Skip to content

Code suggestions API for SM users with SaaS redirect

Nikola Milojevic requested to merge nm-poc2-sm-code-suggestions-part2 into master

What does this MR do and why?

In Code suggestions API for SM users with SaaS red... (!122645 - closed) we decide to split the work:

In this MR I extended the global policy change related to access_code_suggestion policy, and implemented steps 8-11 in the case of a Self-managed user using the v4/api/code_suggestions/tokens API introduced in !120892 (merged)

Note: This MR is blocked by gitlab.com/gitlab-org/gitlab/-/merge_requests/123023+

sequenceDiagram
    autonumber
    participant A as SM admin
    participant U as SM user
    participant VS as VS Code
    participant SM as SM GitLab
    participant GL as GitLab Inc.
    participant CS as Code Suggest

    Note over A,GL: Admin persona
    A->>GL: Add service account
    GL-->>SM: service account token (SAT)
    SM->>SM: store SAT
    Note over U,CS: Developer persona
    U->>SM: Obtain PAT
    SM-->>U: PAT
    U->>VS: Configure with PAT
    VS->>VS: store PAT
    loop Use code suggestions
        alt JWT token missing or invalid
            VS->>SM: Authenticate user with PAT
            SM->>GL: Get JWT with SAT
            GL-->>SM: JWT
            SM-->>VS: JWT  
        else
            VS->>CS: get code suggestions with JWT
            CS-->>VS: code suggestions
        end
    end

In case we are running on the self-managed instance:

  • authenticate SM user PAT
  • returns 404 in case code_suggestions is not enabled on self-managed instance
  • returns 404 in case SM admin didn't store ::Gitlab::CurrentSettings.ai_access_token
  • it will proxy the request to SaaS using workhorse send_url, using ai_access_token token
  • SaaS will authenticate the SaaS user using proxied ai_access_token
  • SaaS will return 401 in case that proxied used does not have code_suggestions_for_instance_admin_enabled ff enabled
  • SaaS will return 401 in case code suggestions are not enabled for the user or all his root group
  • SaaS will return the signed JWT token back to the client

Screenshots or screen recordings

 curl --request POST "http://localhost:3000/api/v4/code_suggestions/tokens" \
  --header "Authorization: Bearer <sm_user_personal_access_token>" \
  --header "Content-type: application/json"


{"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJqdGkiOiI1OTU4OTRlMC1mYTk0LTQ0NWItOGYyMy1lOWIyOTJlOGY2MTAiLCJhdWQiOiJnaXRsYWItY29kZS1zdWdnZXN0aW9ucyIsImlzcyI6Imh0dHA6Ly8xMjcuMC4wLjE6MzAwMSIsImlhdCI6MTY4NTU0MTkxOCwibmJmIjoxNjg1NTQxOTEzLCJleHAiOjE2ODU1NDU1MTh9.NrtsdOTQFDpNy0_TxZJellSCzUd2G75OnnXzVNUi85RsSF-xfwot_83EPV_lkU0DqgqPLJFxwqclVl_tZ0PhpDjfYPrUc2ST9gypPoXQAvRSzYcUBpG_VEVpJpX8APDxcSy8kRF4WXGVq5dvbwK4kh6pntQmH8yza2fKesASLRHbTXrRJFI8ENqbrgNiKNNWqLURZpcuWsD2juOZHh3aqN1VtfiOM-pHbAKU4y6gCI0dEy1BLYRVr7tOl0X9dSi_yQo4zt7qivupZqhhWHpWsKkHA9vlSmswvWdnX5omQdTTErUP3QqYU9EQWdBBNqskorQrzC3413snISoopp-nkg","expires_in":3600,"created_at":1685541918}% 

How to set up and validate locally

To test locally you need to have two GDK installations, both running this branch:

For GDK 1 create a file env.runit in the root directory

export SAAS_URL=http://localhost:3001

We need GDK 2 to simulate SaaS, so edit/create env.runit in the root directory

export GITLAB_SIMULATE_SAAS=true

In GDK 2, run gitlab, register an account, and generate personal access token.

Eneable feature flag for your user

Feature.enable(:code_suggestions_for_instance_admin_enabled, true)

In GDK 1, run the rails console and store Pat you created in the previous step:

 ::Gitlab::CurrentSettings.update!(ai_access_token:'<personal_access_token>')

In GDK 1, register an account and generate sm_personal_access_token

Restart both GDK1 and GDK2

execute in the shell:

curl --request POST "http://localhost:3000/api/v4/code_suggestions/tokens" \
  --header "Authorization: Bearer <sm_personal_access_token>" \
  --header "Content-type: application/json"

Related to Proxy CodeSuggestions Tokens API for Self Manag... (#411435 - closed)

Edited by Nikola Milojevic

Merge request reports

Loading