1 files changed, 80 insertions, 23 deletions

diff --git a/spec/lib/gitlab/auth_spec.rb b/spec/lib/gitlab/auth_spec.rb
index 8da617175ca..f5b9555916c 100644
--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -34,7 +34,7 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
     end
   end
 
-  context 'available_scopes' do
+  describe 'available_scopes' do
     before do
       stub_container_registry_config(enabled: true)
     end
@@ -43,26 +43,26 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
       expect(subject.all_available_scopes).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode read_observability write_observability create_runner k8s_proxy ai_features]
     end
 
-    it 'contains for non-admin user all non-default scopes without ADMIN access and without observability scopes' do
+    it 'contains for non-admin user all non-default scopes without ADMIN access and without observability scopes and ai_features' do
       user = build_stubbed(:user, admin: false)
 
-      expect(subject.available_scopes_for(user)).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry create_runner k8s_proxy ai_features]
+      expect(subject.available_scopes_for(user)).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry create_runner k8s_proxy]
     end
 
-    it 'contains for admin user all non-default scopes with ADMIN access and without observability scopes' do
+    it 'contains for admin user all non-default scopes with ADMIN access and without observability scopes and ai_features' do
       user = build_stubbed(:user, admin: true)
 
-      expect(subject.available_scopes_for(user)).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode create_runner k8s_proxy ai_features]
+      expect(subject.available_scopes_for(user)).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode create_runner k8s_proxy]
     end
 
-    it 'contains for project all resource bot scopes without observability scopes' do
-      expect(subject.available_scopes_for(project)).to match_array %i[api read_api read_repository write_repository read_registry write_registry create_runner k8s_proxy ai_features]
+    it 'contains for project all resource bot scopes without ai_features' do
+      expect(subject.available_scopes_for(project)).to match_array %i[api read_api read_repository write_repository read_registry write_registry read_observability write_observability create_runner k8s_proxy]
     end
 
     it 'contains for group all resource bot scopes' do
-      group = build_stubbed(:group)
+      group = build_stubbed(:group).tap { |g| g.namespace_settings = build_stubbed(:namespace_settings, namespace: g) }
 
-      expect(subject.available_scopes_for(group)).to match_array %i[api read_api read_repository write_repository read_registry write_registry read_observability write_observability create_runner k8s_proxy ai_features]
+      expect(subject.available_scopes_for(group)).to match_array %i[api read_api read_repository write_repository read_registry write_registry read_observability write_observability create_runner k8s_proxy]
     end
 
     it 'contains for unsupported type no scopes' do
@@ -73,44 +73,101 @@ RSpec.describe Gitlab::Auth, :use_clean_rails_memory_store_caching, feature_cate
       expect(subject.optional_scopes).to match_array %i[read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode openid profile email read_observability write_observability create_runner k8s_proxy ai_features]
     end
 
-    context 'with observability_group_tab feature flag' do
+    describe 'ai_features scope' do
+      let(:resource) { nil }
+
+      subject { described_class.available_scopes_for(resource) }
+
+      context 'when resource is user', 'and user has a group with ai features' do
+        let(:resource) { build_stubbed(:user) }
+
+        it { is_expected.not_to include(:ai_features) }
+      end
+
+      context 'when resource is project' do
+        let(:resource) { build_stubbed(:project) }
+
+        it 'does not include ai_features scope' do
+          is_expected.not_to include(:ai_features)
+        end
+      end
+
+      context 'when resource is group' do
+        let(:resource) { build_stubbed(:group) }
+
+        it 'does not include ai_features scope' do
+          is_expected.not_to include(:ai_features)
+        end
+      end
+    end
+
+    context 'with observability_tracing feature flag' do
       context 'when disabled' do
         before do
-          stub_feature_flags(observability_group_tab: false)
+          stub_feature_flags(observability_tracing: false)
         end
 
         it 'contains for group all resource bot scopes without observability scopes' do
-          group = build_stubbed(:group)
+          group = build_stubbed(:group).tap do |g|
+            g.namespace_settings = build_stubbed(:namespace_settings, namespace: g)
+          end
 
