Merge branch...

Merge branch '243555-update-whitelist-blacklist-to-allowlist-denylist-in-signup-restrictions-window-2' into 'master' Use allowlist/denylist in application settings backend See merge request gitlab-org/gitlab!46170

Merge branch...
Merge branch '243555-update-whitelist-blacklist-to-allowlist-denylist-in-signup-restrictions-window-2' into 'master' Use allowlist/denylist in application settings backend See merge request gitlab-org/gitlab!46170
9b03d512 · Alper Akgun · eb632e1d · 40c46f39 · 9b03d512 · 9b03d512
Commit 9b03d512 authored Nov 10, 2020 by Alper Akgun
22 changed files
--- a/app/controllers/admin/application_settings_controller.rb
+++ b/app/controllers/admin/application_settings_controller.rb
@@ -218,8 +218,8 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController

    # TODO Remove domain_denylist_raw in APIv5 (See https://gitlab.com/gitlab-org/gitlab-foss/issues/67204)
    params.delete(:domain_denylist_raw) if params[:domain_denylist_file]
-    params.delete(:domain_denylist_raw) if params[:domain_blacklist]
-    params.delete(:domain_allowlist_raw) if params[:domain_whitelist]
+    params.delete(:domain_denylist_raw) if params[:domain_denylist]
+    params.delete(:domain_allowlist_raw) if params[:domain_allowlist]

    params.require(:application_setting).permit(
      visible_application_setting_attributes

--- a/app/helpers/application_settings_helper.rb
+++ b/app/helpers/application_settings_helper.rb
@@ -199,11 +199,11 @@ module ApplicationSettingsHelper
      :default_projects_limit,
      :default_snippet_visibility,
      :disabled_oauth_sign_in_sources,
-      :domain_blacklist,
-      :domain_blacklist_enabled,
+      :domain_denylist,
+      :domain_denylist_enabled,
      # TODO Remove domain_denylist_raw in APIv5 (See https://gitlab.com/gitlab-org/gitlab-foss/issues/67204)
      :domain_denylist_raw,
-      :domain_whitelist,
+      :domain_allowlist,
      # TODO Remove domain_allowlist_raw in APIv5 (See https://gitlab.com/gitlab-org/gitlab-foss/issues/67204)
      :domain_allowlist_raw,
      :outbound_local_requests_allowlist_raw,

--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -40,8 +40,8 @@ class ApplicationSetting < ApplicationRecord
  serialize :restricted_visibility_levels # rubocop:disable Cop/ActiveRecordSerialize
  serialize :import_sources # rubocop:disable Cop/ActiveRecordSerialize
  serialize :disabled_oauth_sign_in_sources, Array # rubocop:disable Cop/ActiveRecordSerialize
-  serialize :domain_whitelist, Array # rubocop:disable Cop/ActiveRecordSerialize
-  serialize :domain_blacklist, Array # rubocop:disable Cop/ActiveRecordSerialize
+  serialize :domain_allowlist, Array # rubocop:disable Cop/ActiveRecordSerialize
+  serialize :domain_denylist, Array # rubocop:disable Cop/ActiveRecordSerialize
  serialize :repository_storages # rubocop:disable Cop/ActiveRecordSerialize
  serialize :asset_proxy_whitelist, Array # rubocop:disable Cop/ActiveRecordSerialize

@@ -184,9 +184,9 @@ class ApplicationSetting < ApplicationRecord
  validates :enabled_git_access_protocol,
            inclusion: { in: %w(ssh http), allow_blank: true }

-  validates :domain_blacklist,
-            presence: { message: 'Domain blacklist cannot be empty if Blacklist is enabled.' },
-            if: :domain_blacklist_enabled?
+  validates :domain_denylist,
+            presence: { message: 'Domain denylist cannot be empty if denylist is enabled.' },
+            if: :domain_denylist_enabled?

