Add latest changes from gitlab-org/gitlab@master

.gitlab/CODEOWNERS

@@ -573,7 +573,7 @@ lib/gitlab/checks/**
 /doc/administration/credentials_inventory.md @jglassman1
 /doc/administration/custom_html_header_tags.md @eread
 /doc/administration/custom_project_templates.md @brendan777
-/doc/administration/dedicated/ @lyspin
+/doc/administration/dedicated/ @emily.sahlani
 /doc/administration/dedicated/hosted_runners.md @rsarangadharan
 /doc/administration/diff_limits.md @brendan777
 /doc/administration/docs_self_host.md @axil
@@ -795,6 +795,7 @@ lib/gitlab/checks/**
 /doc/api/markdown.md @msedlakjakubowski
 /doc/api/member_roles.md @jglassman1
 /doc/api/members.md @jglassman1
+/doc/api/merge_request_approval_settings.md @brendan777
 /doc/api/merge_request_approvals.md @aqualls
 /doc/api/merge_request_context_commits.md @aqualls
 /doc/api/merge_requests.md @aqualls
@@ -950,32 +951,32 @@ lib/gitlab/checks/**
 /doc/development/cicd/ @gitlab-org/maintainers/cicd-verify
 /doc/development/contributing/verify/ @gitlab-org/maintainers/cicd-verify
 /doc/development/database/ @abdwdd @alexpooley @manojmj
-/doc/development/distributed_tracing.md @gitlab-org/analytics-section/platform-insights/engineers
+/doc/development/distributed_tracing.md @gitlab-org/analytics-section/product-analytics/engineers/frontend
 /doc/development/distribution/ @gitlab-org/distribution
 /doc/development/documentation/ @fneill
 /doc/development/duo_workflow/ @gitlab-org/ai-powered
-/doc/development/fe_guide/customizable_dashboards.md @gitlab-org/analytics-section/platform-insights/engineers/frontend @gitlab-org/plan-stage/optimize-group/engineers/frontend
+/doc/development/fe_guide/customizable_dashboards.md @gitlab-org/analytics-section/product-analytics/engineers/frontend
 /doc/development/fe_guide/keyboard_shortcuts.md @gitlab-org/foundations/engineering
 /doc/development/git_object_deduplication.md @proglottis @toon
 /doc/development/gitaly.md @proglottis @toon
 /doc/development/gitpod_internals.md @gl-quality/eng-prod
 /doc/development/image_scaling.md @abdwdd @alexpooley @manojmj
-/doc/development/internal_analytics/ @gitlab-org/analytics-section/platform-insights/engineers @gitlab-org/analytics-section/analytics-instrumentation/engineers
-/doc/development/logging.md @gitlab-org/analytics-section/platform-insights/engineers
+/doc/development/internal_analytics/ @gitlab-org/analytics-section/product-analytics/engineers/frontend @gitlab-org/analytics-section/analytics-instrumentation/engineers
+/doc/development/logging.md @gitlab-org/analytics-section/product-analytics/engineers/frontend
 /doc/development/navigation_sidebar.md @gitlab-org/foundations/engineering
-/doc/development/observability/ @gitlab-org/analytics-section/platform-insights/engineers
+/doc/development/observability/ @gitlab-org/analytics-section/product-analytics/engineers/frontend
 /doc/development/omnibus.md @gitlab-org/distribution
 /doc/development/organization/ @abdwdd @alexpooley @manojmj
 /doc/development/permissions.md @rlehmann1
 /doc/development/permissions/ @rlehmann1
 /doc/development/pipelines/ @gl-quality/eng-prod
 /doc/development/policies.md @gitlab-org/govern/authentication/approvers
-/doc/development/prometheus_metrics.md @gitlab-org/analytics-section/platform-insights/engineers
+/doc/development/prometheus_metrics.md @gitlab-org/analytics-section/product-analytics/engineers/frontend
 /doc/development/search/ @gitlab-org/search-team/migration-maintainers
 /doc/development/sec/ @gitlab-org/govern/threat-insights-frontend-team
 /doc/development/sec/gemnasium_analyzer_data.md @gitlab-org/secure/composition-analysis-be @gitlab-org/secure/static-analysis
 /doc/development/software_design.md @gl-quality/eng-prod
-/doc/development/stage_group_observability/ @gitlab-org/analytics-section/platform-insights/engineers
+/doc/development/stage_group_observability/ @gitlab-org/analytics-section/product-analytics/engineers/frontend
 /doc/downgrade_ee_to_ce/ @axil
 /doc/drawers/ @ashrafkhamis
 /doc/editor_extensions/ @aqualls
@@ -1009,7 +1010,7 @@ lib/gitlab/checks/**
 /doc/solutions/integrations/servicenow.md @ashrafkhamis
 /doc/subscriptions/ @lciutacu
 /doc/subscriptions/gitlab_com/ @lyspin
-/doc/subscriptions/gitlab_dedicated/ @lyspin
+/doc/subscriptions/gitlab_dedicated/ @emily.sahlani
 /doc/topics/ @msedlakjakubowski
 /doc/topics/autodevops/ @phillipwells
 /doc/topics/git/ @brendan777

