chore(api): Only block requests because CAS Backend status on needed endpoints

Signed-off-by: Javier Rodriguez <javier@chainloop.dev>

Author: javirln

app/controlplane/internal/server/grpc.go

@@ -207,7 +207,7 @@ func craftMiddleware(opts *Opts) []middleware.Middleware {
 				usercontext.CheckUserHasAccess(opts.AuthConfig.AllowList, opts.UserUseCase),
 			).Match(allowListEnabled()).Build(),
 			selector.Server(
-				usercontext.CheckOrgRequirements(opts.CASBackendUseCase),
+				usercontext.ValidateCASBackend(opts.CASBackendUseCase),
 			).Match(requireFullyConfiguredOrgMatcher()).Build(),
 		).Match(requireCurrentUserMatcher()).Build(),
 	)
@@ -234,6 +234,11 @@ func craftMiddleware(opts *Opts) []middleware.Middleware {
 			usercontext.WithAttestationContextFromAPIToken(opts.APITokenUseCase, opts.OrganizationUseCase, logHelper),
 			// 2.c - Set Attestation context from user token
 			usercontext.WithAttestationContextFromUser(opts.UserUseCase, logHelper),
+			// Validate the CAS Backend is fully configured and valid
+			selector.Server(
+				usercontext.ValidateCASBackend(opts.CASBackendUseCase),
+				usercontext.BlockIfCASBackendNotValid(opts.CASBackendUseCase),
+			).Match(requireFullyConfiguredCASBackendMatcher()).Build(),
 			// Store all memberships in the context
 			usercontext.WithCurrentMembershipsMiddleware(opts.MembershipUseCase),
 			// 2.d - Set its robot account from federated delegation
@@ -268,6 +273,14 @@ func requireFullyConfiguredOrgMatcher() selector.MatchFunc {
 	}
 }
 
+func requireFullyConfiguredCASBackendMatcher() selector.MatchFunc {
+	const requireMatcher = "/controlplane.v1.AttestationService.GetUploadCreds|/controlplane.v1.AttestationService.Init|/controlplane.v1.AttestationService.Store|/controlplane.v1.CASCredentialsService.Get"
+	return func(ctx context.Context, operation string) bool {
+		r := regexp.MustCompile(requireMatcher)
+		return r.MatchString(operation)
+	}
+}
+
 func allowListEnabled() selector.MatchFunc {
 	// the allow list should not affect the ability to know who you are and delete your account
 	const skipRegexp = "controlplane.v1.ContextService/Current|/controlplane.v1.AuthService/DeleteAccount"

app/controlplane/internal/server/grpc_test.go

@@ -46,16 +46,16 @@ func TestRequireFullyConfiguredOrgMatcher(t *testing.T) {
 		operation string
 		matches   bool
 	}{
-		{"/controlplane.v1.WorkflowService/List", true},
-		{"/controlplane.v1.WorkflowRunService/List", true},
+		{"/controlplane.v1.AttestationService.GetUploadCreds", true},
+		{"/controlplane.v1.AttestationService.Init", true},
 		{"/controlplane.v1.OCIRepositoryService/Save", false},
 		{"/controlplane.v1.OrganizationService/ListMemberships", false},
 		{"/controlplane.v1.OrganizationService/SetCurrent", false},
 		{"/controlplane.v1.CASBackendService/List", false},
 		{"/controlplane.v1.CASBackendService/Add", false},
 	}
 
-	matchFunc := requireFullyConfiguredOrgMatcher()
+	matchFunc := requireFullyConfiguredCASBackendMatcher()
 	for _, op := range testCases {
 		if got, want := matchFunc(context.Background(), op.operation), op.matches; got != want {
 			assert.Equal(t, matchFunc(context.Background(), op.operation), op.matches)

app/controlplane/internal/service/attestation.go

@@ -179,6 +179,11 @@ func (s *AttestationService) Init(ctx context.Context, req *cpAPI.AttestationSer
 		return nil, errors.NotFound("not found", "default CAS backend not found")
 	}
 
+	// Check the status of the backend
+	if backend.ValidationStatus != biz.CASBackendValidationOK {
+		return nil, cpAPI.ErrorCasBackendErrorReasonInvalid("your CAS backend can't be reached")
+	}
+
 	// Create workflowRun
 	opts := &biz.WorkflowRunCreateOpts{
 		WorkflowID:       wf.ID.String(),
@@ -284,6 +289,12 @@ func (s *AttestationService) storeAttestation(ctx context.Context, envelope []by
 
