Merge branch 'dm-ldap-group-sync-filter-eep' into 'master'

Only enable LDAP group sync filter method on EEP Closes #3698 See merge request gitlab-org/gitlab-ee!3106

Merge branch 'dm-ldap-group-sync-filter-eep' into 'master'
Only enable LDAP group sync filter method on EEP Closes #3698 See merge request gitlab-org/gitlab-ee!3106
35f094b0 · Robert Speicher · 8061d73c · 2dae609e · 35f094b0 · 35f094b0
Commit 35f094b0 authored Oct 10, 2017 by Robert Speicher
25 changed files
--- a/app/assets/javascripts/groups/ldap_group_links.js
+++ b/app/assets/javascripts/groups/ldap_group_links.js
@@ -2,6 +2,8 @@ document.addEventListener('DOMContentLoaded', () => {
  const showGroupLink = () => {
    const $cnLink = $('.cn-link');
    const $filterLink = $('.filter-link');
+    if (!$cnLink.length || !$filterLink.length) return;
    const $checkedSync = $('input[name="sync_method"]:checked').val() === 'group';
    $cnLink.toggle($checkedSync);

--- a/app/controllers/groups/ldap_group_links_controller.rb
+++ b/app/controllers/groups/ldap_group_links_controller.rb
@@ -43,6 +43,9 @@ class Groups::LdapGroupLinksController < Groups::ApplicationController
  end
  def ldap_group_link_params
-    params.require(:ldap_group_link).permit(:cn, :filter, :group_access, :provider)
+    attrs = %i[cn group_access provider]
+    attrs << :filter if ::License.feature_available?(:ldap_group_sync_filter)
+    params.require(:ldap_group_link).permit(attrs)
  end
 end
--- a/app/controllers/groups/ldaps_controller.rb
+++ b/app/controllers/groups/ldaps_controller.rb
@@ -17,6 +17,6 @@ class Groups::LdapsController < Groups::ApplicationController
  private
  def check_enabled_extras!
-    render_404 unless Gitlab::LDAP::Config.enabled_extras?
+    render_404 unless Gitlab::LDAP::Config.group_sync_enabled?
  end
 end
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -230,20 +230,12 @@ class Group < Namespace
    ldap_group_links.first.try(:cn)
  end
-  def ldap_filter
-    ldap_group_links.first.try(:filter)
-  end
  def ldap_access
    ldap_group_links.first.try(:group_access)
  end
-  def ldap_cn_or_filter_present?
-    ldap_cn.present? || ldap_filter.present?
-  end
  def ldap_synced?
-    Gitlab.config.ldap.enabled && ldap_cn_or_filter_present?
+    Gitlab.config.ldap.enabled && ldap_group_links.any?(&:active?)
  end
  def post_create_hook

--- a/app/models/ldap_group_link.rb
+++ b/app/models/ldap_group_link.rb
@@ -43,6 +43,14 @@ class LdapGroupLink < ActiveRecord::Base
    config.label
  end
+  def active?
+    if filter.present?
+      ::License.feature_available?(:ldap_group_sync_filter)
+    elsif cn.present?
+      ::License.feature_available?(:ldap_group_sync)
+    end
+  end
  private
  def nullify_blank_attributes

--- a/app/models/license.rb
+++ b/app/models/license.rb
@@ -18,10 +18,11 @@ class License < ActiveRecord::Base
    issue_board_milestone
    issue_weights
    jenkins_integration
-    ldap_extras
+    ldap_group_sync
    merge_request_approvers
    merge_request_rebase
    merge_request_squash
+    multiple_ldap_servers
    multiple_issue_assignees
    multiple_issue_boards
    push_rules
@@ -42,6 +43,7 @@ class License < ActiveRecord::Base
    geo
    group_issue_boards
    jira_dev_panel_integration
+    ldap_group_sync_filter
    object_storage
    service_desk
    variable_environment_scope
@@ -108,7 +110,9 @@ class License < ActiveRecord::Base
    elastic_search
    extended_audit_events
    geo
-    ldap_extras
+    ldap_group_sync
+    ldap_group_sync_filter
+    multiple_ldap_servers
    object_storage
    repository_size_limit
  ].freeze

