Duo Workflow direct access endpoint
What does this MR do and why?
This MR implements item 1 in this authentication architecture diagram.
For this, this MR adds a new endpoint, `POST /api/v4/ai/duo_workflows/direct_access`.
The endpoint returns the following payload:
```
{
  "gitlab_rails": {
    "base_url": "http://gdk.test:3000",
    "token": [an oauth token]
  },
  "duo_workflow_service": {
    "base_url": [DUO_WORKFLOW_SERVICE_URL env var],
    "token": [a duo workflow service token],
    "headers": {
      "X-Gitlab-Host-Name": "gdk.test",
      "X-Gitlab-Instance-Id": "12f5283d-2102-411f-b87e-5d03f33ad141",
      "X-Gitlab-Realm": "saas",
      "X-Gitlab-Version": "17.2.0",
      "X-Gitlab-Global-User-Id": "HlZcbHK5Wa5s07e8+Bp5eCxWIDpsF+t0haQK0+14R0g="
    }
  }
}
```
The `gitlab_rails.token` and `duo_workflow_service.token` fields currently return "not implemented" and will be handled in separate issues:
#471898 (closed)
#470862 (closed)
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Set up local duo-workflow-service following docs
- If you are not running GitLab Rails on `localhost:3000`, update `DUO_WORKFLOW_AUTH__OIDC_GITLAB_URL` value in the `.env` file on your Duo Workflow Service
- Update `.env` in the Duo Workflow service so that `DUO_WORKFLOW_AUTH__ENABLED=true`
- Run Duo Workflow Service server (`poetry run python -m duo_workflow_service.server`)
- Set `DUO_WORKFLOW_SERVICE_URL` in `env.runit` to `localhost:50052` (where the duo workflow service is running) and `gdk restart rails`.
- `curl -XPOST http://gdk.test:3000/api/v4/ai/duo_workflows/direct_access\?private_token\=[your_token]`
- You should receive a success response similar to the payload given above.
Related to #470128 (closed)
Edited by Halil Coban
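
A client-side check for the payload described above, as an added example that is not part of this MR or the GitLab code base: it rejects a response whose tokens are still the "not implemented" placeholder and produces a copy with the tokens masked for logging. The function names, the `[REDACTED]` marker and the sample values are assumptions.

```python
import copy

# Placeholder both token fields carry until the follow-up issues land (per this MR).
NOT_IMPLEMENTED = "not implemented"
SECTIONS = ("gitlab_rails", "duo_workflow_service")


def check_direct_access(payload):
    """Return a list of problems; an empty list means the response is usable."""
    problems = []
    for name in SECTIONS:
        section = payload.get(name)
        if not isinstance(section, dict):
            problems.append(f"{name}: section missing")
            continue
        base_url = section.get("base_url")
        if not isinstance(base_url, str) or not base_url:
            problems.append(f"{name}: base_url missing")
        token = section.get("token")
        if not isinstance(token, str) or not token:
            problems.append(f"{name}: token missing")
        elif token == NOT_IMPLEMENTED:
            problems.append(f"{name}: token is the placeholder")
    service = payload.get("duo_workflow_service")
    headers = service.get("headers") if isinstance(service, dict) else None
    if isinstance(service, dict) and not (
        isinstance(headers, dict)
        and all(isinstance(k, str) and isinstance(v, str) for k, v in headers.items())
    ):
        problems.append("duo_workflow_service: headers must map strings to strings")
    return problems


def redact(payload):
    """Return a deep copy that is safe to log, with every token value masked."""
    safe = copy.deepcopy(payload)
    for name in SECTIONS:
        if isinstance(safe.get(name), dict) and "token" in safe[name]:
            safe[name]["token"] = "[REDACTED]"
    return safe


# Constructed sample mirroring the payload shape above; all values are illustrative.
SAMPLE = {
    "gitlab_rails": {"base_url": "http://gdk.test:3000", "token": NOT_IMPLEMENTED},
    "duo_workflow_service": {
        "base_url": "localhost:50052",
        "token": NOT_IMPLEMENTED,
        "headers": {"X-Gitlab-Host-Name": "gdk.test", "X-Gitlab-Realm": "saas"},
    },
}
```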