
Draft: MR approval option "Require user password to approve" should ask for MFA

What does this MR do?

This MR adds support for users who authenticate via MFA to re-authenticate through their provider when approving merge requests

See CFR Part 11 compliance for digitally signed change requests. Specifically, this.

This is a requirement for using GitLab for documentation control in GxP software.

  1. Check if current user has allow_password_authentication_for_web? enabled
    • If so, when the approval modal displays it will allow the user to enter a password
  2. Check if current user has enabled_button_based_providers
    • If so, when the approval modal displays it will allow the user to authenticate with any of the providers listed
  3. When the user selects a provider to authenticate with, POST users/auth/{provider} with the MR attached as a query parameter
    • Use the existence of the query parameter to route to the merge request approval endpoint after the {provider}#callback succeeds
    • Once the POST {group}/{project}/merge_requests/{merge_request_id}/approvals succeeds, re-route the user back to the merge request page with the approval updated
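The hand-off in step 3, as an added example that is not GitLab's code: one helper builds the provider URL the modal POSTs to with the merge request carried as a query parameter, and one decides, after `{provider}#callback` succeeds, whether to route to the approval endpoint. It assumes a fixed provider list and that the callback can see the parameters the modal sent (the MR lists recovering them as an open question); it only routes to the approval when the parameters validate and the asserted identity is the signed-in user.

```ruby
require 'uri'

# Added example, not GitLab's code: models the hand-off described in step 3.
# Assumptions: a fixed provider list, and that the provider callback can see the
# query parameters the modal sent.
module MfaApprovalFlow
  PROVIDERS = %w[saml google_oauth2 github].freeze # constructed sample list
  IID_RE = /\A\d+\z/
  # group/project path: segments of word chars, dots and dashes, never starting
  # with a dot, so "../" segments and absolute URLs are rejected
  PROJECT_RE = %r{\A[\w-][\w.-]*(/[\w-][\w.-]*)+\z}

  # URL the approval modal POSTs to for the chosen provider, carrying the
  # merge request being approved as a query parameter.
  def self.provider_auth_path(provider, project_path, merge_request_iid)
    raise ArgumentError, "unknown provider #{provider}" unless PROVIDERS.include?(provider)
    raise ArgumentError, 'bad project path' unless project_path.match?(PROJECT_RE)
    raise ArgumentError, 'bad iid' unless merge_request_iid.is_a?(Integer) && merge_request_iid.positive?

    query = URI.encode_www_form(approve_merge_request: merge_request_iid, project: project_path)
    "/users/auth/#{provider}?#{query}"
  end

  # Called after {provider}#callback succeeds. Returns the approval endpoint to
  # route to, or nil (caller falls back to the normal post-login redirect) when:
  #  - the query parameter is absent (ordinary sign-in, not an approval),
  #  - the parameters fail validation (stops the stored return path from being
  #    turned into an open redirect), or
  #  - the identity the provider just asserted is not the signed-in user, so a
  #    re-authentication by someone else cannot count as this user's approval.
  def self.approval_path_from_callback(params, current_user_id:, authenticated_user_id:)
    iid = params['approve_merge_request'].to_s
    project = params['project'].to_s
    return nil if iid.empty?
    return nil unless iid.match?(IID_RE) && project.match?(PROJECT_RE)
    return nil unless current_user_id == authenticated_user_id

    "/#{project}/merge_requests/#{iid}/approvals"
  end
end
```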

UX

[screen recording: 2022-02-03_11.22.08]

Numbered steps to set up and validate the change are strongly suggested.

  1. Enable the Ultimate edition of GitLab
  2. Run the mock IdP for SAML OmniAuth authentication (https://gitlab.com/gitlab-org/gitlab-development-kit/blob/8a491f7bcdc568f61ba8244bd96bc597dbe7df15/doc/howto/saml.md)
  3. Configure Merge Request approval password required (require_password_to_approve)
  4. Visit any project merge request and click Approve
  5. Modal should pop up with user options for authentication

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related issues

#223765 (comment 685647462)

Unanswered questions

  1. Can we use the user's existing login flow to force authentication directly?
  2. How do we pick up the query parameter from the /users/auth/{provider} endpoint on the POST /users/auth/{provider}/callback so it can be used after successful authentication?
  3. Can we force the authentication in another window so the MR flow stays intact?
Edited by Erin Blake