GITALY_SERVER_VERSION

@@ -1 +1 @@
-707b356f408806537ec770dc90407ab713716938
+bc889c809db86d6c16f8c726896a7b1d1c776aa9

app/views/projects/diffs/_diffs.html.haml

@@ -15,11 +15,11 @@
         = link_button_to _('Expand all'), url_for(safe_params.merge(expanded: 1, format: nil))
       - if show_whitespace_toggle
         - if current_controller?(:commit)
-          = commit_diff_whitespace_link(diffs.project, @commit, class: 'gl-hidden sm:gl-inline-block')
+          = commit_diff_whitespace_link(diffs.project, @commit, class: 'gl-hidden sm:gl-inline-flex')
         - elsif current_controller?(:compare)
-          = diff_compare_whitespace_link(diffs.project, params[:from], params[:to], class: 'gl-hidden sm:gl-inline-block')
+          = diff_compare_whitespace_link(diffs.project, params[:from], params[:to], class: 'gl-hidden sm:gl-inline-flex')
         - elsif current_controller?(:wikis)
-          = toggle_whitespace_link(url_for(params_with_whitespace), class: 'gl-hidden sm:gl-inline-block')
+          = toggle_whitespace_link(url_for(params_with_whitespace), class: 'gl-hidden sm:gl-inline-flex')
       .btn-group.gl-ml-3
         = inline_diff_btn
         = parallel_diff_btn

doc/api/graphql/reference/index.md

@@ -22977,6 +22977,29 @@ A Duo Workflow.
 | <a id="duoworkflowupdatedat"></a>`updatedAt` | [`Time!`](#time) | Timestamp of when the workflow was last updated. |
 | <a id="duoworkflowuserid"></a>`userId` | [`UserID!`](#userid) | ID of the user. |
 
+### `DuoWorkflowEnablement`
+
+Duo Workflow enablement status checks.
+
+#### Fields
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| <a id="duoworkflowenablementchecks"></a>`checks` | [`[DuoWorkflowEnablementCheck!]`](#duoworkflowenablementcheck) | Enablement checks. |
+| <a id="duoworkflowenablementenabled"></a>`enabled` | [`Boolean!`](#boolean) | Indicates whether GitLab Duo Workflow is enabled for current user and the project. |
+
+### `DuoWorkflowEnablementCheck`
+
+Represents single Duo Workflow enablement check.
+
+#### Fields
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| <a id="duoworkflowenablementcheckmessage"></a>`message` | [`String`](#string) | Description of status check. |
+| <a id="duoworkflowenablementcheckname"></a>`name` | [`String!`](#string) | Name of the status check. |
+| <a id="duoworkflowenablementcheckvalue"></a>`value` | [`Boolean!`](#boolean) | Whether the check was successful or not. |
+
 ### `DuoWorkflowEvent`
 
