Merge branch 'chore/disable-admin-mode-in-lib' into 'master'

Disable auto admin mode for lib specs [RUN AS-IF-FOSS] See merge request gitlab-org/gitlab!50056

Merge branch 'chore/disable-admin-mode-in-lib' into 'master'
Disable auto admin mode for lib specs [RUN AS-IF-FOSS] See merge request gitlab-org/gitlab!50056
1ed6725f · Bob Van Landuyt · 107adcd3 · f9356b47 · 1ed6725f · 1ed6725f
Commit 1ed6725f authored Dec 17, 2020 by Bob Van Landuyt
45 changed files
--- a/changelogs/unreleased/chore-disable-admin-mode-in-lib.yml
+++ b/changelogs/unreleased/chore-disable-admin-mode-in-lib.yml
+---
+title: Disable auto admin mode for lib specs
+merge_request: 50056
+author: Diego Louzán
+type: other
--- a/ee/spec/lib/gitlab/analytics/cycle_analytics/group_stage_time_summary_spec.rb
+++ b/ee/spec/lib/gitlab/analytics/cycle_analytics/group_stage_time_summary_spec.rb
@@ -5,7 +5,7 @@ RSpec.describe Gitlab::Analytics::CycleAnalytics::GroupStageTimeSummary do
  let_it_be(:group) { create(:group) }
  let_it_be(:project) { create(:project, :repository, namespace: group) }
  let_it_be(:project_2) { create(:project, :repository, namespace: group) }
-  let_it_be(:user) { create(:user, :admin) }
+  let_it_be(:user) { create(:user) }
  let(:from) { 1.day.ago }
  let(:to) { nil }
  let(:options) { { from: from, to: to, current_user: user } }
@@ -16,6 +16,10 @@ RSpec.describe Gitlab::Analytics::CycleAnalytics::GroupStageTimeSummary do
    freeze_time { example.run }
  end
+  before do
+    group.add_owner(user)
+  end
  describe '#lead_time' do
    describe 'issuable filter parameters' do
      let_it_be(:label) { create(:group_label, group: group) }

--- a/ee/spec/lib/gitlab/analytics/cycle_analytics/summary/group/stage_summary_spec.rb
+++ b/ee/spec/lib/gitlab/analytics/cycle_analytics/summary/group/stage_summary_spec.rb
@@ -6,10 +6,14 @@ RSpec.describe Gitlab::Analytics::CycleAnalytics::Summary::Group::StageSummary d
  let(:project) { create(:project, :repository, namespace: group) }
  let(:project_2) { create(:project, :repository, namespace: group) }
  let(:from) { 1.day.ago }
-  let(:user) { create(:user, :admin) }
+  let(:user) { create(:user) }
  subject { described_class.new(group, options: { from: Time.now, current_user: user }).data }
+  before do
+    group.add_owner(user)
+  end
  describe "#new_issues" do
    context 'with from date' do
      before do

--- a/ee/spec/lib/gitlab/analytics/cycle_analytics/summary/group/stage_time_summary_spec.rb
+++ b/ee/spec/lib/gitlab/analytics/cycle_analytics/summary/group/stage_time_summary_spec.rb
@@ -7,7 +7,7 @@ RSpec.describe Gitlab::Analytics::CycleAnalytics::Summary::Group::StageTimeSumma
  let(:project_2) { create(:project, :repository, namespace: group) }
  let(:from) { 1.day.ago }
  let(:to) { nil }
-  let(:user) { create(:user, :admin) }
+  let(:user) { create(:user) }
  subject { described_class.new(group, options: { from: from, to: to, current_user: user }).data }
@@ -15,6 +15,10 @@ RSpec.describe Gitlab::Analytics::CycleAnalytics::Summary::Group::StageTimeSumma
    freeze_time { example.run }
  end
+  before do
+    group.add_owner(user)
+  end
  describe '#lead_time' do
    context 'with `from` date' do
      let(:from) { 6.days.ago }

--- a/ee/spec/lib/gitlab/ci/templates/Jobs/browser_performance_testing_gitlab_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/Jobs/browser_performance_testing_gitlab_ci_yaml_spec.rb
@@ -19,13 +19,13 @@ RSpec.describe 'Jobs/Browser-Performance-Testing.gitlab-ci.yml' do
  end
  describe 'the created pipeline' do
-    let(:user) { create(:admin) }
    let(:project) do
      create(:project, :repository, variables: [
        build(:ci_variable, key: 'CI_KUBERNETES_ACTIVE', value: 'true')
      ])
    end
+    let(:user) { project.owner }
    let(:default_branch) { 'master' }
    let(:pipeline_ref) { default_branch }
    let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_ref) }

--- a/ee/spec/lib/gitlab/ci/templates/Jobs/dast_default_branch_gitlab_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/Jobs/dast_default_branch_gitlab_ci_yaml_spec.rb
@@ -22,13 +22,13 @@ RSpec.describe 'Jobs/DAST-Default-Branch-Deploy.gitlab-ci.yml' do
  end
  describe 'the created pipeline' do
-    let(:user) { create(:admin) }
    let(:project) do
      create(:project, :repository, variables: [
        build(:ci_variable, key: 'CI_KUBERNETES_ACTIVE', value: 'true')
      ])
    end
+    let(:user) { project.owner }
    let(:default_branch) { 'master' }
    let(:pipeline_ref) { default_branch }
    let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_ref) }

