Do not check SSO session for git operations originating from CI

This MR makes change such that SSO session check is not made for git operations originating from CI pipelines Changelog: fixed EE: true

Do not check SSO session for git operations originating from CI
f933afa9 · Manoj M J · b3f5e1e5 · f933afa9 · f933afa9 · f933afa9
Commit f933afa9 authored 3 years ago by Manoj M J
--- a/doc/user/group/saml_sso/index.md
+++ b/doc/user/group/saml_sso/index.md
@@ -127,6 +127,7 @@ SSO has the following effects when enabled:
  even if the project is forked.
 - For Git activity over SSH and HTTPS, users must have at least one active session signed-in through SSO before they can push to or
  pull from a GitLab repository.
+- SSO check is not enforced for Git activity originating from CI builds.
 - Credentials that are not tied to regular users (for example, access tokens and deploy keys) do not have the SSO check enforced.
 - Users must be signed-in through SSO before they can pull images using the [Dependency Proxy](../../packages/dependency_proxy/index.md).
 <!-- Add bullet for API activity when https://gitlab.com/gitlab-org/gitlab/-/issues/9152 is complete -->

--- a/ee/lib/ee/gitlab/git_access.rb
+++ b/ee/lib/ee/gitlab/git_access.rb
@@ -119,6 +119,7 @@ def check_otp_session!
  
      def check_sso_session!
        return true unless user && container
+        return if request_from_ci_build?
  
        return unless ::Gitlab::Auth::GroupSaml::SessionEnforcer.new(user, containing_group).access_restricted?
  

--- a/ee/spec/lib/gitlab/git_access_spec.rb
+++ b/ee/spec/lib/gitlab/git_access_spec.rb
@@ -14,6 +14,7 @@
  let(:repository) { project.repository }
  let(:repository_path) { "#{project.full_path}.git" }
  let(:protocol) { 'web' }
+  let(:auth_result_type) { nil }
  let(:authentication_abilities) { %i[read_project download_code push_code] }
  let(:redirected_path) { nil }
  
@@ -963,29 +964,54 @@ def stub_redis
      context 'user without a sso session' do
        let(:access_restricted?) { true }
  
-        before do
-          expect(Gitlab::Auth::GroupSaml::SessionEnforcer).to receive(:new).with(user, group).twice.and_return(double(access_restricted?: access_restricted?))
-        end
+        context 'when the request is made directly by the user' do
+          before do
+            expect(Gitlab::Auth::GroupSaml::SessionEnforcer).to receive(:new).with(user, group).twice.and_return(double(access_restricted?: access_restricted?))
+          end
  
-        it 'does not allow pull or push changes with proper url in the message' do
-          aggregate_failures do
-            address = "http://localhost/groups/#{group.name}/-/saml/sso?token=#{group.saml_discovery_token}"
+          it 'does not allow pull or push changes with proper url in the message' do
+            aggregate_failures do
+              address = "http://localhost/groups/#{group.name}/-/saml/sso?token=#{group.saml_discovery_token}"
+
+              expect { pull_changes }.to raise_error(Gitlab::GitAccess::ForbiddenError, /#{Regexp.quote(address)}/)
+              expect { push_changes }.to raise_error(Gitlab::GitAccess::ForbiddenError, /#{Regexp.quote(address)}/)
+            end
+          end
+
+          context 'with a subgroup' do
+            let_it_be(:root_group) { create(:group) }
+            let_it_be(:group) { create(:group, parent: root_group) }
  
-            expect { pull_changes }.to raise_error(Gitlab::GitAccess::ForbiddenError, /#{Regexp.quote(address)}/)
-            expect { push_changes }.to raise_error(Gitlab::GitAccess::ForbiddenError, /#{Regexp.quote(address)}/)
+            it 'does not allow pull or push changes with proper url in the message' do
+              aggregate_failures do
+                address = "http://localhost/groups/#{root_group.name}/-/saml/sso?token=#{root_group.saml_discovery_token}"
+
+                expect { pull_changes }.to raise_error(Gitlab::GitAccess::ForbiddenError, /#{Regexp.quote(address)}/)
+                expect { push_changes }.to raise_error(Gitlab::GitAccess::ForbiddenError, /#{Regexp.quote(address)}/)
+              end
+            end
          end
        end
  
-        context 'with a subgroup' do
-          let_it_be(:root_group) { create(:group) }
-          let_it_be(:group) { create(:group, parent: root_group) }
+        context 'when the request is made from CI builds' do
+          let(:protocol) { 'http' }
+          let(:auth_result_type) { :build }
  
-          it 'does not allow pull or push changes with proper url in the message' do
+          it 'allows pull and push changes' do
            aggregate_failures do
-              address = "http://localhost/groups/#{root_group.name}/-/saml/sso?token=#{root_group.saml_discovery_token}"
+              expect { pull_changes }.not_to raise_error
+              expect { push_changes }.not_to raise_error
+            end
+          end
  
-              expect { pull_changes }.to raise_error(Gitlab::GitAccess::ForbiddenError, /#{Regexp.quote(address)}/)
-              expect { push_changes }.to raise_error(Gitlab::GitAccess::ForbiddenError, /#{Regexp.quote(address)}/)
+          context 'when legacy CI credentials are used' do
+            let(:auth_result_type) { :ci }
+
+            it 'allows pull and push changes' do
+              aggregate_failures do
+                expect { pull_changes }.not_to raise_error
+                expect { push_changes }.not_to raise_error
+              end
            end
          end
        end
@@ -1052,7 +1078,8 @@ def access
      protocol,
      authentication_abilities: authentication_abilities,
      repository_path: repository_path,
-      redirected_path: redirected_path
+      redirected_path: redirected_path,
+      auth_result_type: auth_result_type
    )
  end