Commit 84b17662 authored by James Fargher's avatar James Fargher

Merge branch 'jej/remove-sso-enforcement-flags' into 'master'

Remove :enforced_sso and :enforced_sso_requires_session feature flags

Closes #11757 and #9672

See merge request gitlab-org/gitlab!31769
parents d9a8622f 9d449b1c
...@@ -45,9 +45,8 @@ class Groups::SamlProvidersController < Groups::ApplicationController ...@@ -45,9 +45,8 @@ class Groups::SamlProvidersController < Groups::ApplicationController
end end
def saml_provider_params def saml_provider_params
allowed_params = %i[sso_url certificate_fingerprint enabled] allowed_params = %i[sso_url certificate_fingerprint enabled enforced_sso]
allowed_params += [:enforced_sso] if Feature.enabled?(:enforced_sso, group)
if Feature.enabled?(:group_managed_accounts, group) if Feature.enabled?(:group_managed_accounts, group)
allowed_params += [:enforced_group_managed_accounts, :prohibited_outer_forks] allowed_params += [:enforced_group_managed_accounts, :prohibited_outer_forks]
end end
......
...@@ -30,7 +30,7 @@ class SamlProvider < ApplicationRecord ...@@ -30,7 +30,7 @@ class SamlProvider < ApplicationRecord
end end
def enforced_sso? def enforced_sso?
enabled? && super && group.feature_available?(:group_saml) && ::Feature.enabled?(:enforced_sso, group) enabled? && super && group.feature_available?(:group_saml)
end end
def enforced_group_managed_accounts? def enforced_group_managed_accounts?
......
...@@ -6,15 +6,14 @@ ...@@ -6,15 +6,14 @@
= render "shared/buttons/project_feature_toggle", is_checked: saml_provider.enabled?, label: s_("GroupSAML|Toggle SAML authentication"), class_list: "js-project-feature-toggle project-feature-toggle d-inline" do = render "shared/buttons/project_feature_toggle", is_checked: saml_provider.enabled?, label: s_("GroupSAML|Toggle SAML authentication"), class_list: "js-project-feature-toggle project-feature-toggle d-inline" do
= f.hidden_field :enabled, { class: 'js-group-saml-enabled-input js-project-feature-toggle-input'} = f.hidden_field :enabled, { class: 'js-group-saml-enabled-input js-project-feature-toggle-input'}
%span.d-inline.font-weight-normal.align-text-bottom.ml-3= s_('GroupSAML|Enable SAML authentication for this group.') %span.d-inline.font-weight-normal.align-text-bottom.ml-3= s_('GroupSAML|Enable SAML authentication for this group.')
- if Feature.enabled?(:enforced_sso, group) .form-group
.form-group %label.toggle-wrapper.mb-0.js-group-saml-enforced-sso-toggle-area
%label.toggle-wrapper.mb-0.js-group-saml-enforced-sso-toggle-area = render "shared/buttons/project_feature_toggle", is_checked: saml_provider.enforced_sso, disabled: !saml_provider.enabled?, label: s_("GroupSAML|Enforced SSO"), class_list: "js-project-feature-toggle js-group-saml-enforced-sso-toggle project-feature-toggle d-inline", data: { qa_selector: 'enforced_sso_toggle_button' } do
= render "shared/buttons/project_feature_toggle", is_checked: saml_provider.enforced_sso, disabled: !saml_provider.enabled?, label: s_("GroupSAML|Enforced SSO"), class_list: "js-project-feature-toggle js-group-saml-enforced-sso-toggle project-feature-toggle d-inline", data: { qa_selector: 'enforced_sso_toggle_button' } do = f.hidden_field :enforced_sso, { class: 'js-group-saml-enforced-sso-input js-project-feature-toggle-input'}
= f.hidden_field :enforced_sso, { class: 'js-group-saml-enforced-sso-input js-project-feature-toggle-input'} %span.form-text.d-inline.font-weight-normal.align-text-bottom.ml-3= s_('GroupSAML|Enforce SSO-only authentication for this group.')
%span.form-text.d-inline.font-weight-normal.align-text-bottom.ml-3= Feature.enabled?(:enforced_sso_requires_session, group) ? s_('GroupSAML|Enforce SSO-only authentication for this group.') : s_('GroupSAML|Enforce SSO-only membership for this group.') .form-text.text-muted.js-helper-text{ style: "display: #{'none' if saml_provider.enabled?} #{'block' unless saml_provider.enabled?}" }
.form-text.text-muted.js-helper-text{ style: "display: #{'none' if saml_provider.enabled?} #{'block' unless saml_provider.enabled?}" } %span
%span = s_('GroupSAML|To be able to enable enforced SSO, you first need to enable SAML authentication.')
= s_('GroupSAML|To be able to enable enforced SSO, you first need to enable SAML authentication.')
