GitLab Backend Pairing, 26 Jul 2023

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: BE Pairing - 20230726 - EMEA/APAC - Enforcing SSO for MR Approvals

Description

Sam Figeroua discusses backend implementation of this epic: https://gitlab.com/groups/gitlab-org/-/epics/11084

High-level description: Before someone approves an MR, there should be re-authentication with SAML.

Similar feature: Password required for MR approvals: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/10364

A

To my computer, starting now, I.

B

Am sorry I.

A

Can repeat that? No no, it's okay, I just was getting excited, um so recording is going to get started. Okay, so we have uh hi Joseph Jesse.

A

uh We were gonna, did you come with any particular to pair on or you want to pair on other seminal something from somebody else, because we can. We have something we're starting on, but we can make sure we leave time if you have something else.

B

No nothing for myself just just yet to observe.

A

Cool okay, okay, Samuel: it is.

B

All right yeah, so the I'll just read it real quickly. The the objective is to get saml approval on Mrs or rather said before someone approves an MR. There should be a re-authentication with saml.

A

B

And I'm, currently just trying to wrap my head around how everything.

C

B

Works and yeah trying to come up with an implementation plan and seeing all the missing pieces I have of how how this actually works. Yeah.

A

Great, um do you have an issue you could send us, or did you put it in the channel somewhere.

B

uh I'm gonna grab it hold on actually right. Now, it's an epic.

B

There is an issue attached to it. Let me put it in chat.

B

A

Back to putting this in the notes, so I can include that in the.

B

Yeah, it's been there for quite a bit um was left dormant for a while. Most of the comments are about a year old.

A

uh Do you want to maybe screen share as we talk through it or yeah.

C

My first question is: how come it says right at the top. It was created six hours ago, but the comments.

B

Came back nine months, it was uh that's the magic of promoting an issue to an epic.

B

um Yeah, oh yeah, it is, there is an activity item. I was going to say: do we at least have an activity item for that we do yeah? Okay, uh let's see she. Where is it.

B

Right there's the issue yeah. It was uh promoted from issue to Epic and that's why uh it was confusing that way, um yeah so I'm. Splitting this plan was to split this up into the back end in the front end parts um and start with the back end: first yeah, so where I'm, initially kind of stuck on is figuring out. If I want to send a re-auth request, I'll have to as far as I've understood it is provided a a Good callback or there's a callback URL. That saml will redirect to once.

B

They're authenticated right, uh Jesse feel free to say, nay, when I say something wrong, um so, uh where I'm having trouble finding out in the code is where could I grab on to parameters that I've added, like, for example, I, would uh want to add a reference to the Mr that we're approving and sort of tag. The action as this is a foreign approval, um I tried getting into some of the callbacks. We have um I think we have an omni auth callbacks controller, but I didn't get very far with that.

A

Okay, so is the interaction here going to be that there is a user who is logged in, but they don't have a valid SSO saml SSO session. Is that the state that they're in.

B

um They could be in either either they're, not logged in or they are already logged in, but like the last login I think the time frame is still up for debate, but if they haven't logged like authenticated in the last five minutes, they would be asked to re-authenticate.

A

B

A

I think a lot of people are secure like it's not that they were saying: you're, not logged in you, gotta log in we're saying, like you.

B

A

Make sure that.

B

You're yeah, it's um I, think the the background for this came from an FDA regulation that, um for compliance reasons, they need to ensure that the person who's approving is actually that same person. So they want to sort of get around uh someone left their laptop on or try to reduce that uh yeah.

A

Got it okay, so this will be I assume like an additional setting just understand from the general context. There will be some like additional settings that an org might.

B

Yeah enable exactly.

B

Yeah, this would be like similar, like we already have uh required password to approve uh done in a similar way, and this would sort of add on to that and have a sample to approve.

A

um Yeah, okay, that makes sense um and okay. So this is going to be data behind the setting and uh we do we have access to the mr'd. We have it handy. The one with the email verification was added, I'm curious, how that was done.

B

um Email, or do you mean password password.

A

B

Other one: okay, the.

A

Other thing the.

B

A

B

A

B

A

That's just too darks.

B

I'm not sure added.

A

Is this is introduced in 12.0 there's a little link, oh for an issue if you go under the um uh they require user password to approve subheader in here. Do you see that, on this page here, I can send you in the chat.

A

If I use your password and then there's the version, history.

A

B

Searching for my zoom chat hold on I.

A

Know it's always takes me a long time.

A

Yeah and then that leads you to.

A

And then yeah, if you go to the 12 dot introduced and then the Mr related, merge requests, add a force authentication for or is that the one source of indication for approval.

