chore: Package import lint pass (#19007)

dev/depgraph/internal/lints/lint.go

@@ -5,7 +5,7 @@ import (
 	"sort"
 	"strings"
 
-	"github.com/sourcegraph/sourcegraph/dev/depgraph/graph"
+	"github.com/sourcegraph/sourcegraph/dev/depgraph/internal/graph"
 )
 
 type Lint func(graph *graph.DependencyGraph) []lintError

dev/depgraph/internal/lints/no_binary_specific_shared_code.go

@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/sourcegraph/sourcegraph/dev/depgraph/graph"
+	"github.com/sourcegraph/sourcegraph/dev/depgraph/internal/graph"
 )
 
 // NoBinarySpecificSharedCode returns an error for each shared package that is used

dev/depgraph/internal/lints/no_dead_packages.go

@@ -1,7 +1,7 @@
 package lints
 
 import (
-	"github.com/sourcegraph/sourcegraph/dev/depgraph/graph"
+	"github.com/sourcegraph/sourcegraph/dev/depgraph/internal/graph"
 )
 
 // NoDeadPackages returns an error for any package that is not importable from outside the

dev/depgraph/internal/lints/no_enterprise_imports_from_oss.go

@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/sourcegraph/sourcegraph/dev/depgraph/graph"
+	"github.com/sourcegraph/sourcegraph/dev/depgraph/internal/graph"
 )
 
 // NoEnterpriseImportsFromOSS returns an error for each non-enterprise package that

dev/depgraph/internal/lints/no_loose_commands.go

@@ -3,7 +3,7 @@ package lints
 import (
 	"fmt"
 
-	"github.com/sourcegraph/sourcegraph/dev/depgraph/graph"
+	"github.com/sourcegraph/sourcegraph/dev/depgraph/internal/graph"
 )
 
 // NoLooseCommands returns an error for each main package not declared in a known command root.

dev/depgraph/internal/lints/no_reaching_into_commands.go

@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/sourcegraph/sourcegraph/dev/depgraph/graph"
+	"github.com/sourcegraph/sourcegraph/dev/depgraph/internal/graph"
 )
 
 // NoReachingIntoCommands returns an error for each shared package that imports a package

dev/depgraph/internal/lints/no_unused_shared_command_code.go

@@ -3,7 +3,7 @@ package lints
 import (
 	"fmt"
 
-	"github.com/sourcegraph/sourcegraph/dev/depgraph/graph"
+	"github.com/sourcegraph/sourcegraph/dev/depgraph/internal/graph"
 )
 
 // NoUnusedSharedCommandCode returns an error for each non-private package within

dev/depgraph/internal/lints/util.go

@@ -4,7 +4,7 @@ import (
 	"regexp"
 	"sort"
 
-	"github.com/sourcegraph/sourcegraph/dev/depgraph/graph"
+	"github.com/sourcegraph/sourcegraph/dev/depgraph/internal/graph"
 )
 
 var (

dev/depgraph/lint.go

@@ -6,8 +6,8 @@ import (
 
 	"github.com/peterbourgon/ff/v3/ffcli"
 
-	"github.com/sourcegraph/sourcegraph/dev/depgraph/graph"
-	"github.com/sourcegraph/sourcegraph/dev/depgraph/lints"
+	"github.com/sourcegraph/sourcegraph/dev/depgraph/internal/graph"
+	"github.com/sourcegraph/sourcegraph/dev/depgraph/internal/lints"
 )
 
 var lintFlagSet = flag.NewFlagSet("depgraph lint", flag.ExitOnError)

dev/depgraph/trace.go

@@ -8,8 +8,8 @@ import (
 
 	"github.com/peterbourgon/ff/v3/ffcli"
 
-	"github.com/sourcegraph/sourcegraph/dev/depgraph/graph"
-	"github.com/sourcegraph/sourcegraph/dev/depgraph/visualization"
+	"github.com/sourcegraph/sourcegraph/dev/depgraph/internal/graph"
+	"github.com/sourcegraph/sourcegraph/dev/depgraph/internal/visualization"
 )
 
 var traceFlagSet = flag.NewFlagSet("depgraph trace", flag.ExitOnError)

dev/depgraph/trace_internal.go

@@ -8,8 +8,8 @@ import (
 
 	"github.com/peterbourgon/ff/v3/ffcli"
 