--- a/ee/spec/lib/gitlab/ci/templates/Jobs/load_performance_testing_gitlab_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/Jobs/load_performance_testing_gitlab_ci_yaml_spec.rb
@@ -19,13 +19,13 @@ RSpec.describe 'Jobs/Load-Performance-Testing.gitlab-ci.yml' do
  end
  describe 'the created pipeline' do
-    let(:user) { create(:admin) }
    let(:project) do
      create(:project, :repository, variables: [
        build(:ci_variable, key: 'CI_KUBERNETES_ACTIVE', value: 'true')
      ])
    end
+    let(:user) { project.owner }
    let(:default_branch) { 'master' }
    let(:pipeline_ref) { default_branch }
    let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_ref) }

--- a/ee/spec/lib/gitlab/ci/templates/Verify/browser_performance_testing_gitlab_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/Verify/browser_performance_testing_gitlab_ci_yaml_spec.rb
@@ -18,9 +18,9 @@ RSpec.describe 'Verify/Browser-Performance.gitlab-ci.yml' do
    YAML
  end
-  describe 'the created pipeline' do
+  describe 'the created pipeline', :clean_gitlab_redis_cache do
-    let(:user) { create(:admin) }
    let(:project) { create(:project, :repository) }
+    let(:user) { project.owner }
    let(:default_branch) { 'master' }
    let(:pipeline_ref) { default_branch }

--- a/ee/spec/lib/gitlab/ci/templates/Verify/load_performance_testing_gitlab_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/Verify/load_performance_testing_gitlab_ci_yaml_spec.rb
@@ -18,9 +18,9 @@ RSpec.describe 'Verify/Load-Performance-Testing.gitlab-ci.yml' do
    YAML
  end
-  describe 'the created pipeline' do
+  describe 'the created pipeline', :clean_gitlab_redis_cache do
-    let(:user) { create(:admin) }
    let(:project) { create(:project, :repository) }
+    let(:user) { project.owner }
    let(:default_branch) { 'master' }
    let(:pipeline_ref) { default_branch }

--- a/ee/spec/lib/gitlab/ci/templates/api_fuzzing_gitlab_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/api_fuzzing_gitlab_ci_yaml_spec.rb
@@ -27,16 +27,17 @@ RSpec.describe 'API-Fuzzing.gitlab-ci.yml' do
  end
  describe 'the created pipeline' do
-    let(:user) { create(:admin) }
    let(:default_branch) { 'master' }
    let(:pipeline_branch) { default_branch }
    let(:project) { create(:project, :custom_repo, files: { 'README.txt' => '' }) }
+    let(:user) { project.owner }
    let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_branch ) }
    let(:pipeline) { service.execute!(:push) }
    let(:build_names) { pipeline.builds.pluck(:name) }
    before do
      stub_ci_pipeline_yaml_file(template.content)
      allow_any_instance_of(Ci::BuildScheduleWorker).to receive(:perform).and_return(true)
      allow(project).to receive(:default_branch).and_return(default_branch)
    end

--- a/ee/spec/lib/gitlab/ci/templates/container_scanning_gitlab_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/container_scanning_gitlab_ci_yaml_spec.rb
@@ -6,9 +6,9 @@ RSpec.describe 'Container-Scanning.gitlab-ci.yml' do
  subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Container-Scanning') }
  describe 'the created pipeline' do
-    let(:user) { create(:admin) }
    let(:default_branch) { 'master' }
    let(:project) { create(:project, :custom_repo, files: { 'README.txt' => '' }) }
+    let(:user) { project.owner }
    let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master' ) }
    let(:pipeline) { service.execute!(:push) }
    let(:build_names) { pipeline.builds.pluck(:name) }

--- a/ee/spec/lib/gitlab/ci/templates/coverage_fuzzing_gitlab_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/coverage_fuzzing_gitlab_ci_yaml_spec.rb
@@ -6,9 +6,9 @@ RSpec.describe 'Coverage-Fuzzing.gitlab-ci.yml' do
  subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Coverage-Fuzzing') }
  describe 'the created pipeline' do
-    let(:user) { create(:admin) }
    let(:default_branch) { 'master' }
    let(:project) { create(:project, :custom_repo, files: { 'README.txt' => '' }) }
+    let(:user) { project.owner }
    let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master' ) }
    let(:pipeline) { service.execute!(:push) }
    let(:build_names) { pipeline.builds.pluck(:name) }

--- a/ee/spec/lib/gitlab/ci/templates/dast_gitlab_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/dast_gitlab_ci_yaml_spec.rb
@@ -6,10 +6,10 @@ RSpec.describe 'DAST.gitlab-ci.yml' do
  subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('DAST') }
  describe 'the created pipeline' do
-    let(:user) { create(:admin) }
    let(:default_branch) { 'master' }
    let(:pipeline_branch) { default_branch }
    let(:project) { create(:project, :custom_repo, files: { 'README.txt' => '' }) }
+    let(:user) { project.owner }
    let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_branch ) }
    let(:pipeline) { service.execute!(:push) }
    let(:build_names) { pipeline.builds.pluck(:name) }

--- a/ee/spec/lib/gitlab/ci/templates/dependency_scanning_gitlab_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/dependency_scanning_gitlab_ci_yaml_spec.rb
@@ -6,10 +6,10 @@ RSpec.describe 'Dependency-Scanning.gitlab-ci.yml' do
  subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Dependency-Scanning') }
  describe 'the created pipeline' do
-    let(:user) { create(:admin) }
    let(:default_branch) { 'master' }
    let(:files) { { 'README.txt' => '' } }
    let(:project) { create(:project, :custom_repo, files: files) }
+    let(:user) { project.owner }
    let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master' ) }
    let(:pipeline) { service.execute!(:push) }
    let(:build_names) { pipeline.builds.pluck(:name) }

