Merge branch 'skip-sso-validation-when-creating-group-access-tokens' into 'master'

Allow creating a group access token for a group with SSO enforcement See merge request gitlab-org/gitlab!75023

Merge branch 'skip-sso-validation-when-creating-group-access-tokens' into 'master'
Allow creating a group access token for a group with SSO enforcement See merge request gitlab-org/gitlab!75023
e38bb5d6 · Douglas Barbosa Alexandre · f202e1f7 · 96150fbc · e38bb5d6 · e38bb5d6
Commit e38bb5d6 authored Dec 01, 2021 by Douglas Barbosa Alexandre
6 changed files
--- a/ee/app/models/ee/group_member.rb
+++ b/ee/app/models/ee/group_member.rb
@@ -8,7 +8,7 @@ module EE
    prepended do
      include UsageStatistics

-      validate :sso_enforcement, if: :group
+      validate :sso_enforcement, if: -> { group && user }
      validate :group_domain_limitations, if: :group_has_domain_limitations?

      scope :by_group_ids, ->(group_ids) { where(source_id: group_ids) }

--- a/ee/app/models/ee/project_member.rb
+++ b/ee/app/models/ee/project_member.rb
@@ -7,7 +7,7 @@ module EE
    prepended do
      extend ::Gitlab::Utils::Override

-      validate :sso_enforcement, if: :group, unless: :project_bot
+      validate :sso_enforcement, if: -> { group && user }
      validate :gma_enforcement, if: :group, unless: :project_bot
      validate :group_domain_limitations, if: -> { group && group_has_domain_limitations? }, on: :create


--- a/ee/lib/gitlab/auth/group_saml/membership_enforcer.rb
+++ b/ee/lib/gitlab/auth/group_saml/membership_enforcer.rb
@@ -9,7 +9,8 @@ module Gitlab
        end

        def can_add_user?(user)
-          return true unless root_group&.saml_provider&.enforced_sso?
+          return true unless root_group.saml_provider&.enforced_sso?
+          return true if user.project_bot?

          GroupSamlIdentityFinder.new(user: user).find_linked(group: root_group)
        end
@@ -17,7 +18,7 @@ module Gitlab
        private

        def root_group
-          @root_group ||= @group&.root_ancestor
+          @root_group ||= @group.root_ancestor
        end
      end
    end

--- a/ee/spec/lib/gitlab/auth/group_saml/membership_enforcer_spec.rb
+++ b/ee/spec/lib/gitlab/auth/group_saml/membership_enforcer_spec.rb
@@ -10,13 +10,19 @@ RSpec.describe Gitlab::Auth::GroupSaml::MembershipEnforcer do
    allow_any_instance_of(SamlProvider).to receive(:enforced_sso?).and_return(true)
  end

-  it 'allows adding the group member' do
+  it 'allows adding a user linked to the SAML account as member' do
    expect(described_class.new(group).can_add_user?(user)).to be_truthy
  end

-  it 'does not add the group member' do
+  it 'does not allow adding a user not linked to the SAML account as member' do
    non_saml_user = create(:user)

    expect(described_class.new(group).can_add_user?(non_saml_user)).to be_falsey
  end
+
+  it 'allows adding a project bot as member' do
+    project_bot = create(:user, :project_bot)
+
+    expect(described_class.new(group).can_add_user?(project_bot)).to be_truthy
+  end
 end
--- a/ee/spec/models/project_member_spec.rb
+++ b/ee/spec/models/project_member_spec.rb
@@ -42,36 +42,6 @@ RSpec.describe ProjectMember do
      end
    end

-    context "for SSO enforced groups" do
-      let(:group) { create(:group, :private) }
-      let!(:saml_provider) { create(:saml_provider, group: group, enforced_sso: true) }
-      let(:identity) { create(:group_saml_identity, saml_provider: saml_provider) }
-
-      before do
-        stub_licensed_features(group_saml: true)
-      end
-
-      it 'allows adding a user linked to the SAML account as project member' do
-        sso_user = identity.user
-        member = entity.add_developer(sso_user)
-
-        expect(member).to be_valid
-      end
-
-      it 'does not allow adding a user not linked to the SAML account as a project member' do
-        member = entity.add_developer(create(:user))
-
-        expect(member).not_to be_valid
-        expect(member.errors.messages[:user]).to include('is not linked to a SAML account')
-      end
-
-      it 'allows adding a project bot' do
-        member = entity.add_developer(create(:user, :project_bot))
-
-        expect(member).to be_valid
-      end
-    end
-
    context 'enforced group managed account disabled' do
      it 'allows adding any user as project member' do
        member = entity.add_developer(create(:user))
@@ -79,14 +49,6 @@ RSpec.describe ProjectMember do
        expect(member).to be_valid
      end
    end
-
-    context 'enforced SSO disabled' do
-      it 'allows adding any user as project member' do
-        member = entity.add_developer(create(:user))
-
-        expect(member).to be_valid
-      end
-    end
  end

  describe '#group_domain_validations' do

--- a/ee/spec/support/shared_examples/models/member_shared_examples.rb
+++ b/ee/spec/support/shared_examples/models/member_shared_examples.rb
@@ -13,19 +13,25 @@ RSpec.shared_examples 'member validations' do
          allow_any_instance_of(SamlProvider).to receive(:enforced_sso?).and_return(true)
        end

-        it 'allows adding the group member' do
+        it 'allows adding a user linked to the SAML account as member' do
          member = entity.add_user(user, Member::DEVELOPER)

          expect(member).to be_valid
        end

-        it 'does not add the group member' do
+        it 'does not allow adding a user not linked to the SAML account as member' do
          member = entity.add_user(create(:user), Member::DEVELOPER)

          expect(member).not_to be_valid
          expect(member.errors.messages[:user]).to eq(['is not linked to a SAML account'])
        end

+        it 'allows adding a project bot as member' do
+          member = entity.add_user(create(:user, :project_bot), Member::DEVELOPER)
+
+          expect(member).to be_valid
+        end
+
        context 'subgroups' do
          let!(:subgroup) { create(:group, parent: group) }