diff options
Diffstat (limited to 'spec/lib/gitlab/auth_spec.rb')
-rw-r--r-- | spec/lib/gitlab/auth_spec.rb | 103 |
1 files changed, 80 insertions, 23 deletions
diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb index 8da617175ca..f5b9555916c 100644 --- a/spec/lib/gitlab/auth_spec.rb +++ b/spec/lib/gitlab/auth_spec.rb @@ -34,7 +34,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate end end - context 'available_scopes' do + describe 'available_scopes' do before do stub_container_registry_config(enabled: true) end @@ -43,26 +43,26 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate expect(subject.all_available_scopes).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode read_observability write_observability create_runner k8s_proxy ai_features] end - it 'contains for non-admin user all non-default scopes without ADMIN access and without observability scopes' do + it 'contains for non-admin user all non-default scopes without ADMIN access and without observability scopes and ai_features' do user = build_stubbed(:user, admin: false) - expect(subject.available_scopes_for(user)).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry create_runner k8s_proxy ai_features] + expect(subject.available_scopes_for(user)).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry create_runner k8s_proxy] end - it 'contains for admin user all non-default scopes with ADMIN access and without observability scopes' do + it 'contains for admin user all non-default scopes with ADMIN access and without observability scopes and ai_features' do user = build_stubbed(:user, admin: true) - expect(subject.available_scopes_for(user)).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode create_runner k8s_proxy ai_features] + expect(subject.available_scopes_for(user)).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode create_runner k8s_proxy] end - it 'contains for project all resource bot scopes without observability scopes' do - expect(subject.available_scopes_for(project)).to match_array %i[api read_api read_repository write_repository read_registry write_registry create_runner k8s_proxy ai_features] + it 'contains for project all resource bot scopes without ai_features' do + expect(subject.available_scopes_for(project)).to match_array %i[api read_api read_repository write_repository read_registry write_registry read_observability write_observability create_runner k8s_proxy] end it 'contains for group all resource bot scopes' do - group = build_stubbed(:group) + group = build_stubbed(:group).tap { |g| g.namespace_settings = build_stubbed(:namespace_settings, namespace: g) } - expect(subject.available_scopes_for(group)).to match_array %i[api read_api read_repository write_repository read_registry write_registry read_observability write_observability create_runner k8s_proxy ai_features] + expect(subject.available_scopes_for(group)).to match_array %i[api read_api read_repository write_repository read_registry write_registry read_observability write_observability create_runner k8s_proxy] end it 'contains for unsupported type no scopes' do @@ -73,44 +73,101 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate expect(subject.optional_scopes).to match_array %i[read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode openid profile email read_observability write_observability create_runner k8s_proxy ai_features] end - context 'with observability_group_tab feature flag' do + describe 'ai_features scope' do + let(:resource) { nil } + + subject { described_class.available_scopes_for(resource) } + + context 'when resource is user', 'and user has a group with ai features' do + let(:resource) { build_stubbed(:user) } + + it { is_expected.not_to include(:ai_features) } + end + + context 'when resource is project' do + let(:resource) { build_stubbed(:project) } + + it 'does not include ai_features scope' do + is_expected.not_to include(:ai_features) + end + end + + context 'when resource is group' do + let(:resource) { build_stubbed(:group) } + + it 'does not include ai_features scope' do + is_expected.not_to include(:ai_features) + end + end + end + + context 'with observability_tracing feature flag' do context 'when disabled' do before do - stub_feature_flags(observability_group_tab: false) + stub_feature_flags(observability_tracing: false) end it 'contains for group all resource bot scopes without observability scopes' do - group = build_stubbed(:group) + group = build_stubbed(:group).tap do |g| + g.namespace_settings = build_stubbed(:namespace_settings, namespace: g) + end - expect(subject.available_scopes_for(group)).to match_array %i[api read_api read_repository write_repository read_registry write_registry create_runner k8s_proxy ai_features] + expect(subject.available_scopes_for(group)).to match_array %i[api read_api read_repository write_repository read_registry write_registry create_runner k8s_proxy] + end + + it 'contains for project all resource bot scopes without observability scopes' do + group = build_stubbed(:group).tap do |g| + g.namespace_settings = build_stubbed(:namespace_settings, namespace: g) + end + project = build_stubbed(:project, namespace: group) + + expect(subject.available_scopes_for(project)).to match_array %i[api read_api read_repository write_repository read_registry write_registry create_runner k8s_proxy] end end - context 'when enabled for specific group' do - let(:group) { build_stubbed(:group) } + context 'when enabled for specific root group' do + let(:parent) { build_stubbed(:group) } + let(:group) do + build_stubbed(:group, parent: parent).tap { |g| g.namespace_settings = build_stubbed(:namespace_settings, namespace: g) } + end + + let(:project) { build_stubbed(:project, namespace: group) } before do - stub_feature_flags(observability_group_tab: group) + stub_feature_flags(observability_tracing: parent) end - it 'contains for other group all resource bot scopes including observability scopes' do - expect(subject.available_scopes_for(group)).to match_array %i[api read_api read_repository write_repository read_registry write_registry read_observability write_observability create_runner k8s_proxy ai_features] + it 'contains for group all resource bot scopes including observability scopes' do + expect(subject.available_scopes_for(group)).to match_array %i[api read_api read_repository write_repository read_registry write_registry read_observability write_observability create_runner k8s_proxy] end it 'contains for admin user all non-default scopes with ADMIN access and without observability scopes' do user = build_stubbed(:user, admin: true) - expect(subject.available_scopes_for(user)).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode create_runner k8s_proxy ai_features] + expect(subject.available_scopes_for(user)).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode create_runner k8s_proxy] end - it 'contains for project all resource bot scopes without observability scopes' do - expect(subject.available_scopes_for(project)).to match_array %i[api read_api read_repository write_repository read_registry write_registry create_runner k8s_proxy ai_features] + it 'contains for project all resource bot scopes including observability scopes' do + expect(subject.available_scopes_for(project)).to match_array %i[api read_api read_repository write_repository read_registry write_registry read_observability write_observability create_runner k8s_proxy] end it 'contains for other group all resource bot scopes without observability scopes' do - other_group = build_stubbed(:group) + other_parent = build_stubbed(:group) + other_group = build_stubbed(:group, parent: other_parent).tap do |g| + g.namespace_settings = build_stubbed(:namespace_settings, namespace: g) + end + + expect(subject.available_scopes_for(other_group)).to match_array %i[api read_api read_repository write_repository read_registry write_registry create_runner k8s_proxy] + end + + it 'contains for other project all resource bot scopes without observability scopes' do + other_parent = build_stubbed(:group) + other_group = build_stubbed(:group, parent: other_parent).tap do |g| + g.namespace_settings = build_stubbed(:namespace_settings, namespace: g) + end + other_project = build_stubbed(:project, namespace: other_group) - expect(subject.available_scopes_for(other_group)).to match_array %i[api read_api read_repository write_repository read_registry write_registry create_runner k8s_proxy ai_features] + expect(subject.available_scopes_for(other_project)).to match_array %i[api read_api read_repository write_repository read_registry write_registry create_runner k8s_proxy] end end end |