
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
Diffstat (limited to 'app/services/groups')
-rw-r--r--app/services/groups/create_service.rb19
-rw-r--r--app/services/groups/import_export/import_service.rb2
-rw-r--r--app/services/groups/transfer_service.rb35
-rw-r--r--app/services/groups/update_service.rb58
-rw-r--r--app/services/groups/update_shared_runners_service.rb32
5 files changed, 114 insertions, 32 deletions
diff --git a/app/services/groups/create_service.rb b/app/services/groups/create_service.rb
index ce583095168..cf843d92862 100644
--- a/app/services/groups/create_service.rb
+++ b/app/services/groups/create_service.rb
@@ -15,6 +15,8 @@ module Groups
after_build_hook(@group, params)
+ inherit_group_shared_runners_settings
+
unless can_use_visibility_level? && can_create_group?
return @group
end
@@ -28,9 +30,12 @@ module Groups
@group.build_chat_team(name: response['name'], team_id: response['id'])
end
- if @group.save
- @group.add_owner(current_user)
- add_settings_record
+ Group.transaction do
+ if @group.save
+ @group.add_owner(current_user)
+ @group.create_namespace_settings
+ Service.create_from_active_default_integrations(@group, :group_id) if Feature.enabled?(:group_level_integrations)
+ end
end
@group
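Review bot: The new `Group.transaction` block cannot roll anything back as written, because every call inside it reports failure by return value rather than by raising: `@group.save` is tested with `if`, and `create_namespace_settings` is the non-bang association builder, which returns an unsaved record when validation fails. A group can therefore be committed with no namespace_settings row, which the 2FA checks added to transfer_service.rb and update_service.rb in this commit dereference without a nil guard. Either use the raising form, `@group.create_namespace_settings!`, and rescue it where execute reports errors, or abort explicitly with `raise ActiveRecord::Rollback unless @group.create_namespace_settings.persisted?`. Whether `add_owner` and `Service.create_from_active_default_integrations` raise is not visible here and is worth confirming for the same reason. The enclosing execute method starts and ends outside this hunk.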
@@ -44,6 +49,7 @@ module Groups
def remove_unallowed_params
params.delete(:default_branch_protection) unless can?(current_user, :create_group_with_default_branch_protection)
+ params.delete(:allow_mfa_for_subgroups)
end
def create_chat_team?
@@ -84,8 +90,11 @@ module Groups
params[:visibility_level] = Gitlab::CurrentSettings.current_application_settings.default_group_visibility
end
- def add_settings_record
- @group.create_namespace_settings
+ def inherit_group_shared_runners_settings
+ return unless @group.parent
+
+ @group.shared_runners_enabled = @group.parent.shared_runners_enabled
+ @group.allow_descendants_override_disabled_shared_runners = @group.parent.allow_descendants_override_disabled_shared_runners
end
end
end
diff --git a/app/services/groups/import_export/import_service.rb b/app/services/groups/import_export/import_service.rb
index a5c776f8fc2..a0ddc50e5e0 100644
--- a/app/services/groups/import_export/import_service.rb
+++ b/app/services/groups/import_export/import_service.rb
@@ -13,7 +13,7 @@ module Groups
end
def async_execute
- group_import_state = GroupImportState.safe_find_or_create_by!(group: group)
+ group_import_state = GroupImportState.safe_find_or_create_by!(group: group, user: current_user)
jid = GroupImportWorker.perform_async(current_user.id, group.id)
if jid.present?
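Review bot: Passing `user: current_user` as a lookup key changes which row `safe_find_or_create_by!` finds, not just what it stores: an existing GroupImportState for this group that belongs to another user no longer matches, so a second row is attempted. If the table is unique per group (its constraints are not visible here) that attempt raises; if it is not, the group ends up with several import states. Looking the state up by group alone and assigning the user separately keeps one state per group, for example `GroupImportState.safe_find_or_create_by!(group: group) { |state| state.user = current_user }`, assuming the helper yields to a block the way `find_or_create_by!` does. async_execute continues past the end of this hunk.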
diff --git a/app/services/groups/transfer_service.rb b/app/services/groups/transfer_service.rb
index 2bd571f60af..aad574aeaf5 100644
--- a/app/services/groups/transfer_service.rb
+++ b/app/services/groups/transfer_service.rb
@@ -38,6 +38,7 @@ module Groups
# Overridden in EE
def post_update_hooks(updated_project_ids)
refresh_project_authorizations
+ refresh_descendant_groups if @new_parent_group
end
def ensure_allowed_transfer
@@ -101,8 +102,13 @@ module Groups
@group.visibility_level = @new_parent_group.visibility_level
end
+ update_two_factor_authentication if @new_parent_group
+
@group.parent = @new_parent_group
@group.clear_memoization(:self_and_ancestors_ids)
+
+ inherit_group_shared_runners_settings
+
@group.save!
end
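Review bot: `inherit_group_shared_runners_settings` is called before `@group.save!`, but as defined at the end of this file it goes through `Groups::UpdateSharedRunnersService`, which calls `group.update_shared_runners_setting!` and so appears to write to the database itself while `@group.parent` is still only assigned in memory. If this method is not already running inside the transfer's transaction (its start is outside the hunk), a later failure of `@group.save!` would leave the runners setting lowered on a group that was never moved. A comment at the call stating the assumption would make this safe to maintain, e.g. `# must stay inside the transfer transaction: the service below persists on its own`. `update_two_factor_authentication` does not have this problem, since it only assigns an attribute that `@group.save!` then persists.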
@@ -126,8 +132,26 @@ module Groups
projects_to_update
.update_all(visibility_level: @new_parent_group.visibility_level)
end
+
+ def update_two_factor_authentication
+ return if namespace_parent_allows_two_factor_auth
+
+ @group.require_two_factor_authentication = false
+ end
+
+ def refresh_descendant_groups
+ return if namespace_parent_allows_two_factor_auth
+
+ if @group.descendants.where(require_two_factor_authentication: true).any?
+ DisallowTwoFactorForSubgroupsWorker.perform_async(@group.id)
+ end
+ end
# rubocop: enable CodeReuse/ActiveRecord
+ def namespace_parent_allows_two_factor_auth
+ @new_parent_group.namespace_settings.allow_mfa_for_subgroups
+ end
+
def ensure_ownership
return if @new_parent_group
return unless @group.owners.empty?
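Review bot: `namespace_parent_allows_two_factor_auth` calls `.allow_mfa_for_subgroups` on `@new_parent_group.namespace_settings` with no nil guard, so a transfer under a parent group that has no settings row fails with NoMethodError; `update_two_factor_requirement_for_subgroups` in update_service.rb dereferences `group.namespace_settings` the same way. Whether such groups exist depends on how older groups were created, which this page does not show. Because a false result here clears `require_two_factor_authentication`, the missing-row case should be decided explicitly rather than patched with `&.`, which would treat a missing row as a refusal and drop the requirement; `settings.nil? || settings.allow_mfa_for_subgroups` keeps it. The method is also a predicate evaluated twice per transfer, so `def namespace_parent_allows_two_factor_auth?` with memoisation would read better. ensure_ownership at the end of the hunk continues outside it.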
@@ -161,6 +185,17 @@ module Groups
group_contains_npm_packages: s_('TransferGroup|Group contains projects with NPM packages.')
}.freeze
end
+
+ def inherit_group_shared_runners_settings
+ parent_setting = @group.parent&.shared_runners_setting
+ return unless parent_setting
+
+ if @group.shared_runners_setting_higher_than?(parent_setting)
+ result = Groups::UpdateSharedRunnersService.new(@group, current_user, shared_runners_setting: parent_setting).execute
+
+ raise TransferError, result[:message] unless result[:status] == :success
+ end
+ end
end
end
diff --git a/app/services/groups/update_service.rb b/app/services/groups/update_service.rb
index 81393681dc0..84385f5da25 100644
--- a/app/services/groups/update_service.rb
+++ b/app/services/groups/update_service.rb
@@ -4,6 +4,8 @@ module Groups
class UpdateService < Groups::BaseService
include UpdateVisibilityLevel
+ SETTINGS_PARAMS = [:allow_mfa_for_subgroups].freeze
+
def execute
reject_parent_id!
remove_unallowed_params
@@ -19,8 +21,14 @@ module Groups
return false unless valid_path_change_with_npm_packages?
+ return false unless update_shared_runners
+
+ handle_changes
+
before_assignment_hook(group, params)
+ handle_namespace_settings
+
group.assign_attributes(params)
begin
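Review bot: `return false unless update_shared_runners` runs a service that persists on its own (`group.update_shared_runners_setting!` in update_shared_runners_service.rb) before `group.assign_attributes(params)` and whatever validation and save follow the `begin`. If any later step rejects the update, execute reports failure while the shared-runners change has already been written. Moving the call after the group has saved successfully, or wrapping both in one transaction, avoids the half-applied update; `handle_changes` deserves the same check if `::NamespaceSettings::UpdateService#execute` saves rather than assigns, which is not visible here. execute begins and ends outside this hunk.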
@@ -38,6 +46,18 @@ module Groups
private
+ def handle_namespace_settings
+ settings_params = params.slice(*::NamespaceSetting::NAMESPACE_SETTINGS_PARAMS)
+
+ return if settings_params.empty?
+
+ ::NamespaceSetting::NAMESPACE_SETTINGS_PARAMS.each do |nsp|
+ params.delete(nsp)
+ end
+
+ ::NamespaceSettings::UpdateService.new(current_user, group, settings_params).execute
+ end
+
def valid_path_change_with_npm_packages?
return true unless group.packages_feature_enabled?
return true if params[:path].blank?
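Review bot: `handle_namespace_settings` duplicates `handle_settings_update`, added further down in this file: both slice settings keys out of `params` and pass them to `::NamespaceSettings::UpdateService`, but from two different lists, `::NamespaceSetting::NAMESPACE_SETTINGS_PARAMS` here and `SETTINGS_PARAMS` there. Because execute calls `handle_changes` first, any key present in both lists (`allow_mfa_for_subgroups` is the only one visible) has already been deleted by the time this method runs, and the two lists can drift apart. Keeping one method and one list would be clearer, and the surviving one should keep the `return if settings_params.empty?` guard, which `handle_settings_update` lacks, so the service is not invoked on every group update. Neither method checks `can?` before forwarding a setting that controls 2FA enforcement; if the service is what authorises the change, a comment saying so would help.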
@@ -73,6 +93,18 @@ module Groups
# don't enqueue immediately to prevent todos removal in case of a mistake
TodosDestroyer::GroupPrivateWorker.perform_in(Todo::WAIT_FOR_DELETE, group.id)
end
+
+ update_two_factor_requirement_for_subgroups
+ end
+
+ def update_two_factor_requirement_for_subgroups
+ settings = group.namespace_settings
+ return if settings.allow_mfa_for_subgroups
+
+ if settings.previous_changes.include?(:allow_mfa_for_subgroups)
+ # enque in batches members update
+ DisallowTwoFactorForSubgroupsWorker.perform_async(group.id)
+ end
end
def reject_parent_id!
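Review bot: The comment `# enque in batches members update` in `update_two_factor_requirement_for_subgroups` is misspelled and does not say what is enqueued or why. This branch is where turning off `allow_mfa_for_subgroups` propagates to descendant groups, so the comment should name that effect, e.g. `# allow_mfa_for_subgroups was just switched off: enqueue the worker that updates the 2FA requirement on descendant groups` (the worker's behaviour is inferred from its name). It is also worth noting in the comment that `previous_changes` is only populated if the settings record was saved earlier in this request on this same object.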
@@ -85,6 +117,21 @@ module Groups
params.delete(:default_branch_protection) unless can?(current_user, :update_default_branch_protection, group)
end
+ def handle_changes
+ handle_settings_update
+ end
+
+ def handle_settings_update
+ settings_params = params.slice(*allowed_settings_params)
+ allowed_settings_params.each { |param| params.delete(param) }
+
+ ::NamespaceSettings::UpdateService.new(current_user, group, settings_params).execute
+ end
+
+ def allowed_settings_params
+ SETTINGS_PARAMS
+ end
+
def valid_share_with_group_lock_change?
return true unless changing_share_with_group_lock?
return true if can?(current_user, :change_share_with_group_lock, group)
@@ -98,6 +145,17 @@ module Groups
params[:share_with_group_lock] != group.share_with_group_lock
end
+
+ def update_shared_runners
+ return true if params[:shared_runners_setting].nil?
+
+ result = Groups::UpdateSharedRunnersService.new(group, current_user, shared_runners_setting: params.delete(:shared_runners_setting)).execute
+
+ return true if result[:status] == :success
+
+ group.errors.add(:update_shared_runners, result[:message])
+ false
+ end
end
end
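Review bot: `return true if params[:shared_runners_setting].nil?` returns before the key is deleted, so a request that sends the key with a nil value leaves `shared_runners_setting: nil` in `params`, and it then reaches `group.assign_attributes(params)` in execute. Deleting first closes that path: `setting = params.delete(:shared_runners_setting)` followed by `return true if setting.nil?`, then pass `setting` to the service. Separately, no `can?` check guards this parameter the way `remove_unallowed_params` guards `default_branch_protection`; if authorisation happens in the controller or in `Groups::UpdateSharedRunnersService` (neither is visible here), a comment naming the place would help.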
diff --git a/app/services/groups/update_shared_runners_service.rb b/app/services/groups/update_shared_runners_service.rb
index 63f57104510..639c5bf6ae0 100644
--- a/app/services/groups/update_shared_runners_service.rb
+++ b/app/services/groups/update_shared_runners_service.rb
@@ -7,44 +7,24 @@ module Groups
validate_params
- enable_or_disable_shared_runners!
- allow_or_disallow_descendants_override_disabled_shared_runners!
+ update_shared_runners
success
- rescue Group::UpdateSharedRunnersError => error
+ rescue ActiveRecord::RecordInvalid, ArgumentError => error
error(error.message)
end
private
def validate_params
- if Gitlab::Utils.to_boolean(params[:shared_runners_enabled]) && !params[:allow_descendants_override_disabled_shared_runners].nil?
- raise Group::UpdateSharedRunnersError, 'Cannot set shared_runners_enabled to true and allow_descendants_override_disabled_shared_runners'
+ unless Namespace::SHARED_RUNNERS_SETTINGS.include?(params[:shared_runners_setting])
+ raise ArgumentError, "state must be one of: #{Namespace::SHARED_RUNNERS_SETTINGS.join(', ')}"
end
end
- def enable_or_disable_shared_runners!
- return if params[:shared_runners_enabled].nil?
-
- if Gitlab::Utils.to_boolean(params[:shared_runners_enabled])
- group.enable_shared_runners!
- else
- group.disable_shared_runners!
- end
- end
-
- def allow_or_disallow_descendants_override_disabled_shared_runners!
- return if params[:allow_descendants_override_disabled_shared_runners].nil?
-
- # Needs to reset group because if both params are present could result in error
- group.reset
-
- if Gitlab::Utils.to_boolean(params[:allow_descendants_override_disabled_shared_runners])
- group.allow_descendants_override_disabled_shared_runners!
- else
- group.disallow_descendants_override_disabled_shared_runners!
- end
+ def update_shared_runners
+ group.update_shared_runners_setting!(params[:shared_runners_setting])
end
end
end
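Review bot: `rescue ActiveRecord::RecordInvalid, ArgumentError` covers the whole of execute, so an ArgumentError raised anywhere inside `group.update_shared_runners_setting!` is also caught and its message returned to the caller as a normal validation error. Raising a service-specific error from `validate_params`, or validating outside the rescued scope, keeps programming errors from being reported as user input problems. The message also names the wrong thing: the parameter is `shared_runners_setting`, so `"shared_runners_setting must be one of: #{Namespace::SHARED_RUNNERS_SETTINGS.join(', ')}"` would be clearer than `state must be one of`. execute starts above the first line of this hunk.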