Test cases for CODEOWNERS regression fix
This is a one-off issue that will serve as a QA task for the fixes being implemented in the next patch release to address the functionality and security concerns raised in the CODEOWNERS issue: gitlab-org/gitlab#217125 (closed)

Delivery will provide ~group::source code and the Security team with links to the Docker images that are built, so that validation can be performed as soon as feasible. I ask that the issue description below be updated with the steps needed to ensure that these images perform as desired.

@m_gill to provide the steps necessary to validate that the backports included here operate as desired functionally:
gitlab-org/gitlab!31152 (merged)

You should be able to add a root group to your CODEOWNERS file and allow its members to approve merge requests:
- Create a project under @root-group
- Add a CODEOWNERS file to the project, and associate README.md with @root-group
- Protect your default branch and require CODEOWNERS approval
- Create a new MR with changes to README.md
- Code Owner approval should be required; the merge request should not be mergeable
- Once approved by a Code Owner, the merge request should be mergeable

You should also be able to add a subgroup that is not invited to your project to your CODEOWNERS file and allow its members to approve merge requests:
- Create a project under @root-group/sub-group
- Add a CODEOWNERS file to the project, and associate README.md with @root-group/sub-group
- Protect your default branch and require CODEOWNERS approval
- Create a new MR with changes to README.md
- Code Owner approval should be required; the merge request should not be mergeable
- Once approved by a Code Owner, the merge request should be mergeable

Additionally, after the merge request is approved by another Code Owner, can a maintainer who is also a Code Owner merge?
gitlab-org/gitlab!31768 (merged)

Maintainers should be able to merge a merge request that has been approved by Code Owners:
- Create a project with a CODEOWNERS file
- Protect the default branch and require code owner approval
- Add 2 members as maintainers, and set 1 of them as CODEOWNER. Associate README.md with that code owner
- Maintainer 1 submits an MR changing README.md
- Maintainer 2 (CODEOWNER) approves the MR
- Maintainer 1 clicks the merge button; it should merge successfully
gitlab-org/gitlab!31283 (merged)

When the `:skip_web_ui_code_owner_validations` feature flag is disabled:
- Protect a branch and require code owner approval
- Make sure the CODEOWNERS file exists and that it specifies a file
- Using the GitLab web interface, navigate to the file, make sure you're on the protected branch and select "Edit"
- Make a change to the file and select "Commit"; it should not allow the commit

When the `:skip_web_ui_code_owner_validations` feature flag is enabled:
- Protect a branch and require code owner approval
- Make sure the CODEOWNERS file exists and that it specifies a file
- Using the GitLab web interface, navigate to the file, make sure you're on the protected branch and select "Edit"
- Make a change to the file and select "Commit"; it should allow the commit
@dcouture and/or @jeremymatos to provide the steps necessary to validate, from a security perspective, that the backports included here operate as desired.

Security check

When the `:skip_web_ui_code_owner_validations` feature flag is disabled:
- As user1, protect a branch and require code owner approval
- As user1, create a file `donttouch.txt` in this branch
- As user1, create a `CODEOWNERS` file with this content: `*.txt @user1`
- Using the GitLab web interface as user2, navigate to `donttouch.txt`, make sure you're on the protected branch and select "Edit"
- Make a change and select "Commit"; it should not allow the commit

When the `:skip_web_ui_code_owner_validations` feature flag is enabled:
- Using the GitLab web interface as user2, navigate to `donttouch.txt`, make sure you're on the protected branch and select "Edit"
- Make a change to the file and select "Commit"; it should allow the commit
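To make the expected outcomes of the steps above concrete for testers, here is an added Python model (not GitLab's own code) of the CODEOWNERS decisions being validated: owner matching for a changed path, group eligibility with and without the project's own group and ancestors (MR 1), and the web-UI commit check gated by `:skip_web_ui_code_owner_validations` (MR 3). The pattern matching is a simplified assumption, and the users, groups and CODEOWNERS content are constructed for the example.

```python
import fnmatch
# Constructed sample CODEOWNERS mirroring the issue's test steps; not taken from the page.
CODEOWNERS = """
README.md @root-group/sub-group
*.txt     @user1
"""

def parse_codeowners(text):
    """Return (pattern, owners) pairs in file order; the last matching entry wins."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            pattern, *owners = line.split()
            entries.append((pattern, owners))
    return entries

def owners_for(path, entries):
    """Simplified matching (assumed here, not GitLab's exact rules): a pattern
    matches the full path or its basename."""
    owners = []
    for pattern, found in entries:
        pat = pattern.lstrip("/")
        if fnmatch.fnmatch(path, pat) or fnmatch.fnmatch(path.rsplit("/", 1)[-1], pat):
            owners = found
    return owners

def eligible_groups(project_namespace, invited_groups, include_ancestors):
    """Groups whose members count as code owners. With include_ancestors (MR 1's
    behaviour) the project's own group and its ancestors qualify, not only invited groups."""
    groups = set(invited_groups)
    if include_ancestors:
        parts = project_namespace.split("/")
        groups.update("/".join(parts[:i]) for i in range(1, len(parts) + 1))
    return groups

def is_code_owner(user, path, entries, members, groups):
    """True if user satisfies the CODEOWNERS entry for path, directly or via an eligible group."""
    for owner in owners_for(path, entries):
        name = owner.lstrip("@")
        if name == user or (name in groups and user in members.get(name, ())):
            return True
    return False

def web_commit_allowed(user, path, entries, members, groups, skip_flag):
    """Web-UI commit to a protected branch: a non-owner is blocked unless the flag is enabled."""
    if skip_flag or not owners_for(path, entries):
        return True
    return is_code_owner(user, path, entries, members, groups)
```

Before the fix, a subgroup that was not invited to the project is not eligible, so its member's approval or web commit is rejected; with the ancestor fix it is accepted, while the flag bypasses the web-UI check entirely.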
This issue is in reference to the upcoming patch releases:
- 12.9.7 - #1332 (closed)
- 12.10.5 - #1333 (closed)
The patches that we are validating:
Version | MR 1: Add project group and ancestors to group list | MR 2: Remove check for user being applicable codeowner | MR 3: Add feature flag for CODEOWNERS validations for web requests |
---|---|---|---|
master | gitlab-org/gitlab!31152 (merged) | gitlab-org/gitlab!31768 (merged) | gitlab-org/gitlab!31283 (merged) (restores check) |
12.10 | gitlab-org/gitlab!31804 (closed) | gitlab-org/gitlab!31809 (merged) | gitlab-org/gitlab!31822 (merged) |
12.9 | gitlab-org/gitlab!31806 (merged) | gitlab-org/gitlab!31808 (merged) | gitlab-org/gitlab!31823 (merged) |