Add service account validation for Duo Code Review API endpoint
What does this MR do and why?
This MR enhances security for the Duo Code Review API endpoint by validating that service accounts are properly provisioned and scoped to the correct organizational hierarchy.
Previously, any composite identity with a service account could post comments on behalf of @GitLabDuo. This MR adds validation to ensure that:
- The service account is provisioned by a group (not instance-wide)
- The provisioning group is a top-level (root) group
- The service account's provisioning group matches the project's root ancestor
How to set up and validate locally
- Enable feature flag:
Feature.enable(:duo_code_review_on_agent_platform)
- Create a top-level group, project, and user with developer access
- Create a service account provisioned by that top-level group:
sa = User.find_by(username: 'duo-developer')
group = Group.find(YOUR_GROUP_ID)
sa.update!(provisioned_by_group_id: group.id)
- Verify service account setup:
sa.reload.provisioned_by_group_id # Should match group ID
sa.provisioned_by_group&.root? # Should be true
- Create an OAuth token with composite identity (ai_workflows api user:{user.id} scopes)
- POST to /api/v4/ai/duo_workflows/code_review/add_comments with valid parameters
- Verify request succeeds (201 Created) and comments appear on MR
- Test with service account from different group/subgroup/no group → verify 403 Forbidden
- Follow the steps to reproduce section and validate that unauthorized users can no longer spoof AI code review comments
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to https://gitlab.com/gitlab-org/gitlab/-/issues/578840
Edited by Kinshuk Singh
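
The three checks listed in the description, modelled in plain Ruby as an added example (this is not the MR's code or GitLab's implementation). The Group, ServiceAccount and Project structs, the check_service_account helper and its reason symbols are hypothetical stand-ins, and the sample hierarchy is constructed.

```ruby
# Added illustration; plain Ruby structs stand in for GitLab's models.
# Group, ServiceAccount, Project and check_service_account are hypothetical names.
Group = Struct.new(:id, :parent) do
  # A root (top-level) group has no parent.
  def root?
    parent.nil?
  end

  # Walk up the hierarchy to the top-level group.
  def root_ancestor
    root? ? self : parent.root_ancestor
  end
end

ServiceAccount = Struct.new(:username, :provisioned_by_group)

Project = Struct.new(:path, :group) do
  def root_ancestor
    group.root_ancestor
  end
end

# Returns [allowed, reason]; a caller would map a false result to 403 Forbidden.
def check_service_account(service_account, project)
  group = service_account.provisioned_by_group
  return [false, :not_group_provisioned] if group.nil?     # instance-wide account
  return [false, :not_top_level_group] unless group.root?  # provisioned by a subgroup
  return [false, :root_ancestor_mismatch] unless group.id == project.root_ancestor.id

  [true, :ok]
end

# Constructed sample hierarchy: two root groups, one subgroup, one project.
ROOT_A  = Group.new(1, nil)
ROOT_B  = Group.new(2, nil)
SUB_A   = Group.new(3, ROOT_A)
PROJECT = Project.new('root-a/sub-a/app', SUB_A)

CASES = {
  'same root group'      => ServiceAccount.new('duo-developer', ROOT_A),
  'different root group' => ServiceAccount.new('duo-developer', ROOT_B),
  'subgroup'             => ServiceAccount.new('duo-developer', SUB_A),
  'no group'             => ServiceAccount.new('duo-developer', nil)
}.freeze

# Evaluate every constructed case against the sample project.
def evaluate_cases
  CASES.transform_values { |sa| check_service_account(sa, PROJECT) }
end

evaluate_cases.each { |label, (ok, reason)| puts "#{label}: #{ok ? 'allow' : 'deny'} (#{reason})" }
```

The subgroup case is denied even though the subgroup sits under the project's own root, because the provisioning group must itself be top-level.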