feat: authorization backend for API tokens (#474)

Signed-off-by: Miguel Martinez Trivino <[email protected]>

Author: migmartri

app/controlplane/cmd/main.go

@@ -57,7 +57,7 @@ func init() {
 	flag.StringVar(&flagconf, "conf", "../configs", "config path, eg: -conf config.yaml")
 }
 
-func newApp(logger log.Logger, gs *grpc.Server, hs *http.Server, ms *server.HTTPMetricsServer, expirer *biz.WorkflowRunExpirerUseCase, plugins sdk.AvailablePlugins) *app {
+func newApp(logger log.Logger, gs *grpc.Server, hs *http.Server, ms *server.HTTPMetricsServer, expirer *biz.WorkflowRunExpirerUseCase, plugins sdk.AvailablePlugins, tokenSync *biz.APITokenSyncerUseCase) *app {
 	return &app{
 		kratos.New(
 			kratos.ID(id),
@@ -66,7 +66,7 @@ func newApp(logger log.Logger, gs *grpc.Server, hs *http.Server, ms *server.HTTP
 			kratos.Metadata(map[string]string{}),
 			kratos.Logger(logger),
 			kratos.Server(gs, hs, ms),
-		), expirer, plugins}
+		), expirer, plugins, tokenSync}
 }
 
 func main() {
@@ -129,6 +129,15 @@ func main() {
 	// TODO: Make it configurable from the application config
 	app.runsExpirer.Run(ctx, &biz.WorkflowRunExpirerOpts{CheckInterval: 1 * time.Minute, ExpirationWindow: 1 * time.Hour})
 
+	// Since policies management is not enabled yet but instead is based on a hardcoded list of permissions
+	// We'll perform a reconciliation of the policies with the tokens stored in the database on startup
+	// This will allow us to add more policies in the future and keep backwards compatibility with existing tokens
+	go func() {
+		if err := app.tokenAuthSyncer.SyncPolicies(); err != nil {
+			_ = logger.Log(log.LevelError, "msg", "syncing policies", "error", err)
+		}
+	}()
+
 	// start and wait for stop signal
 	if err := app.Run(); err != nil {
 		panic(err)
@@ -140,6 +149,7 @@ type app struct {
 	// Periodic job that expires unfinished attestation processes older than a given threshold
 	runsExpirer      *biz.WorkflowRunExpirerUseCase
 	availablePlugins sdk.AvailablePlugins
+	tokenAuthSyncer  *biz.APITokenSyncerUseCase
 }
 
 func filterSensitiveArgs(_ log.Level, keyvals ...interface{}) bool {

app/controlplane/cmd/wire.go

@@ -21,6 +21,7 @@
 package main
 
 import (
+	"github.com/chainloop-dev/chainloop/app/controlplane/internal/authz"
 	"github.com/chainloop-dev/chainloop/app/controlplane/internal/biz"
 	"github.com/chainloop-dev/chainloop/app/controlplane/internal/conf"
 	"github.com/chainloop-dev/chainloop/app/controlplane/internal/data"
@@ -47,7 +48,9 @@ func wireApp(*conf.Bootstrap, credentials.ReaderWriter, log.Logger, sdk.Availabl
 			serviceOpts,
 			wire.Value([]biz.CASClientOpts{}),
 			wire.FieldsOf(new(*conf.Bootstrap), "Server", "Auth", "Data", "CasServer", "ReferrerSharedIndex"),
+			wire.FieldsOf(new(*conf.Data), "Database"),
 			dispatcher.New,
+			authz.NewDatabaseEnforcer,
 			newApp,
 		),
 	)

