Merge branch 'qa-saml-group-git-http-access-test' into 'master'

Add test for git http operations for SSO enforced SAML group See merge request gitlab-org/gitlab-ee!13570

Merge branch 'qa-saml-group-git-http-access-test' into 'master'
Add test for git http operations for SSO enforced SAML group See merge request gitlab-org/gitlab-ee!13570
81a5108b · Sanad Liaquat · cd344b26 · 4bba1ad6 · 81a5108b · 81a5108b
Commit 81a5108b authored Jun 12, 2019 by Sanad Liaquat
5 changed files
--- a/ee/app/views/groups/saml_providers/_form.html.haml
+++ b/ee/app/views/groups/saml_providers/_form.html.haml
@@ -20,7 +20,7 @@
        .form-text= s_('GroupSAML|Enforce SSO-only authentication for this group.')
        %label.toggle-wrapper.mb-0.js-group-saml-enforced-sso-toggle-area
          %button{ type: 'button',
-            class: "js-project-feature-toggle js-group-saml-enforced-sso-toggle project-feature-toggle d-inline #{'is-checked' if saml_provider.enforced_sso?}",
+            class: "js-project-feature-toggle js-group-saml-enforced-sso-toggle project-feature-toggle d-inline qa-enforced-sso-toggle-button #{'is-checked' if saml_provider.enforced_sso?}",
            "aria-label": s_("GroupSAML|Enforced SSO") }
            = f.hidden_field :enforced_sso, { class: 'js-group-saml-enforced-sso-input js-project-feature-toggle-input'}
            %span.toggle-icon

--- a/qa/qa/ee/page/group/settings/saml_sso.rb
+++ b/qa/qa/ee/page/group/settings/saml_sso.rb
@@ -9,6 +9,7 @@ module QA
            view 'ee/app/views/groups/saml_providers/_form.html.haml' do
              element :identity_provider_sso_field
              element :certificate_fingerprint_field
+              element :enforced_sso_toggle_button
              element :save_changes_button
            end
@@ -28,6 +29,10 @@ module QA
              fill_element :certificate_fingerprint_field, fingerprint
            end
+            def enforce_sso
+              click_element :enforced_sso_toggle_button unless find_element(:enforced_sso_toggle_button)[:class].include?('is-checked')
+            end
            def click_save_changes
              click_element :save_changes_button
            end

--- a/qa/qa/resource/project.rb
+++ b/qa/qa/resource/project.rb
@@ -18,7 +18,11 @@ module QA
      end
      attribute :path_with_namespace do
-        "#{group.sandbox.path}/#{group.path}/#{name}" if group
+        "#{sandbox_path}#{group.path}/#{name}" if group
+      end
+      def sandbox_path
+        group.respond_to?('sandbox') ? "#{group.sandbox.path}/" : ''
      end
      attribute :repository_ssh_location do

--- a/qa/qa/resource/sandbox.rb
+++ b/qa/qa/resource/sandbox.rb
@@ -44,6 +44,10 @@ module QA
        "/groups/#{path}"
      end
+      def api_members_path
+        "#{api_get_path}/members"
+      end
      def api_post_path
        '/groups'
      end

