Class: Gitlab::UsernameBotIdentifier

Inherits:
Object
  • Object
Defined in:
lib/gitlab/username_bot_identifier.rb

Overview

Determines whether a GitLab username appears to be a bot based on known patterns

Constant Summary

# Usernames that #known_bot? reports as bots. The lookup is an exact match
# against the lower-cased username, so entries are written in lower case.
# NOTE(review): the constant name ties this list to GitLab.com; on another
# instance the same names may belong to ordinary users - confirm how callers
# scope the result.
KNOWN_GITLAB_COM_BOT_USERNAMES =
%w[
  codeowner-maintainer-or-manager
  contributors.gitlab.com
  digitalexperience-service
  duo-developer
  employment-bot
  gitlab-argo-bot
  gitlab-bot
  gitlab-crowdin-bot
  gitlab-dependency-bot
  gitlab-dependency-update-bot
  gitlab_devrel_bot
  gitlab-duo-code-reviewer
  gitlab-infra-mgmt-bot
  gitlab-jh-bot
  gitlab-llm-bot
  gitlab-qa
  gitlab-release-tools-bot
  gitlab-security-bot
  gitlabduo
  gitlabreviewerrecommenderbot
  gl-infra-danger-bot
  glrenovatebot
  gl-support-bot
  kubitus-bot
  mr-bot
  ops-gitlab-net
  taucher2003-bot
].freeze
GHOST_ACCOUNT =

Automatically assigned to orphan records (e.g. when a user is deleted)

'ghost1'
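# Username patterns checked by the predicate methods of this class. Every
# pattern is anchored with \A and \z so the whole string has to match. In Ruby
# ^ and $ are line anchors: with them a multi-line value is accepted as soon as
# one of its lines matches, and a trailing newline is tolerated.

# Can be spoofed (e.g. someone can register project_1_bot, project_2_bot_abc123)
PROJECT_ACCESS_TOKEN_REGEX = /\Aproject_\d+_bot_?\w*\z/.freeze
GROUP_ACCESS_TOKEN_REGEX = /\Agroup_\d+_bot_?\w*\z/.freeze
SERVICE_ACCOUNT_REGEX = /\Aservice_account_group_\d+_?\w*\z/.freeze

# Used as best practice by GitLab team members when creating "service accounts"
KNOWN_SERVICE_ACCOUNT_REGEX = /\Agl-service-[-\w]+\z/.freeze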

Instance Method Summary

Constructor Details

#initialize(username) ⇒ UsernameBotIdentifier

Returns a new instance of UsernameBotIdentifier.



# File 'lib/gitlab/username_bot_identifier.rb', line 47

# Wraps a username so the predicate methods of this class can classify it.
#
# @param username [String] stored as given; the #username reader lower-cases
#   it on every read (presumably always a String - confirm against callers)
def initialize(username)
  @username = username
end

Instance Method Details

#bot? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/username_bot_identifier.rb', line 89

# Whether the username looks like an automation account: a listed bot, a
# known service account, a project or group access token user, or a service
# account.
#
# The answer rests on the name alone, so a regular user who registered a
# matching name gets the same verdict. Treat it as a heuristic, not as proof
# of what kind of account this is.
#
# @return [Boolean]
def bot?
  return true if known_bot?
  return true if known_service_account?
  return true if project_or_group_access_token?

  service_account?
end

#ghost? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/username_bot_identifier.rb', line 59

# Whether the lower-cased username equals GHOST_ACCOUNT, the account that
# orphan records are assigned to.
#
# @return [Boolean]
def ghost?
  GHOST_ACCOUNT == username
end

#group_access_token? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/username_bot_identifier.rb', line 74

# Whether the lower-cased username has the shape described by
# GROUP_ACCESS_TOKEN_REGEX. This is a name check only; nothing here looks up
# the account behind the name.
#
# @return [Boolean]
def group_access_token?
  GROUP_ACCESS_TOKEN_REGEX.match?(username)
end

#ignorable_account? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/username_bot_identifier.rb', line 96

# Runs the same checks as #bot? and additionally accepts the ghost account.
# What callers ignore such accounts for is not visible here.
#
# Like every predicate in this class the result is derived from the username
# only, so it can be reproduced by registering a matching name.
#
# @return [Boolean]
def ignorable_account?
  return true if known_bot? || ghost?
  return true if known_service_account?

  project_or_group_access_token? || service_account?
end

#known_bot? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/username_bot_identifier.rb', line 55

# Whether the lower-cased username is one of the entries of
# KNOWN_GITLAB_COM_BOT_USERNAMES (exact match, no pattern involved).
#
# @return [Boolean]
def known_bot?
  KNOWN_GITLAB_COM_BOT_USERNAMES.any? { |bot_name| bot_name == username }
end

#known_service_account? ⇒ Boolean

“known service accounts” are accounts that match the naming convention of service accounts registered by GitLab team members. These accounts are regular user accounts that are used in automations.

Returns:

  • (Boolean)


# File 'lib/gitlab/username_bot_identifier.rb', line 66

# Whether the lower-cased username follows the naming convention captured by
# KNOWN_SERVICE_ACCOUNT_REGEX. The accounts meant by it are regular user
# accounts, so the convention is the only thing this check can see.
#
# @return [Boolean]
def known_service_account?
  KNOWN_SERVICE_ACCOUNT_REGEX.match?(username)
end

#project_access_token? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/username_bot_identifier.rb', line 70

# Whether the lower-cased username has the shape described by
# PROJECT_ACCESS_TOKEN_REGEX.
#
# The constant is documented as spoofable: a regular user can register a
# name of this shape, and this method cannot tell the difference.
#
# @return [Boolean]
def project_access_token?
  PROJECT_ACCESS_TOKEN_REGEX.match?(username)
end

#project_or_group_access_token? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/username_bot_identifier.rb', line 84

# Whether the username matches either access token naming pattern, project
# first and group second.
#
# @return [Boolean]
def project_or_group_access_token?
  return true if project_access_token?

  group_access_token?
end

#service_account? ⇒ Boolean

“service accounts” are accounts that were created through the service accounts feature. See docs.gitlab.com/ee/user/profile/service_accounts.html

Returns:

  • (Boolean)


# File 'lib/gitlab/username_bot_identifier.rb', line 80

# Whether the lower-cased username has the shape described by
# SERVICE_ACCOUNT_REGEX, the naming used for accounts created through the
# service accounts feature. Only the name is examined.
#
# @return [Boolean]
def service_account?
  SERVICE_ACCOUNT_REGEX.match?(username)
end

#username ⇒ Object



# File 'lib/gitlab/username_bot_identifier.rb', line 51

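# Lower-cased form of the username this instance was built with. Every
# predicate in the class reads the name through this method, which makes the
# matching case-insensitive.
#
# A nil username is treated as an empty string instead of raising
# NoMethodError, so a missing name is simply classified as matching nothing.
#
# @return [String]
def username
  @username.to_s.downcase
end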