Merge branch 'qa-shl-fix-group-manage-accounts-specs' into 'master'

Remove GMA specs and update SAML SSO specs See merge request gitlab-org/gitlab!57809

Merge branch 'qa-shl-fix-group-manage-accounts-specs' into 'master'
Remove GMA specs and update SAML SSO specs See merge request gitlab-org/gitlab!57809
f9b7a318 · Ramya Authappan · 4315c370 · b1a5f2a1 · f9b7a318 · f9b7a318
Commit f9b7a318 authored May 02, 2021 by Ramya Authappan
6 changed files
--- a/qa/qa/flow/saml.rb
+++ b/qa/qa/flow/saml.rb
@@ -18,7 +18,9 @@ module QA
        end
      end

-      def enable_saml_sso(group, saml_idp_service, default_membership_role = 'Guest')
+      def enable_saml_sso(group, saml_idp_service, enforce_sso: false, default_membership_role: 'Guest')
+        Runtime::Feature.enable(:group_administration_nav_item)
+
        page.visit Runtime::Scenario.gitlab_address

        Page::Main::Login.perform(&:sign_in_using_credentials) unless Page::Main::Menu.perform(&:signed_in?)
@@ -27,6 +29,7 @@ module QA

        Support::Retrier.retry_on_exception do
          EE::Page::Group::Settings::SamlSSO.perform do |saml_sso|
+            saml_sso.enforce_sso if enforce_sso
            saml_sso.set_id_provider_sso_url(saml_idp_service.idp_sso_url)
            saml_sso.set_cert_fingerprint(saml_idp_service.idp_certificate_fingerprint)
            saml_sso.set_default_membership_role(default_membership_role)

--- a/qa/qa/specs/features/ee/browser_ui/1_manage/group/group_saml_enforced_sso_git_access_spec.rb
+++ b/qa/qa/specs/features/ee/browser_ui/1_manage/group/group_saml_enforced_sso_git_access_spec.rb
+# frozen_string_literal: true
+
+module QA
+  # TODO: Remove :requires_admin meta when the `Runtime::Feature.enable` method call is removed
+  RSpec.describe 'Manage', :group_saml, :orchestrated, :requires_admin do
+    describe 'Group SAML SSO - Enforced SSO' do
+      include Support::Api
+
+      let!(:group) do
+        Resource::Sandbox.fabricate_via_api! do |sandbox_group|
+          sandbox_group.path = "saml_sso_group_#{SecureRandom.hex(8)}"
+        end
+      end
+
+      let!(:saml_idp_service) { Flow::Saml.run_saml_idp_service(group.path) }
+
+      let!(:developer_user) { Resource::User.fabricate_via_api! }
+
+      let!(:project) do
+        Resource::Project.fabricate! do |project|
+          project.name = 'project-in-saml-enforced-group'
+          project.description = 'project in SAML enforced group for git clone test'
+          project.group = group
+          project.initialize_with_readme = true
+        end
+      end
+
+      before do
+        Runtime::Feature.enable(:invite_members_group_modal, group: group)
+
+        group.add_member(developer_user)
+
+        Flow::Saml.enable_saml_sso(group, saml_idp_service, enforce_sso: true)
+
+        Flow::Saml.logout_from_idp(saml_idp_service)
+
+        page.visit Runtime::Scenario.gitlab_address
+        Page::Main::Menu.perform(&:sign_out_if_signed_in)
+      end
+
+      it 'user clones and pushes to project within a group using Git HTTP', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/675' do
+        expect do
+          Resource::Repository::ProjectPush.fabricate! do |project_push|
+            project_push.project = project
+            project_push.branch_name = "new_branch"
+            project_push.user = developer_user
+          end
+        end.not_to raise_error
+      end
+
+      after do
+        page.visit Runtime::Scenario.gitlab_address
+        Runtime::Feature.remove(:group_administration_nav_item)
+
+        group.remove_via_api!
