Log messages when blocking/unblocking LDAP accounts

1 files changed, 55 insertions, 8 deletions

diff --git a/spec/lib/gitlab/ldap/access_spec.rb b/spec/lib/gitlab/ldap/access_spec.rb
index 534bcbf39fe..ea64f8a3e0e 100644
--- a/spec/lib/gitlab/ldap/access_spec.rb
+++ b/spec/lib/gitlab/ldap/access_spec.rb
@@ -15,9 +15,9 @@ describe Gitlab::LDAP::Access, lib: true do
       it { is_expected.to be_falsey }
 
       it 'should block user in GitLab' do
+        expect(access).to receive(:block_user).with(user, 'does not exist anymore')
+
         access.allowed?
-        expect(user).to be_blocked
-        expect(user).to be_ldap_blocked
       end
     end
 
@@ -34,9 +34,9 @@ describe Gitlab::LDAP::Access, lib: true do
         it { is_expected.to be_falsey }
 
         it 'blocks user in GitLab' do
+          expect(access).to receive(:block_user).with(user, 'is disabled in Active Directory')
+
           access.allowed?
-          expect(user).to be_blocked
-          expect(user).to be_ldap_blocked
         end
       end
 
@@ -53,7 +53,10 @@ describe Gitlab::LDAP::Access, lib: true do
           end
 
           it 'does not unblock user in GitLab' do
+            expect(access).not_to receive(:unblock_user)
+
             access.allowed?
+
             expect(user).to be_blocked
             expect(user).not_to be_ldap_blocked # this block is handled by omniauth not by our internal logic
           end
@@ -65,8 +68,9 @@ describe Gitlab::LDAP::Access, lib: true do
           end
 
           it 'unblocks user in GitLab' do
+            expect(access).to receive(:unblock_user).with(user, 'is not disabled anymore')
+
             access.allowed?
-            expect(user).not_to be_blocked
           end
         end
       end
@@ -87,9 +91,9 @@ describe Gitlab::LDAP::Access, lib: true do
           it { is_expected.to be_falsey }
 
           it 'blocks user in GitLab' do
+            expect(access).to receive(:block_user).with(user, 'does not exist anymore')
+
             access.allowed?
-            expect(user).to be_blocked
-            expect(user).to be_ldap_blocked
           end
         end
 
@@ -99,11 +103,54 @@ describe Gitlab::LDAP::Access, lib: true do
           end
 
           it 'unblocks the user if it exists' do
+            expect(access).to receive(:unblock_user).with(user, 'is not in Active Directory anymore')
+
             access.allowed?
-            expect(user).not_to be_blocked
           end
         end
       end
     end
   end
+
+  describe '#block_user' do
+    before do
+      user.activate
+      allow(Gitlab::AppLogger).to receive(:info)
+
+      access.block_user user, 'reason'
+    end
+
+    it 'blocks the user' do
+      expect(user).to be_blocked
+      expect(user).to be_ldap_blocked
+    end
+
+    it 'logs the reason' do
+      expect(Gitlab::AppLogger).to have_received(:info).with(
+        "LDAP account \"123456\" reason, " +
+        "blocking Gitlab user \"#{user.name}\" (#{user.email})"
+      )
+    end
+  end
+
+  describe '#unblock_user' do
+    before do
+      user.ldap_block
+      allow(Gitlab::AppLogger).to receive(:info)
+
+      access.unblock_user user, 'reason'
+    end
+
+    it 'activates the user' do
+      expect(user).not_to be_blocked
+      expect(user).not_to be_ldap_blocked
+    end
+
+    it 'logs the reason' do
+      Gitlab::AppLogger.info(
+        "LDAP account \"123456\" reason, " +
+        "unblocking Gitlab user \"#{user.name}\" (#{user.email})"
+      )
+    end
+  end
 end