lib/enterpriseportal: initial service API for RFC 885

[bobheadxi]

See RFC 885 Sourcegraph Enterprise Portal (go/enterprise-portal) - closes CORE-6. The only files requiring in-depth review are the .proto files, as everything else is generated:

• lib/enterpriseportal/subscriptions/v1/subscriptions.proto
• lib/enterpriseportal/codyaccess/v1/codyaccess.proto

This PR only introduces API definitions - implementation will come as subsequent PRs, tracked in the "Launch Enterprise Portal" Linear project.

Before reviewing the diffs, please review this PR description in depth.

Design goals

This initial schema aims to help achieve CORE-97 by adding our initial "get subscription Cody access", as well our general Stage 1 goal of providing read-only access to our existing enterprise subscription mechanisms. In doing so, we can start to reshape the API in a way that accommodates future growth and addresses some debt we have accumulated over time, before the Stage 2 goal of having the new Enterprise Portal be the source-of-truth for all things subscriptions.

I am also aiming for a conservative approach with the Cody Gateway access related RPCs, to ease migration risks and allow for Cody teams to follow up quickly with more drastic changes in a V2 of the service after a Core-Services-driven migration to use the new service: https://github.com/sourcegraph/sourcegraph/pull/62263#issuecomment-2101874114

Design overview

• Multiple services: Enterprise Portal aims to be the home of most Enterprise-related subscription and access management, but each component should be defined as a separate service to maintain clear boundaries between "core" capabilities and future extensions. One problem we see in the dotcom { productSubscriptions } is the embedding of additional concepts like Cody Gateway access makes the API surface unwieldy and brittle, and encourages an internal design that bundles everything together (the product_subscriptions table has 10 cody_gateway_* columns today). More concretely, this PR designs 2 services that Enterprise Portal will implement:
  • EnterprisePortalSubscriptionsService (subscriptions.proto): subscriptions and licenses CRUD
  • EnterprisePortalCodyGatewayService (codygateway.proto): Enterprise Cody Gateway access
• Multiple protocols: We use ConnectRPC to generate traditional gRPC handlers for service-to-service use, but also a plain HTTP/1 "REST"-ish protocol (the "Connect Protocol") that works for web clients and simple integrations. Go bindings for the Connect protocol are generated into the v1connect subpackages.
• Future licensing model/mechanism changes: The Subscription model is designed to remain static, but Licenses are designed to accommodate future changes -EnterpriseSubscriptionLicenseType and EnterpriseSubscriptionLicense in this PR describe only the current type of license, referred to as "classic licenses", but we can extend this in the future for e.g. new models (refreshable licenses?) or new products (Cody-only? PLG enterprise?), or existing problems (test instance licenses?)
• Granular history: Instead of a createdAt, isArchived, revokedAt and and so on, the new API defines Kubernetes-style conditions for licenses and subscriptions to describe creation, archival, and revocation events respectively, and can be more flexibly extended for future events and a lightweight audit log of major changes to a subscription or license. In particular, revokedAt already has a revokedReason - this allows us to extend these important events with additional metadata in a flexible manner.
• Pagination: I couldn't find a shared internal or off-the-shelf representation of pagination attributes, but each List* RPC describes page_size, page_token, and next_page_token
• Querying/filtering: I couldn't find a strong standard for this either, but in general:
  • Get* accepts query that is a oneof, with the goal of providing exact matches only.
  • List* accepts repeated filter, where each filter is a oneof a set of strategies relevant to a particular List* RPC. Multiple filters are treated as AND-concatenated.

Some major changes from the existing model:

• Downgrade the concept of "subscription access token": this was built for Cody Gateway but I am not sure it has aged well, as the mechanism is still tied to individual licenses, did not find new non-Cody-Gateway use cases (except for license checks, though those do not require an "access token" model either), and today are still not "true" access tokens as they cannot be expired/managed properly. This PR relegates the concept to remain Cody-specific as it effectively is today so that we might be able to introduce a better subscription-wide model if the use case arises. Over time, we may want to make this even more opaque, relying entirely on zero-config instead (generating from license keys).
• Subscriptions are no longer attached to a single dotcom user: Most of these users today are not real users anyway, as our license creation process asks that you create a fake user account ("User account: [...] We create a company-level account for this."). The new API removes the concept entirely, in favour of a true user access management system in CORE-102.
• Database/GraphQL IDs are no longer exposed - we use external, prefixed UUIDs for representing entities over APIs in a universal manner.
• Per-subscription Cody Gateway access no longer exposes allowed models: I suggested this to @rafax in light of recent problems with propagating new models to Enterprise customers. He agreed that the general product direction is "model options as a selling point" - it no longer makes sense to configure these at a per-subscription level. Instead, the Cody Gateway service should configure globally allowed models directly, and each Sourcegraph instance can determine what models they trust. If we really need this back we can add it later, but for now I think this removal is the right direction.