+
+        Page::Main::Menu.perform(&:sign_out_if_signed_in)
+
+        Flow::Saml.remove_saml_idp_service(saml_idp_service)
+      end
+    end
+  end
+end
--- a/qa/qa/specs/features/ee/browser_ui/1_manage/group/group_saml_enforced_sso_new_account_spec.rb
+++ b/qa/qa/specs/features/ee/browser_ui/1_manage/group/group_saml_enforced_sso_new_account_spec.rb
+# frozen_string_literal: true
+
+module QA
+  RSpec.describe 'Manage', :group_saml, :orchestrated, :requires_admin do
+    describe 'Group SAML SSO - Enforced SSO' do
+      include Support::Api
+
+      let!(:group) do
+        Resource::Sandbox.fabricate_via_api! do |sandbox_group|
+          sandbox_group.path = "saml_sso_group_#{SecureRandom.hex(8)}"
+        end
+      end
+
+      let(:idp_user) { Struct.new(:username, :password).new('user3', 'user3pass') }
+
+      # The user that signs in via the IDP with username `user3` and password `user3pass`
+      # will have `user_3` as username in GitLab
+      let(:user) do
+        QA::Resource::User.new.tap do |user|
+          user.username = 'user_3'
+          user.email = 'user_3@example.com'
+        end
+      end
+
+      let!(:saml_idp_service) { Flow::Saml.run_saml_idp_service(group.path) }
+
+      let!(:group_sso_url) { Flow::Saml.enable_saml_sso(group, saml_idp_service, enforce_sso: true) }
+
+      before do
+        Page::Main::Menu.perform(&:sign_out_if_signed_in)
+
+        Flow::Saml.logout_from_idp(saml_idp_service)
+      end
+
+      it 'creates a new account automatically and allows to leave group and join again', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/1756' do
+        # When the user signs in via IDP for the first time
+
+        visit_group_sso_url
+
+        EE::Page::Group::SamlSSOSignIn.perform(&:click_sign_in)
+
+        Flow::Saml.login_to_idp_if_required(idp_user.username, idp_user.password)
+
+        expect(page).to have_text("You have to confirm your email address before continuing")
+
+        QA::Flow::User.confirm_user(user.email)
+
+        visit_group_sso_url
+
+        EE::Page::Group::SamlSSOSignIn.perform(&:click_sign_in)
+
+        expect(page).to have_text("Signed in with SAML")
+
+        Page::Group::Show.perform(&:leave_group)
+
+        expect(page).to have_text("You left")
+
+        Page::Main::Menu.perform(&:sign_out)
+
+        Flow::Saml.logout_from_idp(saml_idp_service)
+
+        # When the user exists with a linked identity
+
+        visit_group_sso_url
+
+        EE::Page::Group::SamlSSOSignIn.perform(&:click_sign_in)
+
+        Flow::Saml.login_to_idp_if_required(idp_user.username, idp_user.password)
+
+        expect(page).to have_text("Login to a GitLab account to link with your SAML identity")
+
+        Flow::Saml.logout_from_idp(saml_idp_service)
+
+        # When the user is removed and so their linked identity is also removed
+
+        user.remove_via_api!
+
+        visit_group_sso_url
+
+        EE::Page::Group::SamlSSOSignIn.perform(&:click_sign_in)
+
+        Flow::Saml.login_to_idp_if_required(idp_user.username, idp_user.password)
+
+        expect(page).to have_text("You have to confirm your email address before continuing")
+      end
+
+      after do
+        Runtime::Feature.remove(:group_administration_nav_item)
+
+        user.remove_via_api!
+
+        group.remove_via_api!
+
+        Flow::Saml.remove_saml_idp_service(saml_idp_service)
+
+        page.visit Runtime::Scenario.gitlab_address
+        Page::Main::Menu.perform(&:sign_out_if_signed_in)
+      end
+    end
+
+    def visit_group_sso_url
+      Runtime::Logger.debug(%Q[Visiting managed_group_url at "#{group_sso_url}"])
+
+      page.visit group_sso_url
+      Support::Waiter.wait_until { current_url == group_sso_url }
+    end
+  end
+end
--- a/qa/qa/specs/features/ee/browser_ui/1_manage/group/group_saml_enforced_sso_spec.rb
+++ b/qa/qa/specs/features/ee/browser_ui/1_manage/group/group_saml_enforced_sso_spec.rb
-# frozen_string_literal: true
-
-module QA
-  # TODO: Remove :requires_admin meta when the `Runtime::Feature.enable` method call is removed
-  RSpec.describe 'Manage', :group_saml, :orchestrated, :requires_admin do
-    describe 'Group SAML SSO - Enforced SSO' do
-      include Support::Api
-
-      before do
-        Support::Retrier.retry_on_exception do
-          Flow::Saml.remove_saml_idp_service(@saml_idp_service) if @saml_idp_service
-
-          @group = Resource::Sandbox.fabricate_via_api! do |sandbox_group|
-            sandbox_group.path = "saml_sso_group_#{SecureRandom.hex(8)}"
-          end
-
-          Runtime::Feature.enable(:invite_members_group_modal, group: @group)
-
-          @developer_user = Resource::User.fabricate_via_api!
