Commit 6ba731ca authored by Małgorzata Ksionek's avatar Małgorzata Ksionek Committed by Stan Hu

Add check for inviting groups outside of group with enforced sso

This commit blocks inviting a group to a project in one particular case:

1. when the project is in a group that enforces SSO
2. when the group to be invited was created outside this group

This is the first part of changes described in
https://gitlab.com/gitlab-org/gitlab/issues/12420.
parent f610a080
......@@ -44,7 +44,7 @@ module EE
has_one :deletion_schedule, class_name: 'GroupDeletionSchedule'
delegate :deleting_user, :marked_for_deletion_on, to: :deletion_schedule, allow_nil: true
delegate :enforced_group_managed_accounts?, to: :saml_provider, allow_nil: true
delegate :enforced_group_managed_accounts?, :enforced_sso?, to: :saml_provider, allow_nil: true
belongs_to :file_template_project, class_name: "Project"
......
......@@ -8,6 +8,8 @@ module EE
override :execute
def execute(group)
return error(error_message, 409) unless group_allowed_to_be_shared_with?(group)
result = super
log_audit_event(result[:link]) if result[:status] == :success
......@@ -16,6 +18,16 @@ module EE
private
def group_allowed_to_be_shared_with?(group)
return true unless project.root_ancestor.kind == 'group' && project.root_ancestor.enforced_sso?
group.root_ancestor == project.root_ancestor
end
def error_message
_('This group cannot be invited to a project inside a group with enforced SSO')
end
def log_audit_event(group_link)
::AuditEventService.new(
current_user,
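Review bot: `group_allowed_to_be_shared_with?` carries no comment explaining why personal-namespace projects and groups without a SAML provider pass the guard, which matters here because `enforced_sso?` is delegated with `allow_nil: true`, so a missing provider silently yields nil and the share is permitted; a short comment above the method would make the intent explicit, e.g. `# A project under a root group that enforces SSO may only be shared with groups of that same hierarchy; personal projects and groups whose root has no enforced SSO are unrestricted.`. The guard also runs before `super`, so if the base service is where the permission check lives (not visible in this hunk), an unauthorized caller receives the 409 and a message revealing that the project sits under an enforced-SSO group before being denied; if that is the case, consider placing this check after the permission check or returning the same response the permission check does. The changelog entry describes a "group-managed account group" while the code tests `enforced_sso?` rather than `enforced_group_managed_accounts?`; confirm which scope is intended and align the wording.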
......
---
title: "Prevent 'Invite group' for groups outside a group-managed account group"
merge_request: 26081
author:
type: changed
......@@ -3,9 +3,9 @@
require 'spec_helper'
describe Projects::GroupLinks::CreateService, '#execute' do
let!(:user) { create :user }
let!(:project) { create :project }
let!(:group) { create(:group, visibility_level: 0) }
let(:user) { create :user }
let(:project) { create :project }
let(:group) { create(:group, visibility_level: 0) }
let(:opts) do
{
link_group_access: '30',
......@@ -37,6 +37,53 @@ describe Projects::GroupLinks::CreateService, '#execute' do
end
end
context 'when project is in sso enforced group' do
let(:saml_provider) { create(:saml_provider, enforced_sso: true) }
let(:root_group) { saml_provider.group }
let(:project) { create(:project, :private, group: root_group) }
let(:subject) { described_class.new(project, user, opts) }
before do
group_to_invite.add_developer(user)
stub_licensed_features(group_saml: true)
end
context 'when invited group is outside top group' do
let(:group_to_invite) { create(:group) }
it 'does not add group to project' do
expect { subject.execute(group_to_invite) }.not_to change { project.project_group_links.count }
end
end
context 'when invited group is in the top group' do
let(:group_to_invite) { create(:group, parent: root_group) }
it 'adds group to project' do
expect { subject.execute(group_to_invite) }.to change { project.project_group_links.count }.from(0).to(1)
end
end
context 'when project is deeper in the hierarchy and group is in the top group' do
let(:group_to_invite) { create(:group, parent: root_group) }
let(:nested_group) { create(:group, parent: root_group) }
let(:nested_group_2) { create(:group, parent: nested_group_2) }
let(:project) { create(:project, :private, group: nested_group) }
it 'adds group to project' do
expect { subject.execute(group_to_invite) }.to change { project.project_group_links.count }.from(0).to(1)
end
context 'when invited group is outside top group' do
let(:group_to_invite) { create(:group) }
it 'does not add group to project' do
expect { subject.execute(group_to_invite) }.not_to change { project.project_group_links.count }
end
end
end
end
def create_group_link(user, project, group, opts)
group.add_developer(user)
described_class.new(project, user, opts).execute(group)
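Review bot: The `let(:nested_group_2) { create(:group, parent: nested_group_2) }` definition refers to itself and is never used, so the "deeper in the hierarchy" context still places the project only one level below the root and does not exercise what its name claims; evaluating that `let` would also recurse. The intended setup is presumably `let(:nested_group_2) { create(:group, parent: nested_group) }` together with `let(:project) { create(:project, :private, group: nested_group_2) }`. Separately, `let(:subject)` shadows RSpec's built-in `subject`; the conventional form is `subject { described_class.new(project, user, opts) }`. The rejected cases only assert that no link is created, so an expectation that `subject.execute(group_to_invite)[:status]` is `:error` (and that the message matches) would pin the new behaviour rather than just its side effect.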
......
......@@ -19907,6 +19907,9 @@ msgstr ""
msgid "This group"
msgstr ""
msgid "This group cannot be invited to a project inside a group with enforced SSO"
msgstr ""
msgid "This group does not provide any group Runners yet."
msgstr ""
......