chemlab 0.0.1

data/qa/specs/features/ee/browser_ui/1_manage/group/group_ldap_sync_spec.rb

@@ -0,0 +1,183 @@
+# frozen_string_literal: true
+
+module QA
+  context 'Manage', :orchestrated, :ldap_tls, :ldap_no_tls, :requires_admin do
+    describe 'LDAP Group sync' do
+      include Support::Api
+
+      before(:all) do
+        # Create the sandbox group as the LDAP user. Without this the admin user
+        # would own the sandbox group and then in subsequent tests the LDAP user
+        # would not have enough permission to push etc.
+        Resource::Sandbox.fabricate_via_api!
+
+        # Create an admin personal access token and use it for the remaining API calls
+        @original_personal_access_token = Runtime::Env.personal_access_token
+
+        Page::Main::Menu.perform do |menu|
+          menu.sign_out if menu.has_personal_area?
+        end
+
+        Runtime::Browser.visit(:gitlab, Page::Main::Login)
+        Page::Main::Login.perform(&:sign_in_using_admin_credentials)
+
+        Runtime::Env.personal_access_token = Resource::PersonalAccessToken.fabricate!.access_token
+        Page::Main::Menu.perform(&:sign_out)
+      end
+
+      after(:all) do
+        # Restore the original personal access token so that subsequent tests
+        # don't perform API calls as an admin user while logged in as a non-root
+        # LDAP user
+        Runtime::Env.personal_access_token = @original_personal_access_token
+      end
+
+      context 'using group cn method' do
+        let(:ldap_users) do
+          [
+            {
+              name: 'ENG User 1',
+              username: 'enguser1',
+              email: 'enguser1@example.org',
+              provider: 'ldapmain',
+              extern_uid: 'uid=enguser1,ou=people,ou=global groups,dc=example,dc=org'
+            },
+            {
+              name: 'ENG User 2',
+              username: 'enguser2',
+              email: 'enguser2@example.org',
+              provider: 'ldapmain',
+              extern_uid: 'uid=enguser2,ou=people,ou=global groups,dc=example,dc=org'
+            },
+            {
+              name: 'ENG User 3',
+              username: 'enguser3',
+              email: 'enguser3@example.org',
+              provider: 'ldapmain',
+              extern_uid: 'uid=enguser3,ou=people,ou=global groups,dc=example,dc=org'
+            }
+          ]
+        end
+        let(:owner_user) { 'enguser1' }
+        let(:sync_users) { ['ENG User 2', 'ENG User 3'] }
+
+        before do
+          @created_users = create_users_via_api(ldap_users)
+          group = create_group_and_add_user_via_api(owner_user, 'Synched-engineering-group', Resource::Members::AccessLevel::OWNER)
+          signin_and_visit_group_as_user(owner_user, group)
+
+          Page::Group::Menu.perform(&:go_to_ldap_sync_settings)
+
+          EE::Page::Group::Settings::LDAPSync.perform do |settings|
+            settings.set_sync_method('LDAP Group cn')
+            settings.set_group_cn('Engineering')
+            settings.click_add_sync_button
+          end
+
+          Page::Group::Menu.perform(&:click_group_members_item)
+        end
+
+        it 'has LDAP users synced' do
+          verify_users_synced(sync_users)
+        end
+      end
+
+      context 'user filter method' do
+        let(:ldap_users) do
+          [
+            {
+              name: 'HR User 1',
+              username: 'hruser1',
+              email: 'hruser1@example.org',
+              provider: 'ldapmain',
+              extern_uid: 'uid=hruser1,ou=people,ou=global groups,dc=example,dc=org'
+            },
+            {
+              name: 'HR User 2',
+              username: 'hruser2',
+              email: 'hruser2@example.org',
+              provider: 'ldapmain',
+              extern_uid: 'uid=hruser2,ou=people,ou=global groups,dc=example,dc=org'
+            },
+            {
+              name: 'HR User 3',
+              username: 'hruser3',
+              email: 'hruser3@example.org',
+              provider: 'ldapmain',
+              extern_uid: 'uid=hruser3,ou=people,ou=global groups,dc=example,dc=org'
+            }
+          ]
+        end
+        let(:owner_user) { 'hruser1' }
+        let(:sync_users) { ['HR User 2', 'HR User 3'] }
+
+        before do
+          @created_users = create_users_via_api(ldap_users)
+
+          group = create_group_and_add_user_via_api(owner_user, 'Synched-human-resources-group', Resource::Members::AccessLevel::OWNER)
+
+          signin_and_visit_group_as_user(owner_user, group)
+
