Commit b1a5f2a1 authored by Sanad Liaquat's avatar Sanad Liaquat Committed by Ramya Authappan

Remove GMA specs and update SAML SSO specs

parent 81fdc1f7
......@@ -18,7 +18,9 @@ module QA
end
end
def enable_saml_sso(group, saml_idp_service, default_membership_role = 'Guest')
def enable_saml_sso(group, saml_idp_service, enforce_sso: false, default_membership_role: 'Guest')
Runtime::Feature.enable(:group_administration_nav_item)
page.visit Runtime::Scenario.gitlab_address
Page::Main::Login.perform(&:sign_in_using_credentials) unless Page::Main::Menu.perform(&:signed_in?)
......@@ -27,6 +29,7 @@ module QA
Support::Retrier.retry_on_exception do
EE::Page::Group::Settings::SamlSSO.perform do |saml_sso|
saml_sso.enforce_sso if enforce_sso
saml_sso.set_id_provider_sso_url(saml_idp_service.idp_sso_url)
saml_sso.set_cert_fingerprint(saml_idp_service.idp_certificate_fingerprint)
saml_sso.set_default_membership_role(default_membership_role)
......
# frozen_string_literal: true
module QA
# TODO: Remove :requires_admin meta when the `Runtime::Feature.enable` method call is removed
RSpec.describe 'Manage', :group_saml, :orchestrated, :requires_admin do
describe 'Group SAML SSO - Enforced SSO' do
include Support::Api
let!(:group) do
Resource::Sandbox.fabricate_via_api! do |sandbox_group|
sandbox_group.path = "saml_sso_group_#{SecureRandom.hex(8)}"
end
end
let!(:saml_idp_service) { Flow::Saml.run_saml_idp_service(group.path) }
let!(:developer_user) { Resource::User.fabricate_via_api! }
let!(:project) do
Resource::Project.fabricate! do |project|
project.name = 'project-in-saml-enforced-group'
project.description = 'project in SAML enforced group for git clone test'
project.group = group
project.initialize_with_readme = true
end
end
before do
Runtime::Feature.enable(:invite_members_group_modal, group: group)
group.add_member(developer_user)
Flow::Saml.enable_saml_sso(group, saml_idp_service, enforce_sso: true)
Flow::Saml.logout_from_idp(saml_idp_service)
page.visit Runtime::Scenario.gitlab_address
Page::Main::Menu.perform(&:sign_out_if_signed_in)
end
it 'user clones and pushes to project within a group using Git HTTP', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/675' do
expect do
Resource::Repository::ProjectPush.fabricate! do |project_push|
project_push.project = project
project_push.branch_name = "new_branch"
project_push.user = developer_user
end
end.not_to raise_error
end
after do
page.visit Runtime::Scenario.gitlab_address
Runtime::Feature.remove(:group_administration_nav_item)
group.remove_via_api!
Page::Main::Menu.perform(&:sign_out_if_signed_in)
Flow::Saml.remove_saml_idp_service(saml_idp_service)
end
end
end
end
# frozen_string_literal: true
module QA
RSpec.describe 'Manage', :group_saml, :orchestrated, :requires_admin do
describe 'Group SAML SSO - Enforced SSO' do
include Support::Api
let!(:group) do
Resource::Sandbox.fabricate_via_api! do |sandbox_group|
sandbox_group.path = "saml_sso_group_#{SecureRandom.hex(8)}"
end
end
let(:idp_user) { Struct.new(:username, :password).new('user3', 'user3pass') }
# The user that signs in via the IDP with username `user3` and password `user3pass`
# will have `user_3` as username in GitLab
let(:user) do
QA::Resource::User.new.tap do |user|
user.username = 'user_3'
user.email = 'user_3@example.com'
end
end
let!(:saml_idp_service) { Flow::Saml.run_saml_idp_service(group.path) }
let!(:group_sso_url) { Flow::Saml.enable_saml_sso(group, saml_idp_service, enforce_sso: true) }
before do
Page::Main::Menu.perform(&:sign_out_if_signed_in)
Flow::Saml.logout_from_idp(saml_idp_service)
end
it 'creates a new account automatically and allows to leave group and join again', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/1756' do
# When the user signs in via IDP for the first time
visit_group_sso_url
EE::Page::Group::SamlSSOSignIn.perform(&:click_sign_in)
Flow::Saml.login_to_idp_if_required(idp_user.username, idp_user.password)
expect(page).to have_text("You have to confirm your email address before continuing")
QA::Flow::User.confirm_user(user.email)
visit_group_sso_url
EE::Page::Group::SamlSSOSignIn.perform(&:click_sign_in)
expect(page).to have_text("Signed in with SAML")
Page::Group::Show.perform(&:leave_group)
expect(page).to have_text("You left")
Page::Main::Menu.perform(&:sign_out)
Flow::Saml.logout_from_idp(saml_idp_service)
# When the user exists with a linked identity
visit_group_sso_url
EE::Page::Group::SamlSSOSignIn.perform(&:click_sign_in)
Flow::Saml.login_to_idp_if_required(idp_user.username, idp_user.password)
expect(page).to have_text("Login to a GitLab account to link with your SAML identity")
Flow::Saml.logout_from_idp(saml_idp_service)
# When the user is removed and so their linked identity is also removed
user.remove_via_api!
