Merge branch '360399-expand-codeowner-auth-pattern' into 'master'

Expand CODEOWNER auth pattern See merge request gitlab-org/gitlab!85937

Merge branch '360399-expand-codeowner-auth-pattern' into 'master'
793aa623 · Rémy Coutable · 775c8e64 · 64bb457c · 793aa623 · 793aa623
--- a/.gitlab/CODEOWNERS
+++ b/.gitlab/CODEOWNERS
@@ -800,29 +800,245 @@ lib/gitlab/checks/** @proglottis @toon @zj-gitlab
 /doc/user/workspace/index.md @fneill

 [Authentication and Authorization]
-/app/**/*password* @gitlab-org/manage/authentication-and-authorization
-/ee/app/**/*password* @gitlab-org/manage/authentication-and-authorization
-/config/**/*password* @gitlab-org/manage/authentication-and-authorization
-/ee/config/**/*password* @gitlab-org/manage/authentication-and-authorization
-/lib/**/*password* @gitlab-org/manage/authentication-and-authorization
-/ee/lib/**/*password* @gitlab-org/manage/authentication-and-authorization
-/app/controllers/**/*password* @gitlab-org/manage/authentication-and-authorization
-/ee/app/controllers/**/*password* @gitlab-org/manage/authentication-and-authorization
-
-/app/**/*auth* @gitlab-org/manage/authentication-and-authorization
-/ee/app/**/*auth* @gitlab-org/manage/authentication-and-authorization
-/config/**/*auth* @gitlab-org/manage/authentication-and-authorization
-/ee/config/**/*auth* @gitlab-org/manage/authentication-and-authorization
-/lib/**/*auth* @gitlab-org/manage/authentication-and-authorization
-/ee/lib/**/*auth* @gitlab-org/manage/authentication-and-authorization
-/app/controllers/**/*auth* @gitlab-org/manage/authentication-and-authorization
-/ee/app/controllers/**/*auth* @gitlab-org/manage/authentication-and-authorization
-
-/app/**/*token* @gitlab-org/manage/authentication-and-authorization
-/ee/app/**/*token* @gitlab-org/manage/authentication-and-authorization
-/config/**/*token* @gitlab-org/manage/authentication-and-authorization
-/ee/config/**/*token* @gitlab-org/manage/authentication-and-authorization
-/lib/**/*token* @gitlab-org/manage/authentication-and-authorization
-/ee/lib/**/*token* @gitlab-org/manage/authentication-and-authorization
-/app/controllers/**/*token* @gitlab-org/manage/authentication-and-authorization
-/ee/app/controllers/**/*token* @gitlab-org/manage/authentication-and-authorization
+/app/assets/javascripts/access_tokens @gitlab-org/manage/authentication-and-authorization
+/app/assets/javascripts/alerts_settings/graphql/mutations/reset_http_token.mutation.graphql @gitlab-org/manage/authentication-and-authorization
+/app/assets/javascripts/authentication @gitlab-org/manage/authentication-and-authorization
+/app/assets/javascripts/ide/components/shared/tokened_input.vue @gitlab-org/manage/authentication-and-authorization
+/app/assets/javascripts/invite_members/components/members_token_select.vue @gitlab-org/manage/authentication-and-authorization
+/app/assets/javascripts/logs/components/tokens @gitlab-org/manage/authentication-and-authorization
+/app/assets/javascripts/packages_and_registries/package_registry/components/list/tokens @gitlab-org/manage/authentication-and-authorization
+/app/assets/javascripts/pages/admin/impersonation_tokens @gitlab-org/manage/authentication-and-authorization
+/app/assets/javascripts/pages/groups/settings/access_tokens @gitlab-org/manage/authentication-and-authorization
+/app/assets/javascripts/pages/ldap @gitlab-org/manage/authentication-and-authorization
+/app/assets/javascripts/pages/oauth @gitlab-org/manage/authentication-and-authorization
+/app/assets/javascripts/pages/omniauth_callbacks @gitlab-org/manage/authentication-and-authorization
+/app/assets/javascripts/pages/profiles/password_prompt @gitlab-org/manage/authentication-and-authorization
+/app/assets/javascripts/pages/profiles/personal_access_tokens @gitlab-org/manage/authentication-and-authorization
+/app/assets/javascripts/pages/profiles/two_factor_auths @gitlab-org/manage/authentication-and-authorization
+/app/assets/javascripts/pages/projects/settings/access_tokens @gitlab-org/manage/authentication-and-authorization
+/app/assets/javascripts/pages/sessions/new/oauth_remember_me.js @gitlab-org/manage/authentication-and-authorization
+/app/assets/javascripts/pipelines/components/pipelines_list/tokens/constants.js @gitlab-org/manage/authentication-and-authorization
+/app/assets/javascripts/pipelines/components/pipelines_list/tokens/pipeline_branch_name_token.vue @gitlab-org/manage/authentication-and-authorization
+/app/assets/javascripts/pipelines/components/pipelines_list/tokens/pipeline_source_token.vue @gitlab-org/manage/authentication-and-authorization
+/app/assets/javascripts/pipelines/components/pipelines_list/tokens/pipeline_status_token.vue @gitlab-org/manage/authentication-and-authorization
+/app/assets/javascripts/pipelines/components/pipelines_list/tokens/pipeline_tag_name_token.vue @gitlab-org/manage/authentication-and-authorization
+/app/assets/javascripts/projects/settings/topics/components @gitlab-org/manage/authentication-and-authorization