- if Feature.enabled?(:group_managed_accounts, group) - if Feature.enabled?(:group_managed_accounts, group)
.form-group .form-group
%label.toggle-wrapper.mb-0.js-group-saml-enforced-group-managed-accounts-toggle-area %label.toggle-wrapper.mb-0.js-group-saml-enforced-group-managed-accounts-toggle-area
......
...@@ -9,7 +9,6 @@ module Gitlab ...@@ -9,7 +9,6 @@ module Gitlab
end end
def can_add_user?(user) def can_add_user?(user)
return true unless ::Feature.enabled?(:enforced_sso, @group)
return true unless root_group&.saml_provider&.enforced_sso? return true unless root_group&.saml_provider&.enforced_sso?
GroupSamlIdentityFinder.new(user: user).find_linked(group: root_group) GroupSamlIdentityFinder.new(user: user).find_linked(group: root_group)
......
...@@ -25,13 +25,12 @@ module Gitlab ...@@ -25,13 +25,12 @@ module Gitlab
end end
def access_restricted? def access_restricted?
saml_enforced? && !active_session? && ::Feature.enabled?(:enforced_sso_requires_session, group) saml_enforced? && !active_session?
end end
def self.group_access_restricted?(group) def self.group_access_restricted?(group)
return false unless group return false unless group
return false unless group.root_ancestor return false unless group.root_ancestor
return false unless ::Feature.enabled?(:enforced_sso_requires_session, group.root_ancestor)
saml_provider = group.root_ancestor.saml_provider saml_provider = group.root_ancestor.saml_provider
......
...@@ -122,30 +122,11 @@ describe Groups::SamlProvidersController do ...@@ -122,30 +122,11 @@ describe Groups::SamlProvidersController do
group.add_owner(user) group.add_owner(user)
end end
context 'enforced_sso feature flag enabled' do it 'updates the setting' do
before do expect do
stub_feature_flags(enforced_sso: true) subject
end saml_provider.reload
end.to change { saml_provider.enforced_sso? }.to(true)
it 'updates the flags' do
expect do
subject
saml_provider.reload
end.to change { saml_provider.enforced_sso? }.to(true)
end
end
context 'enforced_sso feature flag disabled' do
before do
stub_feature_flags(enforced_sso: false)
end
it 'does not update the setting' do
expect do
subject
saml_provider.reload
end.not_to change { saml_provider.enforced_sso? }.from(false)
end
end end
context 'enabling group managed when owner has linked identity' do context 'enabling group managed when owner has linked identity' do
......
...@@ -52,7 +52,6 @@ describe 'Groups > Members > List members' do ...@@ -52,7 +52,6 @@ describe 'Groups > Members > List members' do
let(:session) { { active_group_sso_sign_ins: { saml_provider.id => DateTime.now } } } let(:session) { { active_group_sso_sign_ins: { saml_provider.id => DateTime.now } } }
before do before do
stub_feature_flags(enforced_sso: true, group_saml: true)
stub_licensed_features(group_saml: true) stub_licensed_features(group_saml: true)
allow(Gitlab::Session).to receive(:current).and_return(session) allow(Gitlab::Session).to receive(:current).and_return(session)
......
...@@ -94,26 +94,12 @@ describe 'SAML provider settings' do ...@@ -94,26 +94,12 @@ describe 'SAML provider settings' do
expect(login_url).to end_with "?token=#{group.reload.saml_discovery_token}" expect(login_url).to end_with "?token=#{group.reload.saml_discovery_token}"
end end
context 'enforced sso enabled', :js do it 'updates the enforced sso setting', :js do
it 'updates the flag' do visit group_saml_providers_path(group)
stub_feature_flags(enforced_sso: true)
visit group_saml_providers_path(group)
find('.js-group-saml-enforced-sso-toggle').click
expect { submit }.to change { saml_provider.reload.enforced_sso }.to(true)
end
end
context 'enforced sso disabled' do find('.js-group-saml-enforced-sso-toggle').click
it 'does not update the flag' do
stub_feature_flags(enforced_sso: false)
visit group_saml_providers_path(group) expect { submit }.to change { saml_provider.reload.enforced_sso }.to(true)
expect(page).not_to have_selector('.js-group-saml-enforced-sso-toggle')
end
end end
context 'enforced_group_managed_accounts enabled', :js do context 'enforced_group_managed_accounts enabled', :js do
......
...@@ -23,7 +23,7 @@ describe 'Group SAML SSO', :js do ...@@ -23,7 +23,7 @@ describe 'Group SAML SSO', :js do
end end
before do before do
stub_feature_flags(enforced_sso: true, group_managed_accounts: true, sign_up_on_sso: true, convert_user_to_group_managed_accounts: true) stub_feature_flags(group_managed_accounts: true, sign_up_on_sso: true, convert_user_to_group_managed_accounts: true)
stub_licensed_features(group_saml: true) stub_licensed_features(group_saml: true)
allow(Devise).to receive(:omniauth_providers).and_return(%i(group_saml)) allow(Devise).to receive(:omniauth_providers).and_return(%i(group_saml))
......
