GroupSAML metadata uses feature flag

Also adds tests for that feature flag, pushing it over
the danger-review limit requiring longer commit message.

app/helpers/accounts_helper.rb

@@ -5,3 +5,5 @@ module AccountsHelper
     current_user.incoming_email_token && Gitlab::IncomingEmail.supports_issue_creation?
   end
 end
+
+AccountsHelper.prepend(EE::AccountsHelper)

ee/app/helpers/ee/accounts_helper.rb

+# frozen_string_literal: true
+
+module EE
+  module AccountsHelper
+    def group_saml_metadata_enabled?(group)
+      ::Feature.enabled?(:group_saml_metadata_available, group)
+    end
+  end
+end

ee/app/views/groups/saml_providers/_info.html.haml

@@ -21,11 +21,12 @@
   .well-segment.borderless
     = render 'info_row', field: :issuer, label_text: 'Identifier'
     .form-text.text-muted= _('Also called "Issuer" or "Relying party trust identifier"')
-  .well-segment.borderless
-    %label= _("GitLab metadata URL")
-    - metadata_url = user_group_saml_omniauth_metadata_url(@group)
-    %div= link_to metadata_url, metadata_url
-    .form-text.text-muted= _("Used to help configure your identity provider")
+  - if group_saml_metadata_enabled?(@group)
+    .well-segment.borderless
+      %label= _("GitLab metadata URL")
+      - metadata_url = user_group_saml_omniauth_metadata_url(@group)
+      %div= link_to metadata_url, metadata_url
+      .form-text.text-muted= _("Used to help configure your identity provider")
   - if @saml_provider.persisted?
     .well-segment.borderless
       %label= _("GitLab single sign on URL")

ee/lib/omni_auth/strategies/group_saml.rb

@@ -5,7 +5,7 @@ module OmniAuth
       option :callback_path, ->(env) { callback?(env) }
 
       def setup_phase
-        if on_subpath?(:metadata)
+        if metadata_phase?
           require_discovery_token
         else
           require_saml_provider
@@ -23,7 +23,7 @@ module OmniAuth
       # Prevent access to SLO endpoints. These make less sense at
       # group level and would need additional work to securely support
       def other_phase
-        if on_subpath?(:metadata)
+        if metadata_phase?
           super
         else
           call_app!
@@ -40,6 +40,14 @@ module OmniAuth
 
       private
 
+      def metadata_phase?
+        on_subpath?(:metadata) && metadata_enabled?
+      end
+
+      def metadata_enabled?
+        Feature.enabled?(:group_saml_metadata_available)
+      end
+
       def group_lookup
         @group_lookup ||= Gitlab::Auth::GroupSaml::GroupLookup.new(env)
       end

ee/spec/features/groups/saml_providers_spec.rb

@@ -51,6 +51,14 @@ describe 'SAML provider settings' do
       expect(response_headers['Content-Type']).to have_content("application/xml")
     end
 
+    it 'does not show metadata link when feature disabled' do
+      stub_feature_flags(group_saml_metadata_available: false)
+
+      visit group_saml_providers_path(group)
+
+      expect(page).not_to have_content('metadata')
+    end
+
     it 'allows creation of new provider' do
       visit group_saml_providers_path(group)
 

ee/spec/lib/omni_auth/strategies/group_saml_spec.rb

@@ -125,6 +125,14 @@ describe OmniAuth::Strategies::GroupSaml, type: :strategy do
       end.to raise_error(ActionController::RoutingError)
     end
 
+    it 'returns 404 when feature disabled' do
+      stub_feature_flags(group_saml_metadata_available: false)
+
+      post '/users/auth/group_saml/metadata', group_path: 'my-group', token: group.saml_discovery_token
+
+      expect(last_response.status).to eq 404
+    end
+
     it 'returns metadata when a valid token is provided' do
       post '/users/auth/group_saml/metadata', group_path: 'my-group', token: group.saml_discovery_token