When a namespace GitLab Subscription expires, disable SSO

Currently, if a GitLab.com group's subscription expires (changes to Free/No Plan or a tier where Group SAML is not available) and they have SSO enforcement turned on, users will lose access to their group. This change automatically turns off enforced SSO when the SSO feature is no longer available to the group.

When a namespace GitLab Subscription expires, disable SSO
Currently, if a GitLab.com group's subscription expires (changes to Free/No Plan or a tier where Group SAML is not available) and they have SSO enforcement turned on, users will lose access to their group. This change automatically turns off enforced SSO when the SSO feature is no longer available to the group.
f34d845e · Drew Blessing · bd2736fb · f34d845e · f34d845e · f34d845e
Commit f34d845e authored Dec 03, 2019 by Drew Blessing
12 changed files
--- a/changelogs/unreleased/dblessing_disable_enforced_sso_plan_expires.yml
+++ b/changelogs/unreleased/dblessing_disable_enforced_sso_plan_expires.yml
+---
+title: When a namespace GitLab Subscription expires, disable SSO enforcement
+merge_request: 21135
+author:
+type: fixed
--- a/ee/app/models/saml_provider.rb
+++ b/ee/app/models/saml_provider.rb
@@ -30,7 +30,7 @@ class SamlProvider < ApplicationRecord
  end

  def enforced_sso?
-    enabled? && super && ::Feature.enabled?(:enforced_sso, group)
+    enabled? && super && group.feature_available?(:group_saml) && ::Feature.enabled?(:enforced_sso, group)
  end

  def enforced_group_managed_accounts?

--- a/ee/spec/controllers/concerns/routable_actions_spec.rb
+++ b/ee/spec/controllers/concerns/routable_actions_spec.rb
@@ -34,6 +34,7 @@ describe RoutableActions do
      let(:user) { identity.user }

      before do
+        stub_licensed_features(group_saml: true)
        sign_in(user)
      end


--- a/ee/spec/controllers/groups/groups_controller_spec.rb
+++ b/ee/spec/controllers/groups/groups_controller_spec.rb
@@ -80,6 +80,7 @@ describe GroupsController do
    let(:guest_user) { identity.user }

    before do
+      stub_licensed_features(group_saml: true)
      group.add_guest(guest_user)
      sign_in(guest_user)
    end

--- a/ee/spec/controllers/groups/security/credentials_controller_spec.rb
+++ b/ee/spec/controllers/groups/security/credentials_controller_spec.rb
@@ -25,7 +25,7 @@ describe Groups::Security::CredentialsController do

    context 'when `credentials_inventory` feature is enabled' do
      before do
-        stub_licensed_features(credentials_inventory: true)
+        stub_licensed_features(credentials_inventory: true, group_saml: true)
      end

      context 'for a group that enforces group managed accounts' do

--- a/ee/spec/features/groups/groups_security_credentials_spec.rb
+++ b/ee/spec/features/groups/groups_security_credentials_spec.rb
@@ -20,7 +20,7 @@ describe 'Groups::Security::Credentials' do

  context 'licensed' do
    before do
-      stub_licensed_features(credentials_inventory: true)
+      stub_licensed_features(credentials_inventory: true, group_saml: true)
    end

    context 'links' do

--- a/ee/spec/lib/gitlab/auth/group_saml/sso_enforcer_spec.rb
+++ b/ee/spec/lib/gitlab/auth/group_saml/sso_enforcer_spec.rb
@@ -6,6 +6,10 @@ describe Gitlab::Auth::GroupSaml::SsoEnforcer do
  let(:saml_provider) { build_stubbed(:saml_provider, enforced_sso: true) }
  let(:session) { {} }

+  before do
+    stub_licensed_features(group_saml: true)
+  end
+
  around do |example|
    Gitlab::Session.with_session(session) do
      example.run

--- a/ee/spec/models/identity_spec.rb
+++ b/ee/spec/models/identity_spec.rb
@@ -8,6 +8,10 @@ describe Identity do
  end

  context 'with saml_provider' do
+    before do
+      stub_licensed_features(group_saml: true)
+    end
+
    it 'allows user to have records with different groups' do
      _identity_one = create(:identity, provider: 'group_saml', saml_provider: create(:saml_provider))
      identity_two = create(:identity, provider: 'group_saml', saml_provider: create(:saml_provider))

--- a/ee/spec/models/saml_provider_spec.rb
+++ b/ee/spec/models/saml_provider_spec.rb
@@ -3,6 +3,14 @@
 require 'spec_helper'

 describe SamlProvider do
+  let(:group) { create(:group) }
+
+  subject(:saml_provider) { create(:saml_provider, group: group) }
+
+  before do
+    stub_licensed_features(group_saml: true)
+  end
+
  describe "Associations" do
    it { is_expected.to belong_to :group }
    it { is_expected.to have_many :identities }
@@ -55,8 +63,6 @@ describe SamlProvider do
  end

  describe 'Default values' do
-    subject(:saml_provider) { described_class.new }
-
    it 'defaults enabled to true' do
      expect(subject).to be_enabled
    end
@@ -66,8 +72,6 @@ describe SamlProvider do
    let(:group) { create(:group, path: 'foo-group') }
    let(:settings) { subject.settings }

-    subject(:saml_provider) { create(:saml_provider, group: group) }
-
    before do
      stub_default_url_options(protocol: "https")
    end
@@ -117,6 +121,13 @@ describe SamlProvider do
          expect(subject).not_to be_enforced_sso
        end
      end
+
+      it 'does not enforce SSO when the feature is unavailable' do
+        stub_licensed_features(group_saml: false)
+        subject.enforced_sso = true
+
+        expect(subject).not_to be_enforced_sso
+      end
    end

    context 'when provider is disabled' do

--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -141,6 +141,10 @@ describe GroupPolicy do

      let_it_be(:saml_provider) { create(:saml_provider, group: group, enforced_sso: true) }

+      before do
+        stub_licensed_features(group_saml: true)
+      end
+
      context 'when the session has been set globally' do
        around do |example|
          Gitlab::Session.with_session({}) do

--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -16,6 +16,7 @@ describe ProjectPolicy do
  subject { described_class.new(current_user, project) }

  before do
+    stub_licensed_features(group_saml: true)
    project.add_maintainer(maintainer)
    project.add_developer(developer)
    project.add_reporter(reporter)

--- a/ee/spec/support/shared_examples/services/group_saml/saml_provider/base_service_shared_examples.rb
+++ b/ee/spec/support/shared_examples/services/group_saml/saml_provider/base_service_shared_examples.rb
@@ -12,6 +12,10 @@ RSpec.shared_examples 'base SamlProvider service' do

  let(:fingerprint) { '11:22:33:44:55:66:77:88:99:11:22:33:44:55:66:77:88:99' }

+  before do
+    stub_licensed_features(group_saml: true)
+  end
+
  it 'updates SAML provider with given params' do
    expect do
      service.execute