Skip to content

Allow Service Account to be added to SSO-enforced group

Drew Blessing requested to merge dblessing_serv_acct_sso_enforce_fix into master

What does this MR do and why?

Fixes #417300 (closed)

Allow Service Account to be added to SSO-enforced group

Service Accounts cannot sign-in interactively, and they're meant to be used regardless of SSO enforcement settings. This change allows a Service Account to be added as a member via the API and UI even when SSO is enforced.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before After
Screen_Recording_2023-09-06_at_3.35.35_PM Screen_Recording_2023-09-06_at_3.32.05_PM

Database

Before

SELECT
    users.*
FROM
    users
    JOIN identities ON identities.user_id = users.id
WHERE
    users.state IN ( 'blocked', 'banned', 'ldap_blocked' ) AND
    identities.saml_provider_id = 112
ORDER BY
    users.id DESC;

After

SELECT
    users.*
FROM
    (
        (
            SELECT
                users.*
            FROM
                users
                JOIN identities ON identities.user_id = users.id
            WHERE
                users.state IN ( 'blocked', 'banned', 'ldap_blocked' ) AND
                identities.saml_provider_id = 112
        )
        UNION
        (
            SELECT
                users.*
            FROM
                users
                JOIN user_details AS user_detail ON user_detail.user_id = users.id
            WHERE
                users.state IN ( 'blocked', 'banned', 'ldap_blocked' ) AND
                users.user_type = 13 AND
                user_detail.provisioned_by_group_id = 1028
        )
    ) AS users
WHERE
    users.state IN ( 'blocked', 'banned', 'ldap_blocked' )
ORDER BY
    users.id DESC;

Explain

Before

https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/22101/commands/71475

After

https://postgres.ai/console/gitlab/gitlab-production-tunnel-pg12/sessions/22101/commands/71470

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Set up a Group with Group SAML following https://docs.gitlab.com/ee/user/group/saml_sso/
  2. Make sure to select "Enforce SSO-only authentication for web activity for this group" in SAML SSO settings for the group.
  3. Create a service account for the group - https://docs.gitlab.com/ee/api/groups.html#create-service-account-user
  4. Add the account as a member of the group through the API:
    MY_TOKEN=<paste-valid-token-here>
    curl --request POST --header "PRIVATE-TOKEN: $MY_TOKEN" \
    --header "Content-Type:application/json" \
    --data '{ "user_id": "<service-acct-id>", "access_level": 20 }' \
    "https://gdk.test:3443/api/v4/groups/<group-id>/members"
  5. Prior to this MR, observe error:
    {"message":{"user":["is not linked to a SAML account"]}}
  6. After this MR, observe a successful response:
    {"access_level":20,"created_at":"2023-07-11T18:58:53.247Z","created_by":{"id":1,"username":"root","name":"Administrator","state":"active"},"expires_at":null,"id":79,"username":"service_account_group_33_087942a596ce3bd9cd21704dc3c2a455","name":"Service account user","state":"active","email":"service_account_group_33_087942a596ce3bd9cd21704dc3c2a455@noreply.gdk.test","membership_state":"active"}
  7. Ensure the service account user is removed from the group and repeat via the UI. Navigate to the group > Members > Invite members and search for service to see service accounts. Prior to this MR, no service accounts would appear when SSO is enforced. After, service accounts are searchable.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Drew Blessing

Merge request reports

Loading