--- a/ee/spec/lib/gitlab/ci/templates/license_scanning_gitlab_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/license_scanning_gitlab_ci_yaml_spec.rb
@@ -6,9 +6,9 @@ RSpec.describe 'License-Scanning.gitlab-ci.yml' do
  subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('License-Scanning') }
  describe 'the created pipeline' do
-    let(:user) { create(:admin) }
    let(:default_branch) { 'master' }
    let(:project) { create(:project, :custom_repo, files: { 'README.txt' => '' }) }
+    let(:user) { project.owner }
    let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master' ) }
    let(:pipeline) { service.execute!(:push) }
    let(:build_names) { pipeline.builds.pluck(:name) }

--- a/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
+++ b/ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb
@@ -6,10 +6,10 @@ RSpec.describe 'SAST.gitlab-ci.yml' do
  subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('SAST') }
  describe 'the created pipeline' do
-    let(:user) { create(:admin) }
    let(:default_branch) { 'master' }
    let(:files) { { 'README.txt' => '' } }
    let(:project) { create(:project, :custom_repo, files: files) }
+    let(:user) { project.owner }
    let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master' ) }
    let(:pipeline) { service.execute!(:push) }
    let(:build_names) { pipeline.builds.pluck(:name) }

--- a/ee/spec/lib/gitlab/elastic/search_results_spec.rb
+++ b/ee/spec/lib/gitlab/elastic/search_results_spec.rb
@@ -445,7 +445,9 @@ RSpec.describe Gitlab::Elastic::SearchResults, :elastic, :sidekiq_might_not_need
        expect(results.issues_count).to eq 4
      end
-      it 'lists all issues for admin' do
+      context 'for admin users' do
+        context 'when admin mode enabled', :enable_admin_mode do
+          it 'lists all issues' do
            results = described_class.new(admin, query, limit_project_ids)
            issues = results.objects('issues')
@@ -459,6 +461,23 @@ RSpec.describe Gitlab::Elastic::SearchResults, :elastic, :sidekiq_might_not_need
          end
        end
+        context 'when admin mode disabled' do
+          it 'does not list confidential issues' do
+            results = described_class.new(admin, query, limit_project_ids)
+            issues = results.objects('issues')
+            expect(issues).to include @issue
+            expect(issues).not_to include @security_issue_1
+            expect(issues).not_to include @security_issue_2
+            expect(issues).not_to include @security_issue_3
+            expect(issues).not_to include @security_issue_4
+            expect(issues).not_to include @security_issue_5
+            expect(results.issues_count).to eq 1
+          end
+        end
+      end
+    end
    context 'search by iid' do
      let(:query) { '#1' }
@@ -530,7 +549,9 @@ RSpec.describe Gitlab::Elastic::SearchResults, :elastic, :sidekiq_might_not_need
        expect(results.issues_count).to eq 3
      end
-      it 'lists all issues for admin' do
+      context 'for admin users' do
+        context 'when admin mode enabled', :enable_admin_mode do
+          it 'lists all issues' do
            results = described_class.new(admin, query, limit_project_ids)
            issues = results.objects('issues')
@@ -543,6 +564,23 @@ RSpec.describe Gitlab::Elastic::SearchResults, :elastic, :sidekiq_might_not_need
            expect(results.issues_count).to eq 4
          end
        end
+        context 'when admin mode disabled' do
+          it 'does not list confidential issues' do
+            results = described_class.new(admin, query, limit_project_ids)
+            issues = results.objects('issues')
+            expect(issues).to include @issue
+            expect(issues).not_to include @security_issue_1
+            expect(issues).not_to include @security_issue_2
+            expect(issues).not_to include @security_issue_3
+            expect(issues).not_to include @security_issue_4
+            expect(issues).not_to include @security_issue_5
+            expect(results.issues_count).to eq 1
+          end
+        end
+      end
+    end
  end
  describe 'merge requests' do
@@ -1095,6 +1133,7 @@ RSpec.describe Gitlab::Elastic::SearchResults, :elastic, :sidekiq_might_not_need
          end
          context 'when user is admin' do
+            context 'when admin mode enabled', :enable_admin_mode do
              it 'returns right set of milestones' do
                user.update(admin: true)
                public_project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE)
@@ -1109,6 +1148,7 @@ RSpec.describe Gitlab::Elastic::SearchResults, :elastic, :sidekiq_might_not_need
                expect(milestones).to match_array([milestone_2, milestone_3, milestone_4])
              end
            end
+          end
          context 'when user can read milestones' do
            it 'returns right set of milestones' do

--- a/ee/spec/lib/gitlab/elastic/snippet_search_results_spec.rb
+++ b/ee/spec/lib/gitlab/elastic/snippet_search_results_spec.rb
@@ -71,7 +71,7 @@ RSpec.describe Gitlab::Elastic::SnippetSearchResults, :elastic, :sidekiq_might_n
    end
  end
-  context 'when user has read_all_resources', :do_not_mock_admin_mode do
+  context 'when user has read_all_resources' do
    include_context 'custom session'
    let(:user) { create(:admin) }

