Commit 2dae609e authored by Douwe Maan's avatar Douwe Maan

Only enable LDAP group sync filter method on EEP

parent a473bde1
......@@ -2,6 +2,8 @@ document.addEventListener('DOMContentLoaded', () => {
const showGroupLink = () => {
const $cnLink = $('.cn-link');
const $filterLink = $('.filter-link');
if (!$cnLink.length || !$filterLink.length) return;
const $checkedSync = $('input[name="sync_method"]:checked').val() === 'group';
$cnLink.toggle($checkedSync);
......
......@@ -43,6 +43,9 @@ class Groups::LdapGroupLinksController < Groups::ApplicationController
end
def ldap_group_link_params
params.require(:ldap_group_link).permit(:cn, :filter, :group_access, :provider)
attrs = %i[cn group_access provider]
attrs << :filter if ::License.feature_available?(:ldap_group_sync_filter)
params.require(:ldap_group_link).permit(attrs)
end
end
......@@ -17,6 +17,6 @@ class Groups::LdapsController < Groups::ApplicationController
private
def check_enabled_extras!
render_404 unless Gitlab::LDAP::Config.enabled? && ::License.feature_available?(:ldap_group_sync)
render_404 unless Gitlab::LDAP::Config.group_sync_enabled?
end
end
......@@ -230,20 +230,12 @@ class Group < Namespace
ldap_group_links.first.try(:cn)
end
def ldap_filter
ldap_group_links.first.try(:filter)
end
def ldap_access
ldap_group_links.first.try(:group_access)
end
def ldap_cn_or_filter_present?
ldap_cn.present? || ldap_filter.present?
end
def ldap_synced?
Gitlab.config.ldap.enabled && ldap_cn_or_filter_present?
Gitlab.config.ldap.enabled && ldap_group_links.any?(&:active?)
end
def post_create_hook
......
......@@ -43,6 +43,14 @@ class LdapGroupLink < ActiveRecord::Base
config.label
end
def active?
if filter.present?
::License.feature_available?(:ldap_group_sync_filter)
elsif cn.present?
::License.feature_available?(:ldap_group_sync)
end
end
private
def nullify_blank_attributes
......
......@@ -19,10 +19,10 @@ class License < ActiveRecord::Base
issue_weights
jenkins_integration
ldap_group_sync
multiple_ldap_servers
merge_request_approvers
merge_request_rebase
merge_request_squash
multiple_ldap_servers
multiple_issue_assignees
multiple_issue_boards
push_rules
......@@ -43,6 +43,7 @@ class License < ActiveRecord::Base
geo
group_issue_boards
jira_dev_panel_integration
ldap_group_sync_filter
object_storage
service_desk
variable_environment_scope
......@@ -110,6 +111,7 @@ class License < ActiveRecord::Base
extended_audit_events
geo
ldap_group_sync
ldap_group_sync_filter
multiple_ldap_servers
object_storage
repository_size_limit
......
......@@ -36,7 +36,7 @@
= f.submit 'Save changes', class: "btn btn-save"
= link_to 'Cancel', admin_group_path(@group), class: "btn btn-cancel"
- if ldap_enabled? && @group.persisted?
- if @group.persisted? && Gitlab::LDAP::Config.group_sync_enabled?
%h3.page-title LDAP synchronizations
= render 'ldap_group_links/form', group: @group
= render 'ldap_group_links/ldap_group_links', group: @group
......@@ -62,11 +62,11 @@
= render partial: "namespaces/shared_runner_status", locals: { namespace: @group }
- if Gitlab::LDAP::Config.group_sync_enabled? && @group.ldap_synced?
.panel.panel-default
.panel-heading Active synchronizations
%ul.well-list
- if @group.ldap_group_links.any?
- @group.ldap_group_links.each do |ldap_group_link|
- @group.ldap_group_links.select(&:active?).each do |ldap_group_link|
%li
%strong= ldap_group_link.cn ? "Group: #{ldap_group_link.cn}" : "Filter: #{truncate(ldap_group_link.filter, length: 40)}"
as
......
......@@ -3,7 +3,7 @@
The members of this group are managed using LDAP and cannot be added or removed here.
Because LDAP permissions in GitLab get updated one user at a time and because GitLab caches LDAP check results, changes on your LDAP server or in this group's LDAP sync settings may take up to #{Gitlab.config.ldap['sync_time']}s to show in the list below.
%ul
- @group.ldap_group_links.each do |ldap_group_link|
- @group.ldap_group_links.select(&:active?).each do |ldap_group_link|
%li
People in
%code= ldap_group_link.cn ? "cn: #{ldap_group_link.cn}" : "filter: #{truncate(ldap_group_link.filter, length: 70)}"
......
......@@ -9,6 +9,7 @@
.col-sm-10
= f.select :provider, ldap_server_select_options, {}, class: 'form-control'
- if ::License.feature_available?(:ldap_group_sync_filter)
.form-group.row
= f.label :cn, class: 'control-label col-sm-2' do
Sync method
......@@ -32,6 +33,7 @@
%br
If you select an LDAP group you do not belong to you will lose ownership of #{group.name}.
- if ::License.feature_available?(:ldap_group_sync_filter)
.form-group.row.filter-link
= f.label :filter, class: 'control-label col-sm-2' do
LDAP User filter
......
......@@ -13,3 +13,6 @@
Config for LDAP server
%code= ldap_group_link.provider
is not present in GitLab
- unless ldap_group_link.active?
