Merge branch 'patch/fix-ldap-unblock-user-logic' into 'master'

Unblocks user when active_directory is disabled and it can be found

We implemented a specific block state to handle user blocking that originates from LDAP filtering rules / directory state in !2242. 

That introduced a regression in LDAP authentication when Active Directory support was disabled. You could have a scenario where the user would not be temporarily found (like a filtering rule), that would mark the user as `ldap_blocked`, but will never unblock it automatically when that state changed.

Fixes #14253, #13179, #13259, #13959

See merge request !3550

1 files changed, 26 insertions, 1 deletions

diff --git a/spec/lib/gitlab/ldap/access_spec.rb b/spec/lib/gitlab/ldap/access_spec.rb
index 32a19bf344b..f5b66b8156f 100644
--- a/spec/lib/gitlab/ldap/access_spec.rb
+++ b/spec/lib/gitlab/ldap/access_spec.rb
@@ -33,7 +33,7 @@ describe Gitlab::LDAP::Access, lib: true do
 
         it { is_expected.to be_falsey }
 
-        it 'should block user in GitLab' do
+        it 'blocks user in GitLab' do
           access.allowed?
           expect(user).to be_blocked
           expect(user).to be_ldap_blocked
@@ -78,6 +78,31 @@ describe Gitlab::LDAP::Access, lib: true do
         end
 
         it { is_expected.to be_truthy }
+
+        context 'when user cannot be found' do
+          before do
+            allow(Gitlab::LDAP::Person).to receive(:find_by_dn).and_return(nil)
+          end
+
+          it { is_expected.to be_falsey }
+
+          it 'blocks user in GitLab' do
+            access.allowed?
+            expect(user).to be_blocked
+            expect(user).to be_ldap_blocked
+          end
+        end
+
+        context 'when user was previously ldap_blocked' do
+          before do
+            user.ldap_block
+          end
+
+          it 'unblocks the user if it exists' do
+            access.allowed?
+            expect(user).not_to be_blocked
+          end
+        end
       end
     end
   end