1# frozen_string_literal: true
2
3require 'spec_helper'
4
5RSpec.describe GroupPolicy do
6  include_context 'GroupPolicy context'
7
8  context 'public group with no user' do
9    let(:group) { create(:group, :public) }
10    let(:current_user) { nil }
11
12    it do
13      expect_allowed(:read_group)
14      expect_allowed(:read_crm_organization)
15      expect_allowed(:read_crm_contact)
16      expect_allowed(:read_counts)
17      expect_allowed(*read_group_permissions)
18      expect_disallowed(:upload_file)
19      expect_disallowed(*reporter_permissions)
20      expect_disallowed(*developer_permissions)
21      expect_disallowed(*maintainer_permissions)
22      expect_disallowed(*owner_permissions)
23      expect_disallowed(:read_namespace)
24    end
25  end
26
27  context 'with no user and public project' do
28    let(:project) { create(:project, :public) }
29    let(:current_user) { nil }
30
31    before do
32      create(:project_group_link, project: project, group: group)
33    end
34
35    it { expect_disallowed(:read_group) }
36    it { expect_disallowed(:read_crm_organization) }
37    it { expect_disallowed(:read_crm_contact) }
38    it { expect_disallowed(:read_counts) }
39    it { expect_disallowed(*read_group_permissions) }
40  end
41
42  context 'with foreign user and public project' do
43    let(:project) { create(:project, :public) }
44    let(:current_user) { create(:user) }
45
46    before do
47      create(:project_group_link, project: project, group: group)
48    end
49
50    it { expect_disallowed(:read_group) }
51    it { expect_disallowed(:read_crm_organization) }
52    it { expect_disallowed(:read_crm_contact) }
53    it { expect_disallowed(:read_counts) }
54    it { expect_disallowed(*read_group_permissions) }
55  end
56
57  context 'has projects' do
58    let(:current_user) { create(:user) }
59    let(:project) { create(:project, namespace: group) }
60
61    before do
62      project.add_developer(current_user)
63    end
64
65    it { expect_allowed(*read_group_permissions) }
66
67    context 'in subgroups' do
68      let(:subgroup) { create(:group, :private, parent: group) }
69      let(:project) { create(:project, namespace: subgroup) }
70
71      it { expect_allowed(*read_group_permissions) }
72    end
73  end
74
75  shared_examples 'deploy token does not get confused with user' do
76    before do
77      deploy_token.update!(id: user_id)
78    end
79
80    let(:deploy_token) { create(:deploy_token) }
81    let(:current_user) { deploy_token }
82
83    it do
84      expect_disallowed(*read_group_permissions)
85      expect_disallowed(*guest_permissions)
86      expect_disallowed(*reporter_permissions)
87      expect_disallowed(*developer_permissions)
88      expect_disallowed(*maintainer_permissions)
89      expect_disallowed(*owner_permissions)
90    end
91  end
92
93  context 'guests' do
94    let(:current_user) { guest }
95
96    it do
97      expect_allowed(*read_group_permissions)
98      expect_allowed(*guest_permissions)
99      expect_disallowed(*reporter_permissions)
100      expect_disallowed(*developer_permissions)
101      expect_disallowed(*maintainer_permissions)
102      expect_disallowed(*owner_permissions)
103    end
104
105    it_behaves_like 'deploy token does not get confused with user' do
106      let(:user_id) { guest.id }
107    end
108  end
109
110  context 'reporter' do
111    let(:current_user) { reporter }
112
113    it do
114      expect_allowed(*read_group_permissions)
115      expect_allowed(*guest_permissions)
116      expect_allowed(*reporter_permissions)
117      expect_disallowed(*developer_permissions)
118      expect_disallowed(*maintainer_permissions)
119      expect_disallowed(*owner_permissions)
120    end
121
122    it_behaves_like 'deploy token does not get confused with user' do
123      let(:user_id) { reporter.id }
124    end
125  end
126
127  context 'developer' do
128    let(:current_user) { developer }
129
130    it do
131      expect_allowed(*read_group_permissions)
132      expect_allowed(*guest_permissions)
133      expect_allowed(*reporter_permissions)
134      expect_allowed(*developer_permissions)
135      expect_disallowed(*maintainer_permissions)
136      expect_disallowed(*owner_permissions)
137    end
138
139    it_behaves_like 'deploy token does not get confused with user' do
140      let(:user_id) { developer.id }
141    end
142  end
143
144  context 'maintainer' do
145    let(:current_user) { maintainer }
146
147    context 'with subgroup_creation level set to maintainer' do
