Merge branch '4435-add-ldap-user-filter-to-group-link-api' into 'master'

Add LDAP User Filter to group link API

Closes #4435

See merge request gitlab-org/gitlab!26202

doc/api/groups.md

@@ -862,49 +862,71 @@ Lists LDAP group links.
 GET /groups/:id/ldap_group_links
 ```
 
-Parameters:
-
-- `id` (required) - The ID of a group
+| Attribute | Type           | Required | Description |
+| --------- | -------------- | -------- | ----------- |
+| `id`      | integer/string | yes      | The ID or [URL-encoded path of the group](README.md#namespaced-path-encoding) |
 
-### Add LDAP group link **(STARTER)**
+### Add LDAP group link with CN or filter **(STARTER)**
 
-Adds an LDAP group link.
+Adds an LDAP group link using a CN or filter. Adding a group link by filter is only supported in the Premium tier and above.
 
 ```plaintext
 POST /groups/:id/ldap_group_links
 ```
 
-Parameters:
+| Attribute | Type           | Required | Description |
+| --------- | -------------- | -------- | ----------- |
+| `id`      | integer/string | yes      | The ID or [URL-encoded path of the group](README.md#namespaced-path-encoding) |
+| `cn`      | string         | no       | The CN of an LDAP group |
+| `filter`  | string         | no       | The LDAP filter for the group |
+| `group_access` | integer   | yes      | Minimum access level for members of the LDAP group |
+| `provider` | string        | yes      | LDAP provider for the LDAP group link |
 
-- `id` (required) - The ID of a group
-- `cn` (required) - The CN of a LDAP group
-- `group_access` (required) - Minimum access level for members of the LDAP group
-- `provider` (required) - LDAP provider for the LDAP group
+NOTE: **Note:**
+To define the LDAP group link, provide either a `cn` or a `filter`, but not both.
 
 ### Delete LDAP group link **(STARTER)**
 
-Deletes an LDAP group link.
+Deletes an LDAP group link. Deprecated. Will be removed in a future release.
 
 ```plaintext
 DELETE /groups/:id/ldap_group_links/:cn
 ```
 
-Parameters:
-
-- `id` (required) - The ID of a group
-- `cn` (required) - The CN of a LDAP group
+| Attribute | Type           | Required | Description |
+| --------- | -------------- | -------- | ----------- |
+| `id`      | integer/string | yes      | The ID or [URL-encoded path of the group](README.md#namespaced-path-encoding) |
+| `cn`      | string         | yes      | The CN of an LDAP group |
 
-Deletes a LDAP group link for a specific LDAP provider
+Deletes an LDAP group link for a specific LDAP provider. Deprecated. Will be removed in a future release.
 
