Fix auth bypass external flag is not respected (!910) · Merge requests · GitLab.org / ModelOps / AI Assisted (formerly Applied ML) / Code Suggestions / AI Gateway

Shinya Maeda requested to merge fix-auth-bypass-external-flag-is-not-respected into main Jun 04, 2024

What does this merge request do and why?

This MR fixes that AIGW_AUTH__BYPASS_EXTERNAL=true flag stopped taking an effect after fix: use a custom self issued scope for user JWT (!872 - merged). This issue is currently failing CI jobs in GitLab-Rails https://gitlab.slack.com/archives/C051K31F30R/p1717479004054009.

The root cause is that, no places import ai_gateway.auth.authentication monkey patch, which includes if conn.user.is_debug is True: flag to respect the AIGW_AUTH__BYPASS_EXTERNAL flag. It turned out the patch is silently overriding starlette.authentication.requires, so we didn't notice this issue for while.

We're fully migrating to fine-grained auth logic, so that we can remove the patch.

How to set up and validate locally

Set AIGW_AUTH__BYPASS_EXTERNAL to True.

Test request and confirm that the request succeeds:

curl -X 'POST'   'http://localhost:5052/v1/search/gitlab-docs'   -H 'accept: application/json'   -H 'Content-Type: application/json'   -d '{
  "type": "string",
  "metadata": {
    "source": "string",
    "version": "string"
  },
  "payload": {
    "query": "string"
  }
}'

Merge request checklist

Tests added for new functionality. If not, please raise an issue to follow up.
Documentation added/updated, if needed.

Edited Jun 04, 2024 by Shinya Maeda

Fix auth bypass external flag is not respected

What does this merge request do and why?

How to set up and validate locally

Merge request checklist

Merge request reports