Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
f3a0d244
Commit
f3a0d244
authored
Apr 09, 2020
by
Sanad Liaquat
Committed by
Mark Lapierre
Apr 09, 2020
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Improve feature spec coverage for Enforced SSO Access
Also remove the tests from end-to-end level
parent
0f9003c7
Changes
2
Show whitespace changes
Inline
Side-by-side
Showing
2 changed files
with
79 additions
and
92 deletions
+79
-92
ee/spec/features/groups/saml_enforcement_spec.rb
ee/spec/features/groups/saml_enforcement_spec.rb
+74
-13
qa/qa/specs/features/ee/browser_ui/1_manage/group/group_saml_enforced_sso_spec.rb
...browser_ui/1_manage/group/group_saml_enforced_sso_spec.rb
+5
-79
No files found.
ee/spec/features/groups/saml_enforcement_spec.rb
View file @
f3a0d244
...
...
@@ -4,6 +4,9 @@ require 'spec_helper'
describe
'SAML access enforcement'
do
let
(
:group
)
{
create
(
:group
,
:private
,
name:
'The Group Name'
)
}
let
(
:sub_group
)
{
create
(
:group
,
:private
,
name:
'The Subgroup Name'
,
parent:
group
)
}
let
(
:project
)
{
create
(
:project
,
:private
,
name:
'The Project Name'
,
namespace:
group
)
}
let
(
:sub_group_project
)
{
create
(
:project
,
name:
'The Subgroup Project Name'
,
group:
sub_group
)
}
let
(
:saml_provider
)
{
create
(
:saml_provider
,
group:
group
,
enforced_sso:
true
)
}
let
(
:identity
)
{
create
(
:group_saml_identity
,
saml_provider:
saml_provider
)
}
let
(
:user
)
{
identity
.
user
}
...
...
@@ -16,27 +19,85 @@ describe 'SAML access enforcement' do
end
context
'without SAML session'
do
it
'prevents access to group resources via SSO redirect'
do
visit
group_path
(
group
)
shared_examples
'resource access'
do
before
do
visit
resource_path
end
it
'prevents access to resource via SSO redirect'
do
expect
(
page
).
to
have_content
(
"SAML SSO Sign in to
\"
#{
group
.
name
}
\"
"
)
expect
(
current_url
).
to
match
(
/groups\/
#{
group
.
to_param
}
\/-\/saml\/sso\?redirect=.+&token=/
)
end
end
context
'group resources'
do
it_behaves_like
'resource access'
do
let
(
:resource_path
)
{
group_path
(
group
)
}
end
end
context
'subgroup resources'
do
it_behaves_like
'resource access'
do
let
(
:resource_path
)
{
group_path
(
sub_group
)
}
end
end
context
'project resources'
do
it_behaves_like
'resource access'
do
let
(
:resource_path
)
{
project_path
(
project
)
}
end
end
context
'subgroup project resources'
do
it_behaves_like
'resource access'
do
let
(
:resource_path
)
{
project_path
(
sub_group_project
)
}
end
end
end
context
'with active SAML login from session'
do
shared_examples
'resource access'
do
before
do
dummy_session
=
{
active_group_sso_sign_ins:
{
saml_provider
.
id
=>
DateTime
.
now
}
}
allow
(
Gitlab
::
Session
).
to
receive
(
:current
).
and_return
(
dummy_session
)
end
it
'allows access to group resources'
do
visit
group_path
(
group
)
visit
resource_path
end
it
'allows access to resource'
do
expect
(
page
).
not_to
have_content
(
'Page Not Found'
)
expect
(
page
).
not_to
have_content
(
'SAML SSO Sign'
)
expect
(
page
).
to
have_content
(
group
.
name
)
expect
(
current_path
).
to
eq
(
group_path
(
group
))
expect
(
page
).
to
have_content
(
resource_name
)
expect
(
current_path
).
to
eq
(
resource_path
)
end
end
context
'group resources'
do
it_behaves_like
'resource access'
do
let
(
:resource_path
)
{
group_path
(
group
)
}
let
(
:resource_name
)
{
group
.
name
}
end
end
context
'subgroup resources'
do
it_behaves_like
'resource access'
do
let
(
:resource_path
)
{
group_path
(
sub_group
)
}
let
(
:resource_name
)
{
sub_group
.