  validates :housekeeping_incremental_repack_period,
            presence: true,

--- a/app/models/application_setting_implementation.rb
+++ b/app/models/application_setting_implementation.rb
@@ -60,7 +60,7 @@ module ApplicationSettingImplementation
        diff_max_patch_bytes: Gitlab::Git::Diff::DEFAULT_MAX_PATCH_BYTES,
        disabled_oauth_sign_in_sources: [],
        dns_rebinding_protection_enabled: true,
-        domain_whitelist: Settings.gitlab['domain_whitelist'],
+        domain_allowlist: Settings.gitlab['domain_allowlist'],
        dsa_key_restriction: 0,
        ecdsa_key_restriction: 0,
        ed25519_key_restriction: 0,
@@ -203,19 +203,19 @@ module ApplicationSettingImplementation
  end

  def domain_allowlist_raw
-    array_to_string(self.domain_whitelist)
+    array_to_string(self.domain_allowlist)
  end

  def domain_denylist_raw
-    array_to_string(self.domain_blacklist)
+    array_to_string(self.domain_denylist)
  end

  def domain_allowlist_raw=(values)
-    self.domain_whitelist = strings_to_array(values)
+    self.domain_allowlist = strings_to_array(values)
  end

  def domain_denylist_raw=(values)
-    self.domain_blacklist = strings_to_array(values)
+    self.domain_denylist = strings_to_array(values)
  end

  def domain_denylist_file=(file)
@@ -242,7 +242,7 @@ module ApplicationSettingImplementation
  end

  # This method separates out the strings stored in the
-  # application_setting.outbound_local_requests_allowlist array into 2 arrays;
+  # application_setting.outbound_local_requests_whitelist array into 2 arrays;
  # an array of IPAddr objects (`[IPAddr.new('127.0.0.1')]`), and an array of
  # domain strings (`['www.example.com']`).
  def outbound_local_requests_allowlist_arrays

--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1843,15 +1843,15 @@ class User < ApplicationRecord
    valid = true
    error = nil

-    if Gitlab::CurrentSettings.domain_blacklist_enabled?
-      blocked_domains = Gitlab::CurrentSettings.domain_blacklist
+    if Gitlab::CurrentSettings.domain_denylist_enabled?
+      blocked_domains = Gitlab::CurrentSettings.domain_denylist
      if domain_matches?(blocked_domains, email)
        error = 'is not from an allowed domain.'
        valid = false
      end
    end

-    allowed_domains = Gitlab::CurrentSettings.domain_whitelist
+    allowed_domains = Gitlab::CurrentSettings.domain_allowlist
    unless allowed_domains.blank?
      if domain_matches?(allowed_domains, email)
        valid = true

--- a/app/views/admin/application_settings/_signup.html.haml
+++ b/app/views/admin/application_settings/_signup.html.haml
@@ -31,14 +31,14 @@
      .form-text.text-muted
        = _("See GitLab's %{password_policy_guidelines}").html_safe % { password_policy_guidelines: password_policy_guidelines_link }
    .form-group
-      = f.label :domain_whitelist, _('Allowed domains for sign-ups'), class: 'label-bold'
+      = f.label :domain_allowlist, _('Allowed domains for sign-ups'), class: 'label-bold'
      = f.text_area :domain_allowlist_raw, placeholder: 'domain.com', class: 'form-control', rows: 8
      .form-text.text-muted ONLY users with e-mail addresses that match these domain(s) will be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: domain.com, *.domain.com
    .form-group
-      = f.label :domain_blacklist_enabled, _('Domain denylist'), class: 'label-bold'
+      = f.label :domain_denylist_enabled, _('Domain denylist'), class: 'label-bold'
      .form-check
-        = f.check_box :domain_blacklist_enabled, class: 'form-check-input'
-        = f.label :domain_blacklist_enabled, class: 'form-check-label' do
+        = f.check_box :domain_denylist_enabled, class: 'form-check-input'
+        = f.label :domain_denylist_enabled, class: 'form-check-label' do
          Enable domain denylist for sign ups
    .form-group
      .form-check
@@ -47,7 +47,7 @@
          .option-title
            Upload denylist file
      .form-check
-        = radio_button_tag :denylist_type, :raw, @application_setting.domain_blacklist.present? || @application_setting.domain_blacklist.blank?, class: 'form-check-input'
+        = radio_button_tag :denylist_type, :raw, @application_setting.domain_denylist.present? || @application_setting.domain_denylist.blank?, class: 'form-check-input'
        = label_tag :denylist_type_raw, class: 'form-check-label' do
          .option-title
            Enter denylist manually
@@ -56,7 +56,7 @@
      = f.file_field :domain_denylist_file, class: 'form-control', accept: '.txt,.conf'
      .form-text.text-muted Users with e-mail addresses that match these domain(s) will NOT be able to sign-up. Wildcards allowed. Use separate lines or commas for multiple entries.
    .form-group.js-denylist-raw
-      = f.label :domain_blacklist, _('Denied domains for sign-ups'), class: 'label-bold'
+      = f.label :domain_denylist, _('Denied domains for sign-ups'), class: 'label-bold'
      = f.text_area :domain_denylist_raw, placeholder: 'domain.com', class: 'form-control', rows: 8
      .form-text.text-muted Users with e-mail addresses that match these domain(s) will NOT be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: domain.com, *.domain.com
    .form-group

