Skip to content

Dependency Proxy SSO access

Steve Abrams requested to merge 294018-dependency-proxy-sso into master

🏘 Context

The Dependency Proxy is a pull-through-cache, allowing users to pull container images from DockerHub through GitLab.

Currently, users cannot access the Dependency Proxy if Group SAML is enabled for their group.

This MR updates the permissions to properly find the users SAML/SSO session when using the Dependency Proxy.

🔬 The details

The dependency proxy functionality checks user authorization using the declarative policy framework, just like most of the rest of GitLab (things like Ability.allowed? and can?). When dealing with group saml/sso, the EE::GroupPolicy class checks the sso session here by using ::Gitlab::Auth::GroupSaml::SsoEnforcer. The problem is that SsoEnforcer expects a user session, but such a session is not persisted by CLIs like docker or Git. If access is prevented by SsoEnforcer, all group permissions are disabled and the user's member access level in the group is set to NO_ACCESS.

Fortunately, as I just mentioned, Git runs into the same problem and we have already solved this problem for the Git CLI with ::Gitlab::Auth::GroupSaml::SessionEnforcer. SessionEnforcer will take a user and find whether or not they have a currently active session, in other words, checking that they are logged in via SSO.

In the case of the dependency proxy, we are able to authenticate the user using standard credentials or personal access tokens, so we can look up their sessions using SessionEnforcer. Thus, by updating the dependency proxy permissions to check against SessionEnforcer, we can enable SSO access for the dependency proxy.

📣 What does this MR do?

  • Updates the group policy to find a user session using GroupSaml::SessionEnforcer instead of GroupSaml::SsoEnforcer when handling client based api requests (in this case the dependency proxy).

📸 Screenshots or Screencasts (strongly suggested)

Before change - Unable to pull through group with enforced SSO enabled

→ docker pull gdk.test:3443/dp-test/dependency_proxy/containers/alpine:latest
Error response from daemon: error parsing HTTP 404 response body: unexpected end of JSON input: ""
With change - Able to pull through group with enforced SSO enabled

→ docker pull gdk.test:3443/dp-test/dependency_proxy/containers/alpine:latest
latest: Pulling from dp-test/dependency_proxy/containers/alpine
Digest: sha256:1775bebec23e1f3ce486989bfc9ff3c4e951690df84aa9f926497d82f2ffca9d
Status: Image is up to date for gdk.test:3443/dp-test/dependency_proxy/containers/alpine:latest

💻 How to setup and validate locally (strongly suggested)

  1. Set up your GDK with the Dependency Proxy

  2. Set up your GDK to enable group SAML

  3. Create private group

  4. Log in a new user to the group using the local saml provider (username is user1 password is user1pass)

  5. Ensure that user is a reporter or higher for the group

  6. Create a personal access token for that user

  7. Log in to the dependency proxy using the PAT:

    # use your localhost host name and ssh port
    docker login gdk.test:3443
    username: <username>
    password: <personal_access_token>
  8. Pull an image through the dependency proxy for your group:

    docker pull gdk.test:3443/<full_group_path>/dependency_proxy/containers/alpine:latest
  9. The image should pull successfully.

Does this MR meet the acceptance criteria?


Availability and Testing


Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.

  • [-] Label as security and @ mention @gitlab-com/gl-security/appsec
  • [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • [-] Security reports checked/validated by a reviewer from the AppSec team

Related to #294018 (closed)

Edited by Steve Abrams

Merge request reports