Add ldap settings controller

This controller will for now just handle the status change of lock_membership_to_ldap

Add ldap settings controller
This controller will for now just handle the status change of lock_membership_to_ldap
13e5972e · Sebastian Arcila Valenzuela · 82d535cc · 13e5972e · 13e5972e · 13e5972e
Commit 13e5972e authored Mar 04, 2020 by Sebastian Arcila Valenzuela
5 changed files
--- a/ee/app/controllers/groups/ldap_settings_controller.rb
+++ b/ee/app/controllers/groups/ldap_settings_controller.rb
+# frozen_string_literal: true
+
+class Groups::LdapSettingsController < Groups::ApplicationController
+  before_action :group
+  before_action :require_ldap_enabled
+  before_action :authorize_admin_group!
+  before_action :authorize_manage_ldap_settings!
+
+  def update
+    if @group.update(ldap_settings_params)
+      redirect_back_or_default(default: group_ldap_group_links_path(@group), options: { notice: _('LDAP settings updated') })
+    else
+      redirect_back_or_default(default: group_ldap_group_links_path(@group), options: { alert: _('Could not update the LDAP settings') })
+    end
+  end
+
+  private
+
+  def authorize_manage_ldap_settings!
+    render_404 unless Feature.enabled?(:ldap_settings_unlock_groups_by_owners)
+    render_404 unless can?(current_user, :admin_ldap_group_settings, group)
+  end
+
+  def require_ldap_enabled
+    render_404 unless Gitlab::Auth::Ldap::Config.enabled?
+  end
+
+  def ldap_settings_params
+    attrs = %i[unlock_membership_to_ldap]
+
+    params.require(:group).permit(attrs)
+  end
+end
--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -187,6 +187,7 @@ module EE
    end

    def ldap_lock_bypassable?
+      return false unless ::Feature.enabled?(:ldap_settings_unlock_groups_by_owners)
      return false unless ::Gitlab::CurrentSettings.allow_group_owners_to_manage_ldap?

      !!subject.unlock_membership_to_ldap? && subject.owned_by?(user)

--- a/ee/config/routes/group.rb
+++ b/ee/config/routes/group.rb
@@ -42,6 +42,8 @@ constraints(::Constraints::GroupUrlConstrainer.new) do
      end
    end

+    resource :ldap_settings, only: [:update]
+
    resource :issues_analytics, only: [:show]

    resource :insights, only: [:show], trailing_slash: true do

--- a/ee/spec/controllers/groups/ldap_settings_controller_spec.rb
+++ b/ee/spec/controllers/groups/ldap_settings_controller_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Groups::LdapSettingsController do
+  include LdapHelpers
+
+  let(:group) { create(:group) }
+  let(:user)  { create(:user) }
+
+  before do
+    stub_ldap_setting(enabled: true)
+    stub_feature_flags(ldap_settings_unlock_groups_by_owners: true)
+
+    sign_in(user)
+  end
+
+  describe 'PUT #update' do
+    describe 'as an owner' do
+      before do
+        group.add_owner(user)
+      end
+
+      describe 'admin allows owners to modify ldap settings' do
+        before do
+          allow(::Gitlab::CurrentSettings).to receive(:allow_group_owners_to_manage_ldap?).and_return(true)
+        end
+
+        it 'changes the value of unlock_membership_to_ldap' do
+          expect do
+            put :update, params: { group_id: group.to_param, group: { unlock_membership_to_ldap: true } }
+          end.to change { group.reload.unlock_membership_to_ldap }
+        end
+
+        describe 'ldap_settings_unlock_groups_by_owners is disabled' do
+          before do
+            stub_feature_flags(ldap_settings_unlock_groups_by_owners: false)
+          end
+
+          it 'does not change the value of the unlock_membership_to_ldap' do
+            expect do
+              put :update, params: { group_id: group.to_param, group: { unlock_membership_to_ldap: true } }
+            end.not_to change { group.reload.unlock_membership_to_ldap }
+          end
+        end
+      end
+
+      describe 'admin disallow owners to modify ldap settings' do
+        before do
+          allow(::Gitlab::CurrentSettings).to receive(:allow_group_owners_to_manage_ldap?).and_return(false)
+        end
+
+        it 'does not change the value of unlock_membership_to_ldap' do
+          expect do
+            put :update, params: { group_id: group.to_param, group: { unlock_membership_to_ldap: true } }
+          end.not_to change { group.reload.unlock_membership_to_ldap }
+        end
+      end
+    end
+
+    describe 'as a maintainer' do
+      before do
+        group.add_maintainer(user)
+        allow(::Gitlab::CurrentSettings).to receive(:allow_group_owners_to_manage_ldap?).and_return(true)
+      end
+
+      it 'does not change the value of unlock_membership_to_ldap' do
+        expect do
+          put :update, params: { group_id: group.to_param, group: { unlock_membership_to_ldap: true } }
+        end.not_to change { group.reload.unlock_membership_to_ldap }
+      end
+    end
+  end
+end
--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -396,11 +396,22 @@ describe GroupPolicy do
        context 'Group Owner disable membership lock' do
          before do
            group.update!(unlock_membership_to_ldap: true)
+            stub_feature_flags(ldap_settings_unlock_groups_by_owners: true)
          end

          it { is_expected.to be_allowed(:admin_group_member) }
          it { is_expected.to be_allowed(:override_group_member) }
          it { is_expected.to be_allowed(:update_group_member) }
+
+          context 'ldap_settings_unlock_groups_by_owners is disabled' do
+            before do
+              stub_feature_flags(ldap_settings_unlock_groups_by_owners: false)
+            end
+
+            it { is_expected.to be_disallowed(:admin_group_member) }
+            it { is_expected.to be_disallowed(:override_group_member) }
+            it { is_expected.to be_disallowed(:update_group_member) }
+          end
        end

        context 'Group Owner keeps the membership lock' do