Add latest changes from gitlab-org/gitlab@15-6-stable-eev15.6.0-rc42

8 files changed, 309 insertions, 110 deletions

diff --git a/spec/policies/global_policy_spec.rb b/spec/policies/global_policy_spec.rb
index da0427420e4..4a8855f1da7 100644
--- a/spec/policies/global_policy_spec.rb
+++ b/spec/policies/global_policy_spec.rb
@@ -591,34 +591,4 @@ RSpec.describe GlobalPolicy do
       it { is_expected.not_to be_allowed(:log_in) }
     end
   end
-
-  describe 'delete runners' do
-    context 'when anonymous' do
-      let(:current_user) { nil }
-
-      it { is_expected.not_to be_allowed(:delete_runners) }
-    end
-
-    context 'regular user' do
-      it { is_expected.not_to be_allowed(:delete_runners) }
-    end
-
-    context 'when external' do
-      let(:current_user) { build(:user, :external) }
-
-      it { is_expected.not_to be_allowed(:delete_runners) }
-    end
-
-    context 'admin user' do
-      let_it_be(:current_user) { create(:user, :admin) }
-
-      context 'when admin mode is enabled', :enable_admin_mode do
-        it { is_expected.to be_allowed(:delete_runners) }
-      end
-
-      context 'when admin mode is disabled' do
-        it { is_expected.to be_disallowed(:delete_runners) }
-      end
-    end
-  end
 end
diff --git a/spec/policies/group_member_policy_spec.rb b/spec/policies/group_member_policy_spec.rb
index 27ce683861c..6ae5e43def4 100644
--- a/spec/policies/group_member_policy_spec.rb
+++ b/spec/policies/group_member_policy_spec.rb
@@ -83,6 +83,31 @@ RSpec.describe GroupMemberPolicy do
     specify { expect_allowed(:read_group) }
   end
 
+  context 'for access requests' do
+    let_it_be(:group) { create(:group, :public) }
+    let_it_be(:user) { create(:user) }
+
+    let(:current_user) { user }
+
+    context 'for own access request' do
+      let(:membership) { create(:group_member, :access_request, group: group, user: user) }
+
+      specify { expect_allowed(:withdraw_member_access_request) }
+    end
+
+    context "for another user's access request" do
+      let(:membership) { create(:group_member, :access_request, group: group, user: create(:user)) }
+
+      specify { expect_disallowed(:withdraw_member_access_request) }
+    end
+
+    context 'for own, valid membership' do
+      let(:membership) { create(:group_member, :developer, group: group, user: user) }
+
+      specify { expect_disallowed(:withdraw_member_access_request) }
+    end
+  end
+
   context 'with bot user' do
     let(:current_user) { create(:user, :project_bot) }
 
@@ -100,74 +125,83 @@ RSpec.describe GroupMemberPolicy do
     specify { expect_disallowed(:read_group, :destroy_project_bot_member) }
   end
 
-  context 'with one owner' do
+  context 'with owner' do
     let(:current_user) { owner }
 
-    specify { expect_disallowed(*member_related_permissions) }
-    specify { expect_allowed(:read_group) }
-  end
+    context 'with group with one owner' do
+      specify { expect_disallowed(*member_related_permissions) }
+      specify { expect_allowed(:read_group) }
+    end
 
-  context 'with one blocked owner' do
-    let(:owner) { create(:user, :blocked) }
-    let(:current_user) { owner }
+    context 'with group with bot user owner' do
+      before do
+        group.add_owner(create(:user, :project_bot))
+      end
 
-    specify { expect_disallowed(*member_related_permissions) }
-    specify { expect_disallowed(:read_group) }
-  end
+      specify { expect_disallowed(*member_related_permissions) }
+    end
 
-  context 'with more than one owner' do
-    let(:current_user) { owner }
+    context 'with group with more than one owner' do
+      before do
+        group.add_owner(create(:user))
+      end
 
-    before do
-      group.add_owner(create(:user))
+      specify { expect_allowed(*member_related_permissions) }
+      specify { expect_disallowed(:destroy_project_bot_member) }
     end
 
