Commit 44116428 authored by Douglas Barbosa Alexandre

Merge branch '12420-prevent-projects-from-being-shared-outside-a-gma-group-member' into 'master'

Prevent projects from being shared outside a GMA group - member restriction

See merge request gitlab-org/gitlab!26163
parents 001de8dd c37ebd26
......@@ -8,6 +8,7 @@ module EE
extend ::Gitlab::Utils::Override
validate :sso_enforcement, if: :group
validate :gma_enforcement, if: :group
before_destroy :delete_member_branch_protection
end
......@@ -22,5 +23,11 @@ module EE
project.protected_branches.push_access_by_user(user).destroy_all # rubocop: disable DestroyAll
end
end
def gma_enforcement
unless ::Gitlab::Auth::GroupSaml::GmaMembershipEnforcer.new(project).can_add_user?(user)
errors.add(:user, _('is not in the group enforcing Group Managed Account'))
end
end
end
end
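Review bot: `gma_enforcement` wraps its single statement in an `unless … end` block; a guard clause is flatter and matches the early-return style used elsewhere in the model: `return if ::Gitlab::Auth::GroupSaml::GmaMembershipEnforcer.new(project).can_add_user?(user)` followed by `errors.add(:user, _('is not in the group enforcing Group Managed Account'))`. The validation is gated only on `:group`, so a member record with no `user` (an e-mail invite, if that path reaches this validation) would hand a nil to the enforcer, which dereferences it directly — worth confirming that case cannot occur or is handled. A one-line comment above `validate :gma_enforcement` saying that members of a project under a root group enforcing group-managed accounts must belong to that group would make the intent visible at the declaration. The enclosing `module EE` block and the class header start outside the hunk.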
---
title: Prevent projects from being shared outside a group with managed accounts
merge_request: 26163
author:
type: changed
# frozen_string_literal: true
module Gitlab
module Auth
module GroupSaml
class GmaMembershipEnforcer
def initialize(project)
@project = project
end
def can_add_user?(user)
return true unless root_group&.enforced_group_managed_accounts?
root_group == user.managing_group
end
private
def root_group
@root_group ||= @project.root_ancestor
end
end
end
end
end
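Review bot: `can_add_user?` dereferences `user` unconditionally on its last line, so a nil user raises `NoMethodError` once enforcement is on instead of yielding a deny decision; `root_group == user&.managing_group` keeps the outcome deny-by-default for nil while the first line already uses safe navigation for a missing root ancestor, so the two lines would then be consistent. The class has no documentation; a short YARD block above it describing that a user may join a project only if the project's root group enforces group-managed accounts and the user is managed by that same group, and that projects without such enforcement accept anyone, would spare readers a trip to the caller. Whether a nil user can actually reach this method depends on the caller's validation guards, which are not visible here.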
# frozen_string_literal: true
require 'spec_helper'
describe Gitlab::Auth::GroupSaml::GmaMembershipEnforcer do
let_it_be(:group) { create(:group_with_managed_accounts, :private) }
let_it_be(:project) { create(:project, namespace: group)}
subject { described_class.new(project) }
before do
stub_licensed_features(group_saml: true)
end
context 'when user is group-managed' do
it 'allows adding user to project' do
managed_user = create(:user, :group_managed, managing_group: group)
expect(subject.can_add_user?(managed_user)).to be_truthy
end
end
context 'when user is not group-managed' do
it 'does not allow adding user to project' do
user = create(:user)
expect(subject.can_add_user?(user)).to be_falsey
end
end
end
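Review bot: The spec only exercises the enforcing path; the early return in `can_add_user?` for a root group that does not enforce group-managed accounts is untested here, as is a nil `user`. A `context 'when the root group does not enforce managed accounts'` built on a plain `create(:group)` (presumably non-enforcing) with `expect(subject.can_add_user?(create(:user))).to be_truthy` would pin the opt-out behaviour that the model spec relies on. Minor: `create(:project, namespace: group)}` is missing the space before `}`.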
......@@ -7,4 +7,41 @@ describe ProjectMember do
it_behaves_like 'member validations' do
let(:entity) { create(:project, group: group)}
end
context 'validates GMA enforcement' do
let(:group) { create(:group_with_managed_accounts, :private) }
let(:entity) { create(:project, namespace: group)}
before do
stub_feature_flags(group_managed_accounts: true)
end
context 'enforced group managed account enabled' do
before do
stub_licensed_features(group_saml: true)
end
it 'allows adding the project member' do
user = create(:user, :group_managed, managing_group: group)
member = entity.add_developer(user)
expect(member).to be_valid
end
it 'does not add the the project member' do
member = entity.add_developer(create(:user))
expect(member).not_to be_valid
expect(member.errors.messages[:user]).to include('is not in the group enforcing Group Managed Account')
end
end
context 'enforced group managed account disabled' do
it 'allows adding the group member' do
member = entity.add_developer(create(:user))
expect(member).to be_valid
end
end
end
end
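Review bot: Two example descriptions do not match what they test: `it 'does not add the the project member'` doubles "the", and `it 'allows adding the group member'` in the disabled context adds a project member via `entity.add_developer`, not a group member; `it 'does not add the project member'` and `it 'allows adding the project member'` would be accurate. The same missing space before `}` appears in `let(:entity) { create(:project, namespace: group)}` on both `let` lines. The enclosing `describe ProjectMember` block starts outside the hunk.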
......@@ -23557,6 +23557,9 @@ msgstr ""
msgid "is not an email you own"
msgstr ""
msgid "is not in the group enforcing Group Managed Account"
msgstr ""
msgid "is too long (%{current_value}). The maximum size is %{max_size}."
msgstr ""