1 files changed, 39 insertions, 26 deletions
diff --git a/spec/services/projects/create_service_spec.rb b/spec/services/projects/create_service_spec.rb
index d1b110b9806..f54f9200661 100644
--- a/spec/services/projects/create_service_spec.rb
+++ b/spec/services/projects/create_service_spec.rb
@@ -1,6 +1,9 @@
+# frozen_string_literal: true
+
 require 'spec_helper'
 
 describe Projects::CreateService, '#execute' do
+  include ExternalAuthorizationServiceHelpers
   include GitHelpers
 
   let(:gitlab_shell) { Gitlab::Shell.new }
@@ -265,32 +268,6 @@ describe Projects::CreateService, '#execute' do
     end
   end
 
-  context 'when group has kubernetes cluster' do
-    let(:group_cluster) { create(:cluster, :group, :provided_by_gcp) }
-    let(:group) { group_cluster.group }
-
-    let(:token) { 'aaaa' }
-    let(:service_account_creator) { double(Clusters::Gcp::Kubernetes::CreateOrUpdateServiceAccountService, execute: true) }
-    let(:secrets_fetcher) { double(Clusters::Gcp::Kubernetes::FetchKubernetesTokenService, execute: token) }
-
-    before do
-      group.add_owner(user)
-
-      expect(Clusters::Gcp::Kubernetes::CreateOrUpdateServiceAccountService).to receive(:namespace_creator).and_return(service_account_creator)
-      expect(Clusters::Gcp::Kubernetes::FetchKubernetesTokenService).to receive(:new).and_return(secrets_fetcher)
-    end
-
-    it 'creates kubernetes namespace for the project' do
-      project = create_project(user, opts.merge!(namespace_id: group.id))
-
-      expect(project).to be_valid
-
-      kubernetes_namespace = group_cluster.kubernetes_namespaces.first
-      expect(kubernetes_namespace).to be_present
-      expect(kubernetes_namespace.project).to eq(project)
-    end
-  end
-
   context 'when there is an active service template' do
     before do
       create(:service, project: nil, template: true, active: true)
@@ -343,6 +320,42 @@ describe Projects::CreateService, '#execute' do
     expect(rugged.config['gitlab.fullpath']).to eq project.full_path
   end
 
+  context 'with external authorization enabled' do
+    before do
+      enable_external_authorization_service_check
+    end
+
+    it 'does not save the project with an error if the service denies access' do
+      expect(::Gitlab::ExternalAuthorization)
+        .to receive(:access_allowed?).with(user, 'new-label', any_args) { false }
+
+      project = create_project(user, opts.merge({ external_authorization_classification_label: 'new-label' }))
+
+      expect(project.errors[:external_authorization_classification_label]).to be_present
+      expect(project).not_to be_persisted
+    end
+
+    it 'saves the project when the user has access to the label' do
+      expect(::Gitlab::ExternalAuthorization)
+        .to receive(:access_allowed?).with(user, 'new-label', any_args) { true }
+
+      project = create_project(user, opts.merge({ external_authorization_classification_label: 'new-label' }))
+
+      expect(project).to be_persisted
+      expect(project.external_authorization_classification_label).to eq('new-label')
+    end
+
+    it 'does not save the project when the user has no access to the default label and no label is provided' do
+      expect(::Gitlab::ExternalAuthorization)
+        .to receive(:access_allowed?).with(user, 'default_label', any_args) { false }
+
+      project = create_project(user, opts)
+
+      expect(project.errors[:external_authorization_classification_label]).to be_present
+      expect(project).not_to be_persisted
+    end
+  end
+
   def create_project(user, opts)
     Projects::CreateService.new(user, opts).execute
   end