+          Page::Group::Menu.perform(&:go_to_ldap_sync_settings)
+
+          EE::Page::Group::Settings::LDAPSync.perform do |settings|
+            settings.set_user_filter('(&(objectClass=person)(cn=HR*))')
+            settings.click_add_sync_button
+          end
+
+          Page::Group::Menu.perform(&:click_group_members_item)
+        end
+
+        it 'has LDAP users synced' do
+          verify_users_synced(sync_users)
+        end
+      end
+
+      def create_users_via_api(users)
+        created_users = {}
+
+        users.each do |user|
+          created_users[user[:username]] = Resource::User.fabricate_via_api! do |resource|
+            resource.username = user[:username]
+            resource.name = user[:name]
+            resource.email = user[:email]
+            resource.extern_uid = user[:extern_uid]
+            resource.provider = user[:provider]
+          end
+        end
+        created_users
+      end
+
+      def create_group_and_add_user_via_api(user_name, group_name, role)
+        group = Resource::Group.fabricate_via_api! do |resource|
+          resource.path = "#{group_name}-#{SecureRandom.hex(4)}"
+        end
+
+        group.add_member(@created_users[user_name], role)
+
+        group
+      end
+
+      def signin_and_visit_group_as_user(user_name, group)
+        user = Struct.new(:ldap_username, :ldap_password).new(user_name, 'password')
+
+        Runtime::Browser.visit(:gitlab, Page::Main::Login)
+        Page::Main::Login.perform do |login_page|
+          login_page.sign_in_using_ldap_credentials(user: user)
+        end
+
+        group.visit!
+      end
+
+      def verify_users_synced(expected_users)
+        EE::Page::Group::Members.perform do |members|
+          members.click_sync_now
+          users_synchronised = members.retry_until(reload: true) do
+            expected_users.map { |user| members.has_content?(user) }.all?
+          end
+          expect(users_synchronised).to be_truthy
+        end
+      end
+    end
+  end
+end

data/qa/specs/features/ee/browser_ui/1_manage/group/group_saml_enforced_sso_spec.rb

@@ -0,0 +1,115 @@
+# frozen_string_literal: true
+
+module QA
+  context 'Manage', :group_saml, :orchestrated do
+    describe 'Group SAML SSO - Enforced SSO' do
+      include Support::Api
+
+      before do
+        Support::Retrier.retry_on_exception do
+          Flow::Saml.remove_saml_idp_service(@saml_idp_service) if @saml_idp_service
+
+          @group = Resource::Sandbox.fabricate_via_api! do |sandbox_group|
+            sandbox_group.path = "saml_sso_group_#{SecureRandom.hex(8)}"
+          end
+
+          @developer_user = Resource::User.fabricate_via_api!
+
+          @group.add_member(@developer_user)
+
+          @saml_idp_service = Flow::Saml.run_saml_idp_service(@group.path)
+
+          @managed_group_url = setup_and_enable_enforce_sso
+
+          Flow::Saml.logout_from_idp(@saml_idp_service)
+
+          page.visit Runtime::Scenario.gitlab_address
+          Page::Main::Menu.perform(&:sign_out_if_signed_in)
+        end
+      end
+
+      it 'user clones and pushes to project within a group using Git HTTP' do
+        Flow::Login.sign_in
+
+        @project = Resource::Project.fabricate! do |project|
+          project.name = 'project-in-saml-enforced-group'
+          project.description = 'project in SAML enforced group for git clone test'
+          project.group = @group
+          project.initialize_with_readme = true
+        end
+
+        @project.visit!
+
+        expect do
+          Resource::Repository::ProjectPush.fabricate! do |project_push|
+            project_push.project = @project
+            project_push.branch_name = "new_branch"
+            project_push.user = @developer_user
+          end
+        end.not_to raise_error
+      end
+
+      after do
+        page.visit Runtime::Scenario.gitlab_address
+        %w[enforced_sso enforced_sso_requires_session group_administration_nav_item].each do |flag|
+          Runtime::Feature.remove(flag)
+        end
+
+        @group.remove_via_api!
+
+        Page::Main::Menu.perform(&:sign_out_if_signed_in)
+
+        Flow::Saml.remove_saml_idp_service(@saml_idp_service)
+      end
+    end
+
+    def setup_and_enable_enforce_sso
+      %w[enforced_sso enforced_sso_requires_session group_administration_nav_item].each do |flag|
+        Runtime::Feature.enable_and_verify(flag)
+      end
+
+      page.visit Runtime::Scenario.gitlab_address
+      Page::Main::Login.perform(&:sign_in_using_credentials) unless Page::Main::Menu.perform(&:signed_in?)
