Add forking limitations

Add changelog and strings file Fix rubocop offences Add cr remarks Add forking limitations Add cr remarks Add changelog entry Add cr remarks

Add forking limitations
Add changelog and strings file Fix rubocop offences Add cr remarks Add forking limitations Add cr remarks Add changelog entry Add cr remarks
57636695 · Małgorzata Ksionek · f33f8847 · 57636695 · 57636695 · 57636695
Commit 57636695 authored Feb 27, 2020 by Małgorzata Ksionek
3 changed files
--- a/ee/app/services/ee/projects/group_links/create_service.rb
+++ b/ee/app/services/ee/projects/group_links/create_service.rb
@@ -8,7 +8,7 @@ module EE

        override :execute
        def execute(group)
-          return error(error_message, 409) unless group_allowed_to_be_shared_with?(group)
+          return error(error_message, 409) unless allowed_to_be_shared_with?(group)

          result = super

@@ -18,10 +18,17 @@ module EE

        private

-        def group_allowed_to_be_shared_with?(group)
-          return true unless project.root_ancestor.kind == 'group' && project.root_ancestor.enforced_sso?
+        def allowed_to_be_shared_with?(group)
+          project_can_be_shared_with_group = project_can_be_shared_with_group?(group, project)
+          source_project_can_be_shared_with_group = project.forked? ? project_can_be_shared_with_group?(group, project.forked_from_project) : true

-          group.root_ancestor == project.root_ancestor
+          project_can_be_shared_with_group && source_project_can_be_shared_with_group
+        end
+
+        def project_can_be_shared_with_group?(group, given_project)
+          return true unless given_project.root_ancestor.kind == 'group' && given_project.root_ancestor.enforced_sso?
+
+          group.root_ancestor == given_project.root_ancestor
        end

        def error_message

--- a/ee/changelogs/unreleased/12420-prevent-projects-from-being-shared-outside-a-gma-group-forking.yml
+++ b/ee/changelogs/unreleased/12420-prevent-projects-from-being-shared-outside-a-gma-group-forking.yml
+---
+title: Restrict inviting outside group to a project forked from a group with enforced SSO
+merge_request: 26456
+author:
+type: changed
--- a/ee/spec/services/projects/group_links/create_service_spec.rb
+++ b/ee/spec/services/projects/group_links/create_service_spec.rb
@@ -3,6 +3,8 @@
 require 'spec_helper'

 describe Projects::GroupLinks::CreateService, '#execute' do
+  include ProjectForksHelper
+
  let(:user) { create :user }
  let(:project) { create :project }
  let(:group) { create(:group, visibility_level: 0) }
@@ -40,6 +42,8 @@ describe Projects::GroupLinks::CreateService, '#execute' do
  context 'when project is in sso enforced group' do
    let(:saml_provider) { create(:saml_provider, enforced_sso: true) }
    let(:root_group) { saml_provider.group }
+    let(:identity) { create(:group_saml_identity, saml_provider: saml_provider) }
+    let(:user) { identity.user }
    let(:project) { create(:project, :private, group: root_group) }
    let(:subject) { described_class.new(project, user, opts) }

@@ -82,6 +86,75 @@ describe Projects::GroupLinks::CreateService, '#execute' do
        end
      end
    end
+
+    context 'when project is forked from group with enforced SSO' do
+      let(:forked_project) { create(:project) }
+
+      before do
+        root_group.add_developer(user)
+
+        fork_project(project, user, target_project: forked_project)
+      end
+
+      context 'when invited group is outside top group' do
+        let(:group_to_invite) { create(:group) }
+
+        it 'does not add group to project' do
+          expect { described_class.new(forked_project, user, opts).execute(group_to_invite) }.not_to change { forked_project.project_group_links.count }
+        end
+
+        it 'returns error status and message' do
+          result = described_class.new(forked_project, user, opts).execute(group_to_invite)
+
+          expect(result[:message]).to eq('This group cannot be invited to a project inside a group with enforced SSO')
+          expect(result[:status]).to eq(:error)
+        end
+      end
+
+      context 'when invited group is in the top group' do
+        let(:group_to_invite) { create(:group, parent: root_group) }
+
+        it 'adds group to project' do
+          expect { described_class.new(forked_project, user, opts).execute(group_to_invite) }.to change { forked_project.project_group_links.count }.from(0).to(1)
+
+          group_link = forked_project.project_group_links.first
+
+          expect(group_link.group_id).to eq(group_to_invite.id)
+          expect(group_link.project_id).to eq(forked_project.id)
+        end
+      end
+    end
+
+    context 'when project is forked to group with enforced sso' do
+      let(:source_project) { create(:project) }
+
+      before do
+        source_project.add_developer(user)
+
+        fork_project(source_project, user, target_project: project)
+      end
+
+      context 'when invited group is outside top group' do
+        let(:group_to_invite) { create(:group) }
+
+        it 'does not add group to project' do
+          expect { subject.execute(group_to_invite) }.not_to change { project.project_group_links.count }
+        end
+      end
+
+      context 'when invited group is in the top group' do
+        let(:group_to_invite) { create(:group, parent: root_group) }
+
+        it 'adds group to project' do
+          expect { subject.execute(group_to_invite) }.to change { project.project_group_links.count }.from(0).to(1)
+
+          group_link = project.project_group_links.first
+
+          expect(group_link.group_id).to eq(group_to_invite.id)
+          expect(group_link.project_id).to eq(project.id)
+        end
+      end
+    end
  end

  def create_group_link(user, project, group, opts)