-	"github.com/sourcegraph/sourcegraph/dev/depgraph/graph"
-	"github.com/sourcegraph/sourcegraph/dev/depgraph/visualization"
+	"github.com/sourcegraph/sourcegraph/dev/depgraph/internal/graph"
+	"github.com/sourcegraph/sourcegraph/dev/depgraph/internal/visualization"
 )
 
 var traceInternalFlagSet = flag.NewFlagSet("depgraph trace-internal", flag.ExitOnError)

dev/release/src/release.ts

@@ -357,7 +357,7 @@ cc @${config.captainGitHubUsername}
                             `comby -in-place 'latestReleaseDockerComposeOrPureDocker = newBuild(":[1]")' "latestReleaseDockerComposeOrPureDocker = newBuild(\\"${release.version}\\")" cmd/frontend/internal/app/updatecheck/handler.go`,
 
                             // Support current release as the "previous release" going forward
-                            `comby -in-place 'env["MINIMUM_UPGRADEABLE_VERSION"] = ":[1]"' 'env["MINIMUM_UPGRADEABLE_VERSION"] = "${release.version}"' enterprise/dev/ci/ci/*.go`,
+                            `comby -in-place 'env["MINIMUM_UPGRADEABLE_VERSION"] = ":[1]"' 'env["MINIMUM_UPGRADEABLE_VERSION"] = "${release.version}"' enterprise/dev/ci/internal/ci/*.go`,
 
                             // Add a stub to add upgrade guide entries
                             notPatchRelease

enterprise/cmd/frontend/authz/CODENOTIFY

@@ -1,3 +0,0 @@
-# See https://github.com/sourcegraph/codenotify for documentation.
-
-**/* @unknwon

enterprise/cmd/frontend/authz/authz.go

@@ -1,139 +0,0 @@
-package authz
-
-import (
-	"context"
-	"fmt"
-	"net/http"
-	"strings"
-	"time"
-
-	"github.com/inconshreveable/log15"
-
-	"github.com/sourcegraph/sourcegraph/cmd/frontend/backend"
-	"github.com/sourcegraph/sourcegraph/cmd/frontend/graphqlbackend"
-	"github.com/sourcegraph/sourcegraph/cmd/frontend/hooks"
-	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/internal/licensing/enforcement"
-	eauthz "github.com/sourcegraph/sourcegraph/enterprise/internal/authz"
-	edb "github.com/sourcegraph/sourcegraph/enterprise/internal/database"
-	"github.com/sourcegraph/sourcegraph/enterprise/internal/licensing"
-	"github.com/sourcegraph/sourcegraph/internal/conf"
-	"github.com/sourcegraph/sourcegraph/internal/database"
-	"github.com/sourcegraph/sourcegraph/internal/database/dbutil"
-	"github.com/sourcegraph/sourcegraph/internal/extsvc"
-)
-
-func Init(d dbutil.DB, clock func() time.Time) {
-	// TODO(efritz) - de-globalize assignments in this function
-	database.GlobalExternalServices = edb.NewExternalServicesStore(d)
-	database.GlobalAuthz = edb.NewAuthzStore(d, clock)
-
-	// Warn about usage of auth providers that are not enabled by the license.
-	graphqlbackend.AlertFuncs = append(graphqlbackend.AlertFuncs, func(args graphqlbackend.AlertFuncArgs) []*graphqlbackend.Alert {
-		// Only site admins can act on this alert, so only show it to site admins.
-		if !args.IsSiteAdmin {
-			return nil
-		}
-
-		if licensing.IsFeatureEnabledLenient(licensing.FeatureACLs) {
-			return nil
-		}
-
-		// We can ignore problems returned here because they would have been surfaced in other places.
-		_, providers, _, _ := eauthz.ProvidersFromConfig(context.Background(), conf.Get(), database.GlobalExternalServices)
-		if len(providers) == 0 {
-			return nil
-		}
-
-		// We currently support three types of authz providers: GitHub, GitLab and Bitbucket Server.
-		authzTypes := make(map[string]struct{}, 3)
-		for _, p := range providers {
-			authzTypes[p.ServiceType()] = struct{}{}
-		}
-
-		authzNames := make([]string, 0, len(authzTypes))
-		for t := range authzTypes {
-			switch t {
-			case extsvc.TypeGitHub:
-				authzNames = append(authzNames, "GitHub")
-			case extsvc.TypeGitLab:
-				authzNames = append(authzNames, "GitLab")
-			case extsvc.TypeBitbucketServer:
-				authzNames = append(authzNames, "Bitbucket Server")
-			default:
-				authzNames = append(authzNames, t)
-			}
-		}
-		return []*graphqlbackend.Alert{{
-			TypeValue:    graphqlbackend.AlertTypeError,
-			MessageValue: fmt.Sprintf("A Sourcegraph license is required to enable repository permissions for the following code hosts: %s. [**Get a license.**](/site-admin/license)", strings.Join(authzNames, ", ")),
-		}}
-	})
-
-	graphqlbackend.AlertFuncs = append(graphqlbackend.AlertFuncs, func(args graphqlbackend.AlertFuncArgs) []*graphqlbackend.Alert {
-		// 🚨 SECURITY: Only the site admin should ever see this (all other users will see a hard-block
-		// license expiration screen) about this. Leaking this wouldn't be a security vulnerability, but
-		// just in case this method is changed to return more information, we lock it down.
-		if !args.IsSiteAdmin {
-			return nil
-		}
-
-		info, err := licensing.GetConfiguredProductLicenseInfo()
-		if err != nil {
-			log15.Error("Error reading license key for Sourcegraph subscription.", "err", err)
-			return []*graphqlbackend.Alert{{
-				TypeValue:    graphqlbackend.AlertTypeError,
-				MessageValue: "Error reading Sourcegraph license key. Check the logs for more information, or update the license key in the [**site configuration**](/site-admin/configuration).",
-			}}
-		}
-		if info != nil && info.IsExpiredWithGracePeriod() {
-			return []*graphqlbackend.Alert{{
-				TypeValue:    graphqlbackend.AlertTypeError,
-				MessageValue: "Sourcegraph license expired! All non-admin users are locked out of Sourcegraph. Update the license key in the [**site configuration**](/site-admin/configuration) or downgrade to only using Sourcegraph Free features.",
-			}}
-		}
-		return nil
-	})
-
-	// Enforce the use of a valid license key by preventing all HTTP requests if the license is invalid
-	// (due to an error in parsing or verification, or because the license has expired).
-	hooks.PostAuthMiddleware = func(next http.Handler) http.Handler {
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			// Site admins are exempt from license enforcement screens so that they can
-			// easily update the license key. Also ignore backend.ErrNotAuthenticated
-			// because we need to allow site admins to sign in.
-			err := backend.CheckCurrentUserIsSiteAdmin(r.Context())
-			if err == nil || err == backend.ErrNotAuthenticated {
-				next.ServeHTTP(w, r)
-				return
-			} else if err != backend.ErrMustBeSiteAdmin {
-				log15.Error("Error checking current user is site admin", "err", err)
-				http.Error(w, "Error checking current user is site admin. Site admins may check the logs for more information.", http.StatusInternalServerError)
-				return
-			}
-
-			info, err := licensing.GetConfiguredProductLicenseInfo()
-			if err != nil {
-				log15.Error("Error reading license key for Sourcegraph subscription.", "err", err)
-				enforcement.WriteSubscriptionErrorResponse(w, http.StatusInternalServerError, "Error reading Sourcegraph license key", "Site admins may check the logs for more information. Update the license key in the [**site configuration**](/site-admin/configuration).")
-				return
-			}
-			if info != nil && info.IsExpiredWithGracePeriod() {
-				enforcement.WriteSubscriptionErrorResponse(w, http.StatusForbidden, "Sourcegraph license expired", "To continue using Sourcegraph, a site admin must renew the Sourcegraph license (or downgrade to only using Sourcegraph Free features). Update the license key in the [**site configuration**](/site-admin/configuration).")
-				return
-			}
-
-			next.ServeHTTP(w, r)
-		})
-	}
-}
-
-func init() {
-	// Report any authz provider problems in external configs.
-	conf.ContributeWarning(func(cfg conf.Unified) (problems conf.Problems) {
-		_, _, seriousProblems, warnings :=
-			eauthz.ProvidersFromConfig(context.Background(), &cfg, database.GlobalExternalServices)
-		problems = append(problems, conf.NewExternalServiceProblems(seriousProblems...)...)
-		problems = append(problems, conf.NewExternalServiceProblems(warnings...)...)
-		return problems
-	})
-}