--- a/changelogs/unreleased/dstull-update-whitelist-blacklist-to-allowlist-denylist-in-signup-restric.yml
+++ b/changelogs/unreleased/dstull-update-whitelist-blacklist-to-allowlist-denylist-in-signup-restric.yml
+---
+title: Use allowlist/denylist in application settings backend
+merge_request: 46170
+author:
+type: changed
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -198,7 +198,7 @@ Settings.gitlab.default_projects_features['snippets']           = true if Settin
 Settings.gitlab.default_projects_features['builds']             = true if Settings.gitlab.default_projects_features['builds'].nil?
 Settings.gitlab.default_projects_features['container_registry'] = true if Settings.gitlab.default_projects_features['container_registry'].nil?
 Settings.gitlab.default_projects_features['visibility_level']   = Settings.__send__(:verify_constant, Gitlab::VisibilityLevel, Settings.gitlab.default_projects_features['visibility_level'], Gitlab::VisibilityLevel::PRIVATE)
-Settings.gitlab['domain_whitelist'] ||= []
+Settings.gitlab['domain_allowlist'] ||= []
 Settings.gitlab['import_sources'] ||= Gitlab::ImportSources.values
 Settings.gitlab['trusted_proxies'] ||= []
 Settings.gitlab['content_security_policy'] ||= Gitlab::ContentSecurityPolicy::ConfigLoader.default_settings_hash

--- a/db/migrate/20201029143650_rename_application_settings_to_allow_deny_names.rb
+++ b/db/migrate/20201029143650_rename_application_settings_to_allow_deny_names.rb
+# frozen_string_literal: true
+
+class RenameApplicationSettingsToAllowDenyNames < ActiveRecord::Migration[6.0]
+  include Gitlab::Database::MigrationHelpers
+
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    rename_column_concurrently :application_settings, :domain_blacklist_enabled, :domain_denylist_enabled
+    rename_column_concurrently :application_settings, :domain_blacklist, :domain_denylist
+    rename_column_concurrently :application_settings, :domain_whitelist, :domain_allowlist
+  end
+
+  def down
+    undo_rename_column_concurrently :application_settings, :domain_blacklist_enabled, :domain_denylist_enabled
+    undo_rename_column_concurrently :application_settings, :domain_blacklist, :domain_denylist
+    undo_rename_column_concurrently :application_settings, :domain_whitelist, :domain_allowlist
+  end
+end
--- a/db/post_migrate/20201029144157_cleanup_application_settings_to_allow_deny_rename.rb
+++ b/db/post_migrate/20201029144157_cleanup_application_settings_to_allow_deny_rename.rb
+# frozen_string_literal: true
+
+class CleanupApplicationSettingsToAllowDenyRename < ActiveRecord::Migration[6.0]
+  include Gitlab::Database::MigrationHelpers
+
+  disable_ddl_transaction!
+
+  def up
+    cleanup_concurrent_column_rename :application_settings, :domain_blacklist_enabled, :domain_denylist_enabled
+    cleanup_concurrent_column_rename :application_settings, :domain_blacklist, :domain_denylist
+    cleanup_concurrent_column_rename :application_settings, :domain_whitelist, :domain_allowlist
+  end
+
+  def down
+    undo_cleanup_concurrent_column_rename :application_settings, :domain_blacklist_enabled, :domain_denylist_enabled
+    undo_cleanup_concurrent_column_rename :application_settings, :domain_blacklist, :domain_denylist
+    undo_cleanup_concurrent_column_rename :application_settings, :domain_whitelist, :domain_allowlist
+  end
+end
--- a/db/schema_migrations/20201029143650
+++ b/db/schema_migrations/20201029143650
+c718bc731f7dc3e1f0104dfdb79a3dc46c46849153ec9b228600eeb5a92465e7
\ No newline at end of file
--- a/db/schema_migrations/20201029144157
+++ b/db/schema_migrations/20201029144157
+a61310c95a1302871ea18881d45bc0c7357baa8f24daa31b7e2174318dab5707
\ No newline at end of file
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -9083,7 +9083,6 @@ CREATE TABLE application_settings (
    max_attachment_size integer DEFAULT 10 NOT NULL,
    default_project_visibility integer DEFAULT 0 NOT NULL,
    default_snippet_visibility integer DEFAULT 0 NOT NULL,
-    domain_whitelist text,
    user_oauth_applications boolean DEFAULT true,
    after_sign_out_path character varying,
    session_expire_delay integer DEFAULT 10080 NOT NULL,
@@ -9119,8 +9118,6 @@ CREATE TABLE application_settings (
    elasticsearch_search boolean DEFAULT false NOT NULL,
    repository_storages character varying DEFAULT 'default'::character varying,
    enabled_git_access_protocol character varying,
-    domain_blacklist_enabled boolean DEFAULT false,
-    domain_blacklist text,
    usage_ping_enabled boolean DEFAULT true NOT NULL,
    sign_in_text_html text,
    help_page_text_html text,
@@ -9341,6 +9338,9 @@ CREATE TABLE application_settings (
    secret_detection_token_revocation_url text,
    encrypted_secret_detection_token_revocation_token text,
    encrypted_secret_detection_token_revocation_token_iv text,
+    domain_denylist_enabled boolean DEFAULT false,
+    domain_denylist text,
+    domain_allowlist text,
    new_user_signups_cap integer,
    CONSTRAINT app_settings_registry_exp_policies_worker_capacity_positive CHECK ((container_registry_expiration_policies_worker_capacity >= 0)),
    CONSTRAINT check_2dba05b802 CHECK ((char_length(gitpod_url) <= 255)),

--- a/doc/api/settings.md
+++ b/doc/api/settings.md
@@ -43,9 +43,9 @@ Example response:
   "home_page_url" : null,
   "default_snippet_visibility" : "private",
   "outbound_local_requests_whitelist": [],
-   "domain_whitelist" : [],
-   "domain_blacklist_enabled" : false,
-   "domain_blacklist" : [],
+   "domain_allowlist" : [],
+   "domain_denylist_enabled" : false,
+   "domain_denylist" : [],
   "created_at" : "2016-01-04T15:44:55.176Z",
   "default_ci_config_path" : null,
   "default_project_visibility" : "private",
@@ -134,9 +134,9 @@ Example response:
  "default_snippet_visibility": "private",
  "default_group_visibility": "private",
  "outbound_local_requests_whitelist": [],
-  "domain_whitelist": [],
-  "domain_blacklist_enabled" : false,
-  "domain_blacklist" : [],
+  "domain_allowlist": [],
+  "domain_denylist_enabled" : false,
+  "domain_denylist" : [],
  "external_authorization_service_enabled": true,
  "external_authorization_service_url": "https://authorize.me",
  "external_authorization_service_default_label": "default",
@@ -233,9 +233,9 @@ listed in the descriptions of the relevant settings.
 | `diff_max_patch_bytes`                   | integer          | no                                   | Maximum diff patch size (Bytes). |
 | `disabled_oauth_sign_in_sources`         | array of strings | no                                   | Disabled OAuth sign-in sources. |
 | `dns_rebinding_protection_enabled`       | boolean          | no                                   | Enforce DNS rebinding attack protection. |
-| `domain_blacklist_enabled`               | boolean          | no                                   | (**If enabled, requires:** `domain_blacklist`) Allows blocking sign-ups from emails from specific domains. |
-| `domain_blacklist`                       | array of strings | no                                   | Users with e-mail addresses that match these domain(s) will NOT be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: `domain.com`, `*.domain.com`. |
-| `domain_whitelist`                       | array of strings | no                                   | Force people to use only corporate emails for sign-up. Default is `null`, meaning there is no restriction. |
+| `domain_denylist_enabled`                | boolean          | no                                   | (**If enabled, requires:** `domain_denylist`) Allows blocking sign-ups from emails from specific domains. |
+| `domain_denylist`                        | array of strings | no                                   | Users with e-mail addresses that match these domain(s) will NOT be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: `domain.com`, `*.domain.com`. |
+| `domain_allowlist`                       | array of strings | no                                   | Force people to use only corporate emails for sign-up. Default is `null`, meaning there is no restriction. |
 | `dsa_key_restriction`                    | integer          | no                                   | The minimum allowed bit length of an uploaded DSA key. Default is `0` (no restriction). `-1` disables DSA keys. |
 | `ecdsa_key_restriction`                  | integer          | no                                   | The minimum allowed curve size (in bits) of an uploaded ECDSA key. Default is `0` (no restriction). `-1` disables ECDSA keys. |
 | `ed25519_key_restriction`                | integer          | no                                   | The minimum allowed curve size (in bits) of an uploaded ED25519 key. Default is `0` (no restriction). `-1` disables ED25519 keys. |

