Refactor: use CloudConnector::AvailableServices

* Duo workflow should not use `::Gitlab::CloudConnector::SelfIssuedToken` because that is backend Cloud Connector code that is invoked by `CloudConnector::AvailableServices` * Resolves https://gitlab.com/gitlab-org/gitlab/-/issues/485857 * This also required setting up the unit primitive in the access_data.yml so this MR partially addresses https://gitlab.com/gitlab-org/duo-workflow/duo-workflow-service/-/issues/17

Refactor: use CloudConnector::AvailableServices
171c0275 · Jessie Young · GitLab · e19315b5 · 171c0275 · 171c0275
--- a/ee/config/cloud_connector/access_data.yml
+++ b/ee/config/cloud_connector/access_data.yml
@@ -140,3 +140,10 @@ services: # Cloud connector features (i.e. code_suggestions, duo_chat...)
      _irrelevant_: # not checked when cut_off_date is null
        unit_primitives:
          - security_scans
+  duo_workflow:
+    backend: 'gitlab-duo-workflow-service'
+    bundled_with:
+      _irrelevant: # not checked when cut_off_date is null
+        unit_primitives:
+          - duo_workflow_execute_workflow
+          - duo_workflow_generate_token
--- a/ee/lib/ai/duo_workflow/duo_workflow_service/client.rb
+++ b/ee/lib/ai/duo_workflow/duo_workflow_service/client.rb
@@ -48,11 +48,7 @@ def metadata
        end

        def token
-          ::Gitlab::CloudConnector::SelfIssuedToken.new(
-            audience: "gitlab-duo-workflow-service",
-            subject: ::Gitlab::CurrentSettings.uuid,
-            scopes: ["duo_workflow_generate_token"]
-          ).encoded
+          CloudConnector::AvailableServices.find_by_name(:duo_workflow).access_token
        end

        def channel_credentials

--- a/ee/lib/cloud_connector/available_services.rb
+++ b/ee/lib/cloud_connector/available_services.rb
@@ -14,7 +14,7 @@ def find_by_name(service_name)
      end

      def select_reader(service_name)
-        if use_self_signed_token?(service_name)
+        if use_self_signed_token?(service_name) # gitlab.com or self-hosted AI Gateway
          SelfSigned::AccessDataReader.new
        else
          SelfManaged::AccessDataReader.new

--- a/ee/lib/cloud_connector/self_signed/available_service_data.rb
+++ b/ee/lib/cloud_connector/self_signed/available_service_data.rb
@@ -43,7 +43,9 @@ def scopes_for(resource)

      def allowed_scopes_from_purchased_bundles_for(resource)
        add_on_purchases_for(resource).uniq_add_on_names.flat_map do |name|
-          # TODO: We shold remove this when https://gitlab.com/gitlab-org/gitlab/-/issues/458745 is done
+          # Renaming the code_suggestions add-on to duo_pro would be complex and risky
+          # so we are still using the legacy name is parts of the code.
+          # The mapping is needed elsewhere because of third-party integrations that rely on our API.
          add_on_name = name == 'code_suggestions' ? 'duo_pro' : name
          @bundled_with[add_on_name]
        end.uniq

--- a/ee/spec/lib/ai/duo_workflow/duo_workflow_service/client_spec.rb
+++ b/ee/spec/lib/ai/duo_workflow/duo_workflow_service/client_spec.rb
@@ -10,6 +10,7 @@
  let(:request) { instance_double('DuoWorkflowService::GenerateTokenRequest') }
  let(:response) { double(token: 'a user jwt', expiresAt: 'a timestamp') } # rubocop:disable RSpec/VerifiedDoubles -- instance_double keeps raising error  the DuoWorkflowService::GenerateTokenResponse class does not implement the class method: token
  let(:channel_credentials) { instance_of(GRPC::Core::ChannelCredentials) }
+  let(:cloud_connector_service_data_double) { instance_of(CloudConnector::SelfSigned::AvailableServiceData) }

  subject(:client) do
    described_class.new(
@@ -20,9 +21,10 @@
  end

  before do
-    allow_next_instance_of(::Gitlab::CloudConnector::SelfIssuedToken) do |token|
-      allow(token).to receive(:encoded).and_return('instance jwt')
-    end
+    allow(CloudConnector::AvailableServices).to receive(:find_by_name).with(:duo_workflow).and_return(
+      cloud_connector_service_data_double
+    )
+    allow(cloud_connector_service_data_double).to receive(:access_token).and_return('instance jwt')
    allow(DuoWorkflowService::DuoWorkflow::Stub).to receive(:new).with(anything, channel_credentials).and_return(stub)
    allow(stub).to receive(:generate_token).and_return(response)
    allow(DuoWorkflowService::GenerateTokenRequest).to receive(:new).and_return(request)

