Improve feature spec coverage for Enforced SSO Access

Also remove the tests from end-to-end level

Improve feature spec coverage for Enforced SSO Access
Also remove the tests from end-to-end level
f3a0d244 · Sanad Liaquat · Mark Lapierre · 0f9003c7 · f3a0d244 · f3a0d244
Commit f3a0d244 authored Apr 09, 2020 by Sanad Liaquat Committed by Mark Lapierre Apr 09, 2020
2 changed files
--- a/ee/spec/features/groups/saml_enforcement_spec.rb
+++ b/ee/spec/features/groups/saml_enforcement_spec.rb
@@ -4,6 +4,9 @@ require 'spec_helper'

 describe 'SAML access enforcement' do
  let(:group) { create(:group, :private, name: 'The Group Name') }
+  let(:sub_group) { create(:group, :private, name: 'The Subgroup Name', parent: group) }
+  let(:project) { create(:project, :private, name: 'The Project Name', namespace: group) }
+  let(:sub_group_project) { create(:project, name: 'The Subgroup Project Name', group: sub_group) }
  let(:saml_provider) { create(:saml_provider, group: group, enforced_sso: true) }
  let(:identity) { create(:group_saml_identity, saml_provider: saml_provider) }
  let(:user) { identity.user }
@@ -16,27 +19,85 @@ describe 'SAML access enforcement' do
  end

  context 'without SAML session' do
-    it 'prevents access to group resources via SSO redirect' do
-      visit group_path(group)
+    shared_examples 'resource access' do
+      before do
+        visit resource_path
+      end

-      expect(page).to have_content("SAML SSO Sign in to \"#{group.name}\"")
-      expect(current_url).to match(/groups\/#{group.to_param}\/-\/saml\/sso\?redirect=.+&token=/)
+      it 'prevents access to resource via SSO redirect' do
+        expect(page).to have_content("SAML SSO Sign in to \"#{group.name}\"")
+        expect(current_url).to match(/groups\/#{group.to_param}\/-\/saml\/sso\?redirect=.+&token=/)
+      end
+    end
+
+    context 'group resources' do
+      it_behaves_like 'resource access' do
+        let(:resource_path) { group_path(group) }
+      end
+    end
+
+    context 'subgroup resources' do
+      it_behaves_like 'resource access' do
+        let(:resource_path) { group_path(sub_group) }
+      end
+    end
+
+    context 'project resources' do
+      it_behaves_like 'resource access' do
+        let(:resource_path) { project_path(project) }
+      end
+    end
+
+    context 'subgroup project resources' do
+      it_behaves_like 'resource access' do
+        let(:resource_path) { project_path(sub_group_project) }
+      end
    end
  end

  context 'with active SAML login from session' do
-    before do
-      dummy_session = { active_group_sso_sign_ins: { saml_provider.id => DateTime.now } }
-      allow(Gitlab::Session).to receive(:current).and_return(dummy_session)
+    shared_examples 'resource access' do
+      before do
+        dummy_session = { active_group_sso_sign_ins: { saml_provider.id => DateTime.now } }
+        allow(Gitlab::Session).to receive(:current).and_return(dummy_session)
+
+        visit resource_path
+      end
+
+      it 'allows access to resource' do
+        expect(page).not_to have_content('Page Not Found')
+        expect(page).not_to have_content('SAML SSO Sign')
+        expect(page).to have_content(resource_name)
+        expect(current_path).to eq(resource_path)
+      end
+    end
+
+    context 'group resources' do
+      it_behaves_like 'resource access' do
+        let(:resource_path) { group_path(group) }
+        let(:resource_name) { group.name }
+      end
    end

-    it 'allows access to group resources' do
-      visit group_path(group)
+    context 'subgroup resources' do
+      it_behaves_like 'resource access' do
+        let(:resource_path) { group_path(sub_group) }
+        let(:resource_name) { sub_group.name }
+      end
+    end
+
+    context 'project resources' do
+      it_behaves_like 'resource access' do
+        let(:resource_path) { project_path(project) }
+        let(:resource_name) { project.name }
+      end
+    end