--- a/ee/spec/lib/gitlab/git_access_spec.rb
+++ b/ee/spec/lib/gitlab/git_access_spec.rb
@@ -5,6 +5,7 @@ require 'spec_helper'
 RSpec.describe Gitlab::GitAccess do
  include GitHelpers
  include EE::GeoHelpers
+  include AdminModeHelper
  let_it_be(:user) { create(:user) }
@@ -456,8 +457,9 @@ RSpec.describe Gitlab::GitAccess do
        # Expectations are given a custom failure message proc so that it's
        # easier to identify which check(s) failed.
        it "has the correct permissions for #{role}s" do
-          if role == :admin
+          if [:admin_with_admin_mode, :admin_without_admin_mode].include?(role)
            user.update_attribute(:admin, true)
+            enable_admin_mode!(user) if role == :admin_with_admin_mode
            project.add_guest(user)
          else
            project.add_role(user, role)
@@ -509,7 +511,7 @@ RSpec.describe Gitlab::GitAccess do
    end
    permissions_matrix = {
-      admin: {
+      admin_with_admin_mode: {
        any: true,
        push_new_branch: true,
        push_master: true,
@@ -521,6 +523,18 @@ RSpec.describe Gitlab::GitAccess do
        merge_into_protected_branch: true
      },
+      admin_without_admin_mode: {
+        any: false,
+        push_new_branch: false,
+        push_master: false,
+        push_protected_branch: false,
+        push_remove_protected_branch: false,
+        push_tag: false,
+        push_new_tag: false,
+        push_all: false,
+        merge_into_protected_branch: false
+      },
      maintainer: {
        any: true,
        push_new_branch: true,
@@ -589,7 +603,8 @@ RSpec.describe Gitlab::GitAccess do
            create(:merge_request, source_project: project, source_branch: unprotected_branch, target_branch: 'feature', state: 'locked', in_progress_merge_commit_sha: merge_into_protected_branch)
          end
-          run_permission_checks(permissions_matrix.deep_merge(admin: { push_protected_branch: false, push_all: false, merge_into_protected_branch: true },
+          run_permission_checks(permissions_matrix.deep_merge(admin_with_admin_mode: { push_protected_branch: false, push_all: false, merge_into_protected_branch: true },
+                                                              admin_without_admin_mode: { push_protected_branch: false, merge_into_protected_branch: false },
                                                              maintainer: { push_protected_branch: false, push_all: false, merge_into_protected_branch: true },
                                                              developer: { push_protected_branch: false, push_all: false, merge_into_protected_branch: true },
                                                              guest: { push_protected_branch: false, merge_into_protected_branch: false },
@@ -613,6 +628,7 @@ RSpec.describe Gitlab::GitAccess do
        before do
          create_current_license(starts_at: 1.month.ago.to_date, block_changes_at: Date.current, notify_admins_at: Date.current)
          user.update_attribute(:admin, true)
+          enable_admin_mode!(user)
          project.add_role(user, :developer)
        end
@@ -632,7 +648,8 @@ RSpec.describe Gitlab::GitAccess do
        context "when a specific group is allowed to push into the #{protected_branch_type} protected branch" do
          let(:protected_branch) { build(:protected_branch, authorize_group_to_push: group, name: protected_branch_name, project: project) }
-          permissions = permissions_matrix.except(:admin).deep_merge(developer: { push_protected_branch: true, push_all: true, merge_into_protected_branch: true },
+          permissions = permissions_matrix.except(:admin_with_admin_mode, :admin_without_admin_mode)
+                            .deep_merge(developer: { push_protected_branch: true, push_all: true, merge_into_protected_branch: true },
                                        guest: { push_protected_branch: false, merge_into_protected_branch: false },
                                        reporter: { push_protected_branch: false, merge_into_protected_branch: false })
@@ -646,7 +663,8 @@ RSpec.describe Gitlab::GitAccess do
            create(:merge_request, source_project: project, source_branch: unprotected_branch, target_branch: 'feature', state: 'locked', in_progress_merge_commit_sha: merge_into_protected_branch)
          end
-          permissions = permissions_matrix.except(:admin).deep_merge(maintainer: { push_protected_branch: false, push_all: false, merge_into_protected_branch: true },
+          permissions = permissions_matrix.except(:admin_with_admin_mode, :admin_without_admin_mode)
+                            .deep_merge(maintainer: { push_protected_branch: false, push_all: false, merge_into_protected_branch: true },
                                        developer: { push_protected_branch: false, push_all: false, merge_into_protected_branch: true },
                                        guest: { push_protected_branch: false, merge_into_protected_branch: false },
                                        reporter: { push_protected_branch: false, merge_into_protected_branch: false })
@@ -661,7 +679,8 @@ RSpec.describe Gitlab::GitAccess do
            create(:merge_request, source_project: project, source_branch: unprotected_branch, target_branch: 'feature', state: 'locked', in_progress_merge_commit_sha: merge_into_protected_branch)
          end
-          permissions = permissions_matrix.except(:admin).deep_merge(developer: { push_protected_branch: true, push_all: true, merge_into_protected_branch: true },
+          permissions = permissions_matrix.except(:admin_with_admin_mode, :admin_without_admin_mode)
+                            .deep_merge(developer: { push_protected_branch: true, push_all: true, merge_into_protected_branch: true },
                                        guest: { push_protected_branch: false, merge_into_protected_branch: false },
                                        reporter: { push_protected_branch: false, merge_into_protected_branch: false })

--- a/spec/lib/banzai/filter/reference_redactor_filter_spec.rb
+++ b/spec/lib/banzai/filter/reference_redactor_filter_spec.rb
@@ -143,7 +143,9 @@ RSpec.describe Banzai::Filter::ReferenceRedactorFilter do
        expect(doc.css('a').length).to eq 1
      end
-      it 'allows references for admin' do
+      context 'for admin' do
+        context 'when admin mode is enabled', :enable_admin_mode do
+          it 'allows references' do
            admin = create(:admin)
            project = create(:project, :public)
            issue = create(:issue, :confidential, project: project)
@@ -153,6 +155,21 @@ RSpec.describe Banzai::Filter::ReferenceRedactorFilter do
            expect(doc.css('a').length).to eq 1
          end
+        end
+        context 'when admin mode is disabled' do
+          it 'removes references' do
+            admin = create(:admin)
+            project = create(:project, :public)
+            issue = create(:issue, :confidential, project: project)
+            link = reference_link(project: project.id, issue: issue.id, reference_type: 'issue')
+            doc = filter(link, current_user: admin)
+            expect(doc.css('a').length).to eq 0
+          end
+        end
+      end
      context "when a confidential issue is moved from a public project to a private one" do
        let(:public_project) { create(:project, :public) }

