Update the user when there are no matching groups #10634

Merged
merged 1 commit into from Aug 24, 2016

Conversation

jvlcek
Member

@jvlcek jvlcek commented Aug 19, 2016

I have confirmed this PR using external auth with IPA/LDAP.
Marking as WIP until I am able to confirm with LDAP directly.

Purpose or Intent

The purpose of this PR is to address a situation where:

A valid user with valid MiQ groups had been able to successfully log into MiQ.

After which the LDAP system administrator removed all MiQ groups from the
user with the intent of preventing the user access to MiQ.

However when no valid groups were returned from LDAP the user's group
information was not updated in the DB and the UI would use the stale,
valid records.

This PR simply updates the user's miq_groups to empty when there are
no matching groups. Thereby preventing user authorization.

Steps for Testing/QA

To test this:

1 - Configure MiQ to validate using LDAP, either directly to an LDAP server or to an external authentication server that supports LDAP (e.g. IPA)

2 - Create a valid user with valid MiQ groups in LDAP

3 - Log into MiQ using the valid user, then log off

4 - Remove all valid MiQ groups from the user in LDAP

5 - Confirm that login attempts into MiQ using the valid user that no longer has valid MiQ groups in LDAP fail.

Description

When all MiQ groups are removed for a given user
on the "authenticator" the user's DB entry must
be updated to show no matching MiQ groups.

https://bugzilla.redhat.com/show_bug.cgi?id=1342082
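
The stale-membership condition described in this PR, replayed as an added Ruby example that is not code from the PR or from ManageIQ. Every name in it (`UserRecord`, `KNOWN_GROUPS`, the `sync_groups_*` methods, the group names) is hypothetical and the directory responses are constructed.

```ruby
# Added illustration; not ManageIQ code. All names are hypothetical.
require "set"

# Constructed stand-in for the groups defined in the application.
KNOWN_GROUPS = Set["miq-admins", "miq-operators"].freeze

# Minimal stand-in for a persisted user row with cached group membership.
UserRecord = Struct.new(:userid, :groups) do
  def authorized?
    !groups.empty?
  end
end

# Groups returned by the directory that also exist in the application.
def matching_groups(directory_groups)
  directory_groups.select { |g| KNOWN_GROUPS.include?(g) }
end

# Before: the cached membership is overwritten only on a non-empty match,
# so a user stripped of every group keeps the last valid set.
def sync_groups_stale(user, directory_groups)
  matches = matching_groups(directory_groups)
  user.groups = matches unless matches.empty?
  user.authorized?
end

# After: the cached membership always mirrors the directory, including
# the empty result, so authorization fails closed.
def sync_groups_fail_closed(user, directory_groups)
  user.groups = matching_groups(directory_groups)
  user.authorized?
end

# Constructed scenario following the test steps above: a first login with a
# valid group, then a second login after the LDAP admin removed all of them.
def replay(sync)
  user = UserRecord.new("alice", [])
  first  = send(sync, user, ["miq-operators", "staff"])
  second = send(sync, user, ["staff"])
  { first_login: first, second_login: second, cached: user.groups }
end

if __FILE__ == $PROGRAM_NAME
  p replay(:sync_groups_stale)
  p replay(:sync_groups_fail_closed)
end
```
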

@jvlcek
Member Author

jvlcek commented Aug 19, 2016

@abellotti and @kbrock Please review

@abellotti
Member

@jvlcek until we get a memberof overlay on ApacheDS, you can configure MiqLdap directly to the Ldap of an IPA server and test against that. IPA's openldap implements the memberof overlay.

@jvlcek jvlcek changed the title from "[WIP] Update the user when there are no matching groups" to "Update the user when there are no matching groups" Aug 23, 2016
@miq-bot
Member

miq-bot commented Aug 23, 2016

Checked commit jvlcek@7b439c1 with ruby 2.2.5, rubocop 0.37.2, and haml-lint 0.16.1
2 files checked, 0 offenses detected
Everything looks good. 🍪

@abellotti
Member

@jvlcek nice job diving in and getting this PR done. LGTM!!

@gtanzillo
Member

👍 LGTM too!

@jvlcek
Member Author

jvlcek commented Aug 23, 2016

@gtanzillo and @abellotti Once the Travis tests pass I'll request a final review/merge.

@jvlcek
Member Author

jvlcek commented Aug 23, 2016

@abellotti Please take a look.
As you know I tested with both miq_ldap and external auth.

@abellotti
Member

I'm good with this. @kbrock can we borrow your 👀 Thanks.

@kbrock
Member

kbrock commented Aug 24, 2016

This looks great :shipit:

@kbrock kbrock removed the wip label Aug 24, 2016
@gtanzillo gtanzillo added this to the Sprint 46 Ending Sep 12, 2016 milestone Aug 24, 2016
@gtanzillo gtanzillo merged commit 426e642 into ManageIQ:master Aug 24, 2016
chessbyte pushed a commit that referenced this pull request Aug 24, 2016
Update the user when there are no matching groups
(cherry picked from commit 426e642)
@chessbyte
Member

Darga backport details:

$ git cherry-pick -x -m 1  426e642     
[darga bab3149] Merge pull request #10634 from jvlcek/bz_1342082_ext_auth_groups
 Author: Gregg Tanzillo <gtanzill@redhat.com>
 Date: Wed Aug 24 11:43:15 2016 -0400
 2 files changed, 25 insertions(+), 1 deletion(-)

$ git log
commit bab3149e524e31922ef355acb80219572bc00b77
Author: Gregg Tanzillo <gtanzill@redhat.com>
Date:   Wed Aug 24 11:43:15 2016 -0400

    Merge pull request #10634 from jvlcek/bz_1342082_ext_auth_groups

    Update the user when there are no matching groups
    (cherry picked from commit 426e6420e94cb050311ea99992db43dd490992d8)

@jvlcek jvlcek deleted the bz_1342082_ext_auth_groups branch September 7, 2016 18:17