Allow Duo Core for Chat and Code Suggestions

What does this MR do and why?

Blocked by: !188854 (merged)

Allows use of Chat and Code Suggestion for those with the Duo Core add-on.

The allowed_to_use method is used throughout the codebase to check for access to various Duo features so we need it to be aware of Duo Core (formerly known as Nano) in order to provide access to Duo Chat and Code Suggestions with the add-on.

Examples:

1. Code Suggestions api checks current_user.can?(:access_code_suggestions). That policy check uses allowed_to_use?(:code_suggestions)
2. ChatAuthorizer checks access_duo_chat. That policy check uses allowed_to_use?

There is no seat assignment in Phase 1, so the add-on logic is:

For GitLab.com

User must belong to at least 1 root group that both has the Duo Core add-on and has duo_nano_features_enabled set to true

For all other GitLab instances

Instance must have Duo Core add-on and have application-wide duo_nano_features_enabled setting set

References

• Cloud Connector docs on allowed_to_use: https://docs.gitlab.com/development/cloud_connector
• Discussion about using this method: !188029 (comment 2453860547)

Screenshots or screen recordings

Testing Matrix

GitLab Offering	Add-On Purchase	Feature Flag State	AI Settings Enabled	Outcome
SAAS	Duo Core	Enabled	Yes	✅ Can use Duo Chat in UI ✅ Can use Code Suggestions in Web IDE
SAAS	Duo Core	Enabled	No	✅ No Duo Chat button in UI. Previously open chat bar shows features not enabled ✅ No code suggestions in Web IDE. Status bar icon shows Duo disabled - license not assigned
SAAS	Duo Core	Disabled	Yes	✅ No Duo Chat button in UI. ✅ No code suggestions in Web IDE.
SAAS	Duo Core	Disabled	No	✅ No Duo Chat button in UI. ✅ No code suggestions in Web IDE.
SAAS	None	Enabled	Yes	✅ No Duo Chat button in UI. ✅ No code suggestions in Web IDE.
SAAS	None	Enabled	No	✅ No Duo Chat button in UI. ✅ No code suggestions in Web IDE.
SAAS	None	Disabled	Yes	✅ No Duo Chat button in UI. ✅ No code suggestions in Web IDE.
SAAS	None	Disabled	No	✅ No Duo Chat button in UI. ✅ No code suggestions in Web IDE.
SM	Duo Core	N/A	true	✅ Can use Duo Chat in UI ✅ Can use Code Suggestions in Web IDE
SM	Duo Core	N/A	false	✅ No Duo Chat button in UI. Previously open chat bar shows features not enabled ✅ No code suggestions in Web IDE. Status bar icon shows Duo disabled - license not assigned
SM	Duo Core	N/A	nil	✅ No Duo Chat button in UI. ✅ No code suggestions in Web IDE.
SM	None	N/A	true	✅ No Duo Chat button in UI. ✅ No code suggestions in Web IDE.
SM	None	N/A	false	✅ No Duo Chat button in UI. ✅ No code suggestions in Web IDE.
SM	None	N/A	nil	✅ No Duo Chat button in UI. ✅ No code suggestions in Web IDE.

How to set up and validate locally

SaaS mode

1. Ensure that you have a premium or ultimate license for your GDK

2. Enable SaaS mode (GITLAB_SIMULATE_SAAS=1)

3. Enable the Duo Care feature flag (Feature.enable(:duo_core_saas)

4. Identify a premium or ultimate group to test with

5. Ensure that the test group has Duo Core enabled via settings: Group.find($ID).namespace_settings.duo_nano_features_enabled

6. Create the Duo Core add-on purchase for the test group in a rails console:

   add_on = GitlabSubscriptions::AddOn.create!(name: 'duo_core', description: GitlabSubscriptions::AddOn.descriptions[:duo_core])
   add_on_purchase = GitlabSubscriptions::AddOnPurchase.create!(
   add_on: add_on, namespace: $TEST_GROUP, started_at: Date.today, expires_on: 1.year.from_now, quantity: 100, purchase_xid: 'A-S0001', organization_id: 1
   )

7. Add a test user to the test group. Ensure that this test user does not have an existing Duo Pro or Duo Enterprise license

8. When the user logs in, they should see the Duo Chat Chat button (for now at least). They should be able to use Duo Chat and Code Suggestions in the IDE.

9. If the user is removed from the group, they should no longer have access to Duo features.

SM mode

1. Ensure that you have a premium or ultimate license for your GDK
2. Enable SM mode (GITLAB_SIMULATE_SAAS=0)
3. Ensure that the instance has Duo Core features enabled: Ai::Setting.instance.update (duo_nano_features_enabled:true)
4. If you already tested out SaaS mode:
   1. you can skip the following steps and just update the Duo Core add-on subscription to be for the instance instead of for a specific namespace: GitlabSubscriptions::AddOnPurchase.for_duo_core.first.update!(namespace: nil)
5. If you are testing for the first time:
   1. Create the Duo Core add-on purchase record locally.
   2. Add a test user to the instance. Ensure that this test user does not have an existing Duo Pro or Duo Enterprise license
6. When the user logs in, they should see the Duo Chat Chat button (for now at least). They should be able to use Duo Chat and Code Suggestions in the IDE.

Database review

Namespace.where(id: [9970]).select(:id).joins(:namespace_settings).where(namespace_settings: { duo_nano_features_enabled: true }).to_sql

Note: I am only selecting gitlab-org. It would be typical for most gitlab.com users to only belong to one root group with a Premium or Ultimate license (result of billable_gitlab_duo_pro_root_group_ids, which is cached), but it is possible for them to belong to more groups.

Generates the following sql:

SELECT
    "namespaces"."id"
FROM
    "namespaces"
    INNER JOIN "namespace_settings" ON "namespace_settings"."namespace_id" = "namespaces"."id"
WHERE
    "namespaces"."id" = 9970
    AND "namespace_settings"."duo_nano_features_enabled" = TRUE

Postgres.ai:

https://console.postgres.ai/gitlab/gitlab-production-main/sessions/38884/commands/119542#visualize-depesz

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.