 Events that describe the history and progress of a Duo Workflow.
@@ -31023,6 +31046,7 @@ Project-level settings for product analytics provider.
 | <a id="projectdetailedimportstatus"></a>`detailedImportStatus` | [`DetailedImportStatus`](#detailedimportstatus) | Detailed import status of the project. |
 | <a id="projectdora"></a>`dora` | [`Dora`](#dora) | Project's DORA metrics. |
 | <a id="projectduofeaturesenabled"></a>`duoFeaturesEnabled` **{warning-solid}** | [`Boolean`](#boolean) | **Introduced** in GitLab 16.9. **Status**: Experiment. Indicates whether GitLab Duo features are enabled for the project. |
+| <a id="projectduoworkflowstatuscheck"></a>`duoWorkflowStatusCheck` **{warning-solid}** | [`DuoWorkflowEnablement`](#duoworkflowenablement) | **Introduced** in GitLab 17.7. **Status**: Experiment. Indicates whether GitLab Duo Workflow is enabled for the project. |
 | <a id="projectexplorecatalogpath"></a>`exploreCatalogPath` **{warning-solid}** | [`String`](#string) | **Introduced** in GitLab 17.6. **Status**: Experiment. Path to the project catalog resource. |
 | <a id="projectflowmetrics"></a>`flowMetrics` **{warning-solid}** | [`ProjectValueStreamAnalyticsFlowMetrics`](#projectvaluestreamanalyticsflowmetrics) | **Introduced** in GitLab 15.10. **Status**: Experiment. Flow metrics for value stream analytics. |
 | <a id="projectforkingaccesslevel"></a>`forkingAccessLevel` | [`ProjectFeatureAccess`](#projectfeatureaccess) | Access level required for forking access. |
@@ -34562,9 +34586,9 @@ Duo Chat slash command.
 
 | Name | Type | Description |
 | ---- | ---- | ----------- |
-| <a id="slashcommandcommand"></a>`command` | [`String!`](#string) | Full slash command including the leading `/`. |
 | <a id="slashcommanddescription"></a>`description` | [`String!`](#string) | Description of what the slash command does. |
 | <a id="slashcommandname"></a>`name` | [`String!`](#string) | Name of the slash command. |
+| <a id="slashcommandshouldsubmit"></a>`shouldSubmit` | [`Boolean!`](#boolean) | Indicates whether the command should be submitted automatically when clicked. |
 
 ### `Snippet`
 

doc/ci/interactive_web_terminal/index.md

@@ -2,78 +2,15 @@
 stage: Verify
 group: Runner
 info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://handbook.gitlab.com/handbook/product/ux/technical-writing/#assignments
+remove_date: '2025-02-22'
+redirect_to: '../../user/workspace/index.md'
 ---
 
-# Interactive web terminals
+# Interactive web terminals (removed)
 
 DETAILS:
 **Tier:** Free, Premium, Ultimate
 **Offering:** GitLab.com, Self-managed, GitLab Dedicated
 
