Enforce project SSO restriction for group owners

Ensures that Group SAML SSO session enforcement applies to projects, even when the user has been granted owner permission from the group. Avoids a simple 'prevent :read_project' as that would break admin access as well as preventing public access.

Enforce project SSO restriction for group owners
Ensures that Group SAML SSO session enforcement applies to projects, even when the user has been granted owner permission from the group. Avoids a simple 'prevent :read_project' as that would break admin access as well as preventing public access.
579a84ea · James Edwards-Jones · 81e6c18e · 579a84ea · 579a84ea · 579a84ea
Commit 579a84ea authored Oct 05, 2019 by James Edwards-Jones
4 changed files
--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -254,6 +254,14 @@ module EE
          .default_project_deletion_protection
      end

+      rule { needs_new_sso_session & ~admin }.policy do
+        prevent :guest_access
+        prevent :reporter_access
+        prevent :developer_access
+        prevent :maintainer_access
+        prevent :owner_access
+      end
+
      rule { ip_enforcement_prevents_access }.policy do
        prevent :read_project
      end

--- a/ee/changelogs/unreleased/jej-respect-sso-enforcement-on-projects-for-owners.yml
+++ b/ee/changelogs/unreleased/jej-respect-sso-enforcement-on-projects-for-owners.yml
+---
+title: Respect Group SSO Enforcement on projects where the user is an owner
+merge_request: 18154
+author:
+type: fixed
--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -98,6 +98,16 @@ describe GroupPolicy do
          is_expected.not_to be_allowed(:read_group)
        end

+        context 'as a group owner' do
+          before do
+            group.add_owner(current_user)
+          end
+
+          it 'prevents access without a SAML session' do
+            is_expected.not_to allow_action(:read_group)
+          end
+        end
+
        it 'allows access with a SAML session' do
          Gitlab::Auth::GroupSaml::SsoEnforcer.new(saml_provider).update_session


--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -242,15 +242,26 @@ describe ProjectPolicy do
          let(:current_user) { admin }

          it 'allows access' do
-            is_expected.to be_allowed(:read_project)
+            is_expected.to allow_action(:read_project)
          end
        end

-        context 'as an owner' do
-          let(:current_user) { owner }
+        context 'as a group owner' do
+          before do
+            group.add_owner(current_user)
+          end

          it 'prevents access without a SAML session' do
-            is_expected.not_to be_allowed(:read_project)
+            is_expected.not_to allow_action(:read_project)
+          end
+        end
+
+        context 'with public access' do
+          let(:group) { create(:group, :public) }
+          let(:project) { create(:project, :public, group: saml_provider.group) }
+
+          it 'allows access desipte group enforcement' do
+            is_expected.to allow_action(:read_project)
          end
        end