Merge branch 'jej/graphql-sso-enforcement' into 'master'

GraphQL group access avoids SSO session checks Closes #35795 See merge request gitlab-org/gitlab!21922

Merge branch 'jej/graphql-sso-enforcement' into 'master'
GraphQL group access avoids SSO session checks Closes #35795 See merge request gitlab-org/gitlab!21922
11021060 · James Lopez · 75365338 · c028b811 · 11021060 · 11021060
Commit 11021060 authored Dec 18, 2019 by James Lopez
3 changed files
--- a/app/controllers/graphql_controller.rb
+++ b/app/controllers/graphql_controller.rb
@@ -3,6 +3,7 @@
 class GraphqlController < ApplicationController
  # Unauthenticated users have access to the API for public data
  skip_before_action :authenticate_user!
+  skip_around_action :set_session_storage

  # Allow missing CSRF tokens, this would mean that if a CSRF is invalid or missing,
  # the user won't be authenticated but can proceed as an anonymous user.

--- a/ee/changelogs/unreleased/jej-graphql-sso-enforcement.yml
+++ b/ee/changelogs/unreleased/jej-graphql-sso-enforcement.yml
+---
+title: Fix GraphQL access to groups with SAML SSO Enforcement
+merge_request: 21922
+author:
+type: fixed
--- a/ee/spec/requests/api/graphql/group_query_spec.rb
+++ b/ee/spec/requests/api/graphql/group_query_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'getting group information' do
+  include GraphqlHelpers
+
+  let(:user) { create(:user) }
+
+  describe "Query group(fullPath)" do
+    def group_query(group)
+      graphql_query_for('group', 'fullPath' => group.full_path)
+    end
+
+    context 'when Group SSO is enforced' do
+      let(:group) { create(:group, :private) }
+
+      before do
+        stub_feature_flags(enforced_sso_requires_session: true)
+        saml_provider = create(:saml_provider, enforced_sso: true, group: group)
+        create(:group_saml_identity, saml_provider: saml_provider, user: user)
+        group.add_guest(user)
+      end
+
+      it 'returns null data when not authorized' do
+        post_graphql(group_query(group))
+
+        expect(graphql_data['group']).to be_nil
+      end
+
+      it 'allows access via session' do
+        post_graphql(group_query(group), current_user: user)
+
+        expect(response).to have_gitlab_http_status(200)
+        expect(graphql_data['group']['id']).to eq(group.to_global_id.to_s)
+      end
+
+      it 'allows access via bearer token' do
+        token = create(:personal_access_token, user: user).token
+        post_graphql(group_query(group), headers: { 'Authorization' => "Bearer #{token}" })
+
+        expect(response).to have_gitlab_http_status(200)
+        expect(graphql_data['group']['id']).to eq(group.to_global_id.to_s)
+      end
+    end
+  end
+end