SSO enforcement for project resources

Adds a check to ProjectPolicy to ensure that there is an active
SAML session when SSO is being enforced.

Builds upon changes in GroupPolicy, but because so many policies
delegate to ProjectPolicy there is much more impact from this MR.

app/policies/project_policy.rb

@@ -488,6 +488,10 @@ class ProjectPolicy < BasePolicy
   def team_access_level
     return -1 if @user.nil?
 
+    lookup_access_level!
+  end
+
+  def lookup_access_level!
     # NOTE: max_member_access has its own cache
     project.team.max_member_access(@user.id)
   end

ee/app/policies/ee/project_policy.rb

@@ -3,6 +3,7 @@
 module EE
   module ProjectPolicy
     extend ActiveSupport::Concern
+    extend ::Gitlab::Utils::Override
 
     READONLY_FEATURES_WHEN_ARCHIVED = %i[
       board
@@ -198,6 +199,10 @@ module EE
         ::Feature.enabled?(:build_service_proxy, @subject)
       end
 
+      condition(:needs_new_sso_session) do
+        ::Gitlab::Auth::GroupSaml::SsoEnforcer.group_access_restricted?(subject.group)
+      end
+
       rule { web_ide_terminal_available & can?(:create_pipeline) & can?(:maintainer_access) }.enable :create_web_ide_terminal
 
       # Design abilities could also be prevented in the issue policy.
@@ -210,6 +215,13 @@ module EE
 
       rule { build_service_proxy_enabled }.enable :build_service_proxy_enabled
     end
+
+    override :lookup_access_level!
+    def lookup_access_level!
+      return ::GroupMember::NO_ACCESS if needs_new_sso_session?
+
+      super
+    end
   end
 end
 

ee/changelogs/unreleased/jej-group-saml-project-enforcement.yml

+---
+title: SSO enforcement requires active SAML session for web access to project resources
+merge_request: 12109
+author:
+type: changed

ee/spec/policies/project_policy_spec.rb

@@ -202,6 +202,66 @@ describe ProjectPolicy do
         expect(described_class.new(auditor, project)).to be_allowed(:read_project)
       end
     end
+
+    context 'with sso enforcement enabled' do
+      let(:current_user) { create(:user) }
+      let(:group) { create(:group, :private) }
+      let(:saml_provider) { create(:saml_provider, group: group, enforced_sso: true) }
+      let!(:identity) { create(:group_saml_identity, user: current_user, saml_provider: saml_provider) }
+      let(:project) { create(:project, group: saml_provider.group) }
+
+      before do
+        group.add_guest(current_user)
+      end
+
+      context 'when the session has been set globally' do
+        around do |example|
+          Gitlab::Session.with_session({}) do
+            example.run
+          end
+        end
+
+        it 'prevents access without a SAML session' do
+          is_expected.not_to be_allowed(:read_project)
+        end
+
+        it 'allows access with a SAML session' do
+          Gitlab::Auth::GroupSaml::SsoEnforcer.new(saml_provider).update_session
+
+          is_expected.to be_allowed(:read_project)
+        end
+
+        context 'as an admin' do
+          let(:current_user) { admin }
+
+          it 'allows access' do
+            is_expected.to be_allowed(:read_project)
+          end
+        end
+
+        context 'as an owner' do
+          let(:current_user) { owner }
+
+          it 'prevents access without a SAML session' do
+            is_expected.not_to be_allowed(:read_project)
+          end
+        end
+
+        context 'in a personal namespace' do
+          let(:project) { create(:project, :public, namespace: owner.namespace) }
+
+          it 'allows access' do
+            is_expected.to be_allowed(:read_project)
+          end
+        end
+      end
+
+      context 'when there is no global session or sso state' do
+        it "allows access because we haven't yet restricted all use cases" do
+          is_expected.to be_allowed(:read_project)
+        end
+      end
+    end
   end
 
   describe 'read_vulnerability_feedback' do