Merge branch 'chore/disable-admin-mode-in-lib' into 'master'

Disable auto admin mode for lib specs [RUN AS-IF-FOSS]

See merge request gitlab-org/gitlab!50056

changelogs/unreleased/chore-disable-admin-mode-in-lib.yml

+---
+title: Disable auto admin mode for lib specs
+merge_request: 50056
+author: Diego Louzán
+type: other

ee/spec/lib/gitlab/analytics/cycle_analytics/group_stage_time_summary_spec.rb

@@ -5,7 +5,7 @@ RSpec.describe Gitlab::Analytics::CycleAnalytics::GroupStageTimeSummary do
   let_it_be(:group) { create(:group) }
   let_it_be(:project) { create(:project, :repository, namespace: group) }
   let_it_be(:project_2) { create(:project, :repository, namespace: group) }
-  let_it_be(:user) { create(:user, :admin) }
+  let_it_be(:user) { create(:user) }
   let(:from) { 1.day.ago }
   let(:to) { nil }
   let(:options) { { from: from, to: to, current_user: user } }
@@ -16,6 +16,10 @@ RSpec.describe Gitlab::Analytics::CycleAnalytics::GroupStageTimeSummary do
     freeze_time { example.run }
   end
 
+  before do
+    group.add_owner(user)
+  end
+
   describe '#lead_time' do
     describe 'issuable filter parameters' do
       let_it_be(:label) { create(:group_label, group: group) }

ee/spec/lib/gitlab/analytics/cycle_analytics/summary/group/stage_summary_spec.rb

@@ -6,10 +6,14 @@ RSpec.describe Gitlab::Analytics::CycleAnalytics::Summary::Group::StageSummary d
   let(:project) { create(:project, :repository, namespace: group) }
   let(:project_2) { create(:project, :repository, namespace: group) }
   let(:from) { 1.day.ago }
-  let(:user) { create(:user, :admin) }
+  let(:user) { create(:user) }
 
   subject { described_class.new(group, options: { from: Time.now, current_user: user }).data }
 
+  before do
+    group.add_owner(user)
+  end
+
   describe "#new_issues" do
     context 'with from date' do
       before do

ee/spec/lib/gitlab/analytics/cycle_analytics/summary/group/stage_time_summary_spec.rb

@@ -7,7 +7,7 @@ RSpec.describe Gitlab::Analytics::CycleAnalytics::Summary::Group::StageTimeSumma
   let(:project_2) { create(:project, :repository, namespace: group) }
   let(:from) { 1.day.ago }
   let(:to) { nil }
-  let(:user) { create(:user, :admin) }
+  let(:user) { create(:user) }
 
   subject { described_class.new(group, options: { from: from, to: to, current_user: user }).data }
 
@@ -15,6 +15,10 @@ RSpec.describe Gitlab::Analytics::CycleAnalytics::Summary::Group::StageTimeSumma
     freeze_time { example.run }
   end
 
+  before do
+    group.add_owner(user)
+  end
+
   describe '#lead_time' do
     context 'with `from` date' do
       let(:from) { 6.days.ago }

ee/spec/lib/gitlab/ci/templates/Jobs/browser_performance_testing_gitlab_ci_yaml_spec.rb

@@ -19,13 +19,13 @@ RSpec.describe 'Jobs/Browser-Performance-Testing.gitlab-ci.yml' do
   end
 
   describe 'the created pipeline' do
-    let(:user) { create(:admin) }
     let(:project) do
       create(:project, :repository, variables: [
         build(:ci_variable, key: 'CI_KUBERNETES_ACTIVE', value: 'true')
       ])
     end
 
+    let(:user) { project.owner }
     let(:default_branch) { 'master' }
     let(:pipeline_ref) { default_branch }
     let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_ref) }

ee/spec/lib/gitlab/ci/templates/Jobs/dast_default_branch_gitlab_ci_yaml_spec.rb

@@ -22,13 +22,13 @@ RSpec.describe 'Jobs/DAST-Default-Branch-Deploy.gitlab-ci.yml' do
   end
 
   describe 'the created pipeline' do
-    let(:user) { create(:admin) }
     let(:project) do
       create(:project, :repository, variables: [
         build(:ci_variable, key: 'CI_KUBERNETES_ACTIVE', value: 'true')
       ])
     end
 
+    let(:user) { project.owner }
     let(:default_branch) { 'master' }
     let(:pipeline_ref) { default_branch }
     let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_ref) }

ee/spec/lib/gitlab/ci/templates/Jobs/load_performance_testing_gitlab_ci_yaml_spec.rb

@@ -19,13 +19,13 @@ RSpec.describe 'Jobs/Load-Performance-Testing.gitlab-ci.yml' do
   end
 
   describe 'the created pipeline' do
-    let(:user) { create(:admin) }
     let(:project) do
       create(:project, :repository, variables: [
         build(:ci_variable, key: 'CI_KUBERNETES_ACTIVE', value: 'true')
       ])
     end
 
+    let(:user) { project.owner }
     let(:default_branch) { 'master' }
     let(:pipeline_ref) { default_branch }
     let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_ref) }

ee/spec/lib/gitlab/ci/templates/Verify/browser_performance_testing_gitlab_ci_yaml_spec.rb

@@ -18,9 +18,9 @@ RSpec.describe 'Verify/Browser-Performance.gitlab-ci.yml' do
     YAML
   end
 
-  describe 'the created pipeline' do
-    let(:user) { create(:admin) }
+  describe 'the created pipeline', :clean_gitlab_redis_cache do
     let(:project) { create(:project, :repository) }
+    let(:user) { project.owner }
 
     let(:default_branch) { 'master' }
     let(:pipeline_ref) { default_branch }

ee/spec/lib/gitlab/ci/templates/Verify/load_performance_testing_gitlab_ci_yaml_spec.rb

