Commit d5b77d24 authored by Douwe Maan's avatar Douwe Maan

Merge branch 'jej/sso-page-for-group-saml' into 'master'

Group SAML SSO Page (But not the parts to make the sign in button work)

See merge request gitlab-org/gitlab-ee!5508
parents 3972b2d0 043b76fd
...@@ -886,6 +886,7 @@ test: ...@@ -886,6 +886,7 @@ test:
external_providers: [] external_providers: []
providers: providers:
- { name: 'group_saml' }
- { name: 'cas3', - { name: 'cas3',
label: 'cas3', label: 'cas3',
args: { url: 'https://sso.example.com', args: { url: 'https://sso.example.com',
......
class Groups::SsoController < Groups::ApplicationController
skip_before_action :group
before_action :unauthenticated_group
before_action :check_group_saml_configured
before_action :check_group_saml_available!
before_action :check_group_saml_beta_enabled
before_action :require_configured_provider
before_action :check_user_can_sign_in_with_provider
before_action :redirect_if_group_moved
layout 'devise'
def saml
@group_path = params[:group_id]
@group_name = @unauthenticated_group.full_name
end
private
def check_group_saml_available!
route_not_found unless @unauthenticated_group.feature_available?(:group_saml)
end
def check_group_saml_configured
route_not_found unless Gitlab::Auth::GroupSaml::Config.enabled?
end
def check_group_saml_beta_enabled
route_not_found unless Gitlab::Utils.to_boolean(cookies['enable_group_saml'])
end
def unauthenticated_group
@unauthenticated_group = Group.find_by_full_path(params[:group_id], follow_redirects: true)
route_not_found unless @unauthenticated_group
end
def require_configured_provider
return if @unauthenticated_group.saml_provider
if can?(current_user, :admin_group_saml, @unauthenticated_group)
flash[:notice] = 'SAML sign on has not been configured for this group'
redirect_to [@unauthenticated_group, :saml_providers]
else
route_not_found
end
end
def check_user_can_sign_in_with_provider
route_not_found unless can?(current_user, :sign_in_with_saml_provider, @unauthenticated_group.saml_provider)
end
def redirect_if_group_moved
ensure_canonical_path(@unauthenticated_group, params[:group_id])
end
end
...@@ -12,6 +12,10 @@ module EE ...@@ -12,6 +12,10 @@ module EE
group_saml_enabled? && !group.subgroup? && can?(current_user, :admin_group_saml, group) group_saml_enabled? && !group.subgroup? && can?(current_user, :admin_group_saml, group)
end end
def saml_link_for_provider(text, provider, *args)
saml_link(text, provider.group.full_path, *args)
end
def saml_link(text, group_path, redirect: nil, html_class: 'btn') def saml_link(text, group_path, redirect: nil, html_class: 'btn')
redirect ||= group_path(group_path) redirect ||= group_path(group_path)
url = omniauth_authorize_path(:user, :group_saml, group_path: group_path, redirect_to: redirect) url = omniauth_authorize_path(:user, :group_saml, group_path: group_path, redirect_to: redirect)
......
class SamlProviderPolicy < BasePolicy
rule { ~anonymous }.enable :sign_in_with_saml_provider
end
- page_title = _('SAML SSO for %{group_name}') % { group_name: @group_name }
= render 'devise/shared/tab_single', tab_title: _('SAML SSO')
.login-box
.login-body
%h4= _("Sign in to %{group_name}") % { group_name: @group_name }
%p= _("This group allows you to sign in with your %{group_name} Single Sign-On account. This will redirect you to an external sign in page.") % { group_name: @group_name }
= saml_link _('Sign in with Single Sign-On'), @group_path, html_class: 'btn btn-save btn-block'
---
title: Adds SSO page for GitLab.com per group SAML beta
merge_request: 5508
author:
type: changed
require 'spec_helper'
describe Groups::SsoController do
include CookieHelper
let(:user) { create(:user) }
let(:group) { create(:group, :private, name: 'our-group') }
let(:enable_group_saml_cookie) { 'true' }
before do
request.cookies['enable_group_saml'] = enable_group_saml_cookie
stub_licensed_features(group_saml: true)
allow(Devise).to receive(:omniauth_providers).and_return(%i(group_saml))
sign_in(user)
end
context 'SAML configured' do
let!(:saml_provider) { create(:saml_provider, group: group) }
it 'has status 200' do
get :saml, group_id: group
expect(response).to have_gitlab_http_status(200)
end
it 'passes group name to the view' do
get :saml, group_id: group
expect(assigns[:group_name]).to eq 'our-group'
end
context 'when beta cookie not set' do
