Commit f3a0d244 authored by Sanad Liaquat's avatar Sanad Liaquat Committed by Mark Lapierre

Improve feature spec coverage for Enforced SSO Access

Also remove the tests from end-to-end level
parent 0f9003c7
......@@ -4,6 +4,9 @@ require 'spec_helper'
describe 'SAML access enforcement' do
let(:group) { create(:group, :private, name: 'The Group Name') }
let(:sub_group) { create(:group, :private, name: 'The Subgroup Name', parent: group) }
let(:project) { create(:project, :private, name: 'The Project Name', namespace: group) }
let(:sub_group_project) { create(:project, name: 'The Subgroup Project Name', group: sub_group) }
let(:saml_provider) { create(:saml_provider, group: group, enforced_sso: true) }
let(:identity) { create(:group_saml_identity, saml_provider: saml_provider) }
let(:user) { identity.user }
......@@ -16,27 +19,85 @@ describe 'SAML access enforcement' do
end
context 'without SAML session' do
it 'prevents access to group resources via SSO redirect' do
visit group_path(group)
shared_examples 'resource access' do
before do
visit resource_path
end
it 'prevents access to resource via SSO redirect' do
expect(page).to have_content("SAML SSO Sign in to \"#{group.name}\"")
expect(current_url).to match(/groups\/#{group.to_param}\/-\/saml\/sso\?redirect=.+&token=/)
end
end
context 'group resources' do
it_behaves_like 'resource access' do
let(:resource_path) { group_path(group) }
end
end
context 'subgroup resources' do
it_behaves_like 'resource access' do
let(:resource_path) { group_path(sub_group) }
end
end
context 'project resources' do
it_behaves_like 'resource access' do
let(:resource_path) { project_path(project) }
end
end
context 'subgroup project resources' do
it_behaves_like 'resource access' do
let(:resource_path) { project_path(sub_group_project) }
end
end
end
context 'with active SAML login from session' do
shared_examples 'resource access' do
before do
dummy_session = { active_group_sso_sign_ins: { saml_provider.id => DateTime.now } }
allow(Gitlab::Session).to receive(:current).and_return(dummy_session)
end
it 'allows access to group resources' do
visit group_path(group)
visit resource_path
end
it 'allows access to resource' do
expect(page).not_to have_content('Page Not Found')
expect(page).not_to have_content('SAML SSO Sign')
expect(page).to have_content(group.name)
expect(current_path).to eq(group_path(group))
expect(page).to have_content(resource_name)
expect(current_path).to eq(resource_path)
end
end
context 'group resources' do
it_behaves_like 'resource access' do
let(:resource_path) { group_path(group) }
let(:resource_name) { group.name }
end
end
context 'subgroup resources' do
it_behaves_like 'resource access' do
let(:resource_path) { group_path(sub_group) }
let(:resource_name) { sub_group.name }
end
end
context 'project resources' do
it_behaves_like 'resource access' do
let(:resource_path) { project_path(project) }
let(:resource_name) { project.name }
end
end
context 'subgroup project resources' do
it_behaves_like 'resource access' do
let(:resource_path) { project_path(sub_group_project) }
let(:resource_name) { sub_group_project.name }
end
end
end
end
......@@ -5,7 +5,7 @@ module QA
describe 'Group SAML SSO - Enforced SSO' do
include Support::Api
before(:all) do
before do
Support::Retrier.retry_on_exception do
Flow::Saml.remove_saml_idp_service(@saml_idp_service) if @saml_idp_service
......@@ -20,86 +20,12 @@ module QA
@saml_idp_service = Flow::Saml.run_saml_idp_service(@group.path)
@managed_group_url = setup_and_enable_enforce_sso
end
end
before do
Flow::Saml.logout_from_idp(@saml_idp_service)
page.visit Runtime::Scenario.gitlab_address
Page::Main::Menu.perform(&:sign_out_if_signed_in)
end
context 'Access', quarantine: { issue: 'https://gitlab.com/gitlab-org/gitlab/issues/205455', type: :flaky } do
let(:project) do
Resource::Project.fabricate! do |project|
project.name = 'project-in-saml-enforced-group-for-access-test'
project.description = 'project in SAML enforced group for access test'
project.group = @group
project.initialize_with_readme = true
project.visibility = 'private'
end
end
let(:sub_group) do
Resource::Group.fabricate_via_api! do |group|
group.sandbox = @group
group.path = "saml-sub-group"
end
end
let(:sub_group_project) do
Resource::Project.fabricate! do |project|
project.name = 'sub-group-project-in-saml-enforced-group-for-access-test'
project.description = 'Sub Group project in SAML enforced group for access test'
project.group = sub_group
project.initialize_with_readme = true
project.visibility = 'private'
end
end
shared_examples 'user access' do
it 'is not allowed without SSO' do
Page::Main::Login.perform do |login|
login.sign_in_using_credentials(user: user)
end
expected_single_signon_text = 'group allows you to sign in with your Single Sign-On Account'
@group.visit!
expect(page).to have_content(expected_single_signon_text)
sub_group.visit!
expect(page).to have_content(expected_single_signon_text)
project.visit!
expect(page).to have_content(expected_single_signon_text)
sub_group_project.visit!
expect(page).to have_content(expected_single_signon_text)
end
end
before(:all) do
@owner_user = Resource::User.fabricate_via_api!
@group.add_member(@owner_user, Resource::Members::AccessLevel::OWNER)
end
after(:all) do
@group.remove_member(@owner_user) if @owner_user
end
it_behaves_like 'user access' do
let(:user) { @developer_user }
end
it_behaves_like 'user access' do
let(:user) { @owner_user }
end
end
it 'user clones and pushes to project within a group using Git HTTP' do
......@@ -123,7 +49,7 @@ module QA
end.not_to raise_error
end
after(:all) do
after do
page.visit Runtime::Scenario.gitlab_address
%w[enforced_sso enforced_sso_requires_session].each do |flag|
Runtime::Feature.remove(flag)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment