Strictly require compliance group approval for relevant changes

cf5ddec5 · Lin Jen-Shin · Max Woolf · c2c0e85d · cf5ddec5 · cf5ddec5
Commit cf5ddec5 authored 2 years ago by Lin Jen-Shin Committed by Max Woolf 2 years ago
--- a/.gitlab/CODEOWNERS
+++ b/.gitlab/CODEOWNERS
@@ -1057,3 +1057,142 @@ lib/gitlab/checks/** @proglottis @toon @zj-gitlab
 /lib/system_check/incoming_email/imap_authentication_check.rb @gitlab-org/manage/authentication-and-authorization/approvers
 /lib/tasks/gitlab/password.rake @gitlab-org/manage/authentication-and-authorization/approvers
 /lib/tasks/tokens.rake @gitlab-org/manage/authentication-and-authorization/approvers
+
+[Compliance]
+/ee/app/services/audit_events/build_service.rb @gitlab-org/manage/compliance
+/ee/spec/services/audit_events/custom_audit_event_service_spec.rb @gitlab-org/manage/compliance
+/app/models/audit_event.rb @gitlab-org/manage/compliance
+/app/services/audit_event_service.rb @gitlab-org/manage/compliance
+/app/services/concerns/audit_event_save_type.rb @gitlab-org/manage/compliance
+/app/views/profiles/audit_log.html.haml @gitlab-org/manage/compliance
+/config/feature_flags/development/custom_headers_streaming_audit_events_ui.yml @gitlab-org/manage/compliance
+/data/deprecations/14-3-repository-push-audit-events.yml @gitlab-org/manage/compliance
+/data/removals/15_0/removal_manage_repository_push_audit_event.yml @gitlab-org/manage/compliance
+/db/docs/audit_events.yml @gitlab-org/manage/compliance
+/db/docs/audit_events_external_audit_event_destinations.yml @gitlab-org/manage/compliance
+/db/docs/audit_events_streaming_headers.yml @gitlab-org/manage/compliance
+/db/migrate/20210819185500_create_external_audit_event_destinations_table.rb @gitlab-org/manage/compliance
+/db/migrate/20220524141800_create_audit_events_streaming_headers.rb @gitlab-org/manage/compliance
+/db/post_migrate/20210331105335_drop_non_partitioned_audit_events.rb @gitlab-org/manage/compliance
+/db/post_migrate/20220119094503_populate_audit_event_streaming_verification_token.rb @gitlab-org/manage/compliance
+/doc/administration/audit_event_streaming.md @gitlab-org/manage/compliance
+/doc/administration/audit_events.md @gitlab-org/manage/compliance
+/doc/administration/audit_reports.md @gitlab-org/manage/compliance
+/doc/administration/auditor_users.md @gitlab-org/manage/compliance
+/doc/api/audit_events.md @gitlab-org/manage/compliance
+/doc/api/graphql/audit_report.md @gitlab-org/manage/compliance
+/ee/app/assets/javascripts/audit_events/components/audit_events_app.vue @gitlab-org/manage/compliance
+/ee/app/assets/javascripts/audit_events/components/audit_events_export_button.vue @gitlab-org/manage/compliance
+/ee/app/assets/javascripts/audit_events/components/audit_events_filter.vue @gitlab-org/manage/compliance
+/ee/app/assets/javascripts/audit_events/components/audit_events_log.vue @gitlab-org/manage/compliance
+/ee/app/assets/javascripts/audit_events/components/audit_events_stream.vue @gitlab-org/manage/compliance
+/ee/app/assets/javascripts/audit_events/components/audit_events_table.vue @gitlab-org/manage/compliance
+/ee/app/assets/javascripts/audit_events/components/tokens/shared/ @gitlab-org/manage/compliance
+/ee/app/assets/javascripts/audit_events/init_audit_events.js @gitlab-org/manage/compliance
+/ee/app/controllers/admin/audit_log_reports_controller.rb @gitlab-org/manage/compliance
+/ee/app/controllers/admin/audit_logs_controller.rb @gitlab-org/manage/compliance
+/ee/app/controllers/concerns/audit_events/audit_events_params.rb @gitlab-org/manage/compliance