enterprise/cmd/frontend/internal/auth/githuboauth/config_test.go

@@ -7,7 +7,7 @@ import (
 	"github.com/google/go-cmp/cmp"
 	"golang.org/x/oauth2"
 
-	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/auth/oauth"
+	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/internal/auth/oauth"
 	"github.com/sourcegraph/sourcegraph/internal/conf"
 	"github.com/sourcegraph/sourcegraph/internal/extsvc"
 	"github.com/sourcegraph/sourcegraph/schema"

enterprise/cmd/frontend/internal/auth/githuboauth/middleware.go

@@ -4,7 +4,7 @@ import (
 	"net/http"
 
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/auth"
-	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/auth/oauth"
+	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/internal/auth/oauth"
 	"github.com/sourcegraph/sourcegraph/internal/extsvc"
 	"github.com/sourcegraph/sourcegraph/schema"
 )

enterprise/cmd/frontend/internal/auth/githuboauth/middleware_test.go

@@ -12,7 +12,7 @@ import (
 
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/auth/providers"
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/external/session"
-	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/auth/oauth"
+	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/internal/auth/oauth"
 	"github.com/sourcegraph/sourcegraph/internal/actor"
 	"github.com/sourcegraph/sourcegraph/schema"
 )

enterprise/cmd/frontend/internal/auth/githuboauth/provider.go

@@ -8,7 +8,7 @@ import (
 	"golang.org/x/oauth2"
 
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/envvar"
-	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/auth/oauth"
+	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/internal/auth/oauth"
 	"github.com/sourcegraph/sourcegraph/internal/extsvc"
 	"github.com/sourcegraph/sourcegraph/internal/lazyregexp"
 	"github.com/sourcegraph/sourcegraph/schema"

enterprise/cmd/frontend/internal/auth/githuboauth/session.go

@@ -16,7 +16,7 @@ import (
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/auth/providers"
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/hubspot"
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/hubspot/hubspotutil"
-	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/auth/oauth"
+	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/internal/auth/oauth"
 	"github.com/sourcegraph/sourcegraph/internal/actor"
 	"github.com/sourcegraph/sourcegraph/internal/conf"
 	"github.com/sourcegraph/sourcegraph/internal/database"

enterprise/cmd/frontend/internal/auth/gitlaboauth/config_test.go

@@ -9,7 +9,7 @@ import (
 	"golang.org/x/oauth2"
 
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/auth/providers"
-	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/auth/oauth"
+	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/internal/auth/oauth"
 	"github.com/sourcegraph/sourcegraph/internal/conf"
 	"github.com/sourcegraph/sourcegraph/internal/extsvc"
 	"github.com/sourcegraph/sourcegraph/schema"

enterprise/cmd/frontend/internal/auth/gitlaboauth/middleware.go

@@ -4,7 +4,7 @@ import (
 	"net/http"
 
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/auth"
-	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/auth/oauth"
+	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/internal/auth/oauth"
 	"github.com/sourcegraph/sourcegraph/internal/extsvc"
 	"github.com/sourcegraph/sourcegraph/schema"
 )

enterprise/cmd/frontend/internal/auth/gitlaboauth/middleware_test.go

@@ -12,7 +12,7 @@ import (
 
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/auth/providers"
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/external/session"
-	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/auth/oauth"
+	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/internal/auth/oauth"
 	"github.com/sourcegraph/sourcegraph/internal/actor"
 	"github.com/sourcegraph/sourcegraph/internal/extsvc"
 	"github.com/sourcegraph/sourcegraph/schema"

enterprise/cmd/frontend/internal/auth/gitlaboauth/provider.go

@@ -7,7 +7,7 @@ import (
 	"github.com/dghubble/gologin"
 	"golang.org/x/oauth2"
 
