From 9fbece3cd3ca1fe7a1a6e7d5df805100b1849a03 Mon Sep 17 00:00:00 2001 From: Patrick Cyiza Date: Fri, 17 Oct 2025 15:11:48 +0200 Subject: [PATCH 1/2] Unauthorize model selection with Amazon Q --- ee/app/policies/ee/global_policy.rb | 3 +++ ee/app/policies/ee/group_policy.rb | 1 + ee/app/policies/ee/user_policy.rb | 2 ++ ee/spec/policies/global_policy_spec.rb | 32 +++++++++++++++----------- ee/spec/policies/group_policy_spec.rb | 19 ++++++++------- ee/spec/policies/user_policy_spec.rb | 14 +++++++---- 6 files changed, 44 insertions(+), 27 deletions(-) diff --git a/ee/app/policies/ee/global_policy.rb b/ee/app/policies/ee/global_policy.rb index 0f384bd682754a..28ebe618d3a12d 100644 --- a/ee/app/policies/ee/global_policy.rb +++ b/ee/app/policies/ee/global_policy.rb @@ -118,11 +118,14 @@ module GlobalPolicy next false if ::Gitlab::CurrentSettings.gitlab_dedicated_instance? + next false if ::Ai::AmazonQ.connected? + true end condition(:instance_model_selection_available) do next false unless ::Feature.enabled?(:instance_level_model_selection, :instance) + next false if ::Ai::AmazonQ.connected? !::License.current&.offline_cloud_license? end diff --git a/ee/app/policies/ee/group_policy.rb b/ee/app/policies/ee/group_policy.rb index 9d8ffac09d22ae..c751f4c3772869 100644 --- a/ee/app/policies/ee/group_policy.rb +++ b/ee/app/policies/ee/group_policy.rb @@ -1063,6 +1063,7 @@ module GroupPolicy with_scope :subject condition(:group_model_selection_enabled) do + next false if ::Ai::AmazonQ.connected? next false unless subject.root? next false if ::Ai::Setting.self_hosted? next false unless ::Feature.enabled?(:ai_model_switching, subject) diff --git a/ee/app/policies/ee/user_policy.rb b/ee/app/policies/ee/user_policy.rb index cad8a74eb53326..904dbf3931e853 100644 --- a/ee/app/policies/ee/user_policy.rb +++ b/ee/app/policies/ee/user_policy.rb 
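Review bot: Neither of the two `next false if ::Ai::AmazonQ.connected?` lines added to `global_policy.rb` carries a rationale, and the identical bare guard is repeated in `group_policy.rb` (`group_model_selection_enabled`) and `user_policy.rb` (`can_assign_default_duo_group?`), so a future reader has four unexplained sites and nothing tying them to the commit's intent. A one-line comment above the first occurrence, e.g. `# Model selection is unavailable while an Amazon Q integration is connected`, with the other sites pointing at the same reasoning, would keep the guard from being "simplified" away during an unrelated refactor. With the rule duplicated four times, a single shared predicate that wraps `::Ai::AmazonQ.connected?` would also keep the call sites from drifting if the integration check ever changes. Both condition blocks in this hunk start before its first line, so the checks preceding the dedicated-instance line are not visible here.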
@@ -65,6 +65,8 @@ def private_profile? def can_assign_default_duo_group? return false unless ::Gitlab::Saas.feature_available?(:gitlab_com_subscriptions) + return false if ::Ai::AmazonQ.connected? + return false unless ::Feature.enabled?(:ai_user_default_duo_namespace, user) return false unless user.user_preference.distinct_eligible_duo_add_on_assignments.exists? diff --git a/ee/spec/policies/global_policy_spec.rb b/ee/spec/policies/global_policy_spec.rb index 573cdade93c013..9d9b72e0f66968 100644 --- a/ee/spec/policies/global_policy_spec.rb +++ b/ee/spec/policies/global_policy_spec.rb 
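Review bot: The new `return false if ::Ai::AmazonQ.connected?` in `can_assign_default_duo_group?` is placed before the `::Feature.enabled?(:ai_user_default_duo_namespace, user)` check, whereas the second patch in this series deliberately moves the equivalent guard in `group_policy.rb` after its feature-flag check. If that reorder reflects the intended evaluation order (flag first, integration check second), this method should match it: swap the two lines so they read `return false unless ::Feature.enabled?(:ai_user_default_duo_namespace, user)` followed by `return false if ::Ai::AmazonQ.connected?`. Either order fails closed, so this is consistency rather than correctness. The method's remaining lines, including its final expression, continue past the end of the hunk.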
@@ -856,13 +856,14 @@ context 'when admin', :enable_admin_mode do where(:is_licensed, :is_active_add_on, :is_saas, :with_saas_flag_enabled, :dedicated_instance, - :can_manage_self_hosted_settings) do - true | true | false | false | false | be_allowed(:manage_self_hosted_models_settings) - true | false | false | false | false | be_disallowed(:manage_self_hosted_models_settings) - true | true | true | false | false | be_disallowed(:manage_self_hosted_models_settings) - true | true | true | true | false | be_allowed(:manage_self_hosted_models_settings) - true | true | false | false | true | be_disallowed(:manage_self_hosted_models_settings) - false | true | false | false | false | be_disallowed(:manage_self_hosted_models_settings) + :amazon_q_enabled, :can_manage_self_hosted_settings) do + true | true | false | false | false | false | be_allowed(:manage_self_hosted_models_settings) + true | true | false | false | false | true | be_disallowed(:manage_self_hosted_models_settings) + true | false | false | false | false | false | be_disallowed(:manage_self_hosted_models_settings) + true | true | true | false | false | false | be_disallowed(:manage_self_hosted_models_settings) + true | true | true | true | false | false | be_allowed(:manage_self_hosted_models_settings) + true | true | false | false | true | false | be_disallowed(:manage_self_hosted_models_settings) + false | true | false | false | false | false | be_disallowed(:manage_self_hosted_models_settings) end with_them do @@ -871,6 +872,7 @@ allow(::GitlabSubscriptions::AddOnPurchase) .to receive_message_chain(:for_self_managed, :for_duo_enterprise, :active, :exists?).and_return(is_active_add_on) + allow(::Ai::AmazonQ).to receive(:connected?).and_return(amazon_q_enabled) stub_saas_features(gitlab_com_subscriptions: is_saas) stub_feature_flags(allow_self_hosted_features_for_com: with_saas_flag_enabled) 
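Review bot: The `manage_self_hosted_models_settings` table exercises `amazon_q_enabled: true` only on the self-managed row (`is_saas: false`), so the other allowed path — `is_saas: true` with `with_saas_flag_enabled: true` — is never shown to be blocked by the new guard, even though the policy places the Amazon Q check immediately before its final `true`. Adding the row `true | true | true | true | false | true | be_disallowed(:manage_self_hosted_models_settings)` pins that path. As a style point, the new column is second-to-last in this table but first in the `manage_instance_model_selection` table in the next hunk; one position across the file would make the two tables easier to compare.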
@@ -895,13 +897,14 @@ end context 'when admin', :enable_admin_mode do - where(:is_licensed, :is_active_add_on, :instance_level_model_selection_enabled, :is_offline_license, - :can_manage_instance_model_selection) do - true | true | true | false | be_allowed(:manage_instance_model_selection) - true | false | true | false | be_disallowed(:manage_instance_model_selection) - true | true | false | false | be_disallowed(:manage_instance_model_selection) - true | true | true | true | be_disallowed(:manage_instance_model_selection) - false | true | true | false | be_disallowed(:manage_instance_model_selection) + where(:amazon_q_enabled, :is_licensed, :is_active_add_on, :instance_level_model_selection_enabled, + :is_offline_license, :can_manage_instance_model_selection) do + false | true | true | true | false | be_allowed(:manage_instance_model_selection) + true | true | true | true | false | be_disallowed(:manage_instance_model_selection) + false | true | false | true | false | be_disallowed(:manage_instance_model_selection) + false | true | true | false | false | be_disallowed(:manage_instance_model_selection) + false | true | true | true | true | be_disallowed(:manage_instance_model_selection) + false | false | true | true | false | be_disallowed(:manage_instance_model_selection) end with_them do @@ -912,6 +915,7 @@ before do stub_licensed_features(self_hosted_models: is_licensed) allow(License).to receive(:current).and_return(license_double) + allow(::Ai::AmazonQ).to receive(:connected?).and_return(amazon_q_enabled) allow(::GitlabSubscriptions::AddOnPurchase) .to receive_message_chain(:for_self_managed, :for_duo_enterprise, :active, :exists?).and_return(is_active_add_on) diff --git a/ee/spec/policies/group_policy_spec.rb b/ee/spec/policies/group_policy_spec.rb index 3432bb98f191f5..2714b7324e9927 100644 --- a/ee/spec/policies/group_policy_spec.rb +++ b/ee/spec/policies/group_policy_spec.rb 
@@ -4943,10 +4943,12 @@ def create_member_role(member, abilities = member_role_abilities) let(:feature_flags_enabled) { true } let(:namespace_duo_enabled) { true } let(:with_self_hosted) { false } + let(:amazon_q_enabled) { true } before do stub_feature_flags(ai_model_switching: feature_flags_enabled) allow(::Ai::Setting).to receive(:self_hosted?).and_return(with_self_hosted) + allow(::Ai::AmazonQ).to receive(:connected?).and_return(amazon_q_enabled) group.namespace_settings.update!(duo_features_enabled: namespace_duo_enabled) end 
@@ -4968,14 +4970,15 @@ def create_member_role(member, abilities = member_role_abilities) context 'when user can admin the group' do let(:current_user) { owner } - where(:feature_flags_enabled, :namespace_duo_enabled, :with_self_hosted, :enabled_for_user) do - false | false | false | be_disallowed(:admin_group_model_selection) - false | false | true | be_disallowed(:admin_group_model_selection) - true | false | false | be_disallowed(:admin_group_model_selection) - true | false | true | be_disallowed(:admin_group_model_selection) - false | true | false | be_disallowed(:admin_group_model_selection) - true | true | false | be_allowed(:admin_group_model_selection) - true | true | true | be_disallowed(:admin_group_model_selection) + where(:amazon_q_enabled, :feature_flags_enabled, :namespace_duo_enabled, :with_self_hosted, :enabled_for_user) do + false | false | false | false | be_disallowed(:admin_group_model_selection) + false | false | false | true | be_disallowed(:admin_group_model_selection) + false | true | false | false | be_disallowed(:admin_group_model_selection) + false | true | false | true | be_disallowed(:admin_group_model_selection) + false | false | true | false | be_disallowed(:admin_group_model_selection) + false | true | true | true | be_disallowed(:admin_group_model_selection) + true | true | true | false | be_disallowed(:admin_group_model_selection) + false | true | true | false | be_allowed(:admin_group_model_selection) end with_them do diff --git a/ee/spec/policies/user_policy_spec.rb b/ee/spec/policies/user_policy_spec.rb index 80835b231b728f..6e70d98fd1c34c 100644 --- a/ee/spec/policies/user_policy_spec.rb +++ b/ee/spec/policies/user_policy_spec.rb @@ -342,6 +342,7 @@ def policy let(:default_duo_namespace_enabled) { true } let(:duo_features_enabled) { true } + let(:amazon_q_enabled) { true } before do default_duo_namespace = default_duo_namespace_enabled ? current_user : false 
@@ -349,6 +350,8 @@ def policy stub_feature_flags(ai_user_default_duo_namespace: default_duo_namespace) stub_application_setting(duo_features_enabled: duo_features_enabled) + + allow(::Ai::AmazonQ).to receive(:connected?).and_return(amazon_q_enabled) end context 'with seats assigned to user' do @@ -357,11 +360,12 @@ def policy # Since this policy work with logical AND operator # We only need to test when one variable is false and the rest is true to validate it works correctly # This make this test more intelligible - where(:default_duo_namespace_enabled, :duo_features_enabled, :allowed?) do - false | true | false - true | false | false - false | false | false - true | true | true + where(:amazon_q_enabled, :default_duo_namespace_enabled, :duo_features_enabled, :allowed?) do + false | false | true | false + false | true | false | false + false | false | false | false + true | true | true | false + false | true | true | true end with_them do -- GitLab From 2c0dee0ad0c38a712ff57348591beb083e7ad77f Mon Sep 17 00:00:00 2001 From: Patrick Cyiza Date: Thu, 23 Oct 2025 12:04:54 +0200 Subject: [PATCH 2/2] Apply 3 suggestion(s) to 3 file(s) Co-authored-by: Dillon Wheeler --- ee/app/policies/ee/group_policy.rb | 2 +- ee/spec/policies/group_policy_spec.rb | 2 +- ee/spec/policies/user_policy_spec.rb | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ee/app/policies/ee/group_policy.rb b/ee/app/policies/ee/group_policy.rb index c751f4c3772869..0ecea7812213c4 100644 --- a/ee/app/policies/ee/group_policy.rb +++ b/ee/app/policies/ee/group_policy.rb @@ -1063,10 +1063,10 @@ module GroupPolicy with_scope :subject condition(:group_model_selection_enabled) do - next false if ::Ai::AmazonQ.connected? next false unless subject.root? next false if ::Ai::Setting.self_hosted? next false unless ::Feature.enabled?(:ai_model_switching, subject) + next false if ::Ai::AmazonQ.connected? subject.namespace_settings&.duo_features_enabled? end 
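Review bot: The comment above the `where` table in the `@@ -357` hunk ("We only need to test when one variable is false and the rest is true") no longer describes the table once `amazon_q_enabled` is a column, because that input is a negative condition whose blocking value is `true`, as the new row `true | true | true | false` shows. Rewording it along the lines of `# Each row flips one input to its blocking value (true for amazon_q_enabled, false for the others) to show every guard disables the ability` would stop the next reader from taking that row for a typo. The comment lines are unchanged context, so this is a follow-up rather than something the patch breaks; the `with_them` body runs past the end of the hunk.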
diff --git a/ee/spec/policies/group_policy_spec.rb b/ee/spec/policies/group_policy_spec.rb index 2714b7324e9927..d85e559e193838 100644 --- a/ee/spec/policies/group_policy_spec.rb +++ b/ee/spec/policies/group_policy_spec.rb @@ -4943,7 +4943,7 @@ def create_member_role(member, abilities = member_role_abilities) let(:feature_flags_enabled) { true } let(:namespace_duo_enabled) { true } let(:with_self_hosted) { false } - let(:amazon_q_enabled) { true } + let(:amazon_q_enabled) { false } before do stub_feature_flags(ai_model_switching: feature_flags_enabled) diff --git a/ee/spec/policies/user_policy_spec.rb b/ee/spec/policies/user_policy_spec.rb index 6e70d98fd1c34c..319d4ef6359574 100644 --- a/ee/spec/policies/user_policy_spec.rb +++ b/ee/spec/policies/user_policy_spec.rb @@ -342,7 +342,7 @@ def policy let(:default_duo_namespace_enabled) { true } let(:duo_features_enabled) { true } - let(:amazon_q_enabled) { true } + let(:amazon_q_enabled) { false } before do default_duo_namespace = default_duo_namespace_enabled ? current_user : false -- GitLab