Add group managed accounts flag & feature flag

This flag will be used for enabling\disabling
group managed accounts enforcement

db/schema.rb

@@ -2718,6 +2718,7 @@ ActiveRecord::Schema.define(version: 20190220150130) do
     t.string "certificate_fingerprint", null: false
     t.string "sso_url", null: false
     t.boolean "enforced_sso", default: false, null: false
+    t.boolean "enforced_group_managed_accounts", default: false, null: false
     t.index ["group_id"], name: "index_saml_providers_on_group_id", using: :btree
   end
 

ee/app/controllers/groups/saml_providers_controller.rb

@@ -44,6 +44,7 @@ class Groups::SamlProvidersController < Groups::ApplicationController
     allowed_params = %i[sso_url certificate_fingerprint enabled]
 
     allowed_params += [:enforced_sso] if Feature.enabled?(:enforced_sso, group)
+    allowed_params += [:enforced_group_managed_accounts] if Feature.enabled?(:group_managed_accounts, group)
 
     params.require(:saml_provider).permit(allowed_params)
   end

ee/app/views/groups/saml_providers/_form.html.haml

@@ -16,6 +16,14 @@
             = f.check_box :enforced_sso, class: 'form-check-input'
             = f.label :enforced_sso, class: 'form-check-label' do
               = _("Enforce SSO-only authentication for this group")
+    - if Feature.enabled?(:group_managed_accounts, group)
+      .form-group.row
+        = f.label :enforced_group_managed_accounts, _("Group managed accounts"), class: 'col-form-label col-sm-2'
+        .col-sm-10
+          .form-check
+            = f.check_box :enforced_group_managed_accounts, class: 'form-check-input'
+            = f.label :enforced_group_managed_accounts, class: 'form-check-label' do
+              = _("Enforce users to have dedicated group managed accounts for this group")
     .form-group.row
       = f.label :sso_url, class: 'col-form-label col-sm-2' do
         = _("Identity provider single sign on URL")

ee/db/migrate/20190220112238_add_saml_provider_group_managed_accounts_flag.rb

+# frozen_string_literal: true
+
+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class AddSamlProviderGroupManagedAccountsFlag < ActiveRecord::Migration[5.0]
+  include Gitlab::Database::MigrationHelpers
+
+  # Set this constant to true if this migration requires downtime.
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    add_column_with_default :saml_providers, :enforced_group_managed_accounts, :boolean, default: false, allow_null: false
+  end
+
+  def down
+    remove_column :saml_providers, :enforced_group_managed_accounts
+  end
+end

ee/spec/controllers/groups/saml_providers_controller_spec.rb

@@ -97,25 +97,61 @@ describe Groups::SamlProvidersController do
     end
 
     describe 'PUT #update' do
-      subject { put :update, params: { group_id: group, saml_provider: { enforced_sso: 'true' } } }
+      subject { put :update, params: { group_id: group, saml_provider: { enforced_sso: 'true', enforced_group_managed_accounts: 'true' } } }
 
       before do
         group.add_owner(user)
       end
 
-      context 'enforced sso enabled' do
-        it 'updates the flag' do
+      context 'enforced_sso feature flag enabled' do
+        before do
           stub_feature_flags(enforced_sso: true)
+        end
 
-          expect { subject }.to change { saml_provider.reload.enforced_sso }.to(true)
+        it 'updates the flags' do
+          expect do
+            subject
+            saml_provider.reload
+          end.to change { saml_provider.enforced_sso? }.to(true)
         end
       end
 
-      context 'enforced sso disabled' do
-        it 'does not update the flag' do
+      context 'enforced_sso feature flag disabled' do
+        before do
           stub_feature_flags(enforced_sso: false)
+        end
+
+        it 'does not update the setting' do
+          expect do
+            subject
+            saml_provider.reload
+          end.not_to change { saml_provider.enforced_sso? }.from(false)
+        end
+      end
+
+      context 'group_managed_accounts feature flag enabled' do
+        before do
+          stub_feature_flags(group_managed_accounts: true)
+        end
+
+        it 'updates the flags' do
+          expect do
+            subject
+            saml_provider.reload
+          end.to change { saml_provider.enforced_group_managed_accounts? }.to(true)
+        end
+      end
+
+      context 'group_managed_accounts feature flag disabled' do
+        before do
+          stub_feature_flags(group_managed_accounts: false)
+        end
 
-          expect { subject }.not_to change { saml_provider.reload.enforced_sso }.from(false)
+        it 'does not update the setting' do
+          expect do
+            subject
+            saml_provider.reload
+          end.not_to change { saml_provider.enforced_group_managed_accounts? }.from(false)
         end
       end
     end

locale/gitlab.pot

@@ -3611,6 +3611,9 @@ msgstr ""
 msgid "Enforce SSO-only authentication for this group"
 msgstr ""
 
+msgid "Enforce users to have dedicated group managed accounts for this group"
+msgstr ""
+
 msgid "Enforced SSO"
 msgstr ""
 
@@ -4885,6 +4888,9 @@ msgstr ""
 msgid "Group maintainers can register group runners in the %{link}"
 msgstr ""
 
+msgid "Group managed accounts"
+msgstr ""
+
 msgid "Group name"
 msgstr ""