...@@ -45,7 +45,7 @@ describe Gitlab::Auth::GroupSaml::SsoEnforcer do ...@@ -45,7 +45,7 @@ describe Gitlab::Auth::GroupSaml::SsoEnforcer do
describe 'enforced sso expiry' do describe 'enforced sso expiry' do
before do before do
stub_feature_flags(enforced_sso_requires_session: saml_provider.group) stub_feature_flags(enforced_sso_expiry: saml_provider.group)
end end
it 'returns true if a sign in is recently recorded' do it 'returns true if a sign in is recently recorded' do
...@@ -88,12 +88,6 @@ describe Gitlab::Auth::GroupSaml::SsoEnforcer do ...@@ -88,12 +88,6 @@ describe Gitlab::Auth::GroupSaml::SsoEnforcer do
end end
end end
it 'allows access when the sso enforcement feature is disabled' do
stub_feature_flags(enforced_sso: false)
expect(subject).not_to be_access_restricted
end
it 'prevents access when sso enforcement active but there is no session' do it 'prevents access when sso enforcement active but there is no session' do
expect(subject).to be_access_restricted expect(subject).to be_access_restricted
end end
...@@ -109,10 +103,6 @@ describe Gitlab::Auth::GroupSaml::SsoEnforcer do ...@@ -109,10 +103,6 @@ describe Gitlab::Auth::GroupSaml::SsoEnforcer do
let(:root_group) { create(:group, saml_provider: create(:saml_provider, enabled: true, enforced_sso: true)) } let(:root_group) { create(:group, saml_provider: create(:saml_provider, enabled: true, enforced_sso: true)) }
context 'is restricted' do context 'is restricted' do
before do
stub_feature_flags(enforced_sso_requires_session: root_group)
end
it 'for a group' do it 'for a group' do
expect(described_class).to be_group_access_restricted(root_group) expect(described_class).to be_group_access_restricted(root_group)
end end
...@@ -130,17 +120,10 @@ describe Gitlab::Auth::GroupSaml::SsoEnforcer do ...@@ -130,17 +120,10 @@ describe Gitlab::Auth::GroupSaml::SsoEnforcer do
end end
end end
context 'is not restricted' do context 'for a group without a saml_provider configured' do
it 'for the group without configured saml_provider' do let(:root_group) { create(:group) }
group = create(:group)
stub_feature_flags(enforced_sso_requires_session: group)
expect(described_class).not_to be_group_access_restricted(group)
end
it 'for the group without the feature flag' do
stub_feature_flags(enforced_sso_requires_session: false)
it 'is not restricted' do
expect(described_class).not_to be_group_access_restricted(root_group) expect(described_class).not_to be_group_access_restricted(root_group)
end end
end end
......
...@@ -110,18 +110,6 @@ describe SamlProvider do ...@@ -110,18 +110,6 @@ describe SamlProvider do
expect(subject).not_to be_enforced_sso expect(subject).not_to be_enforced_sso
end end
context 'and feature flag is disabled' do
before do
stub_feature_flags(enforced_sso: false)
end
it 'is false' do
subject.enforced_sso = true
expect(subject).not_to be_enforced_sso
end
end
it 'does not enforce SSO when the feature is unavailable' do it 'does not enforce SSO when the feature is unavailable' do
stub_licensed_features(group_saml: false) stub_licensed_features(group_saml: false)
subject.enforced_sso = true subject.enforced_sso = true
......
...@@ -17,7 +17,6 @@ describe 'getting group information' do ...@@ -17,7 +17,6 @@ describe 'getting group information' do
before do before do
stub_licensed_features(group_saml: true) stub_licensed_features(group_saml: true)
stub_feature_flags(enforced_sso_requires_session: true)
saml_provider = create(:saml_provider, enforced_sso: true, group: group) saml_provider = create(:saml_provider, enforced_sso: true, group: group)
create(:group_saml_identity, saml_provider: saml_provider, user: user) create(:group_saml_identity, saml_provider: saml_provider, user: user)
group.add_guest(user) group.add_guest(user)
......
...@@ -814,7 +814,6 @@ describe API::Projects do ...@@ -814,7 +814,6 @@ describe API::Projects do
end end
before do before do
stub_feature_flags(enforced_sso_requires_session: false)
stub_licensed_features(group_saml: true) stub_licensed_features(group_saml: true)
end end
......