--- a/ee/spec/lib/cloud_connector/self_signed/access_data_reader_spec.rb
+++ b/ee/spec/lib/cloud_connector/self_signed/access_data_reader_spec.rb
@@ -5,31 +5,31 @@
 # rubocop:disable RSpec/MultipleMemoizedHelpers -- Test uses a lot of helpers, and will be reviewed in https://gitlab.com/gitlab-org/gitlab/-/issues/495021
 RSpec.describe CloudConnector::SelfSigned::AccessDataReader, feature_category: :cloud_connector do
  describe '#read_available_services' do
-    let_it_be(:cs_cut_off_date) { Time.zone.parse("2024-02-15 00:00:00 UTC").utc }
-    let_it_be(:cs_unit_primitives) { [:code_suggestions] }
-    let_it_be(:cs_bundled_with) { { "duo_enterprise" => cs_unit_primitives, "duo_pro" => cs_unit_primitives } }
+    let(:cs_cut_off_date) { Time.zone.parse("2024-02-15 00:00:00 UTC").utc }
+    let(:cs_unit_primitives) { [:code_suggestions] }
+    let(:cs_bundled_with) { { "duo_enterprise" => cs_unit_primitives, "duo_pro" => cs_unit_primitives } }

-    let_it_be(:duo_chat_unit_primitives) { [:duo_chat, :documentation_search] }
-    let_it_be(:duo_chat_ent_unit_primitives) do
+    let(:duo_chat_unit_primitives) { [:duo_chat, :documentation_search] }
+    let(:duo_chat_ent_unit_primitives) do
      duo_chat_unit_primitives + [:ask_build, :ask_commit, :ask_epic, :ask_issue, :ask_merge_request]
    end

-    let_it_be(:duo_chat_bundled_with) do
+    let(:duo_chat_bundled_with) do
      { "duo_enterprise" => duo_chat_ent_unit_primitives, "duo_pro" => duo_chat_unit_primitives }
    end

-    let_it_be(:backend) { 'gitlab-ai-gateway' }
-    let_it_be(:gob_backend) { 'gitlab-observability-backend' }
-    let_it_be(:sast_backend) { 'gitlab-security-gateway' }
+    let(:backend) { 'gitlab-ai-gateway' }
+    let(:gob_backend) { 'gitlab-observability-backend' }
+    let(:sast_backend) { 'gitlab-security-gateway' }
+    let(:duo_workflow_backend) { 'gitlab-duo-workflow-service' }

-    let_it_be(:self_hosted_models_cut_off_date) { Time.zone.parse("2024-10-17 00:00:00 UTC").utc }
-    let_it_be(:ai_proxy_cut_off_date) { Time.zone.parse("2024-10-17 00:00:00 UTC").utc }
-    let_it_be(:duo_chat_cutoff_date) { Time.zone.parse("2024-10-17 00:00:00 UTC").utc }
-    let_it_be(:glab_ask_git_command_cut_off_date) { Time.zone.parse("2024-10-17 00:00:00 UTC").utc }
-    let_it_be(:generate_commit_message_cut_off_date) { Time.zone.parse("2024-10-17 00:00:00 UTC").utc }
-    let_it_be(:self_hosted_models_bundled_with) { { "duo_enterprise" => [:code_suggestions, :duo_chat] } }
+    let(:self_hosted_models_cut_off_date) { Time.zone.parse("2024-10-17 00:00:00 UTC").utc }
+    let(:ai_proxy_cut_off_date) { Time.zone.parse("2024-10-17 00:00:00 UTC").utc }
+    let(:duo_chat_cut_off_date) { Time.zone.parse("2024-10-17 00:00:00 UTC").utc }
+    let(:glab_ask_git_command_cut_off_date) { Time.zone.parse("2024-10-17 00:00:00 UTC").utc }
+    let(:generate_commit_message_cut_off_date) { Time.zone.parse("2024-10-17 00:00:00 UTC").utc }