--- a/spec/lib/constraints/admin_constrainer_spec.rb
+++ b/spec/lib/constraints/admin_constrainer_spec.rb
@@ -2,7 +2,7 @@
 #
 require 'spec_helper'
-RSpec.describe Constraints::AdminConstrainer, :do_not_mock_admin_mode do
+RSpec.describe Constraints::AdminConstrainer do
  let(:user) { create(:user) }
  let(:session) { {} }

--- a/spec/lib/gitlab/auth/current_user_mode_spec.rb
+++ b/spec/lib/gitlab/auth/current_user_mode_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-RSpec.describe Gitlab::Auth::CurrentUserMode, :do_not_mock_admin_mode, :request_store do
+RSpec.describe Gitlab::Auth::CurrentUserMode, :request_store do
  let(:user) { build_stubbed(:user) }
  subject { described_class.new(user) }

--- a/spec/lib/gitlab/ci/templates/AWS/deploy_ecs_gitlab_ci_yaml_spec.rb
+++ b/spec/lib/gitlab/ci/templates/AWS/deploy_ecs_gitlab_ci_yaml_spec.rb
@@ -6,10 +6,10 @@ RSpec.describe 'Deploy-ECS.gitlab-ci.yml' do
  subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('AWS/Deploy-ECS') }
  describe 'the created pipeline' do
-    let_it_be(:user) { create(:admin) }
    let(:default_branch) { 'master' }
    let(:pipeline_branch) { default_branch }
    let(:project) { create(:project, :auto_devops, :custom_repo, files: { 'README.md' => '' }) }
+    let(:user) { project.owner }
    let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_branch ) }
    let(:pipeline) { service.execute!(:push) }
    let(:build_names) { pipeline.builds.pluck(:name) }

--- a/spec/lib/gitlab/ci/templates/Jobs/build_gitlab_ci_yaml_spec.rb
+++ b/spec/lib/gitlab/ci/templates/Jobs/build_gitlab_ci_yaml_spec.rb
@@ -6,8 +6,8 @@ RSpec.describe 'Jobs/Build.gitlab-ci.yml' do
  subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Jobs/Build') }
  describe 'the created pipeline' do
-    let_it_be(:user) { create(:admin) }
    let_it_be(:project) { create(:project, :repository) }
+    let_it_be(:user) { project.owner }
    let(:default_branch) { 'master' }
    let(:pipeline_ref) { default_branch }

--- a/spec/lib/gitlab/ci/templates/Jobs/code_quality_gitlab_ci_yaml_spec.rb
+++ b/spec/lib/gitlab/ci/templates/Jobs/code_quality_gitlab_ci_yaml_spec.rb
@@ -6,8 +6,8 @@ RSpec.describe 'Jobs/Code-Quality.gitlab-ci.yml' do
  subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Jobs/Code-Quality') }
  describe 'the created pipeline' do
-    let_it_be(:user) { create(:admin) }
    let_it_be(:project) { create(:project, :repository) }
+    let_it_be(:user) { project.owner }
    let(:default_branch) { 'master' }
    let(:pipeline_ref) { default_branch }

--- a/spec/lib/gitlab/ci/templates/Jobs/deploy_gitlab_ci_yaml_spec.rb
+++ b/spec/lib/gitlab/ci/templates/Jobs/deploy_gitlab_ci_yaml_spec.rb
@@ -27,8 +27,8 @@ RSpec.describe 'Jobs/Deploy.gitlab-ci.yml' do
  end
  describe 'the created pipeline' do
-    let(:user) { create(:admin) }
    let(:project) { create(:project, :repository) }
+    let(:user) { project.owner }
    let(:default_branch) { 'master' }
    let(:pipeline_ref) { default_branch }

--- a/spec/lib/gitlab/ci/templates/Jobs/test_gitlab_ci_yaml_spec.rb
+++ b/spec/lib/gitlab/ci/templates/Jobs/test_gitlab_ci_yaml_spec.rb
@@ -6,8 +6,8 @@ RSpec.describe 'Jobs/Test.gitlab-ci.yml' do
  subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Jobs/Test') }
  describe 'the created pipeline' do
-    let_it_be(:user) { create(:admin) }
    let_it_be(:project) { create(:project, :repository) }
+    let_it_be(:user) { project.owner }
    let(:default_branch) { 'master' }
    let(:pipeline_ref) { default_branch }

--- a/spec/lib/gitlab/ci/templates/Terraform/base_gitlab_ci_yaml_spec.rb
+++ b/spec/lib/gitlab/ci/templates/Terraform/base_gitlab_ci_yaml_spec.rb
@@ -6,10 +6,10 @@ RSpec.describe 'Terraform/Base.latest.gitlab-ci.yml' do
  subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Terraform/Base.latest') }
  describe 'the created pipeline' do
-    let(:user) { create(:admin) }
    let(:default_branch) { 'master' }
    let(:pipeline_branch) { default_branch }
    let(:project) { create(:project, :custom_repo, files: { 'README.md' => '' }) }
+    let(:user) { project.owner }
    let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_branch ) }
    let(:pipeline) { service.execute!(:push) }
    let(:build_names) { pipeline.builds.pluck(:name) }

--- a/spec/lib/gitlab/ci/templates/Verify/load_performance_testing_gitlab_ci_yaml_spec.rb
+++ b/spec/lib/gitlab/ci/templates/Verify/load_performance_testing_gitlab_ci_yaml_spec.rb
@@ -19,8 +19,8 @@ RSpec.describe 'Verify/Load-Performance-Testing.gitlab-ci.yml' do
  end
  describe 'the created pipeline' do
-    let(:user) { create(:admin) }
    let(:project) { create(:project, :repository) }
+    let(:user) { project.owner }
    let(:default_branch) { 'master' }
    let(:pipeline_ref) { default_branch }