148      before_all do
149        group.update!(subgroup_creation_level: ::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS)
150      end
151
152      it 'allows every maintainer permission plus creating subgroups' do
153        create_subgroup_permission = [:create_subgroup]
154        updated_maintainer_permissions =
155          maintainer_permissions + create_subgroup_permission
156        updated_owner_permissions =
157          owner_permissions - create_subgroup_permission
158
159        expect_allowed(*read_group_permissions)
160        expect_allowed(*guest_permissions)
161        expect_allowed(*reporter_permissions)
162        expect_allowed(*developer_permissions)
163        expect_allowed(*updated_maintainer_permissions)
164        expect_disallowed(*updated_owner_permissions)
165      end
166    end
167
168    context 'with subgroup_creation_level set to owner' do
169      it 'allows every maintainer permission' do
170        expect_allowed(*read_group_permissions)
171        expect_allowed(*guest_permissions)
172        expect_allowed(*reporter_permissions)
173        expect_allowed(*developer_permissions)
174        expect_allowed(*maintainer_permissions)
175        expect_disallowed(*owner_permissions)
176      end
177    end
178
179    it_behaves_like 'deploy token does not get confused with user' do
180      let(:user_id) { maintainer.id }
181    end
182  end
183
184  context 'owner' do
185    let(:current_user) { owner }
186
187    it do
188      expect_allowed(*read_group_permissions)
189      expect_allowed(*guest_permissions)
190      expect_allowed(*reporter_permissions)
191      expect_allowed(*developer_permissions)
192      expect_allowed(*maintainer_permissions)
193      expect_allowed(*owner_permissions)
194    end
195
196    it_behaves_like 'deploy token does not get confused with user' do
197      let(:user_id) { owner.id }
198    end
199  end
200
201  context 'admin' do
202    let(:current_user) { admin }
203
204    specify do
205      expect_disallowed(*read_group_permissions)
206      expect_disallowed(*guest_permissions)
207      expect_disallowed(*reporter_permissions)
208      expect_disallowed(*developer_permissions)
209      expect_disallowed(*maintainer_permissions)
210      expect_disallowed(*owner_permissions)
211    end
212
213    context 'with admin mode', :enable_admin_mode do
214      specify do
215        expect_allowed(*read_group_permissions)
216        expect_allowed(*guest_permissions)
217        expect_allowed(*reporter_permissions)
218        expect_allowed(*developer_permissions)
219        expect_allowed(*maintainer_permissions)
220        expect_allowed(*owner_permissions)
221        expect_allowed(*admin_permissions)
222      end
223    end
224
225    it_behaves_like 'deploy token does not get confused with user' do
226      let(:user_id) { admin.id }
227
228      context 'with admin mode', :enable_admin_mode do
229        it { expect_disallowed(*admin_permissions) }
230      end
231    end
232  end
233
234  describe 'private nested group use the highest access level from the group and inherited permissions' do
235    let_it_be(:nested_group) do
236      create(:group, :private, :owner_subgroup_creation_only, parent: group)
237    end
238
239    before_all do
240      nested_group.add_guest(guest)
241      nested_group.add_guest(reporter)
242      nested_group.add_guest(developer)
243      nested_group.add_guest(maintainer)
244
245      group.owners.destroy_all # rubocop: disable Cop/DestroyAll
246
247      group.add_guest(owner)
248      nested_group.add_owner(owner)
249    end
250
251    subject { described_class.new(current_user, nested_group) }
252
253    context 'with no user' do
254      let(:current_user) { nil }
255
256      it do
257        expect_disallowed(:read_counts)
258        expect_disallowed(*read_group_permissions)
259        expect_disallowed(*guest_permissions)
260        expect_disallowed(*reporter_permissions)
261        expect_disallowed(*developer_permissions)
262        expect_disallowed(*maintainer_permissions)
263        expect_disallowed(*owner_permissions)
264      end
265    end
266
267    context 'guests' do
268      let(:current_user) { guest }
269
270      it do
271        expect_allowed(:read_counts)
272        expect_allowed(*read_group_permissions)
273        expect_allowed(*guest_permissions)
274        expect_disallowed(*reporter_permissions)
275        expect_disallowed(*developer_permissions)
