Fix Duo for CLI policy to check instance setting for SM

For self-managed, we should be respecting the instance-level setting that determines whether Duo features are enabled or not. If Duo features are disabled, Duo for CLI shouldn't work as well. Changelog: fixed EE: true

Fix Duo for CLI policy to check instance setting for SM
3ed56e62 · Patrick Bajao · 6ca134a2 · 3ed56e62 · 3ed56e62
Commit 3ed56e62 authored 6 months ago by Patrick Bajao
--- a/ee/app/policies/ee/global_policy.rb
+++ b/ee/app/policies/ee/global_policy.rb
@@ -69,19 +69,23 @@ module GlobalPolicy
        self_hosted_models.free_access? || self_hosted_models.allowed_for?(@user)
      end
  
-      condition(:user_allowed_to_use_glab_ask_git_command) do
-        next true if glab_ask_git_command_data.allowed_for?(@user)
-
-        next false unless glab_ask_git_command_data.free_access?
-
+      condition(:glab_ask_git_command_licensed) do
        if ::Gitlab::Saas.feature_available?(:duo_chat_on_saas) # check if we are on SaaS
-          @user.any_group_with_ga_ai_available?(:glab_ask_git_command)
-        else
-          ::License.feature_available?(:glab_ask_git_command)
+          next @user.any_group_with_ga_ai_available?(:glab_ask_git_command)
        end
+
+        next false unless ::Gitlab::CurrentSettings.duo_features_enabled?
+
+        ::License.feature_available?(:glab_ask_git_command)
+      end
+
+      condition(:user_allowed_to_use_glab_ask_git_command) do
+        next true if glab_ask_git_command_data.free_access?
+
+        glab_ask_git_command_data.allowed_for?(@user)
      end
  
-      rule { user_allowed_to_use_glab_ask_git_command }.policy do
+      rule { glab_ask_git_command_licensed & user_allowed_to_use_glab_ask_git_command }.policy do
        enable :access_glab_ask_git_command
      end
  

--- a/ee/spec/policies/global_policy_spec.rb
+++ b/ee/spec/policies/global_policy_spec.rb
@@ -803,17 +803,19 @@
    let(:policy) { :access_glab_ask_git_command }
  
    context 'for self-managed' do
-      where(:licensed, :free_access, :allowed_for, :enabled_for_user) do
-        false | false | false | be_disallowed(:access_glab_ask_git_command)
-        true  | false | false | be_disallowed(:access_glab_ask_git_command)
-        true  | false | true  | be_allowed(:access_glab_ask_git_command)
-        true  | true  | false | be_allowed(:access_glab_ask_git_command)
-        true  | true  | true  | be_allowed(:access_glab_ask_git_command)
+      where(:duo_features_enabled, :licensed, :free_access, :allowed_for, :enabled_for_user) do
+        true  | false | false | false | be_disallowed(:access_glab_ask_git_command)
+        true  | true  | false | false | be_disallowed(:access_glab_ask_git_command)
+        false | true  | true  | true  | be_disallowed(:access_glab_ask_git_command)
+        true  | true  | false | true  | be_allowed(:access_glab_ask_git_command)
+        true  | true  | true  | false | be_allowed(:access_glab_ask_git_command)
+        true  | true  | true  | true  | be_allowed(:access_glab_ask_git_command)
      end
  
      with_them do
        before do
          stub_licensed_features(glab_ask_git_command: licensed)
+          stub_application_setting(duo_features_enabled: duo_features_enabled)
  
          service_data = CloudConnector::SelfManaged::AvailableServiceData.new(:glab_ask_git_command, nil, nil)
          allow(CloudConnector::AvailableServices).to receive(:find_by_name)
@@ -830,7 +832,7 @@
        where(:free_access, :any_group_with_ga_ai_available, :allowed_for, :enabled_for_user) do
          false | false | false | be_disallowed(:access_glab_ask_git_command)
          true  | false | false | be_disallowed(:access_glab_ask_git_command)
-          false | false | true  | be_allowed(:access_glab_ask_git_command)
+          false | false | true  | be_disallowed(:access_glab_ask_git_command)
          true  | true  | false | be_allowed(:access_glab_ask_git_command)
          true  | true  | true  | be_allowed(:access_glab_ask_git_command)
        end