Merge branch 'PFM-4137' into PFM-4146

jiparis · jiparis · commit 8fa108fd690b · 2026-02-05T00:03:14.000+01:00
diff --git a/.chainloop.yml b/.chainloop.yml
@@ -1,6 +1,6 @@
 # This indicates the [current version]+next
 # to indicate that we are building a new version of the project
-projectVersion: v1.74.0+next
+projectVersion: v1.74.1+next
 
 # Experimental feature used by Chainloop labs shared workflow https://github.com/chainloop-dev/labs
 # It maps the material names with location in disk so they get automatically attested
diff --git a/app/controlplane/api/gen/frontend/workflowcontract/v1/crafting_schema.ts b/app/controlplane/api/gen/frontend/workflowcontract/v1/crafting_schema.ts
diff --git a/app/controlplane/api/workflowcontract/v1/crafting_schema.pb.go b/app/controlplane/api/workflowcontract/v1/crafting_schema.pb.go
diff --git a/app/controlplane/api/workflowcontract/v1/crafting_schema.proto b/app/controlplane/api/workflowcontract/v1/crafting_schema.proto
@@ -330,13 +330,13 @@ message PolicySpecV2 {
     string embedded = 2;
 
     // generic reference for file:// and http(s):// schemes
-    string ref = 3;
+    string ref = 4;
 
     option (buf.validate.oneof).required = true;
   }
 
   // if set, it will match any material supported by Chainloop
-  CraftingSchema.Material.MaterialType kind = 4 [(buf.validate.field).enum = {
+  CraftingSchema.Material.MaterialType kind = 3 [(buf.validate.field).enum = {
     not_in: [3]
   }];
 }
diff --git a/app/controlplane/internal/service/organization.go b/app/controlplane/internal/service/organization.go
@@ -214,15 +214,12 @@ func (s *OrganizationService) UpdateMembership(ctx context.Context, req *pb.Orga
 }
 
 func (s *OrganizationService) canCreateOrganization(ctx context.Context) (bool, error) {
-	// Restricted org creation is disabled, allow creation only to users
-	if !s.authz.RestrictOrgCreation {
-		if entities.CurrentMembership(ctx) != nil {
-			return true, nil
-		}
-		return false, nil
+	// if org creation restriction is disabled, allow creation to all users
+	if !s.authz.RestrictOrgCreation && entities.CurrentUser(ctx) != nil {
+		return true, nil
 	}
 
-	// otherwise, check for permissions
+	// otherwise, check for permissions (both users and API tokens)
 	if err := s.checkPolicy(ctx, authz.PolicyOrganizationCreate); err != nil {
 		return false, err
 	}
diff --git a/app/controlplane/internal/service/service.go b/app/controlplane/internal/service/service.go
@@ -331,22 +331,19 @@ func (s *service) visibleProjects(ctx context.Context) []uuid.UUID {
 
 // checkPolicy Checks a policy against a user or a token
 func (s *service) checkPolicy(ctx context.Context, policy *authz.Policy) error {
-	_, token, err := requireCurrentUserOrAPIToken(ctx)
-	if err != nil {
-		return err
-	}
-
 	// Token case
-	if token != nil {
-		for _, p := range token.Policies {
-			if p.Resource == policy.Resource && p.Action == policy.Action {
-				return nil
-			}
+	sub := usercontext.CurrentAuthzSubject(ctx)
+	if sub != "" {
+		ok, err := s.authz.Enforce(ctx, sub, policy)
+		if err != nil {
+			return handleUseCaseErr(err, s.log)
+		}
+		if ok {
+			return nil
 		}
-		return errors.Forbidden("forbidden", "not allowed")
 	}
 
-	// user case
+	// Other cases
 	m := entities.CurrentMembership(ctx)
 	if m == nil {
 		return errors.Forbidden("forbidden", "not allowed")
diff --git a/deployment/chainloop/Chart.yaml b/deployment/chainloop/Chart.yaml
@@ -7,9 +7,9 @@ description: Chainloop is an open source software supply chain control plane, a
 
 type: application
 # Bump the patch (not minor, not major) version on each change in the Chart Source code
-version: 1.326.0
+version: 1.327.0
 # Do not update appVersion, this is handled automatically by the release process
-appVersion: v1.74.0
+appVersion: v1.74.1
 
 dependencies:
   - name: common
@@ -33,11 +33,11 @@ dependencies:
 