--- a/qa/qa/specs/features/browser_ui/1_manage/ee_group/group_saml_sso_spec.rb
+++ b/qa/qa/specs/features/browser_ui/1_manage/ee_group/group_saml_sso_spec.rb
@@ -3,58 +3,136 @@
 module QA
  context 'Manage', :orchestrated, :group_saml do
    describe 'Group SAML SSO' do
+      include Support::Api
+      before(:all) do
+        @group = Resource::Sandbox.fabricate!
+      end
      before do
-        Runtime::Browser.visit(:gitlab, Page::Main::Login)
+        unless Page::Main::Menu.perform(&:has_personal_area?)
-        Page::Main::Login.act { sign_in_using_credentials }
+          Runtime::Browser.visit(:gitlab, Page::Main::Login)
+          Page::Main::Login.perform(&:sign_in_using_credentials)
-        Resource::Sandbox.fabricate_via_browser_ui!
+        end
+        @group.visit!
      end
      it 'User logs in to group with SAML SSO' do
-        EE::Page::Group::Menu.act { go_to_saml_sso_group_settings }
+        EE::Page::Group::Menu.perform(&:go_to_saml_sso_group_settings)
+        EE::Page::Group::Settings::SamlSSO.perform do |page|
+          page.set_id_provider_sso_url(QA::EE::Runtime::Saml.idp_sso_url)
+          page.set_cert_fingerprint(QA::EE::Runtime::Saml.idp_certificate_fingerprint)
+          page.click_save_changes
-        EE::Page::Group::Settings::SamlSSO.act do
+          page.click_user_login_url_link
-          set_id_provider_sso_url(QA::EE::Runtime::Saml.idp_sso_url)
-          set_cert_fingerprint(QA::EE::Runtime::Saml.idp_certificate_fingerprint)
-          click_save_changes
-          click_user_login_url_link
        end
-        EE::Page::Group::SamlSSOSignIn.act { click_signin }
+        EE::Page::Group::SamlSSOSignIn.perform(&:click_signin)
        login_to_idp_if_required_and_expect_success
-        EE::Page::Group::Menu.act { go_to_saml_sso_group_settings }
+        EE::Page::Group::Menu.perform(&:go_to_saml_sso_group_settings)
-        EE::Page::Group::Settings::SamlSSO.act { click_user_login_url_link }
+        EE::Page::Group::Settings::SamlSSO.perform(&:click_user_login_url_link)
-        EE::Page::Group::SamlSSOSignIn.act { click_signin }
+        EE::Page::Group::SamlSSOSignIn.perform(&:click_signin)
        expect(page).to have_content("Already signed in with SAML for #{Runtime::Env.sandbox_name}")
      end
      it 'Lets group admin test settings' do
-        EE::Page::Group::Menu.act { go_to_saml_sso_group_settings }
+        EE::Page::Group::Menu.perform(&:go_to_saml_sso_group_settings)
-        EE::Page::Group::Settings::SamlSSO.act do
+        EE::Page::Group::Settings::SamlSSO.perform do |page|
-          set_id_provider_sso_url(QA::EE::Runtime::Saml.idp_sso_url)
+          page.set_id_provider_sso_url(QA::EE::Runtime::Saml.idp_sso_url)
-          set_cert_fingerprint(QA::EE::Runtime::Saml.idp_certificate_fingerprint)
+          page.set_cert_fingerprint(QA::EE::Runtime::Saml.idp_certificate_fingerprint)
-          click_save_changes
+          page.click_save_changes
-          click_test_button
+          page.click_test_button
        end
        login_to_idp_if_required_and_expect_success
        expect(page).to have_content("Test SAML SSO")
      end
+      context 'Enforced SSO' do
+        before do
+          Runtime::Feature.enable("enforced_sso")
+          Runtime::Feature.enable("enforced_sso_requires_session")
+        end
+        it 'user clones and pushes to project within a group using Git HTTP' do
+          branch_name = "new_branch"
+          user = Resource::User.new.tap do |user|
+            user.name = 'SAML Developer'
+            user.username = 'saml_dev'
+          end
+          create_user_via_api(user)
+          add_user_to_group_via_api(user.username, @group, '30')
+          EE::Page::Group::Menu.perform(&:go_to_saml_sso_group_settings)
+          EE::Page::Group::Settings::SamlSSO.perform do |page|
+            page.enforce_sso
+            page.set_id_provider_sso_url(QA::EE::Runtime::Saml.idp_sso_url)
+            page.set_cert_fingerprint(QA::EE::Runtime::Saml.idp_certificate_fingerprint)
+            page.click_save_changes
+          end
+          @project = Resource::Project.fabricate! do |project|
+            project.name = 'project-in-saml-enforced-group'
+            project.description = 'project in SAML enforced gorup for git clone test'
+            project.group = @group
+            project.initialize_with_readme = true
+          end
+          @project.visit!
+          Resource::Repository::ProjectPush.fabricate! do |push|
+            push.project = @project
+            push.branch_name = branch_name
+            push.user = user
+          end
+        end
+      end
+      after(:all) do
+        remove_group(@group)
+      end
    end
    def login_to_idp_if_required_and_expect_success
      Vendor::SAMLIdp::Page::Login.perform { |login_page| login_page.login_if_required }
      expect(page).to have_content("SAML for #{Runtime::Env.sandbox_name} was added to your connected accounts")
-        .or have_content("Already signed in with SAML for #{Runtime::Env.sandbox_name}")
+                        .or have_content("Already signed in with SAML for #{Runtime::Env.sandbox_name}")
+    end
+    def remove_group(group)
+      api_client = Runtime::API::Client.new(:gitlab)
+      delete Runtime::API::Request.new(api_client, "/groups/#{group.path}").url
+    end
+    def create_user_via_api(user)
+      Resource::User.fabricate_via_api! do |resource|
+        resource.username = user.username
+        resource.name = user.name
+        resource.email = user.email
+        resource.password = user.password
+      end
+    end
+    def add_user_to_group_via_api(username, group, access_level)
+      api_client = Runtime::API::Client.new(:gitlab)
+      response = get Runtime::API::Request.new(api_client, "/users?username=#{username}").url
+      post Runtime::API::Request.new(api_client, group.api_members_path).url, { user_id: parse_body(response).first[:id], access_level: access_level }
    end
  end
 end