Merge branch '5292-limit-group-managed-accounts' into 'master'

Limit functionality for group managed accounts See merge request gitlab-org/gitlab-ee!10059

Merge branch '5292-limit-group-managed-accounts' into 'master'
Limit functionality for group managed accounts See merge request gitlab-org/gitlab-ee!10059
0d4a2be5 · Nick Thomas · 5e7b7e85 · f27f035c · 0d4a2be5 · 0d4a2be5
Commit 0d4a2be5 authored Mar 21, 2019 by Nick Thomas
7 changed files
--- a/app/policies/identity_provider_policy.rb
+++ b/app/policies/identity_provider_policy.rb
@@ -13,3 +13,5 @@ class IdentityProviderPolicy < BasePolicy

  rule { protected_provider }.prevent(:unlink)
 end
+
+IdentityProviderPolicy.prepend(EE::IdentityProviderPolicy)
--- a/ee/app/models/ee/user.rb
+++ b/ee/app/models/ee/user.rb
@@ -246,6 +246,29 @@ module EE
      update_column :admin_email_unsubscribed_at, Time.now
    end

+    override :allow_password_authentication_for_web?
+    def allow_password_authentication_for_web?(*)
+      return false if group_managed_account?
+
+      super
+    end
+
+    override :allow_password_authentication_for_git?
+    def allow_password_authentication_for_git?(*)
+      return false if group_managed_account?
+
+      super
+    end
+
+    protected
+
+    override :password_required?
+    def password_required?(*)
+      return false if group_managed_account?
+
+      super
+    end
+
    private

    def namespace_union(select = :id)

--- a/ee/app/policies/ee/identity_provider_policy.rb
+++ b/ee/app/policies/ee/identity_provider_policy.rb
+# frozen_string_literal: true
+
+module EE
+  module IdentityProviderPolicy
+    extend ActiveSupport::Concern
+
+    prepended do
+      desc "User account is managed by group SAML"
+      condition(:group_managed_account, scope: :user) { @user.group_managed_account? }
+
+      rule { group_managed_account }.prevent_all
+    end
+  end
+end
--- a/ee/app/views/profiles/accounts/_group_saml_unlink_buttons.html.haml
+++ b/ee/app/views/profiles/accounts/_group_saml_unlink_buttons.html.haml
@@ -3,5 +3,9 @@
  .provider-btn-group
    .provider-btn-image
      = _("SAML for %{group_name}") % { group_name: group.name }
-    = link_to unlink_group_saml_providers_path(group), method: :delete, class: 'provider-btn' do
-      Disconnect
+    - if unlink_provider_allowed?(identity.saml_provider)
+      = link_to unlink_group_saml_providers_path(group), method: :delete, class: 'provider-btn' do
+        = s_('Profiles|Disconnect')
+    - else
+      %a.provider-btn
+        = s_('Profiles|Active')
--- a/ee/spec/factories/users.rb
+++ b/ee/spec/factories/users.rb
@@ -5,6 +5,10 @@ FactoryBot.modify do
    trait :auditor do
      auditor true
    end
+
+    trait :group_managed do
+      association :managing_group, factory: :group
+    end
  end

  factory :omniauth_user do

--- a/ee/spec/models/ee/user_spec.rb
+++ b/ee/spec/models/ee/user_spec.rb
@@ -380,16 +380,55 @@ describe EE::User do
  end

  describe '#group_managed_account?' do
+    subject { user.group_managed_account? }
+
    context 'when user has managing group linked' do
      before do
-        subject.managing_group = Group.new
+        user.managing_group = Group.new
      end

-      it { is_expected.to be_group_managed_account }
+      it { is_expected.to eq true }
    end

    context 'when user has no linked managing group' do
-      it { is_expected.not_to be_group_managed_account }
+      it { is_expected.to eq false }
+    end
+  end
+
+  describe '#password_required?' do
+    context 'when user has managing group linked' do
+      before do
+        user.managing_group = Group.new
+      end
+
+      it 'does not require password to be present' do
+        expect(user).not_to validate_presence_of(:password)
+        expect(user).not_to validate_presence_of(:password_confirmation)
+      end
+    end
+  end
+
+  describe '#allow_password_authentication_for_web?' do
+    context 'when user has managing group linked' do
+      before do
+        user.managing_group = Group.new
+      end
+
+      it 'is false' do
+        expect(user.allow_password_authentication_for_web?).to eq false
+      end
+    end
+  end
+
+  describe '#allow_password_authentication_for_git?' do
+    context 'when user has managing group linked' do
+      before do
+        user.managing_group = Group.new
+      end
+
+      it 'is false' do
+        expect(user.allow_password_authentication_for_git?).to eq false
+      end
    end
  end
 end
--- a/ee/spec/policies/identity_provider_policy_spec.rb
+++ b/ee/spec/policies/identity_provider_policy_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+
+describe IdentityProviderPolicy do
+  subject(:policy) { described_class.new(user, :a_provider) }
+
+  describe '#rules' do
+    context 'when user is group managed' do
+      let(:user) { build_stubbed(:user, :group_managed) }
+
+      it { is_expected.not_to be_allowed(:link) }
+      it { is_expected.not_to be_allowed(:unlink) }
+    end
+  end
+end