Merge branch '12420-prevent-projects-from-being-shared-outside-a-gma-group-member' into 'master'

Prevent projects from being shared outside a GMA group - member restriction See merge request gitlab-org/gitlab!26163

Merge branch '12420-prevent-projects-from-being-shared-outside-a-gma-group-member' into 'master'
Prevent projects from being shared outside a GMA group - member restriction See merge request gitlab-org/gitlab!26163
44116428 · Douglas Barbosa Alexandre · 001de8dd · c37ebd26 · 44116428 · 44116428
Commit 44116428 authored Mar 05, 2020 by Douglas Barbosa Alexandre
6 changed files
--- a/ee/app/models/ee/project_member.rb
+++ b/ee/app/models/ee/project_member.rb
@@ -8,6 +8,7 @@ module EE
      extend ::Gitlab::Utils::Override

      validate :sso_enforcement, if: :group
+      validate :gma_enforcement, if: :group

      before_destroy :delete_member_branch_protection
    end
@@ -22,5 +23,11 @@ module EE
        project.protected_branches.push_access_by_user(user).destroy_all # rubocop: disable DestroyAll
      end
    end
+
+    def gma_enforcement
+      unless ::Gitlab::Auth::GroupSaml::GmaMembershipEnforcer.new(project).can_add_user?(user)
+        errors.add(:user, _('is not in the group enforcing Group Managed Account'))
+      end
+    end
  end
 end
--- a/ee/changelogs/unreleased/12420-prevent-projects-from-being-shared-outside-a-gma-group-member.yml
+++ b/ee/changelogs/unreleased/12420-prevent-projects-from-being-shared-outside-a-gma-group-member.yml
+---
+title: Prevent projects from being shared outside a group with managed accounts
+merge_request: 26163
+author:
+type: changed
--- a/ee/lib/gitlab/auth/group_saml/gma_membership_enforcer.rb
+++ b/ee/lib/gitlab/auth/group_saml/gma_membership_enforcer.rb
+# frozen_string_literal: true
+
+module Gitlab
+  module Auth
+    module GroupSaml
+      class GmaMembershipEnforcer
+        def initialize(project)
+          @project = project
+        end
+
+        def can_add_user?(user)
+          return true unless root_group&.enforced_group_managed_accounts?
+
+          root_group == user.managing_group
+        end
+
+        private
+
+        def root_group
+          @root_group ||= @project.root_ancestor
+        end
+      end
+    end
+  end
+end
--- a/ee/spec/lib/gitlab/auth/group_saml/gma_membership_enforcer_spec.rb
+++ b/ee/spec/lib/gitlab/auth/group_saml/gma_membership_enforcer_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Gitlab::Auth::GroupSaml::GmaMembershipEnforcer do
+  let_it_be(:group) { create(:group_with_managed_accounts, :private) }
+  let_it_be(:project) { create(:project, namespace: group)}
+
+  subject { described_class.new(project) }
+
+  before do
+    stub_licensed_features(group_saml: true)
+  end
+
+  context 'when user is group-managed' do
+    it 'allows adding user to project' do
+      managed_user = create(:user, :group_managed, managing_group: group)
+
+      expect(subject.can_add_user?(managed_user)).to be_truthy
+    end
+  end
+
+  context 'when user is not group-managed' do
+    it 'does not allow adding user to project' do
+      user = create(:user)
+
+      expect(subject.can_add_user?(user)).to be_falsey
+    end
+  end
+end
--- a/ee/spec/models/project_member_spec.rb
+++ b/ee/spec/models/project_member_spec.rb
@@ -7,4 +7,41 @@ describe ProjectMember do
  it_behaves_like 'member validations' do
    let(:entity) { create(:project, group: group)}
  end
+
+  context 'validates GMA enforcement' do
+    let(:group) { create(:group_with_managed_accounts, :private) }
+    let(:entity) { create(:project, namespace: group)}
+
+    before do
+      stub_feature_flags(group_managed_accounts: true)
+    end
+
+    context 'enforced group managed account enabled' do
+      before do
+        stub_licensed_features(group_saml: true)
+      end
+
+      it 'allows adding the project member' do
+        user = create(:user, :group_managed, managing_group: group)
+        member = entity.add_developer(user)
+
+        expect(member).to be_valid
+      end
+
+      it 'does not add the the project member' do
+        member = entity.add_developer(create(:user))
+
+        expect(member).not_to be_valid
+        expect(member.errors.messages[:user]).to include('is not in the group enforcing Group Managed Account')
+      end
+    end
+
+    context 'enforced group managed account disabled' do
+      it 'allows adding the group member' do
+        member = entity.add_developer(create(:user))
+
+        expect(member).to be_valid
+      end
+    end
+  end
 end
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -23557,6 +23557,9 @@ msgstr ""
 msgid "is not an email you own"
 msgstr ""

+msgid "is not in the group enforcing Group Managed Account"
+msgstr ""
+
 msgid "is too long (%{current_value}). The maximum size is %{max_size}."
 msgstr ""