Merge branch 'jej/group-saml-discovery-token' into 'master'

Add saml_discovery_token unauthenticated access See merge request gitlab-org/gitlab-ee!8016

Merge branch 'jej/group-saml-discovery-token' into 'master'
Add saml_discovery_token unauthenticated access See merge request gitlab-org/gitlab-ee!8016
ceb5c2b1 · Kamil Trzciński · 9beaa911 · 3c02a24c · ceb5c2b1 · ceb5c2b1
Commit ceb5c2b1 authored Nov 16, 2018 by Kamil Trzciński
4 changed files
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -1761,6 +1761,7 @@ ActiveRecord::Schema.define(version: 20181107054254) do
    t.string "runners_token"
    t.datetime_with_timezone "trial_ends_on"
    t.integer "file_template_project_id"
+    t.string "saml_discovery_token"
    t.index ["created_at"], name: "index_namespaces_on_created_at", using: :btree
    t.index ["ldap_sync_last_successful_update_at"], name: "index_namespaces_on_ldap_sync_last_successful_update_at", using: :btree
    t.index ["ldap_sync_last_update_at"], name: "index_namespaces_on_ldap_sync_last_update_at", using: :btree

--- a/ee/app/models/ee/group.rb
+++ b/ee/app/models/ee/group.rb
@@ -8,6 +8,10 @@ module EE
    extend ::Gitlab::Utils::Override

    prepended do
+      include TokenAuthenticatable
+
+      add_authentication_token_field :saml_discovery_token, unique: false, token_generator: -> { Devise.friendly_token(8) }
+
      has_many :epics

      has_one :saml_provider
@@ -112,6 +116,12 @@ module EE
      update_column(:ldap_sync_error, ::Gitlab::UrlSanitizer.sanitize(error_message))
    end

+    # This token conveys that the anonymous user is allowed to know of the group
+    # Used to avoid revealing that a group exists on a given path
+    def saml_discovery_token
+      ensure_saml_discovery_token!
+    end
+
    def project_creation_level
      super || ::Gitlab::CurrentSettings.default_project_creation
    end

--- a/ee/db/migrate/20180520211048_add_discovery_token_to_namespaces.rb
+++ b/ee/db/migrate/20180520211048_add_discovery_token_to_namespaces.rb
+# frozen_string_literal: true
+
+class AddDiscoveryTokenToNamespaces < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  def change
+    add_column :namespaces, :saml_discovery_token, :string
+  end
+end
--- a/ee/spec/models/group_spec.rb
+++ b/ee/spec/models/group_spec.rb
@@ -292,4 +292,37 @@ describe Group do
      end
    end
  end
+
+  describe '#saml_discovery_token' do
+    it 'returns existing tokens' do
+      group = create(:group, saml_discovery_token: 'existing')
+
+      expect(group.saml_discovery_token).to eq 'existing'
+    end
+
+    context 'when missing on read' do
+      it 'generates a token' do
+        expect(group.saml_discovery_token.length).to eq 8
+      end
+
+      it 'saves the generated token' do
+        expect { group.saml_discovery_token }.to change { group.reload.read_attribute(:saml_discovery_token) }
+      end
+
+      context 'in read only mode' do
+        before do
+          allow(Gitlab::Database).to receive(:read_only?).and_return(true)
+          allow(group).to receive(:create_or_update).and_raise(ActiveRecord::ReadOnlyRecord)
+        end
+
+        it "doesn't raise an error as that could expose group existance" do
+          expect { group.saml_discovery_token }.not_to raise_error
+        end
+
+        it 'returns a random value to prevent access' do
+          expect(group.saml_discovery_token).not_to be_blank
+        end
+      end
+    end
+  end
 end