From daf6ec81bc61b6cca38df0b9cecf86dd1a17ac59 Mon Sep 17 00:00:00 2001
From: fdegier
Date: Fri, 26 Sep 2025 16:55:32 +0200
Subject: [PATCH] Add support for composite identity to workflow resolver
Changelog: added
EE: true
---
 .../ai/duo_workflows/workflows_resolver.rb | 24 +++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/ee/app/graphql/resolvers/ai/duo_workflows/workflows_resolver.rb b/ee/app/graphql/resolvers/ai/duo_workflows/workflows_resolver.rb
index ed515ace758bb0..a7e85ab775df2a 100644
--- a/ee/app/graphql/resolvers/ai/duo_workflows/workflows_resolver.rb
+++ b/ee/app/graphql/resolvers/ai/duo_workflows/workflows_resolver.rb
@@ -56,9 +56,10 @@ def conflicting_type_filters?(args)
 def resolve_single_workflow(workflow_id)
 Gitlab::Graphql::Lazy.with_value(find_object(id: workflow_id)) do |workflow|
+ user = resolve_user_for_authorization
 if workflow.nil?
 raise_resource_not_available_error! "Workflow not found"
- elsif !Ability.allowed?(current_user, :read_duo_workflow, workflow)
+ elsif !Ability.allowed?(user, :read_duo_workflow, workflow)
 raise_resource_not_available_error! "You don't have permission to access this workflow"
 else
 ::Ai::DuoWorkflows::Workflow.id_in([workflow.id])
@@ -68,13 +69,14 @@ def resolve_single_workflow(workflow_id)
 def build_workflows_query(args)
 workflows = ::Ai::DuoWorkflows::Workflow
+ user = resolve_user_for_authorization
 if object.is_a?(::Project)
- return [] unless current_user.can?(:duo_workflow, object)
+ return [] unless user.can?(:duo_workflow, object)
 workflows.for_project(object).from_pipeline
 else
- workflows = workflows.for_user(current_user.id)
+ workflows = workflows.for_user(user.id)
 apply_project_filter(workflows, args[:project_path])
 end
 end
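Review bot: In `resolve_single_workflow`, the `elsif !Ability.allowed?(user, :read_duo_workflow, workflow)` check now evaluates only the resolved scoped user, so the authenticated account's own permissions no longer bound what the token can read. The `user.can?(:duo_workflow, ...)` checks in `build_workflows_query` and `apply_project_filter` change the same way. If that substitution is intended, state it where `user` is assigned, e.g. `# Composite identity: authorize as the linked user, not the service account`. The resolver spec should then cover the enforced-and-linked, enforced-but-unlinked and non-composite cases, because the principal used for every check in this file now depends on one helper. The closing `end` lines of this method are outside the hunk.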
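Review bot: In the `else` branch of `build_workflows_query`, `workflows.for_user(user.id)` now returns the scoped user's workflows to a request that authenticated as a different account, which is a wider listing than the previous `current_user.id` scope. Nothing visible in the hunk narrows that list to workflows the calling account is involved in, so this looks like a data-exposure decision rather than a pure authorization fix and should be confirmed. If it is intended, record it on the line, e.g. `# Under composite identity this lists the linked user's workflows`, and add a spec asserting which workflows a composite-identity request can and cannot see.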
@@ -82,8 +84,10 @@ def build_workflows_query(args)
 def apply_project_filter(workflows, project_path)
 return workflows unless project_path.present?
+ user = resolve_user_for_authorization
+
 project = Project.find_by_full_path(project_path)
- return [] unless current_user.can?(:duo_workflow, project)
+ return [] unless user.can?(:duo_workflow, project)
 workflows.for_project(project)
 end
@@ -101,6 +105,18 @@ def apply_filters(workflows, args)
 def find_object(id:)
 GitlabSchema.find_by_gid(id)
 end
+
+ def resolve_user_for_authorization
+ return current_user unless current_user.composite_identity_enforced?
+
+ composite_identity = ::Gitlab::Auth::Identity.fabricate(current_user)
+
+ if composite_identity.valid?
+ composite_identity.scoped_user
+ else
+ current_user
+ end
+ end
 end
 end
 end
-- GitLab
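Review bot: `apply_project_filter` resolves the authorization user a second time although its visible caller, `build_workflows_query`, has just done so, so one request fabricates the identity twice. The two permission checks use the same principal only because both happen to call the same helper. Memoizing inside the helper, e.g. `@user_for_authorization ||= ...`, would give one decision per resolver instance and keep the three call sites consistent. Separately, `Project.find_by_full_path(project_path)` can presumably return nil for an unknown path, so `user.can?(:duo_workflow, project)` relies on the policy denying a nil subject; a short comment saying so would help the next reader.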
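Review bot: The `else` branch of `resolve_user_for_authorization` fails open. When composite identity is enforced for `current_user` but `composite_identity.valid?` is false, the method returns `current_user`, so the request is authorized as the unscoped account in exactly the case where scoping could not be established. Deny instead by replacing `current_user` in that branch with `raise_resource_not_available_error! "Composite identity could not be resolved"`; that helper is already used in `resolve_single_workflow`. The first line also calls `current_user.composite_identity_enforced?` with no nil guard, whereas the old `Ability.allowed?(current_user, ...)` path did not call a method on `current_user` directly. Whether an unauthenticated request can reach this resolver is decided outside the hunk, so `current_user&.composite_identity_enforced?` is the safer spelling.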