--- a/app/views/admin/groups/_form.html.haml
+++ b/app/views/admin/groups/_form.html.haml
@@ -36,7 +36,7 @@
      = f.submit 'Save changes', class: "btn btn-save"
      = link_to  'Cancel', admin_group_path(@group), class: "btn btn-cancel"
- if ldap_enabled? && @group.persisted?
+- if @group.persisted? && Gitlab::LDAP::Config.group_sync_enabled?
  %h3.page-title LDAP synchronizations
  = render 'ldap_group_links/form', group: @group
  = render 'ldap_group_links/ldap_group_links', group: @group
--- a/app/views/admin/groups/show.html.haml
+++ b/app/views/admin/groups/show.html.haml
@@ -62,11 +62,11 @@
        = render partial: "namespaces/shared_runner_status", locals: { namespace: @group }
+    - if Gitlab::LDAP::Config.group_sync_enabled? && @group.ldap_synced?
      .panel.panel-default
        .panel-heading Active synchronizations
        %ul.well-list
-        - if @group.ldap_group_links.any?
+          - @group.ldap_group_links.select(&:active?).each do |ldap_group_link|
-          - @group.ldap_group_links.each do |ldap_group_link|
            %li
              %strong= ldap_group_link.cn ? "Group: #{ldap_group_link.cn}" : "Filter: #{truncate(ldap_group_link.filter, length: 40)}"
              as

--- a/app/views/groups/group_members/_ldap_sync.html.haml
+++ b/app/views/groups/group_members/_ldap_sync.html.haml
@@ -3,7 +3,7 @@
    The members of this group are managed using LDAP and cannot be added or removed here.
    Because LDAP permissions in GitLab get updated one user at a time and because GitLab caches LDAP check results, changes on your LDAP server or in this group's LDAP sync settings may take up to #{Gitlab.config.ldap['sync_time']}s to show in the list below.
    %ul
-      - @group.ldap_group_links.each do |ldap_group_link|
+      - @group.ldap_group_links.select(&:active?).each do |ldap_group_link|
        %li
          People in
          %code= ldap_group_link.cn ? "cn: #{ldap_group_link.cn}" : "filter: #{truncate(ldap_group_link.filter, length: 70)}"

--- a/app/views/groups/ldap_group_links/index.html.haml
+++ b/app/views/groups/ldap_group_links/index.html.haml
- page_title 'LDAP Syncrhonizations'
+- page_title 'LDAP Synchronization'
 %h3.page-title LDAP synchronizations
 = render 'ldap_group_links/form', group: @group
 = render 'ldap_group_links/ldap_group_links', group: @group
--- a/app/views/ldap_group_links/_form.html.haml
+++ b/app/views/ldap_group_links/_form.html.haml
@@ -9,6 +9,7 @@
        .col-sm-10
          = f.select :provider, ldap_server_select_options, {}, class: 'form-control'
+      - if ::License.feature_available?(:ldap_group_sync_filter)
        .form-group.row
          = f.label :cn, class: 'control-label col-sm-2' do
            Sync method
@@ -32,6 +33,7 @@
            %br
            If you select an LDAP group you do not belong to you will lose ownership of #{group.name}.
+      - if ::License.feature_available?(:ldap_group_sync_filter)
        .form-group.row.filter-link
          = f.label :filter, class: 'control-label col-sm-2' do
            LDAP User filter

--- a/app/views/ldap_group_links/_ldap_group_link.html.haml
+++ b/app/views/ldap_group_links/_ldap_group_link.html.haml
@@ -13,3 +13,6 @@
      Config for LDAP server
      %code= ldap_group_link.provider
      is not present in GitLab
+  - unless ldap_group_link.active?
+    (Inactive because syncing with an LDAP user filter is not included in the current license)
--- a/app/workers/ldap_all_groups_sync_worker.rb
+++ b/app/workers/ldap_all_groups_sync_worker.rb
@@ -3,7 +3,7 @@ class LdapAllGroupsSyncWorker
  include CronjobQueue
  def perform
-    return unless Gitlab::LDAP::Config.enabled_extras?
+    return unless Gitlab::LDAP::Config.group_sync_enabled?
    logger.info 'Started LDAP group sync'
    EE::Gitlab::LDAP::Sync::Groups.execute

