Merge branch '339888-group-saml-scheduled-pipelines-cannot-find-valid-sso-session' into 'master'

Do not check SSO session for Git operations originating from CI/CD jobs See merge request gitlab-org/gitlab!76909

Merge branch '339888-group-saml-scheduled-pipelines-cannot-find-valid-sso-session' into 'master'
Do not check SSO session for Git operations originating from CI/CD jobs See merge request gitlab-org/gitlab!76909
84804e8c · Stan Hu · 454afb79 · fc84cab8 · 84804e8c · 84804e8c
Commit 84804e8c authored Dec 22, 2021 by Stan Hu
3 changed files
--- a/doc/user/group/saml_sso/index.md
+++ b/doc/user/group/saml_sso/index.md
@@ -110,6 +110,7 @@ The certificate [fingerprint algorithm](../../../integration/saml.md#notes-on-co
 > - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/292811) in GitLab 13.8, with an updated timeout experience.
 > - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/211962) in GitLab 13.8 with allowing group owners to not go through SSO.
 > - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/9152) in GitLab 13.11 with enforcing open SSO session to use Git if this setting is switched on.
+> - [Improved](https://gitlab.com/gitlab-org/gitlab/-/issues/339888) in GitLab 14.7 to not enforce SSO checks for Git activity originating from CI/CD jobs.
 With this option enabled, users (except users with the Owner role) must access GitLab using your group GitLab single sign-on URL to access group resources. Users added manually as members can't access group resources.
@@ -127,6 +128,7 @@ SSO has the following effects when enabled:
  even if the project is forked.
 - For Git activity over SSH and HTTPS, users must have at least one active session signed-in through SSO before they can push to or
  pull from a GitLab repository.
+- Git activity originating from CI/CD jobs do not have the SSO check enforced.
 - Credentials that are not tied to regular users (for example, access tokens and deploy keys) do not have the SSO check enforced.
 - Users must be signed-in through SSO before they can pull images using the [Dependency Proxy](../../packages/dependency_proxy/index.md).
 <!-- Add bullet for API activity when https://gitlab.com/gitlab-org/gitlab/-/issues/9152 is complete -->

--- a/ee/lib/ee/gitlab/git_access.rb
+++ b/ee/lib/ee/gitlab/git_access.rb
@@ -119,6 +119,7 @@ module EE
      def check_sso_session!
        return true unless user && container
+        return if request_from_ci_build?
        return unless ::Gitlab::Auth::GroupSaml::SessionEnforcer.new(user, containing_group).access_restricted?

--- a/ee/spec/lib/gitlab/git_access_spec.rb
+++ b/ee/spec/lib/gitlab/git_access_spec.rb
@@ -14,6 +14,7 @@ RSpec.describe Gitlab::GitAccess do
  let(:repository) { project.repository }
  let(:repository_path) { "#{project.full_path}.git" }
  let(:protocol) { 'web' }
+  let(:auth_result_type) { nil }
  let(:authentication_abilities) { %i[read_project download_code push_code] }
  let(:redirected_path) { nil }
@@ -963,6 +964,7 @@ RSpec.describe Gitlab::GitAccess do
      context 'user without a sso session' do
        let(:access_restricted?) { true }
+        context 'when the request is made directly by the user' do
          before do
            expect(Gitlab::Auth::GroupSaml::SessionEnforcer).to receive(:new).with(user, group).twice.and_return(double(access_restricted?: access_restricted?))
          end
@@ -990,6 +992,30 @@ RSpec.describe Gitlab::GitAccess do
            end
          end
        end
+        context 'when the request is made from CI builds' do
+          let(:protocol) { 'http' }
+          let(:auth_result_type) { :build }
+          it 'allows pull and push changes' do
+            aggregate_failures do
+              expect { pull_changes }.not_to raise_error
+              expect { push_changes }.not_to raise_error
+            end
+          end
+          context 'when legacy CI credentials are used' do
+            let(:auth_result_type) { :ci }
+            it 'allows pull and push changes' do
+              aggregate_failures do
+                expect { pull_changes }.not_to raise_error
+                expect { push_changes }.not_to raise_error
+              end
+            end
+          end
+        end
+      end
    end
  end
@@ -1052,7 +1078,8 @@ RSpec.describe Gitlab::GitAccess do
      protocol,
      authentication_abilities: authentication_abilities,
      repository_path: repository_path,
-      redirected_path: redirected_path
+      redirected_path: redirected_path,
+      auth_result_type: auth_result_type
    )
  end