276        expect_disallowed(*maintainer_permissions)
277        expect_disallowed(*owner_permissions)
278      end
279    end
280
281    context 'reporter' do
282      let(:current_user) { reporter }
283
284      it do
285        expect_allowed(:read_counts)
286        expect_allowed(*read_group_permissions)
287        expect_allowed(*guest_permissions)
288        expect_allowed(*reporter_permissions)
289        expect_disallowed(*developer_permissions)
290        expect_disallowed(*maintainer_permissions)
291        expect_disallowed(*owner_permissions)
292      end
293    end
294
295    context 'developer' do
296      let(:current_user) { developer }
297
298      it do
299        expect_allowed(:read_counts)
300        expect_allowed(*read_group_permissions)
301        expect_allowed(*guest_permissions)
302        expect_allowed(*reporter_permissions)
303        expect_allowed(*developer_permissions)
304        expect_disallowed(*maintainer_permissions)
305        expect_disallowed(*owner_permissions)
306      end
307    end
308
309    context 'maintainer' do
310      let(:current_user) { maintainer }
311
312      it do
313        expect_allowed(:read_counts)
314        expect_allowed(*read_group_permissions)
315        expect_allowed(*guest_permissions)
316        expect_allowed(*reporter_permissions)
317        expect_allowed(*developer_permissions)
318        expect_allowed(*maintainer_permissions)
319        expect_disallowed(*owner_permissions)
320      end
321    end
322
323    context 'owner' do
324      let(:current_user) { owner }
325
326      it do
327        expect_allowed(:read_counts)
328        expect_allowed(*read_group_permissions)
329        expect_allowed(*guest_permissions)
330        expect_allowed(*reporter_permissions)
331        expect_allowed(*developer_permissions)
332        expect_allowed(*maintainer_permissions)
333        expect_allowed(*owner_permissions)
334      end
335    end
336  end
337
338  describe 'change_share_with_group_lock' do
339    context 'when the current_user owns the group' do
340      let(:current_user) { owner }
341
342      context 'when the group share_with_group_lock is enabled' do
343        let(:group) { create(:group, share_with_group_lock: true, parent: parent) }
344
345        before do
346          group.add_owner(owner)
347        end
348
349        context 'when the parent group share_with_group_lock is enabled' do
350          context 'when the group has a grandparent' do
351            let(:parent) { create(:group, share_with_group_lock: true, parent: grandparent) }
352
353            context 'when the grandparent share_with_group_lock is enabled' do
354              let(:grandparent) { create(:group, share_with_group_lock: true) }
355
356              context 'when the current_user owns the parent' do
357                before do
358                  parent.add_owner(current_user)
359                end
360
361                context 'when the current_user owns the grandparent' do
362                  before do
363                    grandparent.add_owner(current_user)
364                  end
365
366                  it { expect_allowed(:change_share_with_group_lock) }
367                end
368
369                context 'when the current_user does not own the grandparent' do
370                  it { expect_disallowed(:change_share_with_group_lock) }
371                end
372              end
373
374              context 'when the current_user does not own the parent' do
375                it { expect_disallowed(:change_share_with_group_lock) }
376              end
377            end
378
379            context 'when the grandparent share_with_group_lock is disabled' do
380              let(:grandparent) { create(:group) }
381
382              context 'when the current_user owns the parent' do
383                before do
384                  parent.add_owner(current_user)
385                end
386
387                it { expect_allowed(:change_share_with_group_lock) }
388              end
389
390              context 'when the current_user does not own the parent' do
391                it { expect_disallowed(:change_share_with_group_lock) }
392              end
393            end
394          end
395
396          context 'when the group does not have a grandparent' do
397            let(:parent) { create(:group, share_with_group_lock: true) }
398
399            context 'when the current_user owns the parent' do
400              before do
401                parent.add_owner(current_user)
