Adapt tests to refactoring

- Use smarter instance methods - Support multiple LDAP servers

Adapt tests to refactoring
- Use smarter instance methods - Support multiple LDAP servers
1bc99369 · Jan-Willem van der Meer · 4ef74844 · 1bc99369 · 1bc99369 · 1bc99369
Commit 1bc99369 authored Oct 07, 2014 by Jan-Willem van der Meer
5 changed files
--- a/lib/gitlab/ldap/access.rb
+++ b/lib/gitlab/ldap/access.rb
@@ -6,19 +6,19 @@
 module Gitlab
  module LDAP
    class Access
-      attr_reader :adapter, :provider
+      attr_reader :adapter, :provider, :user, :ldap_user

-      def self.open(provider, &block)
-        Gitlab::LDAP::Adapter.open(provider) do |adapter|
-          block.call(self.new(provider, adapter))
+      def self.open(user, &block)
+        Gitlab::LDAP::Adapter.open(user.provider) do |adapter|
+          block.call(self.new(user, adapter))
        end
      end

      def self.allowed?(user)
-        self.open(user.provider) do |access|
-          if access.allowed?(user)
-            access.update_permissions(user)
-            access.update_email(user)
+        self.open(user) do |access|
+          if access.allowed?
+            access.update_permissions
+            access.update_email
            user.last_credential_check_at = Time.now
            user.save
            true
@@ -28,12 +28,13 @@ module Gitlab
        end
      end

-      def initialize(provider, adapter=nil)
-        @provider = provider
+      def initialize(user, adapter=nil)
        @adapter = adapter
+        @user = user
+        @provider = user.provider
      end

-      def allowed?(user)
+      def allowed?
        if Gitlab::LDAP::Person.find_by_dn(user.extern_uid, adapter)
          !Gitlab::LDAP::Person.disabled_via_active_directory?(user.extern_uid, adapter)
        else
@@ -47,31 +48,28 @@ module Gitlab
        @adapter ||= Gitlab::LDAP::Adapter.new(provider)
      end

-      def get_ldap_user(user)
+      def ldap_user
        @ldap_user ||= Gitlab::LDAP::Person.find_by_dn(user.extern_uid, adapter)
      end

-      def update_permissions(user)
+      def update_permissions
        if sync_ssh_keys?
-          update_ssh_keys(user)
+          update_ssh_keys
        end

        # Skip updating group permissions
        # if instance does not use group_base setting
        return true unless group_base.present?

-        update_ldap_group_links(user)
+        update_ldap_group_links

        if admin_group.present?
-          update_admin_status(user)
+          update_admin_status
        end
      end

      # Update user ssh keys if they changed in LDAP
-      def update_ssh_keys(user)
-        # Get LDAP user entry
-        ldap_user = get_ldap_user(user)
-
+      def update_ssh_keys
        user.keys.ldap.where.not(key: ldap_user.ssh_keys).each do |deleted_key|
          Rails.logger.info "#{self.class.name}: removing LDAP SSH key #{deleted_key.key} from #{user.name} (#{user.id})"
          unless deleted_key.destroy
@@ -81,7 +79,7 @@ module Gitlab

        (ldap_user.ssh_keys - user.keys.ldap.pluck(:key)).each do |key|
          Rails.logger.info "#{self.class.name}: adding LDAP SSH key #{key.inspect} to #{user.name} (#{user.id})"
-          new_key = LDAPKey.new(title: "LDAP - #{ldap_config['sync_ssh_keys']}", key: key)
+          new_key = LDAPKey.new(title: "LDAP - #{ldap_config.ssh_sync_key}", key: key)
          new_key.user = user
          unless new_key.save
            Rails.logger.error "#{self.class.name}: failed to add LDAP SSH key #{key.inspect} to #{user.name} (#{user.id})\n"\
@@ -91,16 +89,12 @@ module Gitlab
      end

