Merge branch 'jej/group-saml-project-enforcement' into 'master'

ProjectPolicy can require active SAML SSO session for web access

See merge request gitlab-org/gitlab-ee!12109

app/policies/project_policy.rb

@@ -488,6 +488,10 @@ class ProjectPolicy < BasePolicy
   def team_access_level
     return -1 if @user.nil?
 
+    lookup_access_level!
+  end
+
+  def lookup_access_level!
     # NOTE: max_member_access has its own cache
     project.team.max_member_access(@user.id)
   end

ee/app/policies/ee/project_policy.rb

@@ -3,6 +3,7 @@
 module EE
   module ProjectPolicy
     extend ActiveSupport::Concern
+    extend ::Gitlab::Utils::Override
 
     READONLY_FEATURES_WHEN_ARCHIVED = %i[
       board
@@ -198,6 +199,10 @@ module EE
         ::Feature.enabled?(:build_service_proxy, @subject)
       end
 
+      condition(:needs_new_sso_session) do
+        ::Gitlab::Auth::GroupSaml::SsoEnforcer.group_access_restricted?(subject.group)
+      end
+
       rule { web_ide_terminal_available & can?(:create_pipeline) & can?(:maintainer_access) }.enable :create_web_ide_terminal
 
       # Design abilities could also be prevented in the issue policy.
@@ -210,6 +215,13 @@ module EE
 
       rule { build_service_proxy_enabled }.enable :build_service_proxy_enabled
     end
+
+    override :lookup_access_level!
+    def lookup_access_level!
+      return ::GroupMember::NO_ACCESS if needs_new_sso_session?
+
+      super
+    end
   end
 end
 

ee/changelogs/unreleased/jej-group-saml-project-enforcement.yml

+---
+title: SSO enforcement requires active SAML session for web access to project resources
+merge_request: 12109
+author:
+type: changed

ee/spec/policies/project_policy_spec.rb

@@ -202,6 +202,66 @@ describe ProjectPolicy do
         expect(described_class.new(auditor, project)).to be_allowed(:read_project)
       end
     end
+
+    context 'with sso enforcement enabled' do
+      let(:current_user) { create(:user) }
+      let(:group) { create(:group, :private) }
+      let(:saml_provider) { create(:saml_provider, group: group, enforced_sso: true) }
+      let!(:identity) { create(:group_saml_identity, user: current_user, saml_provider: saml_provider) }
+      let(:project) { create(:project, group: saml_provider.group) }
+
+      before do
+        group.add_guest(current_user)
+      end
+
+      context 'when the session has been set globally' do
+        around do |example|
+          Gitlab::Session.with_session({}) do
+            example.run
+          end
+        end
+
+        it 'prevents access without a SAML session' do
+          is_expected.not_to be_allowed(:read_project)
+        end
+
+        it 'allows access with a SAML session' do
+          Gitlab::Auth::GroupSaml::SsoEnforcer.new(saml_provider).update_session
+
+          is_expected.to be_allowed(:read_project)
+        end
+
+        context 'as an admin' do
+          let(:current_user) { admin }
+
+          it 'allows access' do
+            is_expected.to be_allowed(:read_project)
+          end
+        end
+
+        context 'as an owner' do
+          let(:current_user) { owner }
+
+          it 'prevents access without a SAML session' do
+            is_expected.not_to be_allowed(:read_project)
+          end
+        end
+
+        context 'in a personal namespace' do
+          let(:project) { create(:project, :public, namespace: owner.namespace) }
+
+          it 'allows access' do
+            is_expected.to be_allowed(:read_project)
+          end
+        end
+      end
+
+      context 'when there is no global session or sso state' do
+        it "allows access because we haven't yet restricted all use cases" do
+          is_expected.to be_allowed(:read_project)
+        end
+      end
+    end
   end
 
   describe 'read_vulnerability_feedback' do