Class: Gitlab::UsernameBotIdentifier

Inherits:
Object
  • Object
Defined in:
lib/gitlab/username_bot_identifier.rb

Overview

Determines whether a GitLab username appears to be a bot, based on known patterns.

Constant Summary

KNOWN_GITLAB_COM_BOT_USERNAMES =
%w[
  codeowner-maintainer-or-manager
  contributors.gitlab.com
  digitalexperience-service
  duo-developer
  employment-bot
  gitlab-argo-bot
  gitlab-bot
  gitlab-crowdin-bot
  gitlab-dependency-bot
  gitlab-dependency-update-bot
  gitlab_devrel_bot
  gitlab-duo-code-reviewer
  gitlab-infra-mgmt-bot
  gitlab-jh-bot
  gitlab-llm-bot
  gitlab-qa
  gitlab-release-tools-bot
  gitlab-security-bot
  gitlabduo
  gitlabreviewerrecommenderbot
  gl-infra-danger-bot
  glrenovatebot
  gl-support-bot
  kubitus-bot
  mr-bot
  ops-gitlab-net
  taucher2003-bot
].freeze
GHOST_ACCOUNT =

Automatically assigned to orphan records (e.g. when a user is deleted)

'ghost1'
PROJECT_ACCESS_TOKEN_REGEX =

Can be spoofed (e.g. someone can register project_1_bot, project_2_bot_abc123)

/^project_\d+_bot_?\w*$/.freeze
GROUP_ACCESS_TOKEN_REGEX =
/^group_\d+_bot_?\w*$/.freeze
SERVICE_ACCOUNT_REGEX =
/^service_account_(group|project)_\d+_?\w*$/.freeze
KNOWN_SERVICE_ACCOUNT_REGEX =

Used as best practice by GitLab team members when creating “service accounts”

/^gl-service-[-\w]+$/.freeze
GITLAB_DUO_AGENT_REGEX =

GitLab Duo and AI agent accounts start with duo-, duo_, ai-, or ai_. Examples: duo-developer-gitlab-com, duo_fix_ci_cd_pipeline, ai-code-reviewer, ai_assistant

/^(duo[-_]|ai[-_])/.freeze

Instance Method Summary

Constructor Details

#initialize(username) ⇒ UsernameBotIdentifier

Returns a new instance of UsernameBotIdentifier.



# File 'lib/gitlab/username_bot_identifier.rb', line 51

def initialize(username)
  @username = username
end

Instance Method Details

#bot? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/username_bot_identifier.rb', line 98

def bot?
  known_bot? ||
    known_service_account? ||
    project_or_group_access_token? ||
    service_account? ||
    gitlab_duo_service_account?
end

#ghost? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/username_bot_identifier.rb', line 63

def ghost?
  username == GHOST_ACCOUNT
end

#gitlab_duo_service_account? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/username_bot_identifier.rb', line 89

def gitlab_duo_service_account?
  username.match?(GITLAB_DUO_AGENT_REGEX)
end

#group_access_token? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/username_bot_identifier.rb', line 78

def group_access_token?
  username.match?(GROUP_ACCESS_TOKEN_REGEX)
end

#ignorable_account? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/username_bot_identifier.rb', line 106

def ignorable_account?
  known_bot? ||
    ghost? ||
    known_service_account? ||
    project_or_group_access_token? ||
    service_account? ||
    gitlab_duo_service_account?
end

#known_bot? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/username_bot_identifier.rb', line 59

def known_bot?
  KNOWN_GITLAB_COM_BOT_USERNAMES.include?(username)
end

#known_service_account? ⇒ Boolean

“known service accounts” are accounts that match the naming convention of service accounts registered by GitLab team members. These accounts are regular user accounts that are used in automations.

Returns:

  • (Boolean)


# File 'lib/gitlab/username_bot_identifier.rb', line 70

def known_service_account?
  username.match?(KNOWN_SERVICE_ACCOUNT_REGEX)
end

#project_access_token? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/username_bot_identifier.rb', line 74

def project_access_token?
  username.match?(PROJECT_ACCESS_TOKEN_REGEX)
end

#project_or_group_access_token? ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/gitlab/username_bot_identifier.rb', line 93

def project_or_group_access_token?
  project_access_token? ||
    group_access_token?
end

#service_account? ⇒ Boolean

“service accounts” are accounts created through the service accounts feature, scoped to either a group or a project. See docs.gitlab.com/ee/user/profile/service_accounts.html

Returns:

  • (Boolean)


# File 'lib/gitlab/username_bot_identifier.rb', line 85

def service_account?
  username.match?(SERVICE_ACCOUNT_REGEX)
end

#username ⇒ Object



# File 'lib/gitlab/username_bot_identifier.rb', line 55

def username
  @username.downcase
end
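
An added example (not GitLab's code) that reports which of the rules documented above a username satisfies, so a caller can tell an exact-list match from a name-shape match such as the project access token pattern the page notes can be spoofed. `matched_rules`, `line_anchored_match_only?`, `STRICT_PROJECT_TOKEN` and the sample usernames are assumptions of this example; the page does not say how usernames are validated before they reach the class.

```ruby
# Added example: patterns copied from the constants on this page; the exact-match
# list is shortened to four names taken from the page's list.
KNOWN_BOTS = %w[duo-developer gitlab-bot gitlab-qa mr-bot].freeze

# Rule name => predicate, in the order bot? evaluates them on this page.
RULES = {
  known_bot:             ->(u) { KNOWN_BOTS.include?(u) },
  known_service_account: ->(u) { u.match?(/^gl-service-[-\w]+$/) },
  project_access_token:  ->(u) { u.match?(/^project_\d+_bot_?\w*$/) },
  group_access_token:    ->(u) { u.match?(/^group_\d+_bot_?\w*$/) },
  service_account:       ->(u) { u.match?(/^service_account_(group|project)_\d+_?\w*$/) },
  gitlab_duo_agent:      ->(u) { u.match?(/^(duo[-_]|ai[-_])/) }
}.freeze

# Every rule a username satisfies, after the same downcase the class applies.
# (matched_rules is a hypothetical helper, not a method of the class.)
def matched_rules(username)
  name = username.to_s.downcase
  RULES.select { |_label, rule| rule.call(name) }.keys
end

# Ruby's ^ and $ anchor at line boundaries; \A and \z anchor at string
# boundaries. True when a value passes only because of line anchoring.
STRICT_PROJECT_TOKEN = /\Aproject_\d+_bot_?\w*\z/
def line_anchored_match_only?(value)
  value.match?(/^project_\d+_bot_?\w*$/) && !value.match?(STRICT_PROJECT_TOKEN)
end

# Constructed sample usernames (not real accounts).
SAMPLES = ["GitLab-QA", "project_2_bot_abc123", "ai-dan-smith", "aidan", "duo-developer"].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |u| puts format("%-22s %s", u, matched_rules(u).inspect) }
  puts line_anchored_match_only?("alice\nproject_1_bot")
end
```

An empty result means no rule matched; a result containing only pattern rules means the classification rests on the shape of the name alone, so it suits filtering and reporting rather than any trust decision.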