Check SSO status on SSH/API activity and direct user to SSO
Problem to solve
While we're enforcing SSO, we should similarly enforce SSO outside of the GitLab UI. For the purposes of security, this gives enterprises a greater degree of control over protected resources.
We should perform the same check for SSH and API activity that we do in the UI:
- When a user interacts with a project with a parent group that's enforcing SSO:
- If the represented user (e.g. doing a git push, accessing the API with a PAT) does not meet the SSO login threshold, present them with an error.
Note from @jamedjo: "Add check to UserAccess and user_access_denied_reason.rb to be displayed from GitAccess#check_active_user!. UserAccess changes can either be in the policy (:push_code and :read_project) or could be in UserAccess directly."