
Duo Code Review fails when triggered via API with SAML SSO enabled

Summary

While #525123 (closed) resolved Duo Code Review failures for UI-triggered requests with SAML SSO (shipped in 17.11), API-triggered reviews still fail when SAML SSO enforcement is enabled on a group.

This impacts:

  • Automated Code Review setting (#506537 (closed), shipped in 18.0) - fails for SSO-enabled groups
  • CI/CD pipelines that programmatically assign @GitLabDuo as a reviewer
  • Bots and automation tools that use the GitLab API to request Duo reviews
  • Third-party integrations that create MRs or trigger code reviews via the API

Steps to reproduce

  1. Enable SAML SSO enforcement on a group
  2. Use the API (authenticating with a CI_JOB_TOKEN, Personal Access Token, or Project Access Token) to create an MR in that group with automatic Duo code review enabled
  3. Duo code review fails with the error shown below:

[screenshot: Duo code review error message]

Example Project

What is the current bug behavior?

When an MR is created via the API in a group with SAML SSO enabled:

  • Duo code review fails with an error

What is the expected correct behavior?

Duo code review works

Relevant logs and/or screenshots

[screenshot: Duo code review error message]

Root Cause Analysis: Per this analysis:

SSO is not enforced on the API today. The problem is that triggering a Duo-based operation relies on the presence of a client-side (web) session for authorization, while the work itself then runs in Sidekiq/async jobs. Those jobs may run after the session has expired, or, for API-triggered requests, with no web session at all. We therefore need a way either to extend the session or to pass auth to those jobs, or to implement SSO enforcement for the API.

  • Authentication team quote: "SSO currently only applies to Web sessions, and is not enforced on the API. API auth is based on access tokens. For Sidekiq/worker jobs, passing the session ID could work... The reason why API enforcement hasn't been actively tackled is, it's priority on the roadmap, and because it'd need essentially a redesign of SSO enforcement on GitLab.com"
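
To make the failure mode concrete, the following is an added toy model (not GitLab code, and not how Sidekiq or the SAML session store are actually implemented). It contrasts a review job that re-checks the browser SAML session when it runs (which fails for API-triggered MRs, which have no session, and for web-triggered ones whose session expired before the job ran) with a job that is handed an explicit auth context captured when it was enqueued. The names SessionStore, AuthContext, trigger_from_api, trigger_from_web, review_job_session_bound and review_job_with_context, and the token table, are all constructed for this illustration.

```python
# Added illustration, not GitLab's code: why a Sidekiq-style Duo review job
# that depends on a browser SAML session fails for API-triggered merge
# requests, and what passing an explicit auth context to the job changes.
# All class and function names here are assumptions made for this example.
from dataclasses import dataclass
from typing import Optional


@dataclass
class SamlSession:
    user: str
    group: str
    expires_at: float  # seconds on a caller-supplied clock (deterministic)

    def active(self, now: float) -> bool:
        return now < self.expires_at


class SessionStore:
    """In-memory stand-in for the web session store (constructed)."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def create(self, user: str, group: str, now: float, ttl: float) -> str:
        sid = f"sid-{len(self._sessions) + 1}"
        self._sessions[sid] = SamlSession(user, group, now + ttl)
        return sid

    def lookup(self, sid: Optional[str]) -> Optional[SamlSession]:
        return self._sessions.get(sid) if sid else None


@dataclass
class AuthContext:
    """What the trigger established at enqueue time and hands to the job."""
    user: str
    group: str
    source: str  # "web_session" or "api_token"
    session_id: Optional[str] = None


# Constructed token table. API auth is token based and, as the issue states,
# SAML SSO enforcement does not apply to it.
API_TOKENS = {"glpat-constructed-example": ("ci-bot", "sso-group")}


def trigger_from_api(token: str, group: str) -> Optional[AuthContext]:
    """API path: validate the token; no SAML web session is created."""
    entry = API_TOKENS.get(token)
    if entry is None or entry[1] != group:
        return None
    return AuthContext(user=entry[0], group=group, source="api_token")


def trigger_from_web(store: SessionStore, sid: str, group: str) -> Optional[AuthContext]:
    """UI path: requires a SAML session bound to the group."""
    sess = store.lookup(sid)
    if sess is None or sess.group != group:
        return None
    return AuthContext(user=sess.user, group=group, source="web_session", session_id=sid)


def review_job_session_bound(store: SessionStore, ctx: AuthContext, now: float) -> str:
    """Models the failing design: the async job re-checks the web session.
    API-triggered contexts carry no session, and a web session may have
    expired by the time the job is actually picked up."""
    sess = store.lookup(ctx.session_id)
    if sess is None or not sess.active(now):
        return "failed: no active SSO session"
    return f"reviewed by {sess.user}"


def review_job_with_context(ctx: AuthContext) -> str:
    """Models the alternative the issue proposes: the job trusts the auth
    context that was already established when the job was enqueued."""
    if ctx.source not in ("web_session", "api_token"):
        return "failed: unknown auth source"
    return f"reviewed by {ctx.user}"


def scenarios() -> dict:
    """Runs the four cases the issue describes and returns their outcomes."""
    store = SessionStore()
    sid = store.create("alice", "sso-group", now=0.0, ttl=3600.0)
    web = trigger_from_web(store, sid, "sso-group")
    api = trigger_from_api("glpat-constructed-example", "sso-group")
    return {
        "web, job runs soon": review_job_session_bound(store, web, now=60.0),
        "web, job runs after expiry": review_job_session_bound(store, web, now=7200.0),
        "api, session-bound job": review_job_session_bound(store, api, now=60.0),
        "api, context-passing job": review_job_with_context(api),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:30s} -> {outcome}")
```

The third scenario is this issue: the API path never creates a web session, so a job that looks one up can only fail, regardless of how quickly it runs. The second scenario is the expiry race the root-cause note describes. Passing the enqueue-time auth context fixes both without requiring SSO enforcement on the API itself, which is the separate, larger change tracked in #297389.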

Related Issues:

  • #525123 (closed) - Original issue (UI case resolved in 17.11)
  • #506537 (closed) - Automated Code Review (shipped 18.0, potentially affected)
  • #297389 - SSO enforcement for API (platform-wide, Backlog)
  • #504690 - Similar issue affecting release-cli with SSO
  • #359838 - Security concern: PAT bypassing SSO
  • Epic &5609 - SAML SSO Enforcement in API and CLI

Edited by ŁUKASZ KORBASIEWICZ