Step-up auth: Protect content in global search results

Problem Statement / Context

When step-up authentication is enabled for a group, users expect that sensitive content from that group is protected consistently across all access points. However, global search results may inadvertently leak information from protected groups by displaying titles, descriptions, and content snippets.

Current Limitations:

  • Global search results display titles and descriptions from step-up auth protected groups (e.g., "Q4 Financial Results Discussion")
  • Code search shows file contents and paths from protected projects
  • Issue and MR search reveals sensitive information in titles and descriptions
  • This creates inconsistent security behavior where direct group access is protected but content leaks through search

User Impact:

  • Organizations using step-up auth for sensitive groups cannot fully protect their content
  • Users heavily relying on search may find the feature incomplete and abandon it
  • Security and compliance requirements may not be met due to information leakage through search results

Proposal

Implement content protection for step-up authentication enabled groups in global search results, ensuring that search results from protected groups are secured until the user completes step-up authentication.

🛠️ with ❤️ at Siemens

Proposed Solution

Implement filtering/redaction of search results from step-up auth protected groups:

Option 1: Filter out results

  • Don't show any search results from protected groups until step-up auth is completed
  • Pros: Simplest to implement, no information leakage
  • Cons: Users may not know protected content exists

Option 2: Show metadata only (Recommended)

  • Display that matches exist but redact titles/descriptions
  • Example: "3 results in [Protected Group] - authentication required to view"
  • Include a link to trigger step-up authentication
  • Pros: Users know content exists, clear call-to-action
  • Cons: More complex UI implementation

Option 3: Trigger step-up on access

  • Show the result but require step-up auth when the user clicks to view it
  • Pros: Best discoverability
  • Cons: Information leakage through titles/descriptions in search results

Affected Search Types:

  1. Issue Search
    • Issue titles and descriptions
    • Labels, milestones, assignees
  2. Merge Request Search
    • MR titles and descriptions
    • Source/target branch names
  3. Code Search
    • File contents and paths
    • Code snippets in results
  4. Wiki Search
    • Wiki page titles and content
  5. Milestone/Label Search
    • Names that may contain sensitive information

Technical Approach

  1. Central Filter Service
    • Create a service to check if content belongs to a step-up auth protected group
    • Apply filtering before results are returned to the user
  2. Search Result Decorator
    • Wrap search results with step-up auth status
    • Redact content fields while preserving result count
  3. UI Components
    • Display redacted results with authentication prompt
    • Provide inline step-up auth trigger
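
A sketch of how the filter service and result decorator above could implement Option 2, added here as an illustration and not taken from GitLab's code base. The SearchHit and RedactedGroup structs, the StepUpSearchFilter class, the render helper and the /step-up route are hypothetical names, and the sample hits are constructed.

```ruby
require "set"

# Hypothetical result shape for illustration; not GitLab's search result classes.
SearchHit = Struct.new(:scope, :group_id, :title, :snippet, keyword_init: true)
# Deliberately carries no field copied from a hit: only a count and a prompt target.
RedactedGroup = Struct.new(:group_id, :count, :step_up_path, keyword_init: true)

class StepUpSearchFilter
  # protected_ids: groups with step-up auth enabled.
  # verified_ids:  groups the current session has completed step-up for.
  def initialize(protected_ids:, verified_ids:)
    @protected = protected_ids.to_set
    @verified = verified_ids.to_set
  end

  def locked?(hit)
    @protected.include?(hit.group_id) && !@verified.include?(hit.group_id)
  end

  # Runs in the search service layer, before anything is serialized for the UI.
  def apply(hits)
    locked, visible = hits.partition { |hit| locked?(hit) }
    redacted = locked.group_by(&:group_id).map do |group_id, group_hits|
      RedactedGroup.new(group_id: group_id, count: group_hits.size,
                        step_up_path: "/step-up?group_id=#{group_id}") # placeholder route
    end
    { visible: visible, redacted: redacted, total: hits.size }
  end
end

# Constructed sample data: group 7 is step-up protected, group 3 is not.
SAMPLE_HITS = [
  SearchHit.new(scope: :issues, group_id: 7, title: "Q4 Financial Results Discussion", snippet: "draft numbers"),
  SearchHit.new(scope: :blobs, group_id: 7, title: "config/payroll.yml", snippet: "rate: ..."),
  SearchHit.new(scope: :issues, group_id: 3, title: "Fix typo in README", snippet: "s/teh/the/")
].freeze

def render(result)
  lines = result[:visible].map { |hit| "#{hit.scope}: #{hit.title}" }
  result[:redacted].each do |group|
    lines << "#{group.count} results in [Protected Group] - authentication required to view (#{group.step_up_path})"
  end
  lines
end

before = StepUpSearchFilter.new(protected_ids: [7], verified_ids: []).apply(SAMPLE_HITS)
after  = StepUpSearchFilter.new(protected_ids: [7], verified_ids: [7]).apply(SAMPLE_HITS)
puts render(before), "--", render(after)
```

Because the redacted summary is built from the group id and a count alone, titles, paths and snippets from a locked group never reach the serializer, while the total result count stays the same.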

What does success look like, and how can we measure that?

User Impact Metrics:

  • Zero information leakage from step-up auth protected groups through search
  • User satisfaction with consistent security behavior
  • Feature adoption rates remain stable after implementation

Technical Metrics:

  • All search result titles/descriptions from protected groups are filtered/redacted
  • Search performance impact < 5% additional latency
  • No false positives (results incorrectly filtered)

Related Resources

  • Parent Epic: Step-Up Authentication (#16818 (closed))
  • Related Issue: #547659 (closed) - Review community contribution of expanding step-up auth beyond Admin Mode
  • Companion Issue: Step-up Authentication: Protect content in dashboard views

Implementation Plan

Technical Considerations

  • Implement filtering at the search service layer, not UI layer
  • Consider caching step-up auth status per user session
  • Ensure compatibility with Elasticsearch/Advanced Search
  • Handle edge cases: cross-group search, permission changes during session

Checklist

  • Design RFC for search result protection strategy
  • Implement step-up auth content filter service
  • Add feature flag step_up_auth_search_protection
  • Filter issue search results
    • Redact issue titles and descriptions
    • Hide labels/milestones if they contain sensitive info
  • Filter merge request search results
    • Redact MR titles and descriptions
    • Consider branch name handling
  • Filter code search results
    • Redact file paths and content snippets
  • Filter wiki search results
  • Implement redacted result UI component
    • Show result count from protected groups
    • Add step-up auth trigger link
  • Add unit and integration tests
  • Add E2E tests for search protection
  • Update search documentation
  • Performance testing and optimization
Edited Nov 19, 2025 by 🤖 GitLab Bot 🤖