 	// If we have an external CAS backend, we will push there the attestation
 	if !casBackend.Inline {
+		if casBackend.ValidationStatus != biz.CASBackendValidationOK {
+			// Try to re-validate the backend; if it still fails, return an error
+			if err = s.casUC.PerformValidation(ctx, casBackend.ID.String()); err != nil {
+				return nil, cpAPI.ErrorCasBackendErrorReasonInvalid("your CAS backend can't be reached")
+			}
+		}
 		go func() {
 			b := backoff.NewExponentialBackOff()
 			b.MaxElapsedTime = 1 * time.Minute
@@ -438,6 +449,16 @@ func (s *AttestationService) GetUploadCreds(ctx context.Context, req *cpAPI.Atte
 	}
 
 	backend := wRun.CASBackends[0]
+
+	// Check the status of the backend
+	if backend.ValidationStatus != biz.CASBackendValidationOK {
+		// Try to re-validate the backend; if it still fails, return an error
+		// Assume PerformValidation updated the backend status; continue if validation succeeded
+		if err = s.casUC.PerformValidation(ctx, backend.ID.String()); err != nil {
+			return nil, cpAPI.ErrorCasBackendErrorReasonInvalid("your CAS backend can't be reached")
+		}
+	}
+
 	s.log.Infow("msg", "generating upload credentials for CAS backend", "ID", wRun.CASBackends[0].ID, "name", wRun.CASBackends[0].Location, "workflowRun", req.WorkflowRunId)
 
 	// Return the backend information and associated credentials (if applicable)

app/controlplane/internal/usercontext/apitoken_middleware_test.go

@@ -155,3 +155,7 @@ func TestWithCurrentAPITokenAndOrgMiddleware(t *testing.T) {
 		})
 	}
 }
+
+func toTimePtr(t time.Time) *time.Time {
+	return &t
+}

app/controlplane/internal/usercontext/orgrequirements_middleware.go

@@ -27,7 +27,12 @@ import (
 	"github.com/go-kratos/kratos/v2/middleware"
 )
 
-func CheckOrgRequirements(uc biz.CASBackendReader) middleware.Middleware {
+const validationTimeOffset = 5 * time.Minute
+
+// ValidateCASBackend checks that the current organization has a valid CAS Backend configured
+// If the last validation happened more than validationTimeOffset ago it will re-run the validation
+// This middleware does not block the request if the CAS Backend is not valid
+func ValidateCASBackend(uc biz.CASBackendReader) middleware.Middleware {
 	return func(handler middleware.Handler) middleware.Handler {
 		return func(ctx context.Context, req interface{}) (interface{}, error) {
 			org := entities.CurrentOrg(ctx)
@@ -52,11 +57,6 @@ func CheckOrgRequirements(uc biz.CASBackendReader) middleware.Middleware {
 				}
 			}
 
-			// 2 - compare the status
-			if repo.ValidationStatus != biz.CASBackendValidationOK {
-				return nil, v1.ErrorCasBackendErrorReasonInvalid("your CAS backend can't be reached")
-			}
-
 			return handler(ctx, req)
 		}
 	}
@@ -78,10 +78,9 @@ func validateCASBackend(ctx context.Context, uc biz.CASBackendReader, repo *biz.
 	return repo, nil
 }
 
-const validationTimeOffset = 5 * time.Minute
-
-// Since this check happens synchronously on every request it has a big performance impact
-// that's why we run it only in refresh windows
+// shouldRevalidate returns true if the repo needs to be re-validated
+// Currently, we only re-validate if the last status was "failed"
+// or if the last validation was more than validationTimeOffset ago
 func shouldRevalidate(repo *biz.CASBackend) bool {
 	// If the validation is currently failed we want to make sure we re-validate
 	if repo.ValidationStatus == biz.CASBackendValidationFailed {
@@ -91,3 +90,31 @@ func shouldRevalidate(repo *biz.CASBackend) bool {
 	// if it has been more than validationTimeOffset since the last validation
 	return repo.ValidatedAt.Before(time.Now().Add(-validationTimeOffset))
 }
+
+// BlockIfCASBackendNotValid checks that the current organization has a valid CAS Backend configured
+// If the CAS Backend is not valid it will block the request
+func BlockIfCASBackendNotValid(uc biz.CASBackendReader) middleware.Middleware {
+	return func(handler middleware.Handler) middleware.Handler {
+		return func(ctx context.Context, req interface{}) (interface{}, error) {
+			org := entities.CurrentOrg(ctx)
+			if org == nil {
+				// Make sure that this middleware is ran after WithCurrentUser
+				return nil, errors.New("organization not found")
+			}
+
+			// 1 - Figure out main repository for this organization
+			repo, err := uc.FindDefaultBackend(ctx, org.ID)
+			if err != nil && !biz.IsNotFound(err) {
+				return nil, fmt.Errorf("checking for CAS backends in the org: %w", err)
+			} else if repo == nil {
+				return nil, v1.ErrorCasBackendErrorReasonRequired("your organization does not have a CAS Backend configured yet")
+			}
+
+			// 2 - compare the status
+			if repo.ValidationStatus != biz.CASBackendValidationOK {
+				return nil, v1.ErrorCasBackendErrorReasonInvalid("your CAS backend can't be reached")
+			}
+			return handler(ctx, req)
+		}
+	}
+}