+/ee/app/controllers/groups/audit_events_controller.rb @gitlab-org/manage/compliance
+/ee/app/controllers/projects/audit_events_controller.rb @gitlab-org/manage/compliance
+/ee/app/finders/audit_event_finder.rb @gitlab-org/manage/compliance
+/ee/app/graphql/types/audit_events/external_audit_event_destination_type.rb @gitlab-org/manage/compliance
+/ee/app/helpers/audit_events_helper.rb @gitlab-org/manage/compliance
+/ee/app/helpers/auditor_user_helper.rb @gitlab-org/manage/compliance
+/ee/app/models/audit_events/external_audit_event_destination.rb @gitlab-org/manage/compliance
+/ee/app/models/concerns/auditable.rb @gitlab-org/manage/compliance
+/ee/app/models/ee/audit_event.rb @gitlab-org/manage/compliance
+/ee/app/policies/audit_events/external_audit_event_destination_policy.rb @gitlab-org/manage/compliance
+/ee/app/presenters/audit_event_presenter.rb @gitlab-org/manage/compliance
+/ee/app/serializers/audit_event_entity.rb @gitlab-org/manage/compliance
+/ee/app/serializers/audit_event_serializer.rb @gitlab-org/manage/compliance
+/ee/app/services/ci/audit_variable_change_service.rb @gitlab-org/manage/compliance
+/ee/app/services/ee/audit_event_service.rb @gitlab-org/manage/compliance
+/ee/app/views/admin/users/_auditor_access_level_radio.html.haml @gitlab-org/manage/compliance
+/ee/app/views/admin/users/_auditor_user_badge.html.haml @gitlab-org/manage/compliance
+/ee/app/views/shared/icons/_icon_audit_events_purple.svg @gitlab-org/manage/compliance
+/ee/app/views/shared/promotions/_promote_audit_events.html.haml @gitlab-org/manage/compliance
+/ee/app/workers/audit_events/audit_event_streaming_worker.rb @gitlab-org/manage/compliance
+/ee/config/events/1652263097_groups__audit_events__index_click_streams_tab.yml @gitlab-org/manage/compliance
+/ee/config/events/202108302307_admin_audit_logs_index_click_date_range_button.yml @gitlab-org/manage/compliance
+/ee/config/events/202108302307_groups__audit_events_controller_search_audit_event.yml @gitlab-org/manage/compliance
+/ee/config/events/202108302307_profiles_controller_search_audit_event.yml @gitlab-org/manage/compliance
+/ee/config/events/202108302307_projects__audit_events_controller_search_audit_event.yml @gitlab-org/manage/compliance
+/ee/config/events/202111041910_admin__audit_logs_controller_search_audit_event.yml @gitlab-org/manage/compliance
+/ee/config/feature_flags/development/audit_event_streaming_git_operations.yml @gitlab-org/manage/compliance
+/ee/config/feature_flags/development/audit_log_group_level.yml @gitlab-org/manage/compliance
+/ee/config/metrics/counts_28d/20210216183930_g_compliance_audit_events_monthly.yml @gitlab-org/manage/compliance
+/ee/config/metrics/counts_28d/20210216183934_i_compliance_audit_events_monthly.yml @gitlab-org/manage/compliance
+/ee/config/metrics/counts_28d/20210216183942_a_compliance_audit_events_api_monthly.yml @gitlab-org/manage/compliance
+/ee/config/metrics/counts_28d/20211130085433_g_manage_compliance_audit_event_destinations.yml @gitlab-org/manage/compliance
+/ee/config/metrics/counts_7d/20210216183906_g_compliance_audit_events.yml @gitlab-org/manage/compliance
+/ee/config/metrics/counts_7d/20210216183908_i_compliance_audit_events.yml @gitlab-org/manage/compliance
+/ee/config/metrics/counts_7d/20210216183912_a_compliance_audit_events_api.yml @gitlab-org/manage/compliance
+/ee/config/metrics/counts_7d/20210216183928_g_compliance_audit_events_weekly.yml @gitlab-org/manage/compliance
+/ee/config/metrics/counts_7d/20210216183932_i_compliance_audit_events_weekly.yml @gitlab-org/manage/compliance
