Merge branch '34648-restrict-forking-outside-of-gma' into 'master'

Add prohibited outer forks flag for SAML provider See merge request gitlab-org/gitlab!22002

Merge branch '34648-restrict-forking-outside-of-gma' into 'master'
Add prohibited outer forks flag for SAML provider See merge request gitlab-org/gitlab!22002
5c651fbf · Rémy Coutable · 5b459de0 · ea75b0cf · 5c651fbf · 5c651fbf
Commit 5c651fbf authored Feb 06, 2020 by Rémy Coutable
6 changed files
--- a/db/migrate/20191217165641_add_saml_provider_prohibited_outer_forks.rb
+++ b/db/migrate/20191217165641_add_saml_provider_prohibited_outer_forks.rb
+# frozen_string_literal: true
+
+class AddSamlProviderProhibitedOuterForks < ActiveRecord::Migration[5.2]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    add_column_with_default :saml_providers, :prohibited_outer_forks, :boolean, default: false, allow_null: true
+  end
+
+  def down
+    remove_column :saml_providers, :prohibited_outer_forks
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -3744,6 +3744,7 @@ ActiveRecord::Schema.define(version: 2020_02_04_131054) do
    t.string "sso_url", null: false
    t.boolean "enforced_sso", default: false, null: false
    t.boolean "enforced_group_managed_accounts", default: false, null: false
+    t.boolean "prohibited_outer_forks", default: false, null: false
    t.index ["group_id"], name: "index_saml_providers_on_group_id"
  end


--- a/ee/app/controllers/groups/saml_providers_controller.rb
+++ b/ee/app/controllers/groups/saml_providers_controller.rb
@@ -48,7 +48,9 @@ class Groups::SamlProvidersController < Groups::ApplicationController
    allowed_params = %i[sso_url certificate_fingerprint enabled]

    allowed_params += [:enforced_sso] if Feature.enabled?(:enforced_sso, group)
-    allowed_params += [:enforced_group_managed_accounts] if Feature.enabled?(:group_managed_accounts, group)
+    if Feature.enabled?(:group_managed_accounts, group)
+      allowed_params += [:enforced_group_managed_accounts, :prohibited_outer_forks]
+    end

    params.require(:saml_provider).permit(allowed_params)
  end

--- a/ee/app/models/saml_provider.rb
+++ b/ee/app/models/saml_provider.rb
@@ -37,6 +37,10 @@ class SamlProvider < ApplicationRecord
    super && enforced_sso? && Feature.enabled?(:group_managed_accounts, group)
  end

+  def prohibited_outer_forks?
+    enforced_group_managed_accounts? && super
+  end
+
  class DefaultOptions
    include Gitlab::Routing


--- a/ee/changelogs/unreleased/34648-restrict-forking-outside-of-gma.yml
+++ b/ee/changelogs/unreleased/34648-restrict-forking-outside-of-gma.yml
+---
+title: Prepare DB structure for GMA forking changes
+merge_request: 22002
+author:
+type: other
--- a/ee/spec/models/saml_provider_spec.rb
+++ b/ee/spec/models/saml_provider_spec.rb
@@ -178,4 +178,40 @@ describe SamlProvider do
      end
    end
  end
+
+  describe '#prohibited_outer_forks?' do
+    context 'without enforced GMA' do
+      it 'is false when prohibited_outer_forks flag value is true' do
+        subject.prohibited_outer_forks = true
+
+        expect(subject.prohibited_outer_forks?).to be_falsey
+      end
+
+      it 'is false when prohibited_outer_forks flag value is false' do
+        subject.prohibited_outer_forks = false
+
+        expect(subject.prohibited_outer_forks?).to be_falsey
+      end
+    end
+
+    context 'when enforced GMA is enabled' do
+      before do
+        subject.enabled = true
+        subject.enforced_sso = true
+        subject.enforced_group_managed_accounts = true
+      end
+
+      it 'is true when prohibited_outer_forks flag value is true' do
+        subject.prohibited_outer_forks = true
+
+        expect(subject.prohibited_outer_forks?).to be_truthy
+      end
+
+      it 'is false when prohibited_outer_forks flag value is false' do
+        subject.prohibited_outer_forks = false
+
+        expect(subject.prohibited_outer_forks?).to be_falsey
+      end
+    end
+  end
 end