Merge branch 'jej/respect-sso-enforcement-on-projects-for-owners' into 'master'

Respect Group SSO Enforcement on projects where the user is an owner Closes #33302 See merge request gitlab-org/gitlab!18154

Merge branch 'jej/respect-sso-enforcement-on-projects-for-owners' into 'master'
Respect Group SSO Enforcement on projects where the user is an owner Closes #33302 See merge request gitlab-org/gitlab!18154
d7743902 · Jan Provaznik · c63d0262 · 579a84ea · d7743902 · d7743902
Commit d7743902 authored Oct 08, 2019 by Jan Provaznik
5 changed files
--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -254,6 +254,14 @@ module EE
          .default_project_deletion_protection
      end

+      rule { needs_new_sso_session & ~admin }.policy do
+        prevent :guest_access
+        prevent :reporter_access
+        prevent :developer_access
+        prevent :maintainer_access
+        prevent :owner_access
+      end
+
      rule { ip_enforcement_prevents_access }.policy do
        prevent :read_project
      end

--- a/ee/changelogs/unreleased/jej-respect-sso-enforcement-on-projects-for-owners.yml
+++ b/ee/changelogs/unreleased/jej-respect-sso-enforcement-on-projects-for-owners.yml
+---
+title: Respect Group SSO Enforcement on projects where the user is an owner
+merge_request: 18154
+author:
+type: fixed
--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -93,6 +93,16 @@ describe GroupPolicy do
          is_expected.not_to be_allowed(:read_group)
        end

+        context 'as a group owner' do
+          before do
+            group.add_owner(current_user)
+          end
+
+          it 'prevents access without a SAML session' do
+            is_expected.not_to allow_action(:read_group)
+          end
+        end
+
        it 'allows access with a SAML session' do
          Gitlab::Auth::GroupSaml::SsoEnforcer.new(saml_provider).update_session


--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -242,15 +242,26 @@ describe ProjectPolicy do
          let(:current_user) { admin }

          it 'allows access' do
-            is_expected.to be_allowed(:read_project)
+            is_expected.to allow_action(:read_project)
          end
        end

-        context 'as an owner' do
-          let(:current_user) { owner }
+        context 'as a group owner' do
+          before do
+            group.add_owner(current_user)
+          end

          it 'prevents access without a SAML session' do
-            is_expected.not_to be_allowed(:read_project)
+            is_expected.not_to allow_action(:read_project)
+          end
+        end
+
+        context 'with public access' do
+          let(:group) { create(:group, :public) }
+          let(:project) { create(:project, :public, group: saml_provider.group) }
+
+          it 'allows access desipte group enforcement' do
+            is_expected.to allow_action(:read_project)
          end
        end


--- a/spec/support/matchers/policy_matchers.rb
+++ b/spec/support/matchers/policy_matchers.rb
+# frozen_string_literal: true
+
+RSpec::Matchers.define :allow_action do |action|
+  match do |policy|
+    expect(policy).to be_allowed(action)
+  end
+
+  failure_message do |policy|
+    policy.debug(action, debug_output = +'')
+    "expected #{policy} to allow #{action}\n\n#{debug_output}"
+  end
+
+  failure_message_when_negated do |policy|
+    policy.debug(action, debug_output = +'')
+    "expected #{policy} not to allow #{action}\n\n#{debug_output}"
+  end
+end