cody: replace access-control feature flag with RBAC

[emidoots]

This change replaces the old feature-flag which controls users who have access to Cody, with an RBAC-based implementation instead.

After this change, cody.restrictUsersFeatureFlag is deprecated. For Sourcegraph instances that still have it set, it will still be respected it until the site admin removes it from their config. A warning is displayed to let admins know this needs to be done:

Once cody.restrictUsersFeatureFlag is not set in the site config, the new RBAC system is used instead: site admins can manage user roles, and assign/remove cody:access to users or groups of users via the access control web UI.

By default, all users have access (admins can change this default via the access control web UI.)

The new Cody RBAC system defaults to enabled unless cody.restrictUsersFeatureFlag is set in the site config. It can be disabled by setting the new cody.permissions site config option to false, in which case Sourcegraph behaves as it did before this change.

Fixes #58623
Helps (fixes?) #58624
Resolves #58627

Remaining TODOs before this PR can be merged

• Some Go tests need updating / CI needs to pass
• These docs need to be updated to tell site admins on new versions what to do, tell site admins on old versions how they can use the old docs, and tell site admins upgrading what to do (remove the old config, and then use the RBAC system going forward.) with the exact Sourcegraph versions mentioned.

Test plan

• Created a non-admin user, signed into VS Code' Cody via that user, confirmed I have access by default.
• Using the site admin account, change normal users'

[sourcegraph-bot]

📖 Storybook live preview

[chwarwick]

Looks like it's always been this way but feels strange to me that the site resolver is returning if Cody is enabled for the current user, not is Cody enabled for the site.

[emidoots]

Yeah, it is very (functional, but) strange. It's also weird that we have Cody access control enforced in the feature-flag portion of internal/cody.

I haven't set out to 'correct' this in this PR with the hopes of keeping it from increasing in scope/risk

[chwarwick]

If i'm following correctly the RBAC permissions are only used if the config value is set to enable permissions, which means the default case is that all users have access (same as today 👍 )

But what happens in the RBAC UI? Does it look like you are configuring Cody access for groups/all users but because it's not enabled in the config it isn't considered?

[emidoots]

If i'm following correctly the RBAC permissions are only used if the config value is set to enable permissions, which means the default case is that all users have access (same as today 👍 )

But what happens in the RBAC UI? Does it look like you are configuring Cody access for groups/all users but because it's not enabled in the config it isn't considered?

That is correct; however if the RBAC permissions are not being respected then the warning would display at the top of the page indicating you're using the old permission system:

The one edge-case here would be if a site admin explicitly disables the new RBAC permissions model (cody.permissions set to false). Eventually I would like to remove the ability for a site admin to do that at all (in +1 release, so many months have passed and everyone has had a chance to upgrade.)

[emidoots]

@chwarwick or @eseliger would either of you be up for a quick review? I'd love to land this soon as it's blocking some other work :)

[chwarwick]

Nice, this looks correct to me. See note about new docs process.

[chwarwick]

Docs changes need to go into the new docs repo. I think having them here will fail the build?

[chwarwick]

What does but not completions mean? This test looks the same as the one above.

[emidoots]

Good catch, I mirror'd the existing good test suite but for the case of RBAC - and this ended up being redundant. Removed.

[eseliger]

LGTM, might warrant a changelog entry to make people aware prior to the upgrade that they need to migrate their access settings :)