Merge branch 'feature/require-2fa-for-all-entities-in-group' into 'master'

inherit require 2fa for all subgroups and projects See merge request gitlab-org/gitlab-ce!24965
author: Thong Kuah <tkuah@gitlab.com> 2019-06-14 00:46:30 +0000
committer: Thong Kuah <tkuah@gitlab.com> 2019-06-14 00:46:30 +0000
commit: 6de8cb7e9cf715e720fab9e7359ddb63c992af3b (patch)
tree: db642e4210cdfb6bf125c78ebbf0e883eac276ad /spec
parent: 7808259922906877f866d4b28fcd6994790ad8dd (diff)
parent: 7bfc4f999231385f2dc24cbb2d34b09cf5ae96c1 (diff)
download: gitlab-ce-6de8cb7e9cf715e720fab9e7359ddb63c992af3b.tar.gz
2 files changed, 101 insertions, 24 deletions
diff --git a/spec/models/group_spec.rb b/spec/models/group_spec.rb
index e6e7298a043..d7accbef6bd 100644
--- a/spec/models/group_spec.rb
+++ b/spec/models/group_spec.rb
@@ -603,40 +603,96 @@ describe Group do
   describe '#update_two_factor_requirement' do
     let(:user) { create(:user) }
 
-    before do
-      group.add_user(user, GroupMember::OWNER)
-    end
+    context 'group membership' do
+      before do
+        group.add_user(user, GroupMember::OWNER)
+      end
 
-    it 'is called when require_two_factor_authentication is changed' do
-      expect_any_instance_of(User).to receive(:update_two_factor_requirement)
+      it 'is called when require_two_factor_authentication is changed' do
+        expect_any_instance_of(User).to receive(:update_two_factor_requirement)
 
-      group.update!(require_two_factor_authentication: true)
-    end
+        group.update!(require_two_factor_authentication: true)
+      end
 
-    it 'is called when two_factor_grace_period is changed' do
-      expect_any_instance_of(User).to receive(:update_two_factor_requirement)
+      it 'is called when two_factor_grace_period is changed' do
+        expect_any_instance_of(User).to receive(:update_two_factor_requirement)
 
-      group.update!(two_factor_grace_period: 23)
-    end
+        group.update!(two_factor_grace_period: 23)
+      end
 
-    it 'is not called when other attributes are changed' do
-      expect_any_instance_of(User).not_to receive(:update_two_factor_requirement)
+      it 'is not called when other attributes are changed' do
+        expect_any_instance_of(User).not_to receive(:update_two_factor_requirement)
 
-      group.update!(description: 'foobar')
+        group.update!(description: 'foobar')
+      end
+
+      it 'calls #update_two_factor_requirement on each group member' do
+        other_user = create(:user)
+        group.add_user(other_user, GroupMember::OWNER)
+
+        calls = 0
+        allow_any_instance_of(User).to receive(:update_two_factor_requirement) do
+          calls += 1
+        end
+
+        group.update!(require_two_factor_authentication: true, two_factor_grace_period: 23)
+
+        expect(calls).to eq 2
+      end
     end
 
-    it 'calls #update_two_factor_requirement on each group member' do
-      other_user = create(:user)
-      group.add_user(other_user, GroupMember::OWNER)
+    context 'sub groups and projects', :nested_groups do
+      it 'enables two_factor_requirement for group member' do
+        group.add_user(user, GroupMember::OWNER)
 
-      calls = 0
-      allow_any_instance_of(User).to receive(:update_two_factor_requirement) do
-        calls += 1
+        group.update!(require_two_factor_authentication: true)
+
+        expect(user.reload.require_two_factor_authentication_from_group).to be_truthy
       end
 
-      group.update!(require_two_factor_authentication: true, two_factor_grace_period: 23)
+      context 'expanded group members', :nested_groups do
+        let(:indirect_user) { create(:user) }
+
+        it 'enables two_factor_requirement for subgroup member' do
+          subgroup = create(:group, :nested, parent: group)
+          subgroup.add_user(indirect_user, GroupMember::OWNER)
 
-      expect(calls).to eq 2
+          group.update!(require_two_factor_authentication: true)
+
+          expect(indirect_user.reload.require_two_factor_authentication_from_group).to be_truthy
+        end
+
+        it 'does not enable two_factor_requirement for ancestor group member' do
+          ancestor_group = create(:group)
+          ancestor_group.add_user(indirect_user, GroupMember::OWNER)
+          group.update!(parent: ancestor_group)
+
+          group.update!(require_two_factor_authentication: true)
+
+          expect(indirect_user.reload.require_two_factor_authentication_from_group).to be_falsey
+        end
+      end
+
+      context 'project members' do
+        it 'does not enable two_factor_requirement for child project member' do
+          project = create(:project, group: group)
+          project.add_maintainer(user)
+
+          group.update!(require_two_factor_authentication: true)
+
+          expect(user.reload.require_two_factor_authentication_from_group).to be_falsey
+        end
+
+        it 'does not enable two_factor_requirement for subgroup child project member', :nested_groups do
+          subgroup = create(:group, :nested, parent: group)
+          project = create(:project, group: subgroup)
+          project.add_maintainer(user)
+
+          group.update!(require_two_factor_authentication: true)
+
+          expect(user.reload.require_two_factor_authentication_from_group).to be_falsey
+        end
+      end
     end
   end
 
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index d1338e34bb8..c95bbb0b3f5 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -2655,9 +2655,9 @@ describe User do
       end
     end
 
-    context 'with 2FA requirement on nested parent group', :nested_groups do
+    context 'with 2FA requirement from expanded groups', :nested_groups do
       let!(:group1) { create :group, require_two_factor_authentication: true }
-      let!(:group1a) { create :group, require_two_factor_authentication: false, parent: group1 }
+      let!(:group1a) { create :group, parent: group1 }
 
       before do
         group1a.add_user(user, GroupMember::OWNER)
@@ -2685,6 +2685,27 @@ describe User do
       end
     end
 
+    context "with 2FA requirement from shared project's group" do
+      let!(:group1) { create :group, require_two_factor_authentication: true }
+      let!(:group2) { create :group }
+      let(:shared_project) { create(:project, namespace: group1) }
+
+      before do
+        shared_project.project_group_links.create!(
+          group: group2,
+          group_access: ProjectGroupLink.default_access
+        )
+
+        group2.add_user(user, GroupMember::OWNER)
+      end
+
+      it 'does not require 2FA' do
+        user.update_two_factor_requirement
+
+        expect(user.require_two_factor_authentication_from_group).to be false
+      end
+    end
+
     context 'without 2FA requirement on groups' do
       let(:group) { create :group }
author	Thong Kuah <tkuah@gitlab.com>	2019-06-14 00:46:30 +0000
committer	Thong Kuah <tkuah@gitlab.com>	2019-06-14 00:46:30 +0000
commit	6de8cb7e9cf715e720fab9e7359ddb63c992af3b (patch)
tree	db642e4210cdfb6bf125c78ebbf0e883eac276ad /spec
parent	7808259922906877f866d4b28fcd6994790ad8dd (diff)
parent	7bfc4f999231385f2dc24cbb2d34b09cf5ae96c1 (diff)
download	gitlab-ce-6de8cb7e9cf715e720fab9e7359ddb63c992af3b.tar.gz