Can view SAML SSO page using token

Adds Auth::GroupSaml::TokenActor for use in SamlProviderPolicy

ee/app/controllers/groups/sso_controller.rb

@@ -60,7 +60,12 @@ class Groups::SsoController < Groups::ApplicationController
   end
 
   def check_user_can_sign_in_with_provider
-    route_not_found unless can?(current_user, :sign_in_with_saml_provider, @unauthenticated_group.saml_provider)
+    actor = saml_discovery_token_actor || current_user
+    route_not_found unless can?(actor, :sign_in_with_saml_provider, @unauthenticated_group.saml_provider)
+  end
+
+  def saml_discovery_token_actor
+    Gitlab::Auth::GroupSaml::TokenActor.new(params[:token]) if params[:token]
   end
 
   def redirect_if_group_moved

ee/app/policies/saml_provider_policy.rb

 # frozen_string_literal: true
 
 class SamlProviderPolicy < BasePolicy
-  rule { ~anonymous }.enable :sign_in_with_saml_provider
+  delegate { @subject.group }
+
+  def actor
+    @user
+  end
+
+  condition(:public_group, scope: :subject) { @subject.group.public? }
+
+  condition(:signed_in, scope: :user) { actor.is_a?(::User) }
+
+  condition(:token_grants_private_access) do
+    actor.is_a?(Gitlab::Auth::GroupSaml::TokenActor) && actor.valid_for?(@subject.group)
+  end
+
+  condition(:can_discover_group?) do
+    public_group? || token_grants_private_access? || signed_in?
+  end
+
+  rule { can_discover_group? }.enable :sign_in_with_saml_provider
 end

ee/lib/gitlab/auth/group_saml/token_actor.rb

+# frozen_string_literal: true
+
+module Gitlab
+  module Auth
+    module GroupSaml
+      class TokenActor
+        def initialize(token)
+          @token = token
+        end
+
+        def valid_for?(group)
+          group.saml_discovery_token.present? && group.saml_discovery_token == @token
+        end
+      end
+    end
+  end
+end

ee/spec/lib/gitlab/auth/group_saml/token_actor_spec.rb

+# frozen_string_literal: true
+require 'spec_helper'
+
+describe Gitlab::Auth::GroupSaml::TokenActor do
+  let(:saml_provider) { create(:saml_provider) }
+  let(:group) { saml_provider.group }
+
+  subject { described_class.new(token) }
+
+  context 'valid token' do
+    let(:token) { group.saml_discovery_token }
+
+    it 'is valid for the group' do
+      expect(subject).to be_valid_for(group)
+    end
+  end
+
+  context 'invalid token' do
+    let(:token) { 'abcdef' }
+
+    it 'is invalid for the group' do
+      expect(subject).not_to be_valid_for(group)
+    end
+  end
+
+  context 'missing token' do
+    let(:token) { nil }
+
+    it 'is invalid for the group' do
+      expect(subject).not_to be_valid_for(group)
+    end
+  end
+
+  context 'when geo prevents saml_provider from having a token' do
+    let(:token) { nil }
+    let(:group) { double(:group, saml_discovery_token: nil) }
+
+    it 'prevents nil token from allowing access' do
+      expect(subject).not_to be_valid_for(group)
+    end
+  end
+end

ee/spec/policies/saml_provider_policy_spec.rb

+# frozen_string_literal: true
+require 'spec_helper'
+
+describe SamlProviderPolicy do
+  let(:group_visibility) { :public }
+  let(:group) { create(:group, group_visibility) }
+  let(:saml_provider) { create(:saml_provider, group: group) }
+
+  context 'with a user' do
+    let(:user) { create(:user) }
+
+    subject { described_class.new(user, saml_provider) }
+
+    it 'allows access to public groups' do
+      is_expected.to be_allowed(:sign_in_with_saml_provider)
+    end
+
+    it 'allows access to private groups' do
+      group.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
+
+      is_expected.to be_allowed(:sign_in_with_saml_provider)
+    end
+  end
+
+  context 'with a token actor' do
+    subject { described_class.new(token_actor, saml_provider) }
+
+    context 'valid token' do
+      let(:token_actor) { Gitlab::Auth::GroupSaml::TokenActor.new(group.saml_discovery_token) }
+
+      it 'allows access to public groups' do
+        is_expected.to be_allowed(:sign_in_with_saml_provider)
+      end
+
+      it 'allows access to private groups' do
+        group.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
+
+        is_expected.to be_allowed(:sign_in_with_saml_provider)
+      end
+    end
+
+    context 'invalid or missing token' do
+      let(:token_actor) { Gitlab::Auth::GroupSaml::TokenActor.new("xyz") }
+
+      it 'allows anonymous access to public groups' do
+        is_expected.to be_allowed(:sign_in_with_saml_provider)
+      end
+
+      it 'prevents access to private groups' do
+        group.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
+
+        is_expected.not_to be_allowed(:sign_in_with_saml_provider)
+      end
+    end
+  end
+
+  context 'without a user or actor' do
+    subject { described_class.new(nil, saml_provider) }
+
+    it 'allows access to public groups' do
+      is_expected.to be_allowed(:sign_in_with_saml_provider)
+    end
+
+    it 'prevents access to private groups' do
+      group.update!(visibility_level: Gitlab::VisibilityLevel::PRIVATE)
+
+      is_expected.not_to be_allowed(:sign_in_with_saml_provider)
+    end
+  end
+end