@@ -18,9 +18,9 @@ RSpec.describe 'Verify/Load-Performance-Testing.gitlab-ci.yml' do
     YAML
   end
 
-  describe 'the created pipeline' do
-    let(:user) { create(:admin) }
+  describe 'the created pipeline', :clean_gitlab_redis_cache do
     let(:project) { create(:project, :repository) }
+    let(:user) { project.owner }
 
     let(:default_branch) { 'master' }
     let(:pipeline_ref) { default_branch }

ee/spec/lib/gitlab/ci/templates/api_fuzzing_gitlab_ci_yaml_spec.rb

@@ -27,16 +27,17 @@ RSpec.describe 'API-Fuzzing.gitlab-ci.yml' do
   end
 
   describe 'the created pipeline' do
-    let(:user) { create(:admin) }
     let(:default_branch) { 'master' }
     let(:pipeline_branch) { default_branch }
     let(:project) { create(:project, :custom_repo, files: { 'README.txt' => '' }) }
+    let(:user) { project.owner }
     let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_branch ) }
     let(:pipeline) { service.execute!(:push) }
     let(:build_names) { pipeline.builds.pluck(:name) }
 
     before do
       stub_ci_pipeline_yaml_file(template.content)
+
       allow_any_instance_of(Ci::BuildScheduleWorker).to receive(:perform).and_return(true)
       allow(project).to receive(:default_branch).and_return(default_branch)
     end

ee/spec/lib/gitlab/ci/templates/container_scanning_gitlab_ci_yaml_spec.rb

@@ -6,9 +6,9 @@ RSpec.describe 'Container-Scanning.gitlab-ci.yml' do
   subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Container-Scanning') }
 
   describe 'the created pipeline' do
-    let(:user) { create(:admin) }
     let(:default_branch) { 'master' }
     let(:project) { create(:project, :custom_repo, files: { 'README.txt' => '' }) }
+    let(:user) { project.owner }
     let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master' ) }
     let(:pipeline) { service.execute!(:push) }
     let(:build_names) { pipeline.builds.pluck(:name) }

ee/spec/lib/gitlab/ci/templates/coverage_fuzzing_gitlab_ci_yaml_spec.rb

@@ -6,9 +6,9 @@ RSpec.describe 'Coverage-Fuzzing.gitlab-ci.yml' do
   subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Coverage-Fuzzing') }
 
   describe 'the created pipeline' do
-    let(:user) { create(:admin) }
     let(:default_branch) { 'master' }
     let(:project) { create(:project, :custom_repo, files: { 'README.txt' => '' }) }
+    let(:user) { project.owner }
     let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master' ) }
     let(:pipeline) { service.execute!(:push) }
     let(:build_names) { pipeline.builds.pluck(:name) }

ee/spec/lib/gitlab/ci/templates/dast_gitlab_ci_yaml_spec.rb

@@ -6,10 +6,10 @@ RSpec.describe 'DAST.gitlab-ci.yml' do
   subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('DAST') }
 
   describe 'the created pipeline' do
-    let(:user) { create(:admin) }
     let(:default_branch) { 'master' }
     let(:pipeline_branch) { default_branch }
     let(:project) { create(:project, :custom_repo, files: { 'README.txt' => '' }) }
+    let(:user) { project.owner }
     let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_branch ) }
     let(:pipeline) { service.execute!(:push) }
     let(:build_names) { pipeline.builds.pluck(:name) }

ee/spec/lib/gitlab/ci/templates/dependency_scanning_gitlab_ci_yaml_spec.rb

@@ -6,10 +6,10 @@ RSpec.describe 'Dependency-Scanning.gitlab-ci.yml' do
   subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Dependency-Scanning') }
 
   describe 'the created pipeline' do
-    let(:user) { create(:admin) }
     let(:default_branch) { 'master' }
     let(:files) { { 'README.txt' => '' } }
     let(:project) { create(:project, :custom_repo, files: files) }
+    let(:user) { project.owner }
     let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master' ) }
     let(:pipeline) { service.execute!(:push) }
     let(:build_names) { pipeline.builds.pluck(:name) }

ee/spec/lib/gitlab/ci/templates/license_scanning_gitlab_ci_yaml_spec.rb

@@ -6,9 +6,9 @@ RSpec.describe 'License-Scanning.gitlab-ci.yml' do
   subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('License-Scanning') }
 
   describe 'the created pipeline' do
-    let(:user) { create(:admin) }
     let(:default_branch) { 'master' }
     let(:project) { create(:project, :custom_repo, files: { 'README.txt' => '' }) }
+    let(:user) { project.owner }
     let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master' ) }
     let(:pipeline) { service.execute!(:push) }
     let(:build_names) { pipeline.builds.pluck(:name) }

ee/spec/lib/gitlab/ci/templates/sast_gitlab_ci_yaml_spec.rb

@@ -6,10 +6,10 @@ RSpec.describe 'SAST.gitlab-ci.yml' do
   subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('SAST') }
 
   describe 'the created pipeline' do
-    let(:user) { create(:admin) }
     let(:default_branch) { 'master' }
     let(:files) { { 'README.txt' => '' } }
     let(:project) { create(:project, :custom_repo, files: files) }
+    let(:user) { project.owner }
     let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master' ) }
     let(:pipeline) { service.execute!(:push) }
     let(:build_names) { pipeline.builds.pluck(:name) }

ee/spec/lib/gitlab/elastic/search_results_spec.rb

@@ -445,17 +445,36 @@ RSpec.describe Gitlab::Elastic::SearchResults, :elastic, :sidekiq_might_not_need
         expect(results.issues_count).to eq 4
       end
 
