Merge branch 'sh-ldap-lock-down-api-admin-10-4' into 'security-10-4-ee'

Restrict LDAP API to admins only - 10.4 port

changelogs/unreleased-ee/sh-lock-down-ldap-api-admin.yml

+---
+title: Restrict LDAP API to admins only
+merge_request:
+author:
+type: security

ee/lib/api/ldap.rb

 module API
   class Ldap < Grape::API
-    before { authenticate! }
+    before { authenticated_as_admin! }
 
     resource :ldap do
       helpers do

spec/requests/api/ldap_spec.rb

@@ -4,7 +4,8 @@ describe API::Ldap do
   include ApiHelpers
   include LdapHelpers
 
-  let(:user) { create(:user) }
+  set(:user) { create(:user) }
+  set(:admin) { create(:admin) }
   let(:adapter) { ldap_adapter }
 
   before do
@@ -27,8 +28,15 @@ describe API::Ldap do
     end
 
     context "when authenticated as user" do
-      it "returns an array of ldap groups" do
+      it "returns authentication error" do
         get api("/ldap/groups", user)
+        expect(response.status).to eq 403
+      end
+    end
+
+    context "when authenticated as admin" do
+      it "returns an array of ldap groups" do
+        get api("/ldap/groups", admin)
         expect(response.status).to eq 200
         expect(json_response).to be_an Array
         expect(json_response.length).to eq 2
@@ -46,8 +54,15 @@ describe API::Ldap do
     end
 
     context "when authenticated as user" do
-      it "returns an array of ldap groups" do
+      it "returns authentication error" do
         get api("/ldap/ldapmain/groups", user)
+        expect(response.status).to eq 403
+      end
+    end
+
+    context "when authenticated as admin" do
+      it "returns an array of ldap groups" do
+        get api("/ldap/ldapmain/groups", admin)
         expect(response.status).to eq 200
         expect(json_response).to be_an Array
         expect(json_response.length).to eq 2