Commit 084f5d6e authored by Heinrich Lee Yu's avatar Heinrich Lee Yu

Merge branch 'jej/ensure-can-unlink-group-saml-when-disabled' into 'master'

Ensure users can unlink Group SAML when the group has SAML disabled

Closes #217817

See merge request gitlab-org/gitlab!32655
parents 2834ebbb bca8b4fb
...@@ -5,7 +5,9 @@ class Groups::SsoController < Groups::ApplicationController ...@@ -5,7 +5,9 @@ class Groups::SsoController < Groups::ApplicationController
skip_before_action :group skip_before_action :group
before_action :authenticate_user!, only: [:unlink] before_action :authenticate_user!, only: [:unlink]
before_action :require_configured_provider! before_action :require_group_saml_instance!
before_action :require_licensed_group!, except: [:unlink]
before_action :require_saml_provider!
before_action :require_enabled_provider!, except: [:unlink] before_action :require_enabled_provider!, except: [:unlink]
before_action :check_user_can_sign_in_with_provider, only: [:saml] before_action :check_user_can_sign_in_with_provider, only: [:saml]
before_action :redirect_if_group_moved before_action :redirect_if_group_moved
...@@ -112,20 +114,20 @@ class Groups::SsoController < Groups::ApplicationController ...@@ -112,20 +114,20 @@ class Groups::SsoController < Groups::ApplicationController
Gitlab::Auth::GroupSaml::SsoEnforcer.new(unauthenticated_group.saml_provider).update_session Gitlab::Auth::GroupSaml::SsoEnforcer.new(unauthenticated_group.saml_provider).update_session
end end
def require_configured_provider! def require_group_saml_instance!
unless unauthenticated_group&.feature_available?(:group_saml) && Gitlab::Auth::GroupSaml::Config.enabled? route_not_found unless Gitlab::Auth::GroupSaml::Config.enabled?
return route_not_found
end end
return if unauthenticated_group.saml_provider def require_licensed_group!
route_not_found unless unauthenticated_group&.feature_available?(:group_saml)
end
redirect_settings_or_not_found def require_saml_provider!
redirect_settings_or_not_found unless unauthenticated_group.saml_provider
end end
def require_enabled_provider! def require_enabled_provider!
return if unauthenticated_group.saml_provider&.enabled? redirect_settings_or_not_found unless unauthenticated_group.saml_provider&.enabled?
redirect_settings_or_not_found
end end
def redirect_settings_or_not_found def redirect_settings_or_not_found
......
---
title: Ensure users can unlink Group SAML when the group has SAML disabled
merge_request: 32655
author:
type: fixed
...@@ -62,6 +62,25 @@ describe Groups::SsoController do ...@@ -62,6 +62,25 @@ describe Groups::SsoController do
end end
end end
context 'when SAML trial has expired' do
before do
create(:group_saml_identity, saml_provider: saml_provider, user: user)
stub_licensed_features(group_saml: false)
end
it 'DELETE /unlink still allows account unlinking' do
expect do
delete :unlink, params: { group_id: group }
end.to change(Identity, :count).by(-1)
end
it 'GET /saml renders 404' do
get :saml, params: { group_id: group }
expect(response).to have_gitlab_http_status(:not_found)
end
end
context 'when user is not signed in' do context 'when user is not signed in' do
it 'acts as route not found' do it 'acts as route not found' do
sign_out(user) sign_out(user)
......
...@@ -10,8 +10,9 @@ describe 'Profile > Account' do ...@@ -10,8 +10,9 @@ describe 'Profile > Account' do
end end
describe "Disconnect Group SAML", :js do describe "Disconnect Group SAML", :js do
let(:group) { create(:group, :private, name: 'Test Group') } let_it_be(:group) { create(:group, :private, name: 'Test Group') }
let(:saml_provider) { create(:saml_provider, group: group) } let_it_be(:saml_provider) { create(:saml_provider, group: group) }
let_it_be(:unlink_label) { "SAML for Test Group" }
def enable_group_saml def enable_group_saml
stub_licensed_features(group_saml: true) stub_licensed_features(group_saml: true)
...@@ -33,16 +34,52 @@ describe 'Profile > Account' do ...@@ -33,16 +34,52 @@ describe 'Profile > Account' do
it 'unlinks account' do it 'unlinks account' do
visit profile_account_path visit profile_account_path
unlink_label = "SAML for Test Group"
expect(page).to have_content unlink_label expect(page).to have_content unlink_label
click_link "Disconnect" click_link "Disconnect"
expect(current_path).to eq profile_account_path expect(current_path).to eq profile_account_path
expect(page).not_to have_content(unlink_label) expect(page).not_to have_content(unlink_label)
end
it 'removes access to the group' do
visit profile_account_path
click_link "Disconnect"
visit group_path(group) visit group_path(group)
expect(page).to have_content('Page Not Found') expect(page).to have_content('Page Not Found')
end end
context 'group has disabled SAML' do
before do
saml_provider.update!(enabled: false)
end
it 'lets members distrust and unlink authentication' do
visit profile_account_path
expect(page).to have_content unlink_label
click_link "Disconnect"
expect(current_path).to eq profile_account_path
expect(page).not_to have_content(unlink_label)
end
end
context 'group trial has expired' do
before do
stub_licensed_features(group_saml: false)
end
it 'lets members distrust and unlink authentication' do
visit profile_account_path
expect(page).to have_content unlink_label
click_link "Disconnect"
expect(current_path).to eq profile_account_path
expect(page).not_to have_content(unlink_label)
end
end
end end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment