
GitLab Admins should bypass Group SSO enforcement

What does this MR do and why?

For SSO enforcement, there are two methods in the codebase we use:

1. ::Gitlab::Auth::GroupSaml::SsoEnforcer#access_restricted? instance method. This method is strict: it always returns true if SSO enforcement is enabled and current_user doesn't have an active SAML session.

2. ::Gitlab::Auth::GroupSaml::SsoEnforcer.access_restricted? class method. This method wraps the instance method call to allow bypassing SSO enforcement in certain cases; see this table for details. This method also allows bypassing SSO enforcement for GitLab Admins.

In some cases, we started to use the stricter SSO enforcement check [!115254 (merged), !121430 (merged), !120105 (comment 1383786131)]. This could cause issues like #413568 (closed). GitLab Admins should always bypass Group SSO enforcement. This MR moves the user.can_read_all_resources? check to the instance method to fix that. Since the class method is a wrapper around the instance method, the class method behavior hasn't changed. Our existing tests confirm that.

Not only will this MR fix #413568 (closed), but it will also reduce the number of false-positive SSO alert messages on the To-Do list page; see !120105 (comment 1383786131).

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Bogdan Denkovych
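The gap the MR description points at, as an added illustration rather than GitLab's own code: a simplified model of the two SsoEnforcer entry points, before and after moving the admin check into the instance method. User, StrictSsoEnforcer, FixedSsoEnforcer and restricted_by are stand-ins constructed for this example; only the method names mirror the MR.

```ruby
# Illustrative reconstruction of the enforcer shape described in the MR.
# Not GitLab's code: the user object and enforcement flag are simplified stand-ins.
User = Struct.new(:name, :admin, :saml_session_active, keyword_init: true) do
  # Stand-in for GitLab's User#can_read_all_resources? (true for admins).
  def can_read_all_resources?
    admin
  end
end

# Before the MR: the instance method is strict and ignores admin status;
# only the class-method wrapper lets admins through.
class StrictSsoEnforcer
  def initialize(sso_enforced:)
    @sso_enforced = sso_enforced
  end

  # Instance method: restricted whenever enforcement is on and there is no active SAML session.
  def access_restricted?(user)
    @sso_enforced && !user.saml_session_active
  end

  # Class-method wrapper: the admin bypass lives only here, so callers that use the
  # instance method directly (the stricter check the MR mentions) never see it.
  def self.access_restricted?(user, sso_enforced:)
    return false if user.can_read_all_resources?
    new(sso_enforced: sso_enforced).access_restricted?(user)
  end
end

# After the MR: the admin check moves into the instance method. The inherited
# class-method wrapper is left untouched, so its behaviour does not change.
class FixedSsoEnforcer < StrictSsoEnforcer
  def access_restricted?(user)
    return false if user.can_read_all_resources?
    super
  end
end

# Constructed scenarios: an admin and a regular member, neither with a SAML session.
ADMIN  = User.new(name: "admin",  admin: true,  saml_session_active: false)
MEMBER = User.new(name: "member", admin: false, saml_session_active: false)

# Evaluate one enforcer through either entry point, with enforcement switched on.
def restricted_by(enforcer_class, user, via:)
  case via
  when :instance then enforcer_class.new(sso_enforced: true).access_restricted?(user)
  when :class    then enforcer_class.access_restricted?(user, sso_enforced: true)
  else raise ArgumentError, "via must be :instance or :class"
  end
end
```

Only the strict enforcer's instance path blocks the admin; both paths of the fixed enforcer let the admin through while still restricting the member.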