Direct translations

cmd/cody-gateway/internal/dotcom/operations.graphql defines our key dependencies for achieving CORE-97. The concepts referred in operations.graphql translate to this new API as follows:

• dotcom { productSubscriptionByAccessToken(accessToken) }: codygateway.v1.GetCodyGatewayAccess({ access_token })
• dotcom { productSubscriptions }: codygateway.v1.ListCodyGatewayAccess()
• fragment ProductSubscriptionState:
  • id: n/a
  • uuid: subscriptions.v1.EnterpriseSubscription.id
  • account { username }: subscriptions.v1.EnterpriseSubscription.display_name
  • isArchived: subscriptions.v1.EnterpriseSubscription.conditions
  • codyGatewayAccess { ... }: separate RPC to codygateway.v1.GetCodyGatewayAccess
  • activeLicense { ... }: separate RPC to subscriptions.v1.ListEnterpriseSubscriptionLicenses

Why lib/enterpriseportal?

We recently had to move another Telemetry Gateway to lib: #62061. Inevitably, there will be services that live outside the monorepo that want to integrate with Enterprise Portal (one is on our roadmap: Cody Analytics in https://github.com/sourcegraph/cody-analytics). This allows us to share generated bindings and some useful helpers, while keeping things in the monorepo.

Implications for Cody Clients

For now (and in the future), nothing is likely to change. Here's how I imagine things playing out:

graph TD
  cc["Cody Clients"] -- unified API --> cg[services like Cody Gateway]
  cg -- PLG users --> ssc[Self-Serve Cody]
  cg -- Enterprise users --> ep[Enterprise Portal]

Loading

Test plan

CI passes, the schemas can be generated by hand:

sg gen buf \
  lib/enterpriseportal/subscriptions/v1/buf.gen.yaml \
  lib/enterpriseportal/codyaccess/v1/buf.gen.yaml

[eseliger]

Do we ever need to be able to paginate here?

[bobheadxi]

We don't paginate in GraphQL :) I think over time this will become a smaller set - most instances should be using zero-config today, we could probably start discarding expired licenses from valid access tokens. Maybe we can even remove "access tokens" as a concept entirely from subscription management, and keep it invisible and dependent on zero-config?

cc @rafax who might have more context on the present state of things

[eseliger]

That would be very nice. I kinda hate that access token stuff, it was just the only thing we had :D Revoking an access token could also revoke the key I guess.

[bobheadxi]

Yeah this access token thing did not age well 🙃 In hindsight, going all-in on zero-config and keeping this whole thing opaque was probably the way to go (mentioned in my PR description under Downgrade the concept of "subscription access token")

[eseliger]

Yeah, I think we overestimated how many times customers would accidentally leak their token or license key and abuse in their bill would happen

[eseliger]

Multiple protocols: We use ConnectRPC to generate traditional gRPC handlers for service-to-service use

We cannot use plain gRPC for service-to-service?

[bobheadxi]

We cannot use plain gRPC for service-to-service?

ConnectRPC's generated handlers take care of both, but let me dig into the options a bit more

[rafax]

Some nits, but this is one of the first externally exposed gRPC APIs, so (I hope) it will be an inspiration for many people :) LGTM

[chrsmith]

Sorry for all the noise on the PR. After chatting with Robert over a short VC, I have a better understanding of what the master plan is here.

• I'm supportive of having an imperfect-but-compatible API, so that we can ease the transition over to pulling data from the Enterprise Portal.
• When we do have the Enterprise Portal up and running with a read/write view of the data, I look forward to trying to improve/streamline how we surface subscription information as it relates to Cody.

🚀

[bobheadxi]

Thank you for the review and discussion everyone ❤️ I've shared the state of this work over to the new #discuss-cody-prime team in https://sourcegraph.slack.com/archives/C05SZB829D0/p1715638980052279, and will give that a day or two to collect discussions. I'm also working through tidying up the Bazel stuff to make sure CI is happy.

We already have some work happening in parallel to set up the implementation to back the new API (e.g. #62525), so this isn't blocking - will aim to merge sometime mid-week