--- a/app/workers/ldap_group_sync_worker.rb
+++ b/app/workers/ldap_group_sync_worker.rb
@@ -3,7 +3,7 @@ class LdapGroupSyncWorker
  include DedicatedSidekiqQueue
  def perform(group_ids, provider = nil)
-    return unless Gitlab::LDAP::Config.enabled_extras?
+    return unless Gitlab::LDAP::Config.group_sync_enabled?
    groups = Group.where(id: Array(group_ids))

--- a/app/workers/ldap_sync_worker.rb
+++ b/app/workers/ldap_sync_worker.rb
@@ -3,7 +3,7 @@ class LdapSyncWorker
  include CronjobQueue
  def perform
-    return unless Gitlab::LDAP::Config.enabled_extras?
+    return unless Gitlab::LDAP::Config.group_sync_enabled?
    Rails.logger.info "Performing daily LDAP sync task."
    User.ldap.find_each(batch_size: 100).each do |ldap_user|

--- a/doc/administration/auth/ldap-ee.md
+++ b/doc/administration/auth/ldap-ee.md
@@ -54,7 +54,7 @@ new groups they might be added to when the user logs in. That way they don't nee
 to wait for the hourly sync to be granted access to the groups that they are in
 in LDAP.
-We can also add a GitLab group to sync with one or multiple LDAP groups or we can
+In GitLab Enterprise Edition Premium, we can also add a GitLab group to sync with one or multiple LDAP groups or we can
 also add a filter. The filter must comply with the syntax defined in [RFC 2254](https://tools.ietf.org/search/rfc2254).
 A group sync process will run every hour on the hour, and `group_base` must be set

--- a/ee/app/views/groups/ee/_settings_nav.html.haml
+++ b/ee/app/views/groups/ee/_settings_nav.html.haml
- if Gitlab::LDAP::Config.enabled_extras? && can?(current_user, :admin_ldap_group_links, @group)
+- if Gitlab::LDAP::Config.group_sync_enabled? && can?(current_user, :admin_ldap_group_links, @group)
  = nav_link(path: 'ldap_group_links#index') do
    = link_to group_ldap_group_links_path(@group), title: 'LDAP Group' do
      %span
-        LDAP Group
+        LDAP Synchronization
 - if @group.feature_available?(:group_webhooks) || show_promotions?
  = nav_link(path: 'hooks#index') do

--- a/ee/lib/ee/gitlab/ldap/config.rb
+++ b/ee/lib/ee/gitlab/ldap/config.rb
@@ -5,8 +5,8 @@ module EE
        extend ActiveSupport::Concern
        class_methods do
-          def enabled_extras?
+          def group_sync_enabled?
-            enabled? && ::License.feature_available?(:ldap_extras)
+            enabled? && ::License.feature_available?(:ldap_group_sync)
          end
        end
      end

--- a/ee/lib/ee/gitlab/ldap/sync/group.rb
+++ b/ee/lib/ee/gitlab/ldap/sync/group.rb
@@ -74,6 +74,8 @@ module EE
            access_levels = AccessLevels.new
            # Only iterate over group links for the current provider
            group.ldap_group_links.with_provider(provider).each do |group_link|
+              next unless group_link.active?
              update_access_levels(access_levels, group_link)
            end

--- a/lib/api/groups.rb
+++ b/lib/api/groups.rb
@@ -213,7 +213,7 @@ module API
      desc 'Sync a group with LDAP.'
      post ":id/ldap_sync" do
-        not_found! unless Gitlab::LDAP::Config.enabled_extras?
+        not_found! unless Gitlab::LDAP::Config.group_sync_enabled?
        group = find_group!(params[:id])
        authorize! :admin_group, group