--- a/spec/lib/gitlab/ci/templates/auto_devops_gitlab_ci_yaml_spec.rb
+++ b/spec/lib/gitlab/ci/templates/auto_devops_gitlab_ci_yaml_spec.rb
@@ -6,10 +6,10 @@ RSpec.describe 'Auto-DevOps.gitlab-ci.yml' do
  subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Auto-DevOps') }
  describe 'the created pipeline' do
-    let(:user) { create(:admin) }
    let(:default_branch) { 'master' }
    let(:pipeline_branch) { default_branch }
    let(:project) { create(:project, :auto_devops, :custom_repo, files: { 'README.md' => '' }) }
+    let(:user) { project.owner }
    let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_branch ) }
    let(:pipeline) { service.execute!(:push) }
    let(:build_names) { pipeline.builds.pluck(:name) }
@@ -232,8 +232,8 @@ RSpec.describe 'Auto-DevOps.gitlab-ci.yml' do
    end
    with_them do
-      let(:user) { create(:admin) }
      let(:project) { create(:project, :custom_repo, files: files) }
+      let(:user) { project.owner }
      let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master' ) }
      let(:pipeline) { service.execute(:push) }
      let(:build_names) { pipeline.builds.pluck(:name) }

--- a/spec/lib/gitlab/ci/templates/flutter_gitlab_ci_yaml_spec.rb
+++ b/spec/lib/gitlab/ci/templates/flutter_gitlab_ci_yaml_spec.rb
@@ -6,10 +6,9 @@ RSpec.describe 'Flutter.gitlab-ci.yml' do
  subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Flutter') }
  describe 'the created pipeline' do
-    let_it_be(:user) { create(:admin) }
    let(:pipeline_branch) { 'master' }
    let(:project) { create(:project, :custom_repo, files: { 'README.md' => '' }) }
+    let(:user) { project.owner }
    let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_branch ) }
    let(:pipeline) { service.execute!(:push) }
    let(:build_names) { pipeline.builds.pluck(:name) }

--- a/spec/lib/gitlab/ci/templates/npm_spec.rb
+++ b/spec/lib/gitlab/ci/templates/npm_spec.rb
@@ -6,11 +6,10 @@ RSpec.describe 'npm.latest.gitlab-ci.yml' do
  subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('npm.latest') }
  describe 'the created pipeline' do
-    let_it_be(:user) { create(:admin) }
    let(:repo_files) { { 'package.json' => '{}', 'README.md' => '' } }
    let(:modified_files) { %w[package.json] }
    let(:project) { create(:project, :custom_repo, files: repo_files) }
+    let(:user) { project.owner }
    let(:pipeline_branch) { project.default_branch }
    let(:pipeline_tag) { 'v1.2.1' }
    let(:pipeline_ref) { pipeline_branch }

--- a/spec/lib/gitlab/ci/templates/terraform_latest_gitlab_ci_yaml_spec.rb
+++ b/spec/lib/gitlab/ci/templates/terraform_latest_gitlab_ci_yaml_spec.rb
@@ -10,11 +10,10 @@ RSpec.describe 'Terraform.latest.gitlab-ci.yml' do
  subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Terraform.latest') }
  describe 'the created pipeline' do
-    let_it_be(:user) { create(:admin) }
    let(:default_branch) { 'master' }
    let(:pipeline_branch) { default_branch }
    let(:project) { create(:project, :custom_repo, files: { 'README.md' => '' }) }
+    let(:user) { project.owner }
    let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_branch ) }
    let(:pipeline) { service.execute!(:push) }
    let(:build_names) { pipeline.builds.pluck(:name) }

--- a/spec/lib/gitlab/cycle_analytics/base_event_fetcher_spec.rb
+++ b/spec/lib/gitlab/cycle_analytics/base_event_fetcher_spec.rb
@@ -5,7 +5,7 @@ require 'spec_helper'
 RSpec.describe Gitlab::CycleAnalytics::BaseEventFetcher do
  let(:max_events) { 2 }
  let(:project) { create(:project, :repository) }
-  let(:user) { create(:user, :admin) }
+  let(:user) { project.owner }
  let(:start_time_attrs) { Issue.arel_table[:created_at] }
  let(:end_time_attrs) { [Issue::Metrics.arel_table[:first_associated_with_milestone_at]] }
  let(:options) do

--- a/spec/lib/gitlab/cycle_analytics/events_spec.rb
+++ b/spec/lib/gitlab/cycle_analytics/events_spec.rb
@@ -4,7 +4,7 @@ require 'spec_helper'
 RSpec.describe 'value stream analytics events', :aggregate_failures do
  let_it_be(:project) { create(:project, :repository) }
-  let_it_be(:user) { create(:user, :admin) }
+  let_it_be(:user) { project.owner }
  let(:from_date) { 10.days.ago }
  let!(:context) { create(:issue, project: project, created_at: 2.days.ago) }

