Draft: PoC: Explore new TokenIssuer type for Duo Workflow

What does this MR do and why?

Build Ruby modules that make at least one Duo feature fully work without using AvailableServices. We are currently targeting Duo Workflow.

  • Factor out token creation into a new TokenIssuer type
  • Factor out add-on lookups/filtering into a Fulfillment code module
  • Do we need to filter by License too?
    • Cannot do this now since license_types is not used yet
  • Integrate new code modules with a selected Duo feature
  • Avoid strong coupling of TokenIssuer to gitlab-rails since we may want to extract it to gitlab-cloud-connector and reuse it in CDot

References

Screenshots or screen recordings

curl -v -XPOST -H"Authorization: Bearer $(op read 'op://Employee/API access tokens/local')" gitlab.local:3000/api/v4/ai/duo_workflows/direct_access
{"gitlab_rails":{"base_url":"http://gitlab.local:3000","token":"e6bd7a21b2c006f3eb8b9eafc74e245c08e6fb9018b19fb40b2b8e6b72464ccc"},"duo_workflow_service":{"base_url":"duo-workflow:50052","token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRsYWItZHVvLXdvcmtmbG93LXNlcnZpY2UiLCJzdWIiOiJxK3ZGeXJJbVE0Z1RrMXNtWjVkeVpBc0VVMmVwQTJuRDJxakVPUklRWWNzPSIsImF1ZCI6ImdpdGxhYi1kdW8td29ya2Zsb3ctc2VydmljZSIsImV4cCI6MTc0MjQ2Mzg2MiwibmJmIjoxNzQyNDYwMjYyLCJpYXQiOjE3NDI0NjAyNjIsImp0aSI6IjQwMmQwYzU3LTM5NjYtNDAyNy1iZTU1LTMwNzJjNzM4N2VjYyIsImdpdGxhYl9yZWFsbSI6InNlbGYtbWFuYWdlZCIsImdpdGxhYl9pbnN0YW5jZV9pZCI6ImE2ZTgxZWYwLTM1ZGYtNGQ1Ny05N2Y3LWUzN2M2Yjc5ZGY3ZiIsInNjb3BlcyI6WyJkdW9fd29ya2Zsb3dfZXhlY3V0ZV93b3JrZmxvdyJdfQ.VJ7WIg2TOARANV2JNuHQm9FUMbg5JDuB2kKifRTKY7K6j3fsG1fAMon1P9YzJM7JGf40qhQKHo4JPqvU_OEVJGKKDwOup-1UlkO_x1odF0csaRYEyuaJbeIGI-5c42cuMnlmkJkQ0C4AO-2gg8lmDJMjtdto7bAV-cqrPVi9Ku_d3qq8QZ6YX9O1NteMvVnR3qv4PJzS37DBdqEmV0utW8jvAchFhMc1qgLJT1ygXMrIR161ie2rcmu03lMb8Z3mb4057hJkxdDOegXWzmDi34x5AiedMdNUYU243DhYApa-cwHvp4TiVbA7gvlXo3R4B0powlPJYR_Ev01neJTRZg","headers":{"X-Gitlab-Host-Name":"gitlab.local","X-Gitlab-Instance-Id":"a6e81ef0-35df-4d57-97f7-e37c6b79df7f","X-Gitlab-Realm":"self-managed","X-Gitlab-Version":"17.11.0","X-Gitlab-Global-User-Id":"q+vFyrImQ4gTk1smZ5dyZAsEU2epA2nD2qjEORIQYcs=","X-Gitlab-Duo-Seat-Count":"100","X-Gitlab-Feature-Enabled-By-Namespace-Ids":""},"secure":false},"duo_workflow_executor":{"executor_binary_url":"https://gitlab.com/api/v4/projects/58711783/packages/generic/duo-workflow-executor/0.0.27/duo-workflow-executor.tar.gz","executor_binary_urls":{"linux/arm":"https://gitlab.com/api/v4/projects/58711783/packages/generic/duo-workflow-executor/0.0.27/linux-arm-duo-workflow-executor.tar.gz","linux/amd64":"https://gitlab.com/api/v4/projects/58711783/packages/generic/duo-workflow-executor/0.0.27/linux-amd64-duo-workflow-executor.tar.gz","linux/arm64":"https://gitlab.com/api/v4/projects/58711783/packages/generic/duo-workflow-executor/0.0.27/linux-arm64-duo-workfl
ow-executor.tar.gz","linux/386":"https://gitlab.com/api/v4/projects/58711783/packages/generic/duo-workflow-executor/0.0.27/linux-386-duo-workflow-executor.tar.gz","linux/ppc64le":"https://gitlab.com/api/v4/projects/58711783/packages/generic/duo-workflow-executor/0.0.27/linux-ppc64le-duo-workflow-executor.tar.gz","darwin/arm64":"https://gitlab.com/api/v4/projects/58711783/packages/generic/duo-workflow-executor/0.0.27/darwin-arm64-duo-workflow-executor.tar.gz","darwin/amd64":"https://gitlab.com/api/v4/projects/58711783/packages/generic/duo-workflow-executor/0.0.27/darwin-amd64-duo-workflow-executor.tar.gz","freebsd/arm":"https://gitlab.com/api/v4/projects/58711783/packages/generic/duo-workflow-executor/0.0.27/freebsd-arm-duo-workflow-executor.tar.gz","freebsd/386":"https://gitlab.com/api/v4/projects/58711783/packages/generic/duo-workflow-executor/0.0.27/freebsd-386-duo-workflow-executor.tar.gz","freebsd/amd64":"https://gitlab.com/api/v4/projects/58711783/packages/generic/duo-workflow-executor/0.0.27/freebsd-amd64-duo-workflow-executor.tar.gz","windows/amd64":"https://gitlab.com/api/v4/projects/58711783/packages/generic/duo-workflow-executor/0.0.27/windows-amd64-duo-workflow-executor.tar.gz","windows/386":"https://gitlab.com/api/v4/projects/58711783/packages/generic/duo-workflow-executor/0.0.27/windows-386-duo-workflow-executor.tar.gz","windows/arm64":"https://gitlab.com/api/v4/projects/58711783/packages/generic/duo-workflow-executor/0.0.27/windows-arm64-duo-workflow-executor.tar.gz"},"version":"0.0.27"},"workflow_metadata":{"extended_logging":false}}

How to set up and validate locally

  1. Set up the Duo Workflow RPC service
  2. Set CLOUD_CONNECTOR_SELF_SIGN_TOKENS=1
  3. Run Puma and Duo Workflow
  4. Run curl -v -XPOST -H"Authorization: Bearer <PAT>" gitlab.local:3000/api/v4/ai/duo_workflows/direct_access
  5. The request should succeed

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #515279 (closed)

Edited by Matthias Käppler
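Step 5 above only says the request should succeed. As an added example (not code from this MR), the sketch below goes one step further and audits the `duo_workflow_service` part of a `direct_access` response: RS256 signature, agreement between token claims and the accompanying `X-Gitlab-*` headers, audience, scope and lifetime. The claim names, audience, scope and one-hour lifetime are read from the token in the response shown above; `audit_service`, `sign_rs256`, the throwaway key and all sample values are constructed for illustration.

```ruby
# Added example, not code from the MR: helper names and all sample values are constructed.
require 'json'
require 'openssl'

AUDIENCE = 'gitlab-duo-workflow-service'  # aud of the token in the response above
SCOPE = 'duo_workflow_execute_workflow'   # its only scope
MAX_LIFETIME = 3600                       # its exp - nbf, in seconds

def b64url(data)
  [data].pack('m0').tr('+/', '-_').delete('=')
end
def b64url_decode(str)
  (str.tr('-_', '+/') + '=' * (-str.size % 4)).unpack1('m')
end

# Constructed stand-in for a self-signing issuer: RS256 over "header.payload".
def sign_rs256(claims, key)
  input = [{ alg: 'RS256', typ: 'JWT' }, claims].map { |part| b64url(JSON.generate(part)) }.join('.')
  "#{input}.#{b64url(key.sign(OpenSSL::Digest.new('SHA256'), input))}"
end

# Returns the problems found in the "duo_workflow_service" object of a response.
def audit_service(service, public_key, now: Time.now.to_i)
  head, body, sig = service.fetch('token').split('.')
  return ['token is not a three-part JWT'] unless sig
  return ['alg is not RS256'] unless JSON.parse(b64url_decode(head))['alg'] == 'RS256'
  verified = public_key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(sig), "#{head}.#{body}")
  return ['signature does not verify'] unless verified
  claims = JSON.parse(b64url_decode(body))
  problems = []
  { 'sub' => 'X-Gitlab-Global-User-Id', 'gitlab_realm' => 'X-Gitlab-Realm',
    'gitlab_instance_id' => 'X-Gitlab-Instance-Id' }.each do |claim, header|
    problems << "#{claim} differs from #{header}" unless claims[claim] == service.fetch('headers')[header]
  end
  problems << 'unexpected aud' unless claims['aud'] == AUDIENCE
  problems << 'workflow scope missing' unless Array(claims['scopes']).include?(SCOPE)
  problems << 'lifetime over one hour' if claims['exp'].to_i - claims['nbf'].to_i > MAX_LIFETIME
  problems << 'outside nbf..exp' unless (claims['nbf'].to_i..claims['exp'].to_i).cover?(now)
  problems
end

KEY = OpenSSL::PKey::RSA.new(2048) # throwaway key for the constructed sample
NOW = 1_700_000_000
CLAIMS = { iss: AUDIENCE, sub: 'user-1', aud: AUDIENCE, exp: NOW + 3600, nbf: NOW,
           gitlab_realm: 'self-managed', gitlab_instance_id: 'instance-1', scopes: [SCOPE] }.freeze
HEADERS = { 'X-Gitlab-Global-User-Id' => 'user-1', 'X-Gitlab-Realm' => 'self-managed',
            'X-Gitlab-Instance-Id' => 'instance-1' }.freeze

p audit_service({ 'token' => sign_rs256(CLAIMS, KEY), 'headers' => HEADERS }, KEY.public_key, now: NOW + 60)
```

Against a real instance, pass the parsed `duo_workflow_service` object from the response and the public key that corresponds to the issuer's signing key; an empty list means every check passed.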
