Merge branch...

Merge branch '12420-prevent-projects-from-being-shared-outside-a-gma-group-member-fork' into 'master'

Resolve "Prevent projects from being shared outside a GMA group" - adding member to forked project

Closes #12420

See merge request gitlab-org/gitlab!26186

ee/changelogs/unreleased/12420-prevent-projects-from-being-shared-outside-a-gma-group-member-fo.yml

+---
+title: Prevent projects from being shared outside a group with managed accounts for forked projects
+merge_request: 26186
+author:
+type: changed

ee/lib/gitlab/auth/group_saml/gma_membership_enforcer.rb

@@ -9,15 +9,27 @@ module Gitlab
         end
 
         def can_add_user?(user)
-          return true unless root_group&.enforced_group_managed_accounts?
-
-          root_group == user.managing_group
+          check_project_membership(user) && check_source_project_membership(user)
         end
 
         private
 
-        def root_group
-          @root_group ||= @project.root_ancestor
+        attr_reader :project
+
+        def check_project_membership(user)
+          check_group_managed_account(project.root_ancestor, user)
+        end
+
+        def check_source_project_membership(user)
+          return true unless project.forked?
+
+          check_group_managed_account(project.forked_from_project.root_ancestor, user)
+        end
+
+        def check_group_managed_account(root_ancestor, user)
+          return true unless root_ancestor.is_a?(Group) && root_ancestor.enforced_group_managed_accounts?
+
+          root_ancestor == user.managing_group
         end
       end
     end

ee/spec/lib/gitlab/auth/group_saml/gma_membership_enforcer_spec.rb

@@ -3,8 +3,12 @@
 require 'spec_helper'
 
 describe Gitlab::Auth::GroupSaml::GmaMembershipEnforcer do
+  include ProjectForksHelper
+
   let_it_be(:group) { create(:group_with_managed_accounts, :private) }
   let_it_be(:project) { create(:project, namespace: group)}
+  let_it_be(:managed_user) { create(:user, :group_managed, managing_group: group) }
+  let_it_be(:managed_user_for_project) { create(:user, :group_managed, managing_group: group) }
 
   subject { described_class.new(project) }
 
@@ -14,8 +18,6 @@ describe Gitlab::Auth::GroupSaml::GmaMembershipEnforcer do
 
   context 'when user is group-managed' do
     it 'allows adding user to project' do
-      managed_user = create(:user, :group_managed, managing_group: group)
-
       expect(subject.can_add_user?(managed_user)).to be_truthy
     end
   end
@@ -27,4 +29,48 @@ describe Gitlab::Auth::GroupSaml::GmaMembershipEnforcer do
       expect(subject.can_add_user?(user)).to be_falsey
     end
   end
+
+  context 'when the project is forked' do
+    subject { described_class.new(fork_project(project, managed_user_for_project)) }
+
+    before do
+      project.add_developer(managed_user_for_project)
+    end
+
+    context 'when user is group-managed' do
+      it 'allows adding user to project' do
+        expect(subject.can_add_user?(managed_user)).to be_truthy
+      end
+    end
+
+    context 'when user is not group-managed' do
+      it 'does not allow adding user to project' do
+        expect(subject.can_add_user?(create(:user))).to be_falsey
+      end
+    end
+  end
+
+  context 'when project is forked from namespace to group' do
+    let(:project) { create(:project) }
+    let(:forked_project) { create(:project, namespace: group) }
+
+    subject { described_class.new(forked_project) }
+
+    before do
+      project.add_developer(managed_user_for_project)
+      fork_project(project, managed_user_for_project, namespace: group, target_project: forked_project)
+    end
+
+    context 'when user is group-managed' do
+      it 'allows adding user to project' do
+        expect(subject.can_add_user?(managed_user)).to be_truthy
+      end
+    end
+
+    context 'when user is not group-managed' do
+      it 'does not allow adding user to project' do
+        expect(subject.can_add_user?(create(:user))).to be_falsey
+      end
+    end
+  end
 end