Add checking project members membership in group managed account

Add translation method

Add MR number

Add cr remarks

Add cr remarks

Add cr remarks

Add cr remarks

ee/app/models/ee/project_member.rb

@@ -8,6 +8,7 @@ module EE
       extend ::Gitlab::Utils::Override
 
       validate :sso_enforcement, if: :group
+      validate :gma_enforcement, if: :group
 
       before_destroy :delete_member_branch_protection
     end
@@ -22,5 +23,11 @@ module EE
         project.protected_branches.push_access_by_user(user).destroy_all # rubocop: disable DestroyAll
       end
     end
+
+    def gma_enforcement
+      unless ::Gitlab::Auth::GroupSaml::GmaMembershipEnforcer.new(project).can_add_user?(user)
+        errors.add(:user, _('is not in the group enforcing Group Managed Account'))
+      end
+    end
   end
 end

ee/changelogs/unreleased/12420-prevent-projects-from-being-shared-outside-a-gma-group-member.yml

+---
+title: Prevent projects from being shared outside a group with managed accounts
+merge_request: 26163
+author:
+type: changed

ee/lib/gitlab/auth/group_saml/gma_membership_enforcer.rb

+# frozen_string_literal: true
+
+module Gitlab
+  module Auth
+    module GroupSaml
+      class GmaMembershipEnforcer
+        def initialize(project)
+          @project = project
+        end
+
+        def can_add_user?(user)
+          return true unless root_group&.enforced_group_managed_accounts?
+
+          root_group == user.managing_group
+        end
+
+        private
+
+        def root_group
+          @root_group ||= @project.root_ancestor
+        end
+      end
+    end
+  end
+end

ee/spec/lib/gitlab/auth/group_saml/gma_membership_enforcer_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Gitlab::Auth::GroupSaml::GmaMembershipEnforcer do
+  let_it_be(:group) { create(:group_with_managed_accounts, :private) }
+  let_it_be(:project) { create(:project, namespace: group)}
+
+  subject { described_class.new(project) }
+
+  before do
+    stub_licensed_features(group_saml: true)
+  end
+
+  context 'when user is group-managed' do
+    it 'allows adding user to project' do
+      managed_user = create(:user, :group_managed, managing_group: group)
+
+      expect(subject.can_add_user?(managed_user)).to be_truthy
+    end
+  end
+
+  context 'when user is not group-managed' do
+    it 'does not allow adding user to project' do
+      user = create(:user)
+
+      expect(subject.can_add_user?(user)).to be_falsey
+    end
+  end
+end

ee/spec/models/project_member_spec.rb

@@ -7,4 +7,41 @@ describe ProjectMember do
   it_behaves_like 'member validations' do
     let(:entity) { create(:project, group: group)}
   end
+
+  context 'validates GMA enforcement' do
+    let(:group) { create(:group_with_managed_accounts, :private) }
+    let(:entity) { create(:project, namespace: group)}
+
+    before do
+      stub_feature_flags(group_managed_accounts: true)
+    end
+
+    context 'enforced group managed account enabled' do
+      before do
+        stub_licensed_features(group_saml: true)
+      end
+
+      it 'allows adding the project member' do
+        user = create(:user, :group_managed, managing_group: group)
+        member = entity.add_developer(user)
+
+        expect(member).to be_valid
+      end
+
+      it 'does not add the the project member' do
+        member = entity.add_developer(create(:user))
+
+        expect(member).not_to be_valid
+        expect(member.errors.messages[:user]).to include('is not in the group enforcing Group Managed Account')
+      end
+    end
+
+    context 'enforced group managed account disabled' do
+      it 'allows adding the group member' do
+        member = entity.add_developer(create(:user))
+
+        expect(member).to be_valid
+      end
+    end
+  end
 end

locale/gitlab.pot

@@ -23480,6 +23480,9 @@ msgstr ""
 msgid "is not an email you own"
 msgstr ""
 
+msgid "is not in the group enforcing Group Managed Account"
+msgstr ""
+
 msgid "is too long (%{current_value}). The maximum size is %{max_size}."
 msgstr ""