visit_group_sso_url
EE::Page::Group::SamlSSOSignIn.perform(&:click_sign_in)
Flow::Saml.login_to_idp_if_required(idp_user.username, idp_user.password)
expect(page).to have_text("You have to confirm your email address before continuing")
end
after do
Runtime::Feature.remove(:group_administration_nav_item)
user.remove_via_api!
group.remove_via_api!
Flow::Saml.remove_saml_idp_service(saml_idp_service)
page.visit Runtime::Scenario.gitlab_address
Page::Main::Menu.perform(&:sign_out_if_signed_in)
end
end
def visit_group_sso_url
Runtime::Logger.debug(%Q[Visiting managed_group_url at "#{group_sso_url}"])
page.visit group_sso_url
Support::Waiter.wait_until { current_url == group_sso_url }
end
end
end
# frozen_string_literal: true
module QA
# TODO: Remove :requires_admin meta when the `Runtime::Feature.enable` method call is removed
RSpec.describe 'Manage', :group_saml, :orchestrated, :requires_admin do
describe 'Group SAML SSO - Enforced SSO' do
include Support::Api
before do
Support::Retrier.retry_on_exception do
Flow::Saml.remove_saml_idp_service(@saml_idp_service) if @saml_idp_service
@group = Resource::Sandbox.fabricate_via_api! do |sandbox_group|
sandbox_group.path = "saml_sso_group_#{SecureRandom.hex(8)}"
end
Runtime::Feature.enable(:invite_members_group_modal, group: @group)
@developer_user = Resource::User.fabricate_via_api!
@group.add_member(@developer_user)
@saml_idp_service = Flow::Saml.run_saml_idp_service(@group.path)
@managed_group_url = setup_and_enable_enforce_sso
Flow::Saml.logout_from_idp(@saml_idp_service)
page.visit Runtime::Scenario.gitlab_address
Page::Main::Menu.perform(&:sign_out_if_signed_in)
end
end
it 'user clones and pushes to project within a group using Git HTTP', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/675' do
Flow::Login.sign_in
@project = Resource::Project.fabricate! do |project|
project.name = 'project-in-saml-enforced-group'
project.description = 'project in SAML enforced group for git clone test'
project.group = @group
project.initialize_with_readme = true
end
@project.visit!
expect do
Resource::Repository::ProjectPush.fabricate! do |project_push|
project_push.project = @project
project_push.branch_name = "new_branch"
project_push.user = @developer_user
end
end.not_to raise_error
end
after do
page.visit Runtime::Scenario.gitlab_address
Runtime::Feature.remove(:group_administration_nav_item)
@group.remove_via_api!
Page::Main::Menu.perform(&:sign_out_if_signed_in)
Flow::Saml.remove_saml_idp_service(@saml_idp_service)
end
end
def setup_and_enable_enforce_sso
Runtime::Feature.enable(:group_administration_nav_item)
page.visit Runtime::Scenario.gitlab_address
Page::Main::Login.perform(&:sign_in_using_credentials) unless Page::Main::Menu.perform(&:signed_in?)