let(:enable_group_saml_cookie) { 'false' }
it 'renders 404' do
get :saml, group_id: group
expect(response).to have_gitlab_http_status(404)
end
end
context 'when user is not signed in' do
it 'acts as route not found' do
sign_out(user)
get :saml, group_id: group
expect(response).to redirect_to(new_user_session_path)
end
end
context 'when group has moved' do
let(:redirect_route) { group.redirect_routes.create(path: 'old-path') }
it 'redirects to new location' do
get :saml, group_id: redirect_route.path
expect(response).to redirect_to(sso_group_saml_providers_path(group))
end
end
end
context 'saml_provider is unconfigured for the group' do
context 'when user cannot configure Group SAML' do
it 'renders 404' do
get :saml, group_id: group
expect(response).to have_gitlab_http_status(404)
end
end
context 'when user can admin group_saml' do
before do
group.add_owner(user)
end
it 'redirects to the Group SAML config page' do
get :saml, group_id: group
expect(response).to redirect_to(group_saml_providers_path)
end
it 'sets a flash message explaining that setup is required' do
get :saml, group_id: group
expect(flash[:notice]).to match /not been configured/
end
end
end
context 'group does not exist' do
it 'renders 404' do
get :saml, group_id: 'not-a-group'
expect(response).to have_gitlab_http_status(404)
end
context 'when user is not signed in' do
it 'acts as route not found' do
sign_out(user)
get :saml, group_id: 'not-a-group'
expect(response).to redirect_to(new_user_session_path)
end
end
end
end
...@@ -5,6 +5,7 @@ feature 'SAML provider settings' do ...@@ -5,6 +5,7 @@ feature 'SAML provider settings' do
let(:user) { create(:user) } let(:user) { create(:user) }
let(:group) { create(:group) } let(:group) { create(:group) }
let(:callback_path) { "/groups/#{group.path}/-/saml/callback" }
before do before do
set_beta_cookie set_beta_cookie
...@@ -22,7 +23,6 @@ feature 'SAML provider settings' do ...@@ -22,7 +23,6 @@ feature 'SAML provider settings' do
end end
def stub_saml_config def stub_saml_config
stub_saml_authorize_path_helpers
stub_licensed_features(group_saml: true) stub_licensed_features(group_saml: true)
allow(Devise).to receive(:omniauth_providers).and_return(%i(group_saml)) allow(Devise).to receive(:omniauth_providers).and_return(%i(group_saml))
end end
...@@ -78,4 +78,90 @@ feature 'SAML provider settings' do ...@@ -78,4 +78,90 @@ feature 'SAML provider settings' do
end end
end end
end end
describe '#sso' do
context 'with no SAML provider configured' do
it 'acts as if the group was not found' do
visit sso_group_saml_providers_path(group)
expect(current_path).to eq(new_user_session_path)
end
context 'as owner' do
before do
sign_in(user)
end
it 'redirects to settings page with warning' do
visit sso_group_saml_providers_path(group)
expect(current_path).to eq group_saml_providers_path(group)
expect(page).to have_content 'SAML sign on has not been configured for this group'
end
end
end
context 'with existing SAML provider' do
let!(:saml_provider) { create(:saml_provider, group: group) }
before do
allow_any_instance_of(OmniAuth::Strategies::GroupSaml).to receive(:callback_url) { callback_path }
end
context 'when not signed in' do
it "doesn't show sso page" do
visit sso_group_saml_providers_path(group)
expect(current_path).to eq(new_user_session_path)
end
end
context 'when signed in' do
before do
sign_in(user)
visit sso_group_saml_providers_path(group)
end
it 'Sign in button redirects to auth flow and back to group' do
click_link 'Sign in with Single Sign-On'
expect(current_path).to eq callback_path
end
end
context 'for a private group' do
let(:group) { create(:group, :private) }
context 'when not signed in' do
it "doesn't show sso page" do
visit sso_group_saml_providers_path(group)
expect(current_path).to eq(new_user_session_path)
end
end
context 'when signed in' do
before do
sign_in(user)
visit sso_group_saml_providers_path(group)
end
it 'displays sign in button' do
expect(current_path).to eq sso_group_saml_providers_path(group)
within '.login-box' do
expect(page).to have_link 'Sign in with Single Sign-On'
end
end
it "doesn't leak group information" do
expect(page).not_to have_selector('.group-avatar')
expect(page).not_to have_selector('.nav-sidebar')
end
end
end
end
end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment