Merge branch 'fix_git_access_saml_issue' into 'master'

Fix wrong token in sso url in git message See merge request gitlab-org/gitlab!58691

Merge branch 'fix_git_access_saml_issue' into 'master'
Fix wrong token in sso url in git message See merge request gitlab-org/gitlab!58691
fcf7be7d · Mikołaj Wawrzyniak · 87765223 · 3b994ba8 · fcf7be7d · fcf7be7d
Commit fcf7be7d authored Apr 08, 2021 by Mikołaj Wawrzyniak
Show whitespace changes
Inline Side-by-side

Showing with 17 additions and 2 deletions

ee/lib/ee/gitlab/git_access.rb ee/lib/ee/gitlab/git_access.rb +2 -1

ee/spec/lib/gitlab/git_access_spec.rb ee/spec/lib/gitlab/git_access_spec.rb +15 -1

No files found.
--- a/ee/lib/ee/gitlab/git_access.rb
+++ b/ee/lib/ee/gitlab/git_access.rb
@@ -122,7 +122,8 @@ module EE
        return unless ::Gitlab::Auth::GroupSaml::SessionEnforcer.new(user, containing_group).access_restricted?
-        group_saml_url = Rails.application.routes.url_helpers.sso_group_saml_providers_url(containing_group, token: containing_group.saml_discovery_token)
+        root_group = containing_group.root_ancestor
+        group_saml_url = Rails.application.routes.url_helpers.sso_group_saml_providers_url(root_group, token: root_group.saml_discovery_token)
        raise ::Gitlab::GitAccess::ForbiddenError, "Cannot find valid SSO session. Please login via your group's SSO at #{group_saml_url}"
      end

--- a/ee/spec/lib/gitlab/git_access_spec.rb
+++ b/ee/spec/lib/gitlab/git_access_spec.rb
@@ -954,12 +954,26 @@ RSpec.describe Gitlab::GitAccess do
        it 'does not allow pull or push changes with proper url in the message' do
          aggregate_failures do
-            address = "http://localhost/groups/#{group.name}/-/saml/sso"
+            address = "http://localhost/groups/#{group.name}/-/saml/sso?token=#{group.saml_discovery_token}"
            expect { pull_changes }.to raise_error(Gitlab::GitAccess::ForbiddenError, /#{Regexp.quote(address)}/)
            expect { push_changes }.to raise_error(Gitlab::GitAccess::ForbiddenError, /#{Regexp.quote(address)}/)
          end
        end
+        context 'with a subgroup' do
+          let_it_be(:root_group) { create(:group) }
+          let_it_be(:group) { create(:group, parent: root_group) }
+          it 'does not allow pull or push changes with proper url in the message' do
+            aggregate_failures do
+              address = "http://localhost/groups/#{root_group.name}/-/saml/sso?token=#{root_group.saml_discovery_token}"
+              expect { pull_changes }.to raise_error(Gitlab::GitAccess::ForbiddenError, /#{Regexp.quote(address)}/)
+              expect { push_changes }.to raise_error(Gitlab::GitAccess::ForbiddenError, /#{Regexp.quote(address)}/)
+            end
+          end
+        end
      end
    end
  end