Add check for inviting groups outside of group with enforced sso

This commit blocks the possibility of inviting group to a project in a particular case: 1. when project is in the group, that enforces SSO 2. when group that is supposed to be invited was created outside this group This is the first part of changes described in https://gitlab.com/gitlab-org/gitlab/issues/12420.

Add check for inviting groups outside of group with enforced sso
This commit blocks the possibility of inviting group to a project in a particular case: 1. when project is in the group, that enforces SSO 2. when group that is supposed to be invited was created outside this group This is the first part of changes described in https://gitlab.com/gitlab-org/gitlab/issues/12420.
6ba731ca · Małgorzata Ksionek · Stan Hu · f610a080 · 6ba731ca · 6ba731ca
Commit 6ba731ca authored Feb 27, 2020 by Małgorzata Ksionek Committed by Stan Hu Mar 03, 2020
5 changed files
--- a/ee/app/models/ee/group.rb
+++ b/ee/app/models/ee/group.rb
@@ -44,7 +44,7 @@ module EE

      has_one :deletion_schedule, class_name: 'GroupDeletionSchedule'
      delegate :deleting_user, :marked_for_deletion_on, to: :deletion_schedule, allow_nil: true
-      delegate :enforced_group_managed_accounts?, to: :saml_provider, allow_nil: true
+      delegate :enforced_group_managed_accounts?, :enforced_sso?, to: :saml_provider, allow_nil: true

      belongs_to :file_template_project, class_name: "Project"


--- a/ee/app/services/ee/projects/group_links/create_service.rb
+++ b/ee/app/services/ee/projects/group_links/create_service.rb
@@ -8,6 +8,8 @@ module EE

        override :execute
        def execute(group)
+          return error(error_message, 409) unless group_allowed_to_be_shared_with?(group)
+
          result = super

          log_audit_event(result[:link]) if result[:status] == :success
@@ -16,6 +18,16 @@ module EE

        private

+        def group_allowed_to_be_shared_with?(group)
+          return true unless project.root_ancestor.kind == 'group' && project.root_ancestor.enforced_sso?
+
+          group.root_ancestor == project.root_ancestor
+        end
+
+        def error_message
+          _('This group cannot be invited to a project inside a group with enforced SSO')
+        end
+
        def log_audit_event(group_link)
          ::AuditEventService.new(
            current_user,

--- a/ee/changelogs/unreleased/12420-prevent-projects-from-being-shared-outside-a-gma-group.yml
+++ b/ee/changelogs/unreleased/12420-prevent-projects-from-being-shared-outside-a-gma-group.yml
+---
+title: "Prevent 'Invite group' for groups outside a group-managed account group"
+merge_request: 26081
+author:
+type: changed
--- a/ee/spec/services/projects/group_links/create_service_spec.rb
+++ b/ee/spec/services/projects/group_links/create_service_spec.rb
@@ -3,9 +3,9 @@
 require 'spec_helper'

 describe Projects::GroupLinks::CreateService, '#execute' do
-  let!(:user) { create :user }
-  let!(:project) { create :project }
-  let!(:group) { create(:group, visibility_level: 0) }
+  let(:user) { create :user }
+  let(:project) { create :project }
+  let(:group) { create(:group, visibility_level: 0) }
  let(:opts) do
    {
      link_group_access: '30',
@@ -37,6 +37,53 @@ describe Projects::GroupLinks::CreateService, '#execute' do
    end
  end

+  context 'when project is in sso enforced group' do
+    let(:saml_provider) { create(:saml_provider, enforced_sso: true) }
+    let(:root_group) { saml_provider.group }
+    let(:project) { create(:project, :private, group: root_group) }
+    let(:subject) { described_class.new(project, user, opts) }
+
+    before do
+      group_to_invite.add_developer(user)
+      stub_licensed_features(group_saml: true)
+    end
+
+    context 'when invited group is outside top group' do
+      let(:group_to_invite) { create(:group) }
+
+      it 'does not add group to project' do
+        expect { subject.execute(group_to_invite) }.not_to change { project.project_group_links.count }
+      end
+    end
+
+    context 'when invited group is in the top group' do
+      let(:group_to_invite) { create(:group, parent: root_group) }
+
+      it 'adds group to project' do
+        expect { subject.execute(group_to_invite) }.to change { project.project_group_links.count }.from(0).to(1)
+      end
+    end
+
+    context 'when project is deeper in the hierarchy and group is in the top group' do
+      let(:group_to_invite) { create(:group, parent: root_group) }
+      let(:nested_group) { create(:group, parent: root_group) }
+      let(:nested_group_2) { create(:group, parent: nested_group_2) }
+      let(:project) { create(:project, :private, group: nested_group) }
+
+      it 'adds group to project' do
+        expect { subject.execute(group_to_invite) }.to change { project.project_group_links.count }.from(0).to(1)
+      end
+
+      context 'when invited group is outside top group' do
+        let(:group_to_invite) { create(:group) }
+
+        it 'does not add group to project' do
+          expect { subject.execute(group_to_invite) }.not_to change { project.project_group_links.count }
+        end
+      end
+    end
+  end
+
  def create_group_link(user, project, group, opts)
    group.add_developer(user)
    described_class.new(project, user, opts).execute(group)

--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -19907,6 +19907,9 @@ msgstr ""
 msgid "This group"
 msgstr ""

+msgid "This group cannot be invited to a project inside a group with enforced SSO"
+msgstr ""
+
 msgid "This group does not provide any group Runners yet."
 msgstr ""