Merge branch 'ldap_block_when_missing' into 'master'

Block LDAP user when they are no longer found in the LDAP server

Currently, if a user is deleted from LDAP the `Gitlab::Ldap::Access.allowed?` method will return `false`, but the user will not be blocked. This means that the user would be able to continue using GitLab if they are already logged in, or when performing Git over SSH operations.

After this change, users will be blocked when they no longer exist in LDAP. There is still a one hour LDAP check cache time in effect, so the change is not immediate. This is noted in the documentation.

cc/ @DouweM @dzaporozhets 

See merge request !2022

CHANGELOG

@@ -23,6 +23,7 @@ v 8.3.0 (unreleased)
   - Run custom Git hooks when branch is created or deleted.
   - Fix bug when simultaneously accepting multiple MRs results in MRs that are of "merged" status, but not merged to the target branch
   - Add languages page to graphs
+  - Block LDAP user when they are no longer found in the LDAP server
 
 v 8.2.3
   - Fix application settings cache not expiring after changes (Stan Hu)

doc/integration/ldap.md

@@ -13,6 +13,12 @@ An LDAP user who is allowed to change their email on the LDAP server can [take o
 
 We recommend against using GitLab LDAP integration if your LDAP users are allowed to change their 'mail', 'email' or 'userPrincipalName'  attribute on the LDAP server.
 
+If a user is deleted from the LDAP server, they will be blocked in GitLab as well.
+Users will be immediately blocked from logging in. However, there is an LDAP check
+cache time of one hour. The means users that are already logged in or are using Git
+over SSH will still be able to access GitLab for up to one hour. Manually block
+the user in the GitLab Admin area to immediately block all access.
+
 ## Configuring GitLab for LDAP integration
 
 To enable GitLab LDAP integration you need to add your LDAP server settings in `/etc/gitlab/gitlab.rb` or `/home/git/gitlab/config/gitlab.yml`.
@@ -192,4 +198,4 @@ Not supported by GitLab's configuration options.
 When setting `method: ssl`, the underlying authentication method used by 
 `omniauth-ldap` is `simple_tls`.  This method establishes TLS encryption with 
 the LDAP server before any LDAP-protocol data is exchanged but no validation of
-the LDAP server's SSL certificate is performed.
\ No newline at end of file
+the LDAP server's SSL certificate is performed.

lib/gitlab/ldap/access.rb

@@ -37,13 +37,15 @@ module Gitlab
 
           # Block user in GitLab if he/she was blocked in AD
           if Gitlab::LDAP::Person.disabled_via_active_directory?(user.ldap_identity.extern_uid, adapter)
-            user.block unless user.blocked?
+            user.block
             false
           else
             user.activate if user.blocked? && !ldap_config.block_auto_created_users
             true
           end
         else
+          # Block the user if they no longer exist in LDAP/AD
+          user.block 
           false
         end
       rescue

spec/lib/gitlab/ldap/access_spec.rb

@@ -13,6 +13,11 @@ describe Gitlab::LDAP::Access do
       end
 
       it { is_expected.to be_falsey }
+      
+      it 'should block user in GitLab' do
+        access.allowed?
+        expect(user).to be_blocked
+      end
     end
 
     context 'when the user is found' do