402              end
403
404              it { expect_allowed(:change_share_with_group_lock) }
405            end
406
407            context 'when the current_user does not own the parent' do
408              it { expect_disallowed(:change_share_with_group_lock) }
409            end
410          end
411        end
412
413        context 'when the parent group share_with_group_lock is disabled' do
414          let(:parent) { create(:group) }
415
416          it { expect_allowed(:change_share_with_group_lock) }
417        end
418      end
419
420      context 'when the group share_with_group_lock is disabled' do
421        it { expect_allowed(:change_share_with_group_lock) }
422      end
423    end
424
425    context 'when the current_user does not own the group' do
426      let(:current_user) { create(:user) }
427
428      it { expect_disallowed(:change_share_with_group_lock) }
429    end
430  end
431
432  context 'transfer_projects' do
433    shared_examples_for 'allowed to transfer projects' do
434      before do
435        group.update!(project_creation_level: project_creation_level)
436      end
437
438      it { is_expected.to be_allowed(:transfer_projects) }
439    end
440
441    shared_examples_for 'not allowed to transfer projects' do
442      before do
443        group.update!(project_creation_level: project_creation_level)
444      end
445
446      it { is_expected.to be_disallowed(:transfer_projects) }
447    end
448
449    context 'reporter' do
450      let(:current_user) { reporter }
451
452      it_behaves_like 'not allowed to transfer projects' do
453        let(:project_creation_level) { ::Gitlab::Access::NO_ONE_PROJECT_ACCESS }
454      end
455
456      it_behaves_like 'not allowed to transfer projects' do
457        let(:project_creation_level) { ::Gitlab::Access::MAINTAINER_PROJECT_ACCESS }
458      end
459
460      it_behaves_like 'not allowed to transfer projects' do
461        let(:project_creation_level) { ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS }
462      end
463    end
464
465    context 'developer' do
466      let(:current_user) { developer }
467
468      it_behaves_like 'not allowed to transfer projects' do
469        let(:project_creation_level) { ::Gitlab::Access::NO_ONE_PROJECT_ACCESS }
470      end
471
472      it_behaves_like 'not allowed to transfer projects' do
473        let(:project_creation_level) { ::Gitlab::Access::MAINTAINER_PROJECT_ACCESS }
474      end
475
476      it_behaves_like 'not allowed to transfer projects' do
477        let(:project_creation_level) { ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS }
478      end
479    end
480
481    context 'maintainer' do
482      let(:current_user) { maintainer }
483
484      it_behaves_like 'not allowed to transfer projects' do
485        let(:project_creation_level) { ::Gitlab::Access::NO_ONE_PROJECT_ACCESS }
486      end
487
488      it_behaves_like 'allowed to transfer projects' do
489        let(:project_creation_level) { ::Gitlab::Access::MAINTAINER_PROJECT_ACCESS }
490      end
491
492      it_behaves_like 'allowed to transfer projects' do
493        let(:project_creation_level) { ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS }
494      end
495    end
496
497    context 'owner' do
498      let(:current_user) { owner }
499
500      it_behaves_like 'not allowed to transfer projects' do
501        let(:project_creation_level) { ::Gitlab::Access::NO_ONE_PROJECT_ACCESS }
502      end
503
504      it_behaves_like 'allowed to transfer projects' do
505        let(:project_creation_level) { ::Gitlab::Access::MAINTAINER_PROJECT_ACCESS }
506      end
507
508      it_behaves_like 'allowed to transfer projects' do
509        let(:project_creation_level) { ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS }
510      end
511    end
512  end
513
514  context 'create_projects' do
515    context 'when group has no project creation level set' do
516      before_all do
517        group.update!(project_creation_level: nil)
518      end
519
520      context 'reporter' do
521        let(:current_user) { reporter }
522
523        it { is_expected.to be_disallowed(:create_projects) }
524      end
525
526      context 'developer' do
527        let(:current_user) { developer }
528
529        it { is_expected.to be_allowed(:create_projects) }
530      end
531
532      context 'maintainer' do
533        let(:current_user) { maintainer }
534
535        it { is_expected.to be_allowed(:create_projects) }
536      end
537
538      context 'owner' do