-      it 'lists all issues for admin' do
-        results = described_class.new(admin, query, limit_project_ids)
-        issues = results.objects('issues')
+      context 'for admin users' do
+        context 'when admin mode enabled', :enable_admin_mode do
+          it 'lists all issues' do
+            results = described_class.new(admin, query, limit_project_ids)
+            issues = results.objects('issues')
+
+            expect(issues).to include @issue
+            expect(issues).to include @security_issue_1
+            expect(issues).to include @security_issue_2
+            expect(issues).to include @security_issue_3
+            expect(issues).to include @security_issue_4
+            expect(issues).to include @security_issue_5
+            expect(results.issues_count).to eq 6
+          end
+        end
 
-        expect(issues).to include @issue
-        expect(issues).to include @security_issue_1
-        expect(issues).to include @security_issue_2
-        expect(issues).to include @security_issue_3
-        expect(issues).to include @security_issue_4
-        expect(issues).to include @security_issue_5
-        expect(results.issues_count).to eq 6
+        context 'when admin mode disabled' do
+          it 'does not list confidential issues' do
+            results = described_class.new(admin, query, limit_project_ids)
+            issues = results.objects('issues')
+
+            expect(issues).to include @issue
+            expect(issues).not_to include @security_issue_1
+            expect(issues).not_to include @security_issue_2
+            expect(issues).not_to include @security_issue_3
+            expect(issues).not_to include @security_issue_4
+            expect(issues).not_to include @security_issue_5
+            expect(results.issues_count).to eq 1
+          end
+        end
       end
     end
 
@@ -530,17 +549,36 @@ RSpec.describe Gitlab::Elastic::SearchResults, :elastic, :sidekiq_might_not_need
         expect(results.issues_count).to eq 3
       end
 
-      it 'lists all issues for admin' do
-        results = described_class.new(admin, query, limit_project_ids)
-        issues = results.objects('issues')
+      context 'for admin users' do
+        context 'when admin mode enabled', :enable_admin_mode do
+          it 'lists all issues' do
+            results = described_class.new(admin, query, limit_project_ids)
+            issues = results.objects('issues')
+
+            expect(issues).to include @issue
+            expect(issues).not_to include @security_issue_1
+            expect(issues).not_to include @security_issue_2
+            expect(issues).to include @security_issue_3
+            expect(issues).to include @security_issue_4
+            expect(issues).to include @security_issue_5
+            expect(results.issues_count).to eq 4
+          end
+        end
 
-        expect(issues).to include @issue
-        expect(issues).not_to include @security_issue_1
-        expect(issues).not_to include @security_issue_2
-        expect(issues).to include @security_issue_3
-        expect(issues).to include @security_issue_4
-        expect(issues).to include @security_issue_5
-        expect(results.issues_count).to eq 4
+        context 'when admin mode disabled' do
+          it 'does not list confidential issues' do
+            results = described_class.new(admin, query, limit_project_ids)
+            issues = results.objects('issues')
+
+            expect(issues).to include @issue
+            expect(issues).not_to include @security_issue_1
+            expect(issues).not_to include @security_issue_2
+            expect(issues).not_to include @security_issue_3
+            expect(issues).not_to include @security_issue_4
+            expect(issues).not_to include @security_issue_5
+            expect(results.issues_count).to eq 1
+          end
+        end
       end
     end
   end
@@ -1095,18 +1133,20 @@ RSpec.describe Gitlab::Elastic::SearchResults, :elastic, :sidekiq_might_not_need
           end
 
           context 'when user is admin' do
-            it 'returns right set of milestones' do
-              user.update(admin: true)
-              public_project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE)
-              public_project.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE)
-              internal_project.project_feature.update!(issues_access_level: ProjectFeature::DISABLED)
-              internal_project.project_feature.update!(merge_requests_access_level: ProjectFeature::DISABLED)
-              ensure_elasticsearch_index!
-
-              results = described_class.new(user, 'project', :any)
-              milestones = results.objects('milestones')
-
-              expect(milestones).to match_array([milestone_2, milestone_3, milestone_4])
+            context 'when admin mode enabled', :enable_admin_mode do
+              it 'returns right set of milestones' do
+                user.update(admin: true)
+                public_project.project_feature.update!(merge_requests_access_level: ProjectFeature::PRIVATE)
+                public_project.project_feature.update!(issues_access_level: ProjectFeature::PRIVATE)
+                internal_project.project_feature.update!(issues_access_level: ProjectFeature::DISABLED)
+                internal_project.project_feature.update!(merge_requests_access_level: ProjectFeature::DISABLED)
+                ensure_elasticsearch_index!
+
+                results = described_class.new(user, 'project', :any)
+                milestones = results.objects('milestones')
+
+                expect(milestones).to match_array([milestone_2, milestone_3, milestone_4])
+              end
             end
           end
 

ee/spec/lib/gitlab/elastic/snippet_search_results_spec.rb

@@ -71,7 +71,7 @@ RSpec.describe Gitlab::Elastic::SnippetSearchResults, :elastic, :sidekiq_might_n
     end
   end
 
-  context 'when user has read_all_resources', :do_not_mock_admin_mode do
+  context 'when user has read_all_resources' do
     include_context 'custom session'
 
     let(:user) { create(:admin) }

ee/spec/lib/gitlab/git_access_spec.rb

@@ -5,6 +5,7 @@ require 'spec_helper'
 RSpec.describe Gitlab::GitAccess do
   include GitHelpers
   include EE::GeoHelpers
+  include AdminModeHelper
 
   let_it_be(:user) { create(:user) }
 
@@ -456,8 +457,9 @@ RSpec.describe Gitlab::GitAccess do
         # Expectations are given a custom failure message proc so that it's
         # easier to identify which check(s) failed.
         it "has the correct permissions for #{role}s" do
-          if role == :admin
+          if [:admin_with_admin_mode, :admin_without_admin_mode].include?(role)
             user.update_attribute(:admin, true)
+            enable_admin_mode!(user) if role == :admin_with_admin_mode
             project.add_guest(user)
           else
             project.add_role(user, role)
@@ -509,7 +511,7 @@ RSpec.describe Gitlab::GitAccess do
     end
 
     permissions_matrix = {
-      admin: {
+      admin_with_admin_mode: {
         any: true,
         push_new_branch: true,
         push_master: true,
@@ -521,6 +523,18 @@ RSpec.describe Gitlab::GitAccess do
         merge_into_protected_branch: true
       },
 