--- a/doc/development/what_requires_downtime.md
+++ b/doc/development/what_requires_downtime.md
@@ -94,6 +94,8 @@ renaming. For example
 class RenameUsersUpdatedAtToUpdatedAtTimestamp < ActiveRecord::Migration[4.2]
  include Gitlab::Database::MigrationHelpers

+  DOWNTIME = false
+
  disable_ddl_transaction!

  def up

--- a/lib/api/settings.rb
+++ b/lib/api/settings.rb
@@ -53,9 +53,9 @@ module API
      optional :default_projects_limit, type: Integer, desc: 'The maximum number of personal projects'
      optional :default_snippet_visibility, type: String, values: Gitlab::VisibilityLevel.string_values, desc: 'The default snippet visibility'
      optional :disabled_oauth_sign_in_sources, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'Disable certain OAuth sign-in sources'
-      optional :domain_blacklist_enabled, type: Boolean, desc: 'Enable domain blacklist for sign ups'
-      optional :domain_blacklist, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'Users with e-mail addresses that match these domain(s) will NOT be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: domain.com, *.domain.com'
-      optional :domain_whitelist, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'ONLY users with e-mail addresses that match these domain(s) will be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: domain.com, *.domain.com'
+      optional :domain_denylist_enabled, type: Boolean, desc: 'Enable domain denylist for sign ups'
+      optional :domain_denylist, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'Users with e-mail addresses that match these domain(s) will NOT be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: domain.com, *.domain.com'
+      optional :domain_allowlist, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'ONLY users with e-mail addresses that match these domain(s) will be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: domain.com, *.domain.com'
      optional :eks_integration_enabled, type: Boolean, desc: 'Enable integration with Amazon EKS'
      given eks_integration_enabled: -> (val) { val } do
        requires :eks_account_id, type: String, desc: 'Amazon account ID for EKS integration'

--- a/lib/gitlab/url_blocker.rb
+++ b/lib/gitlab/url_blocker.rb
@@ -113,7 +113,7 @@ module Gitlab
        end
      rescue SocketError
        # If the dns rebinding protection is not enabled or the domain
-        # is whitelisted we avoid the dns rebinding checks
+        # is allowed we avoid the dns rebinding checks
        return if domain_allowed?(uri) || !dns_rebind_protection

        # In the test suite we use a lot of mocked urls that are either invalid or

--- a/spec/lib/gitlab/url_blocker_spec.rb
+++ b/spec/lib/gitlab/url_blocker_spec.rb
@@ -350,7 +350,7 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
          expect(described_class).to be_blocked_url('http://[fe80::c800:eff:fe74:8]', allow_local_network: false)
        end

-        context 'when local domain/IP is whitelisted' do
+        context 'when local domain/IP is allowed' do
          let(:url_blocker_attributes) do
            {
              allow_localhost: false,
@@ -360,11 +360,11 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do

          before do
            allow(ApplicationSetting).to receive(:current).and_return(ApplicationSetting.new)
-            stub_application_setting(outbound_local_requests_whitelist: whitelist)
+            stub_application_setting(outbound_local_requests_whitelist: allowlist)
          end

