Add cr remarks

spec/lib/gitlab/background_migration/update_existing_users_that_require_two_factor_auth_spec.rb

@@ -14,11 +14,11 @@ RSpec.describe Gitlab::BackgroundMigration::UpdateExistingUsersThatRequireTwoFac
 
   describe '#perform' do
     context 'with group members' do
-      let(:user_1) { users_table.create!(email: 'user@example.com', projects_limit: 10, require_two_factor_authentication_from_group: true) }
-      let!(:member) { members_table.create!(user_id: user_1.id, source_id: group_with_2fa_parent.id, access_level: GroupMember::MAINTAINER, source_type: "Namespace", type: "GroupMember", notification_level: 3) }
-      let!(:user_without_group) { users_table.create!(email: 'user_without@example.com', projects_limit: 10, require_two_factor_authentication_from_group: true) }
-      let(:user_other) { users_table.create!(email: 'user_other@example.com', projects_limit: 10, require_two_factor_authentication_from_group: true) }
-      let!(:member_other) { members_table.create!(user_id: user_other.id, source_id: group_with_2fa_parent.id, access_level: GroupMember::MAINTAINER, source_type: "Namespace", type: "GroupMember", notification_level: 3) }
+      let(:user_1) { create_user('user@example.com') }
+      let!(:member) { create_group_member(user_1, group_with_2fa_parent) }
+      let!(:user_without_group) { create_user('user_without@example.com') }
+      let(:user_other) { create_user('user_other@example.com') }
+      let!(:member_other) { create_group_member(user_other, group_with_2fa_parent) }
 
       it 'updates user when user should not be required to establish two factor authentication' do
         subject.perform(user_1.id, user_without_group.id)
@@ -26,9 +26,9 @@ RSpec.describe Gitlab::BackgroundMigration::UpdateExistingUsersThatRequireTwoFac
         expect(user_1.reload.require_two_factor_authentication_from_group).to eq(false)
       end
 
-      it 'does not update user when user should be required to establish two factor authentication' do
+      it 'does not update user when user is member of group that requires two factor authentication' do
         group = create_namespace('other', Gitlab::VisibilityLevel::PRIVATE, require_two_factor_authentication: true)
-        members_table.create!(user_id: user_1.id, source_id: group.id, access_level: GroupMember::MAINTAINER, source_type: "Namespace", type: "GroupMember", notification_level: 3)
+        create_group_member(user_1, group)
 
         subject.perform(user_1.id, user_without_group.id)
 
@@ -46,6 +46,29 @@ RSpec.describe Gitlab::BackgroundMigration::UpdateExistingUsersThatRequireTwoFac
 
         expect(user_other.reload.require_two_factor_authentication_from_group).to eq(false)
       end
+
+      it 'does not update user when user is member of group which parent group requires two factor authentication' do
+        group_with_2fa_parent.update!(require_two_factor_authentication: true)
+        subject.perform(user_1.id, user_other.id)
+
+        expect(user_1.reload.require_two_factor_authentication_from_group).to eq(true)
+      end
+
+      it 'does not update user when user is member of group which has subgroup that requires two factor authentication' do
+        create_namespace('subgroup', Gitlab::VisibilityLevel::PRIVATE, require_two_factor_authentication: true, parent_id: group_with_2fa_child.id)
+
+        subject.perform(user_1.id, user_other.id)
+
+        expect(user_1.reload.require_two_factor_authentication_from_group).to eq(true)
+      end
     end
   end
+
+  def create_user(email, require_2fa: true)
+    users_table.create!(email: email, projects_limit: 10, require_two_factor_authentication_from_group: require_2fa)
+  end
+
+  def create_group_member(user, group)
+    members_table.create!(user_id: user.id, source_id: group.id, access_level: GroupMember::MAINTAINER, source_type: "Namespace", type: "GroupMember", notification_level: 3)
+  end
 end