B

This might be the one yeah.

A

B

Years ago uh that's been a while yeah yeah.

A

Okay, so there's adding setting.

A

um And you can, let me know also if you would rather investigate this in a different way I just for me. This is how I feel like I always start if I'm like what other features do we have that are similar to this.

B

A

Me see how they did it and.

B

A

um And then go from there, but that's not always the right approach.

A

uh uh In the API API.

B

I wonder if this is still like that.

A

So there doesn't exist anymore.

A

Google setting I think you're dead based here. It's an unusual Thera font.

C

A

Of your phone case, it's kind of interesting.

A

A

Where's the password One require password to approve.

A

What are you looking for in here.

B

uh I just want to see.

A

Okay eligible for approval by.

B

Yeah, if there was.

B

Something changed there, but that's probably role-based. Now that I look at it and not the session based.

A

Eligible for approval, by do you want to go into that method and see or yeah.

B

We can we can check that out. um That's on merge request.

B

A

Boom enter yeah, that's the test. I know it's in the approvable module or concern.

A

B

A

Yeah, that's real, based, okay, it's real base, although I will say one thing I run into with respect to saml enforcement. That's tricky is you know, user.can is making a policy check right in.

B

A

Of our policy classes in either app policies or ee policies, yeah.

B

A

Of those policy classes do check for an active saml.

B

A

Which isn't exactly what you want, because you're not looking for an active saml uh session? You want to just prompt saml authentication, um but it is possible that that does a check they check for more than just roll is basically I'm trying to say those policy.

B

A

They check for sometimes app, you know settings and things like that. So there's just sometimes too much in there.

C

uh I, don't know if it's going to be relevant but I think maybe the method is also overridden in EE. There's ee have models concerns ee approval, which overrides the same method.

C

All right might not even matter for this conversation, but.

A

It's always good keeping.

B

A

Yeah approval feature available interesting.

A

What is approval? This is like the Rabbit Hole. What is approval feature available.

A

Merge request of careers. Oh okay, all.

B

Right, let's see.

A

B

B

B

I've noticed in the um an omni auth callback controller that there is, uh there seems to be methods to fetch some params from the auth.

B

Or and it returns, it looks like we use that for some track and things and to Mark if something's a trial like an ultimate trial.

B

B

Where I've had trouble, trying to figure out was how to sort of inject a different flow, um because the usual flow is it logs you in and redirects back where you wanted to go right or where.

A

B

uh Wherever I think, we have store location for um where we store it.

C

B

Think we use that.

B

Something rings a bell: there um yeah we have or not, I.

A

Was looking for SSO enforcement? Redirect RB is what I was thinking of.

B

Say that again, there's.

A

A file in SSO enforcement redirect RB. It's actually just looking at this for an unrelated issue report on this call, so it's top of mind um but yeah. That's the file so.

C

A

um If you look at the URL params at the bottom of this, like the last method in here.

B

A

We take the full path and we say that as the redirect. So when we, when somebody's redirected for SSO reasons, we.

B

A

As the parameter of the full path of where they were trying to go, and then we just like redirect them back there after they SSO successfully.

B

B

um One other thing: I've tried to wrap my head around, but couldn't come to a conclusion.

B

Yet is how do I make sure that this this approval is part of a response from saml and not just someone calling the same URL like if they would know what to pick um not on saying that out loud Maybe, yeah I could add some sort of token, but um yeah I want I want to be able to make sure that someone calling the approve actually happened, like in the response from a saml and not just them, calling the method.

A

um Will there will be some I believe there's an attribute on the user like we know when the user lasts asked with saml? Don't we um I don't have to help my head and know what that attribute would be um if it's like last login at or whatever, but assuming it's on the user themselves, yeah.

B

A

Could look at current user and say: oh this, this user lasts off within this amount of time via Samuel, and so we know that they are eligible.

A

Do you feel like I, don't know I usually like to do features like this? Do you feel, like writing, like a high level test, could help us get started with it, or would you rather kind of dig more into the actual implementation, because.

C

Sometimes I feel.

A

Like it's hard to like figure out the like how's, it all gonna work in terms of they're.

B

A

Really understanding the full flow, that's gonna happen, um I mean we'll, have different methods of doing these things.

B

Approach button.

B

Yeah, usually I try to get the pieces in my head to understand where the change needs to be made and then try to start from there in small parts.

A

Okay, so kind of like more of an starting with the more internal.

B

A

B

Usually try to yeah it's hard, keep everything in my head at once. That's becomes overwhelming quickly or like.

B

All right, um let's see.

B

A

Yeah I'm still trying to figure out and I can look through the Mr more closely with for the password auth piece.