+/app/assets/javascripts/related_issues/components/issue_token.vue @gitlab-org/manage/authentication-and-authorization
+/app/assets/javascripts/runner/components/registration/registration_token.vue @gitlab-org/manage/authentication-and-authorization
+/app/assets/javascripts/runner/components/registration/registration_token_reset_dropdown_item.vue @gitlab-org/manage/authentication-and-authorization
+/app/assets/javascripts/runner/components/search_tokens @gitlab-org/manage/authentication-and-authorization
+/app/assets/javascripts/static_site_editor/rich_content_editor/services/renderers/build_uneditable_token.js @gitlab-org/manage/authentication-and-authorization
+/app/assets/javascripts/token_access/components @gitlab-org/manage/authentication-and-authorization
+/app/assets/javascripts/token_access/index.js @gitlab-org/manage/authentication-and-authorization
+/app/assets/stylesheets/page_bundles/profile_two_factor_auth.scss @gitlab-org/manage/authentication-and-authorization
+/app/controllers/admin/impersonation_tokens_controller.rb @gitlab-org/manage/authentication-and-authorization
+/app/controllers/concerns/access_tokens_actions.rb @gitlab-org/manage/authentication-and-authorization
+/app/controllers/concerns/authenticates_with_two_factor.rb @gitlab-org/manage/authentication-and-authorization
+/app/controllers/concerns/authenticates_with_two_factor_for_admin_mode.rb @gitlab-org/manage/authentication-and-authorization
+/app/controllers/concerns/enforces_admin_authentication.rb @gitlab-org/manage/authentication-and-authorization
+/app/controllers/concerns/enforces_two_factor_authentication.rb @gitlab-org/manage/authentication-and-authorization
+/app/controllers/concerns/oauth_applications.rb @gitlab-org/manage/authentication-and-authorization
+/app/controllers/concerns/project_unauthorized.rb @gitlab-org/manage/authentication-and-authorization
+/app/controllers/concerns/sessionless_authentication.rb @gitlab-org/manage/authentication-and-authorization
+/app/controllers/concerns/snippet_authorizations.rb @gitlab-org/manage/authentication-and-authorization
+/app/controllers/concerns/workhorse_authorization.rb @gitlab-org/manage/authentication-and-authorization
+/app/controllers/groups/settings/access_tokens_controller.rb @gitlab-org/manage/authentication-and-authorization
+/app/controllers/ldap @gitlab-org/manage/authentication-and-authorization
+/app/controllers/oauth @gitlab-org/manage/authentication-and-authorization
+/app/controllers/omniauth_callbacks_controller.rb @gitlab-org/manage/authentication-and-authorization
+/app/controllers/passwords_controller.rb @gitlab-org/manage/authentication-and-authorization
+/app/controllers/profiles/passwords_controller.rb @gitlab-org/manage/authentication-and-authorization
+/app/controllers/profiles/personal_access_tokens_controller.rb @gitlab-org/manage/authentication-and-authorization
+/app/controllers/profiles/two_factor_auths_controller.rb @gitlab-org/manage/authentication-and-authorization
+/app/controllers/profiles/webauthn_registrations_controller.rb @gitlab-org/manage/authentication-and-authorization
+/app/controllers/projects/settings/access_tokens_controller.rb @gitlab-org/manage/authentication-and-authorization
+/app/finders/groups/projects_requiring_authorizations_refresh @gitlab-org/manage/authentication-and-authorization
+/app/finders/personal_access_tokens_finder.rb @gitlab-org/manage/authentication-and-authorization
+/app/helpers/access_tokens_helper.rb @gitlab-org/manage/authentication-and-authorization
+/app/helpers/auth_helper.rb @gitlab-org/manage/authentication-and-authorization
+/app/models/authentication_event.rb @gitlab-org/manage/authentication-and-authorization
+/app/models/concerns/admin_changed_password_notifier.rb @gitlab-org/manage/authentication-and-authorization
+/app/models/concerns/mirror_authentication.rb @gitlab-org/manage/authentication-and-authorization
+/app/models/concerns/select_for_project_authorization.rb @gitlab-org/manage/authentication-and-authorization
+/app/models/concerns/token_authenticatable.rb @gitlab-org/manage/authentication-and-authorization
+/app/models/concerns/token_authenticatable_strategies @gitlab-org/manage/authentication-and-authorization
+/app/models/oauth_access_grant.rb @gitlab-org/manage/authentication-and-authorization
+/app/models/oauth_access_token.rb @gitlab-org/manage/authentication-and-authorization
+/app/models/personal_access_token.rb @gitlab-org/manage/authentication-and-authorization
+/app/models/project_authorization.rb @gitlab-org/manage/authentication-and-authorization
+/app/models/token_with_iv.rb @gitlab-org/manage/authentication-and-authorization
+/app/models/webauthn_registration.rb @gitlab-org/manage/authentication-and-authorization
+/app/policies/personal_access_token_policy.rb @gitlab-org/manage/authentication-and-authorization
+/app/services/access_token_validation_service.rb @gitlab-org/manage/authentication-and-authorization
