Merge branch 'dblessing_saml_group_sync_ultimate' into 'master'

Create Group SAML Group Sync as a Gold subscription feature

See merge request gitlab-org/gitlab!46490

ee/app/models/license.rb

@@ -139,6 +139,7 @@ class License < ApplicationRecord
     personal_access_token_api_management
     personal_access_token_expiration_policy
     enforce_pat_expiration
+    group_saml_group_sync
     prometheus_alerts
     pseudonymizer
     release_evidence_test_artifacts

ee/app/policies/ee/group_policy.rb

@@ -81,6 +81,10 @@ module EE
         @subject.saml_enabled?
       end
 
+      condition(:group_saml_group_sync_available, scope: :subject) do
+        @subject.feature_available?(:group_saml_group_sync)
+      end
+
       condition(:group_timelogs_available) do
         @subject.feature_available?(:group_timelogs)
       end
@@ -208,7 +212,9 @@ module EE
 
       rule { group_saml_config_enabled & group_saml_available & (admin | owner) }.enable :admin_group_saml
 
-      rule { group_saml_enabled & can?(:admin_group_saml) }.enable :admin_saml_group_links
+      rule { group_saml_group_sync_available & group_saml_enabled & can?(:admin_group_saml) }.policy do
+        enable :admin_saml_group_links
+      end
 
       rule { admin | (can_owners_manage_ldap & owner) }.policy do
         enable :admin_ldap_group_links

ee/spec/controllers/groups/saml_group_links_controller_spec.rb

@@ -11,7 +11,7 @@ RSpec.describe Groups::SamlGroupLinksController do
   end
 
   before do
-    stub_licensed_features(group_saml: true)
+    stub_licensed_features(group_saml: true, group_saml_group_sync: true)
     stub_feature_flags(saml_group_links: true)
 
     sign_in(user)

ee/spec/features/groups/saml_group_links_spec.rb

@@ -13,7 +13,7 @@ RSpec.describe 'SAML group links' do
 
   context 'when SAML group links is available' do
     before do
-      stub_licensed_features(group_saml: true)
+      stub_licensed_features(group_saml: true, group_saml_group_sync: true)
       stub_feature_flags(saml_group_links: true)
 
       create(:saml_provider, group: group, enabled: true)

ee/spec/policies/group_policy_spec.rb

@@ -327,48 +327,77 @@ RSpec.describe GroupPolicy do
         stub_licensed_features(group_saml: true)
       end
 
-      context 'without an enabled SAML provider' do
-        context 'maintainer' do
-          let(:current_user) { maintainer }
+      context 'when group_saml_group_sync is not licensed' do
+        context 'with an enabled SAML provider' do
+          let_it_be(:saml_provider) { create(:saml_provider, group: group, enabled: true) }
 
-          it { is_expected.to be_disallowed(:admin_group_saml) }
-          it { is_expected.to be_disallowed(:admin_saml_group_links) }
-        end
+          context 'owner' do
+            let(:current_user) { owner }
 
-        context 'owner' do
-          let(:current_user) { owner }
+            it { is_expected.to be_disallowed(:admin_saml_group_links) }
+          end
 
-          it { is_expected.to be_allowed(:admin_group_saml) }
-          it { is_expected.to be_disallowed(:admin_saml_group_links) }
+          context 'admin' do
+            let(:current_user) { admin }
+
+            it { is_expected.to be_disallowed(:admin_saml_group_links) }
+          end
         end
+      end
 
-        context 'admin' do
-          let(:current_user) { admin }
+      context 'when group_saml_group_sync is licensed' do
+        before do
+          stub_application_setting(check_namespace_plan: true)
+        end
 
-          it { is_expected.to be_allowed(:admin_group_saml) }
-          it { is_expected.to be_disallowed(:admin_saml_group_links) }
+        before_all do
+          create(:license, plan: License::ULTIMATE_PLAN)
+          create(:gitlab_subscription, :gold, namespace: group)
         end
-      end
 
-      context 'with an enabled SAML provider' do
-        let_it_be(:saml_provider) { create(:saml_provider, group: group, enabled: true) }
+        context 'without an enabled SAML provider' do
+          context 'maintainer' do
+            let(:current_user) { maintainer }
 
-        context 'maintainer' do
-          let(:current_user) { maintainer }
+            it { is_expected.to be_disallowed(:admin_group_saml) }
+            it { is_expected.to be_disallowed(:admin_saml_group_links) }
+          end
 
-          it { is_expected.to be_disallowed(:admin_saml_group_links) }
-        end
+          context 'owner' do
+            let(:current_user) { owner }
 
-        context 'owner' do
-          let(:current_user) { owner }
+            it { is_expected.to be_allowed(:admin_group_saml) }
+            it { is_expected.to be_disallowed(:admin_saml_group_links) }
+          end
+
+          context 'admin' do
+            let(:current_user) { admin }
 
-          it { is_expected.to be_allowed(:admin_saml_group_links) }
+            it { is_expected.to be_allowed(:admin_group_saml) }
+            it { is_expected.to be_disallowed(:admin_saml_group_links) }
+          end
         end
 
-        context 'admin' do
-          let(:current_user) { admin }
+        context 'with an enabled SAML provider' do
+          let_it_be(:saml_provider) { create(:saml_provider, group: group, enabled: true) }
+
+          context 'maintainer' do
+            let(:current_user) { maintainer }
+
+            it { is_expected.to be_disallowed(:admin_saml_group_links) }
+          end
 
-          it { is_expected.to be_allowed(:admin_saml_group_links) }
+          context 'owner' do
+            let(:current_user) { owner }
+
+            it { is_expected.to be_allowed(:admin_saml_group_links) }
+          end
+
+          context 'admin' do
+            let(:current_user) { admin }
+
+            it { is_expected.to be_allowed(:admin_saml_group_links) }
+          end
         end
       end