name
}
end
end
context
'project resources'
do
it_behaves_like
'resource access'
do
let
(
:resource_path
)
{
project_path
(
project
)
}
let
(
:resource_name
)
{
project
.
name
}
end
end
context
'subgroup project resources'
do
it_behaves_like
'resource access'
do
let
(
:resource_path
)
{
project_path
(
sub_group_project
)
}
let
(
:resource_name
)
{
sub_group_project
.
name
}
end
end
end
end
qa/qa/specs/features/ee/browser_ui/1_manage/group/group_saml_enforced_sso_spec.rb
View file @
f3a0d244
...
...
@@ -5,7 +5,7 @@ module QA
describe
'Group SAML SSO - Enforced SSO'
do
include
Support
::
Api
before
(
:all
)
do
before
do
Support
::
Retrier
.
retry_on_exception
do
Flow
::
Saml
.
remove_saml_idp_service
(
@saml_idp_service
)
if
@saml_idp_service
...
...
@@ -20,86 +20,12 @@ module QA
@saml_idp_service
=
Flow
::
Saml
.
run_saml_idp_service
(
@group
.
path
)
@managed_group_url
=
setup_and_enable_enforce_sso
end
end
before
do
Flow
::
Saml
.
logout_from_idp
(
@saml_idp_service
)
page
.
visit
Runtime
::
Scenario
.
gitlab_address
Page
::
Main
::
Menu
.
perform
(
&
:sign_out_if_signed_in
)
end
context
'Access'
,
quarantine:
{
issue:
'https://gitlab.com/gitlab-org/gitlab/issues/205455'
,
type: :flaky
}
do
let
(
:project
)
do
Resource
::
Project
.
fabricate!
do
|
project
|
project
.
name
=
'project-in-saml-enforced-group-for-access-test'
project
.
description
=
'project in SAML enforced group for access test'
project
.
group
=
@group
project
.
initialize_with_readme
=
true
project
.
visibility
=
'private'
end
end
let
(
:sub_group
)
do
Resource
::
Group
.
fabricate_via_api!
do
|
group
|
group
.
sandbox
=
@group
group
.
path
=
"saml-sub-group"
end
end
let
(
:sub_group_project
)
do
Resource
::
Project
.
fabricate!
do
|
project
|
project
.
name
=
'sub-group-project-in-saml-enforced-group-for-access-test'
project
.
description
=
'Sub Group project in SAML enforced group for access test'
project
.
group
=
sub_group
project
.
initialize_with_readme
=
true
project
.
visibility
=
'private'
end
end
shared_examples
'user access'
do
it
'is not allowed without SSO'
do
Page
::
Main
::
Login
.
perform
do
|
login
|
login
.
sign_in_using_credentials
(
user:
user
)
end
expected_single_signon_text
=
'group allows you to sign in with your Single Sign-On Account'
@group
.
visit!
expect
(
page
).
to
have_content
(
expected_single_signon_text
)
sub_group
.
visit!
expect
(
page
).
to
have_content
(
expected_single_signon_text
)
project
.
visit!
expect
(
page
).
to
have_content
(
expected_single_signon_text
)
sub_group_project
.
visit!
expect
(
page
).
to
have_content
(
expected_single_signon_text
)
end
end
before
(
:all
)
do
@owner_user
=
Resource
::
User
.
fabricate_via_api!
@group
.
add_member
(
@owner_user
,
Resource
::
Members
::
AccessLevel
::
OWNER
)
end
after
(
:all
)
do
@group
.
remove_member
(
@owner_user
)
if
@owner_user
end
it_behaves_like
'user access'
do
let
(
:user
)
{
@developer_user
}
end
it_behaves_like
'user access'
do
let
(
:user
)
{
@owner_user
}
end
end
it
'user clones and pushes to project within a group using Git HTTP'
do
...
...
@@ -123,7 +49,7 @@ module QA
end
.
not_to
raise_error
end
after
(
:all
)
do
after
do
page
.
visit
Runtime
::
Scenario
.
gitlab_address
%w[enforced_sso enforced_sso_requires_session]
.
each
do
|
flag
|
Runtime
::
Feature
.
remove
(
flag
)
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment