Add license and BETA checks to AI item permissions
What does this MR do and why?
This MR adds additional checks for Ai::Catalog::Item and
Ai::Catalog::ItemConsumer permissions to deny permissions unless the
project or group has:
- Premium license
- Has opted-in to BETA AI features
When the top-level group of a project does not have both requirements they can no longer:
- Create an agent or flow in that project
- Add an agent or flow to that project
However, any public agents or flows created by the project (before one of the above requirements were toggled off) will be visible in the catalog - as we allow public items to remain visible in the AI Catalog even if the project license lapses, or they opt out of BETA features.
How to set up and validate locally
Enable global_ai_catalog feature flag.
Test that AI items can only be created and enabled by projects that:
- Their root group has opted in to Duo Beta features
- Have the correct license
Toggling BETA and plan
If you have set up Duo Workflows you will have the gitlab-duo/test project that you can test with.
The settings are toggled on its top-level group gitlab-duo.
You can toggle a top-level group has opted in to Duo Beta features (Group > Settings > GitLab Duo > Change Configuration). Toggle Turn on experiment and beta GitLab Duo features.
And to toggle the license, visit http://gdk.test:3000/admin/groups, find the top-level group, edit it, and change its plan to No Plan
When enabling an item for a project that does not meet the requirements, or adding an item to that project, you will see an error message (note improvements to this are being discussed in https://gitlab.com/gitlab-org/gitlab/-/issues/568176#note_2752874135):
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #568176