539        let(:current_user) { owner }
540
541        it { is_expected.to be_allowed(:create_projects) }
542      end
543    end
544
545    context 'when group has project creation level set to no one' do
546      before_all do
547        group.update!(project_creation_level: ::Gitlab::Access::NO_ONE_PROJECT_ACCESS)
548      end
549
550      context 'reporter' do
551        let(:current_user) { reporter }
552
553        it { is_expected.to be_disallowed(:create_projects) }
554      end
555
556      context 'developer' do
557        let(:current_user) { developer }
558
559        it { is_expected.to be_disallowed(:create_projects) }
560      end
561
562      context 'maintainer' do
563        let(:current_user) { maintainer }
564
565        it { is_expected.to be_disallowed(:create_projects) }
566      end
567
568      context 'owner' do
569        let(:current_user) { owner }
570
571        it { is_expected.to be_disallowed(:create_projects) }
572      end
573    end
574
575    context 'when group has project creation level set to maintainer only' do
576      before_all do
577        group.update!(project_creation_level: ::Gitlab::Access::MAINTAINER_PROJECT_ACCESS)
578      end
579
580      context 'reporter' do
581        let(:current_user) { reporter }
582
583        it { is_expected.to be_disallowed(:create_projects) }
584      end
585
586      context 'developer' do
587        let(:current_user) { developer }
588
589        it { is_expected.to be_disallowed(:create_projects) }
590      end
591
592      context 'maintainer' do
593        let(:current_user) { maintainer }
594
595        it { is_expected.to be_allowed(:create_projects) }
596      end
597
598      context 'owner' do
599        let(:current_user) { owner }
600
601        it { is_expected.to be_allowed(:create_projects) }
602      end
603    end
604
605    context 'when group has project creation level set to developers + maintainer' do
606      before_all do
607        group.update!(project_creation_level: ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS)
608      end
609
610      context 'reporter' do
611        let(:current_user) { reporter }
612
613        it { is_expected.to be_disallowed(:create_projects) }
614      end
615
616      context 'developer' do
617        let(:current_user) { developer }
618
619        it { is_expected.to be_allowed(:create_projects) }
620      end
621
622      context 'maintainer' do
623        let(:current_user) { maintainer }
624
625        it { is_expected.to be_allowed(:create_projects) }
626      end
627
628      context 'owner' do
629        let(:current_user) { owner }
630
631        it { is_expected.to be_allowed(:create_projects) }
632      end
633    end
634  end
635
636  context 'create_subgroup' do
637    context 'when group has subgroup creation level set to owner' do
638      before_all do
639        group.update!(subgroup_creation_level: ::Gitlab::Access::OWNER_SUBGROUP_ACCESS)
640      end
641
642      context 'reporter' do
643        let(:current_user) { reporter }
644
645        it { is_expected.to be_disallowed(:create_subgroup) }
646      end
647
648      context 'developer' do
649        let(:current_user) { developer }
650
651        it { is_expected.to be_disallowed(:create_subgroup) }
652      end
653
654      context 'maintainer' do
655        let(:current_user) { maintainer }
656
657        it { is_expected.to be_disallowed(:create_subgroup) }
658      end
659
660      context 'owner' do
661        let(:current_user) { owner }
662
663        it { is_expected.to be_allowed(:create_subgroup) }
664      end
665    end
666
667    context 'when group has subgroup creation level set to maintainer' do
668      before_all do
669        group.update!(subgroup_creation_level: ::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS)
670      end
671
672      context 'reporter' do
673        let(:current_user) { reporter }
674
675        it { is_expected.to be_disallowed(:create_subgroup) }
676      end
677
678      context 'developer' do
679        let(:current_user) { developer }
680
681        it { is_expected.to be_disallowed(:create_subgroup) }
682      end
683
684      context 'maintainer' do
685        let(:current_user) { maintainer }
686
687        it { is_expected.to be_allowed(:create_subgroup) }
688      end
689
690      context 'owner' do
691        let(:current_user) { owner }
692
693        it { is_expected.to be_allowed(:create_subgroup) }
694      end
695    end
696  end
697