-Interactive web terminals give the user access to a terminal in GitLab for
-running one-off commands for their CI pipeline. You can think of it like a method for
-debugging with SSH, but done directly from the job page. Since this is giving the user
-shell access to the environment where [GitLab Runner](https://docs.gitlab.com/runner/)
-is deployed, some [security precautions](../../administration/integration/terminal.md#security) were
-taken to protect the users.
-
-NOTE:
-[Instance runners on GitLab.com](../runners/index.md) do not
-provide an interactive web terminal. Follow
-[this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/24674) for progress on
-adding support. For groups and projects hosted on GitLab.com, interactive web
-terminals are available when using your own group or project runner.
-
-## Configuration
-
-Two things need to be configured for the interactive web terminal to work:
-
-- The runner needs to have
-  [`[session_server]` configured properly](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-session_server-section)
-- If you are using a reverse proxy with your GitLab instance, web terminals need to be
-  [enabled](../../administration/integration/terminal.md#enabling-and-disabling-terminal-support)
-
-### Partial support for Helm chart
-
-Interactive web terminals are partially supported in `gitlab-runner` Helm chart.
-They are enabled when:
-
-- The number of replica is one
-- You use the `loadBalancer` service
-
-Support for fixing these limitations is tracked in the following issues:
-
-- [Support of more than one replica](https://gitlab.com/gitlab-org/charts/gitlab-runner/-/issues/323)
-- [Support of more service types](https://gitlab.com/gitlab-org/charts/gitlab-runner/-/issues/324)
-
-## Debugging a running job
-
-NOTE:
-Not all executors are
-[supported](https://docs.gitlab.com/runner/executors/#compatibility-chart).
-
-NOTE:
-The `docker` executor does not keep running
-after the build script is finished. At that point, the terminal automatically
-disconnects and does not wait for the user to finish. Follow
-[this issue](https://gitlab.com/gitlab-org/gitlab-runner/-/issues/3605) for updates on
-improving this behavior.
-
-Sometimes, when a job is running, things don't go as you would expect, and it
-would be helpful if one can have a shell to aid debugging. When a job is
-running, on the right panel, you can see a `debug` button (**{external-link}**) that opens the terminal
-for the current job. Only the person who started a job can debug it.
-
-![Example of job running with terminal available](img/interactive_web_terminal_running_job_v17_3.png)
-
-When selected, a new tab opens to the terminal page where you can access
-the terminal and type commands like in a standard shell.
-
-![terminal of the job](img/interactive_web_terminal_page_v11_1.png)
-
-If you have the terminal open and the job has finished with its tasks, the
-terminal blocks the job from finishing for the duration configured in
-[`[session_server].session_timeout`](https://docs.gitlab.com/runner/configuration/advanced-configuration.html#the-session_server-section) until you
-close the terminal window.
-
-![finished job with terminal open](img/finished_job_with_terminal_open_v11_2.png)
+This feature was [deprecated and removed](https://gitlab.com/gitlab-org/gitlab/-/issues/444551) in GitLab 17.7.
+Use [workspaces](../../user/workspace/index.md) instead.

doc/development/documentation/site_architecture/global_nav.md

@@ -40,6 +40,11 @@ as helpful as **Get started with runners**.
 
 ## Add a navigation entry
 
+The global nav is stored in the `gitlab-org/gitlab-docs` project, in the file
+`content/_data/navigation.yaml`. The `gitlab-docs` project contains code that assembles documentation
+content from several projects (including `charts`, `gitlab`, `gitlab-runner`, and `omnibus-gitlab`)
+and then builds the `docs.gitlab.com` website from that content.
+
 **Do not** add items to the global nav without
 the consent of one of the technical writers.
 

lib/api/scope.rb

@@ -17,6 +17,10 @@ module API
       scopes.include?(self.name) && verify_if_condition(request)
     end
 
+    def to_s
+      name.to_s
+    end
+
     private
 
     def verify_if_condition(request)

lib/gitlab/application_context.rb

@@ -32,6 +32,7 @@ module Gitlab
       :sidekiq_destination_shard_redis,
       :auth_fail_reason,
       :auth_fail_token_id,
+      :auth_fail_requested_scopes,
       :http_router_rule_action,
       :http_router_rule_type
     ].freeze
@@ -40,6 +41,7 @@ module Gitlab
     WEB_ONLY_KEYS = [
       :auth_fail_reason,
       :auth_fail_token_id,
+      :auth_fail_requested_scopes,
       :http_router_rule_action,
       :http_router_rule_type
     ].freeze
@@ -66,6 +68,7 @@ module Gitlab
       Attribute.new(:sidekiq_destination_shard_redis, String),
       Attribute.new(:auth_fail_reason, String),
       Attribute.new(:auth_fail_token_id, String),
+      Attribute.new(:auth_fail_requested_scopes, String),
       Attribute.new(:http_router_rule_action, String),
       Attribute.new(:http_router_rule_type, String)
     ].freeze
@@ -140,6 +143,7 @@ module Gitlab
         assign_hash_if_value(hash, :sidekiq_destination_shard_redis)
         assign_hash_if_value(hash, :auth_fail_reason)
         assign_hash_if_value(hash, :auth_fail_token_id)
+        assign_hash_if_value(hash, :auth_fail_requested_scopes)
         assign_hash_if_value(hash, :http_router_rule_action)
         assign_hash_if_value(hash, :http_router_rule_type)
         assign_hash_if_value(hash, :bulk_import_entity_id)

