Merge branch 'pedropombeiro/349458/fix-project-runner-registration-for-admin' into 'master'

Allow admin to register project runners at all times

See merge request gitlab-org/gitlab!81298

app/policies/project_policy.rb

@@ -194,6 +194,10 @@ class ProjectPolicy < BasePolicy
     condition(:"#{f}_disabled", score: 32) { !access_allowed_to?(f.to_sym) }
   end
 
+  condition(:project_runner_registration_allowed) do
+    Feature.disabled?(:runner_registration_control) || Gitlab::CurrentSettings.valid_runner_registrars.include?('project')
+  end
+
   # `:read_project` may be prevented in EE, but `:read_project_for_iids` should
   # not.
   rule { guest | admin }.enable :read_project_for_iids
@@ -230,6 +234,8 @@ class ProjectPolicy < BasePolicy
     enable :set_emails_disabled
     enable :set_show_default_award_emojis
     enable :set_warn_about_potentially_unwanted_characters
+
+    enable :register_project_runners
   end
 
   rule { can?(:guest_access) }.policy do
@@ -453,6 +459,7 @@ class ProjectPolicy < BasePolicy
     enable :update_freeze_period
     enable :destroy_freeze_period
     enable :admin_feature_flags_client
+    enable :register_project_runners
     enable :update_runners_registration_token
     enable :admin_project_google_cloud
   end
@@ -727,6 +734,10 @@ class ProjectPolicy < BasePolicy
     enable :access_security_and_compliance
   end
 
+  rule { ~admin & ~project_runner_registration_allowed }.policy do
+    prevent :register_project_runners
+  end
+
   private
 
   def user_is_user?

app/views/projects/runners/_specific_runners.html.haml

@@ -2,7 +2,7 @@
   = _('Specific runners')
 
 .bs-callout.help-callout
-  - if valid_runner_registrars.include?('project')
+  - if can?(current_user, :register_project_runners, @project)
     = _('These runners are specific to this project.')
     - if params[:ci_runner_templates]
       %hr

spec/policies/project_policy_spec.rb

@@ -1755,4 +1755,100 @@ RSpec.describe ProjectPolicy do
       end
     end
   end
+
+  describe 'register_project_runners' do
+    context 'admin' do
+      let(:current_user) { admin }
+
+      context 'when admin mode is enabled', :enable_admin_mode do
+        context 'with runner_registration_control FF disabled' do
+          before do
+            stub_feature_flags(runner_registration_control: false)
+          end
+
+          it { is_expected.to be_allowed(:register_project_runners) }
+        end
+
+        context 'with runner_registration_control FF enabled' do
+          before do
+            stub_feature_flags(runner_registration_control: true)
+          end
+
+          it { is_expected.to be_allowed(:register_project_runners) }
+
+          context 'with project runner registration disabled' do
+            before do
+              stub_application_setting(valid_runner_registrars: ['group'])
+            end
+
+            it { is_expected.to be_allowed(:register_project_runners) }
+          end
+        end
+      end
+
+      context 'when admin mode is disabled' do
+        it { is_expected.to be_disallowed(:register_project_runners) }
+      end
+    end
+
+    context 'with owner' do
+      let(:current_user) { owner }
+
+      it { is_expected.to be_allowed(:register_project_runners) }
+
+      context 'with runner_registration_control FF disabled' do
+        before do
+          stub_feature_flags(runner_registration_control: false)
+        end
+
+        it { is_expected.to be_allowed(:register_project_runners) }
+      end
+
+      context 'with runner_registration_control FF enabled' do
+        before do
+          stub_feature_flags(runner_registration_control: true)
+        end
+
+        it { is_expected.to be_allowed(:register_project_runners) }
+
+        context 'with project runner registration disabled' do
+          before do
+            stub_application_setting(valid_runner_registrars: ['group'])
+          end
+
+          it { is_expected.to be_disallowed(:register_project_runners) }
+        end
+      end
+    end
+
+    context 'with maintainer' do
+      let(:current_user) { maintainer }
+
+      it { is_expected.to be_allowed(:register_project_runners) }
+    end
+
+    context 'with reporter' do
+      let(:current_user) { reporter }
+
+      it { is_expected.to be_disallowed(:register_project_runners) }
+    end
+
+    context 'with guest' do
+      let(:current_user) { guest }
+
+      it { is_expected.to be_disallowed(:register_project_runners) }
+    end
+
+    context 'with non member' do
+      let(:current_user) { create(:user) }
+
+      it { is_expected.to be_disallowed(:register_project_runners) }
+    end
+
+    context 'with anonymous' do
+      let(:current_user) { nil }
+
+      it { is_expected.to be_disallowed(:register_project_runners) }
+    end
+  end
 end

spec/views/projects/runners/_specific_runners.html.haml_spec.rb

@@ -11,12 +11,14 @@ RSpec.describe 'projects/runners/specific_runners.html.haml' do
       @project = project
       @assignable_runners = []
       @project_runners = []
+      allow(view).to receive(:current_user).and_return(user)
       allow(view).to receive(:reset_registration_token_namespace_project_settings_ci_cd_path).and_return('banana_url')
     end
 
     context 'when project runner registration is allowed' do
       before do
         stub_application_setting(valid_runner_registrars: ['project'])
+        allow(view).to receive(:can?).with(user, :register_project_runners, project).and_return(true)
       end
 
       it 'enables the Remove project button for a project' do
@@ -32,7 +34,7 @@ RSpec.describe 'projects/runners/specific_runners.html.haml' do
         stub_application_setting(valid_runner_registrars: ['group'])
       end
 
-      it 'does not enable the  the Remove project button for a project' do
+      it 'does not enable the Remove project button for a project' do
         render 'projects/runners/specific_runners', project: project
 
         expect(rendered).to have_content 'Please contact an admin to register runners.'