Skip to content

fix(authZ): extract enforcer logic #2553

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
migmartri merged 6 commits into from
Nov 17, 2025
Merged

fix(authZ): extract enforcer logic #2553

migmartri merged 6 commits into from
Nov 17, 2025

Conversation

@migmartri
Copy link
Member

@migmartri migmartri commented Nov 15, 2025

This PR fixes #2551 by refactoring the Enforcer method to make sure it is always used in all parts of the application, not just the middleware.

@migmartri
fix enforcer
8aafdda 
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
@migmartri
fix enforcer
5273171 
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
@migmartri
fix enforcer
38a013a 
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
@migmartri migmartri requested review from javirln and jiparis November 15, 2025 23:23
@migmartri migmartri changed the title Revisit cas backend permissions fix(authZ): extract enforcer logic Nov 15, 2025
migmartri
migmartri commented Nov 15, 2025
View reviewed changes
app/controlplane/pkg/biz/authz.go
@@ -0,0 +1,86 @@
//
// Copyright 2025 The Chainloop Authors.
Copy link
Member Author

@migmartri migmartri Nov 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the main change.

It's basically a custom enforcer that knows not only about casbin but also about API-Tokens custom ACLs.

I created it in the biz layer since that way it can be used without the risk of package cycles.

I tried to do smth similar but by extending the current pkg/authz but that one is connected already referenced by both biz and data

@migmartri
test: add unit tests for AuthzUseCase.Enforce method
dbec713 
Add comprehensive unit tests for the Enforce method in pkg/biz/authz.go
covering both API token and regular user authentication flows.

Test coverage includes:
- API token validation with invalid UUIDs
- Token not found scenarios
- Database error handling
- Policy matching (allowed/denied)
- Empty and nil policy handling
- Partial policy matches
- Multiple policy evaluation

Uses testify suite pattern with mocked APITokenRepo and real enforcer
instance for integration testing.

Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
@migmartri
Merge branch 'main' into revisit-cas-backend-permissions
bd3aaa3 
Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
@migmartri
Copy link
Member Author

migmartri commented Nov 16, 2025

@jiparis ptal at this PR, it fixes an important bug

jiparis
jiparis reviewed Nov 17, 2025
View reviewed changes
jiparis
jiparis reviewed Nov 17, 2025
View reviewed changes
@migmartri
rename vble
5bd7411 
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
@migmartri migmartri merged commit 9c9c55a into chainloop-dev:main Nov 17, 2025
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jiparis jiparis jiparis approved these changes

@javirln javirln Awaiting requested review from javirln

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

the latest changes from casbin is causing API-tokens to fail in some operations

2 participants

@migmartri @jiparis