+      admin_without_admin_mode: {
+        any: false,
+        push_new_branch: false,
+        push_master: false,
+        push_protected_branch: false,
+        push_remove_protected_branch: false,
+        push_tag: false,
+        push_new_tag: false,
+        push_all: false,
+        merge_into_protected_branch: false
+      },
+
       maintainer: {
         any: true,
         push_new_branch: true,
@@ -589,7 +603,8 @@ RSpec.describe Gitlab::GitAccess do
             create(:merge_request, source_project: project, source_branch: unprotected_branch, target_branch: 'feature', state: 'locked', in_progress_merge_commit_sha: merge_into_protected_branch)
           end
 
-          run_permission_checks(permissions_matrix.deep_merge(admin: { push_protected_branch: false, push_all: false, merge_into_protected_branch: true },
+          run_permission_checks(permissions_matrix.deep_merge(admin_with_admin_mode: { push_protected_branch: false, push_all: false, merge_into_protected_branch: true },
+                                                              admin_without_admin_mode: { push_protected_branch: false, merge_into_protected_branch: false },
                                                               maintainer: { push_protected_branch: false, push_all: false, merge_into_protected_branch: true },
                                                               developer: { push_protected_branch: false, push_all: false, merge_into_protected_branch: true },
                                                               guest: { push_protected_branch: false, merge_into_protected_branch: false },
@@ -613,6 +628,7 @@ RSpec.describe Gitlab::GitAccess do
         before do
           create_current_license(starts_at: 1.month.ago.to_date, block_changes_at: Date.current, notify_admins_at: Date.current)
           user.update_attribute(:admin, true)
+          enable_admin_mode!(user)
           project.add_role(user, :developer)
         end
 
@@ -632,9 +648,10 @@ RSpec.describe Gitlab::GitAccess do
         context "when a specific group is allowed to push into the #{protected_branch_type} protected branch" do
           let(:protected_branch) { build(:protected_branch, authorize_group_to_push: group, name: protected_branch_name, project: project) }
 
-          permissions = permissions_matrix.except(:admin).deep_merge(developer: { push_protected_branch: true, push_all: true, merge_into_protected_branch: true },
-                                                                     guest: { push_protected_branch: false, merge_into_protected_branch: false },
-                                                                     reporter: { push_protected_branch: false, merge_into_protected_branch: false })
+          permissions = permissions_matrix.except(:admin_with_admin_mode, :admin_without_admin_mode)
+                            .deep_merge(developer: { push_protected_branch: true, push_all: true, merge_into_protected_branch: true },
+                                        guest: { push_protected_branch: false, merge_into_protected_branch: false },
+                                        reporter: { push_protected_branch: false, merge_into_protected_branch: false })
 
           run_group_permission_checks(permissions)
         end
@@ -646,10 +663,11 @@ RSpec.describe Gitlab::GitAccess do
             create(:merge_request, source_project: project, source_branch: unprotected_branch, target_branch: 'feature', state: 'locked', in_progress_merge_commit_sha: merge_into_protected_branch)
           end
 
-          permissions = permissions_matrix.except(:admin).deep_merge(maintainer: { push_protected_branch: false, push_all: false, merge_into_protected_branch: true },
-                                                                     developer: { push_protected_branch: false, push_all: false, merge_into_protected_branch: true },
-                                                                     guest: { push_protected_branch: false, merge_into_protected_branch: false },
-                                                                     reporter: { push_protected_branch: false, merge_into_protected_branch: false })
+          permissions = permissions_matrix.except(:admin_with_admin_mode, :admin_without_admin_mode)
+                            .deep_merge(maintainer: { push_protected_branch: false, push_all: false, merge_into_protected_branch: true },
+                                        developer: { push_protected_branch: false, push_all: false, merge_into_protected_branch: true },
+                                        guest: { push_protected_branch: false, merge_into_protected_branch: false },
+                                        reporter: { push_protected_branch: false, merge_into_protected_branch: false })
 
           run_group_permission_checks(permissions)
         end
@@ -661,9 +679,10 @@ RSpec.describe Gitlab::GitAccess do
             create(:merge_request, source_project: project, source_branch: unprotected_branch, target_branch: 'feature', state: 'locked', in_progress_merge_commit_sha: merge_into_protected_branch)
           end
 
-          permissions = permissions_matrix.except(:admin).deep_merge(developer: { push_protected_branch: true, push_all: true, merge_into_protected_branch: true },
-                                                                     guest: { push_protected_branch: false, merge_into_protected_branch: false },
-                                                                     reporter: { push_protected_branch: false, merge_into_protected_branch: false })
+          permissions = permissions_matrix.except(:admin_with_admin_mode, :admin_without_admin_mode)
+                            .deep_merge(developer: { push_protected_branch: true, push_all: true, merge_into_protected_branch: true },
+                                        guest: { push_protected_branch: false, merge_into_protected_branch: false },
+                                        reporter: { push_protected_branch: false, merge_into_protected_branch: false })
 
           run_group_permission_checks(permissions)
         end

spec/lib/banzai/filter/reference_redactor_filter_spec.rb

@@ -143,15 +143,32 @@ RSpec.describe Banzai::Filter::ReferenceRedactorFilter do
         expect(doc.css('a').length).to eq 1
       end
 
