Merge branch 'dblessing_saml_group_sync_minimal_access' into 'master'

Allow Minimal Access role for top-level SAML Group Links See merge request gitlab-org/gitlab!72825

Merge branch 'dblessing_saml_group_sync_minimal_access' into 'master'
Allow Minimal Access role for top-level SAML Group Links See merge request gitlab-org/gitlab!72825
7d962989 · Savas Vedova · 11e0e676 · 2b2a80a2 · 7d962989 · 7d962989
Commit 7d962989 authored Nov 17, 2021 by Savas Vedova
3 changed files
--- a/ee/app/models/saml_group_link.rb
+++ b/ee/app/models/saml_group_link.rb
@@ -4,15 +4,23 @@ class SamlGroupLink < ApplicationRecord
  include StripAttribute
  belongs_to :group
-  enum access_level: ::Gitlab::Access.options_with_owner
+  enum access_level: ::Gitlab::Access.options_with_minimal_access
  strip_attributes! :saml_group_name
  validates :group, :access_level, presence: true
  validates :saml_group_name, presence: true, uniqueness: { scope: [:group_id] }, length: { maximum: 255 }
+  validate :access_level_allowed
  scope :by_id_and_group_id, ->(id, group_id) { where(id: id, group_id: group_id) }
  scope :by_saml_group_name, -> (name) { where(saml_group_name: name) }
  scope :by_group_id, ->(group_id) { where(group_id: group_id) }
  scope :preload_group, -> { preload(group: :route) }
+  def access_level_allowed
+    return unless group
+    return if access_level.in?(group.access_level_roles.keys)
+    errors.add(:access_level, "is invalid")
+  end
 end
--- a/ee/app/views/groups/saml_group_links/_form.html.haml
+++ b/ee/app/views/groups/saml_group_links/_form.html.haml
@@ -13,7 +13,7 @@
        .col-sm-2.col-form-label
          = f.label :access_level, "Access Level"
        .col-sm-10
-          = f.select :access_level, options_for_select(SamlGroupLink.access_levels.keys), {}, class: 'form-control'
+          = f.select :access_level, options_for_select(group.access_level_roles.keys), {}, class: 'form-control'
          .form-text.text-muted
            = s_('GroupSAML|Role to assign members of this SAML group.')

--- a/ee/spec/models/saml_group_link_spec.rb
+++ b/ee/spec/models/saml_group_link_spec.rb
@@ -12,7 +12,7 @@ RSpec.describe SamlGroupLink do
    it { is_expected.to validate_presence_of(:access_level) }
    it { is_expected.to validate_presence_of(:saml_group_name) }
    it { is_expected.to validate_length_of(:saml_group_name).is_at_most(255) }
-    it { is_expected.to define_enum_for(:access_level).with_values(Gitlab::Access.options_with_owner) }
+    it { is_expected.to define_enum_for(:access_level).with_values(Gitlab::Access.options_with_minimal_access) }
    context 'group name uniqueness' do
      before do
@@ -30,6 +30,27 @@ RSpec.describe SamlGroupLink do
        expect(saml_group_link.saml_group_name).to eq('group')
      end
    end
+    context 'minimal access role' do
+      let_it_be(:top_level_group) { create(:group) }
+      let_it_be(:subgroup) { create(:group, parent: top_level_group) }
+      def saml_group_link(group:)
+        build(:saml_group_link, group: group, access_level: 'Minimal Access')
+      end
+      before do
+        stub_licensed_features(minimal_access_role: true)
+      end
+      it 'allows the role at the top level group' do
+        expect(saml_group_link(group: top_level_group)).to be_valid
+      end
+      it 'does not allow the role for subgroups' do
+        expect(saml_group_link(group: subgroup)).not_to be_valid
+      end
+    end
  end
  describe '.by_id_and_group_id' do