Merge branch '5291-allow-sso-enforcement-in-group-settings-for-gitlab-com' into 'master'

Resolve "Allow SSO enforcement in group settings for GitLab.com"

Closes #5291

See merge request gitlab-org/gitlab-ee!9240

db/schema.rb

@@ -2702,6 +2702,7 @@ ActiveRecord::Schema.define(version: 20190131122559) do
     t.boolean "enabled", null: false
     t.string "certificate_fingerprint", null: false
     t.string "sso_url", null: false
+    t.boolean "enforced_sso", default: false, null: false
     t.index ["group_id"], name: "index_saml_providers_on_group_id", using: :btree
   end
 

ee/app/controllers/groups/saml_providers_controller.rb

@@ -42,6 +42,9 @@ class Groups::SamlProvidersController < Groups::ApplicationController
 
   def saml_provider_params
     allowed_params = %i[sso_url certificate_fingerprint enabled]
+
+    allowed_params += [:enforced_sso] if Feature.enabled?(:enforced_sso, group)
+
     params.require(:saml_provider).permit(allowed_params)
   end
 end

ee/app/views/groups/saml_providers/_form.html.haml

@@ -8,6 +8,14 @@
           = f.check_box :enabled, class: 'form-check-input'
           = f.label :enabled, class: 'form-check-label' do
             = _("Enable SAML authentication for this group")
+    - if Feature.enabled?(:enforced_sso, group)
+      .form-group.row
+        = f.label :enforced_sso, _("Enforced SSO"), class: 'col-form-label col-sm-2'
+        .col-sm-10
+          .form-check
+            = f.check_box :enforced_sso, class: 'form-check-input'
+            = f.label :enforced_sso, class: 'form-check-label' do
+              = _("Enforce SSO-only authentication for this group")
     .form-group.row
       = f.label :sso_url, class: 'col-form-label col-sm-2' do
         = _("Identity provider single sign on URL")

ee/changelogs/unreleased/5291-allow-sso-enforcement-in-group-settings-for-gitlab-com.yml

+---
+title: Allow SSO enforcement in group settings for GitLab.com
+merge_request: 9240
+author:
+type: added

ee/db/migrate/20190121140418_add_enforced_sso_to_saml_provider.rb

+# frozen_string_literal: true
+
+class AddEnforcedSsoToSamlProvider < ActiveRecord::Migration[5.0]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    add_column_with_default :saml_providers,
+                            :enforced_sso,
+                            :boolean,
+                            default: false,
+                            allow_null: false
+  end
+
+  def down
+    remove_column(:saml_providers, :enforced_sso)
+  end
+end

ee/spec/controllers/groups/saml_providers_controller_spec.rb

@@ -2,7 +2,7 @@ require 'spec_helper'
 
 describe Groups::SamlProvidersController do
   let(:saml_provider) { create(:saml_provider, group: group) }
-  let(:group) { create(:group, :private) }
+  let(:group) { create(:group, :private, parent_id: nil) }
   let(:user) { create(:user) }
 
   before do
@@ -95,5 +95,29 @@ describe Groups::SamlProvidersController do
         end
       end
     end
+
+    describe 'PUT #update' do
+      subject { put :update, params: { group_id: group, saml_provider: { enforced_sso: 'true' } } }
+
+      before do
+        group.add_owner(user)
+      end
+
+      context 'enforced sso enabled' do
+        it 'updates the flag' do
+          stub_feature_flags(enforced_sso: true)
+
+          expect { subject }.to change { saml_provider.reload.enforced_sso }.to(true)
+        end
+      end
+
+      context 'enforced sso disabled' do
+        it 'does not update the flag' do
+          stub_feature_flags(enforced_sso: false)
+
+          expect { subject }.not_to change { saml_provider.reload.enforced_sso }.from(false)
+        end
+      end
+    end
   end
 end

ee/spec/features/groups/saml_providers_spec.rb

@@ -94,6 +94,29 @@ describe 'SAML provider settings' do
 
         expect(login_url).to end_with "/groups/#{group.full_path}/-/saml/sso"
       end
+
+      context 'enforced sso enabled' do
+        it 'updates the flag' do
+          stub_feature_flags(enforced_sso: true)
+
+          visit group_saml_providers_path(group)
+
+          find('input#saml_provider_enforced_sso').click
+
+          expect(page).to have_selector('#saml_provider_enforced_sso')
+          expect { submit }.to change { saml_provider.reload.enforced_sso }.to(true)
+        end
+      end
+
+      context 'enforced sso disabled' do
+        it 'does not update the flag' do
+          stub_feature_flags(enforced_sso: false)
+
+          visit group_saml_providers_path(group)
+
+          expect(page).not_to have_selector('#saml_provider_enforced_sso')
+        end
+      end
     end
 
     describe 'test button' do

locale/gitlab.pot

@@ -3395,6 +3395,12 @@ msgstr ""
 msgid "Ends at (UTC)"
 msgstr ""
 
+msgid "Enforce SSO-only authentication for this group"
+msgstr ""
+
+msgid "Enforced SSO"
+msgstr ""
+
 msgid "Enter in your Bitbucket Server URL and personal access token below"
 msgstr ""