-	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/auth/oauth"
+	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/internal/auth/oauth"
 	"github.com/sourcegraph/sourcegraph/internal/conf"
 	"github.com/sourcegraph/sourcegraph/internal/extsvc"
 	"github.com/sourcegraph/sourcegraph/schema"

enterprise/cmd/frontend/internal/auth/gitlaboauth/session.go

@@ -13,7 +13,7 @@ import (
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/auth/providers"
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/hubspot"
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/hubspot/hubspotutil"
-	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/auth/oauth"
+	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/internal/auth/oauth"
 	"github.com/sourcegraph/sourcegraph/internal/actor"
 	"github.com/sourcegraph/sourcegraph/internal/conf"
 	"github.com/sourcegraph/sourcegraph/internal/database"

enterprise/cmd/frontend/internal/auth/init.go

@@ -8,11 +8,11 @@ import (
 
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/auth"
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/external/app"
-	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/auth/githuboauth"
-	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/auth/gitlaboauth"
-	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/auth/httpheader"
-	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/auth/openidconnect"
-	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/auth/saml"
+	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/internal/auth/githuboauth"
+	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/internal/auth/gitlaboauth"
+	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/internal/auth/httpheader"
+	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/internal/auth/openidconnect"
+	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/internal/auth/saml"
 	"github.com/sourcegraph/sourcegraph/internal/conf"
 )
 

enterprise/cmd/frontend/internal/authz/init.go

@@ -2,22 +2,137 @@ package authz
 
 import (
 	"context"
+	"fmt"
+	"net/http"
+	"strings"
 	"time"
 
+	"github.com/inconshreveable/log15"
+
+	"github.com/sourcegraph/sourcegraph/cmd/frontend/backend"
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/enterprise"
-	eauthz "github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/authz"
+	"github.com/sourcegraph/sourcegraph/cmd/frontend/graphqlbackend"
+	"github.com/sourcegraph/sourcegraph/cmd/frontend/hooks"
 	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/internal/authz/resolvers"
+	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/internal/licensing/enforcement"
+	eauthz "github.com/sourcegraph/sourcegraph/enterprise/internal/authz"
 	eiauthz "github.com/sourcegraph/sourcegraph/enterprise/internal/authz"
+	edb "github.com/sourcegraph/sourcegraph/enterprise/internal/database"
+	"github.com/sourcegraph/sourcegraph/enterprise/internal/licensing"
 	"github.com/sourcegraph/sourcegraph/internal/authz"
 	"github.com/sourcegraph/sourcegraph/internal/conf"
 	"github.com/sourcegraph/sourcegraph/internal/database"
 	"github.com/sourcegraph/sourcegraph/internal/database/dbutil"
+	"github.com/sourcegraph/sourcegraph/internal/extsvc"
 	"github.com/sourcegraph/sourcegraph/internal/oobmigration"
 	"github.com/sourcegraph/sourcegraph/internal/timeutil"
 )
 
