1 files changed, 101 insertions, 41 deletions

diff --git a/spec/policies/global_policy_spec.rb b/spec/policies/global_policy_spec.rb
index 0575ba3237b..dce97fab252 100644
--- a/spec/policies/global_policy_spec.rb
+++ b/spec/policies/global_policy_spec.rb
@@ -7,8 +7,11 @@ RSpec.describe GlobalPolicy, feature_category: :shared do
 
   let_it_be(:admin_user) { create(:admin) }
   let_it_be(:project_bot) { create(:user, :project_bot) }
+  let_it_be(:service_account) { create(:user, :service_account) }
   let_it_be(:migration_bot) { create(:user, :migration_bot) }
   let_it_be(:security_bot) { create(:user, :security_bot) }
+  let_it_be(:security_policy_bot) { create(:user, :security_policy_bot) }
+  let_it_be(:llm_bot) { create(:user, :llm_bot) }
   let_it_be_with_reload(:current_user) { create(:user) }
   let_it_be(:user) { create(:user) }
 
@@ -219,6 +222,12 @@ RSpec.describe GlobalPolicy, feature_category: :shared do
       it { is_expected.to be_allowed(:access_api) }
     end
 
+    context 'service account' do
+      let(:current_user) { service_account }
+
+      it { is_expected.to be_allowed(:access_api) }
+    end
+
     context 'migration bot' do
       let(:current_user) { migration_bot }
 
@@ -231,6 +240,12 @@ RSpec.describe GlobalPolicy, feature_category: :shared do
       it { is_expected.to be_disallowed(:access_api) }
     end
 
+    context 'llm bot' do
+      let(:current_user) { llm_bot }
+
+      it { is_expected.to be_disallowed(:access_api) }
+    end
+
     context 'user blocked pending approval' do
       before do
         current_user.block_pending_approval
@@ -285,6 +300,7 @@ RSpec.describe GlobalPolicy, feature_category: :shared do
 
     context 'inactive user' do
       before do
+        stub_application_setting_enum('email_confirmation_setting', 'soft')
         current_user.update!(confirmed_at: nil, confirmation_sent_at: 5.days.ago)
       end
 
@@ -345,6 +361,12 @@ RSpec.describe GlobalPolicy, feature_category: :shared do
       it { is_expected.to be_disallowed(:receive_notifications) }
     end
 
+    context 'service account' do
+      let(:current_user) { service_account }
+
+      it { is_expected.to be_disallowed(:receive_notifications) }
+    end
+
     context 'migration bot' do
       let(:current_user) { migration_bot }
 
@@ -389,6 +411,12 @@ RSpec.describe GlobalPolicy, feature_category: :shared do
       it { is_expected.to be_allowed(:access_git) }
     end
 
+    context 'security policy bot' do
+      let(:current_user) { security_policy_bot }
+
+      it { is_expected.to be_allowed(:access_git) }
+    end
+
     describe 'deactivated user' do
       before do
         current_user.deactivate
@@ -399,6 +427,7 @@ RSpec.describe GlobalPolicy, feature_category: :shared do
 
     describe 'inactive user' do
       before do
+        stub_application_setting_enum('email_confirmation_setting', 'soft')
         current_user.update!(confirmed_at: nil)
       end
 
@@ -433,6 +462,12 @@ RSpec.describe GlobalPolicy, feature_category: :shared do
       it { is_expected.to be_allowed(:access_git) }
     end
 
+    context 'service account' do
+      let(:current_user) { service_account }
+
+      it { is_expected.to be_allowed(:access_git) }
+    end
+
     context 'user blocked pending approval' do
       before do
         current_user.block_pending_approval
@@ -497,6 +532,7 @@ RSpec.describe GlobalPolicy, feature_category: :shared do
 
     describe 'inactive user' do
       before do
+        stub_application_setting_enum('email_confirmation_setting', 'soft')
         current_user.update!(confirmed_at: nil)
       end
 
@@ -517,6 +553,12 @@ RSpec.describe GlobalPolicy, feature_category: :shared do
       it { is_expected.to be_allowed(:use_slash_commands) }
     end
 
+    context 'service account' do
+      let(:current_user) { service_account }
+
+      it { is_expected.to be_allowed(:use_slash_commands) }
+    end
+
     context 'migration bot' do
       let(:current_user) { migration_bot }
 
@@ -571,6 +613,12 @@ RSpec.describe GlobalPolicy, feature_category: :shared do
       it { is_expected.to be_disallowed(:log_in) }
     end
 
+    context 'service account' do
+      let(:current_user) { service_account }
+
+      it { is_expected.to be_disallowed(:log_in) }
+    end
+
     context 'migration bot' do
       let(:current_user) { migration_bot }
 
@@ -583,6 +631,12 @@ RSpec.describe GlobalPolicy, feature_category: :shared do
       it { is_expected.to be_disallowed(:log_in) }
     end
 