app/controlplane/cmd/wire_gen.go

@@ -0,0 +1,158 @@
+//
+// Copyright 2024 The Chainloop Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Authorization package
+package authz
+
+import (
+	"errors"
+	"fmt"
+
+	_ "embed"
+
+	"github.com/casbin/casbin/v2"
+	"github.com/casbin/casbin/v2/model"
+	"github.com/casbin/casbin/v2/persist"
+	fileadapter "github.com/casbin/casbin/v2/persist/file-adapter"
+	entadapter "github.com/casbin/ent-adapter"
+	"github.com/chainloop-dev/chainloop/app/controlplane/internal/conf"
+)
+
+const (
+	// Actions
+	ActionRead   = "read"
+	ActionList   = "list"
+	ActionUpdate = "update"
+	ActionDelete = "delete"
+
+	// Resources
+	ResourceWorkflowContract = "workflow_contract"
+	ResourceCASArtifact      = "cas_artifact"
+	ResourceReferrer         = "referrer"
+)
+
+// resource, action tuple
+type Policy struct {
+	Resource string
+	Action   string
+}
+
+var (
+	PolicyWorkflowContractList   = &Policy{ResourceWorkflowContract, ActionList}
+	PolicyWorkflowContractRead   = &Policy{ResourceWorkflowContract, ActionRead}
+	PolicyWorkflowContractUpdate = &Policy{ResourceWorkflowContract, ActionUpdate}
+	PolicyArtifactDownload       = &Policy{ResourceCASArtifact, ActionRead}
+	PolicyReferrerRead           = &Policy{ResourceReferrer, ActionRead}
+)
+
+type SubjectAPIToken struct {
+	ID string
+}
+
+func (t *SubjectAPIToken) String() string {
+	return fmt.Sprintf("api-token:%s", t.ID)
+}
+
+//go:embed model.conf
+var modelFile []byte
+
+type Enforcer struct {
+	*casbin.Enforcer
+}
+
+func (e *Enforcer) AddPolicies(sub *SubjectAPIToken, policies ...*Policy) error {
+	if len(policies) == 0 {
+		return errors.New("no policies to add")
+	}
+
+	if sub == nil {
+		return errors.New("no subject provided")
+	}
+
+	for _, p := range policies {
+		casbinPolicy := []string{sub.String(), p.Resource, p.Action}
+		// Add policies one by one to skip existing ones.
+		// This is because the bulk method AddPoliciesEx does not work well with the ent adapter
+		if _, err := e.AddPolicy(casbinPolicy); err != nil {
+			return fmt.Errorf("failed to add policy: %w", err)
+		}
+	}
+
+	return nil
+}
+
+// Remove all the policies for the given subject
+func (e *Enforcer) ClearPolicies(sub *SubjectAPIToken) error {
+	if sub == nil {
+		return errors.New("no subject provided")
+	}
+
+	// Get all the policies for the subject
+	policies := e.GetFilteredPolicy(0, sub.String())
+
+	if _, err := e.Enforcer.RemovePolicies(policies); err != nil {
+		return fmt.Errorf("failed to remove policies: %w", err)
+	}
+
+	return nil
+}
+
+// NewDatabaseEnforcer creates a new casbin authorization enforcer
+// based on a database backend as policies storage backend
+func NewDatabaseEnforcer(c *conf.Data_Database) (*Enforcer, error) {
+	// policy storage in database
+	a, err := entadapter.NewAdapter(c.Driver, c.Source)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create adapter: %w", err)
+	}
+
+	e, err := newEnforcer(a)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create enforcer: %w", err)
+	}
+
+	return e, nil
+}
+
+// NewFileAdapter creates a new casbin authorization enforcer
+// based on a CSV file as policies storage backend
+func NewFiletypeEnforcer(path string) (*Enforcer, error) {
+	// policy storage in filesystem
+	a := fileadapter.NewAdapter(path)
+	e, err := newEnforcer(a)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create enforcer: %w", err)
+	}
+
+	return e, nil
+}
+
+// NewEnforcer creates a new casbin authorization enforcer for the policies stored
+// in the database and the model defined in model.conf
+func newEnforcer(a persist.Adapter) (*Enforcer, error) {
+	// load model defined in model.conf
+	m, err := model.NewModelFromString(string(modelFile))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create model: %w", err)
+	}
+
+	// create enforcer for authorization
+	enforcer, err := casbin.NewEnforcer(m, a)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create enforcer: %w", err)
+	}
+
+	return &Enforcer{enforcer}, nil
+}