Cannot add LDAP Group Link with minimal access via REST API

Summary

When using the REST API to add an LDAP group link, you cannot set the access_level to minimal (5). Calling POST /groups/:id/ldap_group_links with access_level set to 5 fails with the error: access_level does not have a valid value.

The GitLab UI does not run into this error.

This is the LDAP equivalent of the SAML issue that was fixed in !205467 (merged).

Steps to reproduce

  1. Create a group
  2. Try to add an LDAP group link with access_level of 5 (minimal) via REST API
  3. Observe error

What is the current bug behavior?

Calling something like:

curl --request POST --header "Content-Type: application/json" --data '{ "cn": "my_ldap_group", "group_access": 5 }' --url "https://gitlab.com/api/v4/groups/$GROUPID/ldap_group_links"

returns a 400 error code and the error:

group_access does not have a valid value

What is the expected correct behavior?

The correct behavior would be to create the LDAP group link with the requested access level and return no error.

Root Cause Analysis

The API implementation of ldap_group_links uses the Gitlab::Access.all_values definition to check for valid values:

all_values is defined in access.rb#L43-61, which doesn't include MINIMAL_ACCESS:

# [...]

    NO_ACCESS      = 0
    MINIMAL_ACCESS = 5
    GUEST          = 10

# [...]

      def all_values
        options_with_owner.values
      end

      def options
        {
          "Guest" => GUEST,
          "Planner" => PLANNER,
          "Reporter" => REPORTER,
          "Developer" => DEVELOPER,
          "Maintainer" => MAINTAINER
        }
      end

      def options_with_owner
        options.merge(
          "Owner" => OWNER
        )
      end

# [...]

Proposed Solution

Similar to the fix in !205467 (merged) for SAML group links, we need to update the LDAP group links API to use Gitlab::Access.all_values_with_minimal_access instead of Gitlab::Access.all_values.

The fix should be in ee/lib/api/ldap_group_links.rb around line 48, changing:

values: Gitlab::Access.all_values

to:

values: Gitlab::Access.all_values_with_minimal_access
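
The effect of the one-line change, as an added example (a simplified model, not GitLab's code): an allow-list check on group_access run against both value lists for several levels. The module name AccessModel, the helpers create_ldap_link and status_by_level, the numeric values for Planner through Owner, the body of all_values_with_minimal_access, and the "error" response key are assumptions not shown on this page.

```ruby
# Simplified stand-in for Gitlab::Access (added example, not GitLab's code).
module AccessModel
  NO_ACCESS      = 0
  MINIMAL_ACCESS = 5
  GUEST          = 10
  # The page elides these values; the numbers below are assumed.
  PLANNER    = 15
  REPORTER   = 20
  DEVELOPER  = 30
  MAINTAINER = 40
  OWNER      = 50

  module_function

  def options
    { "Guest" => GUEST, "Planner" => PLANNER, "Reporter" => REPORTER,
      "Developer" => DEVELOPER, "Maintainer" => MAINTAINER }
  end

  def all_values
    options.merge("Owner" => OWNER).values
  end

  # Assumed body: the page names this method but does not show it.
  def all_values_with_minimal_access
    [MINIMAL_ACCESS] + all_values
  end
end

# Hypothetical handler: allow-list check on group_access, then "create".
def create_ldap_link(params, allowed)
  level = params["group_access"]
  unless level.is_a?(Integer) && allowed.include?(level)
    return [400, { "error" => "group_access does not have a valid value" }]
  end
  [201, { "cn" => params["cn"], "group_access" => level }]
end

# HTTP status per level under the old and the proposed allow-list.
def status_by_level(levels)
  levels.to_h do |lvl|
    req = { "cn" => "my_ldap_group", "group_access" => lvl } # constructed
    [lvl, [create_ldap_link(req, AccessModel.all_values)[0],
           create_ldap_link(req, AccessModel.all_values_with_minimal_access)[0]]]
  end
end

status_by_level([0, 5, 10, 50, 99]).each do |lvl, (before, after)|
  puts format("group_access=%-2d  all_values: %d  with_minimal_access: %d", lvl, before, after)
end
```

Only level 5 changes outcome; 0 (NO_ACCESS) and undefined values stay rejected under the wider list, which is the property a regression spec for this fix should pin down.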

References

  • Related to !205467 (merged) (Fix SAML Group Link with minimal access via REST API)
  • Related to #420655 (closed) (Cannot add SAML Group Link with minimal access via REST API) - FIXED
  • Parent epic: &8538 (LDAP Group Sync)
  • Parent epic: &19084 (Enterprise user provisioning and management)

How to test

  1. Set up a group with LDAP group sync enabled
  2. Try to add an LDAP Group Link with minimal access (5) via the REST API:
    curl --request POST --header "Content-Type: application/json" --data '{ "cn": "my_ldap_group", "group_access": 5 }' --url "https://gitlab.com/api/v4/groups/$GROUPID/ldap_group_links"
  3. Verify the operation succeeds without validation errors
  4. Confirm the LDAP group link is created with minimal access level

Labels

backend, bug, group::seat management, ldap, type::bug, devops::fulfillment, section::fulfillment, api, priority::2, severity::3