+/app/services/auth @gitlab-org/manage/authentication-and-authorization
+/app/services/authorized_project_update @gitlab-org/manage/authentication-and-authorization
+/app/services/chat_names/authorize_user_service.rb @gitlab-org/manage/authentication-and-authorization
+/app/services/personal_access_tokens @gitlab-org/manage/authentication-and-authorization
+/app/services/projects/move_project_authorizations_service.rb @gitlab-org/manage/authentication-and-authorization
+/app/services/resource_access_tokens @gitlab-org/manage/authentication-and-authorization
+/app/services/todos/destroy/unauthorized_features_service.rb @gitlab-org/manage/authentication-and-authorization
+/app/services/users/authorized_build_service.rb @gitlab-org/manage/authentication-and-authorization
+/app/services/users/authorized_create_service.rb @gitlab-org/manage/authentication-and-authorization
+/app/services/users/refresh_authorized_projects_service.rb @gitlab-org/manage/authentication-and-authorization
+/app/services/webauthn @gitlab-org/manage/authentication-and-authorization
+/app/validators/json_schemas/cluster_agent_authorization_configuration.json @gitlab-org/manage/authentication-and-authorization
+/app/views/admin/application_settings/_external_authorization_service_form.html.haml @gitlab-org/manage/authentication-and-authorization
+/app/views/admin/impersonation_tokens @gitlab-org/manage/authentication-and-authorization
+/app/views/authentication @gitlab-org/manage/authentication-and-authorization
+/app/views/ci/token_access @gitlab-org/manage/authentication-and-authorization
+/app/views/dashboard/projects/_zero_authorized_projects.html.haml @gitlab-org/manage/authentication-and-authorization
+/app/views/devise/mailer/password_change.html.haml @gitlab-org/manage/authentication-and-authorization
+/app/views/devise/mailer/password_change.text.erb @gitlab-org/manage/authentication-and-authorization
+/app/views/devise/mailer/password_change_by_admin.html.haml @gitlab-org/manage/authentication-and-authorization
+/app/views/devise/mailer/password_change_by_admin.text.erb @gitlab-org/manage/authentication-and-authorization
+/app/views/devise/mailer/reset_password_instructions.html.haml @gitlab-org/manage/authentication-and-authorization
+/app/views/devise/mailer/reset_password_instructions.text.erb @gitlab-org/manage/authentication-and-authorization
+/app/views/devise/passwords @gitlab-org/manage/authentication-and-authorization
+/app/views/devise/shared/_omniauth_box.html.haml @gitlab-org/manage/authentication-and-authorization
+/app/views/devise/shared/_signup_omniauth_provider_list.haml @gitlab-org/manage/authentication-and-authorization
+/app/views/devise/shared/_signup_omniauth_providers.haml @gitlab-org/manage/authentication-and-authorization
+/app/views/devise/shared/_signup_omniauth_providers_top.haml @gitlab-org/manage/authentication-and-authorization
+/app/views/doorkeeper/authorizations @gitlab-org/manage/authentication-and-authorization
+/app/views/doorkeeper/authorized_applications @gitlab-org/manage/authentication-and-authorization
+/app/views/errors/omniauth_error.html.haml @gitlab-org/manage/authentication-and-authorization
+/app/views/groups/settings/_resource_access_token_creation.html.haml @gitlab-org/manage/authentication-and-authorization
+/app/views/groups/settings/_two_factor_auth.html.haml @gitlab-org/manage/authentication-and-authorization
+/app/views/groups/settings/access_tokens @gitlab-org/manage/authentication-and-authorization
+/app/views/layouts/oauth_error.html.haml @gitlab-org/manage/authentication-and-authorization
+/app/views/notify/access_token_about_to_expire_email.html.haml @gitlab-org/manage/authentication-and-authorization
+/app/views/notify/access_token_about_to_expire_email.text.erb @gitlab-org/manage/authentication-and-authorization
+/app/views/notify/access_token_created_email.html.haml @gitlab-org/manage/authentication-and-authorization
+/app/views/notify/access_token_created_email.text.erb @gitlab-org/manage/authentication-and-authorization
+/app/views/notify/access_token_expired_email.html.haml @gitlab-org/manage/authentication-and-authorization
+/app/views/notify/access_token_expired_email.text.erb @gitlab-org/manage/authentication-and-authorization
+/app/views/profiles/passwords @gitlab-org/manage/authentication-and-authorization
+/app/views/profiles/personal_access_tokens @gitlab-org/manage/authentication-and-authorization
+/app/views/profiles/two_factor_auths @gitlab-org/manage/authentication-and-authorization
+/app/views/projects/mirrors/_authentication_method.html.haml @gitlab-org/manage/authentication-and-authorization
+/app/views/projects/settings/access_tokens @gitlab-org/manage/authentication-and-authorization
+/app/views/shared/_no_password.html.haml @gitlab-org/manage/authentication-and-authorization
+/app/views/shared/_two_factor_auth_recovery_settings_check.html.haml @gitlab-org/manage/authentication-and-authorization
