Expose namespace storage statistics with GraphQL

Root namespaces have storage statistics.
This commit allows namespace owners to get those stats via GraphQL
queries like the following one

{
  namespace(fullPath: "a_namespace_path") {
    rootStorageStatistics {
      storageSize
      repositorySize
      lfsObjectsSize
      buildArtifactsSize
      packagesSize
      wikiSize
    }
  }
}

2 files changed, 81 insertions, 1 deletions

diff --git a/spec/policies/namespace/root_storage_statistics_policy_spec.rb b/spec/policies/namespace/root_storage_statistics_policy_spec.rb
new file mode 100644
index 00000000000..8d53050fffb
--- /dev/null
+++ b/spec/policies/namespace/root_storage_statistics_policy_spec.rb
@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe Namespace::RootStorageStatisticsPolicy do
+  using RSpec::Parameterized::TableSyntax
+
+  describe '#rules' do
+    let(:statistics) { create(:namespace_root_storage_statistics, namespace: namespace) }
+    let(:user) { create(:user) }
+
+    subject { Ability.allowed?(user, :read_statistics, statistics) }
+
+    shared_examples 'deny anonymous users' do
+      context 'when the users is anonymous' do
+        let(:user) { nil }
+
+        it { is_expected.to be_falsey }
+      end
+    end
+
+    context 'when the namespace is a personal namespace' do
+      let(:owner) { create(:user) }
+      let(:namespace) { owner.namespace }
+
+      include_examples 'deny anonymous users'
+
+      context 'when the user is not the owner' do
+        it { is_expected.to be_falsey }
+      end
+
+      context 'when the user is the owner' do
+        let(:user) { owner }
+
+        it { is_expected.to be_truthy }
+      end
+    end
+
+    context 'when the namespace is a group' do
+      let(:user)     { create(:user) }
+      let(:external) { create(:user, :external) }
+
+      shared_examples 'allows only owners' do |group_type|
+        let(:group) { create(:group, visibility_level: Gitlab::VisibilityLevel.level_value(group_type.to_s)) }
+        let(:namespace) { group }
+
+        include_examples 'deny anonymous users'
+
+        where(:user_type, :outcome) do
+          [
+            [:non_member, false],
+            [:guest, false],
+            [:reporter, false],
+            [:developer, false],
+            [:maintainer, false],
+            [:owner, true]
+          ]
+        end
+
+        with_them do
+          before do
+            group.add_user(user, user_type) unless user_type == :non_member
+          end
+
+          it { is_expected.to eq(outcome) }
+
+          context 'when the user is external' do
+            let(:user) { external }
+
+            it { is_expected.to eq(outcome) }
+          end
+        end
+      end
+
+      include_examples 'allows only owners', :public
+      include_examples 'allows only owners', :private
+      include_examples 'allows only owners', :internal
+    end
+  end
+end
diff --git a/spec/policies/namespace_policy_spec.rb b/spec/policies/namespace_policy_spec.rb
index 99fa8b1fe44..216aaae70ee 100644
--- a/spec/policies/namespace_policy_spec.rb
+++ b/spec/policies/namespace_policy_spec.rb
@@ -6,7 +6,7 @@ describe NamespacePolicy do
   let(:admin) { create(:admin) }
   let(:namespace) { create(:namespace, owner: owner) }
 
-  let(:owner_permissions) { [:create_projects, :admin_namespace, :read_namespace] }
+  let(:owner_permissions) { [:create_projects, :admin_namespace, :read_namespace, :read_statistics] }
 
   subject { described_class.new(current_user, namespace) }