Add prohibited outer forks flag for SAML provider

It will be used at Group SAML page to give group owners an option to disable forking projects outside of given group.

Add prohibited outer forks flag for SAML provider
It will be used at Group SAML page to give group owners an option to disable forking projects outside of given group.
ea75b0cf · Pavel Shutsin · 6b0599ac · ea75b0cf · ea75b0cf · ea75b0cf
Commit ea75b0cf authored Dec 18, 2019 by Pavel Shutsin
6 changed files
--- a/db/migrate/20191217165641_add_saml_provider_prohibited_outer_forks.rb
+++ b/db/migrate/20191217165641_add_saml_provider_prohibited_outer_forks.rb
+# frozen_string_literal: true
+
+class AddSamlProviderProhibitedOuterForks < ActiveRecord::Migration[5.2]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    add_column_with_default :saml_providers, :prohibited_outer_forks, :boolean, default: false, allow_null: true
+  end
+
+  def down
+    remove_column :saml_providers, :prohibited_outer_forks
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -3735,6 +3735,7 @@ ActiveRecord::Schema.define(version: 2020_02_04_131054) do
    t.string "sso_url", null: false
    t.boolean "enforced_sso", default: false, null: false
    t.boolean "enforced_group_managed_accounts", default: false, null: false
+    t.boolean "prohibited_outer_forks", default: false, null: false
    t.index ["group_id"], name: "index_saml_providers_on_group_id"
  end


--- a/ee/app/controllers/groups/saml_providers_controller.rb
+++ b/ee/app/controllers/groups/saml_providers_controller.rb
@@ -48,7 +48,9 @@ class Groups::SamlProvidersController < Groups::ApplicationController
    allowed_params = %i[sso_url certificate_fingerprint enabled]

    allowed_params += [:enforced_sso] if Feature.enabled?(:enforced_sso, group)
-    allowed_params += [:enforced_group_managed_accounts] if Feature.enabled?(:group_managed_accounts, group)
+    if Feature.enabled?(:group_managed_accounts, group)
+      allowed_params += [:enforced_group_managed_accounts, :prohibited_outer_forks]
+    end

    params.require(:saml_provider).permit(allowed_params)
  end

--- a/ee/app/models/saml_provider.rb
+++ b/ee/app/models/saml_provider.rb
@@ -37,6 +37,10 @@ class SamlProvider < ApplicationRecord
    super && enforced_sso? && Feature.enabled?(:group_managed_accounts, group)
  end

+  def prohibited_outer_forks?
+    enforced_group_managed_accounts? && super
+  end
+
  class DefaultOptions
    include Gitlab::Routing


--- a/ee/changelogs/unreleased/34648-restrict-forking-outside-of-gma.yml
+++ b/ee/changelogs/unreleased/34648-restrict-forking-outside-of-gma.yml
+---
+title: Prepare DB structure for GMA forking changes
+merge_request: 22002
+author:
+type: other
--- a/ee/spec/models/saml_provider_spec.rb
+++ b/ee/spec/models/saml_provider_spec.rb
@@ -178,4 +178,40 @@ describe SamlProvider do
      end
    end
  end
+
+  describe '#prohibited_outer_forks?' do
+    context 'without enforced GMA' do
+      it 'is false when prohibited_outer_forks flag value is true' do
+        subject.prohibited_outer_forks = true
+
+        expect(subject.prohibited_outer_forks?).to be_falsey
+      end
+
+      it 'is false when prohibited_outer_forks flag value is false' do
+        subject.prohibited_outer_forks = false
+
+        expect(subject.prohibited_outer_forks?).to be_falsey
+      end
+    end
+
+    context 'when enforced GMA is enabled' do
+      before do
+        subject.enabled = true
+        subject.enforced_sso = true
+        subject.enforced_group_managed_accounts = true
+      end
+
+      it 'is true when prohibited_outer_forks flag value is true' do
+        subject.prohibited_outer_forks = true
+
+        expect(subject.prohibited_outer_forks?).to be_truthy
+      end
+
+      it 'is false when prohibited_outer_forks flag value is false' do
+        subject.prohibited_outer_forks = false
+
+        expect(subject.prohibited_outer_forks?).to be_falsey
+      end
+    end
+  end
 end