 annotations:
     images: |
-        - image: ghcr.io/chainloop-dev/chainloop/artifact-cas:v1.74.0
+        - image: ghcr.io/chainloop-dev/chainloop/artifact-cas:v1.74.1
           name: artifact-cas
-        - image: ghcr.io/chainloop-dev/chainloop/control-plane:v1.74.0
+        - image: ghcr.io/chainloop-dev/chainloop/control-plane:v1.74.1
           name: control-plane
-        - image: ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.74.0
+        - image: ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.74.1
           name: control-plane-migrations
-        - image: ghcr.io/chainloop-dev/chainloop/cli:v1.74.0
+        - image: ghcr.io/chainloop-dev/chainloop/cli:v1.74.1
           name: cli
diff --git a/deployment/chainloop/values.yaml b/deployment/chainloop/values.yaml
@@ -138,7 +138,7 @@ controlplane:
   image:
     registry: ghcr.io
     repository: chainloop-dev/chainloop/control-plane
-    tag: "v1.74.0"
+    tag: "v1.74.1"
 
 
   ## @param controlplane.containerPorts.http controlplane HTTP container port
@@ -219,7 +219,7 @@ controlplane:
     image:
       registry: ghcr.io
       repository: chainloop-dev/chainloop/control-plane-migrations
-      tag: "v1.74.0"
+      tag: "v1.74.1"
     # Run the migration job forcing SSL, required in AWS RDS for PostgreSQL 15
     ssl: false
 
@@ -996,7 +996,7 @@ cas:
   image:
     registry: ghcr.io
     repository: chainloop-dev/chainloop/artifact-cas
-    tag: "v1.74.0"
+    tag: "v1.74.1"
 
   ## @param cas.containerPorts.http controlplane HTTP container port
   ## @param cas.containerPorts.grpc controlplane gRPC container port
diff --git a/extras/dagger/main.go b/extras/dagger/main.go
@@ -10,7 +10,7 @@ import (
 )
 
 const (
-	chainloopVersion = "v1.74.0"
+	chainloopVersion = "v1.74.1"
 )
 
 var execOpts = dagger.ContainerWithExecOpts{

Original file line number	Diff line number	Diff line change
`@@ -330,13 +330,13 @@ message PolicySpecV2 {`
`330`	`330`	`string embedded = 2;`
`331`	`331`
`332`	`332`	`// generic reference for file:// and http(s):// schemes`
`333`		`- string ref = 3;`
	`333`	`+ string ref = 4;`
`334`	`334`
`335`	`335`	`option (buf.validate.oneof).required = true;`
`336`	`336`	`}`
`337`	`337`
`338`	`338`	`// if set, it will match any material supported by Chainloop`
`339`		`- CraftingSchema.Material.MaterialType kind = 4 [(buf.validate.field).enum = {`
	`339`	`+ CraftingSchema.Material.MaterialType kind = 3 [(buf.validate.field).enum = {`
`340`	`340`	`not_in: [3]`
`341`	`341`	`}];`
`342`	`342`	`}`
Original file line number	Diff line number	Diff line change
`@@ -214,15 +214,12 @@ func (s OrganizationService) UpdateMembership(ctx context.Context, req pb.Orga`
`214`	`214`	`}`
`215`	`215`
`216`	`216`	`func (s *OrganizationService) canCreateOrganization(ctx context.Context) (bool, error) {`
`217`		`- // Restricted org creation is disabled, allow creation only to users`
`218`		`- if !s.authz.RestrictOrgCreation {`
`219`		`- if entities.CurrentMembership(ctx) != nil {`
`220`		`- return true, nil`
`221`		`- }`
`222`		`- return false, nil`
	`217`	`+ // if org creation restriction is disabled, allow creation to all users`
	`218`	`+ if !s.authz.RestrictOrgCreation && entities.CurrentUser(ctx) != nil {`
	`219`	`+ return true, nil`
`223`	`220`	`}`
`224`	`221`
`225`		`- // otherwise, check for permissions`
	`222`	`+ // otherwise, check for permissions (both users and API tokens)`
`226`	`223`	`if err := s.checkPolicy(ctx, authz.PolicyOrganizationCreate); err != nil {`
`227`	`224`	`return false, err`
`228`	`225`	`}`
Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@ import (`
`10`	`10`	`)`
`11`	`11`
`12`	`12`	`const (`
`13`		`- chainloopVersion = "v1.74.0"`
	`13`	`+ chainloopVersion = "v1.74.1"`
`14`	`14`	`)`
`15`	`15`
`16`	`16`	`var execOpts = dagger.ContainerWithExecOpts{`