Merge branch '12420-prevent-projects-from-being-shared-outside-a-gma-group' into 'master'

Resolve Prevent projects from being shared outside a GMA group - sharing with group See merge request gitlab-org/gitlab!26081

Merge branch '12420-prevent-projects-from-being-shared-outside-a-gma-group' into 'master'
Resolve Prevent projects from being shared outside a GMA group - sharing with group See merge request gitlab-org/gitlab!26081
25fbeff0 · Stan Hu · ea7591a6 · 6ba731ca · 25fbeff0 · 25fbeff0
Commit 25fbeff0 authored Mar 03, 2020 by Stan Hu
5 changed files
--- a/ee/app/models/ee/group.rb
+++ b/ee/app/models/ee/group.rb
@@ -44,7 +44,7 @@ module EE

      has_one :deletion_schedule, class_name: 'GroupDeletionSchedule'
      delegate :deleting_user, :marked_for_deletion_on, to: :deletion_schedule, allow_nil: true
-      delegate :enforced_group_managed_accounts?, to: :saml_provider, allow_nil: true
+      delegate :enforced_group_managed_accounts?, :enforced_sso?, to: :saml_provider, allow_nil: true

      belongs_to :file_template_project, class_name: "Project"


--- a/ee/app/services/ee/projects/group_links/create_service.rb
+++ b/ee/app/services/ee/projects/group_links/create_service.rb
@@ -8,6 +8,8 @@ module EE

        override :execute
        def execute(group)
+          return error(error_message, 409) unless group_allowed_to_be_shared_with?(group)
+
          result = super

          log_audit_event(result[:link]) if result[:status] == :success
@@ -16,6 +18,16 @@ module EE

        private

+        def group_allowed_to_be_shared_with?(group)
+          return true unless project.root_ancestor.kind == 'group' && project.root_ancestor.enforced_sso?
+
+          group.root_ancestor == project.root_ancestor
+        end
+
+        def error_message
+          _('This group cannot be invited to a project inside a group with enforced SSO')
+        end
+
        def log_audit_event(group_link)
          ::AuditEventService.new(
            current_user,

--- a/ee/changelogs/unreleased/12420-prevent-projects-from-being-shared-outside-a-gma-group.yml
+++ b/ee/changelogs/unreleased/12420-prevent-projects-from-being-shared-outside-a-gma-group.yml
+---
+title: "Prevent 'Invite group' for groups outside a group-managed account group"
+merge_request: 26081
+author:
+type: changed
--- a/ee/spec/services/projects/group_links/create_service_spec.rb
+++ b/ee/spec/services/projects/group_links/create_service_spec.rb
@@ -3,9 +3,9 @@
 require 'spec_helper'

 describe Projects::GroupLinks::CreateService, '#execute' do
-  let!(:user) { create :user }
-  let!(:project) { create :project }
-  let!(:group) { create(:group, visibility_level: 0) }
+  let(:user) { create :user }
+  let(:project) { create :project }
+  let(:group) { create(:group, visibility_level: 0) }
  let(:opts) do
    {
      link_group_access: '30',
@@ -37,6 +37,53 @@ describe Projects::GroupLinks::CreateService, '#execute' do
    end
  end

+  context 'when project is in sso enforced group' do
+    let(:saml_provider) { create(:saml_provider, enforced_sso: true) }
+    let(:root_group) { saml_provider.group }
+    let(:project) { create(:project, :private, group: root_group) }
+    let(:subject) { described_class.new(project, user, opts) }
+
+    before do
+      group_to_invite.add_developer(user)
+      stub_licensed_features(group_saml: true)
+    end
+
+    context 'when invited group is outside top group' do
+      let(:group_to_invite) { create(:group) }
+
+      it 'does not add group to project' do
+        expect { subject.execute(group_to_invite) }.not_to change { project.project_group_links.count }
+      end
+    end
+
+    context 'when invited group is in the top group' do
+      let(:group_to_invite) { create(:group, parent: root_group) }
+
+      it 'adds group to project' do
+        expect { subject.execute(group_to_invite) }.to change { project.project_group_links.count }.from(0).to(1)
+      end
+    end
+
+    context 'when project is deeper in the hierarchy and group is in the top group' do
+      let(:group_to_invite) { create(:group, parent: root_group) }
+      let(:nested_group) { create(:group, parent: root_group) }
+      let(:nested_group_2) { create(:group, parent: nested_group_2) }
+      let(:project) { create(:project, :private, group: nested_group) }
+
+      it 'adds group to project' do
+        expect { subject.execute(group_to_invite) }.to change { project.project_group_links.count }.from(0).to(1)
+      end
+
+      context 'when invited group is outside top group' do
+        let(:group_to_invite) { create(:group) }
+
+        it 'does not add group to project' do
+          expect { subject.execute(group_to_invite) }.not_to change { project.project_group_links.count }
+        end
+      end
+    end
+  end
+
  def create_group_link(user, project, group, opts)
    group.add_developer(user)
    described_class.new(project, user, opts).execute(group)

--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -19907,6 +19907,9 @@ msgstr ""
 msgid "This group"
 msgstr ""

+msgid "This group cannot be invited to a project inside a group with enforced SSO"
+msgstr ""
+
 msgid "This group does not provide any group Runners yet."
 msgstr ""