Draft: Step-up auth: Group protection (enforcement logic) [4/4]
What does this MR do and why?
Step-up auth: Protect group routes with step-up-enabled oauth provider
Step-up authentication is a security feature that requires additional verification for accessing sensitive data or performing critical actions.
In a previous MR, we introduced step-up authentication for the admin mode, see !171643 (merged).
In this MR, we extend step-up authentication to group-specific routes. When a namespace (group) is protected with step-up authentication, only the group-specific routes of that group require step-up authentication.
This commit includes the following aspects:
- Introduced a new concern `EnforcesNamespaceStepUpAuthentication` to encapsulate step-up authentication logic for namespaces.
- Updated the `Groups::ApplicationController` to include the new concern, ensuring all group-specific routes are protected.
- Created a new controller `Groups::StepUpAuthsController` to handle step-up authentication flows for groups.
- Modified existing controllers to integrate with the step-up authentication flow.
- Added a new view for step-up authentication when users attempt to access group routes that require step-up auth.
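To make the enforcement decision concrete, here is an added, dependency-free Ruby model of what a namespace step-up concern has to decide before a group route is served. It is illustrative code written for this description, not the MR's implementation; `Group`, `StepUpSession`, the provider names and the return values are assumptions. The point it demonstrates is that step-up state is tracked per group and per provider, so completing step-up for one group, or with a different provider, does not unlock another protected group.

```ruby
# Illustrative model only (not GitLab's code). Group and StepUpSession are
# assumed stand-ins for the real namespace model and the Rails session.
Group = Struct.new(:full_path, :step_up_oauth_provider) do
  # Protected iff a step-up-enabled OAuth provider is configured for the group.
  def step_up_required?
    !step_up_oauth_provider.nil?
  end
end

# Tracks which groups the current session has completed step-up for, and with
# which provider. Keyed per group so that one group's step-up never unlocks another.
class StepUpSession
  def initialize
    @completed = {}
  end

  def record_step_up(group, provider)
    @completed[group.full_path] = provider
  end

  def satisfied_for?(group)
    @completed[group.full_path] == group.step_up_oauth_provider
  end
end

module EnforcesNamespaceStepUpAuthentication
  # Enforcement for a group-specific route. Returns :allow when the route may be
  # served, or [:step_up_required, provider] when the request must be diverted
  # into the step-up flow for that group.
  def self.check(group, session)
    return :allow unless group.step_up_required?
    return :allow if session.satisfied_for?(group)

    [:step_up_required, group.step_up_oauth_provider]
  end

  # Called after the OAuth provider callback succeeds. The provider that actually
  # authenticated must be the one the group requires; anything else is ignored.
  def self.complete(group, session, authenticated_provider)
    return false unless authenticated_provider == group.step_up_oauth_provider

    session.record_step_up(group, authenticated_provider)
    true
  end
end
```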
Changelog: added
References
- Step-up authentication for groups that this MR is built on top of: Draft: Step-up auth: Require oauth provider for... (!176295 - closed)
Related to #474650