-      expect(page).not_to have_content('Page Not Found')
-      expect(page).not_to have_content('SAML SSO Sign')
-      expect(page).to have_content(group.name)
-      expect(current_path).to eq(group_path(group))
+    context 'subgroup project resources' do
+      it_behaves_like 'resource access' do
+        let(:resource_path) { project_path(sub_group_project) }
+        let(:resource_name) { sub_group_project.name }
+      end
    end
  end
 end
--- a/qa/qa/specs/features/ee/browser_ui/1_manage/group/group_saml_enforced_sso_spec.rb
+++ b/qa/qa/specs/features/ee/browser_ui/1_manage/group/group_saml_enforced_sso_spec.rb
@@ -5,7 +5,7 @@ module QA
    describe 'Group SAML SSO - Enforced SSO' do
      include Support::Api

-      before(:all) do
+      before do
        Support::Retrier.retry_on_exception do
          Flow::Saml.remove_saml_idp_service(@saml_idp_service) if @saml_idp_service

@@ -20,85 +20,11 @@ module QA
          @saml_idp_service = Flow::Saml.run_saml_idp_service(@group.path)

          @managed_group_url = setup_and_enable_enforce_sso
-        end
-      end
-
-      before do
-        Flow::Saml.logout_from_idp(@saml_idp_service)
-
-        page.visit Runtime::Scenario.gitlab_address
-        Page::Main::Menu.perform(&:sign_out_if_signed_in)
-      end
-
-      context 'Access', quarantine: { issue: 'https://gitlab.com/gitlab-org/gitlab/issues/205455', type: :flaky } do
-        let(:project) do
-          Resource::Project.fabricate! do |project|
-            project.name = 'project-in-saml-enforced-group-for-access-test'
-            project.description = 'project in SAML enforced group for access test'
-            project.group = @group
-            project.initialize_with_readme = true
-            project.visibility = 'private'
-          end
-        end
-
-        let(:sub_group) do
-          Resource::Group.fabricate_via_api! do |group|
-            group.sandbox = @group
-            group.path = "saml-sub-group"
-          end
-        end
-
-        let(:sub_group_project) do
-          Resource::Project.fabricate! do |project|
-            project.name = 'sub-group-project-in-saml-enforced-group-for-access-test'
-            project.description = 'Sub Group project in SAML enforced group for access test'
-            project.group = sub_group
-            project.initialize_with_readme = true
-            project.visibility = 'private'
-          end
-        end

-        shared_examples 'user access' do
-          it 'is not allowed without SSO' do
-            Page::Main::Login.perform do |login|
-              login.sign_in_using_credentials(user: user)
-            end
+          Flow::Saml.logout_from_idp(@saml_idp_service)

-            expected_single_signon_text = 'group allows you to sign in with your Single Sign-On Account'
-
-            @group.visit!
-
-            expect(page).to have_content(expected_single_signon_text)
-
-            sub_group.visit!
-
-            expect(page).to have_content(expected_single_signon_text)
-
-            project.visit!
-
-            expect(page).to have_content(expected_single_signon_text)
-
-            sub_group_project.visit!
-
-            expect(page).to have_content(expected_single_signon_text)
-          end
-        end
-
-        before(:all) do
-          @owner_user = Resource::User.fabricate_via_api!
-
-          @group.add_member(@owner_user, Resource::Members::AccessLevel::OWNER)
-        end
-
-        after(:all) do
-          @group.remove_member(@owner_user) if @owner_user
-        end
-
-        it_behaves_like 'user access' do
-          let(:user) { @developer_user }
-        end
-        it_behaves_like 'user access' do
-          let(:user) { @owner_user }
+          page.visit Runtime::Scenario.gitlab_address
+          Page::Main::Menu.perform(&:sign_out_if_signed_in)
        end
      end

@@ -123,7 +49,7 @@ module QA
        end.not_to raise_error
      end

-      after(:all) do
+      after do
        page.visit Runtime::Scenario.gitlab_address
        %w[enforced_sso enforced_sso_requires_session].each do |flag|
          Runtime::Feature.remove(flag)