Merge branch 'jej/sso-page-for-group-saml' into 'master'

Group SAML SSO Page (But not the parts to make the sign in button work) See merge request gitlab-org/gitlab-ee!5508

Merge branch 'jej/sso-page-for-group-saml' into 'master'
Group SAML SSO Page (But not the parts to make the sign in button work) See merge request gitlab-org/gitlab-ee!5508
d5b77d24 · Douwe Maan · 3972b2d0 · 043b76fd · d5b77d24 · d5b77d24
Commit d5b77d24 authored May 04, 2018 by Douwe Maan
8 changed files
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -886,6 +886,7 @@ test:
    external_providers: []

    providers:
+      - { name: 'group_saml' }
      - { name: 'cas3',
          label: 'cas3',
          args: { url: 'https://sso.example.com',

--- a/ee/app/controllers/groups/sso_controller.rb
+++ b/ee/app/controllers/groups/sso_controller.rb
+class Groups::SsoController < Groups::ApplicationController
+  skip_before_action :group
+  before_action :unauthenticated_group
+  before_action :check_group_saml_configured
+  before_action :check_group_saml_available!
+  before_action :check_group_saml_beta_enabled
+  before_action :require_configured_provider
+  before_action :check_user_can_sign_in_with_provider
+  before_action :redirect_if_group_moved
+
+  layout 'devise'
+
+  def saml
+    @group_path = params[:group_id]
+    @group_name = @unauthenticated_group.full_name
+  end
+
+  private
+
+  def check_group_saml_available!
+    route_not_found unless @unauthenticated_group.feature_available?(:group_saml)
+  end
+
+  def check_group_saml_configured
+    route_not_found unless Gitlab::Auth::GroupSaml::Config.enabled?
+  end
+
+  def check_group_saml_beta_enabled
+    route_not_found unless Gitlab::Utils.to_boolean(cookies['enable_group_saml'])
+  end
+
+  def unauthenticated_group
+    @unauthenticated_group = Group.find_by_full_path(params[:group_id], follow_redirects: true)
+
+    route_not_found unless @unauthenticated_group
+  end
+
+  def require_configured_provider
+    return if @unauthenticated_group.saml_provider
+
+    if can?(current_user, :admin_group_saml, @unauthenticated_group)
+      flash[:notice] = 'SAML sign on has not been configured for this group'
+
+      redirect_to [@unauthenticated_group, :saml_providers]
+    else
+      route_not_found
+    end
+  end
+
+  def check_user_can_sign_in_with_provider
+    route_not_found unless can?(current_user, :sign_in_with_saml_provider, @unauthenticated_group.saml_provider)
+  end
+
+  def redirect_if_group_moved
+    ensure_canonical_path(@unauthenticated_group, params[:group_id])
+  end
+end
--- a/ee/app/helpers/ee/saml_providers_helper.rb
+++ b/ee/app/helpers/ee/saml_providers_helper.rb
@@ -12,6 +12,10 @@ module EE
      group_saml_enabled? && !group.subgroup? && can?(current_user, :admin_group_saml, group)
    end

+    def saml_link_for_provider(text, provider, *args)
+      saml_link(text, provider.group.full_path, *args)
+    end
+
    def saml_link(text, group_path, redirect: nil, html_class: 'btn')
      redirect ||= group_path(group_path)
      url = omniauth_authorize_path(:user, :group_saml, group_path: group_path, redirect_to: redirect)