      # Update user email if it changed in LDAP
-      def update_email(user)
-        uid = user.extern_uid
-        ldap_user = get_ldap_user(user)
-        gitlab_user = ::User.where(provider: 'ldap', extern_uid: uid).last
-
-        if gitlab_user && ldap_user && ldap_user.email
+      def update_email
+        if ldap_user.try(:email)
          ldap_email = ldap_user.email.last.to_s.downcase

-          if (gitlab_user.email != ldap_email)
-            gitlab_user.update(email: ldap_email)
+          if (user.email != ldap_email)
+            user.update(email: ldap_email)
          else
            false
          end
@@ -109,8 +103,8 @@ module Gitlab
        end
      end

-      def update_admin_status(user)
-        admin_group = Gitlab::LDAP::Group.find_by_cn(ldap_config['admin_group'], adapter)
+      def update_admin_status
+        admin_group = Gitlab::LDAP::Group.find_by_cn(ldap_config.admin_group, adapter)
        if admin_group.has_member?(Gitlab::LDAP::Person.find_by_dn(user.extern_uid, adapter))
          unless user.admin?
            user.admin = true
@@ -125,9 +119,9 @@ module Gitlab
      end

      # Loop throug all ldap conneted groups, and update the users link with it
-      def update_ldap_group_links(user)
+      def update_ldap_group_links
        gitlab_groups_with_ldap_link.each do |group|
-          active_group_links = group.ldap_group_links.where(cn: cns_with_access(get_ldap_user(user)))
+          active_group_links = group.ldap_group_links.where(cn: cns_with_access)

          if active_group_links.any?
            group.add_users([user.id], fetch_group_access(group, user, active_group_links))
@@ -144,7 +138,7 @@ module Gitlab
      end

      # returns a collection of cn strings to which the user has access
-      def cns_with_access(ldap_user)
+      def cns_with_access
        @ldap_groups_with_access ||= ldap_groups.select do |ldap_group|
          ldap_group.has_member?(ldap_user)
        end.map(&:cn)

--- a/lib/gitlab/ldap/person.rb
+++ b/lib/gitlab/ldap/person.rb
@@ -6,24 +6,24 @@ module Gitlab
      # Source: http://ctogonewild.com/2009/09/03/bitmask-searches-in-ldap/
      AD_USER_DISABLED = Net::LDAP::Filter.ex("userAccountControl:1.2.840.113556.1.4.803", "2")

-      def self.find_by_uid(uid, adapter=nil)
-        adapter ||= Gitlab::LDAP::Adapter.new
+      attr_accessor :entry, :provider
+
+      def self.find_by_uid(uid, adapter)
        adapter.user(Gitlab.config.ldap.uid, uid)
      end

-      def self.find_by_dn(dn, adapter=nil)
-        adapter ||= Gitlab::LDAP::Adapter.new
+      def self.find_by_dn(dn, adapter)
        adapter.user('dn', dn)
      end

-      def self.disabled_via_active_directory?(dn, adapter=nil)
-        adapter ||= Gitlab::LDAP::Adapter.new
+      def self.disabled_via_active_directory?(dn, adapter)
        adapter.dn_matches_filter?(dn, AD_USER_DISABLED)
      end

-      def initialize(entry)
+      def initialize(entry, provider)
        Rails.logger.debug { "Instantiating #{self.class.name} with LDIF:\n#{entry.to_ldif}" }
        @entry = entry
+        @provider = provider
      end

      def name
@@ -47,9 +47,8 @@ module Gitlab
      end

      def ssh_keys
-        ssh_keys_attribute = Gitlab.config.ldap['sync_ssh_keys'].to_sym
-        if entry.respond_to?(ssh_keys_attribute)
-          entry[ssh_keys_attribute]
+        if config.sync_ssh_keys? && entry.respond_to?(config.ssh_sync_key)
+          entry[config.ssh_sync_key.to_sym]
        else
          []
        end
@@ -61,12 +60,12 @@ module Gitlab
        @entry
      end