-
-          @group.add_member(@developer_user)
-
-          @saml_idp_service = Flow::Saml.run_saml_idp_service(@group.path)
-
-          @managed_group_url = setup_and_enable_enforce_sso
-
-          Flow::Saml.logout_from_idp(@saml_idp_service)
-
-          page.visit Runtime::Scenario.gitlab_address
-          Page::Main::Menu.perform(&:sign_out_if_signed_in)
-        end
-      end
-
-      it 'user clones and pushes to project within a group using Git HTTP', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/675' do
-        Flow::Login.sign_in
-
-        @project = Resource::Project.fabricate! do |project|
-          project.name = 'project-in-saml-enforced-group'
-          project.description = 'project in SAML enforced group for git clone test'
-          project.group = @group
-          project.initialize_with_readme = true
-        end
-
-        @project.visit!
-
-        expect do
-          Resource::Repository::ProjectPush.fabricate! do |project_push|
-            project_push.project = @project
-            project_push.branch_name = "new_branch"
-            project_push.user = @developer_user
-          end
-        end.not_to raise_error
-      end
-
-      after do
-        page.visit Runtime::Scenario.gitlab_address
-        Runtime::Feature.remove(:group_administration_nav_item)
-
-        @group.remove_via_api!
-
-        Page::Main::Menu.perform(&:sign_out_if_signed_in)
-
-        Flow::Saml.remove_saml_idp_service(@saml_idp_service)
-      end
-    end
-
-    def setup_and_enable_enforce_sso
-      Runtime::Feature.enable(:group_administration_nav_item)
-
-      page.visit Runtime::Scenario.gitlab_address
-      Page::Main::Login.perform(&:sign_in_using_credentials) unless Page::Main::Menu.perform(&:signed_in?)
-
-      Support::Retrier.retry_on_exception do
-        Flow::Saml.visit_saml_sso_settings(@group)
-        ensure_enforced_sso_checkbox_shown
-
-        managed_group_url = EE::Page::Group::Settings::SamlSSO.perform do |saml_sso|
-          saml_sso.enforce_sso
-
-          saml_sso.set_id_provider_sso_url(@saml_idp_service.idp_sso_url)
-          saml_sso.set_cert_fingerprint(@saml_idp_service.idp_certificate_fingerprint)
-
-          saml_sso.click_save_changes
-
-          saml_sso.user_login_url_link_text
-        end
-
-        Flow::Saml.visit_saml_sso_settings(@group, direct: true)
-        ensure_enforced_sso_checkbox_shown
-
-        unless EE::Page::Group::Settings::SamlSSO.perform(&:enforce_sso_enabled?)
-          QA::Runtime::Logger.debug "Enforced SSO not setup correctly. About to raise failure."
-          QA::Runtime::Logger.debug Capybara::Screenshot.screenshot_and_save_page
-          QA::Runtime::Logger.debug Runtime::Feature.get_features
-
-          raise "Enforced SSO not setup correctly"
-        end
-
-        managed_group_url
-      end
-    end
-
-    def ensure_enforced_sso_checkbox_shown
-      # Sometimes, the checkbox for SAML SSO does not appear and only appears after a refresh
-      # This issue can only be reproduced manually if you are too quick to go to the group setting page
-      # after enabling the feature flags.
-      Support::Retrier.retry_until(sleep_interval: 1, raise_on_failure: true) do
-        condition_met = EE::Page::Group::Settings::SamlSSO.perform(&:has_enforced_sso_checkbox?)
-        page.refresh unless condition_met
-        condition_met
-      end
-    end
-  end
-end
--- a/qa/qa/specs/features/ee/browser_ui/1_manage/group/group_saml_group_managed_accounts_spec.rb
+++ b/qa/qa/specs/features/ee/browser_ui/1_manage/group/group_saml_group_managed_accounts_spec.rb
-# frozen_string_literal: true
-
-module QA
-  RSpec.describe 'Manage', :group_saml, :orchestrated, :requires_admin, quarantine: { issue: 'https://gitlab.com/gitlab-org/gitlab/issues/202260', type: :bug } do
-    describe 'Group SAML SSO - Group managed accounts' do
-      include Support::Api
-
-      before(:all) do
-        # Create a new user (with no existing SAML identities) who will be added as owner to the SAML group.
-        @owner_user = Resource::User.fabricate_via_api!
-
-        Flow::Login.sign_in(as: @owner_user)
-
-        @group = Resource::Sandbox.fabricate_via_api! do |sandbox_group|
-          sandbox_group.path = "saml_sso_group_#{SecureRandom.hex(8)}"
-        end
-
-        Runtime::Feature.enable(:invite_members_group_modal, group: @group)
-
-        @saml_idp_service = Flow::Saml.run_saml_idp_service(@group.path)
-
-        @api_client = Runtime::API::Client.as_admin
-
-        @developer_user = Resource::User.fabricate_via_api!
-
-        @group.add_member(@owner_user, QA::Resource::Members::AccessLevel::OWNER)
-
-        @group.add_member(@developer_user)
-
-        @managed_group_url = Flow::Saml.enable_saml_sso(@group, @saml_idp_service)
-
-        @saml_linked_for_admin = false
-
-        setup_and_enable_group_managed_accounts
-
-        Page::Main::Menu.perform(&:sign_out_if_signed_in)
-
-        Flow::Saml.logout_from_idp(@saml_idp_service)
-      end
-
-      it 'removes existing users from the group, forces existing users to create a new account and allows to leave group', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/1766' do
-        expect(@group.list_members.map { |item| item["username"] }).not_to include(@developer_user.username)
-
-        visit_managed_group_url
-
-        EE::Page::Group::SamlSSOSignIn.perform(&:click_sign_in)
-
-        Flow::Saml.login_to_idp_if_required('user3', 'user3pass')
-
-        expect(page).to have_text("uses group managed accounts. You need to create a new GitLab account which will be managed by")
-
-        Support::Retrier.retry_until(raise_on_failure: true) do
-          @idp_user_email = EE::Page::Group::SamlSSOSignUp.perform(&:current_email)
-
-          remove_user_if_exists(@idp_user_email)
-
-          @new_username = EE::Page::Group::SamlSSOSignUp.perform(&:current_username)
-
-          EE::Page::Group::SamlSSOSignUp.perform(&:click_register_button)
-
-          page.has_no_content?("Email has already been taken")
-        end
-
-        expect(page).to have_text("Sign up was successful! Please confirm your email to sign in.")
-
-        QA::Flow::User.confirm_user(@new_username)
-
-        visit_managed_group_url
-
-        EE::Page::Group::SamlSSOSignIn.perform(&:click_sign_in)
-
-        expect(page).to have_text("Signed in with SAML")
-
-        Page::Group::Show.perform(&:leave_group)
-
-        expect(page).to have_text("You left")
-
-        Page::Main::Menu.perform(&:sign_out)
-
-        visit_managed_group_url
-
-        EE::Page::Group::SamlSSOSignIn.perform(&:click_sign_in)
-
-        expect(page).to have_text("uses group managed accounts. You need to create a new GitLab account which will be managed by")
-      end
-
-      after(:all) do
-        page.visit Runtime::Scenario.gitlab_address
-
-        [:group_managed_accounts, :sign_up_on_sso, :group_scim, :group_administration_nav_item].each do |flag|
-          Runtime::Feature.remove(flag)
-        end
-
-        remove_user_if_exists(@idp_user_email)
-
-        @group.remove_via_api!
