diff --git a/ee/app/policies/ee/global_policy.rb b/ee/app/policies/ee/global_policy.rb index 0f384bd682754a332745b0a4f2b1a504dc5e445e..28ebe618d3a12d73381d8cb2a1929abc5a81849f 100644 --- a/ee/app/policies/ee/global_policy.rb +++ b/ee/app/policies/ee/global_policy.rb @@ -118,11 +118,14 @@ module GlobalPolicy next false if ::Gitlab::CurrentSettings.gitlab_dedicated_instance? + next false if ::Ai::AmazonQ.connected? + true end condition(:instance_model_selection_available) do next false unless ::Feature.enabled?(:instance_level_model_selection, :instance) + next false if ::Ai::AmazonQ.connected? !::License.current&.offline_cloud_license? end diff --git a/ee/app/policies/ee/group_policy.rb b/ee/app/policies/ee/group_policy.rb index 9d8ffac09d22aeefdc02d8fa52e764e1e5df20ca..0ecea7812213c4b8b71f1ea4caf8e4440e64f2be 100644 --- a/ee/app/policies/ee/group_policy.rb +++ b/ee/app/policies/ee/group_policy.rb @@ -1066,6 +1066,7 @@ module GroupPolicy next false unless subject.root? next false if ::Ai::Setting.self_hosted? next false unless ::Feature.enabled?(:ai_model_switching, subject) + next false if ::Ai::AmazonQ.connected? subject.namespace_settings&.duo_features_enabled? end diff --git a/ee/app/policies/ee/user_policy.rb b/ee/app/policies/ee/user_policy.rb index cad8a74eb53326fa3ba9472e588b7a42d9180bc5..904dbf3931e8532418ebdbd8ff68de1aa8f190e5 100644 --- a/ee/app/policies/ee/user_policy.rb +++ b/ee/app/policies/ee/user_policy.rb @@ -65,6 +65,8 @@ def private_profile? def can_assign_default_duo_group? return false unless ::Gitlab::Saas.feature_available?(:gitlab_com_subscriptions) + return false if ::Ai::AmazonQ.connected? + return false unless ::Feature.enabled?(:ai_user_default_duo_namespace, user) return false unless user.user_preference.distinct_eligible_duo_add_on_assignments.exists? diff --git a/ee/spec/policies/global_policy_spec.rb b/ee/spec/policies/global_policy_spec.rb index 573cdade93c013ba73fd486deb14883a57855f34..9d9b72e0f66968a8016d3c7c07d35d2788064c64 100644 --- a/ee/spec/policies/global_policy_spec.rb +++ b/ee/spec/policies/global_policy_spec.rb @@ -856,13 +856,14 @@ context 'when admin', :enable_admin_mode do where(:is_licensed, :is_active_add_on, :is_saas, :with_saas_flag_enabled, :dedicated_instance, - :can_manage_self_hosted_settings) do - true | true | false | false | false | be_allowed(:manage_self_hosted_models_settings) - true | false | false | false | false | be_disallowed(:manage_self_hosted_models_settings) - true | true | true | false | false | be_disallowed(:manage_self_hosted_models_settings) - true | true | true | true | false | be_allowed(:manage_self_hosted_models_settings) - true | true | false | false | true | be_disallowed(:manage_self_hosted_models_settings) - false | true | false | false | false | be_disallowed(:manage_self_hosted_models_settings) + :amazon_q_enabled, :can_manage_self_hosted_settings) do + true | true | false | false | false | false | be_allowed(:manage_self_hosted_models_settings) + true | true | false | false | false | true | be_disallowed(:manage_self_hosted_models_settings) + true | false | false | false | false | false | be_disallowed(:manage_self_hosted_models_settings) + true | true | true | false | false | false | be_disallowed(:manage_self_hosted_models_settings) + true | true | true | true | false | false | be_allowed(:manage_self_hosted_models_settings) + true | true | false | false | true | false | be_disallowed(:manage_self_hosted_models_settings) + false | true | false | false | false | false | be_disallowed(:manage_self_hosted_models_settings) end with_them do @@ -871,6 +872,7 @@ allow(::GitlabSubscriptions::AddOnPurchase) .to receive_message_chain(:for_self_managed, :for_duo_enterprise, :active, :exists?).and_return(is_active_add_on) + allow(::Ai::AmazonQ).to receive(:connected?).and_return(amazon_q_enabled) stub_saas_features(gitlab_com_subscriptions: is_saas) stub_feature_flags(allow_self_hosted_features_for_com: with_saas_flag_enabled) @@ -895,13 +897,14 @@ end context 'when admin', :enable_admin_mode do - where(:is_licensed, :is_active_add_on, :instance_level_model_selection_enabled, :is_offline_license, - :can_manage_instance_model_selection) do - true | true | true | false | be_allowed(:manage_instance_model_selection) - true | false | true | false | be_disallowed(:manage_instance_model_selection) - true | true | false | false | be_disallowed(:manage_instance_model_selection) - true | true | true | true | be_disallowed(:manage_instance_model_selection) - false | true | true | false | be_disallowed(:manage_instance_model_selection) + where(:amazon_q_enabled, :is_licensed, :is_active_add_on, :instance_level_model_selection_enabled, + :is_offline_license, :can_manage_instance_model_selection) do + false | true | true | true | false | be_allowed(:manage_instance_model_selection) + true | true | true | true | false | be_disallowed(:manage_instance_model_selection) + false | true | false | true | false | be_disallowed(:manage_instance_model_selection) + false | true | true | false | false | be_disallowed(:manage_instance_model_selection) + false | true | true | true | true | be_disallowed(:manage_instance_model_selection) + false | false | true | true | false | be_disallowed(:manage_instance_model_selection) end with_them do @@ -912,6 +915,7 @@ before do stub_licensed_features(self_hosted_models: is_licensed) allow(License).to receive(:current).and_return(license_double) + allow(::Ai::AmazonQ).to receive(:connected?).and_return(amazon_q_enabled) allow(::GitlabSubscriptions::AddOnPurchase) .to receive_message_chain(:for_self_managed, :for_duo_enterprise, :active, :exists?).and_return(is_active_add_on) diff --git a/ee/spec/policies/group_policy_spec.rb b/ee/spec/policies/group_policy_spec.rb index 3432bb98f191f5c8a835d37a9a08d159651de3e0..d85e559e1938386181e2e26dcd2ef88ecf601106 100644 --- a/ee/spec/policies/group_policy_spec.rb +++ b/ee/spec/policies/group_policy_spec.rb @@ -4943,10 +4943,12 @@ def create_member_role(member, abilities = member_role_abilities) let(:feature_flags_enabled) { true } let(:namespace_duo_enabled) { true } let(:with_self_hosted) { false } + let(:amazon_q_enabled) { false } before do stub_feature_flags(ai_model_switching: feature_flags_enabled) allow(::Ai::Setting).to receive(:self_hosted?).and_return(with_self_hosted) + allow(::Ai::AmazonQ).to receive(:connected?).and_return(amazon_q_enabled) group.namespace_settings.update!(duo_features_enabled: namespace_duo_enabled) end @@ -4968,14 +4970,15 @@ def create_member_role(member, abilities = member_role_abilities) context 'when user can admin the group' do let(:current_user) { owner } - where(:feature_flags_enabled, :namespace_duo_enabled, :with_self_hosted, :enabled_for_user) do - false | false | false | be_disallowed(:admin_group_model_selection) - false | false | true | be_disallowed(:admin_group_model_selection) - true | false | false | be_disallowed(:admin_group_model_selection) - true | false | true | be_disallowed(:admin_group_model_selection) - false | true | false | be_disallowed(:admin_group_model_selection) - true | true | false | be_allowed(:admin_group_model_selection) - true | true | true | be_disallowed(:admin_group_model_selection) + where(:amazon_q_enabled, :feature_flags_enabled, :namespace_duo_enabled, :with_self_hosted, :enabled_for_user) do + false | false | false | false | be_disallowed(:admin_group_model_selection) + false | false | false | true | be_disallowed(:admin_group_model_selection) + false | true | false | false | be_disallowed(:admin_group_model_selection) + false | true | false | true | be_disallowed(:admin_group_model_selection) + false | false | true | false | be_disallowed(:admin_group_model_selection) + false | true | true | true | be_disallowed(:admin_group_model_selection) + true | true | true | false | be_disallowed(:admin_group_model_selection) + false | true | true | false | be_allowed(:admin_group_model_selection) end with_them do diff --git a/ee/spec/policies/user_policy_spec.rb b/ee/spec/policies/user_policy_spec.rb index 80835b231b728f24c455d6c597f4a267c6f5e8ba..319d4ef63595749e9cb216244e2bc7d0b577d57d 100644 --- a/ee/spec/policies/user_policy_spec.rb +++ b/ee/spec/policies/user_policy_spec.rb @@ -342,6 +342,7 @@ def policy let(:default_duo_namespace_enabled) { true } let(:duo_features_enabled) { true } + let(:amazon_q_enabled) { false } before do default_duo_namespace = default_duo_namespace_enabled ? current_user : false @@ -349,6 +350,8 @@ def policy stub_feature_flags(ai_user_default_duo_namespace: default_duo_namespace) stub_application_setting(duo_features_enabled: duo_features_enabled) + + allow(::Ai::AmazonQ).to receive(:connected?).and_return(amazon_q_enabled) end context 'with seats assigned to user' do @@ -357,11 +360,12 @@ def policy # Since this policy work with logical AND operator # We only need to test when one variable is false and the rest is true to validate it works correctly # This make this test more intelligible - where(:default_duo_namespace_enabled, :duo_features_enabled, :allowed?) do - false | true | false - true | false | false - false | false | false - true | true | true + where(:amazon_q_enabled, :default_duo_namespace_enabled, :duo_features_enabled, :allowed?) do + false | false | true | false + false | true | false | false + false | false | false | false + true | true | true | false + false | true | true | true end with_them do