-      def adapter
-        @adapter ||= Gitlab::LDAP::Adapter.new
-      end
+      # def adapter
+      #   @adapter ||= Gitlab::LDAP::Adapter.new
+      # end

      def config
-        @config ||= Gitlab.config.ldap
+        @config ||= Gitlab::LDAP::Config.new(provider)
      end
    end
  end

--- a/lib/gitlab/ldap/user.rb
+++ b/lib/gitlab/ldap/user.rb
@@ -14,8 +14,9 @@ module Gitlab
        def authenticate(login, password)
          # Check user against LDAP backend if user is not authenticated
          # Only check with valid login and password to prevent anonymous bind results
-          return nil unless ldap_conf.enabled && login.present? && password.present?
+          return nil unless ldap_conf.enabled? && login.present? && password.present?

+          binding.pry
          ldap_user = adapter.bind_as(
            filter: user_filter(login),
            size: 1,

--- a/spec/factories.rb
+++ b/spec/factories.rb
@@ -24,6 +24,11 @@ FactoryGirl.define do
      admin true
    end

+    trait :ldap do
+      provider 'ldapmain'
+      extern_uid 'my-ldap-id'
+    end
+
    factory :admin, traits: [:admin]
  end


--- a/spec/lib/gitlab/ldap/access_spec.rb
+++ b/spec/lib/gitlab/ldap/access_spec.rb
 require 'spec_helper'

 describe Gitlab::LDAP::Access do
-  let(:access) { Gitlab::LDAP::Access.new 'ldapmain' }
-  let(:user) { create(:user) }
+  let(:access) { Gitlab::LDAP::Access.new user }
+  let(:user) { create(:user, :ldap) }

  describe :allowed? do
-    subject { access.allowed?(user) }
+    subject { access.allowed? }

    context 'when the user cannot be found' do
      before { Gitlab::LDAP::Person.stub(find_by_dn: nil) }
@@ -31,161 +31,131 @@ describe Gitlab::LDAP::Access do
  end

  describe :update_permissions do
-    subject { access.update_permissions(user) }
+    subject { access.update_permissions }

-    before do
-      Gitlab.config.ldap['enabled'] = true
-      Gitlab.config.ldap['sync_ssh_keys'] = false
-      Gitlab.config.ldap['group_base'] = 'something'
-      Gitlab.config.ldap['admin_group'] = ''
-    end
+    it "syncs ssh keys if enabled by configuration" do
+      access.stub sync_ssh_keys?: true
+      expect(access).to receive(:update_ssh_keys).once

-    after do
-      Gitlab.config.ldap['enabled'] = false
+      subject
    end

-    it "syncs ssh keys if enabled by configuration" do
-      Gitlab.config.ldap['sync_ssh_keys'] = true
-      expect(access).to receive(:update_ssh_keys).with(user).once
+    it "does update group permissions with a group base configured" do
+      access.stub group_base: 'my-group-base'
+      expect(access).to receive(:update_ldap_group_links)

      subject
    end

    it "does not update group permissions without a group base configured" do
-      Gitlab.config.ldap['group_base'] = ''
-      expect(access).not_to receive(:update_ldap_group_links).with(user)
+      access.stub group_base: ''
+      expect(access).not_to receive(:update_ldap_group_links)

      subject
    end

    it "does update admin group permissions if admin group is configured" do
-      Gitlab.config.ldap['admin_group'] = 'NSA'
-
-      access.stub(:update_ldap_group_links)
-      expect(access).to receive(:update_admin_status).with(user)
+      access.stub admin_group: 'my-admin-group'
+      access.stub :update_ldap_group_links
+      expect(access).to receive(:update_admin_status)