A

um We require password what part where in the code is that happening or where are we checking that the password is valid in that approval flow.

B

Now I can take a look at that.

C

B

There's an approval password, okay,.

A

So it's the merge request. Approval service is ultimately where we're gonna be processing. This logic right.

B

A

So maybe we start in there and we figure out what attribute of the user, because I don't think it's going to param we're going to get passed in right.

B

A

Be approval for the saml off like I think the way this seems to work is that the user has like typed in their password and then we pass that to approval service and we're like okay. Is this the right password, if so, allow them to approve? But we in a saml context, are knocking another password that we're just going to know whether they have successfully Sam lost or not.

A

And I don't think that's going to come in the form of a parameter, I suppose it could.

A

But I believe when a user, this is where I should know the answer.

C

To this I believe when.

A

Users successfully samoas, we save that state in such a way that we shouldn't have to like pass parameters around to know. Oh this samlath worked. We should be able to like look at the user object or look at the session information and um pull it from there.

B

B

Let's take some notes, Here and we have the.

C

So I feel like that, if, if we can get hold of that time, the the time of the last authentication, that's a good approach to take the only question being from a feature point of view like. Is it acceptable if the user like SSO login and then they immediately go to the Mr Page and press merge?

C

Is that acceptable that they can get away with that from a feature perspective? Okay,.

B

C

Need to ask them again.

B

And the future is if they it's like the first. Let me let me check well this feature in this iteration. It doesn't matter as much but like the ultimate uh implementation would be that they would have to like the first time in their session. They try to approve something they need to log in and if they don't, uh let's say they don't log in and again for the next 10 minutes uh or their session is older than 10 minutes, then they would have to do it again.

B

uh But like after the first one after the first approved like in the next 10 minutes, they could improve any without re-authenticating again, so they sort of have like a grace period like we know you just had a saml off. So it's it's fine for the next 10 minutes and if you take longer than that you step away, then we'll need to re-auth.

C

And then it's acceptable if they've, if they've just logged in, is it within 10 minutes and they haven't.

C

B

Would assume that yeah yeah.

C

I mean, if that's the case, that's a lot simpler.

B

A

Okay, I just put in this file path. Sorry to make you the chat again, if you want to look just in SSO enforcer, RB, um I'll,.

B

A

That is I think that's the class that we're gonna wanna look into um to know when the user lost Sam will off um we're already here. I, don't think so.

A

um If you'll see there's like active session question mark um in there, um and so it's looking at session information, but it does, you know so default session. Timeout is it is one day ago yeah, so you're gonna want to do something different, but I feel like this might be what you're looking for in terms of where to pull information about when the user lasts, say, I'm all off.

B

Yeah, it's looks like we can pass a time frame here. Any arbitrary one.

B

A

Seems like a bad name and like I I think what this method is asking is: has this user logged in in this period of time, but.

B

A

Know, given it's foreign naming situation.

B

B

Yeah weird name but yeah.

B

B

C

B

I guess we have a latest signing, we can go from there.

A

It's odd that it says true. If sessionless no active session data initiated.

A

Figure that out later.

B

um I think it's because of the weird wording and.

B

Maybe if this was uh let's see.

B

This was this way worded this way it might be different. I, don't know.

A

Expire, oh so this means inactive.

B

Yeah like if it's has it been active since one day, and if the sign is more than one day away, then yeah, it's too old, basically yeah, because you're passing in a cutoff date.

B

A

Yeah, but when time is greater, I love uh comparison. So it comes to time because it's so confusing when, when your latest sign in is greater than the cutoff. That means it's more recent right.

B

A

It was one hour ago, one hour ago, is greater than 24 hours ago, when you're using comparison, operators yeah.

B

A

B

Thing that trips me up is if it has a latest sign and already no, if not sorry, never mind I tripped up on unless.

A

C

So do we know, what's in that active session data like right in the last messages like sign in right, active session data for this same? What what is that? Is that a timestamp or is it an object.

C

Because that's what's being used for the comparison right, the return on the last method there yeah, like probably three. What is that thing.

A

B

A

Look at it namespace session, store.

C

Elf was a constant, wasn't it where it was being called.

C

It's like default default session expiry or something.

A

um Yeah you mean default session, timeout.

C

A

Sso enforcer, RB.

A

Yeah so I feel like if you want to, if you want to start on the inside out and just do the logic, the very like lowest level logic. First, wouldn't that be starting with this service. The merge requests, approval service and, in there saying, if this setting is set, make sure that active sense cut off of arbitrary timestamp 15 minutes ago. Whatever is true and then allow it, and that's kind of this, like the most low level piece.

