Diffstat (limited to 'spec/policies')
-rw-r--r--spec/policies/group_policy_spec.rb33
-rw-r--r--spec/policies/namespaces/project_namespace_policy_spec.rb3
-rw-r--r--spec/policies/project_policy_spec.rb84
3 files changed, 99 insertions, 21 deletions
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index 201ccf0fc14..fc4fbace790 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -11,8 +11,8 @@ RSpec.describe GroupPolicy do
it do
expect_allowed(:read_group)
- expect_allowed(:read_organization)
- expect_allowed(:read_contact)
+ expect_allowed(:read_crm_organization)
+ expect_allowed(:read_crm_contact)
expect_allowed(:read_counts)
expect_allowed(*read_group_permissions)
expect_disallowed(:upload_file)
@@ -33,8 +33,8 @@ RSpec.describe GroupPolicy do
end
it { expect_disallowed(:read_group) }
- it { expect_disallowed(:read_organization) }
- it { expect_disallowed(:read_contact) }
+ it { expect_disallowed(:read_crm_organization) }
+ it { expect_disallowed(:read_crm_contact) }
it { expect_disallowed(:read_counts) }
it { expect_disallowed(*read_group_permissions) }
end
@@ -48,8 +48,8 @@ RSpec.describe GroupPolicy do
end
it { expect_disallowed(:read_group) }
- it { expect_disallowed(:read_organization) }
- it { expect_disallowed(:read_contact) }
+ it { expect_disallowed(:read_crm_organization) }
+ it { expect_disallowed(:read_crm_contact) }
it { expect_disallowed(:read_counts) }
it { expect_disallowed(*read_group_permissions) }
end
@@ -933,8 +933,8 @@ RSpec.describe GroupPolicy do
it { is_expected.to be_allowed(:read_package) }
it { is_expected.to be_allowed(:read_group) }
- it { is_expected.to be_allowed(:read_organization) }
- it { is_expected.to be_allowed(:read_contact) }
+ it { is_expected.to be_allowed(:read_crm_organization) }
+ it { is_expected.to be_allowed(:read_crm_contact) }
it { is_expected.to be_disallowed(:create_package) }
end
@@ -944,8 +944,8 @@ RSpec.describe GroupPolicy do
it { is_expected.to be_allowed(:create_package) }
it { is_expected.to be_allowed(:read_package) }
it { is_expected.to be_allowed(:read_group) }
- it { is_expected.to be_allowed(:read_organization) }
- it { is_expected.to be_allowed(:read_contact) }
+ it { is_expected.to be_allowed(:read_crm_organization) }
+ it { is_expected.to be_allowed(:read_crm_contact) }
it { is_expected.to be_disallowed(:destroy_package) }
end
@@ -1032,4 +1032,17 @@ RSpec.describe GroupPolicy do
it { is_expected.to be_disallowed(:update_runners_registration_token) }
end
end
+
+ context 'with customer_relations feature flag disabled' do
+ let(:current_user) { owner }
+
+ before do
+ stub_feature_flags(customer_relations: false)
+ end
+
+ it { is_expected.to be_disallowed(:read_crm_contact) }
+ it { is_expected.to be_disallowed(:read_crm_organization) }
+ it { is_expected.to be_disallowed(:admin_crm_contact) }
+ it { is_expected.to be_disallowed(:admin_crm_organization) }
+ end
end
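Review bot: The new 'with customer_relations feature flag disabled' context asserts only negatives for `:admin_crm_contact` and `:admin_crm_organization`, and no hunk on this page shows a matching `be_allowed` for them with the flag enabled. An ability that is misspelled or never defined is presumably reported as disallowed too, so these two examples could pass without exercising the flag at all. If the coverage does not already exist elsewhere in the file, pair them with positives in an owner context with the flag on, e.g. `it { is_expected.to be_allowed(:admin_crm_contact) }` and `it { is_expected.to be_allowed(:admin_crm_organization) }`. The enclosing `RSpec.describe GroupPolicy` block starts outside the hunk.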
diff --git a/spec/policies/namespaces/project_namespace_policy_spec.rb b/spec/policies/namespaces/project_namespace_policy_spec.rb
index 22f3ccec1f8..5bb38deb498 100644
--- a/spec/policies/namespaces/project_namespace_policy_spec.rb
+++ b/spec/policies/namespaces/project_namespace_policy_spec.rb
@@ -4,7 +4,8 @@ require 'spec_helper'
RSpec.describe NamespacePolicy do
let_it_be(:parent) { create(:namespace) }
- let_it_be(:namespace) { create(:project_namespace, parent: parent) }
+ let_it_be(:project) { create(:project, namespace: parent) }
+ let_it_be(:namespace) { project.project_namespace }
let(:permissions) do
[:owner_access, :create_projects, :admin_namespace, :read_namespace,
diff --git a/spec/policies/project_policy_spec.rb b/spec/policies/project_policy_spec.rb
index f36b0a62aa3..2953c198af6 100644
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -104,29 +104,71 @@ RSpec.describe ProjectPolicy do
end
context 'pipeline feature' do
- let(:project) { private_project }
+ let(:project) { private_project }
+ let(:current_user) { developer }
+ let(:pipeline) { create(:ci_pipeline, project: project) }
- before do
- private_project.add_developer(current_user)
+ describe 'for confirmed user' do
+ it 'allows modify pipelines' do
+ expect_allowed(:create_pipeline)
+ expect_allowed(:update_pipeline)
+ expect_allowed(:create_pipeline_schedule)
+ end
end
describe 'for unconfirmed user' do
- let(:current_user) { create(:user, confirmed_at: nil) }
+ let(:current_user) { project.owner.tap { |u| u.update!(confirmed_at: nil) } }
it 'disallows to modify pipelines' do
expect_disallowed(:create_pipeline)
expect_disallowed(:update_pipeline)
+ expect_disallowed(:destroy_pipeline)
expect_disallowed(:create_pipeline_schedule)
end
end
- describe 'for confirmed user' do
- let(:current_user) { developer }
+ describe 'destroy permission' do
+ describe 'for developers' do
+ it 'prevents :destroy_pipeline' do
+ expect(current_user.can?(:destroy_pipeline, pipeline)).to be_falsey
+ end
+ end
- it 'allows modify pipelines' do
- expect_allowed(:create_pipeline)
- expect_allowed(:update_pipeline)
- expect_allowed(:create_pipeline_schedule)
+ describe 'for maintainers' do
+ let(:current_user) { maintainer }
+
+ it 'prevents :destroy_pipeline' do
+ project.add_maintainer(maintainer)
+ expect(current_user.can?(:destroy_pipeline, pipeline)).to be_falsey
+ end
+ end
+
+ describe 'for project owner' do
+ let(:current_user) { project.owner }
+
+ it 'allows :destroy_pipeline' do
+ expect(current_user.can?(:destroy_pipeline, pipeline)).to be_truthy
+ end
+
+ context 'on archived projects' do
+ before do
+ project.update!(archived: true)
+ end
+
+ it 'prevents :destroy_pipeline' do
+ expect(current_user.can?(:destroy_pipeline, pipeline)).to be_falsey
+ end
+ end
+
+ context 'on archived pending_delete projects' do
+ before do
+ project.update!(archived: true, pending_delete: true)
+ end
+
+ it 'allows :destroy_pipeline' do
+ expect(current_user.can?(:destroy_pipeline, pipeline)).to be_truthy
+ end
+ end
end
end
end
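Review bot: In 'for unconfirmed user' the added `expect_disallowed(:destroy_pipeline)` presumably evaluates the spec's project-level subject, while every other destroy example in this hunk checks `current_user.can?(:destroy_pipeline, pipeline)` against the pipeline record. The one case where a project owner must lose the ability is therefore not checked on the same subject as the 'allows :destroy_pipeline' example; add `expect(current_user.can?(:destroy_pipeline, pipeline)).to be_falsey` to that example. Separately, `project.owner.tap { |u| u.update!(confirmed_at: nil) }` and `project.update!(archived: true)` mutate shared records, so if `private_project` is built with `let_it_be` (not visible here) confirm the changes are reset between examples, otherwise later authorization examples may run against an unconfirmed owner or an archived project. The enclosing describe block starts outside the hunk.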
@@ -955,6 +997,28 @@ RSpec.describe ProjectPolicy do
end
end
+ context 'infrastructure google cloud feature' do
+ %w(guest reporter developer).each do |role|
+ context role do
+ let(:current_user) { send(role) }
+
+ it 'disallows managing google cloud' do
+ expect_disallowed(:admin_project_google_cloud)
+ end
+ end
+ end
+
+ %w(maintainer owner).each do |role|
+ context role do
+ let(:current_user) { send(role) }
+
+ it 'allows managing google cloud' do
+ expect_allowed(:admin_project_google_cloud)
+ end
+ end
+ end
+ end
+
describe 'design permissions' do
include DesignManagementTestHelpers
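Review bot: The disallowed list for `:admin_project_google_cloud` in `%w(guest reporter developer)` stops at project members, so the anonymous and non-member cases are not asserted for this new admin-level ability. Those are the callers an authorization regression would expose first; if the spec's shared context defines users for them (not visible in this hunk), extend the list, e.g. `%w(anonymous non_member guest reporter developer)`. A short comment above the two loops, such as `# only maintainer and above may manage the Google Cloud integration`, would also record the intended boundary. The enclosing `RSpec.describe ProjectPolicy` block starts outside the hunk.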