1 files changed, 32 insertions, 0 deletions

diff --git a/spec/finders/clusters/agent_authorizations_finder_spec.rb b/spec/finders/clusters/agent_authorizations_finder_spec.rb
index 687906db0d7..2d90f32adc5 100644
--- a/spec/finders/clusters/agent_authorizations_finder_spec.rb
+++ b/spec/finders/clusters/agent_authorizations_finder_spec.rb
@@ -9,6 +9,10 @@ RSpec.describe Clusters::AgentAuthorizationsFinder do
     let_it_be(:subgroup2) { create(:group, parent: subgroup1) }
     let_it_be(:bottom_level_group) { create(:group, parent: subgroup2) }
 
+    let_it_be(:non_ancestor_group) { create(:group, parent: top_level_group) }
+    let_it_be(:non_ancestor_project) { create(:project, namespace: non_ancestor_group) }
+    let_it_be(:non_ancestor_agent) { create(:cluster_agent, project: non_ancestor_project) }
+
     let_it_be(:agent_configuration_project) { create(:project, namespace: subgroup1) }
     let_it_be(:requesting_project, reload: true) { create(:project, namespace: bottom_level_group) }
 
@@ -56,6 +60,20 @@ RSpec.describe Clusters::AgentAuthorizationsFinder do
         it { is_expected.to be_empty }
       end
 
+      context 'agent configuration project shares a root namespace, but does not belong to an ancestor of the given project' do
+        let!(:project_authorization) { create(:agent_project_authorization, agent: non_ancestor_agent, project: requesting_project) }
+
+        it { is_expected.to match_array([project_authorization]) }
+
+        context 'agent_authorization_include_descendants feature flag is disabled' do
+          before do
+            stub_feature_flags(agent_authorization_include_descendants: false)
+          end
+
+          it { is_expected.to be_empty }
+        end
+      end
+
       context 'with project authorizations present' do
         let!(:authorization) { create(:agent_project_authorization, agent: production_agent, project: requesting_project) }
 
@@ -116,6 +134,20 @@ RSpec.describe Clusters::AgentAuthorizationsFinder do
         end
       end
 
+      context 'agent configuration project does not belong to an ancestor of the authorized group' do
+        let!(:group_authorization) { create(:agent_group_authorization, agent: non_ancestor_agent, group: bottom_level_group) }
+
+        it { is_expected.to match_array([group_authorization]) }
+
+        context 'agent_authorization_include_descendants feature flag is disabled' do
+          before do
+            stub_feature_flags(agent_authorization_include_descendants: false)
+          end
+
+          it { is_expected.to be_empty }
+        end
+      end
+
       it_behaves_like 'access_as' do
         let!(:authorization) { create(:agent_group_authorization, agent: production_agent, group: top_level_group, config: config) }
       end