      subject
    end
  end

  describe :update_ssh_keys do
-    let(:user_ldap) { create(:user, provider: 'ldap', extern_uid: "66049")}
    let(:ssh_key) { 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrSQHff6a1rMqBdHFt+FwIbytMZ+hJKN3KLkTtOWtSvNIriGhnTdn4rs+tjD/w+z+revytyWnMDM9dS7J8vQi006B16+hc9Xf82crqRoPRDnBytgAFFQY1G/55ql2zdfsC5yvpDOFzuwIJq5dNGsojS82t6HNmmKPq130fzsenFnj5v1pl3OJvk513oduUyKiZBGTroWTn7H/eOPtu7s9MD7pAdEjqYKFLeaKmyidiLmLqQlCRj3Tl2U9oyFg4PYNc0bL5FZJ/Z6t0Ds3i/a2RanQiKxrvgu3GSnUKMx7WIX373baL4jeM7cprRGiOY/1NcS+1cAjfJ8oaxQF/1dYj' }
-    let(:key_ldap) { LDAPKey.new(title: 'used to be a ldap key', key: ssh_key) }
+    let(:ssh_key_attribute_name) { 'sshpublickey' }
+    let(:entry) {
+      Net::LDAP::Entry.from_single_ldif_string("dn: cn=foo, dc=bar, dc=com\n#{ssh_key_attribute_name}: #{ssh_key}") }

    before do
-      @old_value = Gitlab.config.ldap['sync_ssh_keys']
-      key_attribute_name = 'sshpublickey'
-      Gitlab.config.ldap['sync_ssh_keys'] = key_attribute_name
-    end
-
-    after do
-      Gitlab.config.ldap['sync_ssh_keys'] = @old_value
+      Gitlab::LDAP::Config.any_instance.stub(ssh_sync_key: ssh_key_attribute_name)
+      access.stub sync_ssh_keys?: true
    end

    it "should add a SSH key if it is in LDAP but not in gitlab" do
-      entry = Net::LDAP::Entry.from_single_ldif_string("dn: cn=foo, dc=bar, dc=com\n#{Gitlab.config.ldap['sync_ssh_keys']}: #{ssh_key}")
-      Gitlab::LDAP::Adapter.any_instance.stub(:user) { Gitlab::LDAP::Person.new(entry) }
+      entry = Net::LDAP::Entry.from_single_ldif_string("dn: cn=foo, dc=bar, dc=com\n#{ssh_key_attribute_name}: #{ssh_key}")
+      Gitlab::LDAP::Adapter.any_instance.stub(:user) { Gitlab::LDAP::Person.new(entry, 'ldapmain') }

-      expect(user_ldap.keys.size).to be(0)
-      access.update_ssh_keys(user_ldap)
-      user_ldap.reload
-      expect(user_ldap.keys.size).to be(1)
+      expect{ access.update_ssh_keys }.to change(user.keys, :count).from(0).to(1)
    end

    it "should add a SSH key and give it a proper name" do
-      entry = Net::LDAP::Entry.from_single_ldif_string("dn: cn=foo, dc=bar, dc=com\n#{Gitlab.config.ldap['sync_ssh_keys']}: #{ssh_key}")
-      Gitlab::LDAP::Adapter.any_instance.stub(:user) { Gitlab::LDAP::Person.new(entry) }
+      entry = Net::LDAP::Entry.from_single_ldif_string("dn: cn=foo, dc=bar, dc=com\n#{ssh_key_attribute_name}: #{ssh_key}")
+      Gitlab::LDAP::Adapter.any_instance.stub(:user) { Gitlab::LDAP::Person.new(entry, 'ldapmain') }

