull result: Fail.
Should Case 2 fail as well when Bypass two-factor authentication is configured and enabled? Since two-factor authentication is being bypassed at the instance level, it feels natural to also bypass it and authorize requests to the dependency proxy.
Extra context: Case 2 fails with a CI job token. When using a PAT it succeeds.
Ideal Scenario:
- 2FA enforced instance wide.
- User with 2FA enabled or disabled.
- Bypass two-factor authentication configured.
- Dependency proxy pull result: Success.
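The following is an added example, not GitLab's code: a constructed Ruby model of the two-factor decision described in Case 1, Case 2 and the Ideal Scenario above. It keeps one shared predicate for "does this user satisfy the instance-wide 2FA requirement?" and shows the reported behaviour (job tokens judged only on GitLab-level 2FA, PATs accepted) beside the expected behaviour (every credential kind defers to the shared predicate). All type and method names (InstanceSettings, User, Credential, two_factor_satisfied?, dependency_proxy_pull_reported, dependency_proxy_pull_expected) are assumptions for the model and do not correspond to GitLab internals.

```ruby
# Constructed model (not GitLab's code) of the two-factor decision in the report.
# One shared predicate serves both interactive sign-in and dependency proxy pulls.

InstanceSettings = Struct.new(:enforce_2fa, :saml_bypass_2fa, keyword_init: true)
User = Struct.new(:name, :two_factor_enabled, :saml_2fa_verified, keyword_init: true)
# kind is :pat (personal access token) or :job_token (CI job token); the report
# observes that the two behave differently in Case 2.
Credential = Struct.new(:kind, :user, keyword_init: true)

# Shared predicate: is the instance-wide 2FA requirement satisfied for this user?
def two_factor_satisfied?(settings, user)
  return true unless settings.enforce_2fa
  return true if user.two_factor_enabled
  # Bypass: the SAML IdP already verified a second factor, so GitLab-level
  # 2FA is not demanded of this user.
  !!(settings.saml_bypass_2fa && user.saml_2fa_verified)
end

# Behaviour as reported: a job token is judged only on GitLab-level 2FA, so the
# SAML bypass is ignored; a PAT is accepted (the "Extra context" observation).
# Treating a non-enforcing instance as a pass is an assumption of the model.
def dependency_proxy_pull_reported(settings, credential)
  return :success unless settings.enforce_2fa
  case credential.kind
  when :pat       then :success
  when :job_token then credential.user.two_factor_enabled ? :success : :fail
  else :fail
  end
end

# Expected behaviour: every credential kind defers to the shared predicate,
# so the dependency proxy cannot drift from the instance-wide policy.
def dependency_proxy_pull_expected(settings, credential)
  two_factor_satisfied?(settings, credential.user) ? :success : :fail
end

# The two cases from the report, plus the PAT observation, as a decision table.
def decision_table
  settings = InstanceSettings.new(enforce_2fa: true, saml_bypass_2fa: true)
  with_2fa    = User.new(name: "case1", two_factor_enabled: true,  saml_2fa_verified: true)
  without_2fa = User.new(name: "case2", two_factor_enabled: false, saml_2fa_verified: true)
  rows = [
    ["Case 1, job token", Credential.new(kind: :job_token, user: with_2fa)],
    ["Case 2, job token", Credential.new(kind: :job_token, user: without_2fa)],
    ["Case 2, PAT",       Credential.new(kind: :pat,       user: without_2fa)],
  ]
  rows.to_h do |label, cred|
    [label, { reported: dependency_proxy_pull_reported(settings, cred),
              expected: dependency_proxy_pull_expected(settings, cred) }]
  end
end

if __FILE__ == $PROGRAM_NAME
  decision_table.each do |label, r|
    puts format("%-20s reported=%-8s expected=%s", label, r[:reported], r[:expected])
  end
end
```

Running the file prints the table; the only row where the two columns differ is "Case 2, job token", which is the gap the report describes. The design point is that the dependency proxy path should call the same predicate the sign-in path uses rather than re-deriving the requirement from the user's GitLab-level 2FA flag alone; the predicate still denies a user without 2FA when the bypass is not configured, so the instance-wide policy is not weakened.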
Steps to reproduce
In a self-managed instance:
- Configure SAML between an IDP and GitLab.
- Configure 2FA for a user in the IDP.
- Configure Bypass two-factor authentication in the GitLab instance.
- Run a job to attempt to pull from the dependency proxy. This will fail, confirming the unexpected behavior.
- Now configure 2FA for the user in GitLab.
- Run the same job again to pull from the dependency proxy. This will succeed.
Example Project
N/A
What is the current bug behavior?
- 2FA enforced instance wide.
- User with 2FA disabled.
- Bypass two-factor authentication configured.
- Dependency proxy pull result: Fail.
What is the expected correct behavior?
- 2FA enforced instance wide.
- User with 2FA enabled or disabled.
- Bypass two-factor authentication configured.
- Dependency proxy pull result: Success.
