SAML reauth banner for issues and merge requests dashboard

Displays a banner on the issues and merge requests dashboard when a user has one or more SAML groups that require SSO reauthentication. Changelog: added EE: true

SAML reauth banner for issues and merge requests dashboard
508604d2 · Drew Blessing · GitLab · 8231be89 · 508604d2 · 508604d2
--- a/app/helpers/dashboard_helper.rb
+++ b/app/helpers/dashboard_helper.rb
@@ -33,6 +33,10 @@ def feature_entry(title, href: nil, enabled: true, doc_href: nil)
      end
    end
  end
+
+  def user_groups_requiring_reauth
+    []
+  end
 end

 DashboardHelper.prepend_mod_with('DashboardHelper')
--- a/app/helpers/todos_helper.rb
+++ b/app/helpers/todos_helper.rb
@@ -254,6 +254,10 @@ def todo_author_display?(todo)
    !todo.build_failed? && !todo.unmergeable?
  end

+  def todo_groups_requiring_saml_reauth(_todos)
+    []
+  end
+
  private

  def todos_design_path(todo, path_options)

--- a/app/views/dashboard/issues.html.haml
+++ b/app/views/dashboard/issues.html.haml
@@ -6,6 +6,8 @@
  = auto_discovery_link_tag(:atom, safe_params.merge(rss_url_options).to_h, title: "#{current_user.name} issues")

 = render_dashboard_ultimate_trial(current_user)
+= render_if_exists 'shared/dashboard/saml_reauth_notice',
+  groups_requiring_saml_reauth: user_groups_requiring_reauth

 .page-title-holder.gl-display-flex.gl-align-items-center
  %h1.page-title.gl-font-size-h-display= _('Issues')

--- a/app/views/dashboard/merge_requests.html.haml
+++ b/app/views/dashboard/merge_requests.html.haml
@@ -11,6 +11,8 @@
  add_page_specific_style 'page_bundles/issuable_list'

 = render_dashboard_ultimate_trial(current_user)
+= render_if_exists 'shared/dashboard/saml_reauth_notice',
+  groups_requiring_saml_reauth: user_groups_requiring_reauth

 .page-title-holder.d-flex.align-items-start.flex-column.flex-sm-row.align-items-sm-center
  %h1.page-title.gl-font-size-h-display= title

--- a/app/views/dashboard/todos/index.html.haml
+++ b/app/views/dashboard/todos/index.html.haml
@@ -2,7 +2,10 @@

 = render_two_factor_auth_recovery_settings_check
 = render_dashboard_ultimate_trial(current_user)
-= render_if_exists 'dashboard/todos/saml_reauth_notice'
+
+= render_if_exists 'shared/dashboard/saml_reauth_notice',
+  groups_requiring_saml_reauth: todo_groups_requiring_saml_reauth(@todos)
+
 - add_page_specific_style 'page_bundles/todos'
 - add_page_specific_style 'page_bundles/issuable'
 - filter_by_done = params[:state] == 'done'

--- a/ee/app/helpers/ee/dashboard_helper.rb
+++ b/ee/app/helpers/ee/dashboard_helper.rb
@@ -31,6 +31,18 @@ def has_start_trial?
      !current_user.has_current_license? && current_user.can_admin_all_resources?
    end

+    override :user_groups_requiring_reauth
+    def user_groups_requiring_reauth
+      saml_providers = current_user.group_saml_identities.map(&:saml_provider)
+      return super unless saml_providers.any?
+
+      saml_providers.select! do |saml_provider|
+        ::Gitlab::Auth::GroupSaml::SsoEnforcer.new(saml_provider, user: current_user).access_restricted?
+      end
+
+      saml_providers.map(&:group)
+    end
+
    private

    def security_dashboard_available?

--- a/ee/app/helpers/ee/todos_helper.rb
+++ b/ee/app/helpers/ee/todos_helper.rb
@@ -36,9 +36,11 @@ def todo_action_name(todo)
      super
    end

+    override :todo_groups_requiring_saml_reauth
    def todo_groups_requiring_saml_reauth(todos)
-      groups = todos.filter_map { |todo| todo.group || todo.project.group }.uniq
+      return super unless todos&.any?

+      groups = todos.filter_map { |todo| todo.group || todo.project.group }.uniq
      ::Gitlab::Auth::GroupSaml::SsoEnforcer.access_restricted_groups(groups, user: current_user)
    end
  end

--- a/ee/app/views/dashboard/todos/_saml_reauth_notice.html.haml
+++ b/ee/app/views/dashboard/todos/_saml_reauth_notice.html.haml
- groups_requiring_saml_reauth = todo_groups_requiring_saml_reauth(@todos)
 - return unless groups_requiring_saml_reauth.any?