+    context 'llm bot' do
+      let(:current_user) { llm_bot }
+
+      it { is_expected.to be_disallowed(:log_in) }
+    end
+
     context 'user blocked pending approval' do
       before do
         current_user.block_pending_approval
@@ -592,100 +646,106 @@ RSpec.describe GlobalPolicy, feature_category: :shared do
     end
   end
 
-  describe 'create_instance_runners' do
-    context 'create_runner_workflow flag enabled' do
-      before do
-        stub_feature_flags(create_runner_workflow: true)
+  describe 'create_instance_runner' do
+    context 'admin' do
+      let(:current_user) { admin_user }
+
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it { is_expected.to be_allowed(:create_instance_runner) }
       end
 
-      context 'admin' do
-        let(:current_user) { admin_user }
+      context 'when admin mode is disabled' do
+        it { is_expected.to be_disallowed(:create_instance_runner) }
+      end
+    end
 
-        context 'when admin mode is enabled', :enable_admin_mode do
-          it { is_expected.to be_allowed(:create_instance_runners) }
-        end
+    context 'with project_bot' do
+      let(:current_user) { project_bot }
 
-        context 'when admin mode is disabled' do
-          it { is_expected.to be_disallowed(:create_instance_runners) }
-        end
-      end
+      it { is_expected.to be_disallowed(:create_instance_runner) }
+    end
 
-      context 'with project_bot' do
-        let(:current_user) { project_bot }
+    context 'with migration_bot' do
+      let(:current_user) { migration_bot }
 
-        it { is_expected.to be_disallowed(:create_instance_runners) }
-      end
+      it { is_expected.to be_disallowed(:create_instance_runner) }
+    end
 
-      context 'with migration_bot' do
-        let(:current_user) { migration_bot }
+    context 'with security_bot' do
+      let(:current_user) { security_bot }
 
-        it { is_expected.to be_disallowed(:create_instance_runners) }
-      end
+      it { is_expected.to be_disallowed(:create_instance_runner) }
+    end
 
-      context 'with security_bot' do
-        let(:current_user) { security_bot }
+    context 'with llm_bot' do
+      let(:current_user) { llm_bot }
 
-        it { is_expected.to be_disallowed(:create_instance_runners) }
-      end
+      it { is_expected.to be_disallowed(:create_instance_runners) }
+    end
 
-      context 'with regular user' do
-        let(:current_user) { user }
+    context 'with regular user' do
+      let(:current_user) { user }
 
-        it { is_expected.to be_disallowed(:create_instance_runners) }
-      end
+      it { is_expected.to be_disallowed(:create_instance_runner) }
+    end
 
-      context 'with anonymous' do
-        let(:current_user) { nil }
+    context 'with anonymous' do
+      let(:current_user) { nil }
 
-        it { is_expected.to be_disallowed(:create_instance_runners) }
-      end
+      it { is_expected.to be_disallowed(:create_instance_runner) }
     end
 
-    context 'create_runner_workflow flag disabled' do
+    context 'create_runner_workflow_for_admin flag disabled' do
       before do
-        stub_feature_flags(create_runner_workflow: false)
+        stub_feature_flags(create_runner_workflow_for_admin: false)
       end
 
       context 'admin' do
         let(:current_user) { admin_user }
 
         context 'when admin mode is enabled', :enable_admin_mode do
-          it { is_expected.to be_disallowed(:create_instance_runners) }
+          it { is_expected.to be_disallowed(:create_instance_runner) }
         end
 
         context 'when admin mode is disabled' do
-          it { is_expected.to be_disallowed(:create_instance_runners) }
+          it { is_expected.to be_disallowed(:create_instance_runner) }
         end
       end
 
       context 'with project_bot' do
         let(:current_user) { project_bot }
 
-        it { is_expected.to be_disallowed(:create_instance_runners) }
+        it { is_expected.to be_disallowed(:create_instance_runner) }
       end
 
       context 'with migration_bot' do
         let(:current_user) { migration_bot }
 
-        it { is_expected.to be_disallowed(:create_instance_runners) }
+        it { is_expected.to be_disallowed(:create_instance_runner) }
       end
 
       context 'with security_bot' do
         let(:current_user) { security_bot }
 
+        it { is_expected.to be_disallowed(:create_instance_runner) }
+      end
+
+      context 'with llm_bot' do
+        let(:current_user) { llm_bot }
+
         it { is_expected.to be_disallowed(:create_instance_runners) }
       end
 
       context 'with regular user' do
         let(:current_user) { user }
 
-        it { is_expected.to be_disallowed(:create_instance_runners) }
+        it { is_expected.to be_disallowed(:create_instance_runner) }
       end
 
       context 'with anonymous' do
         let(:current_user) { nil }
 
-        it { is_expected.to be_disallowed(:create_instance_runners) }
+        it { is_expected.to be_disallowed(:create_instance_runner) }
       end
     end
   end