-      access.update_ssh_keys(user_ldap)
-      expect(user_ldap.keys.last.title).to match(/LDAP/)
-      expect(user_ldap.keys.last.title).to match(/#{Gitlab.config.ldap['sync_ssh_keys']}/)
+      access.update_ssh_keys
+      expect(user.keys.last.title).to match(/LDAP/)
+      expect(user.keys.last.title).to match(/#{access.ldap_config.ssh_sync_key}/)
    end

    it "should not add a SSH key if it is invalid" do
-      entry = Net::LDAP::Entry.from_single_ldif_string("dn: cn=foo, dc=bar, dc=com\n#{Gitlab.config.ldap['sync_ssh_keys']}: I am not a valid key")
-      Gitlab::LDAP::Adapter.any_instance.stub(:user) { Gitlab::LDAP::Person.new(entry) }
+      entry = Net::LDAP::Entry.from_single_ldif_string("dn: cn=foo, dc=bar, dc=com\n#{ssh_key_attribute_name}: I am not a valid key")
+      Gitlab::LDAP::Adapter.any_instance.stub(:user) { Gitlab::LDAP::Person.new(entry, 'ldapmain') }

-      expect(user_ldap.keys.size).to be(0)
-      access.update_ssh_keys(user_ldap)
-      expect(user_ldap.keys.size).to be(0)
+      expect{ access.update_ssh_keys }.to_not change(user.keys, :count)
    end

    context 'user has at least one LDAPKey' do
+      before { user.keys.ldap.create key: ssh_key, title: 'to be removed' }
+
      it "should remove a SSH key if it is no longer in LDAP" do
-        entry = Net::LDAP::Entry.from_single_ldif_string("dn: cn=foo, dc=bar, dc=com\n#{Gitlab.config.ldap['sync_ssh_keys']}:\n")
-        Gitlab::LDAP::Adapter.any_instance.stub(:user) { Gitlab::LDAP::Person.new(entry) }
-        key_ldap.save
-        user_ldap.keys << key_ldap
-
-        expect(user_ldap.keys.size).to be(1)
-        access.update_ssh_keys(user_ldap)
-        expect(user_ldap.keys.size).to be(0)
+        entry = Net::LDAP::Entry.from_single_ldif_string("dn: cn=foo, dc=bar, dc=com\n#{ssh_key_attribute_name}:\n")
+        Gitlab::LDAP::Adapter.any_instance.stub(:user) { Gitlab::LDAP::Person.new(entry, 'ldapmain') }
+
+        expect{ access.update_ssh_keys }.to change(user.keys, :count).from(1).to(0)
      end

-      it "should remove a SSH key if the ldap attribute was removes" do
+      it "should remove a SSH key if the ldap attribute was removed" do
        entry = Net::LDAP::Entry.from_single_ldif_string("dn: cn=foo, dc=bar, dc=com")
-        Gitlab::LDAP::Adapter.any_instance.stub(:user) { Gitlab::LDAP::Person.new(entry) }
-        key_ldap.save
-        user_ldap.keys << key_ldap
-        expect(user_ldap.keys.size).to be(1)
-        access.update_ssh_keys(user_ldap)
-        expect(user_ldap.keys.size).to be(0)
+        Gitlab::LDAP::Adapter.any_instance.stub(:user) { Gitlab::LDAP::Person.new(entry, 'ldapmain') }
+
+        expect{ access.update_ssh_keys }.to change(user.keys, :count).from(1).to(0)
      end
    end
  end

  describe :update_user_email do
-    let(:user_ldap) { create(:user, provider: 'ldap', extern_uid: "66048")}
+    let(:entry) { Net::LDAP::Entry.new }
+
+    before do
+      access.stub ldap_user: Gitlab::LDAP::Person.new(entry, user.provider)
+    end

    it "should not update email if email attribute is not set" do
-      entry = Net::LDAP::Entry.new
-      Gitlab::LDAP::Adapter.any_instance.stub(:user) { Gitlab::LDAP::Person.new(entry) }
-      updated = access.update_email(user_ldap)
-      updated.should == false
+      expect{ access.update_email }.to_not change(user, :unconfirmed_email)
    end

