Code suggestions API for SM users with SaaS redirect
What does this MR do and why?
In Code suggestions API for SM users with SaaS red... (!122645 - closed) we decide to split the work:
- Part 1: Code suggestions group policy refactor (!123023 - merged)
- Part 2: Code suggestions API for SM users with SaaS red... (!123024 - merged)
In this MR I extended the global policy change related to access_code_suggestion policy, and implemented steps 8-11 in the case of a Self-managed user using the v4/api/code_suggestions/tokens API introduced in !120892 (merged)
Note: This MR is blocked by gitlab.com/gitlab-org/gitlab/-/merge_requests/123023+
sequenceDiagram
autonumber
participant A as SM admin
participant U as SM user
participant VS as VS Code
participant SM as SM GitLab
participant GL as GitLab Inc.
participant CS as Code Suggest
Note over A,GL: Admin persona
A->>GL: Add service account
GL-->>SM: service account token (SAT)
SM->>SM: store SAT
Note over U,CS: Developer persona
U->>SM: Obtain PAT
SM-->>U: PAT
U->>VS: Configure with PAT
VS->>VS: store PAT
loop Use code suggestions
alt JWT token missing or invalid
VS->>SM: Authenticate user with PAT
SM->>GL: Get JWT with SAT
GL-->>SM: JWT
SM-->>VS: JWT
else
VS->>CS: get code suggestions with JWT
CS-->>VS: code suggestions
end
endIn case we are running on the self-managed instance:
- authenticate SM user PAT
- returns 404 in case code_suggestions is not enabled on self-managed instance
- returns 404 in case SM admin didn't store
::Gitlab::CurrentSettings.ai_access_token - it will proxy the request to SaaS using workhorse
send_url, usingai_access_tokentoken - SaaS will authenticate the SaaS user using proxied
ai_access_token - SaaS will return 401 in case that proxied used does not have code_suggestions_for_instance_admin_enabled ff enabled
- SaaS will return 401 in case code suggestions are not enabled for the user or all his root group
- SaaS will return the signed JWT token back to the client
Screenshots or screen recordings
curl --request POST "http://localhost:3000/api/v4/code_suggestions/tokens" \
--header "Authorization: Bearer <sm_user_personal_access_token>" \
--header "Content-type: application/json"
{"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI1OTU4OTRlMC1mYTk0LTQ0NWItOGYyMy1lOWIyOTJlOGY2MTAiLCJhdWQiOiJnaXRsYWItY29kZS1zdWdnZXN0aW9ucyIsImlzcyI6Imh0dHA6Ly8xMjcuMC4wLjE6MzAwMSIsImlhdCI6MTY4NTU0MTkxOCwibmJmIjoxNjg1NTQxOTEzLCJleHAiOjE2ODU1NDU1MTh9.NrtsdOTQFDpNy0_TxZJellSCzUd2G75OnnXzVNUi85RsSF-xfwot_83EPV_lkU0DqgqPLJFxwqclVl_tZ0PhpDjfYPrUc2ST9gypPoXQAvRSzYcUBpG_VEVpJpX8APDxcSy8kRF4WXGVq5dvbwK4kh6pntQmH8yza2fKesASLRHbTXrRJFI8ENqbrgNiKNNWqLURZpcuWsD2juOZHh3aqN1VtfiOM-pHbAKU4y6gCI0dEy1BLYRVr7tOl0X9dSi_yQo4zt7qivupZqhhWHpWsKkHA9vlSmswvWdnX5omQdTTErUP3QqYU9EQWdBBNqskorQrzC3413snISoopp-nkg","expires_in":3600,"created_at":1685541918}% How to set up and validate locally
To test locally you need to have two GDK installations, both running this branch:
- https://gitlab.com/gitlab-org/gitlab-development-kit/blob/main/doc/howto/geo.md
- Change default ports for GDK 2 by editing
gdk.ymlport: 3001 webpack: port: 3809 gitlab_pages: port: 3011
For GDK 1 create a file env.runit in the root directory
export SAAS_URL=http://localhost:3001
We need GDK 2 to simulate SaaS, so edit/create env.runit in the root directory
export GITLAB_SIMULATE_SAAS=true
In GDK 2, run gitlab, register an account, and generate personal access token.
Eneable feature flag for your user
Feature.enable(:code_suggestions_for_instance_admin_enabled, true)In GDK 1, run the rails console and store Pat you created in the previous step:
::Gitlab::CurrentSettings.update!(ai_access_token:'<personal_access_token>')In GDK 1, register an account and generate sm_personal_access_token
Restart both GDK1 and GDK2
execute in the shell:
curl --request POST "http://localhost:3000/api/v4/code_suggestions/tokens" \
--header "Authorization: Bearer <sm_personal_access_token>" \
--header "Content-type: application/json"Related to Proxy CodeSuggestions Tokens API for Self Manag... (#411435 - closed)