+
+      Support::Retrier.retry_on_exception do
+        Flow::Saml.visit_saml_sso_settings(@group)
+        ensure_enforced_sso_button_shown
+
+        managed_group_url = EE::Page::Group::Settings::SamlSSO.perform do |saml_sso|
+          saml_sso.enforce_sso
+
+          saml_sso.set_id_provider_sso_url(@saml_idp_service.idp_sso_url)
+          saml_sso.set_cert_fingerprint(@saml_idp_service.idp_certificate_fingerprint)
+
+          saml_sso.click_save_changes
+
+          saml_sso.user_login_url_link_text
+        end
+
+        Flow::Saml.visit_saml_sso_settings(@group, direct: true)
+        ensure_enforced_sso_button_shown
+
+        unless EE::Page::Group::Settings::SamlSSO.perform(&:enforce_sso_enabled?)
+          QA::Runtime::Logger.debug "Enforced SSO not setup correctly. About to raise failure."
+          QA::Runtime::Logger.debug Capybara::Screenshot.screenshot_and_save_page
+          QA::Runtime::Logger.debug Runtime::Feature.get_features
+
+          raise "Enforced SSO not setup correctly"
+        end
+
+        managed_group_url
+      end
+    end
+
+    def ensure_enforced_sso_button_shown
+      # Sometimes, the toggle button for SAML SSO does not appear and only appears after a refresh
+      # This issue can only be reproduced manually if you are too quick to go to the group setting page
+      # after enabling the feature flags.
+      Support::Retrier.retry_until(sleep_interval: 1, raise_on_failure: true) do
+        condition_met = EE::Page::Group::Settings::SamlSSO.perform(&:has_enforced_sso_button?)
+        page.refresh unless condition_met
+        condition_met
+      end
+    end
+  end
+end

data/qa/specs/features/ee/browser_ui/1_manage/group/group_saml_group_managed_accounts_spec.rb

@@ -0,0 +1,178 @@
+# frozen_string_literal: true
+
+module QA
+  context 'Manage', :group_saml, :orchestrated, :requires_admin, quarantine: { issue: 'https://gitlab.com/gitlab-org/gitlab/issues/202260', type: :bug } do
+    describe 'Group SAML SSO - Group managed accounts' do
+      include Support::Api
+
+      before(:all) do
+        # Create a new user (with no existing SAML identities) who will be added as owner to the SAML group.
+        @owner_user = Resource::User.fabricate_via_api!
+
+        Flow::Login.sign_in(as: @owner_user)
+
+        @group = Resource::Sandbox.fabricate_via_api! do |sandbox_group|
+          sandbox_group.path = "saml_sso_group_#{SecureRandom.hex(8)}"
+        end
+
+        @saml_idp_service = Flow::Saml.run_saml_idp_service(@group.path)
+
+        @api_client = Runtime::API::Client.new(:gitlab, personal_access_token: Runtime::Env.admin_personal_access_token)
+
+        @developer_user = Resource::User.fabricate_via_api!
+
+        @group.add_member(@owner_user, QA::Resource::Members::AccessLevel::OWNER)
+
+        @group.add_member(@developer_user)
+
+        @managed_group_url = Flow::Saml.enable_saml_sso(@group, @saml_idp_service)
+
+        @saml_linked_for_admin = false
+
+        setup_and_enable_group_managed_accounts
+
+        Page::Main::Menu.perform(&:sign_out_if_signed_in)
+
+        Flow::Saml.logout_from_idp(@saml_idp_service)
+      end
+
+      it 'removes existing users from the group, forces existing users to create a new account and allows to leave group' do
+        expect(@group.list_members.map { |item| item["username"] }).not_to include(@developer_user.username)
+
+        visit_managed_group_url
+
+        EE::Page::Group::SamlSSOSignIn.perform(&:click_sign_in)
+
+        Flow::Saml.login_to_idp_if_required('user3', 'user3pass')
+
+        expect(page).to have_text("uses group managed accounts. You need to create a new GitLab account which will be managed by")
+
+        Support::Retrier.retry_until(raise_on_failure: true) do
+          @idp_user_email = EE::Page::Group::SamlSSOSignUp.perform(&:current_email)
+
+          remove_user_if_exists(@idp_user_email)
+
+          @new_username = EE::Page::Group::SamlSSOSignUp.perform(&:current_username)
+
+          EE::Page::Group::SamlSSOSignUp.perform(&:click_register_button)
+
+          page.has_no_content?("Email has already been taken")
+        end
+
+        expect(page).to have_text("Sign up was successful! Please confirm your email to sign in.")
+
+        QA::Flow::User.confirm_user(@new_username)
+
+        visit_managed_group_url
+
+        EE::Page::Group::SamlSSOSignIn.perform(&:click_sign_in)
+
+        expect(page).to have_text("Signed in with SAML")
+
+        Page::Group::Show.perform(&:leave_group)
+
+        expect(page).to have_text("You left")
+
+        Page::Main::Menu.perform(&:sign_out)
+
+        visit_managed_group_url
+
+        EE::Page::Group::SamlSSOSignIn.perform(&:click_sign_in)
+
+        expect(page).to have_text("uses group managed accounts. You need to create a new GitLab account which will be managed by")
+      end
+
+      after(:all) do
+        page.visit Runtime::Scenario.gitlab_address
+
+        %w[enforced_sso enforced_sso_requires_session group_managed_accounts sign_up_on_sso group_scim group_administration_nav_item].each do |flag|
+          Runtime::Feature.remove(flag)
+        end
+
+        remove_user_if_exists(@idp_user_email)
+
+        @group.remove_via_api!
+
+        Flow::Saml.remove_saml_idp_service(@saml_idp_service)
+
+        page.visit Runtime::Scenario.gitlab_address
+        Page::Main::Menu.perform(&:sign_out_if_signed_in)
+      end
+    end
+
+    def remove_user_if_exists(username_or_email)
+      QA::Runtime::Logger.debug("Attempting to remove user \"#{username_or_email}\" via API")
+
+      return if username_or_email.nil?
+
+      response = parse_body(get(Runtime::API::Request.new(@api_client, "/users?search=#{username_or_email}").url))
+
+      if response.any?
+        raise "GET /users?search=#{username_or_email} returned multiple results. response: #{response}" if response.size > 1
+
+        delete_response = delete Runtime::API::Request.new(@api_client, "/users/#{response.first[:id]}").url
+
+        QA::Runtime::Logger.debug("DELETE \"#{username_or_email}\" response code: #{delete_response.code} message: #{delete_response.body}")
+      else
+        QA::Runtime::Logger.debug("GET /users?search=#{username_or_email} returned empty response: #{response}")
+      end
+    end
+
+    def setup_and_enable_group_managed_accounts
+      %w[enforced_sso enforced_sso_requires_session group_managed_accounts sign_up_on_sso group_scim group_administration_nav_item].each do |flag|
+        Runtime::Feature.enable_and_verify(flag)
+      end
+
+      Support::Retrier.retry_on_exception do
+        # We need to logout from IDP. This is required if this is a retry.
+        Flow::Saml.logout_from_idp(@saml_idp_service)
+
+        page.visit Runtime::Scenario.gitlab_address
+
+        Page::Main::Menu.perform(&:sign_out_if_signed_in)
+
+        # The first time you have to be signed in as admin
+        unless @saml_linked_for_admin
+          Flow::Login.sign_in(as: @owner_user)
+          @saml_linked_for_admin = true
+        end
+
+        # We must sign in with SAML before enabling Group Managed Accounts
+        visit_managed_group_url
+
+        EE::Page::Group::SamlSSOSignIn.perform(&:click_sign_in)
+
+        Flow::Saml.login_to_idp_if_required('user1', 'user1pass')
+
+        Flow::Saml.visit_saml_sso_settings(@group)
+
+        EE::Page::Group::Settings::SamlSSO.perform do |saml_sso|
+          # Once the feature flags are enabled, it takes some time for the toggle buttons to show on the UI.
+          # This issue does not happen manually. Only happens with the test as they are too fast.
+          Support::Retrier.retry_until(sleep_interval: 1, raise_on_failure: true) do
+            condition_met = saml_sso.has_enforced_sso_button? && saml_sso.has_group_managed_accounts_button?
+            page.refresh unless condition_met
+
+            condition_met
+          end
+
+          saml_sso.enforce_sso
+          saml_sso.enable_group_managed_accounts
+          saml_sso.click_save_changes
+
+          saml_sso.user_login_url_link_text
+        end
+
+        Flow::Saml.visit_saml_sso_settings(@group, direct: true)
+        raise "Group managed accounts not setup correctly" unless EE::Page::Group::Settings::SamlSSO.perform(&:group_managed_accounts_enabled?)
+      end
+    end
+
+    def visit_managed_group_url
+      Runtime::Logger.debug(%Q[Visiting managed_group_url at "#{@managed_group_url}"])
+
+      page.visit @managed_group_url
+      Support::Waiter.wait_until { current_url == @managed_group_url }
+    end
+  end
+end