Merge branch 'dblessing_disable_enforced_sso_plan_expires' into 'master'

When a namespace GitLab Subscription expires, disable SSO enforcement

Closes #34287

See merge request gitlab-org/gitlab!21135

changelogs/unreleased/dblessing_disable_enforced_sso_plan_expires.yml

+---
+title: When a namespace GitLab Subscription expires, disable SSO enforcement
+merge_request: 21135
+author:
+type: fixed

ee/app/models/saml_provider.rb

@@ -30,7 +30,7 @@ class SamlProvider < ApplicationRecord
   end
 
   def enforced_sso?
-    enabled? && super && ::Feature.enabled?(:enforced_sso, group)
+    enabled? && super && group.feature_available?(:group_saml) && ::Feature.enabled?(:enforced_sso, group)
   end
 
   def enforced_group_managed_accounts?

ee/spec/controllers/concerns/routable_actions_spec.rb

@@ -34,6 +34,7 @@ describe RoutableActions do
       let(:user) { identity.user }
 
       before do
+        stub_licensed_features(group_saml: true)
         sign_in(user)
       end
 

ee/spec/controllers/groups/groups_controller_spec.rb

@@ -80,6 +80,7 @@ describe GroupsController do
     let(:guest_user) { identity.user }
 
     before do
+      stub_licensed_features(group_saml: true)
       group.add_guest(guest_user)
       sign_in(guest_user)
     end

ee/spec/controllers/groups/security/credentials_controller_spec.rb

@@ -25,7 +25,7 @@ describe Groups::Security::CredentialsController do
 
     context 'when `credentials_inventory` feature is enabled' do
       before do
-        stub_licensed_features(credentials_inventory: true)
+        stub_licensed_features(credentials_inventory: true, group_saml: true)
       end
 
       context 'for a group that enforces group managed accounts' do

ee/spec/features/groups/groups_security_credentials_spec.rb

@@ -20,7 +20,7 @@ describe 'Groups::Security::Credentials' do
 
   context 'licensed' do
     before do
-      stub_licensed_features(credentials_inventory: true)
+      stub_licensed_features(credentials_inventory: true, group_saml: true)
     end
 
     context 'links' do

ee/spec/lib/gitlab/auth/group_saml/sso_enforcer_spec.rb

@@ -6,6 +6,10 @@ describe Gitlab::Auth::GroupSaml::SsoEnforcer do
   let(:saml_provider) { build_stubbed(:saml_provider, enforced_sso: true) }
   let(:session) { {} }
 
+  before do
+    stub_licensed_features(group_saml: true)
+  end
+
   around do |example|
     Gitlab::Session.with_session(session) do
       example.run

ee/spec/models/identity_spec.rb

@@ -8,6 +8,10 @@ describe Identity do
   end
 
   context 'with saml_provider' do
+    before do
+      stub_licensed_features(group_saml: true)
+    end
+
     it 'allows user to have records with different groups' do
       _identity_one = create(:identity, provider: 'group_saml', saml_provider: create(:saml_provider))
       identity_two = create(:identity, provider: 'group_saml', saml_provider: create(:saml_provider))

ee/spec/models/saml_provider_spec.rb

@@ -3,6 +3,14 @@
 require 'spec_helper'
 
 describe SamlProvider do
+  let(:group) { create(:group) }
+
+  subject(:saml_provider) { create(:saml_provider, group: group) }
+
+  before do
+    stub_licensed_features(group_saml: true)
+  end
+
   describe "Associations" do
     it { is_expected.to belong_to :group }
     it { is_expected.to have_many :identities }
@@ -55,8 +63,6 @@ describe SamlProvider do
   end
 
   describe 'Default values' do
-    subject(:saml_provider) { described_class.new }
-
     it 'defaults enabled to true' do
       expect(subject).to be_enabled
     end
@@ -66,8 +72,6 @@ describe SamlProvider do
     let(:group) { create(:group, path: 'foo-group') }
     let(:settings) { subject.settings }
 
-    subject(:saml_provider) { create(:saml_provider, group: group) }
-
     before do
       stub_default_url_options(protocol: "https")
     end
@@ -117,6 +121,13 @@ describe SamlProvider do
           expect(subject).not_to be_enforced_sso
         end
       end
+
+      it 'does not enforce SSO when the feature is unavailable' do
+        stub_licensed_features(group_saml: false)
+        subject.enforced_sso = true
+
+        expect(subject).not_to be_enforced_sso
+      end
     end
 
     context 'when provider is disabled' do

ee/spec/policies/group_policy_spec.rb

@@ -141,6 +141,10 @@ describe GroupPolicy do
 
       let_it_be(:saml_provider) { create(:saml_provider, group: group, enforced_sso: true) }
 
+      before do
+        stub_licensed_features(group_saml: true)
+      end
+
       context 'when the session has been set globally' do
         around do |example|
           Gitlab::Session.with_session({}) do

ee/spec/policies/project_policy_spec.rb

@@ -16,6 +16,7 @@ describe ProjectPolicy do
   subject { described_class.new(current_user, project) }
 
   before do
+    stub_licensed_features(group_saml: true)
     project.add_maintainer(maintainer)
     project.add_developer(developer)
     project.add_reporter(reporter)

ee/spec/support/shared_examples/services/group_saml/saml_provider/base_service_shared_examples.rb

@@ -12,6 +12,10 @@ RSpec.shared_examples 'base SamlProvider service' do
 
   let(:fingerprint) { '11:22:33:44:55:66:77:88:99:11:22:33:44:55:66:77:88:99' }
 
+  before do
+    stub_licensed_features(group_saml: true)
+  end
+
   it 'updates SAML provider with given params' do
     expect do
       service.execute