+/app/views/shared/access_tokens @gitlab-org/manage/authentication-and-authorization
+/app/views/shared/members/_two_factor_auth_badge.html.haml @gitlab-org/manage/authentication-and-authorization
+/app/views/shared/tokens @gitlab-org/manage/authentication-and-authorization
+/app/workers/authorized_keys_worker.rb @gitlab-org/manage/authentication-and-authorization
+/app/workers/authorized_project_update @gitlab-org/manage/authentication-and-authorization
+/app/workers/authorized_projects_worker.rb @gitlab-org/manage/authentication-and-authorization
+/app/workers/personal_access_tokens @gitlab-org/manage/authentication-and-authorization
+/config/feature_flags/development/application_settings_tokens_optional_encryption.yml @gitlab-org/manage/authentication-and-authorization
+/config/feature_flags/development/enforce_auth_checks_on_uploads.yml @gitlab-org/manage/authentication-and-authorization
+/config/feature_flags/development/forti_authenticator.yml @gitlab-org/manage/authentication-and-authorization
+/config/feature_flags/development/forti_token_cloud.yml @gitlab-org/manage/authentication-and-authorization
+/config/feature_flags/development/groups_tokens_optional_encryption.yml @gitlab-org/manage/authentication-and-authorization
+/config/feature_flags/development/omniauth_initializer_fullhost_proc.yml @gitlab-org/manage/authentication-and-authorization
+/config/feature_flags/development/omniauth_login_minimal_scopes.yml @gitlab-org/manage/authentication-and-authorization
+/config/feature_flags/development/personal_access_tokens_scoped_to_projects.yml @gitlab-org/manage/authentication-and-authorization
+/config/feature_flags/development/projects_tokens_optional_encryption.yml @gitlab-org/manage/authentication-and-authorization
+/config/feature_flags/development/specialized_worker_for_group_lock_update_auth_recalculation.yml @gitlab-org/manage/authentication-and-authorization
+/config/feature_flags/development/webauthn.yml @gitlab-org/manage/authentication-and-authorization
+/config/feature_flags/ops/block_password_auth_for_saml_users.yml @gitlab-org/manage/authentication-and-authorization
+/config/initializers/01_secret_token.rb @gitlab-org/manage/authentication-and-authorization
+/config/initializers/devise_dynamic_password_length_validation.rb @gitlab-org/manage/authentication-and-authorization
+/config/initializers/devise_password_length.rb.example @gitlab-org/manage/authentication-and-authorization
+/config/initializers/gitlab_shell_secret_token.rb @gitlab-org/manage/authentication-and-authorization
+/config/initializers/omniauth.rb @gitlab-org/manage/authentication-and-authorization
+/config/initializers/rails_host_authorization.rb @gitlab-org/manage/authentication-and-authorization
+/config/initializers/rails_host_authorization_gitpod.rb @gitlab-org/manage/authentication-and-authorization
+/config/initializers/webauthn.rb @gitlab-org/manage/authentication-and-authorization
+/config/initializers_before_autoloader/100_patch_omniauth_oauth2.rb @gitlab-org/manage/authentication-and-authorization
+/config/initializers_before_autoloader/100_patch_omniauth_saml.rb @gitlab-org/manage/authentication-and-authorization
+/ee/app/assets/javascripts/access_tokens @gitlab-org/manage/authentication-and-authorization
+/ee/app/assets/javascripts/audit_events/components/tokens @gitlab-org/manage/authentication-and-authorization
+/ee/app/assets/javascripts/audit_events/token_utils.js @gitlab-org/manage/authentication-and-authorization
+/ee/app/assets/javascripts/groups/settings/components @gitlab-org/manage/authentication-and-authorization
+/ee/app/assets/javascripts/pages/groups/omniauth_callbacks @gitlab-org/manage/authentication-and-authorization
+/ee/app/assets/javascripts/pipelines/components/pipelines_list @gitlab-org/manage/authentication-and-authorization
+/ee/app/assets/javascripts/requirements/components/tokens @gitlab-org/manage/authentication-and-authorization
+/ee/app/assets/javascripts/saml_providers/scim_token_service.js @gitlab-org/manage/authentication-and-authorization
+/ee/app/assets/javascripts/saml_sso/components @gitlab-org/manage/authentication-and-authorization
+/ee/app/assets/javascripts/vue_merge_request_widget/components/approvals/approvals_auth.vue @gitlab-org/manage/authentication-and-authorization
+/ee/app/controllers/concerns/ee/authenticates_with_two_factor.rb @gitlab-org/manage/authentication-and-authorization
+/ee/app/controllers/concerns/ee/enforces_two_factor_authentication.rb @gitlab-org/manage/authentication-and-authorization
+/ee/app/controllers/concerns/saml_authorization.rb @gitlab-org/manage/authentication-and-authorization
+/ee/app/controllers/ee/ldap @gitlab-org/manage/authentication-and-authorization
+/ee/app/controllers/ee/omniauth_callbacks_controller.rb @gitlab-org/manage/authentication-and-authorization
+/ee/app/controllers/ee/passwords_controller.rb @gitlab-org/manage/authentication-and-authorization
+/ee/app/controllers/groups/omniauth_callbacks_controller.rb @gitlab-org/manage/authentication-and-authorization
