Verify agent mappings when creating workspaces
Issue: BE: Implement APIs change to verify agent mappi... (#441540 - closed)
What does this MR do and why?
Adds new authorization based on agent mappings when creating workspaces.
This is behind the feature flag remote_development_namespace_agent_authorization.
Database Query Plan
Query Plan
Rails console output 1 (Queries 1 and 2)
[4] pry(main)> relevant_mappings =
  ::RemoteDevelopment::RemoteDevelopmentNamespaceClusterAgentMapping
    .for_namespaces(project.project_namespace.traversal_ids)
    .for_agents([agent.id])
Namespaces::ProjectNamespace Load (1.9ms) SELECT "namespaces"."id", "namespaces"."name", "namespaces"."path", "namespaces"."owner_id", "namespaces"."created_at", "namespaces"."updated_at", "namespaces"."type", "namespaces"."description", "namespaces"."avatar", "namespaces"."membership_lock", "namespaces"."share_with_group_lock", "namespaces"."visibility_level", "namespaces"."request_access_enabled", "namespaces"."ldap_sync_status", "namespaces"."ldap_sync_error", "namespaces"."ldap_sync_last_update_at", "namespaces"."ldap_sync_last_successful_update_at", "namespaces"."ldap_sync_last_sync_at", "namespaces"."description_html", "namespaces"."lfs_enabled", "namespaces"."parent_id", "namespaces"."shared_runners_minutes_limit", "namespaces"."repository_size_limit", "namespaces"."require_two_factor_authentication", "namespaces"."two_factor_grace_period", "namespaces"."cached_markdown_version", "namespaces"."project_creation_level", "namespaces"."runners_token", "namespaces"."file_template_project_id", "namespaces"."saml_discovery_token", "namespaces"."runners_token_encrypted", "namespaces"."custom_project_templates_group_id", "namespaces"."auto_devops_enabled", "namespaces"."extra_shared_runners_minutes_limit", "namespaces"."last_ci_minutes_notification_at", "namespaces"."last_ci_minutes_usage_notification_level", "namespaces"."subgroup_creation_level", "namespaces"."max_pages_size", "namespaces"."max_artifacts_size", "namespaces"."mentions_disabled", "namespaces"."default_branch_protection", "namespaces"."max_personal_access_token_lifetime", "namespaces"."push_rule_id", "namespaces"."shared_runners_enabled", "namespaces"."allow_descendants_override_disabled_shared_runners", "namespaces"."traversal_ids", "namespaces"."organization_id" FROM "namespaces" WHERE "namespaces"."type" = 'Project' AND "namespaces"."id" = 24 LIMIT 1 /*application:console,db_config_name:main,console_hostname:woolley.local,console_username:cwoolley,line:(pry):6:in `__pry__'*/
RemoteDevelopment::RemoteDevelopmentNamespaceClusterAgentMapping Load (8.3ms) SELECT "remote_development_namespace_cluster_agent_mappings".* FROM "remote_development_namespace_cluster_agent_mappings" WHERE "remote_development_namespace_cluster_agent_mappings"."namespace_id" IN (22, 24) AND "remote_development_namespace_cluster_agent_mappings"."cluster_agent_id" = 4 /*application:console,db_config_name:main,console_hostname:woolley.local,console_username:cwoolley,line:bin/rails:4:in `<main>'*/
=> []
Query 1 explain
query 1:
SELECT "namespaces"."id", "namespaces"."name", "namespaces"."path", "namespaces"."owner_id", "namespaces"."created_at", "namespaces"."updated_at", "namespaces"."type", "namespaces"."description", "namespaces"."avatar", "namespaces"."membership_lock", "namespaces"."share_with_group_lock", "namespaces"."visibility_level", "namespaces"."request_access_enabled", "namespaces"."ldap_sync_status", "namespaces"."ldap_sync_error", "namespaces"."ldap_sync_last_update_at", "namespaces"."ldap_sync_last_successful_update_at", "namespaces"."ldap_sync_last_sync_at", "namespaces"."description_html", "namespaces"."lfs_enabled", "namespaces"."parent_id", "namespaces"."shared_runners_minutes_limit", "namespaces"."repository_size_limit", "namespaces"."require_two_factor_authentication", "namespaces"."two_factor_grace_period", "namespaces"."cached_markdown_version", "namespaces"."project_creation_level", "namespaces"."runners_token", "namespaces"."file_template_project_id", "namespaces"."saml_discovery_token", "namespaces"."runners_token_encrypted", "namespaces"."custom_project_templates_group_id", "namespaces"."auto_devops_enabled", "namespaces"."extra_shared_runners_minutes_limit", "namespaces"."last_ci_minutes_notification_at", "namespaces"."last_ci_minutes_usage_notification_level", "namespaces"."subgroup_creation_level", "namespaces"."max_pages_size", "namespaces"."max_artifacts_size", "namespaces"."mentions_disabled", "namespaces"."default_branch_protection", "namespaces"."max_personal_access_token_lifetime", "namespaces"."push_rule_id", "namespaces"."shared_runners_enabled", "namespaces"."allow_descendants_override_disabled_shared_runners", "namespaces"."traversal_ids", "namespaces"."organization_id" FROM "namespaces" WHERE "namespaces"."type" = 'Project' AND "namespaces"."id" = 24 LIMIT 1
Query 2 explain
query 2:
SELECT "remote_development_namespace_cluster_agent_mappings".* FROM "remote_development_namespace_cluster_agent_mappings" WHERE "remote_development_namespace_cluster_agent_mappings"."namespace_id" IN (22, 24) AND "remote_development_namespace_cluster_agent_mappings"."cluster_agent_id" = 4
Other queries
- NOTE: The explain plans for the queries executed by the following piece of code have already been reviewed in BE: Add new query API to list available agents ... (!146453 - merged):
relevant_mappings =
::RemoteDevelopment::NamespaceClusterAgentMappings::Validations
.filter_valid_namespace_cluster_agent_mappings(namespace_cluster_agent_mappings: relevant_mappings)
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
The only UI difference should be in the text of the error message when a workspace cannot be created, otherwise the UI behavior is identical.
How to set up and validate locally
- Set feature flag remote_development_namespace_agent_authorization on a top-level group of the group hierarchy which you will use for testing.
- Create a workspace with a mapping set up and in the right hierarchy, verify it works.
- Attempt to create a workspace without a mapping set up, verify that the correct error message is shown.
- Attempt to create a workspace with a mapping set up, but then move the project out of the hierarchy, and verify the correct error message is shown.
Edited by Chad Woolley
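The mapping check and the three validation scenarios above, modeled in plain Ruby as an added example (not code from this MR or from GitLab). The Mapping and Project structs, authorize_workspace, the valid: stand-in for the validity filter, the error text, and group id 30 are assumptions made for illustration; ids 22, 24 and 4 are taken from the queries shown earlier.

```ruby
# Added illustration: plain-Ruby stand-ins, not GitLab's models or service code.
Mapping = Struct.new(:namespace_id, :cluster_agent_id)
Project = Struct.new(:traversal_ids)

# Same predicate as query 2: namespace_id IN (traversal_ids) AND cluster_agent_id = agent_id.
def relevant_mappings(mappings, project, agent_id)
  mappings.select do |m|
    project.traversal_ids.include?(m.namespace_id) && m.cluster_agent_id == agent_id
  end
end

# `valid` is a hypothetical stand-in for the validity filter, whose rules
# are not shown on this page. The error text is a placeholder.
def authorize_workspace(mappings, project, agent_id, flag_enabled: true, valid: ->(_m) { true })
  return :skipped unless flag_enabled # the new check applies only behind the flag
  usable = relevant_mappings(mappings, project, agent_id).select(&valid)
  usable.empty? ? [:error, "<placeholder: no valid agent mapping>"] : [:ok, usable]
end

# Constructed data reusing the ids from the queries above: project
# namespace 24 sits under group 22, and the agent id is 4.
AGENT_ID = 4
in_hierarchy = Project.new([22, 24])
moved_out    = Project.new([30, 24]) # 30 is a constructed, unrelated group id
mappings     = [Mapping.new(22, AGENT_ID)]

SCENARIOS = {
  mapped_in_hierarchy: authorize_workspace(mappings, in_hierarchy, AGENT_ID),
  no_mapping:          authorize_workspace([], in_hierarchy, AGENT_ID),
  project_moved_out:   authorize_workspace(mappings, moved_out, AGENT_ID),
  other_agent_mapping: authorize_workspace([Mapping.new(22, 5)], in_hierarchy, AGENT_ID),
  rejected_by_filter:  authorize_workspace(mappings, in_hierarchy, AGENT_ID, valid: ->(_m) { false }),
  flag_disabled:       authorize_workspace([], in_hierarchy, AGENT_ID, flag_enabled: false)
}

SCENARIOS.each { |name, result| puts "#{name}: #{Array(result).first}" }
```

Because the lookup is keyed on the project's current traversal_ids, a mapping left behind on group 22 stops authorizing the project as soon as it moves under another hierarchy; no cleanup of the mapping row is needed for the check to fail closed.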