lib/gitlab/auth/auth_finders.rb

@@ -194,18 +194,18 @@ module Gitlab
 
         case AccessTokenValidationService.new(access_token, request: request).validate(scopes: scopes)
         when AccessTokenValidationService::INSUFFICIENT_SCOPE
-          save_auth_failure_in_application_context(access_token, :insufficient_scope) if save_auth_context
+          save_auth_failure_in_application_context(access_token, :insufficient_scope, scopes) if save_auth_context
           raise InsufficientScopeError, scopes
         when AccessTokenValidationService::EXPIRED
-          save_auth_failure_in_application_context(access_token, :token_expired) if save_auth_context
+          save_auth_failure_in_application_context(access_token, :token_expired, scopes) if save_auth_context
           raise ExpiredError
         when AccessTokenValidationService::REVOKED
-          save_auth_failure_in_application_context(access_token, :token_revoked) if save_auth_context
+          save_auth_failure_in_application_context(access_token, :token_revoked, scopes) if save_auth_context
           revoke_token_family(access_token)
 
           raise RevokedError
         when AccessTokenValidationService::IMPERSONATION_DISABLED
-          save_auth_failure_in_application_context(access_token, :impersonation_disabled) if save_auth_context
+          save_auth_failure_in_application_context(access_token, :impersonation_disabled, scopes) if save_auth_context
           raise ImpersonationDisabled
         end
 
@@ -224,10 +224,12 @@ module Gitlab
         request.env[API_TOKEN_ENV] = { token_id: access_token.id, token_type: access_token.class.to_s }
       end
 
-      def save_auth_failure_in_application_context(access_token, cause)
+      def save_auth_failure_in_application_context(access_token, cause, requested_scopes)
         Gitlab::ApplicationContext.push(
           auth_fail_reason: cause.to_s,
-          auth_fail_token_id: "#{access_token.class}/#{access_token.id}")
+          auth_fail_token_id: "#{access_token.class}/#{access_token.id}",
+          auth_fail_requested_scopes: requested_scopes.join(' ')
+        )
       end
 
       def find_user_from_job_bearer_token

lib/tasks/gitlab/tw/codeowners.rake

@@ -51,7 +51,7 @@ namespace :tw do
       CodeOwnerRule.new('Fuzz Testing', '@rdickenson'),
       CodeOwnerRule.new('Geo', '@axil'),
       CodeOwnerRule.new('Gitaly', '@eread'),
-      CodeOwnerRule.new('GitLab Dedicated', '@lyspin'),
+      CodeOwnerRule.new('GitLab Dedicated', '@emily.sahlani'),
       CodeOwnerRule.new('Global Search', '@ashrafkhamis'),
       CodeOwnerRule.new('Remote Development', '@ashrafkhamis'),
       CodeOwnerRule.new('Import and Integrate', '@ashrafkhamis'),

locale/gitlab.pot

@@ -42900,6 +42900,9 @@ msgstr ""
 msgid "Project mismatch"
 msgstr ""
 
+msgid "Project must have GitLab Duo features enabled."
+msgstr ""
+
 msgid "Project must have default branch"
 msgstr ""
 
@@ -59973,6 +59976,9 @@ msgstr ""
 msgid "User map"
 msgstr ""
 