+/ee/app/controllers/groups/scim_oauth_controller.rb @gitlab-org/manage/authentication-and-authorization
+/ee/app/controllers/oauth @gitlab-org/manage/authentication-and-authorization
+/ee/app/controllers/omniauth_kerberos_spnego_controller.rb @gitlab-org/manage/authentication-and-authorization
+/ee/app/finders/auth @gitlab-org/manage/authentication-and-authorization
+/ee/app/helpers/ee/access_tokens_helper.rb @gitlab-org/manage/authentication-and-authorization
+/ee/app/helpers/ee/auth_helper.rb @gitlab-org/manage/authentication-and-authorization
+/ee/app/helpers/ee/personal_access_tokens_helper.rb @gitlab-org/manage/authentication-and-authorization
+/ee/app/models/ee/personal_access_token.rb @gitlab-org/manage/authentication-and-authorization
+/ee/app/models/ee/project_authorization.rb @gitlab-org/manage/authentication-and-authorization
+/ee/app/models/scim_oauth_access_token.rb @gitlab-org/manage/authentication-and-authorization
+/ee/app/serializers/scim_oauth_access_token_entity.rb @gitlab-org/manage/authentication-and-authorization
+/ee/app/services/ee/auth @gitlab-org/manage/authentication-and-authorization
+/ee/app/services/ee/personal_access_tokens @gitlab-org/manage/authentication-and-authorization
+/ee/app/services/ee/resource_access_tokens @gitlab-org/manage/authentication-and-authorization
+/ee/app/services/personal_access_tokens @gitlab-org/manage/authentication-and-authorization
+/ee/app/services/security/token_revocation_service.rb @gitlab-org/manage/authentication-and-authorization
+/ee/app/views/admin/application_settings/_personal_access_token_expiration_policy.html.haml @gitlab-org/manage/authentication-and-authorization
+/ee/app/views/credentials_inventory_mailer/personal_access_token_revoked_email.html.haml @gitlab-org/manage/authentication-and-authorization
+/ee/app/views/credentials_inventory_mailer/personal_access_token_revoked_email.text.haml @gitlab-org/manage/authentication-and-authorization
+/ee/app/views/groups/_personal_access_token_expiration_policy.html.haml @gitlab-org/manage/authentication-and-authorization
+/ee/app/views/groups/sso/_authorize_pane.html.haml @gitlab-org/manage/authentication-and-authorization
+/ee/app/views/notify/policy_revoked_personal_access_tokens_email.html.haml @gitlab-org/manage/authentication-and-authorization
+/ee/app/views/notify/policy_revoked_personal_access_tokens_email.text.erb @gitlab-org/manage/authentication-and-authorization
+/ee/app/views/oauth @gitlab-org/manage/authentication-and-authorization
+/ee/app/views/shared/credentials_inventory/_personal_access_tokens.html.haml @gitlab-org/manage/authentication-and-authorization
+/ee/app/views/shared/credentials_inventory/_project_access_tokens.html.haml @gitlab-org/manage/authentication-and-authorization
+/ee/app/views/shared/credentials_inventory/personal_access_tokens @gitlab-org/manage/authentication-and-authorization
+/ee/app/views/shared/credentials_inventory/project_access_tokens @gitlab-org/manage/authentication-and-authorization
+/ee/app/workers/personal_access_tokens @gitlab-org/manage/authentication-and-authorization
+/ee/config/routes/oauth.rb @gitlab-org/manage/authentication-and-authorization
+/ee/lib/ee/gitlab/auth @gitlab-org/manage/authentication-and-authorization
+/ee/lib/ee/gitlab/auth.rb @gitlab-org/manage/authentication-and-authorization
+/ee/lib/ee/gitlab/omniauth_initializer.rb @gitlab-org/manage/authentication-and-authorization
+/ee/lib/gitlab/auth @gitlab-org/manage/authentication-and-authorization
+/ee/lib/gitlab/auth_logger.rb @gitlab-org/manage/authentication-and-authorization
+/ee/lib/gitlab/authority_analyzer.rb @gitlab-org/manage/authentication-and-authorization
+/ee/lib/gitlab/geo/oauth @gitlab-org/manage/authentication-and-authorization
+/ee/lib/gitlab/kerberos @gitlab-org/manage/authentication-and-authorization
+/ee/lib/omni_auth @gitlab-org/manage/authentication-and-authorization
+/ee/lib/system_check/geo/authorized_keys_check.rb @gitlab-org/manage/authentication-and-authorization
+/ee/lib/system_check/geo/authorized_keys_flag_check.rb @gitlab-org/manage/authentication-and-authorization
+/lib/api/entities/ci/reset_token_result.rb @gitlab-org/manage/authentication-and-authorization
+/lib/api/entities/impersonation_token.rb @gitlab-org/manage/authentication-and-authorization
+/lib/api/entities/impersonation_token_with_token.rb @gitlab-org/manage/authentication-and-authorization
+/lib/api/entities/personal_access_token.rb @gitlab-org/manage/authentication-and-authorization
+/lib/api/entities/personal_access_token_with_token.rb @gitlab-org/manage/authentication-and-authorization
+/lib/api/entities/resource_access_token.rb @gitlab-org/manage/authentication-and-authorization
+/lib/api/entities/resource_access_token_with_token.rb @gitlab-org/manage/authentication-and-authorization
+/lib/api/helpers/authentication.rb @gitlab-org/manage/authentication-and-authorization
+/lib/api/helpers/packages/basic_auth_helpers.rb @gitlab-org/manage/authentication-and-authorization
+/lib/api/personal_access_tokens.rb @gitlab-org/manage/authentication-and-authorization
+/lib/api/resource_access_tokens.rb @gitlab-org/manage/authentication-and-authorization
+/lib/api/support/token_with_expiration.rb @gitlab-org/manage/authentication-and-authorization
+/lib/gitlab/api_authentication @gitlab-org/manage/authentication-and-authorization
+/lib/gitlab/auth @gitlab-org/manage/authentication-and-authorization
+/lib/gitlab/auth.rb @gitlab-org/manage/authentication-and-authorization
+/lib/gitlab/auth_logger.rb @gitlab-org/manage/authentication-and-authorization
+/lib/gitlab/authorized_keys.rb @gitlab-org/manage/authentication-and-authorization
+/lib/gitlab/background_migration/encrypt_static_object_token.rb @gitlab-org/manage/authentication-and-authorization
+/lib/gitlab/background_migration/migrate_u2f_webauthn.rb @gitlab-org/manage/authentication-and-authorization
+/lib/gitlab/background_migration/update_users_where_two_factor_auth_required_from_group.rb @gitlab-org/manage/authentication-and-authorization
+/lib/gitlab/chat_name_token.rb @gitlab-org/manage/authentication-and-authorization
+/lib/gitlab/ci/pipeline/expression/token.rb @gitlab-org/manage/authentication-and-authorization
+/lib/gitlab/external_authorization @gitlab-org/manage/authentication-and-authorization
+/lib/gitlab/external_authorization.rb @gitlab-org/manage/authentication-and-authorization
+/lib/gitlab/graphql/authorize @gitlab-org/manage/authentication-and-authorization
+/lib/gitlab/jwt_authenticatable.rb @gitlab-org/manage/authentication-and-authorization
+/lib/gitlab/jwt_token.rb @gitlab-org/manage/authentication-and-authorization
+/lib/gitlab/lfs_token.rb @gitlab-org/manage/authentication-and-authorization
+/lib/gitlab/mail_room @gitlab-org/manage/authentication-and-authorization
+/lib/gitlab/omniauth_initializer.rb @gitlab-org/manage/authentication-and-authorization
+/lib/gitlab/project_authorizations.rb @gitlab-org/manage/authentication-and-authorization
+/lib/json_web_token @gitlab-org/manage/authentication-and-authorization
+/lib/omni_auth @gitlab-org/manage/authentication-and-authorization
+/lib/system_check/app/authorized_keys_permission_check.rb @gitlab-org/manage/authentication-and-authorization
+/lib/system_check/incoming_email/imap_authentication_check.rb @gitlab-org/manage/authentication-and-authorization
+/lib/tasks/gitlab/password.rake @gitlab-org/manage/authentication-and-authorization
+/lib/tasks/tokens.rake @gitlab-org/manage/authentication-and-authorization
--- a/spec/tooling/fixtures/find_codeowners/dir0/dir1/dir2/file2
+++ b/spec/tooling/fixtures/find_codeowners/dir0/dir1/dir2/file2
--- a/spec/tooling/fixtures/find_codeowners/dir0/dir1/file1
+++ b/spec/tooling/fixtures/find_codeowners/dir0/dir1/file1
--- a/spec/tooling/fixtures/find_codeowners/dir0/file0
+++ b/spec/tooling/fixtures/find_codeowners/dir0/file0
--- a/spec/tooling/fixtures/find_codeowners/file
+++ b/spec/tooling/fixtures/find_codeowners/file
--- a/spec/tooling/lib/tooling/find_codeowners_spec.rb
+++ b/spec/tooling/lib/tooling/find_codeowners_spec.rb
+# frozen_string_literal: true
+
+require_relative '../../../../tooling/lib/tooling/find_codeowners'
+
+RSpec.describe Tooling::FindCodeowners do
+  let(:subject) { described_class.new }
+  let(:root) { File.expand_path('../../fixtures/find_codeowners', __dir__) }
+
+  describe '#execute' do
+    before do
+      allow(subject).to receive(:load_config).and_return(
+        '[Section name]': {
+          '@group': {
+            allow: {
+              keywords: %w[dir0 file],
+              patterns: ['/%{keyword}/**/*', '/%{keyword}']
+            },
+            deny: {
+              keywords: %w[file0],
+              patterns: ['**/%{keyword}']
+            }
+          }
+        }
+      )
+    end
+
+    it 'prints CODEOWNERS as configured' do
+      expect do
+        Dir.chdir(root) do
+          subject.execute
+        end
+      end.to output(<<~CODEOWNERS).to_stdout
+        [Section name]
+        /dir0/dir1 @group
+        /file @group
+      CODEOWNERS
+    end
+  end
+
+  describe '#load_definitions' do
+    it 'expands the allow and deny list with keywords and patterns' do
+      subject.load_definitions.each do |section, group_defintions|
+        group_defintions.each do |group, definitions|
+          expect(definitions[:allow]).to be_an(Array)
+          expect(definitions[:deny]).to be_an(Array)
+        end
+      end
+    end
+
+    it 'expands the auth group' do
+      auth = subject.load_definitions.dig(
+        :'[Authentication and Authorization]',
+        :'@gitlab-org/manage/authentication-and-authorization')
+
+      expect(auth).to eq(
+        allow: %w[
+          /{,ee/}app/**/*password*{/**/*,}
+          /{,ee/}config/**/*password*{/**/*,}
+          /{,ee/}lib/**/*password*{/**/*,}
+          /{,ee/}app/**/*auth*{/**/*,}
+          /{,ee/}config/**/*auth*{/**/*,}
+          /{,ee/}lib/**/*auth*{/**/*,}
+          /{,ee/}app/**/*token*{/**/*,}
+          /{,ee/}config/**/*token*{/**/*,}
+          /{,ee/}lib/**/*token*{/**/*,}
+        ],
+        deny: %w[
+          **/*author.*{/**/*,}
+          **/*author_*{/**/*,}
+          **/*authored*{/**/*,}
+          **/*authoring*{/**/*,}
+          **/*.png*{/**/*,}
+          **/*.svg*{/**/*,}
+          **/*deploy_token*{/**/*,}
+          **/*runner{,s}_token*{/**/*,}
+          **/*job_token*{/**/*,}
+          **/*autocomplete_tokens*{/**/*,}
+          **/*dast_site_token*{/**/*,}
+          **/*reset_prometheus_token*{/**/*,}
+          **/*reset_registration_token*{/**/*,}
+          **/*runners_registration_token*{/**/*,}
+          **/*terraform_registry_token*{/**/*,}
+          **/*tokenizer*{/**/*,}
+          **/*filtered_search*{/**/*,}
+          **/*/alert_management/*{/**/*,}
+          **/*/analytics/*{/**/*,}
+          **/*/bitbucket/*{/**/*,}
+          **/*/clusters/*{/**/*,}
+          **/*/clusters_list/*{/**/*,}
+          **/*/dast/*{/**/*,}
+          **/*/dast_profiles/*{/**/*,}
+          **/*/dast_site_tokens/*{/**/*,}
+          **/*/dast_site_validation/*{/**/*,}
+          **/*/dependency_proxy/*{/**/*,}
+          **/*/error_tracking/*{/**/*,}
+          **/*/google_api/*{/**/*,}
+          **/*/google_cloud/*{/**/*,}
+          **/*/jira_connect/*{/**/*,}
+          **/*/kubernetes/*{/**/*,}
+          **/*/protected_environments/*{/**/*,}
+          **/*/config/feature_flags/development/jira_connect_*{/**/*,}
+          **/*/config/metrics/*{/**/*,}
+          **/*/app/controllers/groups/dependency_proxy_auth_controller.rb*{/**/*,}
+          **/*/app/finders/ci/auth_job_finder.rb*{/**/*,}
+          **/*/ee/config/metrics/*{/**/*,}
+          **/*/lib/gitlab/conan_token.rb*{/**/*,}
+        ]
+      )
+    end
+  end
+
+  describe '#load_config' do
+    it 'loads the config with symbolized keys' do
+      config = subject.load_config
+
+      expect_hash_keys_to_be_symbols(config)
+    end
+
+    context 'when YAML has safe_load_file' do
+      before do
+        allow(YAML).to receive(:respond_to?).with(:safe_load_file).and_return(true)
+      end
+
+      it 'calls safe_load_file' do
+        expect(YAML).to receive(:safe_load_file)
+
+        subject.load_config
+      end
+    end
+
+    context 'when YAML does not have safe_load_file' do
+      before do
+        allow(YAML).to receive(:respond_to?).with(:safe_load_file).and_return(false)
+      end
+
+      it 'calls load_file' do
+        expect(YAML).to receive(:safe_load)
+
+        subject.load_config
+      end
+    end
+
+    def expect_hash_keys_to_be_symbols(object)
+      if object.is_a?(Hash)
+        object.each do |key, value|
+          expect(key).to be_a(Symbol)
+
+          expect_hash_keys_to_be_symbols(value)
+        end
+      end
+    end
+  end
+
+  describe '#path_matches?' do
+    let(:pattern) { 'pattern' }
+    let(:path) { 'path' }
+
+    it 'passes flags we are expecting to File.fnmatch?' do
+      expected_flags =
+        ::File::FNM_DOTMATCH | ::File::FNM_PATHNAME | ::File::FNM_EXTGLOB
+
+      expect(File).to receive(:fnmatch?).with(pattern, path, expected_flags)
+
+      subject.path_matches?(pattern, path)
+    end
+  end
+
+  describe '#consolidate_paths' do
+    before do
+      allow(subject).to receive(:find_dir_maxdepth_1).and_return(<<~LINES)
+        dir
+        dir/0
+        dir/2
+        dir/3
+        dir/1
+      LINES
+    end
+
+    context 'when the directory has the same number of entries' do
+      let(:input_paths) { %W[dir/0\n dir/1\n dir/2\n dir/3\n] }
+
+      it 'consolidates into the directory' do
+        paths = subject.consolidate_paths(input_paths)
+
+        expect(paths).to eq(["dir\n"])
+      end
+    end
+
+    context 'when the directory has different number of entries' do
+      let(:input_paths) { %W[dir/0\n dir/1\n dir/2\n] }
+
+      it 'returns the original paths' do
+        paths = subject.consolidate_paths(input_paths)
+
+        expect(paths).to eq(input_paths)
+      end
+    end
+  end
+end
--- a/tooling/bin/find_codeowners
+++ b/tooling/bin/find_codeowners
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require_relative '../lib/tooling/find_codeowners'
+
+Tooling::FindCodeowners.new.execute
--- a/tooling/config/CODEOWNERS.yml
+++ b/tooling/config/CODEOWNERS.yml
+# This is supposed to be used with:
+#     tooling/bin/find_codeowners tooling/config/CODEOWNERS.yml
+# And paste the contents into .gitlab/CODEOWNERS
+
+'[Authentication and Authorization]':
+  '@gitlab-org/manage/authentication-and-authorization':
+    allow:
+      keywords:
+        - password
+        - auth
+        - token
+      patterns:
+        - '/{,ee/}app/**/*%{keyword}*{/**/*,}'
+        - '/{,ee/}config/**/*%{keyword}*{/**/*,}'
+        - '/{,ee/}lib/**/*%{keyword}*{/**/*,}'
+    deny:
+      keywords:
+        - author.