Support::Retrier.retry_on_exception do
Flow::Saml.visit_saml_sso_settings(@group)
ensure_enforced_sso_checkbox_shown
managed_group_url = EE::Page::Group::Settings::SamlSSO.perform do |saml_sso|
saml_sso.enforce_sso
saml_sso.set_id_provider_sso_url(@saml_idp_service.idp_sso_url)
saml_sso.set_cert_fingerprint(@saml_idp_service.idp_certificate_fingerprint)
saml_sso.click_save_changes
saml_sso.user_login_url_link_text
end
Flow::Saml.visit_saml_sso_settings(@group, direct: true)
ensure_enforced_sso_checkbox_shown
unless EE::Page::Group::Settings::SamlSSO.perform(&:enforce_sso_enabled?)
QA::Runtime::Logger.debug "Enforced SSO not setup correctly. About to raise failure."
QA::Runtime::Logger.debug Capybara::Screenshot.screenshot_and_save_page
QA::Runtime::Logger.debug Runtime::Feature.get_features
raise "Enforced SSO not setup correctly"
end
managed_group_url
end
end
def ensure_enforced_sso_checkbox_shown
# Sometimes, the checkbox for SAML SSO does not appear and only appears after a refresh
# This issue can only be reproduced manually if you are too quick to go to the group setting page
# after enabling the feature flags.
Support::Retrier.retry_until(sleep_interval: 1, raise_on_failure: true) do
condition_met = EE::Page::Group::Settings::SamlSSO.perform(&:has_enforced_sso_checkbox?)
page.refresh unless condition_met
condition_met
end
end
end
end
# frozen_string_literal: true
module QA
RSpec.describe 'Manage', :group_saml, :orchestrated, :requires_admin, quarantine: { issue: 'https://gitlab.com/gitlab-org/gitlab/issues/202260', type: :bug } do
describe 'Group SAML SSO - Group managed accounts' do
include Support::Api
before(:all) do
# Create a new user (with no existing SAML identities) who will be added as owner to the SAML group.
@owner_user = Resource::User.fabricate_via_api!
Flow::Login.sign_in(as: @owner_user)
@group = Resource::Sandbox.fabricate_via_api! do |sandbox_group|
sandbox_group.path = "saml_sso_group_#{SecureRandom.hex(8)}"
end
Runtime::Feature.enable(:invite_members_group_modal, group: @group)
@saml_idp_service = Flow::Saml.run_saml_idp_service(@group.path)
@api_client = Runtime::API::Client.as_admin
@developer_user = Resource::User.fabricate_via_api!
@group.add_member(@owner_user, QA::Resource::Members::AccessLevel::OWNER)
@group.add_member(@developer_user)
@managed_group_url = Flow::Saml.enable_saml_sso(@group, @saml_idp_service)
@saml_linked_for_admin = false
setup_and_enable_group_managed_accounts
Page::Main::Menu.perform(&:sign_out_if_signed_in)
Flow::Saml.logout_from_idp(@saml_idp_service)
end
it 'removes existing users from the group, forces existing users to create a new account and allows to leave group', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/1766' do
expect(@group.list_members.map { |item| item["username"] }).not_to include(@developer_user.username)
visit_managed_group_url
EE::Page::Group::SamlSSOSignIn.perform(&:click_sign_in)
Flow::Saml.login_to_idp_if_required('user3', 'user3pass')
expect(page).to have_text("uses group managed accounts. You need to create a new GitLab account which will be managed by")
Support::Retrier.retry_until(raise_on_failure: true) do
@idp_user_email = EE::Page::Group::SamlSSOSignUp.perform(&:current_email)
remove_user_if_exists(@idp_user_email)
@new_username = EE::Page::Group::SamlSSOSignUp.perform(&:current_username)
EE::Page::Group::SamlSSOSignUp.perform(&:click_register_button)
page.has_no_content?("Email has already been taken")
end
expect(page).to have_text("Sign up was successful! Please confirm your email to sign in.")
