Commit d85dcdb5 authored by James Lopez

Add enforced_sso feature toggle

Adds the UI and a feature flag to enable enforced_sso per group.
parent 8e248366
...@@ -2702,6 +2702,7 @@ ActiveRecord::Schema.define(version: 20190131122559) do ...@@ -2702,6 +2702,7 @@ ActiveRecord::Schema.define(version: 20190131122559) do
t.boolean "enabled", null: false t.boolean "enabled", null: false
t.string "certificate_fingerprint", null: false t.string "certificate_fingerprint", null: false
t.string "sso_url", null: false t.string "sso_url", null: false
t.boolean "enforced_sso", default: false, null: false
t.index ["group_id"], name: "index_saml_providers_on_group_id", using: :btree t.index ["group_id"], name: "index_saml_providers_on_group_id", using: :btree
end end
......
...@@ -42,6 +42,9 @@ class Groups::SamlProvidersController < Groups::ApplicationController ...@@ -42,6 +42,9 @@ class Groups::SamlProvidersController < Groups::ApplicationController
def saml_provider_params def saml_provider_params
allowed_params = %i[sso_url certificate_fingerprint enabled] allowed_params = %i[sso_url certificate_fingerprint enabled]
allowed_params += [:enforced_sso] if Feature.enabled?(:enforced_sso, group)
params.require(:saml_provider).permit(allowed_params) params.require(:saml_provider).permit(allowed_params)
end end
end end
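Review bot: `saml_provider_params` accepts `enforced_sso` on its own, so a provider can be saved with `enabled` false and `enforced_sso` true, and nothing on this page rejects or defines that combination. The model is not shown, so this may be handled there; if not, a validation that ties enforcement to an enabled provider, or a documented rule that every reader of the column checks both, would avoid an ambiguous state. The stored value also survives the `:enforced_sso` flag being switched off again, so code that later acts on the column should presumably re-check the flag as well. A comment above the added line would record the intent: `# enforced_sso is only accepted while the :enforced_sso flag is on for this group`.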
...@@ -8,6 +8,14 @@ ...@@ -8,6 +8,14 @@
= f.check_box :enabled, class: 'form-check-input' = f.check_box :enabled, class: 'form-check-input'
= f.label :enabled, class: 'form-check-label' do = f.label :enabled, class: 'form-check-label' do
= _("Enable SAML authentication for this group") = _("Enable SAML authentication for this group")
- if Feature.enabled?(:enforced_sso, group)
.form-group.row
= f.label :enforced_sso, _("Enforced SSO"), class: 'col-form-label col-sm-2'
.col-sm-10
.form-check
= f.check_box :enforced_sso, class: 'form-check-input'
= f.label :enforced_sso, class: 'form-check-label' do
= _("Enforce SSO-only authentication for this group")
.form-group.row .form-group.row
= f.label :sso_url, class: 'col-form-label col-sm-2' do = f.label :sso_url, class: 'col-form-label col-sm-2' do
= _("Identity provider single sign on URL") = _("Identity provider single sign on URL")
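Review bot: The added block repeats `Feature.enabled?(:enforced_sso, group)` verbatim from `saml_provider_params`, so the checkbox's visibility and the parameter's acceptance are kept in step only by hand. If one of the two checks is later changed, the form could show a checkbox whose value the controller drops, or hide one the controller still accepts. Moving the condition into a single helper or group-level predicate that both places call would keep them aligned. The checkbox also has no help text; a short line under the label describing what enforcement means for members without a linked SSO identity would let owners judge the effect before ticking it.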
......
---
title: Allow SSO enforcement in group settings for GitLab.com
merge_request: 9240
author:
type: added
# frozen_string_literal: true
class AddEnforcedSsoToSamlProvider < ActiveRecord::Migration[5.0]
include Gitlab::Database::MigrationHelpers
DOWNTIME = false
disable_ddl_transaction!
def up
add_column_with_default :saml_providers,
:enforced_sso,
:boolean,
default: false,
allow_null: false
end
def down
remove_column(:saml_providers, :enforced_sso)
end
end
...@@ -2,7 +2,7 @@ require 'spec_helper' ...@@ -2,7 +2,7 @@ require 'spec_helper'
describe Groups::SamlProvidersController do describe Groups::SamlProvidersController do
let(:saml_provider) { create(:saml_provider, group: group) } let(:saml_provider) { create(:saml_provider, group: group) }
let(:group) { create(:group, :private) } let(:group) { create(:group, :private, parent_id: nil) }
let(:user) { create(:user) } let(:user) { create(:user) }
before do before do
...@@ -95,5 +95,29 @@ describe Groups::SamlProvidersController do ...@@ -95,5 +95,29 @@ describe Groups::SamlProvidersController do
end end
end end
end end
describe 'PUT #update' do
subject { put :update, params: { group_id: group, saml_provider: { enforced_sso: 'true' } } }
before do
group.add_owner(user)
end
context 'enforced sso enabled' do
it 'updates the flag' do
stub_feature_flags(enforced_sso: true)
expect { subject }.to change { saml_provider.reload.enforced_sso }.to(true)
end
end
context 'enforced sso disabled' do
it 'does not update the flag' do
stub_feature_flags(enforced_sso: false)
expect { subject }.not_to change { saml_provider.reload.enforced_sso }.from(false)
end
end
end
end end
end end
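Review bot: Both new `PUT #update` examples run after `group.add_owner(user)`, so they show that an owner can or cannot set `enforced_sso` depending on the flag, but not that a member below owner is refused. Examples outside these hunks may already cover authorization for this action; if they do not, an example that signs in a non-owner and expects `saml_provider.reload.enforced_sso` to stay false would pin the access check for a setting that changes how the group authenticates. `stub_feature_flags(enforced_sso: true)` also appears to turn the flag on globally, whereas the controller asks `Feature.enabled?(:enforced_sso, group)`, so the per-group gating itself is not exercised here.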
...@@ -94,6 +94,29 @@ describe 'SAML provider settings' do ...@@ -94,6 +94,29 @@ describe 'SAML provider settings' do
expect(login_url).to end_with "/groups/#{group.full_path}/-/saml/sso" expect(login_url).to end_with "/groups/#{group.full_path}/-/saml/sso"
end end
context 'enforced sso enabled' do
it 'updates the flag' do
stub_feature_flags(enforced_sso: true)
visit group_saml_providers_path(group)
find('input#saml_provider_enforced_sso').click
expect(page).to have_selector('#saml_provider_enforced_sso')
expect { submit }.to change { saml_provider.reload.enforced_sso }.to(true)
end
end
context 'enforced sso disabled' do
it 'does not update the flag' do
stub_feature_flags(enforced_sso: false)
visit group_saml_providers_path(group)
expect(page).not_to have_selector('#saml_provider_enforced_sso')
end
end
end end
describe 'test button' do describe 'test button' do
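Review bot: In the 'enforced sso enabled' example the `have_selector('#saml_provider_enforced_sso')` expectation comes after `find('input#saml_provider_enforced_sso').click`, which would already have failed if the checkbox were missing, so the expectation adds nothing where it stands. Either move it above the click or drop it, and consider `check 'saml_provider_enforced_sso'` in place of `find(...).click` so the example states that the box ends up ticked rather than merely toggled. The `submit` helper used in the last expectation is defined outside this hunk.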
......
...@@ -3395,6 +3395,12 @@ msgstr "" ...@@ -3395,6 +3395,12 @@ msgstr ""
msgid "Ends at (UTC)" msgid "Ends at (UTC)"
msgstr "" msgstr ""
msgid "Enforce SSO-only authentication for this group"
msgstr ""
msgid "Enforced SSO"
msgstr ""
msgid "Enter in your Bitbucket Server URL and personal access token below" msgid "Enter in your Bitbucket Server URL and personal access token below"
msgstr "" msgstr ""
......