-    specify { expect_allowed(*member_related_permissions) }
-    specify { expect_disallowed(:destroy_project_bot_member) }
-  end
+    context 'with group with owners from a parent' do
+      context 'when top-level group' do
+        context 'with group sharing' do
+          let!(:subgroup) { create(:group, :private, parent: group) }
 
-  context 'with the group parent' do
-    let(:current_user) { create :user }
-    let(:subgroup) { create(:group, :private, parent: group) }
+          before do
+            create(:group_group_link, :owner, shared_group: group, shared_with_group: subgroup)
+            create(:group_member, :owner, group: subgroup)
+          end
 
-    before do
-      group.add_owner(owner)
-      subgroup.add_owner(current_user)
-    end
+          specify { expect_disallowed(*member_related_permissions) }
+          specify { expect_allowed(:read_group) }
+        end
+      end
 
-    it do
-      expect_allowed(:destroy_group_member)
-      expect_allowed(:update_group_member)
-    end
-  end
+      context 'when subgroup' do
+        let(:current_user) { create :user }
 
-  context 'without group parent' do
-    let(:current_user) { create :user }
-    let(:subgroup) { create(:group, :private) }
+        let!(:subgroup) { create(:group, :private, parent: group) }
 
-    before do
-      subgroup.add_owner(current_user)
-    end
+        before do
+          subgroup.add_owner(current_user)
+        end
 
-    it do
-      expect_disallowed(:destroy_group_member)
-      expect_disallowed(:update_group_member)
+        specify { expect_allowed(*member_related_permissions) }
+        specify { expect_allowed(:read_group) }
+      end
     end
   end
 
-  context 'without group parent with two owners' do
-    let(:current_user) { create :user }
-    let(:other_user) { create :user }
-    let(:subgroup) { create(:group, :private) }
+  context 'with blocked owner' do
+    let(:owner) { create(:user, :blocked) }
+    let(:current_user) { owner }
 
-    before do
-      subgroup.add_owner(current_user)
-      subgroup.add_owner(other_user)
+    specify { expect_disallowed(*member_related_permissions) }
+    specify { expect_disallowed(:read_group) }
+
+    context 'with group with bot user owner' do
+      before do
+        group.add_owner(create(:user, :project_bot))
+      end
+
+      specify { expect_disallowed(*member_related_permissions) }
+      specify { expect_disallowed(:read_group) }
     end
 
-    it do
-      expect_allowed(:destroy_group_member)
-      expect_allowed(:update_group_member)
+    context 'with group with more than one blocked owner' do
+      before do
+        group.add_owner(create(:user, :blocked))
+      end
+
+      specify { expect_allowed(:destroy_group_member) }
     end
   end
 end
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index c65933c5208..60acacac814 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -258,6 +258,19 @@ RSpec.describe GroupPolicy do
     it_behaves_like 'deploy token does not get confused with user' do
       let(:user_id) { migration_bot.id }
     end
+
+    context 'with no user' do
+      let(:current_user) { nil }
+
+      it :aggregate_failures do
+        expect_disallowed(:read_resource_access_tokens, :destroy_resource_access_tokens)
+        expect_disallowed(*guest_permissions)
+        expect_disallowed(*reporter_permissions)
+        expect_disallowed(*developer_permissions)
+        expect_disallowed(*maintainer_permissions)
+        expect_disallowed(*owner_permissions)
+      end
+    end
   end
 
   describe 'private nested group use the highest access level from the group and inherited permissions' do
diff --git a/spec/policies/issuable_policy_spec.rb b/spec/policies/issuable_policy_spec.rb
index 2bedcf60539..c8c322b02db 100644
--- a/spec/policies/issuable_policy_spec.rb
+++ b/spec/policies/issuable_policy_spec.rb
@@ -31,8 +31,8 @@ RSpec.describe IssuablePolicy, models: true do
         expect(policies).to be_allowed(:resolve_note)
       end
 