+/ee/config/metrics/counts_7d/20210216183940_a_compliance_audit_events_api_weekly.yml @gitlab-org/manage/compliance
+/ee/config/metrics/counts_all/20211130085433_g_manage_compliance_audit_event_destinations.yml @gitlab-org/manage/compliance
+/ee/lib/api/audit_events.rb @gitlab-org/manage/compliance
+/ee/lib/audit/external_status_check_changes_auditor.rb @gitlab-org/manage/compliance
+/ee/lib/audit/group_merge_request_approval_setting_changes_auditor.rb @gitlab-org/manage/compliance
+/ee/lib/audit/group_push_rules_changes_auditor.rb @gitlab-org/manage/compliance
+/ee/lib/ee/api/entities/audit_event.rb @gitlab-org/manage/compliance
+/ee/lib/ee/audit/ @gitlab-org/manage/compliance
+/ee/lib/gitlab/audit/auditor.rb @gitlab-org/manage/compliance
+/ee/spec/controllers/admin/audit_log_reports_controller_spec.rb @gitlab-org/manage/compliance
+/ee/spec/controllers/admin/audit_logs_controller_spec.rb @gitlab-org/manage/compliance
+/ee/spec/controllers/groups/audit_events_controller_spec.rb @gitlab-org/manage/compliance
+/ee/spec/controllers/projects/audit_events_controller_spec.rb @gitlab-org/manage/compliance
+/ee/spec/factories/audit_events/external_audit_event_destinations.rb @gitlab-org/manage/compliance
+/ee/spec/features/admin/admin_audit_logs_spec.rb @gitlab-org/manage/compliance
+/ee/spec/features/groups/audit_events_spec.rb @gitlab-org/manage/compliance
+/ee/spec/features/projects/audit_events_spec.rb @gitlab-org/manage/compliance
+/ee/spec/finders/audit_event_finder_spec.rb @gitlab-org/manage/compliance
+/ee/spec/fixtures/api/schemas/public_api/v4/audit_event.json @gitlab-org/manage/compliance
+/ee/spec/fixtures/api/schemas/public_api/v4/audit_events.json @gitlab-org/manage/compliance
+/ee/spec/frontend/audit_events/components/__snapshots__/ @gitlab-org/manage/compliance
+/ee/spec/frontend/audit_events/components/audit_events_app_spec.js @gitlab-org/manage/compliance
+/ee/spec/frontend/audit_events/components/audit_events_export_button_spec.js @gitlab-org/manage/compliance
+/ee/spec/frontend/audit_events/components/audit_events_filter_spec.js @gitlab-org/manage/compliance
+/ee/spec/frontend/audit_events/components/audit_events_logs_spec.js @gitlab-org/manage/compliance
+/ee/spec/frontend/audit_events/components/audit_events_stream_spec.js @gitlab-org/manage/compliance
+/ee/spec/frontend/audit_events/components/audit_events_table_spec.js @gitlab-org/manage/compliance
+/ee/spec/frontend/audit_events/components/tokens/shared/ @gitlab-org/manage/compliance
+/ee/spec/graphql/types/audit_events/exterrnal_audit_event_destination_type_spec.rb @gitlab-org/manage/compliance
+/ee/spec/helpers/audit_events_helper_spec.rb @gitlab-org/manage/compliance
+/ee/spec/lib/audit/external_status_check_changes_auditor_spec.rb @gitlab-org/manage/compliance
+/ee/spec/lib/audit/group_merge_request_approval_setting_changes_auditor_spec.rb @gitlab-org/manage/compliance
+/ee/spec/lib/audit/group_push_rules_changes_auditor_spec.rb @gitlab-org/manage/compliance
+/ee/spec/lib/ee/audit/ @gitlab-org/manage/compliance
+/ee/spec/lib/gitlab/audit/auditor_spec.rb @gitlab-org/manage/compliance
+/ee/spec/models/audit_events/external_audit_event_destination_spec.rb @gitlab-org/manage/compliance
+/ee/spec/models/concerns/auditable_spec.rb @gitlab-org/manage/compliance
+/ee/spec/models/ee/audit_event_spec.rb @gitlab-org/manage/compliance
+/ee/spec/presenters/audit_event_presenter_spec.rb @gitlab-org/manage/compliance
+/ee/spec/requests/admin/audit_events_spec.rb @gitlab-org/manage/compliance
+/ee/spec/requests/api/audit_events_spec.rb @gitlab-org/manage/compliance
+/ee/spec/requests/api/graphql/group/external_audit_event_destinations_spec.rb @gitlab-org/manage/compliance
+/ee/spec/requests/groups/audit_events_spec.rb @gitlab-org/manage/compliance
+/ee/spec/requests/projects/audit_events_spec.rb @gitlab-org/manage/compliance
+/ee/spec/serializers/audit_event_entity_spec.rb @gitlab-org/manage/compliance
+/ee/spec/serializers/audit_event_serializer_spec.rb @gitlab-org/manage/compliance
+/ee/spec/services/audit_event_service_spec.rb @gitlab-org/manage/compliance
+/ee/spec/support/shared_contexts/audit_event_not_licensed_shared_context.rb @gitlab-org/manage/compliance
+/ee/spec/support/shared_contexts/audit_event_queue_shared_context.rb @gitlab-org/manage/compliance
+/ee/spec/support/shared_examples/audit/ @gitlab-org/manage/compliance
+/ee/spec/support/shared_examples/features/audit_events_filter_shared_examples.rb @gitlab-org/manage/compliance
+/ee/spec/support/shared_examples/services/audit_event_logging_shared_examples.rb @gitlab-org/manage/compliance
+/ee/spec/workers/audit_events/audit_event_streaming_worker_spec.rb @gitlab-org/manage/compliance
+/lib/gitlab/audit_json_logger.rb @gitlab-org/manage/compliance
+/qa/qa/ee/page/admin/monitoring/ @gitlab-org/manage/compliance
+/qa/qa/specs/features/ee/browser_ui/1_manage/group/group_audit_logs_1_spec.rb @gitlab-org/manage/compliance
+/qa/qa/specs/features/ee/browser_ui/1_manage/group/group_audit_logs_2_spec.rb @gitlab-org/manage/compliance
+/qa/qa/specs/features/ee/browser_ui/1_manage/instance/ @gitlab-org/manage/compliance
+/qa/qa/specs/features/ee/browser_ui/1_manage/project/project_audit_logs_spec.rb @gitlab-org/manage/compliance
+/spec/factories/audit_events.rb @gitlab-org/manage/compliance
+/spec/migrations/populate_audit_event_streaming_verification_token_spec.rb @gitlab-org/manage/compliance
+/spec/models/audit_event_spec.rb @gitlab-org/manage/compliance
+/spec/services/audit_event_service_spec.rb @gitlab-org/manage/compliance
+/spec/services/concerns/audit_event_save_type_spec.rb @gitlab-org/manage/compliance
+/spec/support/shared_examples/sends_git_audit_streaming_event_shared_examples.rb @gitlab-org/manage/compliance
+/spec/views/profiles/audit_log.html.haml_spec.rb @gitlab-org/manage/compliance
+/vendor/project_templates/hipaa_audit_protocol.tar.gz @gitlab-org/manage/compliance
--- a/data/removals/15_0/removal_manage_ repository_push_audit_event.yml
+++ b/data/removals/15_0/removal_manage_ repository_push_audit_event.yml
--- a/spec/tooling/lib/tooling/find_codeowners_spec.rb
+++ b/spec/tooling/lib/tooling/find_codeowners_spec.rb
@@ -11,6 +11,7 @@
      allow(subject).to receive(:load_config).and_return(
        '[Section name]': {
          '@group': {
+            entries: %w[whatever entries],
            allow: {
              keywords: %w[dir0 file],
              patterns: ['/%{keyword}/**/*', '/%{keyword}']
@@ -31,8 +32,11 @@
        end
      end.to output(<<~CODEOWNERS).to_stdout
        [Section name]
+        whatever @group
+        entries @group
        /dir0/dir1/ @group
        /file @group
+
      CODEOWNERS
    end
  end
@@ -57,21 +61,33 @@
                patterns: ['%{keyword}']
              }
            }
+          },
+          '[Compliance]': {
+            '@gitlab-org/manage/compliance': {
+              entries: %w[
+                /ee/app/services/audit_events/build_service.rb
+              ],
+              allow: {
+                patterns: %w[
+                  /ee/app/services/audit_events/*
+                ]
+              }
+            }
          }
        }
      )
    end

