Updating the tool with the following:

* The tool will no longer download all LDAP groups, instead it only downlodas the LDAP groups corresponding to projects within the system
* The "groupPrefix" key has been moved to the top-level of the configuration, but is now implemented.  The default "gitlab-" means that a gitlab group called "test" will have users from the LDAP group 'gitlab-test'
* The new configuration key "owners" indicates the group name which containers users who will be given "owner" permissions.  Note that the "groupPrefix" is applied to this name.  Note that all users in this group are granted owner permissions on any gitlab group which they are assigned to (but only those groups).  The default (admins) follows the previous behaviour
* The old behaviour of gitlab-default (or ${groupPrefix}default) is used where the group does not exist (or has no entries)
* The definition of Owner and the default access level can be defined.  These default to "50" for owner and "30" for other users (which follows the previous behaviour).
* The gitlab hook function for user addition has been modified so that it returns 200 if invoked with what appears to be a valid request, but only triggers reprocessing if the request is a user add.

Author: rchamberlin-amplero

app.js

@@ -13,6 +13,7 @@ readEnvironmentVariables(configSchema, config);
 
 var validate = require('jsonschema').validate;
 var result = validate(config, configSchema);
+
 if (result.errors.length > 0) {
   console.log('Config file invalid', result);
   process.exit(1);

config.sample.json

@@ -9,7 +9,11 @@
     "url": "ldaps://ldap.example.com",
     "baseDN": "OU=AADDC Users,DC=example,DC=com",
     "username": "ldap@example.com",
-    "password": "mY_S3Cr3T_P455W0Rd",
-    "groupPrefix": "gitlab-"
-  }
+    "password": "mY_S3Cr3T_P455W0Rd"
+  },
+  "groupPrefix": "gitlab-",
+  "ownersGroups": "admins",
+  "ownerAccessLevel": 50,
+  "defaultAccessLevel": 30
+
 }

gitlabLdapGroupSync.js

@@ -4,9 +4,7 @@ var ActiveDirectory = require('activedirectory');
 var NodeGitlab = require('node-gitlab');
 
 var ACCESS_LEVEL_OWNER = 50;
-var ACCESS_LEVEL_NORMAL = 40;
-
-//require('https').globalAgent.options.ca = require('ssl-root-cas/latest').create();
+var ACCESS_LEVEL_NORMAL = 30;
 
 module.exports = GitlabLdapGroupSync;
 
@@ -68,7 +66,8 @@ GitlabLdapGroupSync.prototype.sync = function () {
     }
     while(pagedGroups.length == 100);
 
-    var membersOwner = yield this.resolveLdapGroupMembers(ldap, 'owners', gitlabUserMap);
+    var membersOwner = yield this.resolveLdapGroupMembers(ldap, this.config['ownersGroup'] || 'admins', gitlabUserMap);
+    var membersDefault = yield this.resolveLdapGroupMembers(ldap, 'default', gitlabUserMap);
 
     for (var gitlabGroup of gitlabGroups) {
       console.log('-------------------------');
@@ -89,7 +88,7 @@ GitlabLdapGroupSync.prototype.sync = function () {
           continue; //ignore local users
         }
 
-        var access_level = membersOwner.indexOf(member.id) > -1 ? ACCESS_LEVEL_OWNER : ACCESS_LEVEL_NORMAL;
+        var access_level = this.accessLevel(member.id, membersOwner);
         if (member.access_level !== access_level) {
           console.log('update group member permission', { id: gitlabGroup.id, user_id: member.id, access_level: access_level });
           gitlab.groupMembers.update({ id: gitlabGroup.id, user_id: member.id, access_level: access_level });
@@ -99,6 +98,7 @@ GitlabLdapGroupSync.prototype.sync = function () {
       }
 
       var members = yield this.resolveLdapGroupMembers(ldap, gitlabGroup.name, gitlabUserMap);
+      members = (members && members.length) ? members : membersDefault;
 
       //remove unlisted users
       var toDeleteIds = currentMemberIds.filter(x => members.indexOf(x) == -1);
@@ -110,7 +110,7 @@ GitlabLdapGroupSync.prototype.sync = function () {
       //add new users
       var toAddIds = members.filter(x => currentMemberIds.indexOf(x) == -1);
       for (var id of toAddIds) {
-        var access_level = membersOwner.indexOf(id) > -1 ? ACCESS_LEVEL_OWNER : ACCESS_LEVEL_NORMAL;
+        var access_level = this.accessLevel(id, membersOwner);
         console.log('add group member', { id: gitlabGroup.id, user_id: id, access_level: access_level });
         gitlab.groupMembers.create({ id: gitlabGroup.id, user_id: id, access_level: access_level });
       }
@@ -127,6 +127,15 @@ GitlabLdapGroupSync.prototype.sync = function () {
 
 var ins = undefined;
 
+GitlabLdapGroupSync.prototype.accessLevel = function (id, membersOwner) {
+    var owner = membersOwner.indexOf(id) > -1
+
+    if(owner) {
+        return this.config['ownerAccessLevel'] || ACCESS_LEVEL_OWNER;
+    }
+    return this.config['defaultAccessLevel'] || ACCESS_LEVEL_NORMAL;
+}
+
 GitlabLdapGroupSync.prototype.startScheduler = function (interval) {
   this.stopScheduler();
   ins = every(interval).do(this.sync.bind(this));
@@ -140,7 +149,7 @@ GitlabLdapGroupSync.prototype.stopScheduler = function () {
 }
 
 GitlabLdapGroupSync.prototype.resolveLdapGroupMembers = function(ldap, group, gitlabUserMap) {
-  var groupName = this.config.ldap.groupPrefix + group
+  var groupName = (this.config.groupPrefix || 'gitlab-') + group
   console.log('Loading users for group: ' + groupName)
   return new Promise(function (resolve, reject) {
     var ldapGroups = {};

routes/gitlab.js

@@ -3,10 +3,12 @@ var router = express.Router();
 
 /* GET users listing. */
 router.post('/webhook', function (req, res) {
-  console.log(req);
+  console.log(req.body);
   if (req.body.event_name === 'user_create') {
     gitlabLdapGroupSync.sync();
     res.status(200).send('OK');
+  } else if(req.body.event_name) {
+    res.status(200).send('OK');
   } else {
     res.status(422).send('This is not a valid gitlab system hook');
   }