-      it 'allows references for admin' do
-        admin = create(:admin)
-        project = create(:project, :public)
-        issue = create(:issue, :confidential, project: project)
-        link = reference_link(project: project.id, issue: issue.id, reference_type: 'issue')
+      context 'for admin' do
+        context 'when admin mode is enabled', :enable_admin_mode do
+          it 'allows references' do
+            admin = create(:admin)
+            project = create(:project, :public)
+            issue = create(:issue, :confidential, project: project)
+            link = reference_link(project: project.id, issue: issue.id, reference_type: 'issue')
+
+            doc = filter(link, current_user: admin)
+
+            expect(doc.css('a').length).to eq 1
+          end
+        end
 
-        doc = filter(link, current_user: admin)
+        context 'when admin mode is disabled' do
+          it 'removes references' do
+            admin = create(:admin)
+            project = create(:project, :public)
+            issue = create(:issue, :confidential, project: project)
+            link = reference_link(project: project.id, issue: issue.id, reference_type: 'issue')
 
-        expect(doc.css('a').length).to eq 1
+            doc = filter(link, current_user: admin)
+
+            expect(doc.css('a').length).to eq 0
+          end
+        end
       end
 
       context "when a confidential issue is moved from a public project to a private one" do

spec/lib/constraints/admin_constrainer_spec.rb

@@ -2,7 +2,7 @@
 #
 require 'spec_helper'
 
-RSpec.describe Constraints::AdminConstrainer, :do_not_mock_admin_mode do
+RSpec.describe Constraints::AdminConstrainer do
   let(:user) { create(:user) }
 
   let(:session) { {} }

spec/lib/gitlab/auth/current_user_mode_spec.rb

@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe Gitlab::Auth::CurrentUserMode, :do_not_mock_admin_mode, :request_store do
+RSpec.describe Gitlab::Auth::CurrentUserMode, :request_store do
   let(:user) { build_stubbed(:user) }
 
   subject { described_class.new(user) }

spec/lib/gitlab/ci/templates/AWS/deploy_ecs_gitlab_ci_yaml_spec.rb

@@ -6,10 +6,10 @@ RSpec.describe 'Deploy-ECS.gitlab-ci.yml' do
   subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('AWS/Deploy-ECS') }
 
   describe 'the created pipeline' do
-    let_it_be(:user) { create(:admin) }
     let(:default_branch) { 'master' }
     let(:pipeline_branch) { default_branch }
     let(:project) { create(:project, :auto_devops, :custom_repo, files: { 'README.md' => '' }) }
+    let(:user) { project.owner }
     let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_branch ) }
     let(:pipeline) { service.execute!(:push) }
     let(:build_names) { pipeline.builds.pluck(:name) }

spec/lib/gitlab/ci/templates/Jobs/build_gitlab_ci_yaml_spec.rb

@@ -6,8 +6,8 @@ RSpec.describe 'Jobs/Build.gitlab-ci.yml' do
   subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Jobs/Build') }
 
   describe 'the created pipeline' do
-    let_it_be(:user) { create(:admin) }
     let_it_be(:project) { create(:project, :repository) }
+    let_it_be(:user) { project.owner }
 
     let(:default_branch) { 'master' }
     let(:pipeline_ref) { default_branch }

spec/lib/gitlab/ci/templates/Jobs/code_quality_gitlab_ci_yaml_spec.rb

@@ -6,8 +6,8 @@ RSpec.describe 'Jobs/Code-Quality.gitlab-ci.yml' do
   subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Jobs/Code-Quality') }
 
   describe 'the created pipeline' do
-    let_it_be(:user) { create(:admin) }
     let_it_be(:project) { create(:project, :repository) }
+    let_it_be(:user) { project.owner }
 
     let(:default_branch) { 'master' }
     let(:pipeline_ref) { default_branch }

spec/lib/gitlab/ci/templates/Jobs/deploy_gitlab_ci_yaml_spec.rb

@@ -27,8 +27,8 @@ RSpec.describe 'Jobs/Deploy.gitlab-ci.yml' do
   end
 
   describe 'the created pipeline' do
-    let(:user) { create(:admin) }
     let(:project) { create(:project, :repository) }
+    let(:user) { project.owner }
 
     let(:default_branch) { 'master' }
     let(:pipeline_ref) { default_branch }

spec/lib/gitlab/ci/templates/Jobs/test_gitlab_ci_yaml_spec.rb

@@ -6,8 +6,8 @@ RSpec.describe 'Jobs/Test.gitlab-ci.yml' do
   subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Jobs/Test') }
 
   describe 'the created pipeline' do
-    let_it_be(:user) { create(:admin) }
     let_it_be(:project) { create(:project, :repository) }
+    let_it_be(:user) { project.owner }
 
     let(:default_branch) { 'master' }
     let(:pipeline_ref) { default_branch }

spec/lib/gitlab/ci/templates/Terraform/base_gitlab_ci_yaml_spec.rb

@@ -6,10 +6,10 @@ RSpec.describe 'Terraform/Base.latest.gitlab-ci.yml' do
   subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Terraform/Base.latest') }
 
   describe 'the created pipeline' do
-    let(:user) { create(:admin) }
     let(:default_branch) { 'master' }
     let(:pipeline_branch) { default_branch }
     let(:project) { create(:project, :custom_repo, files: { 'README.md' => '' }) }
+    let(:user) { project.owner }
     let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_branch ) }
     let(:pipeline) { service.execute!(:push) }
     let(:build_names) { pipeline.builds.pluck(:name) }

spec/lib/gitlab/ci/templates/Verify/load_performance_testing_gitlab_ci_yaml_spec.rb

@@ -19,8 +19,8 @@ RSpec.describe 'Verify/Load-Performance-Testing.gitlab-ci.yml' do
   end
 
   describe 'the created pipeline' do
-    let(:user) { create(:admin) }
     let(:project) { create(:project, :repository) }
+    let(:user) { project.owner }
 
     let(:default_branch) { 'master' }
     let(:pipeline_ref) { default_branch }

spec/lib/gitlab/ci/templates/auto_devops_gitlab_ci_yaml_spec.rb

@@ -6,10 +6,10 @@ RSpec.describe 'Auto-DevOps.gitlab-ci.yml' do
   subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Auto-DevOps') }
 
   describe 'the created pipeline' do
-    let(:user) { create(:admin) }
     let(:default_branch) { 'master' }
     let(:pipeline_branch) { default_branch }
     let(:project) { create(:project, :auto_devops, :custom_repo, files: { 'README.md' => '' }) }
+    let(:user) { project.owner }
     let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_branch ) }
     let(:pipeline) { service.execute!(:push) }
     let(:build_names) { pipeline.builds.pluck(:name) }
@@ -232,8 +232,8 @@ RSpec.describe 'Auto-DevOps.gitlab-ci.yml' do
     end
 
     with_them do
-      let(:user) { create(:admin) }
       let(:project) { create(:project, :custom_repo, files: files) }
+      let(:user) { project.owner }
       let(:service) { Ci::CreatePipelineService.new(project, user, ref: 'master' ) }
       let(:pipeline) { service.execute(:push) }
       let(:build_names) { pipeline.builds.pluck(:name) }

spec/lib/gitlab/ci/templates/flutter_gitlab_ci_yaml_spec.rb

@@ -6,10 +6,9 @@ RSpec.describe 'Flutter.gitlab-ci.yml' do
   subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Flutter') }
 
   describe 'the created pipeline' do
-    let_it_be(:user) { create(:admin) }
-
     let(:pipeline_branch) { 'master' }
     let(:project) { create(:project, :custom_repo, files: { 'README.md' => '' }) }
+    let(:user) { project.owner }
     let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_branch ) }
     let(:pipeline) { service.execute!(:push) }
     let(:build_names) { pipeline.builds.pluck(:name) }

spec/lib/gitlab/ci/templates/npm_spec.rb

@@ -6,11 +6,10 @@ RSpec.describe 'npm.latest.gitlab-ci.yml' do
   subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('npm.latest') }
 
   describe 'the created pipeline' do
-    let_it_be(:user) { create(:admin) }
-
     let(:repo_files) { { 'package.json' => '{}', 'README.md' => '' } }
     let(:modified_files) { %w[package.json] }
     let(:project) { create(:project, :custom_repo, files: repo_files) }
+    let(:user) { project.owner }
     let(:pipeline_branch) { project.default_branch }
     let(:pipeline_tag) { 'v1.2.1' }
     let(:pipeline_ref) { pipeline_branch }

spec/lib/gitlab/ci/templates/terraform_latest_gitlab_ci_yaml_spec.rb

@@ -10,11 +10,10 @@ RSpec.describe 'Terraform.latest.gitlab-ci.yml' do
   subject(:template) { Gitlab::Template::GitlabCiYmlTemplate.find('Terraform.latest') }
 
   describe 'the created pipeline' do
-    let_it_be(:user) { create(:admin) }
-
     let(:default_branch) { 'master' }
     let(:pipeline_branch) { default_branch }
     let(:project) { create(:project, :custom_repo, files: { 'README.md' => '' }) }
+    let(:user) { project.owner }
     let(:service) { Ci::CreatePipelineService.new(project, user, ref: pipeline_branch ) }
     let(:pipeline) { service.execute!(:push) }
     let(:build_names) { pipeline.builds.pluck(:name) }

spec/lib/gitlab/cycle_analytics/base_event_fetcher_spec.rb

@@ -5,7 +5,7 @@ require 'spec_helper'
 RSpec.describe Gitlab::CycleAnalytics::BaseEventFetcher do
   let(:max_events) { 2 }
   let(:project) { create(:project, :repository) }
-  let(:user) { create(:user, :admin) }
+  let(:user) { project.owner }
   let(:start_time_attrs) { Issue.arel_table[:created_at] }
   let(:end_time_attrs) { [Issue::Metrics.arel_table[:first_associated_with_milestone_at]] }
   let(:options) do

spec/lib/gitlab/cycle_analytics/events_spec.rb

@@ -4,7 +4,7 @@ require 'spec_helper'
 
 RSpec.describe 'value stream analytics events', :aggregate_failures do
   let_it_be(:project) { create(:project, :repository) }
-  let_it_be(:user) { create(:user, :admin) }
+  let_it_be(:user) { project.owner }
   let(:from_date) { 10.days.ago }
   let!(:context) { create(:issue, project: project, created_at: 2.days.ago) }
 

spec/lib/gitlab/git_access_snippet_spec.rb

@@ -172,7 +172,7 @@ RSpec.describe Gitlab::GitAccessSnippet do
         end
       end
 
-      [:guest, :reporter, :maintainer, :author, :admin].each do |membership|
+      [:guest, :reporter, :maintainer, :author].each do |membership|
         context membership.to_s do
           let(:membership) { membership }
 
@@ -183,6 +183,24 @@ RSpec.describe Gitlab::GitAccessSnippet do
         end
       end
 
+      context 'admin' do
+        let(:membership) { :admin }
+
+        context 'when admin mode is enabled', :enable_admin_mode do
+          it 'cannot perform git pushes' do
+            expect { push_access_check }.to raise_error(described_class::ForbiddenError)
+            expect { pull_access_check }.not_to raise_error
+          end
+        end
+
+        context 'when admin mode is disabled' do
+          it 'cannot perform git operations' do
+            expect { push_access_check }.to raise_error(described_class::ForbiddenError)
+            expect { pull_access_check }.to raise_error(described_class::ForbiddenError)
+          end
+        end
+      end
+
       it_behaves_like 'actor is migration bot'
     end
 

spec/lib/gitlab/git_access_spec.rb

@@ -5,6 +5,7 @@ require 'spec_helper'
 RSpec.describe Gitlab::GitAccess do
   include TermsHelper
   include GitHelpers
+  include AdminModeHelper
 
   let(:user) { create(:user) }
 
@@ -769,19 +770,39 @@ RSpec.describe Gitlab::GitAccess do
       describe 'admin user' do
         let(:user) { create(:admin) }
 
-        context 'when member of the project' do
-          before do
-            project.add_reporter(user)
+        context 'when admin mode enabled', :enable_admin_mode do
+          context 'when member of the project' do
+            before do
+              project.add_reporter(user)
+            end
+
+            context 'pull code' do
+              it { expect { pull_access_check }.not_to raise_error }
+            end
           end
 
-          context 'pull code' do
-            it { expect { pull_access_check }.not_to raise_error }
+          context 'when is not member of the project' do
+            context 'pull code' do
+              it { expect { pull_access_check }.to raise_forbidden(described_class::ERROR_MESSAGES[:download]) }
+            end
           end
         end
 
-        context 'when is not member of the project' do
-          context 'pull code' do
-            it { expect { pull_access_check }.to raise_forbidden(described_class::ERROR_MESSAGES[:download]) }
+        context 'when admin mode disabled' do
+          context 'when member of the project' do
+            before do
+              project.add_reporter(user)
+            end
+
+            context 'pull code' do
+              it { expect { pull_access_check }.not_to raise_error }
+            end
+          end
+
+          context 'when is not member of the project' do
+            context 'pull code' do
+              it { expect { pull_access_check }.to raise_not_found }
+            end
           end
         end
       end
@@ -870,8 +891,9 @@ RSpec.describe Gitlab::GitAccess do
         # Expectations are given a custom failure message proc so that it's
         # easier to identify which check(s) failed.
         it "has the correct permissions for #{role}s" do
-          if role == :admin
+          if [:admin_with_admin_mode, :admin_without_admin_mode].include?(role)
             user.update_attribute(:admin, true)
+            enable_admin_mode!(user) if role == :admin_with_admin_mode
             project.add_guest(user)
           else
             project.add_role(user, role)
@@ -897,7 +919,7 @@ RSpec.describe Gitlab::GitAccess do
     end
 
     permissions_matrix = {
-      admin: {
+      admin_with_admin_mode: {
         any: true,
         push_new_branch: true,
         push_master: true,
@@ -909,6 +931,18 @@ RSpec.describe Gitlab::GitAccess do
         merge_into_protected_branch: true
       },
 
+      admin_without_admin_mode: {
+        any: false,
+        push_new_branch: false,
+        push_master: false,
+        push_protected_branch: false,
+        push_remove_protected_branch: false,
+        push_tag: false,
+        push_new_tag: false,
+        push_all: false,
+        merge_into_protected_branch: false
+      },
+
       maintainer: {
         any: true,
         push_new_branch: true,
@@ -1009,7 +1043,7 @@ RSpec.describe Gitlab::GitAccess do
 
         run_permission_checks(permissions_matrix.deep_merge(developer: { push_protected_branch: false, push_all: false, merge_into_protected_branch: false },
                                                             maintainer: { push_protected_branch: false, push_all: false, merge_into_protected_branch: false },
-                                                            admin: { push_protected_branch: false, push_all: false, merge_into_protected_branch: false }))
+                                                            admin_with_admin_mode: { push_protected_branch: false, push_all: false, merge_into_protected_branch: false }))
       end
     end
 

spec/lib/gitlab/search_results_spec.rb

@@ -342,17 +342,36 @@ RSpec.describe Gitlab::SearchResults do
       expect(results.limited_issues_count).to eq 4
     end
 
-    it 'lists all issues for admin' do
-      results = described_class.new(admin, query, limit_projects)
-      issues = results.objects('issues')
+    context 'with admin user' do
+      context 'when admin mode enabled', :enable_admin_mode do
+        it 'lists all issues' do
+          results = described_class.new(admin, query, limit_projects)
+          issues = results.objects('issues')
+
+          expect(issues).to include issue
+          expect(issues).to include security_issue_1
+          expect(issues).to include security_issue_2
+          expect(issues).to include security_issue_3
+          expect(issues).to include security_issue_4
+          expect(issues).not_to include security_issue_5
+          expect(results.limited_issues_count).to eq 5
+        end
+      end
 
-      expect(issues).to include issue
-      expect(issues).to include security_issue_1
-      expect(issues).to include security_issue_2
-      expect(issues).to include security_issue_3
-      expect(issues).to include security_issue_4
-      expect(issues).not_to include security_issue_5
-      expect(results.limited_issues_count).to eq 5
+      context 'when admin mode disabled' do
+        it 'does not list confidential issues' do
+          results = described_class.new(admin, query, limit_projects)
+          issues = results.objects('issues')
+
+          expect(issues).to include issue
+          expect(issues).not_to include security_issue_1
+          expect(issues).not_to include security_issue_2
+          expect(issues).not_to include security_issue_3
+          expect(issues).not_to include security_issue_4
+          expect(issues).not_to include security_issue_5
+          expect(results.limited_issues_count).to eq 1
+        end
+      end
     end
   end
 

spec/lib/gitlab/sidekiq_middleware/admin_mode/client_spec.rb

@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe Gitlab::SidekiqMiddleware::AdminMode::Client, :do_not_mock_admin_mode, :request_store do
+RSpec.describe Gitlab::SidekiqMiddleware::AdminMode::Client, :request_store do
   include AdminModeHelper
 
   let(:worker) do

spec/lib/gitlab/sidekiq_middleware/admin_mode/server_spec.rb

@@ -2,7 +2,7 @@
 
 require 'spec_helper'
 
-RSpec.describe Gitlab::SidekiqMiddleware::AdminMode::Server, :do_not_mock_admin_mode, :request_store do
+RSpec.describe Gitlab::SidekiqMiddleware::AdminMode::Server, :request_store do
   include AdminModeHelper
 
   let(:worker) do

spec/lib/gitlab/slash_commands/presenters/issue_move_spec.rb

@@ -3,15 +3,20 @@
 require 'spec_helper'
 