-      it 'allows reading internal notes' do
-        expect(policies).to be_allowed(:read_internal_note)
+      it 'does not allow reading internal notes' do
+        expect(policies).to be_disallowed(:read_internal_note)
       end
 
       context 'when user is able to read project' do
@@ -94,8 +94,8 @@ RSpec.describe IssuablePolicy, models: true do
       let(:issue) { create(:issue, project: project, assignees: [user]) }
       let(:policies) { described_class.new(user, issue) }
 
-      it 'allows reading internal notes' do
-        expect(policies).to be_allowed(:read_internal_note)
+      it 'does not allow reading internal notes' do
+        expect(policies).to be_disallowed(:read_internal_note)
       end
     end
 
diff --git a/spec/policies/note_policy_spec.rb b/spec/policies/note_policy_spec.rb
index eeaa77a4589..6a261b4ff5b 100644
--- a/spec/policies/note_policy_spec.rb
+++ b/spec/policies/note_policy_spec.rb
@@ -309,42 +309,41 @@ RSpec.describe NotePolicy do
 
         shared_examples_for 'confidential notes permissions' do
           it 'does not allow non members to read confidential notes and replies' do
-            expect(permissions(non_member, confidential_note)).to be_disallowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji)
+            expect(permissions(non_member, confidential_note)).to be_disallowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji, :mark_note_as_confidential)
           end
 
           it 'does not allow guests to read confidential notes and replies' do
-            expect(permissions(guest, confidential_note)).to be_disallowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji)
+            expect(permissions(guest, confidential_note)).to be_disallowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji, :mark_note_as_confidential)
           end
 
           it 'allows reporter to read all notes but not resolve and admin them' do
-            expect(permissions(reporter, confidential_note)).to be_allowed(:read_note, :award_emoji)
+            expect(permissions(reporter, confidential_note)).to be_allowed(:read_note, :award_emoji, :mark_note_as_confidential)
             expect(permissions(reporter, confidential_note)).to be_disallowed(:admin_note, :reposition_note, :resolve_note)
           end
 
           it 'allows developer to read and resolve all notes' do
-            expect(permissions(developer, confidential_note)).to be_allowed(:read_note, :award_emoji, :resolve_note)
+            expect(permissions(developer, confidential_note)).to be_allowed(:read_note, :award_emoji, :resolve_note, :mark_note_as_confidential)
             expect(permissions(developer, confidential_note)).to be_disallowed(:admin_note, :reposition_note)
           end
 
           it 'allows maintainers to read all notes and admin them' do
-            expect(permissions(maintainer, confidential_note)).to be_allowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji)
+            expect(permissions(maintainer, confidential_note)).to be_allowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji, :mark_note_as_confidential)
           end
 
           context 'when admin mode is enabled', :enable_admin_mode do
             it 'allows admins to read all notes and admin them' do
-              expect(permissions(admin, confidential_note)).to be_allowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji)
+              expect(permissions(admin, confidential_note)).to be_allowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji, :mark_note_as_confidential)
             end
           end
 
           context 'when admin mode is disabled' do
             it 'does not allow non members to read confidential notes and replies' do
-              expect(permissions(admin, confidential_note)).to be_disallowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji)
+              expect(permissions(admin, confidential_note)).to be_disallowed(:read_note, :admin_note, :reposition_note, :resolve_note, :award_emoji, :mark_note_as_confidential)
             end
           end
 
-          it 'allows noteable author to read and resolve all notes' do
-            expect(permissions(author, confidential_note)).to be_allowed(:read_note, :resolve_note, :award_emoji)
-            expect(permissions(author, confidential_note)).to be_disallowed(:admin_note, :reposition_note)
+          it 'disallows noteable author to read and resolve all notes' do
+            expect(permissions(author, confidential_note)).to be_disallowed(:read_note, :resolve_note, :award_emoji, :mark_note_as_confidential, :admin_note, :reposition_note)
           end
         end
 
@@ -354,9 +353,8 @@ RSpec.describe NotePolicy do
 
           it_behaves_like 'confidential notes permissions'
 
