Return 403 if LDAP extras are disabled

fcd0b3fb · Michael Kozono · 0296a401 · fcd0b3fb · fcd0b3fb · fcd0b3fb
Commit fcd0b3fb authored Aug 30, 2017 by Michael Kozono
Showing with 73 additions and 44 deletions

app/controllers/groups/ldaps_controller.rb app/controllers/groups/ldaps_controller.rb +7 -0

lib/api/groups.rb lib/api/groups.rb +2 -0

spec/requests/api/groups_spec.rb spec/requests/api/groups_spec.rb +64 -44

No files found.
--- a/app/controllers/groups/ldaps_controller.rb
+++ b/app/controllers/groups/ldaps_controller.rb
 class Groups::LdapsController < Groups::ApplicationController
  before_action :group
  before_action :authorize_admin_group!
+  before_action :check_enabled_extras!
  def sync
    if @group.pending_ldap_sync
@@ -12,4 +13,10 @@ class Groups::LdapsController < Groups::ApplicationController
    redirect_to group_group_members_path(@group), notice: message
  end
+  private
+  def check_enabled_extras!
+    render_403 unless Gitlab::LDAP::Config.enabled_extras?
+  end
 end
--- a/lib/api/groups.rb
+++ b/lib/api/groups.rb
@@ -204,6 +204,8 @@ module API
      desc 'Sync a group with LDAP.'
      post ":id/ldap_sync" do
+        forbidden!('LDAP is disabled, or LDAP extras are disabled for this license') unless Gitlab::LDAP::Config.enabled_extras?
        group = find_group!(params[:id])
        authorize! :admin_group, group

--- a/spec/requests/api/groups_spec.rb
+++ b/spec/requests/api/groups_spec.rb
@@ -672,21 +672,24 @@ describe API::Groups do
  end
  describe 'POST /groups/:id/ldap_sync' do
+    context 'when LDAP config enabled_extras is true' do
+      before do
+        allow(Gitlab::LDAP::Config).to receive(:enabled_extras?).and_return(true)
+      end
      context 'when authenticated as the group owner' do
        context 'when the group is ready to sync' do
          it 'returns 202 Accepted' do
-          post api("/groups/#{group1.id}/ldap_sync", user1)
+            ldap_sync(group1.id, user1, :disable!)
            expect(response).to have_http_status(202)
          end
          it 'queues a sync job' do
-          Sidekiq::Testing.fake! do
+            expect { ldap_sync(group1.id, user1, :fake!) }.to change(LdapGroupSyncWorker.jobs, :size).by(1)
-            expect { post api("/groups/#{group1.id}/ldap_sync", user1) }.to change(LdapGroupSyncWorker.jobs, :size).by(1)
-          end
          end
          it 'sets the ldap_sync state to pending' do
-          post api("/groups/#{group1.id}/ldap_sync", user1)
+            ldap_sync(group1.id, user1, :disable!)
            expect(group1.reload.ldap_sync_pending?).to be_truthy
          end
        end
@@ -697,49 +700,66 @@ describe API::Groups do
          end
          it 'returns 202 Accepted' do
-          post api("/groups/#{group1.id}/ldap_sync", user1)
+            ldap_sync(group1.id, user1, :disable!)
            expect(response).to have_http_status(202)
          end
          it 'does not queue a sync job' do
-          Sidekiq::Testing.fake! do
+            expect { ldap_sync(group1.id, user1, :fake!) }.not_to change(LdapGroupSyncWorker.jobs, :size)
-            expect { post api("/groups/#{group1.id}/ldap_sync", user1) }.not_to change(LdapGroupSyncWorker.jobs, :size)
-          end
          end
          it 'does not change the ldap_sync state' do
            expect do
-            post api("/groups/#{group1.id}/ldap_sync", user1)
+              ldap_sync(group1.id, user1, :disable!)
            end.not_to change { group1.reload.ldap_sync_status }
          end
        end
        it 'returns 404 for a non existing group' do
-        post api('/groups/1328/ldap_sync', user1)
+          ldap_sync(1328, user1, :disable!)
          expect(response).to have_http_status(404)
        end
      end
      context 'when authenticated as the admin' do
        it 'returns 202 Accepted' do
-        post api("/groups/#{group1.id}/ldap_sync", admin)
+          ldap_sync(group1.id, admin, :disable!)
          expect(response).to have_http_status(202)
        end
      end
-    context 'when authenticated as an user that can see the group' do
+      context 'when authenticated as a non-owner user that can see the group' do
-      it 'does not updates the group' do
+        it 'returns 403' do
-        post api("/groups/#{group1.id}/ldap_sync", user2)
+          ldap_sync(group1.id, user2, :disable!)
          expect(response).to have_http_status(403)
        end
      end
      context 'when authenticated as an user that cannot see the group' do
-      it 'returns 404 when trying to update the group' do
+        it 'returns 404' do
-        post api("/groups/#{group2.id}/ldap_sync", user1)
+          ldap_sync(group2.id, user1, :disable!)
          expect(response).to have_http_status(404)
        end
      end
    end
+    context 'when LDAP config enabled_extras is false' do
+      before do
+        allow(Gitlab::LDAP::Config).to receive(:enabled_extras?).and_return(false)
+      end
+      it 'returns 403' do
+        ldap_sync(group1.id, admin, :disable!)
+        expect(response).to have_http_status(403)
+      end
+    end
+  end
+  def ldap_sync(group_id, user, sidekiq_testing_method)
+    Sidekiq::Testing.send(sidekiq_testing_method) do
+      post api("/groups/#{group_id}/ldap_sync", user)
+    end
+  end
 end