(Inactive because syncing with an LDAP user filter is not included in the current license)
......@@ -3,7 +3,7 @@ class LdapAllGroupsSyncWorker
include CronjobQueue
def perform
return unless Gitlab::LDAP::Config.enabled? && ::License.feature_available?(:ldap_group_sync)
return unless Gitlab::LDAP::Config.group_sync_enabled?
logger.info 'Started LDAP group sync'
EE::Gitlab::LDAP::Sync::Groups.execute
......
......@@ -3,7 +3,7 @@ class LdapGroupSyncWorker
include DedicatedSidekiqQueue
def perform(group_ids, provider = nil)
return unless Gitlab::LDAP::Config.enabled? && ::License.feature_available?(:ldap_group_sync)
return unless Gitlab::LDAP::Config.group_sync_enabled?
groups = Group.where(id: Array(group_ids))
......
......@@ -3,7 +3,7 @@ class LdapSyncWorker
include CronjobQueue
def perform
return unless Gitlab::LDAP::Config.enabled? && ::License.feature_available?(:ldap_group_sync)
return unless Gitlab::LDAP::Config.group_sync_enabled?
Rails.logger.info "Performing daily LDAP sync task."
User.ldap.find_each(batch_size: 100).each do |ldap_user|
......
......@@ -54,7 +54,7 @@ new groups they might be added to when the user logs in. That way they don't nee
to wait for the hourly sync to be granted access to the groups that they are in
in LDAP.
We can also add a GitLab group to sync with one or multiple LDAP groups or we can
In GitLab Enterprise Edition Premium, we can also add a GitLab group to sync with one or multiple LDAP groups or we can
also add a filter. The filter must comply with the syntax defined in [RFC 2254](https://tools.ietf.org/search/rfc2254).
A group sync process will run every hour on the hour, and `group_base` must be set
......
- if Gitlab::LDAP::Config.enabled? && ::License.feature_available?(:ldap_group_sync) && can?(current_user, :admin_ldap_group_links, @group)
- if Gitlab::LDAP::Config.group_sync_enabled? && can?(current_user, :admin_ldap_group_links, @group)
= nav_link(path: 'ldap_group_links#index') do
= link_to group_ldap_group_links_path(@group), title: 'LDAP Group' do
%span
......
module EE
module Gitlab
module LDAP
module Config
extend ActiveSupport::Concern
class_methods do
def group_sync_enabled?
enabled? && ::License.feature_available?(:ldap_group_sync)
end
end
end
end
end
end
......@@ -74,6 +74,8 @@ module EE
access_levels = AccessLevels.new
# Only iterate over group links for the current provider
group.ldap_group_links.with_provider(provider).each do |group_link|
next unless group_link.active?
update_access_levels(access_levels, group_link)
end
......
......@@ -213,7 +213,7 @@ module API
desc 'Sync a group with LDAP.'
post ":id/ldap_sync" do
not_found! unless Gitlab::LDAP::Config.enabled? && ::License.feature_available?(:ldap_group_sync)
not_found! unless Gitlab::LDAP::Config.group_sync_enabled?
group = find_group!(params[:id])
authorize! :admin_group, group
......
......@@ -2,6 +2,8 @@
module Gitlab
module LDAP
class Config
include ::EE::Gitlab::LDAP::Config
NET_LDAP_ENCRYPTION_METHOD = {
simple_tls: :simple_tls,
start_tls: :start_tls,
......
......@@ -381,6 +381,10 @@ describe EE::Gitlab::LDAP::Sync::Group do
end
context 'filter' do
before do
stub_licensed_features(ldap_group_sync_filter: true)
end
describe '#update_permissions' do
before do
# Safe-check because some permissions are removed when `Group#ldap_synced?`
......
......@@ -19,7 +19,7 @@ feature 'Edit group settings' do
scenario 'is able to navigate to LDAP group section' do
visit edit_group_path(group)
expect(find('.nav-sidebar')).to have_content('LDAP Group')
expect(find('.nav-sidebar')).to have_content('LDAP Synchronization')
end
context 'with owners not being able to manage LDAP' do
......@@ -28,7 +28,7 @@ feature 'Edit group settings' do
visit edit_group_path(group)
expect(find('.nav-sidebar')).not_to have_content('LDAP Group')
expect(find('.nav-sidebar')).not_to have_content('LDAP Synchronization')
end
end
end
......
......@@ -12,6 +12,11 @@ feature 'Edit group settings', :js do
context 'LDAP sync method' do
before do
allow(Gitlab.config.ldap).to receive(:enabled).and_return(true)
end
context 'when the LDAP group sync filter feature is available' do
before do
stub_licensed_features(ldap_group_sync_filter: true)
visit group_ldap_group_links_path(group)
end
......@@ -31,4 +36,25 @@ feature 'Edit group settings', :js do
expect(page).not_to have_content('This query must use valid LDAP Search Filter Syntax')
end
end
context 'when the LDAP group sync filter feature is available' do
before do
stub_licensed_features(ldap_group_sync_filter: false)
visit group_ldap_group_links_path(group)
end
scenario 'does not show the LDAP search method switcher' do
expect(page).not_to have_field('sync_method_filter')
end
scenario 'shows the LDAP group section' do
expect(page).to have_content("Synchronize #{group.name}'s members with this LDAP group")
end
scenario 'does not shows the LDAP filter section' do
expect(page).not_to have_content('This query must use valid LDAP Search Filter Syntax')
end
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment