Exclude Duo flow service accounts from users autocomplete query unless explicitly required
What does this MR do and why?
This MR changes how the autocomplete users GraphQL query behaves by excluding all service accounts created for Duo workflows from the final results.
The newly added AutocompletedUser.includeServiceAccountsForTriggerEvents argument controls which trigger event types have their service accounts added back to the results.
graph TD
A["remove_duo_flow_service_accounts_from_autocomplete_query?"] -->|Disabled| B["Include Duo service accounts"]
A -->|Enabled| C{"includeServiceAccountsForTriggerEvents"}
C -->|Empty| D["Exclude ALL Duo service accounts<br/>WITH or WITHOUT triggers"]
C -->|ASSIGN| E["Include ONLY service accounts<br/>with ASSIGN triggers"]
C -->|ASSIGN, MENTION| F["Include ONLY service accounts<br/>with ASSIGN or MENTION triggers"]
style B fill:#90EE90
style D fill:#FFB6C6
style E fill:#87CEEB
style F fill:#87CEEB
Note
Service accounts not associated with a Duo flow are not filtered out from the result.
Query plans
Old query
https://console.postgres.ai/gitlab/gitlab-production-main/sessions/47484/commands/143563
New query
https://console.postgres.ai/gitlab/gitlab-production-main/sessions/47484/commands/143562
References
Related to !217856 (merged)
How to set up and validate locally
- Choose a group and project with Duo enabled
- Enable the remove_duo_flow_service_accounts_from_autocomplete_query feature flag: Feature.enable(:remove_duo_flow_service_accounts_from_autocomplete_query)
- Enable at least 1 foundational flow for that project (e.g. Code Review): http://gdk.test:3000/groups/gitlab-duo/-/edit#js-gitlab-duo-settings
- Create a few new flows and enable them for that group
- Add triggers for each flow you have created: http://gdk.test:3000/gitlab-duo/test/-/automate/triggers
- Test different values for the new AutocompletedUser.includeServiceAccountsForTriggerEvents argument in GraphQL:

Only ASSIGN triggers

```graphql
query projectAutocompleteUsersSearchWithMRPermissionsEE {
  project: project(fullPath: "gitlab-duo/test") {
    users: autocompleteUsers(includeServiceAccountsForTriggerEvents: [ASSIGN]) {
      name
    }
  }
}
```

```json
{
  "data": {
    "project": {
      "users": [
        { "name": "Administrator" },
        { "name": "Assign Flow" },
        { "name": "Assign and Mention Flow" },
        { "name": "Developer One" },
        { "name": "Developer Two" },
        { "name": "Flowless Service Account" },
        { "name": "GitLab Duo" }
      ]
    }
  },
  "correlationId": "01KFE5QXTQ84ZTH8W894TXKMP5"
}
```

Only ASSIGN_REVIEWER and MENTION triggers

```graphql
query projectAutocompleteUsersSearchWithMRPermissionsEE {
  project: project(fullPath: "gitlab-duo/test") {
    users: autocompleteUsers(includeServiceAccountsForTriggerEvents: [ASSIGN_REVIEWER, MENTION]) {
      name
    }
  }
}
```

```json
{
  "data": {
    "project": {
      "users": [
        { "name": "Administrator" },
        { "name": "Assign Reviewer Flow" },
        { "name": "Assign Reviewer and Mention Flow" },
        { "name": "Assign and Mention Flow" },
        { "name": "Developer One" },
        { "name": "Developer Two" },
        { "name": "Flowless Service Account" },
        { "name": "GitLab Duo" },
        { "name": "Mention Flow" }
      ]
    }
  },
  "correlationId": "01KFE64BYEQ3X14PS23ETY6H1R"
}
```
Important
Note that @duo-code-review-gitlab-duo is excluded because Duo Code Review does not use the standard flow trigger system
Important
Note that @flowless-service-account is included because it is not a service account created for a Duo flow
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
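
The filtering rules from the diagram and validation steps above, as an added Ruby model that is not the MR's or GitLab's own code. The `User` struct, `SAMPLE_USERS` and `autocomplete_names` are hypothetical; the accounts are constructed after the names in the sample responses, and treating "GitLab Duo" as an account not created for a flow is an assumption.

```ruby
# Illustrative model only: hypothetical names, not GitLab's resolver or finder code.
User = Struct.new(:name, :duo_flow, :triggers)

# Constructed sample accounts, named after the validation output on this page.
# duo_flow = service account created for a Duo flow; triggers = its trigger events.
SAMPLE_USERS = [
  User.new("Administrator", false, []),
  User.new("Developer One", false, []),
  User.new("Developer Two", false, []),
  User.new("GitLab Duo", false, []),                # assumed not flow-created
  User.new("Flowless Service Account", false, []),  # service account without a Duo flow
  User.new("Duo Code Review", true, []),            # constructed name; no standard triggers
  User.new("Assign Flow", true, %w[ASSIGN]),
  User.new("Mention Flow", true, %w[MENTION]),
  User.new("Assign Reviewer Flow", true, %w[ASSIGN_REVIEWER]),
  User.new("Assign and Mention Flow", true, %w[ASSIGN MENTION]),
  User.new("Assign Reviewer and Mention Flow", true, %w[ASSIGN_REVIEWER MENTION])
].freeze

# Returns the sorted names an autocomplete query would show under the described rules.
def autocomplete_names(users, flag_enabled:, include_for_events: [])
  wanted = include_for_events.map(&:to_s)
  visible = users.select do |u|
    next true unless flag_enabled  # flag off: nothing is filtered
    next true unless u.duo_flow    # only Duo flow service accounts are filtered
    (u.triggers & wanted).any?     # re-included only with a requested trigger event
  end
  visible.map(&:name).sort
end

if __FILE__ == $PROGRAM_NAME
  [[], %w[ASSIGN], %w[ASSIGN_REVIEWER MENTION]].each do |events|
    names = autocomplete_names(SAMPLE_USERS, flag_enabled: true, include_for_events: events)
    puts "#{events.inspect} -> #{names.inspect}"
  end
end
```

With an empty argument every flow-created account drops out, including the one with no triggers at all, while the flowless service account stays visible in every case.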


