productsubscription: service accounts with RBAC, instead of feature flags

[bobheadxi]

Removes the feature flag service account stuff, replacing it with "real RBAC" on permissions introduced in https://github.com/sourcegraph/sourcegraph/pull/60795. Cody Gateway SAs will need to use roles with these permissions.

This change does not migrate all product-subscriptions-related CRUD to check for the new roles - it only updates the helper used by Cody Gateway related functionality. This could be used with Security team's "Entitler" service to help CEs manage subscriptions and licenses if we expand the RBAC checks, at least until RFC 885, which is still some time away.

Rollout plan would be to deploy https://github.com/sourcegraph/sourcegraph/pull/60795, create the appropriate role and assign it to the service accounts we have today, and then roll this change out.

Test plan

Automated tests, and basic manual testing:

1. sg start dotcom
2. Logged in as user with site admin: can CRUD on subscriptions
3. Logged in as non-site admin user: cannot CRUD on subscriptions
   
4. Create a new role:
5. Assign to non-admin user: mutation { setRoles(user:"VXNlcjo0",roles:["Um9sZTo0"]) { __typename } } (must be done via API, as UI is currently disabled in dotcom mode)
6. can now do some CRUD on subscriptions
7. Remove the write permission from the role
8. Get error on attempting to write to subscription, but read is still ok

[bobheadxi]

• productsubscription: service accounts with RBAC, instead of feature flags #60796 👈
• rbac: add dotcom-only roles and productsubscription roles #60795
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

Join @bobheadxi and the rest of your teammates on Graphite

[eseliger]

seems fine, https://github.com/sourcegraph/sourcegraph/pull/60014 is probably gonna replace this once I get to it again :)

[bobheadxi]

seems fine, https://github.com/sourcegraph/sourcegraph/pull/60014 is probably gonna replace this once I get to it again :)

Or, you could augment this by expanding on the same permissions and roles? 😉

[BolajiOlajide]

The site-admin check is redundant. Every permission in a Sourcegraph instance is usually automaticallly applied to the SiteAdmin role.

So rbac.CheckCurrentUserHasPermission(ctx, db, rbac.ProductSubscriptionsWritePermission) will always return nil for site admins.

[bobheadxi]

Hm, I'm unable to get this behaviour in tests - test cases that call db.Users().SetIsSiteAdmin(ctx, test.user.ID, true) leads to an unauthorized response

[bobheadxi]

It's also kind of weird to make this work well in non-integration tests, where mocking permsStore.GetPermissionForUserFunc.SetDefaultHook means reimplementing this site admin behaviour

[bobheadxi]

I ended up keeping the explicit site-admin check in https://github.com/sourcegraph/sourcegraph/pull/60796/commits/a7e5dd1234bd871ae5c1f07fdace840f112a96d9 to cover those integration tests

[BolajiOlajide]

Yeah, that's because in test environment we don't assign the permissions to the SiteAdmin role implicitly, you'll have to manually add it to the database in the setup for your tests.

As discussed in Merge, a test helper will be helpful to avoid folks running into this gotcha.

[bobheadxi]

Would be neat if SetIsSiteAdmin assigned the role, but this is more a shortcoming of how we use DB directly so often leading to discrepancies like this, or maybe we should just get rid of site admin usage entirely

I think it's probably safer for this change to not change the nature of the checks too much, let's revisit this in a more concerted follow-up

[BolajiOlajide]

Yeah, unfortunately SetIsSiteAdmin is tied to role assignment while the problem here is with permissions assignment.

But you're right, let's revisit this later when #58114 is merged. That would be a good time for this improvement I guess.

[bobheadxi]

Rolled out the roles (roles now available via GraphQL after https://github.com/sourcegraph/sourcegraph/pull/60992):

query {
  writer: user(username:"llm-proxy") {
    username
    roles {
      nodes {
        name
      }
    }
  }
  reader: user(username:"llm-proxy-readonly") {
    username
    roles {
      nodes {
        name
      }
    }
  }
}

{
  "data": {
    "writer": {
      "username": "llm-proxy",
      "roles": {
        "nodes": [
          {
            "name": "Product Subscriptions Writer"
          }
        ]
      }
    },
    "reader": {
      "username": "llm-proxy-readonly",
      "roles": {
        "nodes": [
          {
            "name": "Product Subscriptions Reader"
          }
        ]
      }
    }
  }
}

I will roll this out tomorrow