Commit 7d962989 authored by Savas Vedova's avatar Savas Vedova

Merge branch 'dblessing_saml_group_sync_minimal_access' into 'master'

Allow Minimal Access role for top-level SAML Group Links

See merge request gitlab-org/gitlab!72825
parents 11e0e676 2b2a80a2
...@@ -4,15 +4,23 @@ class SamlGroupLink < ApplicationRecord ...@@ -4,15 +4,23 @@ class SamlGroupLink < ApplicationRecord
include StripAttribute include StripAttribute
belongs_to :group belongs_to :group
enum access_level: ::Gitlab::Access.options_with_owner enum access_level: ::Gitlab::Access.options_with_minimal_access
strip_attributes! :saml_group_name strip_attributes! :saml_group_name
validates :group, :access_level, presence: true validates :group, :access_level, presence: true
validates :saml_group_name, presence: true, uniqueness: { scope: [:group_id] }, length: { maximum: 255 } validates :saml_group_name, presence: true, uniqueness: { scope: [:group_id] }, length: { maximum: 255 }
validate :access_level_allowed
scope :by_id_and_group_id, ->(id, group_id) { where(id: id, group_id: group_id) } scope :by_id_and_group_id, ->(id, group_id) { where(id: id, group_id: group_id) }
scope :by_saml_group_name, -> (name) { where(saml_group_name: name) } scope :by_saml_group_name, -> (name) { where(saml_group_name: name) }
scope :by_group_id, ->(group_id) { where(group_id: group_id) } scope :by_group_id, ->(group_id) { where(group_id: group_id) }
scope :preload_group, -> { preload(group: :route) } scope :preload_group, -> { preload(group: :route) }
def access_level_allowed
return unless group
return if access_level.in?(group.access_level_roles.keys)
errors.add(:access_level, "is invalid")
end
end end
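Review bot: `access_level_allowed` is added as a public, uncommented instance method, although it is the only server-side check in this hunk that keeps a link from carrying a role the group does not offer, now that the enum accepts every value in `options_with_minimal_access`. I would place it under `private` and add a comment such as `# Restrict the role to those the group itself offers; the enum alone also accepts Minimal Access.` The check runs only when the record is validated. A link already saved with 'Minimal Access' would presumably keep that value if the group later stops offering the role, for example after a licence change. Whether the code that applies these links re-checks the role is not visible here and is worth confirming.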
...@@ -13,7 +13,7 @@ ...@@ -13,7 +13,7 @@
.col-sm-2.col-form-label .col-sm-2.col-form-label
= f.label :access_level, "Access Level" = f.label :access_level, "Access Level"
.col-sm-10 .col-sm-10
= f.select :access_level, options_for_select(SamlGroupLink.access_levels.keys), {}, class: 'form-control' = f.select :access_level, options_for_select(group.access_level_roles.keys), {}, class: 'form-control'
.form-text.text-muted .form-text.text-muted
= s_('GroupSAML|Role to assign members of this SAML group.') = s_('GroupSAML|Role to assign members of this SAML group.')
......
...@@ -12,7 +12,7 @@ RSpec.describe SamlGroupLink do ...@@ -12,7 +12,7 @@ RSpec.describe SamlGroupLink do
it { is_expected.to validate_presence_of(:access_level) } it { is_expected.to validate_presence_of(:access_level) }
it { is_expected.to validate_presence_of(:saml_group_name) } it { is_expected.to validate_presence_of(:saml_group_name) }
it { is_expected.to validate_length_of(:saml_group_name).is_at_most(255) } it { is_expected.to validate_length_of(:saml_group_name).is_at_most(255) }
it { is_expected.to define_enum_for(:access_level).with_values(Gitlab::Access.options_with_owner) } it { is_expected.to define_enum_for(:access_level).with_values(Gitlab::Access.options_with_minimal_access) }
context 'group name uniqueness' do context 'group name uniqueness' do
before do before do
...@@ -30,6 +30,27 @@ RSpec.describe SamlGroupLink do ...@@ -30,6 +30,27 @@ RSpec.describe SamlGroupLink do
expect(saml_group_link.saml_group_name).to eq('group') expect(saml_group_link.saml_group_name).to eq('group')
end end
end end
context 'minimal access role' do
let_it_be(:top_level_group) { create(:group) }
let_it_be(:subgroup) { create(:group, parent: top_level_group) }
def saml_group_link(group:)
build(:saml_group_link, group: group, access_level: 'Minimal Access')
end
before do
stub_licensed_features(minimal_access_role: true)
end
it 'allows the role at the top level group' do
expect(saml_group_link(group: top_level_group)).to be_valid
end
it 'does not allow the role for subgroups' do
expect(saml_group_link(group: subgroup)).not_to be_valid
end
end
end end
describe '.by_id_and_group_id' do describe '.by_id_and_group_id' do
......
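Review bot: The 'does not allow the role for subgroups' example asserts only `not_to be_valid`, so it would still pass if the built link were invalid for an unrelated reason. Pinning the error ties it to the new validator: `link = saml_group_link(group: subgroup)`, `expect(link).not_to be_valid`, `expect(link.errors[:access_level]).to include('is invalid')`. The context also stubs `minimal_access_role: true` for every example, so nothing shows that a top-level group without the licensed feature rejects 'Minimal Access'. That outcome presumably depends on `group.access_level_roles`, which is not visible in this section. An example using `stub_licensed_features(minimal_access_role: false)` would cover that boundary.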