Merge branch 'mk-add-group-ldap-sync-to-api' into 'master'

Add LDAP sync endpoint to Groups API Closes #2304 See merge request !2785

Merge branch 'mk-add-group-ldap-sync-to-api' into 'master'
Add LDAP sync endpoint to Groups API Closes #2304 See merge request !2785
afa2cb2b · Douwe Maan · 48f41ee0 · ff550f47 · afa2cb2b · afa2cb2b
Commit afa2cb2b authored Sep 01, 2017 by Douwe Maan
5 changed files
--- a/app/controllers/groups/ldaps_controller.rb
+++ b/app/controllers/groups/ldaps_controller.rb
 class Groups::LdapsController < Groups::ApplicationController
  before_action :group
  before_action :authorize_admin_group!
+  before_action :check_enabled_extras!
  def sync
-    @group.pending_ldap_sync
+    if @group.pending_ldap_sync
-    LdapGroupSyncWorker.perform_async(@group.id)
+      LdapGroupSyncWorker.perform_async(@group.id)
+      message = 'The group sync has been scheduled'
+    else
+      message = 'The group sync is already scheduled'
+    end
-    redirect_to group_group_members_path(@group), notice: 'The group sync has been scheduled'
+    redirect_to group_group_members_path(@group), notice: message
+  end
+  private
+  def check_enabled_extras!
+    render_404 unless Gitlab::LDAP::Config.enabled_extras?
  end
 end
--- a/changelogs/unreleased-ee/mk-add-group-ldap-sync-to-api.yml
+++ b/changelogs/unreleased-ee/mk-add-group-ldap-sync-to-api.yml
+---
+title: Add LDAP sync endpoint to Groups API
+merge_request: 2785
+author:
+type: added
--- a/doc/api/groups.md
+++ b/doc/api/groups.md
@@ -395,7 +395,7 @@ Example response:
 ## Remove group
-Removes group with all projects inside.
+Removes group with all projects inside. Only available to group owners and administrators.
 ```
 DELETE /groups/:id
@@ -424,6 +424,18 @@ GET /groups?search=foobar
 ]
 ```
+## Sync group with LDAP
+Syncs the group with its linked LDAP group. Only available to group owners and administrators.
+```
+POST /groups/:id/ldap_sync
+```
+Parameters:
+- `id` (required) - The ID or path of a user group
 ## Group members
 Please consult the [Group Members](members.md) documentation.

--- a/lib/api/groups.rb
+++ b/lib/api/groups.rb
@@ -153,6 +153,7 @@ module API
        destroy_conditionally!(group) do |group|
          ::Groups::DestroyService.new(group, current_user).execute
        end
+        status 204
      end
      desc 'Get a list of projects in this group.' do
@@ -200,6 +201,19 @@ module API
          render_api_error!("Failed to transfer project #{project.errors.messages}", 400)
        end
      end
+      desc 'Sync a group with LDAP.'
+      post ":id/ldap_sync" do
+        not_found! unless Gitlab::LDAP::Config.enabled_extras?
+        group = find_group!(params[:id])
+        authorize! :admin_group, group
+        if group.pending_ldap_sync
+          LdapGroupSyncWorker.perform_async(group.id)
+        end
+        status 202
+      end
    end
  end
 end
--- a/spec/requests/api/groups_spec.rb
+++ b/spec/requests/api/groups_spec.rb
@@ -670,4 +670,96 @@ describe API::Groups do
      end
    end
  end
+  describe 'POST /groups/:id/ldap_sync' do
+    context 'when LDAP config enabled_extras is true' do
+      before do
+        allow(Gitlab::LDAP::Config).to receive(:enabled_extras?).and_return(true)
+      end
+      context 'when authenticated as the group owner' do
+        context 'when the group is ready to sync' do
+          it 'returns 202 Accepted' do
+            ldap_sync(group1.id, user1, :disable!)
+            expect(response).to have_http_status(202)
+          end
+          it 'queues a sync job' do
+            expect { ldap_sync(group1.id, user1, :fake!) }.to change(LdapGroupSyncWorker.jobs, :size).by(1)
+          end
+          it 'sets the ldap_sync state to pending' do
+            ldap_sync(group1.id, user1, :disable!)
+            expect(group1.reload.ldap_sync_pending?).to be_truthy
+          end
+        end
+        context 'when the group is already pending a sync' do
+          before do
+            group1.pending_ldap_sync!
+          end
+          it 'returns 202 Accepted' do
+            ldap_sync(group1.id, user1, :disable!)
+            expect(response).to have_http_status(202)
+          end
+          it 'does not queue a sync job' do
+            expect { ldap_sync(group1.id, user1, :fake!) }.not_to change(LdapGroupSyncWorker.jobs, :size)
+          end
+          it 'does not change the ldap_sync state' do
+            expect do
+              ldap_sync(group1.id, user1, :disable!)
+            end.not_to change { group1.reload.ldap_sync_status }
+          end
+        end
+        it 'returns 404 for a non existing group' do
+          ldap_sync(1328, user1, :disable!)
+          expect(response).to have_http_status(404)
+        end
+      end
+      context 'when authenticated as the admin' do
+        it 'returns 202 Accepted' do
+          ldap_sync(group1.id, admin, :disable!)
+          expect(response).to have_http_status(202)
+        end
+      end
+      context 'when authenticated as a non-owner user that can see the group' do
+        it 'returns 403' do
+          ldap_sync(group1.id, user2, :disable!)
+          expect(response).to have_http_status(403)
+        end
+      end
+      context 'when authenticated as an user that cannot see the group' do
+        it 'returns 404' do
+          ldap_sync(group2.id, user1, :disable!)
+          expect(response).to have_http_status(404)
+        end
+      end
+    end
+    context 'when LDAP config enabled_extras is false' do
+      before do
+        allow(Gitlab::LDAP::Config).to receive(:enabled_extras?).and_return(false)
+      end
+      it 'returns 404 (same as CE would)' do
+        ldap_sync(group1.id, admin, :disable!)
+        expect(response).to have_http_status(404)
+      end
+    end
+  end
+  def ldap_sync(group_id, user, sidekiq_testing_method)
+    Sidekiq::Testing.send(sidekiq_testing_method) do
+      post api("/groups/#{group_id}/ldap_sync", user)
+    end
+  end
 end