diff --git a/.gitlab/CODEOWNERS b/.gitlab/CODEOWNERS
index e78c91baee0c8d1c843d092f07d87f3a80c8cb37..d37a14e2c580b3df8fc313bc555cf9fbe9801723 100644
--- a/.gitlab/CODEOWNERS
+++ b/.gitlab/CODEOWNERS
@@ -1284,21 +1284,23 @@ lib/gitlab/checks/**
 /lib/container_registry/
 
 [Authentication] @gitlab-org/software-supply-chain-security/authentication/approvers
+/app/views/layouts/terms.html.haml
+/app/views/admin/sessions/
 /app/assets/javascripts/access_tokens/
 /app/assets/javascripts/alerts_settings/graphql/mutations/reset_http_token.mutation.graphql
 /app/assets/javascripts/authentication/
+/app/assets/javascripts/oauth_application/
 /app/assets/javascripts/pages/admin/impersonation_tokens/
 /app/assets/javascripts/pages/groups/settings/access_tokens/
 /app/assets/javascripts/pages/ldap/
 /app/assets/javascripts/pages/oauth/
 /app/assets/javascripts/pages/omniauth_callbacks/
-/app/assets/javascripts/pages/profiles/password_prompt/
-/app/assets/javascripts/pages/user_settings/personal_access_tokens/
+/app/assets/javascripts/pages/passwords/
 /app/assets/javascripts/pages/profiles/two_factor_auths/
 /app/assets/javascripts/pages/projects/settings/access_tokens/
-/app/assets/javascripts/pages/sessions/new/oauth_remember_me.js
+/app/assets/javascripts/pages/user_settings/personal_access_tokens/
+/app/assets/javascripts/profile/password_prompt/
 /app/assets/javascripts/projects/settings/topics/components/
-/app/assets/javascripts/related_issues/components/issue_token.vue
 /app/assets/stylesheets/page_bundles/profile_two_factor_auth.scss
 /app/controllers/admin/impersonation_tokens_controller.rb
 /app/controllers/concerns/access_tokens_actions.rb
@@ -1307,39 +1309,41 @@ lib/gitlab/checks/**
 /app/controllers/concerns/enforces_admin_authentication.rb
 /app/controllers/concerns/enforces_two_factor_authentication.rb
 /app/controllers/concerns/oauth_applications.rb
-/app/controllers/concerns/project_unauthorized.rb
-/app/models/concerns/require_email_verification.rb
+/app/controllers/concerns/render_access_tokens.rb
+/app/controllers/concerns/renders_ldap_servers.rb
 /app/controllers/concerns/sessionless_authentication.rb
-/app/controllers/concerns/snippet_authorizations.rb
-/app/controllers/concerns/verifies_with_email.rb
-/app/controllers/concerns/workhorse_authorization.rb
 /app/controllers/groups/settings/access_tokens_controller.rb
 /app/controllers/ldap/
-/app/controllers/oauth/
+/app/controllers/oauth/applications_controller.rb
+/app/controllers/oauth/device_codes_controller.rb
+/app/controllers/oauth/token_info_controller.rb
+/app/controllers/oauth/tokens_controller.rb
 /app/controllers/omniauth_callbacks_controller.rb
 /app/controllers/passwords_controller.rb
-/app/controllers/profiles/passwords_controller.rb
-/app/controllers/user_settings/personal_access_tokens_controller.rb
 /app/controllers/profiles/two_factor_auths_controller.rb
-/app/controllers/profiles/webauthn_registrations_controller.rb
 /app/controllers/projects/settings/access_tokens_controller.rb
-/app/controllers/sessions_controller.rb
-/app/finders/groups/projects_requiring_authorizations_refresh/
+/app/controllers/user_settings/passwords_controller.rb
+/app/controllers/user_settings/personal_access_tokens_controller.rb
 /app/finders/personal_access_tokens_finder.rb
 /app/helpers/access_tokens_helper.rb
 /app/helpers/auth_helper.rb
+/app/helpers/feed_token_helper.rb
+/app/helpers/kerberos_helper.rb
+/app/mailers/devise_mailer.rb
+/app/mailers/previews/devise_mailer_preview.rb
 /app/models/authentication_event.rb
 /app/models/concerns/admin_changed_password_notifier.rb
-/app/models/concerns/mirror_authentication.rb
-/app/models/concerns/select_for_project_authorization.rb
+/app/models/concerns/async_devise_email.rb
+/app/models/concerns/encrypted_user_password.rb
 /app/models/concerns/token_authenticatable.rb
-/lib/authn/token_field/
+/app/models/doorkeeper/access_grant.rb
+/app/models/doorkeeper/access_token.rb
+/app/models/doorkeeper/openid_connect/
+/app/models/namespaces/ldap_setting.rb
 /app/models/oauth_access_grant.rb
 /app/models/oauth_access_token.rb
 /app/models/personal_access_token.rb
-/app/models/project_authorization.rb
 /app/models/webauthn_registration.rb
-/app/policies/personal_access_token_policy.rb
 /app/serializers/access_token_entity_base.rb
 /app/serializers/group_access_token_entity.rb
 /app/serializers/group_access_token_serializer.rb
@@ -1350,39 +1354,30 @@ lib/gitlab/checks/**
 /app/serializers/project_access_token_entity.rb
 /app/serializers/project_access_token_serializer.rb
 /app/services/access_token_validation_service.rb
-/app/services/auth/
-/app/services/authorized_project_update/
-/app/services/chat_names/authorize_user_service.rb
+/app/services/group_access_tokens/
+/app/services/groups/agnostic_token_revocation_service.rb
 /app/services/personal_access_tokens/
-/app/services/projects/move_project_authorizations_service.rb
+/app/services/project_access_tokens/
 /app/services/resource_access_tokens/
-/app/services/todos/destroy/unauthorized_features_service.rb
-/app/services/users/authorized_build_service.rb
-/app/services/users/authorized_create_service.rb
-/app/services/users/email_verification/
-/app/services/users/refresh_authorized_projects_service.rb
+/app/services/users/email_verification/generate_token_service.rb
+/app/services/users/email_verification/validate_token_service.rb
+/app/services/users/repair_ldap_blocked_service.rb
+/app/services/users/reset_feed_token_service.rb
 /app/services/webauthn/
-/app/validators/json_schemas/cluster_agent_authorization_configuration.json
-/app/views/admin/application_settings/_external_authorization_service_form.html.haml
+/app/validators/devise_email_validator.rb
+/app/views/admin/application_settings/_require_personal_access_token_expiry.html.haml
+/app/views/admin/application_settings/_resource_access_token_notify_inherited_settings.html.haml
 /app/views/admin/impersonation_tokens/
-/app/views/admin/sessions/
 /app/views/authentication/
-/app/views/dashboard/projects/_zero_authorized_projects.html.haml
-/app/views/devise/mailer/password_change.html.haml
-/app/views/devise/mailer/password_change.text.erb
-/app/views/devise/mailer/password_change_by_admin.html.haml
-/app/views/devise/mailer/password_change_by_admin.text.erb
-/app/views/devise/mailer/reset_password_instructions.html.haml
-/app/views/devise/mailer/reset_password_instructions.text.erb
-/app/views/devise/**/
-/app/views/doorkeeper/authorizations/
-/app/views/doorkeeper/authorized_applications/
-/app/views/errors/omniauth_error.html.haml
+/app/views/devise/
+/app/views/doorkeeper/applications/
 /app/views/groups/settings/_resource_access_token_creation.html.haml
+/app/views/groups/settings/_resource_access_token_notify_inherited_settings.html.haml
 /app/views/groups/settings/_two_factor_auth.html.haml
 /app/views/groups/settings/access_tokens/
-/app/views/layouts/devise*.haml
-/app/views/layouts/terms.html.haml
+/app/views/layouts/devise.html.haml
+/app/views/layouts/devise_empty.html.haml
+/app/views/layouts/mailer/devise.html.haml
 /app/views/layouts/oauth_error.html.haml
 /app/views/notify/access_token_about_to_expire_email.html.haml
 /app/views/notify/access_token_about_to_expire_email.text.erb
@@ -1392,97 +1387,134 @@ lib/gitlab/checks/**
 /app/views/notify/access_token_expired_email.text.erb
 /app/views/notify/access_token_revoked_email.html.haml
 /app/views/notify/access_token_revoked_email.text.erb
-/app/views/profiles/passwords/
-/app/views/user_settings/personal_access_tokens/
+/app/views/notify/bot_resource_access_token_about_to_expire_email.html.haml
+/app/views/notify/bot_resource_access_token_about_to_expire_email.text.erb
 /app/views/profiles/two_factor_auths/
 /app/views/projects/mirrors/_authentication_method.html.haml
 /app/views/projects/settings/access_tokens/
 /app/views/shared/_no_password.html.haml
 /app/views/shared/_two_factor_auth_recovery_settings_check.html.haml
 /app/views/shared/access_tokens/
+/app/views/shared/doorkeeper/
 /app/views/shared/members/_two_factor_auth_badge.html.haml
 /app/views/shared/tokens/
-/app/workers/authorized_project_update/
-/app/workers/authorized_projects_worker.rb
+/app/views/user_settings/passwords/
+/app/views/user_settings/personal_access_tokens/
+/app/views/user_settings/user_settings/authentication_log.haml
 /app/workers/personal_access_tokens/
+/app/workers/resource_access_tokens/
 /config/initializers/01_secret_token.rb
-/config/initializers/declarative_policy.rb
-/config/initializers/declarative_policy_cached_attributes.rb
+/config/initializers/8_devise.rb
 /config/initializers/devise_dynamic_password_length_validation.rb
 /config/initializers/devise_password_length.rb.example
 /config/initializers/doorkeeper.rb
 /config/initializers/doorkeeper_openid_connect.rb
 /config/initializers/gitlab_shell_secret_token.rb
 /config/initializers/omniauth.rb
-/config/initializers/rails_host_authorization.rb
-/config/initializers/rails_host_authorization_gitpod.rb
 /config/initializers/warden.rb
 /config/initializers/webauthn.rb
 /config/initializers_before_autoloader/100_patch_omniauth_oauth2.rb
 /config/initializers_before_autoloader/100_patch_omniauth_saml.rb
+/config/routes/device_auth.rb
 /config/weak_password_digests.yml
 /ee/app/assets/javascripts/access_tokens/
-/ee/app/assets/javascripts/audit_events/components/tokens/
-/ee/app/assets/javascripts/audit_events/token_utils.js
 /ee/app/assets/javascripts/groups/settings/components/
+/ee/app/assets/javascripts/ldap/
+/ee/app/assets/javascripts/members/components/action_dropdowns/ldap_dropdown_footer.vue
+/ee/app/assets/javascripts/members/components/action_dropdowns/ldap_override_dropdown_item.vue
+/ee/app/assets/javascripts/members/components/modals/ldap_override_confirmation_modal.vue
 /ee/app/assets/javascripts/pages/admin/application_settings/general/components/password_complexity_checkbox_group.vue
+/ee/app/assets/javascripts/pages/admin/application_settings/service_accounts/
 /ee/app/assets/javascripts/pages/groups/omniauth_callbacks/
+/ee/app/assets/javascripts/pages/groups/settings/service_accounts/
 /ee/app/assets/javascripts/pages/passwords/
-/ee/app/assets/javascripts/pages/profiles/passwords/
+/ee/app/assets/javascripts/pages/user_settings/passwords/
 /ee/app/assets/javascripts/password/
-/ee/app/assets/javascripts/saml_providers/scim_token_service.js
-/ee/app/assets/javascripts/saml_sso/components/
-/ee/app/assets/javascripts/vue_merge_request_widget/components/approvals/approvals_auth.vue
+/ee/app/assets/javascripts/service_accounts/
+/ee/app/controllers/admin/application_settings/service_accounts_controller.rb
+/ee/app/controllers/concerns/credentials_inventory_actions.rb
 /ee/app/controllers/concerns/ee/authenticates_with_two_factor.rb
 /ee/app/controllers/concerns/ee/enforces_two_factor_authentication.rb
-/ee/app/controllers/concerns/saml_authorization.rb
 /ee/app/controllers/ee/ldap/
 /ee/app/controllers/ee/omniauth_callbacks_controller.rb
 /ee/app/controllers/ee/passwords_controller.rb
-/ee/app/controllers/ee/sessions_controller.rb
+/ee/app/controllers/ee/user_settings/personal_access_tokens_controller.rb
+/ee/app/controllers/groups/ldaps_controller.rb
 /ee/app/controllers/groups/omniauth_callbacks_controller.rb
-/ee/app/controllers/groups/scim_oauth_controller.rb
+/ee/app/controllers/groups/settings/service_accounts_controller.rb
+/ee/app/controllers/groups/two_factor_auths_controller.rb
 /ee/app/controllers/oauth/
 /ee/app/controllers/omniauth_kerberos_controller.rb
+/ee/app/controllers/smartcard_controller.rb
 /ee/app/finders/auth/
+/ee/app/finders/authn/
+/ee/app/helpers/credentials_inventory_helper.rb
 /ee/app/helpers/ee/access_tokens_helper.rb
 /ee/app/helpers/ee/auth_helper.rb
+/ee/app/helpers/ee/kerberos_helper.rb
 /ee/app/helpers/ee/personal_access_tokens_helper.rb
+/ee/app/mailers/credentials_inventory_mailer.rb
+/ee/app/models/auth/
 /ee/app/models/concerns/password_complexity.rb
 /ee/app/models/ee/personal_access_token.rb
-/ee/app/models/ee/project_authorization.rb
-/ee/app/models/scim_oauth_access_token.rb
-/ee/app/serializers/scim_oauth_access_token_entity.rb
+/ee/app/models/ldap_key.rb
+/ee/app/models/smartcard_identity.rb
+/ee/app/models/system_access/group_microsoft_graph_access_token.rb
+/ee/app/models/system_access/instance_microsoft_graph_access_token.rb
+/ee/app/models/system_access/microsoft_graph_access_token.rb
 /ee/app/services/ee/personal_access_tokens/
 /ee/app/services/ee/resource_access_tokens/
-/ee/app/services/ee/users/authorized_build_service.rb
+/ee/app/services/namespaces/service_accounts/
 /ee/app/services/personal_access_tokens/
 /ee/app/services/security/token_revocation_service.rb
-/ee/app/services/users/email_verification/
+/ee/app/services/users/service_accounts/
+/ee/app/validators/ldap_filter_validator.rb
 /ee/app/validators/password/
+/ee/app/views/admin/application_settings/_allow_top_level_group_owners_to_create_service_accounts.html.haml
+/ee/app/views/admin/application_settings/_disable_personal_access_tokens.html.haml
+/ee/app/views/admin/application_settings/_ldap_access_setting.html.haml
 /ee/app/views/admin/application_settings/_personal_access_token_expiration_policy.html.haml
-/ee/app/views/credentials_inventory_mailer/personal_access_token_revoked_email.html.haml
-/ee/app/views/credentials_inventory_mailer/personal_access_token_revoked_email.text.haml
+/ee/app/views/admin/application_settings/service_accounts/
+/ee/app/views/credentials_inventory_mailer/
+/ee/app/views/devise/registrations/_opt_in_to_email.html.haml
+/ee/app/views/devise/registrations/_password_input.html.haml
+/ee/app/views/devise/sessions/
+/ee/app/views/devise/shared/
 /ee/app/views/groups/_personal_access_token_expiration_policy.html.haml
-/ee/app/views/groups/sso/_authorize_pane.html.haml
+/ee/app/views/groups/settings/_personal_access_tokens.html.haml
+/ee/app/views/groups/settings/service_accounts/
+/ee/app/views/layouts/mailer/devise.text.erb
 /ee/app/views/notify/policy_revoked_personal_access_tokens_email.html.haml
 /ee/app/views/notify/policy_revoked_personal_access_tokens_email.text.erb
 /ee/app/views/oauth/
+/ee/app/views/projects/_empty_kerberos_pane.html.haml
+/ee/app/views/projects/_empty_kerberos_tab_link.html.haml
+/ee/app/views/projects/buttons/_kerberos_clone_field.html.haml
+/ee/app/views/projects/settings/access_tokens/
+/ee/app/views/shared/_kerberos_clone_button.html.haml
+/ee/app/views/shared/_mobile_kerberos_clone.html.haml
 /ee/app/views/shared/_password_requirements_list.html.haml
-/ee/app/views/shared/credentials_inventory/_personal_access_tokens.html.haml
-/ee/app/views/shared/credentials_inventory/personal_access_tokens/
-/ee/app/workers/auth/
+/ee/app/views/shared/credentials_inventory/
+/ee/app/views/shared/dashboard/
+/ee/app/views/shared/members/ee/_ldap_tag.html.haml
 /ee/app/workers/personal_access_tokens/
 /ee/config/routes/oauth.rb
+/ee/config/routes/smartcard.rb
+/ee/config/saas_features/group_credentials_inventory.yml
+/ee/lib/api/group_service_accounts.rb
+/ee/lib/api/ldap.rb
+/ee/lib/api/service_accounts.rb
+/ee/lib/authn/
 /ee/lib/ee/gitlab/auth/
+/ee/lib/ee/gitlab/background_migration/backfill_workspace_personal_access_token.rb
 /ee/lib/ee/gitlab/omniauth_initializer.rb
+/ee/lib/ee/gitlab/personal_access_tokens/
 /ee/lib/gitlab/auth/
-/ee/lib/gitlab/authority_analyzer.rb
 /ee/lib/gitlab/geo/oauth/
 /ee/lib/gitlab/kerberos/
 /ee/lib/omni_auth/
-/ee/lib/system_check/geo/authorized_keys_check.rb
-/ee/lib/system_check/geo/authorized_keys_flag_check.rb
+/ee/lib/users/user_password_reset_auditor.rb
+/lib/api/admin/token.rb
 /lib/api/entities/impersonation_token.rb
 /lib/api/entities/impersonation_token_with_token.rb
 /lib/api/entities/personal_access_token.rb
@@ -1496,34 +1528,56 @@ lib/gitlab/checks/**
 /lib/api/personal_access_tokens.rb
 /lib/api/resource_access_tokens.rb
 /lib/api/support/token_with_expiration.rb
+/lib/authn/agnostic_token_identifier.rb
+/lib/authn/token_field/
+/lib/authn/tokens/feed_token.rb
+/lib/authn/tokens/oauth_application_secret.rb
+/lib/authn/tokens/personal_access_token.rb
+/lib/bitbucket/app_password_connection.rb
+/lib/bitbucket/oauth_connection.rb
 /lib/gitlab/api_authentication/
-/lib/gitlab/auth/
 /lib/gitlab/auth.rb
-/lib/gitlab/auth_logger.rb
-/lib/gitlab/authorized_keys.rb
-/lib/gitlab/background_migration/encrypt_static_object_token.rb
+/lib/gitlab/auth/activity.rb
+/lib/gitlab/auth/atlassian/
+/lib/gitlab/auth/auth_finders.rb
+/lib/gitlab/auth/blocked_user_tracker.rb
+/lib/gitlab/auth/crowd/
+/lib/gitlab/auth/current_user_mode.rb
+/lib/gitlab/auth/database/
+/lib/gitlab/auth/devise/
+/lib/gitlab/auth/external_username_sanitizer.rb
+/lib/gitlab/auth/identity.rb
+/lib/gitlab/auth/ip_blocked.rb
+/lib/gitlab/auth/key_status_checker.rb
+/lib/gitlab/auth/ldap/
+/lib/gitlab/auth/o_auth/
+/lib/gitlab/auth/omniauth_identity_linker_base.rb
+/lib/gitlab/auth/otp/
+/lib/gitlab/auth/request_authenticator.rb
+/lib/gitlab/auth/result.rb
+/lib/gitlab/auth/saml/
+/lib/gitlab/auth/too_many_ips.rb
+/lib/gitlab/auth/two_factor_auth_verifier.rb
+/lib/gitlab/auth/user_access_denied_reason.rb
+/lib/gitlab/auth/visitor_location.rb
+/lib/gitlab/background_migration/backfill_admin_mode_scope_for_personal_access_tokens.rb
+/lib/gitlab/background_migration/backfill_personal_access_token_seven_days_notification_sent.rb
+/lib/gitlab/background_migration/backfill_workspace_personal_access_token.rb
 /lib/gitlab/background_migration/expire_o_auth_tokens.rb
-/lib/gitlab/background_migration/migrate_u2f_webauthn.rb
-/lib/gitlab/background_migration/update_users_where_two_factor_auth_required_from_group.rb
-/lib/gitlab/chat_name_token.rb
+/lib/gitlab/background_migration/update_users_set_external_if_service_account.rb
+/lib/gitlab/base_doorkeeper_controller.rb
 /lib/gitlab/cleanup/personal_access_tokens.rb
-/lib/gitlab/external_authorization/
-/lib/gitlab/external_authorization.rb
-/lib/gitlab/grape_logging/loggers/token_logger.rb
-/lib/gitlab/graphql/authorize/
-/lib/gitlab/jwt_authenticatable.rb
-/lib/gitlab/jwt_token.rb
-/lib/gitlab/lfs_token.rb
-/lib/gitlab/mail_room/
+/lib/gitlab/data_builder/resource_access_token.rb
+/lib/gitlab/devise_failure.rb
+/lib/gitlab/doorkeeper_secret_storing/
+/lib/gitlab/encrypted_ldap_command.rb
+/lib/gitlab/middleware/unauthenticated_session_expiry.rb
 /lib/gitlab/omniauth_initializer.rb
-/lib/gitlab/project_authorizations.rb
-/lib/json_web_token/
-/lib/omni_auth/
+/lib/gitlab/url_blockers/ip_allowlist_entry.rb
+/lib/omni_auth/strategies/azure_oauth2.rb
+/lib/omni_auth/strategies/bitbucket.rb
 /lib/security/weak_passwords.rb
-/lib/system_check/app/authorized_keys_permission_check.rb
-/lib/system_check/incoming_email/imap_authentication_check.rb
-/lib/tasks/gitlab/password.rake
-/lib/tasks/tokens.rake
+/lib/system_check/ldap_check.rb
 
 # Necessary for GitLab availability
 [Verify] @gitlab-org/maintainers/cicd-verify @stanhu @ayufan
diff --git a/spec/tooling/lib/tooling/find_codeowners_spec.rb b/spec/tooling/lib/tooling/find_codeowners_spec.rb
index e75793b69c6d9bb7c18ffdf273d5f240a45dbfaa..62e5071ebc06dc4e40da4556d9e98b0f01aa8045 100644
--- a/spec/tooling/lib/tooling/find_codeowners_spec.rb
+++ b/spec/tooling/lib/tooling/find_codeowners_spec.rb
@@ -10,16 +10,15 @@ before do allow(subject).to receive(:load_config).and_return( '[Section name]': { - '@group': { - entries: %w[whatever entries], - allow: { - keywords: %w[dir0 file], - patterns: ['/%{keyword}/**/*', '/%{keyword}'] - }, - deny: { - keywords: %w[file0], - patterns: ['**/%{keyword}'] - } + group: '@group', + entries: %w[whatever entries], + allow: { + keywords: %w[dir0 file], + patterns: ['/%{keyword}/**/*', '/%{keyword}'] + }, + deny: { + keywords: %w[file0], + patterns: ['**/%{keyword}'] } } ) @@ -31,11 +30,11 @@ subject.execute end end.to output(<<~CODEOWNERS).to_stdout - [Section name] - whatever @group - entries @group - /dir0/dir1/ @group - /file @group + [Section name] @group + whatever + entries + /dir0/dir1/ + /file CODEOWNERS end @@ -46,32 +45,30 @@ allow(subject).to receive(:load_config).and_return( { '[Authentication and Authorization]': { - '@gitlab-org/manage/authentication-and-authorization': { - allow: { - keywords: %w[password auth token], - patterns: - %w[ - /{,ee/}app/**/*%{keyword}*{,/**/*} - /{,ee/}config/**/*%{keyword}*{,/**/*} - /{,ee/}lib/**/*%{keyword}*{,/**/*} - ] - }, - deny: { - keywords: %w[*author.* *author_* *authored*], - patterns: ['%{keyword}'] - } + group: '@gitlab-org/manage/authentication-and-authorization', + allow: { + keywords: %w[password auth token], + patterns: + %w[ + /{,ee/}app/**/*%{keyword}*{,/**/*} + /{,ee/}config/**/*%{keyword}*{,/**/*} + /{,ee/}lib/**/*%{keyword}*{,/**/*} + ] + }, + deny: { + keywords: %w[*author.* *author_* *authored*], + patterns: ['%{keyword}'] } }, '[Compliance]': { - '@gitlab-org/govern/compliance': { - entries: %w[ - /ee/app/services/audit_events/build_service.rb - ], - allow: { - patterns: %w[ - /ee/app/services/audit_events/* - ] - } + group: '@gitlab-org/govern/compliance', + entries: %w[ + /ee/app/services/audit_events/build_service.rb + ], + allow: { + patterns: %w[ + /ee/app/services/audit_events/* + ] } } } 
@@ -79,20 +76,17 @@ end it 'expands the allow and deny list with keywords and patterns' do - group_defintions = subject.load_definitions[:'[Authentication and Authorization]'] + group_definitions = subject.load_definitions[:'[Authentication and Authorization]'] - group_defintions.each do |group, definitions| - expect(definitions[:allow]).to be_an(Array) - expect(definitions[:deny]).to be_an(Array) - end + expect(group_definitions[:allow]).to be_an(Array) + expect(group_definitions[:deny]).to be_an(Array) end it 'expands the patterns for the auth group' do - auth = subject.load_definitions.dig( - :'[Authentication and Authorization]', - :'@gitlab-org/manage/authentication-and-authorization') + auth = subject.load_definitions[:'[Authentication and Authorization]'] expect(auth).to eq( + group: '@gitlab-org/manage/authentication-and-authorization', allow: %w[ /{,ee/}app/**/*password*{,/**/*} /{,ee/}config/**/*password*{,/**/*} @@ -113,11 +107,9 @@ end it 'retains the array and expands the patterns for the compliance group' do - compliance = subject.load_definitions.dig( - :'[Compliance]', - :'@gitlab-org/govern/compliance') - + compliance = subject.load_definitions[:'[Compliance]'] expect(compliance).to eq( + group: '@gitlab-org/govern/compliance', entries: %w[ /ee/app/services/audit_events/build_service.rb ], diff --git a/tooling/config/CODEOWNERS.yml b/tooling/config/CODEOWNERS.yml index e5bcb3c598346bb0bb06a590f59c10ce863400fe..e0268848c011d7ff8ea09b975bb9e463e0d0f86e 100644 --- a/tooling/config/CODEOWNERS.yml +++ b/tooling/config/CODEOWNERS.yml 
@@ -3,81 +3,141 @@ # And paste the contents into .gitlab/CODEOWNERS '[Authentication]': - '@gitlab-org/software-supply-chain-security/authentication/approvers': - allow: + group: '@gitlab-org/software-supply-chain-security/authentication/approvers' + entries: + - '/app/views/layouts/terms.html.haml' + - '/app/views/admin/sessions/' + allow: + keywords: + - 'auth' + - 'credentials_inventory' + - 'devise' + - 'doorkeeper' + - 'feed_token' + - 'ip_allowlist' + - 'kerberos' + - 'ldap' + - 'passkeys' + - 'password' + - 'service_account' + - 'smartcard' + - 'token' + - 'two_factor_auth' + - 'warden' + patterns: + - '/{,ee/}app/**/*%{keyword}*{,/**/*}' + - '/{,ee/}config/**/*%{keyword}*{,/**/*}' + - '/{,ee/}lib/**/*%{keyword}*{,/**/*}' + deny: keywords: - - 'password' - - 'auth' - - 'token' + - '.png' + - '.svg' + - 'alert_management' + - 'application_setting_columns/' + - 'arkose' + - 'audit_event' + - 'author' + - 'authorize' + - 'authz' + - 'autocomplete' + - 'batch_comments' + - 'chat_name_token' + - 'ci' + - 'cloud_connector' + - 'cluster' + - 'commit' + - 'compliance' + - 'conan_token' + - 'container_registry' + - 'custom_abilities' + - 'dast' + - 'dependency_proxy' + - 'deploy_token' + - 'doctor' + - 'dpop' + - 'elasticsearch' + - 'embed' + - 'error_tracking' + - 'errors' + - 'events/' + - 'external_auth_client' + - 'external_storage' + - 'feature_flag' + - 'filter{,ed}_{bar,search,token}' + - 'gitlab_subscriptions' + - 'google_api' + - 'google_cloud' + - 'group_{link,sync}' + - 'health_check' + - 'hook' + - 'ide/' + - 'import/' + - 'incoming_email' + - 'instrumentations' + - 'invite_members' + - 'issue_token' + - 'jira' + - 'jitsu' + - 'job_token' + - 'json_schema' + - 'json_web_token' + - 'jwt' + - 'kubernetes' + - 'locale' + - 'ldap*_*{group,sync,link}' + - 'lfs' + - 'limit' + - 'logger' + - 'mail_room' + - 'maven' + - 'merge_request' + - 'metadata' + - 'metric' + - 'mirror_authentication' + - 'pipeline' + - 'protected_environment' + - 'remote_development' + - 
'requirements/' + - 'reset_prometheus_token' + - 'reset_registration_token' + - 'runner' + - '{saml,sync,link}_group' + - 'scim' + - 'scope_validator' + - 'search/' + - 'search_token' + - 'secret_detection' + - 'service_access' + - 'services/ai/' + - 'sidebars/' + - 'task' + - 'terraform_registry_token' + - 'throttle' + - 'token_access' + - 'tracking' + - 'tracing' + - 'usage_quotas' + - 'web_ide' + - 'work_item_token' + - 'work_items' patterns: - '/{,ee/}app/**/*%{keyword}*{,/**/*}' - '/{,ee/}config/**/*%{keyword}*{,/**/*}' - '/{,ee/}lib/**/*%{keyword}*{,/**/*}' - deny: - keywords: - - '*author{,s}.*' - - '*author{,s}_*' - - '*authored*' - - '*authoring*' - - '*.png' - - '*.svg' - - '*deploy_token{,s}{*,/**/*}' - - '*runner{,s}_token*' - - '*job_token{,_scope}{*,/**/*}' - - '*autocomplete_tokens*' - - 'dast_site_token*' - - 'reset_prometheus_token*' - - 'reset_registration_token*' - - 'runners_registration_token{*,/**/*}' - - 'terraform_registry_token*' - - 'filtered_search{_bar,}/' - - 'alert_management/' - - 'analytics/' - - 'bitbucket/' - - 'clusters/' - - 'clusters_list/' - - 'dast/' - - 'dast_profiles/' - - 'dast_site_tokens/' - - 'dast_site_validation/' - - 'dependency_proxy/' - - 'error_tracking/' - - 'google_api/' - - 'google_cloud/' - - 'jira_connect/' - - 'kubernetes/' - - 'protected_environments/' - - '/config/feature_flags/**/*' - - '/config/metrics/' - - '/app/controllers/groups/dependency_proxy_auth_controller.rb' - - '/app/finders/ci/auth_job_finder.rb' - - '/ee/config/metrics/' - - '/lib/gitlab/conan_token.rb' - - 'token_access/' - - 'pipelines/' - - 'ci/runner/' - - 'config/events/' - - 'config/audit_events/' - - 'runner_token_expiration/' - - '*metadata_id_tokens*' - - '/app/assets/javascripts/invite_members/' - - '/app/workers/authorized_keys_worker.rb' - patterns: - - '%{keyword}' '[Compliance]': - '@gitlab-org/software-supply-chain-security/compliance': - entries: - - '/ee/app/services/audit_events/build_service.rb' - - 
'/ee/spec/services/audit_events/custom_audit_event_service_spec.rb' - allow: - keywords: - - audit - patterns: - - '/{,ee/}app/**/*%{keyword}*' - - '/{,ee/}config/**/*%{keyword}*' - - '/{,ee/}lib/**/*%{keyword}*' - deny: + group: '@gitlab-org/software-supply-chain-security/compliance' + entries: + - '/ee/app/services/audit_events/build_service.rb' + - '/ee/spec/services/audit_events/custom_audit_event_service_spec.rb' + allow: + keywords: + - audit + patterns: + - '/{,ee/}app/**/*%{keyword}*' + - '/{,ee/}config/**/*%{keyword}*' + - '/{,ee/}lib/**/*%{keyword}*' + deny: keywords: - '*.png' - '*bundler-audit*' diff --git a/tooling/lib/tooling/find_codeowners.rb b/tooling/lib/tooling/find_codeowners.rb index e542ab9967ca2c32f8996c0fdfdbaa40873ace02..f447da7e577d42bfb2edb4a699e8131d6d5c15ac 100644 --- a/tooling/lib/tooling/find_codeowners.rb +++ b/tooling/lib/tooling/find_codeowners.rb 
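Review bot: The new deny keyword `ci` is substituted into `/{,ee/}app/**/*%{keyword}*{,/**/*}`, so `*ci*` excludes every path segment that merely contains that substring, including `app/policies/`; the regenerated CODEOWNERS in this same commit drops `/app/policies/personal_access_token_policy.rb`, which looks like this keyword at work rather than a deleted file. Anchoring it the way the neighbouring entries already do, `- 'ci/'` (with a separate keyword for any `ci_*` file names that still need excluding), keeps the token policy under Authentication review. The same substring matching lets `jwt`, `json_web_token`, `lfs`, `logger` and `mail_room` remove `/lib/gitlab/auth_logger.rb`, `/lib/gitlab/jwt_authenticatable.rb`, `/lib/gitlab/jwt_token.rb` and `/lib/gitlab/lfs_token.rb` from the section, presumably unintentionally given their names; if those files are meant to stay with the authentication approvers, list them under `entries:` so their ownership does not depend on a filename keyword. The `[Compliance]` mapping continues past the end of this hunk.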
@@ -5,43 +5,38 @@ module Tooling class FindCodeowners def execute - load_definitions.each do |section, group_defintions| - puts section + load_definitions.each do |section, section_definition| + puts "#{section} #{section_definition[:group]}" - group_defintions.each do |group, list| - print_entries(group, list[:entries]) if list[:entries] - print_expanded_entries(group, list) if list[:allow] + print_entries(section_definition[:entries]) if section_definition[:entries] + print_expanded_entries(section_definition) if section_definition[:allow] - puts - end + puts end end def load_definitions result = load_config - result.each do |section, group_defintions| - group_defintions.each do |group, definitions| - definitions.transform_values! do |rules| - case rules - when Hash - case rules[:keywords] - when Array - rules[:keywords].flat_map do |keyword| - rules[:patterns].map do |pattern| - pattern % { keyword: keyword } - end + result.each_value do |definitions| + definitions.transform_values! do |rules| + case rules + when Hash + case rules[:keywords] + when Array + rules[:keywords].flat_map do |keyword| + rules[:patterns].map do |pattern| + pattern % { keyword: keyword } end - else - rules[:patterns] end - when Array - rules + else + rules[:patterns] end + when Array, String + rules end end end - result end @@ -97,13 +92,13 @@ def consolidate_paths(matched_files) private - def print_entries(group, entries) + def print_entries(entries) entries.each do |entry| - puts "#{entry} #{group}" + puts entry end end - def print_expanded_entries(group, list) + def print_expanded_entries(list) matched_files = git_ls_files.each_line.select do |line| list[:allow].find do |pattern| path = "/#{line.chomp}" @@ -133,9 +128,9 @@ def print_expanded_entries(group, list) path = line.chomp if File.directory?(path) - puts "/#{path}/ #{group}" + puts "/#{path}/" else - puts "/#{path} #{group}" + puts "/#{path}" end end end
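Review bot: `execute` interpolates `section_definition[:group]` without checking that the new `group:` key is present, so a section whose config omits it prints a header such as `[Section] ` with no default owner and every following entry is emitted without one, which would quietly leave that section of the pasted CODEOWNERS without a required approver. Fetching it explicitly, `puts "#{section} #{section_definition.fetch(:group)}"`, makes a malformed config fail loudly instead. `load_definitions` has the same gap: the `case rules` in `transform_values!` passes a String through via `when Array, String` but has no `else`, so a value of any other type (a symbol, say) silently becomes `nil`. The `FindCodeowners` class body and its remaining helpers continue outside these hunks.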