-          context 'with IPs in whitelist' do
-            let(:whitelist) do
+          context 'with IPs in allowlist' do
+            let(:allowlist) do
              [
                '0.0.0.0',
                '127.0.0.1',
@@ -396,7 +396,7 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do

            it_behaves_like 'allows local requests', { allow_localhost: false, allow_local_network: false }

-            it 'whitelists IP when dns_rebind_protection is disabled' do
+            it 'allows IP when dns_rebind_protection is disabled' do
              url = "http://example.com"
              attrs = url_blocker_attributes.merge(dns_rebind_protection: false)

@@ -410,8 +410,8 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
            end
          end

-          context 'with domains in whitelist' do
-            let(:whitelist) do
+          context 'with domains in allowlist' do
+            let(:allowlist) do
              [
                'www.example.com',
                'example.com',
@@ -420,7 +420,7 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
              ]
            end

-            it 'allows domains present in whitelist' do
+            it 'allows domains present in allowlist' do
              domain = 'example.com'
              subdomain1 = 'www.example.com'
              subdomain2 = 'subdomain.example.com'
@@ -435,7 +435,7 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
                  url_blocker_attributes)
              end

-              # subdomain2 is not part of the whitelist so it should be blocked
+              # subdomain2 is not part of the allowlist so it should be blocked
              stub_domain_resolv(subdomain2, '192.168.1.1') do
                expect(described_class).to be_blocked_url("http://#{subdomain2}",
                  url_blocker_attributes)
@@ -458,8 +458,8 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
            end

            shared_examples 'dns rebinding checks' do
-              shared_examples 'whitelists the domain' do
-                let(:whitelist) { [domain] }
+              shared_examples 'allowlists the domain' do
+                let(:allowlist) { [domain] }
                let(:url) { "http://#{domain}" }

                before do
@@ -475,13 +475,13 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
                context 'enabled' do
                  let(:dns_rebind_value) { true }

-                  it_behaves_like 'whitelists the domain'
+                  it_behaves_like 'allowlists the domain'
                end

                context 'disabled' do
                  let(:dns_rebind_value) { false }

-                  it_behaves_like 'whitelists the domain'
+                  it_behaves_like 'allowlists the domain'
                end
              end
            end
@@ -504,11 +504,11 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
          end

          context 'with ports' do
-            let(:whitelist) do
+            let(:allowlist) do
              ["127.0.0.1:2000"]
            end

-            it 'allows domain with port when resolved ip has port whitelisted' do
+            it 'allows domain with port when resolved ip has port allowed' do
              stub_domain_resolv("www.resolve-domain.com", '127.0.0.1') do
                expect(described_class).not_to be_blocked_url("http://www.resolve-domain.com:2000", url_blocker_attributes)
              end

--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -319,7 +319,7 @@ RSpec.describe User do
        expect(subject).to validate_presence_of(:username)
      end

-      it 'rejects blacklisted names' do
+      it 'rejects denied names' do
        user = build(:user, username: 'dashboard')

        expect(user).not_to be_valid
@@ -442,9 +442,9 @@ RSpec.describe User do
    end

    describe 'email' do
-      context 'when no signup domains whitelisted' do
+      context 'when no signup domains allowed' do
        before do
-          allow_any_instance_of(ApplicationSetting).to receive(:domain_whitelist).and_return([])
+          allow_any_instance_of(ApplicationSetting).to receive(:domain_allowlist).and_return([])
        end

        it 'accepts any email' do
@@ -455,7 +455,7 @@ RSpec.describe User do

      context 'bad regex' do
        before do
-          allow_any_instance_of(ApplicationSetting).to receive(:domain_whitelist).and_return(['([a-zA-Z0-9]+)+\.com'])
+          allow_any_instance_of(ApplicationSetting).to receive(:domain_allowlist).and_return(['([a-zA-Z0-9]+)+\.com'])
        end

        it 'does not hang on evil input' do
@@ -467,9 +467,9 @@ RSpec.describe User do
        end
      end

-      context 'when a signup domain is whitelisted and subdomains are allowed' do
+      context 'when a signup domain is allowed and subdomains are allowed' do
        before do
-          allow_any_instance_of(ApplicationSetting).to receive(:domain_whitelist).and_return(['example.com', '*.example.com'])
+          allow_any_instance_of(ApplicationSetting).to receive(:domain_allowlist).and_return(['example.com', '*.example.com'])
        end

        it 'accepts info@example.com' do
@@ -488,9 +488,9 @@ RSpec.describe User do
        end
      end