+msgid "User must have developer access to the project."
+msgstr ""
+
 msgid "User restrictions"
 msgstr ""
 
@@ -65573,6 +65579,12 @@ msgid_plural "drafts"
 msgstr[0] ""
 msgstr[1] ""
 
+msgid "duo_workflow feature flag must be enabled."
+msgstr ""
+
+msgid "duo_workflow licensed feature must be available for the project and experimental features must be enabled."
+msgstr ""
+
 msgid "e.g. %{token}"
 msgstr ""
 

spec/channels/application_cable/connection_spec.rb

@@ -69,6 +69,7 @@ RSpec.describe ApplicationCable::Connection, :clean_gitlab_redis_sessions do
           expect(connection.current_user).to be_nil
           expect(app_context['meta.auth_fail_reason']).to eq('token_expired')
           expect(app_context['meta.auth_fail_token_id']).to eq("PersonalAccessToken/#{user_pat.id}")
+          expect(app_context['meta.auth_fail_requested_scopes']).to be_nil
         end
       end
 
@@ -85,6 +86,7 @@ RSpec.describe ApplicationCable::Connection, :clean_gitlab_redis_sessions do
           expect(connection.current_user).to be_nil
           expect(app_context['meta.auth_fail_reason']).to eq('token_revoked')
           expect(app_context['meta.auth_fail_token_id']).to eq("PersonalAccessToken/#{user_pat.id}")
+          expect(app_context['meta.auth_fail_requested_scopes']).to be_nil
         end
       end
     end

spec/controllers/graphql_controller_spec.rb

@@ -338,6 +338,7 @@ RSpec.describe GraphqlController, feature_category: :integrations do
 
           expect(app_context['meta.auth_fail_reason']).to eq('token_expired')
           expect(app_context['meta.auth_fail_token_id']).to eq("PersonalAccessToken/#{token.id}")
+          expect(app_context['meta.auth_fail_requested_scopes']).to include('api read_api')
         end
       end
 
@@ -351,6 +352,7 @@ RSpec.describe GraphqlController, feature_category: :integrations do
 
           expect(app_context['meta.auth_fail_reason']).to eq('token_revoked')
           expect(app_context['meta.auth_fail_token_id']).to eq("PersonalAccessToken/#{token.id}")
+          expect(app_context['meta.auth_fail_requested_scopes']).to include('api read_api')
         end
       end
 
@@ -462,7 +464,9 @@ RSpec.describe GraphqlController, feature_category: :integrations do
         subject
 
         expect(app_context).to include('meta.user' => user.username)
-        expect(app_context.keys).not_to include('meta.auth_fail_reason', 'meta.auth_fail_token_id')
+        expect(app_context.keys).not_to include('meta.auth_fail_reason',
+          'meta.auth_fail_token_id',
+          'meta.auth_fail_requested_scopes')
       end
 
       it 'calls the track api when trackable method' do
@@ -543,7 +547,9 @@ RSpec.describe GraphqlController, feature_category: :integrations do
         subject
 
         expect(app_context.key?('meta.user')).to be false
-        expect(app_context.keys).not_to include('meta.auth_fail_reason', 'meta.auth_fail_token_id')
+        expect(app_context.keys).not_to include('meta.auth_fail_reason',
+          'meta.auth_fail_token_id',
+          'meta.auth_fail_requested_scopes')
       end
     end
 

spec/lib/gitlab/application_context_spec.rb

@@ -9,6 +9,7 @@ RSpec.describe Gitlab::ApplicationContext, feature_category: :shared do
       expect(described_class.allowed_job_keys).not_to include(
         :auth_fail_reason,
         :auth_fail_token_id,
+        :auth_fail_requested_scopes,
         :http_router_rule_action,
         :http_router_rule_type
       )

spec/lib/gitlab/auth/auth_finders_spec.rb

@@ -994,10 +994,11 @@ RSpec.describe Gitlab::Auth::AuthFinders, feature_category: :system_access do
         it 'returns Gitlab::Auth::ExpiredError if token expired', :aggregate_failures do
           personal_access_token.update!(expires_at: 1.day.ago)
 