698  it_behaves_like 'clusterable policies' do
699    let(:clusterable) { create(:group) }
700    let(:cluster) do
701      create(:cluster,
702             :provided_by_gcp,
703             :group,
704             groups: [clusterable])
705    end
706  end
707
708  describe 'update_max_artifacts_size' do
709    let(:group) { create(:group, :public) }
710
711    context 'when no user' do
712      let(:current_user) { nil }
713
714      it { expect_disallowed(:update_max_artifacts_size) }
715    end
716
717    context 'admin' do
718      let(:current_user) { admin }
719
720      context 'when admin mode is enabled', :enable_admin_mode do
721        it { expect_allowed(:update_max_artifacts_size) }
722      end
723
724      context 'when admin mode is enabled' do
725        it { expect_disallowed(:update_max_artifacts_size) }
726      end
727    end
728
729    %w(guest reporter developer maintainer owner).each do |role|
730      context role do
731        let(:current_user) { send(role) }
732
733        it { expect_disallowed(:update_max_artifacts_size) }
734      end
735    end
736  end
737
738  describe 'design activity' do
739    let_it_be(:group) { create(:group, :public) }
740
741    let(:current_user) { nil }
742
743    subject { described_class.new(current_user, group) }
744
745    context 'when design management is not available' do
746      it { is_expected.not_to be_allowed(:read_design_activity) }
747
748      context 'even when there are projects in the group' do
749        before do
750          create_list(:project_group_link, 2, group: group)
751        end
752
753        it { is_expected.not_to be_allowed(:read_design_activity) }
754      end
755    end
756
757    context 'when design management is available globally' do
758      include DesignManagementTestHelpers
759
760      before do
761        enable_design_management
762      end
763
764      context 'the group has no projects' do
765        it { is_expected.not_to be_allowed(:read_design_activity) }
766      end
767
768      context 'the group has a project' do
769        let(:project) { create(:project, :public) }
770
771        before do
772          create(:project_group_link, project: project, group: group)
773        end
774
775        it { is_expected.to be_allowed(:read_design_activity) }
776
777        context 'which does not have design management enabled' do
778          before do
779            project.update!(lfs_enabled: false)
780          end
781
782          it { is_expected.not_to be_allowed(:read_design_activity) }
783
784          context 'but another project does' do
785            before do
786              create(:project_group_link, project: create(:project, :public), group: group)
787            end
788
789            it { is_expected.to be_allowed(:read_design_activity) }
790          end
791        end
792      end
793    end
794  end
795
796  describe 'create_jira_connect_subscription' do
797    context 'admin' do
798      let(:current_user) { admin }
799
800      context 'when admin mode is enabled', :enable_admin_mode do
801        it { is_expected.to be_allowed(:create_jira_connect_subscription) }
802      end
803
804      context 'when admin mode is disabled' do
805        it { is_expected.to be_disallowed(:create_jira_connect_subscription) }
806      end
807    end
808
809    context 'with owner' do
810      let(:current_user) { owner }
811
812      it { is_expected.to be_allowed(:create_jira_connect_subscription) }
813    end
814
815    context 'with maintainer' do
816      let(:current_user) { maintainer }
817
818      it { is_expected.to be_allowed(:create_jira_connect_subscription) }
819    end
820
821    context 'with reporter' do
822      let(:current_user) { reporter }
823
824      it { is_expected.to be_disallowed(:create_jira_connect_subscription) }
825    end
826
827    context 'with guest' do
828      let(:current_user) { guest }
829
830      it { is_expected.to be_disallowed(:create_jira_connect_subscription) }
831    end
832
833    context 'with non member' do
834      let(:current_user) { create(:user) }
835
836      it { is_expected.to be_disallowed(:create_jira_connect_subscription) }
837    end
838
839    context 'with anonymous' do
840      let(:current_user) { nil }
841
842      it { is_expected.to be_disallowed(:create_jira_connect_subscription) }
843    end
844  end
845
846  describe 'read_package' do
847    context 'admin' do
848      let(:current_user) { admin }
849
850      context 'when admin mode is enabled', :enable_admin_mode do