-
-        Flow::Saml.remove_saml_idp_service(@saml_idp_service)
-
-        page.visit Runtime::Scenario.gitlab_address
-        Page::Main::Menu.perform(&:sign_out_if_signed_in)
-      end
-    end
-
-    def remove_user_if_exists(username_or_email)
-      QA::Runtime::Logger.debug("Attempting to remove user \"#{username_or_email}\" via API")
-
-      return if username_or_email.nil?
-
-      response = parse_body(get(Runtime::API::Request.new(@api_client, "/users?search=#{username_or_email}").url))
-
-      if response.any?
-        raise "GET /users?search=#{username_or_email} returned multiple results. response: #{response}" if response.size > 1
-
-        delete_response = delete Runtime::API::Request.new(@api_client, "/users/#{response.first[:id]}").url
-
-        QA::Runtime::Logger.debug("DELETE \"#{username_or_email}\" response code: #{delete_response.code} message: #{delete_response.body}")
-      else
-        QA::Runtime::Logger.debug("GET /users?search=#{username_or_email} returned empty response: #{response}")
-      end
-    end
-
-    def setup_and_enable_group_managed_accounts
-      [:group_managed_accounts, :sign_up_on_sso, :group_scim, :group_administration_nav_item].each do |flag|
-        Runtime::Feature.enable(flag)
-      end
-
-      Support::Retrier.retry_on_exception do
-        # We need to logout from IDP. This is required if this is a retry.
-        Flow::Saml.logout_from_idp(@saml_idp_service)
-
-        page.visit Runtime::Scenario.gitlab_address
-
-        Page::Main::Menu.perform(&:sign_out_if_signed_in)
-
-        # The first time you have to be signed in as admin
-        unless @saml_linked_for_admin
-          Flow::Login.sign_in(as: @owner_user)
-          @saml_linked_for_admin = true
-        end
-
-        # We must sign in with SAML before enabling Group Managed Accounts
-        visit_managed_group_url
-
-        EE::Page::Group::SamlSSOSignIn.perform(&:click_sign_in)
-
-        Flow::Saml.login_to_idp_if_required('user1', 'user1pass')
-
-        Flow::Saml.visit_saml_sso_settings(@group)
-
-        EE::Page::Group::Settings::SamlSSO.perform do |saml_sso|
-          # Once the feature flags are enabled, it takes some time for the toggle buttons to show on the UI.
-          # This issue does not happen manually. Only happens with the test as they are too fast.
-          Support::Retrier.retry_until(sleep_interval: 1, raise_on_failure: true) do
-            condition_met = saml_sso.has_enforced_sso_checkbox? && saml_sso.has_group_managed_accounts_checkbox?
-            page.refresh unless condition_met
-
-            condition_met
-          end
-
-          saml_sso.enforce_sso
-          saml_sso.enable_group_managed_accounts
-          saml_sso.click_save_changes
-
-          saml_sso.user_login_url_link_text
-        end
-
-        Flow::Saml.visit_saml_sso_settings(@group, direct: true)
-        raise "Group managed accounts not setup correctly" unless EE::Page::Group::Settings::SamlSSO.perform(&:group_managed_accounts_enabled?)
-      end
-    end
-
-    def visit_managed_group_url
-      Runtime::Logger.debug(%Q[Visiting managed_group_url at "#{@managed_group_url}"])
-
-      page.visit @managed_group_url
-      Support::Waiter.wait_until { current_url == @managed_group_url }
-    end
-  end
-end
--- a/qa/qa/specs/features/ee/browser_ui/1_manage/group/group_saml_non_enforced_sso_spec.rb
+++ b/qa/qa/specs/features/ee/browser_ui/1_manage/group/group_saml_non_enforced_sso_spec.rb
@@ -30,7 +30,7 @@ module QA
        let(:default_membership_role) { 'Developer' }

        it 'adds the new member with access level as set in SAML SSO configuration', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/968' do
-          managed_group_url = Flow::Saml.enable_saml_sso(@group, @saml_idp_service, default_membership_role)
+          managed_group_url = Flow::Saml.enable_saml_sso(@group, @saml_idp_service, default_membership_role: default_membership_role)
          Page::Main::Menu.perform(&:sign_out_if_signed_in)

          Flow::Login.while_signed_in(as: user) do