1 files changed, 132 insertions, 0 deletions

diff --git a/spec/services/clusters/agents/refresh_authorization_service_spec.rb b/spec/services/clusters/agents/refresh_authorization_service_spec.rb
new file mode 100644
index 00000000000..77ba81ea9c0
--- /dev/null
+++ b/spec/services/clusters/agents/refresh_authorization_service_spec.rb
@@ -0,0 +1,132 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Clusters::Agents::RefreshAuthorizationService do
+  describe '#execute' do
+    let_it_be(:root_ancestor) { create(:group) }
+
+    let_it_be(:removed_group) { create(:group, parent: root_ancestor) }
+    let_it_be(:modified_group) { create(:group, parent: root_ancestor) }
+    let_it_be(:added_group) { create(:group, parent: root_ancestor) }
+
+    let_it_be(:removed_project) { create(:project, namespace: root_ancestor) }
+    let_it_be(:modified_project) { create(:project, namespace: root_ancestor) }
+    let_it_be(:added_project) { create(:project, namespace: root_ancestor) }
+
+    let(:project) { create(:project, namespace: root_ancestor) }
+    let(:agent) { create(:cluster_agent, project: project) }
+
+    let(:config) do
+      {
+        ci_access: {
+          groups: [
+            { id: added_group.full_path, default_namespace: 'default' },
+            { id: modified_group.full_path, default_namespace: 'new-namespace' }
+          ],
+          projects: [
+            { id: added_project.full_path, default_namespace: 'default' },
+            { id: modified_project.full_path, default_namespace: 'new-namespace' }
+          ]
+        }
+      }.deep_stringify_keys
+    end
+
+    subject { described_class.new(agent, config: config).execute }
+
+    before do
+      default_config = { default_namespace: 'default' }
+
+      agent.group_authorizations.create!(group: removed_group, config: default_config)
+      agent.group_authorizations.create!(group: modified_group, config: default_config)
+
+      agent.project_authorizations.create!(project: removed_project, config: default_config)
+      agent.project_authorizations.create!(project: modified_project, config: default_config)
+    end
+
+    shared_examples 'removing authorization' do
+      context 'config contains no groups' do
+        let(:config) { {} }
+
+        it 'removes all authorizations' do
+          expect(subject).to be_truthy
+          expect(authorizations).to be_empty
+        end
+      end
+
+      context 'config contains groups outside of the configuration project hierarchy' do
+        let(:project) { create(:project, namespace: create(:group)) }
+
+        it 'removes all authorizations' do
+          expect(subject).to be_truthy
+          expect(authorizations).to be_empty
+        end
+      end
+
+      context 'configuration project does not belong to a group' do
+        let(:project) { create(:project) }
+
+        it 'removes all authorizations' do
+          expect(subject).to be_truthy
+          expect(authorizations).to be_empty
+        end
+      end
+    end
+
+    describe 'group authorization' do
+      it 'refreshes authorizations for the agent' do
+        expect(subject).to be_truthy
+        expect(agent.authorized_groups).to contain_exactly(added_group, modified_group)
+
+        added_authorization = agent.group_authorizations.find_by(group: added_group)
+        expect(added_authorization.config).to eq({ 'default_namespace' => 'default' })
+
+        modified_authorization = agent.group_authorizations.find_by(group: modified_group)
+        expect(modified_authorization.config).to eq({ 'default_namespace' => 'new-namespace' })
+      end
+
+      context 'config contains too many groups' do
+        before do
+          stub_const("#{described_class}::AUTHORIZED_ENTITY_LIMIT", 1)
+        end
+
+        it 'authorizes groups up to the limit' do
+          expect(subject).to be_truthy
+          expect(agent.authorized_groups).to contain_exactly(added_group)
+        end
+      end
+
+      include_examples 'removing authorization' do
+        let(:authorizations) { agent.authorized_groups }
+      end
+    end
+
+    describe 'project authorization' do
+      it 'refreshes authorizations for the agent' do
+        expect(subject).to be_truthy
+        expect(agent.authorized_projects).to contain_exactly(added_project, modified_project)
+
+        added_authorization = agent.project_authorizations.find_by(project: added_project)
+        expect(added_authorization.config).to eq({ 'default_namespace' => 'default' })
+
+        modified_authorization = agent.project_authorizations.find_by(project: modified_project)
+        expect(modified_authorization.config).to eq({ 'default_namespace' => 'new-namespace' })
+      end
+
+      context 'config contains too many projects' do
+        before do
+          stub_const("#{described_class}::AUTHORIZED_ENTITY_LIMIT", 1)
+        end
+
+        it 'authorizes projects up to the limit' do
+          expect(subject).to be_truthy
+          expect(agent.authorized_projects).to contain_exactly(added_project)
+        end
+      end
+
+      include_examples 'removing authorization' do
+        let(:authorizations) { agent.authorized_projects }
+      end
+    end
+  end
+end