SSO enforcement shouldn't require SSO for non-members and public groups

Resolves #386920 Changelog: fixed EE: true

SSO enforcement shouldn't require SSO for non-members and public groups
f251c7bf · Bogdan Denkovych · 9eb3f6e0 · f251c7bf · f251c7bf · f251c7bf
Verified Commit f251c7bf authored 1 year ago by Bogdan Denkovych
--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -8,6 +8,7 @@ module GroupPolicy
    prepended do
      include CrudPolicyHelpers

+      condition(:group_member, scope: :subject) { @user && @user.is_a?(User) && @subject.member?(@user) }
      condition(:ldap_synced, scope: :subject) { @subject.ldap_synced? }
      condition(:saml_group_links_enabled, scope: :subject) do
        @subject.root_ancestor.saml_group_links_enabled?
@@ -88,7 +89,7 @@ module GroupPolicy
      end

      condition(:needs_new_sso_session, scope: :subject) do
-        ::Gitlab::Auth::GroupSaml::SsoEnforcer.group_access_restricted?(@subject, user: @user)
+        ::Gitlab::Auth::GroupSaml::SsoEnforcer.group_access_restricted?(@subject, user: @user) && (@subject.private? || group_member?)
      end

      condition(:no_active_sso_session, scope: :subject) do

--- a/ee/spec/controllers/concerns/routable_actions_spec.rb
+++ b/ee/spec/controllers/concerns/routable_actions_spec.rb
@@ -178,15 +178,11 @@ def request_params(routable)
        ref(:project)    | 'public'  | true  | ref(:member_without_identity) | false | nil   | 'SSO Enforced'
        ref(:project)    | 'public'  | true  | ref(:member_without_identity) | true  | nil   | 'SSO Enforced'

-        # SSO should not be enforced. It will be fixed by https://gitlab.com/gitlab-org/gitlab/-/issues/386920
-        ref(:root_group) | 'public'  | true  | ref(:non_member)              | nil   | nil   | 'SSO Enforced'
-        # SSO should not be enforced. It will be fixed by https://gitlab.com/gitlab-org/gitlab/-/issues/386920
-        ref(:subgroup)   | 'public'  | true  | ref(:non_member)              | nil   | nil   | 'SSO Enforced'
+        ref(:root_group) | 'public'  | true  | ref(:non_member)              | nil   | nil   | 'SSO Not enforced'
+        ref(:subgroup)   | 'public'  | true  | ref(:non_member)              | nil   | nil   | 'SSO Not enforced'
        ref(:project)    | 'public'  | true  | ref(:non_member)              | nil   | nil   | 'SSO Not enforced'
-        # SSO should not be enforced. It will be fixed by https://gitlab.com/gitlab-org/gitlab/-/issues/386920
-        ref(:root_group) | 'public'  | true  | ref(:not_signed_in_user)      | nil   | nil   | 'SSO Enforced'
-        # SSO should not be enforced. It will be fixed by https://gitlab.com/gitlab-org/gitlab/-/issues/386920
-        ref(:subgroup)   | 'public'  | true  | ref(:not_signed_in_user)      | nil   | nil   | 'SSO Enforced'
+        ref(:root_group) | 'public'  | true  | ref(:not_signed_in_user)      | nil   | nil   | 'SSO Not enforced'
+        ref(:subgroup)   | 'public'  | true  | ref(:not_signed_in_user)      | nil   | nil   | 'SSO Not enforced'
        ref(:project)    | 'public'  | true  | ref(:not_signed_in_user)      | nil   | nil   | 'SSO Not enforced'
      end


--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -813,14 +813,10 @@ def stub_group_saml_config(enabled)
          ref(:subgroup)   | 'public'  | true  | ref(:member_without_identity) | false | nil   | true | true  | nil  | 'allows to read group'
          ref(:subgroup)   | 'public'  | true  | ref(:member_without_identity) | false | nil   | nil  | nil   | true | 'allows to read group'

-          # SSO should not be enforced. It will be fixed by https://gitlab.com/gitlab-org/gitlab/-/issues/386920
-          ref(:root_group) | 'public'  | true  | ref(:non_member)              | nil   | nil   | nil  | nil   | nil  | 'does not allow read group'
-          # SSO should not be enforced. It will be fixed by https://gitlab.com/gitlab-org/gitlab/-/issues/386920
-          ref(:root_group) | 'public'  | true  | ref(:not_signed_in_user)      | nil   | nil   | nil  | nil   | nil  | 'does not allow read group'
-          # SSO should not be enforced. It will be fixed by https://gitlab.com/gitlab-org/gitlab/-/issues/386920
-          ref(:subgroup)   | 'public'  | true  | ref(:non_member)              | nil   | nil   | nil  | nil   | nil  | 'does not allow read group'
-          # SSO should not be enforced. It will be fixed by https://gitlab.com/gitlab-org/gitlab/-/issues/386920
-          ref(:subgroup)   | 'public'  | true  | ref(:not_signed_in_user)      | nil   | nil   | nil  | nil   | nil  | 'does not allow read group'
+          ref(:root_group) | 'public'  | true  | ref(:non_member)              | nil   | nil   | nil  | nil   | nil  | 'allows to read group'
+          ref(:root_group) | 'public'  | true  | ref(:not_signed_in_user)      | nil   | nil   | nil  | nil   | nil  | 'allows to read group'
+          ref(:subgroup)   | 'public'  | true  | ref(:non_member)              | nil   | nil   | nil  | nil   | nil  | 'allows to read group'
+          ref(:subgroup)   | 'public'  | true  | ref(:not_signed_in_user)      | nil   | nil   | nil  | nil   | nil  | 'allows to read group'
        end

        with_them do