Draft: Code suggestions API for SM users with SaaS redirect

Nikola Milojevic requested to merge nm-poc-sm-code-suggestions into master

What does this MR do and why?

This MR implements steps 8-11 in the case of a self-managed user using the v4/api/code_suggestions/tokens API introduced in !120892 (merged).

sequenceDiagram
    autonumber
    participant A as SM admin
    participant U as SM user
    participant VS as VS Code
    participant SM as SM GitLab
    participant GL as GitLab Inc.
    participant CS as Code Suggest

    Note over A,GL: Admin persona
    A->>GL: Add service account
    GL-->>SM: service account token (SAT)
    SM->>SM: store SAT
    Note over U,CS: Developer persona
    U->>SM: Obtain PAT
    SM-->>U: PAT
    U->>VS: Configure with PAT
    VS->>VS: store PAT
    loop Use code suggestions
        alt JWT token missing or invalid
            VS->>SM: Authenticate user with PAT
            SM->>GL: Get JWT with SAT
            GL-->>SM: JWT
            SM-->>VS: JWT  
        else
            VS->>CS: get code suggestions with JWT
            CS-->>VS: code suggestions
        end
    end

In case we are running on the self-managed instance:

  • authenticates the SM user's PAT
  • returns 404 in case code_suggestions is not enabled on the self-managed instance
  • returns 404 in case the SM admin didn't store ::Gitlab::CurrentSettings.ai_access_token
  • it will proxy the request to SaaS using workhorse send_url, using the ai_access_token token
  • SaaS will authenticate the SaaS user using the proxied ai_access_token
  • SaaS will return 401 in case the authenticated user is not a member of the "gitlab-org/modelops/applied-ml/code-suggestions/self-managed" group
  • SaaS will return 401 in case code suggestions are not enabled for the user or associated group
  • SaaS will return a signed JWT token back to the client

Screenshots or screen recordings

curl --request POST "http://localhost:3000/api/v4/code_suggestions/tokens" \
  --header "Authorization: Bearer <sm_user_personal_access_token>" \
  --header "Content-type: application/json"


{"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI1OTU4OTRlMC1mYTk0LTQ0NWItOGYyMy1lOWIyOTJlOGY2MTAiLCJhdWQiOiJnaXRsYWItY29kZS1zdWdnZXN0aW9ucyIsImlzcyI6Imh0dHA6Ly8xMjcuMC4wLjE6MzAwMSIsImlhdCI6MTY4NTU0MTkxOCwibmJmIjoxNjg1NTQxOTEzLCJleHAiOjE2ODU1NDU1MTh9.NrtsdOTQFDpNy0_TxZJellSCzUd2G75OnnXzVNUi85RsSF-xfwot_83EPV_lkU0DqgqPLJFxwqclVl_tZ0PhpDjfYPrUc2ST9gypPoXQAvRSzYcUBpG_VEVpJpX8APDxcSy8kRF4WXGVq5dvbwK4kh6pntQmH8yza2fKesASLRHbTXrRJFI8ENqbrgNiKNNWqLURZpcuWsD2juOZHh3aqN1VtfiOM-pHbAKU4y6gCI0dEy1BLYRVr7tOl0X9dSi_yQo4zt7qivupZqhhWHpWsKkHA9vlSmswvWdnX5omQdTTErUP3QqYU9EQWdBBNqskorQrzC3413snISoopp-nkg","expires_in":3600,"created_at":1685541918}% 

How to set up and validate locally

To test locally you need to have two GDK installations, both running this branch:

For GDK 1, create a file env.runit in the root directory:

export SAAS_URL=http://localhost:3001

We need GDK 2 to simulate SaaS, so edit/create env.runit in the root directory:

export GITLAB_SIMULATE_SAAS=true

In GDK 2, we need to create the self-managed group. Open the Rails console:

Groups::NestedCreateService.new(User.first, group_path: "gitlab-org/modelops/applied-ml/code-suggestions/self-managed").execute

In GDK 2, run GitLab, register an account and generate a personal access token. Make sure that the user is a member of the self-managed group.

In GDK 1, run the Rails console:

::Gitlab::CurrentSettings.update!(ai_access_token: '<personal_access_token>')

In GDK 1, register an account and generate sm_personal_access_token.

Restart both GDK 1 and GDK 2.

Execute in shell:

curl --request POST "http://localhost:3000/api/v4/code_suggestions/tokens" \
  --header "Authorization: Bearer <sm_personal_access_token>" \
  --header "Content-type: application/json"

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Nikola Milojevic
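
The flow in the description ends with a signed JWT that the client presents to Code Suggest, so the receiving side has to decide whether to accept it. The following is an added example, not code from this MR or from GitLab, of one way a receiver could validate such a token in Ruby. The RS256 algorithm and the `aud`, `iss`, `nbf` and `exp` claims mirror the sample response in the description; the function names, the 5-second leeway and the `issue_token` helper (a constructed stand-in for the issuer) are assumptions.

```ruby
require "openssl"
require "json"

EXPECTED_AUD = "gitlab-code-suggestions" # audience claim in the sample token above
SHA256 = -> { OpenSSL::Digest.new("SHA256") }

def b64url_encode(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(text)
  (text.tr("-_", "+/") + "=" * (-text.size % 4)).unpack1("m0") # strict: raises on junk
end

# Constructed issuer stand-in so the example runs offline; not GitLab's signing code.
def issue_token(private_key, claims, alg: "RS256")
  input = [{ typ: "JWT", alg: alg }, claims].map { |part| b64url_encode(JSON.generate(part)) }.join(".")
  "#{input}.#{b64url_encode(private_key.sign(SHA256.call, input))}"
end

# Returns the claims hash for an acceptable token, raises ArgumentError otherwise.
def verify_token(token, public_key, issuer:, now: Time.now.to_i, leeway: 5)
  parts = token.to_s.split(".", -1)
  raise ArgumentError, "malformed token" unless parts.size == 3
  header, claims = parts.first(2).map { |part| JSON.parse(b64url_decode(part)) }
  raise ArgumentError, "malformed token" unless header.is_a?(Hash) && claims.is_a?(Hash)
  # Pin the algorithm on the verifier side; never let the token header pick it.
  raise ArgumentError, "unexpected alg" unless header["alg"] == "RS256"
  signed = public_key.verify(SHA256.call, b64url_decode(parts[2]), parts.first(2).join("."))
  raise ArgumentError, "bad signature" unless signed
  # Claims are trusted only after the signature check has passed.
  raise ArgumentError, "wrong audience" unless claims["aud"] == EXPECTED_AUD
  raise ArgumentError, "wrong issuer" unless claims["iss"] == issuer
  raise ArgumentError, "not yet valid" unless claims["nbf"].is_a?(Integer) && claims["nbf"] <= now + leeway
  raise ArgumentError, "expired" unless claims["exp"].is_a?(Integer) && claims["exp"] > now - leeway
  claims
rescue JSON::ParserError, OpenSSL::PKey::PKeyError, ArgumentError => e
  raise ArgumentError, "rejected: #{e.message}"
end
```

Passing `now:` explicitly makes the expiry and not-before checks testable against fixed timestamps such as the `created_at` value in the sample response.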
