Add backend write support for network access boolean settings

Andrew Fontainerequested to merge
andrew-network-access-backend-params into master

What does this MR do and why?

Adds backend write support for three network access boolean settings — include_recommended_allowed, allow_all_unix_sockets, and allow_project_extension — so they can be persisted through both the GraphQL and REST save paths.

The data attributes and database columns for these settings were added in !230831 (merged), but neither the GraphQL mutation nor the REST API currently declares them as accepted parameters. This MR wires both save paths so these settings can be read and written end-to-end.

A separate frontend MR (!233475 (merged)) adds the checkbox UI that submits these values.

Admin page (instance-level) — GraphQL path

The duoSettingsUpdate mutation now accepts includeRecommendedAllowed, allowAllUnixSockets, and allowProjectExtension arguments. Values flow through Ai::DuoSettings::UpdateService to the ai_settings table.

  • Feature-flag gated: dap_instance_network_access_controls (args stripped when disabled)
  • Permission: can_admin_all_resources? (matches domain settings mutations)
  • Fields exposed on DuoSettingsType with authorize: :read_duo_core_settings

Group page (namespace-level) — REST path

The PUT /api/v4/groups/:id endpoint now permits include_recommended_allowed, allow_all_unix_sockets, and allow_project_extension inside ai_settings_attributes. Values flow through Groups::UpdateService to the namespace_ai_settings table.

  • Feature-flag gated: dap_group_network_access_controls (params stripped when disabled)
  • Controller strong params also updated for web controller path

How to set up and validate locally

Admin page (GraphQL)

  1. Enable the feature flag: Feature.enable(:dap_instance_network_access_controls)
  2. Run the mutation with an admin PAT: 
    mutation {
  duoSettingsUpdate(input: {
    includeRecommendedAllowed: true,
    allowAllUnixSockets: true,
    allowProjectExtension: false
  }) {
    duoSettings {
      includeRecommendedAllowed
      allowAllUnixSockets
      allowProjectExtension
    }
    errors
  }
}
  3. Verify the response returns the updated values
  4. Confirm in Rails console: Ai::Setting.instance.include_recommended_allowed (etc.)

Group page (REST API)

  1. Enable the feature flag: Feature.enable(:dap_group_network_access_controls)
  2. Update the group via API: 
    curl --request PUT --header "PRIVATE-TOKEN: <token>" \
  "http://gdk.test:3000/api/v4/groups/<group_id>" \
  --header "Content-Type: application/json" \
  --data '{
    "ai_settings_attributes": {
      "include_recommended_allowed": true,
      "allow_all_unix_sockets": true,
      "allow_project_extension": false
    }
  }'
  3. Confirm in Rails console: Group.find(<group_id>).ai_settings.include_recommended_allowed

MR acceptance checklist

  • Tests added for GraphQL mutation (success, feature flag disabled, permission denied)
  • Tests added for REST API (success, feature flag disabled)
  • GraphQL schema/docs regenerated
  • OpenAPI docs regenerated
Edited by Andrew Fontaine

Merge request reports