851        it { is_expected.to be_allowed(:read_package) }
852      end
853
854      context 'when admin mode is disabled' do
855        it { is_expected.to be_disallowed(:read_package) }
856      end
857    end
858
859    context 'with owner' do
860      let(:current_user) { owner }
861
862      it { is_expected.to be_allowed(:read_package) }
863    end
864
865    context 'with maintainer' do
866      let(:current_user) { maintainer }
867
868      it { is_expected.to be_allowed(:read_package) }
869    end
870
871    context 'with reporter' do
872      let(:current_user) { reporter }
873
874      it { is_expected.to be_allowed(:read_package) }
875    end
876
877    context 'with guest' do
878      let(:current_user) { guest }
879
880      it { is_expected.to be_disallowed(:read_package) }
881    end
882
883    context 'with non member' do
884      let(:current_user) { create(:user) }
885
886      it { is_expected.to be_disallowed(:read_package) }
887    end
888
889    context 'with anonymous' do
890      let(:current_user) { nil }
891
892      it { is_expected.to be_disallowed(:read_package) }
893    end
894  end
895
896  describe 'dependency proxy' do
897    context 'feature disabled' do
898      let(:current_user) { owner }
899
900      it { is_expected.to be_disallowed(:read_dependency_proxy) }
901      it { is_expected.to be_disallowed(:admin_dependency_proxy) }
902    end
903
904    context 'feature enabled' do
905      before do
906        stub_config(dependency_proxy: { enabled: true })
907        group.create_dependency_proxy_setting!(enabled: true)
908      end
909
910      context 'reporter' do
911        let(:current_user) { reporter }
912
913        it { is_expected.to be_disallowed(:admin_dependency_proxy) }
914      end
915
916      context 'developer' do
917        let(:current_user) { developer }
918
919        it { is_expected.to be_allowed(:admin_dependency_proxy) }
920      end
921    end
922  end
923
924  context 'deploy token access' do
925    let!(:group_deploy_token) do
926      create(:group_deploy_token, group: group, deploy_token: deploy_token)
927    end
928
929    subject { described_class.new(deploy_token, group) }
930
931    context 'a deploy token with read_package_registry scope' do
932      let(:deploy_token) { create(:deploy_token, :group, read_package_registry: true) }
933
934      it { is_expected.to be_allowed(:read_package) }
935      it { is_expected.to be_allowed(:read_group) }
936      it { is_expected.to be_allowed(:read_crm_organization) }
937      it { is_expected.to be_allowed(:read_crm_contact) }
938      it { is_expected.to be_disallowed(:create_package) }
939    end
940
941    context 'a deploy token with write_package_registry scope' do
942      let(:deploy_token) { create(:deploy_token, :group, write_package_registry: true) }
943
944      it { is_expected.to be_allowed(:create_package) }
945      it { is_expected.to be_allowed(:read_package) }
946      it { is_expected.to be_allowed(:read_group) }
947      it { is_expected.to be_allowed(:read_crm_organization) }
948      it { is_expected.to be_allowed(:read_crm_contact) }
949      it { is_expected.to be_disallowed(:destroy_package) }
950    end
951
952    context 'a deploy token with dependency proxy scopes' do
953      let_it_be(:deploy_token) { create(:deploy_token, :group, :dependency_proxy_scopes) }
954
955      before do
956        stub_config(dependency_proxy: { enabled: true })
957        group.create_dependency_proxy_setting!(enabled: true)
958      end
959
960      it { is_expected.to be_allowed(:read_dependency_proxy) }
961      it { is_expected.to be_disallowed(:admin_dependency_proxy) }
962    end
963  end
964
965  it_behaves_like 'Self-managed Core resource access tokens'
966
967  context 'support bot' do
968    let_it_be(:group) { create(:group, :private) }
969    let_it_be(:current_user) { User.support_bot }
970
971    before do
972      allow(Gitlab::ServiceDesk).to receive(:supported?).and_return(true)
973    end
974
975    it { expect_disallowed(:read_label) }
976
977    context 'when group hierarchy has a project with service desk enabled' do
978      let_it_be(:subgroup) { create(:group, :private, parent: group)}
979      let_it_be(:project) { create(:project, group: subgroup, service_desk_enabled: true) }
980
981      it { expect_allowed(:read_label) }
982      it { expect(described_class.new(current_user, subgroup)).to be_allowed(:read_label) }
983    end
984  end
985
986  describe 'update_runners_registration_token' do
