When a namespace GitLab Subscription expires, disable SSO

Currently, if a GitLab.com group's subscription expires (changes
to Free/No Plan or a tier where Group SAML is not available) and
they have SSO enforcement turned on, users will lose access to their
group. This change automatically turns off enforced SSO when the
SSO feature is no longer available to the group.

changelogs/unreleased/dblessing_disable_enforced_sso_plan_expires.yml

+---
+title: When a namespace GitLab Subscription expires, disable SSO enforcement
+merge_request: 21135
+author:
+type: fixed

ee/app/models/saml_provider.rb

@@ -30,7 +30,7 @@ class SamlProvider < ApplicationRecord
   end
 
   def enforced_sso?
-    enabled? && super && ::Feature.enabled?(:enforced_sso, group)
+    enabled? && super && group.feature_available?(:group_saml) && ::Feature.enabled?(:enforced_sso, group)
   end
 
   def enforced_group_managed_accounts?

ee/spec/controllers/concerns/routable_actions_spec.rb

@@ -34,6 +34,7 @@ describe RoutableActions do
       let(:user) { identity.user }
 
       before do
+        stub_licensed_features(group_saml: true)
         sign_in(user)
       end
 

ee/spec/controllers/groups/groups_controller_spec.rb

@@ -80,6 +80,7 @@ describe GroupsController do
     let(:guest_user) { identity.user }
 
     before do
+      stub_licensed_features(group_saml: true)
       group.add_guest(guest_user)
       sign_in(guest_user)
     end

ee/spec/controllers/groups/security/credentials_controller_spec.rb

@@ -25,7 +25,7 @@ describe Groups::Security::CredentialsController do
 
     context 'when `credentials_inventory` feature is enabled' do
       before do
-        stub_licensed_features(credentials_inventory: true)
+        stub_licensed_features(credentials_inventory: true, group_saml: true)
       end
 
       context 'for a group that enforces group managed accounts' do

ee/spec/features/groups/groups_security_credentials_spec.rb

@@ -20,7 +20,7 @@ describe 'Groups::Security::Credentials' do
 
   context 'licensed' do
     before do
-      stub_licensed_features(credentials_inventory: true)
+      stub_licensed_features(credentials_inventory: true, group_saml: true)
     end
 
     context 'links' do

ee/spec/lib/gitlab/auth/group_saml/sso_enforcer_spec.rb

@@ -6,6 +6,10 @@ describe Gitlab::Auth::GroupSaml::SsoEnforcer do
   let(:saml_provider) { build_stubbed(:saml_provider, enforced_sso: true) }
   let(:session) { {} }
 
+  before do
+    stub_licensed_features(group_saml: true)
+  end
+
   around do |example|
     Gitlab::Session.with_session(session) do
       example.run

ee/spec/models/identity_spec.rb

@@ -8,6 +8,10 @@ describe Identity do
   end
 
   context 'with saml_provider' do
+    before do
+      stub_licensed_features(group_saml: true)
+    end
+
     it 'allows user to have records with different groups' do
       _identity_one = create(:identity, provider: 'group_saml', saml_provider: create(:saml_provider))
       identity_two = create(:identity, provider: 'group_saml', saml_provider: create(:saml_provider))

ee/spec/models/saml_provider_spec.rb

@@ -3,6 +3,14 @@
 require 'spec_helper'
 
 describe SamlProvider do
+  let(:group) { create(:group) }
+
+  subject(:saml_provider) { create(:saml_provider, group: group) }
+
+  before do
+    stub_licensed_features(group_saml: true)
+  end
+
   describe "Associations" do
     it { is_expected.to belong_to :group }
     it { is_expected.to have_many :identities }
@@ -55,8 +63,6 @@ describe SamlProvider do
   end
 
   describe 'Default values' do
-    subject(:saml_provider) { described_class.new }
-
     it 'defaults enabled to true' do
       expect(subject).to be_enabled
     end
@@ -66,8 +72,6 @@ describe SamlProvider do
     let(:group) { create(:group, path: 'foo-group') }
     let(:settings) { subject.settings }
 
-    subject(:saml_provider) { create(:saml_provider, group: group) }
-
     before do
       stub_default_url_options(protocol: "https")
     end
@@ -117,6 +121,13 @@ describe SamlProvider do
           expect(subject).not_to be_enforced_sso
         end
       end
+
+      it 'does not enforce SSO when the feature is unavailable' do
+        stub_licensed_features(group_saml: false)
+        subject.enforced_sso = true
+
+        expect(subject).not_to be_enforced_sso
+      end
     end
 
     context 'when provider is disabled' do

ee/spec/policies/group_policy_spec.rb

@@ -141,6 +141,10 @@ describe GroupPolicy do
 
       let_it_be(:saml_provider) { create(:saml_provider, group: group, enforced_sso: true) }
 
+      before do
+        stub_licensed_features(group_saml: true)
+      end
+
       context 'when the session has been set globally' do
         around do |example|
           Gitlab::Session.with_session({}) do

ee/spec/policies/project_policy_spec.rb

@@ -16,6 +16,7 @@ describe ProjectPolicy do
   subject { described_class.new(current_user, project) }
 
   before do
+    stub_licensed_features(group_saml: true)
     project.add_maintainer(maintainer)
     project.add_developer(developer)
     project.add_reporter(reporter)

ee/spec/support/shared_examples/services/group_saml/saml_provider/base_service_shared_examples.rb

@@ -12,6 +12,10 @@ RSpec.shared_examples 'base SamlProvider service' do
 
   let(:fingerprint) { '11:22:33:44:55:66:77:88:99:11:22:33:44:55:66:77:88:99' }
 
+  before do
+    stub_licensed_features(group_saml: true)
+  end
+
   it 'updates SAML provider with given params' do
     expect do
       service.execute