--- a/spec/lib/gitlab/git_access_snippet_spec.rb
+++ b/spec/lib/gitlab/git_access_snippet_spec.rb
@@ -172,7 +172,7 @@ RSpec.describe Gitlab::GitAccessSnippet do
        end
      end
-      [:guest, :reporter, :maintainer, :author, :admin].each do |membership|
+      [:guest, :reporter, :maintainer, :author].each do |membership|
        context membership.to_s do
          let(:membership) { membership }
@@ -183,6 +183,24 @@ RSpec.describe Gitlab::GitAccessSnippet do
        end
      end
+      context 'admin' do
+        let(:membership) { :admin }
+        context 'when admin mode is enabled', :enable_admin_mode do
+          it 'cannot perform git pushes' do
+            expect { push_access_check }.to raise_error(described_class::ForbiddenError)
+            expect { pull_access_check }.not_to raise_error
+          end
+        end
+        context 'when admin mode is disabled' do
+          it 'cannot perform git operations' do
+            expect { push_access_check }.to raise_error(described_class::ForbiddenError)
+            expect { pull_access_check }.to raise_error(described_class::ForbiddenError)
+          end
+        end
+      end
      it_behaves_like 'actor is migration bot'
    end

--- a/spec/lib/gitlab/git_access_spec.rb
+++ b/spec/lib/gitlab/git_access_spec.rb
@@ -5,6 +5,7 @@ require 'spec_helper'
 RSpec.describe Gitlab::GitAccess do
  include TermsHelper
  include GitHelpers
+  include AdminModeHelper
  let(:user) { create(:user) }
@@ -769,6 +770,7 @@ RSpec.describe Gitlab::GitAccess do
      describe 'admin user' do
        let(:user) { create(:admin) }
+        context 'when admin mode enabled', :enable_admin_mode do
          context 'when member of the project' do
            before do
              project.add_reporter(user)
@@ -786,6 +788,25 @@ RSpec.describe Gitlab::GitAccess do
          end
        end
+        context 'when admin mode disabled' do
+          context 'when member of the project' do
+            before do
+              project.add_reporter(user)
+            end
+            context 'pull code' do
+              it { expect { pull_access_check }.not_to raise_error }
+            end
+          end
+          context 'when is not member of the project' do
+            context 'pull code' do
+              it { expect { pull_access_check }.to raise_not_found }
+            end
+          end
+        end
+      end
      describe 'generic CI (build without a user)' do
        let(:actor) { :ci }
@@ -870,8 +891,9 @@ RSpec.describe Gitlab::GitAccess do
        # Expectations are given a custom failure message proc so that it's
        # easier to identify which check(s) failed.
        it "has the correct permissions for #{role}s" do
-          if role == :admin
+          if [:admin_with_admin_mode, :admin_without_admin_mode].include?(role)
            user.update_attribute(:admin, true)
+            enable_admin_mode!(user) if role == :admin_with_admin_mode
            project.add_guest(user)
          else
            project.add_role(user, role)
@@ -897,7 +919,7 @@ RSpec.describe Gitlab::GitAccess do
    end
    permissions_matrix = {
-      admin: {
+      admin_with_admin_mode: {
        any: true,
        push_new_branch: true,
        push_master: true,
@@ -909,6 +931,18 @@ RSpec.describe Gitlab::GitAccess do
        merge_into_protected_branch: true
      },
+      admin_without_admin_mode: {
+        any: false,
+        push_new_branch: false,
+        push_master: false,
+        push_protected_branch: false,
+        push_remove_protected_branch: false,
+        push_tag: false,
+        push_new_tag: false,
+        push_all: false,
+        merge_into_protected_branch: false
+      },
      maintainer: {
        any: true,
        push_new_branch: true,
@@ -1009,7 +1043,7 @@ RSpec.describe Gitlab::GitAccess do
        run_permission_checks(permissions_matrix.deep_merge(developer: { push_protected_branch: false, push_all: false, merge_into_protected_branch: false },
                                                            maintainer: { push_protected_branch: false, push_all: false, merge_into_protected_branch: false },
-                                                            admin: { push_protected_branch: false, push_all: false, merge_into_protected_branch: false }))
+                                                            admin_with_admin_mode: { push_protected_branch: false, push_all: false, merge_into_protected_branch: false }))
      end
    end

--- a/spec/lib/gitlab/search_results_spec.rb
+++ b/spec/lib/gitlab/search_results_spec.rb
@@ -342,7 +342,9 @@ RSpec.describe Gitlab::SearchResults do
      expect(results.limited_issues_count).to eq 4
    end
-    it 'lists all issues for admin' do
+    context 'with admin user' do
+      context 'when admin mode enabled', :enable_admin_mode do
+        it 'lists all issues' do
          results = described_class.new(admin, query, limit_projects)
          issues = results.objects('issues')
@@ -356,6 +358,23 @@ RSpec.describe Gitlab::SearchResults do
        end
      end
+      context 'when admin mode disabled' do
+        it 'does not list confidential issues' do
+          results = described_class.new(admin, query, limit_projects)
+          issues = results.objects('issues')
+          expect(issues).to include issue
+          expect(issues).not_to include security_issue_1
+          expect(issues).not_to include security_issue_2
+          expect(issues).not_to include security_issue_3
+          expect(issues).not_to include security_issue_4
+          expect(issues).not_to include security_issue_5
+          expect(results.limited_issues_count).to eq 1
+        end
+      end
+    end
+  end
  it 'does not list merge requests on projects with limited access' do
    project.update!(visibility_level: Gitlab::VisibilityLevel::PUBLIC)
    project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE)

--- a/spec/lib/gitlab/sidekiq_middleware/admin_mode/client_spec.rb
+++ b/spec/lib/gitlab/sidekiq_middleware/admin_mode/client_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-RSpec.describe Gitlab::SidekiqMiddleware::AdminMode::Client, :do_not_mock_admin_mode, :request_store do
+RSpec.describe Gitlab::SidekiqMiddleware::AdminMode::Client, :request_store do
  include AdminModeHelper
  let(:worker) do