-          expect(subject.available_scopes_for(group)).to match_array %i[api read_api read_repository write_repository read_registry write_registry create_runner k8s_proxy ai_features]
+          expect(subject.available_scopes_for(group)).to match_array %i[api read_api read_repository write_repository read_registry write_registry create_runner k8s_proxy]
+        end
+
+        it 'contains for project all resource bot scopes without observability scopes' do
+          group = build_stubbed(:group).tap do |g|
+            g.namespace_settings = build_stubbed(:namespace_settings, namespace: g)
+          end
+          project = build_stubbed(:project, namespace: group)
+
+          expect(subject.available_scopes_for(project)).to match_array %i[api read_api read_repository write_repository read_registry write_registry create_runner k8s_proxy]
         end
       end
 
-      context 'when enabled for specific group' do
-        let(:group) { build_stubbed(:group) }
+      context 'when enabled for specific root group' do
+        let(:parent) { build_stubbed(:group) }
+        let(:group) do
+          build_stubbed(:group, parent: parent).tap { |g| g.namespace_settings = build_stubbed(:namespace_settings, namespace: g) }
+        end
+
+        let(:project) { build_stubbed(:project, namespace: group) }
 
         before do
-          stub_feature_flags(observability_group_tab: group)
+          stub_feature_flags(observability_tracing: parent)
         end
 
-        it 'contains for other group all resource bot scopes including observability scopes' do
-          expect(subject.available_scopes_for(group)).to match_array %i[api read_api read_repository write_repository read_registry write_registry read_observability write_observability create_runner k8s_proxy ai_features]
+        it 'contains for group all resource bot scopes including observability scopes' do
+          expect(subject.available_scopes_for(group)).to match_array %i[api read_api read_repository write_repository read_registry write_registry read_observability write_observability create_runner k8s_proxy]
         end
 
         it 'contains for admin user all non-default scopes with ADMIN access and without observability scopes' do
           user = build_stubbed(:user, admin: true)
 
-          expect(subject.available_scopes_for(user)).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode create_runner k8s_proxy ai_features]
+          expect(subject.available_scopes_for(user)).to match_array %i[api read_user read_api read_repository write_repository read_registry write_registry sudo admin_mode create_runner k8s_proxy]
         end
 
-        it 'contains for project all resource bot scopes without observability scopes' do
-          expect(subject.available_scopes_for(project)).to match_array %i[api read_api read_repository write_repository read_registry write_registry create_runner k8s_proxy ai_features]
+        it 'contains for project all resource bot scopes including observability scopes' do
+          expect(subject.available_scopes_for(project)).to match_array %i[api read_api read_repository write_repository read_registry write_registry read_observability write_observability create_runner k8s_proxy]
         end
 
         it 'contains for other group all resource bot scopes without observability scopes' do
-          other_group = build_stubbed(:group)
+          other_parent = build_stubbed(:group)
+          other_group = build_stubbed(:group, parent: other_parent).tap do |g|
+            g.namespace_settings = build_stubbed(:namespace_settings, namespace: g)
+          end
+
+          expect(subject.available_scopes_for(other_group)).to match_array %i[api read_api read_repository write_repository read_registry write_registry create_runner k8s_proxy]
+        end
+
+        it 'contains for other project all resource bot scopes without observability scopes' do
+          other_parent = build_stubbed(:group)
+          other_group = build_stubbed(:group, parent: other_parent).tap do |g|
+            g.namespace_settings = build_stubbed(:namespace_settings, namespace: g)
+          end
+          other_project = build_stubbed(:project, namespace: other_group)
 
-          expect(subject.available_scopes_for(other_group)).to match_array %i[api read_api read_repository write_repository read_registry write_registry create_runner k8s_proxy ai_features]
+          expect(subject.available_scopes_for(other_project)).to match_array %i[api read_api read_repository write_repository read_registry write_registry create_runner k8s_proxy]
         end
       end
     end