B

I think that sounds.

B

C

It's my spot. There.

B

B

I think we yeah- this is supposed to be in the future, so.

A

Oh, it is yeah, that's.

C

A

Something that I forget to inquire about when I first start working on a feature who gets this feature and then yep I'm like oh, so this is. This is EE. It's a an ultimate feature. Is it a premium feature? It's all the above yeah.

B

This as far as I know, it's supposed to be ultimate.

B

um I am hunting.

B

B

Now, I don't see it listed here right now, but I'm from memory. I think this was supposed to be okay there. It is uh premium at least yeah.

A

So premium and all.

B

Oh, no, sorry that was read too quickly.

A

What do you mean yeah, it does say like it's.

B

um uh This just says: I haven't pretty.

A

Much, oh, it's extremium and she said oops.

B

A

This is a good question to ask in terms of.

B

A

B

Camel off do we have I'm, not sure if that isn't the premium feature itself.

A

I think it's premium. The question is, is it ultimate.

B

Oh yeah ultimate.

A

I know like in my I, don't know if you experienced this I feel like a lot of the features. I've worked on, there's kind of a push to make the ultimate features um like they're, trying to like add more differentiation between premium and ultimate, because ultimate is quite a lot more expensive.

B

A

B

A

Like well, that can make a difference. The appeal of the plan yeah.

B

Almost anything I work on in compliance is usually an ultimate features, so I I, don't even question it.

A

Okay, that's good to know, that's good to know. Yeah.

B

Because, like basically, everything is always an ultimate feature, so yeah, yes, yeah I, might need to double check. That, though, because this is uh this came from a different direction, so.

A

Yes, another question I was going to ask is so this was promoted to an epic? Is that? Because you anticipate that it will be multiple Mrs to write this feature or just that you're splitting it between back end and front end and.

B

A

Would you split it up.

B

Yeah uh I was anticipating that it probably will be multiple Mrs.

B

B

Yeah, like you said, front-end and back end, will be a different split. Basically, um so I wanted to have that split up in itself already and um the the back end part.

B

uh It's like sort of the I was probably because I was looking at the the bigger picture, together with the the FDA compliance request, where the people also had to uh like sign their name or something uh that was like the initial uh request they had to like type in their name and then authenticate, and they had to have their name in there with it. Whoa.

A

B

Yeah, that's like a really obscure I read through the the requirements documents like okay, anyone can type any name in there. Okay, maybe saml is the better approach there. So I can't just say: I'm John, Doe yeah, yeah um yeah.

B

That was sort of why I was already anticipating. Maybe it's a little bit more complicated there yeah.

A

B

A

Yeah, certainly whenever adding well I always have with myself on Mrs like this, like you know, you're gonna do a database migration because you have data setting, and so the question I always ask myself is: do I just bundle that, in with the whole feature or do I just create the settings in its own Mr, because I know I'm gonna.

B

A

It and just and hopefully that's like an easy peasy merge because you're just like hey I'm, adding a setting and everyone's like cool, that's very simple. But then you have.

B

A

That whole flow right, then you're managing multiple Mrs at a time potentially there's dependencies and that gets complicated. So.

B

Yeah you're doing yeah, that's the trade-off right. One one Mr might be easier to review, but then yeah uh yeah.

A

You're managing.

B

That whole shebang um yeah, so that's the that's true, that's the other part is that there's going to be a setting for this as well, um people are gonna have to be able to enable it or not in the group settings.

B

A

Another and for self-managed, is there an interest in it being an instance-wide setting or because there is instance-wide saml.

B

um True, that's a good point. I'm going to add that to the questions.

A

Is this a group setting? Is this a instant settings above.

B

Yeah I'll have to figure that out as well good point.

A

I'm curious about your note-taking situation. What is your like organizational structure, or how do you do these.

B

Notes well, I, just usually I just throw something into a a temp file and then, if it's more important, I'll move it to um to roam file.

A

Oh interesting you're around aroma.

B

A

B

Roller and usually I'll try to I'll try to use it to um like have a a list of things. I need um every day when I have too many tabs open I'll try to figure out like I'll. Have, uh let's see all right uh like this, I'll have just a link to like a day daily list and then, like things, I've used that day. uh Those will go like on this link list.

A

I, like I I, keep a Google doc with all of my special links.

B

A

It's similar, but I've never considered doing it by that you like what is the organization thought there.

B

um The the thought is well: if I do it by date, I see how recent something is um and I can sort of group it by what was I working on in that point and then I'll I'll be able to like figure out like okay.

B

This is something uh I was working on a while back and then I can sort of hone in on where I might have been doing that, um and it's just uh I, don't think too much about it way to lock them, because if I try to categorize them, I'll spend all day just categorizing everything uh yeah, so I try to do it just by that date and then, if I need anything extra on it um like in in Rome, I can just add these hashes and it'll tag them and then it'll collate everything I have on there together.

B

So every time you link something in Rome, it'll, try to Auto find auto like links and grab other things that have been linked. The same way um in these references, so that's kind of cool I like.

A

Using it for that.

B

Over a simple Google doc, yeah.

A

Cool yeah I know people, love Rome, but I I haven't used it before. So it's cool to see how you're, using it yeah.

B

If you don't want to, if you just want to try out the sort of same logic, obsidian is like a local ish version. I call the local version of Rome. It just has very similar features, but you can run it locally. It's just a Mac app.

A

Oh cool yeah I always find with my special notes, doc that I will look for I. Just don't it's not very findable like I'll. It's such a wall of text but I'm. Looking for something.

C

A

Just like blue underlines everywhere I'm just like.

B

Yeah I, don't like Google docs for I've used, tried using it for notes and everything but I, just even the king of search Google, and you think it's only doesn't work very well in other apps. They try to find something on Google, Docs or on drive. It seems to fall apart more than yeah. Then it should yeah.

B

It's weird that it's not the same level of search, that is for the web.

C

B

On Drive yeah, yeah, probably different priorities.

A

B

All right, okay,.

A

uh We have some questions, we have fewer answers, um that's.

B

Usually, how it goes in the initial phase: yeah yeah.

A

Exactly uh and I guess, because I think the other question that you needed final approval on our thought on is like the. What is the time right like what is the window of time when somebody can have.

B

A

And yeah because oh actually.

A

I was gonna, ask like so does that then mean that is this only available for groups with saml enforcement, because if it's, if it was on a group without thermal enforcement, then there could be non-saml users, which means that none of those users could approve Mrs anymore.

B

You know it makes sense to only have it there right.

A

Oh, that's just some additional I guess logic to think about in terms of when you introduce the setting like, maybe you they can't enable this setting unless they have saml enforced as well. So that would be.

B

A

Active record validation.

B

A

A

It's 80s here too. This really knows a lot about Samwell.

C

B

All the experts that.

A

Doesn't even can know.

A

You're, like Drew, is our official person who knows everything about Samuel and not even Drew knows everything, so you just have to use the powers of our brains combined.

B

Yeah I, don't I, don't doubt that not everyone could follow Samuel in their heads. Just too much um I started looking at last week, I was felt very overwhelmed with all the sub classes and even more sub classes. Yeah yeah.

A

Well then, I sign your Rome notes that you had on your to-do for yesterday to um set up Sam Olaf with GDK. Were you able to do that? Okay,.

B

um I haven't started that yet no I.

A

B

A

Because we also could help you do that um if you wanted I've done that a few times, it's pretty I think the docs are pretty good, but also I've done it a few times. So maybe I'm.

B

A

B

uh That's right, yeah.

A

Groups, hammer yep see you around.

B

Here, I, don't even think I have those prerequisite yet.

A

Oh yes, this is a fun one.

B

B

Yeah I need a local search as well.

A

And what I learned doing this is that GDK yaml there are a lot of places. Do you run your GDK on localhost 3000 right now,.

B

A

Yeah there are a lot of places in gdk.yaml that just like assume that, and so then, when you change over to gdk.test, uh it will oh.

C

A

Interesting, it's now recommending gdk.localhost, which that's a change since I last set this up.

B

A

It on gdk.test um it was a lot easier to manually, update because.

C

He's knotting all right: we.

A

Need to yeah no.

C

No that's what uh daughter status I. It looks like a recent change.

A

Although there's.

B

A stuffed monkey banging on my window.

A

B

My daughter's going off the kindergarten she always hands me her stuffed monkey to watch out for while she's gone.

A

That's so sweet yeah.

B

All right, okay, I'm gonna, take this opportunity to jump off and.

A

B

Try to get this running and, if I run into something I'll, take you up on your opportunity and walk through that.

A

Okay yeah just one note: I noticed that you're not on master or main or whatever. The primary branch is for GDK I, wonder if that's why it's showing different information than what's latest.

B

um Oh yeah, that is.

A

2019., which is very old, yeah I, was also thinking. It's like 2019 is the last thing. It might be main I think it might be Maine.

B

A

B

Let me just sack it comes apart, all right, yeah. Let me update that link checkpoint.

C

A

Good luck with that! Let us know if you have issues um you found the right people to talk to about CML so appreciate.

B

All right, thanks for so far.

C

I'll see you.

B

Guys soon, bye.

C