Hide the auditor user feature behind an EE add-on.

1. The add-on is named `GitLab_Auditor_User`

2. An auditor user cannot be created if the addon is not present.

3. `auditor?` always returns `false` if the addon is not present.

app/models/user.rb

@@ -124,6 +124,7 @@ class User < ActiveRecord::Base
   validate :owns_notification_email, if: ->(user) { user.notification_email_changed? }
   validate :owns_public_email, if: ->(user) { user.public_email_changed? }
   validate :cannot_be_admin_and_auditor
+  validate :auditor_requires_license_add_on
   validates :avatar, file_size: { maximum: 200.kilobytes.to_i }
 
   before_validation :generate_password, on: :create
@@ -460,6 +461,12 @@ class User < ActiveRecord::Base
     end
   end
 
+  def auditor_requires_license_add_on
+    unless ::License.current && ::License.current.add_on?('GitLab_Auditor_User')
+      errors.add(:auditor, 'user cannot be created without the "GitLab_Auditor_User" addon')
+    end
+  end
+
   # Returns the groups a user has access to
   def authorized_groups
     union = Gitlab::SQL::Union.
@@ -538,6 +545,12 @@ class User < ActiveRecord::Base
     admin
   end
 
+  def auditor?
+    @license_allows_auditors ||= (::License.current && ::License.current.add_on?('GitLab_Auditor_User'))
+
+    @license_allows_auditors && self.auditor
+  end
+
   def admin_or_auditor?
     admin? || auditor?
   end

spec/factories/licenses.rb

@@ -6,7 +6,12 @@ FactoryGirl.define do
       { "Name" => FFaker::Name.name }
     end
     restrictions do
-      { add_ons: { 'GitLab_FileLocks' => 1 } }
+      {
+        add_ons: {
+          'GitLab_FileLocks' => 1,
+          'GitLab_Auditor_User' => 1
+        }
+      }
     end
     notify_users_at   { |l| l.expires_at }
     notify_admins_at  { |l| l.expires_at }

spec/models/user_spec.rb

@@ -1492,4 +1492,52 @@ describe User, models: true do
       expect(user.project_authorizations.where(access_level: Gitlab::Access::REPORTER).exists?).to eq(true)
     end
   end
+
+  describe 'the GitLab_Auditor_User add-on' do
+    context 'creating an auditor user' do
+      it "does not allow creating an auditor user if the addon isn't enabled" do
+        allow_any_instance_of(License).to receive(:add_ons).and_return({})
+
+        expect(build(:user, :auditor)).to be_invalid
+      end
+
+      it "does not allow creating an auditor user if no license is present" do
+        allow(License).to receive(:current).and_return nil
+
+        expect(build(:user, :auditor)).to be_invalid
+      end
+
+      it "allows creating an auditor user if the addon is enabled" do
+        allow_any_instance_of(License).to receive(:add_ons).and_return({ 'GitLab_Auditor_User' => 1 })
+
+        expect(build(:user, :auditor)).to be_valid
+      end
+    end
+
+    context '#auditor?' do
+      it "returns true for an auditor user if the addon is enabled" do
+        allow_any_instance_of(License).to receive(:add_ons).and_return({ 'GitLab_Auditor_User' => 1 })
+
+        expect(build(:user, :auditor)).to be_auditor
+      end
+
+      it "returns false for an auditor user if the addon is not enabled" do
+        allow_any_instance_of(License).to receive(:add_ons).and_return({})
+
+        expect(build(:user, :auditor)).not_to be_auditor
+      end
+
+      it "returns false for an auditor user if a license is not present" do
+        allow(License).to receive(:current).and_return nil
+
+        expect(build(:user, :auditor)).not_to be_auditor
+      end
+
+      it "returns false for a non-auditor user even if the addon is present" do
+        allow_any_instance_of(License).to receive(:add_ons).and_return({ 'GitLab_Auditor_User' => 1 })
+
+        expect(build(:user)).not_to be_auditor
+      end
+    end
+  end
 end