diff --git a/.gitlab/CODEOWNERS b/.gitlab/CODEOWNERS index 069b0a225c6e7cc180cc50a5a8077eaa278a8099..516a61edb629fb8c67b16d4f1417c00deae3387d 100644 --- a/.gitlab/CODEOWNERS +++ b/.gitlab/CODEOWNERS 
@@ -800,29 +800,245 @@ lib/gitlab/checks/** @proglottis @toon @zj-gitlab /doc/user/workspace/index.md @fneill [Authentication and Authorization] -/app/**/*password* @gitlab-org/manage/authentication-and-authorization -/ee/app/**/*password* @gitlab-org/manage/authentication-and-authorization -/config/**/*password* @gitlab-org/manage/authentication-and-authorization -/ee/config/**/*password* @gitlab-org/manage/authentication-and-authorization -/lib/**/*password* @gitlab-org/manage/authentication-and-authorization -/ee/lib/**/*password* @gitlab-org/manage/authentication-and-authorization -/app/controllers/**/*password* @gitlab-org/manage/authentication-and-authorization -/ee/app/controllers/**/*password* @gitlab-org/manage/authentication-and-authorization - -/app/**/*auth* @gitlab-org/manage/authentication-and-authorization -/ee/app/**/*auth* @gitlab-org/manage/authentication-and-authorization -/config/**/*auth* @gitlab-org/manage/authentication-and-authorization -/ee/config/**/*auth* @gitlab-org/manage/authentication-and-authorization -/lib/**/*auth* @gitlab-org/manage/authentication-and-authorization -/ee/lib/**/*auth* @gitlab-org/manage/authentication-and-authorization -/app/controllers/**/*auth* @gitlab-org/manage/authentication-and-authorization -/ee/app/controllers/**/*auth* @gitlab-org/manage/authentication-and-authorization - -/app/**/*token* @gitlab-org/manage/authentication-and-authorization -/ee/app/**/*token* @gitlab-org/manage/authentication-and-authorization -/config/**/*token* @gitlab-org/manage/authentication-and-authorization -/ee/config/**/*token* @gitlab-org/manage/authentication-and-authorization -/lib/**/*token* @gitlab-org/manage/authentication-and-authorization -/ee/lib/**/*token* @gitlab-org/manage/authentication-and-authorization -/app/controllers/**/*token* @gitlab-org/manage/authentication-and-authorization -/ee/app/controllers/**/*token* @gitlab-org/manage/authentication-and-authorization +/app/assets/javascripts/access_tokens 
@gitlab-org/manage/authentication-and-authorization +/app/assets/javascripts/alerts_settings/graphql/mutations/reset_http_token.mutation.graphql @gitlab-org/manage/authentication-and-authorization +/app/assets/javascripts/authentication @gitlab-org/manage/authentication-and-authorization +/app/assets/javascripts/ide/components/shared/tokened_input.vue @gitlab-org/manage/authentication-and-authorization +/app/assets/javascripts/invite_members/components/members_token_select.vue @gitlab-org/manage/authentication-and-authorization +/app/assets/javascripts/logs/components/tokens @gitlab-org/manage/authentication-and-authorization +/app/assets/javascripts/packages_and_registries/package_registry/components/list/tokens @gitlab-org/manage/authentication-and-authorization +/app/assets/javascripts/pages/admin/impersonation_tokens @gitlab-org/manage/authentication-and-authorization +/app/assets/javascripts/pages/groups/settings/access_tokens @gitlab-org/manage/authentication-and-authorization +/app/assets/javascripts/pages/ldap @gitlab-org/manage/authentication-and-authorization +/app/assets/javascripts/pages/oauth @gitlab-org/manage/authentication-and-authorization +/app/assets/javascripts/pages/omniauth_callbacks @gitlab-org/manage/authentication-and-authorization +/app/assets/javascripts/pages/profiles/password_prompt @gitlab-org/manage/authentication-and-authorization +/app/assets/javascripts/pages/profiles/personal_access_tokens @gitlab-org/manage/authentication-and-authorization +/app/assets/javascripts/pages/profiles/two_factor_auths @gitlab-org/manage/authentication-and-authorization +/app/assets/javascripts/pages/projects/settings/access_tokens @gitlab-org/manage/authentication-and-authorization +/app/assets/javascripts/pages/sessions/new/oauth_remember_me.js @gitlab-org/manage/authentication-and-authorization +/app/assets/javascripts/pipelines/components/pipelines_list/tokens/constants.js @gitlab-org/manage/authentication-and-authorization 
+/app/assets/javascripts/pipelines/components/pipelines_list/tokens/pipeline_branch_name_token.vue @gitlab-org/manage/authentication-and-authorization +/app/assets/javascripts/pipelines/components/pipelines_list/tokens/pipeline_source_token.vue @gitlab-org/manage/authentication-and-authorization +/app/assets/javascripts/pipelines/components/pipelines_list/tokens/pipeline_status_token.vue @gitlab-org/manage/authentication-and-authorization +/app/assets/javascripts/pipelines/components/pipelines_list/tokens/pipeline_tag_name_token.vue @gitlab-org/manage/authentication-and-authorization +/app/assets/javascripts/projects/settings/topics/components @gitlab-org/manage/authentication-and-authorization +/app/assets/javascripts/related_issues/components/issue_token.vue @gitlab-org/manage/authentication-and-authorization +/app/assets/javascripts/runner/components/registration/registration_token.vue @gitlab-org/manage/authentication-and-authorization +/app/assets/javascripts/runner/components/registration/registration_token_reset_dropdown_item.vue @gitlab-org/manage/authentication-and-authorization +/app/assets/javascripts/runner/components/search_tokens @gitlab-org/manage/authentication-and-authorization +/app/assets/javascripts/static_site_editor/rich_content_editor/services/renderers/build_uneditable_token.js @gitlab-org/manage/authentication-and-authorization +/app/assets/javascripts/token_access/components @gitlab-org/manage/authentication-and-authorization +/app/assets/javascripts/token_access/index.js @gitlab-org/manage/authentication-and-authorization +/app/assets/stylesheets/page_bundles/profile_two_factor_auth.scss @gitlab-org/manage/authentication-and-authorization +/app/controllers/admin/impersonation_tokens_controller.rb @gitlab-org/manage/authentication-and-authorization +/app/controllers/concerns/access_tokens_actions.rb @gitlab-org/manage/authentication-and-authorization +/app/controllers/concerns/authenticates_with_two_factor.rb 
@gitlab-org/manage/authentication-and-authorization +/app/controllers/concerns/authenticates_with_two_factor_for_admin_mode.rb @gitlab-org/manage/authentication-and-authorization +/app/controllers/concerns/enforces_admin_authentication.rb @gitlab-org/manage/authentication-and-authorization +/app/controllers/concerns/enforces_two_factor_authentication.rb @gitlab-org/manage/authentication-and-authorization +/app/controllers/concerns/oauth_applications.rb @gitlab-org/manage/authentication-and-authorization +/app/controllers/concerns/project_unauthorized.rb @gitlab-org/manage/authentication-and-authorization +/app/controllers/concerns/sessionless_authentication.rb @gitlab-org/manage/authentication-and-authorization +/app/controllers/concerns/snippet_authorizations.rb @gitlab-org/manage/authentication-and-authorization +/app/controllers/concerns/workhorse_authorization.rb @gitlab-org/manage/authentication-and-authorization +/app/controllers/groups/settings/access_tokens_controller.rb @gitlab-org/manage/authentication-and-authorization +/app/controllers/ldap @gitlab-org/manage/authentication-and-authorization +/app/controllers/oauth @gitlab-org/manage/authentication-and-authorization +/app/controllers/omniauth_callbacks_controller.rb @gitlab-org/manage/authentication-and-authorization +/app/controllers/passwords_controller.rb @gitlab-org/manage/authentication-and-authorization +/app/controllers/profiles/passwords_controller.rb @gitlab-org/manage/authentication-and-authorization +/app/controllers/profiles/personal_access_tokens_controller.rb @gitlab-org/manage/authentication-and-authorization +/app/controllers/profiles/two_factor_auths_controller.rb @gitlab-org/manage/authentication-and-authorization +/app/controllers/profiles/webauthn_registrations_controller.rb @gitlab-org/manage/authentication-and-authorization +/app/controllers/projects/settings/access_tokens_controller.rb @gitlab-org/manage/authentication-and-authorization 
+/app/finders/groups/projects_requiring_authorizations_refresh @gitlab-org/manage/authentication-and-authorization +/app/finders/personal_access_tokens_finder.rb @gitlab-org/manage/authentication-and-authorization +/app/helpers/access_tokens_helper.rb @gitlab-org/manage/authentication-and-authorization +/app/helpers/auth_helper.rb @gitlab-org/manage/authentication-and-authorization +/app/models/authentication_event.rb @gitlab-org/manage/authentication-and-authorization +/app/models/concerns/admin_changed_password_notifier.rb @gitlab-org/manage/authentication-and-authorization +/app/models/concerns/mirror_authentication.rb @gitlab-org/manage/authentication-and-authorization +/app/models/concerns/select_for_project_authorization.rb @gitlab-org/manage/authentication-and-authorization +/app/models/concerns/token_authenticatable.rb @gitlab-org/manage/authentication-and-authorization +/app/models/concerns/token_authenticatable_strategies @gitlab-org/manage/authentication-and-authorization +/app/models/oauth_access_grant.rb @gitlab-org/manage/authentication-and-authorization +/app/models/oauth_access_token.rb @gitlab-org/manage/authentication-and-authorization +/app/models/personal_access_token.rb @gitlab-org/manage/authentication-and-authorization +/app/models/project_authorization.rb @gitlab-org/manage/authentication-and-authorization +/app/models/token_with_iv.rb @gitlab-org/manage/authentication-and-authorization +/app/models/webauthn_registration.rb @gitlab-org/manage/authentication-and-authorization +/app/policies/personal_access_token_policy.rb @gitlab-org/manage/authentication-and-authorization +/app/services/access_token_validation_service.rb @gitlab-org/manage/authentication-and-authorization +/app/services/auth @gitlab-org/manage/authentication-and-authorization +/app/services/authorized_project_update @gitlab-org/manage/authentication-and-authorization +/app/services/chat_names/authorize_user_service.rb @gitlab-org/manage/authentication-and-authorization 
+/app/services/personal_access_tokens @gitlab-org/manage/authentication-and-authorization +/app/services/projects/move_project_authorizations_service.rb @gitlab-org/manage/authentication-and-authorization +/app/services/resource_access_tokens @gitlab-org/manage/authentication-and-authorization +/app/services/todos/destroy/unauthorized_features_service.rb @gitlab-org/manage/authentication-and-authorization +/app/services/users/authorized_build_service.rb @gitlab-org/manage/authentication-and-authorization +/app/services/users/authorized_create_service.rb @gitlab-org/manage/authentication-and-authorization +/app/services/users/refresh_authorized_projects_service.rb @gitlab-org/manage/authentication-and-authorization +/app/services/webauthn @gitlab-org/manage/authentication-and-authorization +/app/validators/json_schemas/cluster_agent_authorization_configuration.json @gitlab-org/manage/authentication-and-authorization +/app/views/admin/application_settings/_external_authorization_service_form.html.haml @gitlab-org/manage/authentication-and-authorization +/app/views/admin/impersonation_tokens @gitlab-org/manage/authentication-and-authorization +/app/views/authentication @gitlab-org/manage/authentication-and-authorization +/app/views/ci/token_access @gitlab-org/manage/authentication-and-authorization +/app/views/dashboard/projects/_zero_authorized_projects.html.haml @gitlab-org/manage/authentication-and-authorization +/app/views/devise/mailer/password_change.html.haml @gitlab-org/manage/authentication-and-authorization +/app/views/devise/mailer/password_change.text.erb @gitlab-org/manage/authentication-and-authorization +/app/views/devise/mailer/password_change_by_admin.html.haml @gitlab-org/manage/authentication-and-authorization +/app/views/devise/mailer/password_change_by_admin.text.erb @gitlab-org/manage/authentication-and-authorization +/app/views/devise/mailer/reset_password_instructions.html.haml @gitlab-org/manage/authentication-and-authorization 
+/app/views/devise/mailer/reset_password_instructions.text.erb @gitlab-org/manage/authentication-and-authorization +/app/views/devise/passwords @gitlab-org/manage/authentication-and-authorization +/app/views/devise/shared/_omniauth_box.html.haml @gitlab-org/manage/authentication-and-authorization +/app/views/devise/shared/_signup_omniauth_provider_list.haml @gitlab-org/manage/authentication-and-authorization +/app/views/devise/shared/_signup_omniauth_providers.haml @gitlab-org/manage/authentication-and-authorization +/app/views/devise/shared/_signup_omniauth_providers_top.haml @gitlab-org/manage/authentication-and-authorization +/app/views/doorkeeper/authorizations @gitlab-org/manage/authentication-and-authorization +/app/views/doorkeeper/authorized_applications @gitlab-org/manage/authentication-and-authorization +/app/views/errors/omniauth_error.html.haml @gitlab-org/manage/authentication-and-authorization +/app/views/groups/settings/_resource_access_token_creation.html.haml @gitlab-org/manage/authentication-and-authorization +/app/views/groups/settings/_two_factor_auth.html.haml @gitlab-org/manage/authentication-and-authorization +/app/views/groups/settings/access_tokens @gitlab-org/manage/authentication-and-authorization +/app/views/layouts/oauth_error.html.haml @gitlab-org/manage/authentication-and-authorization +/app/views/notify/access_token_about_to_expire_email.html.haml @gitlab-org/manage/authentication-and-authorization +/app/views/notify/access_token_about_to_expire_email.text.erb @gitlab-org/manage/authentication-and-authorization +/app/views/notify/access_token_created_email.html.haml @gitlab-org/manage/authentication-and-authorization +/app/views/notify/access_token_created_email.text.erb @gitlab-org/manage/authentication-and-authorization +/app/views/notify/access_token_expired_email.html.haml @gitlab-org/manage/authentication-and-authorization +/app/views/notify/access_token_expired_email.text.erb @gitlab-org/manage/authentication-and-authorization 
+/app/views/profiles/passwords @gitlab-org/manage/authentication-and-authorization +/app/views/profiles/personal_access_tokens @gitlab-org/manage/authentication-and-authorization +/app/views/profiles/two_factor_auths @gitlab-org/manage/authentication-and-authorization +/app/views/projects/mirrors/_authentication_method.html.haml @gitlab-org/manage/authentication-and-authorization +/app/views/projects/settings/access_tokens @gitlab-org/manage/authentication-and-authorization +/app/views/shared/_no_password.html.haml @gitlab-org/manage/authentication-and-authorization +/app/views/shared/_two_factor_auth_recovery_settings_check.html.haml @gitlab-org/manage/authentication-and-authorization +/app/views/shared/access_tokens @gitlab-org/manage/authentication-and-authorization +/app/views/shared/members/_two_factor_auth_badge.html.haml @gitlab-org/manage/authentication-and-authorization +/app/views/shared/tokens @gitlab-org/manage/authentication-and-authorization +/app/workers/authorized_keys_worker.rb @gitlab-org/manage/authentication-and-authorization +/app/workers/authorized_project_update @gitlab-org/manage/authentication-and-authorization +/app/workers/authorized_projects_worker.rb @gitlab-org/manage/authentication-and-authorization +/app/workers/personal_access_tokens @gitlab-org/manage/authentication-and-authorization +/config/feature_flags/development/application_settings_tokens_optional_encryption.yml @gitlab-org/manage/authentication-and-authorization +/config/feature_flags/development/enforce_auth_checks_on_uploads.yml @gitlab-org/manage/authentication-and-authorization +/config/feature_flags/development/forti_authenticator.yml @gitlab-org/manage/authentication-and-authorization +/config/feature_flags/development/forti_token_cloud.yml @gitlab-org/manage/authentication-and-authorization +/config/feature_flags/development/groups_tokens_optional_encryption.yml @gitlab-org/manage/authentication-and-authorization 
+/config/feature_flags/development/omniauth_initializer_fullhost_proc.yml @gitlab-org/manage/authentication-and-authorization +/config/feature_flags/development/omniauth_login_minimal_scopes.yml @gitlab-org/manage/authentication-and-authorization +/config/feature_flags/development/personal_access_tokens_scoped_to_projects.yml @gitlab-org/manage/authentication-and-authorization +/config/feature_flags/development/projects_tokens_optional_encryption.yml @gitlab-org/manage/authentication-and-authorization +/config/feature_flags/development/specialized_worker_for_group_lock_update_auth_recalculation.yml @gitlab-org/manage/authentication-and-authorization +/config/feature_flags/development/webauthn.yml @gitlab-org/manage/authentication-and-authorization +/config/feature_flags/ops/block_password_auth_for_saml_users.yml @gitlab-org/manage/authentication-and-authorization +/config/initializers/01_secret_token.rb @gitlab-org/manage/authentication-and-authorization +/config/initializers/devise_dynamic_password_length_validation.rb @gitlab-org/manage/authentication-and-authorization +/config/initializers/devise_password_length.rb.example @gitlab-org/manage/authentication-and-authorization +/config/initializers/gitlab_shell_secret_token.rb @gitlab-org/manage/authentication-and-authorization +/config/initializers/omniauth.rb @gitlab-org/manage/authentication-and-authorization +/config/initializers/rails_host_authorization.rb @gitlab-org/manage/authentication-and-authorization +/config/initializers/rails_host_authorization_gitpod.rb @gitlab-org/manage/authentication-and-authorization +/config/initializers/webauthn.rb @gitlab-org/manage/authentication-and-authorization +/config/initializers_before_autoloader/100_patch_omniauth_oauth2.rb @gitlab-org/manage/authentication-and-authorization +/config/initializers_before_autoloader/100_patch_omniauth_saml.rb @gitlab-org/manage/authentication-and-authorization +/ee/app/assets/javascripts/access_tokens 
@gitlab-org/manage/authentication-and-authorization +/ee/app/assets/javascripts/audit_events/components/tokens @gitlab-org/manage/authentication-and-authorization +/ee/app/assets/javascripts/audit_events/token_utils.js @gitlab-org/manage/authentication-and-authorization +/ee/app/assets/javascripts/groups/settings/components @gitlab-org/manage/authentication-and-authorization +/ee/app/assets/javascripts/pages/groups/omniauth_callbacks @gitlab-org/manage/authentication-and-authorization +/ee/app/assets/javascripts/pipelines/components/pipelines_list @gitlab-org/manage/authentication-and-authorization +/ee/app/assets/javascripts/requirements/components/tokens @gitlab-org/manage/authentication-and-authorization +/ee/app/assets/javascripts/saml_providers/scim_token_service.js @gitlab-org/manage/authentication-and-authorization +/ee/app/assets/javascripts/saml_sso/components @gitlab-org/manage/authentication-and-authorization +/ee/app/assets/javascripts/vue_merge_request_widget/components/approvals/approvals_auth.vue @gitlab-org/manage/authentication-and-authorization +/ee/app/controllers/concerns/ee/authenticates_with_two_factor.rb @gitlab-org/manage/authentication-and-authorization +/ee/app/controllers/concerns/ee/enforces_two_factor_authentication.rb @gitlab-org/manage/authentication-and-authorization +/ee/app/controllers/concerns/saml_authorization.rb @gitlab-org/manage/authentication-and-authorization +/ee/app/controllers/ee/ldap @gitlab-org/manage/authentication-and-authorization +/ee/app/controllers/ee/omniauth_callbacks_controller.rb @gitlab-org/manage/authentication-and-authorization +/ee/app/controllers/ee/passwords_controller.rb @gitlab-org/manage/authentication-and-authorization +/ee/app/controllers/groups/omniauth_callbacks_controller.rb @gitlab-org/manage/authentication-and-authorization +/ee/app/controllers/groups/scim_oauth_controller.rb @gitlab-org/manage/authentication-and-authorization +/ee/app/controllers/oauth 
@gitlab-org/manage/authentication-and-authorization +/ee/app/controllers/omniauth_kerberos_spnego_controller.rb @gitlab-org/manage/authentication-and-authorization +/ee/app/finders/auth @gitlab-org/manage/authentication-and-authorization +/ee/app/helpers/ee/access_tokens_helper.rb @gitlab-org/manage/authentication-and-authorization +/ee/app/helpers/ee/auth_helper.rb @gitlab-org/manage/authentication-and-authorization +/ee/app/helpers/ee/personal_access_tokens_helper.rb @gitlab-org/manage/authentication-and-authorization +/ee/app/models/ee/personal_access_token.rb @gitlab-org/manage/authentication-and-authorization +/ee/app/models/ee/project_authorization.rb @gitlab-org/manage/authentication-and-authorization +/ee/app/models/scim_oauth_access_token.rb @gitlab-org/manage/authentication-and-authorization +/ee/app/serializers/scim_oauth_access_token_entity.rb @gitlab-org/manage/authentication-and-authorization +/ee/app/services/ee/auth @gitlab-org/manage/authentication-and-authorization +/ee/app/services/ee/personal_access_tokens @gitlab-org/manage/authentication-and-authorization +/ee/app/services/ee/resource_access_tokens @gitlab-org/manage/authentication-and-authorization +/ee/app/services/personal_access_tokens @gitlab-org/manage/authentication-and-authorization +/ee/app/services/security/token_revocation_service.rb @gitlab-org/manage/authentication-and-authorization +/ee/app/views/admin/application_settings/_personal_access_token_expiration_policy.html.haml @gitlab-org/manage/authentication-and-authorization +/ee/app/views/credentials_inventory_mailer/personal_access_token_revoked_email.html.haml @gitlab-org/manage/authentication-and-authorization +/ee/app/views/credentials_inventory_mailer/personal_access_token_revoked_email.text.haml @gitlab-org/manage/authentication-and-authorization +/ee/app/views/groups/_personal_access_token_expiration_policy.html.haml @gitlab-org/manage/authentication-and-authorization +/ee/app/views/groups/sso/_authorize_pane.html.haml 
@gitlab-org/manage/authentication-and-authorization +/ee/app/views/notify/policy_revoked_personal_access_tokens_email.html.haml @gitlab-org/manage/authentication-and-authorization +/ee/app/views/notify/policy_revoked_personal_access_tokens_email.text.erb @gitlab-org/manage/authentication-and-authorization +/ee/app/views/oauth @gitlab-org/manage/authentication-and-authorization +/ee/app/views/shared/credentials_inventory/_personal_access_tokens.html.haml @gitlab-org/manage/authentication-and-authorization +/ee/app/views/shared/credentials_inventory/_project_access_tokens.html.haml @gitlab-org/manage/authentication-and-authorization +/ee/app/views/shared/credentials_inventory/personal_access_tokens @gitlab-org/manage/authentication-and-authorization +/ee/app/views/shared/credentials_inventory/project_access_tokens @gitlab-org/manage/authentication-and-authorization +/ee/app/workers/personal_access_tokens @gitlab-org/manage/authentication-and-authorization +/ee/config/routes/oauth.rb @gitlab-org/manage/authentication-and-authorization +/ee/lib/ee/gitlab/auth @gitlab-org/manage/authentication-and-authorization +/ee/lib/ee/gitlab/auth.rb @gitlab-org/manage/authentication-and-authorization +/ee/lib/ee/gitlab/omniauth_initializer.rb @gitlab-org/manage/authentication-and-authorization +/ee/lib/gitlab/auth @gitlab-org/manage/authentication-and-authorization +/ee/lib/gitlab/auth_logger.rb @gitlab-org/manage/authentication-and-authorization +/ee/lib/gitlab/authority_analyzer.rb @gitlab-org/manage/authentication-and-authorization +/ee/lib/gitlab/geo/oauth @gitlab-org/manage/authentication-and-authorization +/ee/lib/gitlab/kerberos @gitlab-org/manage/authentication-and-authorization +/ee/lib/omni_auth @gitlab-org/manage/authentication-and-authorization +/ee/lib/system_check/geo/authorized_keys_check.rb @gitlab-org/manage/authentication-and-authorization +/ee/lib/system_check/geo/authorized_keys_flag_check.rb @gitlab-org/manage/authentication-and-authorization 
+/lib/api/entities/ci/reset_token_result.rb @gitlab-org/manage/authentication-and-authorization +/lib/api/entities/impersonation_token.rb @gitlab-org/manage/authentication-and-authorization +/lib/api/entities/impersonation_token_with_token.rb @gitlab-org/manage/authentication-and-authorization +/lib/api/entities/personal_access_token.rb @gitlab-org/manage/authentication-and-authorization +/lib/api/entities/personal_access_token_with_token.rb @gitlab-org/manage/authentication-and-authorization +/lib/api/entities/resource_access_token.rb @gitlab-org/manage/authentication-and-authorization +/lib/api/entities/resource_access_token_with_token.rb @gitlab-org/manage/authentication-and-authorization +/lib/api/helpers/authentication.rb @gitlab-org/manage/authentication-and-authorization +/lib/api/helpers/packages/basic_auth_helpers.rb @gitlab-org/manage/authentication-and-authorization +/lib/api/personal_access_tokens.rb @gitlab-org/manage/authentication-and-authorization +/lib/api/resource_access_tokens.rb @gitlab-org/manage/authentication-and-authorization +/lib/api/support/token_with_expiration.rb @gitlab-org/manage/authentication-and-authorization +/lib/gitlab/api_authentication @gitlab-org/manage/authentication-and-authorization +/lib/gitlab/auth @gitlab-org/manage/authentication-and-authorization +/lib/gitlab/auth.rb @gitlab-org/manage/authentication-and-authorization +/lib/gitlab/auth_logger.rb @gitlab-org/manage/authentication-and-authorization +/lib/gitlab/authorized_keys.rb @gitlab-org/manage/authentication-and-authorization +/lib/gitlab/background_migration/encrypt_static_object_token.rb @gitlab-org/manage/authentication-and-authorization +/lib/gitlab/background_migration/migrate_u2f_webauthn.rb @gitlab-org/manage/authentication-and-authorization +/lib/gitlab/background_migration/update_users_where_two_factor_auth_required_from_group.rb @gitlab-org/manage/authentication-and-authorization +/lib/gitlab/chat_name_token.rb 
@gitlab-org/manage/authentication-and-authorization +/lib/gitlab/ci/pipeline/expression/token.rb @gitlab-org/manage/authentication-and-authorization +/lib/gitlab/external_authorization @gitlab-org/manage/authentication-and-authorization +/lib/gitlab/external_authorization.rb @gitlab-org/manage/authentication-and-authorization +/lib/gitlab/graphql/authorize @gitlab-org/manage/authentication-and-authorization +/lib/gitlab/jwt_authenticatable.rb @gitlab-org/manage/authentication-and-authorization +/lib/gitlab/jwt_token.rb @gitlab-org/manage/authentication-and-authorization +/lib/gitlab/lfs_token.rb @gitlab-org/manage/authentication-and-authorization +/lib/gitlab/mail_room @gitlab-org/manage/authentication-and-authorization +/lib/gitlab/omniauth_initializer.rb @gitlab-org/manage/authentication-and-authorization +/lib/gitlab/project_authorizations.rb @gitlab-org/manage/authentication-and-authorization +/lib/json_web_token @gitlab-org/manage/authentication-and-authorization +/lib/omni_auth @gitlab-org/manage/authentication-and-authorization +/lib/system_check/app/authorized_keys_permission_check.rb @gitlab-org/manage/authentication-and-authorization +/lib/system_check/incoming_email/imap_authentication_check.rb @gitlab-org/manage/authentication-and-authorization +/lib/tasks/gitlab/password.rake @gitlab-org/manage/authentication-and-authorization +/lib/tasks/tokens.rake @gitlab-org/manage/authentication-and-authorization diff --git a/spec/tooling/fixtures/find_codeowners/dir0/dir1/dir2/file2 b/spec/tooling/fixtures/find_codeowners/dir0/dir1/dir2/file2 new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 diff --git a/spec/tooling/fixtures/find_codeowners/dir0/dir1/file1 b/spec/tooling/fixtures/find_codeowners/dir0/dir1/file1 new file mode 100644 index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 
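Review bot: The `[Authentication and Authorization]` section now lists a snapshot of paths instead of the `*password*`, `*auth*` and `*token*` globs, so a file added later outside the listed directories has no owner in this section until someone reruns the generator and pastes the result. Nothing in this hunk marks the section as generated, which makes that drift easy to miss in review. I would add a comment line under the section header, for example `# Generated by tooling/bin/find_codeowners from tooling/config/CODEOWNERS.yml; regenerate when adding auth, password or token files`. A CI check that compares the tool output with this section would catch the drift automatically.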
diff --git a/spec/tooling/fixtures/find_codeowners/dir0/file0 b/spec/tooling/fixtures/find_codeowners/dir0/file0
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/spec/tooling/fixtures/find_codeowners/file b/spec/tooling/fixtures/find_codeowners/file
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/spec/tooling/lib/tooling/find_codeowners_spec.rb b/spec/tooling/lib/tooling/find_codeowners_spec.rb
new file mode 100644
index 0000000000000000000000000000000000000000..b29c5f35ec990ca6f3221ade9b977204b92c1f02
--- /dev/null
+++ b/spec/tooling/lib/tooling/find_codeowners_spec.rb
@@ -0,0 +1,199 @@
+# frozen_string_literal: true
+
+require_relative '../../../../tooling/lib/tooling/find_codeowners'
+
+RSpec.describe Tooling::FindCodeowners do
+ let(:subject) { described_class.new }
+ let(:root) { File.expand_path('../../fixtures/find_codeowners', __dir__) }
+
+ describe '#execute' do
+ before do
+ allow(subject).to receive(:load_config).and_return(
+ '[Section name]': {
+ '@group': {
+ allow: {
+ keywords: %w[dir0 file],
+ patterns: ['/%{keyword}/**/*', '/%{keyword}']
+ },
+ deny: {
+ keywords: %w[file0],
+ patterns: ['**/%{keyword}']
+ }
+ }
+ }
+ )
+ end
+
+ it 'prints CODEOWNERS as configured' do
+ expect do
+ Dir.chdir(root) do
+ subject.execute
+ end
+ end.to output(<<~CODEOWNERS).to_stdout
+ [Section name]
+ /dir0/dir1 @group
+ /file @group
+ CODEOWNERS
+ end
+ end
+
+ describe '#load_definitions' do
+ it 'expands the allow and deny list with keywords and patterns' do
+ subject.load_definitions.each do |section, group_defintions|
+ group_defintions.each do |group, definitions|
+ expect(definitions[:allow]).to be_an(Array)
+ expect(definitions[:deny]).to be_an(Array)
+ end
+ end
+ end
+
+ it 'expands the auth group' do
+ auth = subject.load_definitions.dig(
+ :'[Authentication and Authorization]',
+ :'@gitlab-org/manage/authentication-and-authorization')
+
+ expect(auth).to eq(
+ allow: %w[
+ /{,ee/}app/**/*password*{/**/*,}
+ /{,ee/}config/**/*password*{/**/*,}
+ /{,ee/}lib/**/*password*{/**/*,}
+ /{,ee/}app/**/*auth*{/**/*,}
+ /{,ee/}config/**/*auth*{/**/*,}
+ /{,ee/}lib/**/*auth*{/**/*,}
+ /{,ee/}app/**/*token*{/**/*,}
+ /{,ee/}config/**/*token*{/**/*,}
+ /{,ee/}lib/**/*token*{/**/*,}
+ ],
+ deny: %w[
+ **/*author.*{/**/*,}
+ **/*author_*{/**/*,}
+ **/*authored*{/**/*,}
+ **/*authoring*{/**/*,}
+ **/*.png*{/**/*,}
+ **/*.svg*{/**/*,}
+ **/*deploy_token*{/**/*,}
+ **/*runner{,s}_token*{/**/*,}
+ **/*job_token*{/**/*,}
+ **/*autocomplete_tokens*{/**/*,}
+ **/*dast_site_token*{/**/*,}
+ **/*reset_prometheus_token*{/**/*,}
+ **/*reset_registration_token*{/**/*,}
+ **/*runners_registration_token*{/**/*,}
+ **/*terraform_registry_token*{/**/*,}
+ **/*tokenizer*{/**/*,}
+ **/*filtered_search*{/**/*,}
+ **/*/alert_management/*{/**/*,}
+ **/*/analytics/*{/**/*,}
+ **/*/bitbucket/*{/**/*,}
+ **/*/clusters/*{/**/*,}
+ **/*/clusters_list/*{/**/*,}
+ **/*/dast/*{/**/*,}
+ **/*/dast_profiles/*{/**/*,}
+ **/*/dast_site_tokens/*{/**/*,}
+ **/*/dast_site_validation/*{/**/*,}
+ **/*/dependency_proxy/*{/**/*,}
+ **/*/error_tracking/*{/**/*,}
+ **/*/google_api/*{/**/*,}
+ **/*/google_cloud/*{/**/*,}
+ **/*/jira_connect/*{/**/*,}
+ **/*/kubernetes/*{/**/*,}
+ **/*/protected_environments/*{/**/*,}
+ **/*/config/feature_flags/development/jira_connect_*{/**/*,}
+ **/*/config/metrics/*{/**/*,}
+ **/*/app/controllers/groups/dependency_proxy_auth_controller.rb*{/**/*,}
+ **/*/app/finders/ci/auth_job_finder.rb*{/**/*,}
+ **/*/ee/config/metrics/*{/**/*,}
+ **/*/lib/gitlab/conan_token.rb*{/**/*,}
+ ]
+ )
+ end
+ end
+
+ describe '#load_config' do
+ it 'loads the config with symbolized keys' do
+ config = subject.load_config
+
+ expect_hash_keys_to_be_symbols(config)
+ end
+
+ context 'when YAML has safe_load_file' do
+ before do
+ allow(YAML).to receive(:respond_to?).with(:safe_load_file).and_return(true)
+ end
+
+ it 'calls safe_load_file' do
+ expect(YAML).to receive(:safe_load_file)
+
+ subject.load_config
+ end
+ end
+
+ context 'when YAML does not have safe_load_file' do
+ before do
+ allow(YAML).to receive(:respond_to?).with(:safe_load_file).and_return(false)
+ end
+
+ it 'calls load_file' do
+ expect(YAML).to receive(:safe_load)
+
+ subject.load_config
+ end
+ end
+
+ def expect_hash_keys_to_be_symbols(object)
+ if object.is_a?(Hash)
+ object.each do |key, value|
+ expect(key).to be_a(Symbol)
+
+ expect_hash_keys_to_be_symbols(value)
+ end
+ end
+ end
+ end
+
+ describe '#path_matches?' do
+ let(:pattern) { 'pattern' }
+ let(:path) { 'path' }
+
+ it 'passes flags we are expecting to File.fnmatch?' do
+ expected_flags =
+ ::File::FNM_DOTMATCH | ::File::FNM_PATHNAME | ::File::FNM_EXTGLOB
+
+ expect(File).to receive(:fnmatch?).with(pattern, path, expected_flags)
+
+ subject.path_matches?(pattern, path)
+ end
+ end
+
+ describe '#consolidate_paths' do
+ before do
+ allow(subject).to receive(:find_dir_maxdepth_1).and_return(<<~LINES)
+ dir
+ dir/0
+ dir/2
+ dir/3
+ dir/1
+ LINES
+ end
+
+ context 'when the directory has the same number of entries' do
+ let(:input_paths) { %W[dir/0\n dir/1\n dir/2\n dir/3\n] }
+
+ it 'consolidates into the directory' do
+ paths = subject.consolidate_paths(input_paths)
+
+ expect(paths).to eq(["dir\n"])
+ end
+ end
+
+ context 'when the directory has different number of entries' do
+ let(:input_paths) { %W[dir/0\n dir/1\n dir/2\n] }
+
+ it 'returns the original paths' do
+ paths = subject.consolidate_paths(input_paths)
+
+ expect(paths).to eq(input_paths)
+ end
+ end
+ end
+end
diff --git a/tooling/bin/find_codeowners b/tooling/bin/find_codeowners
new file mode 100755
index 0000000000000000000000000000000000000000..2c028b3162e4080b7f2d01a86768cdf62f93d3b7
--- /dev/null
+++ b/tooling/bin/find_codeowners
@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require_relative '../lib/tooling/find_codeowners'
+
+Tooling::FindCodeowners.new.execute
diff --git a/tooling/config/CODEOWNERS.yml b/tooling/config/CODEOWNERS.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d867c8c22fc1ddbc2007abc9bb73ad938b8fb921
--- /dev/null
+++ b/tooling/config/CODEOWNERS.yml
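Review bot: In `describe '#load_config'`, the example `it 'calls load_file'` asserts `expect(YAML).to receive(:safe_load)`, so its description names the unsafe loader while the expectation checks the safe one; rename it to `it 'calls safe_load' do`. Both contexts also stub `respond_to?` only `.with(:safe_load_file)`, so any other `YAML.respond_to?` call made during the example fails with an unexpected-arguments error. Adding `allow(YAML).to receive(:respond_to?).and_call_original` before the `.with(:safe_load_file)` stub in each `before` block keeps the examples robust.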
@@ -0,0 +1,58 @@
+# This is supposed to be used with:
+# tooling/bin/find_codeowners tooling/config/CODEOWNERS.yml
+# And paste the contents into .gitlab/CODEOWNERS
+
+'[Authentication and Authorization]':
+ '@gitlab-org/manage/authentication-and-authorization':
+ allow:
+ keywords:
+ - password
+ - auth
+ - token
+ patterns:
+ - '/{,ee/}app/**/*%{keyword}*{/**/*,}'
+ - '/{,ee/}config/**/*%{keyword}*{/**/*,}'
+ - '/{,ee/}lib/**/*%{keyword}*{/**/*,}'
+ deny:
+ keywords:
+ - author.
+ - author_
+ - authored
+ - authoring
+ - .png
+ - .svg
+ - deploy_token
+ - runner{,s}_token
+ - job_token
+ - autocomplete_tokens
+ - dast_site_token
+ - reset_prometheus_token
+ - reset_registration_token
+ - runners_registration_token
+ - terraform_registry_token
+ - tokenizer
+ - filtered_search
+ - /alert_management/
+ - /analytics/
+ - /bitbucket/
+ - /clusters/
+ - /clusters_list/
+ - /dast/
+ - /dast_profiles/
+ - /dast_site_tokens/
+ - /dast_site_validation/
+ - /dependency_proxy/
+ - /error_tracking/
+ - /google_api/
+ - /google_cloud/
+ - /jira_connect/
+ - /kubernetes/
+ - /protected_environments/
+ - /config/feature_flags/development/jira_connect_
+ - /config/metrics/
+ - /app/controllers/groups/dependency_proxy_auth_controller.rb
+ - /app/finders/ci/auth_job_finder.rb
+ - /ee/config/metrics/
+ - /lib/gitlab/conan_token.rb
+ patterns:
+ - '**/*%{keyword}*{/**/*,}'
diff --git a/tooling/lib/tooling/find_codeowners.rb b/tooling/lib/tooling/find_codeowners.rb
new file mode 100644
index 0000000000000000000000000000000000000000..35d8a9d7461fdc72b5117f9ab9a9eb480ea08cdc
--- /dev/null
+++ b/tooling/lib/tooling/find_codeowners.rb
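Review bot: The usage comment at the top shows `tooling/bin/find_codeowners tooling/config/CODEOWNERS.yml`, but the bin script added in this commit calls `Tooling::FindCodeowners.new.execute` with no arguments and `load_config` reads a fixed path, so the argument appears to be ignored; I would change the comment line to `# tooling/bin/find_codeowners`. The `deny` keywords are substring matches expanded through `**/*%{keyword}*{/**/*,}`, so broad entries such as `/analytics/` or `/clusters/` also drop any future `auth`, `token` or `password` file under those directories from this group's ownership. A short comment per entry, or per group of entries, saying who owns those paths instead would let a reviewer confirm that each exclusion is intentional.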
@@ -0,0 +1,103 @@
+# frozen_string_literal: true
+
+require 'yaml'
+
+module Tooling
+ class FindCodeowners
+ def execute
+ load_definitions.each do |section, group_defintions|
+ puts section
+
+ group_defintions.each do |group, list|
+ matched_files = git_ls_files.each_line.select do |line|
+ list[:allow].find do |pattern|
+ path = "/#{line.chomp}"
+
+ path_matches?(pattern, path) &&
+ list[:deny].none? { |pattern| path_matches?(pattern, path) }
+ end
+ end
+
+ consolidated = consolidate_paths(matched_files)
+ consolidated_again = consolidate_paths(consolidated)
+
+ # Consider the directory structure is a tree structure:
+ # https://en.wikipedia.org/wiki/Tree_(data_structure)
+ # After we consolidated the leaf entries, it could be possible that
+ # we can consolidate further for the new leaves. Repeat this
+ # process until we see no improvements.
+ while consolidated_again.size < consolidated.size
+ consolidated = consolidated_again
+ consolidated_again = consolidate_paths(consolidated)
+ end
+
+ consolidated.each do |file|
+ puts "/#{file.chomp} #{group}"
+ end
+ end
+ end
+ end
+
+ def load_definitions
+ result = load_config
+
+ result.each do |section, group_defintions|
+ group_defintions.each do |group, definitions|
+ definitions.transform_values! do |rules|
+ rules[:keywords].flat_map do |keyword|
+ rules[:patterns].map do |pattern|
+ pattern % { keyword: keyword }
+ end
+ end
+ end
+ end
+ end
+
+ result
+ end
+
+ def load_config
+ config_path = "#{__dir__}/../../config/CODEOWNERS.yml"
+
+ if YAML.respond_to?(:safe_load_file) # Ruby 3.0+
+ YAML.safe_load_file(config_path, symbolize_names: true)
+ else
+ YAML.safe_load(File.read(config_path), symbolize_names: true)
+ end
+ end
+
+ # Copied and modified from ee/lib/gitlab/code_owners/file.rb
+ def path_matches?(pattern, path)
+ # `FNM_DOTMATCH` makes sure we also match files starting with a `.`
+ # `FNM_PATHNAME` makes sure ** matches path separators
+ flags = ::File::FNM_DOTMATCH | ::File::FNM_PATHNAME
+
+ # BEGIN extension
+ flags |= ::File::FNM_EXTGLOB
+ # END extension
+
+ ::File.fnmatch?(pattern, path, flags)
+ end
+
+ def consolidate_paths(matched_files)
+ matched_files.group_by(&File.method(:dirname)).flat_map do |dir, files|
+ # First line is the dir itself
+ if find_dir_maxdepth_1(dir).lines.drop(1).sort == files.sort
+ "#{dir}\n"
+ else
+ files
+ end
+ end.sort
+ end
+
+ private
+
+ def find_dir_maxdepth_1(dir)
+ `find #{dir} -maxdepth 1`
+ end
+
+ def git_ls_files
+ @git_ls_files ||= `git ls-files`
+ end
+ end
+end
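Review bot: `find_dir_maxdepth_1` interpolates `dir` into a backtick shell command, and `dir` comes from `File.dirname` applied to `git ls-files` output, so a tracked directory name containing spaces or shell metacharacters is interpreted by the shell instead of reaching `find` as a single argument. Since the tool runs over repository contents to generate CODEOWNERS, I would pass an argument vector so no shell is involved: `IO.popen(['find', dir, '-maxdepth', '1'], &:read)`. Separately, in `execute` the block parameter in `list[:deny].none? { |pattern| ... }` shadows the outer `pattern` of `list[:allow].find`; renaming it (for example to `deny_pattern`) would make the allow/deny decision easier to audit.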