+var clock = timeutil.Now
+
 func Init(ctx context.Context, db dbutil.DB, outOfBandMigrationRunner *oobmigration.Runner, enterpriseServices *enterprise.Services) error {
-	eauthz.Init(db, timeutil.Now)
+	// TODO(efritz) - de-globalize assignments in this function
+	database.GlobalExternalServices = edb.NewExternalServicesStore(db)
+	database.GlobalAuthz = edb.NewAuthzStore(db, clock)
+
+	// Warn about usage of auth providers that are not enabled by the license.
+	graphqlbackend.AlertFuncs = append(graphqlbackend.AlertFuncs, func(args graphqlbackend.AlertFuncArgs) []*graphqlbackend.Alert {
+		// Only site admins can act on this alert, so only show it to site admins.
+		if !args.IsSiteAdmin {
+			return nil
+		}
+
+		if licensing.IsFeatureEnabledLenient(licensing.FeatureACLs) {
+			return nil
+		}
+
+		// We can ignore problems returned here because they would have been surfaced in other places.
+		_, providers, _, _ := eauthz.ProvidersFromConfig(context.Background(), conf.Get(), database.GlobalExternalServices)
+		if len(providers) == 0 {
+			return nil
+		}
+
+		// We currently support three types of authz providers: GitHub, GitLab and Bitbucket Server.
+		authzTypes := make(map[string]struct{}, 3)
+		for _, p := range providers {
+			authzTypes[p.ServiceType()] = struct{}{}
+		}
+
+		authzNames := make([]string, 0, len(authzTypes))
+		for t := range authzTypes {
+			switch t {
+			case extsvc.TypeGitHub:
+				authzNames = append(authzNames, "GitHub")
+			case extsvc.TypeGitLab:
+				authzNames = append(authzNames, "GitLab")
+			case extsvc.TypeBitbucketServer:
+				authzNames = append(authzNames, "Bitbucket Server")
+			default:
+				authzNames = append(authzNames, t)
+			}
+		}
+		return []*graphqlbackend.Alert{{
+			TypeValue:    graphqlbackend.AlertTypeError,
+			MessageValue: fmt.Sprintf("A Sourcegraph license is required to enable repository permissions for the following code hosts: %s. [**Get a license.**](/site-admin/license)", strings.Join(authzNames, ", ")),
+		}}
+	})
+
+	graphqlbackend.AlertFuncs = append(graphqlbackend.AlertFuncs, func(args graphqlbackend.AlertFuncArgs) []*graphqlbackend.Alert {
+		// 🚨 SECURITY: Only the site admin should ever see this (all other users will see a hard-block
+		// license expiration screen) about this. Leaking this wouldn't be a security vulnerability, but
+		// just in case this method is changed to return more information, we lock it down.
+		if !args.IsSiteAdmin {
+			return nil
+		}
+
+		info, err := licensing.GetConfiguredProductLicenseInfo()
+		if err != nil {
+			log15.Error("Error reading license key for Sourcegraph subscription.", "err", err)
+			return []*graphqlbackend.Alert{{
+				TypeValue:    graphqlbackend.AlertTypeError,
+				MessageValue: "Error reading Sourcegraph license key. Check the logs for more information, or update the license key in the [**site configuration**](/site-admin/configuration).",
+			}}
+		}
+		if info != nil && info.IsExpiredWithGracePeriod() {
+			return []*graphqlbackend.Alert{{
+				TypeValue:    graphqlbackend.AlertTypeError,
+				MessageValue: "Sourcegraph license expired! All non-admin users are locked out of Sourcegraph. Update the license key in the [**site configuration**](/site-admin/configuration) or downgrade to only using Sourcegraph Free features.",
+			}}
+		}
+		return nil
+	})
+
+	// Enforce the use of a valid license key by preventing all HTTP requests if the license is invalid
+	// (due to an error in parsing or verification, or because the license has expired).
+	hooks.PostAuthMiddleware = func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			// Site admins are exempt from license enforcement screens so that they can
+			// easily update the license key. Also ignore backend.ErrNotAuthenticated
+			// because we need to allow site admins to sign in.
+			err := backend.CheckCurrentUserIsSiteAdmin(r.Context())
+			if err == nil || err == backend.ErrNotAuthenticated {
+				next.ServeHTTP(w, r)
+				return
+			} else if err != backend.ErrMustBeSiteAdmin {
+				log15.Error("Error checking current user is site admin", "err", err)
+				http.Error(w, "Error checking current user is site admin. Site admins may check the logs for more information.", http.StatusInternalServerError)
+				return
+			}
+
+			info, err := licensing.GetConfiguredProductLicenseInfo()
+			if err != nil {
+				log15.Error("Error reading license key for Sourcegraph subscription.", "err", err)
+				enforcement.WriteSubscriptionErrorResponse(w, http.StatusInternalServerError, "Error reading Sourcegraph license key", "Site admins may check the logs for more information. Update the license key in the [**site configuration**](/site-admin/configuration).")
+				return
+			}
+			if info != nil && info.IsExpiredWithGracePeriod() {
+				enforcement.WriteSubscriptionErrorResponse(w, http.StatusForbidden, "Sourcegraph license expired", "To continue using Sourcegraph, a site admin must renew the Sourcegraph license (or downgrade to only using Sourcegraph Free features). Update the license key in the [**site configuration**](/site-admin/configuration).")
+				return
+			}
+
+			next.ServeHTTP(w, r)
+		})
+	}
 