-      context 'when a signup domain is whitelisted and subdomains are not allowed' do
+      context 'when a signup domain is allowed and subdomains are not allowed' do
        before do
-          allow_any_instance_of(ApplicationSetting).to receive(:domain_whitelist).and_return(['example.com'])
+          allow_any_instance_of(ApplicationSetting).to receive(:domain_allowlist).and_return(['example.com'])
        end

        it 'accepts info@example.com' do
@@ -514,15 +514,15 @@ RSpec.describe User do
        end
      end

-      context 'domain blacklist' do
+      context 'domain denylist' do
        before do
-          allow_any_instance_of(ApplicationSetting).to receive(:domain_blacklist_enabled?).and_return(true)
-          allow_any_instance_of(ApplicationSetting).to receive(:domain_blacklist).and_return(['example.com'])
+          allow_any_instance_of(ApplicationSetting).to receive(:domain_denylist_enabled?).and_return(true)
+          allow_any_instance_of(ApplicationSetting).to receive(:domain_denylist).and_return(['example.com'])
        end

        context 'bad regex' do
          before do
-            allow_any_instance_of(ApplicationSetting).to receive(:domain_blacklist).and_return(['([a-zA-Z0-9]+)+\.com'])
+            allow_any_instance_of(ApplicationSetting).to receive(:domain_denylist).and_return(['([a-zA-Z0-9]+)+\.com'])
          end

          it 'does not hang on evil input' do
@@ -534,7 +534,7 @@ RSpec.describe User do
          end
        end

-        context 'when a signup domain is blacklisted' do
+        context 'when a signup domain is denied' do
          it 'accepts info@test.com' do
            user = build(:user, email: 'info@test.com')
            expect(user).to be_valid
@@ -551,13 +551,13 @@ RSpec.describe User do
          end
        end

-        context 'when a signup domain is blacklisted but a wildcard subdomain is allowed' do
+        context 'when a signup domain is denied but a wildcard subdomain is allowed' do
          before do
-            allow_any_instance_of(ApplicationSetting).to receive(:domain_blacklist).and_return(['test.example.com'])
-            allow_any_instance_of(ApplicationSetting).to receive(:domain_whitelist).and_return(['*.example.com'])
+            allow_any_instance_of(ApplicationSetting).to receive(:domain_denylist).and_return(['test.example.com'])
+            allow_any_instance_of(ApplicationSetting).to receive(:domain_allowlist).and_return(['*.example.com'])
          end

-          it 'gives priority to whitelist and allow info@test.example.com' do
+          it 'gives priority to allowlist and allow info@test.example.com' do
            user = build(:user, email: 'info@test.example.com')
            expect(user).to be_valid
          end
@@ -565,7 +565,7 @@ RSpec.describe User do

        context 'with both lists containing a domain' do
          before do
-            allow_any_instance_of(ApplicationSetting).to receive(:domain_whitelist).and_return(['test.com'])
+            allow_any_instance_of(ApplicationSetting).to receive(:domain_allowlist).and_return(['test.com'])
          end

          it 'accepts info@test.com' do
@@ -3637,9 +3637,9 @@ RSpec.describe User do
      end
    end

-    context 'when a domain whitelist is in place' do
+    context 'when a domain allowlist is in place' do
      before do
-        stub_application_setting(domain_whitelist: ['gitlab.com'])
+        stub_application_setting(domain_allowlist: ['gitlab.com'])
      end

      it 'creates a ghost user' do

--- a/spec/requests/api/settings_spec.rb
+++ b/spec/requests/api/settings_spec.rb
@@ -379,41 +379,41 @@ RSpec.describe API::Settings, 'Settings' do
      end
    end

