
Test cases for CODEOWNERS regression fix

This is a one-off issue that will serve as a QA task for the fixes being implemented in the next patch release to address the functionality and security concerns raised in the CODEOWNERS issue: gitlab-org/gitlab#217125 (closed)

Delivery will provide group::source code and the Security team with links to the Docker images that are built, so that the validation can be performed as soon as feasibly possible. I ask that the issue description below be updated with the steps needed to ensure that these images perform as desired.

@m_gill to provide the steps necessary to validate functionally that the backports included here operate as desired:

  1. gitlab-org/gitlab!31152 (merged)
    1. You should be able to add a root group to your CODEOWNERS file and allow them to approve merge requests
      1. Create a project under @root-group
      2. Add a CODEOWNERS file to the project, and associate README.md to @root-group
      3. Protect your default branch and require CODEOWNERS approval
      4. Create a new MR with changes to README.md
      5. Code Owner approval should be required, the merge request should not be mergeable
      6. Once approved by a Code Owner, the merge request should be mergeable
    2. You should also be able to add a subgroup that is not invited to your project to your CODEOWNERS file and allow its members to approve merge requests
      1. Create a project under @root-group/sub-group
      2. Add a CODEOWNERS file to the project, and associate README.md to @root-group/sub-group
      3. Protect your default branch and require CODEOWNERS approval
      4. Create a new MR with changes to README.md
      5. Code Owner approval should be required, the merge request should not be mergeable
      6. Once approved by a Code Owner, the merge request should be mergeable
    3. Additionally, after the merge request is approved by another Code Owner, confirm whether a maintainer who is also a Code Owner can merge
  2. gitlab-org/gitlab!31768 (merged)
    1. Maintainers should be able to merge a merge request that has been approved by Code Owners
      1. Create a project with CODEOWNERS file
      2. Protect the default branch and require code owner approval
      3. Add two members as maintainers and make one of them a Code Owner by associating README.md with that user in CODEOWNERS
      4. Maintainer 1 submits an MR to the README
      5. Maintainer 2 (CODEOWNER) approves the MR.
      6. Maintainer 1 clicks the merge button and it should merge successfully
  3. gitlab-org/gitlab!31283 (merged)
    1. When the :skip_web_ui_code_owner_validations feature flag is disabled
      1. Protect a branch and require code owner approval
      2. Make sure the CODEOWNERS file exists and that it assigns an owner to a file
      3. Using the GitLab web interface, navigate to that file, make sure you're on the protected branch and select "Edit"
      4. Make a change to the file and select "Commit" - it should not allow the commit
    2. When the :skip_web_ui_code_owner_validations feature flag is enabled
      1. Protect a branch and require code owner approval
      2. Make sure the CODEOWNERS file exists and that it assigns an owner to a file
      3. Using the GitLab web interface, navigate to that file, make sure you're on the protected branch and select "Edit"
      4. Make a change to the file and select "Commit" - it should allow the commit

@dcouture and/or @jeremymatos to provide the steps necessary to validate, from a security perspective, that the backports included here operate as desired.

  1. Security check
    1. When the :skip_web_ui_code_owner_validations feature flag is disabled
      1. As user1, protect a branch and require code owner approval
      2. As user1, create a file donttouch.txt in this branch
      3. As user1, create a CODEOWNERS file whose content is the single line: *.txt @user1
      4. Using the GitLab web interface as user2, navigate to donttouch.txt, make sure you're on the protected branch and select "Edit"
      5. Make a change and select "Commit" - it should not allow the commit
    2. When the :skip_web_ui_code_owner_validations feature flag is enabled (same project and users as above)
      1. Using the GitLab web interface as user2, navigate to donttouch.txt, make sure you're on the protected branch and select "Edit"
      2. Make a change to the file and select "Commit" - it should allow the commit
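The three behaviours exercised by the functional and security steps above (group ancestors counting as eligible code owners, a maintainer merging an MR that code owners approved, and the web-UI commit check behind the :skip_web_ui_code_owner_validations flag) modelled in Ruby as an added example. This is not GitLab's own code: apart from the page's `*.txt @user1` entry, the sample CODEOWNERS, the group directory, the user and group names and the gitignore-style matching subset are assumptions, and the model assumes the web-UI rejection does not depend on who commits, which is all the page's steps (a non-owner, user2) exercise.

```ruby
# Added model of the three CODEOWNERS behaviours this QA issue exercises.
# Illustration only, not GitLab's own code; matching is a gitignore-style subset.

# Constructed sample CODEOWNERS: "*.txt @user1" is the page's own security
# check, the other two entries are invented for illustration.
CODEOWNERS = <<~FILE
  # owners for text files, docs and the readme
  *.txt       @user1
  docs/       @root-group/sub-group
  /README.md  @root-group
FILE

# Constructed group directory (group full path => members). Any @owner not
# listed here is treated as a plain username.
GROUP_MEMBERS = {
  "root-group"           => ["alice"],
  "root-group/sub-group" => ["bob"]
}.freeze

# namespace: full path of the group owning the project. The project's own group
# and all of its ancestors are always eligible (MR 1), plus invited groups.
Project = Struct.new(:namespace, :invited_groups) do
  def eligible_groups
    parts = namespace.split("/")
    (1..parts.size).map { |i| parts.first(i).join("/") } | Array(invited_groups)
  end
end

# [pattern, owners] pairs in file order; blank and '#' lines are skipped.
def parse_codeowners(text)
  text.lines.map(&:split).reject { |t| t.empty? || t.first.start_with?("#") }
      .map { |pattern, *owners| [pattern, owners] }
end

# gitignore-style globbing: '**' spans directories, '*' and '?' do not.
def glob_to_regex(pattern)
  pattern.gsub(/\*\*|\*|\?|[^*?]+/) do |tok|
    case tok
    when "**" then ".*"
    when "*" then "[^/]*"
    when "?" then "[^/]"
    else Regexp.escape(tok)
    end
  end
end

# A leading '/' (or a '/' inside the pattern) anchors it at the repository
# root, a trailing '/' matches everything under that directory, and anything
# else may match at any depth.
def pattern_matches?(pattern, path)
  body = pattern.gsub(%r{\A/+|/+\z}, "")
  anchored = pattern.start_with?("/") || body.include?("/")
  regex = glob_to_regex(body)
  regex += "/.+" if pattern.end_with?("/")
  regex = "(.*/)?" + regex unless anchored
  path.match?(/\A#{regex}\z/)
end

# Last matching entry wins (GitLab CODEOWNERS precedence); no match => no owners.
def owners_for(path, rules)
  rules.select { |pattern, _| pattern_matches?(pattern, path) }.map(&:last).last || []
end

# Users who can satisfy the code owner rule for `path`; a group entry counts
# only when that group is eligible for the project.
def eligible_approvers(path, rules, project, groups = GROUP_MEMBERS)
  owners_for(path, rules).flat_map do |owner|
    name = owner.delete_prefix("@")
    next [name] unless groups.key?(name)
    project.eligible_groups.include?(name) ? groups[name] : []
  end.uniq
end

# Every code-owned changed path needs an approval from one of its owners.
def approved_by_code_owners?(changed_paths, approvers, rules, project, groups = GROUP_MEMBERS)
  changed_paths.all? do |path|
    required = eligible_approvers(path, rules, project, groups)
    required.empty? || !(required & approvers).empty?
  end
end

# MR 2 behaviour: a maintainer may merge once code owners have approved,
# whether or not the maintainer is a code owner themself.
def can_merge?(changed_paths, approvers, merger_role, rules, project, groups = GROUP_MEMBERS)
  merger_role == :maintainer &&
    approved_by_code_owners?(changed_paths, approvers, rules, project, groups)
end

# MR 3 behaviour: a direct web-UI commit to a protected branch that requires
# code owner approval is rejected when it touches any code-owned path, unless
# :skip_web_ui_code_owner_validations is enabled (the unsafe setting).
# Assumption: rejection does not depend on who commits (the page only tests user2).
def web_commit_allowed?(changed_paths, rules, branch_protected: true,
                        require_code_owner_approval: true, skip_web_ui_code_owner_validations: false)
  return true unless branch_protected && require_code_owner_approval
  return true if skip_web_ui_code_owner_validations
  changed_paths.none? { |path| !owners_for(path, rules).empty? }
end
```

With the sample file, `owners_for("donttouch.txt", rules)` is `["@user1"]`, so `web_commit_allowed?(["donttouch.txt"], rules)` is false until the skip flag is passed as true, which is exactly the pair of outcomes the security check above expects; `eligible_approvers("README.md", rules, Project.new("root-group/sub-group", []))` resolves to the root group's member even though that group was never invited, matching the first functional scenario.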

This issue is in reference to the upcoming patch releases:


The patches that we are validating:

| Version | MR 1: Add project group and ancestors to group list | MR 2: Remove check for user being applicable codeowner | MR 3: Add feature flag for CODEOWNERS validations for web requests |
| --- | --- | --- | --- |
| master | gitlab-org/gitlab!31152 (merged) | gitlab-org/gitlab!31768 (merged) | gitlab-org/gitlab!31283 (merged) (restores check) |
| 12.10 | gitlab-org/gitlab!31804 (closed) | gitlab-org/gitlab!31809 (merged) | gitlab-org/gitlab!31822 (merged) |
| 12.9 | gitlab-org/gitlab!31806 (merged) | gitlab-org/gitlab!31808 (merged) | gitlab-org/gitlab!31823 (merged) |
Edited by Dominic Couture