Add checking forked project members membership in group managed account

Add translation method Add different behaviour for forked project Add changelog entry Fix ambigous name Check for namespace kind Add cr remarks Fix badly merged files Add cr remarks Add cr remarks Fix badly merged files

Add checking forked project members membership in group managed account
Add translation method Add different behaviour for forked project Add changelog entry Fix ambigous name Check for namespace kind Add cr remarks Fix badly merged files Add cr remarks Add cr remarks Fix badly merged files
5d1cc96c · Małgorzata Ksionek · f33f8847 · 5d1cc96c · 5d1cc96c · 5d1cc96c
Commit 5d1cc96c authored Feb 28, 2020 by Małgorzata Ksionek
3 changed files
--- a/ee/changelogs/unreleased/12420-prevent-projects-from-being-shared-outside-a-gma-group-member.yml
+++ b/ee/changelogs/unreleased/12420-prevent-projects-from-being-shared-outside-a-gma-group-member.yml
 ---
-title: Prevent projects from being shared outside a group with managed accounts
-merge_request: 26163
+title: Prevent projects from being shared outside a group with managed accounts for forked projects
+merge_request: 26186
 author:
 type: changed
--- a/ee/lib/gitlab/auth/group_saml/gma_membership_enforcer.rb
+++ b/ee/lib/gitlab/auth/group_saml/gma_membership_enforcer.rb
@@ -9,15 +9,27 @@ module Gitlab
        end

        def can_add_user?(user)
-          return true unless root_group&.enforced_group_managed_accounts?
+          can_add_user_to_main_project = check_group_membership(user, project)
+          can_add_user_to_source_project = project.forked? ? check_group_membership(user, project.forked_from_project) : true

-          root_group == user.managing_group
+          can_add_user_to_main_project && can_add_user_to_source_project
        end

        private

-        def root_group
-          @root_group ||= @project.root_ancestor
+        attr_reader :project
+
+        def check_group_membership(user, given_project)
+          root_ancestor = project_root_ancestor(given_project)
+
+          return true unless root_ancestor.kind == 'group'
+          return true unless root_ancestor.enforced_group_managed_accounts?
+
+          root_ancestor == user.managing_group
+        end
+
+        def project_root_ancestor(given_project)
+          given_project.root_ancestor
        end
      end
    end

--- a/ee/spec/lib/gitlab/auth/group_saml/gma_membership_enforcer_spec.rb
+++ b/ee/spec/lib/gitlab/auth/group_saml/gma_membership_enforcer_spec.rb
@@ -3,8 +3,11 @@
 require 'spec_helper'

 describe Gitlab::Auth::GroupSaml::GmaMembershipEnforcer do
+  include ProjectForksHelper
  let_it_be(:group) { create(:group_with_managed_accounts, :private) }
  let_it_be(:project) { create(:project, namespace: group)}
+  let_it_be(:managed_user) { create(:user, :group_managed, managing_group: group) }
+  let_it_be(:managed_user_for_project) { create(:user, :group_managed, managing_group: group) }

  subject { described_class.new(project) }

@@ -14,8 +17,6 @@ describe Gitlab::Auth::GroupSaml::GmaMembershipEnforcer do

  context 'when user is group-managed' do
    it 'allows adding user to project' do
-      managed_user = create(:user, :group_managed, managing_group: group)
-
      expect(subject.can_add_user?(managed_user)).to be_truthy
    end
  end
@@ -27,4 +28,46 @@ describe Gitlab::Auth::GroupSaml::GmaMembershipEnforcer do
      expect(subject.can_add_user?(user)).to be_falsey
    end
  end
+
+  context 'when the project is forked' do
+    let(:forked_project) { fork_project(project, managed_user_for_project) }
+
+    before do
+      project.add_developer(managed_user_for_project)
+    end
+
+    context 'when user is group-managed' do
+      it 'allows adding user to project' do
+        expect(described_class.new(forked_project).can_add_user?(managed_user)).to be_truthy
+      end
+    end
+
+    context 'when user is not group-managed' do
+      it 'does not allow adding user to project' do
+        expect(described_class.new(forked_project).can_add_user?(create(:user))).to be_falsey
+      end
+    end
+  end
+
+  context 'when project is forked from namespace to group' do
+    let(:project) { create(:project) }
+    let(:forked_project) { create(:project, namespace: group) }
+
+    before do
+      project.add_developer(managed_user_for_project)
+      fork_project(project, managed_user_for_project, namespace: group, target_project: forked_project)
+    end
+
+    context 'when user is group-managed' do
+      it 'allows adding user to project' do
+        expect(described_class.new(forked_project).can_add_user?(managed_user)).to be_truthy
+      end
+    end
+
+    context 'when user is not group-managed' do
+      it 'does not allow adding user to project' do
+        expect(described_class.new(forked_project).can_add_user?(create(:user))).to be_falsey
+      end
+    end
+  end
 end