QA::Flow::User.confirm_user(@new_username)
visit_managed_group_url
EE::Page::Group::SamlSSOSignIn.perform(&:click_sign_in)
expect(page).to have_text("Signed in with SAML")
Page::Group::Show.perform(&:leave_group)
expect(page).to have_text("You left")
Page::Main::Menu.perform(&:sign_out)
visit_managed_group_url
EE::Page::Group::SamlSSOSignIn.perform(&:click_sign_in)
expect(page).to have_text("uses group managed accounts. You need to create a new GitLab account which will be managed by")
end
after(:all) do
page.visit Runtime::Scenario.gitlab_address
[:group_managed_accounts, :sign_up_on_sso, :group_scim, :group_administration_nav_item].each do |flag|
Runtime::Feature.remove(flag)
end
remove_user_if_exists(@idp_user_email)
@group.remove_via_api!
Flow::Saml.remove_saml_idp_service(@saml_idp_service)
page.visit Runtime::Scenario.gitlab_address
Page::Main::Menu.perform(&:sign_out_if_signed_in)
end
end
def remove_user_if_exists(username_or_email)
QA::Runtime::Logger.debug("Attempting to remove user \"#{username_or_email}\" via API")
return if username_or_email.nil?
response = parse_body(get(Runtime::API::Request.new(@api_client, "/users?search=#{username_or_email}").url))
if response.any?
raise "GET /users?search=#{username_or_email} returned multiple results. response: #{response}" if response.size > 1
delete_response = delete Runtime::API::Request.new(@api_client, "/users/#{response.first[:id]}").url
QA::Runtime::Logger.debug("DELETE \"#{username_or_email}\" response code: #{delete_response.code} message: #{delete_response.body}")
else
QA::Runtime::Logger.debug("GET /users?search=#{username_or_email} returned empty response: #{response}")
end
end
def setup_and_enable_group_managed_accounts
[:group_managed_accounts, :sign_up_on_sso, :group_scim, :group_administration_nav_item].each do |flag|
Runtime::Feature.enable(flag)
end
Support::Retrier.retry_on_exception do
# We need to logout from IDP. This is required if this is a retry.
Flow::Saml.logout_from_idp(@saml_idp_service)
page.visit Runtime::Scenario.gitlab_address
Page::Main::Menu.perform(&:sign_out_if_signed_in)
# The first time you have to be signed in as admin
unless @saml_linked_for_admin
Flow::Login.sign_in(as: @owner_user)
@saml_linked_for_admin = true
end
# We must sign in with SAML before enabling Group Managed Accounts
visit_managed_group_url
EE::Page::Group::SamlSSOSignIn.perform(&:click_sign_in)
Flow::Saml.login_to_idp_if_required('user1', 'user1pass')
Flow::Saml.visit_saml_sso_settings(@group)
EE::Page::Group::Settings::SamlSSO.perform do |saml_sso|
# Once the feature flags are enabled, it takes some time for the toggle buttons to show on the UI.
# This issue does not happen manually. Only happens with the test as they are too fast.
Support::Retrier.retry_until(sleep_interval: 1, raise_on_failure: true) do
condition_met = saml_sso.has_enforced_sso_checkbox? && saml_sso.has_group_managed_accounts_checkbox?
page.refresh unless condition_met
condition_met
end
saml_sso.enforce_sso
saml_sso.enable_group_managed_accounts
saml_sso.click_save_changes
saml_sso.user_login_url_link_text
end
Flow::Saml.visit_saml_sso_settings(@group, direct: true)
raise "Group managed accounts not setup correctly" unless EE::Page::Group::Settings::SamlSSO.perform(&:group_managed_accounts_enabled?)
end
end
def visit_managed_group_url
Runtime::Logger.debug(%Q[Visiting managed_group_url at "#{@managed_group_url}"])
page.visit @managed_group_url
Support::Waiter.wait_until { current_url == @managed_group_url }
end
end
end
......@@ -30,7 +30,7 @@ module QA
let(:default_membership_role) { 'Developer' }
it 'adds the new member with access level as set in SAML SSO configuration', testcase: 'https://gitlab.com/gitlab-org/quality/testcases/-/issues/968' do
managed_group_url = Flow::Saml.enable_saml_sso(@group, @saml_idp_service, default_membership_role)
managed_group_url = Flow::Saml.enable_saml_sso(@group, @saml_idp_service, default_membership_role: default_membership_role)
Page::Main::Menu.perform(&:sign_out_if_signed_in)
Flow::Login.while_signed_in(as: user) do
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment