Step-up auth: Add REST API endpoint for group protection setting
- Please check this box if this contribution uses AI-generated content (including content generated by GitLab Duo features) as outlined in the GitLab DCO & CLA. As a benefit of being a GitLab Community Contributor, you receive complimentary access to GitLab Duo.
What does this MR do and why?
Extends the Groups REST API to expose and manage the `step_up_auth_required_oauth_provider` namespace setting, enabling programmatic configuration of step-up authentication requirements.
Adds conditional attribute exposure in the `GroupDetail` entity, gated by the `omniauth_step_up_auth_for_namespace` feature flag and an admin permission check. The implementation follows existing namespace settings patterns and provides complete CRUD operations via the GET/PUT endpoints.
This enables infrastructure-as-code security management and automation of step-up authentication policies across GitLab groups, addressing the gap between UI functionality and programmatic access.
References
- Related issue: #556943
- Foundation MR: !199423 (merged)
- Feature flag: `omniauth_step_up_auth_for_namespace`
Screenshots or screen recordings
This MR adds REST API functionality without UI changes. The API responses can be tested via curl or API clients.
Both columns run the same request:

```shell
curl -H "PRIVATE-TOKEN: token" "http://localhost:3000/api/v4/groups/GROUP_ID" | jq '.step_up_auth_required_oauth_provider'
```

| Before | After |
|---|---|
| Response: attribute not present | Response: `null` or `"openid_connect"` |
How to set up and validate locally
Part 1: Prepare your local GitLab gdk instance
Follow the setup steps described in the previous MR.
Part 2: Test the REST API
- Create a test group and ensure that your personal access token can access this group (you need the `api` scope).
- Test a GET request to retrieve the current setting:

  ```shell
  curl --header "PRIVATE-TOKEN: your-token" \
    "http://localhost:3000/api/v4/groups/GROUP_ID"
  ```

- Test a PUT request to update the setting:

  ```shell
  curl --request PUT --header "PRIVATE-TOKEN: your-token" \
    --header "Content-Type: application/json" \
    --data '{"step_up_auth_required_oauth_provider":"openid_connect"}' \
    "http://localhost:3000/api/v4/groups/GROUP_ID"
  ```

- Test clearing the setting:

  ```shell
  curl --request PUT --header "PRIVATE-TOKEN: your-token" \
    --header "Content-Type: application/json" \
    --data '{"step_up_auth_required_oauth_provider":""}' \
    "http://localhost:3000/api/v4/groups/GROUP_ID"
  ```

- Verify the attribute is only exposed when the feature flag is enabled and the token has the required permissions.
- Test validation with invalid provider names.
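The following client walks through the Part 2 steps in order and reports each outcome; it is an added example, not code from this MR or from GitLab. It assumes (the MR does not state this) that an invalid provider name is rejected with HTTP 400 and that clearing the setting reads back as `null`; the `transport` parameter exists so the same checks can run against a stub without a GDK instance.

```python
import json
import urllib.error
import urllib.request

ATTR = "step_up_auth_required_oauth_provider"


def http_json(method, url, token, body=None):
    """Default transport: send one request and return (status, parsed JSON)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url, data=data, method=method,
        headers={"PRIVATE-TOKEN": token, "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        # The API returns the error message as a JSON body on 4xx responses.
        return err.code, json.loads(err.read() or b"null")


def check_step_up_setting(base_url, group_id, token,
                          provider="openid_connect", transport=http_json):
    """Run the MR's validation steps and report each outcome as a bool.

    Assumptions (not stated by the MR): a rejected provider name comes back
    as HTTP 400, and clearing the setting with "" reads back as null.
    """
    url = f"{base_url}/api/v4/groups/{group_id}"
    findings = {}

    status, body = transport("GET", url, token)
    # The attribute is only serialised when the flag is on and the caller is an admin.
    findings["exposed"] = status == 200 and ATTR in body
    if not findings["exposed"]:
        return findings  # flag off or token lacks admin rights on the group

    status, body = transport("PUT", url, token, {ATTR: provider})
    findings["set_ok"] = status == 200 and body.get(ATTR) == provider

    status, body = transport("PUT", url, token, {ATTR: ""})
    findings["clear_ok"] = status == 200 and body.get(ATTR) is None

    status, body = transport("PUT", url, token, {ATTR: "not-a-provider"})
    findings["invalid_rejected"] = status == 400
    return findings


if __name__ == "__main__":
    import os  # GROUP_ID and GITLAB_TOKEN are placeholders you supply
    print(check_step_up_setting("http://localhost:3000",
                                os.environ["GROUP_ID"], os.environ["GITLAB_TOKEN"]))
```

Run it once with an admin token and once with a token that can only read the group: the second run should stop at `{"exposed": False}`.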
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
MR Checklist (@gerardo-navarro)
- Changelog entry added, if necessary
- Documentation created/updated via this MR
- Documentation reviewed by technical writer or follow-up review issue created
- Tests added for this feature/bug
- Tested in all supported browsers
- Conforms to the code review guidelines
- Conforms to the style guides
- Conforms to the JavaScript style guides
- Conforms to the database guides
- Conforms to the merge request performance guidelines
- API changes follow GitLab REST API conventions and include proper validation
- Feature flag controls are properly implemented and tested
- Security considerations for authentication settings are addressed