--- a/spec/lib/gitlab/sidekiq_middleware/admin_mode/server_spec.rb
+++ b/spec/lib/gitlab/sidekiq_middleware/admin_mode/server_spec.rb
@@ -2,7 +2,7 @@
 require 'spec_helper'
-RSpec.describe Gitlab::SidekiqMiddleware::AdminMode::Server, :do_not_mock_admin_mode, :request_store do
+RSpec.describe Gitlab::SidekiqMiddleware::AdminMode::Server, :request_store do
  include AdminModeHelper
  let(:worker) do

--- a/spec/lib/gitlab/slash_commands/presenters/issue_move_spec.rb
+++ b/spec/lib/gitlab/slash_commands/presenters/issue_move_spec.rb
@@ -3,15 +3,20 @@
 require 'spec_helper'
 RSpec.describe Gitlab::SlashCommands::Presenters::IssueMove do
-  let_it_be(:admin) { create(:admin) }
+  let_it_be(:user) { create(:user) }
  let_it_be(:project, reload: true) { create(:project) }
  let_it_be(:other_project) { create(:project) }
  let_it_be(:old_issue, reload: true) { create(:issue, project: project) }
-  let(:new_issue) { Issues::MoveService.new(project, admin).execute(old_issue, other_project) }
+  let(:new_issue) { Issues::MoveService.new(project, user).execute(old_issue, other_project) }
  let(:attachment) { subject[:attachments].first }
  subject { described_class.new(new_issue).present(old_issue) }
+  before do
+    project.add_developer(user)
+    other_project.add_developer(user)
+  end
  it { is_expected.to be_a(Hash) }
  it 'shows the new issue' do

--- a/spec/lib/gitlab/user_access_spec.rb
+++ b/spec/lib/gitlab/user_access_spec.rb
@@ -45,11 +45,21 @@ RSpec.describe Gitlab::UserAccess do
      let(:empty_project) { create(:project_empty_repo) }
      let(:project_access) { described_class.new(user, container: empty_project) }
+      context 'when admin mode is enabled', :enable_admin_mode do
        it 'returns true for admins' do
          user.update!(admin: true)
          expect(access.can_push_to_branch?('master')).to be_truthy
        end
+      end
+      context 'when admin mode is disabled' do
+        it 'returns false for admins' do
+          user.update!(admin: true)
+          expect(access.can_push_to_branch?('master')).to be_falsey
+        end
+      end
      it 'returns true if user is maintainer' do
        empty_project.add_maintainer(user)
@@ -85,11 +95,21 @@ RSpec.describe Gitlab::UserAccess do
      let(:branch) { create :protected_branch, project: project, name: "test" }
      let(:not_existing_branch) { create :protected_branch, :developers_can_merge, project: project }
+      context 'when admin mode is enabled', :enable_admin_mode do
        it 'returns true for admins' do
          user.update!(admin: true)
          expect(access.can_push_to_branch?(branch.name)).to be_truthy
        end
+      end
+      context 'when admin mode is disabled' do
+        it 'returns false for admins' do
+          user.update!(admin: true)
+          expect(access.can_push_to_branch?(branch.name)).to be_falsey
+        end
+      end
      it 'returns true if user is a maintainer' do
        project.add_maintainer(user)

--- a/spec/lib/gitlab/visibility_level_spec.rb
+++ b/spec/lib/gitlab/visibility_level_spec.rb
@@ -22,6 +22,7 @@ RSpec.describe Gitlab::VisibilityLevel do
  end
  describe '.levels_for_user' do
+    context 'when admin mode is enabled', :enable_admin_mode do
      it 'returns all levels for an admin' do
        user = build(:user, :admin)
@@ -30,6 +31,17 @@ RSpec.describe Gitlab::VisibilityLevel do
                  Gitlab::VisibilityLevel::INTERNAL,
                  Gitlab::VisibilityLevel::PUBLIC])
      end
+    end
+    context 'when admin mode is disabled' do
+      it 'returns INTERNAL and PUBLIC for an admin' do
+        user = build(:user, :admin)
+        expect(described_class.levels_for_user(user))
+            .to eq([Gitlab::VisibilityLevel::INTERNAL,
+                    Gitlab::VisibilityLevel::PUBLIC])
+      end
+    end
    it 'returns INTERNAL and PUBLIC for internal users' do
      user = build(:user)

--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -290,14 +290,11 @@ RSpec.configure do |config|
    admin_mode_mock_dirs = %w(
      ./ee/spec/elastic_integration
      ./ee/spec/finders
-      ./ee/spec/lib
      ./ee/spec/serializers
      ./ee/spec/support/shared_examples/finders/geo
      ./ee/spec/support/shared_examples/graphql/geo
      ./spec/finders
-      ./spec/lib
      ./spec/serializers
-      ./spec/support/shared_examples/lib/gitlab
      ./spec/workers
    )

--- a/spec/support/shared_examples/lib/gitlab/project_search_results_shared_examples.rb
+++ b/spec/support/shared_examples/lib/gitlab/project_search_results_shared_examples.rb
@@ -54,7 +54,7 @@ RSpec.shared_examples 'access restricted confidential issues' do
    end
  end
-  context 'when the user is a developper' do
+  context 'when the user is a developer' do
    let(:user) do
      create(:user) { |user| project.add_developer(user) }
    end
@@ -70,10 +70,19 @@ RSpec.shared_examples 'access restricted confidential issues' do
  context 'when the user is admin', :request_store do
    let(:user) { create(:user, admin: true) }
+    context 'when admin mode is enabled', :enable_admin_mode do
      it 'lists all project issues' do
        expect(objects).to contain_exactly(issue,
                                           security_issue_1,
                                           security_issue_2)
      end
    end
+    context 'when admin mode is disabled' do
+      it 'does not list project confidential issues' do
+        expect(objects).to contain_exactly(issue)
+        expect(results.limited_issues_count).to eq 1
+      end
+    end
+  end
 end