Separate policy logic for AI Catalog Flows and Foundational Flows
What does this MR do and why?
The policy / permissions checks for AI Catalog flows are coupled to Foundational Flows. The former is in beta and the latter is in GA. This MR separates the logic for the two.
Closes #586454
How to set up and validate locally
- Set GITLAB_SIMULATE_SAAS: "1"
- Disable beta/experimental features
- Check that Fix Pipeline/Issue-to-MR/Convert Jenkinsfile buttons show up - foundational flows info, and the flows run successfully.
- Check that "Flows" do NOT show up in the Sessions Menu item, and this is not accessible for your group: path/to/group/-/automate/agents
- Validate the above in Self-Managed mode as well.
Note: We should probably check that the Code Review flow works fine after this change as well.
Test cases
Background info on foundational flows:
- List of foundational flows: https://docs.gitlab.com/user/duo_agent_platform/flows/foundational_flows/
- Software development flow is only available from the IDE and does not have an individual flow setting. In testing locally I also saw that it is available when beta features are disabled. But there is a bug related to availability that we can solve separately. For now, I suggest ignoring this foundational flow.
- All other flows have individual flow settings. Individual foundational flows must also be turned on for the top level group (they are not available by default). See Docs need updating: individual flows must be en... (#586565 - closed). How to turn on: https://docs.gitlab.com/user/gitlab_duo/turn_on_off/#turn-gitlab-duo-on-or-off
- The 5 foundational flows that have individual flow settings also run in GitLab runners so to test locally you will need to have a runner set up. This also means that the "Allow flow execution" toggle (another Duo setting) must be enabled to run these 5 flows.
- How to enable/disable experimental settings: https://docs.gitlab.com/user/gitlab_duo/turn_on_off/#turn-on-beta-and-experimental-features
- The changes in this MR should not change the availability of custom flows, which remain in beta. We should confirm that with beta features disabled a custom flow cannot be added to a project or invoked.
| Test Case ID | Flow Name | Environment | Beta/Experimental | Allow Foundational Flows | Individual Flow Toggle | Expected Outcome | Verified |
|---|---|---|---|---|---|---|---|
| Developer Flow (Full Coverage) | | | | | | | |
| TC-01 | Developer | GitLab.com | Disabled | Enabled | Enabled | Available | @jessieay confirmed on branch with latest commit 8851e4f3 |
| TC-02 | Developer | GitLab.com | Disabled | Enabled | Disabled | Unavailable | @jessieay confirmed on branch with latest commit 8851e4f3 |
| TC-03 | Developer | GitLab.com | Disabled | Disabled | N/A | Unavailable | @jessieay confirmed on branch with latest commit 8851e4f3 |
| TC-04 | Developer | Self-Managed | Disabled | Enabled | Enabled | Available | @jessieay confirmed on branch with latest commit 8851e4f3 |
| TC-05 | Developer | Self-Managed | Disabled | Enabled | Disabled | Unavailable | @jessieay confirmed on branch with latest commit 8851e4f3 |
| TC-06 | Developer | Self-Managed | Disabled | Disabled | N/A | Unavailable | @jessieay confirmed on branch with latest commit 8851e4f3 |
| Other Flows (Smoke Tests) | | | | | | | |
| TC-07 | Fix CI/CD Pipeline | GitLab.com | Disabled | Enabled | Enabled | Available | @jessieay confirmed on branch with latest commit 25cca5ca |
| TC-08 | Convert to GitLab CI/CD | GitLab.com | Disabled | Enabled | Enabled | Available | @jessieay confirmed on branch with latest commit 25cca5ca |
| TC-09 | Code Review | GitLab.com | Disabled | Enabled | Enabled | Available | @jessieay confirmed on branch with latest commit 25cca5ca |
| SAST (Special Case) | | | | | | | |
| TC-10 | SAST False Positive Detection | GitLab.com | Enabled | Enabled | Enabled | Available | |
| TC-11 | SAST False Positive Detection | GitLab.com | Disabled | Enabled | Enabled | Unavailable | |
Extra QA around SAST False Positive Detection
SAST False Positive Detection foundational flow is the only Beta foundational flow https://docs.gitlab.com/user/duo_agent_platform/flows/foundational_flows/sast_false_positive_detection/
Therefore:
- The option to enable that particular foundational flow should only display for groups that have enabled experimental/beta AI features, otherwise it should not be displayed in the list of foundational flows to enable.
- If a group has enabled experimental/beta AI features, and has enabled the Beta SAST False Positive Detection foundational flow, and then disables experimental/beta AI features, SAST False Positive Detection foundational flow should act as if disabled, and it should not be possible to manually execute directly via the API.
QAing http://gdk.test:3000/groups/gitlab-duo/-/settings/gitlab_duo/configuration :
| With experimental/beta AI features enabled | Without experimental/beta AI features enabled |
|---|---|
| (screenshot not preserved) | (screenshot not preserved) |
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
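
The availability rules from the test matrix and the SAST False Positive Detection notes above, written out as one decision function that is also enforced at execution time. This is an added example, not code from this MR or from GitLab; the module, struct, error class and flow identifiers are hypothetical.

```ruby
require "set"

# Per the description, SAST False Positive Detection is the only beta foundational flow.
# Flow identifiers here are constructed for the example.
BETA_FOUNDATIONAL_FLOWS = Set["sast_false_positive_detection"].freeze

# Hypothetical snapshot of a top-level group's Duo settings.
GroupSettings = Struct.new(:beta_features, :allow_foundational_flows,
                           :enabled_flows, keyword_init: true)

FlowUnavailable = Class.new(StandardError)

module FlowPolicy
  module_function

  # GA path: foundational flows do not depend on the beta/experimental
  # setting, unless the flow itself is beta.
  def foundational_flow_available?(settings, flow)
    return false unless settings.allow_foundational_flows
    return false unless settings.enabled_flows.include?(flow)
    return false if BETA_FOUNDATIONAL_FLOWS.include?(flow) && !settings.beta_features

    true
  end

  # Beta path: AI Catalog (custom) flows stay gated on beta/experimental features.
  def catalog_flow_available?(settings)
    settings.beta_features ? true : false
  end

  # Settings page: do not list a beta flow's toggle when beta features are off.
  def toggles_to_display(settings, all_flows)
    all_flows.reject { |f| BETA_FOUNDATIONAL_FLOWS.include?(f) && !settings.beta_features }
  end

  # Execution entry point shared by UI and API. It re-evaluates the current
  # settings, so a toggle left on from before beta was disabled has no effect.
  def authorize_execution!(settings, flow)
    return true if foundational_flow_available?(settings, flow)

    raise FlowUnavailable, "flow #{flow} is not available for this group"
  end
end
```
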

