1 files changed, 87 insertions, 31 deletions

diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb
index 11e9ecdb878..36c87fb4557 100644
--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -21,6 +21,10 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
       expect(subject::REPOSITORY_SCOPES).to match_array %i[read_repository write_repository]
     end
 
+    it 'OBSERVABILITY_SCOPES contains all scopes for Observability access' do
+      expect(subject::OBSERVABILITY_SCOPES).to match_array %i[read_observability write_observability]
+    end
+
     it 'OPENID_SCOPES contains all scopes for OpenID Connect' do
       expect(subject::OPENID_SCOPES).to match_array [:openid]
     end
@@ -31,54 +35,103 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
   end
 
   context 'available_scopes' do
-    it 'contains all non-default scopes' do
+    before do
       stub_container_registry_config(enabled: true)
+    end
 
-      expect(subject.all_available_scopes).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode]
+    it 'contains all non-default scopes' do
+      expect(subject.all_available_scopes).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode read_observability write_observability]
     end
 
-    it 'contains for non-admin user all non-default scopes without ADMIN access' do
-      stub_container_registry_config(enabled: true)
-      user = create(:user, admin: false)
+    it 'contains for non-admin user all non-default scopes without ADMIN access and without observability scopes' do
+      user = build_stubbed(:user, admin: false)
 
       expect(subject.available_scopes_for(user)).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry]
     end
 
-    it 'contains for admin user all non-default scopes with ADMIN access' do
-      stub_container_registry_config(enabled: true)
-      user = create(:user, admin: true)
+    it 'contains for admin user all non-default scopes with ADMIN access and without observability scopes' do
+      user = build_stubbed(:user, admin: true)
 
       expect(subject.available_scopes_for(user)).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode]
     end
 
+    it 'contains for project all resource bot scopes without observability scopes' do
+      expect(subject.available_scopes_for(project)).to match_array %i[api read_api read_repository write_repository read_registry write_registry]
+    end
+
+    it 'contains for group all resource bot scopes' do
+      group = build_stubbed(:group)
+
+      expect(subject.available_scopes_for(group)).to match_array %i[api read_api read_repository write_repository read_registry write_registry read_observability write_observability]
+    end
+
+    it 'contains for unsupported type no scopes' do
+      expect(subject.available_scopes_for(:something)).to be_empty
+    end
+
     it 'optional_scopes contains all non-default scopes' do
-      stub_container_registry_config(enabled: true)
+      expect(subject.optional_scopes).to match_array %i[read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode openid profile email read_observability write_observability]
+    end
+
+    context 'with observability_group_tab feature flag' do
+      context 'when disabled' do
+        before do
+          stub_feature_flags(observability_group_tab: false)
+        end
+
+        it 'contains for group all resource bot scopes without observability scopes' do
+          group = build_stubbed(:group)
 
-      expect(subject.optional_scopes).to match_array %i[read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode openid profile email]
+          expect(subject.available_scopes_for(group)).to match_array %i[api read_api read_repository write_repository read_registry write_registry]
+        end
+      end
+
+      context 'when enabled for specific group' do
+        let(:group) { build_stubbed(:group) }
+
+        before do
+          stub_feature_flags(observability_group_tab: group)
+        end
+
+        it 'contains for other group all resource bot scopes including observability scopes' do
+          expect(subject.available_scopes_for(group)).to match_array %i[api read_api read_repository write_repository read_registry write_registry read_observability write_observability]
+        end
+
+        it 'contains for admin user all non-default scopes with ADMIN access and without observability scopes' do
+          user = build_stubbed(:user, admin: true)
+
+          expect(subject.available_scopes_for(user)).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode]
+        end
+
+        it 'contains for project all resource bot scopes without observability scopes' do
+          expect(subject.available_scopes_for(project)).to match_array %i[api read_api read_repository write_repository read_registry write_registry]
+        end
+
+        it 'contains for other group all resource bot scopes without observability scopes' do
+          other_group = build_stubbed(:group)
+
+          expect(subject.available_scopes_for(other_group)).to match_array %i[api read_api read_repository write_repository read_registry write_registry]
+        end
+      end
     end
 
-    context 'with feature flag disabled' do
+    context 'with admin_mode_for_api feature flag disabled' do
       before do
         stub_feature_flags(admin_mode_for_api: false)
       end
 
       it 'contains all non-default scopes' do
-        stub_container_registry_config(enabled: true)
-
-        expect(subject.all_available_scopes).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode]
+        expect(subject.all_available_scopes).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode read_observability write_observability]
       end
 
-      it 'contains for admin user all non-default scopes with ADMIN access' do
-        stub_container_registry_config(enabled: true)
-        user = create(:user, admin: true)
+      it 'contains for admin user all non-default scopes with ADMIN access and without observability scopes' do
+        user = build_stubbed(:user, admin: true)
 
         expect(subject.available_scopes_for(user)).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry sudo]
       end
 
       it 'optional_scopes contains all non-default scopes' do
-        stub_container_registry_config(enabled: true)
-
-        expect(subject.optional_scopes).to match_array %i[read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode openid profile email]
+        expect(subject.optional_scopes).to match_array %i[read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode openid profile email read_observability write_observability]
       end
     end
 
@@ -120,8 +173,8 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
           end
         end
 
-        it 'raises an IpBlacklisted exception' do
-          expect { subject }.to raise_error(Gitlab::Auth::IpBlacklisted)
+        it 'raises an IpBlocked exception' do
+          expect { subject }.to raise_error(Gitlab::Auth::IpBlocked)
         end
       end
 
@@ -314,15 +367,17 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
         using RSpec::Parameterized::TableSyntax
 
         where(:scopes, :abilities) do
-          'api' | described_class.full_authentication_abilities
-          'read_api' | described_class.read_only_authentication_abilities
-          'read_repository' | [:download_code]
-          'write_repository' | [:download_code, :push_code]
-          'read_user' | []
-          'sudo' | []
-          'openid' | []
-          'profile' | []
-          'email' | []
+          'api'                 | described_class.full_authentication_abilities
+          'read_api'            | described_class.read_only_authentication_abilities
+          'read_repository'     | [:download_code]
+          'write_repository'    | [:download_code, :push_code]
+          'read_user'           | []
+          'sudo'                | []
+          'openid'              | []
+          'profile'             | []
+          'email'               | []
+          'read_observability'  | []
+          'write_observability' | []
         end
 
         with_them do
@@ -1024,6 +1079,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
     it { is_expected.to include(*described_class::API_SCOPES - [:read_user]) }
     it { is_expected.to include(*described_class::REPOSITORY_SCOPES) }
     it { is_expected.to include(*described_class.registry_scopes) }
+    it { is_expected.to include(*described_class::OBSERVABILITY_SCOPES) }
   end
 
   private