--- a/ee/app/policies/saml_provider_policy.rb
+++ b/ee/app/policies/saml_provider_policy.rb
+class SamlProviderPolicy < BasePolicy
+  rule { ~anonymous }.enable :sign_in_with_saml_provider
+end
--- a/ee/app/views/groups/sso/saml.html.haml
+++ b/ee/app/views/groups/sso/saml.html.haml
+- page_title = _('SAML SSO for %{group_name}') % { group_name: @group_name }
+
+= render 'devise/shared/tab_single', tab_title: _('SAML SSO')
+.login-box
+  .login-body
+    %h4= _("Sign in to %{group_name}") % { group_name: @group_name }
+
+    %p= _("This group allows you to sign in with your %{group_name} Single Sign-On account. This will redirect you to an external sign in page.") % { group_name: @group_name }
+
+    = saml_link _('Sign in with Single Sign-On'), @group_path, html_class: 'btn btn-save btn-block'
--- a/ee/changelogs/unreleased/jej-sso-page-for-group-saml.yml
+++ b/ee/changelogs/unreleased/jej-sso-page-for-group-saml.yml
+---
+title: Adds SSO page for GitLab.com per group SAML beta
+merge_request: 5508
+author:
+type: changed
--- a/ee/spec/controllers/groups/sso_controller_spec.rb
+++ b/ee/spec/controllers/groups/sso_controller_spec.rb
+require 'spec_helper'
+
+describe Groups::SsoController do
+  include CookieHelper
+
+  let(:user) { create(:user) }
+  let(:group) { create(:group, :private, name: 'our-group') }
+  let(:enable_group_saml_cookie) { 'true' }
+
+  before do
+    request.cookies['enable_group_saml'] = enable_group_saml_cookie
+    stub_licensed_features(group_saml: true)
+    allow(Devise).to receive(:omniauth_providers).and_return(%i(group_saml))
+    sign_in(user)
+  end
+
+  context 'SAML configured' do
+    let!(:saml_provider) { create(:saml_provider, group: group) }
+
+    it 'has status 200' do
+      get :saml, group_id: group
+
+      expect(response).to have_gitlab_http_status(200)
+    end
+
+    it 'passes group name to the view' do
+      get :saml, group_id: group
+
+      expect(assigns[:group_name]).to eq 'our-group'
+    end
+
+    context 'when beta cookie not set' do
+      let(:enable_group_saml_cookie) { 'false' }
+
+      it 'renders 404' do
+        get :saml, group_id: group
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+    end
+
+    context 'when user is not signed in' do
+      it 'acts as route not found' do
+        sign_out(user)
+
+        get :saml, group_id: group
+
+        expect(response).to redirect_to(new_user_session_path)
+      end
+    end
+
+    context 'when group has moved' do
+      let(:redirect_route) { group.redirect_routes.create(path: 'old-path') }
+
+      it 'redirects to new location' do
+        get :saml, group_id: redirect_route.path
+
+        expect(response).to redirect_to(sso_group_saml_providers_path(group))
+      end
+    end
+  end
+
+  context 'saml_provider is unconfigured for the group' do
+    context 'when user cannot configure Group SAML' do
+      it 'renders 404' do
+        get :saml, group_id: group
+
+        expect(response).to have_gitlab_http_status(404)
+      end
+    end
+
+    context 'when user can admin group_saml' do
+      before do
+        group.add_owner(user)
+      end
+
+      it 'redirects to the Group SAML config page' do
+        get :saml, group_id: group
+
+        expect(response).to redirect_to(group_saml_providers_path)
+      end
+
+      it 'sets a flash message explaining that setup is required' do
+        get :saml, group_id: group
+
+        expect(flash[:notice]).to match /not been configured/
+      end
+    end
+  end
+
+  context 'group does not exist' do
+    it 'renders 404' do
+      get :saml, group_id: 'not-a-group'
+
+      expect(response).to have_gitlab_http_status(404)
+    end
+
+    context 'when user is not signed in' do
+      it 'acts as route not found' do
+        sign_out(user)
+
+        get :saml, group_id: 'not-a-group'
+
+        expect(response).to redirect_to(new_user_session_path)
+      end
+    end
+  end
+end
--- a/ee/spec/features/groups/saml_providers_spec.rb
+++ b/ee/spec/features/groups/saml_providers_spec.rb
@@ -5,6 +5,7 @@ feature 'SAML provider settings' do

  let(:user) { create(:user) }
  let(:group) { create(:group) }
+  let(:callback_path) { "/groups/#{group.path}/-/saml/callback" }

  before do
    set_beta_cookie
@@ -22,7 +23,6 @@ feature 'SAML provider settings' do
  end

  def stub_saml_config
-    stub_saml_authorize_path_helpers
    stub_licensed_features(group_saml: true)
    allow(Devise).to receive(:omniauth_providers).and_return(%i(group_saml))
  end
@@ -78,4 +78,90 @@ feature 'SAML provider settings' do
      end
    end
  end
+
+  describe '#sso' do
+    context 'with no SAML provider configured' do
+      it 'acts as if the group was not found' do
+        visit sso_group_saml_providers_path(group)
+
+        expect(current_path).to eq(new_user_session_path)
+      end
+
+      context 'as owner' do
+        before do
+          sign_in(user)
+        end
+
+        it 'redirects to settings page with warning' do
+          visit sso_group_saml_providers_path(group)
+
+          expect(current_path).to eq group_saml_providers_path(group)
+          expect(page).to have_content 'SAML sign on has not been configured for this group'
+        end
+      end
+    end
+
+    context 'with existing SAML provider' do
+      let!(:saml_provider) { create(:saml_provider, group: group) }
+
+      before do
+        allow_any_instance_of(OmniAuth::Strategies::GroupSaml).to receive(:callback_url) { callback_path }
+      end
+
+      context 'when not signed in' do
+        it "doesn't show sso page" do
+          visit sso_group_saml_providers_path(group)
+
+          expect(current_path).to eq(new_user_session_path)
+        end
+      end
+
+      context 'when signed in' do
+        before do
+          sign_in(user)
+
+          visit sso_group_saml_providers_path(group)
+        end
+
+        it 'Sign in button redirects to auth flow and back to group' do
+          click_link 'Sign in with Single Sign-On'
+
+          expect(current_path).to eq callback_path
+        end
+      end
+
+      context 'for a private group' do
+        let(:group) { create(:group, :private) }
+
+        context 'when not signed in' do
+          it "doesn't show sso page" do
+            visit sso_group_saml_providers_path(group)
+
+            expect(current_path).to eq(new_user_session_path)
+          end
+        end
+
+        context 'when signed in' do
+          before do
+            sign_in(user)
+
+            visit sso_group_saml_providers_path(group)
+          end
+
+          it 'displays sign in button' do
+            expect(current_path).to eq sso_group_saml_providers_path(group)
+
+            within '.login-box' do
+              expect(page).to have_link 'Sign in with Single Sign-On'
+            end
+          end
+
+          it "doesn't leak group information" do
+            expect(page).not_to have_selector('.group-avatar')
+            expect(page).not_to have_selector('.nav-sidebar')
+          end
+        end
+      end
+    end
+  end
 end