-          it 'allows noteable assignees to read all notes' do
-            expect(permissions(assignee, confidential_note)).to be_allowed(:read_note, :award_emoji)
-            expect(permissions(assignee, confidential_note)).to be_disallowed(:admin_note, :reposition_note, :resolve_note)
+          it 'disallows noteable assignees to read all notes' do
+            expect(permissions(assignee, confidential_note)).to be_disallowed(:read_note, :award_emoji, :mark_note_as_confidential, :admin_note, :reposition_note, :resolve_note)
           end
         end
       end
diff --git a/spec/policies/project_member_policy_spec.rb b/spec/policies/project_member_policy_spec.rb
index b19ab71fcb5..d7c155b39f5 100644
--- a/spec/policies/project_member_policy_spec.rb
+++ b/spec/policies/project_member_policy_spec.rb
@@ -4,13 +4,14 @@ require 'spec_helper'
 
 RSpec.describe ProjectMemberPolicy do
   let(:project) { create(:project) }
-  let(:maintainer_user) { create(:user) }
+  let(:maintainer) { create(:user) }
   let(:member) { create(:project_member, project: project, user: member_user) }
+  let(:current_user) { maintainer }
 
-  subject { described_class.new(maintainer_user, member) }
+  subject { described_class.new(current_user, member) }
 
   before do
-    create(:project_member, :maintainer, project: project, user: maintainer_user)
+    create(:project_member, :maintainer, project: project, user: maintainer)
   end
 
   context 'with regular member' do
@@ -40,4 +41,29 @@ RSpec.describe ProjectMemberPolicy do
     it { is_expected.not_to be_allowed(:update_project_member) }
     it { is_expected.not_to be_allowed(:destroy_project_member) }
   end
+
+  context 'for access requests' do
+    let_it_be(:project) { create(:project, :public) }
+    let_it_be(:user) { create(:user) }
+
+    let(:current_user) { user }
+
+    context 'for own access request' do
+      let(:member) { create(:project_member, :access_request, project: project, user: user) }
+
+      specify { expect_allowed(:withdraw_member_access_request) }
+    end
+
+    context "for another user's access request" do
+      let(:member) { create(:project_member, :access_request, project: project, user: create(:user)) }
+
+      specify { expect_disallowed(:withdraw_member_access_request) }
+    end
+
+    context 'for own, valid membership' do
+      let(:member) { create(:project_member, :developer, project: project, user: user) }
+
+      specify { expect_disallowed(:withdraw_member_access_request) }
+    end
+  end
 end
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index 40ee2e662b2..973ed66b8d8 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -323,7 +323,7 @@ RSpec.describe ProjectPolicy do
         :create_environment, :read_environment, :update_environment, :admin_environment, :destroy_environment,
         :create_cluster, :read_cluster, :update_cluster, :admin_cluster,
         :create_deployment, :read_deployment, :update_deployment, :admin_deployment, :destroy_deployment,
-        :destroy_release, :download_code, :build_download_code
+        :download_code, :build_download_code
       ]
     end
 
