Add workflows scoped to project in GraphQL
What does this MR do and why?
Currently, in GraphQL we can only query Workflows scoped to a user and a project. This query returns all workflows for the current_user in the project gitlab-duo/test:
query {
  duoWorkflowWorkflows(projectPath: "gitlab-duo/test") {
    nodes {
      id
      goal
      workflowDefinition
    }
  }
}
This MR adds a new way of querying duoWorkflowWorkflows, scoping them within a project (rather than specifying projectPath):
query {
  project(fullPath: "gitlab-duo/test") {
    duoWorkflowWorkflows {
      edges {
        node {
          id
          userId
          projectId
          createdAt
        }
      }
    }
  }
}
The above returns all users' workflows for a project that originate in a pipeline.
The changes to the authorization policy give the current user access to other users' workflows if:
- They are part of the same project being queried
- The workflow has environment: web and does not have workflow_definition: chat (i.e. Remote Execution flows).
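The visibility rule above, modelled as a small stand-alone Ruby example. This is an added illustration, not GitLab's policy code: the `Workflow` struct, the helper names, the sample rows and the non-web environment value `"ide"` are all assumptions made for the example, as is the owner keeping access to their own workflows in the queried project.

```ruby
# Illustrative model of the rule described above; NOT GitLab's policy code.
# Struct fields and helper names are assumptions made for this example.
Workflow = Struct.new(:id, :user_id, :project_id, :environment,
                      :workflow_definition, keyword_init: true)

# True when user `user_id` may see `wf` through the project-scoped field.
def visible_in_project?(wf, user_id:, project_id:)
  # A workflow from another project is never returned, even the caller's own.
  return false unless wf.project_id == project_id
  # Assumption: the owner keeps access to their own workflows.
  return true if wf.user_id == user_id
  # Other users' workflows: only environment "web" and not the "chat" definition.
  wf.environment == "web" && wf.workflow_definition != "chat"
end

def project_workflows(all, user_id:, project_id:)
  all.select { |wf| visible_in_project?(wf, user_id: user_id, project_id: project_id) }
end

# Constructed sample data: users 1 and 2, projects 10 and 20.
SAMPLE = [
  Workflow.new(id: 1, user_id: 1, project_id: 10, environment: "web",
               workflow_definition: "convert_to_gitlab_ci"),
  Workflow.new(id: 2, user_id: 2, project_id: 10, environment: "web",
               workflow_definition: "convert_to_gitlab_ci"),
  Workflow.new(id: 3, user_id: 2, project_id: 10, environment: "web",
               workflow_definition: "chat"),
  Workflow.new(id: 4, user_id: 2, project_id: 10, environment: "ide",
               workflow_definition: "convert_to_gitlab_ci"),
  Workflow.new(id: 5, user_id: 1, project_id: 20, environment: "web",
               workflow_definition: "convert_to_gitlab_ci"),
  Workflow.new(id: 6, user_id: 1, project_id: 10, environment: "ide",
               workflow_definition: "chat")
].freeze

# User 1 querying project 10 sees their own rows plus user 2's web flow.
visible = project_workflows(SAMPLE, user_id: 1, project_id: 10).map(&:id)
puts "user 1 in project 10 sees workflows #{visible.inspect}"
```

Rows 3 and 4 are the cases worth a regression spec: another user's chat workflow and another user's non-web workflow must stay hidden even though they belong to the queried project.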
References
https://gitlab.com/gitlab-org/gitlab/-/issues/550468
How to set up and validate locally
- Set up Duo Workflow
- Open http://gitlab_path/-/graphql_explorer
- Confirm that the list:
  - Contains workflows for this project created by the current user
  - Contains workflows for this project created by other users
  - Does not contain workflows created by the current user in another project.
To create workflows in the console for testing:
current_user = User.first # The logged-in user
current_project = Project.find(1000000) # The project we will be querying
another_user = User.second
another_project = Project.first
# Current user, but different project: (This should NOT show up in the queries)
Ai::DuoWorkflows::Workflow.create!(:workflow_definition => "convert_to_gitlab_ci", user: current_user, project: another_project)
# Same project, different user: (This SHOULD show up in the queries with `scopeType:PROJECT` and project specified)
Ai::DuoWorkflows::Workflow.create!(:workflow_definition => "convert_to_gitlab_ci", user: another_user, project: current_project)
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Edited by Roman Eisner