    it "should not update the email if the user has the same email in GitLab and in LDAP" do
-      entry = Net::LDAP::Entry.new
-      entry['mail'] = [user_ldap.email]
-      Gitlab::LDAP::Adapter.any_instance.stub(:user) { Gitlab::LDAP::Person.new(entry) }
-      updated = access.update_email(user_ldap)
-      updated.should == false
+      entry['mail'] = [user.email]
+      expect{ access.update_email }.to_not change(user, :unconfirmed_email)
    end

    it "should not update the email if the user has the same email GitLab and in LDAP, but with upper case in LDAP" do
-      entry = Net::LDAP::Entry.new
-      entry['mail'] = [user_ldap.email.upcase]
-      Gitlab::LDAP::Adapter.any_instance.stub(:user) { Gitlab::LDAP::Person.new(entry) }
-      updated = access.update_email(user_ldap)
-      updated.should == false
+      entry['mail'] = [user.email.upcase]
+      expect{ access.update_email }.to_not change(user, :unconfirmed_email)
    end

    it "should update the email if the user email is different" do
-      entry = Net::LDAP::Entry.new
      entry['mail'] = ["new_email@example.com"]
-      Gitlab::LDAP::Adapter.any_instance.stub(:user) { Gitlab::LDAP::Person.new(entry) }
-      updated = access.update_email(user_ldap)
-      updated.should == true
+      expect{ access.update_email }.to change(user, :unconfirmed_email)
    end
  end


  describe :update_admin_status do
-    let(:gitlab_user) { create(:user, provider: 'ldap', extern_uid: "admin2")}
-    let(:gitlab_admin) { create(:admin, provider: 'ldap', extern_uid: "admin2")}
-
    before do
-      Gitlab.config.ldap['admin_group'] = "GLAdmins"
+      access.stub(admin_group: "GLAdmins")
      ldap_user_entry = Net::LDAP::Entry.new
-      Gitlab::LDAP::Adapter.any_instance.stub(:user) { Gitlab::LDAP::Person.new(ldap_user_entry) }
+      Gitlab::LDAP::Adapter.any_instance.stub(:user) { Gitlab::LDAP::Person.new(ldap_user_entry, user.provider) }
      Gitlab::LDAP::Person.any_instance.stub(:uid) { 'admin2' }
    end

    it "should give admin privileges to an User" do
      admin_group = Net::LDAP::Entry.from_single_ldif_string(
-%Q{dn: cn=#{Gitlab.config.ldap['admin_group']},ou=groups,dc=bar,dc=com
-cn: #{Gitlab.config.ldap['admin_group']}
+%Q{dn: cn=#{access.admin_group},ou=groups,dc=bar,dc=com
+cn: #{access.admin_group}
 description: GitLab admins
 gidnumber: 42
 memberuid: admin1
@@ -195,15 +165,15 @@ objectclass: top
 objectclass: posixGroup
 })
      Gitlab::LDAP::Adapter.any_instance.stub(:group) { Gitlab::LDAP::Group.new(admin_group) }
-      expect(gitlab_user.admin?).to be false
-      access.update_admin_status(gitlab_user)
-      expect(gitlab_user.admin?).to be true
+
+      expect{ access.update_admin_status }.to change(user, :admin?).to(true)
    end

    it "should remove admin privileges from an User" do
+      user.update_attribute(:admin, true)
      admin_group = Net::LDAP::Entry.from_single_ldif_string(
-%Q{dn: cn=#{Gitlab.config.ldap['admin_group']},ou=groups,dc=bar,dc=com
-cn: #{Gitlab.config.ldap['admin_group']}
+%Q{dn: cn=#{access.admin_group},ou=groups,dc=bar,dc=com
+cn: #{access.admin_group}
 description: GitLab admins
 gidnumber: 42
 memberuid: admin1
@@ -212,9 +182,7 @@ objectclass: top
 objectclass: posixGroup
 })
      Gitlab::LDAP::Adapter.any_instance.stub(:group) { Gitlab::LDAP::Group.new(admin_group) }
-      expect(gitlab_admin.admin?).to be true
-      access.update_admin_status(gitlab_admin)
-      expect(gitlab_admin.admin?).to be false
+      expect{ access.update_admin_status }.to change(user, :admin?).to(false)
    end
  end

