Step-up auth: Add GraphQL API endpoint for group protection setting (!204475) · Merge requests · GitLab.org / GitLab

Please check this box if this contribution uses AI-generated content (including content generated by GitLab Duo features) as outlined in the GitLab DCO & CLA. As a benefit of being a GitLab Community Contributor, you receive complimentary access to GitLab Duo.

What does this MR do and why?

Completes the GraphQL API implementation for step-up authentication by adding comprehensive CRUD operations for the namespace setting. This provides GraphQL API parity with the REST API endpoints for managing step-up authentication requirements per namespace.

Key additions:

Add namespaceSettings field to NamespaceType with proper authorization
Extend Groups::Update mutation with step_up_auth_required_oauth_provider argument
Implement feature flag support for omniauth_step_up_auth_for_namespace
Add comprehensive test coverage for query and mutation operations
Fix authorization checks using Ability.allowed? for proper GraphQL context

The implementation ensures that only users with admin_group permissions can view and modify the step-up authentication settings, consistent with the security model established in the REST API.

Test coverage includes:

Query scenarios for different permission levels
Mutation operations for setting and clearing providers
Feature flag behavior validation
Subgroup inheritance testing

🛠️ with ❤️ at Siemens

References

Builds on REST API endpoint work: Step-up auth: Add REST API endpoint for group p... (!203429 - merged)
Related issue: Step-up auth: Group-based OIDC Step-up Authenti... (#556943)

Screenshots or screen recordings

This is a backend GraphQL API implementation. No UI changes are included in this MR.

Before	After
No GraphQL API support for step-up auth namespace settings	Full GraphQL CRUD operations available

	Update successfully
	Update with error

How to set up and validate locally

Part 1: Prepare your local GitLab gdk instance

Follow the setup steps described in the previous MR.

Part 2: Test the GraphQL API

Enable the step-up authentication feature flag in Rails console:
```
Feature.enable(:omniauth_step_up_auth_for_namespace)
```

Configure an OAuth provider with step-up auth support in config/gitlab.yml:

omniauth:
  enabled: true
  providers:
    - name: 'openid_connect'
      label: 'OpenID Connect'
      step_up_auth:
        namespace:
          id_token:
            required:
              acr: 'gold'

Start GitLab and access GraphQL tool at http://127.0.0.1:3000/-/graphql-explorer

Test the GraphQL query to retrieve namespace settings:

query GetNamespaceSettings($fullPath: ID!) {
  namespace(fullPath: $fullPath) {
    namespaceSettings {
      stepUpAuthRequiredOauthProvider
    }
  }
}

Test the GraphQL mutation to update the setting:

mutation UpdateGroupStepUpAuth($fullPath: ID!, $provider: String) {
  groupUpdate(
    input: {
      fullPath: $fullPath
      stepUpAuthRequiredOauthProvider: $provider
    }
  ) {
    group {
      namespaceSettings {
        stepUpAuthRequiredOauthProvider
      }
    }
    errors
  }
}

Verify authorization by testing with different user permission levels (owner, maintainer, developer)
Test feature flag behavior by disabling the flag and ensuring queries return null values

Run the comprehensive test suite:

bundle exec rspec spec/requests/api/graphql/namespaces/general_settings_spec.rb
bundle exec rspec spec/requests/api/graphql/mutations/groups/update_spec.rb -e "step-up auth"

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

MR Checklist (@gerardo-navarro)

Related to #556943

Edited Sep 29, 2025 by Gerardo Navarro

Step-up auth: Add GraphQL API endpoint for group protection setting