...@@ -21,10 +21,6 @@ describe JwtController do ...@@ -21,10 +21,6 @@ describe JwtController do
let!(:saml_provider) { create(:saml_provider, enforced_sso: true, group: group) } let!(:saml_provider) { create(:saml_provider, enforced_sso: true, group: group) }
let!(:identity) { create(:group_saml_identity, saml_provider: saml_provider, user: user) } let!(:identity) { create(:group_saml_identity, saml_provider: saml_provider, user: user) }
before do
stub_feature_flags(enforced_sso_requires_session: true)
end
it 'allows access' do it 'allows access' do
get '/jwt/auth', params: parameters, headers: headers get '/jwt/auth', params: parameters, headers: headers
......
...@@ -8,10 +8,6 @@ RSpec.shared_examples 'member validations' do ...@@ -8,10 +8,6 @@ RSpec.shared_examples 'member validations' do
let(:group) { identity.saml_provider.group } let(:group) { identity.saml_provider.group }
let(:entity) { group } let(:entity) { group }
before do
stub_feature_flags(enforced_sso: true)
end
context 'enforced SSO enabled' do context 'enforced SSO enabled' do
before do before do
allow_any_instance_of(SamlProvider).to receive(:enforced_sso?).and_return(true) allow_any_instance_of(SamlProvider).to receive(:enforced_sso?).and_return(true)
...@@ -37,17 +33,7 @@ RSpec.shared_examples 'member validations' do ...@@ -37,17 +33,7 @@ RSpec.shared_examples 'member validations' do
entity.update(group: subgroup) if entity.is_a?(Project) entity.update(group: subgroup) if entity.is_a?(Project)
end end
it 'allows adding a group member without SSO enforced on subgroup' do
stub_feature_flags(enforced_sso: false, group: subgroup)
member = described_class.add_user(entity, create(:user), ProjectMember::DEVELOPER)
expect(member).to be_valid
end
it 'does not allow adding a group member with SSO enforced on subgroup' do it 'does not allow adding a group member with SSO enforced on subgroup' do
stub_feature_flags(enforced_sso: true, group: subgroup)
member = described_class.add_user(entity, create(:user), ProjectMember::DEVELOPER) member = described_class.add_user(entity, create(:user), ProjectMember::DEVELOPER)
expect(member).not_to be_valid expect(member).not_to be_valid
......
...@@ -10694,9 +10694,6 @@ msgstr "" ...@@ -10694,9 +10694,6 @@ msgstr ""
msgid "GroupSAML|Enforce SSO-only authentication for this group." msgid "GroupSAML|Enforce SSO-only authentication for this group."
msgstr "" msgstr ""
msgid "GroupSAML|Enforce SSO-only membership for this group."
msgstr ""
msgid "GroupSAML|Enforce users to have dedicated group managed accounts for this group." msgid "GroupSAML|Enforce users to have dedicated group managed accounts for this group."
msgstr "" msgstr ""
......
...@@ -51,7 +51,7 @@ module QA ...@@ -51,7 +51,7 @@ module QA
after do after do
page.visit Runtime::Scenario.gitlab_address page.visit Runtime::Scenario.gitlab_address
%w[enforced_sso enforced_sso_requires_session group_administration_nav_item].each do |flag| %w[group_administration_nav_item].each do |flag|
Runtime::Feature.remove(flag) Runtime::Feature.remove(flag)
end end
...@@ -64,7 +64,7 @@ module QA ...@@ -64,7 +64,7 @@ module QA
end end
def setup_and_enable_enforce_sso def setup_and_enable_enforce_sso
%w[enforced_sso enforced_sso_requires_session group_administration_nav_item].each do |flag| %w[group_administration_nav_item].each do |flag|
Runtime::Feature.enable_and_verify(flag) Runtime::Feature.enable_and_verify(flag)
end end
......
...@@ -85,7 +85,7 @@ module QA ...@@ -85,7 +85,7 @@ module QA
after(:all) do after(:all) do
page.visit Runtime::Scenario.gitlab_address page.visit Runtime::Scenario.gitlab_address
%w[enforced_sso enforced_sso_requires_session group_managed_accounts sign_up_on_sso group_scim group_administration_nav_item].each do |flag| %w[group_managed_accounts sign_up_on_sso group_scim group_administration_nav_item].each do |flag|
Runtime::Feature.remove(flag) Runtime::Feature.remove(flag)
end end
...@@ -119,7 +119,7 @@ module QA ...@@ -119,7 +119,7 @@ module QA
end end
def setup_and_enable_group_managed_accounts def setup_and_enable_group_managed_accounts
%w[enforced_sso enforced_sso_requires_session group_managed_accounts sign_up_on_sso group_scim group_administration_nav_item].each do |flag| %w[group_managed_accounts sign_up_on_sso group_scim group_administration_nav_item].each do |flag|
Runtime::Feature.enable_and_verify(flag) Runtime::Feature.enable_and_verify(flag)
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment