From 6482cb90724351dc2ea0943fb1611af99b7ac206 Mon Sep 17 00:00:00 2001 From: Gerardo Navarro Date: Mon, 1 Sep 2025 17:15:25 +0200 Subject: [PATCH 1/4] Step-up auth: Add REST API support for Groups endpoint Extends Groups REST API to expose and manage the step_up_auth_required_oauth_provider namespace setting, enabling programmatic configuration via GET/PUT operations. Adds conditional attribute exposure in GroupDetail entity with proper feature flag and permission checks. Follows existing namespace settings pattern like prevent_sharing_groups_outside_hierarchy. The API provides feature parity with the UI implementation and supports infrastructure-as-code security management. Only root groups with admin permissions can access this setting when the omniauth_step_up_auth_for_namespace feature flag is enabled. This builds on the step-up authentication namespace setting foundation from https://gitlab.com/gitlab-org/gitlab/-/merge_requests/199423 . Changelog: added --- doc/api/groups.md | 1 + doc/api/openapi/openapi_v2.yaml | 8 + lib/api/entities/group_detail.rb | 12 ++ lib/api/helpers/groups_helpers.rb | 4 + spec/lib/api/entities/group_detail_spec.rb | 52 +++++++ spec/requests/api/groups_spec.rb | 162 +++++++++++++++++++++ 6 files changed, 239 insertions(+) diff --git a/doc/api/groups.md b/doc/api/groups.md index bac4353cbe78fd..7ea10c01a4bd4e 100644 --- a/doc/api/groups.md +++ b/doc/api/groups.md 
@@ -1809,6 +1809,7 @@ PUT /groups/:id | `require_two_factor_authentication` | boolean | no | Require all users in this group to set up two-factor authentication. | | `shared_runners_setting` | string | no | See [Options for `shared_runners_setting`](#options-for-shared_runners_setting). Enable or disable instance runners for a group's subgroups and projects. | | `share_with_group_lock` | boolean | no | Prevent sharing a project with another group within this group. | +| `step_up_auth_required_oauth_provider` | string | no | OAuth provider required for step-up authentication. Pass empty string to disable. Only available on top-level groups. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/556943) in GitLab 18.4. Available when `omniauth_step_up_auth_for_namespace` feature flag is enabled. | | `subgroup_creation_level` | string | no | Allowed to [create subgroups](../user/group/subgroups/_index.md#create-a-subgroup). Can be `owner` (users with the Owner role), or `maintainer` (users with the Maintainer role). | | `two_factor_grace_period` | integer | no | Time before Two-factor authentication is enforced (in hours). | | `visibility` | string | no | The visibility level of the group. Can be `private`, `internal`, or `public`. | diff --git a/doc/api/openapi/openapi_v2.yaml b/doc/api/openapi/openapi_v2.yaml index d2d49d755d102c..b8bcfb5bcc2c1c 100644 --- a/doc/api/openapi/openapi_v2.yaml +++ b/doc/api/openapi/openapi_v2.yaml @@ -47750,6 +47750,10 @@ definitions: type: boolean description: Prevent sharing groups within this namespace with any groups outside the namespace. Only available on top-level groups. + step_up_auth_required_oauth_provider: + type: string + description: OAuth provider required for step-up authentication. Only available + on top-level groups. Pass empty string to disable. lock_math_rendering_limits_enabled: type: boolean description: Indicates if math rendering limits are locked for all descendent 
@@ -47950,6 +47954,10 @@ definitions:
 type: string
 prevent_sharing_groups_outside_hierarchy:
 type: string
+ step_up_auth_required_oauth_provider:
+ type: string
+ description: OAuth provider required for step-up authentication. Only available
+ on top-level groups.
 projects:
 "$ref": "#/definitions/API_Entities_Project"
 shared_projects:
diff --git a/lib/api/entities/group_detail.rb b/lib/api/entities/group_detail.rb
index 9f3ced7d717e04..dfffa7ef3913ae 100644
--- a/lib/api/entities/group_detail.rb
+++ b/lib/api/entities/group_detail.rb
@@ -10,6 +10,18 @@ class GroupDetail < Group
 expose :enabled_git_access_protocol, if: ->(group, options) { group.root? && options[:user_can_admin_group] }
 expose :prevent_sharing_groups_outside_hierarchy, if: ->(group) { group.root? && group.namespace_settings.present? }
+ expose :step_up_auth_required_oauth_provider,
+ documentation: {
+ type: 'string',
+ desc: 'OAuth provider required for step-up authentication. Only available on top-level groups.'
+ },
+ if: ->(group, options) {
+ ::Feature.enabled?(:omniauth_step_up_auth_for_namespace, group) &&
+ group.namespace_settings.present? &&
+ options[:user_can_admin_group]
+ } do |group|
+ group.namespace_settings.step_up_auth_required_oauth_provider
+ end
 expose :projects,
 if: ->(_, options) { options[:with_projects] },
diff --git a/lib/api/helpers/groups_helpers.rb b/lib/api/helpers/groups_helpers.rb
index d4487d7b3aa9c4..2ef92dd9ca996f 100644
--- a/lib/api/helpers/groups_helpers.rb
+++ b/lib/api/helpers/groups_helpers.rb
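Review bot: The `if:` lambda on the new `expose :step_up_auth_required_oauth_provider` never checks `group.root?`, although the sibling `prevent_sharing_groups_outside_hierarchy` exposure two lines above does and the commit message states that only root groups with admin permissions can access this setting. As written, any subgroup whose `namespace_settings` is present would carry the attribute too; if top-level-only is intended, add `group.root? &&` as the first term of the lambda, and note that patch 2 later removes "Only available on top-level groups" from the descriptions instead of adding the check, so the commit message and the code should be reconciled one way or the other. The entity spec in this series only exercises `root_group`, so a subgroup example would pin the intended behaviour down. The read side is correctly gated on `options[:user_can_admin_group]`; a short why-comment would help the next maintainer, e.g. `# Only group admins may read which provider step-up auth is bound to; mirrors enabled_git_access_protocol above.`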
@@ -46,6 +46,10 @@ module GroupsHelpers
 params :optional_update_params do
 optional :prevent_sharing_groups_outside_hierarchy, type: Boolean, desc: 'Prevent sharing groups within this namespace with any groups outside the namespace. Only available on top-level groups.'
+ optional :step_up_auth_required_oauth_provider,
+ type: String,
+ allow_blank: true,
+ desc: 'OAuth provider required for step-up authentication. Only available on top-level groups. Pass empty string to disable.'
 optional :lock_math_rendering_limits_enabled, type: Boolean, desc: 'Indicates if math rendering limits are locked for all descendent groups.'
 optional :math_rendering_limits_enabled, type: Boolean, desc: 'Indicates if math rendering limits are used for this group.'
 optional :max_artifacts_size, type: Integer, desc: "Set the maximum file size for each job's artifacts"
diff --git a/spec/lib/api/entities/group_detail_spec.rb b/spec/lib/api/entities/group_detail_spec.rb
index f3200b28c4dda6..b76eff310d3726 100644
--- a/spec/lib/api/entities/group_detail_spec.rb
+++ b/spec/lib/api/entities/group_detail_spec.rb
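Review bot: `allow_blank: true` on the new `optional :step_up_auth_required_oauth_provider` is the only way a client can clear the setting, yet the request example that exercised the empty-string path ('clears setting when empty string provided') is deleted again in patch 4, leaving the documented disable path untested. The `desc` should also state what values are accepted, since the request spec shows the model rejecting unknown providers with 'is not included in the list': `desc: 'OAuth provider required for step-up authentication. Must be one of the configured step-up providers; pass an empty string to disable.'`. This hunk does not show where the parameter is dropped when the feature flag is off, which the 'ignores the parameter' example depends on; presumably the update service from the foundation MR handles that, but it is worth confirming rather than relying on the parameter being declared and silently unused. The enclosing `params :optional_update_params` block continues outside the hunk.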
@@ -47,5 +47,57 @@ end end end + + describe '#step_up_auth_required_oauth_provider' do + let(:group) { root_group } + let(:options) { { user_can_admin_group: true } } + + it { is_expected.to include(:step_up_auth_required_oauth_provider) } + + context 'when user_can_admin_group is false' do + let(:options) { { user_can_admin_group: false } } + + it { is_expected.not_to include(:step_up_auth_required_oauth_provider) } + end + + context 'when namespace setting is blank' do + before do + allow(group).to receive(:namespace_settings).and_return(nil) + end + + it { is_expected.not_to include(:step_up_auth_required_oauth_provider) } + end + + context 'when step-up auth required oauth provider is set in namespace setting' do + let(:openid_connect_config) do + GitlabSettings::Options.new( + name: 'openid_connect', + step_up_auth: { + namespace: { + id_token: { + required: { claim_1: 'gold' } + } + } + } + ) + end + + before do + stub_omniauth_setting(enabled: true, providers: [openid_connect_config]) + + group.namespace_settings.update!(step_up_auth_required_oauth_provider: 'openid_connect') + end + + it { is_expected.to include step_up_auth_required_oauth_provider: 'openid_connect' } + end + + context 'when feature flag :omniauth_step_up_auth_for_namespace is disabled' do + before do + stub_feature_flags(omniauth_step_up_auth_for_namespace: false) + end + + it { is_expected.not_to include(:step_up_auth_required_oauth_provider) } + end + end end end diff --git a/spec/requests/api/groups_spec.rb b/spec/requests/api/groups_spec.rb index c556b2a86a394c..c3285d516212a2 100644 --- a/spec/requests/api/groups_spec.rb +++ b/spec/requests/api/groups_spec.rb 
@@ -1037,6 +1037,60 @@ def request expect(response_groups).to contain_exactly(group1.id, group_with_deletion_on.id, group_without_deletion.id) end end + + context 'step_up_auth_required_oauth_provider attribute' do + before do + allow(::Gitlab::Auth::Oidc::StepUpAuthentication) + .to receive(:enabled_providers) + .and_return(['openid_connect']) + end + + context 'when user has admin_group permission' do + it 'includes step_up_auth_required_oauth_provider' do + group1.update!(step_up_auth_required_oauth_provider: 'openid_connect') + + get api("/groups/#{group1.id}", user1) + + expect(response).to have_gitlab_http_status(:ok) + expect(json_response).to include('step_up_auth_required_oauth_provider' => 'openid_connect') + end + + it 'returns nil when not configured' do + get api("/groups/#{group1.id}", user1) + + expect(response).to have_gitlab_http_status(:ok) + expect(json_response).to include('step_up_auth_required_oauth_provider' => nil) + end + end + + context 'when user lacks admin_group permission' do + let(:guest) { create(:user, guest_of: group1) } + + it 'excludes step_up_auth_required_oauth_provider' do + group1.update!(step_up_auth_required_oauth_provider: 'openid_connect') + + get api("/groups/#{group1.id}", guest) + + expect(response).to have_gitlab_http_status(:ok) + expect(json_response).not_to include('step_up_auth_required_oauth_provider') + end + end + + context 'when feature flag is disabled' do + before do + stub_feature_flags(omniauth_step_up_auth_for_namespace: false) + end + + it 'excludes step_up_auth_required_oauth_provider' do + group1.update!(step_up_auth_required_oauth_provider: 'openid_connect') + + get api("/groups/#{group1.id}", user1) + + expect(response).to have_gitlab_http_status(:ok) + expect(json_response).not_to include('step_up_auth_required_oauth_provider') + end + end + end end describe 'PUT /groups/:id' do 
@@ -1153,6 +1207,7 @@ def make_upload_request expect(json_response['avatar_url']).to end_with('dk.png') expect(json_response['math_rendering_limits_enabled']).to eq(false) expect(json_response['lock_math_rendering_limits_enabled']).to eq(true) + expect(json_response['step_up_auth_required_oauth_provider']).to be_nil end context 'when updating :emails_disabled' do 
@@ -1303,6 +1358,113 @@ def make_upload_request end end + context 'updating the `step_up_auth_required_oauth_provider` attribute' do + let(:ommiauth_provider_config) do + GitlabSettings::Options.new( + name: "openid_connect", + step_up_auth: { + namespace: { + id_token: { + required: { + acr: 'gold' + } + } + } + } + ) + end + + before do + stub_omniauth_setting(enabled: true, providers: [ommiauth_provider_config]) + # allow(::Gitlab::Auth::Oidc::StepUpAuthentication) + # .to receive(:enabled_providers) + # .and_return(['openid_connect']) + end + + context 'when user has admin_group permission' do + it 'updates step_up_auth_required_oauth_provider' do + put api("/groups/#{group1.id}", user1), params: { + step_up_auth_required_oauth_provider: 'openid_connect' + } + + expect(response).to have_gitlab_http_status(:ok) + expect(json_response).to include('step_up_auth_required_oauth_provider' => 'openid_connect') + expect(group1.reload.step_up_auth_required_oauth_provider).to eq('openid_connect') + end + + it 'clears setting when empty string provided' do + group1.update!(step_up_auth_required_oauth_provider: 'openid_connect') + + put api("/groups/#{group1.id}", user1), params: { + step_up_auth_required_oauth_provider: '' + } + + expect(response).to have_gitlab_http_status(:ok) + expect(json_response).to include('step_up_auth_required_oauth_provider' => nil) + expect(group1.reload.step_up_auth_required_oauth_provider).to be_nil + end + + it 'returns validation error for invalid provider' do + put api("/groups/#{group1.id}", user1), params: { + step_up_auth_required_oauth_provider: 'invalid_provider' + } + + expect(response).to have_gitlab_http_status(:bad_request) + expect(json_response['message']['namespace_settings.step_up_auth_required_oauth_provider']) + .to include('is not included in the list') + end + end + + context 'when user lacks admin_group permission' do + let(:developer) { create(:user, developer_of: group1) } + + before do + group1.add_developer(developer) 
+ end + + it 'returns forbidden' do + put api("/groups/#{group1.id}", developer), params: { + step_up_auth_required_oauth_provider: 'openid_connect' + } + + expect(response).to have_gitlab_http_status(:forbidden) + end + end + + context 'when feature flag is disabled' do + before do + stub_feature_flags(omniauth_step_up_auth_for_namespace: false) + end + + it 'ignores the parameter' do + put api("/groups/#{group1.id}", user1), params: { + step_up_auth_required_oauth_provider: 'openid_connect', + description: 'Updated description' + } + + expect(response).to have_gitlab_http_status(:ok) + expect(group1.reload.step_up_auth_required_oauth_provider).to be_nil + expect(group1.description).to eq('Updated description') + end + end + + describe 'validation' do + it 'validates provider is in allowed list' do + allow(::Gitlab::Auth::Oidc::StepUpAuthentication) + .to receive(:enabled_providers) + .and_return(['openid_connect']) + + put api("/groups/#{group1.id}", user1), params: { + step_up_auth_required_oauth_provider: 'invalid' + } + + expect(response).to have_gitlab_http_status(:bad_request) + expect(json_response['message']['namespace_settings.step_up_auth_required_oauth_provider']) + .to include('is not included in the list') + end + end + end + context 'malicious group name' do subject { put api("/groups/#{group1.id}", user1), params: { name: "" } } -- GitLab From 135580cb2647f8ba97e11077d5077a111f50b4d4 Mon Sep 17 00:00:00 2001 
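Review bot: In the 'when user lacks admin_group permission' context, `let(:developer) { create(:user, developer_of: group1) }` already makes the user a developer of `group1`, so the `before { group1.add_developer(developer) }` that follows is redundant and can be dropped. The helper name `ommiauth_provider_config` is misspelled (`omniauth_provider_config`), and patch 2 copies the typo into the GET spec as well. Separately, the 'ignores the parameter' example pins down that a disabled flag returns 200 while silently discarding a security-relevant setting; an infrastructure-as-code client would then believe step-up auth is enforced when it is not, so consider whether a 400 is the safer contract, or at least document the silent drop in `doc/api/groups.md`. The enclosing `describe 'PUT /groups/:id'` starts outside the hunk.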
From: Gerardo Navarro Date: Mon, 8 Sep 2025 23:11:26 +0200 Subject: [PATCH 2/4] refactor: Apply suggestions from @rliu-gl - Remove leftover comments, see https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203429#note_2737174539 - Correct the description labels, see https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203429#note_2742327640 --- doc/api/groups.md | 2 +- doc/api/openapi/openapi_v2.yaml | 17 ++++++++--------- lib/api/entities/group_detail.rb | 2 +- lib/api/helpers/groups_helpers.rb | 2 +- spec/requests/api/groups_spec.rb | 26 ++++++++++++++++---------- 5 files changed, 27 insertions(+), 22 deletions(-) diff --git a/doc/api/groups.md b/doc/api/groups.md index 7ea10c01a4bd4e..26d28cd039924d 100644 --- a/doc/api/groups.md +++ b/doc/api/groups.md 
@@ -1809,7 +1809,7 @@ PUT /groups/:id | `require_two_factor_authentication` | boolean | no | Require all users in this group to set up two-factor authentication. | | `shared_runners_setting` | string | no | See [Options for `shared_runners_setting`](#options-for-shared_runners_setting). Enable or disable instance runners for a group's subgroups and projects. | | `share_with_group_lock` | boolean | no | Prevent sharing a project with another group within this group. | -| `step_up_auth_required_oauth_provider` | string | no | OAuth provider required for step-up authentication. Pass empty string to disable. Only available on top-level groups. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/556943) in GitLab 18.4. Available when `omniauth_step_up_auth_for_namespace` feature flag is enabled. | +| `step_up_auth_required_oauth_provider` | string | no | OAuth provider required for step-up authentication. Pass empty string to disable. [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/556943) in GitLab 18.4. Available when `omniauth_step_up_auth_for_namespace` feature flag is enabled. | | `subgroup_creation_level` | string | no | Allowed to [create subgroups](../user/group/subgroups/_index.md#create-a-subgroup). Can be `owner` (users with the Owner role), or `maintainer` (users with the Maintainer role). | | `two_factor_grace_period` | integer | no | Time before Two-factor authentication is enforced (in hours). | | `visibility` | string | no | The visibility level of the group. Can be `private`, `internal`, or `public`. | diff --git a/doc/api/openapi/openapi_v2.yaml b/doc/api/openapi/openapi_v2.yaml index b8bcfb5bcc2c1c..e0f25313611068 100644 --- a/doc/api/openapi/openapi_v2.yaml +++ b/doc/api/openapi/openapi_v2.yaml @@ -38926,10 +38926,10 @@ paths: default: main enum: - main + - geo - ci - sec - embedding - - geo required: false - in: path name: id 
@@ -39034,10 +39034,10 @@ paths: default: main enum: - main + - geo - ci - sec - embedding - - geo required: false - in: query name: job_class_name @@ -47752,8 +47752,8 @@ definitions: outside the namespace. Only available on top-level groups. step_up_auth_required_oauth_provider: type: string - description: OAuth provider required for step-up authentication. Only available - on top-level groups. Pass empty string to disable. + description: OAuth provider required for step-up authentication. Pass empty + string to disable. lock_math_rendering_limits_enabled: type: boolean description: Indicates if math rendering limits are locked for all descendent @@ -47956,8 +47956,7 @@ definitions: type: string step_up_auth_required_oauth_provider: type: string - description: OAuth provider required for step-up authentication. Only available - on top-level groups. + description: OAuth provider required for step-up authentication. projects: "$ref": "#/definitions/API_Entities_Project" shared_projects: @@ -66538,10 +66537,10 @@ definitions: description: The name of the database enum: - main + - geo - ci - sec - embedding - - geo default: main description: Resume a batched background migration putApiV4AdminBatchedBackgroundMigrationsIdPause: @@ -66552,10 +66551,10 @@ definitions: description: The name of the database enum: - main + - geo - ci - sec - embedding - - geo default: main description: Pause a batched background migration postApiV4AdminCiVariables: @@ -66743,10 +66742,10 @@ definitions: description: The name of the database enum: - main + - geo - ci - sec - embedding - - geo default: main description: Mark the migration as successfully executed API_Entities_System_BroadcastMessage: diff --git a/lib/api/entities/group_detail.rb b/lib/api/entities/group_detail.rb index dfffa7ef3913ae..0e735b97b52c9a 100644 --- a/lib/api/entities/group_detail.rb +++ b/lib/api/entities/group_detail.rb 
@@ -13,7 +13,7 @@ class GroupDetail < Group expose :step_up_auth_required_oauth_provider, documentation: { type: 'string', - desc: 'OAuth provider required for step-up authentication. Only available on top-level groups.' + desc: 'OAuth provider required for step-up authentication.' }, if: ->(group, options) { ::Feature.enabled?(:omniauth_step_up_auth_for_namespace, group) && diff --git a/lib/api/helpers/groups_helpers.rb b/lib/api/helpers/groups_helpers.rb index 2ef92dd9ca996f..299744ca442786 100644 --- a/lib/api/helpers/groups_helpers.rb +++ b/lib/api/helpers/groups_helpers.rb @@ -49,7 +49,7 @@ module GroupsHelpers optional :step_up_auth_required_oauth_provider, type: String, allow_blank: true, - desc: 'OAuth provider required for step-up authentication. Only available on top-level groups. Pass empty string to disable.' + desc: 'OAuth provider required for step-up authentication. Pass empty string to disable.' optional :lock_math_rendering_limits_enabled, type: Boolean, desc: 'Indicates if math rendering limits are locked for all descendent groups.' optional :math_rendering_limits_enabled, type: Boolean, desc: 'Indicates if math rendering limits are used for this group.' optional :max_artifacts_size, type: Integer, desc: "Set the maximum file size for each job's artifacts" diff --git a/spec/requests/api/groups_spec.rb b/spec/requests/api/groups_spec.rb index c3285d516212a2..5ed0914c5812fa 100644 --- a/spec/requests/api/groups_spec.rb +++ b/spec/requests/api/groups_spec.rb 
@@ -1039,10 +1039,23 @@ def request end context 'step_up_auth_required_oauth_provider attribute' do + let(:ommiauth_provider_config) do + GitlabSettings::Options.new( + name: "openid_connect", + step_up_auth: { + namespace: { + id_token: { + required: { + acr: 'gold' + } + } + } + } + ) + end + before do - allow(::Gitlab::Auth::Oidc::StepUpAuthentication) - .to receive(:enabled_providers) - .and_return(['openid_connect']) + stub_omniauth_setting(enabled: true, providers: [ommiauth_provider_config]) end context 'when user has admin_group permission' do @@ -1376,9 +1389,6 @@ def make_upload_request before do stub_omniauth_setting(enabled: true, providers: [ommiauth_provider_config]) - # allow(::Gitlab::Auth::Oidc::StepUpAuthentication) - # .to receive(:enabled_providers) - # .and_return(['openid_connect']) end context 'when user has admin_group permission' do @@ -1450,10 +1460,6 @@ def make_upload_request describe 'validation' do it 'validates provider is in allowed list' do - allow(::Gitlab::Auth::Oidc::StepUpAuthentication) - .to receive(:enabled_providers) - .and_return(['openid_connect']) - put api("/groups/#{group1.id}", user1), params: { step_up_auth_required_oauth_provider: 'invalid' } -- GitLab From 32c17283c945a064920f14848dafe4d9080ea628 Mon Sep 17 00:00:00 2001 From: Gerardo Navarro Date: Wed, 17 Sep 2025 16:34:35 +0200 Subject: [PATCH 3/4] ci: Fix pipline regarding openapi docs - https://gitlab.com/gitlab-community/gitlab-org/gitlab/-/jobs/11372083811 --- doc/api/openapi/openapi_v2.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/doc/api/openapi/openapi_v2.yaml b/doc/api/openapi/openapi_v2.yaml index e0f25313611068..8e04165d6b4162 100644 --- a/doc/api/openapi/openapi_v2.yaml +++ b/doc/api/openapi/openapi_v2.yaml @@ -38926,10 +38926,10 @@ paths: default: main enum: - main - - geo - ci - sec - embedding + - geo required: false - in: path name: id 
@@ -39034,10 +39034,10 @@ paths: default: main enum: - main - - geo - ci - sec - embedding + - geo required: false - in: query name: job_class_name @@ -66537,10 +66537,10 @@ definitions: description: The name of the database enum: - main - - geo - ci - sec - embedding + - geo default: main description: Resume a batched background migration putApiV4AdminBatchedBackgroundMigrationsIdPause: @@ -66551,10 +66551,10 @@ definitions: description: The name of the database enum: - main - - geo - ci - sec - embedding + - geo default: main description: Pause a batched background migration postApiV4AdminCiVariables: @@ -66742,10 +66742,10 @@ definitions: description: The name of the database enum: - main - - geo - ci - sec - embedding + - geo default: main description: Mark the migration as successfully executed API_Entities_System_BroadcastMessage: -- GitLab From c32757600d86ec85f4c1297f0daae7a6f90abbd3 Mon Sep 17 00:00:00 2001 From: Gerardo Navarro Date: Wed, 17 Sep 2025 16:57:56 +0200 Subject: [PATCH 4/4] refactor: Apply suggestions from @lwanko - Aligning provider config across specs, see https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203429#note_2754471268 - Remove unnecessary test case, see https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203429#note_2754471311 - Remove unnecessary test case, see https://gitlab.com/gitlab-org/gitlab/-/merge_requests/203429#note_2754471289 --- spec/lib/api/entities/group_detail_spec.rb | 2 +- spec/requests/api/groups_spec.rb | 24 ---------------------- 2 files changed, 1 insertion(+), 25 deletions(-) diff --git a/spec/lib/api/entities/group_detail_spec.rb b/spec/lib/api/entities/group_detail_spec.rb index b76eff310d3726..55cbfc34afc3b7 100644 --- a/spec/lib/api/entities/group_detail_spec.rb +++ b/spec/lib/api/entities/group_detail_spec.rb @@ -75,7 +75,7 @@ step_up_auth: { namespace: { id_token: { - required: { claim_1: 'gold' } + required: { acr: 'gold' } } } } 
diff --git a/spec/requests/api/groups_spec.rb b/spec/requests/api/groups_spec.rb index 5ed0914c5812fa..bfcf884ebcc0d3 100644 --- a/spec/requests/api/groups_spec.rb +++ b/spec/requests/api/groups_spec.rb @@ -1402,18 +1402,6 @@ def make_upload_request expect(group1.reload.step_up_auth_required_oauth_provider).to eq('openid_connect') end - it 'clears setting when empty string provided' do - group1.update!(step_up_auth_required_oauth_provider: 'openid_connect') - - put api("/groups/#{group1.id}", user1), params: { - step_up_auth_required_oauth_provider: '' - } - - expect(response).to have_gitlab_http_status(:ok) - expect(json_response).to include('step_up_auth_required_oauth_provider' => nil) - expect(group1.reload.step_up_auth_required_oauth_provider).to be_nil - end - it 'returns validation error for invalid provider' do put api("/groups/#{group1.id}", user1), params: { step_up_auth_required_oauth_provider: 'invalid_provider' @@ -1457,18 +1445,6 @@ def make_upload_request expect(group1.description).to eq('Updated description') end end - - describe 'validation' do - it 'validates provider is in allowed list' do - put api("/groups/#{group1.id}", user1), params: { - step_up_auth_required_oauth_provider: 'invalid' - } - - expect(response).to have_gitlab_http_status(:bad_request) - expect(json_response['message']['namespace_settings.step_up_auth_required_oauth_provider']) - .to include('is not included in the list') - end - end end context 'malicious group name' do -- GitLab