+        - author_
+        - authored
+        - authoring
+        - .png
+        - .svg
+        - deploy_token
+        - runner{,s}_token
+        - job_token
+        - autocomplete_tokens
+        - dast_site_token
+        - reset_prometheus_token
+        - reset_registration_token
+        - runners_registration_token
+        - terraform_registry_token
+        - tokenizer
+        - filtered_search
+        - /alert_management/
+        - /analytics/
+        - /bitbucket/
+        - /clusters/
+        - /clusters_list/
+        - /dast/
+        - /dast_profiles/
+        - /dast_site_tokens/
+        - /dast_site_validation/
+        - /dependency_proxy/
+        - /error_tracking/
+        - /google_api/
+        - /google_cloud/
+        - /jira_connect/
+        - /kubernetes/
+        - /protected_environments/
+        - /config/feature_flags/development/jira_connect_
+        - /config/metrics/
+        - /app/controllers/groups/dependency_proxy_auth_controller.rb
+        - /app/finders/ci/auth_job_finder.rb
+        - /ee/config/metrics/
+        - /lib/gitlab/conan_token.rb
+      patterns:
+        - '**/*%{keyword}*{/**/*,}'
--- a/tooling/lib/tooling/find_codeowners.rb
+++ b/tooling/lib/tooling/find_codeowners.rb
+# frozen_string_literal: true
+
+require 'yaml'
+
+module Tooling
+  class FindCodeowners
+    def execute
+      load_definitions.each do |section, group_defintions|
+        puts section
+
+        group_defintions.each do |group, list|
+          matched_files = git_ls_files.each_line.select do |line|
+            list[:allow].find do |pattern|
+              path = "/#{line.chomp}"
+
+              path_matches?(pattern, path) &&
+                list[:deny].none? { |pattern| path_matches?(pattern, path) }
+            end
+          end
+
+          consolidated = consolidate_paths(matched_files)
+          consolidated_again = consolidate_paths(consolidated)
+
+          # Consider the directory structure is a tree structure:
+          # https://en.wikipedia.org/wiki/Tree_(data_structure)
+          # After we consolidated the leaf entries, it could be possible that
+          # we can consolidate further for the new leaves. Repeat this
+          # process until we see no improvements.
+          while consolidated_again.size < consolidated.size
+            consolidated = consolidated_again
+            consolidated_again = consolidate_paths(consolidated)
+          end
+
+          consolidated.each do |file|
+            puts "/#{file.chomp} #{group}"
+          end
+        end
+      end
+    end
+
+    def load_definitions
+      result = load_config
+
+      result.each do |section, group_defintions|
+        group_defintions.each do |group, definitions|
+          definitions.transform_values! do |rules|
+            rules[:keywords].flat_map do |keyword|
+              rules[:patterns].map do |pattern|
+                pattern % { keyword: keyword }
+              end
+            end
+          end
+        end
+      end
+
+      result
+    end
+
+    def load_config
+      config_path = "#{__dir__}/../../config/CODEOWNERS.yml"
+
+      if YAML.respond_to?(:safe_load_file) # Ruby 3.0+
+        YAML.safe_load_file(config_path, symbolize_names: true)
+      else
+        YAML.safe_load(File.read(config_path), symbolize_names: true)
+      end
+    end
+
+    # Copied and modified from ee/lib/gitlab/code_owners/file.rb
+    def path_matches?(pattern, path)
+      # `FNM_DOTMATCH` makes sure we also match files starting with a `.`
+      # `FNM_PATHNAME` makes sure ** matches path separators
+      flags = ::File::FNM_DOTMATCH | ::File::FNM_PATHNAME
+
+      # BEGIN extension
+      flags |= ::File::FNM_EXTGLOB
+      # END extension
+
+      ::File.fnmatch?(pattern, path, flags)
+    end
+
+    def consolidate_paths(matched_files)
+      matched_files.group_by(&File.method(:dirname)).flat_map do |dir, files|
+        # First line is the dir itself
+        if find_dir_maxdepth_1(dir).lines.drop(1).sort == files.sort
+          "#{dir}\n"
+        else
+          files
+        end
+      end.sort
+    end
+
+    private
+
+    def find_dir_maxdepth_1(dir)
+      `find #{dir} -maxdepth 1`
+    end
+
+    def git_ls_files
+      @git_ls_files ||= `git ls-files`
+    end
+  end
+end