Commit 6673c101 authored by Małgorzata Ksionek's avatar Małgorzata Ksionek

Add serving new namespace setting field

WIP
parent 474f3967
...@@ -560,12 +560,16 @@ class Group < Namespace ...@@ -560,12 +560,16 @@ class Group < Namespace
access_level_roles.values access_level_roles.values
end end
def update_two_factor_requirement_for_members
members_with_descendants.find_each(&:update_two_factor_requirement)
end
private private
def update_two_factor_requirement def update_two_factor_requirement
return unless saved_change_to_require_two_factor_authentication? || saved_change_to_two_factor_grace_period? return unless saved_change_to_require_two_factor_authentication? || saved_change_to_two_factor_grace_period?
members_with_descendants.find_each(&:update_two_factor_requirement) update_two_factor_requirement_for_members
end end
def path_changed_hook def path_changed_hook
......
...@@ -4,6 +4,8 @@ module Groups ...@@ -4,6 +4,8 @@ module Groups
class UpdateService < Groups::BaseService class UpdateService < Groups::BaseService
include UpdateVisibilityLevel include UpdateVisibilityLevel
SETTINGS_PARAMS = [:allow_mfa_for_subgroups].freeze
def execute def execute
reject_parent_id! reject_parent_id!
remove_unallowed_params remove_unallowed_params
...@@ -20,7 +22,7 @@ module Groups ...@@ -20,7 +22,7 @@ module Groups
return false unless valid_path_change_with_npm_packages? return false unless valid_path_change_with_npm_packages?
return false unless update_shared_runners return false unless update_shared_runners
handle_changes
before_assignment_hook(group, params) before_assignment_hook(group, params)
handle_namespace_settings handle_namespace_settings
...@@ -101,6 +103,21 @@ module Groups ...@@ -101,6 +103,21 @@ module Groups
params.delete(:default_branch_protection) unless can?(current_user, :update_default_branch_protection, group) params.delete(:default_branch_protection) unless can?(current_user, :update_default_branch_protection, group)
end end
def handle_changes
handle_settings_update
end
def handle_settings_update
settings_params = params.slice(*allowed_settings_params)
allowed_settings_params.each { |param| params.delete(param) }
::NamespaceSettings::UpdateService.new(current_user, group, settings_params).execute
end
def allowed_settings_params
@allowed_settings_params ||= SETTINGS_PARAMS
end
def valid_share_with_group_lock_change? def valid_share_with_group_lock_change?
return true unless changing_share_with_group_lock? return true unless changing_share_with_group_lock?
return true if can?(current_user, :change_share_with_group_lock, group) return true if can?(current_user, :change_share_with_group_lock, group)
......
...@@ -18,6 +18,18 @@ module NamespaceSettings ...@@ -18,6 +18,18 @@ module NamespaceSettings
else else
group.build_namespace_settings(settings_params) group.build_namespace_settings(settings_params)
end end
after_update
end
def after_update
settings = group.namespace_settings
return if settings.allow_mfa_for_subgroups
if settings.previous_changes.include?(:allow_mfa_for_subgroups)
# enque in batches
TodosDestroyer::GroupPrivateWorker.perform_in(Todo::WAIT_FOR_DELETE, group.id)
end
end end
end end
end end
......
# frozen_string_literal: true
class Disallow2FAWorker # rubocop:disable Scalability/IdempotentWorker
include ApplicationWorker
include ExceptionBacktrace
feature_category :subgroups
def perform(group_id)
begin
group = Group.find(group_id)
rescue ActiveRecord::RecordNotFound
return
end
group.update_two_factor_requirement_for_members
end
end
# frozen_string_literal: true
class Disallow2FAWorker # rubocop:disable Scalability/IdempotentWorker
include ApplicationWorker
include ExceptionBacktrace
INTERVAL = 2.seconds.to_i
feature_category :subgroups
def perform(group_id)
begin
group = Group.find(group_id)
rescue ActiveRecord::RecordNotFound
return
end
subgroups = group.subgroups.where(require_two_factor_authentication: true)
subgroups.update_all(require_two_factor_authentication: false)
subgroups.find_each(batch_size: 100).with_index do |subgroup, index| # rubocop: disable CodeReuse/ActiveRecord
delay = index * INTERVAL
with_context(subgroup) do
Update2FAForSubgroupsMembersWorker.perform_in(delay, subgroup.id)
end
end
end
end
...@@ -4,6 +4,7 @@ module EE ...@@ -4,6 +4,7 @@ module EE
module Groups module Groups
module UpdateService module UpdateService
extend ::Gitlab::Utils::Override extend ::Gitlab::Utils::Override
EE_SETTINGS_PARAMS = [:prevent_forking_outside_group].freeze
override :execute override :execute
def execute def execute
...@@ -90,10 +91,11 @@ module EE ...@@ -90,10 +91,11 @@ module EE
end end
end end
override :handle_changes
def handle_changes def handle_changes
handle_allowed_email_domains_update handle_allowed_email_domains_update
handle_ip_restriction_update handle_ip_restriction_update
handle_settings_update super
end end
def handle_ip_restriction_update def handle_ip_restriction_update
...@@ -112,11 +114,9 @@ module EE ...@@ -112,11 +114,9 @@ module EE
AllowedEmailDomains::UpdateService.new(current_user, group, comma_separated_domains).execute AllowedEmailDomains::UpdateService.new(current_user, group, comma_separated_domains).execute
end end
def handle_settings_update override :allowed_settings_params
settings_params = params.slice(:prevent_forking_outside_group) def allowed_settings_params
params.delete(:prevent_forking_outside_group) @allowed_settings_params ||= ::Groups::UpdateService::SETTINGS_PARAMS + EE_SETTINGS_PARAMS
::NamespaceSettings::UpdateService.new(current_user, group, settings_params).execute
end end
def log_audit_event def log_audit_event
......
...@@ -7,7 +7,6 @@ FactoryBot.define do ...@@ -7,7 +7,6 @@ FactoryBot.define do
type { 'Group' } type { 'Group' }
owner { nil } owner { nil }
project_creation_level { ::Gitlab::Access::MAINTAINER_PROJECT_ACCESS } project_creation_level { ::Gitlab::Access::MAINTAINER_PROJECT_ACCESS }
association :namespace_settings, factory: :namespace_settings
after(:create) do |group| after(:create) do |group|
if group.owner if group.owner
......
...@@ -308,6 +308,19 @@ RSpec.describe Groups::UpdateService do ...@@ -308,6 +308,19 @@ RSpec.describe Groups::UpdateService do
end end
end end
context 'changes allowing subgroups to establish own 2FA' do
let(:group) { create(:group) }
let(:params) { { allow_mfa_for_subgroups: false } }
subject { described_class.new(group, user, params).execute }
it 'changes settings' do
subject
expect(group.namespace_settings.reload.allow_mfa_for_subgroups).to eq(false)
end
end
def update_group(group, user, opts) def update_group(group, user, opts)
Groups::UpdateService.new(group, user, opts).execute Groups::UpdateService.new(group, user, opts).execute
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment