Merge branch 'ia-exempt-admin-bot-from-admin-mode' into 'master'

Exempt ::Users::Internal.admin_bot from admin mode See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/183892 Merged-by: Ian Anderson <ianderson@gitlab.com> Approved-by: Bob Van Landuyt <bob@gitlab.com> Approved-by: mo khan <mo@mokhan.ca>

Merge branch 'ia-exempt-admin-bot-from-admin-mode' into 'master'
90bc53b2 · Ian Anderson · GitLab · cade8365 · 205fd8ff · 90bc53b2
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -5,6 +5,7 @@ class BasePolicy < DeclarativePolicy::Base
  with_options scope: :user, score: 0
  condition(:admin) do
    next false if @user&.from_ci_job_token?
+    next true if user_is_user? && @user.admin_bot?

    if Gitlab::CurrentSettings.admin_mode
      Gitlab::Auth::CurrentUserMode.new(@user).admin_mode?

--- a/ee/spec/services/compliance_management/pipl/block_non_compliant_user_service_spec.rb
+++ b/ee/spec/services/compliance_management/pipl/block_non_compliant_user_service_spec.rb
@@ -8,7 +8,7 @@
  subject(:execute) { described_class.new(pipl_user: pipl_user, current_user: blocking_user).execute }

  let(:pipl_user) { create(:pipl_user) }
-  let(:blocking_user) { Users::Internal.admin_bot }
+  let(:blocking_user) { create(:user, :admin) }

  shared_examples 'does not block the user' do
    it 'does not change the user status and note' do
@@ -94,7 +94,7 @@
      end

      context 'when the block operation fails' do
-        let(:pipl_user) { create(:pipl_user, user: blocking_user, initial_email_sent_at: 60.days.ago) }
+        let(:pipl_user) { create(:pipl_user, user: Users::Internal.admin_bot, initial_email_sent_at: 60.days.ago) }

        it_behaves_like 'does not block the user'
        it_behaves_like 'has a validation error',

--- a/ee/spec/services/compliance_management/pipl/delete_non_compliant_user_service_spec.rb
+++ b/ee/spec/services/compliance_management/pipl/delete_non_compliant_user_service_spec.rb
@@ -9,7 +9,7 @@

  let_it_be_with_reload(:pipl_user) { create(:pipl_user, :deletable) }
  let_it_be_with_reload(:user) { pipl_user.user }
-  let(:deleting_user) { Users::Internal.admin_bot }
+  let(:deleting_user) { create(:user, :admin) }

  shared_examples 'does not delete the user' do
    it 'does not schedule a deletion migration' do

--- a/spec/policies/base_policy_spec.rb
+++ b/spec/policies/base_policy_spec.rb
@@ -65,6 +65,12 @@ def policy
      end
    end

+    context 'with the admin bot user' do
+      let(:current_user) { ::Users::Internal.admin_bot }
+
+      it { is_expected.to be_allowed(ability) }
+    end
+
    context 'with anonymous' do
      let(:current_user) { nil }


--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -1298,7 +1298,7 @@
      end

      context 'all other user types' do
-        User::USER_TYPES.except(:human, :project_bot, :placeholder, :import_user).each_value do |user_type|
+        User::USER_TYPES.except(:human, :project_bot, :admin_bot, :placeholder, :import_user).each_value do |user_type|
          context "with user_type #{user_type}" do
            before do
              current_user.update!(user_type: user_type)

--- a/spec/policies/packages/policies/dependency_proxy/group_policy_spec.rb
+++ b/spec/policies/packages/policies/dependency_proxy/group_policy_spec.rb
@@ -92,7 +92,9 @@
      end

      context 'with all other user types' do
-        User::USER_TYPES.except(:human, :project_bot, :security_policy_bot, :placeholder).each_value do |user_type|
+        excluded_types = %i[human project_bot security_policy_bot admin_bot placeholder]
+
+        User::USER_TYPES.except(*excluded_types).each_value do |user_type|
          context "with user_type #{user_type}" do
            let_it_be(:auth_token) { create(:personal_access_token, user: non_group_member) }