    it 'expands the allow and deny list with keywords and patterns' do
-      subject.load_definitions.each do |section, group_defintions|
-        group_defintions.each do |group, definitions|
-          expect(definitions[:allow]).to be_an(Array)
-          expect(definitions[:deny]).to be_an(Array)
-        end
+      group_defintions = subject.load_definitions[:'[Authentication and Authorization]']
+
+      group_defintions.each do |group, definitions|
+        expect(definitions[:allow]).to be_an(Array)
+        expect(definitions[:deny]).to be_an(Array)
      end
    end

-    it 'expands the auth group' do
+    it 'expands the patterns for the auth group' do
      auth = subject.load_definitions.dig(
        :'[Authentication and Authorization]',
        :'@gitlab-org/manage/authentication-and-authorization')
@@ -95,6 +111,21 @@
        ]
      )
    end
+
+    it 'retains the array and expands the patterns for the compliance group' do
+      compliance = subject.load_definitions.dig(
+        :'[Compliance]',
+        :'@gitlab-org/manage/compliance')
+
+      expect(compliance).to eq(
+        entries: %w[
+          /ee/app/services/audit_events/build_service.rb
+        ],
+        allow: %w[
+          /ee/app/services/audit_events/*
+        ]
+      )
+    end
  end

  describe '#load_config' do

--- a/tooling/config/CODEOWNERS.yml
+++ b/tooling/config/CODEOWNERS.yml
@@ -55,3 +55,24 @@
        - '/lib/gitlab/conan_token.rb'
      patterns:
        - '%{keyword}'
+
+'[Compliance]':
+  '@gitlab-org/manage/compliance':
+    entries:
+      - '/ee/app/services/audit_events/build_service.rb'
+      - '/ee/spec/services/audit_events/custom_audit_event_service_spec.rb'
+    allow:
+      keywords:
+        - audit
+      patterns:
+        - '**%{keyword}**'
+    deny:
+      keywords:
+        - '*.png'
+        - '*bundler-audit*'
+        - '/ee/app/services/audit_events/*'
+        - '/ee/spec/services/audit_events/*'
+        - '/ee/spec/services/ci/*'
+        - '/ee/spec/services/personal_access_tokens/*'
+      patterns:
+        - '%{keyword}'
--- a/tooling/lib/tooling/find_codeowners.rb
+++ b/tooling/lib/tooling/find_codeowners.rb
@@ -9,37 +9,10 @@ def execute
        puts section

        group_defintions.each do |group, list|
-          matched_files = git_ls_files.each_line.select do |line|
-            list[:allow].find do |pattern|
-              path = "/#{line.chomp}"
+          print_entries(group, list[:entries]) if list[:entries]
+          print_expanded_entries(group, list) if list[:allow]

-              path_matches?(pattern, path) &&
-                list[:deny].none? { |pattern| path_matches?(pattern, path) }
-            end
-          end
-
-          consolidated = consolidate_paths(matched_files)
-          consolidated_again = consolidate_paths(consolidated)
-
-          # Consider the directory structure is a tree structure:
-          # https://en.wikipedia.org/wiki/Tree_(data_structure)
-          # After we consolidated the leaf entries, it could be possible that
-          # we can consolidate further for the new leaves. Repeat this
-          # process until we see no improvements.
-          while consolidated_again.size < consolidated.size
-            consolidated = consolidated_again
-            consolidated_again = consolidate_paths(consolidated)
-          end
-
-          consolidated.each do |line|
-            path = line.chomp
-
-            if File.directory?(path)
-              puts "/#{path}/ #{group}"
-            else
-              puts "/#{path} #{group}"
-            end
-          end
+          puts
        end
      end
    end
@@ -50,10 +23,20 @@ def load_definitions
      result.each do |section, group_defintions|
        group_defintions.each do |group, definitions|
          definitions.transform_values! do |rules|
-            rules[:keywords].flat_map do |keyword|
-              rules[:patterns].map do |pattern|
-                pattern % { keyword: keyword }
+            case rules
+            when Hash
+              case rules[:keywords]
+              when Array
+                rules[:keywords].flat_map do |keyword|
+                  rules[:patterns].map do |pattern|
+                    pattern % { keyword: keyword }
+                  end
+                end
+              else
+                rules[:patterns]
              end
+            when Array
+              rules
            end
          end
        end
@@ -118,6 +101,49 @@ def consolidate_paths(matched_files)

    private

+    def print_entries(group, entries)
+      entries.each do |entry|
+        puts "#{entry} #{group}"
+      end
+    end
+
+    def print_expanded_entries(group, list)
+      matched_files = git_ls_files.each_line.select do |line|
+        list[:allow].find do |pattern|
+          path = "/#{line.chomp}"
+
+          path_matches?(pattern, path) &&
+            (
+              list[:deny].nil? ||
+              list[:deny].none? { |pattern| path_matches?(pattern, path) }
+            )
+        end
+      end
+
+      consolidated = consolidate_paths(matched_files)
+      consolidated_again = consolidate_paths(consolidated)
+
+      # Consider the directory structure is a tree structure:
+      # https://en.wikipedia.org/wiki/Tree_(data_structure)
+      # After we consolidated the leaf entries, it could be possible that
+      # we can consolidate further for the new leaves. Repeat this
+      # process until we see no improvements.
+      while consolidated_again.size < consolidated.size
+        consolidated = consolidated_again
+        consolidated_again = consolidate_paths(consolidated)
+      end
+
+      consolidated.each do |line|
+        path = line.chomp
+
+        if File.directory?(path)
+          puts "/#{path}/ #{group}"
+        else
+          puts "/#{path} #{group}"
+        end
+      end
+    end
+
    def find_dir_maxdepth_1(dir)
      `find #{dir} -maxdepth 1`
    end