@@ -225,17 +193,17 @@ objectclass: posixGroup
    let(:gitlab_group_2) { create :group }

    before do
-      access.stub(:get_ldap_user)
      access.stub(cns_with_access: cns_with_access)
    end

    context "non existing access for group-1, allowed via ldap-group1 as MASTER" do
      before do
-        gitlab_group_1.ldap_group_links.create cn: 'ldap-group1', group_access: Gitlab::Access::MASTER
+        gitlab_group_1.ldap_group_links.create({
+          cn: 'ldap-group1', group_access: Gitlab::Access::MASTER })
      end

      it "gives the user master access for group 1" do
-        access.update_ldap_group_links(user)
+        access.update_ldap_group_links
        expect( gitlab_group_1.has_master?(user) ).to be_true
      end
    end
@@ -243,11 +211,12 @@ objectclass: posixGroup
    context "existing access as guest for group-1, allowed via ldap-group1 as DEVELOPER" do
      before do
        gitlab_group_1.users_groups.guests.create(user_id: user.id)
-        gitlab_group_1.ldap_group_links.create cn: 'ldap-group1', group_access: Gitlab::Access::MASTER
+        gitlab_group_1.ldap_group_links.create({
+          cn: 'ldap-group1', group_access: Gitlab::Access::MASTER })
      end

      it "upgrades the users access to master for group 1" do
-        expect { access.update_ldap_group_links(user) }.to \
+        expect { access.update_ldap_group_links }.to \
          change{ gitlab_group_1.has_master?(user) }.from(false).to(true)
      end
    end
@@ -255,11 +224,12 @@ objectclass: posixGroup
    context "existing access as MASTER for group-1, allowed via ldap-group1 as DEVELOPER" do
      before do
        gitlab_group_1.users_groups.masters.create(user_id: user.id)
-        gitlab_group_1.ldap_group_links.create cn: 'ldap-group1', group_access: Gitlab::Access::DEVELOPER
+        gitlab_group_1.ldap_group_links.create({
+          cn: 'ldap-group1', group_access: Gitlab::Access::DEVELOPER })
      end

      it "keeps the users master access for group 1" do
-        expect { access.update_ldap_group_links(user) }.not_to \
+        expect { access.update_ldap_group_links }.not_to \
          change{ gitlab_group_1.has_master?(user) }
      end
    end
@@ -272,7 +242,7 @@ objectclass: posixGroup
      end

      it "removes user from gitlab_group_1" do
-        expect { access.update_ldap_group_links(user) }.to \
+        expect { access.update_ldap_group_links }.to \
          change{ gitlab_group_1.members.where(user_id: user).any? }.from(true).to(false)
      end
    end
@@ -338,13 +308,16 @@ objectclass: posixGroup
        Gitlab::LDAP::Group.new(ldap_group_response_2)
      ]
    end
-    let(:ldap_user) { Gitlab::LDAP::Person.new(Net::LDAP::Entry.new) }
+    let(:ldap_user) { Gitlab::LDAP::Person.new(Net::LDAP::Entry.new, user.provider) }

-    before { ldap_user.stub(:uid) { 'user42' } }
+    before do
+      access.stub(ldap_user: ldap_user)
+      ldap_user.stub(:uid) { 'user42' }
+    end

    it "only returns ldap cns to which the user has access" do
      access.stub(ldap_groups: ldap_groups)
-      expect(access.cns_with_access(ldap_user)).to eql ['group1']
+      expect(access.cns_with_access).to eql ['group1']
    end
  end
 end