 = render Pajamas::AlertComponent.new(variant: :warning, dismissible: false) do |c|
  - c.with_body do
-    = s_('GroupSAML|Some to-do items may be hidden because your SAML session has expired. Select the group’s path to reauthenticate and view the hidden to-do items.')
+    = s_('GroupSAML|Some items may be hidden because your SAML session has expired. Select the group’s path to reauthenticate and view any hidden items.')
  - c.with_actions do
    .gl-display-flex.gl-flex-wrap
      - groups_requiring_saml_reauth.each do |group|

--- a/ee/spec/features/dashboards/issues_spec.rb
+++ b/ee/spec/features/dashboards/issues_spec.rb
@@ -3,8 +3,10 @@
 require 'spec_helper'

 RSpec.describe 'Dashboard issues', feature_category: :team_planning do
-  let(:user) { create(:user) }
-  let(:page_path) { issues_dashboard_path }
+  let_it_be(:user) { create(:user) }
+  let_it_be(:page_path) { issues_dashboard_path }

  it_behaves_like 'dashboard ultimate trial callout'
+
+  it_behaves_like 'dashboard SAML reauthentication banner'
 end
--- a/ee/spec/features/dashboards/merge_requests_spec.rb
+++ b/ee/spec/features/dashboards/merge_requests_spec.rb
@@ -3,8 +3,10 @@
 require 'spec_helper'

 RSpec.describe 'Dashboard merge requests', feature_category: :code_review_workflow do
-  let(:user) { create(:user) }
-  let(:page_path) { merge_requests_dashboard_path }
+  let_it_be(:user) { create(:user) }
+  let_it_be(:page_path) { merge_requests_dashboard_path }

  it_behaves_like 'dashboard ultimate trial callout'
+
+  it_behaves_like 'dashboard SAML reauthentication banner'
 end
--- a/ee/spec/features/dashboards/todos_spec.rb
+++ b/ee/spec/features/dashboards/todos_spec.rb
@@ -40,43 +40,10 @@
    end
  end

-  context 'when the user has todos in an SSO enforced group' do
-    let_it_be(:saml_provider) { create(:saml_provider, enabled: true, enforced_sso: true) }
-    let_it_be(:restricted_group) { create(:group, saml_provider: saml_provider) }
+  it_behaves_like 'dashboard SAML reauthentication banner' do
    let_it_be(:epic_todo) do
      create(:todo, group: restricted_group, user: user, target: create(:epic, group: restricted_group))
    end
-
-    before do
-      stub_licensed_features(group_saml: true)
-      create(:group_saml_identity, user: user, saml_provider: saml_provider)
-
-      restricted_group.add_owner(user)
-
-      sign_in(user)
-    end
-
-    context 'and the session is not active' do
-      it 'shows the user an alert', :aggregate_failures do
-        visit page_path
-
-        expect(page).to have_content(s_('GroupSAML|Some to-do items may be hidden because your SAML session has expired. Select the group’s path to reauthenticate and view the hidden to-do items.')) # rubocop:disable Layout/LineLength
-        expect(page).to have_link(restricted_group.path, href: /#{sso_group_saml_providers_path(restricted_group)}/)
-      end
-    end
-
-    context 'and the session is active' do
-      before do
-        dummy_session = { active_group_sso_sign_ins: { saml_provider.id => DateTime.now } }
-        allow(Gitlab::Session).to receive(:current).and_return(dummy_session)
-      end
-
-      it 'does not show the user an alert', :aggregate_failures do
-        visit page_path
-
-        expect(page).not_to have_content(s_('GroupSAML|Some to-do items may be hidden because your SAML session has expired. Select the group’s path to reauthenticate and view the hidden to-do items.')) # rubocop:disable Layout/LineLength
-      end
-    end
  end

  context 'when user has review request todo', :saas do

--- a/ee/spec/helpers/ee/dashboard_helper_spec.rb
+++ b/ee/spec/helpers/ee/dashboard_helper_spec.rb
@@ -28,4 +28,47 @@
      it { is_expected.to eq(output) }
    end
  end
+
+  describe '.user_groups_requiring_reauth', feature_category: :system_access do
+    subject(:user_groups_requiring_reauth) { helper.user_groups_requiring_reauth }
+
+    let!(:current_user) { create(:user) }
+
+    before do
+      allow(helper).to receive(:current_user).and_return(current_user)
+    end
+
+    context 'when the user has no Group SAML identities' do
+      it 'returns an empty array' do
+        expect(user_groups_requiring_reauth).to match_array([])
+      end
+    end
+
+    context 'when the user has Group SAML identities' do
+      let_it_be(:saml_provider) { create(:saml_provider, group: create(:group), enforced_sso: true) }
+
+      before do
+        stub_licensed_features(group_saml: true)
+        create(:group_saml_identity, user: current_user, saml_provider: saml_provider)
+      end
+
+      context 'when access is not restricted' do
+        it 'returns an empty array' do
+          expect(user_groups_requiring_reauth).to match_array([])
+        end
+      end
+
+      context 'when access is restricted' do
+        before do
+          allow_next_instance_of(::Gitlab::Auth::GroupSaml::SsoEnforcer) do |instance|
+            allow(instance).to receive(:access_restricted?).and_return(true)
+          end
+        end
+
+        it 'returns the group that the SAML provider belongs to' do
+          expect(user_groups_requiring_reauth).to match_array(saml_provider.group)
+        end
+      end
+    end
+  end
 end
--- a/ee/spec/helpers/ee/todos_helper_spec.rb
+++ b/ee/spec/helpers/ee/todos_helper_spec.rb
@@ -224,4 +224,42 @@
      it { expect(helper.todo_action_name(todo)).to eq(expected_action_name) }
    end
  end
+
+  describe '.todo_groups_requiring_saml_reauth', feature_category: :system_access do
+    subject(:todo_groups_requiring_saml_reauth) { helper.todo_groups_requiring_saml_reauth([issue_todo, group_todo]) }
+
+    let_it_be(:current_user) { create(:user) }
+
+    let_it_be(:group1) { create(:group) }
+    let_it_be(:project) { create(:project, group: group1) }
+    let_it_be(:issue) { create(:issue, title: 'Issue 1') }
+    let_it_be(:issue_todo) do
+      create(:todo, target: issue, project: project)
+    end
+
+    let_it_be(:group2) { create(:group) }
+    let_it_be(:group_todo) do
+      create(:todo, target: group2, group: group2, project: nil, user: current_user)
+    end
+
+    before do
+      allow(helper).to receive(:current_user).and_return(current_user)
+    end
+
+    context 'when access is not restricted' do
+      it 'returns an empty array' do
+        expect(todo_groups_requiring_saml_reauth).to match_array([])
+      end
+    end
+
+    context 'when access is restricted' do
+      before do
+        allow(::Gitlab::Auth::GroupSaml::SsoEnforcer).to receive(:access_restricted_groups).and_return([group1, group2])
+      end
+
+      it 'returns the todo groups' do
+        expect(todo_groups_requiring_saml_reauth).to match_array([group1, group2])
+      end
+    end
+  end
 end
--- a/ee/spec/support/shared_examples/features/dashboard_saml_reauth_banner_shared_examples.rb
+++ b/ee/spec/support/shared_examples/features/dashboard_saml_reauth_banner_shared_examples.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.shared_examples_for 'dashboard SAML reauthentication banner' do
+  let_it_be(:restricted_group) { create(:group, :private) }
+  let_it_be(:saml_provider) { create(:saml_provider, group: restricted_group, enabled: true, enforced_sso: true) }
+
+  before do
+    stub_licensed_features(group_saml: true)
+  end
+
+  before_all do
+    create(:group_saml_identity, user: user, saml_provider: saml_provider)
+
+    restricted_group.add_developer(user)
+
+    sign_in(user)
+  end
+
+  context 'and the session is not active' do
+    it 'shows the user an alert', :aggregate_failures do
+      visit page_path
+
+      expect(page).to have_content(
+        s_('GroupSAML|Some items may be hidden because your SAML session has expired. Select the group’s path to reauthenticate and view any hidden items.') # rubocop:disable Layout/LineLength -- Single string
+      )
+
+      expect(page).to have_link(restricted_group.path, href: /#{sso_group_saml_providers_path(restricted_group)}/)
+    end
+  end
+
+  context 'and the session is active' do
+    before do
+      dummy_session = { active_group_sso_sign_ins: { saml_provider.id => DateTime.now } }
+      allow(Gitlab::Session).to receive(:current).and_return(dummy_session)
+    end
+
+    it 'does not show the user an alert', :aggregate_failures do
+      visit page_path
+
+      expect(page).not_to have_content(
+        s_('GroupSAML|Some items may be hidden because your SAML session has expired. Select the group’s path to reauthenticate and view any hidden items.') # rubocop:disable Layout/LineLength -- Single string
+      )
+    end
+  end
+end
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -23595,7 +23595,7 @@ msgstr ""
 msgid "GroupSAML|Some branches are inaccessible because your SAML session has expired. To access the branches, select the group’s path to reauthenticate."
 msgstr ""
  
-msgid "GroupSAML|Some to-do items may be hidden because your SAML session has expired. Select the group’s path to reauthenticate and view the hidden to-do items."
+msgid "GroupSAML|Some items may be hidden because your SAML session has expired. Select the group’s path to reauthenticate and view any hidden items."
 msgstr ""
  
 msgid "GroupSAML|The SCIM token is now hidden. To see the value of the token again, you need to %{linkStart}reset it%{linkEnd}."
--- a/spec/helpers/dashboard_helper_spec.rb
+++ b/spec/helpers/dashboard_helper_spec.rb
@@ -75,4 +75,10 @@

    it { is_expected.to eq(false) }
  end
+
+  describe '.user_groups_requiring_reauth', feature_category: :system_access do
+    it 'returns an empty array' do
+      expect(helper.user_groups_requiring_reauth).to match_array([])
+    end
+  end
 end
--- a/spec/helpers/todos_helper_spec.rb
+++ b/spec/helpers/todos_helper_spec.rb
@@ -443,4 +443,10 @@
      end
    end
  end
+
+  describe '.todo_groups_requiring_saml_reauth', feature_category: :system_access do
+    it 'returns an empty array' do
+      expect(helper.todo_groups_requiring_saml_reauth([])).to match_array([])
+    end
+  end
 end