@@ -533,6 +533,41 @@ RSpec.describe ProjectPolicy do
     end
   end
 
+  context 'with timeline event tags' do
+    context 'when user is member of the project' do
+      it 'allows access to timeline event tags' do
+        expect(described_class.new(owner, project)).to be_allowed(:read_incident_management_timeline_event_tag)
+        expect(described_class.new(developer, project)).to be_allowed(:read_incident_management_timeline_event_tag)
+        expect(described_class.new(guest, project)).to be_allowed(:read_incident_management_timeline_event_tag)
+        expect(described_class.new(admin, project)).to be_allowed(:read_incident_management_timeline_event_tag)
+      end
+    end
+
+    context 'when user is a maintainer/owner' do
+      it 'allows to create timeline event tags' do
+        expect(described_class.new(maintainer, project)).to be_allowed(:admin_incident_management_timeline_event_tag)
+        expect(described_class.new(owner, project)).to be_allowed(:admin_incident_management_timeline_event_tag)
+      end
+    end
+
+    context 'when user is a developer/guest/reporter' do
+      it 'disallows creation' do
+        expect(described_class.new(developer, project)).to be_disallowed(:admin_incident_management_timeline_event_tag)
+        expect(described_class.new(guest, project)).to be_disallowed(:admin_incident_management_timeline_event_tag)
+        expect(described_class.new(reporter, project)).to be_disallowed(:admin_incident_management_timeline_event_tag)
+      end
+    end
+
+    context 'when user is not a member of the project' do
+      let(:project) { private_project }
+
+      it 'disallows access to the timeline event tags' do
+        expect(described_class.new(non_member, project)).to be_disallowed(:read_incident_management_timeline_event_tag)
+        expect(described_class.new(non_member, project)).to be_disallowed(:admin_incident_management_timeline_event_tag)
+      end
+    end
+  end
+
   context 'reading a project' do
     it 'allows access when a user has read access to the repo' do
       expect(described_class.new(owner, project)).to be_allowed(:read_project)
@@ -629,17 +664,7 @@ RSpec.describe ProjectPolicy do
     context 'when user is member of the project' do
       let(:current_user) { developer }
 
-      context 'when work_items feature flag is enabled' do
-        it { expect_allowed(:create_task) }
-      end
-
-      context 'when work_items feature flag is disabled' do
-        before do
-          stub_feature_flags(work_items: false)
-        end
-
-        it { expect_disallowed(:create_task) }
-      end
+      it { expect_allowed(:create_task) }
     end
   end
 
@@ -2299,6 +2324,74 @@ RSpec.describe ProjectPolicy do
     end
   end
 
+  describe 'infrastructure feature' do
+    using RSpec::Parameterized::TableSyntax
+
+    let(:guest_permissions) { [] }
+
+    let(:developer_permissions) do
+      guest_permissions + [:read_terraform_state, :read_pod_logs, :read_prometheus]
+    end
+
+    let(:maintainer_permissions) do
+      developer_permissions + [:create_cluster, :read_cluster, :update_cluster, :admin_cluster, :admin_terraform_state, :admin_project_google_cloud]
+    end
+
+    where(:project_visibility, :access_level, :role, :allowed) do
+      :public   | ProjectFeature::ENABLED   | :maintainer | true
+      :public   | ProjectFeature::ENABLED   | :developer  | true
+      :public   | ProjectFeature::ENABLED   | :guest      | true
+      :public   | ProjectFeature::ENABLED   | :anonymous  | true
+      :public   | ProjectFeature::PRIVATE   | :maintainer | true
+      :public   | ProjectFeature::PRIVATE   | :developer  | true
+      :public   | ProjectFeature::PRIVATE   | :guest      | true
+      :public   | ProjectFeature::PRIVATE   | :anonymous  | false
+      :public   | ProjectFeature::DISABLED  | :maintainer | false
+      :public   | ProjectFeature::DISABLED  | :developer  | false
+      :public   | ProjectFeature::DISABLED  | :guest      | false
+      :public   | ProjectFeature::DISABLED  | :anonymous  | false
+      :internal | ProjectFeature::ENABLED   | :maintainer | true
+      :internal | ProjectFeature::ENABLED   | :developer  | true
+      :internal | ProjectFeature::ENABLED   | :guest      | true
+      :internal | ProjectFeature::ENABLED   | :anonymous  | false
+      :internal | ProjectFeature::PRIVATE   | :maintainer | true
+      :internal | ProjectFeature::PRIVATE   | :developer  | true
+      :internal | ProjectFeature::PRIVATE   | :guest      | true
+      :internal | ProjectFeature::PRIVATE   | :anonymous  | false
+      :internal | ProjectFeature::DISABLED  | :maintainer | false
+      :internal | ProjectFeature::DISABLED  | :developer  | false
+      :internal | ProjectFeature::DISABLED  | :guest      | false
+      :internal | ProjectFeature::DISABLED  | :anonymous  | false
+      :private  | ProjectFeature::ENABLED   | :maintainer | true
+      :private  | ProjectFeature::ENABLED   | :developer  | true
+      :private  | ProjectFeature::ENABLED   | :guest      | true
+      :private  | ProjectFeature::ENABLED   | :anonymous  | false
+      :private  | ProjectFeature::PRIVATE   | :maintainer | true
+      :private  | ProjectFeature::PRIVATE   | :developer  | true
+      :private  | ProjectFeature::PRIVATE   | :guest      | true
+      :private  | ProjectFeature::PRIVATE   | :anonymous  | false
+      :private  | ProjectFeature::DISABLED  | :maintainer | false
+      :private  | ProjectFeature::DISABLED  | :developer  | false
+      :private  | ProjectFeature::DISABLED  | :guest      | false
+      :private  | ProjectFeature::DISABLED  | :anonymous  | false
+    end
+
+    with_them do
+      let(:current_user) { user_subject(role) }
+      let(:project) { project_subject(project_visibility) }
+
+      it 'allows/disallows the abilities based on the infrastructure access level' do
+        project.project_feature.update!(infrastructure_access_level: access_level)
+
+        if allowed
+          expect_allowed(*permissions_abilities(role))
+        else
+          expect_disallowed(*permissions_abilities(role))
+        end
+      end
+    end
+  end
+
   describe 'access_security_and_compliance' do
     context 'when the "Security & Compliance" is enabled' do
       before do
@@ -2791,6 +2884,27 @@ RSpec.describe ProjectPolicy do
     end
   end
 
