Commit d6dc088a authored by Gabriel Mazetto's avatar Gabriel Mazetto

LDAP synchronization block/unblock new states

parent 6e7db8e2
...@@ -37,15 +37,15 @@ module Gitlab ...@@ -37,15 +37,15 @@ module Gitlab
# Block user in GitLab if he/she was blocked in AD # Block user in GitLab if he/she was blocked in AD
if Gitlab::LDAP::Person.disabled_via_active_directory?(user.ldap_identity.extern_uid, adapter) if Gitlab::LDAP::Person.disabled_via_active_directory?(user.ldap_identity.extern_uid, adapter)
user.block user.ldap_block
false false
else else
user.activate if user.blocked? && !ldap_config.block_auto_created_users user.activate if (user.blocked? && !ldap_config.block_auto_created_users) || user.ldap_blocked?
true true
end end
else else
# Block the user if they no longer exist in LDAP/AD # Block the user if they no longer exist in LDAP/AD
user.block user.ldap_block
false false
end end
rescue rescue
......
...@@ -17,60 +17,55 @@ describe Gitlab::LDAP::Access, lib: true do ...@@ -17,60 +17,55 @@ describe Gitlab::LDAP::Access, lib: true do
it 'should block user in GitLab' do it 'should block user in GitLab' do
access.allowed? access.allowed?
expect(user).to be_blocked expect(user).to be_blocked
expect(user).to be_ldap_blocked
end end
end end
context 'when the user is found' do context 'when the user is found' do
before do before do
allow(Gitlab::LDAP::Person). allow(Gitlab::LDAP::Person).to receive(:find_by_dn).and_return(:ldap_user)
to receive(:find_by_dn).and_return(:ldap_user)
end end
context 'and the user is disabled via active directory' do context 'and the user is disabled via active directory' do
before do before do
allow(Gitlab::LDAP::Person). allow(Gitlab::LDAP::Person).to receive(:disabled_via_active_directory?).and_return(true)
to receive(:disabled_via_active_directory?).and_return(true)
end end
it { is_expected.to be_falsey } it { is_expected.to be_falsey }
it "should block user in GitLab" do it 'should block user in GitLab' do
access.allowed? access.allowed?
expect(user).to be_blocked expect(user).to be_blocked
expect(user).to be_ldap_blocked
end end
end end
context 'and has no disabled flag in active diretory' do context 'and has no disabled flag in active diretory' do
before do before do
user.block user.block
allow(Gitlab::LDAP::Person).to receive(:disabled_via_active_directory?).and_return(false)
allow(Gitlab::LDAP::Person).
to receive(:disabled_via_active_directory?).and_return(false)
end end
it { is_expected.to be_truthy } it { is_expected.to be_truthy }
context 'when auto-created users are blocked' do context 'when auto-created users are blocked' do
before do before do
allow_any_instance_of(Gitlab::LDAP::Config). allow_any_instance_of(Gitlab::LDAP::Config).to receive(:block_auto_created_users).and_return(true)
to receive(:block_auto_created_users).and_return(true)
end end
it "does not unblock user in GitLab" do it 'does not unblock user in GitLab' do
access.allowed? access.allowed?
expect(user).to be_blocked expect(user).to be_blocked
expect(user).not_to be_ldap_blocked # this block is handled by omniauth not by our internal logic
end end
end end
context "when auto-created users are not blocked" do context 'when auto-created users are not blocked' do
before do before do
allow_any_instance_of(Gitlab::LDAP::Config). allow_any_instance_of(Gitlab::LDAP::Config).to receive(:block_auto_created_users).and_return(false)
to receive(:block_auto_created_users).and_return(false)
end end
it "should unblock user in GitLab" do it 'should unblock user in GitLab' do
access.allowed? access.allowed?
expect(user).not_to be_blocked expect(user).not_to be_blocked
end end
...@@ -80,8 +75,7 @@ describe Gitlab::LDAP::Access, lib: true do ...@@ -80,8 +75,7 @@ describe Gitlab::LDAP::Access, lib: true do
context 'without ActiveDirectory enabled' do context 'without ActiveDirectory enabled' do
before do before do
allow(Gitlab::LDAP::Config).to receive(:enabled?).and_return(true) allow(Gitlab::LDAP::Config).to receive(:enabled?).and_return(true)
allow_any_instance_of(Gitlab::LDAP::Config). allow_any_instance_of(Gitlab::LDAP::Config).to receive(:active_directory).and_return(false)
to receive(:active_directory).and_return(false)
end end
it { is_expected.to be_truthy } it { is_expected.to be_truthy }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment