feat(tokens): allow API tokens to create and read workflows (#762)

Signed-off-by: Jose I. Paris <[email protected]>

Author: jiparis

app/controlplane/internal/authz/authz.go

@@ -18,11 +18,10 @@ package authz
 
 import (
 	"context"
+	_ "embed"
 	"errors"
 	"fmt"
 
-	_ "embed"
-
 	psqlwatcher "github.com/IguteChung/casbin-psql-watcher"
 	"github.com/casbin/casbin/v2"
 	"github.com/casbin/casbin/v2/model"
@@ -181,8 +180,9 @@ var ServerOperationsMap = map[string][]*Policy{
 	// Robot Account
 	"/controlplane.v1.RobotAccountService/List": {PolicyRobotAccountList},
 	// Workflows
-	"/controlplane.v1.WorkflowService/List": {PolicyWorkflowList},
-	"/controlplane.v1.WorkflowService/View": {PolicyWorkflowRead},
+	"/controlplane.v1.WorkflowService/List":   {PolicyWorkflowList},
+	"/controlplane.v1.WorkflowService/View":   {PolicyWorkflowRead},
+	"/controlplane.v1.WorkflowService/Create": {PolicyWorkflowCreate},
 	// WorkflowRun
 	"/controlplane.v1.WorkflowRunService/List": {PolicyWorkflowRunList},
 	"/controlplane.v1.WorkflowRunService/View": {PolicyWorkflowRunRead},

app/controlplane/internal/biz/apitoken.go

@@ -74,6 +74,8 @@ func NewAPITokenUseCase(apiTokenRepo APITokenRepo, conf *conf.Auth, authzE *auth
 		DefaultAuthzPolicies: []*authz.Policy{
 			// Add permissions to workflow run
 			authz.PolicyWorkflowRunList, authz.PolicyWorkflowRunRead,
+			// To read and create workflows
+			authz.PolicyWorkflowRead, authz.PolicyWorkflowCreate,
 			// Add permissions to workflow contract management
 			authz.PolicyWorkflowContractList, authz.PolicyWorkflowContractRead, authz.PolicyWorkflowContractUpdate,
 			// to download artifacts and list referrers