987    context 'admin' do
988      let(:current_user) { admin }
989
990      context 'when admin mode is enabled', :enable_admin_mode do
991        it { is_expected.to be_allowed(:update_runners_registration_token) }
992      end
993
994      context 'when admin mode is disabled' do
995        it { is_expected.to be_disallowed(:update_runners_registration_token) }
996      end
997    end
998
999    context 'with owner' do
1000      let(:current_user) { owner }
1001
1002      it { is_expected.to be_allowed(:update_runners_registration_token) }
1003    end
1004
1005    context 'with maintainer' do
1006      let(:current_user) { maintainer }
1007
1008      it { is_expected.to be_disallowed(:update_runners_registration_token) }
1009    end
1010
1011    context 'with reporter' do
1012      let(:current_user) { reporter }
1013
1014      it { is_expected.to be_disallowed(:update_runners_registration_token) }
1015    end
1016
1017    context 'with guest' do
1018      let(:current_user) { guest }
1019
1020      it { is_expected.to be_disallowed(:update_runners_registration_token) }
1021    end
1022
1023    context 'with non member' do
1024      let(:current_user) { create(:user) }
1025
1026      it { is_expected.to be_disallowed(:update_runners_registration_token) }
1027    end
1028
1029    context 'with anonymous' do
1030      let(:current_user) { nil }
1031
1032      it { is_expected.to be_disallowed(:update_runners_registration_token) }
1033    end
1034  end
1035
1036  describe 'register_group_runners' do
1037    shared_examples 'expected outcome based on runner registration control' do
1038      context 'with runner_registration_control FF disabled' do
1039        before do
1040          stub_feature_flags(runner_registration_control: false)
1041        end
1042
1043        it { is_expected.to be_allowed(:register_group_runners) }
1044      end
1045
1046      context 'with runner_registration_control FF enabled' do
1047        before do
1048          stub_feature_flags(runner_registration_control: true)
1049        end
1050
1051        context 'with group runner registration disabled' do
1052          before do
1053            stub_application_setting(valid_runner_registrars: ['project'])
1054          end
1055
1056          it { is_expected.to be_disallowed(:register_group_runners) }
1057        end
1058      end
1059    end
1060
1061    context 'admin' do
1062      let(:current_user) { admin }
1063
1064      context 'when admin mode is enabled', :enable_admin_mode do
1065        it { is_expected.to be_allowed(:register_group_runners) }
1066
1067        it_behaves_like 'expected outcome based on runner registration control'
1068      end
1069
1070      context 'when admin mode is disabled' do
1071        it { is_expected.to be_disallowed(:register_group_runners) }
1072      end
1073    end
1074
1075    context 'with owner' do
1076      let(:current_user) { owner }
1077
1078      it { is_expected.to be_allowed(:register_group_runners) }
1079
1080      it_behaves_like 'expected outcome based on runner registration control'
1081    end
1082
1083    context 'with maintainer' do
1084      let(:current_user) { maintainer }
1085
1086      it { is_expected.to be_allowed(:register_group_runners) }
1087
1088      it_behaves_like 'expected outcome based on runner registration control'
1089    end
1090
1091    context 'with reporter' do
1092      let(:current_user) { reporter }
1093
1094      it { is_expected.to be_disallowed(:register_group_runners) }
1095    end
1096
1097    context 'with guest' do
1098      let(:current_user) { guest }
1099
1100      it { is_expected.to be_disallowed(:register_group_runners) }
1101    end
1102
1103    context 'with non member' do
1104      let(:current_user) { create(:user) }
1105
1106      it { is_expected.to be_disallowed(:register_group_runners) }
1107    end
1108
1109    context 'with anonymous' do
1110      let(:current_user) { nil }
1111
1112      it { is_expected.to be_disallowed(:register_group_runners) }
1113    end
1114  end
1115
1116  context 'with customer_relations feature flag disabled' do
1117    let(:current_user) { owner }
1118
1119    before do
1120      stub_feature_flags(customer_relations: false)
1121    end
1122
1123    it { is_expected.to be_disallowed(:read_crm_contact) }
1124    it { is_expected.to be_disallowed(:read_crm_organization) }
1125    it { is_expected.to be_disallowed(:admin_crm_contact) }
1126    it { is_expected.to be_disallowed(:admin_crm_organization) }
1127  end
1128end
1129