--- a/lib/gitlab/ldap/config.rb
+++ b/lib/gitlab/ldap/config.rb
@@ -27,7 +27,7 @@ module Gitlab
      def self.available_servers
        return [] unless enabled?
-        enabled_extras? ? servers : Array.wrap(servers.first)
+        ::License.feature_available?(:multiple_ldap_servers) ? servers : Array.wrap(servers.first)
      end
      def self.providers

--- a/spec/ee/spec/lib/ee/gitlab/ldap/sync/group_spec.rb
+++ b/spec/ee/spec/lib/ee/gitlab/ldap/sync/group_spec.rb
@@ -381,6 +381,10 @@ describe EE::Gitlab::LDAP::Sync::Group do
  end
  context 'filter' do
+    before do
+      stub_licensed_features(ldap_group_sync_filter: true)
+    end
    describe '#update_permissions' do
      before do
        # Safe-check because some permissions are removed when `Group#ldap_synced?`

--- a/spec/features/groups/group_settings_spec.rb
+++ b/spec/features/groups/group_settings_spec.rb
@@ -19,7 +19,7 @@ feature 'Edit group settings' do
      scenario 'is able to navigate to LDAP group section' do
        visit edit_group_path(group)
-        expect(find('.nav-sidebar')).to have_content('LDAP Group')
+        expect(find('.nav-sidebar')).to have_content('LDAP Synchronization')
      end
      context 'with owners not being able to manage LDAP' do
@@ -28,7 +28,7 @@ feature 'Edit group settings' do
          visit edit_group_path(group)
-          expect(find('.nav-sidebar')).not_to have_content('LDAP Group')
+          expect(find('.nav-sidebar')).not_to have_content('LDAP Synchronization')
        end
      end
    end

--- a/spec/features/groups/ldap_group_links_spec.rb
+++ b/spec/features/groups/ldap_group_links_spec.rb
@@ -12,6 +12,11 @@ feature 'Edit group settings', :js do
  context 'LDAP sync method' do
    before do
      allow(Gitlab.config.ldap).to receive(:enabled).and_return(true)
+    end
+    context 'when the LDAP group sync filter feature is available' do
+      before do
+        stub_licensed_features(ldap_group_sync_filter: true)
        visit group_ldap_group_links_path(group)
      end
@@ -31,4 +36,25 @@ feature 'Edit group settings', :js do
        expect(page).not_to have_content('This query must use valid LDAP Search Filter Syntax')
      end
    end
+    context 'when the LDAP group sync filter feature is available' do
+      before do
+        stub_licensed_features(ldap_group_sync_filter: false)
+        visit group_ldap_group_links_path(group)
+      end
+      scenario 'does not show the LDAP search method switcher' do
+        expect(page).not_to have_field('sync_method_filter')
+      end
+      scenario 'shows the LDAP group section' do
+        expect(page).to have_content("Synchronize #{group.name}'s members with this LDAP group")
+      end
+      scenario 'does not shows the LDAP filter section' do
+        expect(page).not_to have_content('This query must use valid LDAP Search Filter Syntax')
+      end
+    end
+  end
 end
--- a/spec/requests/api/groups_spec.rb
+++ b/spec/requests/api/groups_spec.rb
@@ -700,9 +700,13 @@ describe API::Groups do
  end
  describe 'POST /groups/:id/ldap_sync' do
-    context 'when LDAP config enabled_extras is true' do
    before do
-        allow(Gitlab::LDAP::Config).to receive(:enabled_extras?).and_return(true)
+      allow(Gitlab::LDAP::Config).to receive(:enabled?).and_return(true)
+    end
+    context 'when the ldap_group_sync feature is available' do
+      before do
+        stub_licensed_features(ldap_group_sync: true)
      end
      context 'when authenticated as the group owner' do
@@ -772,9 +776,9 @@ describe API::Groups do
      end
    end
-    context 'when LDAP config enabled_extras is false' do
+    context 'when the ldap_group_sync feature is not available' do
      before do
-        allow(Gitlab::LDAP::Config).to receive(:enabled_extras?).and_return(false)
+        stub_licensed_features(ldap_group_sync: false)
      end
      it 'returns 404 (same as CE would)' do