Redirect group searches when SSO restricted
What does this MR do and why?
Notes for reviewer:
- I originally implemented this for group and project searches, but in testing found that only group searches have this issue. Project search does not appear to be restricted by Group SSO.
- Global searches cannot be handled in this manner and will be handled separately.
This MR introduces a redirect for group search when the SSO login has expired for the group. This is behind a derisk feature flag.
References
- Related to #398572 (closed)
Screenshots or screen recordings
Group search results when logged in
How to set up and validate locally
gdk requires a good bit of setup to get this working. I don't think Advanced search is required, but I have it set up to test this.
- enable ff: `search_group_sso_redirect`
- set up elasticsearch (advanced search) in gdk
- Set up HTTPS in gdk: https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/nginx.md
- Set up SAML in gdk: https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/saml.md#saml
  - note DO NOT configure the group yet
- Simulate SaaS in gdk: https://docs.gitlab.com/ee/development/ee_features.html#simulate-a-saas-instance
  - I added an `env.runit` file in the root gdk directory (not gitlab)
  - restart gitlab
- set up a private group, make sure code is there and is searchable
- add a non-admin user to the group as a developer+ role
- log in with that user
- search at the group level, make sure you get results
- follow guide to add SAML to the group: https://gitlab.com/gitlab-org/gitlab-development-kit/-/blob/main/doc/howto/saml.md#configuring-the-group
- re-run the search, make sure you are redirected to SSO login screen (this is the fix)
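A minimal model of the decision described above, added here as an illustration and not taken from the MR or from GitLab's code base: group-scoped searches are redirected to SSO when the feature flag is on and the group's SSO sign-in has expired, while project and global searches pass through. The `Group` struct, `group_search_sso_decision`, the session lifetime field and the SSO route shape are all assumptions, and the sample data is constructed.

```ruby
require 'uri'

# Hypothetical stand-in for a group and its SSO settings (not a GitLab model).
Group = Struct.new(:id, :full_path, :sso_enforced, :sso_session_ttl)

# Decide what a search request should do. Returns [:continue, nil] or
# [:redirect, url]. `sso_sign_ins` maps group id => Time of last SSO sign-in.
def group_search_sso_decision(params:, group:, sso_sign_ins:, flag_enabled:, now: Time.now)
  return [:continue, nil] unless flag_enabled          # flag off: previous behaviour
  return [:continue, nil] if group.nil?                # global search: handled separately
  return [:continue, nil] if params.key?(:project_id)  # project search: not restricted
  return [:continue, nil] unless group.sso_enforced

  signed_in_at = sso_sign_ins[group.id]
  active = signed_in_at && (now - signed_in_at) < group.sso_session_ttl
  return [:continue, nil] if active

  # Send the user to the group's SSO page and bring them back to the same search.
  return_to = '/search?' + URI.encode_www_form(params)
  sso_url = "/groups/#{group.full_path}/-/saml/sso?" +
            URI.encode_www_form(redirect: return_to)   # assumed route shape
  [:redirect, sso_url]
end

# Constructed sample data.
NOW     = Time.utc(2025, 1, 30, 12, 0, 0)
GROUP   = Group.new(42, 'acme', true, 24 * 3600)
PARAMS  = { group_id: 42, search: 'token' }
EXPIRED = { 42 => NOW - 25 * 3600 }   # last SSO sign-in 25 hours ago
FRESH   = { 42 => NOW - 3600 }        # last SSO sign-in 1 hour ago

if __FILE__ == $PROGRAM_NAME
  p group_search_sso_decision(params: PARAMS, group: GROUP,
                              sso_sign_ins: EXPIRED, flag_enabled: true, now: NOW)
  p group_search_sso_decision(params: PARAMS, group: GROUP,
                              sso_sign_ins: FRESH, flag_enabled: true, now: NOW)
end
```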
Merge request reports
Activity
changed milestone to %17.9
assigned to @terrichu
added pipeline::tier-1 label
added backend label
Reviewer roulette

| Category | Reviewer | Maintainer |
|---|---|---|
| backend | @tyleramos (UTC-5, same timezone as author) | @pskorupa (UTC+1, 6 hours ahead of author) |

Please refer to documentation page for guidance on how you can benefit from the Reviewer Roulette, or use the GitLab Review Workload Dashboard to find other available reviewers.
If needed, you can retry the `danger-review` job that generated this comment.
Generated by Danger
Edited by ****
removed backend label
added 1 commit
- 9ea78bc9 - Redirect group searches when SSO enabled and expired
- Resolved by Dmitry Gruzd
@sam.figueroa would you mind an initial backend review? I'd like to make sure I'm using the SSO class correctly and saw you originally implemented it. Please send over to @dgruzd from my team as maintainer once everything looks good.
requested review from @sam.figueroa
added backend label
Generated by gitlab_quality-test_tooling.
Slow tests detected in this merge request. These slow tests might be related to this merge request's changes.

| Job | File | Name | Duration | Expected duration |
|---|---|---|---|---|
| #8947757731 | ee/spec/features/search/zoekt/search_spec.rb#L33 | Zoekt search finds files with a regex search and allows filtering down again by project | 87.04 s | < 50.13 s |

added rspec:slow test detected label
added workflow::in review label and removed workflow::in dev label
added feature flag label
- Resolved by Dmitry Gruzd
mentioned in merge request !179114 (merged)
added 585 commits
- 53707251...b4193c77 - 582 commits from branch master
- 24bab027 - Redirect group searches when SSO enabled and expired
- f3f82608 - Adjust check and add feature flag
- 873c1897 - Use SsoEnforcer::access_restricted? and update specs
requested review from @sam.figueroa
- Resolved by Dmitry Gruzd
requested review from @dgruzd
added pipeline:mr-approved label
added pipeline::tier-2 label and removed pipeline::tier-1 label
Before you set this MR to auto-merge
This merge request will progress on pipeline tiers until it reaches the last tier: pipeline::tier-3. We will trigger a new pipeline for each transition to a higher tier.
Before you set this MR to auto-merge, please check the following:
- You are the last maintainer of this merge request
- The latest pipeline for this merge request is pipeline::tier-3 (You can find which tier it is in the pipeline name)
- This pipeline is recent enough (created in the last 8 hours)
If all the criteria above apply, please set auto-merge for this merge request.
See pipeline tiers and merging a merge request for more details.
E2E Test Result Summary
allure-report-publisher generated test report!

e2e-test-on-gdk: test report for 873c1897

suites summary

| | passed | failed | skipped | flaky | total | result |
|---|---|---|---|---|---|---|
| Verify | 104 | 0 | 40 | 2 | 144 | ✅ |
| Govern | 158 | 0 | 26 | 0 | 184 | ✅ |
| Create | 276 | 0 | 40 | 0 | 316 | ✅ |
| Plan | 164 | 0 | 16 | 0 | 180 | ✅ |
| Package | 48 | 0 | 28 | 0 | 76 | ✅ |
| Data Stores | 66 | 0 | 20 | 0 | 86 | ✅ |
| Analytics | 4 | 0 | 0 | 0 | 4 | ✅ |
| Monitor | 16 | 0 | 24 | 0 | 40 | ✅ |
| Fulfillment | 4 | 0 | 14 | 0 | 18 | ✅ |
| Secure | 8 | 0 | 6 | 0 | 14 | ✅ |
| Ai-powered | 0 | 0 | 4 | 0 | 4 | ➖ |
| Manage | 2 | 0 | 18 | 0 | 20 | ✅ |
| Configure | 0 | 0 | 6 | 0 | 6 | ➖ |
| ModelOps | 0 | 0 | 2 | 0 | 2 | ➖ |
| Release | 10 | 0 | 2 | 0 | 12 | ✅ |
| Growth | 0 | 0 | 4 | 0 | 4 | ➖ |
| Total | 860 | 0 | 250 | 2 | 1110 | ✅ |

e2e-test-on-cng: test report for 873c1897

suites summary

| | passed | failed | skipped | flaky | total | result |
|---|---|---|---|---|---|---|
| Data Stores | 33 | 0 | 10 | 0 | 43 | ✅ |
| Create | 143 | 0 | 19 | 0 | 162 | ✅ |
| Verify | 53 | 0 | 19 | 0 | 72 | ✅ |
| Plan | 86 | 0 | 8 | 0 | 94 | ✅ |
| Govern | 84 | 0 | 10 | 0 | 94 | ✅ |
| Fulfillment | 2 | 0 | 7 | 0 | 9 | ✅ |
| Release | 5 | 0 | 1 | 0 | 6 | ✅ |
| Package | 29 | 0 | 15 | 0 | 44 | ✅ |
| Manage | 1 | 0 | 9 | 0 | 10 | ✅ |
| Secure | 2 | 0 | 5 | 0 | 7 | ✅ |
| Ai-powered | 0 | 0 | 2 | 0 | 2 | ➖ |
| Monitor | 8 | 0 | 12 | 0 | 20 | ✅ |
| Configure | 0 | 0 | 3 | 0 | 3 | ➖ |
| Analytics | 2 | 0 | 0 | 0 | 2 | ✅ |
| Growth | 0 | 0 | 2 | 0 | 2 | ➖ |
| ModelOps | 0 | 0 | 1 | 0 | 1 | ➖ |
| Total | 448 | 0 | 123 | 0 | 571 | ✅ |

Edited by ****
added pipeline::tier-3 pipeline:run-e2e-omnibus-once labels and removed pipeline::tier-2 label
started a merge train
mentioned in commit 40179c4a
mentioned in incident gitlab-org/quality/engineering-productivity/master-broken-incidents#10249 (closed)
added workflow::staging-canary label and removed workflow::in review label
added workflow::canary label and removed workflow::staging-canary label
added workflow::staging label and removed workflow::canary label
added workflow::production label and removed workflow::staging label
added workflow::post-deploy-db-staging label and removed workflow::production label
added backport::skip label
mentioned in merge request !180750 (merged)