-    let_it_be(:anthropic_proxy_bundled_with) do
+    let(:anthropic_proxy_bundled_with) do
      {
        "duo_enterprise" => %i[
          categorize_duo_chat_question
@@ -46,7 +46,7 @@
      }
    end

-    let_it_be(:vertex_ai_proxy_bundled_with) do
+    let(:vertex_ai_proxy_bundled_with) do
      {
        "duo_enterprise" => %i[
          documentation_search
@@ -64,7 +64,7 @@
      }
    end

-    let_it_be(:generate_description_bundled_with) do
+    let(:generate_description_bundled_with) do
      {
        "duo_enterprise" => %i[
          generate_issue_description
@@ -72,7 +72,7 @@
      }
    end

-    let_it_be(:explain_vulnerability_bundled_with) do
+    let(:explain_vulnerability_bundled_with) do
      {
        "duo_enterprise" => %i[
          explain_vulnerability
@@ -80,7 +80,7 @@
      }
    end

-    let_it_be(:troubleshoot_job_bundled_with) do
+    let(:troubleshoot_job_bundled_with) do
      {
        "duo_enterprise" => %i[
          troubleshoot_job
@@ -88,7 +88,7 @@
      }
    end

-    let_it_be(:resolve_vulnerability_bundled_with) do
+    let(:resolve_vulnerability_bundled_with) do
      {
        "duo_enterprise" => %i[
          resolve_vulnerability
@@ -96,7 +96,7 @@
      }
    end

-    let_it_be(:generate_commit_message_bundled_with) do
+    let(:generate_commit_message_bundled_with) do
      {
        "duo_enterprise" => %i[
          generate_commit_message
@@ -104,7 +104,7 @@
      }
    end

-    let_it_be(:glab_ask_git_command_bundled_with) do
+    let(:glab_ask_git_command_bundled_with) do
      {
        "duo_enterprise" => %i[
          glab_ask_git_command
@@ -112,7 +112,7 @@
      }
    end

-    let_it_be(:summarize_comments_bundled_with) do
+    let(:summarize_comments_bundled_with) do
      {
        "duo_enterprise" => %i[
          summarize_comments
@@ -120,7 +120,7 @@
      }
    end

-    let_it_be(:observability_all_bundled_with) do
+    let(:observability_all_bundled_with) do
      {
        "observability" => %i[
          observability_all
@@ -128,7 +128,7 @@
      }
    end

-    let_it_be(:sast_bundled_with) do
+    let(:sast_bundled_with) do
      {
        "_irrelevant_" => %i[
          security_scans
@@ -136,12 +136,25 @@
      }
    end

+    let(:duo_workflow_bundled_with) do
+      {
+        "_irrelevant" => %i[
+          duo_workflow_execute_workflow
+          duo_workflow_generate_token
+        ]
+      }
+    end
+
+    let(:self_hosted_models_bundled_with) do
+      { "duo_enterprise" => [:code_suggestions, :duo_chat] }
+    end
+
    include_examples 'access data reader' do
-      let_it_be(:available_service_data_class) { CloudConnector::SelfSigned::AvailableServiceData }
-      let_it_be(:arguments_map) do
+      let(:available_service_data_class) { CloudConnector::SelfSigned::AvailableServiceData }
+      let(:arguments_map) do
        {
          code_suggestions: [cs_cut_off_date, cs_bundled_with, backend],
-          duo_chat: [duo_chat_cutoff_date, duo_chat_bundled_with, backend],
+          duo_chat: [duo_chat_cut_off_date, duo_chat_bundled_with, backend],
          anthropic_proxy: [ai_proxy_cut_off_date, anthropic_proxy_bundled_with, backend],
          vertex_ai_proxy: [ai_proxy_cut_off_date, vertex_ai_proxy_bundled_with, backend],
          resolve_vulnerability: [nil, resolve_vulnerability_bundled_with, backend],
@@ -154,7 +167,8 @@
          summarize_comments: [nil, summarize_comments_bundled_with, backend],
          observability_all: [nil, observability_all_bundled_with, gob_backend],
          troubleshoot_job: [nil, troubleshoot_job_bundled_with, backend],
-          sast: [nil, sast_bundled_with, sast_backend]
+          sast: [nil, sast_bundled_with, sast_backend],
+          duo_workflow: [nil, duo_workflow_bundled_with, duo_workflow_backend]
        }
      end
    end