+  describe 'read_code' do
+    let(:current_user) { create(:user) }
+
+    before do
+      allow(subject).to receive(:allowed?).and_call_original
+      allow(subject).to receive(:allowed?).with(:download_code).and_return(can_download_code)
+    end
+
+    context 'when the current_user can download_code' do
+      let(:can_download_code) { true }
+
+      it { expect_allowed(:read_code) }
+    end
+
+    context 'when the current_user cannot download_code' do
+      let(:can_download_code) { false }
+
+      it { expect_disallowed(:read_code) }
+    end
+  end
+
   private
 
   def project_subject(project_type)
diff --git a/spec/policies/user_policy_spec.rb b/spec/policies/user_policy_spec.rb
index b800e7dbc43..d02a94b810e 100644
--- a/spec/policies/user_policy_spec.rb
+++ b/spec/policies/user_policy_spec.rb
@@ -84,6 +84,50 @@ RSpec.describe UserPolicy do
     end
   end
 
+  describe "reading a user's associations count" do
+    context 'when current_user is not an admin' do
+      context 'fetching their own data' do
+        subject { described_class.new(current_user, current_user) }
+
+        context 'when current_user is not blocked' do
+          it { is_expected.to be_allowed(:get_user_associations_count ) }
+        end
+
+        context 'when current_user is blocked' do
+          let(:current_user) { create(:user, :blocked) }
+
+          it { is_expected.not_to be_allowed(:get_user_associations_count) }
+        end
+      end
+
+      context "fetching a different user's data" do
+        it { is_expected.not_to be_allowed(:get_user_associations_count) }
+      end
+    end
+
+    context 'when current_user is an admin' do
+      let(:current_user) { admin }
+
+      context 'fetching their own data', :enable_admin_mode do
+        subject { described_class.new(current_user, current_user) }
+
+        context 'when current_user is not blocked' do
+          it { is_expected.to be_allowed(:get_user_associations_count ) }
+        end
+
+        context 'when current_user is blocked' do
+          let(:current_user) { create(:admin, :blocked) }
+
+          it { is_expected.not_to be_allowed(:get_user_associations_count) }
+        end
+      end
+
+      context "fetching a different user's data", :enable_admin_mode do
+        it { is_expected.to be_allowed(:get_user_associations_count) }
+      end
+    end
+  end
+
   shared_examples 'changing a user' do |ability|
     context "when a regular user tries to destroy another regular user" do
       it { is_expected.not_to be_allowed(ability) }