 	go func() {
 		t := time.NewTicker(5 * time.Second)
@@ -29,6 +144,16 @@ func Init(ctx context.Context, db dbutil.DB, outOfBandMigrationRunner *oobmigrat
 	}()
 
 	enterpriseServices.AuthzResolver = resolvers.NewResolver(db, timeutil.Now)
-
 	return nil
 }
+
+func init() {
+	// Report any authz provider problems in external configs.
+	conf.ContributeWarning(func(cfg conf.Unified) (problems conf.Problems) {
+		_, _, seriousProblems, warnings :=
+			eauthz.ProvidersFromConfig(context.Background(), &cfg, database.GlobalExternalServices)
+		problems = append(problems, conf.NewExternalServiceProblems(seriousProblems...)...)
+		problems = append(problems, conf.NewExternalServiceProblems(warnings...)...)
+		return problems
+	})
+}

enterprise/cmd/frontend/internal/licensing/init/init.go

@@ -8,7 +8,7 @@ import (
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/external/app"
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/globals"
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/graphqlbackend"
-	_ "github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/auth"
+	_ "github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/internal/auth"
 	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/internal/dotcom/productsubscription"
 	enterpriseGraphQL "github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/internal/graphqlbackend"
 	"github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/internal/licensing/enforcement"

enterprise/cmd/frontend/main.go

@@ -24,7 +24,7 @@ import (
 	"github.com/sourcegraph/sourcegraph/internal/database/dbutil"
 	"github.com/sourcegraph/sourcegraph/internal/oobmigration"
 
-	_ "github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/auth"
+	_ "github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/internal/auth"
 	enterpriseGraphQL "github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/internal/graphqlbackend"
 	_ "github.com/sourcegraph/sourcegraph/enterprise/cmd/frontend/internal/registry"
 )

enterprise/cmd/repo-updater/main.go

@@ -11,7 +11,7 @@ import (
 	"github.com/sourcegraph/sourcegraph/cmd/frontend/globals"
 	"github.com/sourcegraph/sourcegraph/cmd/repo-updater/repoupdater"
 	"github.com/sourcegraph/sourcegraph/cmd/repo-updater/shared"
-	"github.com/sourcegraph/sourcegraph/enterprise/cmd/repo-updater/authz"
+	"github.com/sourcegraph/sourcegraph/enterprise/cmd/repo-updater/internal/authz"
 	frontendAuthz "github.com/sourcegraph/sourcegraph/enterprise/internal/authz"
 	"github.com/sourcegraph/sourcegraph/enterprise/internal/batches"
 	codemonitorsBackground "github.com/sourcegraph/sourcegraph/enterprise/internal/codemonitors/background"

enterprise/dev/ci/gen-pipeline.go

@@ -5,7 +5,7 @@ package main
 import (
 	"os"
 
-	"github.com/sourcegraph/sourcegraph/enterprise/dev/ci/ci"
+	"github.com/sourcegraph/sourcegraph/enterprise/dev/ci/internal/ci"
 )
 
 func main() {

enterprise/dev/ci/internal/ci/pipeline-steps.go

@@ -8,7 +8,7 @@ import (
 	"strings"
 
 	"github.com/sourcegraph/sourcegraph/enterprise/dev/ci/images"
-	bk "github.com/sourcegraph/sourcegraph/internal/buildkite"
+	bk "github.com/sourcegraph/sourcegraph/enterprise/dev/ci/internal/buildkite"
 )
 
 // Verifies the docs formatting and builds the `docsite` command.

enterprise/dev/ci/internal/ci/pipeline.go

@@ -9,7 +9,7 @@ import (
 	"strings"
 	"time"
 
-	bk "github.com/sourcegraph/sourcegraph/internal/buildkite"
+	bk "github.com/sourcegraph/sourcegraph/enterprise/dev/ci/internal/buildkite"
 )
 
 // GeneratePipeline is the main pipeline generation function. It defines the build pipeline for each of the