Add network access domain cards to Duo settings

Andrew Fontainerequested to merge
593149-frontend-domain-cards into master

What does this MR do and why?

Adds the Allowlist and Denylist collapsible domain cards to the Network access section on both the admin and group-level GitLab Duo Configuration pages, gated behind feature flags.

Enterprise admins and group owners need a UI surface to review and manage the allowed and denied domain lists for network access controls introduced by the backend in !229734 (merged).

Admin page (/admin/gitlab_duo/configuration)

  • NetworkAccessSettings component added, gated behind dap_instance_network_access_controls feature flag
  • Uses the instance-level aiDomainSettings GraphQL query

Group page (/groups/<path>/-/settings/gitlab_duo/configuration)

  • NetworkAccessSettings component added, gated behind dap_group_network_access_controls feature flag
  • Uses a new namespace-scoped getGroupAiDomainSettings GraphQL query
  • groupFullPath is provided from the helper data through index.js

Shared components

  • DomainListCard: Supports both instance and group scopes via an optional groupFullPath prop. Uses reactive cursor-based pagination (no manual refetch() calls).
  • NetworkAccessSettings: Wraps two DomainListCard instances (Allowlist + Denylist), passes groupFullPath through.

References

Screenshots or screen recordings

Group configuration page — domain cards with data

07-group-domain-cards-new-heading

Admin config page

06-admin-domain-cards-with-data

How to set up and validate locally

Admin page

  1. Enable the feature flag: 
    Feature.enable(:dap_instance_network_access_controls)
  2. Seed domain data: 
    Ai::Setting.instance.update!(allowed_domains: ["example.com", "gitlab.com"], denied_domains: ["evil.com"])
  3. Visit /admin/gitlab_duo/configuration (requires Duo-tier license)
  4. Scroll to the Network access section — Allowlist and Denylist cards should appear
  5. Click + to open the inline add form; submit a domain and check the browser console for the [NetworkAccessSettings] log line
  6. Click × on a domain row and verify the same console log

Group page

  1. Enable the feature flag: 
    Feature.enable(:dap_group_network_access_controls)
  2. Seed domain data for a group: 
    group = Group.find_by_full_path("gitlab-duo")
group.ai_settings.update!(allowed_domains: ["safe.example.com", "trusted.dev"], denied_domains: ["evil.test"])
  3. Visit /groups/gitlab-duo/-/settings/gitlab_duo/configuration
  4. Scroll to the Network access section — Allowlist and Denylist cards should appear with the seeded domains
  5. Verify add/remove actions log to the browser console

Verify feature flag gating

  1. Disable the feature flags: 
    Feature.disable(:dap_instance_network_access_controls)
Feature.disable(:dap_group_network_access_controls)
  2. Reload both pages and verify the Network access section is hidden

Note: Add/remove mutations are not yet implemented on the backend. Actions console.log the domain as a placeholder until !229734 (merged)'s mutations land.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Andrew Fontaine

Merge request reports