Inaccessible Code Owner validation

Original Description

This is a follow up to CODEOWNERS syntax/format validation (#216066 - closed) to implement the Inaccessible owner check. We need to parse each owner for an entry and ensure that the owners are accessible to the project as if the rules are being applied to an MR.

We need to consider how we implement this as we will be querying the database. We will need to extract the references and then use our group and user loaders to find the records and then create a list of missing references and map those back to the codeowner file.

https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/lib/gitlab/code_owners/reference_extractor.rb https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/lib/gitlab/code_owners/groups_loader.rb https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/lib/gitlab/code_owners/users_loader.rb

Our other validators will add an error and attach a line number to the error which is displayed in the UI. We also normally don't show the text that is an exception e.g. Entries with no owners (1) -> line 26. From a UX perspective we will need to display the offending references so users can even begin debugging. I think it's probably more useful to group by owner rather than line so the format 1 is probably better:

Format 1

Inaccessible owners (2)
-> @unknown_user
---> line 29
---> line 46
---> line 82
---> line 129
-> unknown@user.com
---> line 46
---> line 99

#### Format 2

Inaccessible owners (2)
-> line 29
---> @unknown_user
-> line 46
---> @unknown_user
---> unknown@user.com
-> line 82
---> @unknown_user
-> line 99
---> unknown@user.com
-> line 129
---> @unknown_user

Format 2 is more consistent with the original designs image

We need to create a validator to check if the owners for an entry are accessible. For users this means they are part of the project, and for groups this means they have been invited to the project.

We currently have a User Permissions Check which loads all of the users for an entry and checks if they can approve an MR. Any that cannot approve are marked with an error message.

We need to insert a Inaccessible Owner Check before this check to ensure owners are accessible before testing if they have approval permissions.

The end result will look something like this.

flowchart TB
  1[Inaccessible Owner Check]
  1-- Send user references to -->2[User Permission Check]
  1-- Send group references to -->3[Group Max Role Check]
  3-- Send users inside group to -->4[Group Users Permission Check]

To achieve this we need to extract the parsing logic from User Permission Check into it's own class. As we start from the smallest permission and work our way up to the most detailed permission we can extract the owners in this new check and then pass the valid owners down the stack. Only accessible users will be passed on to the user permissions check and accessible groups will be passed onto the group checks.

We also need some frontend work to display these new error types.

I recommend checking the work that went into the user permissions check for how this logic works:

Status

This feature has been implemented behind a feature flag. Rollout can be tracked via [Feature flag] Rollout of `accessible_code_owne... (#524437 - closed)

Edited by Joe Woodward