 RSpec.describe Gitlab::SlashCommands::Presenters::IssueMove do
-  let_it_be(:admin) { create(:admin) }
+  let_it_be(:user) { create(:user) }
   let_it_be(:project, reload: true) { create(:project) }
   let_it_be(:other_project) { create(:project) }
   let_it_be(:old_issue, reload: true) { create(:issue, project: project) }
-  let(:new_issue) { Issues::MoveService.new(project, admin).execute(old_issue, other_project) }
+  let(:new_issue) { Issues::MoveService.new(project, user).execute(old_issue, other_project) }
   let(:attachment) { subject[:attachments].first }
 
   subject { described_class.new(new_issue).present(old_issue) }
 
+  before do
+    project.add_developer(user)
+    other_project.add_developer(user)
+  end
+
   it { is_expected.to be_a(Hash) }
 
   it 'shows the new issue' do

spec/lib/gitlab/user_access_spec.rb

@@ -45,10 +45,20 @@ RSpec.describe Gitlab::UserAccess do
       let(:empty_project) { create(:project_empty_repo) }
       let(:project_access) { described_class.new(user, container: empty_project) }
 
-      it 'returns true for admins' do
-        user.update!(admin: true)
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it 'returns true for admins' do
+          user.update!(admin: true)
 
-        expect(access.can_push_to_branch?('master')).to be_truthy
+          expect(access.can_push_to_branch?('master')).to be_truthy
+        end
+      end
+
+      context 'when admin mode is disabled' do
+        it 'returns false for admins' do
+          user.update!(admin: true)
+
+          expect(access.can_push_to_branch?('master')).to be_falsey
+        end
       end
 
       it 'returns true if user is maintainer' do
@@ -85,10 +95,20 @@ RSpec.describe Gitlab::UserAccess do
       let(:branch) { create :protected_branch, project: project, name: "test" }
       let(:not_existing_branch) { create :protected_branch, :developers_can_merge, project: project }
 
-      it 'returns true for admins' do
-        user.update!(admin: true)
+      context 'when admin mode is enabled', :enable_admin_mode do
+        it 'returns true for admins' do
+          user.update!(admin: true)
 
-        expect(access.can_push_to_branch?(branch.name)).to be_truthy
+          expect(access.can_push_to_branch?(branch.name)).to be_truthy
+        end
+      end
+
+      context 'when admin mode is disabled' do
+        it 'returns false for admins' do
+          user.update!(admin: true)
+
+          expect(access.can_push_to_branch?(branch.name)).to be_falsey
+        end
       end
 
       it 'returns true if user is a maintainer' do

spec/lib/gitlab/visibility_level_spec.rb

@@ -22,13 +22,25 @@ RSpec.describe Gitlab::VisibilityLevel do
   end
 
   describe '.levels_for_user' do
-    it 'returns all levels for an admin' do
-      user = build(:user, :admin)
+    context 'when admin mode is enabled', :enable_admin_mode do
+      it 'returns all levels for an admin' do
+        user = build(:user, :admin)
+
+        expect(described_class.levels_for_user(user))
+          .to eq([Gitlab::VisibilityLevel::PRIVATE,
+                  Gitlab::VisibilityLevel::INTERNAL,
+                  Gitlab::VisibilityLevel::PUBLIC])
+      end
+    end
 
-      expect(described_class.levels_for_user(user))
-        .to eq([Gitlab::VisibilityLevel::PRIVATE,
-                Gitlab::VisibilityLevel::INTERNAL,
-                Gitlab::VisibilityLevel::PUBLIC])
+    context 'when admin mode is disabled' do
+      it 'returns INTERNAL and PUBLIC for an admin' do
+        user = build(:user, :admin)
+
+        expect(described_class.levels_for_user(user))
+            .to eq([Gitlab::VisibilityLevel::INTERNAL,
+                    Gitlab::VisibilityLevel::PUBLIC])
+      end
     end
 
     it 'returns INTERNAL and PUBLIC for internal users' do

spec/spec_helper.rb

@@ -290,14 +290,11 @@ RSpec.configure do |config|
     admin_mode_mock_dirs = %w(
       ./ee/spec/elastic_integration
       ./ee/spec/finders
-      ./ee/spec/lib
       ./ee/spec/serializers
       ./ee/spec/support/shared_examples/finders/geo
       ./ee/spec/support/shared_examples/graphql/geo
       ./spec/finders
-      ./spec/lib
       ./spec/serializers
-      ./spec/support/shared_examples/lib/gitlab
       ./spec/workers
     )
 

spec/support/shared_examples/lib/gitlab/project_search_results_shared_examples.rb

@@ -54,7 +54,7 @@ RSpec.shared_examples 'access restricted confidential issues' do
     end
   end
 
-  context 'when the user is a developper' do
+  context 'when the user is a developer' do
     let(:user) do
       create(:user) { |user| project.add_developer(user) }
     end
@@ -70,10 +70,19 @@ RSpec.shared_examples 'access restricted confidential issues' do
   context 'when the user is admin', :request_store do
     let(:user) { create(:user, admin: true) }
 
-    it 'lists all project issues' do
-      expect(objects).to contain_exactly(issue,
-                                         security_issue_1,
-                                         security_issue_2)
+    context 'when admin mode is enabled', :enable_admin_mode do
+      it 'lists all project issues' do
+        expect(objects).to contain_exactly(issue,
+                                           security_issue_1,
+                                           security_issue_2)
+      end
+    end
+
+    context 'when admin mode is disabled' do
+      it 'does not list project confidential issues' do
+        expect(objects).to contain_exactly(issue)
+        expect(results.limited_issues_count).to eq 1
+      end
     end
   end
 end