SSO Enforcement requires sign in within 7 days

Adds SSO session timeout of 7 days using existing timestamp stored when
signing in via group level SAML.

Uses a feature flag, :enforced_sso_expiry, to allow us to gradually roll
out the change.

ee/changelogs/unreleased/jej-sso-enforcment-expiry.yml

+---
+title: SSO Enforcement requires sign in within 7 days
+merge_request: 29786
+author:
+type: changed

ee/lib/gitlab/auth/group_saml/sso_enforcer.rb

@@ -4,6 +4,8 @@ module Gitlab
   module Auth
     module GroupSaml
       class SsoEnforcer
+        DEFAULT_SESSION_TIMEOUT = 7.days
+
         attr_reader :saml_provider
 
         def initialize(saml_provider)
@@ -15,7 +17,11 @@ module Gitlab
         end
 
         def active_session?
-          SsoState.new(saml_provider.id).active?
+          if ::Feature.enabled?(:enforced_sso_expiry, group)
+            SsoState.new(saml_provider.id).active_since?(DEFAULT_SESSION_TIMEOUT.ago)
+          else
+            SsoState.new(saml_provider.id).active?
+          end
         end
 
         def access_restricted?

ee/lib/gitlab/auth/group_saml/sso_state.rb

@@ -13,7 +13,15 @@ module Gitlab
         end
 
         def active?
-          !session_available? || active_session_data[saml_provider_id]
+          sessionless? || latest_sign_in
+        end
+
+        def active_since?(cutoff)
+          return active? unless cutoff
+          return true if sessionless?
+          return false unless latest_sign_in
+
+          latest_sign_in > cutoff
         end
 
         def update_active(value)
@@ -26,8 +34,12 @@ module Gitlab
           Gitlab::NamespacedSessionStore.new(SESSION_STORE_KEY)
         end
 
-        def session_available?
-          active_session_data.initiated?
+        def sessionless?
+          !active_session_data.initiated?
+        end
+
+        def latest_sign_in
+          active_session_data[saml_provider_id]
         end
       end
     end

ee/spec/lib/gitlab/auth/group_saml/sso_enforcer_spec.rb

@@ -42,6 +42,27 @@ describe Gitlab::Auth::GroupSaml::SsoEnforcer do
 
       expect(subject).to be_active_session
     end
+
+    describe 'enforced sso expiry' do
+      before do
+        stub_feature_flags(enforced_sso_requires_session: { enabled: true, thing: saml_provider.group })
+      end
+
+      it 'returns true if a sign in is recently recorded' do
+        subject.update_session
+
+        expect(subject).to be_active_session
+      end
+
+      it 'returns false if the sign in predates the session timeout' do
+        subject.update_session
+
+        days_after_timeout = Gitlab::Auth::GroupSaml::SsoEnforcer::DEFAULT_SESSION_TIMEOUT + 2.days
+        Timecop.freeze(days_after_timeout) do
+          expect(subject).not_to be_active_session
+        end
+      end
+    end
   end
 
   describe '#allows_access?' do

ee/spec/lib/gitlab/auth/group_saml/sso_state_spec.rb

@@ -27,4 +27,34 @@ describe Gitlab::Auth::GroupSaml::SsoState do
       end
     end
   end
+
+  describe '#active_since?' do
+    let(:cutoff) { 1.week.ago }
+
+    it 'is always active in a sessionless request' do
+      is_expected.to be_active_since(cutoff)
+    end
+
+    it 'is inactive if never signed in' do
+      Gitlab::Session.with_session({}) do
+        is_expected.not_to be_active_since(cutoff)
+      end
+    end
+
+    it 'is active if signed in since the cut off' do
+      time_after_cut_off = cutoff + 2.days
+
+      Gitlab::Session.with_session(active_group_sso_sign_ins: { saml_provider_id => time_after_cut_off }) do
+        is_expected.to be_active_since(cutoff)
+      end
+    end
+
+    it 'is inactive if signed in before the cut off' do
+      time_before_cut_off = cutoff - 2.days
+
+      Gitlab::Session.with_session(active_group_sso_sign_ins: { saml_provider_id => time_before_cut_off }) do
+        is_expected.not_to be_active_since(cutoff)
+      end
+    end
+  end
 end