Commit 756c0a0a authored by Drew Blessing's avatar Drew Blessing Committed by Drew Blessing

Create Group SAML Group Sync as a Gold subscription feature

Group SAML Group Sync should only be available in Ultimate. The
feature was unreleased so there's no end-user impact.
parent 13e00158
...@@ -139,6 +139,7 @@ class License < ApplicationRecord ...@@ -139,6 +139,7 @@ class License < ApplicationRecord
personal_access_token_api_management personal_access_token_api_management
personal_access_token_expiration_policy personal_access_token_expiration_policy
enforce_pat_expiration enforce_pat_expiration
group_saml_group_sync
prometheus_alerts prometheus_alerts
pseudonymizer pseudonymizer
release_evidence_test_artifacts release_evidence_test_artifacts
......
...@@ -81,6 +81,10 @@ module EE ...@@ -81,6 +81,10 @@ module EE
@subject.saml_enabled? @subject.saml_enabled?
end end
condition(:group_saml_group_sync_available, scope: :subject) do
@subject.feature_available?(:group_saml_group_sync)
end
condition(:group_timelogs_available) do condition(:group_timelogs_available) do
@subject.feature_available?(:group_timelogs) @subject.feature_available?(:group_timelogs)
end end
...@@ -208,7 +212,9 @@ module EE ...@@ -208,7 +212,9 @@ module EE
rule { group_saml_config_enabled & group_saml_available & (admin | owner) }.enable :admin_group_saml rule { group_saml_config_enabled & group_saml_available & (admin | owner) }.enable :admin_group_saml
rule { group_saml_enabled & can?(:admin_group_saml) }.enable :admin_saml_group_links rule { group_saml_group_sync_available & group_saml_enabled & can?(:admin_group_saml) }.policy do
enable :admin_saml_group_links
end
rule { admin | (can_owners_manage_ldap & owner) }.policy do rule { admin | (can_owners_manage_ldap & owner) }.policy do
enable :admin_ldap_group_links enable :admin_ldap_group_links
......
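Review bot: The new licence gate is applied only to the `admin_saml_group_links` permission in the rule of the second hunk, so it controls who may manage SAML group links but not, as far as these lines show, whether links that already exist are honoured when membership is synchronised. If the sync path lives elsewhere and does not itself check `feature_available?(:group_saml_group_sync)`, a group that later loses the plan could keep receiving memberships from links created earlier, so it is worth confirming that path checks the same feature. A one-line comment above the new condition would also help, for example `# Licensed separately from :group_saml; gates management of SAML group links`. Both the condition and the rule sit inside a policy body that starts and ends outside the hunks.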
...@@ -11,7 +11,7 @@ RSpec.describe Groups::SamlGroupLinksController do ...@@ -11,7 +11,7 @@ RSpec.describe Groups::SamlGroupLinksController do
end end
before do before do
stub_licensed_features(group_saml: true) stub_licensed_features(group_saml: true, group_saml_group_sync: true)
stub_feature_flags(saml_group_links: true) stub_feature_flags(saml_group_links: true)
sign_in(user) sign_in(user)
......
...@@ -13,7 +13,7 @@ RSpec.describe 'SAML group links' do ...@@ -13,7 +13,7 @@ RSpec.describe 'SAML group links' do
context 'when SAML group links is available' do context 'when SAML group links is available' do
before do before do
stub_licensed_features(group_saml: true) stub_licensed_features(group_saml: true, group_saml_group_sync: true)
stub_feature_flags(saml_group_links: true) stub_feature_flags(saml_group_links: true)
create(:saml_provider, group: group, enabled: true) create(:saml_provider, group: group, enabled: true)
......
...@@ -327,6 +327,34 @@ RSpec.describe GroupPolicy do ...@@ -327,6 +327,34 @@ RSpec.describe GroupPolicy do
stub_licensed_features(group_saml: true) stub_licensed_features(group_saml: true)
end end
context 'when group_saml_group_sync is not licensed' do
context 'with an enabled SAML provider' do
let_it_be(:saml_provider) { create(:saml_provider, group: group, enabled: true) }
context 'owner' do
let(:current_user) { owner }
it { is_expected.to be_disallowed(:admin_saml_group_links) }
end
context 'admin' do
let(:current_user) { admin }
it { is_expected.to be_disallowed(:admin_saml_group_links) }
end
end
end
context 'when group_saml_group_sync is licensed' do
before do
stub_application_setting(check_namespace_plan: true)
end
before_all do
create(:license, plan: License::ULTIMATE_PLAN)
create(:gitlab_subscription, :gold, namespace: group)
end
context 'without an enabled SAML provider' do context 'without an enabled SAML provider' do
context 'maintainer' do context 'maintainer' do
let(:current_user) { maintainer } let(:current_user) { maintainer }
...@@ -371,6 +399,7 @@ RSpec.describe GroupPolicy do ...@@ -371,6 +399,7 @@ RSpec.describe GroupPolicy do
it { is_expected.to be_allowed(:admin_saml_group_links) } it { is_expected.to be_allowed(:admin_saml_group_links) }
end end
end end
end
context 'with sso enforcement enabled' do context 'with sso enforcement enabled' do
let(:current_user) { guest } let(:current_user) { guest }
......
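Review bot: The 'when group_saml_group_sync is not licensed' context never turns the feature off explicitly; it relies on the outer `stub_licensed_features(group_saml: true)` leaving `group_saml_group_sync` unavailable, which presumably stops holding if a licence record is present in the test environment. Stating it in that context with `stub_licensed_features(group_saml: true, group_saml_group_sync: false)` makes the denial independent of ambient state. The licensed context only exercises an Ultimate licence with a Gold namespace subscription, so the tier boundary this commit introduces has no negative case. An extra context with a lower-tier subscription on the namespace and `check_namespace_plan: true`, expecting `be_disallowed(:admin_saml_group_links)` for both owner and admin, would pin it.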