-    context 'domain_blacklist settings' do
-      it 'rejects domain_blacklist_enabled when domain_blacklist is empty' do
+    context 'domain_denylist settings' do
+      it 'rejects domain_denylist_enabled when domain_denylist is empty' do
        put api('/application/settings', admin),
          params: {
-            domain_blacklist_enabled: true,
-            domain_blacklist: []
+            domain_denylist_enabled: true,
+            domain_denylist: []
          }

        expect(response).to have_gitlab_http_status(:bad_request)
        message = json_response["message"]
-        expect(message["domain_blacklist"]).to eq(["Domain blacklist cannot be empty if Blacklist is enabled."])
+        expect(message["domain_denylist"]).to eq(["Domain denylist cannot be empty if denylist is enabled."])
      end

-      it 'allows array for domain_blacklist' do
+      it 'allows array for domain_denylist' do
        put api('/application/settings', admin),
          params: {
-            domain_blacklist_enabled: true,
-            domain_blacklist: ['domain1.com', 'domain2.com']
+            domain_denylist_enabled: true,
+            domain_denylist: ['domain1.com', 'domain2.com']
          }

        expect(response).to have_gitlab_http_status(:ok)
-        expect(json_response['domain_blacklist_enabled']).to be(true)
-        expect(json_response['domain_blacklist']).to eq(['domain1.com', 'domain2.com'])
+        expect(json_response['domain_denylist_enabled']).to be(true)
+        expect(json_response['domain_denylist']).to eq(['domain1.com', 'domain2.com'])
      end

-      it 'allows a string for domain_blacklist' do
+      it 'allows a string for domain_denylist' do
        put api('/application/settings', admin),
          params: {
-            domain_blacklist_enabled: true,
-            domain_blacklist: 'domain3.com, *.domain4.com'
+            domain_denylist_enabled: true,
+            domain_denylist: 'domain3.com, *.domain4.com'
          }

        expect(response).to have_gitlab_http_status(:ok)
-        expect(json_response['domain_blacklist_enabled']).to be(true)
-        expect(json_response['domain_blacklist']).to eq(['domain3.com', '*.domain4.com'])
+        expect(json_response['domain_denylist_enabled']).to be(true)
+        expect(json_response['domain_denylist']).to eq(['domain3.com', '*.domain4.com'])
      end
    end


--- a/spec/services/application_settings/update_service_spec.rb
+++ b/spec/services/application_settings/update_service_spec.rb
@@ -66,7 +66,7 @@ RSpec.describe ApplicationSettings::UpdateService do
    context 'when params is blank' do
      let(:params) { {} }

-      it 'does not add to whitelist' do
+      it 'does not add to allowlist' do
        expect { subject.execute }.not_to change {
          application_settings.outbound_local_requests_whitelist
        }
@@ -80,7 +80,7 @@ RSpec.describe ApplicationSettings::UpdateService do

      let(:params) { { add_to_outbound_local_requests_whitelist: ['example.com', ''] } }

-      it 'adds to whitelist' do
+      it 'adds to allowlist' do
        expect { subject.execute }.to change {
          application_settings.outbound_local_requests_whitelist
        }
@@ -98,7 +98,7 @@ RSpec.describe ApplicationSettings::UpdateService do

      let(:params) { { outbound_local_requests_allowlist_raw: 'example.com;gitlab.com' } }

-      it 'overwrites the existing whitelist' do
+      it 'overwrites the existing allowlist' do
        expect { subject.execute }.to change {
          application_settings.outbound_local_requests_whitelist
        }

--- a/spec/support/shared_examples/models/application_setting_shared_examples.rb
+++ b/spec/support/shared_examples/models/application_setting_shared_examples.rb
@@ -49,15 +49,15 @@ end

 RSpec.shared_examples 'application settings examples' do
  context 'restricted signup domains' do
-    it_behaves_like 'string of domains', :domain_allowlist, :domain_whitelist
+    it_behaves_like 'string of domains', :domain_allowlist, :domain_allowlist
  end

-  context 'blacklisted signup domains' do
-    it_behaves_like 'string of domains', :domain_denylist, :domain_blacklist
+  context 'denied signup domains' do
+    it_behaves_like 'string of domains', :domain_denylist, :domain_denylist

    it 'sets multiple domain with file' do
      setting.domain_denylist_file = File.open(Rails.root.join('spec/fixtures/', 'domain_denylist.txt'))
-      expect(setting.domain_blacklist).to contain_exactly('example.com', 'test.com', 'foo.bar')
+      expect(setting.domain_denylist).to contain_exactly('example.com', 'test.com', 'foo.bar')
    end
  end