Step-up auth: Enforce for subgroup creation based on parent group requirements

Proposal

Extend step-up authentication enforcement to group creation actions (:new and :create) by checking parent group requirements. When creating a subgroup, users should be required to authenticate with step-up auth if the parent group has it enabled.

🛠️ with ❤️ at Siemens

Problem Statement

Currently, step-up authentication enforcement is skipped for the :new and :create actions in GroupsController because the before_action :group has not executed yet for those actions, so @group is not available. This creates a security gap: users can create subgroups without step-up authentication even when the parent group requires it.

Proposed Solution

Enforce step-up auth for group creation by checking params[:parent_id]:

Implementation approach:

  • Remove :new and :create from the except clause in the before_action :enforce_step_up_auth_for_namespace
  • Use the existing enforce_step_up_auth_for_namespace override that checks params[:parent_id] (already implemented in app/controllers/groups_controller.rb:425-432)
  • Add test coverage for subgroup creation with parent group step-up auth requirements

Related code:

  • app/controllers/groups_controller.rb:33 - Current before_action that skips :new and :create
  • app/controllers/groups_controller.rb:425-432 - Existing method override that handles params[:parent_id]
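The following is an added, standalone Ruby model of the decision described above; it is not GitLab's code and does not depend on Rails. It assumes a constructed group table, a simplified `except:` clause standing in for the `before_action` option, and a `step_up_completed` flag standing in for session state. It contrasts the current configuration (where :new and :create are skipped) with the proposed one (where those actions resolve the namespace from params[:parent_id]).

```ruby
# Standalone model (not GitLab's code) of when a GroupsController request
# must be redirected to step-up authentication. Group data is constructed.

Group = Struct.new(:id, :parent_id, :step_up_auth_required)

# Constructed group tree: group 1 requires step-up auth, group 2 is its
# subgroup, group 3 is an unrelated top-level group without the requirement.
GROUPS = {
  1 => Group.new(1, nil, true),
  2 => Group.new(2, 1, false),
  3 => Group.new(3, nil, false),
}.freeze

class StepUpAuthEnforcer
  # `except` mirrors the `except:` option of the before_action.
  def initialize(except: [])
    @except = except
  end

  # Returns true when the request must be sent to step-up auth.
  # `params` mirrors the Rails params hash (values may be strings);
  # `step_up_completed` mirrors session state for the namespace.
  def required?(action:, params:, step_up_completed: false)
    return false if @except.include?(action)

    namespace = namespace_for(action, params)
    return false if namespace.nil?
    return false unless namespace.step_up_auth_required

    !step_up_completed
  end

  private

  # For :new and :create the group being created does not exist yet
  # (@group is unavailable), so the parent from params is the namespace
  # whose requirement applies. Other actions use the group itself.
  def namespace_for(action, params)
    key = (action == :new || action == :create) ? :parent_id : :id
    raw = params[key]
    return nil if raw.nil? || raw.to_s.empty?

    # An unknown id yields nil here; in a real controller that is a 404
    # handled elsewhere, not a reason to skip the auth check.
    GROUPS[raw.to_i]
  end
end

# Current state described in the issue: :new and :create are skipped.
CURRENT = StepUpAuthEnforcer.new(except: [:new, :create]).freeze
# Proposed state: no exception, parent_id drives the namespace lookup.
PROPOSED = StepUpAuthEnforcer.new.freeze

# Evaluates the success-criteria scenarios for a given enforcer.
def enforcement_matrix(enforcer)
  {
    subgroup_under_protected_parent:
      enforcer.required?(action: :create, params: { parent_id: "1" }),
    subgroup_under_unprotected_parent:
      enforcer.required?(action: :create, params: { parent_id: "3" }),
    top_level_group:
      enforcer.required?(action: :create, params: {}),
    show_protected_group:
      enforcer.required?(action: :show, params: { id: "1" }),
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "current:  #{enforcement_matrix(CURRENT)}"
  puts "proposed: #{enforcement_matrix(PROPOSED)}"
end
```

Running the file prints both matrices: under CURRENT the subgroup-under-protected-parent case is `false` (the gap), under PROPOSED it is `true`, while top-level creation and creation under an unprotected parent stay `false` in both, matching the stated success criteria.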

Success Criteria

  • Users creating a subgroup under a parent with step-up auth enabled are prompted for step-up authentication
  • Top-level group creation (no parent) is not affected
  • Feature tests added for subgroup creation scenarios
  • TODO comment removed from groups_controller.rb:31-32

What does success look like, and how can we measure that?

Security Metrics:

  • Parent group step-up auth requirements are inherited by subgroup creation flows
  • No bypass scenarios exist for subgroup creation

User Impact:

  • Seamless security inheritance from parent to child groups