Commit c37ebd26 authored by Małgorzata Ksionek's avatar Małgorzata Ksionek

Add checking project members membership in group managed account

Add translation method

Add MR number

Add cr remarks

Add cr remarks

Add cr remarks

Add cr remarks
parent 48ab0172
...@@ -8,6 +8,7 @@ module EE ...@@ -8,6 +8,7 @@ module EE
extend ::Gitlab::Utils::Override extend ::Gitlab::Utils::Override
validate :sso_enforcement, if: :group validate :sso_enforcement, if: :group
validate :gma_enforcement, if: :group
before_destroy :delete_member_branch_protection before_destroy :delete_member_branch_protection
end end
...@@ -22,5 +23,11 @@ module EE ...@@ -22,5 +23,11 @@ module EE
project.protected_branches.push_access_by_user(user).destroy_all # rubocop: disable DestroyAll project.protected_branches.push_access_by_user(user).destroy_all # rubocop: disable DestroyAll
end end
end end
def gma_enforcement
unless ::Gitlab::Auth::GroupSaml::GmaMembershipEnforcer.new(project).can_add_user?(user)
errors.add(:user, _('is not in the group enforcing Group Managed Account'))
end
end
end end
end end
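Review bot: `gma_enforcement` hands `user` straight to `GmaMembershipEnforcer#can_add_user?` with `if: :group` as the only guard, so if a ProjectMember can exist without a user record (an invite, say) the enforcer's `user.managing_group` raises NoMethodError instead of adding a validation error. The fail-closed fix belongs in the enforcer's `can_add_user?`, introduced later in this commit: `root_group == user&.managing_group`, which still returns false for a nil user once enforcement is on. Whether a nil user actually reaches this validation is not visible in the hunk, so a spec for that case is worth adding either way. The hunk also does not show whether `gma_enforcement` lands under a `private` marker like `sso_enforcement`, whose definition is outside the hunk.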
---
title: Prevent projects from being shared outside a group with managed accounts
merge_request: 26163
author:
type: changed
# frozen_string_literal: true
module Gitlab
module Auth
module GroupSaml
class GmaMembershipEnforcer
def initialize(project)
@project = project
end
def can_add_user?(user)
return true unless root_group&.enforced_group_managed_accounts?
root_group == user.managing_group
end
private
def root_group
@root_group ||= @project.root_ancestor
end
end
end
end
end
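Review bot: `can_add_user?` has no doc comment, and its fail-open default on the first line (`return true unless root_group&.enforced_group_managed_accounts?`) is exactly the contract a caller needs spelled out; suggest `# @param user [User] # @return [Boolean] true when the project's root group does not enforce group managed accounts, otherwise true only if user.managing_group is that root group`. A smaller point: `@root_group ||= @project.root_ancestor` re-runs `root_ancestor` on every call when it returns nil, if that can happen here; `return @root_group if defined?(@root_group)` would memoize nil as well.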
# frozen_string_literal: true
require 'spec_helper'
describe Gitlab::Auth::GroupSaml::GmaMembershipEnforcer do
let_it_be(:group) { create(:group_with_managed_accounts, :private) }
let_it_be(:project) { create(:project, namespace: group)}
subject { described_class.new(project) }
before do
stub_licensed_features(group_saml: true)
end
context 'when user is group-managed' do
it 'allows adding user to project' do
managed_user = create(:user, :group_managed, managing_group: group)
expect(subject.can_add_user?(managed_user)).to be_truthy
end
end
context 'when user is not group-managed' do
it 'does not allow adding user to project' do
user = create(:user)
expect(subject.can_add_user?(user)).to be_falsey
end
end
end
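Review bot: The new spec only exercises the enforced branch — both contexts use `group_with_managed_accounts` under `stub_licensed_features(group_saml: true)` — so the `return true unless root_group&.enforced_group_managed_accounts?` path in `can_add_user?` has no coverage. Add a context where enforcement is off (a plain `create(:group)`, or the license not stubbed) asserting that `can_add_user?(create(:user))` is truthy, and a case pinning the outcome for a nil user since this check gates project membership. `be_truthy`/`be_falsey` accept any truthy or falsy value; `be(true)`/`be(false)` would pin the boolean contract the method currently has.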
...@@ -7,4 +7,41 @@ describe ProjectMember do ...@@ -7,4 +7,41 @@ describe ProjectMember do
it_behaves_like 'member validations' do it_behaves_like 'member validations' do
let(:entity) { create(:project, group: group)} let(:entity) { create(:project, group: group)}
end end
context 'validates GMA enforcement' do
let(:group) { create(:group_with_managed_accounts, :private) }
let(:entity) { create(:project, namespace: group)}
before do
stub_feature_flags(group_managed_accounts: true)
end
context 'enforced group managed account enabled' do
before do
stub_licensed_features(group_saml: true)
end
it 'allows adding the project member' do
user = create(:user, :group_managed, managing_group: group)
member = entity.add_developer(user)
expect(member).to be_valid
end
it 'does not add the the project member' do
member = entity.add_developer(create(:user))
expect(member).not_to be_valid
expect(member.errors.messages[:user]).to include('is not in the group enforcing Group Managed Account')
end
end
context 'enforced group managed account disabled' do
it 'allows adding the group member' do
member = entity.add_developer(create(:user))
expect(member).to be_valid
end
end
end
end end
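Review bot: The 'enforced group managed account disabled' context relies on `stub_licensed_features(group_saml: true)` simply not being called rather than stating the disabled state, so a future shared `before` that stubs the license would quietly turn it into a duplicate of the enabled case; stub it explicitly with `stub_licensed_features(group_saml: false)`. Two wording nits in the example names: `'does not add the the project member'` duplicates "the", and `'allows adding the group member'` describes a project member, since `entity` is a project.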
...@@ -23480,6 +23480,9 @@ msgstr "" ...@@ -23480,6 +23480,9 @@ msgstr ""
msgid "is not an email you own" msgid "is not an email you own"
msgstr "" msgstr ""
msgid "is not in the group enforcing Group Managed Account"
msgstr ""
msgid "is too long (%{current_value}). The maximum size is %{max_size}." msgid "is too long (%{current_value}). The maximum size is %{max_size}."
msgstr "" msgstr ""