Merge branch 'ee_admins_from_ldap_group' into 'master'

synchronise admins from LDAP group

from http://feedback.gitlab.com/forums/176466-general/suggestions/5738973-make-all-members-of-ldap-group-gitlab-admins :
> Make all members of LDAP group GitLab admins
>
> In GitLab EE it would be nice if you could make everyone in a certain LDAP group GitLab administrators.
>
> For instance, you would have a LDAP group 'GitLab admins' and anyone added to that group would automatically become admin in GitLab.

config/gitlab.yml.example

@@ -162,6 +162,11 @@ production: &base
     #
     group_base: ''
 
+    # LDAP group of users who should be admins in GitLab
+    #
+    #   Ex. GLAdmins
+    #
+    admin_group: ''
 
   ## OmniAuth settings
   omniauth:

lib/gitlab/ldap/access.rb

@@ -48,6 +48,9 @@ module Gitlab
             remove_user_from_groups(user.id, ldap_group.cn)
           end
         end
+        if Gitlab.config.ldap['admin_group'].present?
+          update_admin_status(user)
+        end
       end
 
       # Update user email if it changed in LDAP
@@ -91,6 +94,21 @@ module Gitlab
           group.users_groups.where(user_id: user_id).destroy_all
         end
       end
+
+      def update_admin_status(user)
+        admin_group = Gitlab::LDAP::Group.find_by_cn(Gitlab.config.ldap['admin_group'], adapter)
+        if admin_group.has_member?(Gitlab::LDAP::Person.find_by_dn(user.extern_uid, adapter))
+          unless user.admin?
+            user.admin = true
+            user.save
+          end
+        else
+          if user.admin?
+            user.admin = false
+            user.save
+          end
+        end
+      end
     end
   end
 end

spec/lib/gitlab/ldap/ldap_access_spec.rb

@@ -92,4 +92,51 @@ describe Gitlab::LDAP::Access do
       end
     end
   end
+
+  describe :update_admin_status do
+    let(:gitlab_user) { create(:user, provider: 'ldap', extern_uid: "admin2")}
+    let(:gitlab_admin) { create(:admin, provider: 'ldap', extern_uid: "admin2")}
+
+    before do
+      Gitlab.config.ldap['admin_group'] = "GLAdmins"
+      ldap_user_entry = Net::LDAP::Entry.new
+      Gitlab::LDAP::Adapter.any_instance.stub(:user) { Gitlab::LDAP::Person.new(ldap_user_entry) }
+      Gitlab::LDAP::Person.any_instance.stub(:uid) { 'admin2' }
+    end
+
+    it "should give admin privileges to an User" do
+      admin_group = Net::LDAP::Entry.from_single_ldif_string(
+%Q{dn: cn=#{Gitlab.config.ldap['admin_group']},ou=groups,dc=bar,dc=com
+cn: #{Gitlab.config.ldap['admin_group']}
+description: GitLab admins
+gidnumber: 42
+memberuid: admin1
+memberuid: admin2
+memberuid: admin3
+objectclass: top
+objectclass: posixGroup
+})
+      Gitlab::LDAP::Adapter.any_instance.stub(:group) { Gitlab::LDAP::Group.new(admin_group) }
+      expect(gitlab_user.admin?).to be false
+      access.update_admin_status(gitlab_user)
+      expect(gitlab_user.admin?).to be true
+    end
+
+    it "should remove admin privileges from an User" do
+      admin_group = Net::LDAP::Entry.from_single_ldif_string(
+%Q{dn: cn=#{Gitlab.config.ldap['admin_group']},ou=groups,dc=bar,dc=com
+cn: #{Gitlab.config.ldap['admin_group']}
+description: GitLab admins
+gidnumber: 42
+memberuid: admin1
+memberuid: admin3
+objectclass: top
+objectclass: posixGroup
+})
+      Gitlab::LDAP::Adapter.any_instance.stub(:group) { Gitlab::LDAP::Group.new(admin_group) }
+      expect(gitlab_admin.admin?).to be true
+      access.update_admin_status(gitlab_admin)
+      expect(gitlab_admin.admin?).to be false
+    end
+  end
 end