-          expect { validate_and_save_access_token! }.to raise_error(Gitlab::Auth::ExpiredError)
+          expect { validate_and_save_access_token!(scopes: %w[api read_api]) }.to raise_error(Gitlab::Auth::ExpiredError)
           expect(request.env).not_to have_key(described_class::API_TOKEN_ENV)
           expect(Gitlab::ApplicationContext.current['meta.auth_fail_reason']).to eq('token_expired')
           expect(Gitlab::ApplicationContext.current['meta.auth_fail_token_id']).to eq("PersonalAccessToken/#{personal_access_token.id}")
+          expect(Gitlab::ApplicationContext.current['meta.auth_fail_requested_scopes']).to eq("api read_api")
         end
 
         it 'returns Gitlab::Auth::RevokedError if token revoked', :aggregate_failures do
@@ -1007,6 +1008,7 @@ RSpec.describe Gitlab::Auth::AuthFinders, feature_category: :system_access do
           expect(request.env).not_to have_key(described_class::API_TOKEN_ENV)
           expect(Gitlab::ApplicationContext.current['meta.auth_fail_reason']).to eq('token_revoked')
           expect(Gitlab::ApplicationContext.current['meta.auth_fail_token_id']).to eq("PersonalAccessToken/#{personal_access_token.id}")
+          expect(Gitlab::ApplicationContext.current['meta.auth_fail_requested_scopes']).to be_nil
         end
 
         it 'returns Gitlab::Auth::InsufficientScopeError if invalid token scope', :aggregate_failures do
@@ -1014,6 +1016,7 @@ RSpec.describe Gitlab::Auth::AuthFinders, feature_category: :system_access do
           expect(request.env).not_to have_key(described_class::API_TOKEN_ENV)
           expect(Gitlab::ApplicationContext.current['meta.auth_fail_reason']).to eq('insufficient_scope')
           expect(Gitlab::ApplicationContext.current['meta.auth_fail_token_id']).to eq("PersonalAccessToken/#{personal_access_token.id}")
+          expect(Gitlab::ApplicationContext.current['meta.auth_fail_requested_scopes']).to eq('sudo')
         end
       end
     end
@@ -1031,6 +1034,7 @@ RSpec.describe Gitlab::Auth::AuthFinders, feature_category: :system_access do
           expect { validate_and_save_access_token! }.to raise_error(Gitlab::Auth::ImpersonationDisabled)
           expect(Gitlab::ApplicationContext.current['meta.auth_fail_reason']).to eq('impersonation_disabled')
           expect(Gitlab::ApplicationContext.current['meta.auth_fail_token_id']).to eq("PersonalAccessToken/#{personal_access_token.id}")
+          expect(Gitlab::ApplicationContext.current['meta.auth_fail_requested_scopes']).to be_nil
         end
       end
     end

spec/requests/api/api_spec.rb

@@ -72,6 +72,22 @@ RSpec.describe API::API, feature_category: :system_access do
         expect(response).to have_gitlab_http_status(:forbidden)
       end
 
+      it 'logs auth failure fields for post request' do
+        expect(described_class::LOG_FORMATTER).to receive(:call) do |_severity, _datetime, _, data|
+          expect(data.stringify_keys).to include(
+            'correlation_id' => an_instance_of(String),
+            'meta.auth_fail_reason' => "insufficient_scope",
+            'meta.auth_fail_token_id' => "PersonalAccessToken/#{token.id}",
+            'meta.auth_fail_requested_scopes' => "api read_api",
+            'route' => '/api/:version/groups'
+          )
+        end
+
+        params = attributes_for_group_api
+
+        post api("/groups", personal_access_token: token), params: params
+      end
+
       it 'does not authorize user for put request' do
         group_param = { name: 'Test' }