 ```plaintext
 DELETE /groups/:id/ldap_group_links/:provider/:cn
 ```
 
-Parameters:
+| Attribute | Type           | Required | Description |
+| --------- | -------------- | -------- | ----------- |
+| `id`      | integer/string | yes      | The ID or [URL-encoded path of the group](README.md#namespaced-path-encoding) |
+| `cn`      | string         | yes      | The CN of an LDAP group |
+| `provider` | string        | yes      | LDAP provider for the LDAP group link |
+
+### Delete LDAP group link with CN or filter **(STARTER)**
+
+Deletes an LDAP group link using a CN or filter. Deleting by filter is only supported in the Premium tier and above.
+
+```plaintext
+DELETE /groups/:id/ldap_group_links
+```
 
-- `id` (required) - The ID of a group
-- `cn` (required) - The CN of a LDAP group
-- `provider` (required) - Name of a LDAP provider
+| Attribute | Type           | Required | Description |
+| --------- | -------------- | -------- | ----------- |
+| `id`      | integer/string | yes      | The ID or [URL-encoded path of the group](README.md#namespaced-path-encoding) |
+| `cn`      | string         | no       | The CN of an LDAP group |
+| `filter`  | string         | no       | The LDAP filter for the group |
+| `provider` | string        | yes       | LDAP provider for the LDAP group link |
+
+NOTE: **Note:**
+To delete the LDAP group link, provide either a `cn` or a `filter`, but not both.
 
 ## Namespaces in groups
 

ee/changelogs/unreleased/4435-add-ldap-user-filter-to-group-link-api.yml

+---
+title: Add LDAP user filter to group link API
+merge_request: 26202
+author:
+type: added

ee/lib/api/ldap_group_links.rb

@@ -16,7 +16,8 @@ module API
         authorize! :admin_group, group
 
         ldap_group_links = group.ldap_group_links
-        if ldap_group_links && ldap_group_links != []
+
+        if ldap_group_links.present?
           present ldap_group_links, with: EE::API::Entities::LdapGroupLink
         else
           render_api_error!('No linked LDAP groups found', 404)
@@ -27,16 +28,20 @@ module API
         success EE::API::Entities::LdapGroupLink
       end
       params do
-        requires 'cn', type: String, desc: 'The CN of a LDAP group'
+        optional 'cn', type: String, desc: 'The CN of a LDAP group'
+        optional 'filter', type: String, desc: 'The LDAP user filter'
         requires 'group_access', type: Integer, values: Gitlab::Access.all_values,
                                  desc: 'Level of permissions for the linked LDAP group'
         requires 'provider', type: String, desc: 'The LDAP provider for this LDAP group'
+        exactly_one_of :cn, :filter
       end
       post ":id/ldap_group_links" do
         group = find_group(params[:id])
         authorize! :admin_group, group
+        break not_found! if params[:filter] && !group.feature_available?(:ldap_group_sync_filter)
 
         ldap_group_link = group.ldap_group_links.new(declared_params(include_missing: false))
+
         if ldap_group_link.save
           present ldap_group_link, with: EE::API::Entities::LdapGroupLink
         else
@@ -44,7 +49,9 @@ module API
         end
       end
 
-      desc 'Remove a linked LDAP group from group'
+      desc 'Remove a linked LDAP group from group' do
+        detail 'Duplicate. DEPRECATED and will be removed in a later version'
+      end
       params do
         requires 'cn', type: String, desc: 'The CN of a LDAP group'
       end
@@ -54,6 +61,7 @@ module API
         authorize! :admin_group, group
 
         ldap_group_link = group.ldap_group_links.find_by(cn: params[:cn])
+
         if ldap_group_link
           ldap_group_link.destroy
           no_content!
@@ -63,7 +71,9 @@ module API
       end
       # rubocop: enable CodeReuse/ActiveRecord
 
-      desc 'Remove a linked LDAP group from group'
+      desc 'Remove a linked LDAP group from group' do
+        detail 'Duplicate. DEPRECATED and will be removed in a later version'
+      end
       params do
         requires 'cn', type: String, desc: 'The CN of a LDAP group'
         requires 'provider', type: String, desc: 'The LDAP provider for this LDAP group'
@@ -74,6 +84,7 @@ module API
         authorize! :admin_group, group
 
         ldap_group_link = group.ldap_group_links.find_by(cn: params[:cn], provider: params[:provider])
+
         if ldap_group_link
           ldap_group_link.destroy
           no_content!
@@ -82,6 +93,29 @@ module API
         end
       end
       # rubocop: enable CodeReuse/ActiveRecord
+
+      desc 'Remove a linked LDAP group from group'
+      params do
+        optional 'cn', type: String, desc: 'The CN of a LDAP group'
+        optional 'filter', type: String, desc: 'The LDAP user filter'
+        requires 'provider', type: String, desc: 'The LDAP provider for this LDAP group'
+        exactly_one_of :cn, :filter
+      end
+      # rubocop: disable CodeReuse/ActiveRecord
+      delete ":id/ldap_group_links" do
+        group = find_group(params[:id])
+        authorize! :admin_group, group
+        break not_found! if params[:filter] && !group.feature_available?(:ldap_group_sync_filter)
+
+        ldap_group_link = group.ldap_group_links.find_by(declared_params(include_missing: false))
+
+        if ldap_group_link
+          ldap_group_link.destroy
+          no_content!
+        else
+          render_api_error!('Linked LDAP group not found', 404)
+        end
+      end
     end
   end
 end

ee/lib/ee/api/entities/ldap_group_link.rb

@@ -5,6 +5,7 @@ module EE
     module Entities
       class LdapGroupLink < Grape::Entity
         expose :cn, :group_access, :provider
+        expose :filter, if: ->(_, _) { License.feature_available?(:ldap_group_sync_filter) }
       end
     end
   end